Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Victim
Cyber Fraud data security Hackers Information phishing Security Victim

Hackers Target National Portal of India Via ‘Unprecedented’ Phishing Method

 

On Thursday, cyber-security experts announced the discovery of an "unprecedented, sophisticated" phishing method that has been extorting people from official websites worldwide, including the Indian government's portal https://india.gov.in. 

According to AI-driven cyber-security startup CloudSEK, threat actors have been targeting the Indian government's webpage by using a fake URL to deceive users into entering sensitive information such as credit card numbers, expiration months, and CVV codes. 

In a most advanced phishing technique known as Browser-in-the-Browser (BitB) attack, hackers imitate the browser window of the Indian government website, most typically SSO (single sign-on) pages, with a unique login. BitB attacks impersonate reputable websites in order to steal user passwords and other sensitive data such as personally identifying information (PII). The new URL that emerges as a result of the BitB attack looks to be legitimate. 

"The bad actors have also replicated the original page's user interface. Once their victims click into the phishing page, a pop-up appears on the phoney window claiming that their systems have been blocked, posing as a notification from the Home Affairs Enforcement and Police," the researchers asserted. 

The users are then alerted that their excessive usage of pornographic websites is banned under Indian law, and they are asked to pay a Rs 30,000 fee in order to unlock their computers.

"They are given a form to fill out in order to pay the fine, which asks them to divulge personal information, including their credit card information. The victims become panicked because the warning has a sense of urgency and appears to be time-bound," the researchers stated. 

The information entered by the victims into the form is sent to the attacker's server. Once the attackers have obtained the card information, it may be sold to other purchasers in a bigger network of cyber criminals, or the victim may be extorted for more funds. 

When users attempt to connect to a website, they may click on a malicious link that appears as an SSO login pop-up window. Users are requested to check in to the website using their SSO credentials when they visit the provided URL. The victims are then sent to a fraudulent webpage that appears just like the SSO page. The attack often triggers single sign-on windows and presents bogus web pages that are identical to the legitimate page. 

"Combine SSO with MFA (multi-factor authentication) for secure login across accounts, check for suspicious logins and account takeovers and avoid clicking on email links from unknown sources," the researchers suggested.
Read more »
VPN
Bitcoin Scams Encryption Malicious actor malware NAS QNAP Ransomware Attacks. VPN

QNAP NAS servers attacked by Checkmate ransomware

 

A new ransomware strain known as Checkmate has recently come to the attention of Taiwanese vendor QNAP, and early research suggests that it is targeting NAS machines with SMB services that are accessible via the internet. SMB is a communication protocol that allows nodes on a network of devices to exchange access to files. 

Objectives: 

The ransomware adds the .checkmate extension to the filenames of encryption keys and leaves an extortion letter with the name !CHECKMATE DECRYPTION README on the compromised devices. 

According to a report by BleepingComputer, some forum users claimed to have contracted the Checkmate ransomware in June. For a decryptor and a decryption key, the hackers want payment from the victims in bitcoins worth $15,000 each. 

The malicious actors behind this campaign, according to QNAP, will use accounts compromised by dictionary assaults to remotely log in to devices that are vulnerable to remote access. After getting access, they begin encrypting files in shared folders, although according to victim claims, all the data is encrypted.

Resist ransomware threats 

The company advised users to utilize VPN software to decrease the attack surface and prevent threat actors from attempting to log in using hacked credentials. It also advised customers to avoid exposing their NAS machines to Internet access. 

Additionally, QNAP users were instructed to evaluate all of their NAS accounts right away, double-check that they're using strong passwords, back up their files, and often create backup snapshots in case their data needs to be restored.

Taking away SMB 1 
  • Visit QTS, QuTS hero, or QuTScloud and log in. 
  • Go to Win/Mac/NFS/WebDAV > Microsoft Networking under Control Panel > Network & File.
  • Then select Advanced Options. 
  • The window for Advanced Options appears. 
  • Select SMB 2 or higher next to the Lowest SMB version. 

QTS, QuTS hero, or QuTScloud updates 
  • Register as an administrator on QTS, QuTS Hero, or QuTScloud.
  • Go to System > Firmware Update in the Control Panel. 
  • Click Check for Update under Live Update. 

The most recent update is downloaded and installed by QTS, QuTS hero, or QuTScloud. Additionally, QNAP stated last month that it is "thoroughly researching" a recent round of attacks that began in early June and are aimed at spreading the DeadBolt ransomware.

In the past two years, a wave of ransomware assaults has targeted QNAP NAS users, leading the vendor to publish several alerts and urgent updates, and even encourage for end-of-life hardware.
Read more »
TCU
Brazil cyber attack Cyber Attacks cyberattack information Data Theft Online data Theft TCU

No Backup: Why the Government in Brazil is at High Risk of Cyberattacks

 

According to a new report by the Brazilian Federal Audit Court (TCU), several federal government agencies in Brazil are at a high risk of cyberattacks. Federal government agencies need to reassess their approach to handling cybersecurity threats, the report reads. 

Report points out the number of areas at high risk but one of the biggest problems in the cybercrime section that the report has uncovered is the lack of backups while dealing with cyberattacks. 

A group of 29 areas that represent a high risk in terms of vulnerability, mismanagement, abuse of power, or need for drastic changes was discovered. 

Backups are very important and help against various forms of attack, as well as mistakes and mishaps. The most obvious one of those would be ransomware attacks. 
When systems are hacked and are locked up, a data backup could be the respite you’re looking for to restore the data stored on your devices. 

Additionally, the report cited the data

 • 74.6% of organizations (306 out of 410) do not have a formally approved backup policy—a basic document, negotiated between the business areas (“owners” of the data/systems) and the organization’s IT, with a view to disciplining issues and procedures related to the execution of backups. 

• 71.2% of organizations that host their systems on their own servers/machines (265 out of 372) do not have a specific backup plan for their main system. 

• 60.2% of organizations (247 out of 410) do not keep their copies in at least one non-remotely accessible destination, which carries a risk that, in a cyberattack, the backup files themselves end up being corrupted, deleted, and/or encrypted by the attacker or malware, rendering the organization’s backup/restore process equally ineffective. 

 • 66.6% of organizations that claim to perform backups (254 out of 385), despite implementing physical access control mechanisms to the storage location of these files, do not store them encrypted, which carries a risk of data leakage from the organization, which can cause enormous losses, especially if it involves sensitive and/or confidential information. 

Further, the researchers said that the federal government cannot respond to and treat cybersecurity attacks adequately. Also, there are several vulnerabilities in both information security and cybersecurity across most central bodies.
Read more »
Web Server
Cyber Attacks Malicious Extension Russia User Security Web Server

ABCsoup Adware Campaign Employs 350 Browser Extension Variants to Target Russian Users

 

Zimperium researchers have identified an adware campaign targeting Russian users of Google Chrome, Opera, and Mozilla Firefox browsers. The campaign employs more than 350 versions of malicious browser extensions using the Google Translate extension ID to fool victims into downloading the malicious files.

"The extensions are installed onto a victim's machine via a Windows-based executable, bypassing most endpoint security solutions, along with the security controls found in the official extension stores," researchers explained. 

The malicious browser add-ons come with an identical extension ID as that of Google Translate to trick users into believing that they have installed a legitimate extension. However, the extensions are not available on the official browser web stores. 

The hackers deliver them via multiple Windows executables that install the add-on on the victim's web browser. If the targeted user already has the Google Translate extension installed, it replaces the original version with the malicious variant owing to their higher version numbers (30.2.5 vs. 2.0.10). 

"Furthermore, when this extension is installed, Chrome Web Store assumes that it is Google Translate and not the malicious extension since the Web Store only checks for extension IDs," Zimperium researcher Nipun Gupta stated. 

According to Zimperium, the malicious extensions are geared towards serving pop-ups, siphoning private details to deploy target-specific ads, fingerprinting searches, and injecting malicious JavaScript that can further act as spyware to capture keystrokes and monitor web browser activity. 

The primary motive of this malicious campaign is to scan for Russian social networking services like Odnoklassniki and VK among the current websites opened in the browser, and if so, collect the victims' first and last names, dates of birth, gender, and transfer the data to a remote server. 

The malicious extension does not utilize the stolen details to serve personalized ads but also has the capability to inject custom JavaScript code based on the websites opened. This includes YouTube, Facebook, ASKfm, Mail.ru, Yandex, Rambler, Avito, Brainly's Znanija, Kismia, and rollApp, indicating a heavy Russia focus. 

The researchers attributed the campaign to the threat actors based in Russia or Eastern Europe. The extensions were created to single out Russian users given the wide range of local domains featured.

"This malware is purposefully designed to target all kinds of users and serves its purpose of retrieving user information," Gupta said. "The injected scripts can be easily used to serve more malicious behavior into the browser session, such as keystroke mapping and data exfiltration."
Read more »
Vulnerability and Exploits
Node.js patch fixes Security Patch Vulnerabilities and Exploits Vulnerability and Exploits

Node.js Patches Various Flaws that may Lead to Attacks

About vulnerabilities

Node.js maintainers released multiple patches for flaws in the JavaScript runtime environment that can cause HTTP request smuggling and arbitrary code execution, among some other attacks. An advisory mentions the information about the seven patched bugs, it includes three seperate HTTP Request Smuggling vulnerabilities. 

The three flaws- a flawed parsing of transfer-encoding bug, tracked as CVE-2022-32213, an errored delimiting of header fields issue, tracked as CVE-2022-32214, and an improper parsing of multi-line transfer encoding exploit, tracked as CVE-2022-32215, can all in the end lead towards HTTP request smuggling. 

The Daily Swig says "the moderate-severity implementation bug (CVE-2022-2097) could cause encryption to fail in some circumstances. AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation will not encrypt the entirety of the data, which could reveal sixteen bytes of data that was pre-existing in the memory that wasn’t written." 

How Severe are these bugs?

The three bugs were rated as "medium" severity, they affect all three variants of the 18.x, 16.x, and 14.x releases lines. llhttp v6.0.7 and llhttp v2.1.5 includes the patches that were updated inside Node.js. 

Other problems 

The advisory also includes information about a DNS rebinding flaw in --inspect through improper IP addresses. Categorised as "high" severity, the bug (CVE-2022-32212) can permit arbitrary code execution, warns the advisory. 

“The IsAllowedHost check can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid or not.When an invalid IPv4 address is provided browsers will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MitM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884,” says the advisory. 

The flaw affects all variants of the 18.x, 16.x, and 14.x releases lines.

Read more »
Technology
Apple Information Technology Lockdown Mode New Security Features New Technology Technology

Apple Came With Lockdown Mode, a New Security Feature

On Wednesday, Apple shared details of a new, advanced version of the security option named Lockdown Mode for Apple device users who may face sophisticated cybersecurity threats. 

According to the technical details of the new security update, users can avail this Lockdown Mode this fall with iOS 16, iPadOS 16, and macOS Ventura. This extreme version of security feature is designed for a few users such as government officials, journalists, and activists, who are easy prey of NSO Group or other private state-sponsored mercenary spyware. 

Ivan Krstić, Apple's head of security engineering and architecture, called Lockdown Mode "a groundbreaking capability". "While the vast majority of users will never be the victims of highly targeted cyberattacks, we will work tirelessly to protect the small number of users who are. That includes continuing to design defenses specifically for these users, as well as supporting researchers and organizations around the world doing critically important work in exposing mercenary companies that create these digital attacks." 

Lockdown Mode includes the following protection features:

• Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode. 

• Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled. 

• Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request. 

• Wired connections with a computer or accessory are blocked when iPhone is locked. 

• Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on. 

Following the updates, Lori McGlinchey, the Ford Foundation’s director of its Technology and Society program, said, “The global spyware trade targets human rights defenders, journalists, and dissidents; it facilitates violence, reinforces authoritarianism, and supports political repression...” 

“…The Ford Foundation is proud to support this great initiative to bolster civil society research and advocacy to resist mercenary spyware. We must build on Apple’s commitment, and we invite companies and donors to join the Dignity and Justice Fund and bring additional resources to this collective fight.”
Read more »
Technology
cryptocurrency cryptomining JavaScript NPM Package Technology

NPM JavaScript Package Repository Targeted by Widespread Cryptomining Campaign

 

Checkmarx researchers have unearthed a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. 

The hacker behind this malicious campaign, dubbed CuteBoi, published 1,283 modules in the repository and employed over 1,000 different user accounts. The researchers discovered the supply chain assault after spotting a burst of suspicious NPM users and packages designed automatically. 

“Checkmarx SCS team detected over 1200 npm packages released to the registry by over a thousand different user accounts. This was done using automation which includes the ability to pass the NPM 2FA challenge. This cluster of packages seems to be a part of an attacker experimenting at this point,” reads the post published by Israeli application security testing firm Checkmarx. 

All the rogue packages impersonated a near-identical source code from an already existing package named eazyminer that's employed to mine Monero by means of utilizing unused resources of systems such as ci/cd and web servers. One notable modification entails the URL to which the mined cryptocurrency should be sent, although installing the rogue modules will not bring about a negative effect. 

"The copied code from eazyminer includes a miner functionality intended to be triggered from within another program and not as a standalone tool," researcher Aviad Gershon explained. "The attacker didn't change this feature of the code and for that reason, it won't run upon installation." 

As observed in the case of RED-LILI earlier this year, the packages are published via an automation methodology that allows hackers to bypass two-factor authentication (2FA) protections. 

However, while the former involved setting up a custom server and using a combination of tools like Selenium and Interactsh to programmatically design an NPM user account and defeat 2FA, CuteBoi depends on a disposable email service called mail.tm to automate the creation of the users that upload the packages to the NPM repository. 

Specifically, it utilizes a REST API provided by the free platform that enables "programs to open disposable mailboxes and read the received emails sent to them with a simple API call." In this, hackers behind the CuteBoi campaign can circumvent the NPM 2FA challenge when creating a flood of user accounts to publish the packages. 

Earlier this week, security research uncovered another NPM-related large-scale software supply chain attack dubbed IconBurst designed to siphon sensitive data from forms embedded in downstream mobile applications and websites. 
Read more »
Telegram
Cybersecurity HTML Info Stealer malware PowerShell Telegram

XFiles Malware Exploits Follina, Expands ItsAttacks

What is XFiles?

The X-Files info stealer malware has put a new vulnerability in its systems to exploit CVE-2022-30190- Follina, and attack targeted systems with malicious payloads. A cybersecurity firm said that the new malware uses Follina to deploy the payload, run it, and take control of the targeted computer. "In the case of the XFiles malware, researchers at Cyberint noticed that recent campaigns delivering the malware use Follina to download the payload, execute it, and also create persistence on the target machine," says Bleeping Computers.  

How is Follina infected? 

•The malware, sent in the victims' spam mail, consists of an OLE object that directs to an HTML file on an external resource that has JavaScript code, which exploits Follina. 

•After the code is executed, it gets a base64-encoded string that contains PowerShell commands to make a presence in the Windows startup directory and deploy the malware. 

•The second-stage module, "ChimLacUpdate.exe," consists of an AES decryption key and a hard-coded encryption shellcode. An API call decodes it and deploys it in the same running process. 

•After infection, XFiles starts normal info stealer malware activities like targeting passwords and history stored in web browsers, cookies, taking screenshots, and cryptocurrency wallets, and look for Telegram and Discord credentials. 

•The files are locally stored in new directories before they are exfiltrated via Telegram. 

The XFiles is becoming more active 

• A cybersecurity agency said that XFiles has expanded by taking in new members and initiating new projects. 

• A project launched earlier this year by Xfiles is called the 'Punisher Miner.' 

• However, it's an irony that a new mining tool will charge $9, the same as how much XFiles costs for a month of renting the info stealer. 

CyWare Social says "it appears that the XFiles gang is expanding and becoming more prolific. The gang is recruiting talented malware authors, becoming stronger, and thus providing their users with more readymade tools that do not require experience or coding knowledge. Successful incorporation of the Follina-exploiting document increases the chances of infection and consequently increases the success rate of attacks."
Read more »
RSA
APT CISA & FBI Cyber Attacks Encryption North Korean Hackers Ransomware Attacks. RSA

North Korea: Maui Ransomware Attacks Healthcare Services

 

North Korean state-sponsored hackers are using Maui to encrypt computers and data for vital healthcare services, including electronic health records, diagnostics, imaging, and intranet. A joint advisory from the FBI, the Treasury Department, and the Cybersecurity and Infrastructure Security Agency (CISA) describes a ransomware campaign that Pyongyang has been executing at least since May 2021. 

Traits of threat actors

It is unknown how these threat actors enter organizations through the initial access vector. The less well-known ransomware family stands out, according to cybersecurity firm Stairwell, since it lacks numerous essential characteristics typically found in ransomware-as-a-service (RaaS) groups. Stairwell's findings served as the basis for the alert. 

The lack of an "embedded ransom letter to provide recovery instructions or automated means of transferring encryption keys to attackers" is one analogy of this, according to security expert Silas Cutler in a technical analysis of the ransomware.

Instead, Maui sample analysis indicates that the malware is made to be manually executed by a remote actor using a command-line interface, utilizing it to target particular files on the compromised machine for encryption, as recently seen in the case of Bronze Starlight.

Each of these keys is then encrypted with RSA using a key pair generated for the first time when Maui is launched, in addition to encrypting target files with AES 128-bit encryption with a new key. The RSA keys are encrypted using a hard-coded, particular-to-each-campaign RSA public key as a third-degree of security.

The fact that Maui is not provided as a service to other affiliates for use in exchange for a cut of the money earned is another thing that sets it apart from other conventional ransomware products. 

Why is DPRK targeting healthcare?

Ransomware is highly hazardous in the healthcare industry. Such businesses often don't provide cybersecurity much attention or funds. Hospitals and other similar organizations also own critical medical and health data prone to abuse. Furthermore, such facilities cannot afford to be shut down for an extended period, which increases the possibility that they might pay the ransom to resume services.

Although these North Korean-sponsored ransomware operations targeting healthcare companies have been occurring for a year, iboss claims that they have increased significantly and become more sophisticated since then. It's the most recent example of how North Korean enemies are changing their strategies to shadily produce an ongoing flow of income for the country's struggling economy. 

The ransomware attacks are alleged to have temporarily or permanently affected health services in several cases. It is currently uncertain what infection vector was first used to carry out the incursions. Only 2% of those who paid the ransom in 2021 received their whole data recovered, according to the Sophos' State of Ransomware in Healthcare 2022 report. This compares to the global average of 46%. 

Read more »
Windows
Bugs Flaws Security Versions Vulnerabilities and Exploits Windows

Fortinet Fix Multiple Path Traversal Vulnerabilities

 

Fortinet has patched a slew of security flaws in many of its endpoint security products. On Tuesday, the California-based cybersecurity behemoth, which accounts for more than a third of all firewall and unified threat management deployments globally, published a massive number of firmware and software upgrades (July 5). 

Multiple relative route traversal faults in FortiDeceptor's administrative interface, which sets up virtual computers that act as honeypots for network intruders, are among a quartet of high-severity problems (CVE-2022-30302). 

According to the accompanying Fortinet alert, abusing these may permit a remote and authorised attacker to obtain and delete arbitrary files from the underlying filesystem using carefully crafted web requests. Similarly, path traversal in the named pipe responsible for the FortiESNAC service might allow attackers to gain privilege escalation in Windows versions of the endpoint security and VPN application FortiClient (CVE-2021-41031). 

Meanwhile, the FortiNAC network access control system was vulnerable to a "empty password in configuration file vulnerability," which allowed an authorised attacker to access the MySQL databases via the command line interface (CLI) (CVE-2022-26117). 

Additional flaws

The other high severity issue, which affects the FortiAnalyzer security event analysis appliance, the FortiManager network management device, the FortiOS operating system, and the FortiProxy web proxy, "may allow a privileged attacker to execute arbitrary code or command via crafted CLI 'execute restore image' and 'execute certificate remote' TFTP protocol operations" (CVE-2021-43072). 

Meanwhile, FortiEDR endpoint security solution cross-site scripting (XSS) vulnerabilities (CVE-2022-29057); a privilege escalation issue in FortiManager and FortiAnalyzer (CVE-2022-26118); and stack-based buffer overflows in diagnostic CLI commands impacting FortiOS and FortiProxy (CVE-2022-26118) (CVE-2021-44170). 

The sixth and final medium severity problem affects FortiOS, FortiProxy, FortiSwitch ethernet switches, the FortiRecoder video surveillance system, and the FortiVoiceEnterprise communications system (CVE-2021-42755). Last but not least, a low severity XSS vulnerability impacts FortiOS (CVE-2022-23438).
Read more »
Vulnerabilities and Exploits
Bugs Flaws Open SSL Private Keys RCE Flaw Vulnerabilities and Exploits

This OpenSSL Flaw Could Lead to Remote Code Execution

 

A high-severity vulnerability in OpenSSL might allow a hostile actor to execute the malware on server-side devices. 

OpenSSL is a widely used encryption library that provides an open source version of the SSL and TLS protocols. It offers tools for, among other things, creating RSA private keys and performing encryption and decryption.  

An alert indicates that the OpenSSL 3.0.4 version introduced a "serious bug" in the RSA implementation for X86 64 CPUs supporting the AVX512IFMA instructions. Because of this flaw (CVE-2022-2274), the RSA implementation with 2048-bit private keys is incorrect, resulting in memory corruption during the computation. 

As a result of the memory corruption, an attacker may be able to perform RCE on the system performing the computation, OpenSSL maintainers said. On June 22, 2022, Xi Ruoyao, who also built the patch, reported this problem to OpenSSL. 

This problem affects SSL/TLS servers and other servers that use 2048-bit RSA private keys and operate on computers that implement AVX512IFMA instructions of the X86 64 architecture. 

“On a vulnerable machine, proper testing of OpenSSL would fail and should be noticed before deployment,” the advisory reads. 

Users using OpenSSL 3.0.4 should update to OpenSSL 3.0.5. This problem does not affect OpenSSL 1.1.1 or 1.0.2.
Read more »
Subscribe to: Comments (Atom)