Search This Blog

Latest News

Every fifth child faced with malware and adult content

Experts analyzed how often children encounter cyber incidents in the online space. It turned out that every fifth child has at least once en...

All the recent news you need to know

Chinese Military Unit Linked to Cyber Espionage Campaign Targeting India

 

Recorded Future, a US security firm, revealed a cyber espionage campaign linked to a suspected Chinese state-sponsored threat activity group, named RedFoxtrot. Recorded Future's threat research arm Insikt Group, discovered evidence dating back to 2014 that interconnects RedFoxtrot and Chinese military-intelligence apparatus, the People's Liberation Army (PLA) Unit 69010. 

Before restructuring in 2015, PLA’s cyber-attack unit 69010 was known as the Lanzhou Military Region’s Second Technical Reconnaissance Bureau, and now it has been incorporated into the Network Systems Department of the PLA’s Strategic Support Force (SSF). According to a report published by Recorded Future’s Insikt Group, cybersecurity experts have detected intrusions targeting aerospace, defense, government, telecommunications, mining, and research organizations in Afghanistan, India, Kazakhstan, Kyrgyzstan, Pakistan, Tajikistan, and Uzbekistan.

“Notable RedFoxtrot victims over the past 6 months include multiple Indian aerospace and defense contractors; telecommunications companies in Afghanistan, India, Kazakhstan, and Pakistan; and several national and state institutions in the region. Activity over this [past six-month] period showed a particular focus on Indian targets, which occurred at a time of heightened border tensions between India and the People’s Republic of China (PRC,” analysts explained.

According to the research team, for its attacks, the RedFoxtrot group employs both bespoke and publicly available malware families, including IceFog, ShadowPad, Royal Road, PCShare, PlugX, and web server infrastructure to host and deliver payloads and to collect stolen information. Some of the group’s past campaigns have been previously documented by other security firms under different names in something that has become a common sight in modern-day threat hunting.

“The recent activity of the People's Liberation Army has largely been a black box for the intelligence community. Being able to provide this rare end-to-end glimpse into PLA activity and Chinese military tactics and motivations provides invaluable insight into the global threat landscape. The persistent and pervasive monitoring and collection of intelligence is crucial in order to disrupt adversaries and inform an organization or government's security posture", Christopher Ahlberg, CEO, and Co-Founder of Recorded Future, stated.

Recorded Future researchers were successful in making connections inside this nebula of Chinese state-sponsored hacking activity to RedFoxtrot (and subsequently to PLA Unit 69010) due to lax operational security (OpSec) measures of one of its members. 

“Insikt Group is not publicly disclosing the identity of this individual; however, an extensive online presence provided corroborating evidence indicating that this individual is located in Ürümqi, has an interest in hacking, and also has a suspected historical affiliation with the PLA’s former Communications Command Academy located in Wuhan,” the researchers further stated.

The Russian government plans to create a unified video surveillance system

The Russian government wants to create a single video surveillance system that will unite smart cameras in Russian cities. The devices will be able to recognize faces and license plates. The project will help to quickly respond to crimes, and in some cases, prevent them. The personal data of ordinary people is promised to be reliably protected.

The development of the project and the installation of cameras is estimated at 250 billion rubles ($3,500,000), and the implementation may take five years. Previously, the project was estimated at 97 billion rubles ($1,350,000).

Now the cameras in Moscow send video to the Data Processing Center, and in the new system, they will recognize suspicious situations themselves and only then send the video to the Data Processing Center.

It is expected that different cameras will be installed in the cities, depending on the tasks. A face recognition system will be needed somewhere and there will be cameras with powerful computing modules. In other places, there will be enough cameras with motion sensors.

According to the expert, the system will make it possible to better detect violations, respond promptly to them, and in some cases even predict them.

The emergence of a unified video surveillance system may raise fears that personal data will be sent to smart cameras. The CEO of Lab.Ag and the developer of many government sites, Artem Geller, explained that such an outcome is inevitable because the cameras are aimed at fixing the physical data of people.

"Of course, they will process the physiological aspects such as face, gait, clothing, license plate. But don't forget that cameras are already doing this,” Geller added.

Cybersecurity specialist Sergey Vakulin recalled the experience of video surveillance systems in China, where there is also a face recognition function, but each person is assigned his own identification number. And only then this data is encrypted, but even with such a process, there are vulnerabilities.

"The biggest problem is that a lot of data is stored and transmitted using a global network. And devices connected to the global network are more vulnerable," Vakulin added.

According to Vakulin, it is too early to worry about possible hacking and data leaks. He explained that each system has cybersecurity specialists, testers who detect bugs.

Cisco Smart Switches Detected with Vulnerabilities

 

In Cisco's Small Business 220 Series smart switches a researcher has uncovered various vulnerabilities, especially those with high severity assessments. This Monday, the networking giant advised its consumers that patches for these vulnerabilities are available. 

The impact switch runs firmware versions earlier than 1.2.0.6 and has the web-based management interface enabled. 

Cisco Systems, Inc. is a US conglomerate based in San Jose, California, in the Silicon Valley center. Cisco designs manufacture and distribute high-tech services and products for networking hardware, software, telecommunications equipment, and others. 

Security researcher Jasper Lievisse Adriaanse has identified the vulnerabilities. He discovered four kinds of safety holes on the small enterprise switch as published in a notice by Cisco. 

One can be used by a remote, unverified attacker, tracked as CVE-2021-1542, which is rated as high severity to take over the user session and obtain access to the web portal of a switch. The attacker could acquire managerial access to the management interface, based on the rights of the potential customer. 

Another high-severity problem is CVE-2021-1541, which enables a remote device attacker with admin access to perform arbitrary root-privileged commands on the operating system underneath it. 

The two other weaknesses identified by the investigator, both of which were Cisco's medium severity, might allow a remote attacker to initiate XSS (CVE-2021-1543) or HTML injection attacks (CVE-2021-1571). 

“[In the case of the] XSS flaw, the vector which I tested and verified was by exploiting a vulnerability in how certain packets which are only valid on the same L2 domain are parsed,” Adriaanse explained. 

He added, “It should be possible, if you’re on the same L2 domain, to perform the XSS attack through CVE-2021-1543, obtain the CSRF token and perform arbitrary actions as the logged-in user. As I don’t write a lot of Javascript I didn’t attempt to write a payload to subsequently exploit CVE-2021-1541. Note however that due to lacking Content-Security-Policy headers you can use CVE-2021-1543 to include remote Javascript code. So you’re not limited by the packet size of the abused L2 protocol. I guess with enough experience and determination one could concoct a payload to do anything in the UI.” 

The XSS defect is due to inspections by the web-based management interface of the device being submitted by the user. An attacker could use this error by deceiving the victims into clicking a malicious link and accessing a certain page. The attacker may induce weakness in running arbitrary script code in connection with the affected interface or access sensitive, browser-based information. 

The HTML Injection Vulnerability is caused by faulty parameter checks on affected pages. In order to address certain vulnerabilities, Cisco has published software updates. 

Joker Malware Targeting Android Users Again

 

Recently Joker virus has been discovered in a few Google Play Store apps. The malware infiltrates a user's device through applications, collects data, and then subscribes these users to premium memberships without the individual's consent or agreement. 

Since three years, the Joker Trojan malware has been discovered in Google Play Store apps. In July 2020, the Joker virus infected over 40 Android apps available on Google Play Store, forcing Google to remove the compromised apps from the Play Store. Users' data is stolen, including SMS, contact lists, device information, OTPs, and other major data.

Quick Heal Security Labs recently discovered 8 Joker malware on the Google Play Store. These eight apps were reported to Google, and the company has since deleted them all from its store. 

The following are the eight apps that have recently been discovered to be infected with the Joker Trojan virus and should be deleted from any Android device: 
-Auxiliary Message 
-Fast Magic SMS 
-Free CamScanner 
-Super Message 
-Element Scanner 
-Go Messages 
-Travel Wallpapers 
-Super SMS 

Through SMS messages, contact lists, and device information, the Joker Trojan collects information from the victim's device. The Trojan then interacts discreetly with advertising websites and, without the victim's knowledge, subscribes them to premium services. 

According to the Quick Heal report, these applications request notification access at launch, which is then utilised to obtain notification data. After that, the programme takes SMS data from the notification and requests Contacts access. When permission is granted, the app makes and manages phone calls. Afterwards, it keeps working without displaying any suspicious attacks to the user. 

“Joker is one of the most prominent malware families that continually targets Android devices. Despite awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques. This spyware is designed to steal SMS messages, contact lists, and device information along with silently signing up the victim for premium wireless application protocol (WAP) services,” Zcaler stated in a blog post.