Drinik Malware is Fooling Users into Giving Up Their Mobile Banking Details


There's a new malware, and it's wreaking havoc on Android users. Drinik is a malware that steals vital data and financial credentials from a smartphone user. CERT-In, the Indian Computer Emergency Response Team, has issued a warning to many banks. Customers of 27 public and private banks in the country have been hit by the malware so far. 

The Drinik malware is presently imitating an Income Tax Department application, and after a user has been duped into downloading it, it collects all sensitive data. Not only that, but the malware also forces the user to complete a transaction, after which it crashes and displays a bogus warning. In the meantime, it gathers all of the essential information from the user.

In 2016, Drinik was reportedly used as a primitive SMS-stealing tool. CERT-In notes that it has recently evolved into a banking Trojan aimed at Indian customers. According to the CERT-In advisory, victims receive an SMS message containing a link to a phishing site, which asks for personal information and then prompts the victim to download the application. 

The malicious Android application imitates the Income Tax Department's official app for processing tax refunds. According to the advisory, it asks for permission to read SMS messages, call logs, and contacts, and presents a refund application form that requests details such as full name, PAN, Aadhaar number, address, and date of birth. 

It then requests all of the victim's sensitive banking information: account number, IFSC code, CIF number, debit card number, expiry date, CVV, and PIN. The app claims these details will be used to generate a tax refund that is transferred directly to the user's account. In reality, the agency observes, when the user taps the app's "Transfer" button the app shows an error followed by a bogus update screen, while the Trojan runs in the background and sends the user's data, such as SMS messages and call logs, to the attacker. 

Using the quietly collected details, the attackers are able to construct a bank-specific mobile banking screen that persuades the victim to enter their mobile banking credentials. According to CERT-In, these credentials are then used to commit financial fraud. 

Banking consumers are advised to download apps directly from official app stores such as Google Play. Furthermore, the government agency advises people not to visit untrustworthy websites or click on untrustworthy links.

Malware Creators Use Malformed Certificates To Trick Windows Validation


Google researchers have identified malware developers generating malformed code signatures that appear to be valid in Windows to bypass security software.

This technique is actively used to spread OpenSUpdater, a family of unwanted software (riskware) that injects advertisements into victims' browsers and installs other unwanted programs on their machines.

Researchers believe the financially motivated threat actors behind OpenSUpdater will attempt to infect as many devices as possible and are specifically targeting US citizens who are looking to download game cracks and other pirated software. 

Novel approach 

Last month, security researcher Neel Mehta from Google Threat Analysis Group (TAG) spotted that the creators of an unwanted software known as OpenSUpdater began signing their packages with valid but purposely malformed certificates, accepted by Windows but refused by OpenSSL. 

Because the malformed encoding breaks OpenSSL's certificate parsing, security products that rely on OpenSSL to extract signature information fail to inspect these samples, which are then allowed to carry out their harmful operations on victims' PCs.

"Since mid-August, OpenSUpdater samples have carried an invalid signature, and further investigation showed this was a deliberate attempt to evade detection. Security products using OpenSSL to extract signature information will reject this encoding as invalid. However, to a parser that permits these encodings, the digital signature of the binary will otherwise appear legitimate and valid," Mehta explained.

In practice, samples deployed on a victim's computer slip past defenses because any security product that uses OpenSSL to parse digital signatures rejects the signature information as invalid; the parse error disrupts the scanning process, and the sample's malicious nature is never examined.
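The failure mode described above is a pipeline design problem as much as a parsing one: a scanner that maps "OpenSSL could not parse the signature" onto the same branch as "no signature to check" hands the sample a pass. The following is an added example, not Google TAG's or the article's code, showing a small ASN.1 reader with a strict (DER) and a lenient (BER-style) mode and a four-way classifier that escalates anything the strict parser rejects. The malformed sample uses one generic DER rule (lengths must be minimally encoded) purely as an assumed illustration; the page does not say which encoding OpenSUpdater actually used, and real Authenticode parsing is considerably more involved.

```python
# Added example (not Google TAG's or the article's code): classify a signature
# blob by how strictly it parses as ASN.1/DER, so that "OpenSSL rejected it"
# is escalated rather than silently treated as "nothing to verify".
# The malformed sample below uses one generic DER rule (minimal length
# encoding) as an assumed illustration; the page does not state which
# encoding OpenSUpdater actually used.

def read_tlv(buf: bytes, pos: int, strict: bool):
    """Read one tag-length-value at buf[pos]; return (tag, value, next_pos).

    strict=True enforces DER: a length < 128 must use the short form and a
    long-form length must use the fewest octets possible. strict=False is a
    lenient BER-style reader that accepts any definite long-form length.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short form: one length octet
        length, header = first, 2
    else:
        n = first & 0x7F                  # number of length octets that follow
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header = 2 + n
        if strict and (length < 0x80 or length < (1 << (8 * (n - 1)))):
            raise ValueError("non-minimal length encoding (DER violation)")
    end = pos + header + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos + header:end], end


def parse(buf: bytes, strict: bool) -> list:
    """Parse a run of TLVs, descending into constructed types (bit 6 of the tag)."""
    nodes, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos, strict)
        if tag & 0x20:                    # constructed: recurse into the value
            nodes.append((tag, parse(value, strict)))
        else:
            nodes.append((tag, value))
    return nodes


def classify_signature(blob: bytes) -> str:
    """Four-way state instead of a binary 'valid / not valid'."""
    if not blob:
        return "unsigned"
    try:
        parse(blob, strict=True)
        return "well-formed"               # hand off to the normal verifier
    except ValueError:
        pass
    try:
        parse(blob, strict=False)
        return "malformed-but-parseable"   # strict reader rejects, lenient one accepts
    except ValueError:
        return "unparseable"


def should_escalate(state: str) -> bool:
    """Anything a strict parser rejects deserves a closer look, not a pass."""
    return state in ("malformed-but-parseable", "unparseable")


# Constructed samples: SEQUENCE { INTEGER 1 } encoded three ways.
WELL_FORMED = bytes.fromhex("3003020101")    # DER: short-form length 3
MALFORMED = bytes.fromhex("308103020101")    # long-form length for 3: BER ok, DER no
TRUNCATED = bytes.fromhex("30050201")        # claims 5 value bytes, only 2 present

if __name__ == "__main__":
    for name, blob in [("well-formed", WELL_FORMED), ("malformed", MALFORMED),
                       ("truncated", TRUNCATED), ("unsigned", b"")]:
        state = classify_signature(blob)
        print(f"{name:12} -> {state:24} escalate={should_escalate(state)}")
```

The point of the two extra states is operational: a sample whose signature is present but rejected by a strict parser should be routed to the same scrutiny as an unsigned binary at the very least, and ideally flagged on its own, because a well-formed-looking signature that only a lenient parser accepts is exactly the pattern the article describes.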

"Since first discovering this activity, OpenSUpdater's authors have tried other variations on invalid encodings to further evade detection. This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files," Mehta added. 

The Google TAG team has collaborated with the Google Safe Browsing team in an attempt to block this family of unwanted software from further spreading onto other victims’ computers, BleepingComputer reported. Additionally, security researchers have advised Google users to download and install software only from trustworthy sources.

African Bank Warns of Data Breach That Compromised Personal Details


South African retail bank African Bank has confirmed that one of its debt recovery partners, Debt-IN, was targeted by a ransomware attack in April 2021. 

At the time, expert security advice found no indication that the ransomware attack had resulted in a data leak; Debt-IN is now aware, however, that the personal information of some customers, including several African Bank loan customers under debt review, has been compromised. 

Debt-IN is certain that no data communicated after April 1, 2021, has been compromised, as per the bank. 

It stated, “A robust mitigation plan has been implemented by Debt-IN to contain and reduce any further adverse impact.”

“We have been collaborating with Debt-IN to address this breach. We have notified the relevant regulatory authorities and we are also in the process of alerting customers who have been affected, via email and SMS.” 

African Bank's fraud prevention team has significantly enhanced security safeguards to protect all clients as an added precaution. 

“If you detect any suspicious activity, or feel that your information has been compromised, you can apply for a free Protective Registration listing with the Southern African Fraud Prevention Services (SAFPS),” the bank added. 

“This will alert banks and credit providers that an identity has been compromised. You can apply by emailing protection@safps.org.za.” 

Latest in a line of high-profile data breaches

Customers of African Bank can contact 0861 111 011 if they detect suspicious activity on their accounts. The breach is the most recent in a string of high-profile data breaches and cyber assaults in South Africa this year. 

Following an investigation into the August 2020 data breach at Experian, the Hawks arrested a 36-year-old suspect in Gauteng last week (15 September). 

The South African Banking Risk Information Centre (SABRIC) stated at the time that Experian, a consumer credit reporting firm, had suffered a data breach that compromised the personal information of millions of South Africans. 

Experian initially disclosed that there had been a data breach that leaked personal details of up to 24 million South Africans and 793,749 business enterprises to a potential criminal. 

In recent months, the Justice Department was also targeted by a ransomware attack, and it is currently working to restore its systems. In July, Transnet was also targeted in a similar manner.

Port of Houston Attacked Using Zoho Zero-Day Vulnerability


On 23 September, CISA officials reported that a suspected government-backed hacking group had tried to break into the networks of the Port of Houston, one of the largest port authorities in the United States, using a zero-day vulnerability in a Zoho user authentication product. 

Port authorities said they successfully defended against the attack, adding that no operational data or systems were affected by the attempted breach. 

The investigation into the attack led to a joint advisory on 16 September from CISA, the FBI, and the Coast Guard, alerting American organizations to cyberattacks by a nation-state hacking group exploiting the Zoho zero-day. 

The zero-day was used mostly in cyberattacks in late August, according to Matt Dahl, Principal Intelligence Analyst at security firm CrowdStrike. Zoho fixed the vulnerability (CVE-2021-40539) on 8 September, after which CISA issued its first warning about the ongoing attacks. 

CISA officials said they have not yet attributed the attack on the Port of Houston to a specific hacking group or foreign government. 

Port Houston is the nation's largest port by waterborne tonnage and a vital economic engine for the Houston area, the State of Texas, and the United States; it has owned and operated public wharves and terminals along the Houston Ship Channel for over 100 years. More than 200 private terminals and eight public terminals along the federal waterway support nearly 1.35 million jobs in Texas and 3.2 million jobs nationally, and generate $339 billion in economic activity in Texas (20.6% of the state's total gross domestic product), with economic impacts totaling $801.9 billion across the country. 

“[A]ttribution can always be complicated in terms of being able to dispositively say who that threat actor is,” CISA Director Jen Easterly told senators in a meeting of the Senate Homeland Security and Governmental Affairs Committee. 

“But we are working very closely with our interagency partners and the intelligence community to better understand this threat actor so that we can ensure that we are not only able to protect systems, but ultimately to be able to hold these actors accountable,” added the CISA director, who categorized the attackers as a “nation-state actor” in answer to a subsequent question. 

Port of Houston officials did not respond to a request for further details about the attack.

3.8 Billion Clubhouse and Facebook User Records are Being Sold Online


According to CyberNews, a database holding the records of about 3.8 billion Clubhouse and Facebook users is being auctioned at a major hacker forum. The person selling them is reportedly asking for $100,000 for the complete database but is ready to split it up into smaller caches for lower costs. 

These records contain sensitive information such as phone numbers, addresses, and names, among other things. All of this information appears to have been obtained through a breach of Clubhouse's systems on July 24th, during which numerous members' phone numbers were exposed online. However, the damage isn't limited to Clubhouse's users. 

According to the September 4 post, the database also contains profiles of users who do not have Clubhouse accounts, whose phone numbers may have been obtained by threat actors as a result of Clubhouse's previous requirement that users share their entire contact lists with the social media platform in order to use it. 

Because the platform required users to sync their contacts with the app, contact numbers from a user's phone can also be revealed if the company's servers are hacked, and that appears to be exactly what occurred. As a result, people who never had a Clubhouse account have had their data exposed on the hacker forum and may be at risk. While it is still unclear how Facebook user IDs ended up in the mix, it is plausible that the cybercriminal matched the exposed numbers against those from prior Facebook breaches, of which there have been many.

Prior to this compilation, threat actors had little use for the purportedly scraped Clubhouse phone numbers, which were posted without any additional information about the participants. As a result, the prior Clubhouse scrape was labeled a "bad sample" on the forum and failed to pique scammers' interest. 

However, according to CyberNews senior information security expert Mantas Sasnauskas, the expanded compilation “could serve as a goldmine for scammers.” They would obtain access to a lot more contextual information about the owners of the hacked phone numbers, according to Sasnauskas, such as usernames, locations based on phone number suffixes, Clubhouse network sizes, and Facebook profiles. 

This means that scammers would be able to launch localized mass campaigns and create customized scams based on information acquired from potential victims' Facebook accounts much more easily. “People tend to overshare information on social media. This could give insights for scammers on what vector to employ to run their scams successfully by, for example, calling people with the information they learned from their Facebook account,” says Sasnauskas.

Employees in Retail Industry Most Frequently Targeted by Malicious Emails, New Study Reveals


A new study from security firm Tessian highlights the sophisticated techniques employed by threat actors to evade detection and trick employees. Between July 2020 and July 2021, two million malicious emails bypassed traditional email defenses such as secure email gateways, placing many employers at risk of data breach and cyber fraud. 

According to the study, the retail industry was targeted far more than any other, with the average employee in this sector receiving 49 malicious emails a year. This is significantly higher than the overall average of 14 emails per user per year. Employees in the manufacturing industry were also identified as major targets, with the average worker receiving 31 malicious emails a year. 

The most common technique employed by the attackers was display name spoofing (19%), where the hacker modifies the sender’s name and disguises themselves as someone the victim recognizes. Domain impersonation, where the attacker sets up an email address that looks like a legitimate one, was used in 11% of threats discovered. The brands most likely to be impersonated were Microsoft, ADP, Amazon, Adobe Sign, and Zoom. 

Threat actors also targeted employees in the legal and financial services industries through account takeover attacks. In this method, the malicious emails come from a trusted vendor or supplier’s legitimate email address. They likely won’t be flagged by a secure email gateway as suspicious and to the person receiving the email, it would look like the real deal. 
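The two impersonation techniques named above, display name spoofing and domain impersonation, are both visible in message headers, and the account-takeover case is precisely the one that header checks cannot catch. The following is an added example, not Tessian's code or method, that runs simple header-level checks over four constructed sample messages: a colleague's name on a free-mail address, a look-alike of a brand domain the study names, a message from a trusted vendor's legitimate address (which correctly produces no header finding), and a normal internal message. The staff directory, the `corp.example` and `freemail.example` domains, and the `micros0ft.com` look-alike are constructed for the example.

```python
# Added example (not Tessian's code or method): header-level checks for the
# two impersonation techniques named in the study, run over constructed sample
# messages. DIRECTORY and the sample addresses are assumptions made for this
# example; TRUSTED_BRANDS holds real domains of brands the study names.
import email
from email import policy

DIRECTORY = {"jane doe": "jane.doe@corp.example"}        # constructed staff list
TRUSTED_BRANDS = {"microsoft.com", "amazon.com", "zoom.us"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Collapse common look-alike substitutions before comparing domains."""
    return domain.lower().replace("rn", "m").translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one character off a trusted domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw: str) -> list:
    """Return a list of header findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hdr = msg["From"]
    if hdr is None or not hdr.addresses:
        return ["missing-from"]
    sender = hdr.addresses[0]
    name = sender.display_name.strip().lower()
    addr = sender.addr_spec.lower()
    domain = sender.domain.lower()
    findings = []
    # Display name spoofing: a known colleague's name on a different address.
    if name in DIRECTORY and addr != DIRECTORY[name]:
        findings.append("display-name-spoofing")
    # Domain impersonation: close to a trusted brand domain without being it,
    # or using the brand name as a label in an unrelated domain.
    labels = domain.split(".")
    for brand in sorted(TRUSTED_BRANDS):
        if domain == brand:
            continue
        if (normalize(domain) == brand or edit_distance(domain, brand) <= 1
                or brand.split(".")[0] in labels):
            findings.append(f"domain-impersonation:{brand}")
    return findings


SAMPLES = {  # constructed messages
    "spoofed_name": 'From: "Jane Doe" <jane.doe@freemail.example>\nTo: bob@corp.example\n'
                    'Subject: Quick favour\n\nCan you process the attached invoice today?\n',
    "lookalike": 'From: "Account Team" <no-reply@micros0ft.com>\nTo: bob@corp.example\n'
                 'Subject: Verify your account\n\nPlease sign in to review.\n',
    "vendor_takeover": 'From: "Acme Billing" <billing@acme-supplier.example>\n'
                       'To: bob@corp.example\nSubject: Updated bank details\n\n'
                       'Please use the new account from now on.\n',
    "normal": 'From: "Jane Doe" <jane.doe@corp.example>\nTo: bob@corp.example\n'
              'Subject: Lunch\n\nNoon?\n',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:16} {analyze(raw) or 'no header finding'}")
```

The empty result for the vendor-takeover sample is the lesson rather than a gap in the code: when the sending account itself is compromised, the headers are genuine, and the control has to move to content (a change of bank details, unusual urgency) and to out-of-band verification of payment changes.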

Interestingly, less than one quarter (24%) of the emails examined in the study contained an attachment, while 12% contained neither a URL nor a file, the typical indicators of a phishing attack. Links, however, remain a popular and effective payload, with 44% of malicious emails containing a URL.

The study also found that threat actors tend to deliver malicious emails around 2 p.m. and 6 p.m., in the hope that a phishing email sent in the late afternoon will slip past a tired or distracted employee. 

“Gone are the days of the bulk spam and phishing attacks, and here to stay is the highly targeted spear phishing email. Why? Because they reap the biggest rewards. The problem is that these types of attacks are evolving every day. Cybercriminals are always finding ways to bypass detection and reach employees’ inboxes, leaving people as organizations’ last line of defense. It’s completely unreasonable to expect every employee to identify every sophisticated phishing attack and not fall for them. Even with training, people will make mistakes or be tricked,” said Josh Yavor, Tessian’s CISO.

“Businesses need a more advanced approach to email security to stop the threats that are getting through – the attacks that are causing the most damage – because it’s not enough to rely on your people 100% of the time,” he added.

Remotely Exploitable Zero-Day Vulnerability In MacOS Allows Code Execution


A zero-day security flaw in Apple's macOS Finder could let remote attackers trick users into running unauthorized commands, and a silent patch did not resolve it, researchers say. 

The macOS Finder is the default file manager and GUI front end of every Macintosh operating system. It is the first thing users see after booting, and it controls the launching of other programs and the user's overall management of files, discs, and network volumes. In other words, it is the master program for everything else on the Mac. 

According to an SSD Secure Disclosure advisory, the flaw resides in the way macOS Finder handles .inetloc files. Internet location (.inetloc) files are shortcuts to Internet destinations (such as an RSS feed or a telnet location), and they can also use the "file:/" scheme (instead of http://) to open files on the local Mac. That last function, researchers say, is what the zero-day abuses. 

Independent security researcher Park Minchan reported the vulnerability to SSD, stating that the problem affects macOS Big Sur as well as all previous versions. In response, Apple did not assign a CVE and instead patched the issue quietly. But, researchers said, the patch was botched. 

A .inetloc file can be specially crafted to contain commands that exploit the flaw. The crafted file can then be attached to (or linked from) malicious emails, researchers noted. If recipients are socially engineered into clicking it, the embedded commands run immediately, without any warning or prompt to the victim. 

“A vulnerability in the way macOS processes .inetloc files causes it to run commands embedded inside; the commands it runs can be local to the macOS, allowing the execution of arbitrary commands by the user without any warning/prompts,” according to the advisory. 

Newer macOS versions (such as Big Sur) reportedly blocked the file:/ prefix, but the researchers said the check is case-sensitive, so File:/ or fIle:/ bypasses it. 
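The bypass described above is a classic scheme-comparison mistake: URL schemes are case-insensitive under RFC 3986, so a check that compares the raw string against the lowercase literal `file:/` lets any other capitalisation through. The following is an added example, not Apple's, SSD's or the researcher's code, that puts the bypassable check beside a hardened one that extracts the scheme, lowercases it, and only then decides, and that uses an allowlist rather than a denylist so that an unexpected scheme is rejected by default. Treating a .inetloc file as a property list with a `URL` key is an assumption made for this example, as are the sample file and the allowlist contents.

```python
# Added example (not Apple's, SSD's or the researcher's code): the shape of
# check the article describes, side by side with a hardened one. Reading the
# .inetloc as a plist with a "URL" key, the sample file and ALLOWED_SCHEMES
# are assumptions made for this example.
import plistlib
import re

SAMPLE_INETLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>URL</key>
    <string>File:///Users/Shared/notes.txt</string>
</dict>
</plist>
"""

# Schemes this example accepts for an "internet location" (assumed allowlist).
ALLOWED_SCHEMES = {"http", "https", "ftp", "feed", "telnet"}

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
# Leading whitespace is skipped so " file:" cannot dodge the check either.
SCHEME_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9+.\-]*):")


def extract_url(inetloc: bytes) -> str:
    """Pull the URL string out of the (assumed) plist structure."""
    return plistlib.loads(inetloc).get("URL", "")


def naive_allows(url: str) -> bool:
    """Case-sensitive denylist on the raw string: the pattern the article
    says is bypassed with File:/ or fIle:/."""
    return not url.startswith("file:/")


def hardened_allows(url: str) -> bool:
    """Parse the scheme, normalise its case, and require it to be allowlisted.
    No recognisable scheme means no decision in the URL's favour."""
    m = SCHEME_RE.match(url)
    if not m:
        return False
    return m.group(1).lower() in ALLOWED_SCHEMES


if __name__ == "__main__":
    url = extract_url(SAMPLE_INETLOC)
    print(f"{url}\n  naive check allows:    {naive_allows(url)}"
          f"\n  hardened check allows: {hardened_allows(url)}")
```

Note the direction of the two checks: the naive one answers "is this the one bad thing I know about?", the hardened one answers "is this one of the few things I intend to support?". The second form is the one that survives the next unexpected spelling.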

“We…have not received any response from them since the report has been made,” according to the advisory. “As far as we know, at the moment, the vulnerability has not been patched.” 

There is no information on whether the flaw is being exploited in the wild. Apple did not respond to a request for comment.

Marcus & Millichap Hit With Potential BlackMatter Ransomware


Marcus & Millichap, a publicly traded real estate investment corporation, became the victim of a recent cyberattack that may have been the work of the BlackMatter ransomware group, according to a malware sample discovered on Hatching Triage.

In an 8-K filing with the SEC on Monday, the company said that it "had been subject to a cybersecurity attack on its information technology systems." Marcus & Millichap stated that there was no indication of a data leak and did not categorize the incident as a ransomware attack. 

The filing stated, "[Marcus & Millichap] immediately engaged cybersecurity experts to secure and restore all essential systems and was able to do so with no material disruption to its business." 

"The Company's investigation of the attack is ongoing; however, at this time there is no evidence of any material risk or misuse relating to personal information." 

Moreover, a BlackMatter ransomware sample found by Valéry Marchive of TechTarget sister site LeMagIT on Hatching Triage displayed a ransom message that indicated the link between the sample and Marcus & Millichap. 

Although the ransom note does not specifically mention Marcus & Millichap, it does mention systems connected to the domain "mmreibc.prv", which closely resembles a domain owned by the firm, mmreibc.com. 

A 2010 Malwarebytes forum post contains a user's question with a list of files that mentions both the mmreibc.prv domain and two clear references to Marcus & Millichap. Last year, a Microsoft community post made clear references to both the company and mmreibc.prv. 

The note reads, "If you are not going to contact us in the next 3 days, we will prepare your data for the publications. Your personal company info will be leaked and will be in the news. This will lead to a fall of your stock." 

The ransomware note further claimed that 500 GB of data had been stolen. Since the ransom negotiation chat site has been locked, the status of any prospective ransomware settlements between the victim and BlackMatter is unclear. 

According to the company's 8-K filing, Marcus & Millichap carries cyber insurance, which it believes will pay most of the expenditures connected to this attack. 

SearchSecurity asked Marcus & Millichap whether the incident was a BlackMatter ransomware attack and whether the firm paid the threat actors a ransom. A spokesperson issued the following statement: 

"Marcus & Millichap's 8-K filing stands on its own and best provides the context of what occurred and how we responded to a cyberattack. In keeping with our tradition of placing the highest priority on corporate systems, client service and agent and originator support, we immediately deployed all necessary resources to respond to the incident. As mentioned in the filing, we were able to restore all essential systems and at present, there is no interruption to our business." 

The BlackMatter ransomware group first surfaced in July. At that point, security intelligence provider Flashpoint stated that the threat actor resembled ransomware giants REvil and DarkSide and was aiming for large-scale victims.

Bi.Zone: most of the leaks and hacks in Russian companies are related to old, forgotten software

About 60% of information leaks and 85% of hacks in corporate computer networks are related to unaccounted-for digital assets.

According to Bi.Zone, the main cause of hacks and data leaks in Russian companies is digital assets that go unaccounted for during inventory. Most often, security teams forget about public cloud storage such as Google Drive and Dropbox and the files kept there. This allows attackers to penetrate organizations' networks and gain access to confidential information. Digital assets often remain unaccounted for because of the speed of business digitalization: in-house security teams do not have time to keep track of new software.

Bi.Zone specialists obtained this information by analyzing the data of more than 200 Russian and foreign companies.

“Let's say the company had an information system (IS) A. Then it is changed to an information system B. At the same time, no one disposes of the first IS; it remains. It may still have access to the Internet. As system A stops even being updated, the risk of intruders penetrating through it increases, because they may use the vulnerability that the company forgot to close with the appropriate update,” said Andrey Konusov, CEO of Avanpost.

According to him, there is also a risk that an employee of the company who has not worked in it for a long time could give access to the old system to cybercriminals.

During the inventory of digital assets, a company should account for all of its files and services, including those stored or running on the Internet. If anything is missed, there is a risk of leaks or compromise of the network. According to Alexei Parfentiev, head of analytics at SearchInform, unaccounted assets are essentially an open door for intruders to reach sensitive data.
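The inventory problem described above has a mechanical core: compare what the inventory says exists with what is actually reachable, and look at the differences in both directions. The following is an added example, not Bi.Zone's, Avanpost's or SearchInform's tooling, that reconciles a constructed CMDB against a constructed list of reachable assets and reports the three conditions the article describes: assets nobody recorded, a system recorded as decommissioned that is still online (Konusov's "IS A"), and an active system whose patching has gone stale. The records, hostnames, shared-drive link and 90-day threshold are all constructed for the example.

```python
# Added example (not Bi.Zone's, Avanpost's or SearchInform's tooling): reconcile
# the asset inventory against what is actually reachable. INVENTORY, OBSERVED
# and the patch-age threshold are constructed assumptions for this example.
from datetime import date

INVENTORY = [  # constructed CMDB records
    {"name": "is-a.corp.example", "status": "decommissioned", "last_patched": "2019-05-01"},
    {"name": "is-b.corp.example", "status": "active", "last_patched": "2021-09-10"},
    {"name": "vpn.corp.example", "status": "active", "last_patched": "2021-01-15"},
    {"name": "hr-portal.corp.example", "status": "active", "last_patched": "2021-09-01"},
]

OBSERVED = [  # constructed: hosts and shares found by external scan, DNS and cloud API
    "is-a.corp.example",
    "is-b.corp.example",
    "vpn.corp.example",
    "legacy-ftp.corp.example",
    "drive.google.com/drive/folders/EXAMPLE-shared-link",
]


def reconcile(inventory, observed, today, max_patch_age_days=90):
    """Return (kind, asset) findings, in the order they are discovered:
    unaccounted     reachable but absent from the inventory
    zombie          inventoried as decommissioned but still reachable (the "IS A" case)
    stale-patching  active and reachable but not patched within the threshold
    unobserved      active in the inventory but not found reachable (stale record?)
    """
    known = {rec["name"]: rec for rec in inventory}
    findings = []
    for asset in observed:
        rec = known.get(asset)
        if rec is None:
            findings.append(("unaccounted", asset))
        elif rec["status"] == "decommissioned":
            findings.append(("zombie", asset))
        else:
            age = (today - date.fromisoformat(rec["last_patched"])).days
            if age > max_patch_age_days:
                findings.append(("stale-patching", asset))
    seen = set(observed)
    for name, rec in known.items():
        if rec["status"] == "active" and name not in seen:
            findings.append(("unobserved", name))
    return findings


if __name__ == "__main__":
    for kind, asset in reconcile(INVENTORY, OBSERVED, date(2021, 9, 30)):
        print(f"{kind:15} {asset}")
```

Running the reconciliation on a schedule, with the observed side fed from sources the inventory owners do not control (external DNS, cloud provider listings, certificate transparency), is what keeps the "unaccounted" and "zombie" lists from silently growing as systems are replaced.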

Digital assets often remain unaccounted for during the inventory due to the fact that local IT and information security services do not keep up with the high speed of business digitalization.

Rostelecom-Solar noted that often the reasons for the discussed violations are a lack of resources and neglect of information security requirements for the sake of convenience.

A Second Data Breach at the Ministry of Defence has been Discovered


The email addresses of dozens more Afghans who may be eligible for relocation to the United Kingdom have been exposed in a second data leak by the British Ministry of Defence (MoD), putting their safety in jeopardy. According to the BBC, the latest mishap involved MoD staff accidentally copying 55 people into an email, exposing their personal information to all recipients. 

According to the BBC, the recipients, at least one of whom is a member of the Afghan national army, were told that relocation officials in the UK had been unable to contact them and that they needed to update their information. 

The MoD's Afghan Relocations and Assistance Policy (ARAP) team, according to a spokesperson, was "aware" of the error, which occurred earlier this month. “Steps have now been taken to ensure this does not happen in the future. We apologize to those affected and extra support is being offered to them,” the spokesperson said. “This week, the defence secretary instigated an investigation into data handling within that team.”

Officials from the Ministry of Defence have contacted those affected and offered advice on how to minimize the potential hazards. 

It comes just a day after the defence secretary issued an apology for the earlier breach, which exposed the email addresses of dozens of Afghan interpreters who had worked for British forces. Defence Secretary Ben Wallace told the House of Commons on Tuesday that thousands of members of the armed services and veterans had been let down by "an unacceptable level of service."

Wallace informed lawmakers on Tuesday that mechanisms for "data handling and communication processing" had already been modified. According to the BBC, citing defence officials, Wallace was unaware of the second MoD breach when he made those remarks. 

Former Conservative defence minister Johnny Mercer, who fought in Afghanistan, expressed concern that similar situations could occur again. He said: “I’ve been concerned from the start as to how these individuals have been treated – the whole thing was such a rush to the door when Kabul fell that these mistakes were inevitable. I personally think we’ve taken out people we really shouldn’t have, and failed to bring out the majority of those we should – I think we are only beginning to learn the scale of what has gone on here.”

Hackers attacked the accounts of employees of government agencies in Russia and more than ten neighboring countries

The British company Cyjax has discovered a large-scale attack on employees of state agencies in Russia and neighboring countries. The attackers create websites that imitate the officials' e-mail login pages; the captured credentials can be used for further attacks on the agencies or sold on the black market. Experts offer differing views on the purpose of the attacks, from political provocation to ordinary credential phishing.

Among the attacked organizations are the Russian Academy of Sciences (RAS), the mail service Mail.ru as well as state structures of more than a dozen countries, including Armenia, Azerbaijan, China, Kyrgyzstan, Georgia, Belarus, Ukraine, Turkey, Turkmenistan and Uzbekistan.

According to Cyjax, 15 sites are currently active that imitate the e-mail login pages used by employees of the ministries of foreign affairs, finance or energy of various countries.

Mail.ru said that they monitor the appearance of phishing sites and fraudulent emails and “respond in a timely manner to such incidents.” They added that they have an anti-spam system that adapts to new spam scenarios, including phishing.

Cyjax believes that the purpose of the attack is to collect usernames and passwords to access the mailboxes of government officials. Moreover, a certain pro-state group may be behind this, since there is no financial benefit from the attack and the Russian Federation and neighboring countries have become targets of attacks.

“The motive of the campaign may be a provocation against Russia on the theme that Russia itself is hacking its neighbors,” says Yuri Drugach, co-founder of the StopPhish project. He points to the fact that some of the domains were registered in July and the servers are hosted in Russia as indications of a provocation.

Yuri Drugach suggested that several groups of scammers are behind the attacks. For example, the Russian Academy of Sciences has six fake sites where attackers engage in phishing and install malicious add-ons in the browser.