
Online Tracking: What Do You Need to Know?

 


Whenever you browse the Internet you leave a record of what you click on and which websites you visit. Most websites use small pieces of data called cookies to track information about your visit. Besides cookies, many websites use user accounts to monitor visitors' activity while they browse. This type of browser tracking poses no serious risk to your online security, but since your data is being monitored, it is important to understand how it is processed and tracked.

A small shift in favor of consumer privacy has been observed in recent years. Several tech giants received substantial fines for using trackers in an invasive or improper way that violated consumer privacy. For example, in the past year Google settled charges that it misled users into thinking they had turned off location tracking, paying out a $391.5 million settlement.

Despite this, the company continues to collect information about its customers. Even though there has been some high-profile finger-wagging at tech companies for disregarding users' privacy, brands and advertisers are still mostly free to use tracking software to record our online actions, with little resistance from consumers.

As a result, it is unlikely that this situation will change anytime soon. The EU Commission is currently developing a project that would allow brands to track users online more easily: a unique code is generated from a user's mobile phone, or by the network from the user's mobile number. Brands could use this digital footprint to identify and categorize users, target them individually with customized content, and profile their behavior.

This may sound like an innocuous plan to improve the internet experience for users and brands alike, but to many it seems out of the ordinary. Expanding brands' ability to collect our personal information raises serious concerns about the safety, security, and even the ethics of data collection.

Everything is Tracked  

A tracker is essentially a piece of code embedded within a website or app that allows a company to collect and record information about how users use that website or app. A tracker can collect a great deal of information about how you use your computer: the websites you visit, the links you click, the products you buy, and even your location.

By collecting and analyzing this information, companies can gain valuable insights into their users' preferences, habits, and behaviors. A company could then use these insights to improve its services and products. Modern internet usage is hyper-personalized and built on trackers and data collection. 
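As an added example that is not part of this post, the following POSIX shell script applies the definition of a tracker given above to a constructed request log of one page load: every host that is not the first-party site and sets a cookie is reported as a third-party tracker, along with the cookie name and how many days the cookie persists. The log, the host names (news.example, analytics-tracker.example, ads-network.example) and the cookie values are all invented for illustration.

```shell
#!/bin/sh
# Added example: spotting third-party cookie setters in a page load.
# REQUEST_LOG is a constructed record of the requests made while loading
# https://news.example/, one per line as "request-host|Set-Cookie value"
# (empty after the bar when the response set no cookie). All host names and
# cookie values are invented for illustration.
REQUEST_LOG='news.example|session=abc123; Path=/; Secure; HttpOnly
cdn.news.example|
analytics-tracker.example|_tid=9f3a; Max-Age=63072000; SameSite=None; Secure
img.news.example|
ads-network.example|uid=42; Max-Age=31536000; SameSite=None; Secure
analytics-tracker.example|_tid=9f3a; Max-Age=63072000; SameSite=None; Secure'

# is_first_party HOST SITE: succeeds when HOST is SITE itself or a subdomain of it.
is_first_party() {
  case "$1" in
    "$2"|*."$2") return 0 ;;
    *) return 1 ;;
  esac
}

# third_party_trackers SITE: print "host cookie-name lifetime-days" for every
# host outside SITE that sets a cookie, one line per host/cookie, de-duplicated.
# Lifetime comes from the Max-Age attribute (0 when absent, i.e. a session cookie).
third_party_trackers() {
  site="$1"
  printf '%s\n' "$REQUEST_LOG" | while IFS='|' read -r host cookie; do
    [ -n "$cookie" ] || continue            # no cookie set: not counted as a tracker
    is_first_party "$host" "$site" && continue
    name="${cookie%%=*}"                    # cookie name is the text before the first '='
    secs=$(printf '%s' "$cookie" | sed -n 's/.*Max-Age=\([0-9][0-9]*\).*/\1/p')
    printf '%s %s %s\n' "$host" "$name" "$(( ${secs:-0} / 86400 ))"
  done | sort -u
}

# Example run on the constructed log: lists the two tracker hosts and their cookies.
third_party_trackers news.example
```

In a real investigation the log would come from the browser's network panel or a HAR export; the SameSite=None attribute on both tracker cookies is the typical marker of a cookie meant to be sent in cross-site requests, which is what makes it usable for tracking across websites.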

There is only minimal real value, and a superficial one, in focusing advertising on user interests and tailoring browsing experiences to their needs. Still, high-quality targeted ads are evidently a step up from the glitchy, irrelevant banners found on many websites.

The reality is that the vast amount of information consumers release, which is stored and converted into customized ads based on their preferences, location, and browsing history, has created a growing sense of discomfort for many of them. In the last few years it has become increasingly apparent that internet giants monitor users' digital footprints more closely than ever before and sell personal information to the highest bidder. Many users feel as if they are constantly watched.

It is even possible to argue that targeted advertising is not in the public interest. Some experts worry that individuals will be unable to explore more interesting ideas and perspectives due to personalized content generated by tracking. One's worldview narrows as a result. 

Ultimately, it is up to the Consumer   

It is clear what internet users need to do to limit online trackers. A virtual private network (VPN) is the simplest and most effective way to encrypt internet traffic and hide your IP address, shielding that traffic from governments, advertisers, and other third parties, who will therefore have difficulty tracking your online activities. It also prevents hackers and other bad actors from reading personal data that could be misused in illegal activities.

Even though it is difficult to fool online trackers, there seems to be a growing movement of internet users breaking away from big corporations such as Google and Facebook and turning to products and services that actively denounce internet tracking. These work towards a more transparent internet that does not track its users and offer many privacy-conscious features that let users roam freely without worrying about being constantly tracked and monitored.

To do this, they favor websites that use privacy-first analytics tools. The fact is, as mentioned, that for most consumers it won't be easy or even possible to disappear from all social media completely or to alter their internet usage overnight. However, there are small steps internet users can take to gain a bit more control over how their personal information is collected and used online, such as relying on brands that actively eschew corporate surveillance practices.

There has been an unprecedented increase in brands' ability to track consumers' movements, and users have lost control over their digital destinies as a result. Protecting privacy and identity online has therefore become a more critical concern than ever before. It is imperative to know how brands and businesses collect and use our data and how they track us. Equipped with this knowledge, internet users can use VPNs to protect their privacy, limiting data mining and how much data is collected about them online.

There is no doubt that this will lead to a more optimistic internet landscape in which consumers control their own data and privacy. Brands and big corporations will be forced to follow suit as this movement gains momentum.

Ways in Which Online Merchants Scam Customers

Have you ever tried to unsubscribe from an email newsletter you never subscribed to, only to find a jumble of text at the bottom of the message, some of it practically grayed out, that makes it virtually impossible to find the 'unsubscribe' link? That is a 'dark pattern': a kind of internet design that serves to 'deceive, insinuate, and obfuscate.'

The web has traditionally been rife with shady activity, from viruses to scams. It was not until 2010 that Harry Brignull, a UX specialist, began shedding light on the deceptive strategies that even the most well-known brands employ. Brignull coined the moniker 'dark patterns' to emphasize how detrimental these strategies may be to the victim's mental and financial health.

According to a Which? poll, 45% of respondents said that dark patterns made them feel tricked or annoyed, and 13% said that they had been persuaded to spend more money than they had intended. According to the U.S. Federal Trade Commission, consumers end up spending 20% more money when ticket prices are not disclosed upfront. Additionally, a website's dark designs can persuade you to divulge more information than you are comfortable with.

Ways that internet shopping might lure you into splurging:
  • Free delivery minimums
  • Email reassurance
  • Advertisements with retargeting
  • Discounted loyalty programs
  • Discounts for new clients
  • Discounts dependent on subscription
Dark patterns include trick questions, adding unwanted items to your online shopping cart, and coercing you into disclosing sensitive information. The world's most popular internet retailer, Amazon, is the one deceiving consumers the most: it employs 11 of the 12 identified forms of dark patterns, some of which have sparked inquiries from the FTC and EU regulators. Walmart, probably Amazon's biggest rival, employs just four.

Even though some expenses might be necessary, being aware of the strategies merchants employ to increase your purchase will keep you from falling for them. The highly relevant adverts you receive come from businesses that monitor your online activity across multiple websites; an encrypted internet connection limits that monitoring, and a VPN offers the highest level of encryption. Without internet privacy protection, all of your online activities are susceptible to being recorded and examined by interested parties.


Mousetrapping: What is it & how to Safeguard Against it?

 

Mousetrapping works the same way a traditional mousetrap does: you unknowingly walk into a trap designed to keep you stuck for as long as possible. Operators who use mousetraps do so to push their products or services, and they may even attempt to steal your personal details. So how do you know when you've stepped into a trap?

Mousetrapping is an unethical practice used by some website operators to keep you on their site for longer than necessary. It is a technique that traps you in an endless loop of pages and pop-ups, preventing you from leaving a website.

Some operators will even open the new page you've been redirected to in a new window. You can't access the taskbar, toolbar, or browser menu while in this window, making it difficult to close. These websites may even deactivate the web browser's back or exit buttons, trapping you on the page until you exit the browser. In such cases, the only actionable buttons that work are those in pop-ups that force you to perform whatever action the website owner dictates.

"Your phone is hacked. Download this Antivirus Software Now.
99% of Android users have this app on their phone.
Your government is tracking your phone. Install this VPN."

When you visit a website with mousetraps, you will encounter a lot of messages like this: pop-ups requesting you to download an app, visit another site, or even enter your phone number. Clicking the exit button on these pop-ups usually results in more call-to-action messages. Executing these actions and downloading the files will almost certainly result in the installation of malware on your computer and the theft of sensitive information.

How to Recognize a Mousetrap

The first step in making a mousetrap is to closely mimic the URL of a legitimate popular website. It could be a celebrity's official website or your favorite newspaper. With a simple misspelling of the domain, and code and content that closely resemble the authentic website, the malicious site can end up listed on search engines.

It is sometimes difficult to tell if a website is legitimate until you click on a link. Fortunately, there are methods for determining whether a website is genuine. The mousetraps are designed by the owners of these websites in order to capture as many clicks as possible from unwitting visitors. When you realize you've been duped, you immediately attempt to exit the site by clicking on a broken back button.

The logical next step would be to press the forward button or search the toolbar for an escape route. It is already too late at this point. It is nearly impossible to leave this way because the site owner has included lines of code that will open one ad banner after another for every click you make.

That isn't all. Because pop-ups appear quickly, you may end up with multiple windows open. You must close each pop-up one by one, and the more clicks you make, the more the site owner benefits. The close button on pop-ups does not always work, resulting in more ads, banners, and redirects.

Mousetrapping isn't just for clicks. Some threat actors use these traps to keep their victims occupied. The pop-ups and windows are designed to keep you on the page while malware is downloaded onto your system.

How to Get Out of a Mousetrap

The obvious escape, like most traps, will most likely lead you deeper into the trap. The back button you rush to click will simply open an ad in another window or launch a barrage of banners, further frustrating you. Despite this, there are a few ways to get out of mousetraps.

1. Input Another URL Address
2. Disable JavaScript
3. Use Keyboard Shortcuts

It's difficult to spot a malicious website, especially if it's a carbon copy of a popular platform. When you realize you've been trapped and windows and pop-ups are appearing with every click, go to the URL bar and enter a new address. You should be able to close the opened windows using keyboard shortcuts.

However, prevention is always preferable to cure. Use web browsers with add-ons and plug-ins that block redirects, advertisements, and unauthorized window openings. Another option is to disable JavaScript, which disables many site features, including pop-ups and banners.

Warning: Ransomware Attacks Spreading via Fortinet Kit

 

eSentire's Threat Research Unit (TRU) confirmed in recent research that threat actors are exploiting Fortinet Virtual Private Network (VPN) devices that remain vulnerable to a critical authentication bypass vulnerability. The VPNs were managed by third-party providers, so the affected organizations had no direct visibility into the devices.

Fortinet provides a security ecosystem of products including next-generation firewalls, antivirus, VPNs, and endpoint solutions, among other offerings.

On October 10, 2022, Fortinet issued a public statement disclosing a critical vulnerability (CVE-2022-40684) impacting several of its products, including FortiOS, FortiProxy, and FortiSwitchManager.

If the vulnerability is successfully exploited, the attacker gains access to the Fortinet device. This matters because such devices are often integrated with organization-wide authentication services such as Lightweight Directory Access Protocol (LDAP) and Active Directory (AD).

The TRU further said that its team detected and shut down two attacks on its customers: one a Canadian college and the other a global investment firm.

Additionally, once the threat actors had gained access to the target network, they used Microsoft's Remote Desktop Protocol (RDP) for lateral movement and abused the legitimate encryption utilities BestCrypt and BitLocker.

Keegan Keplinger, research and reporting lead for the eSentire TRU, said “SSL VPNs are easy to misconfigure, and they are highly targeted for exploitation since they must be exposed to the internet and they provide access to credentials for the organization…” 

“Additionally, the tendency for these devices to be managed by a third party often means that the organization and their security providers have no direct visibility into activities being conducted on the device. This allows threat actors longer dwell times, as observed in the sale of these devices on the dark web, [making] SSL VPNs a prime target for initial access brokers [IABs].” 

Furthermore, Keplinger said the TRU's research had shown that threat actors are always ready to exploit vulnerabilities in widely used products. The attacks send a strong signal to big tech companies whose technology is being exploited in this way.

A Zero-Trust Future Encourages Next-Generation Firewalls

The future of Zero Trust security relies greatly on next-generation firewalls (NGFWs). NGFWs are classified by Gartner Research as "deep packet inspection firewalls that incorporate software inspection, intrusion prevention, and the injection of intelligence from outside the firewall in addition to protocol inspection and blocking." As per Gartner, an NGFW should not be confused with a standalone network intrusion prevention system (IPS), nor with a regular firewall and an uncoordinated IPS combined in the same device.

Significance of Next-Generation Firewalls

1. Substantial investment in ML and AI

As part of their zero-trust security management goals, NGFW providers are boosting their investments in ML and AI to distinguish themselves from competitors and provide higher value. Analytical tools, user and device behavior analysis, and automated threat detection and response are all focused on identifying possible security issues before they happen. By utilizing AI and ML, NGFWs can continuously learn and react to the shifting threat landscape, resulting in a more effective Zero Trust defense against cyberattacks.

2. Contribution to Zero Trust

By removing implicit trust and continuously verifying each stage of a digital transaction, the zero trust approach to cybersecurity safeguards a business. Strong authentication, network segmentation, limiting lateral movement, Layer 7 threat prevention, and granular, least-privilege access controls are all used to defend modern environments and facilitate digital transformation.

Lacking such nuanced security measures, traditional networks grant implicit trust: once on the network, users, including threat actors and malicious insiders, are free to move laterally and access or exfiltrate sensitive data. A Zero Trust strategy is now more important than ever as digitalization accelerates in the shape of a growing hybrid workforce, ongoing cloud migration, and the transformation of security operations.

3. Threat monitoring to enforce least privilege access

NGFW device software is updated in milliseconds and transparently to administrators, so IT teams have to handle patch management tasks less frequently.

NGFWs that integrate with Zero Trust environments offer automated firmware patch updates, IPS, application control, automated malware analysis, IPsec tunneling, TLS decryption, IoT security, and software-defined WAN (SD-WAN) traffic management.

NGFWs in Microsoft Azure Supply Zero Trust

By enabling businesses to impose stringent access rules and segment their networks into distinct security zones, Microsoft Azure leverages next-generation firewalls (NGFWs) to deliver zero-trust security. This enhances the overall network security posture.

Azure Firewall can be set up not only to regulate traffic but also to monitor it, looking for risks and anomalies and taking appropriate action. As part of this, malicious communications can be blocked, infected devices can be quarantined, and security staff can be alerted to potential dangers.


NGFW firms are investing more in AI and ML to further distinguish their solutions. Companies must continue to enhance API integrations, particularly with IPS, SIEM systems, and Data Loss Prevention (DLP) solutions. They must also consider how software-defined networking (SDN) can increase adaptability while providing finer-grained control over network traffic. A well-implemented Zero Trust architecture not only improves overall security but also lowers security complexity and operational overhead.

When Using Open Wi-Fi, Users Don't Employ a VPN

A VPN is a software program that masks a device's real IP address and encrypts all data leaving the device. Using a VPN enables users to connect to a secure network via a public network and send all of their data through an encrypted channel, safeguarding their online activity.

The user's real IP address is concealed and strong encryption masks user activity when traffic is routed via another private server.

During travel, the likelihood of connecting to free public Wi-Fi to stream, watch YouTube videos, or browse social media feeds increases. This is where a good VPN service becomes useful and essential throughout the holiday season.

A recent poll reveals that when connecting to a risky Wi-Fi, the majority of users continue to refrain from using such protection software. 

VPNs were once mainly a business tool. In the present digital environment, every user should use a secure VPN to safeguard their online activity, and for individuals who frequently connect to open internet hotspots it is all the more important. Worryingly, it appears that most of us still do not adhere to this crucial privacy-friendly habit.

More than 56% of participants in a recent survey of 1,000 American users aged 18 and older who use public Wi-Fi said they were not using a VPN. To make matters worse, 41% do not use any encryption software at all.

The top travel hazards to be aware of this festive season have been compiled by cybersecurity company Lookout, which also makes antivirus software like Lookout Security and other security, privacy, and identity theft detection solutions.

Some of the key guidelines are as follows:
  • Stay wary of insecure Wi-Fi networks, because hackers may set up a similarly named deceptive network to deceive careless travelers and steal their login information.
  • Using USB charging outlets in public places can be risky.
  • Do not fall for travel-related phishing schemes; hackers may also attempt to con users with these scams.

Reliable VPN services are of utmost importance for browsing the web securely in any situation and for preventing prying governments and nefarious individuals from getting access to user data.
 


Over 4,000 Vulnerable Pulse Connect Secure Hosts Exposed to Internet


After CISA published a report in April 2021 cautioning users about exploitation of Pulse Connect Secure vulnerabilities, researchers at cybersecurity firm Censys found that 4,460 of the 30,266 Pulse Connect Secure hosts exposed to the internet lack security patches.

Pulse Connect Secure

Regarded as the most extensively used SSL VPN solution, Pulse Connect Secure offers remote and mobile users secure access to business resources. Ivanti added the VPN appliance to its portfolio in 2020 after acquiring Pulse Secure.

Pulse Secure appliances are also a favored target for both cybercriminals and state-backed threat actors. Government agencies have accordingly issued several advisories warning users of the ongoing exploitation of unpatched vulnerabilities in these products.

Censys Study on Pulse Connect Secure

As per the report published by Censys, six vulnerabilities, including a critical-severity file write vulnerability that may be used to execute arbitrary code with root privileges, are still unpatched on about 3,500 of the affected appliances.

“In total, Censys has found 30,266 Pulse Connect Secure hosts running on the internet […] One of the easiest ways to find these running using Censys is to search for a specific URI that can be found in the HTTP response body of a Pulse Connect Secure web service,” reads the post published by Censys. 

In addition, Censys found that more than 1,800 of the vulnerable hosts still lack patches for three severe security flaws that Pulse Secure resolved in May 2021, two weeks after warning that CVE-2021-22893 (CVSS score of 10) was being exploited in attacks.

Censys also discovered hundreds of Pulse Connect Secure appliances that were still affected by other severe vulnerabilities including CVE-2018-5299 (CVSS score of 9.8), CVE-2018-6320 (CVSS score of 9.8), CVE-2019-11510 (CVSS score of 10), and CVE-2019-11540 (CVSS score of 9.8). 

According to the Censys report's breakdown by country (top 20), the United States has the largest number of Pulse Connect installations with 8,575 hosts, though just 12% of those hosts lack security fixes. Japan holds second position with 3,000 hosts (700 vulnerable), followed by the UK and Germany, both with slightly over 1,700 hosts (155 and 134 vulnerable, respectively).

Evolution of Malware and Its Ever-Expanding Landscape

 

Whether you are a large corporation or just a regular user, the internet can be a dangerous place. And although digital technologies offer new opportunities, fraudsters are becoming increasingly skilled at exploiting them.

CrowdStrike's 2022 Global Threat Report indicates that there were 82% more ransomware-related data breaches in 2017 than in 2016. Iranian state-backed hackers were recently found to have spied on people using phony VPN apps. Phishing operations are frequently an easier way to strike, like the recent one that targeted shoppers over Black Friday.

All of these assaults have one thing in common: malicious software that is able to get past one or more devices' security measures and harm the users of those devices. That is what is referred to as malware in technical lingo. 

You might be tempted to believe that all you need to do to protect your data is download one of the top antivirus programmes. However, the reality of truly safeguarding your device from infection is more complicated.

Because malware can take many different forms, your security strategy must also be varied. A simple mix of protection software is not the best defence against malware, either. Before you can defeat an adversary, you must understand it. Knowledge and safety measures are the first lines of defence! 

Most Typical Forms of Malware 

Ransomware: When it infects a device, it encrypts the data and systems of the users, making it impossible to access them until a ransom is paid. It frequently spreads through malicious files, and it typically targets companies rather than individuals. 

Spyware: As its name implies, this category of software gathers information by secretly monitoring users. Keyloggers, for instance, are a type of spyware that records user keystrokes. Spyware frequently reaches devices through both fraudulent and legitimate apps.

Trojans: These are programmes that appear to be trustworthy while secretly carrying out malicious attacks on users' systems. They can be discovered in a variety of software programmes, such as games or other well-known apps, as well as an attachment to a malicious email. 

Mitigation Tips 

Because there are many different types of malware on the internet that behave differently, an effective defence needs to be varied to protect your device from all potential threats. Here are some recommendations you might want to adopt on a regular basis.

Use a reliable antivirus 

It goes without saying that every user should have a trustworthy antivirus programme installed on their devices, including antivirus for Mac, because it checks that files and programmes are clean of malware before installation. You may schedule routine scans and adjust monitoring settings based on your requirements. Just be aware that some malware may manage to evade detection.

Maintain software updates 

Cybercriminals frequently launch attacks using OS and app vulnerabilities. To reduce the risk, it is crucial to keep your system and software updated. Enable automatic updates so that you don't miss any.

Frequently backup your data 

We talked about the risk that cyberattacks like ransomware or file-wiper software pose to your data. While the latter instantly delete all the content on your device, the former frequently prevents you from regaining control of your data even after you agree to pay. Therefore, the best line of defence in case you become targeted is to periodically back up your contents on an external hard drive or encrypted cloud storage. 

Pay attention to warning signs 

Malware may infiltrate your device even if you take precautions and download the proper protection software. In these situations, your chances of reducing the hazards increase with the speed of your response. To find a cure for any sickness, you must pay close attention to the symptoms. These include emails that are sent without your knowledge, your device stalling or crashing, programmes running on their own, an unexpectedly full hard disc, and more.

VPN: Should Users Leave Their VPN Turned On?


We have all had the experience of strangers peeking at our phone screens on the bus to work or school. Similarly, someone can peek into your browser traffic, and exposure to all forms of cyberattack is now a common phenomenon online.

However, with the aid of a Virtual Private Network (VPN), the user's internet connection is secured, preventing unauthorized access to their data and other online activity. So why should you keep your VPN active? And are there situations that require turning it off?

Why should users leave their VPN turned on?

VPN users are often perplexed about whether they should leave their VPN turned on or off. Most online users prioritize their data security and anonymity and consequently prefer to leave their VPN on. But VPNs have their drawbacks too, including potential time lags, depending on the service being used. Here are some factors to consider if you are unsure whether to leave your VPN on.

Browse the Internet Privately

Some people may not understand why a VPN is needed to stay off the grid, since all devices come with an incognito mode that they believe has the same function. It does not: incognito mode only protects you from someone who has access to your device. A VPN protects you from observers on the network as well, because your online activity is encrypted while it is in use.

By encrypting data, VPNs take it up a notch by preserving your online anonymity and enabling you to access the internet more freely and privately.

Protect Your Information from Hackers

One of the benefits of using a VPN is that it protects the user from potential vulnerabilities lurking across the internet. Hackers work in a variety of ways to gain unauthorized access to sensitive user data or personal information, which could let them access victims' bank accounts, credit cards, and more.

Bypass Geo-Restrictions on Content

Geoblocking is a tool services use to restrict access to content in certain geographic locations. Turning the VPN off exposes the user's real location and consequently restricts the content; with a VPN on, one can bypass these restrictions.

When Should You Turn Off Your VPN?

A VPN serves as a significant tool to combat cyberattacks and keep users' private data anonymous. Despite the many benefits, there are instances when a user needs to turn their VPN off.

To Increase Internet Speed

One of the major benefits of using a VPN mentioned earlier is that it encrypts the user’s online presence. But this process takes time. The amount of time that a VPN utilizes in order to encrypt user data could negatively impact one's online experiences. Users may also face a longer wait for a page to load.

To Prevent Fast Battery Drain

The choice of VPN can further impact a device's battery life. Usually, VPNs use about as much battery as other applications on iOS and Android devices, but some take a bigger chunk than others.

Naturally, every mobile device is unique, and the exact battery usage depends on several variables. These include the level of VPN encryption, mobile coverage, and whether or not the VPN runs in the background at all times.

To Reduce Data Consumption

A VPN adds protocol overhead to every packet, so it consumes somewhat more data than the same traffic sent without it. If a user is on a limited data plan, turning the VPN off for heavy, low-sensitivity activities such as streaming music or downloading large files saves data, at the cost of exposing that traffic to the network.

To Avoid Geo Location Illegality

Not everyone supports VPNs. A technique called VPN blocking was created specifically to hinder VPN use. Some countries, such as Iraq, Turkey, Russia and China, use VPN blocking to control what their citizens can access. There is no rulebook for which content gets blocked; it depends on the location.

In countries that ban the use of VPNs, there are heavy penalties for anyone caught using one. Users could be fined as much as $5,000, and they should not expect their VPN provider to help them out.

Should you use a VPN?

A VPN is an important security tool when using the internet. It builds an encrypted tunnel between your device and the VPN server; everything you send travels through that tunnel, so your ISP and the local network see only encrypted traffic to the VPN server, and the sites you visit see the server's address instead of yours. Keep in mind that the VPN provider itself sits at the far end of the tunnel and can see your traffic, so choosing a trustworthy provider matters.

There are advantages and drawbacks to staying connected via a VPN. Assess why you need one and whether the disadvantages affect you disproportionately. Whether you leave your VPN on or off, what matters most is that you browse safely.


Kill Switch: Your VPN is Useless Without This Essential Security Feature

 

A kill switch has turned out to be an essential security feature for a VPN. If your virtual private network does not have one, it is worth looking for a new VPN provider.

If the VPN connection drops for any reason, a kill switch immediately blocks the device's internet connection. It thus plays a crucial security role: it ensures that user data does not leak outside the VPN tunnel or reach the network unencrypted, which can be dangerous in many situations.

With a VPN, the user's internet traffic is routed over an encrypted tunnel to a server at a location of the user's choice.

The user's public IP address, as seen by the sites they visit, becomes that of the server they are connected to. This not only allows access to geo-restricted content but also hides the user's real IP address and traffic from the ISP, government agencies, threat actors and anyone else who might pose a threat to their online data.

Why do VPN disconnections occur? 


Since no technology is error-free, even the best VPNs have connection drops from time to time. VPN disconnections happen for several reasons, some of which are listed below:

• The user is on a weak or congested Wi-Fi connection, such as a public hotspot in a coffee shop, hotel or airport.
• The user switches to a different Wi-Fi network, or from Wi-Fi to mobile data.
• The computer goes to sleep.
• An antivirus program or firewall on the computer interferes with the VPN connection (in this case, add the VPN software to its allow list).
• The user jumps between VPN servers, or switches servers so often that they exceed the provider's concurrent connection limit.
• The user is on the OpenVPN UDP protocol, which drops more readily on lossy or restrictive networks than OpenVPN over TCP (switch to TCP if you notice your VPN dropping).
• The VPN server they are connecting to is down.
• The VPN app crashes.

What if your VPN disconnects without a kill switch? 


If a user's VPN disconnects and no kill switch is enabled, the internet connection stays active, exposing the user's true IP address and web traffic for as long as the disconnection lasts, since that traffic now travels unencrypted.

As a result, the user's online activity is exposed, compromising any sensitive data they were accessing while connected to the VPN. The exposed IP address can also reveal the user's true location.

This is a problem both for users relying on a VPN to reach geographically restricted content and for professionals who use a VPN for serious privacy needs. A kill switch reduces the risk of such situations.


How does a VPN kill switch operate?


When enabled, a VPN kill switch continuously monitors the VPN connection, watching for a change in the device's IP address or in the status of the network. If it detects either, it engages instantly and blocks the internet connection. Better implementations work at the firewall level, so that only traffic through the VPN interface (plus the VPN client's own connection to its server) is ever allowed, rather than reacting after a leak has already started.

After the user reconnects to the VPN, or the tunnel re-establishes automatically, the kill switch allows the internet to reconnect while continuing to monitor the VPN connection.
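A concrete way to get the firewall-level behaviour described above, as an added example rather than code from this post or from any VPN vendor: a Linux kill switch expressed as an nftables ruleset. Instead of watching for a dropped tunnel and reacting, it only ever allows loopback traffic, traffic inside the tunnel interface, the VPN client's own encrypted connection to the VPN server, DHCP and IPv6 neighbour discovery, so a dropped tunnel leaves nothing that can leak. The server address 203.0.113.10, port 1194/udp and interface name tun0 are assumed placeholder values; substitute your provider's.

```python
"""Firewall-level VPN kill switch for Linux, generated as an nftables ruleset.

Added example: builds a ruleset that drops everything except loopback,
traffic inside the VPN tunnel interface, and the VPN client's own encrypted
connection to the VPN server, for both IPv4 and IPv6 (inet family).
"""
import ipaddress
import os
import shutil
import subprocess


def killswitch_ruleset(vpn_server: str, vpn_port: int, proto: str = "udp",
                       tun_if: str = "tun0", table: str = "vpn_killswitch") -> str:
    """Return nftables text implementing the kill switch.

    Raises ValueError for a malformed server address, port or protocol, so a
    typo cannot silently produce a rule that lets the wrong traffic through.
    Inbound services on the device are blocked too; add accept rules if needed.
    """
    addr = ipaddress.ip_address(vpn_server)          # ValueError if not an IP
    if not 1 <= vpn_port <= 65535:
        raise ValueError(f"port out of range: {vpn_port}")
    if proto not in ("udp", "tcp"):
        raise ValueError(f"unsupported protocol: {proto}")
    fam = "ip" if addr.version == 4 else "ip6"
    # 'table ...' followed by 'delete table ...' makes the load idempotent: nft
    # creates the table if it is missing, deletes it, then recreates it below.
    return f"""\
table inet {table}
delete table inet {table}
table inet {table} {{
  chain output {{
    type filter hook output priority 0; policy drop;
    oifname "lo" accept
    oifname "{tun_if}" accept
    {fam} daddr {addr} {proto} dport {vpn_port} accept
    udp dport {{ 67, 547 }} accept
    icmpv6 type {{ nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit }} accept
  }}
  chain input {{
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    iifname "{tun_if}" accept
    ct state established,related accept
    icmpv6 type {{ nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert }} accept
  }}
}}
"""


def apply_ruleset(ruleset: str) -> None:
    """Load the ruleset with nft(8). Needs root and nftables; never run by tests."""
    nft = shutil.which("nft")
    if nft is None:
        raise FileNotFoundError("nft(8) is not installed")
    if os.geteuid() != 0:
        raise PermissionError("loading firewall rules requires root")
    subprocess.run([nft, "-f", "-"], input=ruleset.encode(), check=True)


if __name__ == "__main__":
    # Assumed placeholder endpoint; replace with your provider's server and port.
    print(killswitch_ruleset("203.0.113.10", 1194, "udp", "tun0"))
```

Run it as `python3 killswitch.py | sudo nft -f -` to load the rules, and `sudo nft delete table inet vpn_killswitch` to remove them. Because DNS on the physical interface is dropped along with everything else, the rules also close the common DNS-leak path.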

Ransomware Exposed Stolen Data From Cisco on Dark Web

The Yanluowang ransomware gang has published data stolen from Cisco Systems on the dark web, and following the leak Cisco confirmed that the data was taken from its network during an intrusion that took place in May.

An investigation by Cisco Security Incident Response (CSIRT) found that the attackers took control of an employee's personal Google account, in which Cisco credentials saved in the browser were being synchronized. With those credentials in hand, the threat actors launched voice-phishing calls designed to lure the targeted employee into accepting an MFA push notification.

In a report published in August, Cisco revealed that its network had been infiltrated by the Yanluowang gang after the attackers gained access to an employee's VPN account. The company stated that the only information taken was employee login information from Active Directory and non-sensitive files stored in a Box folder.

Once the threat actors had the employee's Cisco credentials, they used social engineering and other techniques to get past multi-factor authentication (MFA) and gather more data.

After gaining initial access, the hackers enrolled a series of new devices for MFA, authenticated successfully to the Cisco VPN, and dropped multiple tools into the network, including legitimate remote-access tools such as LogMeIn and TeamViewer and offensive tooling such as Cobalt Strike, PowerSploit, Mimikatz and Impacket, according to Security Affairs.

Over the weekend, Cisco said in an update that "the content of these files matched what we have detected and released.  We continue to see no effect on the business, including Cisco goods or services, confidential customer data or sensitive employee data, copyrights, or supply chain activities, which is consistent with our previous examination of this incident."

The researchers at the cybersecurity firm eSentire linked Yanluowang with "Evil Corp" (UNC2165), the Lapsus$ gang, and FiveHands malware (UNC2447).

The initial access to the Cisco VPN came through the hacked Google account of an employee who had enabled password synchronization in Google Chrome and saved their Cisco credentials in the browser.

The leader of the Yanluowang gang told BleepingComputer that they had stolen thousands of files totaling 55GB, including sensitive technical schematics and source code. They offered no evidence beyond a screenshot showing access to what appeared to be a development system.

Erich Kron, security awareness advocate at security awareness training company KnowBe4, suggests it goes without saying that Cisco declined to pay the ransom demanded by the group, which resulted in the stolen data being posted.


Over 130 Organizations Targeted in Okta Phishing Campaign

In a single phishing campaign, the hackers behind a number of recent attacks, including those on Twilio, Cloudflare, MailChimp and Klaviyo, infiltrated over 130 organizations.

Through this campaign, 9,931 login credentials were stolen using a phishing kit codenamed "0ktapus", which the attackers then used to log into corporate networks and systems via VPNs and other remote-access tools.

Group-IB, which documented the campaign, says its primary intent was to "get Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations."

The Singapore-based company said the adversary sought out employees of businesses that use Okta, a provider of identity services, and described the attacks as well planned and executed. Okta's identity-as-a-service (IDaaS) platform lets employees reach all of their company's software with a single login, which is precisely what makes those credentials so valuable.

The 0ktapus campaign was supported by 169 distinct phishing domains, many of them containing the strings "OKTA", "HELP", "VPN" or "SSO".

In addition, customers of the breached services, such as Signal and DigitalOcean, became the targets of follow-on supply-chain attacks.

Judging by the phishing domains built as part of the campaign, the threat actors targeted businesses in a variety of sectors, including cryptocurrency, technology, banking and recruiting.

The stolen credentials were then used to log into internal customer-support systems, corporate networks and VPNs in order to steal customer data. As seen with DigitalOcean and Signal, that customer data was used to carry out subsequent supply-chain attacks.

The phishing kit sent the harvested data to a Telegram channel. Researchers linked one of the channel's administrators, who went by the handle "X", to Twitter and GitHub accounts, suggesting the person may be based in North Carolina, US.

Revelations from previous victims show that the threat actors frequently targeted data belonging to organizations in the cryptocurrency industry.

According to Group-IB, the attackers stole 9,931 records with user credentials, 3,129 records with email addresses and 5,441 records with MFA codes from 136 businesses, most of them based in the United States.



Cyble: Over 9,000 VNC Sessions Without a Password Found

At least 9,000 internet-exposed Virtual Network Computing (VNC) endpoints were found to require no password at all, giving anyone who connects a view of, and control over, the system behind them.

VNC is a platform-independent system that lets users view and control another computer remotely; most deployments have only limited monitoring and access controls. Anyone who reaches an unprotected VNC endpoint therefore gains access to the underlying system.

If they are not secured with a password, which is frequently the result of neglect, error or a decision made for convenience, these endpoints become entry points for unauthorized users, including attackers with malicious intent.

As the researchers note, the risk posed by each exposed VNC depends on the kind of system it controls. Some were found to be in charge of a municipality's water control systems, which is quite serious.

Research Analysis 

Cyble's security researchers found over 9,000 exposed servers when they searched the web for internet-facing VNC instances without passwords. China and Sweden host the majority of the exposed instances, while the United States, Spain and Brazil round out the top five with sizable numbers of unprotected VNCs.

Some of these open VNC instances belonged to industrial control systems, which should never be reachable from the Internet, which only made the situation worse, according to Cyble. In one of the examined cases, the open VNC session led to an HMI for controlling pumps on a remote SCADA system at an unnamed manufacturing facility.

Cyble also used its intelligence systems to watch for attacks on port 5900, the default VNC port, to assess how frequently attackers target these servers. In a single month, Cyble counted more than six million requests, most of them originating from the Netherlands, Russia and the United States.

On hacker forums there is a large market for access to important networks via exposed or compromised VNCs, because this kind of access can be used for deeper network intrusion. In other cases, forum posts explain how to actively scan for and find these vulnerable instances.

A post on a darknet forum seen by Bleeping Computer presents a long list of exposed VNC instances with very weak or no passwords.

It is also worth remembering that classic VNC authentication truncates passwords to eight characters (its DES-based challenge-response uses only the first eight bytes), so even a password-protected server is weak, and the session itself is unencrypted unless it is tunneled.

VNC servers should never be exposed directly to the Internet; if they must be reached remotely, put them behind a VPN (or an SSH tunnel) so that access to the server is both authenticated and encrypted.
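The "no password" condition above is visible in the first two messages of the RFB protocol that VNC speaks, so it can be checked without ever logging in. The following is an added example, not Cyble's scanner nor code from any VNC project: it parses the server's version banner and its list of offered security types, flags type 1 ("None") as an open server, and notes the eight-byte password limit of classic VNC Authentication. The byte strings in the demo are constructed, not captured from a real host; probe() does the same exchange over a real socket.

```python
"""Added example: tell from the RFB handshake whether a VNC server will let a
client in without a password.

Parses the two server messages at the start of an RFB (VNC) session: the
12-byte version string and the list of offered security types. Type 1 is
"None" (no authentication). Constructed byte strings stand in for live
servers; probe() does the same exchange over a real socket.
"""
import socket
import struct

SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 17: "Ultra", 18: "TLS", 19: "VeNCrypt", 30: "Apple Remote Desktop",
}


def parse_version(banner: bytes):
    """b'RFB 003.008\\n' -> (3, 8). Raises ValueError on anything else."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError(f"not an RFB banner: {banner!r}")
    return int(banner[4:7]), int(banner[8:11])


def parse_security_offer(version, payload: bytes):
    """Return the list of security types the server offers.

    RFB 3.3 sends a single big-endian u32; 3.7+ sends a u8 count followed by
    that many u8 types. A count of 0 means the server refused and follows
    with a u32 reason length and the reason text.
    """
    if version <= (3, 3):
        if len(payload) < 4:
            raise ValueError("short 3.3 security message")
        return [struct.unpack(">I", payload[:4])[0]]
    if not payload:
        raise ValueError("empty security message")
    count = payload[0]
    if count == 0:
        (reason_len,) = struct.unpack(">I", payload[1:5])
        reason = payload[5:5 + reason_len].decode("latin-1", errors="replace")
        raise ConnectionError(f"server refused connection: {reason}")
    types = list(payload[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security type list")
    return types


def assess(types):
    """Classify the offer. 'None' anywhere in the list means an open server:
    the client picks the type, so the weakest one offered is what matters."""
    names = [SECURITY_TYPES.get(t, f"unknown({t})") for t in types]
    if 1 in types:
        return "OPEN", names                 # no password needed at all
    if types == [2]:
        # Classic VNC Auth: DES challenge keyed by the first 8 password bytes,
        # over a cleartext session. Better than nothing, but weak.
        return "WEAK", names
    return "REVIEW", names


def probe(host: str, port: int = 5900, timeout: float = 5.0):
    """Live check against a real server (needs network; not used by tests)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        version = parse_version(banner)
        s.sendall(banner)                    # echo the server's version back
        return assess(parse_security_offer(version, s.recv(256)))


if __name__ == "__main__":
    # Constructed handshakes, not captures from any real host.
    open_server = (b"RFB 003.008\n", bytes([2, 1, 2]))      # offers None and VNC Auth
    pw_server = (b"RFB 003.008\n", bytes([1, 2]))           # VNC Auth only
    old_open = (b"RFB 003.003\n", struct.pack(">I", 1))     # 3.3 server, type None
    for banner, payload in (open_server, pw_server, old_open):
        print(banner.strip().decode(),
              assess(parse_security_offer(parse_version(banner), payload)))
```

Only run probe() against hosts you are authorized to test; reading the security offer sends nothing but the version echo, but it is still a connection to someone's server.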

Ransomware Gang Hacks Cisco

The Yanluowang ransomware organization broke into Cisco's business network in late May and stole internal data, the company said in a statement.

The attackers compromised a Cisco employee's credentials after taking over a personal Google account to which credentials saved in the victim's browser were being synced, according to an investigation by Cisco Security Incident Response (CSIRT) and Cisco Talos.

Cisco says the attacker targeted one of its employees and succeeded only in stealing files from a Box folder linked to that employee's account and employee authentication data from Active Directory. According to the company, the data kept in the Box folder was not sensitive.

The Yanluowang threat actors hijacked the employee's personal Google account, which contained credentials synchronized from their browser, and used those credentials to enter Cisco's network.

Through MFA fatigue (repeated push notifications) and a series of sophisticated voice-phishing calls in which the Yanluowang gang posed as trusted support organizations, the attacker persuaded the Cisco employee to accept a multi-factor authentication (MFA) push.
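The pattern both Cisco write-ups on this page describe (a burst of push prompts to one user, one finally accepted, then new MFA devices enrolled) leaves a clear trace in authentication logs. The following is an added example, not Cisco's or any MFA vendor's code: it runs a detection over constructed log lines in an assumed simple format of timestamp, user, event and outcome. The window, prompt threshold and enrolment grace period are assumptions to tune for your own environment.

```python
"""Added example: detect MFA push fatigue from authentication logs.

Pattern: several push prompts to one user in a short window, then an
approval, optionally followed by a new MFA device enrolment shortly after.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ISO time> <user> <event> <outcome>");
# not real vendor output. alice is being hammered with prompts and finally accepts.
SAMPLE_LOG = """\
2022-05-24T08:30:00Z alice push denied
2022-05-24T09:01:02Z alice push denied
2022-05-24T09:01:40Z alice push timeout
2022-05-24T09:02:15Z alice push denied
2022-05-24T09:03:30Z alice push timeout
2022-05-24T09:05:10Z alice push approved
2022-05-24T09:07:00Z alice device_enrolled -
2022-05-24T10:00:00Z bob push approved
2022-05-24T11:00:00Z carol push denied
2022-05-24T11:03:00Z carol push approved
"""


def parse_log(text):
    """Yield (timestamp, user, event, outcome) tuples; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, outcome = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, outcome


def detect_push_fatigue(text, window=timedelta(minutes=10), min_pushes=4,
                        enrol_grace=timedelta(hours=1)):
    """Return one alert dict per suspicious approval.

    An approval is suspicious when at least `min_pushes` prompts (including
    the approved one) hit the same user within `window`. The alert is upgraded
    if a new MFA device is enrolled within `enrol_grace` of that approval.
    """
    recent = defaultdict(deque)      # user -> timestamps of recent pushes
    alerts = []
    for ts, user, event, outcome in sorted(parse_log(text)):
        if event == "push":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:      # evict prompts outside the window
                q.popleft()
            if outcome == "approved" and len(q) >= min_pushes:
                alerts.append({"user": user, "approved_at": ts,
                               "pushes_in_window": len(q),
                               "new_device_after": False})
        elif event == "device_enrolled":
            for alert in alerts:
                delta = ts - alert["approved_at"]
                if alert["user"] == user and timedelta(0) <= delta <= enrol_grace:
                    alert["new_device_after"] = True
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG):
        print(f"{a['user']}: {a['pushes_in_window']} prompts in window, approved at "
              f"{a['approved_at']:%H:%M:%S}, new device enrolled after: {a['new_device_after']}")
```

The two signals are deliberately kept separate: a burst of prompts ending in an approval is worth a ticket on its own, and a device enrolment right after it is what turns the ticket into an incident.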

Cisco linked the attack to an initial access broker with ties to Lapsus$, the gang that attacked several major corporations before its alleged members were arrested, and to UNC2447, a group with ties to Russia known for using the FiveHands and HelloKitty ransomware. The Yanluowang ransomware group has also been connected to the same initial access broker.

The Yanluowang ransomware group claimed responsibility for the attack and said it had stolen about 3,000 files totaling 2.8GB. Judging by the file names the hackers disclosed, they may have taken NDAs, source code, VPN clients and other data.

The attack did not involve file-encrypting ransomware. After being evicted from Cisco's systems, the hackers did email Cisco executives, but the message contained no explicit threats or ransom demands.


Cloudflare Users Targeted by Hackers that Breached into Twilio


On Tuesday, web infrastructure provider Cloudflare revealed that at least 76 of its employees and their family members had received text messages on personal and work phones that closely resembled the sophisticated phishing campaign against Twilio.

Cloudflare said its systems were not compromised, and that its Cloudforce One threat intelligence team was able to analyze the attack.

Analysts say the systems and staff of several firms are the targets of this sophisticated campaign. Four phone numbers tied to SIM cards issued by T-Mobile were used in the attempt, which occurred around the same time as the Twilio attack and was ultimately unsuccessful.

Cloudflare said the rogue domain was registered via Porkbun under 40 minutes before the wave of more than 100 smishing messages began, and that the phishing page was built to relay the data entered by unwary victims to the attacker via Telegram in real time.

As soon as a recipient entered their credentials on the phishing site, they were forwarded to the attacker over Telegram. The real-time relay mattered because the phishing page also asked for a Time-based One-Time Password (TOTP) code, which is only valid for a short window; with both in hand the attacker could immediately log in at the victim company's real sign-in page.

According to Cloudflare, only three employees clicked the link in the phishing message and submitted their credentials. But the company does not use TOTP codes; its staff authenticate with FIDO2-compliant YubiKey hardware security keys. Because a FIDO2 assertion is bound to the origin of the site that requested it, a relay from a lookalike domain gains the attacker nothing: even with valid credentials they cannot reach company systems without the hardware key, and the key will not sign for the wrong origin.
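Why the relay worked against TOTP in the 0ktapus campaign above but not against Cloudflare's FIDO2 keys can be shown end to end. The following is an added example, not Cloudflare's, Okta's or any FIDO vendor's code. The TOTP half is RFC 6238 exactly (checked against the RFC's own test vector). The FIDO2 half is a simplification: an HMAC with a per-credential secret stands in for the authenticator's private-key signature, because the point being demonstrated is origin binding rather than the signature algorithm, and the registrable-domain logic takes the last two labels instead of the public-suffix-list rules browsers apply. The origins acme.okta.example and acme-okta-help.example are assumed placeholders.

```python
"""Added example: why a relayed TOTP code works for a phisher but a FIDO2
assertion does not.

Models the real-time relay described on this page. The TOTP part is RFC 6238;
the FIDO2 part is simplified (HMAC stands in for the private-key signature)
because the point is origin binding, not the signature algorithm.
"""
import hashlib
import hmac
import json
import os
import struct
import time


# ---------- TOTP (RFC 6238, HMAC-SHA1, 30-second step) ----------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """Accept the current step and one step either side, as most servers do."""
    return any(hmac.compare_digest(totp(secret, unix_time + d), code) for d in (-30, 0, 30))


def relay_totp_phish(secret: bytes, now: int) -> bool:
    """Victim types the code into the phishing page; the attacker forwards it to
    the real site a few seconds later. Returns True if the attacker gets in."""
    code_typed_by_victim = totp(secret, now)                  # read off the victim's app
    return verify_totp(secret, code_typed_by_victim, now + 5)


# ---------- FIDO2/WebAuthn-style origin-bound assertion (simplified) ----------
def registrable_domain(origin: str) -> str:
    """RP ID from an origin. Simplification: last two labels, not the PSL."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]
    return ".".join(host.split(".")[-2:])


class Authenticator:
    """A security key holding one credential per RP ID."""
    def __init__(self):
        self.credentials = {}

    def register(self, rp_id: str) -> bytes:
        key = os.urandom(32)
        self.credentials[rp_id] = key
        return key                      # the RP stores this (stand-in for a public key)

    def sign(self, rp_id: str, client_data: bytes) -> bytes:
        key = self.credentials.get(rp_id)
        if key is None:                 # no credential scoped to this site: refuse
            raise LookupError(f"no credential for rpId {rp_id}")
        return hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()


def browser_get_assertion(auth: Authenticator, page_origin: str, challenge: str):
    """The browser, not the page's JavaScript, fills in the origin and derives the
    RP ID, so a lookalike domain cannot claim to be the real one."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    return client_data, auth.sign(registrable_domain(page_origin), client_data)


def rp_verify(key: bytes, expected_origin: str, challenge: str,
              client_data: bytes, signature: bytes) -> bool:
    data = json.loads(client_data)
    if data.get("origin") != expected_origin or data.get("challenge") != challenge:
        return False
    expected = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


REAL_ORIGIN = "https://acme.okta.example"        # assumed placeholder
PHISH_ORIGIN = "https://acme-okta-help.example"  # assumed lookalike


def fido2_login(auth: Authenticator, key: bytes, page_origin: str) -> bool:
    """One login attempt with the user's browser on `page_origin`. The challenge
    always comes from the real RP, which is exactly what a relay does."""
    challenge = os.urandom(16).hex()
    try:
        client_data, sig = browser_get_assertion(auth, page_origin, challenge)
    except LookupError:
        return False                     # the key has nothing scoped to this site
    return rp_verify(key, REAL_ORIGIN, challenge, client_data, sig)


if __name__ == "__main__":
    seed = b"12345678901234567890"       # RFC 6238 test secret
    print("TOTP relay succeeds:", relay_totp_phish(seed, int(time.time())))
    key_device = Authenticator()
    rp_key = key_device.register(registrable_domain(REAL_ORIGIN))
    print("FIDO2 legit login:", fido2_login(key_device, rp_key, REAL_ORIGIN))
    print("FIDO2 via phishing page:", fido2_login(key_device, rp_key, PHISH_ORIGIN))
```

Two independent checks stop the relay: the authenticator has no credential scoped to the lookalike domain, and even a signed assertion carries the page's real origin, which the relying party compares against its own.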

Cloudflare also disclosed that, after the credentials were entered on the phishing pages, AnyDesk remote-access software was immediately pushed to the victims' machines, which would have let the attackers take remote control of those systems had it been installed.

The company stated that it reset the affected employees' passwords and tightened its access policy to block logins from unrecognized VPNs, residential proxies and infrastructure providers, in addition to working with DigitalOcean to shut down the attacker's server.



Kaspersky VPN Secure Connection Vulnerability Discovered

Kaspersky's VPN Secure Connection for Microsoft Windows has a local privilege-escalation (LPE) vulnerability that could allow an already-authenticated attacker to gain administrative privileges and potentially take full control of a victim's machine.

Researchers disagree over the severity of the bug, which is tracked as CVE-2022-27535. A Synopsys advisory rates it high severity with a CVSS score of 7.8 out of 10, while Kaspersky rates it moderate at 5.0.

In either case, the flaw sits in the app's Support Tools component and lets an authenticated local user delete any file on the system with the highest privilege level in Windows.

The Kaspersky team has fixed the flaw, which allowed an authenticated attacker to trigger arbitrary file deletion on the host. That can cause device malfunction or remove system files needed for proper operation, and arbitrary file deletion by a privileged component is a well-known stepping stone to full privilege escalation.

To carry out the attack, an attacker needed to create a specially crafted file and persuade the user to use the product's 'Delete all service data and reports' or 'Save report on your computer' features.

Kaspersky has addressed the problem; users should upgrade to version 21.6 or later to patch their systems.


QNAP NAS servers attacked by Checkmate ransomware

 

Taiwanese vendor QNAP has warned of a new ransomware strain known as Checkmate; early research suggests it targets NAS devices whose SMB service is exposed to the internet. SMB is the file-sharing protocol that lets devices on a network access each other's files.

Objectives: 

The ransomware appends the .checkmate extension to the files it encrypts and drops a ransom note named !CHECKMATE DECRYPTION README on the compromised devices.

According to a BleepingComputer report, some forum users reported Checkmate infections in June. The attackers demand $15,000 worth of bitcoin from each victim for a decryptor and a decryption key.

According to QNAP, the actors behind this campaign use accounts cracked through dictionary attacks to log in remotely to devices that are exposed to remote access. Once in, they begin encrypting files in shared folders, although victims report that all of their data was encrypted.

Resist ransomware threats 

QNAP advised users to reach their NAS through VPN software rather than exposing it to the Internet, to reduce the attack surface and stop attackers from attempting logins with cracked credentials.

Additionally, QNAP users were instructed to review all of their NAS accounts right away, make sure they use strong passwords, back up their files, and regularly create backup snapshots in case their data needs to be restored.

Disabling SMB 1 
  • Visit QTS, QuTS hero, or QuTScloud and log in. 
  • Go to Win/Mac/NFS/WebDAV > Microsoft Networking under Control Panel > Network & File.
  • Then select Advanced Options. 
  • The window for Advanced Options appears. 
  • Select SMB 2 or higher next to the Lowest SMB version. 

QTS, QuTS hero, or QuTScloud updates 
  • Log in to QTS, QuTS hero, or QuTScloud as an administrator.
  • Go to System > Firmware Update in the Control Panel. 
  • Click Check for Update under Live Update. 

QTS, QuTS hero, or QuTScloud then downloads and installs the most recent update. Separately, QNAP stated last month that it is "thoroughly investigating" a recent wave of attacks that began in early June and aim to spread the DeadBolt ransomware.

Over the past two years, a series of ransomware campaigns has targeted QNAP NAS users, leading the vendor to publish several alerts and urgent updates, and even to push updates to end-of-life hardware.

Researchers: Wi-Fi Probe Requests Leak User Data

 

A team of academic researchers from the University of Hamburg in Germany has found that the Wi-Fi probe requests sent by mobile devices expose identifiable information about their owners.

Mobile devices broadcast probe requests to discover nearby Wi-Fi access points and use the probe responses they receive to connect. According to the researchers, attackers able to sniff wireless traffic can use these probe requests to track and identify devices, as well as to determine their position.

They found that nearly a quarter of probe requests contain the Service Set Identifiers (SSIDs) of previously connected networks, which can be exploited to reveal home addresses or visited places. The researchers also note that probe requests can be used to trilaterate a device's position with an accuracy of up to 1.5 metres, or to "trace the movement of a device to effectively monitor its owner."

“This is in fact employed in 23% of the stores already. Companies and cities that conduct Wi-Fi tracking take the legal position that only the MAC address contained in probe requests is considered personal data according to GDPR Article 4(1), which protects personal data from unlawful collection and processing,” the researchers stated in their paper. 

Experiment findings:

According to the academics, the data gathered in a November 2021 experiment analyzing probe requests is sufficient to deem these requests personal data, based solely on the SSIDs from the devices' preferred network lists (PNLs) that they carry.

As part of the trial, the researchers went to a pedestrian area in a German city and recorded probe requests three times within one hour using six off-the-shelf antennas. SSIDs were found in 23.2 per cent of the 252,242 requests captured.

The researchers also determined that some of the probe requests containing SSIDs revealed password data, and that around 20% of the transmitted SSIDs appeared to be typos of the genuine SSID. The probe requests also revealed 106 distinct first and/or last names, three email addresses, the SSIDs of 92 distinct holiday homes or lodgings, and the name of a nearby hospital.

The academics ran all SSIDs through WiGLE's geolocation lookup API, which allowed them to locate the actual networks to within roughly a 1-kilometre radius.
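Extracting the SSID from a probe request is a matter of walking the frame's tagged information elements, and the "share of requests carrying an SSID" figure above falls straight out of that. The following is an added example, not the Hamburg team's tooling: it parses minimal 802.11 probe requests (no radiotap header, no FCS, as a monitor-mode capture would be delivered after stripping them), reports whether each frame is a wildcard probe or names a network, flags randomized MACs, and summarizes a small constructed capture. All MAC addresses and SSIDs are made up.

```python
"""Added example: pull SSIDs out of 802.11 probe requests and summarize how
many frames leak a preferred network name.

Frames are constructed here (no FCS, no radiotap header); a real capture
would come from a monitor-mode interface. MACs and SSIDs are invented.
"""
import struct
from collections import defaultdict

PROBE_REQ_FC0 = 0x40   # frame control byte 0: type=management(0), subtype=probe request(4)
TAG_SSID = 0
TAG_RATES = 1


def build_probe_request(src_mac: bytes, ssid: bytes, seq: int = 0) -> bytes:
    """Construct a minimal probe request (demo input only)."""
    broadcast = b"\xff" * 6
    header = (bytes([PROBE_REQ_FC0, 0]) + b"\x00\x00"        # frame control, duration
              + broadcast + src_mac + broadcast              # addr1 (DA), addr2 (SA), addr3 (BSSID)
              + struct.pack("<H", seq << 4))                 # sequence control
    ies = bytes([TAG_SSID, len(ssid)]) + ssid + bytes([TAG_RATES, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + ies


def parse_probe_request(frame: bytes):
    """Return {src, ssid, wildcard, randomized_mac}, or None if not a probe request."""
    if len(frame) < 24 or (frame[0] & 0xFC) != PROBE_REQ_FC0:
        return None
    src = frame[10:16]                      # addr2 = transmitter address
    ssid = None
    body = frame[24:]
    i = 0
    while i + 2 <= len(body):               # walk the tagged information elements
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break                           # truncated IE: stop rather than misparse
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", errors="replace")
        i += 2 + length
    return {
        "src": ":".join(f"{b:02x}" for b in src),
        "ssid": ssid,
        "wildcard": ssid == "",             # zero-length SSID means "any network"
        # Locally-administered bit set => almost certainly a randomized MAC.
        # Randomization hides the hardware address but not the SSIDs sent with it.
        "randomized_mac": bool(src[0] & 0x02),
    }


def summarize(frames):
    """Count directed probes (non-empty SSID) and group leaked SSIDs by sender."""
    total = directed = 0
    by_device = defaultdict(set)
    for frame in frames:
        info = parse_probe_request(frame)
        if info is None:
            continue
        total += 1
        if info["ssid"]:
            directed += 1
            by_device[info["src"]].add(info["ssid"])
    return {"total": total, "directed": directed,
            "directed_share": directed / total if total else 0.0,
            "ssids_by_device": {k: sorted(v) for k, v in by_device.items()}}


# Constructed capture: one device sending wildcard probes, one leaking two networks
# from its preferred network list, and one randomized-MAC device that still leaks a name.
SAMPLE_FRAMES = [
    build_probe_request(bytes.fromhex("001122334455"), b"", seq=1),
    build_probe_request(bytes.fromhex("001122334455"), b"", seq=2),
    build_probe_request(bytes.fromhex("a8bbccddeeff"), b"Hotel-Berlin", seq=7),
    build_probe_request(bytes.fromhex("a8bbccddeeff"), b"Mueller-Home-WLAN", seq=8),
    build_probe_request(bytes.fromhex("7a0000000001"), b"Clinic-Guest", seq=3),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
```

The per-device SSID sets are the privacy problem in one line: a surname, a hotel and a clinic name attached to the same transmitter, regardless of whether that transmitter's MAC is randomized.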

The researchers added, “Considering the wealth of personal and sensitive information we observed in SSID fields, they can constitute identifying information and thus require due consideration. We argue that at least for as long as there are still devices broadcasting SSIDs, probe requests should be considered personal data and not be used for monitoring without legal basis.” 
 

 SideWinder Hackers Have Planted a Bogus Android VPN Program

 

Phishing campaigns linked to the advanced threat actor known as SideWinder included a bogus VPN app for Android smartphones uploaded to the Google Play Store, along with a custom tool that screens victims for more precise targeting. SideWinder is an APT group that has been active since at least 2012 and is thought to be led by an Indian actor with a high level of expertise.

Kaspersky, which noted the group's persistence and clever obfuscation tactics, has attributed over 1,000 cyberattacks to it in the last two years. Its principal targets are organizations in Pakistan, China, Nepal and Afghanistan.

The threat actor uses spear-phishing emails to deliver malicious ZIP archives containing RTF or LNK files that fetch an HTML Application (HTA) payload from a remote server. The adversary runs a fairly large infrastructure of over 92 IP addresses, used mostly for phishing, and hundreds of domains and subdomains that serve as command-and-control servers.

SideWinder, also known as RattleSnake, Razor Tiger, T-APT-04, APT-C-17 and Hardcore Nationalist, was responsible for a recent phishing campaign that targeted both public and private sector institutions in Pakistan.

Earlier this year, researchers at cybersecurity firm Group-IB discovered a phishing document luring victims with "a formal debate of the impact of the US withdrawal from Afghanistan on maritime security". While the exact purpose of the bogus VPN app is unknown, this is not the first time SideWinder has gotten past Google Play Store checks by publishing malicious apps disguised as utility software.

In January 2020, Trend Micro reported three malicious apps posing as photography and file manager utilities that exploited an Android vulnerability (CVE-2019-2215) to gain root access and abused accessibility service permissions to gather sensitive data.

Polonium Assaults Against Israeli Organizations were Blocked by Microsoft

 

Microsoft said it has blocked a Lebanon-based hacking group known as Polonium from using the OneDrive cloud storage platform for data exfiltration and command and control in attacks on Israeli organizations. The Microsoft Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive applications created by Polonium and notified the affected organizations, in addition to removing the accounts the group had created.

"Across the majority of its victims, this attacker has deployed unique tools that abuse lawful cloud services for command and control (C2)." as per Microsoft's research. "POLONIUM was seen generating and using legal OneDrive accounts, then using those accounts as C2 to carry out part of the offensive operation," says the report. 

Polonium has been seen operating on, or targeting, organizations previously penetrated by the Iran-linked MuddyWater APT (aka MERCURY).

Since February 2022, the group is believed to have breached more than 20 Israeli organizations and one intergovernmental body with operations in Lebanon. Targets included manufacturing, IT, transportation, defense, government, agriculture, finance and healthcare companies; one cloud service provider was compromised in order to reach a downstream aviation company and a law firm in a supply-chain attack.

According to Microsoft, the initial access vector for the vast majority of victims appears to have been unpatched Fortinet FortiOS SSL VPN devices vulnerable to CVE-2018-13379, a critical path traversal flaw that allows theft of login credentials. In November 2020, a hacker disclosed credentials for nearly 50,000 vulnerable Fortinet VPNs, just days after a list of one-line CVE-2018-13379 exploits was made public.

Almost a year later, a list of roughly 500,000 Fortinet VPN credentials supposedly harvested from vulnerable devices was posted online again. The actor's attack chains have used custom tools that rely on legitimate cloud services such as OneDrive and Dropbox accounts for C2, including the tools named CreepyDrive and CreepyBox.

This isn't the first time Iranian-linked threat actors have turned cloud services to their advantage: in October 2021, Cybereason revealed that a group called MalKamak ran an attack campaign using Dropbox for C2 communications to stay under the radar.

MSTIC also noted that several of the victims penetrated by Polonium had previously been targeted by MuddyWater (aka Mercury), which US Cyber Command has described as a "subordinate element" of Iran's MOIS. The victim overlap supports earlier reports that MuddyWater is a "conglomerate" of several teams, similar to Winnti (China) and the Lazarus Group (North Korea).

To combat such risks, customers are encouraged to implement multi-factor authentication and to review and audit partner relationships in order to remove any unnecessary permissions.