Search This Blog

Showing posts with label Passwords. Show all posts

Cybercriminals Target Citizen Journalists; Here's How to Mitigate

 


The rise of digital connectivity has made it possible for citizens, governments, and businesses to communicate more easily and efficiently. however, for reasons alike cybercrime is becoming a growing problem in the modern world, with hackers targeting individuals and organizations.

Recently, a journalist at the Citizen was targeted by cybercriminals due to information he had published on the internet. In order to change the employee's banking details with the human resources department, they sent a fake letter by email to have the information changed.

When Gertrude Makafola experienced this incident, it prompted her to tweet about it. She stated that a scammer had emailed HR pretending to be her and asking to change her banking details. Upon analyzing the letter, he pointed out, "This looks like my @CapitecBankSA confirmation letter, however, it isn't. Fortunately, the HR manager doesn’t allow this through email or phone, you have to come in person @mtyala @BelindaaaPheto @Mizzyb1".

Citizens who are considered vulnerable should be aware that cybercriminals are lurking around waiting to take full advantage of unprotected networks as they use a variety of attack methods.

According to Mohammed Amin, Senior Vice President, Middle East, Turkey, and Africa for Dell Technologies, during October, Cybersecurity Awareness Month, the company is showing no signs of slowing down the rise of cybercrime, posing risks to everyone across all aspects of society. 

During the year 2021, ransomware attacks increased by 150% from the previous year. More than 80% of experts say that this growth is now posing serious risks to public safety. "In today's world, cybercrime is a major threat, and these statistics indicate the severity and prevalence of this crime."

Cybercrime can affect anyone at any time, no matter who they are


It was earlier this year when a cybersecurity company raised concerns about cybercrime and the recent efforts of the hacking group SpiderLog$. This group pointed out that many of the security systems used in South African government departments were susceptible to serious cyberattacks.

The SpiderLog$ program has managed to obtain private information on President Cyril Ramaphosa from public sources. In addition to this, he also provided details about the loan he took out from a South African bank in the 2000s. In addition, he also provided details concerning his home address, ID number, and cellphone number.

According to Pankaj Bhula, Regional Director for Africa at Check Point Software, "this recent activity showed that no one - not even South Africa's President - is immune to cybercrime and that no one can protect themselves from the threat of such criminal activities."

As a result of this report, SpiderLog$ has shown that South Africa is worryingly vulnerable to cyberattacks, with the group even saying that the country is like a playground for hackers. "Therefore, this should serve as a stark reminder for all organizations to enhance cybersecurity security within their organization."


In the face of cyber threats, what can we do to protect ourselves?


Using Amin's words, the key objective should be to develop a cyber resilience strategy that is capable of anticipating and responding to significant disruptions in data systems across the world.

A more serious test of the organization’s readiness to return to "business as usual" should be how quickly and seamlessly they can do so. There are several components to such resilience including creating and implementing thorough cybersecurity training exercises amongst the workforce as one of the critical components.”

Amin said that this not only provides employees with training and knowledge about security risks and lures, but also heightens awareness and reinforces the importance of teamwork, skills, and collaboration across the organization as a whole.

He added that in the face of rapid advances in cybercrime, the use of cybersecurity and the methods employed by cybercriminals need to be at the top of the minds of the public and business sectors.

"In the age of cyberattacks, cyber security has become more than just an insurance policy against them. A resilient cyber market, if implemented effectively, can help bolster long-term economic prosperity and innovation, as well as provide us with the digital defenses we need to protect ourselves from cyberattacks in the modern era."

The following tips will help you minimize the chances of becoming a victim of cybercrime:

  1. Keep in mind that you should never store any personal information, including banking information, on your smart device.
  2. PINs or OTPs (one-time pins) are never requested by your bank, and will never be asked by your bank.
  3. In no case will your bank ask you to process a payment to reverse a transaction that you have already completed.
  4. Before you approve any transaction, make sure you carefully check the OTPs or app approval notifications that have been sent to you. Please do not approve any payment for a transaction that you are unaware of and are not aware of in advance.
  5. The banking app you are using needs to be updated to the most recent version and your notifications need to be enabled as well.
  6. On your devices, you should enable the screen lock feature.
  7. Choosing the most reliable antivirus or security software for your business is one of the most significant decisions you can make. Your staff members should be informed not to open unsolicited emails without first making sure that the message is virus free before opening it.
  8. As often as possible, make sure all your business software is up-to-date and that your technology is updated.

Warning to iPhone and Android Users: 400 Apps Could Leak Data to Hackers

 


Android and iPhone users are being told to delete specific apps from their mobile phones because they could potentially steal their data. 

According to reports, Facebook has issued a warning after discovering an apparent data hack. This appears to have infected more than 400 apps and appears to have been stealing sensitive login information from smartphones. Because these apps offer popular services such as photo editors, games, and VPNs, they can easily remain unnoticed. This is because they tend to advertise themselves as popular services.

The scam apps are designed to obtain sensitive consumer information by asking users to sign in via their Facebook account once the apps have been installed. Hull Live reported that this is being done for them to be able to access their features.

It has been reported that Facebook published a post on its newsroom about a malicious app that asks users to sign in with their Facebook account. This is before they can use its advertised features. If they enter their credentials, the malware steals their usernames and passwords, which is a serious security risk.

In this case, there are official Google Play Store and Apple App Store marketplaces where these applications are available for download. This means that thousands of devices could potentially have been installed on them.

Apple and Google have already removed these apps from their application stores, however, they can still be found on third-party marketplaces, so anyone who had already downloaded the apps could still be targeted if they had done so previously.

According to Facebook, this year, they have identified more than 400 malicious Android and iOS apps that target people across the internet to steal their login information. This is in a bid to gain access to their Facebook accounts.

Apple and Google have been informed of the findings. It is working to assist those who might be affected by these results in learning more about how to remain safe and secure with their online accounts.

According to Facebook, users should take the following steps to fix the problem:

• Reset and create new, stronger passwords. Keep your passwords unique across multiple websites so that you, do not have to reuse them.

• To further protect your account, you should be able to use two-factor authentication. Preferably by using the Authenticator app as a secondary security measure.

• Make sure that you enable log-in alerts in your account settings so you are notified if anyone attempts to gain access to your account.

• Facebook also outlined some red flags that Android and iPhone users should be aware of when choosing an app that is likely to be, fraudulent.

• Users must log in with social media to use the app and, it will only function once they have completed this step.

A Facebook spokesperson added that looking at the number of downloads, ratings, and reviews may help determine whether a particular app is trustworthy.

Hackers Had Internal Access for 4 Days

Password management solution LastPass has confirmed that the company was hacked and the hackers had access to its development system for four days. The company stated in a blog post that nearly two weeks back, it detected some “unusual activity” in portions of its “LastPass development environment”, and immediately carried out an investigation for the same. 

As per the company’s reports, the hackers likely gained access to some of its source code through “a single compromised developer account”. The hackers were able to compromise a company developer’s endpoint to gain access to the Development environment, impersonating the developer after he “authenticated using multi-factor authentication,” which allowed them to get hold of some of the source code and “some proprietary LastPass technical information”. However, the company claims that no user data was compromised during the action.  

The company states that all of its “products and services are operating normally.” The Investigation for the hack is still ongoing and the company states that it has “implemented additional enhanced security measures.” 

LastPass CEO Karim Toubba stated that “There is no evidence of any threat actor activity beyond the established timeline [...] there is no evidence that this incident involved any access to customer data or encrypted password vaults”. 

The company restated that despite the unauthorized access, the hacker did not succeed in getting hold of any sensitive user data owing to system design and zero trust access (ZTA) is put in place to avert such incidents in the future. 

ZTA includes complete segregation of the Development and Production environment and the company’s own inability to access any of its customer’s password vaults without the master password set by the customers. “Without the master password, it is not possible for anyone other than the owner of a vault data,” the CEO stated. 

Lastly, LastPass also mentioned that it has restored to the services of a leading cybersecurity firm to enhance its source code safety practices and will ensure its system’s security, deploying additional endpoint security guardrails in both Development and Production environments to better detect and prevent any attack aiming at its systems.

Neopets Hacked, 69 Million Accounts Potentially Breached

 

The virtual pet website Neopets has announced that it has been hacked. JumpStart Games, as announced yesterday on Twitter and the official forums, is requesting that all 69 million accounts reset their passwords. 

"Neopets recently became aware that customer data may have been stolen," reads the official Twitter announcement. "We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data." 

The hacker responsible, as first reported by Neopets community site JellyNeo (via Polygon), has been found offering the whole Neopets database and source code for 4 Bitcoins (approximately $100,000). For an extra cost, the hacker would provide live access to the database. It's unclear whether this hack involves credit card information. Neopets charges a fee to eliminate adverts from the site and gain access to the forums and other premium services. In-game cash called NeoCash is also utilised for numerous microtransactions. 

Neopets, which debuted in 1999, were a brief phenomenon. Neopets, a website where players take care of a virtual pet, soon grew to millions of users, with original developer Adam Powell selling the service to Viacom for $160 million in 2005. Viacom eventually sold the site to JumpStart Games, which still owns it. The Neopets themselves require frequent food and care, yet even if neglected, they will not perish. 

One may also take them on a tour to Neopia (the Neopets world), where they and their Neopet can participate in a variety of minigames and enjoy the site's comprehensive social features. Although it is no longer at its peak, Neopets still has a committed user base. This isn't the first time that Neopets has been compromised. In 2016, a similar data breach compelled all Neopets users to change their passwords. 

This current attack is also unlikely to help the site's tattered reputation, especially in light of the recent announcement of the Neopets Metaverse Collection, a new NFT initiative that fans have slammed as a brazen cash grab.

Google Blocked Dozens of Domains Used by Hack-for-hire Groups

 

Google's Threat Analysis Group released a blog post on Thursday detailing the actions of hack-for-hire groups in Russia, India, and the United Arab Emirates. More than 30 domains used by these threat groups have been added to the internet giant's Safe Browsing system, preventing users from accessing them. 

Hack-for-hire groups are sometimes confused with businesses that provide surveillance tools. As per Google, surveillance vendors often give the tools required for spying but leave it up to the end-user to run them, whereas hack-for-hire groups perform the attacks themselves. Several hack-for-hire groups have been found in recent years. Google's investigation focuses on three groups thought to be based in India, Russia, and the United Arab Emirates. 

Google has been tracking the threat actor linked to India since 2012, with some of its members formerly working for offensive security firms. They now appear to be employed by Rebsec, a new firm that publicly sells corporate espionage services. The group has been observed phishing credentials for AWS, Gmail, and government services accounts from healthcare, government, and telecom firms in the Middle East. 

The Russia-linked threat actor, known as Void Balaur by others, has targeted journalists, politicians, NGOs and organisations, and persons who looked to be ordinary residents in Russia and neighbouring nations. Phishing was also used in these assaults. 

“After the target account was compromised, the attacker generally maintained persistence by granting an OAuth token to a legitimate email application like Thunderbird or generating an App Password to access the account via IMAP. Both OAuth tokens and App Passwords are revoked when a user changes their password,” explained Shane Huntley, director of Google’s Threat Analysis Group. 

This group also had a public website where it advertised social media and email account hacking services. The UAE group primarily targets government, political, and educational groups in North Africa and the Middle East. This threat actor also employs phishing emails, but unlike many other organisations, it employs a custom phishing kit rather than open source phishing frameworks. 

“After compromising an account, the actor maintains persistence by granting themselves an OAuth token to a legitimate email app like Thunderbird, or by linking the victim Gmail account to an attacker-owned account on a third-party mail provider. The attacker would then use a custom tool to download the mailbox contents via IMAP,” Huntley said. 

Google believes Mohammed Benabdellah, who was sued by Microsoft in 2014 for developing the H-Worm (njRAT) malware, is associated with the group.

QNAP NAS Devices Struck by eCh0raix Ransomware Attacks

 

The ech0raix ransomware has resumed targeting vulnerable QNAP Network Attached Storage (NAS) systems this week, as per user complaints and sample uploads on the ID Ransomware site.

ech0raix (also known as QNAPCrypt) began attacking QNAP customers in many large-scale waves in the summer of 2019 when attackers brute-forced their entry into Internet-exposed NAS equipment. Since then, victims of this ransomware strain have discovered and reported numerous further campaigns, in June 2020, May 2020, and a large wave of assaults targeting devices with weak passwords that began in mid-December 2021 (just before Christmas) and gradually declined towards early February 2022. 

A fresh series of ech0raix assaults have been validated by an increase in the amount of ID Ransomware submissions and users reporting getting affected on the BleepingComputer forums, with the first hit on June 8. 

Although just a few dozen ech0raix samples have been submitted, the real number of successful assaults is likely to be larger because only a subset of victims will utilize the ID Ransomware service to detect the ransomware that encrypted their devices. 

While this ransomware has been used to encrypt Synology NAS systems since August 2021, this time victims have solely reported attacks on QNAP NAS systems. The attack vector employed in the current ech0raix campaign is unknown until QNAP releases additional information on these attacks. 

How to Protect NAS Against Attacks 

While QNAP is yet to give a warning to consumers about these assaults, the firm has already recommended users secure their data from potential eCh0raix attacks 
  • by using stronger passwords for administrator accounts
  • activating IP Access Protection to protect accounts from brute force assaults, 
  • and preventing the use of the default port numbers 443 and 8080 
In this security advice, QNAP gives extensive step-by-step instructions for changing the NAS password, enabling IP Access Protection, and changing the system port number. 

Customers are also advised by the Taiwanese hardware manufacturer to stop Universal Plug and Play (UPnP) port forwarding on their routers to avoid exposing their NAS systems to Internet-based assaults. One can also stop SSH and Telnet connections and enable IP and account access prevention by following these step-by-step instructions. QNAP also urged users on Thursday to protect their devices against continuous DeadBolt ransomware threats. 

"According to the investigation by the QNAP Product Security Incident Response Team (QNAP PSIRT), the attack targeted NAS devices using QTS 4.3.6 and QTS 4.4.1, and the affected models were mainly TS-x51 series and TS-x53 series," the NAS maker stated.

"QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the Internet."

Alert! Scam Pixelmon NFT Website Hosts Password-stealing Malware

 

A bogus Pixelmon NFT site tempts visitors with free tokens and collectables while infecting them with spyware that steals their cryptocurrency wallets. Pixelmon is a popular NFT project with plans to create an online metaverse game where users can gather, train, and battle other players with pixelmon pets. 

The project has attracted a lot of attention, with nearly 200,000 Twitter followers and over 25,000 Discord members. Threat actors have replicated the original pixelmon.club website and built a fake version at pixelmon[.]pw to deliver malware to take advantage of this interest. Instead of providing a demo of the project's game, the malicious site provides executables that install password-stealing malware on a device. 

The website is selling a package named Installer.zip that contains a faulty executable that does not infect customers with malware. However, MalwareHunterTeam, which was the first to identify this malicious site, detected other dangerous files transmitted by it, allowing to see what malware it was spreading. Setup.zip, which contains the setup.lnk file, is one of the files sent by this fraudulent site. Setup.lnk is a Windows shortcut that runs a PowerShell command to download pixelmon[.]pw's system32.hta file. 

When BleepingComputer tested these malicious payloads, the System32.hta file downloaded Vidar, a password-stealing malware that is no longer widely used. Security researcher Fumik0_, who has previously examined this malware family, confirmed this. When launched, the Vidar sample from the threat actor connects to a Telegram channel and retrieves the IP address of a malware's command and control server. The malware will then obtain a configuration instruction from the C2 and download further modules to steal data from the afflicted device. 

Vidar malware may steal passwords from browsers and apps, as well as scan a computer for files with certain names, which it subsequently sends to the threat actor. The C2 commands the malware to seek for and steal numerous files, including text files, cryptocurrency wallets, backups, codes, password files, and authentication files, as seen in the malware setup below. Because this is an NFT site, visitors are expected to have bitcoin wallets installed on their PCs. 

As a result, threat actors focus on looking for and stealing cryptocurrency-related files. While the site is presently not distributing a functioning payload, BleepingComputer has observed evidence that the threat actors have been modifying the site in recent days, as payloads that were available two days ago are no longer available. 

One can expect this campaign to continue to be active, and working threats to be added soon, based on the site's activity. Due to the high number of fraudsters attempting to steal the bitcoin from NFT projects, one should always double-check that the URL they are viewing is indeed associated with  their interested project.

Medatixx Struck by Ransomware Attack, Customers Advised to Change Passwords

 

Medatixx, a German medical software provider whose products are used in around 21,000 health institutions, advises customers to update their application passwords, following a ransomware attack that damaged their entire operations. 

The business stressed that the impact has not reached clients and is restricted to their internal IT systems and shouldn't affect their PVS (practice management systems). Threat actors may have obtained Medatixx users' credentials, as it is uncertain what data was taken during the attack. 

As a result, Medatixx advises clients to take the following precautions to ensure that their practise management software stays secure: 
  • Change the user passwords on practise software. 
  • On all workstations and servers, change the Windows logon passwords 
  • Passwords for TI connectors should be changed. The aforementioned are preventative steps, according to the business, but they should be implemented as soon as possible. 
The following are the software products whose users should respond to this emergency immediately:  
  • easymed
  • medatixx
  • x.comfort
  • x.concept
  • x.isynet
  • x.vianova
About the attack

The ransomware attack on Mediatixx occurred last week, and the firm is still recovering, with just e-mail and central telephone services restored so far. Additionally, all regional sales partners and customer support lines are operational, allowing clients to contact corporate staff with any questions they may have. There is no confirmation when the corporation will resume normal operations. 

Furthermore, it is unknown whether the actors were able to get any customer, doctor, or patient information. The company states that it has alerted Germany's data protection authorities about the occurrence and will provide an update after the inquiry is completed. 

Medatixx explained in the translated advisory, "It is not known at this point whether or not, and to what extent any data was stolen. It can therefore not be ruled out that the data stored by us has been stolen." 

As per Heise Online, Mediatixx solutions are used in around 25% of all medical institutions in Germany, and this might be the country's largest hack ever in the healthcare system. Furthermore, according to the German news agency, the attackers could steal user credentials through remote maintenance systems.

Ficker – An Info-Stealer Malware Being Distributed by Russians

 

Threat actors are using the Malware-as-a-Service (MaaS) model to attack Windows users, according to researchers. The new info-stealer malware “Ficker” was discovered and is being disseminated via a Russian underground forum by threat actors. FickerStealer is a family of data-stealing malware that first appeared in the year 2020. It can steal sensitive data such as passwords, online browser passwords, cryptocurrency wallets, FTP client information, Windows Credential Manager information, and session information from various chat and email clients. 

Unlike in the past, when Ficker was spread via Trojanized web links and hacked websites, causing victims to unintentionally download the payload, the current outbreak is stealthy and uses the well-known malware downloader Hancitor to spread. 

Hancitor (also known as Chanitor) malware first appeared in the wild in 2013, relying on social engineering techniques such as posing as DocuSign, a genuine document signing service. This malware tricked users into allowing its harmful macro code to run, allowing it to infect the victim's computer. Hancitor will attempt to download a wide range of additional harmful components after connecting to its command-and-control (C2) infrastructure, depending on its operators' most recent malicious campaign. 

The attack begins with the attackers sending malicious spam emails with a weaponized Microsoft Word document attached, which is fully phoney yet masquerades as the real thing. Spam email content entices victims to open it, resulting in the execution of malicious macro code that allows Hancitor to communicate with the command and control server and get a malicious URL containing a Ficker sample.

It employs the evasion approach to avoid detection by injecting Ficker into an instance of svchost.exe on the victim's PC and concealing its activity. Threat actors routinely utilize svchost.exe to hide malware in the system process and avoid detection by typical antivirus software. 

Researchers also discovered that Ficker is heavily obfuscated, preventing it to execute in a virtual environment by employing multiple analysis checks. Malware authors also included an execution feature in the malware, preventing it from being executed in certain countries such as Russia, Uzbekistan, Belarus, Armenia, Kazakhstan, and Azerbaijan. 

According to the Blackberry report, “The malware also has screen-grab abilities, which allow the malware’s operator to remotely capture an image of the victim’s screen. The malware also enables file-grabbing and additional downloading capabilities once connection to its C2 is established.”

RockYou2021: The Largest Data Leak with 8.4 Billion Passwords

 

According to Cybernews, what appears to be the world's largest password collection, called RockYou 2021, has been leaked on a famous hacker site. A forum user uploaded a 100GB TXT file containing 8.4 billion password entries. 

All of the passwords in the leak, according to the author, are 6-20 characters long, with non-ASCII characters and white spaces eliminated. According to the same individual, the collection has 82 billion passwords. However, Cybernews discovered that the actual figure was roughly ten times lower, at 8,459,060,239 entries, after conducting its own testing. 

The forum member has named the compilation ‘RockYou2021,' probably in allusion to the historic RockYou data breach that occurred in 2009 when threat actors hacked into the social app website's servers and obtained over 32 million user passwords stored in plain text. 

This leak is equivalent to the Compilation of Many Breaches (COMB), the greatest data breach compilation ever, with a collection that exceeds its 12-year-old namesake by more than 262 times. The RockYou2021 compilation, which has been accumulated by the individual behind the compilation over several years, contains its 3.2 billion hacked credentials, as well as credentials from numerous other hacked databases. Given that only roughly 4.7 billion people are online, the RockYou2021 compilation might theoretically contain the passwords of the entire global online population almost two times over. 

“By combining 8.4 billion unique password variations with other breach compilations that include usernames and email addresses, threat actors can use the RockYou2021 collection to mount password dictionary and password spraying attacks against untold numbers of online accounts,” CyberNews notes.

“Since most people reuse their passwords across multiple apps and websites, the number of accounts affected by credential stuffing and password spraying attacks in the wake of this leak can potentially reach millions, if you feel one or more of your passwords may have been exposed as a result of the RockYou2021 incident, you should change your passwords for all of your online accounts right away. A password manager, according to Cybernews, can help you build strong, complex passwords that aren't easy to remember. You may also set up two-factor authentication (2FA) across all of your accounts. Finally, as always, carefully check all unsolicited spam emails, phone calls, and text messages for signs of phishing.

ClickStudios told Clients to Change Passwords After a Cyberattack

 

Following a cyberattack on the corporate password manager Passwordstate, Click Studios, an Australian software house, has advised consumers to reset passwords across their organizations. According to an email sent to consumers by Click Studios, attackers had "compromised" the password manager's software upgrade function in order to extract user passwords. 

Between April 20 and April 22, the Australian software firm was hacked. The attack specifics were published by CSIS Security Group, which dealt with the hack. In an advisory, ClickStudios detailed the assault.

The company said, “Initial analysis indicates that a bad actor using sophisticated techniques compromised the In-Place Upgrade functionality. The initial compromise was made to the upgrade director located on Click Studios website www.clickstudios.com.au. The upgrade director points the In-Place Upgrade to the appropriate version of software located on the Content Distribution Network. The compromise existed for approximately 28 hours before it was closed down. Only customers that performed In-Place Upgrades between the times stated above are believed to be affected. Manual Upgrades of Passwordstate are not compromised. Affected customers password records may have been harvested.” 

An update to the Passwordstate app started the supply chain assault. When the malicious update is enabled, it connects to the attacker's servers and downloads malware intended to intercept and deliver the password manager's contents back to the attackers. The attacker's servers were also taken down on April 22, according to the company. However, if the attackers are able to reactivate their infrastructure, Passwordstate users can be at risk.

Employees can exchange passwords and other personal information through their company's network computers, such as firewalls and VPNs, shared email addresses, internal directories, and social media accounts, using enterprise password managers. According to Click Studios, Passwordstate is used by “more than 29,000 customers,” including Fortune 500 companies, federal agencies, banks, military and aerospace companies, and businesses in most sectors. 

For the remediation for Passwordstate customers, ClickStudios said, “Customers have been advised to check the file size of moserware.secretsplitter.dll located in their c:\inetpub\passwordstate\bin\ directory. If the file size is 65kb then they are likely to have been affected. They are requested to contact Click Studios with a directory listing of c:\inetpub\passwordstate\bin output to a file called PasswordstateBin.txt and send this to Click Studios Technical Support.”

Security Firm Stormshield Discloses Data Breach, Theft of Source Code


Stormshield is a French based leading cyber-security firm that provides network security services and security equipment to the government. Recently the firm discovered that malicious actors have used one of its customer support portals and stole sensitive credentials of some of its customers. While reporting the same to the press, the firm also said that hackers successfully managed to steal parts of the source code for the Stromshield Network Security (SNS) firewall, a product certified for use in sensitive government networks, as part of infiltration. 

The organization told that its team is investigating the attack and assessing the impact of the breach on government systems with the French cyber-security agency ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information). 

"As of today, the in-depth analysis carried out with the support of the relevant authorities has not identified any evidence of illegitimate modification in the code, nor have any of the Stormshield products in operation been compromised," Stormshield said in a message posted earlier today on its website. 

The cybersecurity department of the French government is taking this cyberattack as a major data breach. The French cyber-security agency ANSSI noted in its own press release that "Stormshield SNS and SNI products have been 'under observation' for the duration of the investigation." 

Additionally, Stromshield has informed that its department is reviewing the SNS source code and has also taken some major steps to prevent further attacks on the firm. The Company has also replaced the digital certificates which were used to sign SNS software updates. 

"New updates have been made available to customers and partners so that their products can work with this new certificate, all the support tickets and technical exchanges in the accounts concerned have been reviewed and the results have been communicated to the customers," Stormshield spokesperson said. 

“Only about 2% of customer’s accounts were affected in the breach, which is "around 200 accounts out of more than 10,000." He added. 

Furthermore, the French security firm said “it also reset passwords for its tech support portal, which the attackers breached, and the Stormshield Institute portal, used for customer training courses, which weren’t breached, but the company decided to reset passwords as a preventive measure”.

250,000+ Login/Passwords Leaked in The Trident Crypto Fund Data Breach


More than 260,000 customers’ data was compromised online in a gigantic data breach that went down pretty recently.

Trident Crypto Fund, per reports, experienced this data breach which gave rise to the leakage of thousands of customer records including usernames and passwords, online.

Per sources, Trident is a crypto-investment index fund that functions as an arm of the “Dragonara Business Center”, Italy. It also is reportedly the “first coin-based index fund”.

And like scattered sugar for ants, the leaked records were immediately devoured by the cyber-cons right after they were compromised.

Per sources, personal data of over 260,000 registered users of the Trident Crypto Fund was left bare for people to exploit as per they wished to.

Reports mention that the leaked data comprised of phone numbers, encrypted passwords, email addresses, and IP addresses.

The aforementioned data was discovered to be published on several “file-sharing” websites in the past month.

According to researchers, the hackers had evidently de-crypted the stolen files and published an array of over 120,000 passwords at the beginning of March. It was also found out that the password and login ID pairs were matchless with the ones previously leaked.

The details or even the mention of the data breach haven’t appeared on the website or on other communication platforms. But reportedly, a victim of the breach was contacted who confirmed the connection between the fund and the leaked data.

As mentioned on the fund’s website, the company “works hard” to protect its customers’ data and secure accounts. They allegedly are also investigating the “suspected breach”.

The Russians were the ones to get heavily affected by the above-mentioned data leak as the compromised data was a direct key to their accounts. Word has it that more than 10,000 Russian users were impacted by the Trident Crypto Fund data breach.

Even though it’s possible that Russian residents might have had their records leaked previously as well, there are no records of that happening.

Nevertheless, this data breach structured the history of data leakages for Russia as this happens to be one of the first major ‘Personal’ data breaches the country’s citizens have faced that has had such a major impact.

TP-Link Routers Vulnerable Again; Voids Passwords! Patching Highly Suggested!



A “zero-day vulnerability” was recently discovered in the “TP-Link Archer C5v4 routers” with the firmware version 3.16.0 0.9.1 v600c and of the build 180124 Rel.28919n.

This vulnerability could affect devices both at corporate levels as well as domestic level. The attacker could take control of the routers configuration by way of “telnet on the local area network” and it could connect to the File Transfer Protocol (FTP) via the LAN or WAN (wide area network).

The attackers could gain complete access of all the admin licenses and privileges. Enabling guest wi-fi, and acting an entry point happen to be a few other demerits of the vulnerable router.

Previously as per reports there was a “password overflow issue”. When a string shorter than the estimated length is typed then the estimated length is sent as the password, altering the actual password whereas if too long then the password gets void.

The vulnerability allegedly depends on the type of request that is sent through for requesting access to the device. Either it is safe or is vulnerable. The safe requests for HTML content there are two aspects that need to be taken into account.

One of them being the “TokenID” and the other being “the JSESSIONID”. Per reports the common Gateway Interface though, is only based on the referrer’s HTTP headers if it matches the IP address or the domain related to it then the main service of the routers thinks it to be valid and if the referrer is removed it responds as “Forbidden”.

The automated attacks that were dissipated via the botnet malware, “Mirai” were caused by weak passwords that allowed access to the FTP server and even provided console access.


Reportedly, the function “strncmp” is used to validate the referrer header with the string “tplinkwifi.net”. It apparently also validates for the IP address. This is definitely hence a disconcerting vulnerability which could be easily exploited.

The shorter strings when sent corrupt the password stopping the users from logging in but luckily it would stop the attacker too. FTP, Telnet and other services are mostly affected by this.

A longer string length made it entirely void and the value became empty. This made Telnet and FTP accessible simply by using “admin” as a password which is the default.

The same configuration of FTP is also allowed on the WAN. The router also reportedly happens to be vulnerable to the CGI attack which is pretty injurious to privacy.

So far there isn’t a way to set a new password, but even if there were the next vulnerable LAN/WAN/CGI request would void that password as well. Per reports, another aftermath of this vulnerability is that the RSA encryption key would crash.

This vulnerability is extremely disconcerting when the “Internet of Things” IoT security is considered at large. Millions of businesses and homes could be affected by any exploit or vulnerability these routers disperse.

What could be done right off the bat is, creating stronger passwords, applying two-factor authentication, changing all the default passwords and at last applying mitigating controls to all the devices in use.

Patching is HIGHLY ADVISED. TP-Link has provided patches for the TP-Link Archer C5 v5 and other versions.