Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

User Security
China Dark Web Data Breach Data Breaches Data Leak User Privacy User Security

Private Details of 1 Billion Chinese Citizens up for Sale on Dark Web

 

In what could be the biggest-ever breach of personal information in history, the massive store of data containing information about more than a billion people has been leaked from a government agency, possibly from China, and put up for sale on Dark Web for 10 Bitcoins. 

More than 23TB of details apparently siphoned from a Shanghai police database stored in Alibaba’s cloud was put up for sale on the underground Breach Forums by someone with the handle ‘ChinaDan’. The leaked data included names, addresses, birthplaces, national ID numbers, cellphone numbers, and details of any related police records. 

"In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizen," Changpeng Zhao, CEO of cryptocurrency exchange Binance, posted on Twitter. "Databases contain information on 1 billion Chinese national residents and several billion case records, including: name, address, birthplace, national ID number, mobile number, all crime/case details."

How did the data leak? 

The root cause of the data leak remains unknown, but experts believe that the database may have been misconfigured and exposed by human error since April 2021 before it was identified. This would contradict a claim that the database’s credentials were inadvertently leaked as part of a technical blog post on a Chinese developer site in 2020 and later employed to steal a billion records from the police database since no passwords were required to access it. 

But according to Bob Diachenko, a Ukrainian security researcher, this may not be correct. In late April, the researchers’ monitoring records show the database was exposed via a Kibana dashboard, a web-based software used to visualize and search massive Elasticsearch databases. If the database didn’t require a password as believed, anyone could have accessed the data if they knew its web address. 

Cybersecurity experts frequently search the internet for leaked exposed databases or other sensitive data. But hackers also run the same scans, often with the motive of copying data from an exposed database, deleting it, and offering the data’s return for a ransom payment — the standard methodology employed by attackers in recent years. 

Diachenko believes that’s what exactly happened on this occasion; a hacker discovered, raided, and deleted the exposed database, and left behind a ransom note demanding 10 bitcoins for its return. 

“My hypothesis is that the ransom note did not work and the threat actor decided to get money elsewhere. Or, another malicious actor came across the data and decided to put it up for sale,” said Diachenko.
Read more »
Vulnerabilities and Exploits
Avast Backdoor HTTP Attacks Microsoft Exchange Server Vulnerabilities and Exploits

Microsoft IIS Servers Targeted by SessionManager Backdoor


Since March 2021, threats on Microsoft IIS Servers have used a new backdoor called "SessionManager," according to Kaspersky Lab researchers. 

Victims of the backdoor

SessionManager, the malicious software that takes advantage of one of the ProxyLogon vulnerabilities in Exchange servers, poses as a module for Internet Information Services (IIS), a virtual server application for Windows systems. 

The 24 different targets were spread over the continents of Africa, South America, Asia, Europe, Russia, and the Middle East. They also included political, military, and industrial institutions. To date, a SessionManager variation has compromised 34 servers in total.

Due to the comparable victims and a widely used OwlProxy variation, the researchers describe the attack as the GELSEMIUM malicious attacker.

Features  supported by SessionManager:
  • On the hacked server, reading, writing to, and deleting arbitrary files is possible.
  • Remote command execution also runs on arbitrary programs from the compromised server.
  • Creating connections to any network endpoints that the hacked server is capable of accessing, as well as reading and writing in those connections.
The backdoor also might serve as a post-deployment tool, enabling operators to spy on the intended environment, collect in-memory passwords, and introduce new malicious payloads.

Elements of  command and control code

Since its initial discovery in March 2021, ProxyLogon has drawn the interest of numerous malicious actors, and the most recent attack chain is no exception. The Gelsemium team took use of the flaws to drop SessionManager, a backdoor designed in C++ to handle HTTP requests submitted to the server.

Once the malicious code receives the carefully constructed HTTP requests from the threat actors, it runs the instructions concealed in the requests before sending them to the server to be handled like any other request.

Additionally, the malware serves as a covert route for spying, collects passwords stored in memory, and distributes other tools like Mimikatz and an Avast memory export application.
Read more »
Technology
Computers Cryptography Protocols Quantum Technology

Post-quantum Cryptography Achieves Standardization Milestone

 

The first four standardised protocols for post-quantum cryptography have been released, providing the foundation for the creation of "future-proof" apps and web services. 

Last Monday, the US federal government's National Institute of Standards and Technology (NIST) announced a quartet of recommended protocols as part of a continuing standardisation process. The chosen encryption algorithms will be included in NIST's post-quantum cryptography standard, which is scheduled to be completed within the next two years. 

Four more algorithms are currently being considered for inclusion in the standard. According to NIST, for most use cases, two basic algorithms should be implemented: CRYSTALS-KYBER (key-establishment) and CRYSTALS-Dilithium (digital signatures). 

In the event that one or more approaches prove insecure, more than one algorithm for each use case is being sought as a backup. NIST recommends CRYSTALS-Dilithium as the principal method for digital signatures, with FALCON for applications that require smaller signatures than Dilithium can offer. SPHINCS, a third algorithm, is slower than the other two but was approved since it is based on a distinct mathematical process and so gives a possibility to increase variety. Dustin Moody of NIST discussed why another round of selection was required.

“Of the four algorithms we selected, one is for encryption and three are for digital signatures,” Moody told The Daily Swig. 

“Of the four algorithms that we will continue to study in the fourth round, all four are encryption algorithms. The primary motivation for this is to find a non-lattice-based signature scheme which is suitable for general purpose use to be a backup for our lattice-based signature algorithms we are standardizing (Dilithium and Falcon),” Moody added. 

He continued: “Our current NIST public-key standards cover encryption and signatures. So that is what our standardization process was targeted for – to replace the vulnerable cryptosystems in those standards. Other functionalities may be considered in the future.” 

The ongoing quest for next-generation cryptographic systems is required since present encryption protocols, such as RSA, rely on solving mathematical problems that are beyond the capabilities of even the most powerful conventional computers. Sufficiently powerful quantum computers, which operate on a fundamentally different paradigm than today's PCs or servers, may be capable of cracking today's public key encryption techniques. Increasing the key length alone will not suffice to counter this possible danger, necessitating the creation of post-quantum cryptography methods. 

Decrypt later, store now

Despite the fact that the present generation of quantum computers is mostly experimental and hampered by engineering hurdles, attackers may be planning for their future availability using "store-now-decrypt-later" assaults.If such attacks are effective, a rising volume of normally encrypted financial, government, commercial, and health-related data will be vulnerable to attack by suitably powerful quantum computers. 

Quantum computers handle computational tasks by relying on the features of quantum states, such as superposition, interference, or entanglement, rather than the basic binary states (0 or 1) of traditional computers. When paired with quantum algorithms, the technology might solve some mathematical problems, such as integer factorization, in a manageably short period, posing a danger to current encryption systems that rely on the current intractability of such issues. Quantum-resistant algorithms are based on arithmetic problems that both traditional and quantum computers should struggle to solve.
Read more »
Ransomware attack
Cyber Attacks Dutch Police Dutch University Ransom Ransomware attack

Maastricht University Retrieves Ransom Amount Paid in 2019

 

Earlier this month, the southern Maastricht University (UM) in Netherland with more than 22,000 students, revealed that it had retrieved the ransom paid after a ransomware assault that targeted its network in December 2019. 

After a detailed investigation of the incident, Fox-IT researchers attributed the attack to a financially motivated hacker gang tracked as TA505 (or SectorJ04). The hacking group has been active since at least 2014 and has primarily targeted retail and financial organizations. 

The hackers breached the university's systems through phishing e-mails in mid-October and installed Clop ransomware payloads on 267 Windows systems on December 23, after moving laterally via the network. 

After a week, the university decided to accede to the criminal gang's demand and paid a 30 bitcoin ransom (roughly €200,000 at the time) for the ransomware decryptor. This was partly because private data was in danger of being lost and students were unable to take an exam or work on their theses. Secondly, the rebuilding of all compromised systems from scratch or creating a decryptor were not viable options. 

"It is a decision that was not taken lightly by the Executive Board. But it was also a decision that had to be made," University explained in a blog post. "We felt, in consultation with our management and our supervisory bodies, that we could not make any other responsible choice when considering the interests of our students and staff."

However, as UM recently revealed, the local police traced and seized a wallet containing the cryptocurrency paid by the university as ransom in 2019.

"The investigation [..] eventually paved the way for the seizure of the cryptocurrency by the Dutch Public Prosecution Service. As early as February 2020, the investigation team froze a so-called wallet containing part of the paid ransom," UM said. The value of the cryptocurrencies found at that time was €40,000; at the current exchange rate, they are worth approximately €500,000."

Although this might appear like the university made a considerable profit within a relatively short time, the €500,000 seized by Netherlands' Public Prosecution Service represents significantly less than the damage inflicted during the ransomware attack. These seized funds are now in a bank account under the control of the law enforcement agents, and the Ministry of Justice has already initiated legal proceedings to transfer them to the university.
Read more »
Ransomware Attacks.
Data Leak Double extortion Encryption Extortion Threat Malicious actor malware Ransomware Attacks.

Businesses Hit By The Ransomware 0mega

 

Launched in May 2022, this new ransomware operation known as 0mega uses a double-extortion method to target corporations all over the world and seeks millions of dollars in ransom. 

Since a ransomware sample for the 0mega operation is not yet detected, not much is known about the encryption method used. However, what's known is that the malware adds the .0mega extension to the encrypted file names and produces ransom letters with the filename extension DECRYPT-FILES.txt, according to BleepingComputer. 

Such ransom notes are made specifically for each victim, and they typically include the name of the business and a list of the various kinds of data that were stolen. Additionally, some notes contain threats that, in the scenario that a ransom is not paid, the 0mega gang will reveal the information to commercial partners and trade associations. 

The victims can contact the ransomware group using the "help" chat feature of the Tor payment negotiation site included in ransom notes. It includes a special code to get in touch with the operators via the negotiating site. 

Like practically all ransomware operations that target businesses, 0mega has a specific site for data leaks where malicious actors disseminate stolen information if a ransom is not paid. 152 GB of data that was stolen from an electronics repair business in a May incident is now hosted on 0mega's leak site. 

Last week, though, there was a second victim who has since been eliminated, suggesting that the business has perhaps paid a ransom. In a published blog post The digest 'Crypto ransomware', researchers Lawrence Abrams and Andrew Ivanov discusss the malware in detail.
Read more »
Spyware
attacks Breach Crypto cryptocurrency lazarus Lazarus Group malware Spyware

Hackers Used Fake LinkedIn Job Offer to Steal $625M

 

Earlier this year, Ronin Network (RON), the blockchain network behind the popular crypto games Axie Infinity and Axie DAO, experienced the greatest crypto attack against a decentralised financial network ever reported. 

The United States issued advice in May 2022, stating that highly competent hackers from North Korea were attempting to get work by posing as IT freelancers. The Axie Infinity attack was socially engineered, with the North Korean government-backed hacker organisation Lazarus into Sky Mavis' network by giving one of the company's workers a PDF file carrying malware. Lazarus' participation in such a high-profile breach should come as no surprise. 

In January 2022, analysts from several crypto security organizations concluded that North Korean hackers had stolen $1.3 billion from cryptocurrency exchanges throughout the world, with the famed Lazarus group as their top suspect. 

Axie Infinity Hack 

The employee, an ex-senior engineer at the firm, fell for the trap and opened the PDF, believing it was a high-paying job offer from another company. However, this firm did not exist in reality.

During the recruitment process, the ex-employee disclosed sensitive personal information that attackers utilised to steal from the organisation. Sky Mavis' staff are regularly threatened by sophisticated spear-phishing attempts on multiple social networks, according to the company. In this case, one person, who does not even work at Sky Mavis, was duped. 

How was Ronin hacked? 

According to The Block, at the time of the attack, Axie Infinity had nine validators from its proof-of-authority, an Ethereum-based sidechain Ronin. 

“The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes,” Sky Mavis stated.

To get access to the company's networks, the attacker needed to seize five out of nine validators. The spyware-laced PDF allowed the attacker to gain control of four validators and get entry to the community-run Axie DAO (Decentralized Autonomous Organization), from which they gained control of the fifth validator. After breaching the network, the attackers took $25 million in USDC stablecoin and 173,600 ether (about $597 million) from Axie Infinity's treasury, totaling $625 million in crypto. 

Nonetheless, the Ronin sidechain upped the number of validators to 11 to improve security, and Sky Mavis is reimbursing Axie Players who lost crypto as a result of the hack. In April 2022, the company raised $150 million in funding. 

The US administration alleges that the assault was carried out by the renowned North Korean hacking organisation Lazarus. This organisation specialises in such attacks. This is hardly Lazarus' first foray into the blockchain sector. However, Lazarus using social engineering to infiltrate a company's networks is unusual. In reality, the Slovak internet security company ESET notified LinkedIn users in June 2020 about Lazarus' involvement in a complex LinkedIn recruiting fraud targeting military and aerospace industries.
Read more »
Disneyland
cyber attack Cyber Attacks data compromised Data Theft Disneyland

Disneyland's Official Handles Hacked to Take Revenge

 

Disneyland Resort’s Instagram and Facebook pages have been compromised on Thursday by a self-proclaimed “super hacker” who posted a number of posts that included foul language and racist slurs. A Disneyland spokesperson said that the accounts “were compromised early this morning.” The posts have since been removed. 

“We worked quickly to remove the reprehensible content, secure our accounts, and our security teams are conducting an investigation,” the spokesperson said in a statement. 

Following the incident, The Los Angeles Times reported that the hacker named “David Do,” claimed that he was taking his “revenge” on Disneyland workers who had allegedly insulted him. 

“I am a super hacker that is here to bring revenge upon Disneyland [...] Who’s the tough guy now Jerome?” one of the posts read. The hacker also uploaded posts in which he was claiming to have “invented” COVID-19 and suggested he was working on a new variant of the “COVID20” virus. 

The culprit posted overall four posts on Disneyland’s Instagram account before 5 am PT, according to a post on the Disneyland blog

Disneyland's Facebook and Instagram handles were temporarily taken down shortly after the officials found out the posts on live and were brought back online after the cybersecurity team removed the posts. However, the park’s other social media handles and pages were not compromised. 

“It’s not known how this person managed to gain access to the Disneyland Instagram account. Was it a stranger hack or a previous employee with access to the logins? We worked quickly to remove the reprehensible content, secure our accounts and our security teams are conducting an investigation,” Disneyland said in an update to the post today.
Read more »
User Privacy
Data Breach LockBit 2.0 ransomware Money Laundering Ransomware Attacks. User Privacy

Expansion of the LockBit Ransomware

 

To keep the masses notified about potential threats, the Cybereason Global Security Operations Center (GSOC) Team publishes Cybereason Threat Analysis Reports. The Threat Analysis Reports examine into such threats and offer suggestions for how to defend against them. 

LockBit, which was first identified in September 2019, uses the ransomware-as-a-service (RaaS) attack method and targets businesses. The ransomware operators are improving their techniques to disable Endpoint detection and response (EDR) tools and other security solutions. 

Variables of the Virus 

Using the infrastructure and tools already in place for ransomware, Lockbit RaaS enables affiliates to conduct their own attacks while splitting a portion of the money received.

The affiliates associated with the LockBit gang utilized their own malware and tools to exploit the targets in the first attack that the researchers were able to document, which happened in Q4 2021. The majority of the infections that the researchers examined involved threat actors infiltrating the target networks by taking advantage of a misconfigured service, particularly an RDP port that was left accessible to the public. 

The attacker started the reconnaissance work and credentials extraction after gaining the first foothold on the vulnerable network. In this instance, the attackers employed advanced network monitoring tools like Netscan and Mimikatz to find the network's structure and valuable assets. 

The researchers describe a second infection that happened in Q2 of 2022. The researchers described the attack's many phases, including the initial compromise, lateral actions, creating durability, upgrading of privileges, and the generation of the ransomware in its final stages. 

The attackers made use of net.exe to create domain accounts and grant themselves 'domain administrator' rights. They then exploited these accounts to propagate throughout the victim's network and maintain persistence. The researchers also discovered that the attackers were using Ngrok, a reliable reverse proxy tool that enables them to build a tunnel to servers protected by firewalls.

Additional PCs in the target network were also infected by the threat actors with the malware 'Neshta', a file infector that inserts malicious code into targeted executable files. 

Exfiltration of Records

The data was collected and exfiltrated when the LockBit affiliate secured persistent remote access and the necessary credentials. For this, the actors employed three different tools: 
  • Filezilla.exe is used to establish a connection to attacker-controlled remote FTP service. 
  • Data exfiltration using Rclone.exe to a cloud hosting provider associated with 'Mega'.
  • Data exfiltration tool Megasync.exe to a "Mega"-related cloud hosting provider .
The LockBit affiliate has now fulfilled all the steps required to run the LockBit payload and start encryption:
  • Through several hacked devices, persistence in the system.
  • Access to accounts with high privilege.
  • Gathered and leaked victim info.
  • List of the most valuable assets discovered through network scans .
Along with Mitre mapping, the experts also discussed signs of vulnerability. LockBit 3.0, which includes significant innovations like a bug bounty program, Zcash payment, and new extortion techniques, was just launched by the Lockbit ransomware operation. The group is now one of the most active ransomware gangs and has been active at least since 2019.
Read more »
Spear Phishing Campaign
CrowdStrike Cyber Phishing malware Malware Attack Phishing Campaign RATs Spear Phishing Campaign

Callback Malware Campaign Imitates CrowdStrike and Other Big Cybersecurity Organizations


About the Attack

Earlier this month, CrowdStrike Intelligence found a callback phishing campaign copying big cybersecurity companies, including CrowdStrike. The phishing emails say that the receiver's (e-mail) company has been compromised and that the victim should contact the given phone number. The campaign incorporates similar social-engineering techniques that were used in the recent callback campaigns like WIZARD SPIDER'S 2021 Bazaar all campaign. 

The campaign is likely to include common genuine remote administration tools (RATs) for access in initial stage, off the shelf penetration testing tools for lateral movement, and execution of ransomware or extorting data. The callback campaign incorporates emails that look like it originates from big security companies, the message says that the security company found a potential issue in the receiver's network. As we have noticed in the earlier campaigns, the threat actor gives the recipient a phone number to call. 

In the past, callback campaign operators have tried to convince victims to install commercial RAT software to get an early foothold on the network. "For example, CrowdStrike Intelligence identified a similar callback campaign in March 2022 in which threat actors installed AteraRMM followed by Cobalt Strike to assist with lateral movement and deploy additional malware," says CrowdStrike. 

Current Situation 

Currently, CrowdStrike intelligence can't confirm the version in use, the callback operators will most probably use ransomware to monetize their operations. "This assessment is made with moderate confidence, as 2021 BazarCall campaigns would eventually lead to Conti ransomware — though this ransomware-as-a-service (RaaS) recently ceased operations. This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches," says CrowdStrike.

Read more »
Windows
Backdoor Security Bug Shellcode Vulnerabilities and Exploits Windows

Rozena Backdoor Deployed by Abusing the Follina Vulnerability

 

A newly discovered phishing campaign is exploiting the Follina security vulnerability to deploy a private backdoor, named Rozena on the Windows systems. 

"Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine," Cara Lin, a researcher at Fortinet FortiGuard Labs stated in a report published this week. 

Tracked as CVE-2022-30190, the security bug is related to the Microsoft Support Diagnostic Tool (MSDT) that impacts Windows 7, Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, and Windows Server 2022. The vulnerability came to light in late May 2022 but the root cause of the flaw has been known for at least a couple of years. 

The latest attack chain is a weaponized Office document that, when opened, links to a Discord CDN URL to retrieve an HTML file ("index.htm") that, in turn, triggers the diagnostic utility employing a PowerShell command to download next-stage payloads from the same CDN attachment space. 

This includes the Rozena implant ("Word.exe") and a batch file ("cd.bat") that's designed to terminate MSDT processes, establish the backdoor's persistence by means of Windows Registry modification, and download a harmless Word document as a decoy. 

The primary function of the Rozena backdoor is to inject a shellcode that launches a reverse shell to the hacker’s device (“microsofto.duckdns[.]org”), in this way the malicious actor can secure full control of the system. 

The exploitation of the Follina security bug is done by distributing the malware via malicious word documents. The word documents act as a dropper and are distributed through emails that contains a password-encrypted ZIP as an attachment, an HTML file, and a link to download, in the body of the email. Multiple malware such as Emotet, QBot, IcedID, and Bumblebee are then injected into the victim’s device. 

According to researchers, the assaults discovered in early April primarily featured Excel files with XLM macros. Microsoft's decision to block macros by default around the same time is said to have forced the hackers to shift to alternative techniques like HTML smuggling as well as .LNK and .ISO files. 

“CVE-2022-30190 is a high-severity vulnerability that lets a malicious actor deliver malware through an MS Word document. Microsoft already released a patch for it on June 14, 2022. In this blog, we showed how an attacker exploits Follina and included details of Rozena and the SGN ShellCode. Users should apply the patch immediately and also apply FortiGuard protection to avoid the threat,” the researcher concluded.
Read more »
VMware
Linux malware Ransomware RedAlert VMware

This New RedAlert Ransomware Targets Windows, Linux VMware ESXi Servers

 

RedAlert (aka N13V), a new ransomware threat that encrypts both Windows and Linux VMWare ESXi systems, has been discovered. Concerning the RedAlert ransomware, MalwareHunterTeam uncovered the new ransomware and published various screenshots of its data leak site. Because of a string in the ransom text, the ransomware is known as RedAlert. 

However, the attackers are internally referring to their operation as N13V in the Linux encrypter version. The Linux encryptor is intended for use on VMware ESXi servers, including command-line options that enable attackers to shut down any operating virtual machines before locking data. 

RedAlert, like other enterprise-targeted ransomware operations, conducts double-extortion attacks in which data is taken and then ransomware is used to encrypt machines. The ransomware exclusively targets VMware ESXi virtual machine data, such as memory files, log files, virtual discs, and swap files. 

The ransomware encrypts certain file formats and appends the extension.crypt658 to the file names. The ransomware produces a specific ransom note entitled HOW TO RESTORE in each folder, which includes a description of the stolen data and a link to a TOR ransom payment site. One of RedAlert/features N13V's is the '-x' command-line option, which performs asymmetric cryptography performance testing with various NTRUEncrypt parameter sets. 

During encryption, the ransomware employs the NTRUEncrypt public-key encryption method, which supports several 'Parameter Sets' with varying degrees of protection. Aside from RedAlert, the only other ransomware known to use this form of encryption is FiveHands.  

RedAlert currently lists only one organisation as a victim, however, this may change in the near future. Furthermore, the malware's compatibility for both Windows and Linux shows that it intends to target a broader attack surface. As a result, enterprises should keep an eye on this threat. Always use encryption and access controls to safeguard critical information.
Read more »
Subscribe to: Comments (Atom)