
Balikbayan Foxes: Threat Group Impersonating Philippine Entities

Proofpoint has discovered a new and “highly functional” cybercriminal group that is impersonating many departments of the Philippine government and businesses to spread Trojan malware. The group, dubbed "Balikbayan Foxes" and tracked as TA2722, mainly targets Shipping/Logistics, Business Services, Manufacturing, Finance, Pharmaceutical, and Energy entities across the region. The group also targets organizations in other regions, including North America, Europe, and Southeast Asia.

The threat actors conducted a series of campaigns throughout 2021 in which they impersonated various Philippine government bodies, including the Philippine Overseas Employment Administration (POEA), the Department of Health, and the Bureau of Customs, to send phishing emails. In other campaigns the group impersonated the Manila embassy of the Kingdom of Saudi Arabia (KSA) and DHL Philippines.

According to the research, the continuous pattern of spoofed email addresses and lures designed to impersonate government bodies makes it clear that the threat actors are targeting organizations directly or indirectly connected to the Philippine government. The threat actors also used themes related to COVID-19 infection information, invoicing, billing, and industry advisories. Some of the targets are part of very large supply chains, so a compromise could have a far-reaching impact.

Proofpoint's research found that in every campaign the threat actors distributed either the Remcos or the NanoCore remote access trojan (RAT). Remcos and NanoCore are mainly used for surveillance, information gathering, monitoring, data theft, and control of compromised computers.

Different delivery mechanisms have been observed across the campaigns. In some cases, phishing emails contained OneDrive URLs linking to RAR files with embedded UUE files; in others, crafted PDFs were attached containing embedded URLs leading to compressed executables (.iso files) that download and run the malware. The group has also used another common payload delivery method: MS Excel documents containing macros that, if enabled, execute the Trojan.

The report also shows that Balikbayan Foxes is expanding and advancing its tactics, and the researchers add that the group is highly active at present.

Delhi Police: Nigerian Arrested for Scamming People by Hacking Mobile Phones

The Intelligence Fusion and Strategic Op (IFSO) unit of Delhi Police uncovered a syndicate that was hacking into people's mobile devices and WhatsApp accounts using custom-made malware.

According to sources, the syndicate's leader recently hacked a senior bureaucrat's WhatsApp account, prompting a full-fledged inquiry. The mastermind of the module, identified as Chimelum Emmanuel Aniwetalu alias Maurice from Nigeria, has been arrested, according to DCP (IFSO) KPS Malhotra. His associate has also been found, and operations are underway to capture him. The syndicate was operating in Delhi and Bangalore. 

DCP Malhotra stated, “The syndicate was sending malware through WhatsApp and thereby accessing call logs, SMSs and contacts and control of the targeted WhatsApp account. After hacking the account, they would pose as the original WhatsApp account holder and communicate with the contact list thereby further hacking into more contacts.” 

“We had received a complaint that a person’s mobile phone was hacked by some unknown persons. Taking over the control of the WhatsApp of the complainant, they started demanding money from the contact list of the complainant by sending various distress messages. The accused had also provided a bank account to the contacts of the complainant for transferring the money."

An FIR was filed at IFSO, and an investigation team comprising ACP Raman Lamba and inspectors Vijay Gahlawat and Bhanu Pratap was constituted. A technical investigation, including IP address analysis (IP-DR) and human intelligence, led to the identification of one of the accused, who was caught during a raid. He was captured with a laptop and 15 phones.

Examination of the confiscated laptop showed that the gang used apps to create and distribute multiple malicious URLs. The accused had delivered malware disguised as an application to the victims' devices.

DCP Malhotra further stated, “The accused created a dedicated application for each victim which when downloaded and installed on the victim’s phone, sent contacts, call logs and SMSs on the accused’s server.” 

During interrogation and forensic investigation of the devices, it was discovered that the accused employed a variety of methods, the most notable of which was impersonating a girl and befriending men on numerous social media sites. Once trust was established, the gang would send a link that supposedly allowed the victim to join a group of like-minded peers.

The DCP added that once a person clicked on that link, he or she lost control of their social media profiles. The gang then used those social media accounts to extract money.

The mastermind, Maurice, was found to have been overstaying in the country even though his tourist visa had expired in 2018. The investigation also showed that he was scamming individuals under the pretext of selling herbal seeds online, and that he befriended elderly men by impersonating women from other countries.

According to police, the man fabricated paperwork claiming to be a UN-approved asylum seeker. A separate case has been opened at the Mohan Garden police station in this matter. The house owner who rented his property to the foreigner has also been arrested.

“Delhi Police appeals to people for being cautious while communicating on social media and avoid clicking on any random web link or URL sent on any social media platform,” the DCP cautioned.

FBI Warns Against Ranzy Locker Ransomware That Has Attacked 30 US Firms So Far

The FBI announced on Monday, 25 October, that Ranzy Locker ransomware operators had breached at least 30 US firms from diverse industries this year.

"Unknown cybercriminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021," the FBI said in a TLP: WHITE flash alert. 

The flash alert was produced in collaboration with CISA and is intended to give information that will help security teams detect and prevent similar ransomware attacks.

The majority of Ranzy Locker victims who reported attacks to the FBI stated that the attackers broke into their networks by brute-forcing Remote Desktop Protocol (RDP) credentials.
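RDP credential brute-forcing of the kind described above leaves a distinctive trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source, sometimes followed by a success (Event ID 4624) from the same source. The following Python script is an added example, not from the FBI alert or any report discussed here; it runs over a constructed, simplified export of such events (the field layout, thresholds and IP addresses are assumed for illustration) and flags sources whose activity matches that pattern.

```python
"""Flag RDP credential brute-forcing from Windows logon events (added example).

Windows records a failed logon as Event ID 4625 and a successful one as 4624;
logon type 10 (RemoteInteractive) is the type an RDP session produces.
"""
from collections import defaultdict
from datetime import datetime

# Constructed, simplified export of Security-log events (not real logs):
# timestamp, event id, target account, source IP, logon type.
SAMPLE_LOG = """\
2021-07-12T02:14:01 4625 administrator 203.0.113.45 10
2021-07-12T02:14:03 4625 admin 203.0.113.45 10
2021-07-12T02:14:06 4625 administrator 203.0.113.45 10
2021-07-12T02:14:09 4625 backup 203.0.113.45 10
2021-07-12T02:14:12 4625 administrator 203.0.113.45 10
2021-07-12T02:14:15 4625 administrator 203.0.113.45 10
2021-07-12T02:15:40 4624 administrator 203.0.113.45 10
2021-07-12T09:02:11 4625 jsmith 192.0.2.8 10
2021-07-12T09:03:50 4624 jsmith 192.0.2.8 10
2021-07-12T11:20:00 4625 svc_sql 198.51.100.7 3
"""

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10  # RemoteInteractive


def parse_events(text):
    """Parse the simplified export into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, event_id, account, src_ip, logon_type = parts
        try:
            events.append({
                "time": datetime.fromisoformat(ts),
                "event_id": int(event_id),
                "account": account,
                "src_ip": src_ip,
                "logon_type": int(logon_type),
            })
        except ValueError:
            continue  # unparsable timestamp or number
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=5, window_seconds=300):
    """Return {src_ip: alert} for sources with >= threshold RDP failures in a window.

    Each alert records the total failures, the accounts tried and whether the
    same source logged on successfully after the burst, which is the trace a
    successful password guess leaves behind.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == RDP_LOGON_TYPE:
            by_ip[e["src_ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]
        start = 0  # sliding window over the time-ordered failures
        for end in range(len(failures)):
            while (failures[end]["time"]
                   - failures[start]["time"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 < threshold:
                continue
            burst_end = failures[end]["time"]
            alerts[ip] = {
                "failures": len(failures),
                "accounts": sorted({f["account"] for f in failures}),
                "success_after_burst": any(
                    e["event_id"] == SUCCESSFUL_LOGON and e["time"] >= burst_end
                    for e in evs
                ),
            }
            break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, alert)
```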

“The FBI first identified Ranzy Locker ransomware in late 2020 when the variant began to target victims in the United States. Unknown cybercriminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the construction subsector of the critical manufacturing sector, the academia subsector of the government facilities sector, the information technology sector, and the transportation sector,” stated the advisory. 

Other victims indicated that the attackers compromised their networks by exploiting known Microsoft Exchange Server vulnerabilities and through phishing. The attackers sought to discover sensitive data to exfiltrate, such as customer information, files containing personally identifiable information (PII), and financial records. Ranzy Locker encrypts files on infected Windows hosts (including servers and virtual machines) and network shares, and drops a ransom note in every folder where encryption took place, requesting payment in return for a decryption tool.

Victims who browse the group's Tor payment site see a 'Locked by Ranzy Locker' notice and a live chat screen where they can negotiate with the attackers. As part of the "service," the ransomware operators offer to decrypt three files for free to demonstrate that the decryptor can recover the victim's files.

If victims do not pay the ransom, their stolen documents are published on Ranzy Locker's data leak site, Ranzy Leak.

The domain utilized by their leak portal was previously used by Ako Ransomware, a move that was part of the gang's rebranding from Ako to ThunderX and subsequently Ranzy Locker. 

ThunderX was a ransomware operation that began in late August 2020. Tesorion discovered flaws in its encryption within a month of its launch, which enabled the release of a free decryptor. The cybercrime group later fixed the flaws and released a new version of the ransomware under the Ranzy Locker name.

“The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office. With regards to specific information that appears in this communication; the context, individual indicators, particularly those of a non-deterministic or ephemeral nature (such as filenames or IP addresses), may not be indicative of a compromise. Indicators should always be evaluated in light of your complete information security situation,” read the advisory.

Russian Cybercriminals Claim to have Hacked the National Rifle Association

On the dark web, a well-known Russian cybercriminal gang has posted files that it claims are from the National Rifle Association. The hacking group Grief posted 13 files to its website on Wednesday, claiming to have hacked the NRA. It has threatened to publish more files if it is not paid, but has not stated how much it is demanding.

News of the incident swiftly circulated online, with dozens of Twitter accounts with no followers attempting to amplify the attack by retweeting content about it. The accounts had been created in the previous six months and followed no one, but they shared content regarding the cyberattack, including posts from The Washington Times linking to a news report and a screenshot of Grief's website from Brett Callow, an Emsisoft threat analyst.

When asked about the new accounts' activity, Twitter stated it reviewed "many accounts violating our platform manipulation and spam policies" and then took action. Twitter could not say who was behind the manipulative activity, or whether the accounts were linked to the group that claimed responsibility for the attack on the NRA. 

Grief, according to most cybersecurity experts, is a rebranding of a group of Russian cybercriminals known as Evil Corp, which is currently under sanctions by the US Treasury Department. "It's the same group," said Allan Liska, a ransomware analyst at the cybersecurity firm Recorded Future.

When contacted for comment, the NRA did not respond. It did, however, post a tweet stating that it "does not share anything relevant to its physical or electronic security" and that it "takes extreme efforts to secure information regarding its members, donors, and operations." Although it is a criminal organization, Grief is not known for making false claims about having hacked an organization, according to Brett Callow. "I’m not aware of any incidents in which Grief/Evil Corp has attempted to take credit for other operations’ attacks," Callow said.

Some experts speculated that the NRA paid a ransom after Grief temporarily removed the NRA from its website. According to Jon DiMaggio, chief security strategist at cyber threat analysis firm Analyst1, Grief removing the NRA from its site could be evidence that the NRA paid up.

According to a screenshot posted by Mr. Callow, the NRA entry on Grief's leak site was available Monday, along with a file titled "corporate insurance" and other data. “Insurance docs are useful to ransomware operators as they effectively specify how much orgs can afford to pay — no matter what their balance sheets look like,” Mr. Callow tweeted.

"Ransomware" screens on trams and TV billboards in Russia turn out to be an ad from a cybersecurity firm

According to Positive Technologies, provocative street art mimicking ransomware first appeared: mock Windows dialog boxes were depicted on trams with the inscription “All passengers with sad faces. This tram has been hacked,” on walls with “We will return the wall for 3 BTC (bitcoin),” and on TV screens with “Right now we will steal Antey.”

A few days later, the images were replaced by others carrying a QR code linking to Positive Technologies' manifesto video about the need to pay attention to information protection.

According to Positive Technologies, the unusual campaign was meant to draw the attention of people and organizations to cybersecurity problems, which have become especially acute recently.

“In 2020, compared to 2019, the number of unique cyber incidents increased by 51%. Seven out of ten attacks were targeted. Most often, cybercriminals attacked government and medical institutions, as well as industrial enterprises,” Positive Technologies reports.

Information security experts note that the number of cyberattacks in the world has increased by 40% this year compared to the previous one. As for Russia, the number of cyberattacks has increased even more significantly — by 54%.

“The concept of art is that we visually convey the process of a hacker attack. The information environment already affects the real one. The main desire is to show through clear and simple images that everything can be hacked in the modern world. And do not underestimate such threats, because while you are reading this text, someone can hack you,” said one of the artists.

Threat Actors Use QR Codes to Steal Login Credentials

Hackers are distributing phishing emails containing QR codes in a campaign built to steal login credentials for Microsoft 365 cloud apps. Usernames and passwords for enterprise cloud services have become a prime target for attackers, who use them to launch ransomware and malware attacks or sell the stolen credentials to other threat actors for their own campaigns.

Threat actors keep finding sneaky ways to trick victims into opening malicious links that lead to phishing websites built to look like genuine Microsoft login pages, and then sell the harvested credentials.

Researchers at Abnormal Security analyzed a recent campaign in which they observed a range of phishing emails that used QR codes to evade email protections and steal login details. QR codes are useful to attackers because standard email security controls such as URL scanners find no suspicious link or attachment in the message.

The campaign is run from previously compromised email accounts, which lets the attackers send mail from genuine corporate accounts so that the messages look authentic to recipients. Researchers have not yet confirmed how the threat actors gained control of the accounts used to send the phishing emails.

According to the researchers, the phishing emails claim to carry a voicemail from the administrator of the sending email account, and the target is asked to scan a QR code to listen to it. The QR codes sent to victims were created on the same day as the emails. An earlier version of the campaign tried to trick users into opening a malicious link hidden in an audio file.

But antivirus software was able to identify those malicious files, which pushed the threat actors toward QR codes. "While using the QR codes method can more easily bypass email protections, the victim needs to follow many more steps before they reach the point where they could mistakenly give their login credentials to cyber criminals. Applying multi-factor authentication to Microsoft 365 accounts can also help protect login details from being stolen," ZDNet reports.

CU Boulder Cyberattack Exposes Data of 30,000 Students

The University of Colorado Boulder is sending out electronic notifications to roughly 30,000 former and current students that their private details may have been stolen during a recent data breach.

According to a release from the university, third-party software provided by Atlassian had a vulnerability that affected a program used by the Office of Information Security. The office's internal investigation showed that some data was accessed by an attacker. Atlassian is an Australian software firm headquartered in Sydney that makes products for software developers, project managers, and other software development teams.

The vulnerability “impacted a program used mostly by the Office of Information Technology (OIT) to share resources, such as support and procedural documents, configuration files and collaborative documents,” the university said in a statement. 

The accessed files contained personally identifiable information (PII) for current and former CU Boulder students, including names, student ID numbers, addresses, dates of birth, phone numbers, and genders. No Social Security numbers or financial details were compromised in the incident.

“An analysis by the Office of Information Security revealed some data stored in the program was accessed by an attacker. Atlassian released a software patch for the vulnerability on August 25. (The Office of Information Technology) upgraded the software to the latest version which is not susceptible to the vulnerability that allowed the intrusion,” CU Boulder said in its announcement. “OIT was testing the new version and preparing to implement it when the intrusion occurred.”

Most of the students whose data may have been affected are no longer associated with CU Boulder as students or employees, said Dan Jones, associate vice chancellor for integrity, safety, and compliance at the university. The university is nevertheless providing free monitoring services for those whose personal details were compromised.

This is the second known case of CU data being compromised in a cyberattack. In January of this year, CU was one of many customers affected by an attack on Accellion, a large file transfer service. That breach compromised the files of 447 users, containing private details of thousands of students, faculty, and staff across all CU campuses. According to CU, the two attacks are not connected.

A New LPE Zero-day Vulnerability Affects All Windows Versions

A security researcher has published technical details of a zero-day privilege escalation vulnerability in Windows, along with a public proof-of-concept (PoC) exploit that grants SYSTEM privileges under specific conditions.

The good news is that because the exploit requires the attacker to know another user's username and password in order to trigger the vulnerability, it is unlikely to be widely used in attacks. The bad news is that it affects all versions of Windows, including Windows 10, Windows 11, and Windows Server 2022.

In August, Microsoft released a security patch for a "Windows User Profile Service Elevation of Privilege Vulnerability", tracked as CVE-2021-34484 and reported by security researcher Abdelhamid Naceri. After examining the fix, Naceri found that it was insufficient and was able to bypass it with a new exploit, which he published on GitHub.

Naceri explained in a technical writeup about the vulnerability and the new bypass, "Technically, in the previous report CVE-2021-34484. I described a bug where you can abuse the user profile service to create a second junction. But as I see from the ZDI advisory and Microsoft patch, the bug was metered as an arbitrary directory deletion bug. Microsoft didn’t patch what was provided in the report but the impact of the PoC. Since the PoC I wrote before was horrible, it could only reproduce a directory deletion bug."

According to Naceri, because Microsoft fixed only the symptom described in his report rather than the root cause, he was able to rewrite his exploit to create a junction elsewhere and still achieve privilege escalation. The exploit opens an elevated command prompt with SYSTEM privileges while the User Account Control (UAC) prompt is displayed.

Will Dormann, a CERT/CC vulnerability analyst, tested the exploit and found that, while it worked, it was temperamental and did not always produce the elevated command prompt.

Dormann told BleepingComputer, "Definitely still a problem. And there may be scenarios where it can be abused. But the 2 account requirement probably puts it in the boat of NOT being something that will have widespread use in the wild." 

However, Naceri told BleepingComputer that a threat actor needs only another domain account to exploit the vulnerability, so it remains a cause for concern.

A Microsoft spokesperson stated, “We are aware of the report and will take appropriate action to keep customers protected.”

New Android Spyware Threat Poses as Antivirus in Japan

Japanese cybersecurity intelligence sources recently identified a new, more advanced variant of the FakeCop info stealer that impersonates ‘Anshin Security’, a legitimate security Android app from NTT Docomo.

The fake app promises antivirus protection against spyware but instead installs malware on the user's device that harvests a wide range of user data, which has put other antivirus vendors on alert as well.

According to the cybersecurity firm Cyble, the spyware is delivered as a malicious APK through phishing links sent by email or SMS that imitate the Japanese company KDDI. The sample was flagged by only 22 of 62 AV engines on VirusTotal, which suggests the malware was built to evade detection on many fronts.

The attackers collect confidential user information such as contacts, account information, SMS messages, and the list of installed apps. The malware can also alter or delete SMS messages in the device database, collect device hardware information (IMEI), and send SMS messages without the user's knowledge.

The app also looks for other antivirus software on the device and flags it as malicious, supposedly for the user's safety. Users are advised to remove the app, keep Google Play Protect enabled and updated to the latest version, and avoid clicking on unidentified links.

Security experts suspect that FakeCop shares origins with FluBot and Medusa, since, like those two malware families, it uses the free dynamic DNS service duckdns.org for delivery.

Linux And FreeBSD Systems Are Being Exploited in the Wild by Hive Ransomware

The Hive ransomware group, active since mid-2021, now reportedly encrypts Linux and FreeBSD systems with new malware versions built specifically for those platforms.

The Slovak internet security firm ESET found that Hive's new encryptors are still under development and still lack functionality. During ESET's analysis, the Linux variant also turned out to be very buggy, with encryption failing completely whenever the malware was executed with an explicit path.

The Linux variant supports only a single command-line argument (-no-wipe), whereas Hive's Windows ransomware has up to five execution options, including killing processes and skipping disk cleaning, uninteresting data, and older files.

The Linux variant also fails to encrypt when run without root privileges, because it tries to write the ransom note to the root of the file system on infected machines. "Just like the Windows version, these variants are written in Golang, but the strings, package names, and function names have been obfuscated, likely with gobfuscate," ESET Research Labs said.

Hive has already breached over 30 organizations, not counting victims who declined to pay a ransom. It is one of several ransomware groups that have started attacking Linux servers as their corporate targets gradually shifted to virtual machines for easier device management and more efficient resource use. By targeting virtual machines, ransomware operators can encrypt multiple servers with a single command.

Security researchers then identified HelloKitty and BlackMatter Linux encryptors in the wild in July and August, validating Wosar's claim.

A month later, it was revealed that some of these Linux variants are also defective and may corrupt victims' data during encryption. The Snatch and PureLocker ransomware groups have also used Linux versions in their attacks.

PNG's Finance Ministry Suffers a Ransomware Attack

According to Bloomberg News, a ransomware attack has hit Papua New Guinea's government finance office, and the attackers are demanding bitcoin. While many details of the attack are still unknown, it is becoming clear that ransomware attacks are no longer limited to the world's wealthiest countries and organizations.

The attack on the Department of Finance's Integrated Financial Management System began a week ago, according to John Pundari, the finance minister and interim treasurer. The attackers disabled the system, which controls access to hundreds of millions of dollars in international aid funds, and demanded bitcoin as ransom from PNG. The government did not pay a ransom to any hacker or third party, according to Pundari, who also stated that the system had been "completely restored."

"The government and the people of Papua New Guinea can be assured that the government financial services will continue as usual," Pundari said in a statement. "The Department (of Finance) is conscious of the security and integrity of its data. Therefore restoration of services to all government agencies, including the sub-national level, will be done gradually, so as not to compromise or allow any further spread of this malware or other virus." 

PNG's cybersecurity defenses are weak, so it has had to rely on its development partners for help. In addition, a data center built in PNG by the Chinese telecommunications giant Huawei left classified government documents exposed to theft, according to an Australian-funded investigation commissioned by PNG's National Cyber Security Centre in 2020.

According to Jonathan Pryke, director of the Lowy Institute's Pacific Islands Program in Sydney, PNG's financial constraints have prevented it from developing a viable cybersecurity environment. He said the government's systems were so vulnerable that it would have to start over with a secure network, which would cost a great deal of money. He also said that cybersecurity was not at the top of PNG's priority list.

To make matters worse, Papua New Guinea has in recent weeks been dealing with some of its worst COVID-19 surges to date. According to Australia's ABC News, the country is currently averaging roughly 388 cases a day, which is widely regarded as an undercount of the true number due to limited testing. COVID-19 vaccination has also been a challenge for the Pacific nation, with only 1.2 percent of the population immunized so far.