Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

USA
Cyber Security Cyberattack New Law Ransom Ransomware Attacks. USA

US House Homeland Leaders Introduce Bipartisan Cyber Incident Reporting Legislation

 

Representative Yvette D. Clarke (D-NY), Chairwoman of the Cybersecurity, Infrastructure Protection & Innovation Subcommittee, along with other representatives and with other ranking officers of the Cybersecurity, Infrastructure Protection & Innovation Subcommittee, presented the Cyber Incident Reporting for Critical Infrastructure Act of 2021. Meanwhile, the Biden administration expressed public support during congressional testimony for such requirements. 

If this legislation is to come to fruition, it would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to organize requirements and procedures for critical infrastructure owners and operators to report cyber-attack incidents under this law. Additionally, under this legislation, critical infrastructure organizations and operators have to report cyber-attacks to the cybersecurity and Infrastructure Security agencies within 72 hours. 

The bill will also mandate it to organizations, including businesses with more than 50 employees, state and governments, and non-profits organizations, to report CISA of any ransomware payments they make within 24 hours. Along with this, the law reads that any organization when infected by ransomware should use recovery tactics instead of paying ransom to the attackers. 

According to the act, a new office will come into existence under CISA and it will be named “Review new Cyber Incident Office”. The office will be responsible for receiving, aggregating, and analyzing the reported cyberattack incidents. 

The introduced law is partly in response to a surge of major cyber-attacks particularly from ransomware that has hit the government agencies and private sectors which own and operate 85% of critical infrastructure. 

“As our nation continues to be faced with more frequent and increasingly sophisticated cyberattacks, authorizing mandatory cyber incident reporting is a key cybersecurity and national security priority,” said Chairman Thompson. 

“I applaud Chairwoman Clarke, as well as Ranking Member Katko and Ranking Member Garbarino, for their months of dedicated work to put together this legislation to require covered critical infrastructure entities to report certain cyber incidents to CISA. Once enacted, CISA will be on the path to getting the information it needs to identify malicious cyber campaigns early, gain a greater understanding of the cyber threat landscape, and be a better security partner to its critical infrastructure partners.” He added. 
Read more »
Sensitive data
API Customer Data Cyber Security GDPR Sensitive data

Elastic Stack API Security Vulnerability Exposes Customer and System Data

 

The mis-implementation of Elastic Stack, a collection of open-source products that employ APIs for crucial data aggregation, search, and analytics capabilities, has resulted in severe vulnerabilities, according to a new analysis. Researchers from Salt Security uncovered flaws that allowed them to not only conduct attacks in which any user could extract critical customer and system data, but also to create a denial of service condition in which the system would become inaccessible. 

“Our latest API security research underscores how prevalent and potentially dangerous API vulnerabilities are. Elastic Stack is widely used and secure, but Salt Labs observed the same architectural design mistakes in almost every environment that uses it,” said Roey Eliyahu, co-founder and CEO, Salt Security. “The Elastic Stack API vulnerability can lead to the exposure of sensitive data that can be used to perpetuate serious fraud and abuse, creating substantial business risk.” 

The vulnerability was originally detected while safeguarding one of their customers, a huge online business-to-consumer platform that provides API-based mobile applications and software as a service to millions of consumers around the world, according to the researchers. 

 Officials at Salt Security were eager to point out that this isn't a flaw in Elastic Stack itself, but rather a problem with how it's being deployed. According to Salt Security's technical evangelist Michael Isbitski, the vulnerability isn't due to a fault in Elastic's software, but rather to "a common risky implementation set up by users." 

"The lack of awareness around potential misconfigurations, mis-implementations, and cluster exposures is largely a community issue that can be solved only through research and education," Isbitski said. API threats have increased 348% in the last six months, according to the Salt Security State of API Security Report, Q3 2021. The development of business-critical APIs, combined with the advent of exploitable vulnerabilities, reveals the substantial security flaws that occur from the integration of third-party apps and services.

The impact of the Elastic Stack design implementation flaws rises considerably when an attacker chains together multiple attacks, according to Salt Labs researchers. Attackers can use the lack of authorization between front-end and back-end services to establish a working user account with basic permission levels, then make educated assumptions about the schema of back-end data stores and inquire for data they aren't authorized to access. 

Salt Labs was able to gain access to a large amount of sensitive data, including account numbers and transaction confirmation numbers, as part of its research. Some of the sensitive information was also private and subject to GDPR regulations. Attackers could use this information to access other API-based features, such as the ability to book new services or cancel existing ones.
Read more »
Group-IB
Cyber Security Group-IB

The expert assessed the prospects of cybersecurity company Group-IB after the arrest of its founder

Experts believe that the arrest of Ilya Sachkov, the founder and CEO of Group-IB, will not affect the company's work, nor will it affect the Russian information security market. Criminal cases against the heads of companies working in the field of information security have already happened in Russia.

On September 28, the office of Group-IB was searched, and the next day the court put the businessman in custody for two months on charges of treason. He might face up to 20 years in prison.

It is still unclear what exactly Ilya Sachkov's crime was. Group-IB lawyers are studying the court order, and employees are confident in the innocence of their leader and in his business reputation. At the moment, the technical director and co-founder of Group-IB Dmitry Volkov temporarily heads the company.

Ilya Sachkov and Dmitry Volkov opened Group-IB in 2003. The company creates products to combat online fraud, works in the field of computer forensics, consulting and auditing of information security systems. As noted on the Group-IB website, it cooperates with Interpol, Europol and the OSCE, provides assistance to Russian special services and law enforcement agencies in operations against hacker groups. The company's income can be at least 2 billion rubles ($27.2 million) per year, excluding foreign assets.

According to one version, Group-IB's problems could arise due to too close contacts of its employees with Western intelligence services. So, in 2020, the US Department of Justice accused Nikita Kislitsin, head of the Department of network security of Group-IB, of trying to sell stolen data of users of the social network Formspring. As follows from the testimony of Kislitsin, in order to avoid punishment, he leaked to the FBI “a lot of information on Russian hackers and hackers in uniform.” According to some media reports, Sachkov personally allegedly agreed to this.

Another theory is that the detention of Ilya Sachkov was influenced by the interrogation of Russian hacker Pavel Sitnikov, which took place on the eve of the searches in Group-IB. According to the hacker's representative, Sitnikov repeatedly criticized the activities of Group-IB and the company's founder Ilya Sachkov, and also collected compromising information on him.


Read more »
Telegram
Bank Bank Hacking Bots Cyber Security OTP OTP Theft Telegram

Analysts Warn of Telegram Powered Bots Stealing Bank OTPs

 

In the past few years, two-factor verification is one of the simplest ways for users to safeguard their accounts. It has now become a major target for threat actors. As per Intel 471, a cybersecurity firm, it has observed a rise in services that allow threat actors to hack OTP (one time password) tokens. Intel 471 saw all these services since June which operate via a Telegram bot or provide assistance to customers via a Telegram channel. Through these assistance channels, users mostly share their feats while using this bot and often walk away thousand dollars from target accounts. 

Recently, threat actors have been providing access to services that call victims, which on the surface, looks like a genuine call from a bank and then fool victims into providing an OTP or other authentication code into a smartphone to steal and give the codes to the provider. Few services also attack other famous financial services or social media platforms, giving SIM swapping and e-mail phishing services. According to experts, a bot known as SMSRanger, is very easy to use. With one slash command, a user can enable various modes and scripts targeted towards banks and payment apps like Google Pay, Apple Pay, PayPal, or a wireless carrier. 

When the victim's phone number has been entered, the rest of the work is carried out by the bot, allowing access to the victim's account that has been attacked. The bot's success rate is around 80%, given the victims respond to the call and provides correct information. BloodOTPBot, a bot similar to SMSRanger sends the user a fake OTP code via message. In this case, the hacker has to spoof the target's phone number and appear like a company or bank agent. After this, the bot tries to get the authentication code with the help of social engineering tricks. 

The bot sends the code to the operator after the target receives the OTP and types it on the phone keyboard. A third bot, known as SMS buster, however, requires more effort from the attacker for retrieving out information. The bot has a feature where it fakes a call to make it look like a real call from a bank, and allows hackers to contact from any phone number. The hacker could follow a script to fake the victim into giving personal details like ATM pin, CVV, and OTP.
Read more »
United States
APT actors malware Microsoft SolarWinds Hack Sunshuttle United States

Newly Discovered 'Tomiris’ Backdoor Linked to SolarWinds Attack Malware

 

Kaspersky security researchers have unearthed a new backdoor likely designed by the Nobelium advanced persistent threat (APT) behind last year's SolarWinds supply chain attack. 

The new malware, dubbed Tomiris, was first identified in June 2021 from samples dating back to February, a month before the “sophisticated second stage backdoor” Sunshuttle was spotted by FireEye and linked to Nobelium. Nobelium is also known by the monikers UNC2452, SolarStorm, StellarParticle, Dark Halo, and Iron Ritual. 

"While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme carefulness of the attackers and the high-profile nature of their victims. Evidence gathered so far indicates that Dark Halo spent six months inside Orion IT's networks to perfect their attack and make sure that their tampering of the build chain wouldn't cause any adverse effects,” Kaspersky researchers stated. 

Moscow-headquartered firm Kaspersky identified Tomiris while examining a series of DNS hijacking attacks mounted against multiple government organizations in a CIS member state between December 2020 and January 2021, which allowed threat actors to redirect traffic from government mail servers to devices under their possession.

Their victims were redirected to webmail login pages that helped hackers steal their email credentials and, in some cases, tricked them into installing a malware update that instead downloaded the Tomiris backdoor. 

“During these times, the authoritative DNS servers for the above zones were switched to attacker-controlled resolvers. Most of these hijackings were relatively brief and appear to have primarily targeted the mail servers of the affected organizations. We don’t know how the threat author was able to achieve this, but we assume that he somehow obtained credentials from the Registrar’s control panel used by the victims,” researchers added. 

Multiple similarities between Tomiris and Sunshuttle malware 

Researchers discovered multiple similarities between the Sunshuttle and Tomiris backdoors (e.g., both developed in GB, persistence through scheduled tasks, the same coding scheme for C2 communications, automated sleep triggers to reduce network noise). They also spotted the Kazuar backdoor, a .NET-based backdoor linked to the Turla group which shares multiple features with the Sunburst malware used in the SolarWinds attack on the same network as Tomiris. 

Earlier this year in March 2021, Microsoft and FireEye describe Sunshuttle as a Golang-based malware that acts as a command-and-control backdoor, establishing a secure connection with an attacker-controlled server to fetch and execute arbitrary commands on the exploited device as well as exfiltrate files from the system to the server. 

Despite this, researchers have not established a conclusive link between the new backdoor and Russia-backed Nobelium state hackers due to the possibility of a false flag attack designed to mislead researchers. 

The revelation comes days after Microsoft released the details of a passive and highly targeted implant dubbed ‘FoggyWeb’ that was employed by the Nobelium hacking group to deploy additional payloads and steal sensitive information from Active Directory Federation Services (ADFS) servers.
Read more »
Shutdown Servers.
Data Breach European Bookseller Ransom Attack Ransomware Ransomware attack Shutdown Servers.

Ransomware Attack On Major European Bookseller

 

Recently a ransomware attack targeted a leading book supplier software, the attack interrupted regular functions of thousands of bookstores in Europe including France, Belgium, and the Netherlands. The data stolen may have included not only personally identifiable information but also payment details. 
The ransomware group targeted TiteLive, a French company that provides cloud-based software for book sales and inventory management. Bookstores that have been affected by the ransomware attack included Libris, Aquarius, Donner, Malperthuis, and Atheneum Boekhandels. Additionally, some other clients have also been listed on the company’s website including Paris Libraries, Gallimard, Furet du Nord SciencesPo, and La Pro-Cure. 

In order to prevent the ransomware attack from spreading, TiteLive shut down its IT infrastructure, which resulted in a days-long downtime of MediaLog. Media Log includes processing online orders and shipping, cash sales, and customer relationship functions such as loyalty cards, direct mail, and financial information. 

According to the company’s website, the company offers its primary product to more than 1,000 bookstores. Owing to the disruption, around 130 independent bookshops in the Netherlands, Belgium, and France are largely shut down. Currently, these stores do not have access to billing and inventory data. For now, the form of ransomware that was used in the attack has not been disclosed. 

The group of attackers asked for a huge ransom payment for the encryption which targeted Windows servers run by TiteLive, forcing the company’s products offline. Furthermore, at present, what data may have been stolen is also unclear. However, the company has clarified that it is not going to pay ransom to the malicious actors.
Read more »
Ransomware
Decryption Key Linux malware RansomEXX RansomExx Gang Ransomware

RansomEXX Comes into Action Encrypting Files Using AES-CBC

 

In the latest Profero report - Senior Incident Responder Brenton Morris states that RansomeXX decryptors have failed to encrypt different files for the victims that have paid for the ransom demanded by the Linux Vmware ESXI malicious attacker. Profero has found that this RansomExx organization does not lock Linux files appropriately, which might contribute to damaged data during encryption. 

Following a reverse engineering process of the RansomExx Linux encrypter, Profero found that perhaps the problem was created by the inadequate encryption of Linux files. The encrypted file would have included encrypted data and unencrypted data afterward if the ransomware were to encrypt a Linux file simultaneously.’ 

RansomEXX encrypts the disc data and thereafter demands a ransom to acquire the key to decode. Encryption is arranged using the Open Source mbedtls package, so when the virus is activated, it produces a 256-bit key and encodes all the existing files in ECB mode using AES block encryption. Then after, each second, a new AES key will be produced, i.e. various files with different AES keys will be encrypted. 

Each AES key is encrypted and connected to every encrypted file via a public RSA-4096 key included in malware code; the ransomware might purchase a private key from the victim for decryption. 

"Some strains of Linux ransomware will attempt to acquire a file lock using fcntl while others will often not attempt to lock files for writing, and instead either knowingly choose to take the risk of corrupting the files or do so unknowingly due to lack of Linux programming experience," Morris told. "The Linux version of RansomEXX did not attempt to lock the file at all." 

If RansomExx encrypts a document, an RSA encrypted decryption key will be added to each file's end. The person who collects a ransom provides a decryptor that can decrypt the encoded decryption key of each file and then use that to decipher the contents of the file. 

However, since unencrypted material is annexed to the file end in these problematic encrypted files, the decrypter couldn't read the encrypted key correctly and the file will not be decrypted. 

"Because the attackers provide paying victims with a decryption tool they must run to decrypt their files there is a risk that the decryption tool may be malicious. This requires affected victims to reverse engineer the provided decryption tool to ensure there is no hidden payload or malicious features, a time investment that can be problematic for some organizations during a ransomware incident," explains Profero's blog post. 

Profero has published a RansomEXX open-source decryptor that can decrypt encrypted files with the file lock problem to assist its customers and the cyber security industry at large. 

Victims still have to have a decryption key from the malicious attacker, although now they can take time to evaluate one given by actors who are confronted with it instead.
Read more »
Infected Devices
Android Android devices Botnet Cyber Attacks DDOS Attack Infected Devices

Turkish National Charged for DDoS Attack on U.S. Company

 

Authorities in the United States charged a Turkish national for launching distributed denial-of-service (DDoS) assaults against a Chicago-based multinational hospitality company using a now-defunct malware botnet. 

Izzet Mert Ozek, 32, is accused of launching attacks against the Chicago multinational in August 2017 using WireX, a botnet developed using Android malware. 

According to authorities, Ozek's attacks caused infected Android devices to transmit massive volumes of online traffic to the company's public website and online booking service, leading servers to crash. As per the news release from the US Department of Justice, the charges were announced on September 29 in the Northern District of Illinois. 

The press release stated, “In August 2017, IZZET MERT OZEK used the WireX botnet, which consisted of compromised Google Android devices, to direct large amounts of network traffic to the hospitality company’s website, preventing legitimate users from completing hotel bookings, according to an indictment returned Tuesday in U.S. District Court in Chicago. The hospitality company, which managed luxury hotels and resorts, was headquartered in Chicago and the servers for its website were located in northern Illinois.” 

“The indictment charges Ozek, 32, with one count of intentionally causing damage to a protected computer. Ozek is believed to be residing in Turkey, and a warrant for his arrest will be issued.” 

The official statement and indictment do not specify whether Ozek developed the WireX botnet himself or bought it from a third party. The botnet, which was created just a month before in July 2017, soon grew to gigantic size of more than 120,000 bots after its creator attacked Android smartphones with fraudulent Android apps. 

Months after the disastrous Mirai malware attacks at the end of 2016, the cyber-security industry responded quickly to eliminate the emerging danger while it was still in its early phases. 

A coalition of security firms, including Akamai, Cloudflare, Flashpoint, Google, Dyn, RiskIQ, and Team Cymr, launched an investigation weeks after the attack on the Chicago multinational company to track WireX’s bots and backend infrastructure and then seize and take down its command and control systems.
Read more »
Third Party Apps
Android devices Google Play Malicious Campaign malware Third Party Apps

GriftHorse Malware has Infected More than 10 Million Android Devices

 

A new malware named GriftHorse is said to have infected over 10 million Android cell phones. According to the research at mobile security firm Zimperium, the threat group has been executing the campaign since November 2020. The GriftHorse malware was propagated through both Google Play and third-party application stores, according to the research group, and it stole "hundreds of millions of Euros" from victims. 

GriftHorse will produce a significant number of notifications and popups when a user downloads any of the malicious programmes, luring consumers in with exceptional discounts or prizes. People who click these are taken to a web page where they must authenticate their phone number in order to gain access to the promotion. 

In actuality, GriftHorse's victims are paying for premium SMS services that cost more than $35 per month. GriftHorse operators are thought to have made anywhere from $1.5 million to $4 million per month with this fraud, and their initial victims are thought to have lost more than $230 if they didn't stop the scam. 

GriftHorse malware has been tracked by Zimperium researchers Aazim Yaswant and Nipun Gupta for months, and they describe it as "one of the most widespread campaigns the zLabs threat research team has encountered in 2021." But, according to the two Zimperium researchers, the GriftHorse developers put a lot of effort into the quality of their malware, using a wide range of websites, malicious apps, and developer personas to infect victims and evade detection as much as possible.

“The level of sophistication, use of novel techniques, and determination displayed by the threat actors allowed them to stay undetected for several months,” Yaswant and Gupta explained. “In addition to a large number of applications, the distribution of the applications was extremely well-planned, spreading their apps across multiple, varied categories, widening the range of potential victims.” 

Handy Translator Pro, Heart Rate and Pulse Tracker, Geospot: GPS Location Tracker, iCare – Find Location, and My Chat Translator are among the popular apps infested with GriftHorse malware. Users in India are also affected, according to the firm. Zimperium, a member of the App Defense Alliance, claimed it alerted Google about all GriftHorse-infected apps, which have since been withdrawn from the Play Store. These apps may, however, still be available in third-party app stores.
Read more »
Hacking News
Cyber Attacks Hacker Group ChamelGang Hackers News Hacking News

Cybersecurity experts have discovered a new hacker group

Cybersecurity experts have discovered a new hacker group ChamelGang, which attacks institutions in ten countries around the world, including Russia. Since March, Russian companies in the fuel and energy sector and the aviation industry have been targeted, at least two attacks have been successful. Experts believe that pro-government groups may be behind the attacks.

According to Positive Technologies, the first attacks were recorded in March. Hackers are interested in stealing data from compromised networks.

India, the United States, Taiwan and Germany were also victims of the attacks. Compromised government servers were discovered in those countries.

The new group was named ChamelGang from the word chameleon, as hackers disguise malware and network infrastructure as legitimate services. The grouping tools include the new, previously undescribed ProxyT malware, BeaconLoader and the DoorMe backdoor, which allows a hacker to gain access to the system.

In one of the attacks, the hackers first attacked the subsidiary, and two weeks later, the parent company. They found out the password of the local administrator on one of the servers and penetrated the company's network using the Remote Desktop Protocol (RDP). Hackers remained undetected on the corporate network for three months and during that time gained control over most of the network, including critical servers and nodes.

In the second attack in August, attackers took advantage of a chain of related vulnerabilities in Microsoft Exchange to penetrate the infrastructure. Hackers were in the organization's infrastructure for eight days and did not have time to cause significant damage.

Kaspersky Lab cybersecurity expert Alexey Shulmin confirmed the targeted nature of the attack and the wide geography of victims. He added that some grouping utilities have an interface in Chinese.

Experts believe that attacks on strategically important industrial facilities, including the fuel and energy sector and the aviation industry, are often carried out by cyber mercenaries and pro-government groups.

Read more »
User Security
Bots Cyber Fraud Internet scammers Twitter Twitter Bots User Security

Scammers are Using Twitter Bots for PayPal and Venmo Scams

 

Internet scammers are using Twitter bots to trick users into making PayPal and Venmo payments to accounts under their possession. Venmo and PayPal are the popular online payment services for users to pay for things such as charity donations or for goods such as the resale of event tickets. This latest campaign, however, is a stark warning against making or revealing any sort of transaction on a public platform.

How fraudsters operate? 

The fraud campaign begins when a well-meaning friend asks the person in need for a specific money transferring account — PayPal or Venmo. Then the Twitter bot springs into action, presumably identifying these tweets via a search for keywords such as ‘PayPal’ or ‘Venmo’.

Twitter bot impersonates the original poster by scraping the profile picture and adopting a similar username within minutes in order to substitute their own payment account for that of the person who really deserves the money. 

Twitter user ‘Skye’ (@stimmyskye) posted a screenshot online detailing how she was targeted by a Twitter bot. Skye noted that the bot blocks the account that it is mimicking, and scraps the whole profile. 

“Because you’re blocked, you’ll see that there’s one reply to that question but the reply tweet won’t show up. If you see a ghost reply to a comment like that, it’s almost always a scam bot. They delete as fast as they clone your account. You won’t even know it happened,” Skye wrote.

“They will delete the reply tweet, but the account itself will usually not be deleted, just change the username. So, the accounts are usually not brand new, they even have followers. You need to check closely,” she warned. 

“Given that the mechanism is automated, I’m willing to bet that the attack is fairly successful. A Twitter user would need to pay close attention to what is going on in order to notice what’s happened. Don’t publicly link to your PayPal (or similar) account – deal with payments via direct message instead. By doing this, the scam bot won't be triggered, and wouldn't be able to show up in the same chain of direct messages even if it was,” Andy Patel, researcher with F-Secure’s Artificial Intelligence Center of Excellence, advised users.
Read more »
Subscribe to: Comments (Atom)