Search This Blog

Showing posts with label VPN. Show all posts

VPN: Should Users Leave Their VPN Turned On?

We have all had our shared experiences of strangers sneaking into our phone screens on a bus for work or school. Similarly, one as well can sneak into a browser window, since it is now a common phenomenon for victims to be exposed to all forms of cyberattacks online.  

However, with the aid of a Virtual Private Network (VPN), the user’s internet connection will be secured, preventing unauthorized access to the data or other online activity. So why one should have his VPN activity? And are there any situations that might require a user to turn it off? 

Why should users leave their VPN turned on?

VPN users are often perplexed on whether they should leave their VPN turned on or off. Most online users prioritize their online data security and anonymity, consequently preferring to leave their VPN turned on. But they do have their drawbacks too, including potential time lags, depending on the service being used. Here are some factors to consider about if you are unsure whether to leave your VPN on or not.

Browse the Internet Privately

Some people may need help understanding why VPNs are required to keep you off the grid since all devices come with incognito mode, which they believe has the same function. However, they do not. Incognito mode only protects you from anyone who has access to your device. VPNs protect users from these vulnerabilities, as your online presence is encrypted when VPNs are in use.

By encrypting data, VPNs take it up a notch by preserving your online anonymity and enabling you to access the internet more freely and privately.

Protect Your Information from Hackers

One of the benefits of using a VPN is that it protects the user from potential vulnerabilities lurking across the internet. Hackers can work in a variety of ways in order to gain unauthorized access to sensitive user data or personal information, which could aid them to access victims’ bank accounts, credit cards, etc.

Bypass Geo-Restrictions on Content

Geoblocking is a tool used by services in order to restrict user access to content in certain geographic locations. While turning the VPN off will expose the online user’s real location and consequently restricts the content, with the use of a VPN, one can bypass these restrictions.

When Should You Turn Off Your VPN?

While VPN serves as a significant tool to combat cyberattacks and keep the users’ private data anonymous. Despite the many benefits, there are instances when it is necessary for a user to turn their VPN off.

To Increase Internet Speed

One of the major benefits of using a VPN mentioned earlier is that it encrypts the user’s online presence. But this process takes time. The amount of time that a VPN utilizes in order to encrypt user data could negatively impact one's online experiences. Users may also face a longer wait for a page to load.

To Prevent Fast Battery Drain

The choice of VPN can further impact a device’s battery capacity. Usually, VPNs aid the same battery life as other applications on iOS and Android devices, but some take a bigger battery chunk than others.

Naturally, every mobile device is unique, and the exact battery usage depends on several variables. These include the level of VPN encryption, mobile coverage, and whether or not the VPN runs in the background at all times.

To Reduce Data Consumption

VPNs tend to use more data when encrypting. In case a user has limited data, it would be best for him to turn off the VPN to restore his internet activities and enjoy them without interruptions, such as streaming music, downloading content, and surfing the web.

To Avoid Geo Location Illegality

Not everyone supports VPNs. A technique called VPN blocking was even created to hinder VPN use. Some countries like Iraq, Turkey, Russia, and China, use VPN blockers to limit their citizens’ exposure to inappropriate content. There’s no rulebook for what form of content gets blocked, as it is dependent on the location.

In countries that ban the use of VPNs, there are heavy penalties for anyone caught using one. Users could also be fined as much as $5,000, and they would not be able to rely on their VPN provider to help them out.

Should you use a VPN?

When using the internet, a VPN is a crucial security tool that keeps you protected. Between your device and your service provider, they build an encrypted tunnel, through which all of your information travels and is processed securely.

There are many advantages and drawbacks associated with staying connected via a VPN. Assess why you have to use a VPN and consider if the disadvantages may disproportionately affect you. Whether you leave your VPN on or off, it is most important that you browse safely.

Kill Switch: Your VPN is Useless Without This Essential Security Feature


Kill switch has turned out an essential security feature for VPN. If your virtual private network does not have a kill switch, internet users might have to look for a new VPN provider. 

In the instance, one’s VPN connection drops for any reason, a kill switch will immediately shut down the user’s internet connection. Thus, playing the role of a crucial VPN security feature, the kill switch ensures that the user data does not leak outside the VPN tunnel or be exposed online unencrypted – that may turn dangerous in many situations. 

Using a VPN, the user’s internet traffic is routed to a secure server at a location of his choice over an encrypted tunnel.  

Eventually, the user’s IP address will change to that of the server he is connecting to. This process not only allows access to geo-restricted content but also hides the user’s original IP address and internet traffic from ISP, government agencies, threat actors, and anyone who might be a threat to their online data.  

Why do VPN disconnections occur? 

Since no technology is error-free, even the best VPNs can have connection drops time and again. VPN disconnection happens for several reasons, some of which are listed below:  

• The user is using a weak or congested Wi-Fi connection — like a public Wi-Fi hotspot in a coffee shop, hotel, or airport. • User is switching to a different Wi-Fi network or switching from Wi-Fi to mobile data. • The computer goes to sleep. • An antivirus program or firewall on your computer is interfering with your VPN connection (in this case, make sure to whitelist your VPN software). • User is jumping from one VPN server to another, or they are frequently switching from one server to another, exceeding their VPN provider’s concurrent connection limit. • They use the OpenVPN UDP protocol, which is less stable than the TCP protocol (switch to TCP if you notice your VPN dropping). • The VPN server they are connecting to is down. • VPN app crashes.  

What if your VPN disconnects without a kill switch? 

In case a user’s VPN disconnects without enabling a kill switch, this will leave the internet connection active, exposing the user’s true IP address and web traffic the moment the disconnection continues unencrypted. 

As a result, the user’s online activities will be exposed, compromising any sensitive personal data one may have been accessing while connected to the VPN. A user can as well compromise his true location based on the exposed IP address. 

This could be problematic if the user is using VPN to access geographically restricted content and for professionals who use a VPN for crucial privacy needs. Using kill switch reduces the risk of such situations. 

How does a VPN kill switch operates? 

A VPN kill switch, when enabled continuously monitors the user’s VPN connection and scans for any change in his IP address or the status of one’s network. The kill switch will engage and block access to the internet connection in an instant if it detects any change in either. 

After the user reconnects to the VPN or the VPN tunnel reestablishes automatically, the kill switch will then allow the internet to reconnect, while still continuously monitoring the VPN connection.

Ransomware Exposed Stolen Data From Cisco on Dark Web

Yanluowang ransomware Gang has published Cisco Systems' stolen data on the dark web and following the data leak, Cisco confirmed that the data was stolen from its network during an intrusion that took place in May. 

Cisco Security Incident Response (CSIRT) conducted an investigation wherein it was found that the attackers acquired control of a personal Google account that had the credentials saved in the browser. The threat actors compromised these credentials to launch voice phishing attacks. The idea behind the attacks was to lure the targeted employee into accepting the MFA notification. 

Cisco revealed in a report published in August that the firm's networks had been infiltrated by the Yanluowang ransomware after hackers gained access to an employee's VPN account. The company further asserted that the only information taken was employee login information from Active Directory and non-sensitive files saved in a Box account.

Once the threat actors obtained the employee's Cisco credentials, the hackers employed social engineering and other techniques to get beyond multi-factor authentication (MFA) and gather more data.

After gaining initial access, the hackers registered a list of new devices for MFA, authenticated effectively to the Cisco VPN, and dropped multiple tools in the victim network including RATs such as LogMeIn, TeamViewer, Cobalt Strike, PowerSploit, Mimikatz, and Impacket, as per Security Affairs. 

Over the weekend, Cisco said in an update that "the content of these files matched what we have detected and released.  We continue to see no effect on the business, including Cisco goods or services, confidential customer data or sensitive employee data, copyrights, or supply chain activities, which is consistent with our previous examination of this incident."

The researchers at the cybersecurity firm eSentire linked Yanluowang with "Evil Corp" (UNC2165), the Lapsus$ gang, and FiveHands malware (UNC2447).

The hacked Google account of an employee that had enabled password synchronization through Google Chrome and saved their Cisco details in the browser allowed the thieves to initially access the Cisco VPN.

The leader of Yanluowang ransomware told BleepingComputer that they had stolen thousands of files totaling 55GB from a cache that contained sensitive information including technical schematics and source code. The hacker did not offer any evidence. The only thing they provided was a screenshot showing access to what seemed like a development system. 

Erich Kron, security awareness advocate at security awareness training company KnowBe4 implies that it goes unsaid that Cisco decided against paying the ransom demanded by the ransomware group, which resulted in the stolen data being posted. 

Over 130 Organizations Targeted in Okta Phishing Campaign

In a single phishing attempt, the hackers behind a number of recent attacks, such as those targeting Twilio, Cloudfare, MailChimp, and Klaviyo, infiltrated over 130 firms.

Through this phishing attack, 9,931 login credentials were stolen using a phishing kit with the codename "0ktapus," which the hackers then used to log into business networks and systems using VPNs and other remote access tools.

Because the primary intent of the assaults was to "get Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations," the conduct has been denounced by Group-IB.

The Singapore-based corporation said that the opponent sought out employees of businesses that use Okta, a provider of identity services, and praised the attacks for being well-planned and carried out. With the help of the identity-as-a-service (IDaaS) platform Okta, employees may access all of their company's software with just one login. 

The phrases "OKTA," "HELP," "VPN," and "SSO" were used in 169 different phishing domains that supported the 0ktapus campaign.  

In addition, customers who used these services, such as Signal, and DigitalOcean, became the target of supply-chain attacks as a result of these breaches.

The threat actors targeted businesses in a variety of areas, including bitcoin, technology, banking, and recruiting, based on the phishing domains built as part of this effort.

These login credentials were then utilized by the hackers to log into internal customer support systems, corporate networks, and VPNs in order to steal consumer data. As earlier witnessed with DigitalOcean and Signal, subsequent supply-chain hacks were carried out using this customer data.

The hacked information was disseminated over a Telegram channel via the phishing kit employed in this effort. One of the channel administrators who went by the handle "X" was connected by the experts to a Twitter and GitHub account, which suggests the person may be based in North Carolina, US.

Threat actors frequently targeted data belonging to organizations in the bitcoin industry, according to revelations from previous victims.

According to Group-IB, the hackers were able to steal 5,441 records with MFA codes, 3,129 data with emails, and 9,931 records with user credentials from 136 businesses, with the mass of the targeted businesses being based in the United States.

Cyble: Over 9,000 VNC Sessions Without a Password Found

Virtual network computing (VNC) endpoints that can view and utilize credentials were reported to be vulnerable on at least 9,000 occasions, giving hackers simple access to the data. 

The platform-independent system referred to as Network Computing (VNC) enables users to remotely control other computers, most of which have limited monitoring and adjusting capabilities. Therefore, anyone who compromises VNCs will eventually have access to the underlying systems.

The endpoints can act as access points for unauthorized access, including hackers with malevolent intentions if they are not fully secured with a password, which is frequently the result of neglect, error, or a decision made out of convenience.

As per researchers, the risk of each exposed VNC relies on the kind of underlying system it is in charge of. Some people are discovered to be in charge of a municipality's water control systems, which is quite serious.

Research Analysis 

Over 9,000 vulnerable servers were found when Cyble's security researchers searched the web for internet-facing VNC instances without passwords. China and Sweden are home to the majority of exposed instances, while the United States, Spain, and Brazil round out the top 5 with sizable numbers of unprotected VNCs.

The fact that some of these open VNC instances were for industrial control systems, that should never be accessible to the Internet, only made the situation worse, according to Cyble. Under one of the examined cases, the unencrypted VNC access connected to an HMI for controlling pumps on a remote SCADA system in a nameless manufacturing facility.

Cyble employed its cyber-intelligence systems to keep a watch out for attacks on port 5900, the standard port for VNC, to assess how frequently attackers target these servers. In a single month, Cyble counted more than six million requests. The Netherlands, Russia, and the United States were the major countries from which to access VNC servers.

On hacker forums, there is a large market for accessing vital networks via exposed or compromised VNCs because this kind of access can be utilized for more in-depth network espionage. In other circumstances, security experts provide guidance on how users might actively scan for and find these vulnerable instances.

A long list of exposed VNC instances with very weak or no passwords is presented in a post on a darknet forum that Bleeping Computer has seen.

In this sense, it's crucial to keep in mind that many VNC systems do not accept passwords longer than eight characters, making it essentially unsafe even when both the sessions and the passwords are encrypted.

Servers should never be exposed to the Internet directly, and if they must be accessed remotely, they should at least be hidden behind a VPN to protect access to the servers.

Ransomware Gang Hacks Cisco

The Yanluowang ransomware organization broke into Cisco's business network in late May and stole internal data, the company said in a statement.

Hacker's compromised a Cisco employee's credentials after taking over a personal Google account where credentials saved in the victim's browser were being synced, according to an investigation by Cisco Security Incident Response (CSIRT) and Cisco Talos.

Cisco claims that an attacker targeted one of its employees and was only successful in stealing files from a Box folder linked to that employee's account and employee authentication information from Active Directory. According to the company, the data kept in the Box folder wasn't sensitive.

The Yanluowang threat actors hijacked a Cisco employee's personal Google account, which contained credentials synchronized from their browser, and used those credentials to enter Cisco's network.

Through MFA fatigue and a series of sophisticated voice phishing assaults carried out by the Yanluowang gang under the guise of reputable assistance businesses, the attacker persuaded the Cisco employee to accept multi-factor authentication (MFA) push alerts.

Cisco has linked the attack to an initial access broker with ties to Lapsus$, the gang that attacked several major corporations before its alleged members were apprehended by law enforcement, as well as threat actor UNC2447, a group with ties to Russia known for using the ransomware FiveHands and HelloKitty. The Yanluowang ransomware group has also been connected to the initial access broker.

In actuality, the Yanluowang ransomware organization claimed responsibility for the attack and said it had stolen about 3,000 files totaling 2.8Gb in size. According to the file names the hackers have disclosed, they may have stolen NDAs, source code, VPN clients, and other data.

The attack did not use ransomware that encrypts files. After being removed from Cisco's systems, the hackers did email Cisco executives, but it didn't contain any explicit threats or demands for ransom.

Cloudflare Users Targeted by Hackers that Breached into Twilio

On Tuesday, the web infrastructure provider Cloudflare revealed that at least 76 of its staff members and their families had received texts on both personal and business phones that resembled the intricate phishing effort on Twilio.

Furthermore, Cloudflare said that its Cloudforce One threat intelligence team was able to do an analysis of the attack, despite the fact that its systems were not hacked.

The systems and officials of several firms are the targets of this sophisticated attack, as per analysts. Four phone numbers linked to SIM cards issued by T-Mobile were used in the attack, which exists around the same time Twilio was targeted and was ultimately unsuccessful.

Cloudflare said the rogue domain was built via Porkbun under 40 minutes before the wave of more than 100 smishing messages started. It also said the phishing page was created to quickly pass the data given by unwary customers to the attacker via Telegram.

The data was directly taken to the attacker via the messaging app Telegram once the message receiver input his credentials on the phishing site. Experts claim since the phishing page would request a Time-based One Time Password (TOTP) code, the real-time relay was essential for the hackers. Once they had this information, the attackers would access the actual login page for the victim company.

Only three employees, as per Cloudflare, clicked the link in the phishing email and submitted their credentials. However, the business does not use TOTP codes; rather, its staff members use a YubiKey security key that complies with FIDO2. This implies that even if an attacker has the credentials, they cannot access the firm systems without the hardware key.

As Cloudflare also disclosed, AnyDesk remote access software was immediately downloaded on their machines after providing their credentials on the phishing pages, enabling the hackers to remotely take control of their systems if installed.

The company stated it reset the affected employees' login passwords and tightened its access policy to block any logins from unidentified VPNs, residential proxies, and infrastructure providers in addition to working with DigitalOcean to shut down the attacker's server.

Kaspersky VPN Secure Connection Vulnerability Discovered

Kaspersky's VPN Secure Connection for Microsoft Windows has a local privilege-escalation (LPE) vulnerability that could allow an already-authenticated hacker to access administrative privileges and potentially seize total control of a victim's computer.

Researchers disagree over the bug's CVSS score, which is tracked as CVE-2022-27535. The bug has a high-severity CVSS score of 7.8 out of 10 as per a Synopsys alert published, but Kaspersky scores it as moderate with a 5.0 CVSS level.

In either case, it is present in the Support Tools section of the app and would enable root access to Server, the highest level possible in the Windows environment, allowing an authenticated hacker to delete any file at will from the system.

The Kaspersky team has fixed a flaw in the Kaspersky VPN Secure Connection that was exploited by an authorized hacker to trigger arbitrary file deletion on the host. It might result in device malfunction or the deletion of crucial system files necessary for proper system operation. 

An attacker needed to create a specific file and persuade customers to utilize the 'Delete all service data and reports' or 'Save report on your computer' product capabilities in order to carry out this attack.

Users should upgrade to version 21.6 or later to patch their systems because Kaspersky has solved the problem.

QNAP NAS servers attacked by Checkmate ransomware


A new ransomware strain known as Checkmate has recently come to the attention of Taiwanese vendor QNAP, and early research suggests that it is targeting NAS machines with SMB services that are accessible via the internet. SMB is a communication protocol that allows nodes on a network of devices to exchange access to files. 


The ransomware adds the .checkmate extension to the filenames of encryption keys and leaves an extortion letter with the name !CHECKMATE DECRYPTION README on the compromised devices. 

According to a report by BleepingComputer, some forum users claimed to have contracted the Checkmate ransomware in June. For a decryptor and a decryption key, the hackers want payment from the victims in bitcoins worth $15,000 each. 

The malicious actors behind this campaign, according to QNAP, will use accounts compromised by dictionary assaults to remotely log in to devices that are vulnerable to remote access. After getting access, they begin encrypting files in shared folders, although according to victim claims, all the data is encrypted.

Resist ransomware threats 

The company advised users to utilize VPN software to decrease the attack surface and prevent threat actors from attempting to log in using hacked credentials. It also advised customers to avoid exposing their NAS machines to Internet access. 

Additionally, QNAP users were instructed to evaluate all of their NAS accounts right away, double-check that they're using strong passwords, back up their files, and often create backup snapshots in case their data needs to be restored.

Taking away SMB 1 
  • Visit QTS, QuTS hero, or QuTScloud and log in. 
  • Go to Win/Mac/NFS/WebDAV > Microsoft Networking under Control Panel > Network & File.
  • Then select Advanced Options. 
  • The window for Advanced Options appears. 
  • Select SMB 2 or higher next to the Lowest SMB version. 

QTS, QuTS hero, or QuTScloud updates 
  • Register as an administrator on QTS, QuTS Hero, or QuTScloud.
  • Go to System > Firmware Update in the Control Panel. 
  • Click Check for Update under Live Update. 

The most recent update is downloaded and installed by QTS, QuTS hero, or QuTScloud. Additionally, QNAP stated last month that it is "thoroughly researching" a recent round of attacks that began in early June and are aimed at spreading the DeadBolt ransomware.

In the past two years, a wave of ransomware assaults has targeted QNAP NAS users, leading the vendor to publish several alerts and urgent updates, and even encourage for end-of-life hardware.

Researchers: Wi-Fi Probe Requests Leak User Data


A team of academic researchers from the University of Hamburg in Germany discovered that Wi-Fi investigation requests from mobile devices expose identifiable information about their owners via Wi-Fi investigation requests. 

When a probe response is received, mobile devices use it to obtain information about nearby Wi-Fi access points and connect to them. According to the researchers, attackers who can sniff network traffic can use these probing requests to monitor and identify devices, as well as determine their position. 

According to them, nearly a quarter of probe requests contain the Service Set Identifiers (SSIDs) of previously connected networks, which might be exploited to expose home addresses or visited places. Furthermore, the researchers highlight that the probe requests may be used to trilaterate the position of a device with an accuracy of up to 1.5 metres or to "trace the movement of a device to effectively monitor its owner.

“This is in fact employed in 23% of the stores already. Companies and cities that conduct Wi-Fi tracking take the legal position that only the MAC address contained in probe requests is considered personal data according to GDPR Article 4(1), which protects personal data from unlawful collection and processing,” the researchers stated in their paper. 

Experiment findings:

According to the academics, information gathered during a November 2021 experiment focusing on the analysis of probe requests should be sufficient to deem these queries personal data, based only on SSIDs recorded in the devices' preferred network lists (PNLs). 

As part of the trial, the researchers travelled to a pedestrian area in a German city and recorded probe requests three times in one hour using six off-the-shelf antennas. SSIDs were found in 23.2 per cent of the 252,242 total requests. 

The researchers also determined that some of the submitted probe requests with SSIDs revealed password data and that around 20% of the transmitted SSIDs were likely typos of the genuine SSID. The probe requests also revealed 106 separate first and/or last names, three email addresses, the SSIDs of 92 distinct vacation houses or lodgings, and the name of a nearby hospital. 

The academics claim that they ran all SSIDs using WiGLE's geolocation lookup API, which allowed them to determine the actual networks' locations within a 1-kilometre radius. 

The researchers added, “Considering the wealth of personal and sensitive information we observed in SSID fields, they can constitute identifying information and thus require due consideration. We argue that at least for as long as there are still devices broadcasting SSIDs, probe requests should be considered personal data and not be used for monitoring without legal basis.” 

 SideWinder Hackers Have Planted a Bogus Android VPN Program


A bogus VPN program for Android smartphones was uploaded on the Google Play Store, along with a proprietary tool that screens users for improved targeting, according to phishing efforts linked to an advanced threat actor known as SideWinder. SideWinder is an APT organization that has been operating since at least 2012 and is thought to be led by an Indian actor with a high level of expertise.

Over 1,000 cyber attacks were ascribed to this gang in the last two years, according to Kaspersky, who praised its persistence and clever obfuscation tactics. Organizations in Pakistan, China, Nepal, and Afghanistan are the principal targets.

The threat actor uses spear-phishing emails to spread malicious ZIP bundles containing RTF or LNK files that install an HTML Application (HTA) payload from a remote server. The adversary uses a pretty big infrastructure that includes over 92 IP addresses, mostly for phishing assaults, and hundreds of domains and subdomains that serve as command and control servers. 

SideWinder, also known by the names, RattleSnake, Razor Tiger, T-APT-04, APT-C-17, and Hardcore Nationalist, was responsible for a recent phishing campaign that targeted both public and commercial sector institutions in Pakistan. 

A phishing document tempting victims with a document advocating "a formal debate of the impact of the US withdrawal from Afghanistan on maritime security" was discovered earlier this year by researchers at cybersecurity firm Group-IB. While the exact purpose of the bogus VPN program is unknown, this isn't the first time SideWinder has gotten around Google Play Store restrictions by publishing malicious apps disguised as utility software.

Trend Micro reported in January 2020 that three malicious applications masquerading as photography and file manager utilities used a security weakness in Android (CVE-2019-2215) to acquire root access and abuse accessibility service rights to gather sensitive data.

Polonium Assaults Against Israeli Organizations were Blocked by Microsoft


Microsoft stated it has banned a hacking gang known as Polonium, based in Lebanon, from utilizing the OneDrive cloud storage platform for data exfiltration and command and control while attacking and compromising Israeli firms. The internet giant's Threat Intelligence Center (MSTIC) stated it stopped over 20 malicious OneDrive apps built by Polonium and alerted affected companies, in addition to erasing the criminal accounts created by the Lebanon-based entity. 

"Across the majority of its victims, this attacker has deployed unique tools that abuse lawful cloud services for command and control (C2)." as per Microsoft's research. "POLONIUM was seen generating and using legal OneDrive accounts, then using those accounts as C2 to carry out part of the offensive operation," says the report. 

POLONIUM has been seen operating on or targeting various organizations previously penetrated by the Iran-linked MuddyWater APT (aka MERCURY). 

Since February 2022, the antagonistic group is thought to have breached more than 20 Israeli institutions and one intergovernmental body with operations in Lebanon. Manufacturing, IT, transportation, defense, government, agriculture, finance, and healthcare companies were among the targets of interest, with one cloud service provider hacked to target a downstream aviation company and law firm in a supply chain attack.

Unpatched Fortinet FortiOS SSL VPN servers vulnerable to CVE-2018-13379 exploits leveraging a critical path traversal weakness allowing login credentials theft appear to represent the first access vector for the vast majority of victims, according to Microsoft. In November 2020, a hacker disclosed the passwords for nearly 50,000 vulnerable Fortinet VPNs, just days after a list of CVE-2018-13379 one-line exploits was publicly disclosed. 

A list of roughly 500,000 Fortinet VPN passwords supposedly harvested from susceptible devices was posted online again almost a year later. The actor's campaign chains have included the usage of proprietary tools that use genuine cloud services like OneDrive and Dropbox accounts for C2 and malicious tools named CreepyDrive and CreepyBox for its victims.

This isn't the first time Iranian threat actors have used cloud services to its advantage. Cybereason revealed in October 2021 that a group called MalKamak organized an attack campaign that use Dropbox for C2 communications to remain under the radar. 

MSTIC also stated that several of the victims penetrated by Polonium had previously been targeted by another Iranian entity known as MuddyWater (aka Mercury), which the US Cyber Command has described as a "subordinate element" under MOIS. The victim overlaps support previous reports that MuddyWater is a "conglomerate" of several teams similar to Winnti (China) and the Lazarus Group (North Korea). 

Customers are encouraged to implement multi-factor authentication as well as analyze and audit partner relations to minimize any superfluous permissions to combat such risks.

Android Trojans are After Financial Apps With Over a Billion Downloads


The exploitation of financial apps by trojans has become prevalent, according to a report by Zimperium, a mobile security firm. Trojans are a type of malware that infects users' devices by posing as legitimate and trustworthy programs. The researchers looked at ten separate trojans that are currently active in the open and discovered that they target 639 financial Android apps when combined. 

Once they've infected a device, they leverage Accessibility services to take actions as the user, overlaying login pages on top of authentic banking and finance apps to steal login details, monitoring notifications to capture OTPs, and even carrying out on-device financial fraud. This is particularly concerning because, according to 2021 studies, three out of four Americans use banking applications to conduct their regular financial activities, offering a large target pool for these trojans.

The Google Play Store has slightly over 1 billion downloads of these mobile banking, investment, payment, and cryptocurrency apps combined. PhonePe, which is immensely popular in India and has 100 million downloads on the Play Store, is the targeted application with the most downloads. 

The popular bitcoin exchange software Binance has received 50 million downloads. Cash App is a mobile payment service that is available in the United States and the United Kingdom, with 50 million downloads on Google Play. Even though they don't provide traditional financial services, some banking Trojans target both of these. BBVA, a worldwide online banking platform with tens of millions of downloads, is the most widely marketed application. Seven of the ten most active banking trojans have been found to target this app. 

Additional trojans which were active during the first half of 2021 include the following: 

  • BianLian is a malware that targets Binance, BBVA, and several Turkish apps.
  • Cabassous is after clients from Barclays, CommBank, Halifax, Lloys, and Santander. 
  • Coper may take over accounts from BBVA, Caixa Bank, CommBank, and Santander. 
  • Barclays, Intensa, BancoPosta, and a slew of other Italian apps are among the targets of EventBot. This one uses Microsoft Word or Adobe Flash to hide its true identity. 
  • PayPal, Binance, Cash App, Barclays, BBVA, and CaixaBank may all be affected by the aforementioned Exobot. 
  • FluBot affected BBVA, Caixa, Santander, and several other Spanish apps. 
  • Medusa was a banking app that targeted BBVA, CaixaBank, Ziraat, and Turkish banks. 
  • Binance, BBVA, and Coinbase were all hit by Sharkbot. 
  • PhonePe, Binance, Barclays,, Postepay, Bank of America, Capital One, Citi Mobile, and Coinbase are among the companies targeted by Teabot. 
  • BBVA and a slew of other EU-specific bank apps are among those targeted by Xenomorph. 
The method utilized by these trojans would be that they each have a small target scope and different types of functionality for diverse goals. Because these trojans are concealed among programs available on Android's official app store, users should be cautious and avoid downloading apps from untrustworthy sources. One may take it a step further by using a provider like ExpressVPN.

Zyxel: Firewalls, Access Points, and Controllers are Vulnerable


Zyxel has issued a cybersecurity advisory alerting administrators about various vulnerabilities impacting a variety of firewall, access point, and access point controller products. 

While the flaws are yet not ascribed a high severity rating, the potential damage they can cause is something to be taken seriously as these flaws could be exploited by malicious attackers as an aspect of exploit chains. Moreover, Zyxel goods are used by large enterprises, and any exploitable faults in them attract threat actors right away. 

The most serious of the four flaws is a command injection problem in various CLI commands, which is classified as CVE-2022-26532 (CVSS v3.1 7.8):

  • CVE-2022-0734: A cross-site scripting vulnerability has been discovered in the CGI, which could allow a malicious script to access information stored in the user's browser, such as cookies. 
  • CVE-2022-26531: A locally authenticated attacker might utilize a system crash by exploiting several erroneous input validation issues in various CLI commands of some firewall, AP controller, and AP versions. 
  • CVE-2022-26532: A command injection vulnerability in some firewall, AP controller, and AP versions' "packet-trace" CLI command might enable a local authorized attacker to execute arbitrary OS instructions by passing crafted parameters to the command. 
  • CVE-2022-0910: An attacker might use an IPsec VPN client to downgrade from two-factor authentication to one-factor authentication. 

While Zyxel has released software updates for firewalls and access points, the only way to get a hotfix for AP controllers affected by CVE-2022-26531 and CVE-2022-26532 is to contact the local Zyxel support teams. 

The news comes as a major command injection hole in select Zyxel firewalls; CVE-2022-30525, CVSS score: 9.8) has been actively exploited, forcing the US Cybersecurity and Infrastructure Security Agency to add the vulnerability to its Recorded Exploited Vulnerabilities Database.

FBI Warns of Hackers Selling US College VPN Credentials on Underground Forums


Threat actors are advertising network credentials and virtual private network (VPN) access for colleges and universities based in the United States on underground and public criminal marketplaces. 

Last week, the Federal Bureau of Investigation (FBI) issued an advisory regarding usernames and passwords giving access to colleges and universities based in the U.S. that are put up for sale on Russian cybercriminal platforms. The price of stolen credentials varies between a few U.S. dollars to thousands. 

Hackers use several tactics such as ransomware and spear-phishing, to execute credential harvesting attacks and sell them on Russian hacking forums. The credentials allow hackers to launch brute-force attacks to infiltrate into victim accounts spanning different accounts, internet sites, and services. 

"If attackers are successful in compromising a victim account, they may attempt to drain the account of stored value, leverage or re-sell credit card numbers and other personally identifiable information, submit fraudulent transactions, exploit for other criminal activity against the account holder, or use for subsequent attacks against affiliated organizations," the FBI warned. 

Last year in May, the agency said it identified more than 36,000 email and password combinations for email accounts ending in the ".edu" domain publicly available on an instant messaging platform posted by a group that specialized in the trafficking of stolen login credentials. 

According to Emsisoft threat analyst Brett Callow, 10 of the 13 attacks on colleges this year involved data exfiltration. Ohlone College, Savannah State University, University of Detroit Mercy, Centralia College, Phillips Community College of the University of Arkansas, Florida International University, and Stratford University are just a few of the schools impacted by ransomware this year. 

Security tips 

The FBI advises academic institutions to liaise with their local FBI Field Office and update their incident response and communication plans. Implementing brute-force protection, training sessions for students and faculty to identify phishing attempts, using strong, unique passwords, and multi-factor authentication are regular recommendations that are valid for all organizations. 

"Universities, especially, should be providing students and staff with training to spot convincing phishing emails and the steps to undertake when opening various attachments or emails. Students are an easy target because unlike in a work environment, they often lack the necessary understanding to spot these types of attacks," stated Steven Hope, CEO, and co-founder of password management firm Authlogics.

Several Palo Alto Devices Affected by OpenSSL Flaw


In April 2022, Palo Alto Networks aims to patch the CVE-2022-0778 OpenSSL flaw in several of its firewall, VPN, and XDR devices. 

OpenSSL published fixes in mid-March to address a high-severity denial-of-service (DoS) vulnerability impacting the BN mod sqrt() function used in certificate parsing, which is tracked as CVE-2022-0778. Tavis Ormandy, a well-known Google Project Zero researcher, uncovered the issue. An attacker can exploit the flaw by creating a certificate with invalid explicit curve parameters. 

The advisory for this flaw read, “The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.” 

“It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.” 

The bug affects OpenSSL versions 1.0.2, 1.1.1, and 3.0, and the project's maintainers fixed it with the release of versions 1.0.2zd (for premium support customers), 1.1.1n, and 3.0.2. When parsing an invalid certificate, an attacker can cause the OpenSSL library to enter an infinite loop, resulting in a DoS condition, according to Palo Alto Networks. 

“All PAN-OS software updates for this issue are expected to be released in April 2022. The full fixed versions for PAN-OS hotfixes will be updated in this advisory as soon as they are available.” as per Palo Alto Network. 

During the week of April 18, the company is expected to provide security remedies for the above vulnerability. PAN-OS, GlobalProtect app, and Cortex XDR agent software, according to Palo Alto, have a faulty version of the OpenSSL library, whereas Prisma Cloud and Cortex XSOAR solutions are unaffected. 

“We intend to fix this issue in the following releases: PAN-OS 8.1.23, PAN-OS 9.0.16-hf, PAN-OS 9.1.13-hf, PAN-OS 10.0.10, PAN-OS 10.1.5-hf, PAN-OS 10.2.1, and all later PAN-OS versions. These updates are expected to be available during the week of April 18, 2022.” continues the advisory. 

Customers with Threat Prevention subscriptions can enable Threat IDs 92409 and 92411 to limit the risk of exploitation for this issue while waiting for PAN-OS security upgrades, according to the company.

Viasat: Acid Rain Virus Disable Satellite Modems


The cyberattack which targeted the KA-SAT satellite broadband service to erase SATCOM modems on February 24 used a newly discovered data wiper virus. It impacted thousands in Ukraine and thousands more across Europe. 

A cybersecurity firm, SentinelOne, claims to have discovered a malware sample, which disrupted internet connectivity on February 24. The malware, called AcidRain, which was also likely utilized in the Viasat breach, is a Unix executable application which is meant to attack MIPS-based devices. This could indicate the attackers' lack of experience with the filesystem and firmware of the targeted devices, or their desire to create a reusable tool.

The same sample came from SkyLogic, the Viasat operator in charge of the damaged network, which is also situated in Italy. The software sample was also tagged with the moniker "ukrop," which could be a reference to the Ukraine Operation. 

The researchers underscored that Viasat did not offer technical indicators of compromise or a detailed incident response report. Instead, rogue commands damaged modems in Ukraine and other European countries, according to the satellite industry. The SentinelOne duo were perplexed as to how valid orders could produce such mayhem in the modem, "scalable disruption is more feasibly performed by delivering an update, script, or executable," they added. 

The program wipes the system and various storage device files completely. AcidRain executes an initial repetitive replacement and removal of non-standard files in the filesystem if the malware is launched as root "Juan Andres Guerrero-Saade and Max van Amerongen," SentinelOne threat experts, revealed. 

The wipers overwrite file structures with up to 0x40000 bytes of data or utilize MEMGETINFO, MEMUNLOCK, MEMERASE, and MEMWRITEOOB input/output control (IOCTL) service calls to erase data on compromised devices. 

The fact Viasat has supplied nearly 30,000 modems to get clients back online since the February 2022 attack and is still shipping more to speed up service restoration, suggests that SentinelOne's supply-chain threat scenario is correct. The IOCTLs used by this virus also resemble those used by the VPNFilter malware 'dstr' wiper plugin, a destructive program linked to Russian GRU hackers. 

The Ukrainian Computer Emergency Response Team recently stated a data wiper known as DoubleZero had been used in assaults on Ukrainian businesses. On the same day that Russia invaded Ukraine, they discovered IsaacWiper, a data wiper, and HermeticWizard, a new worm which dropped HermeticWiper payloads. ESET has discovered a fourth data-destroying malware strain called CaddyWiper, which wipes data across Windows domains and eliminates user data and partition information from associated drivers. 

Microsoft discovered a sixth wiper, now known as WhisperGate, in mid-January, which was being used in data-wiping attacks targeting Ukraine while masquerading as ransomware.

This New Russian Cyclops Blink Botnet Targets ASUS Routers


Nearly a month after it was discovered that the malware used WatchGuard firewall appliances as a stepping stone to obtaining remote access to infiltrated networks, ASUS routers have been the target of a budding botnet known as Cyclops Blink. 

The botnet's primary objective is to develop an infrastructure for additional attacks on high-value targets, according to Trend Micro, given that none of the compromised hosts belongs to vital organisations or those that have an obvious value on economic, political, or military espionage. 

Cyclops Blink has been identified by intelligence services in the United Kingdom and the United States as a replacement framework for VPNFilter, a malware that has targeted network equipment, especially small office/home office (SOHO) routers and network-attached storage (NAS) devices. 

Sandworm (aka Voodoo Bear), a Russian state-sponsored actor has been linked to both VPNFilter and Cyclops Blink. It has also been tied to several high-profile cyberattacks, including the 2015 and 2016 attacks on the Ukrainian electrical grid, the 2017 NotPetya attack, and the 2018 Olympic Destroyer attack on the Winter Olympic Games. 

The complex modular botnet, c language, affects a variety of ASUS router types, with the company admitting that it is working on a patch to handle any potential exploitation. –  
  • GT-AC5300 firmware under
  • GT-AC2900 firmware under
  • RT-AC5300 firmware under
  • RT-AC88U firmware under
  • RT-AC3100 firmware under
  • RT-AC86U firmware under
  • RT-AC68U, AC68R, AC68W, AC68P firmware under
  • RT-AC66U_B1 firmware under
  • RT-AC3200 firmware under
  • RT-AC2900 firmware under
  • RT-AC1900P, RT-AC1900P firmware under
  • RT-AC87U (end-of-life)
  • RT-AC66U (end-of-life), and
  • RT-AC56U (end-of-life)
Apart from employing OpenSSL to encrypt connections with its command-and-control (C2) servers, Cyclops Blink also includes specific modules that can read and write from the devices' flash memory, allowing it to persist and survive factory resets. A second reconnaissance module acts as a medium for exfiltrating data from the hacked device to the C2 server, while a file download component is responsible for retrieving arbitrary payloads through HTTPS. Although the exact form of initial access is unknown, Cyclops Blink has been affecting WatchGuard and Asus routers in the United States, India, Italy, Canada, and Russia since June 2019. 

A law firm in Europe, a medium-sized entity producing medical equipment for dentists in Southern Europe, and a plumbing company in the United States are among the impacted hosts. Because of the infrequency with which IoT devices and routers are patched and the lack of security software, Trend Micro has warned that this might lead to the establishment of "eternal botnets."

The researchers stated, "Once an IoT device is infected with malware, an attacker can have unrestricted internet access for downloading and deploying more stages of malware for reconnaissance, espionage, proxying, or anything else that the attacker wants to do. In the case of Cyclops Blink, we have seen devices that were compromised for over 30 months (about two and a half years) in a row and were being set up as stable command-and-control servers for other bots."

Facebook, Instagram and Twitter Users from Russia have Noticed Malfunctions in their Work


According to Downdetector, a service for tracking problems in the work of Internet platforms, users from Russia began to complain en masse about the failures of Facebook, Instagram and Twitter. Problems in social networks began on February 25. Over 80% of users sent complaints about the functioning of the application, another 10% noticed that they could not log in to their profile, and 7% reported problems with the operation of social network sites. 

Recall that on February 25, Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology, and Mass Media) partially restricted access to Facebook. On the same day, the Prosecutor General's Office recognized the social network involved in the violation of human rights and freedoms and citizens of Russia. 

On February 26, representatives of Russian media were banned from showing ads and monetization in the social network Facebook. The company took such a step because of the situation around Ukraine. At the same time, Twitter suspended advertising for Russians and Ukrainians, as well as temporarily stopped recommending tweets to avoid the spread of insulting materials. 

In addition, Roskomnadzor restored measures in the form of slowing the speed of Twitter Internet service on devices in Russia in connection with the dissemination of untrustworthy public information about the military operation in Ukraine. 

The agency recalled that since March 10, 2021, Roskomnadzor slowed down Twitter on mobile phones and fixed devices on the territory of the Russian Federation for refusal to delete information that is prohibited in the Russian Federation. On May 17, 2021, after the deletion of more than 91% of the prohibited information by Twitter's moderation services, the restrictions were lifted. 

Roskomnadzor noted that in this situation, the condition for lifting access restrictions "is the complete removal of Twitter of prohibited materials identified by Roskomnadzor, as well as the termination of participation in the information confrontation, distribution of fakes and calls for extremism". 

In the Russian segment of the Internet, you can now often find messages: "If anything, here is my Telegram account...». Since February 25, when Roskomnadzor announced the partial blocking of the Facebook network, almost every Russian user has considered it his duty to notify friends where to look for him now. 

Bloggers and media resources are increasingly posting on their pages posts with recommendations for installing a VPN and other measures to bypass blocking. Service was Seized Because it was Used by Criminals to Spread Ransomware


Following a coordinated worldwide police investigation, a VPN service used by criminals to spread ransomware, malware, and facilitate other forms of cybercrime has been knocked offline. The 15 servers used by the service have been seized or disrupted as part of a combined operation by Europol, Germany's Hanover Police Department, the FBI, the UK's National Crime Agency (NCA), and others. 

According to Europol, was founded in 2008 and provides services based on OpenVPN technology and 2048-bit encryption to give online anonymity for as little as $60 per year. The service also offered a double VPN, with servers located in a variety of countries. "This made a popular choice for cybercriminals, who could use its services to carry on committing their crimes without fear of detection by authorities," the agency said. 

According to Europol, several investigations have revealed criminals using the service to enable illegal operations such as virus dissemination. Other incidents demonstrated the service's usage in the setup of infrastructure and communications for ransomware operations, as well as the actual deployment of malware. Cybercriminals also utilized the site to spread malware while evading authorities — but now that the servers have been seized, law enforcement is reviewing customer data in an attempt to identify cybercriminals and victims of cyberattacks.

The domain presently shows a warning telling visitors that the domain has been seized by legal enforcement. According to the statement, authorities obtained consumer data held on confiscated servers, and an inquiry has been initiated. Europol has not revealed which types of malware and ransomware were distributed using the VPN provider. As a consequence of the investigation, more than 100 organizations have been identified as being vulnerable to cyberattacks, and law enforcement is collaborating with them to mitigate any possible compromise. 

"The actions carried out under this investigation make clear that criminals are running out of ways to hide their tracks online," said Edvardas Šileris, head of Europol's European Cybercrime Centre (EC3). "Each investigation we undertake informs the next, and the information gained on potential victims means we may have pre-empted several serious cyberattacks and data breaches," he added. 

On January 17, 2022, authorities from Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States, and the United Kingdom joined forces to disrupt VPNLab, with assistance from Europol.