Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Pull Request
Crypto Currency cryptomining malware Cyber Attacks GitHub Pull Request

Attackers found abusing GitHub Infrastructure to Mine Cryptocurrency

 

Microsoft-owned GitHub is the new cyberattack victim, with reports of cybercriminals manipulating GitHub's cloud infrastructure to mine cryptocurrency. Code repository hosting service, Github has started an investigation into a series of attacks aimed at abusing its infrastructure to mine cryptocurrency illegally. 

GitHub Actions is a continuous integration (CI) and continuous deployment (CD ) solution that makes it easy to automate all the software workflows and setup periodic tasks. The particular attack adds malicious GitHub Actions code to repositories forked from legitimate ones and further creates a Pull Request for the original repository maintainers to merge the code back, to alter the original code. 

“In a phone call, Dutch security engineer Justin Perdok told The Record that at least one threat actor is targeting GitHub repositories where Actions might be enabled. The attack involves forking a legitimate repository, adding malicious GitHub Actions to the original code, and then filing a Pull Request with the original repository in order to merge the code back into the original.” reported The Record. 

“But the attack doesn’t rely on the original project owner approving the malicious Pull Request. Just filing the Pull Request is enough for the attack, Perdok said.” This is particularly true for GitHub projects that have automated workflows setup to substantiate incoming Pull Requests via Actions. As soon as a Pull Request is created for the original project, GitHub's systems execute the attacker's code which instructs GitHub servers to retrieve and run a crypto miner. 

This isn't the first time an attack leveraging GitHub infrastructure has abused GitHub Actions. An identical attack had previously been identified by another programmer, Yann Esposito, in which an attacker had filed a malicious Pull Request against Esposito's GitHub project. 

Last year, BleepingComputer reported on GitHub being used to host a wormable botnet Gitpaste-12, which reappeared with over 30 exploits the following month. Unlike Gitpaste-12 or the Octopus Scanner malware, which targeted vulnerable projects and computers, this attack appears to be solely abusing on GitHub servers for crypto mining.

In an email, GitHub told The Record that they are “aware of this activity and are actively investigating”. For now, the attack does not appear to damage users’ projects in any way and seems to be solely focused on abusing GitHub infrastructure.
Read more »
Taxpayers
Cyber Crime cybercriminals Phishing Campaign Robinhood Taxpayers

Attackers Targeted Robinhood with a Phishing Campaign

 

Attackers have targeted clients of stock-trading broker Robinhood with a phishing campaign planned to steal their credentials and spread malware utilizing counterfeit tax documents, the organization has cautioned.

Robinhood Markets, Inc. is an American financial services organization settled in Menlo Park, California, known for offering commission-free trades of stocks and exchange-traded funds through a mobile application presented in March 2015. Robinhood is a FINRA-managed broker-dealer, enlisted with the U.S. Securities and Exchange Commission, and is a member of the Securities Investor Protection Corporation. The organization's revenue comes from three fundamental sources: interest earned on customers' cash balances, selling order information to high-frequency traders (a practice for which the SEC opened an investigation into the company in September 2020), and margin lending. As of 2020, Robinhood had 13 million clients. 

Robinhood, has confronted various regulatory and legal difficulties along the way, sent an email to clients Thursday warning of a phishing scam “that may have reached some of our customers.” 

Attackers targeted clients in two ways, as per the email. One assault vector utilized phishing emails with links to counterfeit Robinhood sites provoking visitors to enter their login credentials, including authentication codes the organization uses to help guarantee the security of individuals' accounts. Other emails saw assailants exploiting the tax season, requesting potential victims to download counterfeit tax files, for example, Form 1099—that included malware, as per the email. 

“There tends to be an increase in these types of emails around tax season, so we ask that you be extra careful about how you access your Robinhood account,” as per the email. Robinhood recommended individuals check the strength of safety features of the application on their gadgets, manually eliminating any gadgets they don't perceive from accessing and resetting passwords on the off chance that they believe they might be in danger. The organization likewise urged clients to reach out to its support team directly from the Robinhood application or its site. 

One of the main grievances among Robinhood clients was that they couldn't reach the company for support, causing regulators like the Securities and Exchange Commission (SEC) to become de facto customer support for the platform’s clients.
Read more »
United States
Cyber Crime Cyber Crime Report Russian Hackers United States

Russian hackers suspected of stealing thousands of US State Department emails

In 2020, Russian hackers stole thousands of emails from U.S. State Department employees. As Politico reported, this is the second major hack of the department's email server in the last ten years, carried out "with the support of the Kremlin."

According to Politico sources, this time, hackers accessed the emails of the U.S. State Department's Bureau of European and Eurasian Affairs, as well as the Bureau of East Asian and Pacific Affairs. A Politico source said it was unclear whether classified information was among the stolen emails. It also remains unclear whether the hack was part of a larger SolarWinds attack that gave hackers access to dozens of U.S. federal agencies.

The U.S. State Department declined to comment to the publication on the likely attack. "For security reasons, we cannot discuss the nature or extent of any alleged cybersecurity incidents at this time," said a State Department spokesman. Politico also sent a request to the Russian embassy in the United States. At the time of publication, the Russian side had not responded.

Recall, U.S. media reported on the large-scale hacking attack on the U.S. government on December 14, 2020. The hack was later confirmed by U.S. intelligence agencies. According to their information, dozens of agencies were hacked, it was organized by Russian hackers. U.S. President Joe Biden announced his intention to impose sanctions against Russia for cyber attacks. On March 8, 2021, the media reported on White House plans to conduct covert cyberattacks on Russian networks in response to the SolarWinds hack.

Russian presidential press secretary Dmitry Peskov stressed Moscow's noninvolvement in the cyberattacks. Russian Foreign Ministry spokeswoman Maria Zakharova also said that U.S. accusations that Russia was involved in a massive hacking attack on U.S. federal agencies were unproven.

Read more »
Zimperium zLabs
Android Data Theft FakeSysUpdate malware User Privacy Zimperium zLabs

Protect Your Android Phones from Android 'System Update' Malware

 

Security researchers at Zimperium zLabs have discovered a new ‘sophisticated’ Android malware posing as a software update application. This malware becomes more lethal when it sits stealthily masqueraded as a system update.

Once the malware is downloaded on a device, the victim’s device is registered with the Firebase Command and Control (C2), upon which a hacker can send commands via Firebase messaging service to manage data theft. The process of data exfiltration starts once a condition is fulfilled, including the addition of a new mobile contact, app installation, or a receipt of an SMS text.

“When the victim is using Wi-Fi, all the stolen data from all the folders are sent to the C2, whereas when the victim is using a mobile data connection, only a specific set of data is sent to C2,” security researcher at Zimperium zLabs stated.

According to a report by researchers at Zimperium, this malware has the capability of stealing your data once it is installed into your Android phone. Once in control, cybercriminals can record audio and phone calls, take photos, access WhatsApp texts, steal instant messenger texts, peer into GPS location data, examine the default browser’s bookmarks, search for files with specific extensions, inspect the clipboard data, the content of the notifications, steal SMS texts and call logs, list the downloaded applications and even extract device information. 

Security researchers have termed the malware as ‘FakeSysUpdate’ which is quite capable of concealing its source. Unfortunately, researchers have not detected the source of this malware but advised the Android users to remain vigilant regarding the content on their device. Frequently check for official updates, uninstall all the apps that you feel are necessary, and also avoid installing apps from a third-party source.

In an interview with TechCrunch, Shridhar Mittal, CEO of Zimperium zLabs stated that “it’s easily the most sophisticated attack we’ve seen…I think a lot of time and effort was spent on creating this app. We believe that there are other apps out there like this, and we are trying our very best to find them as soon as possible.”
Read more »
Technology
Android Softwares Multinational tech giants Russia Smart Devices Technology

Russian Law Requires Smart Devices To Come Pre-Installed With Domestic Software

Russia is taking security measures against technology that can hurt big tech companies in the region. In light of new laws, every smart device such as TVs, computers, smartphones, and tablets that will be purchased in Russia from now it is mandatory for it to come with pre-installed Russian-domestic software in the device. The new law is deciphered as an attempt by the government to shut down online freedom but the government officials are stating that this initiative has been introduced to promote home tech firms and to help Russian home tech companies to compete with foreign counterparts. 

The two Russian tech giants such as Yandex and Mail.ru. will be providing the pre-installed software in smart devices. 

“The law applies from Thursday to all devices and the Company said that it would offer apps from Russian developers to users activating phones but that all apps were checked to make sure they meet Apple's own privacy and security policies", Reuters said. 

In other words, it means that clients will be able to choose Russian-domestic software and apps over multinational companies’ software when setting up their smart devices. Additionally, on Twitter an iOS developer – Tian Zhang has shared a video of the new setup process on Thursday. 

Now a screen in the setup reads, "In compliance with Russian legal requirements, continue to view available apps to download." Tapping "continue" redirect the user to a list of Russian-domestic software and apps, including several from the search giant Yandex. 

Intelligence is saying that Russia is trying to compete with the US tech giants in the country and simultaneously trying to strengthen its reliance on its government-controlled "sovereign internet." 

It is about the last month when the Russian government slowed down Twitter in the response to Twitter's refusal to remove the banned content from the platform, but that ended up blocking several domains, including the Kremlin's website.
Read more »
Phishing Campaign
Cyber Fraud Donation Scam E-mail Fraud Fraudsters MacKenzie Scott Phishing Campaign

Mackenzie Scott Scam: Fraudsters asking Fake Donations in Billionaire's name

 

A major phishing campaign that reached tens of thousands of inboxes impersonated as MacKenzie Bezos-Scott grant foundation promising monetary advantages to recipients of the e-mail in exchange for a processing fee. 

The processing fee is referred to as an "advance fee," and it has been used since before the internet, with the "Nigerian prince" version popularising it. But this phishing campaign took advantage of the charitable acts last year from author MacKenzie Scott, ex-wife of Amazon founder Jeff Bezos. 

The scam surfaced after Mackenzie Scott revealed in December that she had donated $4.2 billion of her fortune to over 300 organizations, including food banks and other charities that assist the people in need. Ironically, one food bank in Arkansas, which had received an authentic email from Scott about a legitimate donation, initially mistook it for a hoax. 

Eyal Benishti, the CEO of tech security company Ironscales said, “That may have primed fraudsters to develop a phishing scam based on Scott's donations in the hope that some organizations would believe that they, too, are receiving valid emails”. About 200 of its customers have received the bogus Mackenzie Scott emails, although none have fallen for the bait, he added. 

Fraudsters initiated the scam by sending out spoofed emails that claimed, MacKenzie Bezos-Scott grant foundation is distributing funds from their foundation. In fact, the emails were sent not to distribute billions to charity, but fleece victims. 

However, the fake Mackenzie Scott emails had a few tip-offs that hints they weren't real: 

1. Sender’s title appeared as “Mackenzie Scott Grant” but the return email address was to the domain ‘@mintme.com’ 
2. Multiple grammatical errors in the email body 
3. Sender’s name and signature were different 

The fraudsters alleged that they are from the "MacKenzie Bezos-Scott foundation" and have chosen a recipient for a grant. Further, they ask for the recipients' full name and address, and if they answer, recipients are required to submit a small processing fee to unlock the grant. Of course, there's no grant; it's just a tactic to extort money from the victims.

Scams have escalated as a result of large-scale relief programs such as stimulus checks and the Paycheck Protection Program, which has drawn out fraudsters trying to trick people into giving away sensitive data, such as Social Security numbers. With the ongoing levels of hardship due to the coronavirus pandemic, people are more susceptible to scams at the moment.
Read more »
Dark Web
COVID-19 Covid-19 Vaccinations COVID-19 Vaccine Cyber Security Dark Web

Hacker Hacks Underground Covid Vaccine Market On Dark Web

 

In a recent cybersecurity incident, an attacker hacked down a vaccine marketplace that was running on the dark web. The attacker then placed fake orders, cancelled them after making a refund in Bitcoins worth $752,000, a report released on Thursday says.  As per a blog on the market's forum, the attacker managed to find a way to make fake orders, which he cancelled immediately using the seller account of the trader, and immediately made the refunds in the wild, which was withdrawn in an instant. 

Checkpoint research says the method allowed a hacker to make 13 Bitcoins (BTC), an amount equal to $752,000. Currently, the vaccine marketplace on the dark web which was selling these products is down because of the hack.  But, the attack hasn't put a stop to the sale of Covid-19 relief products on the dark internet. Following the marketplace shutdown, another hacking forum was framed using the same address, offering various ads along with Covid-19 vaccines (documents included) and that too on heavy discounts for promotional purposes.  

Cybersecurity experts recently found out that fake Covid-19 vaccine certificates and duplicate Covid-19 test results were being sold on dark internet and hacking platforms for amount as low as Rs 1800 ($25) and up to Rs 18,000 ($250) for people that are looking to book flights, travel across borders, finding a new job or attending a function.  If an interested user wants to get these 'fake certificates,' he can simply obtain them by sending their details and money to the seller on the dark web, the seller will then e-mails back the forged documents for $250. 

Research from Checkpoint revealed that fake negative Covid-19 test results are available on the dark web for a mere amount of $25.  Covid-19 vaccine ads on the darknet have had a 3 fold increase since the last three months. The selling forums on the dark internet are based from European countries like Spain, Russia, France, and Germany. According to experts, "The vaccines advertised include Oxford-AstraZeneca (at $500), Johnson & Johnson ($600), the Russian Sputnik vaccine ($600) and the Chinese SINOPHARM vaccine." Checkpoint research says, "as a result, the marketplace is down completely since, and at this point of time is yet to be restored online."
Read more »
User Security
Cyber Fraud NFTs non-fungible token Scammers Technology User Security

Centre of Attraction for Scammers : NFTs

 

NFTs - non-fungible token have been around for a few years now, but recent attention has sparked a surge throughout the market. NFTs are all here to stay, according to proponents, as they're more stable. Though enthusiasts may be correct about NFTs' long-term viability, as they may also no longer be a significant part of the art market once the original frenzy subsides. The art market's key elements are authenticity and originality, and NFTs certainly delivers both. 

A non-fungible token (NFT) is a data unit on a digital ledger known as a blockchain that really can represent a single digital object and therefore is not interchangeable. NFTs can be used to depict digital files like art, audio, video, video game objects, and other types of creative work. However, the definition can appear to be fundamentally abstract, it comes down to being able to assert exclusive possession of a collectible. 

"The higher the value of a cryptocurrency, the higher the volume of fraud targeting its users," says Abhilash Garimella, research scientist at fraud prevention firm Bolster.

NFTs can reflect digital possession of almost everything, for instance we can take, Twitter CEO Jack Dorsey's first tweet, Grimes' original art, Marvel artists' exclusive superhero comic drawings, and every other form of artistic work, including videos and audio. The Marvel comics entered the blockchain world, where an Ethereum-based Spiderman NFT was sold for $25,000. And till now the NFT "cryptocurrency collectibles" have sold for more than $100 million. 

Bitcoin and other cryptocurrencies have been questioned, despite proponents believing they are the future of economic systems and opponents dismissing them as nothing but a digital Ponzi scheme. Bitcoin mining is said to use as much energy as used by entire countries. People have become much more hesitant to buy and sell off their assets on the blockchain as they have become more aware of its vast energy requirements. Despite the fact that the blockchain is also said to be safe, there've been numerous cryptocurrency hacks. Both of these factors can deter young people from joining the craze, making it more difficult for NFTs to achieve long-term success. 

Hackers are indeed searching for ways to get as many Bitcoin, Monero, Ethereum, and other valuable digital coins as feasible, as shown by their fondness for ransomware, crypto mining, and hacking through cryptocurrency exchanges and extracting all of their assets in recent times. 

In 2020, two Florida teens and a British man duped a number of people into thinking that the 130 high-profile Twitter accounts they'd took over might potentially double people's bitcoin assets once they'd been collected by Elon Musk and Bill Gates. Many people have fallen for the scam which involves Musk allegedly offering "free" NFTs after victims "verified" themselves by giving a small number of bitcoins "temporarily". This was one of the NFTs scams.
Read more »
User Privacy
Brian Krebs Data Breach Ubiquiti User Data Leak User Privacy

Ubiquiti has been Covering up a Data Breach

 

Ubiquiti, an organization whose prosumer-grade routers have gotten synonymous with security and manageability is being blamed for concealing a “catastrophic” security breach — and following 24 hours of silence, the organization has now given a statement that doesn't deny any of the whistle-blower’s claims. 

In January, the creator of routers, Internet-connected cameras, and other networked gadgets, revealed what it said was “unauthorized access to certain of our information technology systems hosted by a third-party cloud provider.” The notification said that, while there was no proof the intruders accessed client information, the organization couldn't preclude the likelihood that they got clients' names, email addresses, cryptographically hashed passwords, addresses, and telephone numbers. Ubiquiti suggested clients to change their passwords and enable two-factor authentication.

 Initially, Ubiquiti emailed its clients about a supposedly minor security breach at a “third-party cloud provider” on January 11th but found out that the cybersecurity news site KrebsOnSecurity is reporting that the breach was far more awful than Ubiquiti let on. A whistle-blower from the organization who spoke to Krebs guaranteed that Ubiquiti itself was breached and that the organization's legal team forestalled efforts to precisely report the dangers to customers. 

The breach comes as Ubiquiti is pushing—if not outright requiring—cloud-based accounts for clients to set up and regulate gadgets running newer firmware renditions. An article says that during the underlying setup of an UniFi Dream Machine (a popular router and home gateway appliance), clients will be incited to sign in to their cloud-based account or, on the off chance that they don't have one, to make an account. 

Brian Krebs of KrebsOnSecurity wrote, "In reality, Adam (the fictitious name that Brian Krebs of KrebsOnSecurity gave the whistleblower) said, the attackers had gained administrative access to Ubiquiti’s servers at Amazon’s cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there." 

“They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration,” Adam said.
Read more »
Water facility attack
Data Breach data security Travnichek United States Water facility attack

Man Indicted In Kansas Water Facility Breach

 

Today the US Department of Justice charged a Kansas man for breaching a public water system and trying to shut down the water functioning process with the intention of damaging the local community. 

The official statement has been posted on Wednesday by the Department of Justice (DOJ); The 22-year-old man named Wyatt A. Travnichek, accused of hacking into the computer system of the local water utility is a native of Ellsworth County, Kan. He was well aware of the public damage that could be caused by getting access to the Ellsworth County Rural Water District's (also known as Post Rock Rural Water District) computer system with illegal means. He tried to sabotage the water running system, according to the sources. 

The episode first appeared on 27 March 2019, when Post Rock experienced an uncertified remote trespass the facility system and successfully shut down the whole functioning operations. 
Lance Ehrig, Special Agent in Charge of EPA’s Criminal Investigation Division in Kansas said that “By illegally tampering with a public drinking water system, the defendant threatened the safety and health of an entire community…”

“…EPA and its law enforcement partners are committed to upholding the laws designed to protect our drinking water systems from harm or threat of harm. Today’s indictment sends a clear message that individuals who intentionally violate these laws will be vigorously prosecuted.” 

Nevertheless, the court’s documents had not mentioned whether Travnichek’s operation was successful or not. Additionally, the court did not explain how the operation was detected. In this regard, the officials stated that Travnichek was an employee of the Post Rock Rural Water District from January 2018 to January 2019 until he resigned from the facility in January 2019. 

Post Rock provides water facilities around eight Kansas counties. Part of Travnichek's job was to log in to the Post Rock computer system to monitor the plant after hours, but he ended up exploiting the system by illicitly accessing it. 

"He logged in remotely to Post Rock Rural Water District's computer system and performed activities that shut down processes at the facility which affect the facility's cleaning and disinfecting procedures with the intention of harming the Ellsworth County Rural Water District No. 1," the document further reads.
Read more »
Phishing and Spam
BazarCall BazarLoader malware Phishing and Spam

Hackers Attack Users With Malware Using Underground Call Centres

 

BazarLoader malware actors have started working with underground call centres to fool targets of their spamming campaign by making them open corrupted Office files and corrupting their devices with malware. It's not the first time when underground call centres and the hacking group have come up to work together, however, it's the first time when the likes of the BazarLoader gang, a major Malware distributer, have used this technique on such a massive scale. 

How it took place?

The recent attacks have been very unique from the general malware scenario of today, the attackers have their own identities, normally known as BazaCall or BazarCall, the reason being they depend upon telephone calls to conduct their infiltration. Currently, the attack techniques that these hackers use are simple and yet effective. The group (BazarLoader) initiates the malware campaign by sending spam campaigns to specific targets. To attract the attention of the users, the email baits the victims through offers, subscriptions, free trials, etc. 

The email also consists of details for users to call a specific number that is mentioned in the mail to know more about the offer. If the victim dials the mentioned number, they are redirected to a call centre, here, a supposed operator tells directs the victim into downloading an office file, tells the user to disable the office security features, and run an excel or word file which allows hackers to run macros (automated scripts), that is used to download and install the malware in victims' device. Thanks to cybersecurity expert Brad Duncan, the phone recordings of one of the call centres involved are available. 

Targets include high profile accounts 

A cybersecurity expert that goes by the name Analyst said that these attack campaigns started in January 2021. The analyst is the same person that termed the attack as BazarCall, says that most of the targets use .edu or corporate email address, never target home users that use free emails like Gmail, Yahoo, or Hotmail. The Record reports, "the security researcher says the classic endgame for these attacks is to infect corporate networks, where the BazarLoader malware can then turn around and rent access to ransomware gangs, such as the Ryuk crew, with which they’ve collaborated before.
Read more »
Subscribe to: Comments (Atom)