Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Ransomware Attacks.
Customer Data data misuse Malware. Ransom Ransomware Ransomware Attacks.

Nefilim Ransomware Evolving Rapidly: Top Targets at a Glance


Ransomware has continually expanded both in terms of threat and reach as threat actors continue to devise fresh methods of introducing new ransomware variants and malware families. One such newly emerged ransomware that was first identified at the end of February 2020, Nefilim, threatens to release victims’ encrypted data if they are unable to pay the ransom. With a striking code resemblance to that of Nemty 2.5 revenge ransomware, Nefilim is most likely to be distributed via exposed Remote Desktop Protocol, according to Vitali Kremez, an ethical hacker at SentinelLabs.

Earlier this month, researchers from threat intelligence firm Cyble, discovered a post by the authors of Nefilim ransomware, claiming to have hacked The SPIE Group, an independent European market leader for technical services in the fields of energy. As per the claims made by the operators in the post, they are in the possession of around 11.5 GB of company’s sensitive data that include corporate operational documents- company’s telecom services contracts, dissolution legal documents, infrastructure group reconstruction contacts and a lot more.

Since April 2020, Nefilim has targeted multiple organizations around the globe, narrowing down on the regions- South Asia, South America, Oceania, North America, and Western Europe. Going by the count of attacks disclosed publicly, manufacturing comes on top as the most preferential and hence the most targeted industries by the operators of Nefilim ransomware; Mas Holdings, Fisher & Paykel, Aban Offshore Limited, Stadler Rail were some of the major targets. Other industries infiltrated by Nefilim are communication and transportation; Orange S.A. and Toll Group, Arteris SA being some of the top targets respectively. One important thing to notice here is that the ransomware has spared the healthcare and education sector entirely as of now, interestingly, no organization from the two aforementioned sectors has been targeted.

 Nefilim uses a number of ways including P2P file sharing, Free software, Spam email, Torrent websites, and Malicious websites, to infiltrate organizations’ IT systems. Designed specially to penetrate Windows PCs, Nefilim actively abuses Remote Desktop Protocol and uses it as its primary attack vector to infiltrate organizations. It employs a combination of two distinct algorithms AES-128 and RSA-2048 to encrypt the target’s data that is later leaked on their websites known as Corporate Leaks- when victims’ fail to pay the ransom.

Users are advised to stay wary of exposed ports and security departments shall ensure closing off unused ports, experts have also recommended to ‘limit login attempts’ for Remote Desktop protocol network admin access from settings to stay guarded.
Read more »
Russia
Data Breach Database Leaked Information Leakage Russia

The data of 55 thousand clients of Russian banks were publicly available


 The Bank of Russia and the Visa payment system have notified credit institutions about the leakage of bank customer card data.

The database with the data of 55 thousand users of the Joom marketplace, specializing in the delivery of goods from China, was publicly available. 

- The database was available for free download on the Darknet and in Telegram channels last week. It contained the first six and last four digits of the card number, its expiration date, the payment system and the Bank that issued the card, as well as the user's full name, phone number, email address and residential address.

A representative of the company said that the leak occurred back in March. The company has terminated cooperation with the counterparty due to which the incident occurred.

It is noted that only those banks whose cards were used by customers from the database received messages from a center for monitoring and responding to computer attacks in the credit and financial sector (FinCERT). A number of banks have already taken measures to prevent the threat, some of them have informed customers about the reissue of cards.

According to Ilya Tikhonov, Head of Compliance and Audit at Softline Group of Companies, online stores are traditionally one of the most poorly protected segments, since their creators do not pay enough attention to the issue of protection from cyber attacks. 

"Based on the nature of the data, I can assume that it was obtained by an external attack: malware was used to intercept data during the payment process”, added he.

"The database is freely available in several places, it could have been downloaded by hundreds of people, so it will be difficult for fraudsters to use it", said Ashot Hovhannisyan, founder and technical Director of DeviceLock.

Read more »
Pakistan
APT36 Cybersecurity Pakistan

APT36: A Pakistani Hacking Group, Strengthens Its Operations and Finds New Targets


Famous as APT36, Transparent Tribe is a hacking group that works from Pakistan. APT36 is infamous for monitoring and spying over government activities and military operations in Afghanistan and India. As per the latest reports, APT36 has now strengthened its workforce with better tools and strategies

About the incident 

 APT36 usually focuses on using the same TTP (tactics, techniques, and procedures) except in a few cases where it uses different strategies for unique programs.


Some key highlights-

  • According to the reports, APT36 has sharpened its tools and activities. It involves attacking campaigns on a much larger scale and specifically targeting Afghanistan. 
  • Usually, APT36 uses 'custom.net' malware, commonly known as 'crimson rat.' APT36 has been using other malware recently, including python-based 'Peppy rat.' 
  • In the period between June2019-June2020, 200 samples were collected, which showed the Transparent Tribe Commission's components. 

Mode of operation 

  • APT36 uses spear-phishing emails containing MS-Office files, which are encoded with the malware. After successful execution, the malware can steal sensitive information, private credentials, capture screenshots, steal logs and keys, and regulate the microphone and webcam. 
  • Besides this, APT36 also uses the USBworm. It is a multipurpose malware that can steal information and function as a worm to attack any network and exploit vulnerabilities. 


APT36 attacks


  • APT36 attacked Indian railways in June and stole important information 
  • Earlier this year, APT36 deployed spear-phishing emails, posing to work as an authentic communication of government of India 
  • Cybersecurity experts have observed that APT36's primary targets include military and diplomacy from the past one year. According to them, the attacks will not decrease in the foreseeable future; on the other hand, they expect it to rise. 

According to Kaspersky's report, "we found two different server versions, the one being a version that we named "A," compiled in 2017, 2018, and 2019, and including a feature for installing the USBWorm component and executing commands on remote machines. The version that we named "B" was compiled in 2018 and again at the end of 2019. The existence of two versions confirms that this software is still under development, and the APT group is working to enhance it."
Read more »
Technology
Apple Audience Network Advertising Facebook iOS 14 Technology

The new iOS 14 to drop Facebook's Audience Network Advertising to 50%


Facebook on Wednesday posted a response to the new iOS 14 on their official blog stating that the new iOS could lead to a 50% drop in their Audience Network advertising business.



Though the company had previously raised issues with iOS 14 and that it could impact their advertising, this Wednesday blog detailed exactly how. 

Facebook Audience Network collects data from the user ( Facebook's data) and provides targeted in-app advertisements. Advertisers use a unique device ID number known as the IDFA in order to make advertisements personalized. 

In iOS 14, these tracking IDFA would be made optional and the user can opt if they want their app to track or not. Facebook said they won't collect IDFA information in iOS 14 at all even though it will make a significant dent in their audience network advertising. 

"We know this may severely impact publishers' ability to monetize through Audience Network on iOS 14, and, despite our best efforts, may render Audience Network so ineffective on iOS 14 that it may not make sense to offer it on iOS14 in the future," Facebook said in the blog.

"While it's difficult to quantify the impact to publishers and developers at this point with so many unknowns, in testing we've seen more than a 50% drop in Audience Network publisher revenue when personalization was removed from mobile ad install campaigns," Facebook said. "In reality, the impact to Audience Network on iOS 14 may be much more, so we are working on short-and long-term strategies to support publishers through these changes." 

Facebook said that their advertising policies will be in compliance with iOS 14's and Apple's preconditions but the social network's whole revenue is derived from advertising and around a billion people view at least one Audience Network ad in a month, so the decision is bound to affect Facebook grandly. 

The blog further cleared some changes Facebook would do for iOS 14 and operations for their partners. The new iOS is expected to launch this year.
Read more »
New Zealand
Cyber Attacks DDOS Attacks Fancy Bear New Zealand

NZ Stock Exchange Halted Temporarily Twice After Being Hit by Cyber Attacks


The New Zealand stock exchange was hit by a cyber-attack due to which it had to remain offline two days in a row. The exchange said the attack had "impacted NZX network connectivity" and it had chosen to temporarily halt trading in cash markets not long before 16:00 local time.

The trading had to be stopped briefly for a second time, yet was back ready for action before the day's end. 

A DDoS attack is generally a quite straightforward kind of cyber-attack, wherein a huge 'array' of computers all attempt to connect with an online service at the same time usually resulting in 'overwhelming its capacity'. 

They frequently use devices undermined by malware, which the owners don't know are a part of the attack. 

While genuine traders may have had issues with carrying out their business, but it doesn't mean any financial or personal data was accessed. NZX said the attack had come “from offshore via its network service provider". 

The subsequent attack had halted the trading for a long time in the working day - from 11:24 to 15:00 local time, the exchange said. In any case, in spite of the interference, the exchange was up at the end of the business, close to its 'all-time' high. 

Nonetheless, NZX said it had first been hit by a distributed denial of service (DDoS) attack from abroad and so the New Zealand cybersecurity organization CertNZ had also given a caution in November that mails were being sent to financial firms threatening DDoS attacks except if a ransom was paid. 

The mails professed to be from a notable Russian hacking group Fancy Bear. 

Be that as it may, CertNZ said at the time 'the threat had never had never been carried out, past a 30-minute attack as a scare tactic'.
Read more »
Russian Hackers
Cyber Crime Cyber Crime Report Cyber Criminals Russian Russian Hackers

Russian citizen arrested in the United States on charges of organizing a cyber crime


According to the Ministry of Justice, 27-year-old Yegor Kryuchkov tried to pay $1 million to an employee of a company from Nevada in order to introduce malware into its computer network. When the FBI joined the investigation, the Russian tried to run from the United States

A Federal Court in Los Angeles has arrested a Russian citizen, Yegor Kryuchkov, on charges of conspiring to commit cybercrime. This was reported by the press service of the US Department of Justice.

According to the Department, 27-year-old Kryuchkov in the period from July 15 to August 22 this year tried to bribe an employee of an unnamed American company located in the state of Nevada. The statement claims that the Russian offered him $1 million for participation in the implementation of the fraudulent scheme.

The Ministry of Justice reported that Kryuchkov allegedly planned to load malicious software into the computer system of this company. This would allow him and his associates to gain unhindered access to company data.

Last week, Kryuchkov was contacted by the Federal Bureau of Investigation (FBI), after which he left Reno (Nevada) and went to Los Angeles in order to leave the United States. The Russian, according to the Department, asked his friend to buy him a plane ticket.

Kryuchkov was detained in Los Angeles on August 22. According to the Ministry of Justice, the Russian entered the United States on a tourist visa.

The Russian Embassy in the United States said that diplomats are aware of Kryuchkov's arrest. "We will contact the Russian in the near future to find out the problem. We will provide him with the necessary consular and legal assistance,” said the diplomatic mission.

Read more »
Vulnerabilities and Exploits
Bank Cyber Security Bank Information Security Russia Vulnerabilities and Exploits

Experts identified flaw that allows criminals to steal money using Faster Payments System (FPS)


Experts have identified a flaw that allows criminals to steal money from accounts of clients of banks through the Faster Payments System (FPS),  which is often opposed to the idea of a crypto-ruble.

The experts found out that when the function of transfers via the FPS in the mobile bank was activated, one of the credit institutions was left vulnerable. Fraudsters were able to take advantage of this error and get customer account data.

Then the attackers launched the mobile bank in debug mode,  logged in as real clients, and sent a request to transfer funds to another bank, only instead of their account they indicated the account number of another client for debiting. Since the system does not verify the ownership of the account, it debited the money and transferred it to the fraudsters.

According to market participants, this is the first case of theft of funds using the FPS. The vulnerability could only be known by someone familiar with the application: an employee or developer.

The Central Bank noted that the problem was found in the mobile app of only one credit institution and promptly eliminated. 

Yaroslav Babin, head of web application security analysis at Positive Technologies, said that using the FPS is safe, but there may be problems in the applications of individual banks.

According to him, if hackers found a vulnerability in the application of a credit institution, the client will not be able to influence the safety of their funds in any way. All responsibility lies with the Bank that developed and released the app.

Babin recommends that banks pay more attention to system security analysis, implement secure development methods, and analyze the source code of all public applications or their updates before publishing them.

It is worth noting that the Faster Payments System is a service that allows individuals to instantly transfer money by mobile phone number to themselves or others. At the moment, all the largest credit organizations in Russia and more than 70 banks are connected to the FPS.

Read more »
Russia
Cybersecurity FBI Nevada Russia

FBI Arrests Russian Hacker, Who Tried To Convince An Employee to Hack His Nevada Company


 A hacker from Russia went to America and asked an employee of a Nevada company to install a malware in their company network. 

In a recent incident, the U.S Department of Justice declared charges against a Russian hacker today. The Russian national had traveled all the way to America to ask an American employee if he could set up malware, offering him $1,000,000 for the job. As per the court's reports today, the culprit, a 27-year-old hacker from Russia, named Egor Igorevich Kriuchkov, is found as a criminal member of an infamous Russian hacking group. The purpose of the attack was to gain internal access to the company's network and hack confidential information, later to be used as extortion for ransom purposes.


According to the company employee, Igor told him that to prevent the company from knowing about the primary attack, his team of hackers would launch DDoS attacks as a decoy to distract the corporate."The purpose of the conspiracy was to recruit an employee of a company to surreptitiously transmit malware provided by the coconspirators into the company's computer system, exfiltrate data from the company's network, and threaten to disclose the data online unless the company paid the coconspirators' ransom demand," says the court document.

However, Igor's heist plan failed when the employee who was contacted reported this incident to the FBI. The FBI kept a watch on Igor for the first few days, observing his every move. When it finally had all the evidence for the prosecution, the FBI arrested Igor last Saturday.

Timeline of Igor's visit to his arrest- 
  • Igor contacts employee CHSI (identified by the court) via WhatsApp and briefs him about the attack. Both used to be friends two years ago. 
  • Igor arrives in the U.S, meets with CHSI at a bar. 
  • On Igor's last day of the trip, he gives CHS1 all the details about the 'special project.' 
  • In the later events, the FBI contacts Igor, who tries to flee the country at that moment and is finally arrested.
Read more »
P2P Botnets
Botnets Cyberattack DDoS DDOS Attacks P2P Botnets

Over 500 SSH Servers being Breached by FritzFrog P2P Botnet


Cyberspace has seen an unprecedented rise in modified versions of peer-to peer, also known as (P2P) threats, it might have appeared that these P2P services have been vanishing, but in reality, they have emerged even stronger in newer ways. BitTorrent and eMule are still known to be in use by attackers.

A peer-to-peer (P2P) network is an IT infrastructure in which two or more computers have agreed to share resources such as storage, bandwidth and processing power with one another. Besides file sharing, it also allows access to devices like printers without going through separate server software. A P2P network is not to be confused with client-server network that users have traditionally used in networking, here, the client does not contribute resources to the network.

Researchers at Guardicore have recently discovered a sophisticated peer-to-peer (P2P) botnet called as FritzFrog that has been actively operated since January 2020, breaching SSH servers; it’s a Golang-based modular malware that executes a worm malware written in Golang, it is multi-threaded, completely volatile, and fileless and leaves no trace on the infected system’s disk.

It has a decentralized infrastructure which distributes control among all its nodes. The network uses AES for symmetric encryption and the Diffie-Hellman protocol for key exchange in order to carry out P2P communication via an encrypted channel.

So far, more than 20 malware samples have been discovered by the researchers as FritzFrog attempted to brute force over 500 SSH servers belonging to educational institutions, governmental institutions, telecom organizations, banks, and medical centers worldwide. The campaign also targeted some well known high-education institutions in the United States and Europe, along with a railway firm.

Botnets are being leveraged by attackers for DDoS attacks and other malicious activities, as per the recent attack trend. Earlier in June this year, the Monzi malware was seen exploiting IoT devices, mainly DVRs and routers. Threat actors brought together various malware families namely Mirai, Gafgyt and IoT Reaper, to carry out a botnet capable of DDoS attacks, command or payload execution or data exfiltration.

“FritzFrog’s binary is an advanced piece of malware written in Golang. It operates completely in-memory; each node running the malware stores in its memory the whole database of targets and peers,” according to Guardicore’s report.

“FritzFrog takes advantage of the fact that many network security solutions enforce traffic only by the port and protocol. To overcome this stealth technique, process-based segmentation rules can easily prevent such threats.”

“Weak passwords are the immediate enabler of FritzFrog’s attacks. We recommend choosing strong passwords and using public key authentication, which is much safer. In addition, it is crucial to remove FritzFrog’s public key from the authorized_keys file, preventing the attackers from accessing the machine. Routers and IoT devices often expose SSH and are thus vulnerable to FritzFrog; consider changing their SSH port or completely disabling SSH access to them if the service is not in use.” The report further read.
Read more »
Microsoft
COVID-19 Cyber Security Microsoft

Microsoft's new report suggest a rapid transformation in cyber security due to the pandemic

 In just two months of the pandemic, the digital world went through "two years worth of digital transformation" according to Microsoft and to compute these changes the company did a survey of 800 leaders from companies with more than 500 employees from the United States, United Kingdom, India, and Germany. The report circumcises the pandemic threat landscape, the long term cybersecurity, budget, staffing, and the adjustments companies did to update their security.


The crux of the matter remains that the pandemic bought on a  multitude of attacks and scams but the very thing strengthened the need for better cybersecurity and many businesses realized this and overall we saw a grave change where digital security is concerned.

According to Microsoft's report following are the changes bought on in cybersecurity by the global pandemic in the long term-
Security as a prime factor in Digital Empathy
With scales of business going WFH (work from home), business leaders quickly realized better security is more productive and drives a better end-to-end experience. For most business leaders the main aim was to improve user experience and productivity thus investing in cybersecurity with VPNs and Multi-factor authentications. The reports show a considerable increase in cybersecurity investments in the surveyed countries since the beginning of the pandemic.

Zero Trust Journey
According to csooonline.com, "Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access." Earlier, this Zero Trust capability was an option, now this has become the priority and everyone's on it for a much secure and private environment inside the database of the company.

More Database, Better Threat Intelligence
The pandemic highlighted the advantages of cloud backups and threat tracking. Microsoft tracked around 8 Million threats daily from around the world due to the diverse and large data input. With the help of automated tools, human insights, and large data, many threats could be tracked and stopped before they reached the user. 

Cyber reliance key to business operations
Cyber Security is fundamental for efficient business operations and cyber resilience. For that remote workplace, businesses need to constantly update their security plans and threat assessment as well as employ end to end security solutions.

Microsoft reports, "More than half of cloud forward and hybrid companies report having cyber-resilience strategy for most risk scenarios compared to 40% of the primarily on-premises organization. 19% of companies relying primarily upon on-premises technology do not expect to maintain a documented cyber-resilience plan."

 Cloud Security Solutions as Inevitable 
Nearly, 40% of organizations invested in cloud security solutions, followed by Data and Information Security (28%), Network Security(27%), and Anti-phishing tools (26%). Cloud not only protects data but also helps track security issues and provides overall integrated security.


  
Read more »
Russian Cyber Security
Cyber Fraud Information Security News Russia Russian Cyber Security

The Russian quality system (Roskachestvo) reported on the new traps of scams in WhatsApp

The absolute majority of fraud in WhatsApp occurs through social engineering when the text prompts the user to click on a link or download a file, said Ilya Loevsky, deputy head of Roskachestvo. So, criminals often make mass mailings with various profitable offers or lotteries to encourage the user to participate and click on an infected link or download a suspicious file.

"As a rule, hackers use big names of companies, such as Google, Apple, Facebook, hot topics like COVID-19, or super-profitable offers (last year it was a "promotion" about 1000 free gigabytes of the Internet for the 10th anniversary of the service). Fraudsters often fake official WhatsApp profiles by copying the name and design,” the expert gives examples.

According to the expert, sending such messages to your contacts is undesirable, as it only contributes to the spread of fraud.

However, after clicking on a malicious link, anything can happen to the victim, from stealing personal data to withdrawing funds from their card.

It is interesting to note that in June 2020, ESET reported a phishing attack aimed at the audience of WhatsApp and Telegram messengers. Users received messages asking them to fill out a questionnaire and get four barrels of beer from a famous brand as a gift.

One of the conditions for participation in the campaign was the mandatory forwarding of messages to ten contacts in WhatsApp.

In January of this year, a similar phishing attack was launched on WhatsApp users. Victims were lured by messages that a famous sports brand was celebrating an anniversary and giving t-shirts and shoes. To receive gifts, users were encouraged to click on the link.

Loevsky concluded that sometimes messages from unknown users may contain just forwarded files that spread panic in society, so it is better to disable auto-upload of media files in the messenger settings and not accept files from unknown accounts.

Read more »
Subscribe to: Comments (Atom)