
Nagios XI Servers Seem to Be Turning Into Cryptocurrency Miners for Attackers


Nagios XI is a popular enterprise server and network monitoring solution. Attackers are exploiting its "Configuration Wizard: Windows Management Instrumentation (WMI)" feature.

On March 16, 2021, Unit 42 researchers observed an attacker targeting Nagios XI to exploit CVE-2021-25296, a remote command injection vulnerability affecting Nagios XI version 5.7.5, in order to carry out a cryptojacking attack and deploy the XMRig coin miner on victims' devices.

XMRig is an open-source, cross-platform cryptocurrency miner. If the attack succeeds, XMRig is installed on the compromised device. The vulnerability is mitigated by updating Nagios XI to the latest release.

To determine whether a device is compromised and running the XMRig miner, users can do either of the following:

1. Run the command ps -ef | grep 'systemd-py-run.sh\|systemd-run.py\|systemd-udevd-run.sh\|systemd-udevd.sh\|systemd-udevd.sh\|workrun.sh\|systemd-dev' and check the output. If processes with any of these script names are running, the device may be compromised.

2. Check the folders /usr/lib/dev and /tmp/usr/lib for the scripts listed above. If they exist, the device may be compromised. If a system is found to be infected, killing those processes and deleting the scripts removes the XMRig used in this attack, but the host remains exploitable until Nagios XI is updated.
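The two manual checks above fold naturally into one script that can run on a fleet of Nagios hosts. The following POSIX shell script is an added example, not code from Unit 42 or from the Nagios project: the indicator script names and the two drop directories are exactly those reported above, the regular expression and function names are this example's own, and the ps output near the bottom is constructed for offline testing rather than captured from a real host.

```shell
#!/bin/sh
# Added example (not from the Unit 42 report or Nagios): wraps the two manual
# checks for the XMRig dropper (process names and drop directories) into
# reusable functions. Indicator names and directories are the reported ones;
# SAMPLE_PS below is constructed test data, not a real capture.

# Script names reported as indicators, as one POSIX extended regex.
IOC_NAMES='systemd-py-run\.sh|systemd-run\.py|systemd-udevd-run\.sh|systemd-udevd\.sh|workrun\.sh|systemd-dev'
# Directories the dropper is reported to write into.
IOC_DIRS='/usr/lib/dev /tmp/usr/lib'

# Filter ps -ef style lines on stdin down to those running an indicator script,
# dropping any grep that would otherwise match its own command line.
match_processes() {
    grep -E "$IOC_NAMES" | grep -v grep
}

# Number of indicator processes in the ps output passed as $1 (prints 0 if none).
count_process_hits() {
    printf '%s\n' "$1" | match_processes | grep -c . || true
}

# Paths of indicator scripts found under the directories given as arguments;
# directories that do not exist are skipped silently.
list_ioc_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f 2>/dev/null | grep -E "/($IOC_NAMES)\$" || true
    done
}

# Live check of this host. Exit status 1 means indicators were found.
scan_host() {
    hits=$(ps -ef | match_processes | grep -c . || true)
    files=$(list_ioc_files $IOC_DIRS)   # unquoted on purpose: splits into two dirs
    if [ "$hits" -gt 0 ] || [ -n "$files" ]; then
        printf 'Possible XMRig dropper: %s indicator process(es)\n' "$hits"
        if [ -n "$files" ]; then
            printf 'Indicator files:\n%s\n' "$files"
        fi
        return 1
    fi
    printf 'No XMRig dropper indicators found\n'
    return 0
}

# Constructed sample ps -ef output: two indicator processes plus a grep to ignore.
SAMPLE_PS='UID     PID  PPID C STIME TTY TIME     CMD
root      1     0 0 10:00 ?   00:00:01 /sbin/init
nagios 2210     1 0 10:05 ?   00:00:00 /bin/sh /usr/lib/dev/systemd-udevd-run.sh
nagios 2215  2210 0 10:05 ?   00:00:00 python /usr/lib/dev/systemd-run.py
nagios 2300     1 0 10:06 ?   00:00:00 grep systemd-dev
apache 3000     1 0 10:07 ?   00:00:00 /usr/sbin/httpd'

# Run the live check only when invoked with --scan, e.g.: sh xmrig_check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_host
fi
```

Run it with --scan on a suspect host; a non-zero exit status makes it easy to wire into a cron job or a Nagios check itself. The grep -v grep step matters: without it the scan's own grep process matches the pattern and produces a false positive every time.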

The attacks attempt to execute a malicious bash script fetched from the server 118[.]107[.]43[.]174. That script downloads the XMRig miner from the same server and drops a series of further scripts that run XMRig in the background. Once the attack succeeds, the device is used for cryptojacking.

The campaign targets Nagios XI 5.7.5, exploits CVE-2021-25296 and drops a cryptocurrency miner, putting any system running an out-of-date Nagios XI installation at risk.

Devices infected with cryptojacking malware can suffer performance degradation. Worse, because the dropper fetches its payload from an attacker-controlled server, the attacker can modify the hosted script at any time and have the new version downloaded and executed automatically on already-compromised hosts, opening the door to further attacks.

Palo Alto Networks Next-Generation Firewall customers are protected from this vulnerability by the following security subscriptions:
1. Threat Prevention can block the attack, with Best Practices applied, through Threat Prevention signature 90873.
2. WildFire static signature detections can identify the malware.
3. URL Filtering can block the malicious domains involved.

Customers Deceived by Google Over Collection of User Location Data


In a world-first enforcement action brought by the ACCC, the Federal Court of Australia found that between January 2017 and December 2018 Google LLC and Google Australia Pty Ltd (together, Google) misled consumers about the personal location data collected from Android mobile devices.

The Australian Competition and Consumer Commission (ACCC), which began proceedings against Google in 2019, said the ruling is an "important victory for consumers" in protecting online privacy. Google misled Android users into believing that 'Location History' was the only account setting controlling the collection of their personal location data, the ACCC said.

“This is an important victory for consumers, especially anyone concerned about their privacy online, as the Court’s decision sends a strong message to Google and others that big businesses must not mislead their customers,” ACCC Chair Rod Sims said. “Today’s decision is an important step to make sure digital platforms are upfront with consumers about what is happening with their data and what they can do to protect it.” 

The Court found that when consumers created a new Google Account during the initial set-up of an Android device, Google misrepresented 'Location History' as the only Google Account setting that affected whether Google collected, kept or used personally identifiable data about the device's location. In fact, a separate Google Account setting, 'Web & App Activity', also allowed Google to collect, store and use personal location data, and that setting was switched on by default.

Also, between 9 March 2017 and 29 November 2018, consumers who accessed the 'Web & App Activity' setting on their Android device were misled because Google did not tell them that this setting was also relevant to the collection of personal location data. The Court held that Google's conduct was liable to mislead the public.

“We are extremely pleased with the outcome in this world-first case. Between January 2017 and December 2018, consumers were led to believe that ‘Location History’ was the only account setting that affected the collection of their location data, when that was simply not true,” Mr. Sims said. He also added, “Companies that collect information must explain their settings clearly and transparently, so consumers are not misled. Consumers should not be kept in the dark when it comes to the collection of their location data.” 

The Court rejected the ACCC's claims concerning some of Google's statements about how users could prevent Google from collecting and using their location data, and about the purposes for which Google uses personal location data. The ACCC is seeking declarations, pecuniary penalties, publication orders and compliance orders.

Hackers Have Access to 13TB of Domino's India Internal Data


Popular pizza chain Domino's India appears to have suffered a cyberattack. According to Alon Gal, co-founder of an Israeli cybercrime intelligence firm, the attackers have access to 13TB of Domino's India internal data, including details of more than 250 employees across functions such as IT, Legal, Finance, Marketing and Operations. The attackers claim to hold all customer details and 18 crore (180 million) other records, including customers' names, phone numbers, email IDs, delivery addresses and payment details, among them more than 10 lakh (1 million) credit card records used for purchases on the Domino's India app.

The attackers intend to sell the entire data set to a single buyer. According to Gal, they are asking $550,000 (around Rs 4 crore) for the whole database and also plan to build a search portal for querying the data. The sale is reportedly taking place on the dark web, likely on a forum frequented by cybercriminals. So far, Domino's India has neither confirmed nor denied that customer data has been stolen or leaked from its servers.

“Information includes 180,000,000 order details containing names, phone numbers, emails, addresses, payment details, and a whopping 1,000,000 credit cards,” Gal claimed in a tweet. “Plenty of large-scale Indian breaches lately, this is worrying,” he added. 

It is particularly worrying because India has suffered several large-scale breaches recently. According to Computer Emergency Response Team (CERT-In) data, cyberattacks on India grew by almost 300% during the Covid-19 pandemic, rising to 11,58,208 in 2020 from 3,94,499 in 2019.

Independent cybersecurity researcher Rajshekhar Rajaharia told IANS that he had warned CERT-In about this possible hack on March 5. "I had alerted CERT-In about a possible Domino's Pizza India hack where the threat actor got data access with details like 200 million orders and personal data of the users too. The hacker, however, did not provide any sample," Rajaharia said.

There has been a string of hacking incidents involving Indian firms recently, including Bigbasket, BuyUcoin, JusPay, Upstox and others. Gal recently claimed that the personal information of about 533 million (53.3 crore) Facebook users, including 61 lakh Indians, was leaked online after a hacker posted the details on an online forum.

Here's a Quick Look at How Pakistani Counterfeiters Helped Russian Operatives


One entity stood out among the wave of U.S. sanctions imposed on Thursday on Russian cybersecurity companies and officials allegedly acting on behalf of Kremlin intelligence: 'Fresh Air Farm House' in Karachi, Pakistan.

The Farm House, whose Facebook page shows a vacation rental with a water park, is run by 34-year-old Mohsin Raza, described as one of two founders of an online fake ID business that prosecutors say helped Russian operatives gain a foothold in the United States.

According to a U.S. Treasury statement and an indictment unsealed this week by federal prosecutors in New Jersey, Raza ran a digital fake ID mill, churning out images of doctored drivers' licenses, bogus passports and forged utility bills to help rogue customers pass verification checks at U.S. payment companies and tech firms.

Reuters reached Raza in Pakistan at a telephone number listed in the U.S. Treasury's sanctions record. He confirmed his identity and acknowledged being a digital counterfeiter, saying he used "simple Photoshop" to alter ID cards, bills and other documents to order. Raza, who said he has also dabbled in graphic design, e-commerce and cryptocurrency, denied any wrongdoing, saying he was merely helping people get back into accounts they had been locked out of.

Among his clients, the New Jersey indictment alleges, was an employee of the Internet Research Agency, a notorious Russian troll farm implicated by U.S. investigators, media reports, leaked documents and former insiders in efforts to interfere in U.S. elections. The IRA employee used Raza's services in 2017 to obtain forged drivers' licenses to back up the identities of fake Facebook accounts, according to the indictment.

Facebook did not immediately comment. Raza said he did not track who used his service. He said the idea for the business came several years ago when a PayPal account he had opened under an alias was locked, trapping hundreds of dollars he had earned from search engine optimization work.

Money earned from the fake ID business was poured into building the Fresh Air Farm House, Raza said. The property, which features three bedrooms, a playing field, a water slide and a BBQ area, now sits on a U.S. list of sanctioned entities alongside Russian oligarchs and defense contractors. Raza's business is an example of how transnational cybercrime can serve as a springboard for state-sponsored disinformation, said Tom Holt, who directs the School of Criminal Justice at Michigan State University.

The alleged use by Russian operatives of a Pakistani fake ID merchant to circumvent American social media controls "highlights why this globalized cybercrime economy that touches so many areas can be a perfect place to hide - even for nation-states," he said.