Search This Blog

Showing posts with label cybercriminals. Show all posts

 Facebook: Bogus Event Scammers are Targeting Vendors

 

Victims have experienced nothing but worry as a result of a real-world scam that takes the pleasure out of craft fairs. It may sound strange, but it's a common criticism aimed at small/self-employed business owners who sell their own creations. They sell a range of craft-style things similar to those seen on Etsy and Redbubble in large quantities. Putting these products in front of live audiences at an event will almost certainly increase sales. 

Vendor fraud denotes misdeeds executed on a company's accounts payable (AP) for financial gain by vendors, or an employee. It's a type of scam that includes misrepresenting a vendor's or recipient's account details in AP to reroute payments.

How does this bogus vendor fair operate?

Regardless of location, the mainstream follows a consistent pattern. 
  • The imposters create completely new Facebook accounts and frequently use the same name on many accounts. 
  • They collect information from potential fair exhibitors via multiple web forms wherein name, address, description of sold things, business name, and phone number are all requested. 
  • Payment inquiries are made at this point. The recovery of funds might range from "fairly easy" to "total disaster" depending on the payment type.

How are the victims selected? 

Before claiming why an event is taking place nearby, the fraudsters use the seller's own public information against them, indicating the seller's location or even the types of products sold. The most intriguing aspect of it all is that fake fair frauds aren't an unusual occurrence. It's a legitimate sub-industry populated by devoted con artists. 

For example, false payments — in a payment scheme, the fraudster and employee can create a fictitious vendor (shell company) or manipulate an actual vendor's account to reflect their information. 

Changes to existing checks or the creation of unauthorized checks are examples of check changes. An employee takes checks from a vendor, alters the beneficiary, or forges the vendor's signature, and deposits the monies into an account of their choosing. 

Overbilling — When dealing with large numbers, a vendor expands invoices by adding extra goods or services to invoices raised to your organization. 

Vendor Fraud Classification 
  • Billing Fraud: Employees might manipulate payments in two ways. It can entail creating a fake vendor or generating duplicate payments using a genuine vendor's account. 
  • Fictitious Vendor - An employee with sufficient authority and access creates a fictitious vendor account or a shell corporation, registers it as a vendor, and makes regular payments to it. 
  • Duplicate Payments - An employee impersonates a legitimate vendor, manipulates payment data, and makes duplicate payments on a vendor's invoice. 
  • Check Manipulation: An employee falsifying or altering information on a vendor's check to redirect funds to a personal bank account. 
  • Bribery Acceptance: This sort of fraud is the outcome of an agreement between a vendor and an employee, in which the employee receives personal remittances from the seller in exchange for more advantages or sales.
  • Excess Billing: When a vendor invoices the company for excess quantities/prices than what was previously agreed upon, it is referred to as overbilling. 
  • Price fixing: Two sellers work together to fix prices at greater than normal levels.
  • Bid rigging: A form of fraud that involves collaboration between two or more vendors and workers to secure a procurement contract in favor of the highest bidder.
  • Cyber fraud: Vendor fraud cases are conducted by unknown, unauthorized personnel with no link to either the company or the vendor, making them the most difficult to identify. 

Indicators of threat 

For customers: the seller claims to be unavailable (for example, because they are traveling or have relocated to another country) and demands money before arranging for delivery of the items. They must pay the seller using foreign money transfers, checks, or direct bank transfers. They may receive a forged email receipt from the website's secure payment provider.

For vendors: Even if one is selling an expensive item like a car, the potential buyer is willing to buy your item without seeing it in person. The goods are widely available in the customer's native country, and a possible overseas buyer might be interested in purchasing them (e.g. a car or a couch). The cost of shipping frequently outweighs the cost of the item. 

Measures

Facebook posts without a location tag are an attempt to remain anonymous. Methods of Invoice Matching, Using Data Mining, Methodologies Establishing a fraud helpline might allow staff to report problems without fear of repercussions.

Vendor fraud can have a significant financial impact on a company, it can be avoided by properly developing, evaluating, and updating corporate rules regularly. 

345,000 People are Affected by a Data Breach at ARcare

 

ARcare announced a data breach after an unauthorized party acquired access to sensitive information stored on the company's computer servers. The names, dates of birth, financial account information, and Social Security numbers of some people were exposed as a result of the incident.

ARcare sent out data breach notices to those whose information was compromised on April 25, 2022. The Arcare breach, according to the US Department of Health and Human Services, affected 345353 people. 

ARcare, a community health clinic in Augusta, Arkansas, offers services such as chronic disease management, behavioral health, and HIV treatment. The healthcare provider discovered the personal information about individuals had been exposed on April 4 and began notifying potentially affected individuals and regulators on April 25. 345,353 people may have been infected, according to the US Department of Health and Human Services (HSS). 

ARcare learnt about a data security incident affecting its software system on February 24, 2022, according to an official document filed by the business. As a result, the corporation took steps to secure its computer systems and initiated an inquiry to discover more about the incident's origin and scale. 

The data breach alert states, "ARcare is examining and updating existing policies and procedures relevant to data protection and security.ARcare is also looking into additional security measures to minimize any risk related to this incident and to better prevent future instances."

ARcare confirmed on March 14, 2022, how an unauthorized entity had gained access to and perhaps removed sensitive data from the ARcare network. Between January 18, 2022, and February 24, 2022, an unauthorized entity got access to the system.

Emotet is Evolving with Different Delivery Methods

 

Emotet is a well-known botnet and trojan which distributes follow-on malware via Windows platforms.  After a 10-month pause amid a coordinated law enforcement operation to take down its assault infrastructure, Emotet, the work of a cybercrime organization known as TA542 (formerly known as Mummy Spider or Gold Crestwood), marked its comeback late last year. 

Since then, Emotet campaigns have sent tens of thousands of messages to thousands of clients across many geographic regions, with message volumes exceeding one million in some situations. The threat actor behind the popular Emotet botnet is experimenting with new attack methods on a small scale before incorporating them into larger-scale spam campaigns, possibly in response to Microsoft's decision to deactivate Visual Basic for Applications (VBA) macros by default across all of its products.

According to analysts, the malicious actors behind Emotet, TA542, are experimenting with new approaches on a micro level before deploying them on a larger scale. The current wave of attacks is claimed to have occurred between April 4 and April 19, 2022, when prior large-scale Emotet campaigns were halted. 

Researchers from Proofpoint discovered numerous distinguishing characteristics in the campaign, including the usage of OneDrive URLs rather than Emotet's traditional dependence on Microsoft Office attachments or URLs connecting to Office files. Instead of Emotet's previous use of Microsoft Excel or Word documents with VBA or XL4 macros, the campaign employed XLL files, which are a sort of dynamic link library (DLL) file designed to expand the capability of Excel.

Alternatively, these additional TTPs could mean the TA542 is now conducting more targeted and limited-scale attacks in addition to the traditional mass-scale email operations. The lack of macro-enabled Microsoft Excel or Word document attachments is a notable departure from prior Emotet attacks, implying the threat actor is abandoning the tactic to avoid Microsoft's intentions to disable VBA macros by default beginning April 2022. 

The development came after the virus writers addressed an issue last week which prevented potential victims from being compromised when they opened weaponized email attachments.

Security Breach Impacting 2.5 Million Users Revealed by Mortgage Servicer

 

In October, Lakeview Loan Servicing revealed a significant data breach that went unnoticed for more than a month and exposed the personal details of above 2 million customers. Any incident that leads to unauthorized access to data, applications, networks, or devices is referred to as a security breach. As a result, information is accessed without permission. It usually happens when an invader can get past security measures. 

The breach that was discovered in early December, harmed 2,537,261 borrowers between Oct. 27, 2021, and Dec. 7, 2021, as per the firm. According to public notice The letters, an unauthorized person gained access to the firm's servers and data, including names, addresses, loan information, and Social Security numbers. One of the notices described the occurrence as an "external system breach."

Mortgage servicers receive mortgage payments from homeowners and remit them to investors, tax officials, and insurers via escrow accounts. Investors' assets in mortgaged properties are also protected by servicers, who ensure the homeowners have enough insurance coverage. Customers have lodged eight class-action lawsuits in a Florida federal court since the servicer's revelation in mid-March, alleging Lakeview of breach of fiduciary responsibility, among other things, for failing to preserve personally identifiable information. In a complaint filed on behalf of Jennifer Morrill, a California client, Daniel Rosenthal, an advocate with DBR Law, P.A., said, "This PII was exposed due to Defendant's negligent, reckless, and willful acts and failures and the fails to secure the PII of Plaintiff and Class Members." 

According to Morrill's lawsuit, the sum at risk surpasses $5 million, and the proposed class has more than 100 members. In Morrill's case, a filing on Friday asks that the court cases be consolidated, pending a judge's consent. On Monday, Rosenthal declined to speak on the lawsuit. Lakeview refused to respond to the claims in a statement but said it contacted the proper third parties and people after discovering the incident. "Lakeview, like many other firms, encountered a security incident in 2021," according to the statement. "Steps were taken to contain the problem right once, law enforcement was alerted, and a forensic investigation firm conducted a comprehensive investigation." The operations of Lakeview were not hampered." 

According to a public document with the State Attorney General's Office made by an outside counsel for the firm, the servicer didn't witness a breach in the previous 12 months. Affected consumers received a free year of Kroll free credit and identity theft protection from Lakeview. The news comes amid an increase in fraud risk for mortgage lenders, who are more vulnerable to cyber attacks than other financial institutions. According to a new FundingShield Q1 2022 study, one out of every three transactions involves components of wire or title fraud risk, and wire errors and instances of perpetuated fraud are increased in about 6% of transactions. 

"Keep in mind," warned Ike Suri, chairman, and CEO of FundingShield, a loan and title fraud protection service. "And when it comes to these percentages, we're talking big figures." As per Security experts, the percentage of visitors affected by the Lakeview breach, as well as the volume of information exposed, was substantial. "It's a lot of data which will have repercussions on those people's current business and ongoing relationships, as well as the business itself," Suri said.

The operating assets to a mortgage loan are owned by Lakeview. They work with several Servicing companies to process payments, manage a trust, as well as provide customer support for their current mortgage. 

Spam with an SMS Group Offering Freebies in Return for Direct Debit

 
Unsolicited and unwanted messages which are referred to as spam, are rarely sent from another phone. They often originate on a computer and are delivered to your phone via email or instant messaging. Scammers can transmit them cheaply and easily since they are sent over the internet. Robotexts are a sort of spam text; however, because they are simpler to ignore than robocalls, they are less intrusive. 

Spam texts and robotexts are frequently the beginning of a scam in which the sender hopes to collect personal information about the user to utilize it for fraudulent purposes. These texts put you in danger of identity theft and raise the chances of you installing malware onto your phone unintentionally. 

Spam text messages are often not scams, although they are sometimes. Scammers will deploy a variety of content to deceive you which includes luring keywords like "You've won a prize, a gift card, or a voucher", which you must use, or "You've been offered a credit card with a low or no interest rate". You must take action because there is an issue with your payment information. There's a delivery package notification  potentially requesting you to reschedule a delivery slot or pay a delivery fee to obtain it. If you weren't the one who made the purchase or transaction, you'll be alerted and asked to respond.
  • Remember any reputable organizations will not approach you out of the blue by text message and ask you to reveal personal or financial information. 
  • There are grammatical and spelling mistakes. In client correspondence, legitimate businesses rarely make obvious spelling or grammatical problems. 
  • Is the message of any interest to you? Did you order or expect anything, for example, if it alerts you about a parcel delivery? Did you enter a competition if it informs you about a prize? Is it a gift card from a store where one previously purchased something? 
Why do People continue receiving spam texts, they may utilize technologies to generate numbers automatically, so you may obtain both robocalls and robotexts even if you have a different phone number. Users' data is sold on social networking sites as prominent and well-known social networking sites watch your online behavior and sell such data for advertising. What can one do if they receive a spam text message, don't respond, avoid clicking on any links, and don't give out any personal details. Furthermore, directly go to the company's website and report the scammer. 

One important question that needs to be addressed is: What steps can be taken to protect yourself against spam texts? In order to avoid being scammed via spam texts, users are advised to only give out their personal cell phone number if it is really necessary. Online forms frequently ask for phone numbers, however, users must bear in mind that the information they provide could end up on marketing lists or databases. To help decrease the number of unwanted messages and calls, do not give out your phone number unless it is absolutely necessary, besides, do not make your cell phone number available to the public. For example, avoid putting your mobile phone number on your Facebook, Twitter, or other social media pages. Additionally, keep a close check on your phone bill which includes examining your phone bill regularly. 

Users must note that if they are unsure, they should check the provider's website to see if they are offering freebies in exchange for payment. Although it is more than likely they aren't, it is still preferable to click any of them to find out.

Spanish FA Reported a Cyber Attack, Private Texts Seized

 

Police have been informed that the Royal Spanish Football Federation (RFEF) has witnessed a cyber attack. In recent months, top leaders of the union, particularly president Luis Rubiales, have had documents and information from private email accounts, private texts, and audio calls taken.

Headquartered in Las Rozas, La Ciudad del Ftbol, a community near Madrid, the Royal Spanish Football Federation is Spain's football regulating organization. The Spanish FA won the 2010 FIFA World Cup and two European Championships in a row as a result of these events. 

"It's likely this personally identifiable information, taken unlawfully and with clear criminal purpose, was provided to numerous media," the RFEF added. 

Before the publishing of the information, an unnamed journalist informed the RFEF claiming its media outlet had been provided access to illegally acquired material from an unknown source who communicated over an encrypted voice. 

"Through third parties, the media outlet in issue claimed to have obtained confidential contracts, private WhatsApp conversations, emails, and a variety of documents involving the RFEF management," the journalist told. "If accurate, it would be a crime of secret revelation and a breach of the people attacked's fundamental rights." 

The Spanish FA has condemned such "criminal and mafia" acts to all relevant organizations, as well as appointed a private firm to improve security and prevent future attacks.

Cyberattacks, like hacktivists, can be linked to cyber warfare or cyberterrorism. To put it another way, motivations can differ. And there are three basic types of motivations: criminal, political, and personal. Money theft, data theft, and company disruption are all options for criminally minded attackers.

Data Stolen From Parker Hannifin was Leaked by the Conti Gang

 

Several gigabytes of data allegedly taken from US industrial components major Parker Hannifin have been leaked by a known Conti gang. Parker Hannifin is a motion and control technology business which specializes in precision-built solutions for the aerospace, mobile, and industrial industries. 

The Fortune 250 business said in a legal statement on Tuesday, the compromise of its systems was discovered on March 14. Parker shut down several systems and initiated an inquiry after detecting the incident. Law enforcement has been alerted, and cybersecurity and legal specialists have been summoned to help. Although the investigation is ongoing, the company announced some data, including employee personal information, was accessed and taken. 

"Relying on the Company's early evaluation and currently available information, the incident has had no major financial or operational impact, and the Company does not think the incident will have a significant impact on its company, operations, or financial results," Parker stated. "The Company's business processes are fully operating, and it retains insurance, subject to penalties and policy limitations customary of its size and industry." 

While the company has not shared any additional details regarding the incident, cybersecurity experts have learned the infamous Conti gang has taken credit for the Parker breach. More than 5 GB of archive files supposedly comprising papers stolen from Parker have been leaked by the hacker group. However, this could only be a small percentage of the data they've obtained; as per the Conti website, only 3% of the data theft has been made public. Usually, hackers inform victims they must pay millions of dollars to restore encrypted files and avoid stolen information from being leaked. 

Conti ransomware is a very destructive malicious actor because of how quickly it encrypts data and transfers it to other computers. To gain remote access to the affected PCs, the organization is using phishing attempts to deploy the TrickBot and BazarLoader Trojans. The cyber-crime operation is said to be led by a Russian gang operating under the Wizard Spider moniker and members of Conti came out in support of Russia's invasion of Ukraine in February.

Conti data, such as malicious source code, chat logs, identities, email addresses, and C&C server details, have been disclosed by someone pretending to be a Ukrainian cybersecurity researcher. Conti works like any other business, with contractors, workers, and HR issues, as revealed by the released documents. Conti spent about $6 million on staff salaries, tools, and professional services in the previous year, according to a review conducted by crisis response firm BreachQuest.

Conti and other ransomware organizations continue to pose a threat to businesses and ordinary services, and measures should be taken to help prevent a severe cyberattack.

Cyberattack in New York City, Sensitive Data of 820,000 Students was Exposed

After a digital education network used by dozens of city schools revealed hackers acquired access to confidential information of 820,000 present and former classmates during a January breach, the mayor of New York City and several education officials expressed strong outrage. 

The incident occurred in January, according to the city's Department of Education, when an internet grading system and attendance system utilized by many public schools was hijacked. 

Hackers might have gotten names, nationalities, birthdays, first languages, and student ID numbers from those platforms, as well as sensitive data including whether children used special education or free lunch programs.

The hack affected both present and former public school pupils dating back to the 2016-17 scholastic year. 

Officials from the California-based firm behind the system, Illuminate Education, have lambasted it for allegedly falsifying its cybersecurity measures. The corporation hasn't said what, if anything, was done with the information. The Department of Education has requested the NYPD, FBI, and state attorney general examine the incident. 

The regional director of K12 Security Information Exchange, Doug Levin, told the New York Daily News, "It can't remember of another school system which has had a student data leak of magnitude originating from one occurrence." 

The DOE said it will work with Illuminate in the coming weeks to send individualized letters to the families of each of the roughly 820,000 kids affected by the hack, detailing what data was exposed. According to school officials, Illuminate will likely fund a credit-monitoring program for affected kids, and will now be vulnerable to identity theft.

Chancellor of the New York City Schools, David Banks, has asked for a probe of Illuminate Education's cybersecurity safeguards, pushing the state's education agency to inquire into it.

Anonymous Plan to Release 35,000 Documents, Targeting Russia's Central Bank

 

Hackers stole $31 million ($2 billion) from Russian Central Bank client accounts, but officials were able to recover $26 million ($1.66 billion) of the assets, according to the bank in a report issued, originally reported by Reuters.

On Thursday, a Twitter account linked to the hacker-activist organization Anonymous claimed Russia's central bank had been hacked and that 35,000 files on "secret deals" will be revealed within 48 hours. 

The report does not say how Russian Central Bank officials detected the breach, but they did so in time to freeze some of the funds while they were being transferred between bank accounts to avoid being traced. 

Anonymous is a loosely organized organization of hackers from all over the world which has been active since at least 2008 when it targeted the Church of Scientology. It then shifted to 'hacktivism,' in which it targeted governments and corporations over key concerns. Members are known to wear Guy Fawkes masks and conceal one's voices with voice changers or text-to-speech tools. 

The gang does not appear to have a clearly defined hierarchy or set of regulations, making it difficult to credit cyber operations effectively. Since before the Russian invasion, Ukraine's government, army, and banks had been subjected to Russian-sponsored cyber attacks. Mykhailo Fedorov, Ukraine's Minister of Digital Transformation, told the press the main purpose of these attacks is to destabilize the country, stir panic, and create anarchy. 

The incident is similar to one that occurred earlier this year when hackers attempted to steal over $1 billion from the Bangladesh Central Bank but only succeeded in stealing $81 million. The majority of the funds were sent to Philippine casinos. The Bangladesh Central Bank has so far been able to retrieve $18 million in stolen funds. 

The study by the Russian Central Bank came on the same day the FSB (Federal Security Service) issued a warning about foreign intelligence services may try to destabilize Russia's financial system by spreading rumors of a false crisis, fake news about bank collapses, SMS alerts, and cyber-attacks. 

The FSB claimed its agents discovered servers held by a Ukrainian web hosting company in the Netherlands which were supposed to be utilized in the alleged campaign. Officials from the FSB said they were prepared to take any steps necessary to fight the danger.

Theft of 54 million SA Records, as per TransUnion Linked to the Current Breach

 

Recently one of South Africa's main credit bureaus, TransUnion has been hacked, and the hackers are demanding $15 million in ransom. 

The compromised credit bureau revealed on Friday it had been hacked and had received a ransom demand which "will not be paid." By exploiting an authorised client's credentials, the hackers, dubbed N4aughtysecTU, acquired access to an "isolated server holding restricted data from our South African firm."

N4aughtysecTU told IT Web it had 4 terabytes of client data and had accessed 54 million records, including information from more than 200 businesses. It allegedly threatened to attack TransUnion's corporate clients unless the credit bureau paid it $15 million in Bitcoin (about R223 million). 

The breach affects many South Africans who have entered into credit agreements, regardless of loan size. Users automatically consent to the credit bureaus disclosing about credit and payment history when they sign into agreements with banks or other financial institutions, credit card providers, vehicle lenders, utilities, or other creditors. The fact that your account information and payment history will be submitted to credit reporting agencies is outlined in these agreements.

According to a statement on the TransUnion website: 
  • An isolated server containing limited information from our South African operations was impacted by the attack.
  • The team is working closely with other specialists to figure out what data was impacted. 
  • Consumer information, such as phone numbers, email addresses, and identity information, may be affected. 
People should not give out personal information such as passwords and PINs to strangers over the phone or over email, according to Sabric, and demands for personal information should be confirmed first.

Experian, a credit bureau, had a data breach in 2020, potentially exposing the personal information of 24 million South Africans. Alongside, a ransomware attack hit Debt-IN Consultants, a debt recovery partner to various South African financial sector companies, in 2021. It is estimated that over 1.4 million South Africans' personal information was fraudulently accessed from its systems.

Moreover, banks have also been targeted. Absa revealed a data breach in November 2020, and over a year and a half later, it is still identifying more compromised customers. 

Misconfigured Keys are Tackled in ServiceNow's Guidelines

 

ServiceNow, a $4.5 billion software company assisting businesses with its digital workflows, has released recommendations for its clients regarding Access Control List (ACL) misconfiguration. 

In one of its reports, AppOmni said that the usual misconfigurations are caused by a "combination of customer-managed ServiceNow ACL setups and overprovisioning of access to guest users". 

The general public is a factor in RBAC for public-facing businesses. The capacity to provide public access to the information within your 'database,' which may be a forum, online shop, customer service site, or knowledge base, is one crucial feature of RBAC, according to the paper. When firms upgrade or alter SaaS services or onboard new users, the difficulty is guaranteeing the appropriate level of access.

The researchers found roughly 70% of the ServiceNow instances examined by AppOmni were misconfigured, posing the risk of unauthorized users stealing critical data from businesses who are not even aware of them being at risk. 

Securing SaaS, according to AppOmni CEO Brendan O'Connor, is much more involved in simply checking a few options or enabling strong authentication for users."Because of its flexibility and power, SaaS platforms have evolved into company operating systems. There are numerous good reasons for workloads and applications running on a SaaS platform to interface with the outside world, such as integrating with emails and text messages or hosting a customer care portal" O'Connor further added. 

As per AppOmni Offensive Security Researcher Aaron Costello, ServiceNow external interfaces exposed to the public could allow a hostile actor to take data from records. Meanwhile, Brian Soby, CTO of AppOmni, said "the enormous degree of flexibility in modern SaaS systems has made misconfiguration one of the largest security concerns enterprises face. Our goal is to shine a light on frequent SaaS platform misconfigurations and other potential hazards so customers can guarantee the system posture and configuration matches its business intent."

 Cyberattack Logan Health and Server Intrusion 

 

A sophisticated intrusion on the IT systems resulted in the compromise of a file server containing protected health information of Logan Health Medical Center which recently notified 213,543 patients, workers, and business associates warning the personal and health data may have been accessed by criminals.

Logan Health Medical Center, according to a letter, first observed evidence of illegal behavior on one of its servers on November 22, 2021. As a result, the hospital solicited the help of outside forensic experts to investigate the magnitude of the event and as to whether any sensitive personal information had been exposed. 

Logan Health CEO Craig Lambrecht reminded staff of its "vital responsibility in protecting patients' sensitive health information" in an email to employees, as well as a series of reminders on password security and responding with emails from unknown senders. 

Logan Health Medical Center confirmed on January 5, 2022, how an unauthorized party had gained access to files containing protected health information about specific staff and patients. On February 22, 2022, Logan Health began sending out data breach notification letters to all factions whose knowledge was contained in the affected files. 

After gaining access to a computer network, a cybercriminal can see and delete any data stored on the stolen servers. While most organizations can determine which files were accessed in the event of a data breach, it may not be able to determine which files the hacker really visited or whether any data was removed. 

The investigation into the Logan Health Medical Center data breach is still in its early stages. There is currently no proof of Logan Health being legally liable for the data breach. However, as more information about the breach surfaces, this could change. 

You can defend oneself from data theft or other forms of fraud by doing the following:

  • Determine what information has been tampered with.
  • Limit Who Has Access to Your Accounts in the future. 
  • Take steps to safeguard your credit and financial accounts.
  • Monitor your credit report and financial accounts regularly.

 Is Malware Analysis Challenging?

 

To minimize the likelihood and possible effect of cyberattacks, security teams require greater detection and analytic capabilities. Despite this, companies are limited in their ability to detect and respond to advanced and targeted assaults due to a lack of qualified cybersecurity personnel, an overabundance of tools, and broken processes. 

To answer these questions, OPSWAT has released two new solutions which aim to minimize the time and effort required for manual analysis, eliminate the requirement for specialized expertise, and break down barriers across diverse tools and workflows: 

  • OPSWAT Sandbox 
  • MetaDefender Malware Analyzer

"Malware analysis is a vital tool for management teams looking to go beyond check-the-box compliance procedures toward the proactive threat management and crisis response programs," said OPSWAT CEO Benny Czarny. "Organizations are undertaking a change to keep ahead of skilled adversaries which are attacking vital infrastructure to remain abreast of these attacks." 

These tools work together to make malware analysis more intelligent, resulting in faster and more accurate results with less manual effort. MetaDefender Malware Analyzer is a unified, fully integrated platform for malware tool integration, analysis orchestration, playbook automation, and aggregated reporting across several analysis tools.

Finding, training, and retaining malware analysts is difficult for businesses — The most difficult aspect of hiring new employees is that there are not enough qualified prospects. As a result, the vast majority of businesses rely on their staff to learn malware analysis skills, despite the fact, almost half of them say it's difficult to find good training programs. Furthermore, these firms recognize the malware analysis function is understaffed - more than half reported worker burnout in the last 12 months, and far more than half reported active recruitment of existing teams. 

Malware analysis technologies are ineffective due to a lack of automation, integration, and accuracy  The lack of automated tools which are not integrated is the biggest problem with malware analysis tools. Without these features, malware analysis might devolve into a time-consuming and error-prone manual procedure involving many tools and workflows. Accuracy is the most critical criterion to consider when assessing malware analysis tools — only around a quarter of businesses are confident in their capacity to detect, investigate, and resolve malware attacks.

Cyberattacks Were Launched Against Government Sites of Both Russia and Ukraine

 

Following Russia's attack on Ukraine, the Kremlin's official website and several other major Russian government websites have gone offline. Currently, the websites to go offline include Kremlin (kremlin.ru), the official website of Russian President Vladimir Putin, the Russian Ministry of Defense, and the Russian Parliament's official website (aka the Duma). Although it is unclear whether these websites were taken down as a result of a cyberattack or a technical error. 

This comes just one day after a suspected hack took out a number of Ukrainian government websites. Ukraine is on the radar of cybercriminals, according to two cybersecurity organisations with a strong presence in the country, ESET and Symantec Threat Intelligence, which have revealed that the country's computer networks are being targeted with devastating data-wiper malware. 

According to an ESET assessment, the new data wiper malware has targeted hundreds of computer systems in Ukraine. In one example, it infiltrated the victim's device's Microsoft Active Directory server. The virus appears to have been created five hours before it was released into the world, implying that its code and operational infrastructure were likely already set up and ready to go. 

According to ESET's analysis, the malware employed in the attack was HermeticaWiper, which is typically distributed via Windows group policies. This suggests that attackers may have gained complete control of their target's internal networks. According to the organisation, the malware corrupts data by exploiting genuine drivers from a disk management utility, EaseUS Partition Master software. 

Furthermore, the Wiper binary is signed "using a code signing certificate issued to Hermetica Digital Ltd," according to ESET researchers. When the wiper is activated, it launches the EaseUS disk partition application and, if the data is corrupted, it reboots the machine. 

However, Stairwell's security researcher Silas Cutler noted that HermeticaWiper may access both local data and the master boot record part of the hard drive, preventing the computer from booting into the operating system following the device's forced reboot. This is comparable to the WhisperGate malware. 

Given the time-stamp data of one of the samples, this attack could have been in the works for two months. According to Symantec Threat Intelligence, the Wiper is followed by a distributed denial of service (DDoS) attack on a number of Ukrainian websites.

It should be noted that on February 16th, 2022, Ukrainian banks and government websites were also subjected to a series of DDoS attacks. The cyberattacks were blamed on Russia by the governments of the United Kingdom and the United States. The sites of Ukraine's Ministry of Foreign Affairs, Cabinet of Ministers, and Parliament were among those affected.

Users at Citibank Attacked by a Massive Phishing Scam

 

Scammers impersonating Citibank are now targeting customers in an online phishing campaign. Thousands of bogus email messages were sent to bank customers, according to Bitdefender's Antispam Lab, with the intent of collecting sensitive personal information and internet passwords. 

Responding to unusual activities or an unauthorized login attempt, the accounts have been placed on hold. As a result, the attackers claim all users should authenticate existing accounts as soon as possible to avoid a permanent ban.

According to Bitdefender's internal telemetry, these campaigns are focused primarily on the United States, with 81 percent of the phishing emails sent ending up in the mailboxes of American Citibank customers. However, it has also reached the United Kingdom (7 percent), South Korea (4 percent), and a small number have indeed made it to Canada, Ireland, India, and Germany. When it comes to the origins of these phishing attacks, 40% of the phoney emails appear to have come from the United States, while 13% came via IP addresses in Mexico. 

The cybercriminals behind the effort utilize email subject lines like "Account Confirm Confirmation Required," "Second Reminder: Your Account Is On Hold," and "Account Confirm Confirmation Required" to deceive Citibank clients into opening the emails. Other subject lines were, "Urgent: Account Confirmation Required," "Security Alert: Your Account Is On Hold," and "Urgent: Your Citi Account Is On Hold." 

Since some of the phishing emails in the campaign use the official Citibank logo to make them appear more real, the scammers who sent them did not take the time to correctly fake the sender's email address or repair any punctuation issues in the email body.

Citing phoney transactions or payments, and also questionable login attempts is another strategy used to create these phishing emails which appear to be from Citibank itself, to fool potential victims into authenticating actual accounts. When victims click the verify button, users are taken to a cloned version of the legitimate Citibank homepage. However, if a Citibank customer goes this far, fraudsters will steal the credentials and utilize them in future assaults. 

Bitdefender has discovered another large-scale phishing campaign that went live between February 11 and 15, 2022, offering victims the opportunity to seek cash compensation from the United Nations. The challenge in this situation is to identify the beneficiary as a scam victim, one of the 150 people who were declared eligible for a $5 million payout from Citibank. 

Banks rarely send SMS or email alerts to customers about critical account changes, thereby users can contact the bank and ask to speak to an agent if they receive a message which makes strong claims. Instead of calling the phone numbers included in the email, users should go to the bank's official website and look up the information on the contact page.

Giant User Theft and Bot Attacks Target on Job Seekers

 

Job seekers are viable targets for social manipulation efforts because applicants are emotionally weak and eager to provide any information to help them win the job. Cybercriminals are finding it easier to find the next victim now the "Great Resignation" is in full armor. 

A job posting portal with a location in six countries was the sufferer in this instance. The goal of the attack was to collect job seeker information from the website. 

Since February 1, experts have seen a 232 percent increase in phishing email attacks imitating LinkedIn, seeking to deceive job seekers into handing up private credentials. The emails contained subject lines including "Searching for a suitable candidate online," "You mentioned in 4 searches this week," and even "You have 1 new message," as per the Egress team. 

The OWASP Foundation classifies web scraping as an operational threat (OAT-011), which is defined as gathering accessible data or processing output from an application. While web scraping walks a delicate line among reporting and data privacy violations, it is still one of the most common automated hacks affecting businesses today, according to Imperva.

Imperva didn't name the company, but it said it received 400 million bot requests from 400,000 network Interfaces over four days in an attempt to harvest all of its job seekers' information. Similar strategies can be employed in "scalping" attacks, which are aimed to purchase in-demand, limited-edition products in order to resell them at a greater price later. Imperva neutralized one such operation on a retailer's website around Black Friday week, which had nine million bot queries in only 15 minutes — 2500 percent above its normal traffic rate.

Several people are accustomed to receiving regular authentic LinkedIn communications – and may unintentionally click without double-checking. Individual users are still responsible for being aware of the data they provide socially and how it can be used to deceive users into clicking a malicious link.

Trickbot has Corrupted over 140,000 Devices

 

As per cyber threat intelligence firm Test Level Analysis (CPR), Trickbot, a financial Trojan infection that targets businesses and consumers for personal data, has infected over 140,000 devices belonging to customers of Amazon, Microsoft, Google, and 57 other organizations since November 2020. The investigation focuses on Trickbot, a well-known banking Trojan that was first discovered in 2016 and has since expanded into a botnet, ransomware, and malware ecosystem.

Threat actors have frequently used the bedfellows to mount multiple attacks in the past. TrickBot was frequently provided as a payload in specialized email phishing attacks by Emotet, though TrickBot has also delivered Emotet samples — the hazardous scenario at hand currently.

CPR has detected how Trickbot's writers are targeting high-profile individuals in order to steal and corrupt valuable sensitive data. At the same time, everyone should understand the people in charge of the infrastructure are highly skilled in virus development. Trickbot is mostly used to steal financial information, account credentials, personally identifying information, and even bitcoin. It's a modular malware that can be adapted to a variety of different use scenarios, which makes it far more dangerous.

More than 140,000 devices infected, according to Alexander Chailytko, Check Point's cybersecurity, research, and innovation manager, seem to be mostly computers belonging to the general population, as well as "some companies." The data gathered represents telemetry which has been obtained from its clients, however, it is "greater than" 140,000. As a result, the security vendor may have more or less visibility in specific parts of the world, according to Chailytko. 

"Trickbot has affected one out of every 45 enterprises. Over the previous few months, we've noticed a decrease in Trickbot campaign activity," the cybersecurity researcher stated. Users may defend it against Trickbot by only opening documents from reputable sources, using separate unique passwords profiles, and updating similar functionality and antivirus updated with the latest.  

Customers  Threatened by a Data Breach at Hong Kong's Harbour Plaza Hotel

 

Hong Kong's privacy authority is looking into a hack against the Harbour Plaza hotel company, which revealed more than 1.2 million visitors' booking information. The investigation's goal is to learn more about what kind of private details were compromised. Customers have been warned to keep an eye out for any strange activity in their accounts and to be aware of any unexpected emails, calls, or messages in the meantime. 

"The impacted data was the information of visitors who remained within these hotels," the PCPD tells ISMG. "As the investigations into the cyberattack are ongoing," the PCPD told ISMG, declining to specify the type of hack, the threat actor involved, or the data compromised. 

According to Harbour Plaza's statement, the Hong Kong Police was also notified along with certain other relevant authorities. The company has hired an undisclosed third-party cybersecurity forensics agency to investigate and control the problem, as well as improve its security perimeter in the future. 

According to the company's FAQs about the data leak, those who are affected will be alerted. Customers should be "extra cautious against scamming or other attempted schemes," according to the hotel firm, which says "lodging reservation databases" were impacted. It indicates possible information such as a customer's name, email address, phone number, reservation, and stay details may have been hacked. 

Inquiry into the data leak at online retailer HKTVmall 

Separately, the PCPD is looking into a case involving HKTVmall, a well-known shopping and entertainment platform run by Hong Kong Technology Venture Co. Ltd. 

The security breach has endangered the personal details of a "small fraction" of HKTV Co. Ltd.'s 4.38 million registered customers, according to a statement made on Feb. 4. According to the notice, the connected server was in an "other Asian" country. 

According to the company, it promptly notified the Hong Kong Police or the PCPD, and hired two cybercrime firms on January 27 "to conduct an investigation and further enhance HKTVmall's server security measures." 

Customer data that may have been obtained by an unauthorized person, according to HKTVmall, includes:

  • Account names which have been registered.
  • Login passwords which are encrypted and masked.
  • Email addresses which have been registered and that can be contacted. 
  • Names of recipients, shipping addresses, and contact numbers for orders placed between December 2014 and September 2018.
  • Clients who have connected their HKTVmall account to a Facebook account or an Apple ID have the date of birth, official name, and email accounts for Facebook accounts and Apple IDs.

An Israeli Spy Agency, QuaDream, Hacks Devices 

 

According to Reuters, an Apple software loop exploited by Israeli spy firm NSO Group to hack access iPhones in 2021 was also targeted by a competitor at the same time. 

The two companies QuaDream got the capacity to remotely hack into iPhones, compromising the smartphones without the user clicking on a malicious link. The fact the two firms employed the same advanced 'zero-click' hacking technique suggests that cellphones are more prone to digital espionage than the industry admits. 

The two organizations utilized ForcedEntry software exploits to steal iPhones. In the context, it's worth noting that an exploit is a piece of computer code that takes advantage of a set of unique software flaws to provide a hacker unauthorized access to data. 

"People want to feel they're safe, and telecommunications companies want the user to assume they're safe," stated Dave Aitel, a cybersecurity partner at Cordyceps Systems. 

Some notable Israelis have been attacked with Pegasus, according to a recent revelation from the Israeli publication Calcalist, including a son of former Prime Minister Benjamin Netanyahu. "CEOs of government ministries, news reporters, tycoons, corporate executives, mayors, social activists, and even the Prime Minister's relatives were all police targets," according to Calcalist. "Phones were hacked by NSO's spyware prior to any research even opening and without any judicial authorization." 

Some of QuaDream's clients overlapped with NSO Group's  implying that the buyers utilized Pegasus and REIGN for surveillance, specifically targeting political opponents. Surprisingly, the two cyberweapon's techniques were so identical when Apple patched the security weakness, it didn't make a difference. 

Spyware firms have long claimed to sell high-powered technologies to assist governments in combating national security threats. Human rights organizations and journalists, on the other hand, have reported the use of spyware to harm civil society, discredit political opposition, and sabotage elections on numerous occasions. 

Pegasus was also recently discovered on the devices of Finland's diplomatic corps working outside the nation, according to Finnish officials, as well as of a wide-ranging espionage campaign. Pegasus was allegedly installed on the iPhones of at least nine US State Department workers.

European Oil Port Hubs Hit by a Cyberattack

 

Hamburg, a major port part of northern Germany, was targeted by the cyberattack, as were at least six oil ports in Belgium and the Netherlands. Prosecutors in Belgium have opened an inquiry into the theft of oil supplies in the country's marine entryways, particlarly Antwerp which also happens to be Europe's second-largest port after Rotterdam.

Prosecutors in Germany are said to be looking into a cyberattack on oil facilities which are described as a probable ransomware attack, wherein hackers demand money in exchange for reopening captured networks. 

Last month, oil prices reached a seven-year high amid geopolitical tensions with Russia, and rising energy costs are fueling an increase in costs which has alarmed European authorities. 

"A cyberattack was launched against several terminals, causing significant disruption. The software has been taken over, which is unable to process barges. The operating system is basically down "Jelle Vreeman, a senior trader at Riverlake in Rotterdam, echoed this sentiment.

Europol, the EU's police agency, confirmed the information of the events in Germany had given assistance to authorities. "At this time, the investigation is underway and in a critical stage," said Claire Georges, a spokesman for Europol. 

Last week, the first signs of what looks to be a complex cyberattack were revealed in Germany; on January 29, Oiltranking Group and Mabanaft were found to be the victims of a cyber-attack. 

Belgian authorities were also looking into the incident, which impacted terminals in Ghent and Antwerp-Zeebrugge. In Amsterdam, Ghent, Antwerp, SEA-Tank, Oiltanking, and Evos are all reporting faults with the operating systems. 

Oiltanking Deutschland GmbH & Co. KG, a company that stores and delivers oil, motor fuels, and other petroleum products, announced its website was being hacked. According to the company, it was compelled to function at "restricted efficiency" and was conducting an investigation. The intrusion on Oiltanking was caused by ransomware, which encrypts data and renders computer systems is useless until a ransom is paid.

Following a ransomware attack on US oil distributor Colonial Pipeline in May of last year, supplies were tightened across the US, prompting various states to declare an emergency. However, cyber-security experts warn against assuming many events are part of a coordinated campaign to destabilize the European energy industry. 

"Some varieties of malware harvest emails and contact information and use it to actively spam dangerous attachments or links," said Brett Callow, Threat Researcher at cyber-security firm Emsisoft. While investigating the degree of the infiltration, the organizations report taking steps to rectify the situation and strengthen the network.