Dharma: A Malicious Ransomware In The Skin of an Anti-Virus Software








A family of ransomware has been infecting organizations around the globe and now has a new trick up its sleeve. A file-locking malware is being distributed disguised as anti-virus software.

“Dharma” is the name of the infamous ransomware, which has been linked to tens of cyber-crime episodes.

Dharma’s "executive working team" is all about creating and fabricating state-of-the-art attacks that are lucrative to the highest extent.

With the recent stunt they’ve pulled, they stand a handsome chance of extorting ransom payments in exchange for decrypting files and unlocking networks on Windows systems.

The ransomware poses as anti-virus software, and users are thereby tricked into downloading and installing it.

Like many others, the attacks begin with “phishing emails” that claim to be from Microsoft and state that the victim’s PC is at risk, under threat or corrupted.

The email lures the user into downloading the anti-virus by accessing a download link; if the user goes through with it, two downloads are retrieved.

According to sources, they are the Dharma ransomware payload and an old version of anti-virus software from cyber security company ESET.

After the self-extracting archive runs, Dharma starts the file encrypting process. The user is guided to follow the installation instructions for ESET AV remover.

The interface is displayed on the desktop and requires user interaction during the installation process, all the while distracting the user from the actual con.

Once the installation is done, the victim is immediately confronted with a ransom note demanding crypto-currency in exchange for unlocking the files.

Malware has usually been hidden under the skin of legitimate applications and software; in the above scenario an official, unmodified ESET AV Remover was used.

Any other application could be exploited and used in this way to fool both less cyber-educated and even tech-savvy users.

The file-locking malware is relatively new on the market but powerful nonetheless, with enhanced tactics and ongoing work being done on it.

Various cyber-cons still try to upgrade old threats and make use of the latest techniques to wreak as much havoc as possible.

Ransomware happens to be an especially costly and dynamic threat which could hit in more than one way.

The only way to not fall prey to such devastating attacks is securing email gateways, embracing better cyber-security manoeuvres, backing up files and constantly patching and updating.


Anonymous Messengers now banned in Russia


On May 5, a government decree on the obligation of the owners of Messengers to identify the users of their resources by telephone number came into force in Russia. The relevant document was signed by Prime Minister Dmitry Medvedev on 6 November 2018.

According to the government decree, Messengers should check the information about the registration of the user's phone number with the mobile operator.

"In case of non-receipt of information from the operator within 20 minutes after the request or receipt of information about the absence of subscriber information in the databases, the identification is considered not completed," the document states.

If the mobile operator finds the requested phone number in its database, it also undertakes to specify which messengers the subscriber uses and assign a special identification code to him. In addition, the mobile operator must notify the administration of the messenger within 24 hours upon termination of the service agreement with the subscriber.

And if the organizer of the service refuses to fulfill the new requirements, he will face a fine of up to one million, as well as the blocking of the Messenger on the territory of Russia.

Earlier, Maxim Akimov, the Deputy Prime Minister, expressed confidence that the new rules of user identification in Messengers will not bring problems and financial costs for the IT industry.

Alexander Zharov, the Head of Roskomnadzor, recalled that earlier it was enough to simply enter the code sent in an SMS message for registration in the Messenger. However, there was a risk that a person would register with someone else's phone number.

"The possibility of anonymous communication in Messengers made it difficult for law enforcement agencies to investigate crimes," said the Head of Roskomnadzor. At the same time, Zharov emphasized that these rules do not violate the secrecy of correspondence.

Russian mobile operators said they are ready to meet the new requirements. Representatives from Facebook (including Facebook Messenger), WhatsApp, Instagram and Viber have yet to respond to the request.

‘Plane hacker’ says “I got bored, so I hacked NASA”


A hacker believed to have been involved in several plane hacking incidents revealed that he hacked the famous U.S. space agency NASA just because he was bored.

During the Digital Age Summit in Istanbul, Roberts spoke to Anadolu Agency (AA) and said he enjoyed exploiting vulnerabilities in the cyber security of big institutions like NASA.

He said, "We have found that the communication security between the satellite and land systems is not well encrypted. We were able to access the system by passing NASA's International Space Station access control measures."

Roberts stressed that there are no unbreakable systems, and that transport companies should take serious steps to protect their networks from being hacked, as suggested by “Good hackers”.

Roberts was investigated by the Federal Bureau of Investigation (FBI) in 2015 for the suspected hacking of an airplane’s computer system via in-flight wireless Internet.

In a search warrant provided by the FBI to the federal court, the FBI stated that Roberts had admitted to hacking in-flight entertainment systems through in-flight internet some 15 to 20 times between the years 2011 and 2014.

In an affidavit, Roberts claimed that through in-flight hacking he had accessed flight controls and caused planes to drift sideways.

However, Roberts, who is also popularly known as “Plane Hacker”, insists that he did all the hacking just to show the vulnerabilities in systems used in the aviation industry.

Is making hacking unprofitable the key to cyber-security?

Billions are being lost to cyber-crime each year, and the problem seems to be getting worse. So could we ever create unhackable computers beyond the reach of criminals and spies? Israeli researchers are coming up with some interesting solutions.

The key to stopping the hackers, explains Neatsun Ziv, vice president of cyber-security products at Tel Aviv-based Check Point Security Technologies, is to make hacking unprofitable.

"We're currently tracking 150 hacking groups a week, and they're making $100,000 a week each," he tells the BBC.

"If we raise the bar, they lose money. They don't want to lose money."

This means making it difficult enough for hackers to break in that they choose easier targets.

And this has been the main principle governing the cyber-security industry ever since it was invented - surrounding businesses with enough armour plating to make it too time-consuming for hackers to drill through. The rhinoceros approach, you might call it.

But some think the industry needs to be less rhinoceros and more chameleon, camouflaging itself against attack.

"We need to bring prevention back into the game," says Yuval Danieli, vice president of customer services at Israeli cyber-security firm Morphisec.

"Most of the world is busy with detection and remediation - threat hunting - instead of preventing the cyber-attack before it occurs."

Morphisec - born out of research done at Ben-Gurion University - has developed what it calls "moving target security". It's a way of scrambling the names, locations and references of each file and software application in a computer's memory to make it harder for malware to get its teeth stuck in to your system.

The mutation occurs each time the computer is turned on so the system is never configured the same way twice. The firm's tech is used to protect the London Stock Exchange and Japanese industrial robotics firm Yaskawa, as well as bank and hotel chains.

USA: Leading Servers Of Greenville Were Shut Down Owing To A Ransomware Attack!



In the state of South Carolina, a city by the name of Greenville was attacked by ransomware which blacked out the majority of its servers.

The source of the ransomware and the infection is being investigated with the help of city staff and IT professionals.

As is typical of ransomware, the affected organizations were asked for money. The IT team is working on getting operations back online.

The only servers that were separate and went unaffected were those of the Greenville Utilities Commission and of the emergency and police departments.

The infection first surfaced on the server of the Greenville Police Department. The IT division was immediately contacted and as a result the servers were shut down.

The shutdown hasn’t affected many operations and functions; the way things are done just needed some adjusting.

Thanks to people not being too dependent on computers, not much has been affected in the city, except that people wanting to make payments need to do so in cash.

After CIRA’s free parking accident and the shutdown of Norsk Hydro, it’s evident that ransomware is an emerging hazard to cyber-security.


Roskomnadzor demanded that VPN services connect to the register of prohibited sites

Roskomnadzor for the first time demanded that the owners of VPN services connect to the register of banned sites in Russia. According to the law, VPN providers and Anonymizers connected to it are obliged to filter traffic.

The requirements for connecting to the State Information System (FGIS) were sent to the operators of 10 VPN services: NordVPN, Hide My Ass!, Hola VPN, OpenVPN, VyprVPN, ExpressVPN, TorGuard, IPVanish, Kaspersky Secure Connection and VPN Unlimited.

FGIS contains a single register of banned Internet resources in the Russian Federation. According to the law, VPN services and Anonymizers are obliged to restrict access to Internet resources prohibited in Russia. So, services are required to connect to this system to gain access to the registry.

According to the current legislation, VPN services are required to connect to FGIS within 30 working days from the date of sending the requirements. Otherwise, FGIS may decide to restrict access to the VPN service.

It turned out that Roskomnadzor demanded the connection to FGIS after receiving approval from the Federal Security Service.

It's important to note that the search engine operators Yandex, Mail.ru, Sputnik and Rambler are currently connected to FGIS. At the beginning of 2019 Roskomnadzor fined Google 500 thousand rubles for failing to comply with the requirement to connect to FGIS.

Group-IB: Hackers hit SEA and Singapore hard in 2018




Singapore, 19.03.2019 – Group-IB, an international company that specializes in preventing cyberattacks, presented its analysis of the hi-tech crime landscape in Asia in 2018 at Money2020 Asia and concluded that cybercriminals show an increased interest in Asia in general and Singapore in particular. The Group-IB team discovered a new tool used by the Lazarus gang and analyzed the North Korean threat actor’s recent attacks in Asia. Group-IB specialists discovered 19 928 Singaporean banks’ cards that showed up for sale on the dark web in 2018 and found hundreds of compromised government portals’ credentials stolen by hackers throughout the past 2 years. The number of leaked cards increased in 2018 by 56%. The total underground market value of Singaporean banks’ cards compromised in 2018 is estimated at nearly $640 000.

Lazarus go rogue in Asia. New malware in gang’s arsenal

According to the Group-IB Hi-Tech Crime Trends 2018 report, Southeast Asia, and Singapore in particular, is one of the most actively attacked regions in the world. In just one year, 21 state-sponsored groups, which is more than in the United States and Europe combined, were detected in this area, among them Lazarus, a notorious North Korean state-sponsored threat actor.

Group-IB established that Lazarus is responsible for a number of the latest targeted attacks on financial organizations in Asia. The Group-IB Threat Intelligence team detected and analyzed the gang’s most recent attack on one of the Asian banks.

In January 2019, Group-IB specialists obtained information about a previously unknown malware sample used in this attack, dubbed RATv3.ps by Group-IB (RAT - remote administration tool). The new Trojan was presumably downloaded to a victim’s computer as part of the second phase of a so-called watering hole attack, which, according to the Group-IB report on Lazarus, the group has been actively using since 2016. During the first stage, the cybercriminals supposedly infected a website visited by the victim with the Trojan Ratankba, a unique tool used by Lazarus. Group-IB specialists note that the new RATv3.ps might have been used by North Korean hackers in other recent attacks at the end of 2018. At least one of the RATs was available via a legitimate Vietnamese resource, which might have been involved in other attacks.

“The newly discovered Lazarus’ malware is multifunctional: it is capable of data exfiltration from the victim’s computer, downloading and executing programs and commands via shell, acting as a keylogger to retrieve victim’s passwords, moving, creating and deleting files, injecting code into other processes and screencasting,” – comments Dmitry Volkov, Group-IB CTO and Head of Threat Intelligence. “So in case of Lazarus a stitch in time saves nine. It is very hard to contain their attacks as they happen. You have to be well prepared and know their tactics and tools. In particular, it is extremely important to have the most up-to-date indicators of compromise, unavailable publicly, that can only be gathered through automated machine learning-powered threat hunting solutions. Given the group’s increased activity in the region in 2018, we believe that Lazarus will continue to carry out attacks against banks, which will result in illicit SWIFT payments, and will likely experiment with attacks on card processing, primarily focusing on Asia and the Pacific.”

Several cybersecurity researchers note that also in 2018 Lazarus carried out a global campaign known as “Rising Sun”. The malicious campaign affected close to 100 organizations around the world, including in Singapore. The gang’s new endeavor took its name from the implant downloaded to victims’ computers. It was found that Rising Sun was created on the basis of the Trojan Duuzer family, which also belongs to cybercriminals from the Lazarus group. The malware spread as part of this campaign was primarily aimed at collecting information from the victim’s computer according to various commands.

According to the Group-IB Hi-Tech Crime Trends report 2018, Lazarus, unlike most other state-sponsored threat actors, does not shy away from attacking crypto. “Singapore, being one of the most crypto-friendly countries in the world, attracts not only thousands of crypto and blockchain entrepreneurs every year, but also threat actors willing to grab a piece of the pie. We expect that other APTs like Silence, MoneyTaker, and Cobalt will stage multiple attacks on cryptocurrency exchanges in the near future,” – says Dmitry Volkov.

Have you been pwned?

Group-IB Threat Intelligence team identified hundreds of compromised credentials from Singaporean government agencies and educational institutions over the course of 2017 and 2018. Users’ logins and passwords from the Government Technology Agency (https://www.tech[.]gov.sg/), Ministry of Education (https://www.moe[.]gov.sg/), Ministry of Health (https://www.moh[.]gov.sg/), Singapore Police Force website (https://polwel[.]org.sg/about/), National University of Singapore learning management system (ivle.nus[.]edu.sg) and many other resources were stolen by cybercriminals. CERT-GIB (Computer Emergency Response Team) reached out to Singaporean CERT upon identification of this information. “Users’ accounts from government resources are either sold on underground forums or used in targeted attacks on government agencies for the purpose of espionage or sabotage. Even one compromised account, unless detected at the right time, can lead to the disruption of internal operations or leak of government secrets,” – comments Dmitry Volkov. Cybercriminals steal user accounts’ data using special spyware aimed at obtaining users' authentication data. According to Group-IB data, PONY FORMGRABBER, QBot and AZORult became the TOP 3 most popular Trojan-stealers among cybercriminals.

Pony Formgrabber retrieves login credentials from configuration files, databases and secret storages of more than 70 programs on the victim’s computer and then sends the stolen information to the cyber criminals’ C&C server. Another Trojan-stealer, AZORult, aside from stealing passwords from popular browsers, is capable of stealing crypto wallet data. The Qbot worm gathers login credentials through the use of a keylogger, steals cookie files and certificates and active internet sessions, and forwards users to fake websites. All these Trojans are capable of compromising the credentials of crypto wallet and crypto exchange users. More information on the most actively used Trojans and their targets can be accessed through Group-IB Threat Intelligence.

Public data leaks are another huge source of compromised user credentials from government websites. The Group-IB team analyzed recent massive public data breaches and discovered 3689 unique records (email & passwords) related to Singaporean government website accounts.

Underground market economy. Number of compromised cards of Singaporean banks on sale increases

In 2018, Group-IB detected a total of 19,928 compromised payment cards related to Singaporean banks on darknet cardshops. Singapore, as one of the major financial hubs in Southeast Asia, is drawing more and more attention from financially motivated hackers every year. According to Group-IB data, compared to 2017, the number of leaked cards increased in 2018 by 56%. The total underground market value of Singaporean banks’ cards compromised in 2018 is estimated at nearly $640,000.

The Group-IB Threat Intelligence team observed two abnormal spikes in Singaporean banks’ dumps (unauthorized digital copies of the information contained in the magnetic stripe of a payment card) offered for sale on the dark web in 2018. The first one occurred on July 20th, when almost 500 dumps related to top Singaporean banks surfaced on one of the most popular underground hubs of stolen card data, Joker’s Stash. On average, the price per dump in this leak was relatively high, at $45. The high price is due to the fact that most of the cards were premium ones (e.g. Platinum, Signature etc.).

Another significant breach happened on November 23rd, when the details of 1147 Singaporean banks’ dumps were put up for sale on cardshops. The seller wanted $50 per item; 50% of the stolen cards in the batch were also marked as Premium.

Group-IB Threat Intelligence continuously detects and analyses data uploaded to cardshops all over the world. According to Group-IB’s annual Hi-Tech Crime Trends 2018 report, on average, from June 2017 to August 2018, the details of 1.8 million payment cards were uploaded to card shops monthly.

QR-codes on historical buildings of Russian city Astrakhan that led to Adult sites have been removed


A hacker reportedly changed the website location of the QR-codes on historical buildings of the Russian city of Astrakhan and replaced it with an adult website link. No technical details were provided on how the hacker was able to change the location of the QR codes.

When residents and guests of the city scanned QR-codes, their phones opened resources for adults, instead of sites with historical references.

Galina Goteeva, the Minister of Culture and Tourism of the region, said on March 15 that the signs with QR codes on the historical buildings of Astrakhan were changed.

QR-codes were placed on historically significant buildings of Astrakhan a few years ago. It was assumed that people could get a historical reference about the building after scanning the code with a mobile phone. Already in November last year, the media reported about QR codes leading to porn sites and dating sites for quick sex.

In fact, the Regional Ministry of Culture struggled for a long time with the elimination of porn content, and the signs were removed with great difficulty. Only at the end of the year was sex traffic stopped completely.

However, it is still a mystery why the signs with QR-codes hung for so long and why they were not promptly replaced. In total, there are at least 15 signs. QR-codes stopped working more than a year ago, but officials did not pay any attention to it: first, the pages gave an error, and later they began to lead to porn sites.

Group-IB: payment data of thousands of customers of UK and US online stores could have been compromised




Moscow, 14.03.2019 – Group-IB, an international company that specializes in preventing cyberattacks, has uncovered malicious code designed to steal customers’ payment data on seven online stores in the UK and the US. The injected code has been identified as a new JavaScript Sniffer (JS Sniffer), dubbed GMO by Group-IB.

The Group-IB Threat Intelligence team first discovered the GMO JS Sniffer on the website of the international sporting goods company FILA UK, which could have led to the theft of payment details of at least 5,600 customers over the past 4 months.

Do your payments have the sniffles?

The most recent breaches similar to this include British Airways and Ticketmaster, which were first analyzed by the RiskIQ research team, where cybercriminals managed to compromise the personal information of thousands of travelers and concert goers with a few lines of code. The British Airways and Ticketmaster websites were infected with JS Sniffers, a type of malicious code injected into a victim’s website and designed to steal a consumer’s personal data, including payment card details, names, credentials etc.

The FILA UK website (fila.co[.]uk) became the cybercriminals’ new major target on the UK market. The GMO JS Sniffer has also been discovered on 6 other websites of US-based companies. This type of attack is especially dangerous given that it can be applied to almost any e-commerce site around the world. Group-IB made multiple attempts to alert FILA, which was known to be impacted by GMO. The six other websites affected by this JS Sniffer were notified upon discovery as well. The Group-IB team has also reached out to local authorities in the UK and the US to conduct outreach.

Group-IB’s Threat Intelligence team first discovered GMO on the FILA UK website. The malicious code was detected in early March 2019. In the course of further research it was revealed that the GMO JS Sniffer has presumably been collecting customer payment data since November 2018. According to Alexa.com, the number of fila.co[.]uk unique monthly visitors is estimated at around 140k per month.

According to IRP, a UK market research firm, the minimum conversion into purchase for fashion and clothing ecommerce is equal to 1%. Using very conservative estimates, payment and personal details of at least 5,600 customers could have been stolen by cybercriminals – everyone who has purchased items on fila.co[.]uk since November 2018 has potentially had their details compromised. Typically, after customer data is stolen, it is resold on underground cardshops. Another scheme of cashing out involves the use of compromised cards to buy valuable goods, e.g. electronics, for onward sale.


Mozilla Firefox Considers Blocking Cyber Security Company DarkMatter; Reports Arise of Its Link to a Cyber Espionage Program




Firefox browser-maker Mozilla is considering whether to block the cyber security organization DarkMatter from serving as one of its internet security gatekeepers after a Reuters report connected the UAE-based firm to a cyber-espionage program.

The international news organization reported in January that the cyber-security company provided the staff for a secret hacking operation with the codename Project Raven, on behalf of an Emirati intelligence agency. The unit included former U.S. intelligence officials who led hostile cyber operations for the UAE government.

The shrouded program, which operated from a converted Abu Dhabi house far from DarkMatter's headquarters, included hacking into the internet accounts of human rights activists, journalists and officials from rival governments.

Mozilla said the company is in talks to arrive at a decision on whether to revoke the authority held by DarkMatter, and expects to decide within weeks. Two Mozilla officials said in a meeting a week ago that the Reuters report raised their worries about whether DarkMatter would abuse its position to certify sites as safe.

Selena Deckelmann, a senior director of engineering for Mozilla, said "We don't currently have technical evidence of misuse (by DarkMatter) but the reporting is strong evidence that misuse is likely to occur in the future if it hasn't already."

She likewise said that Mozilla was thinking about stripping a few or the majority of the 400 certifications that DarkMatter has granted to sites under a limited authority since 2017.

In any case, DarkMatter CEO Karim Sabbagh denied the Reuters report connecting his company in any way to Project Raven. "We have never, nor will we ever, operate or manage non-defensive cyber activities against any nationality," he said in a letter to Mozilla on February 25th, posted online by the cyber security company.

While in the past Mozilla has depended heavily on technical issues when choosing whether to trust a company with certification authority or not, the Reuters investigation has driven it to re-evaluate its arrangement for affirming candidates.


Anonymous Threat Group Compromised 1 Million Web Pages of Popular Brands like Coca-Cola and McDonald’s



Around 1 million Israel-based webpages owned by renowned brands like McDonald’s and Coca-Cola have been compromised by an anonymous group of hackers, who notably breached the websites that leading brands run for Israeli users under the ‘co.il’ address, such as Cocacola.co.il and McDonalds.co.il.

The hacker group used a third-party accessibility plug-in known as ‘nagich.co.il’, which loaded infected JavaScript code that compromised the websites and helped the threat actors exploit and corrupt a million web pages.

A critical vulnerability existed in the disabled page accessibility plug-in, Nagich; it permitted access to more than 1 million Israel-based webpages and was what primarily helped the attackers corrupt the webpages.

Besides the websites of renowned brands such as Coca-Cola, McDonald’s and Toys"R"Us, other popular websites, namely Ynet and Calcalist, also fell prey to this breach. Reportedly, the attackers corrupted these websites and displayed political messages.

The Nagich website is not a usual site; it hosts an accessibility plugin, a JavaScript file which runs on any website that opts for this service and provides it with a multitude of options.

Because the script is given the necessary permissions to run code on the website, the severe vulnerability means an attacker can make any changes to the site and do whatever they want. Hackers exploited it to swap in malicious code via the embedded link, with the aim of corrupting webpages.

By delaying remedial measures to patch the vulnerability, Nagich officials in a way enabled hackers to compromise hundreds of webpages.
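The exposure described above comes from pages that load a third-party script without pinning its content. As an added example (not from the original article or from Nagich), the following audit lists third-party scripts on a page and checks whether each is pinned with Subresource Integrity (SRI), a browser mechanism the article does not mention; the host names and HTML are constructed sample data.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hash algorithms defined for SRI, weakest to strongest.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_value(body: bytes, alg: str = "sha384") -> str:
    """Return the integrity attribute value for a script body."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(integrity):
    """Split an integrity attribute into (algorithm, base64 digest) pairs,
    dropping tokens with an unknown algorithm or an empty digest."""
    pairs = []
    for token in (integrity or "").split():
        alg, _, digest = token.partition("-")
        digest = digest.split("?", 1)[0]  # options after '?' are ignored
        if alg in STRENGTH and digest:
            pairs.append((alg, digest))
    return pairs


def matches_integrity(body: bytes, integrity: str) -> bool:
    """Browser rule: only digests of the strongest listed algorithm count,
    and the body must match one of them."""
    pairs = parse_integrity(integrity)
    if not pairs:
        return False  # nothing enforceable, so the audit treats it as unpinned
    strongest = max((alg for alg, _ in pairs), key=STRENGTH.get)
    wanted = {digest for alg, digest in pairs if alg == strongest}
    actual = sri_value(body, strongest).split("-", 1)[1]
    return actual in wanted


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attr_map = dict(attrs)
            if attr_map.get("src"):
                self.scripts.append(attr_map)


def audit(page_url: str, html: str):
    """Return one finding per script loaded from a host other than the page's."""
    page_host = urlparse(page_url).hostname
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        url = urljoin(page_url, attrs["src"])
        if urlparse(url).hostname == page_host:
            continue  # first-party script, outside this check
        findings.append({
            "url": url,
            "pinned": bool(parse_integrity(attrs.get("integrity"))),
            "cors": "crossorigin" in attrs,  # needed for cross-origin SRI checks
        })
    return findings


# Constructed sample data: hypothetical hosts and script body.
PAGE_URL = "https://shop.example/checkout"
LIB_BODY = b"window.lib = {version: 1};"
SAMPLE_HTML = f"""
<html><head>
<script src="/js/app.js"></script>
<script src="https://plugin.example/accessibility.js"></script>
<script src="//cdn.example/lib.js" integrity="{sri_value(LIB_BODY)}" crossorigin="anonymous"></script>
</head></html>
"""

if __name__ == "__main__":
    for finding in audit(PAGE_URL, SAMPLE_HTML):
        print(finding)
    # A script body changed on the provider's side no longer matches its pin.
    print(matches_integrity(LIB_BODY + b"/* injected */", sri_value(LIB_BODY)))
```

A pinned script stops loading as soon as the provider changes the file, so pinning only works against a versioned URL whose content does not change.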



The First-Ever Millionaire Hacker on HackerOne




At the tender age of 19, Santiago Lopez is earning a handsome sum of money via the bug bounty program HackerOne, discovering security flaws through vulnerability coordination. He is said to be the first to make more than USD 1 million through the aforementioned channels, and he ranks second on HackerOne.

Lopez is self-taught in how to get past layers of security protections: he resorted to tutorial videos and content on the internet for his hacking and information security classes, which he started taking in 2015 at the age of 16.

He has worked and reported vulnerabilities for renowned organizations such as Twitter, Automattic, Verizon and HackerOne, among others. As of now, he has successfully reported 1676 different vulnerabilities for online assets. Additionally, he has worked for the US government and other private organizations.

A year later, when he was awarded $50 for a CSRF vulnerability, the inflow of rewards began; the largest bounty was $9,000, which he received for an SSRF.

Santiago invested his initial bug bounty earnings in a brand new PC, and as the money multiplied, the young IT enthusiast considered buying cars.

At HackerOne, the goal of the program is to reach the mark of $100 million by the end of 2020, and on the way to this goal, in 2018, the security researchers at HackerOne made more than $19 million in bounties, which is significantly larger than over $24 million paid in the past five years.

It has been reported that the majority of the hackers dedicate around 10 hours per week to searching for bugs, while one-fourth of them are found to be working 10-20 hours every week.

According to a survey, security researchers with extensive experience in the field form the smallest percentage, whereas the majority, 72.3%, have between one and five years of experience.

The joys of accumulating money and dealing with challenges are among the top driving factors for researchers to submit bugs through HackerOne.





The Australian Parliament’s Anti-Encryption Law Opening Doors to Potential Cyber Attacks




The Australian Parliament recently gave a green light to an "anti-encryption" law i.e. the Assistance and Access Bill, broadly recognized by numerous U.S. tech giants, to give the nation's intelligence and law enforcement agencies access to end-to-end encrypted communications.

The bill passed regardless of vocal opposition from cyber security and technology groups far and wide, who cautioned that even secondary passages structured solely for law enforcement will without a doubt be exploited by those keen to carry out cyber-attacks.

Portrayed as a "secondary passage" or "backdoor", the move is said to fundamentally weaken Australia's cyber security and perhaps that of the other users of these technologies as well.

There is additionally a "far reaching concern" that this law will eventually have a negative impact on employment at Australian technology firms, as the global network will no longer trust these products.

Lawmakers, who in the present digital economy ought to work to close the "cyber exposure gap", not widen it, are instead weakening Australia's overall cyber security posture, with a major impact on economic outcomes as well.

There is no denying the fact that law enforcement organizations around the world face reasonable difficulties; however, laws that weaken encryption are the wrong solution.

Therefore, as opposed to following Australia's hazardous precedent, other nations must work to guarantee public safety while likewise closing the "cyber exposure gap" and reinforcing cyber security standards for all devices. The dangers related to Australia's action ought not to be downplayed, because cyber security is as important as national security.


Hackers Delivering New Muncy Malware Worldwide through DHL Phishing Campaign



Targeting users across the globe, attackers are reported to be distributing new malware dubbed Muncy, in the form of an EXE file, through DHL phishing campaigns.

DHL phishing, delivered through malspam emails, is among the most far-reaching campaigns and has distributed several sophisticated malware families. The attackers made the emails appear legitimate by exploiting poorly configured SMTP servers and by employing email spoofing techniques.

DHL is a company of global repute which specializes in providing express mail services, international couriers and parcels. The reputation of the well-established company took a hit as cybercriminals abused its name to distribute malware.

They did so by configuring the malicious emails to appear to be coming from DHL Express. The email carried an infected attachment in PDF format.
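A mail gateway can catch this kind of sender spoofing by comparing the visible From header with the authentication verdicts it recorded itself. The sketch below is an added example, not code from the campaign analysis; the gateway name `mx.example.net`, the brand allow-list, the flag names and all four sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.net"   # assumption: authserv-id of our own mail gateway
BRAND, BRAND_DOMAINS = "dhl", ("dhl.com",)  # assumption: local allow-list for the brand

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts, trusting only headers stamped by our gateway."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a sender can pre-insert its own header claiming "pass"
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts

def spoofing_flags(raw):
    """Return the reasons a message claiming to be from the brand looks spoofed."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    on_brand = domain in BRAND_DOMAINS or domain.endswith(
        tuple("." + d for d in BRAND_DOMAINS))
    verdicts = auth_results(msg)
    flags = []
    if BRAND in display.lower() and not on_brand:
        flags.append("display-name-impersonation")   # brand name, unrelated domain
    if on_brand and verdicts.get("dmarc") != "pass":
        flags.append("brand-domain-failed-dmarc")    # exact-domain spoof
    if not verdicts:
        flags.append("no-trusted-auth-results")      # gateway never checked it
    return flags

def sample(from_hdr, auth_hdr):
    """Build a constructed test message (not real traffic)."""
    return (f"From: {from_hdr}\nAuthentication-Results: {auth_hdr}\n"
            "Subject: Shipment notification\n\nSee attached.\n")

EXACT_SPOOF = sample("DHL Express <noreply@dhl.com>",
                     "mx.example.net; spf=softfail; dkim=none; dmarc=fail header.from=dhl.com")
LOOKALIKE = sample('"DHL Express" <notice@parcel-track.example>',
                   "mx.example.net; spf=pass; dkim=pass; dmarc=pass")
FORGED_HDR = sample("DHL Express <noreply@dhl.com>",
                    "mail.sender.example; dmarc=pass header.from=dhl.com")
LEGIT = sample("DHL Express <noreply@dhl.com>",
               "mx.example.net; spf=pass; dkim=pass; dmarc=pass header.from=dhl.com")
```

The lookalike case passes SPF, DKIM and DMARC for its own domain, which is why the display-name check is needed alongside the authentication verdicts.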

How is the malware executed?

As soon as the targeted user opens the PDF attachment, the Muncy Trojan file sneaks into the system. The packed malware is then unpacked, and once unpacked it scans the whole C:\ drive for files containing sensitive data.

Expert takes

Commenting on the matter, Pedro Tavares, founder and pentester at CSIRT.UBI, told GBHackers, “The phishing campaign is trying to impersonate DHL shipment notification and the malware is attached in the email.”

“This malware is on the rise and is affecting users in the wild while stealing sensitive information from their devices.”





Websites Including Ixigo Hacked, Leaving 127 Million Accounts Exposed For Sale






Over 127 million accounts were stolen from around 8 separate websites. This is the work of a hacker who had previously stolen the records of 620 million people.

The travel booking site “Ixigo” seems to be one of the major victims from which records were stolen.

Allegedly, these records include the users’ names, email addresses, passwords and other personal details.

According to research, 18 million user records were taken from Ixigo and around 40 million were stolen from YouNow, a live-video streaming site.

1.8 million accounts were taken from Ge.tt and 57 million records from Houzz.

The hacker’s listings showed that the antiquated MD5 hashing algorithm was used to “scramble” passwords, which are therefore easy to “unscramble”.

The hacker themselves claimed to have user records from mainstream sites like MyFitnessPal and Animoto, putting the number of records at 151 million and 25 million respectively.

The databases, which make life easier for hackers, can now be bought for $20,000 in Bitcoin on the Dream Market cyber-souk in the Tor network.

The price is pretty hacker-pocket friendly. The major target audience for the deal seems to be spammers and credential stuffers.

These credentials could further be used to hack into other sites and wrest other user details.

The victimized websites have started alerting their users about the hazard and it would only be fit for the users to stay vigilant about it all.


Bank details of Bernard Matthews employees stolen

A suspected cyber-attack "potentially compromised" the bank account details of 200 workers at Bernard Matthews.

The turkey producer has made staff aware of the suspected hack.

The Norfolk-based company said it was alerted by its bank on 22 January, as first reported in the EDP.

A spokesman said: “After being first alerted by our bank, we reported the incident to the relevant authorities and put in place extra security measures, as well as offering additional security advice to those affected.” “We continue to monitor the situation but we are not aware colleagues have been affected any further,” he added.

The person or group behind the hack is unknown.

Bernard Matthews employs 3,000 people across East Anglia. The company is a major employer in Norfolk and Suffolk, including at its plant at Holton, near Halesworth, and its headquarters at Great Witchingham.
The business has been through a difficult time in recent years, coming close to collapse in 2013.

Last year, it was one of two interested parties bidding to take over Banham Poultry, in Attleborough, which was eventually sold to Chesterfield Poultry.

In 2016 the Boparan Private Office, owned by food tycoon and 2 Sisters Food Group entrepreneur Ranjit Boparan, known as the “Chicken King”, bought the firm in a pre-pack deal from Rutland Partners, saving 2,000 jobs after the firm posted pre-tax losses of £5.2m.

A Malware Program That Hobbled Newspapers Nationwide Makes a Comeback


Ryuk malware has made a comeback, this time hitting Tribune Publishing's newspaper operations. The malware program, a refined twist on a classic extortion scheme, is believed to have been used in an attack that has crippled newspapers across the nation.

The malware spreads automatically from one computer to another, encrypting essential documents along the way with an unbreakable code. When a user attempts to access the encrypted information, the malware displays a ransom note demanding a bitcoin deposit into an unidentified wallet in return for a key to decrypt the user's entire system; refusal will result in the documents remaining 'locked for good'.

The issue surfaced near midnight Thursday and spread quickly over the next day, when sports editors at the Union-Tribune attempted to transmit the completed pages to the printing office. This hindered the distribution of the Saturday editions of The Times and Union-Tribune papers in Florida, Chicago and Connecticut, as well as the West Coast editions of the Wall Street Journal and the New York Times.

Ryuk showed up on the radar of cybersecurity specialists in August, when the security researchers at MalwareHunterTeam noted five victims. An analysis by Check Point Research was published soon thereafter, estimating that it had already earned the attackers more than $640,000, and that much of its code matched that of a ransomware program called Hermes, which has been linked to the North Korean hacking group that was behind the famous WannaCry attack.

Ben Herzog, a security researcher with Check Point, says that Ryuk is different in that it is a relatively 'artisanal' malware, used to target specific organizations with little tolerance for disruption, such as hospitals and other healthcare facilities, ports and now, evidently, newspapers.

Their analysis so far has not determined whether Ryuk has a method for automatically spreading across a network, which Itay Cohen, another security researcher with Check Point, said may indicate “prior, manual work that was done by the attackers in order to take these networks as a hostage.”


BT and Europol sign agreement to share cybersecurity intelligence data


The European Union Agency for Law Enforcement Cooperation (Europol) and communications company BT have joined forces in an agreement to exchange threat intelligence data.

A Memorandum of Understanding (MoU) was signed by both parties at Europol’s headquarters in The Hague in the Netherlands. Along with creating a framework for sharing knowledge of cybersecurity threats and attacks, it will also facilitate the sharing of information on cybersecurity trends, measures, technical expertise, and industry practices to reinforce cybersecurity in Europe.

To this end, BT will work alongside Europol’s European Cybercrime Centre (EC3), helping to identify cyber threats and strengthen the law enforcement response to cyber crimes.

“The signing of this Memorandum of Understanding between Europol and BT will improve our capabilities and increase our effectiveness in preventing, prosecuting and disrupting cybercrime,” said Steve Wilson, Head of Business at EC3. “Working co-operation of this type between Europol and industry is the most effective way in which we can hope to secure cyberspace for European citizens and businesses. I am confident that the high level of expertise that BT bring will result in a significant benefit to our Europe wide investigations.”

Earlier in the year, BT became the first telecom provider to share information on malicious websites and software with other internet service providers (ISPs) via a free online portal, called the Malware Information Sharing Platform (MISP), to help them tackle cyber threats.

The company will now share that information with Europol to aid in cybercrime investigations.

“We at BT have long held the view that coordinated, cross border collaboration is key to stemming the global cyber-crime epidemic,” Kevin Brown, VP, BT Security Threat Intelligence, said. “We’re working with other law enforcement agencies in a similar vein to better share cybersecurity intelligence, expertise and best practice to help them expose and take action against the organised gangs of cybercriminals lurking in the dark corners of the web.”

BT currently has a team of more than 2,500 cybersecurity experts who have so far helped to identify and share information on more than 200,000 malicious domains.


Britain's National Cyber Security Centre Issues a Warning of a Global Campaign for the Possibility of Some Kind of Russian Activity


Britain's National Cyber Security Centre (NCSC) is on high alert for the possibility of some kind of Russian activity. More people and resources have been dedicated to monitoring and investigation.

The FBI and the US Department of Homeland Security issued a joint alert warning of a global campaign whose foremost targets are internet service providers, firms running critical infrastructure, government departments and large companies.

White House cyber security co-ordinator Rob Joyce, in a press conference about the alert, said that the US and its allies had "high confidence" that Russia was behind this "broad campaign".

He additionally said that a huge number of machines directing data around the net were being targeted, according to intelligence gathered by the US and UK.

Although it is possible that Russian intrusions might increase in the near future, it is too soon to be sure. So far, there has been relatively little sign of this in the US or UK, although Russia is accused of launching destructive attacks against Ukraine.

It is worth saying that Britain and the US will be carrying out much the same activities in Russia, pre-positioning in Russian networks to be able to respond.

What nobody is quite sure of is whether this creates a deterrent somewhat like mutually assured nuclear destruction in the Cold War.

Furthermore, Mr. Joyce said:
“Many different organisations had come under attack for months at a time in a bid to scoop up valuable intellectual property, business information or to get at their customers and when we see malicious cyber-activity, whether Kremlin or other nation state actors, we are going to push back.”

Ciaran Martin, head of the UK's NCSC, said that the issuing of the alert marked a "significant moment", as the two powers had never before given joint advice on how to deal with attacks.

The alert on the worldwide campaign contained detailed information about attack techniques, including the signs left when hardware has been compromised, and how networks change when they have been breached.

Mr Martin said GCHQ, NCSC's parent organisation, had tracked the threat posed by Russian cyber-gangs for over 20 years. Further intelligence about the attacks had been contributed by "multiple" cyber security organizations and companies, he added.

The guidance given to firms includes ways to configure their systems correctly and also explains how to apply patches to address hardware vulnerabilities.


Japan Cryptocurrency Exchange Coincheck starts refunds for $530m hack

The cryptocurrency exchange that lost about $534 million to a hack in January this year has now started reimbursing the affected customers who lost funds in the hack.

In its blog post, Coincheck said that it will refund users as per its original compensation plan at the rate of 88.549 JPY ($0.83) per NEM stolen and that to qualify for reparations, users must have held that amount of NEM on its platform at 23:59:59 JST on 26 January, 2018.

The total amount reimbursed will come to about $420 million.

After the hack, Coincheck had imposed restrictions on trading and withdrawal of some cryptocurrencies on the exchange. The company is now going to lift some of these restrictions to allow for withdrawals and sales, according to another blog post.

It also said that it is working on evaluating the risks associated with each currency and will “confirm the technical security of our systems regarding these currencies in order to resume normal operations.”

The exchange also plans to resume deposits and purchases of all currencies, and open for new registrations once security and management systems have been updated.

“Once again, we would like to apologize for the inconveniences that the illicit transfer of NEM from our platform and the resulting suspension in services has caused our customers and anyone else affected by this incident. Thank you for your patience,” the company said in its blog post.