
Microsoft Offers Guidelines on Detecting Outlook Zero-day Exploits


Microsoft has released a detailed guide to assist customers in detecting signs of compromise by exploiting a recently patched Outlook zero-day vulnerability. This privilege escalation security flaw in the Outlook client for Windows, tracked as CVE-2023-23397, enables attackers to steal NTLM hashes without user interaction in NTLM-relay zero-click attacks. 

Attackers exploit it by sending a message whose extended MAPI properties carry a UNC path to an attacker-controlled SMB share; when Outlook processes the item's reminder, the client connects to that share and authenticates, leaking the user's Net-NTLMv2 hash with no user action at all. In the report, Microsoft shared several techniques for determining whether credentials were compromised by CVE-2023-23397 exploits, as well as mitigation measures to protect against future attacks.

While the company also released a script to assist administrators in determining whether any Exchange users have been targeted, Redmond stated that defenders must look for other signs of exploitation if the threat actors have cleaned up their traces by deleting any incriminating messages.

Alternative sources of indicators of compromise associated with this Outlook flaw include telemetry extracted from multiple sources such as firewall, proxy, VPN, and RDP Gateway logs, as well as Azure Active Directory sign-in logs for Exchange Online users and IIS Logs for Exchange Server.

Forensic endpoint data such as Windows event logs and endpoint telemetry from endpoint detection and response (EDR) solutions are other places security teams should look for signs of compromise (if available).

Post-exploitation indicators in compromised environments are associated with the targeting of Exchange EWS/OWA users and malicious mailbox folder permission changes that allow the attackers to gain persistent access to the victim's emails.
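As an added example (not Microsoft's script and not code from the original post), the following Python sketch applies the two checks described above to data a responder would actually have: it flags mailbox items whose reminder property (the PidLidReminderFileParameter property that Microsoft's script inspects) holds a UNC path to a host outside the organization, and it hunts firewall logs for SMB connections from internal clients to external addresses, the trace that survives when the attacker has already deleted the message. The message records, the log line format, the internal address ranges and the `.corp.example` DNS suffix are constructed assumptions.

```python
import ipaddress
import re

# UNC target of a reminder: \\host\share or //host/share, optionally in the
# WebDAV form \\host@80\share or \\host@SSL\share. Group 1 is the host.
UNC_RE = re.compile(r'^(?:\\\\|//)([^\\/@]+)(?:@[A-Za-z0-9]+)?(?:[\\/]|$)')

# Assumed internal address space and DNS suffix of the organization.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_DNS_SUFFIXES = (".corp.example",)

# Generic "key=value" firewall line; the field names are an assumption.
FW_LINE_RE = re.compile(
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) '
    r'dport=(?P<dport>\d+) action=(?P<action>\S+)')

# Constructed sample data standing in for mailbox items and firewall logs.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "sender": "payroll@example.net",
     "reminder": r"\\203.0.113.7\sounds\alert.wav"},            # external SMB
    {"id": "msg-2", "sender": "it@corp.example",
     "reminder": r"\\fileserver.corp.example\sounds\ding.wav"},  # internal share
    {"id": "msg-3", "sender": "alice@corp.example",
     "reminder": r"C:\Windows\Media\reminder.wav"},              # local file
    {"id": "msg-4", "sender": "news@example.net",
     "reminder": r"\\198.51.100.20@80\dav\x.wav"},               # WebDAV form
]
SAMPLE_FW_LOG = [
    "2023-03-20T10:01:02Z src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=445 action=allow",
    "2023-03-20T10:01:05Z src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=445 action=allow",
    "2023-03-20T10:02:11Z src=10.0.0.5 dst=203.0.113.7 proto=tcp dport=443 action=allow",
    "2023-03-20T10:03:40Z src=10.0.0.8 dst=198.51.100.20 proto=tcp dport=445 action=deny",
]


def unc_host(value: str):
    """Host part of a UNC reminder path, or None if the value is not a UNC path."""
    m = UNC_RE.match(value.strip())
    return m.group(1).lower() if m else None


def is_internal_host(host: str) -> bool:
    """True for RFC 1918 addresses or names under the assumed internal DNS suffix."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTERNAL_DNS_SUFFIXES)
    return any(ip in net for net in INTERNAL_NETS)


def classify_reminder(value: str) -> str:
    """'local' (no UNC path), 'internal_unc' or 'external_unc'."""
    host = unc_host(value)
    if host is None:
        return "local"
    return "internal_unc" if is_internal_host(host) else "external_unc"


def triage_messages(messages):
    """(id, sender, host) for every message whose reminder points off-network."""
    return [(m["id"], m["sender"], unc_host(m["reminder"]))
            for m in messages if classify_reminder(m["reminder"]) == "external_unc"]


def outbound_smb_to_external(log_lines):
    """(src, dst, dport, action) for SMB/RPC connections leaving the internal ranges.

    A hit here is the residual indicator when the malicious item itself is gone:
    the client reached for an external file share, whether allowed or denied."""
    hits = []
    for line in log_lines:
        m = FW_LINE_RE.search(line)
        if not m or m["proto"] != "tcp" or m["dport"] not in ("135", "445"):
            continue
        if not is_internal_host(m["dst"]):
            hits.append((m["src"], m["dst"], m["dport"], m["action"]))
    return hits


if __name__ == "__main__":
    for hit in triage_messages(SAMPLE_MESSAGES):
        print("suspicious reminder:", hit)
    for hit in outbound_smb_to_external(SAMPLE_FW_LOG):
        print("outbound SMB to external host:", hit)
```

Two points worth keeping when adapting this: the WebDAV form (`\\host@80\share`) is matched on purpose, because when TCP 445 is blocked Windows falls back to WebDAV for the same UNC path, and a denied connection is still an indicator, since it shows the client tried.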

CVE-2023-23397 mitigation strategies
Microsoft also provided instructions on how to prevent future attacks on this vulnerability, urging organizations to install the recently released Outlook security update.

"To address this vulnerability, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform) or your organization’s support for NTLM authentication," the Microsoft Incident Response team said.

Other measures at-risk organizations can take to mitigate such attacks and post-exploitation behavior include:
  • For organizations leveraging on-premises Microsoft Exchange Server, apply the latest security updates to ensure that defense-in-depth mitigations are active.
  • Where suspicious or malicious reminder values are observed, make sure to use the script to remove either the messages or just the properties, and consider initiating incident response activities.
  • For any targeted or compromised user, reset the passwords of any account logged in to computers of which the user received suspicious reminders and initiate incident response activities.
  • Use multifactor authentication to mitigate the impact of potential Net-NTLMv2 Relay attacks. NOTE: This will not prevent a threat actor from leaking credentials and cracking them offline.
  • Disable unnecessary services on Exchange.
  • Limit SMB traffic by blocking connections on ports 135 and 445 from all inbound IP addresses except those on a controlled allowlist. Note that in this attack it is the victim's Outlook client that initiates the SMB connection to the attacker's share, so egress filtering of TCP 445 toward the internet (at the perimeter, on the host firewall, and in VPN split-tunnel settings) is the control that actually stops the hash from leaving the network.
  • Disable NTLM in your environment.
CVE-2023-23397 has been actively exploited since at least April 2022, and it has been used to breach the networks of at least 15 European government, military, energy, and transportation organizations.

While Microsoft publicly blamed the attacks on "a Russia-based threat actor," Redmond also stated in a private threat analytics report obtained by BleepingComputer that the hacking group is APT28 (also tracked as STRONTIUM, Sednit, Sofacy, and Fancy Bear).

This threat actor has previously been linked to Russia's military intelligence service, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). The credentials stolen in these attacks were used for lateral movement and to change Outlook mailbox folder permissions, allowing the attackers to exfiltrate emails.

"While leveraging NTLMv2 hashes to gain unauthorized access to resources is not a new technique, the exploitation of CVE-2023-23397 is novel and stealthy. Even when users reported suspicious reminders on tasks, initial security review of the messages, tasks, or calendar items involved did not result in detection of the malicious activity. Furthermore, the lack of any required user interaction contributes to the unique nature of this vulnerability," the Microsoft Incident Response team added.

To Safeguard Children from Exploitation, Parents Should Reconsider Approach to Online Behaviour


Raising children in the digital age is becoming particularly complex. Many young people are increasingly reliant on screens for social interaction. They experiment with new media sharing platforms such as TikTok, Snapchat, and BeReal, but without necessarily considering long-term consequences. 

This is normal because children's prefrontal cortex, the part of the brain responsible for reasoning, decision-making, and impulse control, is still underdeveloped. Parents who are responsible for anticipating the outcomes of digital interactions are overwhelmed. Many parents may lack the digital literacy to guide their children through today's plethora of social media platforms, messaging apps, and other online platforms. This situation may expose children to online sexual exploitation. 

The researchers collected data from a diverse group of experts in the United States and the United Kingdom for their study. Interviews were conducted with internet safety non-profits, safeguarding teams, cybercrime police officers, digital forensics staff, and intelligence directors. The ability to share explicit content online is a major reason for the rapid escalation of online child sexual exploitation. The research unveiled four distinct stages used by perpetrators.

In Stage 1, perpetrators use various technological tools and networks to initiate contact with potential victims, such as social media, messaging apps, games, and online forums. They frequently create false identities by using fake images to create convincing digital personas through which they approach children, such as posing as a "new kid on the block" looking for new friends.

In Stage 2, perpetrators use tactics such as impersonating a similar-aged child to gain the trust of potential victims. This can occur over a long period of time. In one case the researchers investigated, a 12-year-old boy in Lee County, North Carolina, received 1,200 messages from the same perpetrator over the course of two years. Offenders may send their own explicit images during this stage to reduce a victim's suspicion.

In Stage 3, the perpetrators resort to online extortion. They modify innocent photos or use photographs provided by victims to make them appear sexual or pornographic. Perpetrators then send these images to their victims in order to keep them in a state of humiliation. When perpetrators threaten to share these humiliating images with the victim's friends, teachers, or family unless their victims send more explicit photos or videos, the situation escalates.

At this point, many extortion techniques and direct threats are being used. It's difficult to imagine the psychological strain this can put on children. Before seeking help, a 12-year-old girl uploaded 660 sexually explicit images of herself to a cloud-based storage account controlled by a 25-year-old perpetrator.

In Stage 4, perpetrators begin selling these images on peer-to-peer networks, the dark web, and even child pornographic websites.

Defending against online exploitation

Parents can help prevent exploitation by avoiding common mistakes. By sharing these, parents, policymakers, school boards, and even children will reconsider their approach to online behavior.
1. "That will never happen to us!" Many victims and their families fall prey to optimism bias, believing that bad things will never happen to them. Online crimes, however, can affect anyone. Unfortunately, these occurrences are more common than most people realise. No family is immune to the dangers of the online world.

2. "Everyone's doing it!" It is now common for parents to overshare pictures of their children on social media. Many parents find it difficult to resist the pressure or temptation to post photos of their children on social media. These photographs are frequently edited and distorted to appear pornographic. Everyone in the family must resist the urge to overshare photos on social media.

3. "It doesn't bother my kids!" Many children today have a digital presence that their parents initiated and maintain without their consent. This disregard for children's privacy not only undermines their autonomy, but it can also have long-term consequences for their self-esteem, personal and professional future, and parent-child relationship.

4. "We are unable to keep up with their technology!" When they can't keep up with their children, many parents feel overwhelmed and intimidated. As technology continues to play an important role in children's lives, parents' digital literacy must be improved through online resources and schools. Parents must seek and receive assistance in understanding the technology that their children use.

5. "They're just online chatting with friends!" Parents may be very involved and interested in who their children talk to on the way home from school or at friends' houses, but they may not be as aware of who their children talk to online. Just as they are interested in their child's real-world interactions, the benefits and risks of online behavior must be an important and frequent topic of discussion.

Online child sexual exploitation is a serious and multifaceted problem that requires our undivided attention. We can only hope to prevent children from becoming victims of these crimes if we carefully consider these critical concerns.

Is Your Child in Actual Danger? Wary of Family Emergency Voice-Cloning Frauds


If you receive an unusual phone call from a family member in trouble, be cautious: the other person on the line could be a scammer impersonating a family member using AI voice technologies. The Federal Trade Commission has issued a warning about fraudsters using commercially available voice-cloning software for family emergency scams. 

These scams have been around for a long time, and they involve the perpetrator impersonating a family member, usually a child or grandchild. The fraudster will then call the victim and claim that they are in desperate need of money to deal with an emergency. According to the FTC, artificial intelligence-powered voice-cloning software can make the impersonation scam appear even more authentic, duping victims into handing over their money.

"All he (the scammer) needs is a short audio clip of your family member's voice—which he could get from content posted online—and a voice-cloning program. When the scammer calls you, he’ll sound just like your loved one," the FTC says in the Monday warning.

The FTC did not immediately respond to a request for comment, leaving it unclear whether the US regulator has noticed an increase in voice-cloning scams. However, the warning comes just a few weeks after The Washington Post detailed how scammers are using voice-cloning software to prey on unsuspecting families.

In one case, the scammer impersonated a Canadian couple's grandson, who claimed to be in jail, using the technology. In another case, the fraudsters used voice-cloning technology to successfully steal $15,449 from a couple who were also duped into believing their son had been arrested.

The fact that voice-cloning services are becoming widely available on the internet isn't helping matters. As a result, it's possible that scams will become more prevalent over time, though at least a few AI-powered voice-generation providers are developing safeguards to prevent potential abuse. The FTC says there is an easy way to detect a family emergency scam and keep consumers safe.

“Don’t trust the voice. Call the person who supposedly contacted you and verify the story. Use a phone number you know is theirs,” the FTC stated. “If you can’t reach your loved one, try to get in touch with them through another family member or their friends.”

Targeted victims should also consider asking the alleged family member in trouble a personal question about which the scammer is unaware.

Shoulder Surfing: What is it and how to Protect Yourself?


The Wall Street Journal reported last month on a recent trend in phone theft: Thieves in major cities want more than just expensive smartphones; they also want the users' PINs. What's the reason? A stolen phone may fetch a good price on the black market, but the financial information stored behind your phone's PIN can be worth tens of thousands of dollars more. 

The most common method for a thief to learn a phone's PIN, or passcode, is "shoulder surfing": the thief literally watches the owner enter the PIN and then steals that person's phone.

After stealing it, the thief can unlock it using the observed PIN, then change the PIN and even account passwords for the owner's online services, effectively locking the owner out of remote tracking of the stolen phone and removing their ability to remotely delete data from the stolen device. That PIN also grants the thief access to numerous financial apps on the stolen phone, which he or she can then use to transfer money from the victim's accounts.

Shoulder surfers can target anyone, whether they use an iPhone or an Android device, and especially if they use a simple 4-digit PIN to unlock their phone, as the majority of people do.

But it's 2023, and with so much personal data (photos, notes, and messages) and financial data (bank apps, money transfer apps, photos of tax records or other financial statements) on our phones, protecting all that sensitive information with a 4-digit PIN is asking for trouble. Fortunately, there are simple methods built into the iPhone's iOS and Android operating systems to protect your device from shoulder surfing. Here are things you should be aware of.
  • Cover the ATM keypad when entering your PIN.
  • Use strong passwords, a password manager, two-factor authentication or biometric authentication for an added layer of security.
  • Don't verbalize sensitive information over a mobile device in public.
  • Use a screen protector for public computers or laptops.
  • Lock your devices whenever you leave them.
  • When entering data on a cellphone in a public place, sit with your back to the wall.

Two ‘ViLE’ Cybercrime Group Members Charged in 2022 Hacking of DEA Portal


Last year, cybercriminals began using a novel method to steal subscriber data from social media companies: they would hack into police email accounts using stolen passwords purchased on the dark web, then utilise their access to file an emergency data request, or EDR. EDRs are a type of urgent subpoena that does not require court approval or broader company review. They are frequently issued by police agencies to social media companies, and law enforcement encourages the companies to turn over subscriber information on specific users as soon as possible. Hackers would conduct harassment campaigns against users using information from EDRs.  

Two people have been arrested in connection with one such scheme. Federal prosecutors charged two men with computer crimes on Tuesday, accusing them of being members of a gang that engaged in targeted online harassment and doxxing campaigns. Officials say Nicholas Ceraolo, 25, of New York, and Sagar Steven Singh, 19, of Rhode Island, are members of the "ViLE" online collective.

The group is said to have "acquired victims' information through various means" before posting or threatening to post it "on a public website administered by a ViLE member." Ceraolo and Singh, also known as "Ominous" and "Weep," are accused as part of "ViLE" of hacking into a federal law enforcement data portal and then using information from that portal to carry out extortion and harassment schemes against targets. Officials do not identify the police portal in question, only describing it as a nonpublic, password-protected web portal (the "Portal") maintained by a United States federal law enforcement agency, whose intent is to share information from government databases with state and local law enforcement agencies.

According to cybersecurity reporter Brian Krebs, the portal in question belongs to the Drug Enforcement Administration (DEA), based on his previous reporting about an earlier hack of that portal. According to Krebs, the DEA portal provides access to 16 different law enforcement databases, giving the criminals access to a wide range of sensitive information.

Ceraolo and Singh, according to federal prosecutors, used information stolen from the data portal to cyberstalk, threaten, and extort their victims. In Singh's case, he allegedly threatened targets using information obtained directly from the portal. In one instance, he contacted a victim and threatened to "harm" their family if they did not comply with his demands, citing the victim's social security number, home address, and driver's licence information, which he had pulled from the portal.

Ceraolo is accused of using his portal access to submit EDRs to social media companies, giving him access to sensitive subscriber data. The complaint describes one incident as follows:

"…between February 2022 and May 2022, Ceraolo accessed without authorization an official email account belonging to a Bangladeshi police official. Ceraolo used the account to pose as a Bangladeshi police officer in communication with U.S.-based social media platforms. In one instance, Ceraolo induced a social media platform (Platform-1) to provide information about one of its subscribers, including the subscriber’s address, email address and telephone number, by asserting that the subscriber had participated in “child extortion” and blackmail and had threatened officials of the Bangladeshi government."

It's an odd story — and an obvious example of the lengths cybercriminals will go to obtain valuable information.

“As these charges make clear, the alleged unauthorised access of a US federal law enforcement system and impersonation of law enforcement officials are serious offences, and the criminals who perpetrate these schemes will be held accountable for their crimes,” said Ivan J. Arvelo, Special Agent-in-Charge with Homeland Security Investigations for New York. “HSI and its law enforcement partners are committed to safeguarding public safety infrastructure from cyber criminals and ensuring that those seeking to compromise these systems face the fullest extent of the law.”

Ceraolo, who is charged with both wire fraud and computer crimes, faces up to 20 years in prison, according to officials. Singh faces up to five years in prison if convicted of computer crimes.

EV Charging Stations Prone to Cyber Attacks : Indian Govt to Parliament


Electric vehicle charging stations, like any other technological application, are vulnerable to cyber attacks and cyber security incidents, Indian Parliament was informed on Thursday. 

Union Minister Nitin Gadkari stated in a written reply to the Lok Sabha that the Indian Computer Emergency Response Team (CERT-In), which is tasked with tracking and monitoring cyber security incidents in India, obtained reports of security flaws in products and applications pertaining to electric vehicle charging stations. 

"The government is fully cognizant and aware of various cyber security threats and is actively taking steps to combat the issue of hacking," Gadkari said. 

According to the information reported to and tracked by CERT-In, the number of cyber security incidents reported in 2018, 2019, 2020, 2021, and 2022 is 2,08,456; 3,94,499; 11,58,208; 14,02,809 and 13,91,457, respectively.

In response to a separate question, the road transport and highways minister stated that Rs 147 lakh was paid out in compensation to victims of hit-and-run accidents during the current fiscal year until February.

The ministry  has announced the 2022 Compensation to Victims of Hit-and-Run Motor Accidents Scheme. It increases compensation for victims of hit-and-run accidents to Rs 50,000 (for serious injury) and Rs 2,00,000 (for death), with a detailed procedure for obtaining this compensation.

In reply to another question, Gadkari stated that the ministry has set a higher target of 12,200 km for National Highway construction in the current fiscal year than in the previous three fiscal years.

"The target of construction of NHs for financial year 2023-24 has not yet been finalized," he added.

The minister stated that 19 projects totaling Rs 21,864 crore have been delayed as a result of problems with land acquisition.

Exfiltration Malware: At the Forefront of Cybersecurity Issues


While massive public security breaches are understandably concerning, the increase in malware designed to exfiltrate data directly from devices and browsers is a significant contributor to continued user exposure, according to SpyCloud. Last year, over 22 million unique devices were infected by malware, according to the company's 2023 report. 
SpyCloud recovered 721.5 million exposed credentials, roughly half of which came from botnet logs, the output of information-stealing malware. These infostealers allow cybercriminals to operate at scale, stealing valid credentials, cookies, auto-fill data, and other highly valuable information for use in targeted attacks or sale on the darknet.

“The pervasive use of infostealers is a dangerous trend because these attacks open the door for bad actors like Initial Access Brokers, who sell malware logs containing accurate authentication data to ransomware syndicates and other criminals,” said Trevor Hilligoss, Director of Security Research at SpyCloud. “Infostealers are easy, cheap, and scalable, creating a thriving underground economy with an ‘anything-as-a-service’ model to enable cybercrime. This broker-operator partnership is a lucrative business with a relatively low cost of entry.”

Critical business applications are easily accessible to cybercriminals

Cybercriminals have doubled down and taken advantage of conditions created by the economic downturn: organizations expanding their hybrid workforce, ghost accounts left behind by terminated employees, and growing reliance on outsourcing.

When employees enter corporate networks using malware-infected unmanaged or undermanaged devices, threat actors have a simple route into important company applications such as single sign-on platforms and virtual private networks.

In 2022, SpyCloud researchers recovered millions of credentials stolen from popular third-party business applications that had been impacted by malware. The data stolen from these apps, which include code repositories, customer databases, messaging platforms, and HR systems, provides bad actors with the information they need to launch damaging follow-up attacks such as ransomware.

If these credentials are not properly remediated and remain active, they will continue to pose a threat to organisations even after the malware has been removed from the device.

Organizations are oblivious to the threat of sophisticated malware-based attacks

“Organizations are overlooking the mounting threat of sophisticated malware-based attacks and the protracted business impact of infected devices. Leaders need a new approach that disrupts the flow of stolen authentication data and mitigates the ongoing threat of these exposures,” said Hilligoss.

“Collectively, we need to start thinking about protecting digital identities using a Post-Infection Remediation approach, rather than solely focusing on cleaning individual infected devices. Taking action on exposed employee data before it can be used by criminals is paramount to preventing account takeover, fraud, ransomware, and other forms of cybercrime,” concluded Hilligoss.

By resetting application credentials and invalidating session cookies syphoned by infostealer malware, security teams can supplement their traditional cyber incident response playbooks with additional steps to fully negate opportunities for ransomware and other cyberattacks.

Password hygiene remains a problem

Session hijacking enabled by stolen cookies is becoming more common: In 2022, SpyCloud researchers recovered nearly 22 billion device and session cookies. These records allow criminals to gain access to sensitive information by bypassing MFA and hijacking an active session, effectively turning bad actors into employee clones.
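To make concrete what the two passages above describe (a copied cookie turning an attacker into an "employee clone" without any MFA prompt, and the remediation step of invalidating sessions rather than only cleaning the device), here is an added Python example; it is not SpyCloud's code or code from the original post. The cookie format, the per-user revocation watermark and the stealer-log records are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed server-side secret that signs session cookies (example only).
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class User:
    name: str
    must_reset_password: bool = False
    # Revocation watermark: any session issued before this instant is dead,
    # however valid its signature still is.
    sessions_invalid_before: int = 0


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user: User, issued_at: int) -> str:
    """Cookie value 'name|issued_at|mac', minted once after password + MFA."""
    payload = f"{user.name}|{issued_at}"
    return f"{payload}|{_sign(payload)}"


def validate_session(cookie: str, users: dict) -> Optional[str]:
    """Return the user name for a genuine, unrevoked cookie, else None.

    This is the MFA-bypass path: whoever presents the cookie is the user,
    so a cookie copied by an infostealer works until it is revoked."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    name, issued_at, mac = parts
    if not hmac.compare_digest(_sign(f"{name}|{issued_at}"), mac):
        return None
    user = users.get(name)
    if user is None or not issued_at.isdigit():
        return None
    if int(issued_at) < user.sessions_invalid_before:
        return None
    return name


def remediate_stealer_log(entries, users: dict, now: int):
    """Post-infection remediation for accounts named in a stealer log.

    Cleaning the device is not enough: the password and every cookie the
    stealer copied are still valid. Force a password change and move the
    watermark so all existing sessions die in one write."""
    touched = set()
    for entry in entries:
        user = users.get(entry["user"])
        if user is None:
            continue
        user.must_reset_password = True
        user.sessions_invalid_before = now
        touched.add(user.name)
    return touched


# Constructed stealer-log excerpt: account, what was taken, and from which host.
STEALER_LOG = [
    {"user": "alice", "exposed": "cookie", "host": "LAPTOP-7F3A"},
    {"user": "alice", "exposed": "password", "host": "LAPTOP-7F3A"},
    {"user": "nobody", "exposed": "cookie", "host": "LAPTOP-7F3A"},  # unknown account
]


def demo():
    """Theft, hijack, remediation and recovery in sequence; returns the outcomes."""
    users = {"alice": User("alice"), "bob": User("bob")}
    stolen = issue_session(users["alice"], issued_at=1000)   # copied by the stealer
    hijacked = validate_session(stolen, users)               # 'alice': no MFA prompt
    bobs = issue_session(users["bob"], issued_at=1500)
    touched = remediate_stealer_log(STEALER_LOG, users, now=2000)
    after = validate_session(stolen, users)                  # None: revoked
    bob_after = validate_session(bobs, users)                # 'bob': untouched account
    fresh = issue_session(users["alice"], issued_at=2001)    # after reset + fresh MFA
    return hijacked, touched, after, bob_after, validate_session(fresh, users)
```

The watermark is the piece worth copying into a real playbook: a password reset on its own leaves every existing cookie valid, whereas moving `sessions_invalid_before` kills all of a user's sessions at once without having to enumerate them, and the same check belongs in refresh-token and API-key validation too.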

Users' personally identifiable information (PII) is as appealing as it has always been: In 2022, SpyCloud researchers found 8.6 billion PII assets, including 1.4 billion full names, 332 million national IDs/full social security numbers, and 67 million credit card numbers.

Despite increased cybersecurity training emphasis, password hygiene remains poor: 72% of users exposed in breaches in 2022 continued to use previously compromised passwords. SpyCloud recovered over 327,000 passwords related to artists Taylor Swift and Bad Bunny, over 261,000 passwords associated with streaming services such as Netflix and Hulu, and over 167,000 passwords related to Queen Elizabeth's death and the British royal family.

The government sector is more exposed to malware-infected devices than the private sector: In 2022, SpyCloud discovered 695 breaches containing government email addresses, a nearly 14% increase from 2021. Password reuse rates among government employees continue to be high, with 61% of users having more than one password exposed in the previous year.

123456, 12345678, and password are the three most commonly exposed plaintext passwords associated with government emails. Malware exfiltrated nearly 74% of exposed government credentials in 2022, compared with 48.5% of exposed credentials across all sectors globally.

After Hundreds of Penetration Tests, Here are Top 5 Lessons


To keep applications safe, developers must strike a balance between creativity and security frameworks. Correlating business logic with security logic will pay dividends in terms of safety.

Web applications are the most common vectors used by attackers to carry out breaches. Web applications were the point of entry for roughly 70% of all breaches studied, according to Verizon's "Data Breach Investigations Report". 

After more than 300 Web application penetration tests, the same security mistakes keep surfacing: developers frequently do not use secure frameworks and instead attempt to write their own security code and authentication processes.

It's worth noting how much pressure developers are under to get products to market as soon as possible. They are rewarded based on how many features they can introduce as quickly as possible, rather than how securely they can introduce them. This results in security shortcuts and, in the long run, vulnerabilities in Web applications.

Five Lessons for More-Secure Apps

Pen testers act as the devil's advocate, reverse engineering what application developers create to demonstrate where and how attackers gain access. The findings have highlighted common fundamental errors. Here are five lessons that software development companies can learn to improve the security of their applications.

Attackers continue to use cross-site scripting (XSS): For a long time, XSS has been a popular Web application vulnerability. It lost its own entry in the Open Web Application Security Project (OWASP) Top 10 in 2021, when it was folded into the broader Injection category, partly because of advances in application development frameworks, but it is still visible in nearly every penetration test we conduct.

Although it is frequently thought to be low risk, XSS risks can be severe, including account takeover, data theft, and complete compromise of an application's infrastructure. Many developers believe that using a mature input validation library and setting the HttpOnly cookie attribute is sufficient, but as soon as custom code renders user-controlled data, XSS bugs still find their way in. HttpOnly keeps the session cookie out of reach of script, but injected script still runs inside the victim's authenticated session and can act on their behalf. Consider WordPress sites: an XSS attack on an administrator is critical because an administrator session can install plug-ins, which then run arbitrary code on the server.
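An added example of the custom-code case described above (not code from the original post): a vulnerable rendering function beside two escaped versions, with a small HTML-parser check in place of string matching so the result reflects what a browser would actually see. The payloads are constructed, and the point of the attribute case is that escaping `<`, `>` and `&` alone is not enough there.

```python
import html
from html.parser import HTMLParser

# Constructed attacker inputs: one aimed at a text node, one at an attribute value.
PAYLOAD_TEXT = "<script>alert(document.cookie)</script>"
PAYLOAD_ATTR = '" onmouseover="alert(1)'


def render_vulnerable(username: str) -> str:
    """Custom template code: raw concatenation, the bug seen in most tests."""
    return f"<p>Welcome back, {username}!</p>"


def render_text(username: str) -> str:
    """Text-node context: escaping &, <, > is enough."""
    return f"<p>Welcome back, {html.escape(username)}!</p>"


def render_attr_weak(value: str) -> str:
    """Looks escaped, but quote=False leaves the double quote alone, so the
    value can close the attribute and start a new one."""
    return f'<input name="q" value="{html.escape(value, quote=False)}">'


def render_attr(value: str) -> str:
    """Attribute context: quotes must be escaped too (html.escape's default)."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


class _TagCollector(HTMLParser):
    """Parses the output the way a browser would, instead of string-matching."""

    def __init__(self):
        super().__init__()
        self.tags = []  # (tag, {attr: value})

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def script_injected(markup: str) -> bool:
    """True if the rendered markup contains a real <script> element."""
    return any(tag == "script" for tag, _ in parse_tags(markup))


def handler_injected(markup: str) -> bool:
    """True if any element carries an on* event-handler attribute."""
    return any(attr.startswith("on")
               for _, attrs in parse_tags(markup) for attr in attrs)


if __name__ == "__main__":
    for label, markup, check in [
        ("vulnerable text", render_vulnerable(PAYLOAD_TEXT), script_injected),
        ("escaped text", render_text(PAYLOAD_TEXT), script_injected),
        ("weakly escaped attribute", render_attr_weak(PAYLOAD_ATTR), handler_injected),
        ("escaped attribute", render_attr(PAYLOAD_ATTR), handler_injected),
    ]:
        print(f"{label}: injected={check(markup)}  {markup}")
```

The parser-based check is the part to reuse in a test suite: asserting that the output string lacks `<script>` says nothing about an attribute-context payload, whereas asking the parser what elements and attributes it sees catches both.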

Automated scanners don't go far enough: If you only scan Web applications with automated tools, vulnerabilities are likely to slip through the cracks. These tools employ fuzzing, a technique that injects malformed data into systems, but this technique can result in false positives.

Scanners aren't always up to date with modern Web development and don't always produce the best results for JavaScript single-page applications, WebAssembly, or GraphQL. Complicated vulnerabilities necessitate a handcrafted payload to validate, rendering automated tools ineffective.

Although human analysis is required for the most accurate and detailed analysis of vulnerabilities and exploits, these scanners can be used as a supplement to quickly find the low-hanging fruit.

Homegrown authentication is usually too weak: When it comes to Web application security, authentication is everything. When developers attempt to create their own forgotten-password workflow, they frequently do so in an insecure manner.
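As an added example (not code from the original post), the following Python contrasts a typical homegrown forgotten-password token with a workflow a pen tester cannot break by prediction or replay. The in-memory store, the 15-minute lifetime and the `user:timestamp` shape of the weak token are assumptions chosen to illustrate the failure mode.

```python
import hashlib
import secrets
from dataclasses import dataclass

RESET_TTL_SECONDS = 15 * 60          # short lifetime; assumed policy value


@dataclass
class ResetRecord:
    user: str
    expires_at: int
    used: bool = False


def _token_hash(token: str) -> str:
    # Only the hash is stored: a database leak must not hand out live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(store: dict, user: str, now: int) -> str:
    """Mint a single-use token for `user` and return it for the e-mail.

    The HTTP handler around this should answer identically whether or not
    the account exists, so the endpoint cannot be used to enumerate users."""
    token = secrets.token_urlsafe(32)         # 256 bits from the OS CSPRNG
    store[_token_hash(token)] = ResetRecord(user, now + RESET_TTL_SECONDS)
    return token


def redeem_reset(store: dict, token: str, now: int):
    """Return the user name if the token is known, unexpired and unused; else None.

    On success every outstanding token for that account is burned, so a link
    replayed from a mailbox or a proxy log does nothing."""
    rec = store.get(_token_hash(token))
    if rec is None or rec.used or now > rec.expires_at:
        return None
    for other in store.values():
        if other.user == rec.user:
            other.used = True
    return rec.user


# --- The homegrown version this replaces: deterministic, so guessable -------

def weak_reset_token(user: str, now: int) -> str:
    """Pattern seen in custom workflows: hash of e-mail plus timestamp, nothing stored."""
    return hashlib.md5(f"{user}:{now}".encode()).hexdigest()


def weak_token_candidates(user: str, approx_now: int, window: int = 300):
    """Every token the weak scheme could have produced within +/- window seconds.

    An attacker who knows the victim's e-mail and roughly when the reset was
    requested submits each candidate to the reset endpoint; a few hundred
    requests is nothing."""
    return {weak_reset_token(user, t)
            for t in range(approx_now - window, approx_now + window + 1)}
```

The properties a reviewer checks for are all visible here: the token is unpredictable, stored only as a hash, expires quickly, works once, and redeeming it cancels its siblings. A reset should also terminate the account's existing sessions, which is the same revocation step the session-hijacking discussion elsewhere on this page calls for.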

Pen testers frequently find that they can access other users' information or obtain privileges that are not appropriate for their role. These horizontal and vertical access control failures let attackers lock users out of their accounts or compromise the application.

It all comes down to how authentication protocols are implemented. For example, Security Assertion Markup Language (SAML) is a single sign-on protocol that is becoming more popular as a means of increasing security, but if it is implemented incorrectly (by failing to validate the assertion's signature, for instance), you will have opened more doors than you have closed.

Attackers target flaws in business logic: Developers examine features to see if they meet the needs of the customer. They frequently fail to consider how an attacker might use that feature maliciously from the other side of the lens.

A good example is an e-commerce website's shopping cart. It is business-critical, but it is frequently insecure, resulting in serious vulnerabilities such as zeroing out the total at checkout, adding items after checkout, or replacing products with different SKUs.

It's difficult to blame developers for focusing on the primary use case and failing to recognise other, usually malicious, uses. Their performance is determined by how well they deliver the feature. Executives must consider the other side of the coin and recognise that business logic should correspond to security logic. The most important business features, such as a shopping cart or authentication workflow, are probably not suitable for a junior developer.
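An added Python example of the shopping-cart case (not code from the original post): the three abuses named above are run against a checkout that trusts the client's numbers, and then against one that recomputes everything from server-side state. The catalogue, the prices and the quantity limit are assumptions.

```python
from dataclasses import dataclass, field

# Assumed catalogue: SKU -> unit price in cents. Prices live here and nowhere else.
CATALOG = {"SKU-100": 1999, "SKU-200": 4999}
MAX_QTY_PER_LINE = 50


class CheckoutError(Exception):
    pass


@dataclass
class Order:
    lines: dict = field(default_factory=dict)   # SKU -> quantity, held server-side
    status: str = "open"


# --- Vulnerable: the client's JSON is the source of truth -------------------

def vulnerable_checkout(payload: dict) -> int:
    """Charges whatever the client says. Price, quantity and total are all
    attacker-controlled, which is exactly what the three abuses rely on."""
    if "total" in payload:                                   # zero out the total
        return int(payload["total"])
    return sum(int(line["unit_price"]) * int(line["qty"])    # SKU swap, negative qty
               for line in payload["lines"])


# --- Hardened: server state and the catalogue decide ------------------------

def add_item(order: Order, sku: str, qty: int) -> None:
    if order.status != "open":
        raise CheckoutError("order is finalized; items cannot be changed")
    if sku not in CATALOG:
        raise CheckoutError(f"unknown SKU {sku}")
    if not isinstance(qty, int) or qty <= 0:
        raise CheckoutError("quantity must be a positive integer")
    new_qty = order.lines.get(sku, 0) + qty
    if new_qty > MAX_QTY_PER_LINE:
        raise CheckoutError("quantity limit exceeded")
    order.lines[sku] = new_qty


def checkout(order: Order, payload: dict) -> int:
    """Recomputes the total from server-side lines and catalogue prices.
    The payload's prices and total are ignored; its line items only have to
    match what the server already holds, so a swapped SKU is a mismatch."""
    if order.status != "open":
        raise CheckoutError("order already paid")
    if not order.lines:
        raise CheckoutError("empty order")
    claimed = {line["sku"]: int(line["qty"]) for line in payload.get("lines", [])}
    if claimed != order.lines:
        raise CheckoutError("cart mismatch; reload the cart and try again")
    total = sum(CATALOG[sku] * qty for sku, qty in order.lines.items())
    if total <= 0:
        raise CheckoutError("non-positive total")
    order.status = "paid"
    return total


def attempt(fn, *args):
    """Run a hardened operation and report the rejection instead of raising."""
    try:
        return fn(*args)
    except CheckoutError as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    """The lesson's three abuses against both implementations."""
    honest = [{"sku": "SKU-100", "qty": 2}, {"sku": "SKU-200", "qty": 1}]
    order = Order()
    add_item(order, "SKU-100", 2)
    add_item(order, "SKU-200", 1)
    swapped = Order()
    add_item(swapped, "SKU-100", 1)
    return {
        # client-trusting version
        "vuln_zero_total": vulnerable_checkout({"lines": honest, "total": 0}),
        "vuln_sku_swap": vulnerable_checkout(
            {"lines": [{"sku": "SKU-200", "qty": 1, "unit_price": 1999}]}),
        "vuln_negative_qty": vulnerable_checkout(
            {"lines": [{"sku": "SKU-100", "qty": 2, "unit_price": 1999},
                       {"sku": "SKU-200", "qty": -1, "unit_price": 4999}]}),
        # server-side version
        "hard_total_ignored": attempt(checkout, order, {"lines": honest, "total": 0}),
        "hard_add_after_paid": attempt(add_item, order, "SKU-200", 1),
        "hard_negative_qty": attempt(add_item, Order(), "SKU-100", -1),
        "hard_sku_swap": attempt(checkout, swapped,
                                 {"lines": [{"sku": "SKU-200", "qty": 1}]}),
    }
```

The negative-quantity case is the one most often missed in review: it does not just discount the order, it turns the checkout into a refund. The hardened version treats the client's payload as a statement of intent to be compared against server state, never as input to the price calculation.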

There's no "out of scope" in a good penetration test: Because of the number of resources and assets that go into them, web applications can quickly become complex. Back-end API servers that enable the main application's functionality must be considered.

It's critical to share all of those external assets, as well as how they connect to what the developers built, with penetration testers. The developer may regard those assets as "out of scope" and thus not responsible for them, but an attacker would not respect that line in the sand. Nothing is "out of scope," as penetration tests demonstrate.

A Question of Balance

When software development companies are aware of some of the most common risks, they can engage with security auditors more effectively and make penetration tests less painful. No company wants to limit the creativity of its developers, but by balancing creativity with security frameworks, developers understand where they have leeway and where they must adhere to the guardrails that keep applications safe.

Who Is Responsible for the NetWire Remote Access Trojan?


A Croatian national was arrested for reportedly running NetWire, a Remote Access Trojan (RAT) that has been advertised on cybercrime forums since 2012 as a covert way to spy on infected systems and steal passwords. The arrest coincided with the seizure of the NetWire sales website by the Federal Bureau of Investigation in the United States (FBI). While the defendant, in this case, has not yet been publicly identified, the NetWire website has been leaking information about its owner's likely true identity and location for the past 11 years.

NetWire is a multi-platform threat that can infect not only Microsoft Windows machines but also Android, Linux, and Mac systems. It is typically installed via booby-trapped Microsoft Office documents and distributed via email. NetWire's dependability and low cost ($80-$140 depending on features) have made it a popular RAT on cybercrime forums for years, and NetWire infections consistently rank among the top ten most active RATs in use.

Since 2012, NetWire has been sold openly on the same website: worldwiredlabs[.]com. The domain was taken as part of "a coordinated law enforcement action taken against the NetWire Remote Access Trojan," according to a seizure notice from the US Department of Justice (DOJ).

“As part of this week’s law enforcement action, authorities in Croatia on Tuesday arrested a Croatian national who allegedly was the administrator of the website,” reads a statement by the DOJ today. “This defendant will be prosecuted by Croatian authorities. Additionally, law enforcement in Switzerland on Tuesday seized the computer server hosting the NetWire RAT infrastructure.”

The name of the accused was not mentioned in either the DOJ statement or a press release issued by Croatian authorities about the operation. But it's remarkable that authorities in the United States and elsewhere have taken so long to take action against NetWire and its alleged owner, given that the RAT's author apparently did very little to conceal his true identity.

The WorldWiredLabs website was launched in February 2012 on a dedicated host with no other domains. The site's true WHOIS registration records have always been hidden by privacy protection services, but there are plenty of clues in WorldWiredLabs's historical Domain Name System (DNS) records that point in the same direction.

The WorldWiredLabs domain was moved to another dedicated server at the Internet address in October 2012, which was home to only one other domain: printschoolmedia[.]org, which was also registered in 2012.

Printschoolmedia[.]org was registered to a Mario Zanko in Zapresic, Croatia, and to the email address, according to DomainTools, which shows that this email address was also used to register one other domain in 2012: wwlabshosting[.]com, which was also registered to Mario Zanko from Croatia. A look at the DNS records for printschoolmedia[.]org and wwlabshosting[.]com reveals that both domains used the DNS name server ns1.worldwiredlabs[.]com while they were online. There are no other domains that use the same name server.

Worldwiredlabs[.]com DNS records also show that the site forwarded incoming email to This email address was used to register an account at the clothing retailer, using the password "123456xx," according to Constella Intelligence, a service that indexes information exposed by public database leaks.

A reverse search on this password in Constella Intelligence reveals that it has been used by over 450 email addresses, two of which are and A search in Skype for yields three results, including the account name "Netwire" and the username "Dugidox," as well as another for a Mario Zanko (username zanko.mario).

Dugidox is the hacker handle that has been most frequently associated with NetWire sales and support discussion threads on various cybercrime forums over the years. Constella associates with a number of website registrations, including the Dugidox handle on BlackHatWorld and HackForums, as well as Croatian IP addresses for both. According to Constella, the email address used the password "dugidox2407."

Someone with the email address registered the domain dugidox[.]com in 2010. The WHOIS records for that domain name list a "Senela Eanko" as the registrant, but the address used was the same street address in Zapresic that appears in the WHOIS records for printschoolmedia[.]org, which is registered in Mr. Zanko's name.

Prior to Google+'s demise, the email address corresponded to an account with the nickname "Netwire wwl." The dugidox email address was also linked to a Facebook account (mario.zanko3), which included check-ins and photos from various locations throughout Croatia.

That Facebook page is no longer active, but the administrator of WorldWiredLabs stated in January 2017 that he was considering adding certain Android mobile functionality to his service. Three days later, the mario.zanko3 profile posted a photo saying he was chosen for an Android instruction course — with his dugidox email clearly visible.

According to incorporation records from the United Kingdom's Companies House, Mr. Zanko became an officer in a company called Godbex Solutions LTD in 2017. In a YouTube video, Godbex is described as a "next generation platform" for exchanging gold and cryptocurrencies. As per Companies House records, Godbex was dissolved in 2020. Mr. Zanko was born in July 1983, and his occupation is listed as "electrical engineer."

Multiple requests for comment from Mr. Zanko went unanswered. The Croatian police have issued a statement regarding the NetWire takedown.

The United States has Released its National Cybersecurity Strategy: Here's What you Need to Know


The US government is taking steps to enhance the country's cybersecurity capabilities and improve its overall technology governance strategy. President Joe Biden recently unveiled a new National Cybersecurity Strategy aimed at securing cyberspace and building a resilient digital ecosystem that is easier to defend than to attack. 

"When we pick up our smartphones to keep in touch with loved ones, log on to social media to share our ideas with one another, or connect to the internet to run a business or take care of any of our basic needs, we need to be able to trust that the underlying digital ecosystem is safe, reliable and secure," Biden wrote in the framework's preface.

The strategy is part of a broader effort by the Biden administration to reinforce cyber and technology governance, which includes increasing accountability for tech firms, strengthening privacy protections, and ensuring fair competition online.

Why does the United States require a National Cybersecurity Strategy?

The world is becoming more complex, and cyber threats are becoming more sophisticated, with ransomware attacks causing millions of dollars in economic losses in the United States. According to IBM, the average cost of a ransomware attack in 2022 was more than $4.5 million. The greatest threats we face are interconnected, raising the prospect of a "polycrisis," in which the overall combined impact of these events exceeds their individual impact.

This is also true of technological risks, where attacks on critical information infrastructure, for example, could have disastrous consequences for public infrastructure and health, or where rising geopolitical tensions increase the risk of cyberattacks.

Cybercrime and cyber insecurity were ranked eighth in terms of severity of impact by risk experts polled for the World Economic Forum's Global Risks Report, both in the short term (the next two years) and over the next decade. According to Google data, state-sponsored cyberattacks targeting NATO users increased by 300% in 2022 compared to 2020. With cyberattacks on the rise, experts at the World Economic Forum's Annual Meeting at Davos predicted that 2023 would be a "busy year" for cyberspace with a "gathering cyber storm".

“This is a global threat, and it calls for a global response and enhanced and coordinated action,” Jürgen Stock, Secretary-General of the International Criminal Police Organization (INTERPOL), said at Davos.

According to the Forum's Global Cybersecurity Outlook 2023, 93% of cybersecurity experts and 86% of business leaders believe global instability will have a negative impact on their ability to ensure cybersecurity in the future.

As Biden notes, "Cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense.

"We must ensure the internet remains open, free, global, interoperable, reliable, and secure – anchored in universal values that respect human rights and fundamental freedoms."

What are the National Security Strategy's five pillars?

Because the COVID-19 pandemic has accelerated the world's digital transformation, we rely on connected devices and digital technology to do more than ever before, putting our lives and livelihoods at greater risk from cyber threats.

The US National Security Strategy recognizes the need to rebalance the burden of responsibility for cybersecurity away from small businesses and individuals and onto the public and private organizations best placed to defend cyberspace through "robust collaboration".

It also aims to strengthen cyberspace resilience by balancing the need to address immediate threats with incentivizing investment in the digital ecosystem's secure, long-term future. Each of the five pillars it establishes is divided into strategic objectives, but here's a quick rundown of what they entail:

1. Defend critical infrastructure
2. Disrupt and dismantle threat actors
3. Shape market forces to drive security and resilience
4. Invest in a resilient future
5. Forge international partnerships to pursue shared goals

Despite the Risk of Ransomware Attacks, Businesses Continue to Pay


Most companies in four Asia-Pacific countries have had to protect against phishing and ransomware attacks, with those infected in Australia being the most willing to pay ransomware demands. Australians are also the most likely to be victims of such attacks, with 92% reporting phishing incidents and 90% reporting business email compromise attacks.

 As per Proofpoint's State of the Phish report, another 86% and 80% have had to deal with ransomware and supply chain attacks, respectively. In Singapore, South Korea, Japan, and Australia, 2,000 employees and 200 security professionals were polled. Singaporeans experienced the next highest number of attacks, with 85% dealing with phishing incidents and 78% dealing with ransomware attacks. Another 72% reported business email compromise, with 46% reporting direct financial loss.

However, while Singapore reported the highest number of ransomware infections (68%), their Australian counterparts (58% of whom were infected) were more likely to cave to ransom demands when breached. In Australia, 90% admitted to making a payment at least once, compared to 71% in Singapore and 63% in South Korea. Only 18% of Japanese businesses paid at least one ransom, the lowest overall, while the global average was 64%.

In accordance with the report, Japanese law forbids local businesses from transferring funds to organized crime, which may include cybercrime. According to Proofpoint, 64% of Japanese respondents reported a successful phishing attack, compared to the global average of 84%. According to the security vendor, this could be due to cybercriminals' lack of fluency in the local language, which makes it easier for Japanese employees to identify poorly worded phishing lures.

"Around the world, English is the language most used in phishing attacks, so businesses that don't conduct activities in English may receive some protection," the report noted. However, it highlighted that it might be less culturally acceptable in some countries to acknowledge they suffered a security breach, resulting in under-reporting. 

In South Korea, 48% of the 72% who experienced ransomware attacks became infected. In Australia, 83% of the 96% who had cyber insurance said their insurer paid the ransom in full or in part. In Singapore, 90% of respondents reported having cyber insurance, with 95% reporting that their insurers paid the ransom in full or in part.

In South Korea, 82% had cyber insurance, while 74% and 72%, respectively, said their insurers covered the ransom payment in full or in part. Globally, 76% of organizations were targeted by ransomware, with 64% becoming infected. 82% of insurers stepped up to pay the ransom in full or in part for those who had a cyber insurance policy for ransomware attacks.

"While conventional phishing remains successful, many threat actors have shifted to newer techniques, such as telephone-oriented attack delivery and adversary-in-the-middle (AitM) phishing proxies that bypass multi-factor authentication," said Ryan Kalember, Proofpoint's executive vice president of cybersecurity strategy. "These techniques have been used in targeted attacks for years, but 2022 saw them deployed at scale. We have also seen a marked increase in sophisticated, multi-touch phishing campaigns, engaging in longer conversations across multiple personas. Whether it's a nation state-aligned group or a business email compromise actor, there are plenty of adversaries willing to play the long game."

The security vendor emphasized the significance of employee training and security awareness, especially as phishing attempts become more sophisticated.

"The awareness gaps and lax security behaviours demonstrated by employees create substantial risk for organisations and their data," said Jennifer Cheng, Proofpoint's Asia-Pacific Japan director of cybersecurity strategy. "While email remains the favoured attack method for cybercriminals, we've also seen them become more creative--using techniques much less familiar such as smishing and vishing. Since the human element continues to play a crucial role in safeguarding companies, there is clear value in building a culture of security that spans the entire organisation." 

Transparent Tribe Hackers Disseminate CapraRAT via Trojanized Messaging Apps


Transparent Tribe, an alleged Pakistan-aligned advanced persistent threat (APT) group, has been linked to an ongoing cyber espionage campaign targeting Indian and Pakistani Android users with a backdoor called CapraRAT. 

"Transparent Tribe distributed the Android CapraRAT backdoor via trojanized secure messaging and calling apps branded as MeetsApp and MeetUp," ESET said in a report shared with The Hacker News.

It is estimated that up to 150 victims, most of whom have military or political affiliations, were targeted, with the malware ( available for download from fake websites posing as official distribution centers for these apps. The targets are believed to have been lured by a honeytrap romance scam in which the threat actor approaches the victims via another platform and persuades them to install malware-laced apps under the guise of "secure" messaging and calling.

The apps, however, come pre-installed with CapraRAT, a modified version of the open-source AndroRAT that Trend Micro first documented in February 2022 and that exhibits overlap with a Windows malware known as CrimsonRAT.

The backdoor includes a plethora of features that allow it to capture screenshots and photos, record phone calls and surrounding audio, and exfiltrate sensitive data. It can also make calls, send SMS messages, and receive download commands. However, in order to use the app's features, users must first create an account by linking their phone numbers and completing an SMS verification step.

As stated by the Slovak cybersecurity firm, the campaign is narrowly targeted and there is no evidence that the apps were available on the Google Play Store.

Transparent Tribe, also known as APT36, Operation C-Major, and Mythic Leopard, was recently linked to another wave of attacks against Indian government organizations using malicious versions of the Kavach two-factor authentication solution.

The research comes just weeks after cybersecurity firm ThreatMon detailed a spear-phishing campaign by SideCopy actors targeting Indian government entities with the goal of deploying an updated version of the ReverseRAT backdoor.

LastPass Releases New Security Incident Disclosure and Recommendations


LastPass was compromised twice last year by the same actor, once in late August 2022 and again on November 30, 2022. On Wednesday, the global password manager company released a report with new findings from its security incident investigation as well as recommended actions for affected users and businesses. As per LastPass, the hacker first gained access to a software engineer's corporate laptop in August. 

The first attack mattered because the information the threat actor stole during that initial incident was reused in the second. The bad actor then launched the second, coordinated attack by exploiting a vulnerability in a third-party media software package. The second attack targeted the home computer of a DevOps engineer.

“The threat actor was able to capture the employee’s master password as it was entered after the employee authenticated with MFA and gained access to the DevOps engineer’s LastPass corporate vault,” detailed the company's recent security incident report.

LastPass has validated that the attacker gained access to the company's data vault, cloud-based backup storage containing configuration data, API secrets, third-party integration secrets, customer metadata, and all customer vault data backups during the second incident. The LastPass vault also includes access to the shared cloud-storage environment, which houses the encryption keys for customer vault backups stored in Amazon S3 buckets, which users utilize to store data in their Amazon Web Services cloud environment.

The second attack was laser-focused and carefully planned, as it targeted one of only four LastPass employees with access to the corporate vault. After decrypting the vault, the hacker exported the entries, including the decryption keys required to access the AWS S3 LastPass production backups, other cloud-based storage resources, and related data.

In two security bulletins, LastPass issued instructions to affected users and businesses. The following are the key points from those bulletins. The Security Bulletin: Recommended Actions for LastPass Free, Premium, and Families includes best practices for master passwords, guides to creating strong passwords, and enabling extra layers of security such as multifactor authentication. Users were also urged to change their passwords.

LastPass master passwords should be between 16 and 20 characters long, include a minimum of one upper and lower case, numeric, symbol, and special character, and be unique — that is, not used on another site. Users can reset LastPass master passwords by following the official LastPass guide.

LastPass also requested that users use the Security Dashboard to check the security score of their current password strength, enable and test the dark web monitoring feature, and enable default MFA. Users are notified when their email addresses appear in dark web forums and sites. To assist businesses that use LastPass, the Security Bulletin: Recommended Actions for LastPass Business Administrators was created specifically after the incident. The more comprehensive guide contains ten points:
  • Master password length and complexity.
  • The iteration counts for master passwords.
  • Super admin best practices.
  • MFA shared secrets.
  • SIEM Splunk integration.
  • Exposure due to unencrypted data.
  • Deprecation of Password apps (Push Sites to Users).
  • Reset SCIM, Enterprise API, and SAML keys.
  • Federated customer considerations.
  • Additional considerations.
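
The master-password rules given above (16 to 20 characters, each character class present, not reused elsewhere) and the "iteration counts" item in the administrator bulletin are both mechanical checks. The following is an added example, not LastPass code: a policy checker that returns every rule a candidate breaks, plus a PBKDF2-HMAC-SHA256 derivation whose iteration count is compared against a floor. That floor is an assumption taken from OWASP's password-storage guidance rather than a number from the article, and the sample passwords and salt are constructed.

```python
"""Master-password policy check and PBKDF2 vault-key derivation.

Added illustration of the master-password rules and the "iteration counts"
bulletin item above; not LastPass code. The minimum iteration count is an
assumption taken from OWASP's password-storage guidance for PBKDF2-HMAC-SHA256,
not a figure from the article, and the sample passwords are constructed.
"""
import hashlib
import string

MIN_LEN, MAX_LEN = 16, 20          # length range stated in the article
MIN_PBKDF2_ITERATIONS = 600_000    # assumption: OWASP guidance for PBKDF2-HMAC-SHA256


def check_master_password(pw: str, used_elsewhere: frozenset = frozenset()) -> list:
    """Return every rule the candidate breaks; an empty list means it passes.

    'symbol' and 'special character' from the bulletin are treated as one
    class here (any ASCII punctuation), which is an interpretation.
    used_elsewhere stands in for whatever reuse check a deployment has
    (a breach-corpus lookup, the vault's own entries).
    """
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isupper() for c in pw):
        problems.append("needs an upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("needs a lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a symbol")
    if pw in used_elsewhere:
        problems.append("reused on another site")
    return problems


def derive_vault_key(pw: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256.

    Every extra iteration costs an attacker the same work it costs the
    legitimate client, which is why the bulletin asks admins to review counts.
    """
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations, dklen=32)


def iteration_count_ok(iterations: int) -> bool:
    """Compare a configured iteration count against the assumed floor."""
    return iterations >= MIN_PBKDF2_ITERATIONS


if __name__ == "__main__":
    candidate = "Correct-Horse-2023!"           # constructed sample
    print(check_master_password(candidate) or "policy: pass")
    key = derive_vault_key(candidate, b"constructed-salt", MIN_PBKDF2_ITERATIONS)
    print("key:", key.hex())
```

The checker reports all failures at once rather than stopping at the first, which is what a user-facing form needs; the derivation is deterministic for a given salt and count, so changing either produces a different key, and a too-low configured count is what `iteration_count_ok` flags.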
Super admin LastPass users have access to more features than the average administrator. Following the attacks, the company issued special recommendations for super admin users due to their extensive powers. The following are LastPass super admin recommendations.

LastPass has stated that it is confident that it has taken the necessary steps to limit and eliminate future access to the service; however, according to Wired, the most recent disclosure of LastPass was so concerning that security professionals "started calling for users to switch to other services." LastPass' main competitors are 1Password and Dashlane.

Experts have also questioned LastPass's transparency, pointing out that it fails to date security incident statements and has yet to clarify when the second attack occurred or how long the hacker was inside the system; the amount of time a hacker spends inside a system has a significant impact on the amount of data and systems that can be exploited. (I contacted LastPass for a response but did not receive one.)

The consequences of these recent security incidents are clear to LastPass users. While the company maintains that there is no evidence that the compromised data is being sold or marketed on the dark web, business administrators are left to deal with LastPass' extensive recommendations.

A password-free future

Unfortunately, password manager hacking is not a new phenomenon. Since 2016, LastPass has had security incidents every year, and other top password managers such as Norton LifeLock, Passwordstate, Dashlane, Keeper, 1Password, and RoboForm have been either targeted, breached, or proven to be vulnerable, according to Best Reviews.

Password manager companies are increasingly being targeted by cybercriminals because they store sensitive data that can be used to access millions of accounts, including cloud accounts where business-critical systems and digital assets are hosted. Cybersecurity practices, transparency, breaches, and data exfiltration can all have an impact on the future of these password manager companies in this highly competitive landscape.

Thousands of Websites Attacked Via Compromised FTP Credentials


Wiz, a cloud security startup, has issued a warning about a widespread redirection campaign in which thousands of East Asian-targeted websites have been affected using legitimate FTP credentials. In many cases, the attackers gained access to highly secure auto-generated FTP credentials and utilized them to hijack the victim websites to redirect visitors to adult-themed content. 

The campaign, which has most likely been ongoing since September 2022, has compromised at least 10,000 websites, many of which are owned by small businesses and large corporations. According to Wiz, differences in hosting providers and tech stacks make it difficult to identify a common entry point.

As part of the initial incidents, the attackers added "a single line of HTML code in the form of a script tag referencing a remotely hosted JavaScript script" to the compromised web pages. The injected tags cause a JavaScript script to be downloaded and executed on the machines of website visitors.
According to Wiz, in some cases, JavaScript code was injected directly into existing files on the compromised server, most likely via FTP access, ruling out the possibility of malvertising.
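
The injected tag described above is a single `<script src=...>` line pointing at a host the site never used, so the defender's check is to compare every external script reference against the hosts the site legitimately loads from, and to keep a fingerprint of each deployed file so a re-injection after clean-up is noticed. The following is an added example, not Wiz's code: a parser that lists script tags whose host is not on an allowlist (protocol-relative `//host/x.js` included), plus a SHA-256 fingerprint for baseline comparison. The allowlisted hosts, the sample page and the injected hostname are all constructed.

```python
"""Flag externally hosted <script> tags that are not on a site's allowlist.

Added illustration for the injected-script-tag technique described above; not
Wiz's code. The allowlisted hosts, the sample page and the injected hostname
are constructed; a real deployment would build the allowlist from the site's
own asset manifest.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist. "" stands for relative src values such as /static/app.js.
ALLOWED_SCRIPT_HOSTS = frozenset({"", "www.example-shop.test", "cdn.example-shop.test"})


class ScriptTagCollector(HTMLParser):
    """Record (line number, src) for every <script> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":                      # html.parser lower-cases tag names
            line, _offset = self.getpos()
            self.scripts.append((line, dict(attrs).get("src")))


def find_foreign_scripts(html: str, allowed=ALLOWED_SCRIPT_HOSTS) -> list:
    """Return [(line, src)] for script tags whose host is not allowlisted.

    Protocol-relative values ("//host/x.js"), which work on both http and
    https pages, are resolved by urlparse like any other URL. Userinfo and
    port are stripped so "user@host:8443" still compares on the hostname.
    """
    collector = ScriptTagCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for line, src in collector.scripts:
        if src is None:
            continue                              # inline script: out of scope here
        host = urlparse(src.strip()).netloc.lower().split("@")[-1].split(":")[0]
        if host not in allowed:
            hits.append((line, src))
    return hits


def fingerprint(html: str) -> str:
    """SHA-256 of the file as deployed; store it to detect later re-injection."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


# Constructed sample page with one injected, protocol-relative script on line 4.
SAMPLE_PAGE = "\n".join([
    "<html><head>",
    '<script src="/static/app.js"></script>',
    '<script src="https://cdn.example-shop.test/lib.js"></script>',
    '<script src="//injected-host.test/r.js"></script>',
    "</head><body><p>Hello</p></body></html>",
])

if __name__ == "__main__":
    for line, src in find_foreign_scripts(SAMPLE_PAGE):
        print(f"line {line}: foreign script {src}")
    print("baseline fingerprint:", fingerprint(SAMPLE_PAGE))
```

Run over every HTML and template file the FTP account can write to, the host check catches the initial injection and the fingerprint comparison catches the case the article mentions where the redirect reappears after an administrator removes it; the fingerprint should be stored somewhere the same FTP credentials cannot reach.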

The cybersecurity startup has identified a number of servers associated with this campaign, which serve JavaScript variants that share many similarities, implying they are closely linked, if not part of the same activity.

Before redirecting the visitor to the destination website, the JavaScript redirection code checks for specific conditions such as a probability value, a cookie set on the victim's machine, whether the visitor is a crawler, and whether or not they are using Android. 

Originally, the JavaScript code was seen fingerprinting users' browsers and sending the gathered data to attacker-controlled infrastructure. The behavior, however, has not occurred since December 2022. Other changes in the redirection scripts that Wiz has noticed include the addition of intermediate servers to the redirection chain in February 2023.

In some cases, website administrators removed the malicious redirection only to find it reemerged shortly afterward. As per Wiz, the campaign's goal could be ad fraud or SEO manipulation, but the attackers could also be looking to increase traffic to the destination websites. However, the threat actors may decide to employ the gained access for other illicit reasons.

Resecurity Discovered the Investment Scam Network Digital Smoke


Resecurity discovered one of the largest investment fraud networks in terms of size and volume of operations, designed to defraud Internet users from Australia, Canada, China, Colombia, the European Union, India, Singapore, Malaysia, the United Arab Emirates, Saudi Arabia, Mexico, the United States, and other regions. The bad actors, acting as an organized crime syndicate, built a massive infrastructure to impersonate popular Fortune 100 corporations from the United States and the United Kingdom, using their brands and market reputation to defraud consumers. Once the victims' payments are received, they delete previously created resources and launch the next new campaign, which is why the group was dubbed "Digital Smoke" by investigators.

According to the FTC's most recent report, "The Top Scams of 2022," people reported losing $8.8 billion to scams. The total damage from investment fraud, including ponzi and pyramid schemes, exceeds $5.8 billion in the United States and more than $77 billion globally (2022), with significant rapid growth beginning in Q1 2023. Beyond monetary losses, investment fraud causes significant harm to investors. According to a FINRA survey, financial scams cause health, marital, and trust issues. Businesses suffer significant damage to customer loyalty and brand reputation, affecting sales and market profile in the long run.

Notably, bad actors have impersonated world-renowned brands such as ABRDN (UK), Blackrock (US), Baxter Medical (US), EvGo (US), Ferrari (Italy), ITC Hotels (India), Eaton Corporation (US/UK), Novuna Business Finance (UK), Tata (India), Valesto Oil (Malaysia), Lloyds Bank (UK), and many more.

The impersonations spanned financial services (FIs), oil and gas, renewable energy, EV batteries, electric vehicles, healthcare, semiconductors, and globally recognized investment corporations and funds. In Q4 of 2022, information about Digital Smoke, as well as the identities of key actors, was shared with the Indian Cybercrime Coordination Center and US Law Enforcement. The majority of scam projects have been terminated as a result of coordinated action and numerous domain takedowns.

The group's operating model was centered on investment opportunities in non-existent products and investment plans purportedly offered by Fortune 100 corporations and state-owned entities. The bad actors created a large network of web resources and related mobile applications hosted on bulletproof hosting providers in jurisdictions not easily reachable for immediate takedowns - the total number of identified hosts in December 2022 alone exceeded 350, with thousands of related domains used for 'cloaking' (Black SEO), hidden redirects, and short URLs to protect the payment gateway used by fraudsters to collect payments from victims. Notably, a combination of these methods allowed fraudsters to process funds with great flexibility, including support for Google Pay (GPay), PhonePe, Paytm, and major online-banking platforms.

To attract investors, the bad actors registered multiple fake domain names with similar brand spelling and promoted them via social media and instant messenger apps. Notably, the links used by bad actors to register new victims included a referral code that was linked to affiliates promoting the scam on YouTube and WhatsApp IM. After the victim registers, the bad actors ask them to make a deposit by sending money to an Indian bank account.

Notably, Digital Smoke cybercriminals were interested in oil markets and renewable energy products. The impersonators included Shell, Glencore, Ovintiv, and Lukoil, as well as Velesto Oil, a Malaysia-based multinational provider of drilling for the upstream sector of the oil and gas industry. ACWA Power, based in the Kingdom of Saudi Arabia, was identified as one of the most recent brands abused in January 2023.

This aspect distinguishes the campaign because of the strong emphasis on oil traders, which is not commonly used by investment scammers. In some of the observed scams, bad actors offered victims the opportunity to invest in new oil fields, the construction of petroleum stations, and renewable energy technologies. It's worth noting that some of the language used in this pretext was lifted from existing investment programs aimed at entrepreneurs and franchises looking for new business opportunities in the oil and gas industry. This activity is unusual for cybercriminals and may serve as a clear differentiator for the Digital Smoke group. The activity spike occurred during the Christmas and New Year's holiday seasons when both Internet users and financial institutions were overwhelmed with logistics and payments. In the first quarter of 2023, the activity continued to include new impersonated brands from other industries, such as semiconductors and EV batteries.

Aside from businesses, the fraudsters had no qualms about targeting state-owned enterprises and using their profiles to defraud users. The India Brand Equity Foundation, a Trust established by the Government of India's Department of Commerce, Ministry of Commerce and Industry, was one of the organizations impersonated by Digital Smoke fraudsters. Following a similar pattern, the bad actors created a number of scams that impersonated government resources in the UAE by imitating the profile of the Minister of State for Foreign Trade.

The Digital Smoke case is noteworthy, and it may confirm how sophisticated investment scams have become in recent years. Fraudsters put in a lot of time and effort to create high-quality resources that look almost identical to their well-known investment product counterparts - in the case of Digital Smoke, they created a separate mobile app with a unique design for each investment scam they ran.

Digital Smoke has clearly demonstrated how bad actors use cross-border payments and different jurisdictions to make further investigation and identification of their victims more difficult. Investment fraudsters take advantage of this flaw to conceal the origin of the activity and distribute payment flows through multiple merchants and money mules located in different countries. Resecurity discovered a large network of money mules leveraging accounts in multiple Indian financial institutions that process victim payments. The accounts that were involved in fraudulent activity were reported to law enforcement.

“Proactive fraud intelligence gathering enables to protect consumers and keep financial institutions aware about merchants used by cybercriminals. Their timely identification along with tracking of involved money mules helps to minimize potential damage caused by illicit activity.” – said Christian Lees, Chief Technology Officer (CTO) at Resecurity, Inc.

Notably, legitimate businesses that have been impersonated suffer serious consequences, both in terms of reputation and customer loyalty - which is why an effective and ongoing brand protection system is one of the must-have solutions to mitigate the negative side effects of such scams. Business leaders should consider monitoring their brands' online exposure, which includes, but is not limited to, social media, mobile marketplaces, and instant messaging services.

Fraudsters can Rob your Entire Digital Life Using this iPhone Feature


The Wall Street Journal has recently published a detailed article covering a technique that thieves are using to steal not only people's iPhones, but also their savings. The attack depends on the thieves (often working in groups) gaining not only physical access to the device but also the passcode — the short string of numbers that acts as a fallback when Touch ID or Face ID fails (or isn't used, for whatever reason). With the passcode and the device, thieves are able to change the password associated with an Apple ID "within seconds", while also remotely logging out any other connected Macs or iPads.

After that, the phone can be freely used to empty bank accounts using any installed financial apps before being sold. The article contains numerous examples of victims who have lost tens of thousands of dollars as a result of the scam.

How the iPhone passcode scam works

According to the Journal, incidents have occurred in New York, Austin, Denver, Boston, Minneapolis, and London. The attack usually happens on nights out, when victims' attention has been dulled by alcohol. Thieves typically observe people entering their passcodes (sometimes filming to ensure accuracy) and then steal the phone once the victim is distracted.

“It’s just as simple as watching this person repeatedly punch their passcode into the phone,” Sergeant Robert Illetschko, lead investigator on a case in Minnesota where a criminal gang managed to steal nearly $300,000 via this technique, told the Journal. “There’s a lot of tricks to get the person to enter the code.” 

According to the paper, in some cases, the criminals will first befriend the victim, convincing them to open a social media app. If the user has Face ID or TouchID, the criminal may borrow the phone to take a photo, then subtly restart it before returning it, as a freshly rebooted phone requires the passcode to be entered.

If a thief obtains your iPhone and passcode, your phone can be wiped and sold for a quick profit. The consequences multiply if you keep banking apps on it, and they become worse still if you keep other personal data on it.

Apple Card accounts have been opened in a couple of cases, according to the Journal. Given the amount of personal data required, that shouldn't be possible, but many people keep that data on their phones as well. Apple's own technology can work against users here; for example, the ability to search for text within photos appears to have revealed one man's Social Security number.

Concerningly, the paper also reports that hardware security keys, which were introduced in iOS 16.3, did not prevent someone holding the passcode from changing the Apple ID password. Worse, the stolen passcode could be used to remove the hardware keys from the account.

“We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare,” an Apple spokesperson said. “We will continue to advance the protections to help keep user accounts secure.”

The Journal notes that while Android phones aren’t immune to this kind of attack, law enforcement officials say that the higher resale value of iPhones makes them a far more common target.

What can you do to protect yourself from an iPhone passcode scam?

The first point to make is that you are significantly safer if you only use Face ID or Touch ID in public, because the Apple ID password reset requires the passcode and biometric logins will not suffice.

If you find yourself entering a passcode in public, cover your screen: you never know who is watching. Of course, this is useless if someone demands your passcode and iPhone at gun or knife point, as has been reported in some areas. However, if you create an Apple ID recovery key, the damage will be significantly reduced. This means that criminals won't be able to reset your password using the stolen passcode and will instead need a 28-character code.

While this may not prevent some short-term financial losses, the Journal reports that "most" banks and financial apps have refunded money stolen through such fraudulent activity.

The recovery key has a downside, though: if you forget your 28-character code, you're locked out for good. But at least your precious memories saved to iCloud won't be lost forever, as they were for one victim interviewed by the Journal.

“I go to my Photos app and scroll up, hoping to see familiar faces, photos of my dad and my family — they’re all gone,” said Reyhan Ayas, who had her iPhone 13 Pro Max snatched by a man she’d just met outside a bar in Manhattan. “Being told permanently that I’ve lost all of those memories has been very hard.”

How SMB Protocol Functions and its Susceptibility to Vulnerabilities


The SMB protocol enables computers connected to the same network to share files and hardware such as printers and external hard drives. However, the protocol's popularity has also led to an increase in malicious attacks, as older versions of SMB do not use encryption and can be exploited by hackers to access sensitive data. It is crucial to understand the different types of SMB and how to stay protected from associated risks. 

The Server Message Block (SMB) is a network protocol used for sharing data between devices on a local or wide area network. Originally developed by IBM in the mid-1980s for file sharing in DOS, it has since been adopted by other operating systems including Microsoft's Windows, Linux, and macOS.

The SMB protocol plays a crucial role in the regular activities of various businesses and groups by providing a convenient means of retrieving files and accessing resources from other computers connected to the network.

Consider a scenario where you are part of a team whose members operate from distinct locations. In such situations, the SMB protocol is an excellent tool for swiftly and effortlessly exchanging files. It enables every team member to retrieve identical data and collaborate on assignments. Several individuals can remotely view or modify the same file as if it were stored on their personal computers.

How Does the SMB Protocol Function?

To establish a connection between the client and server, the SMB protocol uses a request/response model. An exchange proceeds as follows:

Step 1: Client request: The client (the device making the request) sends an SMB packet to the server. The packet includes the complete path to the requested file or resource.

Step 2: Server response: The server (the device that has access to the requested file or resource) evaluates the request and, if successful, responds with an SMB packet containing additional information on how to access the data.

Step 3: Client processing: The client receives the response and then processes the data or resource as needed.

SMB Protocol Types

The SMB protocol has seen a few upgrades as technology has advanced. There are several types of SMB protocols available today, including:
  • SMB Version 1: This is the original version of the SMB protocol, released by IBM in 1984 for file exchange on DOS. It was later modified by Microsoft for use on Windows.
  • CIFS: The Common Internet File System (CIFS) is a modified version of SMBv1 that was designed to allow for the sharing of larger files. It was first included in Windows 95.
  • SMB Version 2: SMB v2 was released by Microsoft in 2006 with Windows Vista as a more secure and efficient alternative to previous versions. This protocol added features like improved authentication, larger packet sizes, and fewer commands.
  • SMB Version 3: SMB v3 was released by Microsoft with Windows 8. It was created to boost performance while also adding support for end-to-end encryption and improved authentication methods.
  • SMB Version 3.1.1: The most recent version of the SMB protocol was released with Windows 10 in 2015, and it is fully compatible with all previous versions. It adds security features such as AES-128 encryption and further protections against malicious attacks.

What Are the SMB Protocol's Risks?

Although the SMB protocol has been a valuable asset to many businesses, it also poses some security risks. This protocol has been used by hackers to gain access to corporate systems and networks. It has evolved into one of the most popular attack vectors used by cyber criminals to breach systems.

Worse, despite the availability of upgraded versions of SMB, many Windows devices continue to use the older, less secure versions 1 or 2. This increases the likelihood that malicious actors will exploit these devices and gain access to sensitive data.

The following are the most common SMB exploits.
  • Brute Force Attacks
  • Man-in-the-Middle Attacks
  • Buffer Overflow Attacks
  • Ransomware Attacks
  • Remote Code Execution

Maintain Your Safety While Employing the SMB Protocol

Despite the risks associated with the SMB protocol, it remains an important component of Windows. As a result, it is critical to ensure that all business systems and networks are protected from malicious attacks.

To stay safe, only use the most recent version of the SMB protocol, keep your security software up to date, and keep an eye on your network for unusual activity. It is also critical to train your staff on cybersecurity best practices and to ensure that all users use strong passwords. By taking these precautions, you can keep your company safe from malicious attacks.
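
The request/response exchange described under "How Does the SMB Protocol Function?", the dialect list under "SMB Protocol Types", and the advice above to run only the latest version and watch the network for unusual activity can all be seen in one place by decoding the first message of every SMB connection: the NEGOTIATE request, in which the client lists the dialects it supports, and the NEGOTIATE response, in which the server picks one. The following is an added example written for this post, not code from the original article or from any SMB implementation. It assumes the field layout of the public MS-SMB2 specification (a fixed 64-byte little-endian header, dialect revision codes 0x0202 through 0x0311) and that the 4-byte NetBIOS session header carried on TCP/445 has already been stripped; the packets it inspects are constructed inline for demonstration.

```python
"""Decode SMB2 NEGOTIATE messages and flag weak offers (added example).

Layouts follow the public MS-SMB2 specification. Sample packets are
constructed below; the NetBIOS session header is assumed already removed.
"""
import struct
import uuid

SMB1_MAGIC = b"\xffSMB"   # SMBv1 / CIFS header signature
SMB2_MAGIC = b"\xfeSMB"   # SMB2 / SMB3 header signature
SMB2_NEGOTIATE = 0x0000   # command code of the first message on a connection
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # header flag set on responses
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001   # SecurityMode bits
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

# Dialect revision codes carried in NEGOTIATE (the protocol versions listed above)
DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
            0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
HEADER_FMT = "<4sHHIHHIIQIIQ"   # 48 bytes of fixed fields, then a 16-byte signature


def parse_smb2_header(data):
    """Decode the 64-byte header that starts every SMB2/SMB3 message."""
    if len(data) < 64 or data[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    (_magic, struct_size, _charge, _status, command, _credits, flags,
     _next, message_id, _pid, _tree, session_id) = struct.unpack(HEADER_FMT, data[:48])
    if struct_size != 64:
        raise ValueError("bad SMB2 header StructureSize")
    return {"command": command, "flags": flags, "message_id": message_id,
            "is_response": bool(flags & SMB2_FLAGS_SERVER_TO_REDIR),
            "session_id": session_id, "signature": data[48:64]}


def parse_negotiate_request(body):
    """Step 1: the client's offer (body starts right after the header)."""
    if len(body) < 36:
        raise ValueError("truncated NEGOTIATE request")
    struct_size, count, security_mode, _res, caps = struct.unpack("<HHHHI", body[:12])
    if struct_size != 36 or len(body) < 36 + 2 * count:
        raise ValueError("malformed NEGOTIATE request")
    dialects = struct.unpack("<%dH" % count, body[36:36 + 2 * count])
    return {"security_mode": security_mode, "capabilities": caps,
            "client_guid": uuid.UUID(bytes_le=body[12:28]), "dialects": list(dialects)}


def parse_negotiate_response(body):
    """Step 2: the server's choice of dialect and its signing policy."""
    if len(body) < 64:
        raise ValueError("truncated NEGOTIATE response")
    struct_size, security_mode, dialect = struct.unpack("<HHH", body[:6])
    if struct_size != 65:
        raise ValueError("malformed NEGOTIATE response")
    return {"security_mode": security_mode, "dialect": dialect}


def classify(data):
    """Triage one raw SMB message the way a passive network monitor would."""
    findings = []
    if data[:4] == SMB1_MAGIC:
        return {"version": "SMB1", "findings": ["legacy SMBv1/CIFS in use: no encryption"]}
    hdr = parse_smb2_header(data)
    result = {"version": "SMB2+", "command": hdr["command"], "findings": findings}
    if hdr["command"] != SMB2_NEGOTIATE:
        return result
    if hdr["is_response"]:
        neg = parse_negotiate_response(data[64:])
        chosen = neg["dialect"]
    else:
        neg = parse_negotiate_request(data[64:])
        result["dialects"] = [DIALECTS.get(d, "unknown 0x%04x" % d) for d in neg["dialects"]]
        chosen = max(neg["dialects"])
    result["dialect"] = DIALECTS.get(chosen, "unknown 0x%04x" % chosen)
    if chosen < 0x0300:
        findings.append("no SMB 3.x dialect: transport encryption unavailable")
    if not neg["security_mode"] & SMB2_NEGOTIATE_SIGNING_REQUIRED:
        findings.append("signing not required: relay / man-in-the-middle risk")
    return result


def build_negotiate_request(dialects, security_mode, message_id=0):
    """Construct a sample NEGOTIATE request (test input, not captured traffic)."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1, 0, 0,
                         message_id, 0xFEFF, 0, 0) + b"\x00" * 16
    body = struct.pack("<HHHHI", 36, len(dialects), security_mode, 0, 0)
    body += uuid.UUID(int=0x1234).bytes_le + b"\x00" * 8   # ClientGuid, Reserved
    return header + body + struct.pack("<%dH" % len(dialects), *dialects)


def build_negotiate_response(dialect, security_mode):
    """Construct a sample NEGOTIATE response with non-security fields zeroed."""
    header = struct.pack(HEADER_FMT, SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
                         SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0xFEFF, 0, 0) + b"\x00" * 16
    return header + struct.pack("<HHHH", 65, security_mode, dialect, 0) + b"\x00" * 57


if __name__ == "__main__":
    samples = [SMB1_MAGIC + b"\x72" + b"\x00" * 27,   # SMB1 negotiate, 32-byte header
               build_negotiate_request([0x0202, 0x0210], SMB2_NEGOTIATE_SIGNING_ENABLED),
               build_negotiate_response(0x0311, SMB2_NEGOTIATE_SIGNING_ENABLED |
                                        SMB2_NEGOTIATE_SIGNING_REQUIRED)]
    for pkt in samples:
        print(classify(pkt))
```

Two things worth noting about the design. First, the client-side check uses the highest dialect offered, because a client that never offers an SMB 3.x dialect cannot get encryption whatever the server supports, whereas on the response side the server's single chosen dialect is what the session will actually run. Second, the check on the signing bit is deliberately strict: "signing enabled" alone is advisory, and only "signing required" on at least one side prevents an unsigned session, which is the condition a relay or man-in-the-middle attack needs. SMB 3.1.1 negotiates its cipher and pre-authentication integrity hash through negotiate contexts that follow the fixed fields; the example does not decode those, so an SMB 3.1.1 result here means encryption is available, not that it is in use.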