U.S. Cyber Military Forces Execute Retaliatory Cyber-attack Against Iran




In a retaliatory cyber-attack against Iran, U.S. cyber military forces cut down a database utilized by its Revolutionary Guard Corps to target ships in the Persian Gulf, just hours after 'the Islamic Republic shot down an American Drone'.

Right now, Iran still can't seem to recuperate the majority of the data lost in the attack and is attempting to re-establish military communication networks connected to the database.

As indicated by the Washington Post, the U.S President Donald Trump purportedly approved the U.S. Cyber Command's strike however the government has not openly recognized its occurrence.

A U.S. official who addressed the Washington Post additionally noted that the cyber-attack was intended to harm for Iran – however not to the degree that would further heighten pressures between the two sides.

Elissa Smith, a Pentagon spokesperson said in a statement, “As a matter of policy and for operational security, we do not discuss cyberspace operations, intelligence, or planning.”

In spite of the attack, the Islamic Republic has stayed rather active in the Strait of Hormuz, holding onto the English oil tanker Stena Impero in mid-July.

Recently discovered Fox News, it happened in June that Iran shut off a portion of its military radar sites around the time the U.S. was ready to dispatch retaliatory strikes, thusly it’s not clear if those radar sites were killed by cyber-attacks or if Iran shut them off intentionally fully expecting them.

In any case these strikes are not first major operations executed by the U.S. Cyber Command, as the organization a year ago had disrupted a Russian entity's endeavours to utilize Internet trolls to cultivate discontent among American voters during the 2018 midterm elections.



Texas Hit with a Series of Coordinated Ransomware Attack




Texas is currently hit with an 'unprecedented' of ransomware attacks that has significantly focused on local government entities in the state, with at least 23 impacted by the attacks.

The attacks which seem to have been led by a single threat actor are said to have of begun in the morning of August 16. It is additionally presumed that 23 may not be the final count considering that right now the details are at 'a minimum' with the Department of Information Resources (DIR), who is leading the investigation into the attacks.

The local Texas authorities, like the DIR, Texas Division of Emergency Management, and Texas Military Department are still investigating the origin of the attack, also involved are the federal agencies such as the Department of Homeland Security, Federal Bureau of Investigation – Cyber, and Federal Emergency Management Agency (FEMA).

In its original statement released on late Friday, DIR says that while investigations regarding the origins of the attack are continuous, their principle need is to aid the response and recuperation of 'affected entities'.

DIR is driving the reaction to what it calls a "coordinated ransomware attack" however does not unveil which organizations are affected. This is a result of security concerns involving the matter.

In an updated statement on Saturday, DIR said that the frameworks and systems of the State of Texas have not been influenced by this attack. Until more details rise, the strain of file-encrypting malware, which is said to be the one responsible for the attack as well as the perpetrator(s) ransom demand, still remains very unclear.


The Czech Republic again accused Russia of hacker attacks


The representative of the Czech National Cyber and Information Security Agency (NUKIB) during a report to the Senate Defense and Security Committee stated that hacker attack on the network of the Czech Foreign Ministry in June this year was organized by a foreign state.

NUKIB on Tuesday provided the results of the investigation of a DDoS attack, which reported that the Russian GRU attacked the computer network of the Foreign Ministry. “The GRU and their hacker group APT28 / Sofacy are behind this attack.”

"The Czech Foreign Ministry was again attacked by hackers from the Russian GRU. Therefore, I understand that we are conducting an open hybrid war with Russia. This espionage should not go unanswered", — Chairman of the party "Elders and Independents" Vit Rakushan commented on the situation.

Prime Minister Andrei Babish said that the Czech Foreign Ministry should focus on strengthening the security of its computer network.

Czech Foreign Minister Tomas Petricek, in turn, said that he had already appealed to the Ministry of Finance of the Republic for additional funding for his Department. The requested funds will be used to implement measures aimed at strengthening cybersecurity. The Minister intends to inform the government about cyber attacks on the Foreign Ministry.

According to Babish, the topic of cyber attacks on the Foreign Ministry will be one of the topics of discussion at the next meeting of the State Security Council. It will take place after August 26, when the holidays of most members of the Cabinet of Ministers will end.

It was previously reported that a criminal case was opened on the fact of a cyber attack on the Foreign Ministry. Hackers didn't manage to steal secret information. They gained access only to a few e-mail boxes of employees of the Ministry, but could not hack the server through which official correspondence is carried out.

Recall that in 2016, the Czech Foreign Ministry was also subjected to hacker attacks. Then the hackers got access to 150 email addresses of employees of the Ministry. The June attack this year led to failures in the internal computer network of the Ministry of Foreign Affairs

No environment is immune to cyber attacks : Research

Global cyber-security solutions provider Check Point Software Technologies Ltd, released its “Cyber Attack Trends: 2019 Mid-Year Report”, revealing that no environment is immune to cyber-attacks.

Threat actors continue to develop new tool sets and techniques, targeting corporate assets stored on cloud infrastructure, individuals’ mobile devices, trusted third-party supplier applications and even popular mail platforms:

Mobile banking: With over 50% increase in attacks when compared to 2018, banking malware has evolved to become a very common mobile threat. Today, banking malware is capable of stealing payment data, credentials and funds from victims’ bank accounts, and new versions of these malware are ready for massive distribution by anyone that’s willing to pay.

Software supply chain attacks: Threat actors are extending their attack vectors such as focusing on the supply chain. In software supply chain attacks, the threat actor typically instils a malicious code into legitimate software, by modifying and infecting one of the building blocks the software relies upon.

Email: Email scammers have started to employ various evasion techniques designed to bypass security solutions and anti-spam filters such as encoded emails, images of the message embedded in the email body, as well as complex underlying code which mixes plain text letters with HTML characters. Additional methods allowing scammers to remain under the radar of Anti-Spam filters and reaching targets’ inbox include social engineering techniques, as well as varying and personalizing email content.

Cloud: The growing popularity of public cloud environments has led to an increase in cyber-attacks targeting enormous resources and sensitive data residing within these platforms. The lack of security practices such as misconfiguration and poor management of the cloud resources, remains the most prominent threat to the cloud ecosystem in 2019, subjecting cloud assets to a wide array of attacks.

“Be it cloud, mobile or email, no environment is immune to cyber attacks. In addition, threats such as targeted Ransomware attacks, DNS attacks and Cryptominers will continue to be relevant in 2019, and security experts need to stay attuned to the latest threats and attack methods to provide their organizations with the best level of protection,” said Maya Horowitz, Director, Threat Intelligence & Research, Products at Check Point.

Sonicwall Cyber Threat Report 2019 Finds Escalation in Ransomware Attacks-As-A-Service


Based on the real world data from more than 1 million international security sensors in more than 200 nations, SonicWall made public the discoveries from its mid-year update of the 2019 through the 'SonicWall Cyber Threat Report'.

With the global malware volume going down by 20%, researchers found a 15% increment in ransomware attacks comprehensively.

This expansion in ransomware-as-a service, open-source malware kits and cryptojacking utilized by cybercriminals comprised of the major highlights of the new data found.

"Organizations continue to struggle to track the evolving patterns of cyber-attacks — the shift to malware cocktails and evolving threat vectors — which makes it extremely difficult for them to defend themselves," said SonicWall President and CEO Bill Conner.

"In the first half of 2019, SonicWall Real-Time Deep Memory Inspection (RTDMI) technology unveiled 74,360 'never-before-seen' malware variants. To be effective, companies must harness innovative technology, such as machine learning, to be proactive against constantly-changing attack strategies,” he added later.

In the first part of 2019, SonicWall also observed a 55% increase in IoT attacks, a number that outpaces the initial two quarters of the previous year, all because organizations and purchasers keep on connecting devices to the web without appropriate safety measures.




Free Scheme, 'The No More Ransom Project' Saving Thousands from Ransomware Attacks


A free scheme known as, 'The No More Ransom project' which was founded by Europol, police in the Netherlands, and McAfee is recorded to have prevented cyber-attack victims from paying heavy ransoms and assisted over 200,000 people in saving approximately $108m (£86m).

Along with advice and recommendations, the project delivers software which is configured to recover computer files that get encrypted during ransomware attacks.

With the introduction of 14 new tools in the year 2019 itself, the project having over 150 global partners can now decrypt a total of 109 variants of infection.

Referencing from the explanation given by, Steven Wilson, head of Europol's European Cybercrime Centre (EC3), “When we take a close look at ransomware, we see how easy a device can be infected in a matter of seconds. A wrong click and databases, pictures and a life of memories can disappear forever. No More Ransom brings hope to the victims, a real window of opportunity, but also delivers a clear message to the criminals: the international community stands together with a common goal, operational successes are and will continue to bring the offenders to justice.”

The project made determined and successful efforts to take down various ransomware campaigns including  GandCrab, which is amongst one of the most hostile ransomware campaigns of all time.

GandCrab continued making headlines in 2018 and in 2019, the cyber world saw an upsurge in the number of ransomware attacks targeting large organizations.

Commenting on the matter, Mr. Woser told BBC, "Projects like No More Ransom have been crucial when it comes to fighting ransomware on a global level, with pretty much all major parties cooperating on a global and daily basis, sharing intel[igence] in real-time - except for the US.

"The US should consider the success of the No More Ransom Project to be a call to action.

"Better cooperation between the private sector and law enforcement could result in fewer ransom demands being paid.

"That would make cyber-crime less profitable and, consequently, reduce the financial incentive for groups to commit cyber-crime."





Lone cyber police station in Bengaluru gets overburdened

The delay in setting up new police stations to handle cyber crime has overburdened the lone station in Bengaluru. Eight new police stations for cyber crime, economic offences and narcotics (CEN stations) were announced in December 2018 to handle the growing number of cyber crime cases in Bengaluru. One station was to be set up in each of the eight law-and-order divisions. Even six months after the announcement, the proposal is yet to be implemented.

The existing station, often crowded, has received over 4,700 complaints so far this year. It got 5,036 cases in the whole of 2018.

More cyber crime cases are registered in Bengaluru than in other Indian cities. And yet, some other cities have multiple dedicated stations. For instance, there are three cyber crime stations in Hyderabad.

Policemen say the sheer number of cases hampers investigations. In fact, the station has filed just one charge sheet until now this year against 52 in 2018 and 229 in 2017. A chargesheet is the end of the investigation process from the police side and paves the way for the case to be heard in court. Until now, there has been only one conviction for a cyber crime — in October 2018 after a case was investigated by the CID.

The existing station has a large number of visitors on most days. A policeman said, “Most of our time is spent in handling incoming cases, leaving us with hardly any time to investigate them.” Another official said though about 20 additional Central and Reserve (CAR) personnel have been deployed at the station, more stations are a must for faster resolution of cases.

Deputy commissioner of police (crime) Girish S said setting up of more stations will help the complainants as they will then have to travel only shorter distances to file complaints. Asked if the volume of cases was affecting investigations, Girish said, “I can’t say it’s affecting investigations, but what is happening is we are focusing on the more pressing, immediate cases, due to which the resolution time for other cases gets prolonged.” Cases of a very serious nature are taken up by the CID wing.

The Cyber Attack Response Center opened in Nizhny Novgorod


In the Russian city Nizhny Novgorod the largest Regional Cyber Attack Response Center was opened. The Center was established by Rostelecom-Solar, a subsidiary of Rostelecom, which is the operator of the systems supporting the operation of the public services portal and biometric identification in banks.
Solar JSOC Centers are already operating in other Russian cities such as Moscow, Samara and Khabarovsk. These subdivisions protect more than 110 largest Russian organizations from hacker attacks.  Federal agencies, regional administrations, financial organizations, energy companies apply to Rostelecom-Solar for information security.
The Center in Nizhny Novgorod has become the largest regional Center for monitoring and responding to cyber attacks.  The organization employs more than 70 information security professionals. The Center will be responsible for the security of all regional clients around the clock. The average response time to eliminate cyber attacks is 30 minutes.
This is a serious team of highly qualified experts in information security, able to provide customers with full protection against cyber threats, – said Igor Lyapunov, Vice President of Rostelecom for information security, General Director of Rostelecom-Solar.
All this work is impossible without qualified personnel.  This was one of the reasons why Nizhny Novgorod was chosen to create the Solar JSOC. The city has a number of universities that train IT specialists.
According to Igor Nosov, the Deputy Governor of the Nizhny Novgorod Region, today the Nizhny Novgorod Region ranks third in Russia in terms of the number of IT professionals. "We are proud of our IT companies. Today, about 700 such companies operate in the region, including the world's leading companies. And the fact that we are leaders in the IT sphere makes the problem of information security even more urgent for us.”
It is planned that the Regional Center will work closely with universities, implement internship and employment programs. Every year, more than 70 graduates and senior students participate in the Solar JSOC internship program, about 30 of them receive a job offer.

It is worth noting that now, cyber attacks are in the top 5 largest and most serious challenges facing Russia. Moreover, hacker targets are changing. Previously, the task was to seize cash, now hackers are going to gain control over the management of information systems. EhackingNews recently reported on a DDoS attack during the Presidential Straight Line.

US cyber attacks on Iranian targets not successful: Minister

U.S. cyber attacks against Iranian targets have not been successful, Iran's telecoms minister said on Monday, within days of reports that the Pentagon had launched a long-planned cyber attack to disable his country's rocket launch systems.

Tension runs high between longtime foes Iran and the United States after U.S. President Donald Trump on Friday said he called off a military strike to retaliate for the Middle East nation's downing of an unmanned U.S. drone.

U.S. President Donald Trump said on Saturday he would impose fresh sanctions on Iran but that he wanted to make a deal to bolster its flagging economy, an apparent move to defuse tensions following the shooting down of an unmanned U.S. drone this week.

On Thursday, however, the Pentagon launched a long-planned cyber attack, Yahoo News said, citing former intelligence officials. The cyber strike disabled Iranian rocket launch systems, the Washington Post said on Saturday.

"They try hard, but have not carried out a successful attack," Mohammad Javad Azari Jahromi, Iran's minister for information and communications technology, said on social network Twitter.

"Media asked if the claimed cyber attacks against Iran are true," he said. "Last year we neutralised 33 million attacks with the (national) firewall."

Azari Jahromi called attacks on Iranian computer networks "cyber-terrorism", referring to Stuxnet, the first publicly known example of a virus used to attack industrial machinery, which targeted Iran's nuclear facilities in November 2007.

Stuxnet, widely believed to have been developed by the United States and Israel, was discovered in 2010 after it was used to attack a uranium enrichment facility in the Iranian city of Natanz.

Washington accused Tehran of stepping up cyber attacks.

Officials have detected a rise in "malicious cyber activity" directed at the United States by people tied to the Iranian government, Chris Krebs, director of the Department of Homeland Security's cybersecurity agency, said on Saturday on Twitter.

US Cyber Command launched a digital strike against an Iranian spy group





The United States’s Cyber Command launched a retaliatory digital strike against an Iranian spy group that is believed to be behind a series of attack on commercial ships, according to two former intelligence officials.

The Iranian spy group has ties with the Iranian Revolutionary Guard Corps, a division of Iran’s Armed Force group. For the past several years, they have been digitally targeting the military and civilian ships that are passing through the economically important Strait of Hormuz. 

The exact details of the retaliatory strike are unknown. However, the strike against the group is said to have taken place on the same day when Iran shot down $180million unmanned US surveillance drone. 

A Pentagon spokesperson only told Yahoo News that 'as a matter of policy and for operational security, we do not discuss cyberspace operations, intelligence or planning.'



Hit by Ransomware Attack, US Town Agrees to pay Attackers $600,000 in Bitcoin



Riviera Beach, a small city which is located just north of West Palm Beach, fall prey to a massive cyber attack, wherein the hackers paralyzed the city's computer systems and have asked the city council to pay a $600,000 ransom in Bitcoin in order to have the data released.

With the hope of regaining the access to the encrypted data in the cyber attack, the officials of the Florida town conducted a meeting this week where the council agreed to pay the criminals 65 Bitcoin, a difficult to track currency.

Reportedly, it was after an employee of the town's police division accessed a phishing email, the virus which paralyzed all the computer systems in the city was unleashed.

To spread the word about the ransomware attack amongst the residents, a notice was posted on the city website which stated that they had undergone a data security event and was "working with our internal management team third-party consultants to address all issues."

Commenting on the matter, Mr. Rebholz, a principal for Moxfive, a technology advisory firm, said, “The complexity and severity of these ransomware attacks just continues to increase,”

“The sophistication of these threat actors is increasing faster than many organizations and cities are able to keep pace with.” He added.

A number of American cities have fallen prey to similar, computer-based breaches wherein the attackers demanded heavy ransoms for the restoration of the networks. Recently, Baltimore experienced a similar attack and though they refused to pay the ransom, the attack cost the city $18 million to fix damages.



Telegram Describes the DDoS Attack in Layman terms



The popular messaging app, Telegram, is being hit by a powerful distributed denial of service (DDoS) attack due to which it was down for users all around the world. The services were terminated for about an hour and during this period, the encrypted messaging service, 'Telegram' commented on the working of a DDoS attack.
“We’re currently experiencing a powerful DDoS attack, Telegram users in the Americas and some users from other countries may experience connection issues.” Telegram tweeted.
The company explained a DDoS attack as when “your servers get GADZILLIONS of garbage requests which stop them from processing legitimate requests. Imagine that an army of lemmings just jumped the queue at McDonald’s in front of you – and each is ordering a whopper,” 
 “The server is busy telling the whopper lemmings they came to the wrong place – but there are so many of them that the server can’t even see you to try and take your order.”
The attack was not the first of its kind; the company’s services were disrupted by a similar attack four years ago as well. During that incident, the company’s chief executive, Parel Durov and other officials denied commenting on who was responsible for the DDoS attacks.
In one of its tweets, the company talks about a bright side of these DDoS attacks and says, "There's a bright side: All of these lemmings are there just to overload the servers with extra work – they can't take away your Big Mac and Coke,"
"To generate these garbage requests, bad guys use 'botnets' made up of computers of unsuspecting users who were infected with malware at some point in the past. This makes a DDoS similar to the zombie apocalypse: one of the whopper lemmings just might be your grandpa," Telegram further tweeted to elaborate on how hackers carry out a DDoS attack successfully.




Undetected malware attacks Linux systems

A new sophisticated, unique Linux malware dubbed HiddenWasp used in targeted attacks against victim’s who are already under attack or gone through a heavy reconnaissance.

The malware is highly sophisticated and went undetected; the malware is still active and has a zero detection rate. The malware adopted a massive amount of codes from publically available malware such as Mirai and the Azazel rootkit.

Unlike Windows malware, Linux malware authors won’t concentrate much with evasion techniques, as the trend of using Anti-Virus solutions in Linux machine is very less when compared to other platforms.

However, the Intezer report shows “malware with strong evasion techniques does exist for the Linux platform. There is also a high ratio of publicly available open-source malware that utilizes strong evasion techniques and can be easily adapted by attackers.” In the past, we saw many malware focussed on crypto-mining or DDoS activity, but the HiddenWasp is purely a targeted remote control attack.

The malware is composed of a user-mode rootkit, a trojan, and an initial deployment script. Researchers spotted the files went undetected in VirusTotal and the malware hosted in servers of a hosting company ThinkDream located in Hong Kong.

While analyzing scripts, Intezer spotted a user named ‘sftp’ and hardcodes, which can be used for initial compromise and also the scripts has variable to clear the older versions from the compromised systems.

The scripts also include variables to determine server architecture of the compromised system and download components from the malicious server based on the compromised server architecture. Once the components installed, the trojan will get executed on the system.

“Within this script, we were able to observe that the main implants were downloaded in the form of tarballs. As previously mentioned, each tarball contains the main trojan, the rootkit, and a deployment script for x86 and x86_64 builds accordingly.”

Ransomware tool causing chaos in Baltimore was developed by NSA



A recent spate of ransomware attacks in Baltimore and other U.S. cities has been executed using a tool developed by the National Security Agency (NSA). Thousands of people in Baltimore have been locked out of their computers in the past three weeks, causing disruption across the city. And this has been enabled by a piece of software created by the NSA, according to a report in the New York Times.
The EternalBlue exploit takes advantage of a vulnerability in Microsoft Windows machines to infiltrate target computers. The software was stolen from the NSA and leaked by hackers in 2017, and since then has been used in a wide variety of cybercrinimal schemes. 2017’s WannaCry attack used the software, as did Russia’s NotPetya attack on Ukraine last year.
Now the same software is being used against U.S. citizens, causing particular problems for local governments with machines which have been disrupted. Many local governments do not regularly update their computers, leaving them vulnerable to exploits. In Baltimore, hospitals, airports, ATMs, shipping operators, and vaccine-producing factories have all been effected in the last few weeks.
The software locks the target computer’s screen, then shows a message demanding a payment of around $100,000 in Bitcoin for the target to regain access to their files. “We’ve watching you for days,” the message says, according to The Baltimore Sun. “We won’t talk more, all we know is MONEY! Hurry up!”
The NSA has never acknowledged the theft of the software or its responsibility for the cyberattacks conducted using it.
“The government has refused to take responsibility, or even to answer the most basic questions,” Thomas Rid, a cybersecurity expert at Johns Hopkins University, said to the Times. “Congressional oversight appears to be failing. The American people deserve an answer.”
EternalBlue may have been developed with good intentions to protect national security, but this event shows the problems with law enforcement or intelligence agencies having tools which allow them access to computers and phones. When such a tool is leaked, it can no longer be controlled.


Your Profile Up For Sale Somewhere On The Dreadful Dark Web For Rs. 140/day?





After hacking feats, cyber cons have stooped to selling hacked profiles on the dreadful dark web for a minimal cost of Rs. 140/day.


What’s even more unsettling is the fact that organizations, market researchers and people looking for business related data could also be behind this profile marketing.

The corner of the “dreadful dark web” where these profiles are available is not accessible via regular browsers.

By way of tools like “Tor” which is an open source software that aids anonymous communication and access to a whole new world of stolen passwords, data and profiles.

According to researchers, other than cyber attackers the people tracking the consumer behavior are after free access to video streaming sites that have already been paid for by the victim.

It’s super disconcerting the way rival companies are buying profiles to get "Intel" on their competitors consumer base, sensitive data and even tracking key executives.

These hacking goons are working in groups where one sells encrypted data and the other quite conveniently decrypts all for dear money.

Then there’s a third group which stores a list of the decrypted passwords into a central server which provides data sets from these breaches.

WARNING! If you happen to use a single password or even passwords that are a teensy bit different for more than one log in sites and multiple websites you are in serious trouble.

Reportedly, the hackers have collected over 8000 databases from small websites singly. It’s only up to the imagination what kind would have been from major sites.

On the dark sites, the data is being sold in packages ranging from a minimal Rs.140 ($2) to a staggering Rs.4900 ($70).

Payment methods of Crypto-currencies like Bitcoin, Litecoin, Dash, Ripple, Zcash and Ethereum are all available to the users’ comfort.

If several passwords are bought from the website a profile could be fabricated within minutes, because quite foolishly users have the same passwords for multiple sites.

This makes the user’s behaviour extremely predictable and it becomes easy for the buyers to track the victim’s activities all over the internet.

The people who spend more time on the internet are more susceptible to such hazards because they are easier to track.

A normal user’s passwords are available for as little as a rupee but then the hot shot public figures like politicians’ or actors’ passwords’ cost ranges from Rs.500- Rs.2500/password.

QUICK TIP!
·       Try not to use common, mainstream passwords that are only easily hack-able and guess-able.

·       Especially after a company experiences a breach or a hacking feat they should make their security stronger.

·       The systems should be made more accountable than ever.

No company has faced any adversities as of yet due to this profile marketing freak-show.






Unistellar Attackers Delete Over 12,000 Unsecured MongoDB Databases




With around 12,000 unsecured MongoDB databases being deleted in the course of three weeks, attackers have solicited the owners from the databases to contact the said cyber-exotortionists to have the information restored with just a message left behind.

They search for the already exposed database servers utilizing BinaryEdge or Shodan search engines, delete them and demand a ransom for their 'restoration services' and these sorts of attacks focusing on the publicly available MongoDB databases have known to have occurred since atleast the early 2017 [1, 2, 3, 4].

While Mongo Lock attacks likewise target remotely open and unprotected MongoDB databases, the campaign does not appear to demand a particular ransom. Rather, an email contact is given, well on the way to arrange the terms of information recuperation.

Sanyam Jain, an independent security researcher and the person who found the wiped out databases, gave quite a sensible clarification to this, saying that "this person might be charging money in cryptocurrency according to the sensitiveness of the database."

The 12,564 unprotected MongoDB databases wiped out by Unistellar were found by the researchers utilizing BinaryEdge. Seeing that, right now, BinaryEdge indexes somewhat more than 63,000 publicly accessible MongoDB servers as per Jain, it appears as though the Unistellar attackers have dropped by approx 20% of the aggregate.




The cyber-extortionists leave behind notes asking their victims to connect with them if  they need to reestablish their data by sending an email to one of the accompanying two email addresses: unistellar@hotmail.com or unistellar@yandex.com.

Shockingly, there is no real way to follow if their victims have been paying for the databases to be reestablished on the grounds that Unistellar just gives an email to be reached and no cryptocurrency address is given.

These attacks can happen simply because the MongoDB databases are remotely open and access to them isn't appropriately verified. This implies that the database owners can without much of a stretch forestall such attacks by following genuinely basic steps intended to appropriately secure their database instances.

MongoDB gives details on the most proficient method on how to verify a MongoDB database by actualizing legitimate confirmation, access control, and encryption, and furthermore offers a security agenda for executives to pursue.

More to the point, significant measures will undoubtedly be taken which will additionally forestall the attacks by empowering authentication and to not enable the databases to be remotely accessible.


Nigerian BEC Fraudsters Resorting to RATs as the Tool to Amplify Attacks



The number of Business Email Compromise, also known as BEC fraud has risen up by an alarming rate; hackers have resorted to Remote Access Trojans (RAT) to amplify their attacks. 

The FBI’s Internet Crime Complaint Center, IC3 attempted to reduce the damage done by these attacks by formulating a Recovery Asset Team which took care of the consequences of  BEC scams. However, the number of scammers involved in these kinds of attacks is significantly more than ever before.

The attacks which witnessed an unprecedented upsurge are regarded as a global threat with Nigeria practicing it extensively; in the African country, money making via BEC scams have become the norm. After examining the cybercrime in Nigeria, Palo Alto Network’s Unit 42 recorded the country’s evolution into employing ransomware and malware to attain financial objectives.

In 2018, the number of groups involved in BEC scams reached up to 400 which were a hundred more than the previous year, the activities further multiplied by 54% in comparison to the year 2017.

With a monthly average of 28,227 attacks, the most affected sector was High-tech which recorded over 120,000 attacks in the previous year and the second most targeted was the wholesale industry which was subjected to around 80,000 attacks. Lastly, the third most affected sector was manufacturing, which fell prey to a total of 57,000 attacks.

Monitoring the attacks, Verizon says in a report, “Given the sheer number of incidents in this sector, you would think that the government incident responders must either be cape and tights wearing superheroes, or so stressed they’re barely hanging on by their fingernails.”

“Admittedly we do not have as much data as to what is happening beyond the deception and initial device compromise. The inclusion of keylogging malware is a good indicator that additional credential theft and reuse is a likely next step.”




New Malicious Campaign Discovered Attacking Public and Private Entities via DNS Hijacking




A new malicious campaign called "Sea Turtle," as of late discovered by researchers allegedly, is said to have been attacking public and private elements in different nations utilizing DNS hijacking as a mechanism.

Moreover the campaign is known to have compromised no less than 40 different organizations across over 13 different nations amid this vindictive campaign in the first quarter of 2019.

Since DNS hijacking is a sort of malevolent attack that redirects the users to the noxious site by altering the DNS name records when they visit the site by means of compromised routers or attackers affecting a server's settings.

The attackers helped out their work through very industrious strategies and propelled apparatuses in order to gain access to the sensitive systems and frameworks as smoothly as possible.

By focusing on two distinct groups of victims they are focusing on a third party that is known to provide services to the primary targets to effectively play out the DNS seizing. The main aim of the attackers behind "Sea Turtle" is to ultimately aim to steal the credentials so as to access the systems and frameworks in the following manner:
  1.        Via establishing a means to control the DNS records of the target.
  2.        To modifying DNS records in order to point legitimate users of the target to actor-controlled servers.
  3.        To capturing legitimate user credentials when users interacted with these actor-controlled servers.
Researchers said that they "assess” with probably high certainty that these hijacking attacks are being propelled by an advanced, state-sponsored actor hoping to get to the sensitive systems and frameworks.

To ensure against these DNS hijacking attacks, the organizations are currently attempting to execute a registry lock service, multifaceted verification (to access the DNS records), and obviously keeping up to date on the patches, particularly on the internet facing machines.



Broadcom WiFi Chipset Driver Defect Takes Its Toll On OSs, IoTs, Phones and Other Devices.




Reportedly, the flaws in the Broadcom WiFi chipset drivers are causing a lot of trouble for phones and operating systems that are exposed to it.


This means, attackers could be allowed to execute arbitrary code and initiate DOS. (Denial of Service)

As reported by an intern of a reputed lab, the Broadcom drivers and the open source “brcmfmac” driver possess several vulnerabilities.

As it turns out, the Broadcom drivers are susceptible to “two heap buffer overflows.” Whereas, the ‘brcmfmac’ drivers are susceptible to frame validation bypass as well as heap buffer overflow.

Per the Common Weakness Enumeration database, the heap buffer overflows could cause the software to run in an infinite loop, system crashes, along with execution of arbitrary code.


These above activities are evidently beyond the security policies and security services.

The aforementioned Broadcom WiFi chips are insidiously used by almost everyone without their knowing it. From a laptop through the IoT devices to the smart TVs all the devices have these chip drivers.


As these chips are enormously prevalent, they comprise of an even more enormous target range. Any simple vulnerability or flaw found in them could be a matter of serious risk.

The Broadcom WiFi chipset drivers could be easily exploited by the unauthenticated attackers by way of sending malicious “WiFi packets”.

These packets would later on help in initiating the arbitrary code execution. All the attacks would simply lead to Denial of Service.

In the list of the risks that stand to vulnerable devices, Denial of Service attacks and arbitrary code execution are on the top. These flaws were found also in Linux kernel and the firmware of Broadcom chips.

According to the source note, the four brcmfmac and Broadcom wl drivers vulnerability is of the sort, CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, CVE-2019-9503.

·       CVE-2019-9503: When the driver receives the firmware event frame from the remote source, it gets discarded and isn’t processed. When the same is done from the host the appropriate handler is called. This validation could be bypassed if the bus used is a USB.

·       CVE-2019-9500: A malicious event frame could be constructed to trigger a heap buffer overflow.



·       CVE-2019-9501: The vendor is supplied with the information with data larger than 32 bytes and  a heap buffer overflow is triggered in “wlc_wpa_sup_eapol”

·       CVE-2019-9502: when the vendor information data length is larger than 164 bytes a heap buffer overflow is triggered in “wlc_wpa_plumb_gtk”

If the wl driver’s used with SoftMAC chipsets the vulnerabilities are triggered in the host’s kernel whereas, when used with FullMAC chipset, they are triggered in chipset’s firmware.

There are approximately over 160 vendors that stand vulnerable to Broadcom WiFi chipsets within their devices.

Two of Broadcom’s vulnerabilities were patched which were found in the open source brcmfmac Linux kernel.

CVE-2019-8564 vulnerability had been patched by Apple as a part of their security update, a day before the developer revealed the vulnerabilities.


Hackers in Ukraine are attacking Government websites


On the eve of the presidential elections in Ukraine, phishing attacks on Government Internet resources were activated.

According to the Head of the Computer Forensics Laboratory, the intensity of cyber attacks is increasing every year. It is a permanent process and is not necessarily associated with the elections. However, at the moment, the sites of the Central Election Commission, the Presidential Administration, the Cabinet of Ministers and infrastructure departments may be under attack.

In general, the situation with the cyber defense of Governments departments is now much better than a few years ago, since the cyber defense was improved by European financial assistance. Many different projects on quality protection have been funded.

At the same time, the sites of presidential candidates are in the risk zone of hacker attacks on the eve of the elections. It turned out that politicians can simulate the attack of hackers on their resources for the sake of PR to emphasize their importance.