
Cryptocurrency Exchanges Linked to Ransomware

 


Nine cryptocurrency exchange websites have been taken down by the FBI and the Ukrainian police in a daring joint operation. Cybercriminals and ransomware gangs used these websites to launder money, as the sites facilitated money laundering for criminals operating online. Ukrainian prosecutors' offices and the Virtual Currency Response Team were also involved in the operation.

The FBI seized several virtual currency exchange services on Monday. These services may have been used by cybercriminals to launder money obtained through ransomware attacks. The United States Department of Justice announced that the FBI's Detroit Field Office, in collaboration with Ukrainian police, seized virtual currency exchanges that criminals used for anonymous transactions.

A press release states that in the 'crypto exchanges' operation the FBI also received support from the Virtual Currency Response Team (VCRT), the National Police of Ukraine, and regional prosecutors. The nine seized domains are:

  1. 24xbtc.com 
  2. 100btc.pro 
  3. pridechange.com 
  4. 101crypta.com 
  5. uxbtc.com 
  6. trust-exchange.org 
  7. bitcoin24.exchange 
  8. paybtc.pro 
  9. owl.gold 
These websites allowed users to anonymously buy Bitcoin, Ether, and other cryptocurrencies. They offered exchange services in Russian and English with few or no Know Your Customer (KYC) or Anti-Money Laundering (AML) checks, and they were advertised on online forums dedicated to criminal activity.

The exchange servers have been shut down and their domain names taken over by US authorities. The exchanges were accused of offering anonymous cryptocurrency exchange services to site visitors, who included cybercriminals, scammers, and many other bad actors.

The FBI has accused these crypto exchanges of being used by cybercriminals, including scammers, ransomware operators, and hackers, to launder money. The FBI also stated that the exchanges were unlicensed, which under US law makes them supporters of criminal activity.

Two servers were confiscated. These servers were located in different parts of the world, including the US, Ukraine, and several European countries. Cybercriminals used the exchanges to launder the proceeds of illegal activities, and the authorities are now using the seized infrastructure to identify and track down those hackers.

It should be noted that both the English- and Russian-language exchanges, which offered similar services and evaded money laundering controls, were censured by the FBI for having weak or no anti-money laundering measures and for collecting little or no Know Your Customer information. The FBI says that unlicensed, rogue exchanges of this kind are among the most critical hubs of the cybercrime ecosystem.

On the seized websites, users could anonymously convert their cryptocurrency into coins that are more difficult to trace. Hackers used them to disguise the source of the money they stole and to avoid detection by law enforcement agencies.

The sites offered a wide range of services, including live help and instructions in both Russian and English, and served a wide range of cybercrime communities.

The FBI's announcement indicates that noncompliant virtual currency exchanges operating in violation of the United States Code, Sections 1960 and 1956, act as hubs for cybercrime. They have lax anti-money laundering programs and collect little information about their customers, which makes them significant cybercrime centers.

A search was conducted at the home of former FTX executive Ryan Salame early this month. This was part of the FBI's investigation into Salame's role as an advisor to Bankman-Fried at the time. 

In the operation, the FBI and Ukrainian police took down nine websites known as 'crypto exchanges' that were well known for laundering money for ransomware groups and cybercriminals. The daring action was part of an organized campaign to disrupt the digital infrastructure that lets cybercriminals profit from their malicious actions.


Fight over Kids Online Safety Act Sparks Debate, as Bill Gains Support in Congress

 

The Kids Online Safety Act, or KOSA, is a newly reintroduced legislation aimed at improving the mental health and safety of children by imposing restrictions on tech companies. Although it is gaining support in Congress, civil liberties groups are increasingly opposing it, arguing that the bill would undermine free speech and online privacy protections. 

Under KOSA, platforms would be required to prevent users under 17 from accessing content that promotes harmful behaviors like eating disorders and suicide. They would also need to provide parents with tools to monitor their children's platform use, including safety settings. Additionally, companies would have to allow independent audits and grant academic researchers access to data to better understand how social media is affecting young people. 

The latest version of KOSA, which was first introduced by Senators Richard Blumenthal of Connecticut and Marsha Blackburn of Tennessee last year, specifies the duty of care aspect to only apply to tech companies for harms such as eating disorders, suicide, and data collection. Furthermore, the bill includes explicit protections for support services like suicide help hotlines, schools, and educational software.

“I think our bill is clarified and improved,” Sen. Richard Blumenthal, D-Conn., said at a press conference Tuesday that also included groups and parents supporting the bill. “We’re not going to solve all of the problems of the world with a single bill but we are making a measurable, very significant start.”

Several advocacy groups, including the National Center on Sexual Exploitation, the American Academy of Pediatrics, and Fairplay, along with parent and youth advocates, have expressed their support for KOSA legislation. During a press conference, parents who lost their children in social media-related incidents also spoke in favor of the bill. However, some critics of the bill have argued that the proposed changes do not address their concerns. 

 “If an attorney general wants to argue that trans kids talking about going to a protest is making other kids depressed, they can do that,” says Fight for the Future director Evan Greer.

Additionally, the bill does not provide clear guidelines on what counts as mitigation or prevention resources, leaving companies at risk of liability or discouraging them from recommending content on that topic. In the past, companies have been shown to opt for the latter option in similar situations, as demonstrated by the passage of SESTA-FOSTA in 2018. 

“There are two fatal flaws in this bill,” said Greer. “One is a misunderstanding of how platforms will react to this liability and the other is a fundamental misunderstanding of how technology works.”
 
The group requested a meeting with Blumenthal's office to discuss their concerns, but their requests were ignored. Blumenthal's office did not respond to the question about the meeting requests. The ACLU, which Blumenthal said the lawmakers had met with, also still opposes the law. 

“KOSA’s core approach still threatens the privacy, security and free expression of both minors and adults by deputizing platforms of all stripes to police their users and censor their content under the guise of a ‘duty of care,'” said Cody Venzke, senior policy counsel at ACLU. “KOSA would be a step backwards in making the internet a safer place for children and minors.”

Despite its critics, the bill appears to be outpacing other online safety efforts in Congress. The bill now has over 30 cosponsors in the Senate, more than double the last time it was introduced. Blumenthal says that Senate Majority Leader Chuck Schumer, D-N.Y., backs the legislation and a vote is a question of timing. “I fully hope and expect to have a vote this session,” Blumenthal said.

“Giving extremist governors the power to decide what content is safe for kids online is a nonstarter,” Sen. Ron Wyden, D-Ore., wrote in a statement to CyberScoop. “However, I share the sponsors’ goal of making the internet safer for children and appreciate the bill’s effort to limit addictive design features targeted at children. I urge my colleagues to focus on elements that will truly protect kids, rather than handing MAGA Republicans more power to wage their culture war against kids.”

The proposed KOSA bill, which aims to enhance children's safety, does not have a counterpart in the House and may face opposition from younger and more progressive members. It is one of many bills focused on children's safety that has garnered attention from civil society groups, with KOSA receiving the most support. Meanwhile, the Senate Judiciary Committee is set to discuss another bill, the EARN IT Act, which seeks to prevent online exploitation of children but has raised concerns about its potential impact on free speech and encryption. 

A coalition of 132 organizations has written to Senate Judiciary Chair Dick Durbin and ranking member Lindsey Graham, urging them to reject the bill. Durbin has also introduced similar legislation, the STOP CSAM Act, but it is not expected to be discussed this week. 

Additionally, a new bill introduced by Sens. Tom Cotton, R-Ark., Brian Schatz, D-Hawaii, Katie Britt, R-Ala., and Chris Murphy, D-Conn. would prohibit social media for children under 13 and require parental consent for those under 18.

Vulnerability in Oracle Property Management Software Puts Hotels at Risk

 

The hundreds of hotels and other hospitality-related organisations across the globe who use Oracle's Opera property management system may wish to immediately patch a bug that Oracle revealed in its April 2023 security update. 

According to Oracle, which described it as a complex flaw in the Oracle Hospitality Opera 5 Property Services software, only an authenticated attacker with highly privileged access could exploit the vulnerability (CVE-2023-21932). Based on factors such as the apparent inability of an attacker to exploit it remotely, the vendor gave it a moderate severity rating of 7.2 on the CVSS scale.

Inaccurate evaluation 

According to the researchers who actually found and reported the bug to the company, Oracle's description of the vulnerability is incorrect.

In a blog post, researchers from the attack surface management company Assetnote and two other organisations said they had used the flaw to achieve pre-authentication remote code execution while taking part in a live hacking event in 2017. The researchers named one of the biggest resorts in the US as the target in that event.

"This vulnerability does not require any authentication to exploit, despite what Oracle claims," Shubham Shah, co-founder and CTO of Assetnote, explained in a blog post this week. "This vulnerability should have a CVSS score of 10.0."

In order to centrally manage reservations, guest services, accounting, and other activities, hotels and hotel chains all over the world use Oracle Opera, also known as Micros Opera. Major hotel brands like Marriott, IHG, Radisson, Accor, and the Wyndham Group are among its clients. 

Attackers who exploit the flaw may be able to obtain guests' sensitive personal information, credit card data, and other information. CVE-2023-21932 affects version 5.6 of the Opera 5 Property Services platform.

Oracle said the flaw enables attackers to access all data that Opera 5 Property Services has access to. Attackers could also edit, add, or remove a portion of the system's data.

Shah, a bug hunter on the HackerOne platform, conducted a source-code analysis of Opera and found the vulnerability together with Sean Yeoh, engineering lead at Assetnote, Brendan Scarvell, a pen tester with PwC Australia, and Jason Haddix, CISO at adversary emulation firm BuddoBot.

Shah and the other researchers determined that CVE-2023-21932 stems from an Opera code fragment that sanitises two particular variables and only then decrypts the encrypted payload, rather than the other way around.

According to the researchers, this kind of "order of operations" flaw lets attackers use those variables to smuggle in an arbitrary payload that never passes through sanitisation.

"Order of operations bugs are really rare, and this bug is a very clear example of this bug class," Shah tweeted earlier this week. "We were able to leverage this bug to gain access to one of the biggest resorts in the US, for a live hacking event." 

The researchers explained the steps they took to get around particular restrictions in Opera in order to achieve pre-authentication exploitation, noting that none of them required any kind of specialised access or knowledge of the software.
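The order-of-operations bug class described above, as an added illustration that is not Oracle's or Assetnote's code: the vulnerable handler sanitises the request variables and then decrypts, so the sanitiser only ever sees an encoded blob; the fixed handler decrypts first and sanitises what the application will actually use. The allow-list, the XOR-with-hex stand-in cipher, and all function names are assumptions for the example, not Opera's scheme.

```python
"""
Added illustration (not Oracle's code) of the "order of operations" bug
class: sanitising request variables before decrypting the payload means the
decrypted content is never sanitised. The cipher is a constructed XOR-with-hex
stand-in, not Opera's scheme, and every name here is an assumption.
"""
import re

# Hypothetical allow-list: only letters, digits, dot, dash and underscore.
_DISALLOWED = re.compile(r"[^A-Za-z0-9._-]")
_KEY = b"constructed-demo-key"  # stand-in key, nothing secret about it


def sanitise(value: str) -> str:
    """Strip every character outside the allow-list."""
    return _DISALLOWED.sub("", value)


def _xor(data: bytes) -> bytes:
    return bytes(b ^ _KEY[i % len(_KEY)] for i, b in enumerate(data))


def encrypt(plaintext: str) -> str:
    """Constructed stand-in cipher. The hex output is pure [0-9a-f], so it
    always survives the allow-list unchanged."""
    return _xor(plaintext.encode()).hex()


def decrypt(ciphertext: str) -> str:
    return _xor(bytes.fromhex(ciphertext)).decode()


def handle_vulnerable(params: dict) -> str:
    """Sanitise first, decrypt second. The sanitiser only sees the encoded
    blob, which is already allow-list clean, so whatever is inside the
    payload reaches the application untouched."""
    cleaned = {k: sanitise(v) for k, v in params.items()}
    return decrypt(cleaned["payload"])


def handle_fixed(params: dict) -> str:
    """Decrypt first, then sanitise the value that will actually be used."""
    return sanitise(decrypt(params["payload"]))


def demo():
    """Constructed payload with characters the allow-list is meant to drop."""
    unsafe = "report.txt;../../etc/passwd<script>"
    params = {"payload": encrypt(unsafe)}
    return handle_vulnerable(params), handle_fixed(params)


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("sanitise-then-decrypt :", vulnerable)
    print("decrypt-then-sanitise :", fixed)
```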

In response to the Assetnote blog, security researcher Kevin Beaumont noted that a number of Shodan queries could be used to discover hotels and other companies running Opera.

According to Beaumont, none of the properties he discovered using Shodan had been patched. Sooner or later, Beaumont said, Oracle product security will have to be discussed.

According to Shah and the other researchers, CVE-2023-21932 is only one of many bugs in Oracle Opera, at least some of which the company has not fixed. Please never put this on the Internet, they pleaded.

Inside the Carrington Mortgage Services Ransomware Attack: Compromised Data and Cybersecurity Measures


The Carrington Mortgage Services Ransomware Attack

Cybersecurity incidents have become increasingly common in the mortgage industry, with multiple lenders and servicers experiencing data breaches that compromised sensitive customer information. Carrington Mortgage Services is the latest player to be impacted, as a ransomware attack at its vendor Alvaria compromised the information of its customers, including partial Social Security numbers. 

In this blog post, we'll take a closer look at the details of this breach, as well as other recent cybersecurity incidents in the mortgage industry.

Details of the Data Compromised in the Attack

Last week, Carrington Mortgage Services announced that a technology company it uses, Alvaria, experienced a ransomware attack in March. As a result, the personal information of some of Carrington's customers, including partial Social Security numbers, was compromised. 

 Although neither Carrington nor Alvaria disclosed the total number of affected clients, a letter to state attorneys general indicated that at least 4,167 residents of Massachusetts were impacted. This is the most recent hack of a mortgage player, following a series of incidents across the industry last year. 

Alvaria's Response to the Breach

Alvaria responded to the attack by restoring its operations from backups and securing its networks. According to the Iowa letter, “the unauthorized actor obtained some data associated with the company maintained in the technical system log and temp files.” It adds: “While Alvaria performed its forensic investigation, the company completed its analysis of the affected data on April 4, 2023.”

According to Carrington Mortgage Services, compromised data due to the breach at Alvaria includes clients' names, mailing addresses, telephone numbers, loan numbers and balances, and the last four digits of their Social Security numbers. 

However, when asked about Alvaria's reported data breach, Carrington's attorney declined to comment, while Alvaria's general counsel deferred to a company spokesperson. Alvaria did notify the FBI and took additional security measures following the breach, although the details of these measures were not disclosed. 

Impact of Data Breaches on Mortgage Lenders and Servicers

In an effort to mitigate the effects of the breach, Carrington is offering customers 24 months of free credit monitoring and fraud consultation from Experian. In a letter to the Iowa Attorney General, Carrington defended its information security diligence and stated that it had received positive reviews from state and federal regulators, rating agencies, and banking counterparts. 

The letter signed by the attorney for Carrington said: “Nevertheless, in light of this event, the company has begun an additional assessment of Alvaria's technical security measures to ensure that Alvaria has been providing and will continue to provide the security measures promised to the company and to help ensure this type of incident does not happen again.” 

Carrington Mortgage Services has been actively involved in the mortgage servicing rights market and purchased $62.3 billion in 2020, making it one of the top 25 servicers in the country. In total, it holds $122.1 billion in MSRs from 682,000 borrowers. This incident is the second data breach at Alvaria within four months, with the previous attack being disclosed in February and impacting 4,695 customers.

Other Cybersecurity Incidents in the Mortgage Industry

The Hive Ransomware group was responsible for this attack, and in November, the group released corporate records on the dark web, though no customer data was included. It's unclear whether the November breach affected mortgage customer data. In 2021 alone, various mortgage lenders have disclosed cybersecurity incidents that impacted 191,000 customers. 

These attacks have ranged in severity, from incidents affecting as few as 600 customers to a third-party breach that impacted 139,493 customers of Hatch Bank in California. Several class action complaints against impacted companies remain pending in federal courts, including those against servicers such as Key Bank, Lower, and Overby-Seawell Company.

Top Victim of AI Voice Scams with 83% Losing Money

A new report has revealed that India tops the list of countries most affected by AI-powered voice scams. The report, released by cybersecurity firm McAfee, shows that 83% of Indians who fell victim to voice scams lost money, making them the most financially affected.

Voice scams are a growing concern in India and around the world. Criminals use artificial intelligence (AI) technology to create lifelike voice bots that mimic real human voices, making it harder for victims to detect fraud. Once they gain the victim's trust, scammers use various tactics to steal their money or personal information.

According to the McAfee report, almost half of all Indians have experienced an AI-enabled voice scam. These scams can take many forms, such as impersonating bank officials, telecom providers, or even government officials. The scammers trick victims into revealing their bank account or credit card details or even convincing them to transfer money to a fake account.

The report highlights the need for greater awareness of AI-powered voice scams and how to avoid falling victim to them. It recommends that individuals take basic precautions such as not sharing personal information over the phone, verifying the identity of the person calling before divulging any information, and being wary of unsolicited calls.

McAfee also recommends that organizations invest in anti-fraud technology to help detect and prevent these scams. The report suggests that organizations could use advanced voice analytics to identify fraudulent calls and stop them in real time.

As AI technology continues to evolve, it is likely that voice scams will become even more sophisticated and harder to detect. It is therefore essential that individuals and organizations remain vigilant and take proactive steps to protect themselves from this growing threat.

The rise of AI-powered voice scams is a cause for concern in India and globally. With India topping the list of victims, it is clear that more needs to be done to combat this threat. By raising awareness, investing in anti-fraud technology, and taking basic precautions, individuals and organizations can help protect themselves from these scams and prevent criminals from profiting at their expense.


Absolute's 2023 Resilience Index: America's Cybersecurity

Recently, the White House has come up with a new national cybersecurity strategy called ‘Absolute's 2023 Resilience Index’, which will hold software companies responsible for the security of their products. The document unveiled by the government includes regulations for vulnerable critical infrastructure firms and software liability for exploitable vulnerabilities.

Following this, the administration said that it is collaborating with Congress to create a new law that can combat cybersecurity matters effectively. This index has been proposed after hacking incidents that threatened major public services during the first year of the Biden administration. 

In addition to this, the federal government is also planning to use its regulatory and purchasing power to encourage software manufacturing companies that are crucial to the economy and national security to improve their cybersecurity measures. 

Jen Easterly, director of CISA, has urged technology companies to take responsibility for the cybersecurity of their products, which are crucial to society. Further, she questioned why the blame for security breaches falls on companies for not patching vulnerabilities, rather than on the manufacturers who created the technology requiring multiple patches. 

“We often blame a company today that has a security breach because they didn’t patch a known vulnerability. What about the manufacturer that produced the technology that required too many patches in the first place?” Easterly added. 

The administration is considering ways to make the tech sector accountable for the digital safety of critical US industries, with a forthcoming cybersecurity strategy expected to demand increased security investments from industries supporting sectors like energy, water, and healthcare. 

In recent years, the White House has already released important guidelines for improving cybersecurity, such as the Executive Order on Improving the Nation’s Cybersecurity, which was issued in May 2021 and mandated zero trust as a best practice for modern cybersecurity programs across sectors. Additionally, in a memo issued in January 2022, the U.S. Office of Management and Budget identified zero trust as a critical element of a modern cybersecurity strategy. 

However, the main obstacles to achieving cybersecurity success today are the same as they were 12 months ago. Bad actors are continuously evolving, developing new variants and methods. Consequently, a narrowly scoped or static approach to cybersecurity is unlikely to be effective in protecting critical infrastructure.

Businesses Must Stay up With Cybercriminals, as They Become More Sophisticated

 

As much as we may want to tune out when we hear about cybersecurity, it is an issue that cannot be ignored. Cybercrime is a constant threat to businesses and individuals alike, and the risks are too great to simply accept and move on. While it may seem like we have already heard enough about it, the reality is that we can never be too vigilant when it comes to protecting ourselves against cyber threats. 

One of the biggest risks is the so-called "zero-day attack," which exploits previously unknown weaknesses in software. These attacks can be incredibly damaging, especially if the software is widely used. That's why it's crucial that we make cybersecurity a top priority and stay vigilant in our efforts to identify and mitigate vulnerabilities. Unfortunately, many people take a "been there, done that" approach to cybersecurity, assuming that they've already taken all the necessary steps to protect themselves.

But the truth is that new threats are constantly emerging, and unless we stay up to date and remain proactive in our approach to cybersecurity, we risk leaving ourselves open to attack. In short, we can never hear enough about cybersecurity. It is a constant and ever-evolving threat that requires constant attention and vigilance. By staying informed and proactive, we can better protect ourselves and our businesses from the damaging effects of cybercrime.

Some may argue that this type of warning seems overly dramatic and pessimistic, but consider the following scenario: An employee receives a notification on their laptop to update a software application with crucial security upgrades to mitigate against vulnerabilities. However, due to a looming deadline, they repeatedly ignore the notification. Eventually, a malicious actor finds an open door into the system and exploits the vulnerability, all because the employee didn't prioritize cybersecurity.

Sadly, this scenario is more common than we'd like to think. While South Africa has made significant progress in catching up with the rest of the world regarding cybersecurity, there are still challenges to overcome. One such challenge is the difficulty of convincing boards to invest in a non-revenue-generating department such as cybersecurity.

While it may be tempting to downplay the importance of cybersecurity and assume that we're doing enough to protect ourselves, the reality is that the threats are constantly evolving and require our ongoing attention and vigilance. By prioritizing cybersecurity and investing in the necessary resources and infrastructure, we can better safeguard our businesses and personal information from the ever-present dangers of cybercrime.

Even if a business decides to outsource its security needs, it still requires a certain level of expertise in-house. In the past, it was common to rely on instinct and hope for the best, but now there are industry standards and best practices that have been mandated for businesses in all sectors. Adhering to these standards requires significant time, money, and resources investments. While cybersecurity is not a revenue-generating department, failure to invest in it can put the entire business at risk.

Unfortunately, this is a hard pill to swallow for many local businesses, as the costs of implementing these measures can be significant. It may also be difficult to find and retain the necessary scarce skills. A small or medium-sized business may need to hire up to five new employees, while a larger organization may need closer to 10.

Furthermore, the concept of "zero trust" has become increasingly popular in recent years. While this approach may work well for large corporations, it can be challenging to strike a balance between security and usability. The only truly zero trust environment is an analog one, where air-gapped processes are completely out of reach of cybercriminals. Once a system is connected to the internet, there is always a risk of infection, no matter how many security measures are in place.

The majority of the exploits we read about are caused by a relatively small number of vulnerabilities. A well-publicized ransomware attack, for example, could be the end result, but it would most likely have been accomplished through one of a tiny group of vulnerabilities that had not yet been patched or fixed with an update.

Looking ahead to 2023 and beyond, the one certainty is that threat actors will continue to search for vulnerabilities. The criminal underworld's research and development teams are hard at work, sharing exploits and communicating broadly about the best ways to attack. This sophisticated collaboration feeds an ongoing increase in ransomware attacks.

The primary concern going forward is how we deal with an increase in sophistication, regardless of the means used by the criminal or the vulnerability they seek to exploit. While we have been fortunate so far in being able to differentiate between legitimate and scam emails, advances in technology, particularly artificial intelligence, could make this more difficult in the future.

To combat this, businesses and individuals need to understand their overall attack surface, including vulnerabilities in PCs, laptops, and mobile devices, as well as available VPNs and services. Once a business has a comprehensive understanding of its attack surface, it should use third parties to perform penetration tests and vulnerability scans and stay on top of its cloud security obligations.

Alongside investments like a dedicated Security team and the assistance of third-party partners, ongoing user cybercrime education and awareness strategies will remain one of the most important investments for any business. All organizations should also be moving along the continuum of a zero trust strategy, finding the balance between security and usability. Ultimately, each user is responsible for security.

Google Ads Exploited to Tempt Corporate Employees Into Installing LOBSHOT Backdoor

 

As part of a sophisticated scheme to trick corporate employees into installing malware, a newly uncovered backdoor and credential-stealer is disguising itself as a genuine software download. 

Elastic Software researchers spotted the malware, known as LOBSHOT, spreading through deceptive Google Ads for well-known remote-workforce applications like AnyDesk, they reported in a recent blog post. 

"Attackers promoted their malware using an elaborate scheme of fake websites through Google Ads and embedding backdoors in what appears to users as legitimate installers," researcher Daniel Stepanic wrote in the post. 

Additionally, LOBSHOT, a backdoor that appears to be financially motivated and steals victims' banking, cryptocurrency, and other credentials and data, appears to be the work of threat group TA505, which is known for disseminating the Clop ransomware, according to the researchers.

The bogus download site used to distribute LOBSHOT ran a DLL from download-cdn[.]com, a domain historically connected to the threat group known for its involvement in the Dridex, Locky, and Necurs operations, the researchers said.

Based on this other infrastructure connected to TA505 that is used in the campaign, the researchers "assess with moderate confidence" that LOBSHOT is a new malware capability used by the gang.

In addition, researchers are discovering fresh samples associated with this family every week, and they "expect it to be around for some time," Stepanic added.

Utilising nefarious ads by Google 

Potential victims are exposed to LOBSHOT by clicking on Google Ads for what appear to be legitimate workforce software such as AnyDesk, in line with similar threat campaigns seen earlier in the year. In January, similar tactics were used to spread the malware-as-a-service Rhadamanthys Stealer, using website redirects from Google Ads that also masqueraded as download pages for well-known remote-workforce applications like AnyDesk and Zoom.

According to Elastic Search, the campaigns are in fact connected to "a large spike" in the usage of malvertising that security researchers have been noticing since earlier this year. 

"Similar infection chains were observed in the security community with commonalities of users searching for legitimate software downloads that ended up getting served illegitimate software from promoted ads from Google," Stepanic further wrote. 

This behaviour indicates a pattern of persistent adversary abuse and expansion of their reach "through malvertising such as Google Ads by impersonating legitimate software," he said.

Stepanic acknowledged that while these malware families may appear minor and narrow in scope, they pack a powerful punch thanks to their "fully interactive remote control capabilities," which let threat actors gain initial access to corporate networks and carry out follow-on destructive activity.

Infection chain 

The LOBSHOT infection chain starts when a person performs a web search for a trustworthy piece of software and Google Ads returns a promoted result that is actually a malicious website.

"In one observed instance, the malicious ad was for a legitimate remote desktop solution, AnyDesk," the researcher explained. "Careful examination of the URL goes to https://www.amydecke[.]website instead of the legitimate AnyDesk URL, https://www.anydesk[.]com." 

After clicking on that advertisement, the user lands on a page for the software they were hoping to download, and the page appears to be legitimate.

What the user's PC actually downloads and executes is an MSI installer, the researchers said. Stepanic stated that the landing pages had "very convincing branding that matched the legitimate software and had Download Now buttons that pointed to an MSI installer."

According to Elastic Software, when the MSI is executed it launches PowerShell, which downloads LOBSHOT; the malware is then run through rundll32 and establishes a connection to the attacker-owned command-and-control server.
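The first link in that chain is the lookalike landing-page domain. The following is an added example, not Elastic's code or the page's own: it pulls the registered domain out of a download URL, checks it against a small allowlist of legitimate software vendors, and flags near misses by normalised edit distance or brand-name containment. The allowlist, the sample URLs (the first mirrors the amydecke[.]website case quoted below) and the thresholds are constructed for this example, and the registered-domain split (last two labels, no public-suffix list) is a simplifying assumption.

```python
"""Lookalike-domain check for the malvertising landing-page step.

Added example, not Elastic's code. Allowlist, sample URLs and thresholds are
constructed; the registered-domain split is a naive assumption.
"""
from urllib.parse import urlparse

# Constructed allowlist of registered domains for legitimate downloads.
KNOWN_GOOD = {"anydesk.com", "zoom.us", "teamviewer.com"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Assumption: the registered domain is the last two labels."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str, allowlist=KNOWN_GOOD, max_ratio: float = 0.4):
    """Return (verdict, registered_domain, closest_allowlisted_domain).

    verdict is 'legitimate' (exact allowlist hit), 'lookalike' (brand label
    contains, or is within max_ratio normalised edit distance of, a known
    brand) or 'unknown'.
    """
    host = urlparse(url).hostname or ""
    rd = registered_domain(host)
    if rd in allowlist:
        return ("legitimate", rd, rd)
    brand = rd.split(".")[0]
    closest, best_ratio = None, 1.0
    for good in allowlist:
        good_brand = good.split(".")[0]
        if good_brand in brand:           # e.g. "anydesk-app" contains "anydesk"
            return ("lookalike", rd, good)
        ratio = levenshtein(brand, good_brand) / max(len(brand), len(good_brand))
        if ratio < best_ratio:
            closest, best_ratio = good, ratio
    if closest is not None and best_ratio <= max_ratio:
        return ("lookalike", rd, closest)
    return ("unknown", rd, None)


# Constructed sample URLs; none of these hosts are claimed to be live.
SAMPLE_URLS = [
    "https://www.amydecke.website/download",
    "https://www.anydesk.com/en/downloads",
    "https://anydesk-app.net/setup.msi",
    "https://example.org/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", classify(u))
```

The normalised distance keeps the check meaningful for brands of different lengths; "amydecke" is three edits from "anydesk" over eight characters, which is well inside the 0.4 ratio, while an unrelated name such as "example" stays above it. In a proxy or EDR pipeline this would run against the host of every installer download, not just URLs a user reports.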

Exploitation and mitigation 

The hVNC (Hidden Virtual Network Computing) component of LOBSHOT is one of its key features. This module permits "direct and unobserved access to the machine" and is used by attackers both to gain access to targets and to avoid detection, according to Stepanic. He added, "this feature is frequently baked into many popular families as plugins and continues to be successful in evading fraud-detection systems." 

According to the researchers, LOBSHOT, like much of the malware currently in use, relies on dynamic import resolution to get around protection software and delay early discovery of its capabilities.

"This process involves resolving the names of the Windows APIs that the malware needs at runtime as opposed to placing the imports into the program ahead of time," Stepanic added. 

The researchers have provided links to several Elastic Search GitHub rules that illustrate preventative measures against malware like LOBSHOT, covering its numerous activities, including Suspicious Windows Explorer Execution, Suspicious Parent-Child Relationship, and Windows.Trojan.Lobshot. 

The post also provides guidelines that businesses can use to build EQL searches for behaviours similar to those the researchers saw LOBSHOT exhibit, expressed in terms of grandparent, parent, and child process relationships.
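To make the grandparent/parent/child idea concrete, here is an added example, not Elastic's EQL rules or the page's own code. It rebuilds each process's ancestry from process-creation events and matches it against lineage patterns modelled on the chain described above (MSI installer, then PowerShell, then rundll32). The events, field names and patterns are constructed for this example; in practice the events would come from Sysmon Event ID 1 or EDR telemetry, and the patterns would be tuned against what is normal for the environment.

```python
"""Grandparent/parent/child process-lineage detector.

Added example, not Elastic's rules. Events and patterns are constructed.
"""

# Constructed process-creation events: pid, parent pid, image, command line.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe",
     "cmd": "C:\\Windows\\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "msiexec.exe",
     "cmd": "msiexec.exe /i C:\\Users\\u\\Downloads\\AnyDesk-setup.msi"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -enc <constructed>"},
    {"pid": 400, "ppid": 300, "image": "rundll32.exe",
     "cmd": "rundll32.exe C:\\Users\\Public\\x.dll,EntryPoint"},
    # Benign lineage: an administrator runs rundll32 from a command prompt.
    {"pid": 500, "ppid": 100, "image": "cmd.exe", "cmd": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": "rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# Lineage patterns, oldest ancestor first; "*" matches any image.
SUSPICIOUS_LINEAGES = [
    ("msiexec.exe", "powershell.exe", "rundll32.exe"),  # full LOBSHOT-style chain
    ("*", "msiexec.exe", "powershell.exe"),             # installer spawning PowerShell
]


def lineage(event, by_pid, depth):
    """Return [child, parent, grandparent, ...] image names, newest first."""
    chain = [event["image"].lower()]
    cur = event
    while len(chain) < depth:
        parent = by_pid.get(cur["ppid"])
        if parent is None:       # ancestor not in the event set (e.g. system idle)
            break
        chain.append(parent["image"].lower())
        cur = parent
    return chain


def matches(chain, pattern):
    """True if the newest len(pattern) generations match pattern (oldest first)."""
    if len(chain) < len(pattern):
        return False
    oldest_first = list(reversed(chain[:len(pattern)]))
    return all(p == "*" or p == img for p, img in zip(pattern, oldest_first))


def detect(events, patterns=SUSPICIOUS_LINEAGES):
    """Return one finding per event whose lineage matches any pattern."""
    by_pid = {e["pid"]: e for e in events}
    depth = max(len(p) for p in patterns)
    findings = []
    for e in events:
        chain = lineage(e, by_pid, depth)
        for pattern in patterns:
            if matches(chain, pattern):
                findings.append({
                    "pid": e["pid"],
                    "lineage": " -> ".join(reversed(chain)),
                    "rule": " -> ".join(pattern),
                    "cmd": e["cmd"],
                })
                break
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['lineage']}  [{f['rule']}]")
```

On the constructed events the rundll32 launched from cmd.exe is left alone, while both the PowerShell child of msiexec and the rundll32 grandchild are reported; the first pattern is the high-confidence chain, the second is a broader early-warning rule that will need allowlisting for installers that legitimately run PowerShell.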

Uncovering the Decoy Dog C2 Exploit: Infoblox Finds a Dangerous Threat

Decoy Dog

Finding recent reports on Domain Name System (DNS) attacks may prove difficult as a report by IDC in 2021 highlighted that 87% of organizations encountered a DNS attack in 2020. 

Despite this, DNS is not typically considered a prominent target in attacks, likely due to complex security terminology such as DNS over TLS (DoT) or DNS over HTTPS (DoH). According to a report by CloudFlare, plaintext DNS queries can be encrypted with TLS or HTTPS to ensure secure and private browsing. 

Nevertheless, Akamai's DNS threat report for Q3 highlighted a 40% rise in DNS attacks over the corresponding quarter of the previous year. Furthermore, during Q3 of the previous year, 14% of all safeguarded devices communicated with a malicious destination at least once.

A new malware toolkit called Decoy Dog

The Infoblox Threat Intelligence Group, which examines billions of DNS records and millions of domain-related records daily, has identified a new malware toolkit called Decoy Dog that employs the Pupy remote access trojan. 

Renée Burton, Senior Director of Threat Intelligence at Infoblox, revealed that Pupy is an open-source tool that is complex to utilize and inadequately documented. Infoblox's findings indicate that the Decoy Dog toolkit is being employed in less than 3% of all networks, and the threat actor who controls it is linked to only 18 domains. 

Through a sequence of anomaly detectors, the team discovered Decoy Dog's activities and learned that it had been running a data exfiltration command and control system since early April 2022 for over a year, which no one else had detected.

Russian links

Infoblox's researchers discovered that the Decoy Dog C2 was primarily originating from hosts located in Russia, according to an analysis of external global DNS data. 

The concern with this malware is that no one knows precisely what it controls, even though its signature is known. 

Burton explained that command and control allows an attacker to take over systems and issue orders, such as extracting all of an individual's emails or shutting down a firewall. She also stated that Pupy, which is linked to Decoy Dog, has previously been associated with nation-state activity, and that it is not easy for the average cybercriminal to use because of its complexity and the lack of instructions on setting up the DNS nameserver required for C2 communications.

The RAT effect

Like the legitimate remote access tools that allow technicians to demonstrate new systems or make repairs, RATs are straightforward to install and do not affect the computer's processing speed. These malicious tools can be delivered via email, video games, software, advertisements, and web pages. Pupy is a RAT with particular C2 functionality.

As per Burton,
  • RATs allow access to a system and some use C2 infrastructure for remote control.
  • Pupy is a challenging-to-detect, cross-platform, open-source C2 tool primarily coded in Python.
  • Decoy Dog is a rare type of Pupy deployment that can be identified through its DNS signature. According to Infoblox, only 18 domains match this signature out of 370 million.
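The page does not disclose the actual Decoy Dog DNS signature, so the following is an added example in the spirit of the "sequence of anomaly detectors" described above, not Infoblox's detector. It scores each registered domain in a DNS query log on three generic indicators that DNS-based C2 and exfiltration tend to share: many unique subdomains, high Shannon entropy in the subdomain labels, and unusually regular query timing (beaconing). The query log, the domain names and the thresholds are constructed for this example, and the registered-domain split (last two labels) is a simplifying assumption.

```python
"""DNS anomaly scoring over a query log.

Added example, not Infoblox's detector. Query log, names and thresholds are
constructed; the registered-domain split is an assumption.
"""
import math
from collections import defaultdict

# Constructed query log: (seconds since start, queried name).
SAMPLE_QUERIES = [
    # Ordinary browsing: few, low-entropy subdomains at irregular times.
    (0, "www.example.com"), (5, "cdn.example.com"),
    (60, "www.example.com"), (130, "mail.example.com"),
    # Software update poller: regular timing but a single plain subdomain.
    (0, "update.vendor-example.com"), (60, "update.vendor-example.com"),
    (120, "update.vendor-example.com"), (180, "update.vendor-example.com"),
    (240, "update.vendor-example.com"), (300, "update.vendor-example.com"),
    # Constructed C2-like traffic: unique random-looking labels every 30 s.
    (0, "q7zk2m9x4vbn.c2-example.net"), (30, "h3pw8tj5ry1c.c2-example.net"),
    (60, "d6lf0ga2sn9u.c2-example.net"), (90, "x1mv7qe4kb8o.c2-example.net"),
    (120, "s5yz3nh0ct6i.c2-example.net"), (150, "w8rj2ub9fd4m.c2-example.net"),
    (180, "k0pq6la3vx7e.c2-example.net"), (210, "n4tg9sz1wy5h.c2-example.net"),
]


def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(fqdn):
    """Assumption: registered domain = last two labels; the rest is the subdomain."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile(queries):
    """Per registered domain: query count, unique subdomains, mean entropy, timing CV."""
    per = defaultdict(lambda: {"subs": set(), "times": [], "entropy": []})
    for ts, name in queries:
        dom, sub = split_name(name)
        p = per[dom]
        p["times"].append(ts)
        if sub:
            p["subs"].add(sub)
            p["entropy"].append(shannon_entropy(sub.replace(".", "")))
    out = {}
    for dom, p in per.items():
        times = sorted(p["times"])
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = None  # coefficient of variation of inter-query gaps; near 0 means beaconing
        if len(gaps) >= 2:
            mean = sum(gaps) / len(gaps)
            sd = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
            cv = sd / mean if mean else 0.0
        out[dom] = {
            "queries": len(times),
            "unique_subdomains": len(p["subs"]),
            "mean_entropy": sum(p["entropy"]) / len(p["entropy"]) if p["entropy"] else 0.0,
            "interval_cv": cv,
        }
    return out


def score(profiles, min_unique=5, min_entropy=3.0, max_cv=0.2, min_queries=5):
    """Return {domain: [reasons]} for domains that trip at least two indicators."""
    flagged = {}
    for dom, m in profiles.items():
        reasons = []
        if m["unique_subdomains"] >= min_unique:
            reasons.append("many unique subdomains")
        if m["mean_entropy"] >= min_entropy:
            reasons.append("high-entropy labels")
        if (m["queries"] >= min_queries and m["interval_cv"] is not None
                and m["interval_cv"] <= max_cv):
            reasons.append("regular beacon interval")
        if len(reasons) >= 2:  # a single indicator is too noisy (see the update poller)
            flagged[dom] = reasons
    return flagged


if __name__ == "__main__":
    for dom, reasons in score(profile(SAMPLE_QUERIES)).items():
        print(dom, "->", ", ".join(reasons))
```

Requiring two indicators is what keeps the legitimate update poller (regular timing, but one boring label) out of the results while the constructed C2 domain trips all three. Real detectors on the scale Infoblox describes add baselining per domain and age, but the shape is the same: several weak signals combined, none conclusive alone.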

Some common uses of RAT malware involve an attacker acquiring remote access to a laptop, then leasing it out to other threat actors who install more malware through its network access. This can result in a laptop becoming part of a botnet.

Toolkits that are small and unusual can pose hidden dangers

Hidden RATs, or malware of unknown origin that remains undetected, can pose significant risks. For example, in 2018, Israeli cyber-arms firm NSO Group developed a C2 spyware called Pegasus that could infiltrate and control various mobile devices, giving remote hackers access to a phone's cameras, location, microphone, and other sensors for surveillance purposes.

Amnesty International became involved when the Saudi government allegedly used Pegasus to spy on the family of Jamal Khashoggi, who had been murdered by government operatives.

Amnesty International's Security Lab recently uncovered another commercial spyware that went unnoticed for two years and utilized zero-day attacks against Google's Android operating systems. However, Infoblox had already blocked 89% of those domains before Amnesty's report, providing protection to its customers and verifying Amnesty's findings, according to Burton.



Hackers Sell Coinbase Accounts for as low as $610 on Dark Web


The emerging popularity of cryptocurrency and the convenience of online banking has resulted in an upsurge in cybercrime activities and identity fraud.

Recent research by PrivacyAffairs.com notes that hackers target social media logins, credit card numbers, and online banking logins to steal personal information worth $1,010 on the dark web.

According to an official press release issued on May 1, 2023, the sale of hacked crypto accounts, which is currently booming, has raised some serious concerns.

Coinbase, a cryptocurrency exchange, has become a frequent target for threat actors, with stolen verified accounts worth $610 on the dark web. Users' accounts on Kraken, another well-known exchange, have also been compromised and sold online for as little as $810.

For hackers, selling compromised cryptocurrency accounts has been a profitable business, and since more people have started investing in digital assets recently, demand for these accounts has only increased. Cryptocurrencies are considered an appealing target by hackers wanting to make a quick buck since they are largely unregulated and decentralized.

As the value of cryptocurrencies continues to rise, it drives hackers to steal them. The anonymous nature of cryptocurrencies makes it challenging to locate and recover stolen assets, leaving victims with limited recourse.

How to Protect Oneself From Identity Theft and Hacking? 

PrivacyAffairs.com highlights the significance of raising public awareness as well as encouraging caution in order to reduce the possibility of identity theft and hacking. Users should carefully guard their online privacy and use strong, unique passwords for each account. In addition, two-factor authentication is a vital tool for protecting online accounts.

Moreover, cryptocurrency users are advised to take extra precautions. Storing their virtual assets offline in cold wallets and never sharing their private keys or seed phrases with anyone are some of the ways to avoid falling prey to cybercrime.

The threat of cybercrime and identity fraud will only increase as the use of digital assets and online banking grows more widespread. It is crucial that users take the required security measures to guard against hackers and other nefarious actors lurking on the dark web.

Marshals' Computer System Still Down 10 Weeks After Hack


A computer system used by the U.S. Marshals Service to track and hunt fugitives remains down 10 weeks after a hack, raising concerns about the effectiveness of the agency’s surveillance efforts. The hack, which occurred in February, forced the Marshals to shut down their electronic surveillance system, which tracks fugitives and monitors their movements through GPS-enabled ankle bracelets.

According to a statement from the Marshals, the agency is still working to bring the system back online and has been forced to rely on manual surveillance techniques in the meantime. This includes the use of physical surveillance teams and other traditional methods of tracking fugitives.

The prolonged downtime of the electronic surveillance system has raised concerns about the ability of the Marshals to effectively track and apprehend fugitives, particularly in cases where they may pose a significant threat to public safety. The agency has not provided details on the scope or nature of the hack, nor has it disclosed whether any sensitive data or information was compromised as a result of the breach.

The hack of the Marshals’ electronic surveillance system underscores the growing threat posed by cyber-attacks on critical infrastructure and government agencies. These attacks can have far-reaching consequences, potentially compromising sensitive data, disrupting essential services, and undermining public safety and national security.

As cyber threats continue to evolve and become more sophisticated, it is essential that government agencies and organizations responsible for critical infrastructure invest in robust cybersecurity measures and stay ahead of the curve in detecting and responding to potential attacks. This includes implementing advanced security protocols and regular security assessments, as well as investing in staff training and education to ensure that all employees are aware of the risks and how to respond in the event of a breach.

The prolonged downtime of the Marshals' electronic surveillance system underscores the need for government agencies and critical infrastructure organizations to remain vigilant and proactive in protecting against cyber threats. As the threat of cyber attacks continues to evolve, investment in robust cybersecurity measures, protocols, and staff education is necessary to ensure the protection of sensitive data and essential services.