Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Pune Police
Bitcoin Crypto Scam Cyber Fraud CyberCrime Pune Police

Pune Police Recover Over Rs. 84 Crore Worth of Bitcoins From Two Cyber Experts

 

The Pune city Police have traced 237 bitcoins taken by two cyber specialists who were arrested for committing a multicrore cryptocurrency seizure fraud while assisting the cops in two cases in 2018.

Last month on March 12, the Pune City police’s cybercrime cell detained two specialists — Pankaj Ghode (38) and Ravindranath Patil (45) and an ex-IPS officer of Jammu and Kashmir cadre, following an exhaustive probe that began in April 2021. 

In 2018, Ghode and Patil aided a Pune police Special Investigations squad in uncovering two multimillion-dollar bitcoin ponzi schemes. The duo transferred the cryptocurrencies, recovered from the Gainbitcoin scam, and then manipulated the screenshots of those transactions and gave them to the police as proof. However, the technical investigation revealed that there were some bitcoins in the said wallet and Ghode did not give information regarding them to the investigating officer. 

Two FIRs were lodged at Dattawadi and Nigdi police stations against the duo for probing the fraud, under sections 406, 409, 420, 120 b, 109, 201 of the IPC and sections of the Maharashtra Protection of Interest of Depositors (MPID) Act. 

From the 17 persons arrested in the 2018 case, the Pune Police, had, with the assistance of Ghode and Patil, seized 241.46 Bitcoins, 452 Bitcoin cash units, and 94 Ethereum units. As of Thursday, 14:00 IST, Bitcoin was trading at 35,76,630, according to CoinMarketCap data, which means the recovered bitcoins are worth 84,88,88,259.00 as per recent exchange rates. 

“We have been able to trace as many 237 bitcoins to the wallets linked to Patil, equivalent to worth over Rs 84 crore. Prima facie, this chunk of cryptocurrency is from what was seized from the accused in the 2018 cases. The probe suggests that Patil was also involved in crypto trading. To date, we have seized Rs 6 crore worth of cryptocurrencies, such as Ethereum, Ripple, and four others. We are also probing a discrepancy of 900 bitcoins — equivalent to over Rs 320 crore today — in the reports submitted by Ghode at the time of the 2018 investigation,” an official who is part of the present investigation team stated.
Read more »
Vulnerabilities and Exploits
Bug CVE vulnerability DDOS Attacks Denial of Service vulnerability Edge Firefox PDFs Vulnerabilities and Exploits

After 17 years, the Zlib Crash-An-App Flaw Has Been Patched

 

Four years after the vulnerability was first found but left unpatched, the widely used Zlib data-compression library now has a patch to close a vulnerability that might be abused to crash apps and services. Tavis Ormandy, a bug hunter for Google Project Zero, informed the Open-Source-Software-Security mailing list about the programming error, CVE-2018-25032, which he discovered while trying to figure out what caused a compressor crash. 

"We reported it upstream, but it turns out the bug is already public since 2018, but the update never made it into a release. As far as they are aware, no CVE has ever been assigned to it." Ormandy stated. Furthermore, when Eideticom's Danilo Ramos discovered the defect in April 2018, it was 13 years old, implying this bug had been lurking for 17 years, waiting to be exploited. 

Zlib is a data-compression general-purpose library that is free, and legally unencumbered (i.e., not covered by any patents). It can be used on nearly any computer hardware and operating system. Anyone who has ever used softwares like PKZIP, WinRAR, 7-Zip, or any archiving utilities will attest to how data compression software has always been useful.

The primary goal of data compression is to save space, such as by reducing the amount of storage space required for backups or reducing data transfer bandwidth. Despite the computational overhead of squashing and expanding data before and after storing or sending it, compression frequently saves time and space by reducing the amount of data that must be moved back and forth between a fast storage location like RAM (memory) and a slow storage location like a disc, tape, or network. 

The patch was never included in a Zlib software update, and Ormandy showed a proof-of-concept exploit which works against both default and non-default compression schemes supported by the library just a few days after discovering the problem. This means any attempt to unpack maliciously designed compressed data may cause an application or network service to crash. 

In a nutshell, this is a memory corruption flaw: if user-supplied data is particularly formatted, software that relies on Zlib to compress it can crash and terminate due to an out-of-bounds write. The open-source Zlib is so extensively used that there are plenty of potential avenues for exploitation, which is why this problem is such a huge deal, in contrast to its nearly two-decade history. Zlib's algorithm, DEFLATE, which became an internet standard in 1996, is used to squash and expand data in a variety of file formats and protocols, and the software it handles these inputs to, will almost certainly use zlib. 

According to Sophos, these programs include Firefox, Edge, Chromium, and Tor, as well as the PDF reader Xpdf, video player VLC, Word and Excel compatible software LibreOffice, and picture editor GIMP. The Zlib problem, which was first discovered in 1998, enables data in a pending buffer to corrupt a distance symbol table. Out-of-bounds access can cause the program to crash and even create a denial of service. 

Users should install a non-vulnerable version of the zlib shared library, which they can usually get from the OS maker by downloading the latest updates, and developers should make sure the software packages don't rely on a vulnerable version of the reliance, pushing out app or service updates as needed.
Read more »
ransomware attacks
Cyber Attacks Data Exploit data security LEHB Ransomware ransomware attacks

US Health Provider LEHB Hit by Ransomware Attack, Network Compromised

Law Enforcement Health Benefits (LEHB), health and welfare funds for Philadelphia police offers, sheriffs, and county detectives, disclosed that the company was hit by a ransomware attack in 2021. "The Conti ransomware group has been responsible for a large number of these incidents, successfully attacking at least 16 US healthcare organizations and first responder networks during the year – as well as Ireland’s Health Service Executive and Department of Health," writes The Daily Swig. 

According to LEHB, attackers started coding files stored in the company network on 14 September 2021. An inquiry into the issue revealed that on Friday 25th, 'few affected files' containing members' data might have been excluded from the network by threat actors. Suspicious access to the US Department of Health and Human Services (HSS) breach portal hints that more than 85,000 users from LEHB may have been impacted by the incident. The compromised data includes names, DoBs, Social Security numbers, driving license info, bank account numbers, and health information. 

However, every LEHB member wasn't affected, and the data elements mentioned above were also not the same for every member. LEHB denies any case of identity theft or abuse of compromised data from the ransomware hit. However, the incident impacted members and offered credit monitoring services to those whose Social Security numbers might have been used. The health plan provider suggests its members set up 'fraud alerts' and security freezes on credit files, and ask for a free credit report. 

Cyber attack incidents are getting sophisticated as each day passes, resulting in LEHB implementing extra precautionary steps to protect its network and enhance internal procedures to detect and mitigate future cybersecurity threats. LEHB is assessing and updating its company policies and procedures to reduce the chances of ransomware incidents in the future. 

The Daily Swig reports "the healthcare sector has been particularly hard hit by ransomware since the start of the Covid-19 pandemic, with the FBI’s 2021 Internet Crime Report revealing earlier this month that of all critical infrastructure sectors, it was healthcare that faced the most ransomware attacks last year."

Read more »
virus
Hive IP Address IPfuscation malware Ransomware Research Shellcode virus

Hive Ransomware Employs New 'IPfuscation' Tactic to Conceal Payload

 

Threat researchers have found a new obfuscation strategy employed by the Hive ransomware gang, which utilises IPv4 addresses and a series of conversions that leads to the download of a Cobalt Strike beacon. Threat actors use code obfuscation to conceal the malicious nature of their code from human reviewers or security software to avoid discovery. 

There are a variety of techniques to create obfuscation, each with its own set of benefits and drawbacks, but a new one identified during an incident response involving Hive ransomware reveals that adversaries are coming up with new, subtler ways to accomplish their objective. 

Analysts at Sentinel Labs describe a new obfuscation technique called "IPfuscation," which is another example of how effective basic but sophisticated tactics can be in real-world malware deployment. The new approach was discovered while examining 64-bit Windows executables, each of which contained a payload that delivered Cobalt Strike. 

The payload is disguised as an array of ASCII IPv4 addresses, giving it the appearance of a harmless list of IP addresses. The list could potentially be misconstrued for hard-coded C2 communication information in malware research. A blob of shellcode arises when the file is handed to a converting function (ip2string.h) that converts the string to binary.

Following this step, the virus executes the shellcode either directly through SYSCALLs or through a callback on the user interface language enumerator (winnls.h), resulting in a normal Cobalt Strike stager. 

The following is an example from the Sentinel Labs report: The first hardcoded IP-formatted string is the ASCII string “252.72.131.228”, which has a binary representation of 0xE48348FC (big-endian), and the next “IP” to be translated is “240.232.200.0”, which has a binary representation of 0xC8E8F0. 

Disassembling these “binary representations” indicates the start of shellcode generated by common penetration testing frameworks. The analysts have uncovered additional IPfuscation variants that instead of IPv4 addresses use IPv6, UUIDs, and MAC addresses, all operating in an almost identical manner as was described above.

The conclusion here is that relying simply on static signatures to detect malicious payloads is no longer sufficient. According to the researchers, behavioural detection, AI-assisted analysis, and holistic endpoint security that combines suspicious elements from various locations have a better probability of removing IPfuscation.
Read more »
USA officials
Credential Phishing Data Breach data threat USA USA officials

FBI Warns Election Officials of Credential Phishing Attacks

 

Recently, on Tuesday the Federal agency of United states FBI has released a warning report regarding the US election officials being targeted in an ongoing and widespread phishing campaign by unidentified malicious actors in an attempt to steal their credentials since at least October 2021. 

FBI revealed that the group of hackers has used various methods to redirect their targets to phishing pages and trick them into entering their login credentials. Reportedly, hackers used compromised email addresses of US government leaders to spoof US businesses. 

"If successful, this activity may provide cyber actors with sustained, undetected access to a victim's systems," the FBI said in a private industry notification.

"…As of October 2021, US election officials in at least nine states received invoice-themed phishing emails containing links to websites intended to steal login credentials." 

According to the FBI intelligence, the threat actors have targeted the officials in the three separate "coordinated" phishing attacks and breached accounts of elected officials across at least nine states, Additionally, representatives of the National Association of Secretaries of State were also impacted in October. 

The first attack came to light on 5 October when unrecognized hackers used two email addresses, one from the compromised account of a government official, in an attempt to steal the login data of elected leaders. Less than two weeks later, two identical phishing attacks had been seen from the email addresses linked to US businesses. 

It has been noticed that in each phishing attack, the group of attackers sent an email recognized as "INVOICE INQUIRY.PDF,” which once opened, redirected users to a credential-harvesting website.

Following the incident, the FBI and the US federal law enforcement agency said that the threat “is still very real” and is heading into the 2022 election season. The group of hackers who are behind this phishing campaign will likely continue the attacks against US election officials with new phishing emails as the 2022 midterm elections are closing in. 

The threat intelligence asked network defectors to educate officials against these attacks on how to identify phishing, social engineering, and spoofing attempts and how to protect their systems against such common threats.
Read more »
Security Flaws
Cyber Security data security Public Sector Security Flaws

82% Applications in Public Sector Have Security Flaws

According to a new study from Veracode, more than 82% (4/5th) of public sector apps have security vulnerabilities, the highest found in any industry. The experts also found that the apps in the public sector take twice the time to get patch the flaws once identified, compared to other industry security fixes. Besides this, around 60% of flaws in third-party libraries in the public sector haven't been patched for two years. It is twice the time frame compared to industry data and almost 15 months behind the cross-industry average. 

The report is based on the data collected via 20 million scans across half a million apps in the public sector, financial services, manufacturing, retail, healthcare, technology, and hospitality. Veracode simplifies AppSec programs by combining five application security analysis types in one solution, integrated into the development pipeline. With comprehensive analysis, you’re covered today and as your program evolves Joint lowest fix rate for vulnerability in the public sector is 22% which is the lowest. 

The study suggests that public sector organizations are more prone to software supply chain attacks because they are more vulnerable, for instance, solar winds, which led to huge disruptions and breaches of critical data. Fortunately, the findings suggest that public sector entities have improved in battling high severity flaws. As per analysis, high-level flaws were found in 16% of public sector apps and the total numbers fell by 30% in the last year. 

The experts believe that the data hints toward new government cybersecurity measures. Public sector lawmakers and politicians know that dated technology and a large amount of sensitive data are the reason for public organizations to become a primary target for hackers. 

This is why Congress and the White House are working together to update regulations that govern cybersecurity compliance.  "In January, President Biden signed a National Security Memorandum (NSM) requiring national security systems to implement network cybersecurity measures that are at least as good as those required of federal civilian networks. Earlier this month, the US passed new legislation that will force critical infrastructure companies to report cyber incidents within 72 hours" reports Infosecurity. 

Read more »
Software Vendor
Cloud Threat Report Log4Shell malware Software Vendor

Log4Shell is Employed in 31% of Malware infections, Lacework Labs Identifies

 

In the latest cloud threat report by Lacework, it was disclosed that the infamous Log4Shell vulnerability was exploited as an initial infection vector in 31% of cases identified by Lacework researchers over the past six months. 

The software vendor’s report confirms that the Log4j vulnerability was abused extensively by malicious actors, as cybersecurity researchers had suspected when it emerged in December last year. 

According to Lacework Labs, it initially noticed a flood of requests with malicious payloads immediately after the Log4Shell bug was disclosed, these were the result mainly of researchers searching for the vulnerability. However, these were replaced by malign requests over time, as threat actors adopted publicly available proof-of-concept exploits. 

“Over time, we watched scanning activity evolve into more frequent attacks, including some that deployed crypto-miners and Distributed Denial of Service (DDoS) bots to affected systems,” it explained. In addition to improving their payloads, adversaries continued to adapt their exploitation methods to stay ahead of signature-based detections used by many types of security products.”

In addition to Log4j, multiple threat actors have also employed one backdoor in the ua-parser-js NPM package to secure access to Linux systems and launch the XMRig open-source miner. The original hacking group had managed to exploit the NPM developer’s account to deploy a malicious payload to the package. 

In fact, malicious actors increasingly favor NPM as a vector for attack. A report from Checkmarx this week claimed that attackers have simplified the process of designing new NPM accounts from which to distribute supply chain malware. 

“The attacker has fully automated the process of NPM account creation and has open dedicated accounts, one per package, making his new malicious packages much harder to spot,” it explained. At the time of writing, the threat actor ‘RED-LILI’ is still active at the time of writing and continues to publish malicious packages.” 

The researchers at Lacework Labs also investigated issues around compliance, compromised Docker APIs and malicious containers, and additional bugs within the software supply chain. Based on the findings of this report, researchers advised that defenders should evaluate security infrastructure against the industry's best practices and execute proactive defence and intelligence weapons with active bug monitoring.
Read more »
Spoofing
attacks Cyber Attacks Emails Hackers Spear Phishing Spoofing

New Spear Phishing Campaign Targets Russian Dissidents

 

In Russia, a new spear-phishing campaign targeting dissenters with alternative views to those presented by the state and national media over the war in Ukraine is underway. The campaign distributes emails to government personnel and public servants, alerting them about software and online platforms that are illegal in the country. 

The mails contain a malicious attachment or link that sends a Cobalt Strike beacon to the recipient's computer, allowing remote operators to execute eavesdropping on the victim. The campaign was discovered and reported on by Malwarebytes Labs threat analysts, who were able to sample some of the bait emails. 

Various phishing methods

To persuade recipients to open the attachment, the phishing emails pretend to be from a Russian state organisation, ministry, or federal service. The main two spoofed organizations are the "Russian Federation Ministry of Information Technologies and Communications" and the "Russian Federation Ministry of Digital Development, Communications, and Mass Communications." 

To attack their targets with Cobalt Strike, the threat actors use three different file types: RTF (rich text format) files, archive attachments of malicious documents, and download links inserted in the email body. Since it involves the exploitation of CVE-2021-40444, a remote code execution flaw in the rendering engine used by Microsoft Office documents, the case of RTFs is the most interesting. 

All of the phishing emails are written in Russian, as expected, and they appear to have been created by native speakers rather than machine translated, implying that the campaign is being spearheaded by a Russian-speaking individual. Malwarebytes discovered simultaneous attempts to spread a deeply obfuscated PowerShell-based remote access trojan (RAT) with next-stage payload fetching capabilities in addition to Cobalt Strike. 

The campaign's targets are mostly employed by the Russian government and public sector, including the following organisations: 
  • Portal of authorities of the Chuvash Republic Official Internet portal
  • Russian Ministry of Internal Affairs
  • ministry of education and science of the Republic of Altai
  • Ministry of Education of the Stavropol Territory
  • Minister of Education and Science of the Republic of North Ossetia-Alania
  • Government of Astrakhan region
  • Ministry of Education of the Irkutsk region
  • Portal of the state and municipal service Moscow region
  • Ministry of science and higher education of the Russian Federation
As per the aforementioned organisations, phishing actors target persons in crucial positions who could cause problems for the central government by stirring anti-war movements.
Read more »
VMware
Cyberattack data wipers Google Honeypot Installation IBM Malicious actor malware python RaaS Ransomware Attacks. VMware

JupyterLab Web Notebooks Targeted by Unique Python-Based Ransomware

 

The first-ever Python-based ransomware virus specifically tailored to target vulnerable Jupyter notebooks has been revealed by researchers. It is a web-based immersive computing platform which allows editing and running programs via a browser. Python isn't widely used for malware development, instead, notably, thieves prefer languages like Go, DLang, Nim, and Rust. Nonetheless, this isn't the first time Python has been used in a ransomware attack. Sophos disclosed Python ransomware, particularly targeting VMware ESXi systems in October 2021. 

Jupyter Notebook is a web-based data visualization platform that is open source. In data science, computers, machine learning, and modular software are used to model data. Over 40 programming languages are supported by the project, which is used by Microsoft, IBM, and Google, as well as other universities. According to Assaf Morag, a data analyst at Aqua Security, "the attackers got early access via misconfigured environments, then executed a ransomware script it encrypts every file on a particular path on the server and eliminates itself after execution to disguise the operation." 

The Python ransomware is aimed at those who have unintentionally made one's systems susceptible. To watch the malware's activities, the researchers set up a honeypot with an exposed Jupyter notebook application. The ransomware operator logged in to the server, opened a terminal, downloaded a set of malicious tools, including encryptors, and then manually generated a Python script. While the assault came to a halt before completing the mission, Team Nautilus was able to gather enough data to mimic the remainder of the attack in a lab setting. The encryptor would replicate and encrypt files, then remove any unencrypted data before deleting itself. 

"There are over 11,000 servers with Jupyter Notebooks which are internet-facing," Aqua researcher Assaf Morag stated. "Users can execute a brute force attack and perhaps obtain access to some of them — one would be amazed how easy it can be to predict these passwords." We believe the attack either timed out on the honeypot or the ransomware is still being evaluated before being used in real-world attacks." Unlike other conventional ransomware-as-a-service (RaaS) schemes, Aqua Security described the attack as "simple and straightforward," adding since no ransom note was displayed on the process, raising the possibility the threat actor was experimenting with the modus operandi or the honeypot scheduled out before it could be completed. 

Regardless, the researchers believe it is ransomware rather than a wiper weapon based on what they have. "Wipers typically exfiltrate data and delete it or simply wipe it," Morag continued. "We haven't observed any attempts to move the data outside the server, and the data wasn't just erased, it was encrypted with a password," says the researcher. This is even additional evidence this is a ransomware attack instead of a wiper."

Although evidence discovered during the incident study leads to a Russian actor, citing similarities with prior crypto mining assaults focused on Jupyter notebooks, the attacker's identity remains unknown.
Read more »
US Federal Agencies
Cyber Attacks security threat UPS devices US Federal Agencies

US Federal Agencies Warn of Cyber Attacks Targeting UPS Devices

 

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy released a joint advisory warning for U.S. organizations to secure Internet-connected uninterruptible power supply (UPS) devices from ongoing cyber assaults.

UPS devices are regularly used as emergency power backup solutions in mission-critical environments and are also equipped with an internet of things (IoT) capability, enabling the administrators to carry out power monitoring and routine maintenance. But as is often the case, such features also expose them to malicious attacks. 

"The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords," the federal agencies said.

"Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet." 

To safeguard against such threats, CISA and DoE are recommending concerned entities ensure all UPS systems are disconnected from the internet. If linking their management interfaces to the Internet is not viable, admins are advised to put the devices behind a virtual private network (VPN), enable multifactor authentication (MFA), and use strong passwords or passphrases in accordance with the National Institute of Standards and Technology guidelines. 

Additionally, the advisory includes auditing usernames and passwords to ensure that they’re not still factory-default or otherwise easily guessed or cracked. U.S. organizations are also urged to execute login timeout/lockout policies to mitigate these ongoing assaults against UPSs and similar systems. Besides default credentials, malicious actors can also exploit critical security loopholes to enable remote takeovers of uninterruptible power supply (UPS) devices and allow them to burn them out or disable power remotely. 

The warnings come three weeks after security firm Armis uncovered multiple high-impact vulnerabilities in APC Smart-UPS devices that could be exploited remotely by unauthenticated attackers without user interaction as a physical weapon. Two of the main vulnerabilities include flaws in SmartConnect’s TLS implementation – the first is a buffer overflow memory bug, and the second is a problem with the way SmartConnect’s TLS handshake works.
Read more »
War
Cyber Attacks Internet Provider Russia Ukraine War

Ukraine War: Major Internet Provider Suffers Cyber-Attack

 

A cyber-attack was launched against a significant Ukrainian internet provider. Ukrtelecom is working to restore service after it believes it was the victim of an attack. The network was shut down to "safeguard the vital network infrastructure." 

Ukrtelecom JSC is Ukraine's monopolist telephone company, also active in Internet service providing and mobile markets. Yuriy Kurmaz, the CEO of the company stated in a statement: “In order to protect the critical network infrastructure and not interrupt services to the Armed Forces, other military bodies and users of critical infrastructure, we were forced to temporarily restrict internet access to most private users and business customers.” 

Netblocks, an international internet monitoring organisation, stated it was the company's biggest outage since the beginning of the Russian invasion last month, with connectivity down to 13% of what it was before President Vladimir Putin announced the war. 

They said on Twitter: “Update: Ukraine's national internet provider Ukrtelecom has confirmed a cyberattack on its core infrastructure. Real-time network data show an ongoing and intensifying nation-scale disruption to service, which is the most severe registered since the invasion by Russia.” 

According to the BBC, other people in Ukraine using various internet providers had no problems. In terms of geographical coverage, Ukrtelecom is the largest internet provider, although Kyivstar is the largest in terms of customer numbers. 

The United Nations has confirmed 1,179 civilian deaths and 1, 860 civilian injuries since the war began in late February, but the total is believed to be substantially higher. Furthermore, the attack has triggered a humanitarian crisis, with more than 10 million people forced to evacuate their homes, with 3.8 million of them seeking refuge in neighbouring nations.
Read more »
Subscribe to: Comments (Atom)