Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label malicious. Show all posts
Privnote
Cryptocurrency Breach Data Breach Data Theft malicious phishing Privnote

Privnote Secure Messaging App Is Under Phishing Threat

 

Privnote.com, launched in 2008, revolutionized secure messaging with its encryption technology. It allows users to send messages with a unique link, ensuring privacy as the content self-destructs after reading. However, its popularity among cryptocurrency enthusiasts also drew the attention of malicious actors who engaged in phishing activities. 

Phishers exploit Privnote's model by creating clones, such as privnote[.]co, that mimic its functionality. These clones surreptitiously replace cryptocurrency addresses when users create notes containing crypto wallets. Thus, unsuspecting users fall victim to sending funds to the phisher's address instead of the intended recipient. 

GitHub user, fory66399, lodged a complaint last month against MetaMask, a cryptocurrency wallet, alleging wrongful flagging of privnote[.]co as malicious. Threatening legal action, fory66399 demanded evidence and compensation. However, MetaMask's lead product manager, Taylor Monahan, swiftly debunked these claims by providing screenshots showing the fraudulent activities of privnote[.]co. 

According to DomainTools.com, the domain privatenote[.]io has changed hands between two individuals: Andrey Sokol from Moscow and Alexandr Ermakov from Kiev, over two years. While these names may not be the real identities of the scammers, they provide clues to other sites targeting Privnote since 2020. 

Furthermore, Alexandr Ermakov is linked to several other domains, including pirvnota[.]com, privatemessage[.]net, privatenote[.]io, and tornote[.]io, as per DomainTools. This suggests a potential network of fraudulent activities associated with Privnote, emphasizing the need for caution in identifying phishing attempts. 

Let’s Understand Suspicious Activities on Privnote: 

Domain Registrations: The domain pirvnota[.]com saw a change in registration details from Andrey Sokol to "BPW" and "Tambov district" as the registrant's state/province. This led to the discovery of pirwnote[.]com, along with other suspicious domains like privnode[.]com, privnate[.]com, and prevnóte[.]com, all linking to the same internet address. Interestingly, pirwnote[.]com is now selling security cameras from a Hong Kong-based internet address. 

Deceptive Legitimacy: Tornote[.]io appears to have undergone efforts to establish credibility. A Medium account has published numerous blog posts endorsing Tornote as a secure messaging service. However, testing reveals its malicious intent, as it also alters cryptocurrency addresses in messages. 

Search Engine Manipulation: Phishing sites manipulate search engine results to appear prominently for terms like "privnote." Currently, a Google search for "privnote" lists tornote[.]io as the fifth result. These sites rotate cryptocurrency addresses every five days to evade detection. 

According to the Privnote website, it is a web-based service focused on privacy, allowing users to create encrypted notes shared via unique one-time-use HTTPS links. Notes and their contents are processed securely in users' browsers, with no readable data stored on Privnote's servers. 

IP addresses are processed solely for communication and promptly deleted thereafter. Personal data within notes remains encrypted and inaccessible to Privnote. The service uses cookies for functional and non-functional purposes, respecting user privacy preferences. Privnote does not target children under 16 and commits to regularly updating its Privacy Policy.
Read more »
Vulnerabilities and Exploits
Cyberattacks Cybercrimes Google Docs Google Drive malicious Vulnerabilities and Exploits

Attackers Can Hide Malicious Apps Using the Ghost Token Flaw

 


The Google Cloud Platform (GCP) has recently been patched against a zero-day vulnerability called GhostToken, which allowed attackers to infect the platform to create an invisible and irrecoverable backdoor. A malicious attacker could exploit this flaw and gain access to a victim's account. 

By exploiting this flaw, he could also manipulate their data and documents within Gmail or Google Docs. As a result, the victim is completely unaware that this is taking place. By the name GhostToken, the issue has been identified by Israeli cybersecurity startup Astrix Security. The issue affects all Google accounts, including enterprise accounts. From June 19 through June 20, 2022, this issue was discovered and reported to Google. More than nine months after the global patch was released on April 7, 2023, the company deployed a global update. 

According to a recent post by Astrix Security, the GhostToken zero-day vulnerability could allow malicious apps to be installed in the target Google Cloud via the GhostToken zero-day vulnerability. 

The flaw allows attackers to hide their malicious apps from the victim's "Application Management" page in their Google Account to hide them from view by a user logged in to their Google Account. A user is unable to revoke access by doing this. This prevents them from doing so. By doing this, it is ensured that the GCP project associated with the OAuth application that they have been authorized to use remains in a state that says "pending deletion" by deleting it. A threat actor equipped with this capability could restore the project. After restoring it, the rogue app is visible again. As well as gaining access to the victim's data, he could make it invisible again by using the access token to obtain it himself. 

An adversary or attacker could exploit the GhostToken vulnerability to access sensitive information in the target account's Google Drive, Calendar, Photos, Google Docs, Google Maps (location data), and other Google Cloud Platform services provided by the target account. The technical team discovered the vulnerability in June 2022, reported it to Google, and asked them to fix it. Despite acknowledging this problem in August 2022, Google did not release a patch until April 2023. This is despite acknowledging the flaw in August 2022. 

The bug was patched before it was exploited by an active user, enabling Google to release the fix before it was exploited. In the users’ app management option, there is an option to show OAuth application tokens for apps scheduled for deletion as part of the patch. 

Despite the tech giant's fix, Google users must also check their accounts to determine whether there are any unrecognized apps. Additionally, to prevent any risk of damage to their devices, users should ensure that third-party apps have minimal access permissions.

A patch released by Google has been rolled out to address this issue, and it now displays apps in a pending deletion state within the third-party access section of the website. As a result, users can uninstall such apps by revoking their permissions.

There was a vulnerability in Google Cloud's Cloud Asset Inventory API that led to privilege escalation, known as Asset Key Thief, which has now been fixed. Using this vulnerability, users can steal private keys for use in Service Accounts, allowing them to access valuable data they manage. The software giant patched the issue discovered by SADA earlier this month, on March 14, 2023, two months after discovery.
Read more »
Vulnerability and Exploits.
Covid IT Breach malicious Software USB User Privacy Vulnerability and Exploits.

Hackers can Overcome Air-Gapped Systems to Steal Data


What are air gaped systems?

An air gap is a safety feature that isolates a computer or network and prevents it from connecting to the outside world. A computer that is physically isolated and air-gapped is unable to communicate wirelessly or physically with some other computers or network components. 

Data must first be copied on a removable media device, like a USB drive, and then physically transported to the air-gapped system from the computer or network. Only a select group of trusted users should be able to access the air-gapped system in situations where security is of the utmost importance.

New Technique 

Researchers at Ben-Gurion University of the Negev's Department of Software and Information Systems Engineering have developed a novel method for breaching air-gapped systems that takes advantage of the computer's low-frequency electromagnetic radiation.

According to Mordechai Guri, director of research and development at the Cyber Security Research Center at Ben Gurion University, "the attack is very evasive because it executes from a regular user-level process, does not require root capabilities, and is successful even within a Virtual Machine."

The COVID-bit technique makes use of on-device malware to produce electromagnetic radiation in the 0–60 kHz frequency region, which is then transmitted and detected by a covert receiving device in close vicinity.

After SATAn, GAIROSCOPE, and ETHERLED, which are intended to hop across air-gaps and extract private data, COVID-bit is the most recent method developed by Dr. Guri this year.

By utilizing electromagnetic emissions from a component known as a switched-mode power supply (SMPS) and encoding the binary data using a technique known as frequency-shift keying (FSK), the virus uses the COVID-bit, one of these covert channels, to communicate information.

The research article advises employing antivirus software that can recognize strange CPU patterns in addition to limiting the frequencies that some CPUs can use in order to protect air-gapped computers from this kind of attack.

Read more »
Vulnerabilities
and Exploits CommanSpirit Health Cyber Attacks malicious Ransomware Vulnerabilities

Recovery From Ransomware Attack Continues At CHI Health

 


On Tuesday, CommonSpirit Health, one of the country's biggest health systems, told an unspecified "IT Security Incident" that affected multiple regions, has disrupted hospital operations across the nation. As a security measure, a few systems were taken offline in the wake of the attack which also forced patients' procedures to be rescheduled. 

In the case of a ransomware attack, malware is typically infected onto the computer by someone manually loading the infected software. This is done by clicking on a malicious link in an email or on a website. Infected software can be downloaded either manually or through malicious links embedded in emails or sites. There is a goal behind the attack, which is to take control of computer systems or files to disable them.

As soon as the attackers gain access to the network they will be able to demand a ransom. This money is then exchanged for the encryption key from the organization.

A statement issued by CHI Health on Wednesday night noted that CommonSpirit "took immediate steps to protect our systems, contain the incident, begin an investigation and ensure continuity of care upon learning about the ransomware attack. In addition to providing our patients, employees, and caregivers with relevant updates regarding the ongoing situation, we continue to provide the highest level of care for patients. Despite this, we remain committed to maintaining the highest level of patient care and apologize for any inconveniences this matter may have caused."

CHI Health has said that some appointments and procedures have had to be rescheduled or delayed since the attack was reported at the beginning of October; this is due to the unexpected nature of the attack.

There have been reports in recent years that hospitals are following protocols if there are system outages. This includes taking certain records offline including national health records. Additionally, they are taking steps to mitigate disruptions and maintain continuity of care in the wake of an outage.

"To support and assist our team with further investigation and response work, we have engaged leading cybersecurity experts as well as notified law enforcement, and we are conducting a comprehensive forensic investigation to ensure full functionality and to reconnect all of our systems," the hospital told. 

Some patients have expressed frustration with the CommonSpirit Health attack, which some patients say has led to doctors using paper charts instead of computers. This can be a frustrating experience. Making appointments and getting prescriptions from the doctor are some of the challenges that need to be addressed.

According to the Omaha World-Herald, Edward Porter, a diabetic from Omaha, was unable to reorder sensors for his continuous glucose monitor because CHI Health's systems are currently offline, posing a problem with reordering the sensors for his insulin pump.

Under the employer-provided medical insurance that he uses, the devices are considered durable medical equipment the policy. As a general rule, he gets them at a CHI Health pharmacy which is specialized in handling these kinds of devices. Buying them out-of-pocket would cost at least $75 per person, which is an expense that he has not budgeted for, and will not be able to afford.

Neither Common Spirit nor any of its affiliate companies have announced publicly whether the attack has affected all 1,000 care facilities in 21 states, which include 140 hospitals. Additionally, the hospital has not commented on whether any personal or medical data of the patients was compromised as well.

Evidently, the attack has affected the healthcare sector in a significant way; according to Brett Callow, a threat analyst with cybersecurity service provider Emsisoft, it might be the biggest-ever attack ever experienced by a hospital. 
Read more »
Vectors
attacks Bugs Cyber Attacks Flaws malicious Vectors

‘Evil PLC’ Could Turn PLCs Into Attack Vectors

 

When one thinks of someone hacking a programmable logic controller, one usually think of the PLC as the end objective of the assault. Adversaries use other systems to get at what will eventually allow them to cause industrial damage. 

However, a Claroty Team 82 DefCon presentation asks the following question: what if someone exploited a PLC as a vector rather than the destination? The researchers feel that the "Evil PLC" attack scenario is novel: infecting every engineer who interfaces with a PLC with malicious malware. 

Claroty revealed a series of 11 additional vendor-specific vulnerabilities that would allow the attack as proof of concept. These flaws have been discovered in Ovarro TBOX, B&R (ABB) X20 System, Schneider Electric Modicon M340 and M580, GE MarkVIe, Rockwell Micro Control Systems, Emerson PACSystems and Xinje XDPPro platforms. All but the Emerson were issued CVEs. Claroty came up with the notion after trying to learn more about the opponents that attack their honeypots.

“We asked ourselves, how can we actively attack the attackers? We don't know anything about them. We cannot find them,” said Claroty director of research Sharon Brizinov. “And then we kind of had a eureka moment and we thought, okay, what if the PLC was to be weaponized?”

Claroty used a ZipSlip attack against vendors (Emerson, Ovarro, B&R, GE, and Xinje), a heap overflow against Schneider, and a deserialization attack against Rockwell to create an Evil PLC. Evil PLC, according to Claroty, would be suited for two assault scenarios. The first scenario would be if the PLC was the only entry point into a secure facility. Waiting for an engineer to connect to the PLC allows the attacker to infect the engineer's workstation. This might be sped up by encouraging an early inspection using the newfound access to the PLC.

“Once the attacker weaponized the PLC, maybe they deliberately cause a fault on the PLC. The engineer would be lured to the PLC to check what's going on with it,” said Brizinov. 

Another possibility is to take use of the large number of PLCs maintained by outside professionals. One engineer is linked to one PLC could spread malicious code across several enterprises. 

“Usually PLCs are the crown jewel. When we're talking about classic attack vectors in ICS domains we're always seeing the PLC as the endpoint, the end goal; but if we're playing with those ideas and shifting our thoughts a bit, we can we can get to new ways of how to defend and attack both networks,” Brizinov said. 
Read more »
Malicious actor
Cyber Security domains Google Hacking Hacking Group malicious Malicious actor

Google Blocks Malicious Domains Used by Hack-for-hire Groups

About hack-for-hire

Threat Analyst Group (TAG) of Google last week revealed that it blocked around 36 malicious domains used by Hacking groups in Russia, UAE, and India. 

In a technique similar to surveillance ecosystems, hack-for-hire groups give their clients the leverage to launch targeted cyberattacks on corporate organizations, politicians, activists, journalists, and other users that are at high-risk. 


What is Google saying?

Google in its Blog says "as part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further harm."  

The only difference in the manners of the two is that while users buy the spyware from commercial vendors and later use it themselves, the actors behind hack-for-hire cyberattacks deploy the hacking attempts on the clients' behalf so that the buyers remain anonymous. 


How does hack-for-hire operate?

The hack-for-hire ecosystem is flexible in two ways, first in how the actors deploy the attacks themselves, and second, in the large range of targets, they seek in a single campaign on their clients' behalf. 

Some hacking groups publicly market their products and services to any user that is willing to pay, however, few operate in a hidden manner and sell their services to a limited public. 

"We encourage any high risk user to enable Advanced Protection and Google Account Level Enhanced Safe Browsing and ensure that all devices are updated. Additionally, our CyberCrime Investigation Group is sharing relevant details and indicators with law enforcement," says Google. 


Other Details


A recent campaign launched by an Indian hacking group attacked an IT company in Cyprus, a fintech organization in the Balkans, an educational institute in Nigeria, and a shopping company in Israel, hinting the wide range of victims. 

According to Google Since 2012, TAG has been tracking an interwoven set of Indian hack-for-hire actors, with many having previously worked for Indian offensive security providers Appin and Belltrox. 

One cluster of this activity frequently targets government, healthcare, and telecom sectors in Saudi Arabia, the United Arab Emirates, and Bahrain with credential phishing campaigns, Google adds. 
Read more »
Mozilla Firefox
Cyber Security Firefox Add-On malicious Mozilla Firefox

Malicious Add-Ons Blocked by Mozilla Firefox

 

The Mozilla Firefox team recently restricted add-ons that have been misusing the proxy API, preventing approximately 455,000 users from upgrading their browsers. 

Mozilla's development team members Rachel Tublitz and Stuart Colville claimed in a Monday post that they had found the rogue add-ons in early June. The add-ons were exploiting the proxy API, that is used by APIs to manage how Firefox connects to the internet. 

Add-ons are advanced software pieces that may be installed to Firefox or other programs to personalize the browser by performing things like limiting tracking, removing advertisements, downloading movies from websites, or translating information. 

However, from the other extreme, they may be malicious tiny creatures that install malware, such as the 28 Facebook, Vimeo, Instagram, as well as other add-ons discovered by experts last year in widely utilized Google and Microsoft browsers. The add-ons stole private data, seemed to have the capacity to activate more malware downloads, and altered links that victims clicked on to send them to phishing sites and advertisements. 

The Firefox team stated that the problematic Firefox add-ons discovered in June, dubbed Bypass and Bypass XM, were intercepting and redirecting users from downloading updates, accessing updated blocklists, and upgrading remotely set material. Mozilla has banned the rogue add-ons from being downloaded by more users. 

According to a blog post, Mozilla is now accepting new applications. The document also includes suggested parameters for Firefox add-on developers to assist accelerate add-on evaluation. 

Mozilla has also altered how well the browser handles key queries such as update requests. Beginning with Firefox 91.1, if an essential demand is performed through a proxy configuration that fails, Firefox will fall back on direct connections. 

“Ensuring these requests are completed successfully helps us deliver the latest important updates and protections to our users,” the Firefox developers said. 

To prevent such fraudulent add-ons, the team had installed a system add-on called Proxy Failover (ID: proxy-failover@mozilla.com). System add-ons — a means to ship Firefox extensions – are hidden, cannot be disabled, and may be updated without restarting the browser. According to Mozilla, Proxy Failover is now available in both current and older Firefox versions. 

Anyone who isn't using the newest version and hasn't disabled updates should check to see if they've been impacted by the malicious add-ons, according to Mozilla. The very first step is to attempt an upgrade of Firefox: Recent versions have an upgraded blocklist that removes harmful add-ons automatically.
Read more »
XAMPP Hosts
Agent Tesla malicious malware XAMPP Hosts

XAMPP Hosts are Employed to Distribute Agent Tesla

 

RiskIQ's research team has evaluated the familiar fingerprints campaign in dangerous infrastructure from famous malware families. Their examination of Agent Tesla infrastructure leads them to discover the employment of web solution stack installations for XAMPP Web Server. They examine these identified campaigns using their Internet Intelligence Graph. 

The most recent investigation depicts a new insight into the ecosystem of Agent Tesla, the TTP its operatives utilize, and how RiskIQ users potentially can use the XAMPP web component to identify hosts that transmit malware and investigate other possibly harmful infrastructures. 

XAMPP is an open-source web server solution stack package produced by Apache Friends, composed primarily of Apache HTTP Server, MariaDB database, and script interpreters created in the PHP and Perl programming languages. XAMPP is a free server solution stack. As the majority of current web server operations employ the same components as XAMPP, it makes it feasible to move from a local test server to a live server. 

Neither the XAMPP is malevolent nor the hosts employing XAMPPA are always hostile. Everything which makes XAMPP useful for developers also provides an excellent tool for actors who threaten them and some malicious sites are using XAMPP to disseminate malware. 

The web component of XAMPP obtained by the Internet Intelligence Graph of RiskIQ demonstrates that there are numerous XAMPP Internet-faced servers despite developing XAMPP without an internet connection. 

For their March 2021 post about, Exploring Agent Tesla infrastructure, researchers first detected the use of XAMPP for malware propagation during the analysis of the Agent Tesla infrastructure. The Agent Tesla infrastructure, with the same MariaDB, Apache, and PHP Web service stack, was then detected – all with open SMBs sometimes with FTP or SMTP services. 

Agent Tesla is indeed a renowned "malware-as-a-service" RAT for stealing passwords, keystrokes, clipboard data as well as other important information. It is typically transmitted through phishing attempts since it initially surfaced around 2014 and was replicated several times. 

They could recognize hosts with this particular web service stack with the XAMPP web component of RiskIQ. Researchers would then detect malicious infrastructure and trends in that infrastructure using these hosts in conjunction with other data sources. 

An IP hosting Agent Tesla and a WBK file, a restorable file by Microsoft Word, are included within one instance. A link to the Hybrid Analysis Report in the related hashes list of the IP is provided for the file which initiates a GET request in a WBK file, and for another file to install a Tesla Agent file with a variety of commands and control (C2) domains. In many other instances, attackers' IPs utilized Agent Tesla, using a malicious XLSX document communicating with the IP to install the Agent Tesla file, which was subsequently renamed. Another IP attacker hosts harmful files and sends phishing emails to implant malware such as SnakeKeylogger or QuasarRAT. 

Evidence indicates that the attacker has installed XAMPP on hosts owned by the provider dynamic DNS[.]org that distributed the Tesla Agent. Other DDNS providers with preinstalled XAMPP stack malware packages have also been identified. 

The researchers state that “While we do not have confirmed malicious activity on this infrastructure, an illegitimate domain mimicking Microsoft Outlook was recently registered on July 23 and has linked to two PHP pages displaying what appears to be XAMPP notifications on settings not yet made.”
Read more »
Subscribe to: Posts (Atom)