
Google Tricked Millions of Chrome Users in the Name of 'Privacy'

 

Google revealed last month that it is rolling out the Federated Learning of Cohorts (FLoC) program, an important part of its ‘Privacy Sandbox Project’ for Chrome. The company advertised FLoC as Google Chrome's new, privacy-preserving alternative to the third-party cookie.

But the real question is whether Google can truly preserve the privacy of its users. The results of the FLoC trial do not suggest so. Millions of Chrome users had no say in their enrolment in the FLoC trial, received no individual notice, and currently have no option to opt out of it. The only way to leave the trial is to block all third-party cookies in the Google Chrome browser.

What is the FLoC program? 

FLoC is based on machine learning technology designed by Google and is meant to be an alternative to the kind of cookies that advertising technology firms use today to track you across the web. Instead of a personally identifiable cookie, FLoC runs locally and examines your browsing pattern to group you into a cohort of like-minded people with similar interests (without sharing your browsing history with Google). That cohort is specific enough to let advertisers show you relevant ads, but not so specific that marketers can identify you personally.

This "interest-based trial," as Google likes to call it, allows you to hide within a crowd of users with similar interests. All the browser exposes is a cohort ID; your browsing history and other data stay local. Google has also started testing FLoC with some Chrome users, which allows it to evaluate the new system in an origin trial.

Last month, Google's FLoC trial announcement gave Chrome users no way to opt out before the trial started. Instead, Google quietly began rolling out its FLoC technology to Chrome users in the US, Canada, Mexico, Australia, New Zealand, Brazil, India, Japan, Indonesia, and the Philippines.

"When other browsers started blocking third-party cookies by default, we were excited about the direction, but worried about the immediate impact. Excited because we need a more private web, and we know third-party cookies aren’t the long-term answer. Overall we felt that blocking third-party cookies outright without viable alternatives for the ecosystem was responsible and even harmful, to the open and free web we all enjoy,” Marshall Vale, Google’s product manager, stated.

Visa: Hackers Use Web Shells to Compromise Servers and Steal Credit Card Details

Visa, the global payment processor, has warned that hackers are increasingly deploying web shells on compromised servers to steal credit card information from online shoppers. Web shells are tools (scripts or programs) that attackers use to get into compromised servers, remotely execute arbitrary commands or code, move covertly within the victim's network, or deliver additional malicious payloads. Since last year, Visa has observed an increase in the use of web shells to deploy JavaScript-based credit-card-skimming files on breached online platforms, a practice known as digital skimming (also web skimming, e-skimming, or Magecart attacks).

If successful, the skimmers allow the hackers to exfiltrate payment information and personal data entered by customers of the breached platform and transfer it to servers under their control. According to Visa, "throughout 2020, Visa Payment Fraud Disruption (PFD) identified a trend whereby many e-skimming attacks used web shells to establish a command and control (C2) during the attacks. PFD confirmed at least 45 e-skimming attacks in 2020 using web shells, and security researchers similarly noted increasing web shell use across the wider information security threat landscape."

According to Visa PFD's findings, most Magecart hackers used web shells to plant backdoors on compromised online store servers and build command and control (C2) infrastructure that lets them steal credit card information. The hackers used various approaches to break into the shops' servers: exploiting vulnerabilities in insecure administrative infrastructure, in e-commerce apps and website plugins, and in unpatched or out-of-date e-commerce websites. These Visa findings were corroborated earlier this February, when the Microsoft Defender Advanced Threat Protection (ATP) team revealed that the number of web shells implanted on compromised servers has roughly doubled since last year.

"The company's security researchers discovered an average of 140,000 such malicious tools on hacked servers every month, between August 2020 and January 2021," reports Bleeping Computer. "In comparison, Microsoft said in a 2020 report that it detected an average of 77,000 web shells each month, based on data collected from roughly 46,000 distinct devices between July and December 2019," it further says.

Sophos Uncovered Connection Between Mount Locker and Astro Locker Team

 

Sophos published another report on a recently discovered association between the Mount Locker ransomware group and a new group called "Astro Locker Team." Sophos recently identified ransomware targeting an organization's unprotected machines that had all the hallmarks of Mount Locker ransomware. However, when they followed the link in the ransom note to the attacker's chat/support site, Sophos incident responders found themselves facing a near-unknown group calling itself "AstroLocker Team" or "Astro Locker Team." Astro Locker appears to be a new ransomware family, but appearances can be deceiving.

When comparing the Astro Locker leak site with the Mount Locker leak site, investigators noticed that all five of the organizations listed on the Astro Locker site were also listed as victims on the Mount Locker site. On closer inspection, the size of the leaked data for each of the five matched, and the sites shared some of the same links to the leaked data. Looking at the matching links more closely, Sophos researchers noticed one final connection: some of the leaked data linked from the Mount Locker site was being hosted on the Astro Locker onion site: http[:]//anewset****.onion.

“In recent incidents where Sophos experts investigated and neutralized an active Mount Locker attack, we noticed various techniques that suggest these attackers are not as sophisticated as other ransomware groups like Ryuk, REvil and DoppelPaymer,” said Peter Mackenzie, manager of Sophos’s Rapid Response team. “It is possible that the Mount Locker group wants to rebrand themselves to create a new and more professional image, or it could be an attempt to kickstart a true ransomware-as-a-service (RaaS) program. Regardless, if any organizations become a victim of Astro Locker in the future, they should investigate the TTPs of both Mount Locker and Astro Locker.” 

Mackenzie suggested that Mount Locker could be using the Astro name to give the impression that the group has a significant new affiliate for its RaaS program, or that it could be a genuine deal intended to speed up its transition into a RaaS operation.

“Branding is a powerful force for ransomware groups. Good branding can come from a single threat group being skilled at hitting high-value targets and avoiding detection — such as DoppelPaymer — or by running a successful RaaS network — like Sodinokibi or Egregor. Powerful branding with ransomware groups can strike fear in targets and lead to a higher likelihood of pay-outs,” he concluded.

Hackers Send Fake Census Form Alerts to UK Respondents

 


The United Kingdom, like every other country, runs a census every ten years. The census asks residents a number of questions regarding their address, age, name, nationality, employment, health, education, and language. (The census here is mandatory and participants are obliged to provide answers.)

The census takes place in years ending in 1, except in Scotland, where it has been postponed until 2022 because of the Covid-19 pandemic. Because of the pandemic, most respondents are filling in their forms online: the government sends each resident a unique 16-digit access code by post. The participant goes to the official government census website and enters the 16-digit login code, which saves the work of filling in the form by hand and posting it back. If the participant fails to complete the census form before 21-03-2021, the government sends a series of warning notifications, each with a unique 16-digit code, requesting the participant to fill in the form, with a fine of €1000 if they fail to do so.
 
Naked Security reports, "the criminals did make some grammatical mistakes in their forms that a native speaker of English might notice, and these would be another giveaway, along with the fake domain name, but the crooks have cloned the UK Office for National Statistics “look and feel” very believably."
 
Stay alert for forged forms

If you have not filled in the form yet but plan to do so soon, be wary of fake "census reminders" sent by the hackers. And if you have already filled in your form, be alert if you think some details need to be changed. The hackers are trying to take advantage of the online census by luring participants into phishing attacks and stealing their data.

The fake form may ask for your postcode instead of your unique 16-digit code (the hackers could have sent a fake 16-digit code, but chose not to); after that, the hackers ask similar questions to those on the genuine form. In the fake form's case, however, you end up handing your personal details to the hackers instead of to the Office for National Statistics.

How to stay safe?

1. Check the domain name before filling in the form on the official website.

2. Don't open links that you receive via SMS or e-mail.

3. Be alert to text messages you receive; read the message carefully before filling in the form.

Child Tweets Gibberish from US Nuclear Agency Account

 

An unintelligible tweet sent out from the official account of U.S. Strategic Command in charge of the nation’s nuclear arsenal last weekend had left many in shock. Some jokingly said the cryptic tweet, “;l;;gmlxzssaw,” was a US nuclear launch code and some even thought it was a message to political conspiracists.

Now US Strategic Command has revealed that it was the young child of the account's social media manager who accidentally tweeted from the official account; the tweet was deleted within minutes. Many people, including Mikael Thalen, a journalist with the Daily Dot, saw the tweet as a possible attack on the country's nuclear arsenal. He decided to file a Freedom of Information Act (FOIA) request to get answers.

“Filed a FOIA request with U.S. Strategic Command to see if I could learn anything about their gibberish tweet yesterday. Turns out their Twitter manager left his computer unattended, resulting in his ‘very young child’ commandeering the keyboard,” Thalen wrote on his Twitter account. 

“The command’s Twitter manager…momentarily left the command’s Twitter account open and unattended. His very young child took advantage of the situation and started playing with the keys and unfortunately, and unknowingly, posted the tweet. Absolutely nothing nefarious occurred, i.e., no hacking of our Twitter account. The post was discovered and notice to delete it occurred telephonically,” U.S. Strategic Command responded. 

According to a report published by Kaspersky security researchers, remote workers can be more vulnerable to outside attacks, as this incident showed. “Lockdown has been a stressful time for everyone…without additional support from young employers, young people and caregivers could continue to deviate further from pre-set and learned IT security rules, exposing their companies to further increased security risk,” Margaret Cunningham, principal researcher at Forcepoint, stated.

Hackers Tap Into Home Security Cameras, Record Sex Tapes To Sell Online

Chinese hackers are breaking into residents' home security cameras, recording them having sex, and selling the footage online. However shocking this crime may sound, it is fairly common nowadays, according to the South China Morning Post. It reports, "the videos are priced based on how exciting they are and are sold via social media, according to an undercover investigative report aired by the television station on Monday. Video clips involving nudity or sexual acts are priced at 50 yuan (US$8) each, while those “normal ones shot in hotel rooms” are 20 yuan (US$3), said an unidentified seller of these videos in the report."

These videos are in high demand on the online market. It is frightening that the sophisticated gadgets we use for our own security can be turned against us, and that the internet can leave us so exposed. The attackers hacked into home cameras to spy on hundreds of thousands of victims and record their intimate moments; the investigation also uncovered hidden cameras that the hackers had planted in hotel rooms. The recordings on sale are marketed as "home videos", and the hackers have also set up a multilevel marketing scheme in which buyers are encouraged to resell the videos.

Buyers were given the login credentials of the hacked security cameras so that they could tune in themselves. In an audio recording of one hacker's conversation with his VIP clients, he said he had dozens of people installing these cameras wherever they went. Even if a hotel finds the cameras, the hackers lose only around 100 yuan, which can be recouped by uploading a couple of videos online.

"Such videos are primitive,” the hacker said. “Many people like such kind of stuff nowadays, watching people’s privacy, what they’re doing at the moment… You know what, I have sold this video several hundred times," said the hacker, according to the South China Morning Post. In a similar incident, hackers broke into Amazon Ring cameras without the customers being aware of the breach.

Tala Research Shows that European Telecommunication Websites Expose Sensitive Customer Data

 

Tala assessed the websites of the leading mobile service providers in 7 EU countries and found that data exposure is a major unacknowledged concern. Tala Security's analysis of Europe's leading mobile providers' websites shows that critical information has been at risk of over-sharing and attack, with few appropriate security measures in place to prevent it. The study reveals that data exposure is a real concern for Europe's leading mobile companies and, by extension, for the more than 253 million customers who sign up and share personal information. The main issue is insecure website supply chains.

For many valid reasons, European telecommunications companies collect sensitive information as part of the digital sign-up procedure, including passport numbers, payslips, and bank account details. Tala's analysis shows that European telco sites not only lack adequate protection against third-party risk but also expose themselves to other serious risks through their numerous third-party JavaScript integrations. Without controls, any JavaScript code running on a website, whether from the site owner or from a supply chain vendor, can alter, capture, or leak information through JavaScript-based client-side attacks. The telecommunications companies in the group had an average of 162 JavaScript integrations each, which represents a very high risk of over-sharing and data visibility. Website owners who do not protect sensitive data as it is entered on their sites are effectively leaving it hanging; the only reason it has not been stolen is that criminals have not yet taken it.

“In many cases, data sharing or exposure takes place via trusted, legitimate applications on the allow list —often without the website owner's knowledge,” said Deepika Gajaria, VP of Products at Tala Security. 

Forms used to collect credentials, banking information, passport numbers, and similar data are exposed to an average of 19 third parties, which puts that data at considerable risk through form data exposure. No responsive website protection was in place on any of the sites. On a scale of 100, where 50 is average, the websites scored an average of only 4.5. All (100 percent) of the sites were exposed to cross-site scripting (XSS), the most widespread website attack and one that frequently leads to significant leakage of sensitive data.

“European Telco’s routinely collect sensitive data like passport scans, banking details, address, and employment information. When website owners fail to effectively secure data as it is entered into their websites, they’re effectively leaving it hanging, an accident waiting to happen,” said Gajaria.
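Added example, not Tala's tooling or code from the original post: a small Python audit that lists the third-party script origins loaded by a page and flags forms collecting sensitive fields, since every script loaded into a page can read what is typed into those forms. The host names and sample HTML are constructed, and the "same site" check is a two-label heuristic rather than a public-suffix lookup.

```python
"""Audit one HTML page for third-party script origins and sensitive-form exposure."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name fragments that suggest a form collects sensitive data (assumption).
SENSITIVE_FIELDS = {"password", "passport", "iban", "account", "card", "cvv", "ssn", "bank"}

# Constructed sample: a sign-up page loading first-party and third-party scripts.
PAGE_URL = "https://www.example-telco.test/signup"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-telco.test/lib.js"></script>
<script src="https://tagmanager.example-ads.test/tm.js"></script>
<script src="//analytics.example-metrics.test/a.js"></script>
<script>inlineBootstrap();</script>
</head><body>
<form action="/signup" method="post">
  <input name="fullname">
  <input name="passport_number">
  <input name="iban">
  <input type="password" name="pw">
</form>
<form action="/search"><input name="q"></form>
</body></html>
"""


def registrable(host):
    """Heuristic 'site' for a host: its last two labels (no public-suffix list)."""
    return ".".join((host or "").lower().split(".")[-2:])


class PageAuditor(HTMLParser):
    """Collect script hosts and the sensitive input names of every form."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.script_hosts = []
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            # Resolve relative and protocol-relative URLs against the page URL.
            self.script_hosts.append(urlparse(urljoin(self.page_url, a["src"])).hostname)
        elif tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""), "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            name = (a.get("name") or "").lower()
            kind = (a.get("type") or "text").lower()
            if kind == "password" or any(k in name for k in SENSITIVE_FIELDS):
                self._form["fields"].append(name or kind)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit(html, page_url):
    """Return third-party script hosts and the forms whose fields they could read."""
    parser = PageAuditor(page_url)
    parser.feed(html)
    site = registrable(urlparse(page_url).hostname)
    third_party = sorted({h for h in parser.script_hosts if h and registrable(h) != site})
    sensitive = [f for f in parser.forms if f["fields"]]
    for form in sensitive:
        # Any third-party script on the page can read these fields before submit.
        form["third_parties_with_access"] = len(third_party)
    return {
        "third_party_script_hosts": third_party,
        "sensitive_forms": sensitive,
        "exposed": bool(third_party) and bool(sensitive),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_HTML, PAGE_URL)
    print("third-party script hosts:", report["third_party_script_hosts"])
    for form in report["sensitive_forms"]:
        print(f"form {form['action']} collects {form['fields']} "
              f"readable by {form['third_parties_with_access']} third parties")
```

Run it against a saved copy of a sign-up page to see how many third-party origins can read the form; a Content-Security-Policy that whitelists only the expected script hosts is the usual mitigation.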

Hacker Hacks Underground Covid Vaccine Market On Dark Web

 

In a recent cybersecurity incident, an attacker hacked a vaccine marketplace running on the dark web. The attacker placed fake orders and then cancelled them, collecting refunds in Bitcoin worth $752,000, according to a report released on Thursday. As per a post on the market's forum, the attacker found a way to place fake orders, cancel them immediately using the trader's seller account, and issue refunds to external wallets, from which the funds were withdrawn instantly.

Check Point research says the method allowed the hacker to make 13 Bitcoins (BTC), an amount equal to $752,000. The dark web vaccine marketplace that was selling these products is currently down because of the hack. But the attack has not stopped the sale of Covid-19 related products on the dark web. Following the marketplace shutdown, another forum was set up at the same address, offering various listings including Covid-19 vaccines (with documents), and at heavy promotional discounts.

Cybersecurity experts recently found that fake Covid-19 vaccine certificates and forged Covid-19 test results were being sold on dark web and hacking platforms for as little as Rs 1800 ($25) and up to Rs 18,000 ($250), aimed at people looking to book flights, travel across borders, find a new job, or attend an event. An interested buyer can obtain these 'fake certificates' simply by sending their details and payment to the seller on the dark web; the seller then e-mails back the forged documents for $250.

Research from Check Point revealed that fake negative Covid-19 test results are available on the dark web for as little as $25. Covid-19 vaccine ads on the darknet have tripled over the last three months. The selling forums on the dark web are based in European countries such as Spain, Russia, France, and Germany. According to the experts, "The vaccines advertised include Oxford-AstraZeneca (at $500), Johnson & Johnson ($600), the Russian Sputnik vaccine ($600) and the Chinese SINOPHARM vaccine." Check Point research says, "as a result, the marketplace is down completely since, and at this point of time is yet to be restored online."

Russia has created a new data transmission device with protection against cyber threats

It is the first SD-WAN-class development that supports Russian encryption algorithms and is included in the Russian software registry.

Sberbank's press service reports that the technology can allow state institutions and companies of any industry to build a corporate network in minutes, provide a stable connection to regional branches and home offices and protect the data transmitted between them. A single device replaces multiple types of network equipment and includes automatic use of various information security features.

The development consists of two parts: the hardware, which is installed in the offices of the enterprise, and the cloud, where the hardware is managed. The solution can reduce the cost of deploying and maintaining the network by about 2.5 times, as well as reduce the cost of personnel, local installation and manual configuration of each device separately.

"In fact, we have created a universal platform for organizations that combines many network devices at once, including information security tools. BI.ZONE Secure SD-WAN requires no special skills, any employee can connect it to the company's network in a few minutes, and its cost is almost three times cheaper than traditional solutions. Thanks to the cryptographic protection the development is suitable for government agencies, banks and other organizations that work with confidential and personal data or payment information," said Director of Managed Services Unit at BI.ZONE.

The new development is included in the register of Russian software, so it is suitable for organizations that adhere to the import substitution policy. Also, for some organizations, the opportunity to work on a service model with outsourcing of network security management tasks will be an advantage.

Hackers use BazarCall Malware to Infect Victims

 

The latest method for infecting your PC is surprisingly old-fashioned: it uses a phone call. Researchers are documenting a new malware campaign that they have named "BazarCall." One of its primary malware "payloads" is the BazarLoader remote-access Trojan, which can give a hacker full control over your PC and be used to install more malware.

Like many other malware campaigns, BazarCall begins with a phishing email, but from there it switches to a novel distribution method: using phone call centers to distribute malicious Excel documents that install malware. Rather than attaching files to the email, BazarCall emails prompt recipients to call a telephone number to cancel a subscription before they are automatically charged. The call center then directs the caller to a specially crafted website to download a "cancellation form" that installs the BazarCall malware.

All BazarCall attacks begin with a phishing email, targeting corporate users, that states the recipient's free trial is about to run out. However, these emails give no details about the supposed subscription. The emails then prompt the user to call a listed telephone number to cancel the subscription before they are charged $69.99 to $89.99 for a renewal. While most of the emails seen by BleepingComputer have come from a fictitious company named "Medical reminder service, Inc.", the emails have also used other fake company names, for example 'iMed Service, Inc.', 'Blue Cart Service, Inc.', and 'iMers, Inc.'

All these emails use similar subjects, such as "Thank you for using your free trial" or "Your free trial period is almost over!" Security researcher ExecuteMalware has compiled a broader list of email subjects used in this attack. When a recipient calls the listed telephone number, they are placed on a short hold and then greeted by a live person. When asked for more information or how to cancel the subscription, the call center agent asks the caller for the unique customer ID included in the email.

Randy Pargman, Vice President of Threat Hunting and Counterintelligence at Binary Defense, told BleepingComputer that this unique customer ID is a core component of the attack and is used by the call center to determine whether the caller is a targeted victim.

Cyberextortion Threat Evolves as Clop Ransomware Attacks the Data Security of 6 U.S. Universities

 


Malicious actors are now using novel ways to extract universities' data, and are threatening to publish stolen data on dark websites unless the universities pay them large sums of money.
The latest update is that the Clop ransomware group claims to have obtained data from six top universities in the United States, including the institutions' financial documents and passport data belonging to their staff and students. According to the report, the group first posted the stolen data online on March 29.

The universities that were attacked are the University of Miami, Yeshiva University, the University of Maryland, Stanford University, the University of Colorado Boulder, and the University of California, Merced.

However, there is no official confirmation of this cyber-attack from any of the aforementioned universities, so it is unclear whether their cyberinfrastructure was breached or whether the hacker group demanded money in exchange for the data.

Additionally, a few days earlier, Michigan State University also confirmed a cyber attack by a group that was threatening to publish stolen data on dark websites unless a ransom was paid.

The data stolen by the Clop ransomware group include federal tax documents, passports, requests for tuition remission paperwork, tax summary documents, and applications for the Board of Nursing. 

This data breach affected several individuals and staff of the universities as the shared information also exposed sensitive credentials, such as names of individuals, date of birth, photos, home addresses, immigration status, passport numbers, and social security numbers. 

Not only this, but some news websites also confirmed that the leaked data included several more screenshots, including retirement documentation, 2019/2020 benefit adjustment requests, late enrollment benefit application forms for employees, and UCPath Blue Shield health savings plan enrollment requests, among much more.

It should be noted that such attacks are not unusual for the Clop ransomware group as the group is known for its assault against various organizations. Furthermore, Michigan State University’s officials stated in the regard that, “Payment to these criminals only allows these crimes to be perpetuated and further target other victims. The decision not to pay was in accordance with law enforcement guidance and reached with support from the university’s Board of Trustees and president”.

Here's A Quick Look Into Some Interesting Facts About Website Hacking

 

How many websites are hacked every day? How frequently do hackers attack? Are there any solutions to fix the vulnerabilities? Which are the most hacked websites? These are some basic questions that arise in the reader’s mind. So, in this article, you will get to know the latest statistics regarding website hacking.

Sadly, cyber-attacks are the harsh reality of today's world and have become so rampant that it is impossible to count them. It takes thorough research, manpower, time, equipment, and money to conduct a global study that reaches millions of people and organizations.

 Number of websites hacked in a year

You will be surprised to know that nearly 1.2 billion sites are running across the globe. The web is so large that it is impossible to keep watch over all of it. Google's Safe Browsing tries to alert users to malicious websites and currently shows nearly 3 million warnings per day. Of the 1.2 billion sites, between 1 and 2% show some Indicator of Compromise (IoC) pointing to a website attack.

According to a recent study, nearly 66% of organizations are not equipped to handle cyber-attacks, nor the financial or reputational damage of a security breach. Threat actors install malware on sites, and such websites get blocklisted by firms like Google every day.

Different methods of hacking the websites 

Threat actors generally use three methods to hack websites:

• Access control 

• Software vulnerabilities

• Third-party integrations

Access control refers to the processes of authentication and authorization: in simple terms, how you log in. Login does not only mean your website's login; it also covers the many interconnected logins tied together behind the scenes. Threat actors typically use brute force attacks, guessing likely username and password combinations, to log in as a user.

Software vulnerabilities are the most reliable method for hackers to breach security. Threat actors discover vulnerabilities in the website's application code, web development framework, and operating system, and exploit them to achieve Remote Code Execution (RCE) on the site.

Threat actors also hack websites through third-party integrations. They exploit vulnerabilities in third-party servers and use them as a doorway into your website. These can involve services that you use alongside your website and its hosting.

3 simple techniques to protect your website 

• Keep track of frequently exploited vulnerabilities and apply patches promptly. Every security patch makes it harder for hackers to target your website.

• Use a Web Application Firewall to limit the exploitation of software vulnerabilities. The firewall acts as a shield between incoming web traffic and your web application.

• Take the guidance of certified security professionals who conduct regular security audits.

Fleeceware apps earned over $400 million on Android and iOS

 

Researchers at Avast have found a total of 204 fleeceware applications with over a billion downloads and more than $400 million in revenue on the Apple App Store and Google Play Store. The purpose of these applications is to lure users into a free trial to "test" the application, after which they overcharge them through subscriptions that sometimes run as high as $3,432 per year. These applications have no unique functionality and are only conduits for fleeceware scams. Avast has reported the fleeceware applications to both Apple and Google for review.

Fleeceware is a recently coined term that refers to a mobile application that comes with excessive subscription fees. Most such applications include a short free trial to attract the user. The application exploits users who are unfamiliar with how subscriptions work on mobile phones, meaning that users can be charged even after they have deleted the offending application.

The fleeceware applications found consist predominantly of musical instrument apps, palm readers, image editors, camera filters, fortune tellers, QR code and PDF readers, and ‘slime simulators’. While the applications mostly fulfil their stated purpose, it is unlikely that a user would knowingly want to pay such a significant recurring fee for them, particularly when cheaper or even free options are available.

It appears that part of the fleeceware strategy is to target younger audiences through playful themes and catchy ads on popular social networks, with promises of ‘free installation’ or ‘free to download’. The figures are alarming: with almost a billion downloads and hundreds of millions of dollars in revenue, this model is attracting more developers, and there is evidence that some popular existing applications have been updated to include a free trial subscription with high recurring fees.

Even if a user deletes the application after noticing the outgoing payments, this does not mean their subscription stops, which allows the developer to cash in further. Google and Apple are not responsible for refunds after a certain time frame, and while the companies may choose to refund as a goodwill gesture in some cases, they are not obliged to do so. The only remaining options may be to try to contact the developer directly or to request a bank chargeback.

Russia's Central Bank has warned of hackers targeting banks' mobile apps

The Central Bank of Russia has warned of the emergence of a group of hackers investigating vulnerabilities in banks' mobile applications.

The Bank of Russia has detected a shift in hackers' attention from the banking infrastructure to customers' financial mobile applications in order to steal data or money from their accounts. The regulator suggests that a highly skilled hacker group has emerged in the financial market specializing in the deep analysis of mobile applications in order to detect and exploit weaknesses and vulnerabilities.

The survey is based on information exchange between the Central Bank and financial market participants. 818 organizations, including 365 banks, currently take part in it.

"The data available to the Bank of Russia suggests the emergence of at least one group of attackers focused on the skilled hacking of financial mobile applications," the survey said.

The Central Bank cited two examples in which cybercriminals discovered vulnerabilities in mobile apps and used them for hacking. In the first case, the contents of a server holding files with the personal data of a bank's customers - more than 100,000 records - were published on the Web: name, gender, mobile phone number, email address, place of work, account and bank card number, account type, and currency. In the second case, the hackers managed to steal money by logging into the bank's mobile app and, when making a transfer, replacing their own account number with that of another bank customer, who became the victim.

"These two examples are not the only cases of attacks on mobile applications of financial institutions that have occurred recently," the review states. In this regard, the Central Bank has recommended that banks strengthen the protection of the mobile components of their remote service systems.
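The second case above is the classic pattern of a transfer endpoint that authenticates the caller but then trusts the account number the client sends. The following is an added illustration of the server-side check that prevents it; it is not code from the Bank of Russia review or from any bank's app. The account numbers, balances, and the session table are constructed sample data, and the function and field names are assumptions.

```python
"""Server-side ownership check on a funds transfer (added illustration).

Constructed data: two customers with one account each, and a session
table mapping a bearer token to the authenticated user id.
"""
from dataclasses import dataclass


@dataclass
class Account:
    number: str
    owner: str      # user id of the account holder
    balance: int    # minor currency units, constructed values


ALICE = "40817000000000000001"   # constructed account numbers
BOB = "40817000000000000002"
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}   # constructed sessions


class TransferError(Exception):
    pass


def make_accounts():
    """Fresh copy of the constructed ledger so each run starts clean."""
    return {
        ALICE: Account(ALICE, "alice", 100_000),
        BOB: Account(BOB, "bob", 500_000),
    }


def transfer_vulnerable(accounts, session_token, from_acct, to_acct, amount):
    """Before: the caller is authenticated, but the client-supplied source
    account is trusted, so any logged-in user can debit any account number
    they happen to know. Returns the source account's new balance."""
    if session_token not in SESSIONS:
        raise TransferError("not authenticated")
    src, dst = accounts[from_acct], accounts[to_acct]
    if src.balance < amount:
        raise TransferError("insufficient funds")
    src.balance -= amount
    dst.balance += amount
    return src.balance


def transfer_hardened(accounts, session_token, from_acct, to_acct, amount):
    """After: the source account must belong to the user bound to the session.
    Ownership is decided from server-side state, never from request fields."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise TransferError("not authenticated")
    src, dst = accounts.get(from_acct), accounts.get(to_acct)
    if src is None or dst is None:
        raise TransferError("unknown account")
    if src.owner != user:
        # A mismatch here is parameter tampering, not a user typo: log it
        # as a security event and reject without touching balances.
        raise TransferError("source account not owned by caller")
    if amount <= 0 or src.balance < amount:
        raise TransferError("invalid amount")
    src.balance -= amount
    dst.balance += amount
    return src.balance


def try_transfer(fn, accounts, session_token, from_acct, to_acct, amount):
    """Run a transfer function and report ('ok', balance) or ('error', msg)."""
    try:
        return ("ok", fn(accounts, session_token, from_acct, to_acct, amount))
    except TransferError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    # Bob, logged in with his own token, submits Alice's account as the source.
    print(try_transfer(transfer_vulnerable, make_accounts(), "tok-bob", ALICE, BOB, 10_000))
    print(try_transfer(transfer_hardened, make_accounts(), "tok-bob", ALICE, BOB, 10_000))
```

The check belongs on the server: a mobile client can be modified or its traffic replayed, so any field it sends, including "its own" account number, is attacker-controlled input. The same ownership rule should be applied to every identifier in the request (source account, card, beneficiary list entry), not only the one that happened to be exploited.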


PRODAFT Accessed Servers of a SolarWinds Hacker


A Swiss cybersecurity firm says it has accessed servers used by a hacking group linked to the SolarWinds breach, uncovering details of who the attackers targeted and how they ran their operation. The firm, PRODAFT, also said the hackers have continued their campaign as the month progressed.
PRODAFT (Proactive Defense Against Future Threats) is a cybersecurity and cyber intelligence company providing solutions to business clients and government institutions.

PRODAFT researchers said they were able to break into the hackers' infrastructure and audit evidence of a large campaign between August and March that targeted a great many organizations and government bodies across Europe and the U.S. The aim of the hacking group, named SilverFish by the researchers, was to spy on victims and steal information, according to PRODAFT's report. SilverFish carried out an “extremely sophisticated” cyber-attack on at least 4,720 targets, including government organizations, global IT providers, many banks in the U.S. and EU, major auditing firms, one of the world's leading Covid-19 test kit makers, and aviation and defense companies, the report says.

SilverFish focuses on network reconnaissance and data exfiltration and uses a range of software and scripts for both initial and post-exploitation activity. These include readily available tools such as Empire, Cobalt Strike, and Mimikatz, as well as custom rootkits, PowerShell, BAT, and HTA files. PRODAFT says that SilverFish operators tend to follow specific patterns of behaviour when enumerating domains, including running commands to list domain controllers and trusted domains, as well as displaying stored credentials and admin user accounts.

Scripts are then deployed for post-exploitation reconnaissance and data theft. Compromised legitimate domains are sometimes used to reroute traffic to the C2. "The SilverFish group has designed an unprecedented malware detection sandbox formed by actual enterprise victims which enables the adversaries to test their malicious payloads on victim servers with different enterprise AV and EDR solutions, further expanding the high success rate of the SilverFish group attacks," the company says.

"SilverFish are still using relevant machines for lateral movement stages of their campaigns," the company added. "Unfortunately, despite being large critical infrastructure, most of their targets are unaware of the SilverFish group's presence on their networks."
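The enumeration pattern PRODAFT describes (listing domain controllers and trusted domains, dumping stored credentials, listing admin accounts) is something a defender can look for in process-creation telemetry, because an ordinary user rarely runs several of these discovery commands within a few minutes. The following is an added example of that detection logic, not PRODAFT's tooling or code. The log lines are constructed in a simplified "timestamp host user command" form (the field layout is an assumption), and the command patterns are the common built-in Windows discovery commands for each category.

```python
"""Flag hosts where several distinct AD discovery categories cluster in time.

Added example; the LOG text below is constructed sample telemetry in a
simplified Sysmon-like "timestamp host user command" layout (assumed).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per discovery category named in the report. Matching on the
# command line (not the image path) catches renamed or copied binaries.
DISCOVERY_PATTERNS = {
    "domain_controllers": re.compile(r"nltest(\.exe)?\s+/dclist", re.I),
    "trusted_domains":    re.compile(r"nltest(\.exe)?\s+/domain_trusts", re.I),
    "stored_credentials": re.compile(r"cmdkey(\.exe)?\s+/list", re.I),
    "admin_accounts":     re.compile(
        r'net1?(\.exe)?\s+(local)?group\s+"?(domain admins|administrators)', re.I),
}

# Constructed sample log: one workstation runs the full discovery sequence
# inside two minutes; an admin workstation runs a single, benign-looking one.
LOG = """\
2021-03-02T09:14:05Z WS-1042 corp\\jsmith  C:\\Windows\\System32\\nltest.exe /dclist:corp.example
2021-03-02T09:14:21Z WS-1042 corp\\jsmith  nltest /domain_trusts /all_trusts
2021-03-02T09:15:02Z WS-1042 corp\\jsmith  cmdkey /list
2021-03-02T09:15:40Z WS-1042 corp\\jsmith  net group "Domain Admins" /domain
2021-03-02T11:00:13Z WS-0007 corp\\itadmin net localgroup administrators
2021-03-02T13:30:00Z WS-0007 corp\\itadmin ipconfig /all
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, host, user, command)."""
    ts, host, user, cmd = line.split(maxsplit=3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, cmd


def classify(cmd):
    """Return the set of discovery categories a command line matches."""
    return {name for name, pat in DISCOVERY_PATTERNS.items() if pat.search(cmd)}


def find_discovery_clusters(log_text, window=timedelta(minutes=10), min_categories=3):
    """Return {host: sorted categories} for every host on which at least
    `min_categories` distinct discovery categories occurred within `window`.
    Thresholding on distinct categories, not raw command count, keeps a
    single repeated admin command from firing the rule."""
    events = defaultdict(list)          # host -> [(timestamp, category)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _user, cmd = parse_line(line)
        for cat in classify(cmd):
            events[host].append((ts, cat))

    hits = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            cats = {c for t, c in evs[i:] if t - start <= window}
            if len(cats) >= min_categories:
                hits[host] = sorted(cats)
                break
    return hits


if __name__ == "__main__":
    for host, cats in find_discovery_clusters(LOG).items():
        print(f"{host}: discovery cluster {cats}")
```

In production the same rule would run over Sysmon Event ID 1 or Windows 4688 events with command-line auditing enabled; the window and category threshold are tuning knobs, and known administrative jump hosts are the usual allow-list exception.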

Scammers Disguised as Tesco are Stealing Data Via Phone Scam, Warns Police


Wales Police have warned residents of a new phone fraud in which criminals try to trick customers out of hundreds of pounds. The scam exploits the ongoing COVID-19 lockdown restrictions, a time when online shopping and click-and-collect services have increased enormously. Several people have reported a telephone scam to Dyfed Powys Police, stating that the fraudsters claimed to be from Tesco. Victims reported an automated call informing them that an order had been placed with Tesco and that £350 had been debited. The automated message goes on to say, “if this is not the right amount, please press 1 to go through to our fraud team.”

Once the frightened victims press ‘1’, they are put through to a scammer who tries to extract as much personal information from them as possible, including bank details. The police also cautioned that the scammers appear extremely sophisticated and convincing. They therefore advised: “If you receive a call like this, it’s best to hang up and either check your Tesco online account yourself or call Tesco directly from a number you have obtained.”

All in all, the shift to online services over the past year, together with the health and economic strains, has led fraudsters to escalate their scams. Barclays' data suggests that impersonation is the most common form of scam (29 percent).

Commenting on the story, Ray Walsh, ProPrivacy's digital privacy specialist, said: “These scams rely on clever scripts to convince people that they are being defrauded, so that worried victims hand over sensitive personal data, including their bank details.”

According to the reports, the fraudsters may even try to persuade the victim to install remote-access software on their PC, supposedly to remove the malware that allowed the fake fraud to happen. Anyone who does so gives the criminals direct access to their PC, where they can install software that steals the victim's data. Users who receive such a call should either check their own Tesco online account or call Tesco directly from a number they have obtained themselves.

Experts stated: “We remind everyone never to provide their personal information or payment details to anybody who calls them out of the blue, even if they claim to be from a huge brand like Tesco. If you have an order placed with Tesco and you receive a call like this which concerns you, hang up and make an inquiry with Tesco directly to check on the status of your delivery.”

Insider Trading Threats on Dark Web


Insider trading can be conducted more effectively now than ever before, due in large part to the continuing proliferation of encrypted and anonymous messaging services, and to the dark web and underground networks that allow threat actors to find co-conspirators and communicate with them. Historically, few dark web forums catered to the trafficking of non-public corporate data; now, newer technology allows these activities to be conducted with far greater operational security.

Financially motivated threat actors or disgruntled employees can now trade data away from the prying eyes of law enforcement and security researchers, allowing only vetted individuals to access the sensitive information supplied by insiders.

Moreover, the clearnet hosts many market-trading enthusiast groups on platforms such as Reddit and Discord. These groups range in size from thousands to millions of users. Insikt Group found "stock signals" services that give paying users tips on which trades to make based on the recommendations of “analysts”. Given that the origin of the information is unclear, the unregulated nature of these services and their use of anonymous messaging services is concerning.

One of the historically significant sites was The Stock Insiders, a Tor-based site active from April 2016 until August 2018. As the name suggests, the site was created to build a community of users with insider access at publicly traded companies who would share it with other users to inform the stock trades of the larger group. The site has long been inactive, the administrator does not respond to private messages, and there have been no updates to the main page since early 2018. The reason operations stopped has not been explained, but it does not appear to be the result of a law enforcement takedown, since the website is still technically up.

While the site is no longer active, it still gives an instructive view of how its operations were run. The Stock Insiders has a few visible posts instructing users how to register an account and listing the requirements for full membership.

U.S. authorities found no evidence of Russian hackers' influence on the presidential election

U.S. authorities found no evidence that hackers affiliated with foreign governments were able to block voters from voting, alter votes, interfere with the counting or timely transmission of election results, alter technical aspects of the voting process, or otherwise compromise the integrity of voter registration or ballot information submitted during the 2020 federal election.

This is reported in a joint report by the US Department of Justice (including the FBI) and the Department of Homeland Security (including the Cybersecurity and Infrastructure Security Agency).

According to the report, "as part of Russia's and Iran's extensive campaigns against critical infrastructure, the security of several networks to manage some election functions was indeed compromised. But it had no meaningful impact on the integrity of voter data, the ability to vote, the counting of votes, or the timely transmission of election results. Iran's claims to undermine public confidence in the U.S. election infrastructure were false or exaggerated".

However, experts have identified several incidents in which malicious actors linked to the governments of Russia, China and Iran significantly affected the security of networks linked to U.S. political organizations, candidates and campaigns during the 2020 federal election. In most cases, it is unclear whether the attackers sought access to the networks for foreign political interests or for operations related to election interference.

In a number of cases, the attackers collected at least some information that they might have published in order to exert influence. However, no evidence of publishing, modifying or destroying this information was found.

"We found no evidence (either through intelligence gathering on the foreign attackers themselves, through monitoring the physical security and cybersecurity of voting systems across the country, or through post-election audits or any other means) that a foreign government or other parties compromised the election infrastructure to manipulate the election results," the report authors summarized.

Microsoft Cloud Users Hit by Global Outage


Microsoft has identified a recent change to an authentication system as a potential cause of an outage that hit users of its cloud-based portfolio of productivity and back-office apps across the world. User reports of technical problems with the software giant’s Microsoft 365 online productivity suite first began appearing around 7 pm on Monday 15 March 2021, according to Downdetector's outage tracking data.

Microsoft updated its service health status page soon after and confirmed that users might be experiencing issues when trying to access the company's key online collaboration, communication, and productivity tools. The company went on to confirm that any service that depends on its cloud-based identity and access management service Azure Active Directory (AAD) might be affected. These include the component services that make up Microsoft 365, such as Outlook, Word, Excel, and PowerPoint; however, access to the company's wider portfolio of cloud services was also affected by the issues.

As confirmed on the Microsoft status page, users of its public cloud platform Azure, its business intelligence software Dynamics 365, and the Microsoft Managed Desktop service are also known to have experienced access issues. The company also published a series of updates for users during the incident via its social media channels.

These included confirmation that a recent update to an authentication system had been identified as causing issues that could be affecting users around the world. Subsequently, around 9.17 pm on 15 March, the company confirmed it was rolling out a “mitigation worldwide” to address the issue, with full "remediation" expected within 60 minutes of its deployment.

“Service health has improved across multiple Microsoft 365 services,” said a post on the Microsoft 365 Twitter account. “However, we are taking steps to resolve some isolated residual impact for services that are still experiencing impact.” On 16 March the company published a further update on Twitter saying that the incident appeared to have been largely resolved. “Our monitoring indicates that the majority of the services have fully recovered,” it said. “However, we’re addressing a subset of services that are still experiencing some residual impact and delays in recovery.”

'Black Shadow' Infiltrates Israeli Finance Firm, Demands $570,000 in Ransom


The private information of thousands of Israelis was compromised on Saturday following a cyberattack on the database of a major Israeli financial services firm. The hacking group ‘Black Shadow’ announced on Saturday that it had managed to access the servers of the Israeli financial services firm KLS Capital.

“We are here to inform you a (sic) cyber-attack against K.L.S CAPITAL LTD which is in Israel. Their servers are down and we have all their clients’ information. We want to leak some part of their data gradually. Part of our negotiation will be published later,” the group wrote on the Telegram app.

The hackers demanded 10 bitcoins ($60,000) in ransom from the Israeli investment firm, but it refused to negotiate. As a result, the hacking group leaked the stolen data on its Telegram channel. Black Shadow is the same group that carried out a major cyberattack against the Shirbit insurance company in December.

A few hours before making the announcement, the hacking group deliberately published blurred images of the identification cards of two people who work with the firm. A few minutes after the announcement, it published a few more documents and has since published dozens more, including identity cards, letters, invoices, images, scanned checks, database information, and much else, including the private information of the firm's CEO.

Last December, a prominent cybersecurity firm reached out to KLS Capital and alerted it to a potential breach, flagging a vulnerability associated with its use of a VPN. The firm said there was a simple ‘patch’ that could fix it; however, it appears that no action was taken at the time.

In response, KLS Capital stated: “The Israeli cyber authority reached out to us three days ago to warn us against a looming cyber attack against us. This attack is very similar to other attacks Iran and its proxies have conducted against Israeli targets – including private and public bodies. Our management acted immediately to take down our servers and join forces with the national cyber directorate – which together with our experts are examining the event.”

In recent months, threat actors have targeted several Israeli organizations, including the Shirbit insurance company, the Amitial software company, Ben-Gurion University of the Negev, and Israel Aerospace Industries.