Chaos Ransomware Hits Japanese Minecraft Players

Security researchers at FortiGuard have uncovered a variant of the Chaos ransomware that targets Japanese Minecraft players. The malware encrypts files on gamers' Windows devices and is distributed through fake Minecraft "alt list" files promoted on gaming platforms.

Minecraft is a hugely popular sandbox video game, currently played by over 140 million people, and according to Nintendo sales figures it is the best-selling game in Japan. The creative freedom the sandbox offers players is a large part of its popularity.

According to FortiGuard researchers, Chaos ransomware is actively spreading in Japan, encrypting Minecraft players' files and dropping ransom notes.

The bait used by the threat actors is an 'alt list' text file that supposedly contains stolen Minecraft account credentials but is in reality the Chaos ransomware executable. Minecraft players who want to troll or harass other players without risking a ban on their own account use 'alt' lists to find stolen accounts that they can burn on bannable offenses.

Because of their popularity, alt lists are always in demand and are commonly shared for free or by automated account mills that supply the community with "spare" accounts. After encrypting a victim's files, this Chaos variant appends four random characters or digits to their extensions and drops a ransom note named 'ReadMe.txt' in which the criminals demand 2,000 yen (~$17.56) for file recovery.

This particular Chaos variant is configured to search the compromised system for files of various types smaller than 2MB and encrypt them. Files larger than 2MB are instead overwritten with random bytes, which makes them unrecoverable even if the ransom is paid. Because of this destructive behaviour, victims who pay can only get their smaller files back.

The reason for this behaviour is unclear; it may be poor coding, a misconfiguration, or a deliberate attempt to destroy gamers' files. In this campaign the criminals advertise harmless-looking text files to create a false sense of safety and then deliver executables instead. Users should remain vigilant and not execute any file they download from the Internet unless they trust the site and have scanned the file with a service such as VirusTotal.
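The 2MB split described above matters during incident response, because it decides which files a decryptor could ever restore and which must come from backup. The following Go program is an added triage example, not FortiGuard's tooling or anything from the malware itself: it walks a directory tree, locates the ReadMe.txt note, and buckets renamed files by the 2MB threshold. It assumes the four random characters are appended as a new ".XXXX" extension after the original one (e.g. "photo.jpg.Ab3k"), which is a guess about the naming pattern; the sample directory it builds is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
)

// Behaviour summarised from the article: files up to 2 MB are encrypted and get
// four random characters appended to the extension; larger files are overwritten
// with random bytes. ASSUMPTION: the suffix appears as ".XXXX" after the original
// extension (e.g. "photo.jpg.Ab3k"); adjust suffixRe once you hold a real sample.
const (
	sizeLimit = 2 << 20 // the 2 MB threshold named in the article
	noteName  = "ReadMe.txt"
)

// Requires an original extension followed by a 4-character suffix, so ordinary
// four-letter extensions such as ".docx" or ".json" are not flagged.
var suffixRe = regexp.MustCompile(`\.[A-Za-z0-9]+\.[A-Za-z0-9]{4}$`)

type Report struct {
	Notes       []string // ransom notes located
	Recoverable []string // renamed files <= 2 MB: encrypted, so a key could restore them
	Destroyed   []string // renamed files > 2 MB: overwritten, restore from backup only
}

// Triage walks root and sorts every affected file into the report buckets.
func Triage(root string) (Report, error) {
	var r Report
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		if d.Name() == noteName {
			r.Notes = append(r.Notes, path)
			return nil
		}
		if !suffixRe.MatchString(d.Name()) {
			return nil // not renamed: treated as untouched
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if info.Size() > sizeLimit {
			r.Destroyed = append(r.Destroyed, path)
		} else {
			r.Recoverable = append(r.Recoverable, path)
		}
		return nil
	})
	return r, err
}

// BuildSampleTree creates a constructed directory mimicking a post-infection
// layout; the 3 MB file is sparse so the sample costs nothing to create.
func BuildSampleTree() (string, error) {
	dir, err := os.MkdirTemp("", "chaos-triage")
	if err != nil {
		return "", err
	}
	small := []byte("ciphertext placeholder (constructed)")
	files := map[string][]byte{
		noteName:               []byte("pay 2000 yen (constructed note)"),
		"notes.txt.Ab3k":       small,
		"saves/world.dat.Q9zL": small,
		"untouched.docx":       []byte("not renamed, not touched"),
	}
	for name, data := range files {
		p := filepath.Join(dir, name)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return "", err
		}
		if err := os.WriteFile(p, data, 0o644); err != nil {
			return "", err
		}
	}
	big, err := os.Create(filepath.Join(dir, "video.mp4.Zx81"))
	if err != nil {
		return "", err
	}
	defer big.Close()
	return dir, big.Truncate(3 << 20) // 3 MB: above the threshold
}

func main() {
	dir, err := BuildSampleTree()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	r, err := Triage(dir)
	if err != nil {
		panic(err)
	}
	fmt.Printf("notes=%d recoverable=%d destroyed=%d\n",
		len(r.Notes), len(r.Recoverable), len(r.Destroyed))
}
```

The suffix pattern is deliberately conservative: requiring two extensions avoids false positives on ordinary four-letter extensions, at the cost of missing files that had no extension to begin with. Run it against a copy of the affected share, never the live one, and treat the Recoverable list as "worth keeping for a decryptor", not as proof that recovery is possible.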

Sydney Man Detained by AFP, Obliged to Pay AUS $1.66 Million

A Sydney man who sold hijacked subscription-service credentials has been ordered to forfeit almost $1.66 million, in cryptocurrency and some cash. The 23-year-old had already been sentenced in April to two years and two months in prison for running the large-scale illicit operation, which sold Netflix, Hulu and Spotify usernames and passwords.

According to the AFP, the funds will be allocated by the Department of Home Affairs to support crime prevention, law enforcement and community safety activities. The offender also faces the two-year and two-month jail term.

The AFP launched an investigation in May 2018 after receiving information from the FBI concerning a now-defunct account-generating website named WickedGen.com. 

WickedGen was a portal that offered stolen login information for internet subscription services such as Netflix, Spotify, and Hulu. The account information belonged to unwitting individuals in Australia and across the world, including the United States. 

The Sydney resident was identified as the founder, operator, developer and main financial beneficiary of WickedGen and of three additional sites that provided similar services. Across the four websites he had over 150,000 registered members and sold about 86,000 subscriptions giving unlawful access to legitimate streaming services.

In October of last year, the Sydney man pleaded guilty to obtaining these usernames and passwords. Following the guilty plea, the AFP's Criminal Assets Confiscation Taskforce (CACT) secured restraining orders over the individual's cryptocurrency, bank and PayPal accounts, which were held under fictitious identities.

Online subscription usage has grown in Australia: nearly as many Australians now consume content through subscription streaming platforms such as Netflix as watch free-to-air television.

According to figures published by the Australian Bureau of Communications, Arts and Regional Research, the prominence of over-the-top services has been on the rise.

A New Ransomware Variant Based on Golang has Surfaced

Threat actors are increasingly writing ransomware in the Go programming language; Babuk, Hive and HelloKitty are among the Golang-based threats, alongside a slew of others. Go was introduced by Google as a statically typed, object-oriented, cross-platform programming language. Its syntax is comparable to C, but it adds memory safety, garbage collection, structural typing and CSP-style concurrency. Because of its domain name, golang.org, the language is often referred to as Golang, but its proper name is Go.

DECAF is a new ransomware strain discovered by Morphisec Labs, written in Go 1.17. The first version, which still included symbols and a test assertion, was discovered in late September. The attackers quickly stripped that alpha build, added more functionality, and posted a stub version to test its detection score. Within a week they had a fully weaponized version on a customer site.

Go 1.17 is the most recent release, arriving six months after Go 1.16. Most of the changes are to the toolchain, runtime and libraries. Go 1.17 also includes three small enhancements to the language:

 • Conversions from slice to array pointer: an expression s of type []T may now be converted to the array pointer type *[N]T. If a is the result of such a conversion, then corresponding in-range indices refer to the same underlying elements: &a[i] == &s[i] for 0 <= i < N. The conversion panics if len(s) is less than N.

 • unsafe.Add: unsafe.Add(ptr, len) adds len to ptr and returns the updated pointer unsafe.Pointer(uintptr(ptr) + uintptr(len)).

 • unsafe.Slice: for an expression ptr of type *T, unsafe.Slice(ptr, len) returns a slice of type []T whose underlying array starts at ptr and whose length and capacity are len.
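The three language changes are easier to reason about when seen side by side, particularly the failure modes: the slice-to-array-pointer conversion panics on a short slice, while unsafe.Add and unsafe.Slice perform no bounds checking at all, which is exactly what makes "memory safety" conditional on the programmer once the unsafe package is involved. The program below is an added example written for this article, not code from Morphisec or from the DECAF sample; all function names are ours.

```go
package main

import (
	"fmt"
	"unsafe"
)

// ToArrayPtr performs the Go 1.17 slice-to-array-pointer conversion. The
// conversion panics when len(s) < 4, so the panic is recovered and reported
// as ok == false instead of taking the whole process down.
func ToArrayPtr(s []int) (p *[4]int, ok bool) {
	defer func() {
		if recover() != nil {
			p, ok = nil, false
		}
	}()
	return (*[4]int)(s), true
}

// SharesBacking shows that the array pointer aliases the slice's storage:
// a write through p is visible through s, and &p[i] == &s[i].
func SharesBacking(s []int) bool {
	p, ok := ToArrayPtr(s)
	if !ok {
		return false
	}
	p[0] = 99
	return s[0] == 99 && &p[1] == &s[1]
}

// ThirdViaAdd reads s[2] by pointer arithmetic with unsafe.Add. Unlike s[2],
// this is not bounds-checked: the caller must guarantee len(s) >= 3.
func ThirdViaAdd(s []int) int {
	base := unsafe.Pointer(&s[0])
	elem := unsafe.Add(base, 2*unsafe.Sizeof(s[0]))
	return *(*int)(elem)
}

// BytesOf views the storage of a uint32 as a 4-byte slice with unsafe.Slice.
// Writes through the returned slice modify v in place.
func BytesOf(v *uint32) []byte {
	return unsafe.Slice((*byte)(unsafe.Pointer(v)), 4)
}

// ByteSum adds the bytes of v; the result is the same on little- and
// big-endian machines even though the byte order differs.
func ByteSum(v uint32) int {
	sum := 0
	for _, b := range BytesOf(&v) {
		sum += int(b)
	}
	return sum
}

func main() {
	_, ok := ToArrayPtr([]int{1, 2, 3})
	fmt.Println("short slice converts:", ok)
	fmt.Println("array pointer aliases slice:", SharesBacking([]int{1, 2, 3, 4, 5}))
	fmt.Println("s[2] via unsafe.Add:", ThirdViaAdd([]int{10, 20, 30}))
	fmt.Println("byte sum of 0x01020304:", ByteSum(0x01020304))
}
```

For reviewers of Go code, the practical takeaway is that a grep for unsafe.Add and unsafe.Slice finds exactly the places where the compiler's bounds checks have been opted out of, which is where a length argument computed from untrusted input needs a manual check.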

The data the ransomware needs for its malicious activity is set up during the initialization stage. The malware begins by parsing the --path command-line argument, which specifies the root directory from which it will recursively encrypt data. Its next task is to determine which directories to encrypt.

It checks whether --path is set and, if it is not, calls FileUtils.ListDriverRootPaths(). Researchers found that ListDriverRootPaths iterates over all potential drives, keeping those whose type is anything other than DRIVE_CDROM. The malware's final action in this stage is to construct a WMI object for later use.

Microsoft: Shrootless Bug Allows Hackers to Install macOS Rootkits

A new macOS vulnerability found by Microsoft could be used by attackers to circumvent System Integrity Protection (SIP), perform arbitrary operations, gain root privileges and install rootkits on vulnerable machines.

The Microsoft 365 Defender Research Team disclosed the Shrootless vulnerability (now tracked as CVE-2021-30892) to Apple via the Microsoft Security Vulnerability Research Program (MSVR). SIP (also known as rootless) is a macOS security mechanism that prevents potentially dangerous programs from editing protected folders and files by restricting the root user account's ability to conduct operations on protected sections of the OS. 

SIP permits only processes signed by Apple, or those with specific entitlements (for example, Apple software updates and Apple installers), to change these protected parts of macOS. Microsoft researchers found the Shrootless flaw after noticing that the system_installd daemon had the com.apple.rootless.install.inheritable entitlement, which allowed any of its child processes to bypass SIP's filesystem restrictions entirely.

Jonathan Bar Or, a principal security researcher at Microsoft, stated, "We found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed. A malicious actor could create a specially crafted file that would hijack the installation process. After bypassing SIP's restrictions, the attacker could then install a malicious kernel driver (rootkit), overwrite system files, or install persistent, undetectable malware, among others."

Apple addressed the vulnerability in the security updates released on October 26. According to Apple's security advisory, "a malicious programme may be able to manipulate protected areas of the file system."

"We want to thank the Apple product security team for their professionalism and responsiveness in fixing the issue," Jonathan Bar Or added.

Microsoft also announced last week that it has discovered new strains of macOS WizardUpdate malware (also known as UpdateAgent or Vigram), which had been upgraded to employ new evasion and persistence techniques. 

The trojan delivers second-stage malware payloads such as Adload, a malware strain active since late 2017 and notorious for infecting Macs despite Apple's built-in, YARA signature-based XProtect antivirus.
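The Shrootless finding above comes down to an entitlement inventory question: which binaries hold a rootless.install grant, and is it the variant that child processes inherit? The Go program below is an added example, not Microsoft's or Apple's code, showing how a defender can parse the XML property list that `codesign -d --entitlements :- <path>` prints for a binary and flag such grants. The embedded plist is constructed for the demonstration and is not the real entitlements of any Apple binary; the key name is taken from the article, and the parser only inspects top-level boolean entitlements.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Constructed sample in the shape of the XML plist that
// `codesign -d --entitlements :- <binary>` prints. Illustrative only.
const sampleEntitlements = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>com.apple.rootless.install.inheritable</key>
	<true/>
	<key>com.apple.security.network.client</key>
	<true/>
	<key>com.apple.security.app-sandbox</key>
	<false/>
	<key>com.apple.application-identifier</key>
	<string>TEAMID.example.placeholder</string>
</dict>
</plist>`

// GrantedBooleans returns the top-level keys whose value is <true/>, sorted.
// Non-boolean values (strings, arrays, nested dicts) are skipped, not inspected.
func GrantedBooleans(plist string) ([]string, error) {
	dec := xml.NewDecoder(strings.NewReader(plist))
	var granted []string
	depth, inKey, pending := 0, false, ""
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			switch t.Name.Local {
			case "dict":
				depth++
				pending = ""
			case "key":
				inKey = depth == 1 // only keys of the outermost dict
			case "true":
				if depth == 1 && pending != "" {
					granted = append(granted, pending)
				}
				pending = ""
			default: // <false/>, <string>, <array>, <plist>: not a granted boolean
				pending = ""
			}
		case xml.CharData:
			if inKey {
				pending = strings.TrimSpace(string(t))
			}
		case xml.EndElement:
			switch t.Name.Local {
			case "dict":
				depth--
			case "key":
				inKey = false
			}
		}
	}
	sort.Strings(granted)
	return granted, nil
}

const sipPrefix = "com.apple.rootless.install"

type Finding struct {
	Key       string
	Heritable bool // child processes inherit the grant: the condition the article describes
}

// AuditSIP flags granted entitlements that permit writes to SIP-protected paths.
func AuditSIP(granted []string) []Finding {
	var out []Finding
	for _, k := range granted {
		if strings.HasPrefix(k, sipPrefix) {
			out = append(out, Finding{Key: k, Heritable: strings.HasSuffix(k, "heritable")})
		}
	}
	return out
}

func main() {
	granted, err := GrantedBooleans(sampleEntitlements)
	if err != nil {
		panic(err)
	}
	for _, f := range AuditSIP(granted) {
		fmt.Printf("SIP-capable entitlement %s (inherited by children: %v)\n", f.Key, f.Heritable)
	}
}
```

The value of such an inventory is not the single daemon Microsoft named but the list as a whole: every heritable grant is a place where the security of SIP depends on whatever that process decides to execute, so it is the short list to review whenever Apple ships a SIP-related fix.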

Russian accused of developing programs for the Trickbot hacker network extradited from South Korea to US

The US Department of Justice said that the Russian is a member of a hacker group that operated the Trickbot malware network. The network has been used to attack "millions of computers" around the world, including those of schools, banks, healthcare providers, and energy and agricultural companies, prosecutors said.

According to the department's press release, 38-year-old Vladimir Dunaev and his accomplices stole money and confidential information from November 2015 until August 2020 and also damaged computer systems. Individuals, financial and government institutions, utilities and private enterprises are among the victims.

The US Department of Justice says Mr. Dunaev was allegedly one of the developers of malware for the Trickbot network: he created browser modifications and helped the malicious software evade security products.

The Russian was extradited from South Korea to the United States last week, on October 20. He is charged with conspiracy to commit computer fraud and identity theft, conspiracy to commit information technology and banking fraud, and conspiracy to launder money. In total, more than 10 people are involved in the case, including four Russians and one Ukrainian.

In June, similar charges were brought against a Latvian citizen, Anna Witte, whom the US Justice Department also considers a member of the group behind Trickbot. According to the American side, the network was located in Russia, Ukraine, Belarus and Suriname (South America). The Washington Post wrote that Trickbot is allegedly controlled by Russian-speaking attackers. In November 2020 the network was taken down in an operation in which Microsoft took part.

DeFi Protocol Cream Finance Suffers a $130 Million Hack

Cream Finance, an Ethereum-based lending and borrowing protocol, has suffered a flash loan attack, losing over $130 million worth of ether and ERC-20 tokens.

According to PeckShield, a blockchain security firm, threat actors exploited a security loophole in the platform's flash loan feature, transferred the stolen funds to a wallet under their control, and then split them across other wallets.

Following the attack, the value of the Cream LP token fell by a substantial 27 percent and is currently priced at around $111 (roughly Rs. 8,300), according to CoinGecko. The protocol, which has over 72,000 followers on Twitter, confirmed the attack and said an investigation is underway.

Additionally, the Cream Finance team is trying to negotiate with the hackers, offering them 10% of the stolen tokens. This is a known strategy that has paid off for some protocols exploited in the past.

Unfortunately, this is the third flash loan attack Cream Finance has suffered this year: threat actors stole $29 million in August and $37 million in February. This latest hack is the third-largest DeFi hack in history.

According to a recent report by CipherTrace, DeFi attacks are becoming very profitable for cybercriminals. They accounted for 76% of all major hacks in 2021 and netted $361 million.

“By July 2021, DeFi-related hacks total $361 million, already making up three-quarters of the total hack volume this year—a 2.7x increase from 2020. DeFi-related fraud continues to rise, as well. At the time of this report, DeFi-related fraud accounted for 54% of major crypto fraud volume, whereas last year DeFi-related fraud only made up 3% of the year’s total,” states CipherTrace. 

“The three hacks that Cream Finance has experienced are all related to flash loans, and the hackers from the [August attack] returned [most of] the stolen funds,” Sun Huang, general manager and vice president for security development operations at XREX Inc. stated. “This time we can expect the hacker to return as well, especially when the tracking technology for blockchain has become more mature and many could catch the hints and chase down attackers.”

400,000 German Students' Data Exposed due to API Flaw

A newly found API flaw in Scoolio, a school app used by 400,000 German students, has exposed those students' personal information. Lilith Wittmann of the IT security collective Zerforschung discovered the issue and notified the application's team immediately.

Scoolio serves targeted advertising based on data collected from its users, most of whom are students, without their knowledge or consent. It nonetheless asserts that it does not collect any user information.

According to Wittmann's report, Scoolio's API shortcomings allowed information to be extracted simply by supplying a user ID. Anyone using this technique could obtain the user's username, email address, GPS history, school name and class, interests, UUID data, and personal details such as origin, religion and gender.

The researcher also published a mock-up illustrating the types of data affected by the issue.

The researcher also noted that the API fix needed to stop the leak was relatively straightforward, and that it arrived within 30 days, on October 25, 2021, after the developers were notified of the issue on September 21, 2021. She goes on to say that it is impossible to tell how many students were affected because Scoolio inflates its user statistics. The app's developers have published an official document describing the patch and have confirmed it.

Scoolio provides users with tools for time management, homework planning, staying in touch with friends, and even contacting companies about job vacancies or internships. The company behind the app partnered with several German schools and marketed it as a remote-teaching support tool. It was created with funding from three state-owned investment groups, SIB Innovations und Beteiligungsgesellschaft mbH, Technologiegründerfonds Sachsen and Kreissparkasse Bautzen, so many students are effectively compelled to use the software through school partnerships and government initiatives endorsing it.

The fundamental issue is that nobody is auditing these apps for security flaws. An initiative dubbed "EduCheck Digital" (EDCD), which began in August, is attempting to evaluate which educational software meets German data-protection requirements and can be cleared for use in schools.

"I would like to thank Ms. Wittmann for the information and the SDS for the exchange and thank you for your feedback on our security measures," Danny Roller, CEO, and founder of the Scoolio app shared in a statement. 

"Fortunately, after extensive testing, we can confirm that No user data was intercepted by third parties before the investigation by Ms. Wittmann and we have successfully closed the gaps found."

This WordPress Plugin Flaw Impacts 1M Sites & Allows Malicious Redirects

A high-severity flaw in the OptinMonster plugin permits unauthorized API access and leaks sensitive information on around a million WordPress sites.

The flaw, identified as CVE-2021-39341, was found by researcher Chloe Chamberland on September 28, 2021, and a fix was made available on October 7, 2021. All OptinMonster plugin users are recommended to upgrade to version 2.6.5 or later, as all previous versions are impacted. 

OptinMonster is a popular WordPress plugin for creating stunning opt-in forms that assist site owners in converting visitors to subscribers/customers. It is primarily a lead generation and monetization tool, and it is used on roughly a million websites because of its ease of use and variety of features.

According to Chamberland's vulnerability disclosure report, OptinMonster's functionality relies on API endpoints that allow easy integration and a streamlined design process. However, these endpoints are not always implemented securely, the '/wp-json/omapp/v1/support' endpoint being the most serious example.

This endpoint can disclose information such as the site's full path on the server, the API keys used for site requests, and more. An attacker holding the API key could modify the OptinMonster account or even inject malicious JavaScript snippets into the site, and the site would run this code, unnoticed, every time a visitor triggered an OptinMonster element.

To make matters worse, the intruder would not even need to authenticate to the targeted site to use the API endpoint, since an HTTP request meeting certain simple conditions would bypass the security checks. While the '/wp-json/omapp/v1/support' endpoint is the worst case, it is not the only insecure REST API endpoint that could be exploited.

When the researcher's findings reached the OptinMonster team, the plugin's developers concluded that the entire API needed to be revisited. Consequently, all OptinMonster updates that appear in the WordPress dashboard over the coming weeks should be installed, as they will most likely resolve further API issues.

Meanwhile, any API keys that may have been stolen were immediately invalidated, forcing site owners to generate new ones. This case demonstrates how widely deployed and popular WordPress plugins can harbour several undetected flaws for extended periods.
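The Scoolio flaw (any user's record returned for any user ID) and the OptinMonster flaw (a support endpoint that answers unauthenticated requests and echoes API keys) are the same two missing checks: authentication, and then object-level authorization. The Go program below is an added example written for this page, not Scoolio's or OptinMonster's code, and it makes no claim about how either product is implemented. It uses the standard library's net/http and net/http/httptest with constructed in-memory users, tokens and an API key, keeping a deliberately broken legacy handler beside the hardened one so the difference is visible in the status codes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed in-memory data; none of this is Scoolio's or OptinMonster's code.
var (
	users = map[string]map[string]string{
		"u-1001": {"name": "alice", "email": "alice@example.invalid", "religion": "(sensitive)"},
		"u-1002": {"name": "bob", "email": "bob@example.invalid", "religion": "(sensitive)"},
	}
	sessions = map[string]string{"tok-alice": "u-1001", "tok-bob": "u-1002"} // bearer token -> user ID
	admins   = map[string]bool{"u-1001": true}
	apiKey   = "live-key-constructed-0000" // the secret a diagnostics endpoint must never echo
)

// callerID maps the bearer token to a user ID; "" means unauthenticated.
func callerID(r *http.Request) string {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return ""
	}
	return sessions[strings.TrimPrefix(h, "Bearer ")]
}

// legacyProfile is the broken pattern: whoever supplies an id gets that record
// (an insecure direct object reference), and no authentication is required.
func legacyProfile(w http.ResponseWriter, r *http.Request) {
	u, ok := users[r.URL.Query().Get("id")]
	if !ok {
		http.NotFound(w, r)
		return
	}
	json.NewEncoder(w).Encode(u)
}

// profile is the hardened version: authenticate, then enforce that the caller
// owns the requested record. Order matters: authentication before authorization.
func profile(w http.ResponseWriter, r *http.Request) {
	caller := callerID(r)
	if caller == "" {
		http.Error(w, "authentication required", http.StatusUnauthorized)
		return
	}
	id := r.URL.Query().Get("id")
	if id != caller {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	json.NewEncoder(w).Encode(users[id])
}

// support is a diagnostics endpoint: admin-only, and it returns only the last
// four characters of the key, so a leaked response reveals nothing usable.
func support(w http.ResponseWriter, r *http.Request) {
	caller := callerID(r)
	if caller == "" {
		http.Error(w, "authentication required", http.StatusUnauthorized)
		return
	}
	if !admins[caller] {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	json.NewEncoder(w).Encode(map[string]string{
		"plugin_version": "2.6.5",
		"api_key_hint":   "****" + apiKey[len(apiKey)-4:],
	})
}

// NewServer wires the routes; /legacy/profile stays only to contrast with /v1/profile.
func NewServer() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/legacy/profile", legacyProfile)
	mux.HandleFunc("/v1/profile", profile)
	mux.HandleFunc("/v1/support", support)
	return mux
}

// Call issues an in-process request and returns the status code and body.
func Call(h http.Handler, path, token string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	srv := NewServer()
	for _, c := range []struct{ path, token string }{
		{"/legacy/profile?id=u-1002", ""},      // 200: anyone reads bob's record
		{"/v1/profile?id=u-1002", ""},          // 401: no session
		{"/v1/profile?id=u-1002", "tok-alice"}, // 403: alice is not bob
		{"/v1/profile?id=u-1002", "tok-bob"},   // 200: owner
		{"/v1/support", "tok-bob"},             // 403: not an admin
		{"/v1/support", "tok-alice"},           // 200, key not echoed
	} {
		code, body := Call(srv, c.path, c.token)
		fmt.Printf("%-28s token=%-11q -> %d %s", c.path, c.token, code, body)
	}
}
```

Two design points carry over to real frameworks: the ownership check compares the requested ID with the identity derived from the session, never with anything the client sends, and the diagnostics endpoint is written so that even a correct caller cannot extract the secret, which removes the need to rotate keys after a leak of that response.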

Lazarus Has Started to Target the IT Supply Chain

The North Korea-backed Lazarus hacking group has shifted its focus to new targets and, according to Kaspersky security researchers, is improving its supply-chain attack capabilities. After breaching a Latvian IT provider in May, Lazarus used a new variant of the BLINDINGCAN backdoor to attack a South Korean think tank in June.

In the first case found by Kaspersky researchers, Lazarus built an infection chain that began with legitimate South Korean security software delivering a malicious payload. The target in the second case was a Latvian company that develops asset-monitoring solutions, an unusual victim for Lazarus. CISA and the FBI were the first to document the backdoor used in these attacks. According to the researchers, it can evade detection by removing itself from infected computers, exfiltrate data, create and kill processes, and tamper with file and folder timestamps.

The infection chain included the Racket downloader, which was signed with a stolen certificate. The group compromised vulnerable web servers and installed scripts that gave them control over the malicious implants.

For some months Lazarus has been targeting the defence industry for cyber-espionage using the MATA malware framework, according to Kaspersky. The group had previously used MATA for a variety of purposes, including data theft and ransomware delivery. The attacks used a multi-stage infection chain in which a downloader fetched further malware from the command and control (C&C) server. For this campaign Lazarus upgraded the MATA framework and signed some of its components with a legitimate but stolen digital certificate.

“Through this research, we discovered a stronger connection between MATA and the Lazarus group, including the fact that the downloader malware fetching MATA malware showed ties to TangoDaiwbo, which we had previously attributed to the Lazarus group,” Kaspersky said. 

Lazarus, also known as Hidden Cobra, has been active since at least 2009 and is suspected of orchestrating a number of high-profile attacks. In 2020 the group targeted COVID-19 research, members of the security research community, and vaccine maker Pfizer.

"These recent developments highlight two things: Lazarus remains interested in the defense industry and is also looking to expand its capabilities with supply chain attacks," said Ariel Jungheit, a senior security researcher at Kaspersky. "When carried out successfully, supply chain attacks can cause devastating results, affecting much more than one organization – something we saw clearly with the SolarWinds attack last year."

Russian hackers disguised themselves as Americans to hide cyber espionage

The hacker group Nobelium, which information security experts link to the Russian Federation, tried to disguise its activity using residential proxies: the IP addresses of the mobile and home networks of ordinary Americans.

This concerns a new Nobelium campaign (the group is also believed to be behind the high-profile cyberattack on the American software vendor SolarWinds) aimed at organizations in the global IT supply chain. According to Microsoft, since May of this year the hackers have attacked more than 140 technology service providers and managed to compromise 14 of them.

Between July 1 and October 19 of this year, Microsoft recorded more than 22 thousand Nobelium attacks on 609 of its customers, but most of the attacks were unsuccessful.

According to a Bloomberg source, the campaign targeted American government departments, non-governmental organizations and technology firms.

According to Charles Carmakal, senior vice president at the information security company Mandiant, the hackers used residential IP proxies: IP addresses associated with a specific location that can be purchased over the Internet.

Such proxies make it possible to disguise hacking attempts as traffic originating from American mobile phones or home Internet connections. For example, an attacker's attempt to log in to a corporate network from the outside will look like a company employee logging in from a mobile phone.

Nobelium and other hacker groups use Bright Data, Oxylabs and IP Burger to obtain residential proxies.

In response to Bloomberg's request to comment on the situation, representatives of Israel-based Bright Data reported that the company carefully checks customers and found no signs of Nobelium using their networks. Lithuanian Oxylabs stated that they are conducting an internal investigation, which currently has not revealed any signs of malicious use of the service.

Scammers are Using Fake Job Listings to Steal Applicants' Identities

Job hunting during a pandemic has proven much harder than in normal times. Threat actors are using phony job advertisements to steal applicants' identities and use them to commit fraud.

One of the methods scammers use to lure people is advertising unusually generous pay. One example is an airport shuttle driver vacancy in which the scammers offer a job picking up passengers 35 hours a week at an appealing weekly rate that works out to more than $100,000 a year.

But in reality, airports aren't really offering six-figure salaries for shuttle drivers. Instead, the fake ads are scammers’ latest attempt to steal people’s identities and use them to commit fraud, according to recent warnings from the FBI, the Federal Trade Commission, and cybersecurity firms that monitor such cyber frauds. 

The U.S. Secret Service, which is responsible for investigating financial crimes, also acknowledged that it has noticed a "marked increase" in phony job ads seeking to steal people's personal data, often with the goal of filing fake unemployment insurance claims.

“These fraudsters, they’re like a virus. They continue to mutate. This particular mutation is an emerging threat,” said Haywood Talcove, chief executive of the government division of LexisNexis Risk Solutions. 

Earlier this year, in March, LexisNexis discovered around 2,900 ads offering unusually generous pay, using suspicious email domains and requiring applicants to verify their identity upfront. The number of these fake job scams surged to 18,400 by July and to 36,350 as of this month. Talcove said these figures are based on a small sample of job ads and that the real number is likely much higher.

According to the U.S. Department of Labor, nearly 2.9% of all workers in America quit their jobs in August, an all-time high. Meanwhile, huge numbers of laid-off workers are still seeking work, making for historic churn in the labor market. In 2020, the FBI's Internet Crime Complaint Center recorded 16,012 victims of employment scams.

Some scammers clone companies' hiring websites to trick people. One such fake job application site uses Spirit Airlines' photos, text, fonts and color scheme. The fake site asks applicants to upload copies of both sides of their driver's license at the outset of the process and then emails them seeking more information from a web address that resembles Spirit's but has an extra "i" (spiiritairline.com).

Last week, the FBI issued an alert regarding phony websites that scammers design to resemble the state unemployment websites of Illinois, Maryland, Nevada, New Mexico, and Wisconsin. Fraudsters use the sites to steal victims’ private details, according to the FBI. 

To mitigate the risk, the FBI recommends searching for the company by name only; if multiple websites with similar names appear, the job listing may be fake. Also, companies typically ask for bank account information after hiring applicants, not before. The FBI also urges people never to provide bank details to a prospective employer and to reveal personal details only after verifying the company's identity.
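The "extra i" trick in spiiritairline.com is the kind of lookalike that a mail gateway or an HR team's link checker can flag automatically against a short list of a company's real domains. The Go program below is an added example for this article, not code from the FBI, LexisNexis or Spirit Airlines; the allowlist entry it uses is an assumed sample value, and the two heuristics (a small edit distance to the brand label, or the brand appearing once repeated letters are collapsed) are our own choice of checks, not a published standard.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed allowlist: registrable domain -> brand label. "spirit.com" is an
// assumed sample value; a real deployment maintains this from an authoritative
// source such as the company's own published list of domains.
var allowlist = map[string]string{
	"spirit.com": "spirit",
}

type Verdict string

const (
	Trusted   Verdict = "trusted"   // exactly on the allowlist
	Lookalike Verdict = "lookalike" // resembles a brand but is not on the allowlist
	Unrelated Verdict = "unrelated" // no resemblance found
)

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein returns the edit distance between a and b (insert, delete, substitute).
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// collapseRepeats turns "spiiritairline" into "spiritairline": the repeated
// letter is the trick the article describes.
func collapseRepeats(s string) string {
	var b strings.Builder
	var last rune = -1
	for _, r := range s {
		if r != last {
			b.WriteRune(r)
		}
		last = r
	}
	return b.String()
}

// Classify judges a domain against the allowlist. ASSUMPTION: the registrable
// label is the second-to-last label, which holds for .com-style domains but not
// for suffixes such as .co.uk.
func Classify(domain string) Verdict {
	d := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(domain), "."))
	if _, ok := allowlist[d]; ok {
		return Trusted
	}
	parts := strings.Split(d, ".")
	if len(parts) < 2 {
		return Unrelated
	}
	label := parts[len(parts)-2]
	for _, brand := range allowlist {
		if levenshtein(label, brand) <= 2 {
			return Lookalike // e.g. a dropped or swapped letter
		}
		if strings.Contains(collapseRepeats(label), collapseRepeats(brand)) {
			return Lookalike // e.g. brand plus an extra word or a doubled letter
		}
	}
	return Unrelated
}

func main() {
	for _, d := range []string{"spirit.com", "spiiritairline.com", "spirt.com", "example.org"} {
		fmt.Printf("%-22s %s\n", d, Classify(d))
	}
}
```

The edit-distance check alone would have missed spiiritairline.com (it differs from "spirit" by far more than two edits), which is why the collapse-and-contain check is there; conversely the substring check would flag a legitimate partner domain that happens to contain the brand, so in practice a Lookalike verdict is a prompt to verify through a known channel, as the FBI advises, rather than an automatic block.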