
LightSpy Spyware: A Chinese Affair Targeting iPhone Users in South Asia

 


The LightSpy spyware has been used by cyberespionage groups to spy on users of iPhones, iPads, and other mobile devices in South Asia in a recent campaign. According to reports, the group behind the campaign consists of China-based hackers who have been planning surveillance attacks against a specific region. 

This latest version of LightSpy, codenamed 'F_Warehouse,' also features a modular structure that significantly enhances the program's spying abilities. Because many of the allegedly infected individuals are in India, initial investigations suggest a possible focus on that country. 

Researchers found that the Apple iOS spyware known as LightSpy is being used in cyberespionage campaigns targeting South Asia. This sophisticated mobile spyware has resurfaced after a period of inactivity lasting several months. In a report published by the BlackBerry Threat Research and Intelligence Team, security researchers state that the most recent LightSpy campaign uses an extremely sophisticated spying framework with a modular design. 

To protect its command and control (C2) servers from interception and detection, LightSpy employs certificate pinning. The campaign is believed to primarily target iPhone users in India, although incidents have recently been reported in Bangladesh, Sri Lanka, Afghanistan, Pakistan, Bhutan, the Maldives, and Iran as well. As in previous campaigns, which used hacked news websites carrying Hong Kong-related stories, the attackers are suspected of deploying LightSpy through compromised websites. 

In its report, BlackBerry uncovered that the loader delivers the core implant along with several plugins that extend the capabilities of the primary backdoor. LightSpy is considered an iOS backdoor that spreads via watering hole attacks, in which attackers infect websites popular with their intended targets and compromise the devices of people who visit those infected sites. 

According to BlackBerry, the latest spyware attacks appear to have been staged through infected news websites: targeted individuals visited them and ended up with LightSpy installed on their devices. Spyware of this kind typically gathers information such as phone numbers, SMS messages, exact location, and voicemail, among other things. 

The report suggests that the attack was carried out by Chinese hackers, since its infrastructure and functionality closely resemble those of the DragonEgg spyware, which has been linked to a Chinese nation-state hacker group. Specifically, the report states that LightSpy can collect location data, sound recordings, contacts, SMS messages, and data from apps such as WeChat and Telegram in order to extract sensitive information from the phone. 

The re-emergence of the LightSpy implant highlights the growing threat of mobile espionage campaigns. It also makes Apple's security updates all the more important after the recent mercenary spyware attacks that affected iPhone users in 92 countries, with which this campaign is in line. 

As BlackBerry points out, the most recent version of LightSpy, discovered this month, can also retrieve files and data from popular apps like Telegram and WeChat, iCloud Keychain data, and browsing history from Safari and Chrome. Indications of possible state-sponsored involvement in LightSpy's development include the certificate pinning that prevents interception of communication with its C2 server, as well as the presence of Chinese-language artefacts in the implant's source code. 

According to Apple's recent threat notifications, sent to users in 92 countries including India, the situation has become more severe. The resurgence of LightSpy, a mobile spying tool with worrying new capabilities, now poses an alarming threat to individuals and organisations throughout South Asia and marks an escalation in mobile spying attacks.

Pegasus Spyware Targets Two Journalists in Togo: RSF

 

Reporters Without Borders (RSF) disclosed that two journalists in Togo had spyware on their phones with traces resembling the potent Pegasus surveillance tool sold by the NSO Group. RSF reports that the journalists are accused of defaming a government minister and are currently on trial. The West African nation has been ruled by the same repressive royal family since 1963. 

RSF was unclear about the detected spyware, stating only that the "traces are typical of Pegasus." According to RSF, the Togo government employed Pegasus until at least 2021, and one of the two targeted journalists was exposed to a "major cyber-espionage operation throughout the first half of 2021." 

RSF reported that Loïc Lawson, publisher of Flambeau des Démocrates, had 23 spyware attacks on his phone from February to July 2021. A second journalist, freelancer Anani Sossou, was targeted many months later, in October 2021. 

RSF stated that its forensic service for journalists, Digital Security Lab, conducted months of investigation, and Amnesty International's Security Lab corroborated its findings in an independent analysis. 

The organisation began probing the alleged phone tampering in December, roughly three weeks after the journalists were detained. Their arrest followed a complaint from Togo's minister of urban planning, housing, and land reform, who objected to their reporting disclosing the theft of approximately 600,000 Euros (nearly $650,000) in cash from his home.

According to RSF, the journalists were accused of undermining the minister's image and "inciting revolt" at a trial that began last month. While investigating the arrests, RSF stated in a press statement that it "discovered that [the journalists] had in fact been in the crosshairs of the Togolese authorities for a long time." 

The findings mark the first verified incident of spyware being used against journalists in Togo. Pegasus spyware has frequently targeted journalists, human rights campaigners, and opposition party leaders around the world in recent years. Researchers say the attack took place in February, shortly after the Russian government banned Timchenko's journal, Meduza, for being critical of Russia's invasion of Ukraine.

Gaming PCs as Silent Storytellers: Why Privacy Is Crucial

 


Online games and video games are incredibly popular as a way to connect and interact with other people, whether on gaming consoles, computers, or mobile devices. However, online gaming also poses risks, such as viruses, identity theft, and phishing attempts. 

Privacy threats are nothing new, but they are often overlooked when it comes to PC gaming. Achievements are one example: for a game to award them, it must track at least some of its players' interactions so it can tell when they have earned X or Y. 

As it becomes clear that such in-game tracking is ubiquitous and often taken for granted, it is worth taking a closer look at whether PC gaming might be a privacy threat and how easily it is overlooked as one. If these devices are not protected, the information on them may be accessed and stolen by identity thieves and other fraudsters.

Spammers can use an unprotected computer as a "zombie drone" to send spam that appears to come from that computer. Such computers may also be infected with viruses or spyware that make them slow and unresponsive. 

Users can protect their privacy in several ways by taking good care of their devices and following safety measures and good practices. For important software such as a web browser, users should make sure they install the updates recommended by their device's manufacturer or operating system provider, particularly important ones. 

A variety of tools can prevent malicious software from running on a device, including antivirus software, antispyware software, and firewalls. PC games are generally permitted to collect a limited amount of personal information, provided users consent and the collection stays within reasonable limits. Additionally, this data may be used, shared, and stored in a wide variety of ways depending on the gaming device or platform being used. 

Antivirus software


In essence, antivirus software protects users against viruses that can damage their data, slow down or crash their hardware, or even allow spammers to send emails through the user's account. Antivirus protection scans a user's files and incoming emails for viruses and removes anything that could cause harm.

To protect themselves from the latest "bugs" circulating on the internet, users must keep their antivirus software updated regularly; most antivirus software has a feature that automatically downloads updates when the user is online. A firewall, whether a software program or a physical device, prevents cybercriminals from entering and using a computer. Hackers use Internet search engines to find exposed computers in much the same way that some telemarketers dial random phone numbers to reach clients. 

Concerns In Online Gaming 

Spyware Threats in Gaming


In the gaming world, players may find themselves at risk of spyware, particularly when engaging with untrustworthy online gaming platforms. Spyware, a clandestine monitoring tool, operates silently, observing a user's online activities without their awareness. The gathered information may be exploited by unscrupulous entities, leading to severe privacy breaches. 

Guarding Against Cyberbullying in Gaming


A typical instance of cyberbullying within the gaming community can be a very distressing experience for those involved. Besides humiliating their targets, perpetrators also use intimidation to coerce victims into revealing personal information. Once obtained, a user's information can be used against them, which is why vigilance and protective measures are essential to safeguarding a player's interests in a gaming environment. 

Researchers Details the Licensing Model of Predator Spyware


A recent analysis of the sophisticated commercial spyware Predator reveals that its ability to persist across reboots is offered as an "add-on feature" that depends on the license options selected by the customer.

Predator is the result of a collaboration known as the Intellexa Alliance, which also comprises Senpai Technologies, Nexa Technologies, and Cytrox (later bought by WiSpear). In July 2023, the United States put Cytrox and Intellexa on its Entity List due to their "trafficking in cyber exploits used to gain access to information systems."

Regarding the issue, Cisco Talos researchers Mike Gentile, Asheer Malhotra, and Vitor Ventura said in a report, "In 2021, Predator spyware couldn't survive a reboot on the infected Android system (it had it on iOS) [...] However, by April 2022, that capability was being offered to their customers."

The cybersecurity vendor first revealed the inner workings of Predator and its close relationship with another loader component named Alien more than six months ago. 

"Alien is crucial to Predator's successful functioning, including the additional components loaded by Predator on demand [...] The relationship between Alien and Predator is extremely symbiotic, requiring them to continuously work in tandem to spy on victims," Malhotra told cybersecurity firm Hackernews in an interview. 

Predator is a "remote mobile extraction system" that can target both Android and iOS. It is sold on a licensing model that can cost millions of dollars, depending on the number of concurrent infections and the exploit used for initial access. This puts Predator out of the reach of script kiddies and inexperienced criminals.

Spyware like Predator and Pegasus, the latter designed by the NSO Group, often depends on zero-day exploit chains in Android, iOS, and web browsers as covert intrusion vectors. However, as Apple and Google keep patching the security holes, these attack chains become useless and the vendors have to start over.

It is significant to note that the organizations that create mercenary surveillance tools can also obtain whole or partial exploit chains from brokers and turn them into functional exploits for compromising target devices.

Another noteworthy aspect of Intellexa's business model is that it leaves the task of building the attack infrastructure to its customers, giving the company some degree of plausible deniability if the campaigns are discovered, which is an inevitable outcome.

"The delivery of Intellexa's supporting hardware is done at a terminal or airport," the researchers said. "This delivery method is known as Cost Insurance and Freight (CIF), which is part of the shipping industry's jargon ('Incoterms'). This mechanism allows Intellexa to claim that they have no visibility of where the systems are deployed and eventually located."

Furthermore, because the operations are intrinsically connected to the license, which is by default limited to a single phone country code prefix, Intellexa has "first-hand knowledge" of whether their customers are conducting surveillance activities outside of their own borders.  

Hacker Threat: Israeli Police Advise Citizens not to Answer Unknown Calls

 

The Israeli Police and the National Cyber Directorate have advised citizens against answering unexpected WhatsApp calls from abroad. This is because it may be a sign of an attempt to hack a phone. Authorities claim that a high volume of these calls, including video calls, are occurring among Israelis. 

Noting that the issue is being reported to Meta, WhatsApp's parent company, the cyber directorate further stated that answering such calls will not result in a phone being hacked or damaged. Authorities advise WhatsApp users to modify their privacy settings to block calls from unknown numbers. 

Additionally, the Israel Defense Forces (IDF) reported that during the night, fighters from its Shayetet 13 Naval Commando unit conducted what it called a targeted raid from the sea in the southern Gaza Strip. The forces involved in the operation destroyed the terrorist organisation Hamas's infrastructure and conducted operations within a compound that was utilised by the group's naval commando forces. 

The attack also involved Israel Navy vessels and Israeli Air Force aircraft. The mission was accomplished, and the troops departed the area. The Times of Israel reported that the IDF, however, withheld specific details of the attack and its intended target. 

Local authorities in Ashkelon, a coastal city in the south, report that multiple rockets fired from the Gaza Strip last Friday night were part of the most recent bombardment. Medical staff at the Magen David Adom ambulance service stated that they were searching for anyone who might have been wounded. A single rocket was caught on camera striking a city road, and the balcony of a high-rise apartment block sustained damage.

Two independent forensic analyses of the Israeli citizen's iPhone published by Haaretz earlier this year in April revealed that the device had twice been infected with Pegasus spyware in the previous two years.

The man was notified by Apple in two separate instances that his device might have been the target of a state-sponsored attack. The man has requested to remain anonymous. It is possible that an Israeli law enforcement agency (such as the Shin Bet or Israel Police) was lawfully surveilling him for purposes unrelated to his political activism.

Russian Exiled Journalist Says EU Should Ban Spyware


The editor-in-chief of the independent Russian news site Meduza has urged the European Union to enact a comprehensive ban on spyware, given that spyware has been frequently used to violate human rights.

According to Ivan Kolpakov, Meduza's editor-in-chief based in Latvia, it was obvious that Europeans should be very concerned about Pegasus in light of the discoveries regarding the hacking of his colleague Galina Timchenko by an as-yet-unconfirmed EU country.

"If they can use it against an exiled journalist there are no guarantees they cannot use it against local journalists as well [...] Unfortunately, there are a lot of fans in Europe, and we are not only talking about Poland and Hungary, but Western European countries as well," said Kolpakov.

Since last month, the European Commission has been working on guidelines for how governments could employ surveillance technologies like spyware in compliance with EU data privacy and national security rules. Although member states are responsible for their own national security, the Commission is considering adopting a position after learning that 14 EU governments had purchased the Pegasus technology from NSO Group.

Apparently, Timchenko was targeted by Pegasus in February 2023 while she was in Berlin for a private gathering of exiled Russian media workers. The meeting's subject was the threats posed by the Russian government's categorization of independent Russian media outlets as foreign agents.

Given the nature of Timchenko's work, Russia was first suspected; but according to the digital rights organization Access Now, additional information suggests that an intelligence service of an EU member state, which one is yet unknown, is more likely to blame.

Allegedly, the motive behind the hack could be that numerous Baltic nations, to whom Russia has consistently posed a threat, are worried that a few FSB or GRU agents may have infiltrated their borders among expatriate dissidents and journalists.

“It may happen and probably it actually happens, but in my opinion, it does not justify the usage of that kind of brutal tool as Pegasus against a prominent independent journalist,” Kolpakov said.

Kolpakov believes that the revelations have left the exiled community feeling they are not safe in Europe. “This spyware has to be banned here in Europe. It really violates human rights,” he added.     

Investigation Exposes Covert Israeli Spyware Infecting Targets through Advertisements

 

Insanet, an Israeli software company, has reportedly developed a commercial product named Sherlock, capable of infiltrating devices through online advertisements to conduct surveillance on targets and gather data for its clients. 

This revelation comes from an investigation by Haaretz, which disclosed that the spyware system was sold to a non-democratic country. This marks the first public disclosure of Insanet and its surveillance software. Sherlock is capable of infiltrating devices running Microsoft Windows, Google Android, and Apple iOS, as per the provided marketing information.

According to journalist Omer Benjakob's findings, this is the first instance worldwide where a system of this nature is marketed as a technology rather than a service. Insanet obtained approval from Israel's Defense Ministry to globally market Sherlock as a military product, subject to stringent restrictions, including sales exclusively to Western nations. Even presenting it to potential clients in the West requires specific authorization from the Defense Ministry, which is not always granted.

Founded in 2019, Insanet is owned by individuals with backgrounds in the military and national defense. Its founders include Dani Arditi, former chief of Israel's National Security Council, and cyber entrepreneurs Ariel Eisen and Roy Lemkin. Despite attempts to reach out, Arditi and Lemkin did not respond to inquiries, and Eisen could not be reached for comment.

Insanet affirmed its adherence to Israeli law and strict regulatory guidelines. In marketing its surveillance software, Insanet collaborated with Candiru, an Israel-based spyware manufacturer previously sanctioned in the US. The combined offering includes Sherlock and Candiru's spyware, with the former priced at six million euros ($6.7 million, £5.2 million) for a client.

The Haaretz report cited a Candiru marketing document from 2019, confirming Sherlock's capability to breach Windows-based computers, iPhones, and Android devices. Traditionally, different companies specialized in breaching distinct devices, but this system demonstrates the ability to effectively breach any device.

The Electronic Frontier Foundation's Director of Activism, Jason Kelley, expressed concern over Insanet's use of advertising technology to infect devices and surveil targets. Dodgy online ads not only serve as potential carriers for malware but can also be tailored to specific groups of people, making it particularly worrisome.

Sherlock stands out for leveraging legal data collection and digital advertising technologies, commonly favored by Big Tech and online media, for government-level espionage. This differs from other spyware like NSO Group's Pegasus or Cytrox's Predator and Alien, which tend to be more precisely targeted.

Mayuresh Dani, Qualys' threat research manager, likened the threat to malvertising, where a malicious ad is broadly distributed to unsuspecting users. In this case, however, it involves a two-stage attack: first profiling users using advertising intelligence (AdInt) and then delivering malicious payloads via advertisements, making unsuspecting users vulnerable to such attacks.

Israeli Cyber Firms Unveil Groundbreaking Spyware Tool


Israeli cybersecurity companies have made an unparalleled spyware tool available, which has shocked the whole world's computer sector. This new breakthrough has sparked discussions about the ethics of such sophisticated surveillance equipment as well as worries about privacy and security.

According to a recent article in Haaretz, the Israeli cyber industry has unveiled a cutting-edge spyware tool that has been dubbed Insanet. This highly advanced technology reportedly possesses capabilities that make it virtually impervious to existing defense mechanisms. As the article states, "Israeli cyber firms have developed an insane new spyware tool, and no defense exists."

The tool's sophistication has caught the attention of experts and cybersecurity professionals worldwide. It has the potential to reshape the landscape of cyber warfare and espionage, making it both a remarkable achievement and a significant cause for concern.

The Insanet spyware tool's capabilities remain shrouded in secrecy, but it is said to be capable of infiltrating even the most secure networks and devices, bypassing traditional security measures with ease. Its existence highlights the ever-evolving arms race in the world of cybersecurity, where hackers and defenders constantly vie for the upper hand.

While the Israeli cyber industry boasts about this technological breakthrough, ethical concerns loom large. The Register, in its recent report on Insanet, emphasizes the need for a robust ethical framework in the development and deployment of such powerful surveillance tools. Privacy advocates and human rights organizations have already expressed their apprehension regarding the potential misuse of this technology.

As the world becomes increasingly interconnected, issues related to cyber espionage and surveillance gain prominence. The introduction of Insanet raises questions about the balance between national security interests and individual privacy rights. Striking the right balance between these two conflicting priorities remains an ongoing challenge for governments and technology companies worldwide.

The appearance of the Insanet spyware tool created by Israeli cyber companies marks an important turning point in the history of cybersecurity. Its unmatched capabilities bring both opportunities and risks, and the ethical and security ramifications of such cutting-edge technology highlight the necessity of ongoing discussion and international cooperation. Governments, corporations, and individuals must manage the complexity of cybersecurity as we advance in the digital era to ensure that innovation does not compromise privacy and security.


Apple Issues Security Updates for Actively Exploited Vulnerabilities in iOS

 

Apple released a series of patches this week for several iOS zero-day flaws that have already been used by malicious parties to covertly install malware and steal user data, so it is important to update your phone as soon as you can. 

iOS 16.5.1, which is now available for download if you have an iPhone 8 or newer, fixes a critical security vulnerability that allows hackers to access all of your personal data saved on your iPhone.

This particular vulnerability was discovered in Russia, where thousands of Russian government officials' iPhones were allegedly infected with malware. It's a kernel flaw that allows bad actors to execute arbitrary code with kernel privileges, which means hackers can run whatever code they want on a targeted device. 

According to The Washington Post, the attackers have been sending iMessages with malicious attachments that compromise their targets' iPhones and give the attackers access. The latest iOS patch also addresses a vulnerability in WebKit, the browser engine used to display webpages on Apple devices; it too allowed hackers to obtain personal data by executing arbitrary code on a target's phone. 

Apple stated on the support page for the update that the attacks have only been observed on devices running iOS 15.7 or earlier. While this indicates that the company is not aware of exploitation against newer iOS versions, those systems may still be exposed, so Apple urges all users to install iOS 16.5.1 even if their iPhone appears to be unaffected by the aforementioned vulnerabilities. 

American authorities are also taking this security concern seriously: after the Cybersecurity and Infrastructure Security Agency added the two exploited vulnerabilities to its Known Exploited Vulnerabilities catalog, federal agencies were asked to install the latest version by July 13.

Even if you don't think you're a target for malware, now is a good time to update your device if you have one of the supported iPhones. To install iOS 16.5.1 on your device right now, go to Settings > General > Software Update.

This New Android FluHorse Malware Steals Passwords & 2FA Codes

 

A new Android malware known as 'FluHorse' has been uncovered that targets users in Eastern Asia with fake applications mimicking legitimate ones. Check Point Research uncovered the malware, which has been targeting various regions of Eastern Asia since May 2022.

The FluHorse malware is delivered via email, and its purpose is to steal the target's account credentials and credit card details, as well as two-factor authentication (2FA) codes if necessary. Malicious emails are sent to high-profile targets, encouraging them to take fast action to remedy a payment issue.

Typically, the victim is directed to a phishing site via a link in the email, from which they download the bogus APK (Android package file). The FluHorse carrier apps resemble 'ETC,' a Taiwanese toll-collection app, and 'VPBank Neo,' a Vietnamese banking app. On Google Play, the legitimate versions of both apps have over a million downloads.

Check Point also discovered malware masquerading as transit software used by 100,000 people, although the name of the software was not provided in the study. Upon installation, all three bogus apps request SMS access in order to intercept incoming 2FA codes in case they are required to hijack the accounts.

According to the analysts, the fake apps mimic the originals' user interfaces but lack functionality beyond two to three windows that load forms harvesting the victim's information. As per Check Point, the malicious apps were written in Dart and used the Flutter platform, making reverse engineering and decompiling the malware difficult. The analysis was so difficult that Check Point ended up improving existing open-source tools like 'flutter-re-demo' and 'reFlutter.'

"Flutter runtime for ARM uses its own stack pointer register (R15) instead of the built-in stack pointer (SP)," reads Check Point's report.

"Which register is used as a stack pointer makes no difference in code execution or in the reverse-engineering process. However, it makes a big difference for the decompiler. Because of a non-standard register usage, a wrong and ugly pseudocode is generated."

Finally, the analysts located the functions responsible for exfiltrating victims' credentials and credit card data, as well as the HTTP POST communication that transmitted the intercepted SMS messages to the C2 server. Check Point says that the FluHorse campaign is still active, with new infrastructure and malicious apps emerging every month, making this a live threat for Android users.

Spyware Offered to Cyberattackers via PyPI Python Repository

 

Researchers spotted malware peddlers openly selling an info-stealer on the Python Package Index (PyPI) — the official, public repository for the Python programming language — with only the thinnest concealment.

The attackers, who Sonatype researchers linked to the SylexSquad malware-as-a-service (MaaS) gang in Spain, gave their programme a not-so-subtle name: "reverse-shell." Reverse shells are programmes that are often used by hackers to run commands remotely and receive data from targeted machines.

"I think what's quite funny about this is that it's just so blatant," says Dan Conn, developer advocate at Sonatype. "Perhaps SylexSquad were advertising themselves, or they simply didn't care about being caught."

Inside the 'reverse-shell' Data-Heisting Malware

Sonatype researchers were taken aback when they discovered a package dubbed "reverse-shell" on a public forum. "Why would someone name a malicious package in such a blatantly obvious way?" the researchers pondered in their blog article for Malware Monthly.

In actuality, the programme turned out to be much more than a reverse shell. This was revealed when the researchers studied one of its files, "WindowsDefender.py," which contains several routines with self-explanatory names, such as get_login_data(), get_web_history(), get_downloads(), get_cookies(), get_credit_cards(), and ImageGrab.grab().

In keeping with the name, the hackers had not gone to great lengths to conceal their intentions: this was malware designed to steal information.

"With no obfuscation, [this] appears to be a Discord bot that executes commands and performs actions on the infected machine," according to the analysis. "The malware can retrieve cookies, take screenshots, run shell commands, steal browsing history, and send all this data to the attacker's Discord channel."

More information can be found in another file called "setup.py." There were multiple Spanish-language instructions here to "Clone GitHub repository and execute file," "replace with URL of your GitHub repository," and "path where you want to clone the repo" — indicating that reverse-shell was a MaaS product.

Further investigation revealed several "Made by SylexSquad" tags sprinkled throughout the code, some of which was minimally obfuscated. The researchers discovered that SylexSquad was formerly a hacking marketplace running on the Sellix e-commerce platform in 2022. It has subsequently been decommissioned.

Publishing so publicly to a public repo could have been a deliberate attempt by the organisation to draw attention to their product. "How do we know about groups like Anonymous, LulzSec, or Killnet?" Conn inquires rhetorically. "It's because they get a bad reputation."

However, PyPI is considerably more valuable to them than that.

Why Do Hackers Use Public Repositories?

According to Sonatype, the SylexSquad attackers aren't the only miscreants using public platforms like PyPI and GitHub, and there are a variety of reasons for their audacity.

"Hosting malicious files on a public repository provides bad actors more control over them," the researchers explained in their blog. "It gives them the power of deleting, upgrading, or even doing version control of the payload."

Among other benefits, "it allows the malware to be shared a lot more widely," Conn elaborates, "and it might actually trip up, in particular, a lot of antivirus software that uses generic signatures — like, actual bytes — to store whether something is malicious or not."

In other words, rather than shipping the malware upfront, where antivirus scanners may detect it quickly, hackers can simply provide a link to their harmful code hosted elsewhere: "By providing a link to a GitHub, they're perhaps evading that check," he says.

To avoid becoming a hotspot for hackers, public repositories have protective safeguards in place. But even the finest scanners and moderators are not perfect, and they cannot be everywhere at the same time.

"Hackers take certain measures like encoding or otherwise obfuscating the code they host, to make it a little bit more difficult for automated engines to pick up," Juan Aguirre, security researcher at Sonatype, points out. SylexSquad encoded its malicious software as numbers in this example, utilising easily reversible ASCII codes for each character.
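As an added illustration (not Sonatype's tooling), the following static triage script looks for the traits described above in a Python source file: the stealer routine names from WindowsDefender.py, Discord webhook references, dynamic code execution, and payload text stored as lists of ASCII code points. The SAMPLE it scans is a constructed stand-in, not the real package, and its webhook URL is fake.

```python
"""Static triage for the traits Sonatype describes in the 'reverse-shell'
package: stealer-style function names, Discord references, dynamic code
execution, and payload text hidden as lists of ASCII code points.

Added example, not Sonatype's tooling. SAMPLE below is a constructed stand-in
for a package file, not the real WindowsDefender.py; the webhook URL is fake.
"""
import ast
import re

# Routine names the analysis lists from WindowsDefender.py.
STEALER_FUNCS = {"get_login_data", "get_web_history", "get_downloads",
                 "get_cookies", "get_credit_cards"}
DISCORD_RE = re.compile(r"discord(?:app)?\.com/api/webhooks", re.I)


def _callee_name(call):
    """'exec' for exec(...), 'ImageGrab.grab' for ImageGrab.grab(...)."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


def decode_code_point_lists(tree, min_len=8):
    """Decode every literal list/tuple of printable-ASCII integers.
    [112, 114, 105, ...] reverses with chr(), which is exactly why the
    article calls this encoding 'easily reversible'."""
    decoded = []
    for node in ast.walk(tree):
        if not isinstance(node, (ast.List, ast.Tuple)) or len(node.elts) < min_len:
            continue
        ints = [e.value for e in node.elts
                if isinstance(e, ast.Constant) and type(e.value) is int]
        if len(ints) == len(node.elts) and all(32 <= v < 127 or v in (9, 10, 13) for v in ints):
            decoded.append("".join(chr(v) for v in ints))
    return decoded


def triage(source):
    """Return the indicators found in one Python source string."""
    tree = ast.parse(source)
    found = {"stealer_functions": [], "dynamic_exec": [], "screen_capture": [],
             "discord_webhooks": DISCORD_RE.findall(source),
             "decoded_payloads": decode_code_point_lists(tree)}
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef) and node.name in STEALER_FUNCS:
            found["stealer_functions"].append(node.name)
        elif isinstance(node, ast.Call):
            name = _callee_name(node)
            if name in ("exec", "eval"):
                found["dynamic_exec"].append(f"{name} at line {node.lineno}")
            elif name == "ImageGrab.grab":
                found["screen_capture"].append(f"{name} at line {node.lineno}")
    return found


def is_suspicious(found, threshold=2):
    """Flag a file when two or more independent indicator classes fire."""
    return sum(1 for v in found.values() if v) >= threshold


# Constructed sample imitating the described traits (fake webhook, harmless payload).
SAMPLE = '''
from PIL import ImageGrab
WEBHOOK = "https://discord.com/api/webhooks/000000/constructed-sample"
def get_cookies():
    return open("Cookies", "rb").read()
def get_credit_cards():
    return []
shot = ImageGrab.grab()
code = [112, 114, 105, 110, 116, 40, 39, 104, 105, 39, 41]
exec("".join(chr(c) for c in code))
'''

if __name__ == "__main__":
    result = triage(SAMPLE)
    for key, hits in result.items():
        print(f"{key}: {hits}")
    print("suspicious:", is_suspicious(result))
```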

Sonatype reported the package to the PyPI maintainers, and it was removed. But "it's just a game of cat and mouse," Aguirre says. "Someone catches them and they just run to the next spot."

Aguirre sees this tale as part of a larger issue with open source software: as long as malware developers find use in public repositories, organisations must be conscious of the types of packages they may be picking up.

"It's important to understand what it is that you're running," he concludes. "This is a great case for that. You have to have a bill of materials, you've got to know what you're doing, and what dependencies you're using. If you're just blindly installing things and grabbing code you see, things like this could very easily get into your system."


Ways Automobile Companies Collect Customer Data

Automobiles collect data on a variety of aspects, including your identity, travel history, driving style, and more. The utilization of this information, according to automakers, will improve driving efficiency and driver and vehicle safety. However, without rules or regulations regulating consumer privacy in cars and what automakers do with your data, users are left to conjecture.

Rent-a-car firms may undoubtedly take advantage of every chance to increase their revenue and have better control over their fleet. Technology for surveillance is already in use. They can easily track their customers as a result. This function was first created to avoid high insurance costs, reduce the likelihood of automobiles being stolen, and add new levies.  

Companies that rent cars can keep records of the whereabouts and activities of their customers and can quickly pick up on a client's behavior. Leading firms have disclosed placing cameras and microphones in their vehicles, and customers can feel assured since these are not turned on arbitrarily. 

How Automakers Gather User Data:
  • Camera: Dashboard and reverse cameras can record an accident for insurance officials to view. However, in addition to providing date, time, and road position information, they can also show the route taken by the vehicle.
  • Key fob: The VIN, the total number of keys that have been associated with a certain vehicle, and the most recent times the car was locked and unlocked are some of the data that are recorded in a fob.
  • Infotainment system: It was previously possible to listen to music while driving on a simple cassette or CD player. But over time, Bluetooth, wifi, and USB gadgets that can be controlled by touch screens or dashboard displays replaced these systems.
  • Black boxes: They are gadgets that track a driver's performance while operating a car. A driver's premium can be reduced if the black box data shows they are performing effectively while driving.
Tracking devices aid in preventing thefts, recovering vehicles that have already been taken, and saving people in an accident. However, since all of this data is transmitted over an Internet connection, it is susceptible to interception. Additionally, the servers on which this data is housed are vulnerable to hacking. You continue to be in the dark regarding the collection and sharing of your personal data by automakers. It can be challenging, but in the future, one might have to find a workable solution to this dilemma. Always examine the security of your data, and from the outset, become familiar with the potential of the vehicles you rent or purchase.  

Stop Siri, Google & Alexa from Stealing Audio Files for Unauthorized Usage

There are several ways to stop devices from accessing your data, as per USA Today reports. Some call for physically blocking cameras and microphones. Laptops and desktop computers would be the finest platforms for this.

The evolution of search and technology will rely on individuals speaking to computers more fluidly to complete tasks. Along the road, users need to protect their privacy, and that process begins with the products employed currently. As a result, you might want to stop these assistants from recording you, or at least forbid them from exploiting such information. Because transcription is imperfect, an assistant can misinterpret your instructions and send odd messages to one of your contacts.

How to turn off Siri on iPhone

It requires a few steps to deactivate Siri on an iPhone. Here is what you must do when you want to entirely deactivate Siri:
  1. Open the iPhone's Settings app.
  2. Click on 'Siri & Search.'
  3. Turn off the controls for 'Listen for Hey Siri' and 'Press Home for Siri.'
If you deactivate Siri, you won't be able to call it by pressing the home button or saying 'Hey Siri.' Additionally, you won't be able to employ Siri to perform actions like making calls, sending text messages, and creating reminders.

Amazon

Employees at Amazon listening to your recordings is the real issue. Here's how to stop it:
  1. Launch the Alexa app on your device and select the More menu option.
  2. Choose Privacy > Settings for Alexa.
  3. Pick Manage Your Alexa Data.
  4. Deactivate the toggles next to "Help Alexa" and "Use messages to enhance transcriptions."
For added privacy in some circumstances, you can switch off the Echo's microphone. At the device's top, press the button to turn the microphone on or off.

Smartphone

When you are uncomfortable with Android having access to private recordings, your preferred option is to turn off Google Assistant, because you can't really choose what is sent and saved.

Here's how to disable the "OK Google" wake command:
  1. Launch the Google app on your mobile device.
  2. Tap the icon for your profile photo in the top section.
  3. Select General under Settings > Google Assistant.
  4. To disable Google Assistant, slide the switch next to it to the left.

When it was discovered that Google Assistant and Amazon Alexa were recording random voice snippets in their formative days, criticism erupted. Some firmly gripped their conspiratorial hats, claiming that this was a brand-new dystopia tool for keeping an eye on millions of people. The likelihood is higher that the assistants misheard the cue and began anticipatorily listening for orders. These systems are not fault-tolerant and they can still make blunders.

Some of the major digital firms that might use intelligent chatbots like ChatGPT are Amazon, Google, and Apple. They could complement the current solutions or be included in future versions of Alexa, Google Assistant, and Siri. 

WordPress Sites Hit by New Linux Malware

According to an analysis by cybersecurity company Dr. Web, WordPress-based websites are being targeted by an unidentified Linux malware variant.

Identified as LinuxBackDoor.WordPressExploit.1, the Trojan favors 32-bit Linux versions, although it can also operate on 64-bit versions. The malware exploits 30 vulnerabilities in numerous outdated WordPress plugins and themes.  

Its primary purpose is injecting harmful JavaScript into the webpages of websites that use the WordPress content management system (CMS). Based on Doctor Web's analysis of the unearthed Trojan, the malware may be the tool that hackers have used for more than three years to perform targeted attacks and generate income from the resale of traffic, or arbitrage. 

Malicious actors operate the Trojan remotely by having its command and control (C&C) server pass it the URL of the site they want to infect. Threat actors can also remotely pause the malware, shut it down, and stop it from logging its activities. 

The researchers described how the process works: once a plugin or theme vulnerability is exploited, the injection is placed so that, irrespective of the original contents of the page, the JavaScript is launched first when the infected page is loaded. Clicking on any part of the compromised website then sends the visitor to the attackers' preferred website.
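As an added detection example (not Dr. Web's code), the following script checks a saved copy of a page for that shape: an inline script ahead of the page's own markup whose body hooks clicks and redirects the visitor. Both HTML documents are constructed samples; redirect.invalid is a reserved, non-resolving name.

```python
"""Look for the injection shape Dr. Web describes: an inline <script> placed
ahead of the page's own markup so it runs first, whose body hooks clicks
and redirects the visitor.

Added example, not Dr. Web's detection logic. INJECTED and CLEAN are
constructed documents; 'redirect.invalid' is a reserved, non-resolving name.
"""
from html.parser import HTMLParser
import re

CLICK_RE = re.compile(r"""addEventListener\s*\(\s*['"]click['"]|\.onclick\s*=""", re.I)
REDIRECT_RE = re.compile(r"(?:window\.location|location\.href|window\.open)\s*[=(]", re.I)


class ScriptCollector(HTMLParser):
    """Records each <script> with its body, its src, and how many content
    elements (anything but <html>/<head>) appeared before it."""

    def __init__(self):
        super().__init__()
        self.content_seen = 0
        self.scripts = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = {"src": dict(attrs).get("src"), "body": "",
                          "preceded_by": self.content_seen}
        elif tag not in ("html", "head"):
            self.content_seen += 1

    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def find_leading_redirect_scripts(html):
    """Return bodies of inline scripts that precede all page content and
    combine a click hook with a redirect."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return [s["body"].strip() for s in parser.scripts
            if s["src"] is None and s["preceded_by"] == 0
            and CLICK_RE.search(s["body"]) and REDIRECT_RE.search(s["body"])]


# Constructed samples: the first mimics the described injection, the second
# is a clean theme page with ordinary scripts in head and body.
INJECTED = """<script>document.addEventListener('click', function () {
  window.location = 'https://redirect.invalid/landing';
});</script>
<!DOCTYPE html><html><head><title>Blog</title></head>
<body><p>Original post content.</p></body></html>"""

CLEAN = """<!DOCTYPE html><html><head><title>Blog</title>
<script>var themeReady = true;</script></head>
<body><p>Original post content.</p><script src="theme.js"></script></body></html>"""

if __name__ == "__main__":
    for label, doc in (("injected", INJECTED), ("clean", CLEAN)):
        print(label, "->", find_leading_redirect_scripts(doc))
```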

Additionally, it can take advantage of many plugins' flaws, including the Brizy WordPress Plugin, the FV Flowplayer Video Player, and the WordPress Coming Soon Page.

According to Dr. Web, both Trojan variants include as-yet-unused functionality for brute-forcing the administrator accounts of selected websites, by trying well-known logins and passwords and specialized dictionaries.

The researchers warned that the hackers may activate this feature in future iterations of the malware, which would let them compromise even websites that run current plugin versions with patched vulnerabilities.

WordPress is reportedly used by 43% of websites, making it a CMS that cybercriminals aggressively target. Dr. Web recommends that WordPress site owners keep all parts of their platforms up to date, including any third-party add-ons and themes, and use strong passwords for their accounts.

SpyNote Strikes: Android Spyware Targets Financial Establishments

Since at least October 2022, financial institutions have been targeted by a new version of Android malware called SpyNote, which combines spyware and banking trojan characteristics. 

"The reason behind this increase is that the developer of the spyware, who was previously selling it to other actors, made the source code public," ThreatFabric said in a report shared with The Hacker News. "This has helped other actors [in] developing and distributing the spyware, often also targeting banking institutions."

Deutsche Bank, HSBC U.K., Kotak Mahindra Bank, and Nubank are among the notable institutions impersonated by the malware. SpyNote (aka SpyMax) is feature-rich and comes with a slew of capabilities, including the ability to instal arbitrary apps, collect SMS messages, calls, videos, and audio recordings, track GPS locations, and even thwart attempts to uninstall the app. 

It also mimics the behaviour of other banking malware by requesting access to services to extract two-factor authentication (2FA) codes from Google Authenticator and record keystrokes to steal banking credentials.

SpyNote also includes features for stealing Facebook and Gmail passwords and capturing screen content via Android's MediaProjection API.

According to the Dutch security firm, the most recent SpyNote variant (dubbed SpyNote.C) is the first to target banking apps as well as other well-known apps such as Facebook and WhatsApp.

It's also known to pose as the official Google Play Store service and other generic applications ranging from wallpapers to productivity and gaming. The following is a list of some of the SpyNote artefacts, which are mostly delivered via smishing attacks:
  • Bank of America Confirmation (yps.eton.application)
  • BurlaNubank (com.appser.verapp)
  • Conversations_ (com.appser.verapp)
  • Current Activity (com.willme.topactivity)
  • Deutsche Bank Mobile (com.reporting.efficiency)
  • HSBC UK Mobile Banking (com.employ.mb)
  • Kotak Bank (splash.app.main)
  • Virtual SimCard (cobi0jbpm.apvy8vjjvpser.verapchvvhbjbjq)
SpyNote.C is estimated to have been bought by 87 different customers between August 2021 and October 2022 after its developer advertised it through a Telegram channel under the name CypherRat.

Nevertheless, the open-source availability of CypherRat in October 2022 has resulted in a significant rise in the number of samples detected in the wild, implying that several criminal groups are using the malware in their own campaigns.

ThreatFabric also stated that the original author has since begun work on a new spyware project codenamed CraxsRat, which will be available as a paid application with similar features.

"This development is not as common within the Android spyware ecosystem, but is extremely dangerous and shows the potential start of a new trend, which will see a gradual disappearance of the distinction between spyware and banking malware, due to the power that the abuse of accessibility services gives to criminals," the company said.

The revelations came after a group of researchers demonstrated EarSpy, a novel attack against Android devices that infers audio conversations, indoor locations, and touchscreen inputs by using the smartphones' built-in motion sensors and ear speakers as a side channel.

El Salvador Government is Employing Pegasus to Spy on Journalists


The warning came in August 2020. I was instructed to meet him at six o'clock at night in a deserted parking lot in San Salvador by a reliable source. He had my number but didn't want to leave a trail, so he reached me through a friend instead. He instructed me to leave my phone in the car when I got there, stated Nelson Rauda Zablah, a Salvadoran journalist whose work has been featured in the New York Times, the BBC, the Los Angeles Times, and the Economist among other publications. 

Moreover, he informed me as we walked that the negotiations between the president of El Salvador and the renowned MS-13 gang were the reason my colleagues at the Salvadoran news outlet El Faro were being watched. 

Although this may seem like a terrifying movie scene, several journalists from Central America have actually experienced it. Many people in my profession go about their daily lives with the sense that they are being watched, putting their phones away before meetings, utilizing encrypted messaging and email apps, communicating in code, and never sharing their real-time location. 

I wouldn't understand what my source meant in full until more than a year later. Not only were my colleagues being followed as they looked into that story. They had frequently been the targets of Pegasus, a type of weapons-grade espionage software, along with at least 18 other El Faro members, including myself. The shiny new toy of the Israeli spyware company NSO Group is called Pegasus. The Citizen Lab and other forensic analysis firms discovered that the Pegasus attacks in El Salvador began in June 2020 and persisted through November 2021. This technique was used to spy on 35 journalists and members of civil society in total. 

When you have the Pegasus virus, spies essentially have a duplicate of your phone. They have access to everything, including your private photos, texts, transactions, and app choices and usage. I had to take action when the surveillance was detected, which included closing my family group chat and uninstalling my financial apps. 

For journalists, this implies that spies can listen in on all of our phone calls and chats with sources. I was attacked while pursuing and publishing personal footage of President Nayib Bukele's siblings discussing the Bitcoin Law in El Salvador with foreign businessmen before it went into law. As my colleagues Carlos Martínez and Gabriela Cáceres continued to divulge additional information concerning the government's interactions with gangs and a related criminal investigation, they were hacked. I could continue forever. 

After the assaults, journalism has become much more challenging. Several sources jokingly returned our calls after the hacking was made public by wishing any decent people listening to a good day. However, a lot more people only picked up the phone to tell us to stop calling, and the majority of them didn't even answer. One person told me that he now knew why his wife had been let go from her government job, according to a source. I was miserable. Guilty. Powerless. 

Above all else, Pegasus makes you feel helpless. We think the infections in El Faro occurred as a result of a "zero-click exploit," which means we didn't even click on a fake link to let the spies in. Just now, they got in. Get a new phone, and change your number; they'll just break in there, too. 

However, we didn't want to be helpless. We shared our tale with press organizations worldwide. We appeared on TV, attended press conferences, and filed a complaint with the attorney general's office in El Salvador. Therefore, 14 of my coworkers at El Faro and I have chosen to sue NSO Group while being represented by the Knight First Amendment Institute at Columbia University. 

We're not in it for the money, I can tell you that; otherwise, we wouldn't be independent journalists. This is a development of our ongoing efforts in El Salvador to expose corrupt government officials. We are taking this action in the United States because El Salvador's coopted institutions have run out of legal options. 

Additionally, this is not just for us. The gadgets of over 450 law-abiding men and women from all around the world whose devices had been compromised by NSO Group's Pegasus were listed by the Israeli newspaper Haaretz in April. Many of them don't reside in nations or occupations where they can file lawsuits. 

However, someone must. Executives of the NSO shouldn't be able to wash their hands after using their apparatus to harm journalists. In a practical sense, NSO let loose the hounds to hunt us down. And now we're retaliating.

Google Blames Spanish Spyware Vendor for Exploiting Chrome, Windows, and Firefox Zero-Days


Variston IT Spyware behind an attack on Google

A surveillance vendor from Barcelona called Variston IT is believed to deploy spyware on victim devices by exploiting various zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018. 

Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said "their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device." 

Variston has a bare-bones website on which it claims to provide tailor-made security solutions to its customers. It also says it makes custom security patches for various types of proprietary systems and assists law enforcement agencies in the discovery of digital information, among other services.

Google's Response 

Google said "the growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups. These abuses represent a serious risk to online safety which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry."

The vulnerabilities, which have been fixed by Google, Microsoft, and Mozilla in 2021 and early 2022, are said to have been used as zero-days to help customers deploy whichever malware they want to, on targeted systems. 

What is Heliconia?

Heliconia consists of three components called Noise, Soft, and Files, which deploy exploits against vulnerabilities in Chrome, Windows Defender, and Firefox, respectively. 

Noise is designed to exploit a security flaw in Chrome's V8 JavaScript engine that was fixed in August 2021, combined with an unknown sandbox escape method known as "chrome-sbx-gen", to allow the final payload (also called an agent) to be deployed on select devices.  

But the attack works only when the victim accesses a malicious webpage intended to trap the user, and then trigger the first-stage exploit. 

Google says it learned of the Heliconia attack framework through an anonymous submission to its Chrome bug reporting programme. It added that it currently sees no evidence of active exploitation, suggesting the toolset has been shut down or has evolved further. 

Google's blog said:

Although the vulnerabilities are now patched, we assess it is likely the exploits were used as 0-days before they were fixed.
  • Heliconia Noise: a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape
  • Heliconia Soft: a web framework that deploys a PDF containing a Windows Defender exploit
  • Heliconia Files: a set of Firefox exploits for Linux and Windows.

Cryptojacking Campaign Exploits OneDrive Vulnerability, Can Deploy Spyware and Ransomware Too


New cryptojacking campaign

Cryptojacking is becoming a nightmare for consumers and enterprises, and threat actors have started using various techniques to deploy cryptojackers on victims' systems. As per recent developments, cybersecurity software developer Bitdefender found a cryptojacking campaign exploiting a Microsoft OneDrive vulnerability to gain access to compromised devices and run on them undetected. 

BitDefender report says:

"OneDrive was specifically chosen in this attack because it permits the actor to achieve easy persistence. Adding OneDrive to startup is an action done by the dropper malware, but even if it did not do so, OneDriveStandaloneUpdater.exe is by default scheduled to execute each day. Of the detections we received, 95.5% came from OneDriveStandaloneUpdater.exe loading the malicious secur32.dll."

From May 1 to July 1, Bitdefender identified around 700 users impacted by the campaign. The campaign operates using four cryptocurrency mining algorithms: Ton, XMR, Ethash, and Etchash. It makes an average of $13 worth of cryptocurrency per compromised device.

Cryptojacking uses OneDrive sideloading bug

Cryptojacking is the unauthorised use of computing resources to mine cryptocurrency. The threat actors in the recent cryptojacking campaign used a DLL sideloading vulnerability in OneDrive by writing a fake secur32.dll file. After the file is loaded into the OneDrive process, the fake secur32.dll downloads open-source cryptocurrency mining software and installs it into genuine Windows processes. 

Sideloading essentially means getting a system to load code that was never approved for execution by the vendor of its operating system; here, a DLL was planted where a trusted process would load it. DLL files are collections of small routines that a larger program calls on to finish non-core tasks. 

The campaign also uses Spyware, Ransomware

While this OneDrive sideloading campaign is used only for cryptojacking, DLL sideloading is also used to deploy ransomware or spyware. Besides this, as cryptocurrency mining is resource-intensive, victims can quickly notice falling CPU and GPU performance, increased energy consumption, and overheating, and these issues can ruin expensive hardware. 

OneDrive's updater is scheduled by default to run daily, and the threat actors behind the latest cryptojacking campaign were also found to set the OneDrive.exe process to run after a reboot, even if the user shuts it down. The attackers use this method to gain persistence. In an estimated 95% of the detections, the scheduled updater was found to load the malicious secur32.dll. 
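As an added triage example (not Bitdefender's tooling), the following script hunts for the sideloading pattern described above: a file carrying a Windows system DLL's name, such as secur32.dll, planted inside an application folder, and compares its content against the System32 copy. The directory layout it checks is constructed in a temporary folder; AppHelper.dll is a hypothetical name standing in for an application's own library.

```python
"""Hunt for the sideloading pattern Bitdefender describes: a file carrying a
Windows system DLL's name (secur32.dll) planted in an application folder,
where the loader resolves it before the copy in System32 for names not
protected by the KnownDLLs list.

Added example, not Bitdefender's tooling. The directory layout below is
constructed in a temp folder; point find_shadowed_dlls() at a real install
and System32 to use it for actual triage.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shadowed_dlls(app_dir, system_dir):
    """Return DLLs under app_dir whose file name matches a DLL in system_dir.
    Each hit records whether the bytes match the system copy; a same-named
    file with different content is the strongest sign of a planted library."""
    system = {p.name.lower(): p for p in Path(system_dir).glob("*.dll")}
    hits = []
    for dll in sorted(Path(app_dir).rglob("*.dll")):
        twin = system.get(dll.name.lower())
        if twin is None:
            continue  # the app's own DLL, not a system DLL name
        hits.append({"path": str(dll),
                     "system_copy": str(twin),
                     "content_matches_system": sha256_of(dll) == sha256_of(twin)})
    return hits


def build_demo():
    """Constructed stand-ins for System32 and a per-user OneDrive folder."""
    root = Path(tempfile.mkdtemp(prefix="sideload-demo-"))
    sys32, app = root / "System32", root / "OneDrive"
    sys32.mkdir()
    app.mkdir()
    (sys32 / "secur32.dll").write_bytes(b"MZ constructed genuine secur32")
    (sys32 / "kernel32.dll").write_bytes(b"MZ constructed genuine kernel32")
    (app / "OneDriveStandaloneUpdater.exe").write_bytes(b"MZ constructed updater")
    (app / "AppHelper.dll").write_bytes(b"MZ constructed app-private dll")  # hypothetical name
    (app / "secur32.dll").write_bytes(b"MZ constructed planted loader")    # the sideloaded fake
    return str(app), str(sys32)


if __name__ == "__main__":
    app_dir, system_dir = build_demo()
    for hit in find_shadowed_dlls(app_dir, system_dir):
        verdict = ("matches System32 copy" if hit["content_matches_system"]
                   else "DIFFERS from System32 copy")
        print(f"{hit['path']}: {verdict}")
```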

"Given that the “per machine” installation method may not be suitable for all environments and privilege levels, user caution should be one of the strongest lines of defense against commodity malware. Bitdefender recommends that users ensure their AVs and operating systems are up to date, to avoid cracked software and game cheats, and to download software from trusted locations only," the Bitdefender report says.


Fake Tor Browser Containing Spyware Targets Chinese Residents


Kaspersky threat analysts have unearthed multiple infections via malicious Tor Browser installers propagated via a Chinese-language YouTube video regarding the dark web. 

Dubbed OnionPoison, the malicious campaign targeted users located in China, where the Tor Browser is banned. Hence, internet users in China often attempt to download the Tor browser from third-party websites. 

“Most of the affected users were from China,” Kaspersky researchers Leonid Bezvershenko and Georgy Kucherin said in findings published this week. “As the Tor Browser website is blocked in China, individuals from this country often resort to downloading Tor from third–party websites. And cybercriminals are keen on spreading their malicious activity via such resources.” 

The Chinese-language YouTube channel has more than 180,000 subscribers, and the video has been viewed more than 64,000 times. It is a damaging discovery for Tor Browser users, who rely on the browser for anonymity and as a gateway to the dark web. 

The Chinese residents use the browser to bypass Beijing’s extensive surveillance and censorship technologies, which are linked with the country’s strict intolerance of political dissent. 

Tor, named for The Onion Router, was originally designed by the US Naval Research Laboratory as a way to securely communicate between government agencies. It includes a series of volunteer-run servers that route internet traffic through a series of encrypted tunnels. 

The researchers warn that the trojanized version of the browser acts differently from the normal version by storing browsing history and data entered into website forms. It also includes a library compromised with spyware that allows the hackers to scan “exfiltrated browser histories for traces of illegal activity, contact the victims via social networks and threaten to report them to the authorities.”

The best way to avoid OnionPoison is to download Tor from the official website or, if that’s not viable, to verify the digital signature of any installer obtained from a third-party site. 

“Regardless of the actor’s motives, the best way to avoid getting infected with OnionPoison implants is to always download software from official websites. If that’s not an option, verify the authenticity of installers downloaded from third-party sources by examining their digital signatures,” the researchers added. 

Modified Tor versions have been employed previously by nation-state hackers. In 2019, security experts at the Slovakia-based cybersecurity firm ESET unearthed a version designed to siphon cryptocurrency from Russian residents.