Search This Blog

Showing posts with label Underground Forum. Show all posts

Attackers Use Underground Hacking Forum to Strip Activation Lock from iPhones

 

Checkm8.info, an underground hacking forum is offering users a convenient way to strip ‘activation lock’ from iPhones with its pay-for-hacking service. However, iOS security analysts believe the hackers are tricking people to remove protections from stolen iPhones. 

Activation lock essentially prohibits anyone from activating the device until the owner enters the requested credentials. The lock is enabled when the administrator sets up Find My, the Apple service that allows people to track the location of their iPhone, Mac, or Apple Watch. 

“Activation Lock,” a text popup across the iPhone’s screen read. “This iPhone is linked to an Apple ID. Enter the Apple ID and password that were used to set up this iPhone.” 

The hackers are using checkra1n, an open-source jailbreaking tool published in 2019. Checkra1n employs an exploit called checkm8 designed by the developer known as Axi0mX. According to checkm8.info’s website, Checkm8 is only applicable for devices running iOS versions 12 to 14.8.1 because the latest iPhones have updated bootrom code that is not susceptible to checkm8. 

A video posted on checkm8.info’s website shows how smoothly the process of using the checkm8.info tool is. A user only needs to download the software, install it, open it up, and finally plug it into Mac or PC. Subsequently, the site charges $69.99 per license. 

“Done! You have successfully bypassed the iCloud activation lock on your device,” the video’s female narrator explains. 

Additionally, Checkm8.info provides a service called “Bypass iPhone Passcode.” This service tool is not identical to established iPhone unlocking services such as Cellebrite and GrayShift. “This service restores the device to factory settings and activates it as a new device using a saved activation ticket from the system. So basically, this method has nothing with brute-forcing or user data leak. Passcode phrase is a common name used by other tools for this service so we decided to give it the same name,” the checkm8.info administrator explained. 

Three years ago in 2019, security researcher axi0mX uncovered checkm8, an exploit that enabled the jailbreak of millions of iOS devices. The exploit lay in the bootrom of the compromised devices. Before 2019, the last iOS bootrom-based jailbreak was published way back in 2009, making the Checkm8 exploit even more astonishing feet since many believed the hardware avenue for rooting devices had long been shut down closed.

Info Stealing BlackGuard Malware is Advertised for Sale on Russian Hacking Forums

 

A sophisticated information stealer dubbed BlackGuard is gaining the attention of the cybercrime community. The malware is advertised for sale on multiple Russian hacking forums with a lifetime price of $700 or a subscription of $200 per month. 

This low value and ease of access may permit a thrifty menace actor to loot hundreds of cryptocurrency wallets, financial institution accounts, and much with little to no work, researchers at Zscaler who spotted and analyzed the malware explained. 

The malware was first spotted on Russian-language hack forums in January 2022, but then it was distributed privately and was at the testing stage. As with all modern information-stealers, BlackGuard exfiltrates information from almost any application that processes sensitive user data, with a focus on crypto assets. In an infected system, BlackGuard looks for the following applications to steal user data from them: 
  • Web browsers: Passwords, cookies, autofill, and history from Chrome, Opera, Firefox, MapleStudio, Iridium, 7Star, CentBrowser, Chedot, Vivaldi, Kometa, Elements Browser, Epic Privacy Browser, uCozMedia, Coowon, liebao, QIP Surf, Orbitum, Comodo. 
  • Wallet browser extensions: Binance, coin98, Phantom, Mobox, XinPay, Math10, Metamask, BitApp, Guildwallet, iconx, Sollet, Slope Wallet, Starcoin, Swash, Finnie, KEPLR, Crocobit, OXYGEN, Nifty, Liquality, Auvitas wallet, Math wallet, MTV wallet, Rabet wallet, Ronin wallet, Yoroi wallet, ZilPay wallet, Exodus, Terra Station, Jaxx 
  • Cryptocurrency wallets: AtomicWallet, BitcoinCore, DashCore, Electrum, Ethereum, Exodus, LitecoinCore, Monero, Jaxx, Zcash, Solar, Zap, AtomicDEX, Binance, Frame, TokenPocket, Wassabi 
  •  Email: Outlook 
  •  Messengers: Telegram, Signal, Tox, Element, Pidgin, Discord 

The gathered information is bundled in a ZIP file, also known as logs, and is sent to the attackers’ C&C server via a POST request, along with a system profile report that assigns a unique identifier to the victim’s equipment.

In terms of bypassing BlackGuard’s capabilities are still under development, but some systems are already in place to avoid detection and analysis. First, the malware is packed with a crypter, and the code is obfuscated using base64. Finally, it will inspect the operating system’s processes and try to block any actions linked to antivirus software or sandboxing once it landed on a vulnerable workstation.

How to avoid the installation of malware? 

To mitigate the risks, you must avoid visiting shady websites and downloading files from untrustworthy or dubious sources. Furthermore, use two-factor authentication, keep your OS and applications updated, and use strong and unique passwords for all your online accounts. If you believe that your computer is already compromised, researchers recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.

LockBit Ransomware Variant is Now Targeting VMware ESXI Servers

 

LockBit ransomware has always been a key weapon for malicious actors targeting Windows, but cybersecurity researchers at Trend Micro spotted LockBit Linux-ESXi Locker version 1.0 being advertised on an underground platform, meaning the sneaky ransomware is now targeting VMware ESXi virtual machines.

According to Trend Micro, the LockBit operators are advertising a new Linux version since October 2021. The move focuses on expanding the audience of potential targets, including all the organizations that are shifting to virtualization environments. Additionally, the ransomware can encrypt a wide range of servers and files – and drive up the pressure for a victim to give in and pay a ransom for the decryption key.

"The release of this variant is in line with how modern ransomware groups have been shifting their efforts to target and encrypt Linux hosts such as ESXi servers," stated Junestherry Dela Cruz, threats analyst at Trend Micro. "An ESXi server typically hosts multiple VMs, which in turn hold important data or services for an organization. The successful encryption by ransomware of ESXi servers could therefore have a large impact on targeted companies." 

According to the researchers, Linux encryptors are nothing new as similar encryptors have been discovered in the past from HelloKitty, BlackMatter, REvil, AvosLocker, and the Hive ransomware operations. Like other Linux encryptors, LockBit offers a command-line interface allowing affiliates to enable and disable various features to tailor their attacks.

However, what makes the LockBit Linux encryptor stand out is the wide use of both VMware ESXi and VMware vCenter command-line utilities to check what virtual machines are running and to shut them down so they are not compromised while being encrypted.

To mitigate the risks, Trend Micro advised organizations to keep systems up to date with the latest security patches to prevent intrusions, especially as LockBit is known to exploit vulnerable servers to help it spread. Those behind LockBit attacks have also been known to exploit stolen usernames and passwords, so if it's known that a password has been part of a data breach, it should be changed.

Additionally, multi-factor authentication can be applied across the entire ecosystem in order to provide an additional layer of defense against cyber assaults.