Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

User Security
Data Breach Google Forms phishing Telegram User Security

Threat Actors are Using Telegram & Google Forms to Obtain Stolen User Data

 

Security researchers have noted an increase in the misuse of legitimate services such as Google Forms and Telegram for gathering user data stolen on phishing websites. Emails remain the popular method among threat actors to exfiltrate stolen data but these methods foreshadow a new trend in the evolution of phishing kits.

After analyzing the phishing kits over the past year, researchers at cybersecurity company Group-IB observed that more of these tools permit collecting users' stolen data using Google Forms and Telegram. 

What is a phishing kit? 

A phishing kit is a toolset that helps design and run phishing web pages mimicking a particular brand or firm or even several at once. Phishing kits are often sold to those hackers who do not have exceptional coding skills. These phishing kits allow them to design an infrastructure for large-scale phishing campaigns.

By extracting the phishing kit, security researchers can examine the methodology used to carry out the phishing attack and figure out where the stolen data is sent. Besides, a thorough examination of the phishing kit helps researchers in detecting digital footprints that might lead to the developers of the phishing kit.

Latest trends of 2020 

Security researchers at Group-IB identified more than 260 unique brands which were on the target list of cybercriminals, most of them being for online services (30.7% - online tools to view documents, online shopping, streaming service, and more,) email customers (22.8%), and financial organizations (20%). The most exploited brands of 2020 were Microsoft, PayPal, Google, and Yahoo.

Another trend the researchers noticed was that the developers of phishing kits were double-dipping to increase their profits by adding code that copies the stream of stolen data to their network data host. Security researchers explained that one method is by configuring the ‘send’ function to deliver the information to the email provided by the buyer of the phishing kit as well as the ‘token’ variable linked with a concealed email address.

“Phishing kits have changed the rules of the game in this segment of the fight against cybercrime. In the past, cybercriminals stopped their campaigns after the fraudulent resources had been blocked and quickly switched to other brands. Today, they automate their attacks and instantly replace the blocking phishing websites with new web pages,” Yaroslav Kargalev, Deputy Head at CIRT-GIB, stated.
Read more »
Russia
Cyber Attacks Lithuania Lithuania Cyber Security Russia

Russian intelligence was accused of cyber attacks on Lithuania's top leadership

Last year, hacker groups controlled by Russian secret services conducted cyber attacks on Lithuania's top leadership - This is stated in the annual report on the state of national cybersecurity published by the Ministry of Defense of the Baltic republic

The document claims that Lithuanian foreign policy and national security institutions, as well as energy and education facilities were attacked by Russian intelligence.

"Groups controlled by Russian intelligence services also used the Lithuanian information technology sector infrastructure for cyber attacks against targets in Western countries. For example, in July 2020, there were cyber attacks by the APT29 cyber group against organizations developing a coronavirus vaccine in the West that were carried out using Lithuanian IT infrastructure," the report said.

As noted in the document, some of the cyber incidents registered in the republic last year are associated with "political, geopolitical, strategic events in Lithuania, the region and around the world."

According to the report, "it is assumed that hostile intelligence services seek to illegally obtain information about vulnerabilities in Lithuanian communication and information systems, as well as personal user information (account login data) and use it for other cyber incidents".

As an example, a cyber attack was reported in December 2020, when 24 public sector websites were hacked, three of which published fake news with different content. An investigation into the incident revealed that it had been prepared in advance and was carried out in an orderly manner.

Various cyberattacks are often reported in Lithuanian state institutions. Most often they are attributed to "Russian hackers" or hinted that they were carried out by "unfriendly countries," although no evidence has been found.

Moscow has repeatedly stressed that accusations by Western partners are unfounded.

In addition, the authorities of the Baltic States have consistently obstructed the work of the Russian media. As the Russian Foreign Ministry noted, signs of coordination are clearly visible in the actions of Vilnius, Riga and Tallinn, and the cases of media harassment in the Baltic countries clearly demonstrate that the demagogic statements of these countries about their adherence to the principles of democracy and freedom of speech are worth in practice.

It's interesting to note that the report released by the Lithuanian Ministry of Defense shows that cyber incidents in Lithuania increased by 25 percent in 2020, and the number of incidents involving malware increased by 49 percent.

Read more »
Vulnerabilities and Exploits
New Feature Processor Sandboxing Security Vulnerabilities and Exploits

AMD Admits Ryzen 5000 CPU Exploit Could Leave Your PC Open to Hackers

 

According to AMD itself, AMD's Zen 3 CPU architecture may include a feature that could be exploited by hackers in a Spectre-like side-channel attack. 

With Zen 3, the speculative execution feature—which is a common feature in modern processors— is known as Predictive Store Forwarding (PSF). Essentially its task is to guess which instruction is most likely to be sent next through the use of branch prediction algorithms and fetch that command in anticipation. The aim is to speed up the microprocessor's output pipeline, but the feature comes with risks, according to TechPowerUp. 

In the occurrence of a misinterpretation, software such as web browsers that use 'sandboxing' can expose your CPU to side-channel attacks. 

Sandboxing (isolation) is actually aimed at protecting against threats by placing malicious code on the naughty step and challenging its motivations. However, similar to the Spectre vulnerabilities, possible changes to the cache state in such cases could result in hackers gaining access to portions of one’s personal data. 

Due to Spectre and Meltdown vulnerabilities, web browsers don't tend to rely on isolation processes as much nowadays, but there are still risks that AMD outlines forthrightly. 

Under the security analysis section of a publicly accessible AMD report, "A security concern arises if code exists that implements some kind of security control which can be bypassed when the CPU speculates incorrectly. This may occur if a program (such as a web browser) hosts pieces of untrusted code and the untrusted code can influence how the CPU speculates in other regions in a way that results in data leakage."

"If an attacker is able to run code within a target application, they may be able to influence speculation on other loads within the same application by purposely training the PSF predictor with malicious information." 

However, there is a way to protect yourself from the feature's potential flaws, which is by simply disabling PSF. However, this is not an option that AMD recommends because it has the potential to stifle performance. In certain cases, Meltdown and Spectre mitigations in Intel CPUs had also led to similar performance limitations.

The tests by Phronix show that turning off the feature only reduces CPU output by 1%. A firmware update could provide a short-term patch for those that are currently affected, but a long-term solution will likely have to come in the form of a change to the architecture itself.
Read more »
Technology
Bitcoin Bitcoin Mining Blockchain China Crypto Currency mining Global Climate Technology

China and its Humongous Bitcoin Mining Industry has Severe Impact on the Global Climate

 

According to a new study in Nature Communications, electricity consumption and carbon emissions from bitcoin mining in China have accelerated speedily. These effects could weaken global sustainable practices without stricter regulations and policy changes. 

Bitcoin and other cryptocurrencies depend heavily on "blockchain" technology, a shared transaction database that requires confirmation and encryption of entries. Blockchain is a digital recording device that offers secure means for payments, pacts, and contracts to be documented and authenticated. But uniquely, the database is shared between a network of computers, and not in a place such as the conventional ledger book. Only a few users or hundreds and thousands of people can enter this network. However, the network is secured by people known as "miners," who use high-powered computers to check transactions. These computer systems consume huge quantities of electricity. 

Around 40% of China's Bitcoin mines are coal operated and the rest utilize renewable sources, according to the study. The coal power stations, however, are so large that Beijing's promise to peak carbon emissions by 2030 could be undermined and carbon neutralized by 2060, the study warned. 

With a simulated carbon emissions model, Dabo Guan, Shouyang Wang, and colleagues track carbon emissions streams from Bitcoin blockchain operations in China. Given recent developments in Bitcoin mining, it is estimated that this procedure will spike energy consumption at around 297 terawatt-hours by 2024 and generate approximately 130 million metric tons of carbon emissions. This exceeds the total annual emission volumes of greenhouse gas in entire mid-sized European countries, for example, Italy and the Czech Republic. 

In order to guarantee a stable supply from renewable sources it should concentrate on updating the power grid, said Wang. He further added that “Since energy prices in clean-energy regions of China are lower than that in coal-powered regions … miners would then have more incentives to move to regions with clean energy.” 

In the past year, Bitcoin's price rose five times and reached a record of $61,000 in March, presently it’s just below the mark of $60,000. Due to the available profits, Wang said carbon taxation isn’t sufficient to determiners. The research teams said the "attractive financial incentive of bitcoin mining" has triggered an arms race in the mining hardware industry. The price hike in Bitcoin was further driven by some renowned companies, including electric carmaker Tesla, implementing it as a method of payment. The Covid 19 pandemic also probably played a role, where more people shopped online and left physical currencies in their accounts.
Read more »
WhatsApp
Fake Apps Google Play Store malware Netflix WhatsApp

Fake Netflix App Spreads Malware via WhatsApp Messages

 

Researchers have discovered malware camouflaged as a Netflix application, prowling on the Google Play store, spread through WhatsApp messages. As per a Check Point Research analysis released on Wednesday, the malware took on the appearance of an application called "FlixOnline," which publicized by the means of WhatsApp messages promising "2 Months of Netflix Premium Free Anywhere in the World for 60 days." But once installed, the malware begins stealing information and credentials.

The malware was intended to monitor incoming WhatsApp messages and automatically react to any that the victims get, with the content of the response crafted by the adversaries. The reactions attempted to bait others with the proposal of a free Netflix service, and contained links to a phony Netflix site that phished for credentials and credit card information, analysts said. 

“The app turned out to be a fake service that claims to allow users to view Netflix content from around the world on their mobiles,” according to the analysis. “However, instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor a user’s WhatsApp notifications, sending automatic replies to a user’s incoming messages using content that it receives from a remote server.” Once you install the FlixOnline application from the Play Store, it asks for three sorts of authorizations: screen overlay, battery optimization ignore, and notification. Researchers from Check Point noticed that overlay is utilized by malware to make counterfeit logins and steal client credentials by making counterfeit windows on top of existing applications. 

The malware was additionally able to self-propagate, sending messages to client's WhatsApp contacts and groups with links to the phony application. With that in mind, the computerized messages read, “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE [Bitly link].”

“The malware’s technique is fairly new and innovative,” Aviran Hazum, manager of Mobile Intelligence at Check Point, said in the analysis. “The technique here is to hijack the connection to WhatsApp by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager. The fact that the malware was able to be disguised so easily and ultimately bypass Play Store’s protections raises some serious red flags.”
Read more »
ransomware attacks
cyber attack IoT IoT devices IOT Security Ransom Attack Ransomware ransomware attacks

Canadian IoT Solutions Provider, Sierra Wireless Hit by a Ransomware Attack


Sierra Wireless, a Canadian IoT solutions provider said that it has reopened its manufacturing site's production after the company suffered a ransomware attack that breached its internal infrastructure and official website on March 20. When the company came to know about the attack, it called one of the world's best cybersecurity firms "KPMG," to help Sierra Wireless in the investigation and inquiry of the incident.

According to Sierra Wireless, "security is a top priority, and Sierra Wireless is committed to taking all appropriate measures to ensure the highest integrity of all of our systems. As the investigation continues, Sierra Wireless commits to communicating directly to any impacted customers or partners, whom we thank for their patience as we work through this situation." 

Currently, the staff at Sierra Wireless is working on re-installing the company's internal infrastructure, after the corporate website was brought back online. Besides this, the Canadian MNC said that ransomware attacks couldn't breach services and customer-oriented products as the internal systems that were attacked were separated. The company believes that the scope of the attack was limited to Sierra Wireless' corporate website and internal systems, it is confident that the connectivity services and products weren't affected, and the breach couldn't penetrate the systems during the incident. 

As of now, the company isn't expected to issue any firmware or software security updates or product security patches, which are generally required after the ransomware attack. The company hasn't disclosed the ransomware operator behind the attack, it has also not specified what data was stolen from the incident before the encryption could happen. 

The attack happened in March, after that the company took back its Q1 guidance. A company spokesperson said that Sierra wireless won't reveal any further information regarding the attack as per the company protocol, because the data involved is highly confidential and sensitive. Bleeping Computer reports, "Siera Wireless' products (including wireless modems, routers, and gateways) sold directly to OEMs are being used in IoT devices and other electronic devices such as smartphones, and an extensive array of industries." Stay updated for more news.

Read more »
User Privacy
500 Million Data Breach LinkedIn Users User Privacy

Data Stolen from 500 Million LinkedIn Users Leaked Online

 

Just days after a Facebook data leak was revealed, security experts have discovered another one, this time the victim being LinkedIn as a huge pile of data containing the personal information of 500 million LinkedIn users has been found on sale on a popular hacking forum.

To prove the legitimacy of the data leak, the poster has included nearly 2 million records as a sample, which forum members can view for $2 worth of forum credits. The leaked data includes user names, contact numbers, email addresses, links to other social media profiles, and users’ workplace details. While, the data does not contain credit card information, legal documents, or other financial information that could be used for scams.

However, security researchers warned that lack of financial information does not mean that it is not dangerous. Hackers could misuse the data to create detailed profiles of their potential victims and then conduct targeted phishing or social engineering attacks. They could also use the information to spam emails and contact numbers, or brute-force the passwords of LinkedIn profiles and linked email addresses. 

The threat actor has demanded a minimum of ‘four-digit sum in turn for access to the entire 500 million-user databases. Cybernews confirmed that the data in the sample was scraped from LinkedIn, although it remains unclear if the leaked files contain the latest information, or if it was taken from the previous data breach.

5 steps to protect your LinkedIn account

Across the globe, there are nearly 740 million user profiles on LinkedIn. If we presume that the hacker is telling the truth, then the data of 500 million users is on the hacking forum. Considering that, LinkedIn users should take all the necessary precautions to protect their accounts by:

• Creating a strong and unique password, and storing it in a password manager.

• Enabling two-factor authentication (2FA) on all your online accounts.

• Downloading strong anti-phishing and anti-malware software. 

• Learning to identify phishing emails and text messages.

• Reporting to the cyber police if any problem arises. 

This is not the first time that hackers have targeted LinkedIn users. In 2012, hackers were able to steal password hashes of nearly 170 million LinkedIn users. The stolen data was in the private hands for almost 4 years before appearing on the dark web in 2016.
Read more »
Russian Hackers
Cyber Crime Cyber Crime Report hacker news Russian Hackers

The Russian who hacked JPMorgan was demanded $20 million in compensation

In January, Andrei Tyurin was sentenced to 12 years in prison for the largest theft of personal data of bank clients in US history.  He acted as part of a hacker group and stole data that brought the hackers hundreds of millions of dollars

The Federal Court for the Southern District of New York ordered to pay compensation in the amount of $19.9 million to Russian Andrei Tyurin, who was sentenced in January to 12 years in prison for cybercrimes.  This is evidenced by the documents received on Monday in the electronic database of the court.

As follows from these materials, the parties came to an agreement on the amount that Tyurin should provide to individuals and legal entities affected by his actions.  According to the agreements approved by the court, Tyurin "will pay compensation in the amount of $19,952,861."  The full list of companies and individuals who will receive these funds is not provided in the documents.  It is also not specified whether Tyurin has the ability to pay the specified amount.

In early January, Tyurin was sentenced to 144 months in prison.  According to Judge Laura Taylor Swain, the Russian was involved in "large-scale criminal activities of a financial nature."  According to the investigation, he was involved in cyber attacks on large American companies in order to obtain customer data.

The US prosecutor's office said that Tyurin hacked the data of nearly 140 million customers and stole information from 12 companies.  Among them are JPMоrgan Chase Bank, Dow Jones & Co, Fidelity Investments, E-Trade Financial.  The authorities called the actions of the Russian the largest theft of data from the bank's clients in the history of the country.

Tyurin was extradited to the United States from Georgia in September 2018.  The American authorities charged him with hacking into the computer systems of financial structures, brokerage houses and the media specializing in the publication of economic information.  Representatives of the Secret Service claimed that the Russian was involved in "the largest theft of customer data from US financial structures in history."  They noted that Tyurin could be sentenced to imprisonment for up to 92 years.

 The Russian initially declared his innocence.  According to the materials of the court, in September 2019 Tyurin made a deal with the prosecutor's office.  He pleaded guilty to several counts.  The US Secret Service claimed that Tyurin and his accomplices "embezzled hundreds of millions of dollars."

Read more »
New Banking Trojan
Brazil Digital Security malware New Banking Trojan

Janeleiro a New Banking Trojan Targeting Corporate, Government Targets

 

A banking Trojan has been found out by cybersecurity researchers, which has targeted many organizations across the state of Brazil. An advisory has been released on Tuesday by ESET on the malware that was being developed in 2018. 
According to cyber intelligence, the Trojan named Janeleiro primarily focused on Brazil and launched multiple cyber attacks against corporate giants in various sectors such as engineering, healthcare sector, finance, retail, and manufacturing. Notably, the threat actors who are operating the banking trojan have also made attempts to get access into government systems using the malware.

According to the researchers, the Trojan is similar to other Trojans that are currently being operated across the state, specifically in Grandoreiro, Casbaneiro, and Mekotio, to name a major few. 

Janeleiro enters into smart devices similar to most malware, however, some features are different. First, Phishing emails will be sent in small batches, masked as unpaid invoices of the firm. These emails contain links that compromise servers into the system and download a .zip archive hosted in the cloud. If the target opens the archive file, a Windows-based MSI installer then loads the main Trojan DLL into the system. 

"In some cases, these URLs have distributed both Janeleiro and other Delphi bankers at different times," ESET says. 

“…This suggests that either the various criminal groups share the same provider for sending spam emails and for hosting their malware, or that they are the same group. We have not yet determined which hypothesis is correct." 

Interestingly, the Trojan first checks the geo-location of the targeted system's IP address. If the state code is Brazil and it remains and runs its operation but if it is other than Brazil then the malware will exit automatically. 

Janeleiro is being used to frame fake pop-up windows "on-demand," such as when operators compromised banking-related keywords from its machine. Once the operators get access to the system then they ask for sensitive credentials and banking details from targets.
Read more »
Vulnerability and Exploits
CISA Malicious actor VMware VMware Carbon Black Cloud Workload vSphere Vulnerability and Exploits

The VMware Carbon Black Cloud Workload Patched a Vulnerability

 

The VMware Carbon Black Cloud Workload device's major security vulnerability will indeed permit root access, and the authority to handle most of the solution administration rights. The lately identified vulnerability, trackable as CVE-2021-21982, with a 9.1 CVSS score, remains in the device's administrative interface and continues to exist because intruders might bypass authentication by manipulating the URL on the interface. VMware Black Cloud Workload is the forum for cybersecurity defense on VMware's vSphere portal for virtual servers and workloads. vSphere is the virtualization platform for VMware cloud computing. 

As per the statement made by VMware last week, the problem is caused by inaccurate URL handling. “A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,” the company noted. “An adversary who has already gained network access to the administrative interface of the appliance may be able to obtain a valid authentication token.” 

In turn, the intruder would be able to obtain the device management API. Once the intruder is logged in as an admin, it may also access and change administrative configuration settings. The opponent might also perform several attacks, which include code execution, de-activation of security monitoring, or the catalog of virtual instances in the private cloud, and even more since it depends on what instruments the institution has implemented in the environment. 

“A malicious actor with network access to the administrative interface of the VMware Carbon Black Cloud Workload appliance may be able to obtain a valid authentication token, granting access to the administration API of the appliance,” VMware notes in an advisory. 

VMware's Carbon Black Cloud Workload is being used by organizations in virtualized environments for protecting workloads that offer tools for the evaluation of vulnerabilities, antiviruses, and threats. 

Egor Dimitrenko, a positive technologies researcher who has been credited with the discovery of the vulnerability, says that the intruder could definitely use the bug to execute arbitrary code on a server. “Remote Code Execution is a critical vulnerability that gives an attacker unlimited opportunity to perform any attack to company infrastructure,” Dimitrenko underlines. 

The researcher explains that the intruder should not usually be able to access the VMware Carbon Black Cloud workload admin panel from the Internet, but also indicates that misconfigurations can result in improper exposure. He says that organizations can implement tools for remote access inside the internal network. 

In order to deal with this vulnerability and encourage customers to use the update to stay secure, VMware released version 1.0.2 of the VMware Carbon Black Cloud Workload appliance last week. It is also recommended that network checks should be implemented to ensure limited access to the device admin interface. Additionally on Friday, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to warn of the vulnerability and raise awareness on the existence of patches for it.
Read more »
Threat actors
Application Vulnerability Cyber Attacks cyber threat SAP Threat actors

Active Cyber Attacks on Mission-Critical SAP Apps

 

Security researchers are warning about the arrival of attacks targeting SAP enterprise applications that have not been updated to address vulnerabilities for which patches are available, or that utilize accounts with weak or default passwords. 

Over 400,000 organizations worldwide and 92% of Forbes Global 2000 use SAP's enterprise apps for supply chain management, enterprise resource planning, product lifecycle management, and customer relationship management.

According to a study released jointly by SAP and Onapsis, threat actors launched at least 300 successful attacks on unprotected SAP instances beginning in mid-2020. Six vulnerabilities have been exploited, some of which can provide complete control over unsecured applications. Even though SAP had released fixes for all of these flaws, the targeted companies had not installed them or were using unsecured SAP user accounts. 

"We're releasing the research Onapsis has shared with SAP as part of our commitment to help our customers ensure their mission-critical applications are protected," Tim McKnight, SAP Chief Security Officer, said. 

"This includes applying available patches, thoroughly reviewing the security configuration of their SAP environments, and proactively assessing them for signs of compromise." Researchers also observed attackers targeting six flaws, these flaws, if exploited, can be used for lateral movement across the business network to compromise other systems. 

The threat actors behind these attacks have exploited multiple security vulnerabilities and insecure configurations in SAP applications in attempts to breach the targets' systems. In addition, some of them have also been observed while chaining several vulnerabilities in their attacks to "maximize impact and potential damage."

According to an alert issued by CISA, organizations impacted by these attacks could experience, theft of sensitive data, financial fraud, disruption of mission-critical business processes, ransomware, and halt of all operations. 

Patching vulnerable SAP systems should be a priority for all defenders since Onapsis also found that attackers start targeting critical SAP vulnerabilities within less than 72 hours, with exposed and unpatched SAP apps getting compromised in less than three hours. 

Both SAP and Onapsis recommended organizations to protect themselves from these attacks by immediately performing a compromise assessment on SAP applications that are still exposed to the targeted flaws, with internet-facing SAP applications being prioritized. 

Also, companies should assess all applications in the SAP environment for risk as soon as possible and apply the relevant SAP security patches and secure configurations; and assess SAP applications to uncover any misconfigured high-privilege user accounts.

"The critical findings noted in our report describe attacks on vulnerabilities with patches and secure configuration guidelines available for months and even years," said Onapsis CEO Mariano Nunez.

"Companies that have not prioritized rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action" Nunez added.
Read more »
Subscribe to: Comments (Atom)