Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Software Updates. Show all posts
Youtube
Cheatcodes LummaC2 malware malware Piracy Software Updates Youtube

Are YouTube Game Cracks Hiding Malware?


Recently, cybersecurity researchers have unearthed a disturbing trend: threat actors are exploiting YouTube to distribute malware disguised as video game cracks. This alarming course of action poses a significant risk to unsuspecting users, especially those seeking free software downloads.

According to findings by Proofpoint Emerging Threats, cybercriminals are leveraging popular video-sharing platforms to target home users, who often lack the robust defences of corporate networks. The plan of action involves creating deceptive videos offering free access to software and video game enhancements, but the links provided lead to malicious content.

The malware, including variants such as Vidar, StealC, and Lumma Stealer, is camouflaged within seemingly innocuous downloads, enticing users with promises of game cheats or software upgrades. What's particularly troubling is the deliberate targeting of younger audiences, with malicious content masquerading as enhancements for games popular among children.

The investigation uncovered several compromised YouTube accounts, with previously dormant channels suddenly flooded with English-language videos promoting cracked software. These videos, uploaded within a short timeframe, contained links to malware-infected files hosted on platforms like MediaFire and Discord.

One example highlighted by researchers featured a video claiming to enhance a popular game, accompanied by a MediaFire link leading to a password-protected file harbouring Vidar Stealer malware. Similarly, other videos promised clean files but included instructions on disabling antivirus software, further endangering unsuspecting users.

Moreover, cybercriminals exploited the identity of "Empress," a well-known entity within software piracy communities, to disseminate malware disguised as cracked game content. Visual cues provided within the videos streamlined the process of installing Vidar Stealer malware, presenting it as authentic game modifications.

Analysis of the malware revealed a common tactic of bloating file sizes to evade detection, with payloads expanding to approximately 800 MB. Furthermore, the malware utilised social media platforms like Telegram and Discord for command and control (C2) activities, complicating detection efforts.

Research into the matter has again enunciated the need for heightened awareness among users, particularly regarding suspicious online content promising free software or game cheats. While YouTube has been proactive in removing reported malicious accounts, the threat remains pervasive, targeting non-enterprise users vulnerable to deceptive tactics.

As cybercriminals continue to exacerbate their methods, it's imperative for individuals to exercise caution when downloading software from unverified sources. Staying informed about emerging threats and adopting cybersecurity best practices can help combat the risk of falling victim to such schemes.


Read more »
Software Updates
Apple Apple MacOS Guardz macOS macOS Ventura 13.5 malware Software Updates

New Malware can Allow Control of macOS Without Users Noticing


Cybersecurity company Guardz recently exposed a new malware, used by hackers to take control of unprotected Macs, remotely. Guardz describes how a threat agent has been selling the tool on a Russian cybercrime forum since April 2023 in a blog post. 

Hidden Virtual Network Computing (HVNC)

HVNC is a malware, sharing similarities with a VNC (Virtual Network Computing), a tool used in remotely controlling computers over the internet or other networks. 

An employer with an IT department might, for instance, utilize VNC to diagnose a worker's computer, and the worker can see that the computer is being accessed. However, with an HVNC, the target user is unaware of the access, allowing a threat actor to utilize an HVNC for malicious practices.

Reportedly, the malware has been distributed to the Russian cybercrime forum – Exploit. For a "lifetime price of $60,000," the threat agent is selling the HVNC, and for an extra $20,000, the customer can add "more malicious capabilities to the arsenal."

However, Guardz did not mention any instance of such a case except in Mac. Moreover, the CVE.report database that identifies various vulnerabilities and exploits did not yet make an entry of the HVNC malware, and neither did Apple release an official statement.

How to Protect Oneself Against the Malware

While malware attacks are inevitable, users can protect themselves by taking certain measures.

First, one must make sure to update their macOS to the latest version. Moreover, Apple provides safeguards within macOS, along with releasing security patches regularly through OS updates, thus it becomes necessary to adopt them whenever they are made available to the users.

With macOS Ventura 13.5 being the latest version, a user who is using any other version is in fact running an older version, which needs to be updated. However, Apple has released security updates for its operating systems like Monterey and Big Sur – Monterey 12.6.8 and Big Sur 11.7.9 on July 24. 

Since malware are often presented as legitimate software distributed to users via email or on web forums and slipshod websites, another way that can keep users from falling prey to the malware is by only downloading software from trusted sources, like App Store or directly from the developers.

Moreover, users can make use of the several guides provided online, such as the guides on ‘whether or not you need antivirus software,’ list of Mac viruses, malware, and Trojans, and a comparison of Mac security software.

Read more »
Third-party software security
3CX Update Incident response malware Software Updates Third-party software security

The Risks of Automatic Updates: A Closer Look at the Malicious 3CX Update

3CX Malicious Update

On March 31, 2023, several companies reported that their 3CX phone systems had suddenly stopped working. Upon investigation, they found that their systems had been compromised by a malicious software update delivered by 3CX's automatic update system. In this blog, we'll take a closer look at the incident and explore the lessons that can be learned from it.

The 3CX Incident: How It Happened

The attackers had managed to gain access to 3CX's update servers and replace a legitimate software update with a malicious version. This update, which was automatically installed on thousands of 3CX systems, contained a backdoor that gave the attackers full access to the compromised systems. They were able to steal sensitive data, listen in on calls, and even make unauthorized calls.

The Risks of Automatic Updates

The incident highlights the risks associated with automatic software updates, which are designed to keep systems up to date with the latest security patches and bug fixes. While automatic updates can be a convenient way to keep systems secure, they can also be a vector for malware and other malicious software.

In the case of the 3CX incident, the attackers were able to compromise the update system itself, which meant that even systems that were fully up to date were still vulnerable to the attack. This is a particularly worrying development, as it means that even the most security-conscious organizations may be at risk if their software vendors are compromised.

The Importance of Multi-Layered Security Measures

The incident also highlights the importance of multi-layered security measures. While automatic updates can be an important part of an organization's security strategy, they should not be relied upon as the sole defense against attacks. Other measures, such as regular vulnerability scanning, threat intelligence monitoring, and user training, can help to reduce the risks associated with automatic updates.

Organizations should also ensure that they have a robust incident response plan in place, which includes procedures for dealing with unexpected software failures or security breaches. This can help to minimize the impact of a security incident and ensure that systems are quickly restored to normal operation.

Evaluating Third-Party Software Security

Finally, organizations should carefully evaluate the security risks associated with any third-party software they use, including the software update mechanisms. Vendors should be asked about their security practices and measures, such as encryption, authentication, and monitoring, to ensure that their systems are protected against attacks.

3CX's Response

In response to the incident, 3CX has released a statement urging all users to immediately update their systems to the latest version, which includes a fix for the backdoor. They have also announced that they are conducting a full investigation into the incident and working with law enforcement to identify the attackers.

The 3CX incident is a stark reminder of the importance of multi-layered security measures and the risks associated with automatic software updates. While automatic updates can be a convenient way to keep systems up to date with the latest security patches and bug fixes, they can also be a vector for malware and other malicious software.

Organizations should carefully evaluate the security risks associated with any third-party software they use and take a proactive approach to security, including regular vulnerability scanning, threat intelligence monitoring, and user training. With the right security measures in place, organizations can help to reduce the risks associated with automatic updates and ensure that their systems remain secure against cyber threats.

Read more »
TTP
bOOKcOVE Cyber Fraud Cyberattacks Kimsuky NIS Software Updates Spear-Phishing Emails TTP

Kimsuky's Attacks Alerted German and South Korean Agencies

 


In a joint warning issued by the German and South Korean intelligence agencies, it has been noted that a North Korean hacker group named Kimsuky has been increasing cyber-attack tactics against the South Korean network. With sophisticated phishing campaigns and malware attacks, the group has been suspected of being behind the attacks. It is believed that the North Korean government is behind them. Cyberattacks continue to pose a major threat to businesses and governments throughout the world as a result of increasing cyberattacks. 

Kimsuky (aka Thallium and SmokeScreen) is a North Korean threat group that has developed a reputation for utilizing cutting-edge tools and tactics in its operations. There have been two upcoming attack tactics developed by the group that enhances the espionage capabilities of the organization. These tactics raise no red flags on security radars. There are several malicious Android apps and YouTube extensions being abused as well as Google Chrome extensions.   

Kimsuky is believed to have expanded its tactics to attack a wide range of organizations in both countries, according to the German Office for Information Security (BSI) and South Korea's National Intelligence Service (NIS). Initially targeting U.S. government agencies, research institutions, and think tanks, the group has now spread to businesses in the technology and defense sectors as well. 

Kimsuky appears to be using a new malware called "BookCove" to steal sensitive information from its targets, according to a statement issued by the company. A spear-phishing email is designed to appear like it has been sent from a reputable source, but in reality, the message contains malware. Upon clicking the link or attachment in an email that contains malware, the user's computer is infected with the malware. The hacker can have access to the victim's data and can monitor the activities of the victim as a result of this. \

Various South Korean and German agencies suggest that organizations should implement the necessary precautions to safeguard themselves against these threats. Security measures must be taken, such as multi-factor authentication and regular updates, and employees must be educated on the risks associated with phishing. 

North Korean hacking group, Kimsuky, has been operating since 2013, providing malware for PCs. Several sources claim that the group is linked to the Reconnaissance General Bureau of the North Korean government. This Bureau gathers intelligence and conducts covert operations on behalf of the government. 

According to research, the apps, which embed FastFire and FastViewer, are distributed through Google Play's "internal testing" feature. This gives third-party developers the ability to send apps to a "small set of trusted testers." 

Nevertheless, it bears mentioning that these internal app testing exercises cannot exceed 100 users per app, regardless of the number of users. This is regardless of when the app is released into production. There is no doubt that this campaign has a very targeted nature, which indicates its focus. 

Two malware-laced apps use Android's accessibility services to steal sensitive information ranging from financial to personal information. APK packages for each app are listed below with their respective names in APK format:

  • Com. viewer. fast secure (FastFi) 
  • Com.tf.thinkdroid.secviewer (FastViewer) 
Organizations can take the following measures to protect themselves against Kimsuky's attacks 

A multi-factor authentication system protects the network and system from unauthorized access since it requires the attacker to possess at least two factors, such as a password and a physical device, such as a mobile phone. 

Even if cyber criminals could get past some existing security measures, this would make it far harder for them to access private data. In addition to the above-mentioned measures, organizations may also wish to consider taking the following measures to protect themselves: 
  • Maintaining a regular software update schedule is important. 
  • The best practices for protecting your company's information are taught to your employees. 
  • It is essential to use tools and techniques to detect and respond to advanced threats. 
A robust incident response plan is a crucial tool for organizations to develop to be prepared in case of an incident. If cyberattacks occur, they should be able to respond rapidly and effectively to mitigate their impact.

A growing number of companies are attacked by state-sponsored groups like Kimsuky due to cyberattacks. To reduce their risk of falling victim to these sophisticated cyber-espionage tactics, businesses and governments in Germany need to take proactive steps to protect themselves, including improving their security systems. 

Operating silently, Kimsuky has continuously evolved its TTPs to keep up with changing threats, as well as developing efficient tactics. The majority of attacks are conducted using phishing or spear-phishing. The most significant priority that must be addressed against this threat is to protect the accounts of individuals or organizations and other critical assets. Those involved in organizations and individuals are advised to keep abreast of the latest tactics and adhere to relevant agencies' recommendations.
Read more »
Subscribe to: Posts (Atom)