
Windows 10 Users Beware! TrickBot's Prevalence and Delivery Escalate on Devices



Reports indicate that attackers have recently been found abusing the latest version of the Remote Desktop ActiveX control that ships with Windows 10.

As in several other campaigns, the abuse causes the OSTAP JavaScript downloader to execute automatically on the target's system.

According to the researchers' analysis, the ActiveX control is used to run a malicious macro automatically as soon as the target enables content in the document. Most of the documents contain an image designed to persuade the reader to click Enable Content.

The catch is that a hidden ActiveX control sits beneath the image, and the OSTAP downloader is embedded as white-on-white text: invisible to the reader, but perfectly readable to the script engine that later processes the file.

TrickBot's operators rely on users' habit of not installing the updates that would protect their systems.

TrickBot is among the most advanced malware frameworks in circulation, and the number of samples targeting Windows 10 keeps growing. Recently, researchers uncovered more documents that execute the OSTAP JavaScript downloader.

The researchers also found that the TrickBot crew was not the only group abusing this ActiveX control; other groups were misusing it as well.

The malicious documents followed the naming pattern i<7-9 arbitrary digits>.doc. Almost every document contained an image urging the reader to enable content, with the hidden ActiveX control placed beneath it and the OSTAP JavaScript downloader stored as white text that only the machine reads.

Analysis of the ActiveX code revealed the use of the MsRdpClient10NotSafeForScripting class. The control is configured with an empty Server field, which deliberately provokes a connection error that the attackers then build on.

The macro is triggered from the control's _OnDisconnected event handler, which calls the main function. It does not fire immediately, because the control first tries to resolve the empty server name via DNS, which takes a moment and then returns an error.

OSTAP executes only if the error number matches disconnectReasonDNSLookupFailed exactly; the wscript command that launches OSTAP is derived from that error-number computation, so a different disconnect reason (for example in a sandbox with no DNS) will not trigger it.

wscript is then run over the document's own content. This is an old trick: the batch interpreter ignores comments and everything that does not fit its syntax while it runs, so the document text doubles as a script file.

Once the JavaScript has been edited to the attackers' needs, the obfuscation scheme is reapplied. Patching does not stop every attack, but it remains a prerequisite.

A layered defense is essential against OSTAP and loaders like it. As technology advances, so do attack techniques and the number of attackers, so keep systems updated and a tight security posture in place.
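A triage script for the indicators described above, added here as an example and not taken from the original report or the researchers' tooling. It checks the i<7-9 digits>.doc filename pattern and scans the document bytes for the MsRdpClient10NotSafeForScripting class, the _OnDisconnected handler and the disconnectReasonDNSLookupFailed check, in both ASCII and UTF-16LE (Office stores strings in either encoding inside OLE streams). The sample document bytes at the bottom are constructed for the demonstration; the VBA handler text in them is illustrative.

```python
"""Heuristic triage for the TrickBot/OSTAP maldocs discussed above.

Added example, not code from the original article. Sample bytes are
constructed; real documents are OLE2 containers and the strings below
may live in the ActiveX stream, the VBA project, or the document text.
"""
import re

# Naming pattern reported for the campaign: i followed by 7-9 digits.
FILENAME_RE = re.compile(r"^i\d{7,9}\.doc$", re.IGNORECASE)

# Indicator strings named in the article, matched in ASCII and UTF-16LE.
INDICATORS = {
    "rdp_activex_class": b"MsRdpClient10NotSafeForScripting",
    "disconnect_handler": b"_OnDisconnected",
    "dns_failure_check": b"disconnectReasonDNSLookupFailed",
    "wscript_launch": b"wscript",
}


def _encodings(needle: bytes):
    """Yield the indicator as ASCII bytes and as UTF-16LE bytes."""
    yield needle
    yield needle.decode("ascii").encode("utf-16-le")


def suspicious_filename(name: str) -> bool:
    return FILENAME_RE.match(name) is not None


def scan_document(data: bytes) -> dict:
    """Return a dict of indicator -> bool plus an overall 'verdict'."""
    lowered = data.lower()  # bytes.lower() only touches ASCII letters, safe for UTF-16LE
    hits = {
        label: any(enc.lower() in lowered for enc in _encodings(needle))
        for label, needle in INDICATORS.items()
    }
    if hits["rdp_activex_class"] and hits["disconnect_handler"]:
        # The RDP client control plus a disconnect handler is the OSTAP trigger chain.
        hits["verdict"] = "ostap_rdp_activex"
    elif hits["rdp_activex_class"]:
        # An RDP ActiveX control has no business in an ordinary invoice document.
        hits["verdict"] = "suspicious"
    else:
        hits["verdict"] = "clean"
    return hits


# Constructed sample: OLE2 magic, the class name as UTF-16LE (as the ActiveX
# stream would store it), then an illustrative VBA handler in ASCII.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_MALDOC = (
    OLE2_MAGIC
    + "MsRdpClient10NotSafeForScripting".encode("utf-16-le")
    + b"\x00" * 16
    + b"Private Sub MsRdpClient10NotSafeForScripting1_OnDisconnected(ByVal discReason As Long)\r\n"
    + b"    If discReason = disconnectReasonDNSLookupFailed Then Main\r\n"
    + b"End Sub\r\n"
)
SAMPLE_BENIGN = OLE2_MAGIC + "Quarterly report text".encode("utf-16-le") * 4

if __name__ == "__main__":
    for name, blob in (("i12345678.doc", SAMPLE_MALDOC), ("report.doc", SAMPLE_BENIGN)):
        result = scan_document(blob)
        print(name, "filename-match" if suspicious_filename(name) else "filename-ok", result["verdict"])
```

The verdict deliberately keys on the class name plus the disconnect handler rather than on the white-text JavaScript, because the downloader body is re-obfuscated per campaign while the trigger mechanism is what the control needs in order to work.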


The hacker explained why in Russia cards will become more often blocked


Hacker Alexander Warski has explained what to expect from the regulators: in his view, bank cards in Russia will be blocked more often.

The information security specialist was commenting on the new law on mandatory notification when funds in Russians' accounts are blocked. From March 28, credit institutions are obliged to notify customers of a block on the same day and to state the reason for it. According to the hacker, the new law will only lead to a significant increase in blocks.

"The governing bodies will be more likely to use this tool," - said Warski.
At present, illegal withdrawals account for about 1% of all financial transactions. Scammers spoof phone numbers so that they display as the bank's own and pester people on the bank's behalf. For this reason the hacker believes mobile operators are to blame for allowing the sale of virtual SIM cards.

State Duma Deputy Natalia Poklonskaya believes that the introduction of the new law will make the bank-client relationship system more transparent.

"Now this side of banking will become more open, and blocking a client's account will no longer come as a surprise, which means it can no longer be used as a tool of manipulation," said Natalia.

Earlier, EhackingNews reported that experts from the information security company Positive Technologies came to the conclusion that hackers will need only five days on average to hack a large Russian Bank.

It also emerged that 89% of data leakage incidents at Russian banks were caused by ordinary employees.

Banks have also noted the appearance of Telegram bots through which people can earn money anonymously by leaking information and personal data. Each disclosure is priced at 50-100 thousand rubles ($750 - $1,500).

New Lampion Trojan Found Attacking Portuguese Users


There's a new Trojan in town: Lampion. According to security researchers, the malware is distributed through phishing emails that target Portuguese users and pose as messages from the Portuguese Government Finance & Tax authority.


How does it attack?

  • Segurança Informática Lab (SI-Lab) reports that the phishing email distributing the Trojan impersonates government correspondence, in this case from the Portuguese Government Finance & Tax authority.
  • The email tells the recipient they have an outstanding debt from 2018.
  • It then asks the user to click a link to clear the matter up and "avoid being scammed".
  • As soon as the victim clicks the link in the email body, the Trojan is downloaded to the system from a remote server.
  • The downloaded file is a compressed archive named FacturaNovembro-4492154-2019-10_8.zip. When the user unzips it, they find three files: a PDF, a VBS script and a text file.


The file

  • FacturaNovembro-4492154-2019-10_8.zip is only the first stage of the infection chain; the script inside acts as a dropper and downloader.
  • When executed, the dropper fetches the next stage from the remote server: two more files, P-19-2.dll and 0.zip. P-19-2.dll is the actual Lampion Trojan.
  • The DLL carries a Chinese-language name and a message addressed to the victim.


The Lampion Trojan

Lampion is an improved variant of the Trojan-Banker.Win32.ChePro family, written in Delphi. It carries both anti-debug and anti-VM techniques that make analysis and removal difficult, whether in a sandbox or by hand. In the captured samples, researchers identified the following capabilities: remote connection; startup network; resource retrieval; network resource manipulation and redirected folder paths; message retrieval and communications; changing communication parameters; custom functions; dialog boxes; spawning code; and logic storage.

Cyware Social reports that "Lampion trojan is involved in capturing data belonging to both the users and infected systems. The collected information includes system information pages, installed software, web browser history, clipboard, details of the file system, etc."

It also gives the attackers a web interface through which they can perform actions on the infected machine.

Hackers Exploit Vulnerabilities in Pulse VPN and Android Devices to Launch Heavy Cyberattack


The Pulse Secure VPN vulnerability, CVE-2019-11510, is rated critical, while CVE-2019-2215 affects unpatched Android smartphones. Unpatched devices and systems are among the easiest targets for attackers, and the consequences can be severe. Targeting unpatched Android phones has recently become a trend, and attackers have also been seen exploiting the Pulse Secure VPN flaw in attempts to compromise organisations and individuals.


The flaw in Pulse Secure VPN

According to UK-based security researcher Kevin Beaumont, the REvil (Sodinokibi) ransomware hit at least two companies after attackers exploited the Pulse Secure VPN flaw, and many attackers are now using it to launch ransomware attacks. The most recent organisation reported as affected is the currency exchange and travel insurance company Travelex. The attack used the REvil ransomware and forced Travelex to shut down all of its online operations.
As a result, the company took its systems offline and had to run its branches manually.

CVE-2019-11510 is rated critical by security experts. It is an arbitrary file read vulnerability affecting Pulse Secure's Pulse Connect Secure and Pulse Policy Secure products. An unauthenticated attacker can read files over HTTPS without any username or password, and from there gain access to the company's network. By exploiting it, attackers can view and download confidential files and go on to run malicious code that disrupts the whole network. Pulse Secure released a patch in April 2019, and users are urged to update to the latest patched version.

The flaw in Android Devices

The SideWinder APT group exploited the Android vulnerability through three apps on the Google Play Store named Camera, FileCrypt and CallCam. "These apps may be attributed to SideWinder as the C&C servers it uses are suspected to be part of SideWinder's infrastructure. Also, a URL linking to one of the apps' Google Play pages is found on one of the C&C servers," Trend Micro's researchers said.

The Russian quality system (Roskachestvo) gave recommendations on protecting data in social networks

Scammers on social networks use social engineering to hijack user accounts. Roskachestvo experts therefore recommend applying the strictest privacy settings to one's personal page. According to the experts, cybercriminals try to get into a target's friends list so they can exploit that position for fraud later, so users should monitor their privacy settings and stay vigilant.

"Set the most strict privacy settings. For example, hide your contact information, published posts, and information about relatives and friends from everyone except your friends. This will make it more difficult for attackers to get your data and use it in fraud using social engineering," said experts.

Cybercriminals use fake phone numbers, fake names and other people's photos to get onto the friends list. There is also a high risk that clicking a greeting card, petition or unknown link redirects the user to a site that asks for social network login details and passes them to the fraudster.

"Everyone knows for sure that a request for financial assistance from a hacked page is a fraudulent technique," reminded Roskachestvo.

The experts advise adding only people you actually know, being wary of anyone who asks for or offers money, and, if a friend makes such a request, confirming it with them personally by phone.

"Do not send payment or other confidential information in social networks and messengers. If you have already sent your card data, find and delete these messages," said experts.

Roskachestvo also advises against following suspicious links sent in messages and against using public Wi-Fi networks, and recommends enabling two-factor authentication on social networks and using a complex, unique password for each service, generated with a password generator.

"At the same time, it is extremely important to use different passwords for accounts on different resources," said Anton Kukanov, head of the Center for Digital Expertise of Roskachestvo.

Corona Impacts Amazon; More Than One Million Products Banned


The e-commerce giant has finally started taking steps in response to the coronavirus epidemic, banning more than a million products and removing "tens of thousands" of overpriced health products listed by unscrupulous vendors.

A search for "coronavirus" on Amazon returned face masks, disinfectant wipes and recently published books on viral infections, showing how some sellers are taking advantage of the health crisis. It also returned vitamin C boosters, a fake remedy for the virus that has been widely promoted online.

The World Health Organisation (WHO) expressed concern earlier this month about misleading Amazon listings, including counterfeit medicines. The organisation said false coronavirus claims online were causing mass confusion and asked the tech giants to fight the spread of misinformation.

Amazon has yet to provide a list of the items it says it has removed, but a BBC search for "coronavirus" on the site suggests that many items are still being sold at unusually high prices. Some of them are not even fit for purpose, such as disposable dust or surgical masks rather than the recommended protective gear.

In one example, a 50-piece pack of surgical masks from one seller cost more than £170, while a popular alternative of a similar item was on sale for around £36. Even that cheaper item has risen sharply in price since early January, when it cost under £10.


Referring to the practice of hiking prices to unreasonable levels in response to a surge in demand, a spokesperson said, "There is no place for price gouging on Amazon." She pointed to the company policy that allows Amazon to take down products that "hurt customer trust", including when pricing "is significantly higher than recent prices offered on or off Amazon".

She added that the company will continue to monitor the site for price spikes.

Facebook Sues Data Analytics Firm for Improperly Harvesting User Data


On Thursday, Facebook filed a federal lawsuit in California against OneAudience, a New Jersey-based marketing firm focused on data analytics. The social media giant claims the firm paid app developers to secretly harvest Facebook users' data by embedding a malicious SDK in their apps. According to the court documents, the SDK was planted in various gaming, shopping and utility apps available on the Google Play Store.

A software development kit, or SDK, is a downloadable collection of tools for building applications: the basic components a developer needs to build a platform-specific app quickly and well. In short, an SDK is what makes mobile app development practical. These packages have a downside, though: they can also contain trackers that collect information about the device and app usage and send it back to the SDK maker.

Facebook alleges in the lawsuit that OneAudience abused the "Login with Facebook" feature to gain unauthorised access to sensitive user data without permission. OneAudience is also accused of paying apps for access to users' Twitter and Google data when they logged into the infected apps with those accounts.

"With respect to Facebook, OneAudience used the malicious SDK – without authorization from Facebook – to access and obtain a user's name, email address, locale (i.e. the country that the user logged in from), time zone, Facebook ID, and, in limited instances, gender," Facebook remarked.

Back in November 2019, Twitter and Facebook said that OneAudience had collected private user information through the SDK, compromising the privacy of hundreds of users by illegally collecting their names, email addresses, usernames, genders and latest posts.

Commenting on the case, Jessica Romero, Facebook's Director of Platform Enforcement and Litigation, said: "Facebook's measures included disabling apps, sending the company a cease and desist letter, and requesting their participation in an audit, as required by our policies. OneAudience declined to cooperate."

"This is the latest in our efforts to protect people and increase accountability of those who abuse the technology industry and users," she further added.

Cyber Flashing: Another Horrendous Form of Sexual Assault via the Internet


Of all the vile things a pervert can do with digital means, cyber flashing is among the most degrading and harassing.

For those unfamiliar with the term, cyber flashing is, like every other form of "image-based sexual abuse", a deeply disgusting practice.

Because the law has not settled on where this technology-enabled offence stands, most people know little about it, let alone that it may be a crime.

You might be sitting somewhere quiet, perhaps on a long-awaited holiday, idly scrolling on your phone, when a stranger's genitals suddenly fill your screen via an AirDrop file.

The initial shock, the disgust and the sick feeling that follows are all understandable, and when you try to dismiss the file it is sent again and again, many times over.

The nastiest part is that the sender may be sitting nearby, watching you look at their genitals and taking some sickening pleasure in it.

According to several polls and studies, 40 percent of women in England, Scotland and Wales combined have experienced cyber flashing in one form or another, having received unsolicited and repulsive pictures of male genitals.


Disappointingly, despite how widespread the problem is, few governments have specific legal provisions to deal with cyber flashing. Many countries' existing laws do not cover it fully, only insofar as it falls under "sexual harassment or communication".

Scotland, Singapore and the US state of Texas have nevertheless legislated against it, though only under pressure from women's rights campaigns.

Over the past few years, campaign groups have argued strongly for a new law focused solely on "image-based sexual abuse" that would explicitly outlaw cyber flashing.
But the government did not act, and the recommendations were rejected.

Taking this far from trivial crime seriously, and addressing the neglect it has suffered in terms of legal consequences, is urgently needed to deter would-be offenders.

Offenders need to understand that sending someone an unsolicited picture of their genitals is simply not acceptable and that they can be punished for it.

Cyber flashing can seriously distress recipients and make them feel unsafe even in public spaces. It also emboldens men to exploit the anonymity of the act and expose themselves without fear of being caught on the spot.
Women need to be empowered to fight back against it.

Girls and women should also know that these "dick pics" are not misguided attempts at flirting, and the men sending them need to understand that this is neither a way to obtain nudes in return nor, appallingly, some twisted form of showing off.

The law needs to keep pace with rapid changes in technology, and with the ways people misuse it, especially for harassment and sexual abuse.

The Central Bank of Russia warned about the new scheme of fraud "taxi from the Bank"


Fraudsters have found a new way to extract money from Russians. Social engineering is again at the heart of it: people are offered a new bank service, a "taxi to the ATM", and on the way they are persuaded to transfer money to a third-party account.

The victims of the new scheme are people who do not use online banking, the elderly in particular. The attackers pressure them into making a transfer at an ATM, and to get them there they offer the "taxi from the bank" service free of charge.

The scheme has been confirmed not only by the banks but also by the Central Bank. Several people have already fallen victim, and all tell the same story: criminals call from an 8-800 number and report that someone is trying to withdraw funds from the client's card. If the potential victim does not have online banking, they are offered a special taxi to the ATM.

"Allegedly, it will be possible to transfer the funds to a secure account from the ATM. The attackers order a regular taxi for the victim, and once the person is at the ATM they carry out the transfer to the attacker's account under dictation," said Alexey Golenishchev, Director of Operations Monitoring and Disputes at Alfa-Bank.

The Central Bank warned that when suspicious activity is suspected, customers are never asked to carry out transactions at an ATM. Scammers often ask victims to transfer money through an ATM, and the "taxi from the bank" is one variation of this scheme.

Sberbank confirms the scenario and acknowledges that the scheme is becoming more common. The victims are lonely or elderly people who are easy to deceive and have no one to consult. The scammers give them no time to think and push them to act quickly.

The loss from such fraud is usually around 15 thousand rubles ($220).
Fraudsters had previously begun practising another trick: a man finds a "forgotten" card at an ATM and picks it up, whereupon the card's owner appears and, of course, claims that money has gone missing from the card.

Bretagne Télécom recovered 30 TB data in a ransomware attack by DoppelPaymer


Bretagne Télécom, a cloud service provider, was hit by the DoppelPaymer ransomware after attackers exploited CVE-2019-19781, the Citrix ADC/Gateway vulnerability, on unpatched servers.


Bretagne Télécom is a French cloud hosting and telecommunications company that provides telephony, Internet and networking, hosting and cloud computing services to roughly 3,000 customers across 10,000 servers.

Fortunately this is a success story with a happy ending: the attack failed, with no data lost and no ransom paid. The company restored the encrypted systems and data from backups held on Pure Storage FlashBlade arrays.

Around 30 TB of data was encrypted

The attack took place in the first half of January, while the servers were still unpatched. The attackers began scanning for vulnerable servers on January 8 and struck two days later. Citrix subsequently released fixes for the vulnerability, with the final patch published on January 24.
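The two cases on this page, Travelex via the Pulse Secure flaw (CVE-2019-11510) and Bretagne Télécom via the Citrix flaw (CVE-2019-19781), both started with attackers scanning for a pre-authentication path traversal on an Internet-facing VPN appliance. The following detector, added here as an example and not taken from either article or either vendor, runs signature checks for the two public traversal patterns over web access-log lines, normalising URL encoding and dot segments first so that encoded variants are not missed. The signatures are the publicly documented request shapes for these CVEs; the log lines are constructed for the demonstration.

```python
"""Hunt access logs for scanning of two VPN-appliance traversal flaws.

Added example, not code from the original articles. Signatures used:
  CVE-2019-11510 (Pulse Connect Secure): a read reached through the
      /dana/html5acc/guacamole/ handler with ../ segments in the path.
  CVE-2019-19781 (Citrix ADC/Gateway): a request that reaches /vpns/
      by traversing out of /vpn/ (for example /vpn/../vpns/...).
Sample log lines at the bottom are constructed.
"""
import re
from urllib.parse import unquote

# Combined-log-format prefix: client, ident, user, [time], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise(path: str) -> str:
    """Strip the query string and decode twice to defeat double encoding."""
    p = path.split("?", 1)[0]
    return unquote(unquote(p)).lower()


SIGNATURES = (
    ("CVE-2019-11510", lambda p: "/dana/html5acc/guacamole/" in p and "../" in p),
    ("CVE-2019-19781", lambda p: re.search(r"/vpn/(?:[^?]*?)\.\./vpns/", p) is not None),
)


def classify(line: str):
    """Return a hit dict if the request matches a signature, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalise(m.group("path"))
    for cve, matches in SIGNATURES:
        if matches(path):
            status = int(m.group("status"))
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "cve": cve,
                "status": status,
                # A 200 on a traversal request means the appliance served the file.
                "likely_success": status == 200,
                "path": path,
            }
    return None


def scan(lines):
    return [hit for hit in map(classify, lines) if hit is not None]


# Constructed sample: two Citrix probes (one URL-encoded), one Pulse probe,
# and two legitimate requests that touch the same handlers without traversal.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jan/2020:04:12:01 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1200',
    '203.0.113.7 - - [08/Jan/2020:04:12:03 +0000] "POST /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0',
    '198.51.100.9 - - [10/Jan/2020:09:00:45 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 4100',
    '192.0.2.4 - - [10/Jan/2020:09:01:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 532',
    '192.0.2.4 - - [10/Jan/2020:09:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        flag = "SUCCESS?" if hit["likely_success"] else "blocked"
        print(f'{hit["ts"]} {hit["ip"]} {hit["cve"]} {flag} {hit["path"]}')
```

Matching on the decoded path rather than the raw request line is the important part: scanners routinely encode the dot segments, and a rule that only looks for the literal `../` string misses them. A hit with status 200 before the patch date is the trigger to treat the appliance as compromised and rotate its credentials, not merely to patch it.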

DoppelPaymer's operators compromised around 148 machines holding data belonging to "around thirty small business customers", Bretagne Télécom CEO Nicolas Boittin told LeMagIT.

The DoppelPaymer operators demanded a ransom of 35 bitcoins (roughly $330K) to decrypt the systems. Of course, the company restored its data itself and had no need of the attackers' "decryption services". Using the Rapid Restore feature of the Pure Storage FlashBlade arrays, Bretagne Télécom was able to restore all of the affected customers' data.

"We found the time when the attackers installed the scheduled encryption tasks. Once these tasks and the malware were removed, we were able to return to operational conditions."

"It is not the first time that this has happened to customers. But most of the time, they are self-managing, so we didn't interfere," Boittin added.

"Ransomware from our customers, there may not be one per month, but not far. And we never paid. I refuse to fuel a parallel economy where we would give pirates the means to improve their systems to attack us again."
The company restored each customer's data on an isolated network, a job that took up to six hours in some cases. It was able to deal with the attack effectively by treating it as a data breach, which most companies fail to do even though sensitive information is often compromised before the encryption ever takes place.

Hackers launch DDoS Attacks to Target Australian Banks


Hackers are threatening Australian banks, demanding large payments in Monero and promising DDoS attacks if the demands are not met. Since last week, banks and other financial-sector organisations in Australia have been the target of DDoS extortion campaigns.

The group is blackmailing its victims into paying large sums as a ransom, threatening to launch a DDoS (Distributed Denial of Service) attack unless they are paid in XMR, the Monero cryptocurrency. The Australian Cyber Security Centre (ACSC) has issued a security alert to warn the public about the campaign. According to the ACSC, the attackers have not launched any attacks so far, nor have any DDoS attacks been reported; the available evidence supports this.


DDoS Campaign Began in 2019 

The global ransom DDoS (RDoS) campaign that began in October 2019 is behind the threats against Australian financial organisations. According to ZDNet, the earlier extortion efforts targeted financial companies and the banking sector, but over time the attacks expanded to other industries. Victims of the ransom threats have included the banking sectors in South Africa and Singapore, the telecom sector in Turkey, ISPs in South Africa and gambling websites in South Asian countries.

The ransom demands continued, and the attackers systematically extended the campaign to 10 countries around the world. Some of the attacks were carried out but not all, as it would have been close to impossible to mount a full-scale DDoS attack against every party. ZDNet confirms that a number of attacks launched as part of the campaign were successful.

The Group keeps changing names 

The group behind the attacks kept changing its identity to avoid being identified by the authorities. At first it posed as Fancy Bear, the Russian hacking group blamed for the 2014 White House breach and the 2016 DNC hack. Later it posed as Cozy Bear, another Russian hacking group also implicated in the 2016 DNC intrusion.