Search This Blog

Latest News

This Vulnerability in E-Learning Platform Moodle Could Even Modify Exam Results

  Critical Security Exploit in the popular e learning platform Moodle can be compromised that lets access to student data and test papers, t...

All the recent news you need to know

City Officials of Grass Valley Negotiates with the Handlers of Ransomware Attack

 

The city of Grass Valley is one of the latest victims of a ransomware attack. The operators of the ransomware attack informed the city officials that they had obtained data from city systems and threatened to post it on the web if the city doesn't pay a ransom. Surprisingly, the city officials decided to pay the ransom. 

“I think everyone’s a target. We’re not supposed to negotiate with terrorists – it emboldens them,” said Matthew Coulter, a Grass Valley resident who clearly wasn’t happy by the decision taken by the city officials.

According to Grass Valley police, they were left with no choice after the perpetrators contacted them in late June and threatened to publish the stolen data. The copied data allegedly included information on people or businesses that had conversations with various Grass Valley systems, including law enforcement.

“If we didn’t pay a small ransom and that data was dumped on the world wide web, then all of the people that we interacted with would be at risk of identity theft, loss of privacy, et cetera. One of the factors that weighed heavily for the city council was if this was something we could do to protect the people that we serve,” said Grass Valley attorney Michael Colatuono. 

City and emergency services were not greatly affected, and some discretionary outages were temporarily implemented. The cost of the incident is covered by the city’s insurance, according to an earlier press release and statements during the news conference.

Grass Valley isn’t the first city in the region to become a target, and likely won’t be the last. Sierra College was affected earlier this year, others are dealing with similar issues. City officials said the Federal Bureau of Investigation was contacted and that various state agencies are still investigating to find the perpetrators behind the attack. Credit monitoring is available to anyone interested if their personal data may have been breached.

To counter any cyberattack, the most important thing to look out for is ‘phishing’ emails. They may come from emails that you seem to recognize, but they could be pretending to be someone you are familiar with. He said to always check email addresses and avoid clicking on links you don’t recognize, referencing how one click could read this chaos, said Matt Bishop, a cybersecurity expert and UC Davis professor.

Malevolent PyPI Packages Detected Filching Developer Data

 

Repositories of software packages have become a frequent target for supply chain attacks. Reports concerning malware attacks on prominent repository systems like npm, PyPI, and RubyGems have been recently surfacing. Programmers completely trust repositories and install packages from such sources, provided that they are trustworthy. 

Malware packages may be posted to the package repository, permitting malicious actors to leverage repository systems to propagate viruses and start successful attacks both on developers and CI/CD machines in the pipeline. 

Eight Python packages that have been installed more than 30,000 times have been deleted from the PyPI portal with malicious code, demonstrating again how software package repositories have developed into a hub for a popular supply chain attack. 

The dearth of moderation and automated security safeguards in public software repositories enables relatively unfamiliar attackers, through typosquatting, dependency misunderstanding, or basic social engineering attempts, to utilize them as a base to disseminate malware. 

PyPI is Python's primary third-party software repository, which has package manager utilities, such as pip, as its default package and dependency source. 

Several of the packages could have been used for more complex threats, allowing the attacker to implement remote code on the target device, collect network data, plunder credit card details, and autosaved passwords in browsers like Chrome and Edge, and sometimes even steal Discord authentication tokens to impersonate the victim. 

PyPI is not alone in software package repositories that appear as a potential attack surface to invasions, with rogue packages identified in npm and RubyGems that might potentially damage a complete system or be a useful jump-off point to deepen the network of a victim. 

"The continued discovery of malicious software packages in popular repositories like PyPI is an alarming trend that can lead to widespread supply chain attacks," said JFrog CTO Asaf Karas. "The ability for attackers to use simple obfuscation techniques to introduce malware means developers have to be concerned and vigilant. This is a systemic threat, and it needs to be actively addressed on several layers, both by the maintainers of software repositories and by the developers." 

Mostly on the programmers' side, precautionary action must form an important part of any CI/CD pipeline, including the confirmation of the signature in the library and the use of automated security instruments that analyze problematic code suggestions included inside the project. Automated tools like these may warn users about the use of harmful code.

Google Plans to Ban 'Sugar Dating' Apps From September

 

Google is all set to remove ‘Super Dating' applications from the Play Store in order to make the Android app download market a safer place. From September 1, Sugar Dating" apps will no longer be available on play store, according to the company. 

Google is targeting applications that promote financial indemnity in relationships as there is a slew of “Sugar Daddy” type dating apps available. Google's "inappropriate content policy" has been modified and additional limits will be imposed on sexual content, especially forbidding compensated sexual relationships,” (i.e., sugar dating).  

A relationship in which a male provides money or possessions to someone younger than him in exchange for favors is referred to as a "Sugar Daddy" relationship. Previously, this didn't appear to be an issue for Google, but many platforms are rapidly attempting to establish an atmosphere that is more in touch with today's awareness culture. 

But, considering that certain traditional dating apps and social networks are also utilized for paid relationships, the question is how big of an impact it will have on them. Eventually, this update is primarily intended to safeguard young people from privacy and safety concerns while using applications. 

Google is taking these steps at a time when Trump's Fosta-Sesta law from 2018 is being increasingly utilized to target sites that encourage prostitution and online sex work. This legislation makes it simpler to penalize websites that aid in sex trafficking. Operators of sites that allow sex workers to communicate with clients, for example, may face a 25-year jail sentence. 

Although the law has been hardly ever enforced to date and could serve as a barrier, as per 2020 report by a group of sex workers called Hacking/Hustling mentioned that the law has had a "detrimental effect on online workers' economic stability, safety, access to the community, and clinical outcomes," as pressure on online platforms results in the elimination of tools such workers use to stay safe. 

Google's update also seeks to enhance children's safety, particularly their privacy. Advertisers will no longer be able to get advertising IDs from a child-oriented application. These IDs are basically surfing data that advertisers use to tailor their ad campaigns to effectively reach their target market and improve sales. Google, like other digital powerhouses, appears to be moving in the direction of effectively safeguarding young people on platforms and other networks.  

Furthermore, Google's Store Listing and Promotion policy will be updated on September 29, 2021, to ban spam text and images in app titles, icons, and developer names.

Security Researchers Discovered Crimea Manifesto Buried in VBA Rat

 

On Thursday, Hossein Jazi and the Threat Intelligence team at Malwarebytes released a report revealing a new threat actor that may be targeting Russian and pro-Russian individuals. A manifesto regarding Crimea was included by the assailants, implying that the attack was politically motivated. A suspicious document called "Manifest.docx" is used in the attacks, and it downloads and runs two attack vectors: remote template injection and CVE-2021-26411, an Internet Explorer exploit. Malwarebytes' Threat Intelligence team discovered the "Манифест.docx" ("Manifest.docx") on July 21.

"Both techniques have been loaded by malicious documents using the template injection technique. The first template contains a url to download a remote template that has an embedded full-featured VBA Rat. This Rat has several different capabilities including downloading, uploading, and executing files," Jazi said. 

The second template is imported into the document and is included in Document.xml.rels. According to the threat research teams at Google and Microsoft, the loaded code contains an IE Exploit (CVE-2021-26411) that was previously utilized by Lazarus APT to target security researchers working on vulnerability disclosure. The shell code used in this vulnerability loads the same VBA Rat as the remote template injection exploit. 

The attack, according to Jazi, was motivated by the ongoing conflict between Russia and Ukraine, which includes Crimea. Cyberattacks on both sides have been on the rise, according to the report. The manifesto and Crimea information, however, might be utilized as a false flag by threat actors, according to Jazi. 

The attackers used a combination of social engineering and the exploit, according to the report, to boost their chances of infecting victims. Malwarebytes was unable to pin the assault on a single actor but said that victims were shown a decoy document with a statement from a group linked to a figure named Andrey Sergeevich Portyko, who supposedly opposes Russian President Vladimir Putin's Crimean Peninsula policies. 

The decoy document is loaded after the remote templates, according to Jazi. The document is written in Russian but also has an English translation. A VBA Rat is also included in the attack, which collects victim information, identifies the AV product installed on the victim's workstation, runs shell-codes, deletes files, uploads and downloads files, and reads disc and file system information. Instead of using well-known API calls for shell code execution, which can easily be flagged by AV products, the threat actor employed the unique EnumWindows to run its shell-code, according to Jazi.