Search This Blog
Load More
Trendy Right Now

Popular Posts

Banner
Showing posts with label Cyber Security. Show all posts
pNetwork
Binance Smart Chain Bitcoin Cyber Security DeFi Hack pNetwork

pNetwork Suffered Loss In Bitcoins Worth $12 Million

 

While Hackers allegedly violated the protocol and seized $12.7 million in Bitcoin, pNetwork thus became the newest victim of the DeFi hack. Whilst suffering a loss of $12 million in bitcoins, the company claims it will reward the hacker with a bug bounty of $1.5 million if the funds are recovered. 

On the 19th of September 2021, at 5:20 pm UTC, a hacker conducted a multi pTokens attack on the pNetwork system. The pBTC-on-BSC cross-chain bridge, used by the bridge and 277BTC taken from the pBTC-on-BSC collateral, was the one successful. However, the suspicious activity was detected and the technical team intervened.

In the most recent security incident involving a decentralized funding system, the cross-chain project pNetwork stated on Sunday that the organization has indeed been hacked and has suffered losses worth 277 pBTC, a kind of packaged bitcoin, with a loss of more than $12 million. 

In a series of tweets announcing the incident, pNetwork said, "We're sorry to inform the community that an attacker was able to leverage a bug in our codebase and attack pBTC on BSC, stealing 277 BTC (most of its collateral). The other bridges were not affected. All other funds in the pNetwork are safe." 

"The bridges will run with extra security measures in place for the first few days," pNetwork said in a follow-up post. "This means slower transactions processing in exchange for higher security." 

For transactions that function on smart contracts on the Platform, the pBTK tokens are an equivalent value of bitcoin. pNetwork allows many blockchains, which include Binance Smart Chain, Ethereum, Eos, Polygones, Telos, xDAI, and Ultra. 

The company then corrected the error, suggested a remedy, and expected "everybody to review it. pNetwork has confirmed that all other network bridges have not been impacted and also that the leftover funds are protected. furthermore, the broken bridges will soon be back in service. The company also had a message to the "black hat hacker" with a "clean" 1 million dollars bounty if all money were returned. 

Although pNetwork recognizes that possibility of such an instance is little, this is no precedence. As previously reported, Poly Network likewise utilized other digital assets for almost $600 million. But Mr. White Hat finally refunded the cash and even dismissed the provided bond, since the project named the culprit. 

The company stated that “We are adding additional security measures on the bridges as we reactivate them (more on this in the risk management section). Currently, we are also doing some extra checks on the transactions before they are broadcasted — this is not necessary, but something we are temporarily doing to be on the safe side and extra cautious.” 

It should be noted that the network's indigenous cryptocurrency – PNT – has dropped by 20% within 24-hour and is presently below $1.
Read more »
United States
Cyber Security FTC Health Devices HIPAA Sensitive data United States

FTC: Health App and Device Makers Should Comply With Health Breach Notification Rule

 

The Federal Trade Commission on 15th September authorized a policy statement reminding makers of health applications and linked devices that gather health-related data to follow a ten-year-old data breach notification rule. The regulation is part of the agency's push toward more robust technology enforcement under Chair Lina Khan, who hinted that more scrutiny of data-based ecosystems related to such apps and devices could be on the way. 

In written remarks, Chair Lina Khan stated, "The Commission will enforce this Rule with vigour." According to the FTC, the law applies to a range of vendors, as well as their third-party service providers, who are not covered by the HIPAA breach notification rule but are held liable when clients' sensitive health data is breached. 

After being charged with studying and establishing strategies to protect health information as part of the American Recovery and Reinvestment Act in 2009, the FTC created the Health Breach Notification Rule. 

The rule requires suppliers of personal health records and PHR-related companies to notify U.S. consumers and the FTC when unsecured identifiable health information is breached, or risk civil penalties, according to the FTC. "In practical terms, this means that entities covered by the Rule who have experienced breaches cannot conceal this fact from those who have entrusted them with sensitive health information," the FTC says. 

Since the rule's inception, there has been a proliferation of apps for tracking anything from fertility and menstruation to mental health, as well as linked gadgets that collect health-related data, such as fitness trackers. 

The FTC's warning comes after the agency and fertility mobile app maker Flo Health reached an agreement in June over data-sharing privacy concerns. According to the FTC, the start-up company misled millions of women about how it shared their sensitive health data with third-party analytics firms like Facebook and Google, in violation of the FTC Act. 

According to privacy attorney Kirk Nahra of the law firm WilmerHale, the FTC's actions on the Health Breach Notification Rule "are an interesting endeavour to widen how that rule has been understood since it was implemented."

"It is focusing attention on a much larger group of health-related companies, and changing how the FTC has looked at that rule and how the industry has perceived it. I expect meaningful challenges to this 'clarification' if it is put into play," he notes. 

Failure to comply might result in "monetary penalties of up to $43,792 per violation per day," according to the new policy statement.
Read more »
Linux Kernel
Cyber Security Google JavaScript Linux Kernel

$100 Million Pledged by Google to Groups that Manage Open-Source Projects

 

Google recently announced a $100 million donation to organizations that manage open-source security priorities and assist with vulnerability fixes, and it has now revealed eight of the projects it will fund. The Linux Foundation recently stated that it will directly support persons working on open-source project security. Google, Microsoft, the Open Source Security Foundation, and the Linux Foundation Public Health Foundation have all endorsed it. When problems are discovered, the Linux Foundation coordinates fixes. 

The foundation and its colleagues will use the Open Source Technology Improvement Fund's (OSTIF) security assessments to hunt for previously discovered problems. Two Linux kernel security audits are among these initiatives. 

The Open Source Technology Improvement Fund is a non-profit corporation committed to improving the security of open-source software. OSTIF makes it simple for projects to dramatically improve security by enabling security audits and reviews. 

"Google's support will allow OSTIF to launch the Managed Audit Program (MAP), which will expand in-depth security reviews to critical projects vital to the open-source ecosystem," said Kaylin Trychon, a security comms manager on the Google Open Source Security team.

OSTIF selected 25 essential projects for MAP, which were then prioritized to determine the eight that will get Google funding. Trychon explains that the eight chosen projects, which include libraries, frameworks, and applications, were chosen because enhancing their security will have the most influence on the open-source ecosystem. 

Along with five other Java-related projects, these eight projects include Git, a prominent version control software, Lodash, a JavaScript utility library, and Laravel, a PHP web application framework. Git, the "de facto" version control software established by Linux kernel founder Linus Torvalds and which forms the backbone of platforms like GitHub and GitLab, is perhaps the largest of the eight audit projects Google is sponsoring. 

Well-known systems and tools used by developers, such as the Drupal and Joomla web content management systems, webpack, reprepro, cephs, Facebook-maintained React Native, salt, Gatsby, Google-maintained Angular, Red Hat's Ansible, and Google's Guava Java framework, are among the projects with funding pending support. 

Google made a $10 billion commitment to boosting zero-trust programmes, securing software supply chains, and enhancing open-source security following a meeting between US President Joe Biden and leading US tech corporations last month.
Read more »
User Security
Cyber Security IT Support-Themed Email Phishing Campaign User Security

Scammers Use 'IT Support-Themed Email' to Target Organizations

 

Cybersecurity researchers at Cofense Phishing Defense Center (PDC) have unearthed a new phishing campaign that uses 'information technology (IT) support-themed email' to lure users to update their passwords. 

The email appears legitimate because it’s a common practice within organizations to send security updates to their employees on a weekly or monthly basis. IT team deploys a reset password communication mail to strengthen the employee’s email security. Therefore, it’s a smart move by the attackers to target organizations via phishing email. 

Researchers first suspected the email because the domain was only a few months old. However, the domain address “realfruitpowernepal[.]com” was identical to an organization’s internal IT department, yet a further examination of the domain led to a free web design platform. The second red flag was the opening of the email that doesn’t contain phrases such as “Good Morning” or “Dear…”, possibly suggesting the mass-email attack.

When the user proceeds further by clicking on the “Continue” button, a Mimecast link appears, along with the now censored user email address toward the end of the URL. The users might not feel anything dubious because scammers have used the correct spelling and name, which directs users to a Mimecast web security portal that gives them two options: block the malicious link or ignore it. 

Choosing either option directs the user to the same phishing landing page that displays the session as expired. The motive of the scammers was to make the phishing landing page appear identical to the legitimate Mimecast site. However, during the investigation, it was discovered that the URL provided does not match the authentic Mimecast URL and the footer detail was missing, researchers explained.

Scammers have employed very powerful social engineering to trick the users. The phishing page is designed in such a way that the user providing true login credentials or a random string of credentials, would still be redirected to the page displaying a successful login message.

How to safeguard against phishing emails?


• Installing security software is the first line of defense against phishing attacks. Antivirus programs, spam filters, and firewall programs are quite effective against phishing attacks. 
• Monitor: use phishing simulation tools to evaluate employee knowledge regarding phishing attacks. 
• Organizations should incorporate cyber security awareness campaigns, training, support, education, and project management as a part of their corporate culture. 
• Businesses should deploy multi-factor authentication to prevent hackers from gaining access to their systems.
Read more »
Russian Hackers
Cyber Security Hackers News REvil Russian Cyber Security Russian Hackers

Russian hacker confirmed the resurrection of the most famous Russian hacker group REvil

 A Russian hacker who collaborated with the well-known REvil group confirmed that cybercriminals returned to active work after a two-month break. He named political reasons the main reason for the temporary suspension of their activities. This refutes the claims of REvil members themselves, who explained this with precautions after the disappearance of one of the community members.

An anonymous cybercriminal said that the group initially planned only to suspend its activities, but not to end it completely. According to him, this step was due to the difficult geopolitical situation.

"They told key business partners and malware developers that there was no cause for concern and that cooperation would not be suspended for long," the hacker said.  Answering the question about the influence of the Russian leadership on the decision of the most famous group of the country to hide for a while, the Russian hacker noted that such an option is hardly possible. According to him, there is no evidence to suggest any connection between REvil and the government or intelligence services of Russia or other countries. Moreover, no one discusses such a topic on a serious level on the darknet.

"It is not surprising that the hacker group responsible for high—profile attacks on American infrastructure took precautions after the conversation between the US and Russian presidents," the anonymous hacker stressed. "Geopolitical factors are always taken into account in a business of this level, although this is the first time I have encountered a situation where a group has been forced to curtail its activities relatively unexpectedly".

REvil's return was announced last week when the group's site on the darknet became active again after two months of downtime. Shortly after that, community members stated in messages on one of the Russian forums that the temporary suspension was dictated by precautionary measures. They were allegedly caused by the disappearance of one of the REvil members: "We backed up and disabled all the servers. We thought he had been arrested. We waited — he didn't show up, and we restored everything from backups."

Read more »
Russian Cyber Security
Cyber Security Russia Russian Cyber Security

Only one-in-ten Russian organizations are aware of the danger of vulnerabilities in web applications

In 2020, attacks on the web accounted for one-third of all information security incidents. However, only 10% of Russian organizations believe that web applications are a priority element of the infrastructure for scanning for vulnerabilities.

Rostelecom-Solar surveyed April-June 2021 200 organizations of various sizes and profiles (public sector, finance, industry, IT, etc.) were interviewed. According to it, only 7% of organizations realize the importance of scanning an isolated segment of the IT infrastructure. For example, these are industrial networks or closed state data exchange systems. 29% of respondents consider it important to scan the external perimeter. Meanwhile, 45% of respondents named the organization's local network as the key element for analyzing vulnerabilities. And only one-tenth of respondents consider it important to scan all elements of the infrastructure.

In general, according to the survey, 70% of organizations have vulnerability control. However, most of them do not scan regularly: more than 60% of companies scan the infrastructure once a quarter or less.

Experts note that almost all organizations either conduct scanning automatically (41% of respondents answered this way) or by means of a single dedicated information security specialist (39%). This is not enough to quickly process the data obtained from the scanner and formulate up-to-date recommendations for closing the vulnerabilities found.

According to experts, if the company does not have a vulnerability management process and there are no resources for processing the received data, so-called shadow IT appears in the infrastructure. These are unrecorded and therefore unprotected areas of the IT landscape that can be exploited by hackers to carry out an attack.

Read more »
Windows
Beacon Cobalt Strike Cyber Security Linux Windows

Linux Implementation of Cobalt Strike Beacon Employed by Hackers in Attacks Worldwide

 

Security experts have detected an unauthorized version of the Cobalt Strike Beacon Linux created by malicious attackers that are actively utilized to attack organizations worldwide. Cobalt Strike is a legal penetration testing tool built for the red-team attacking infrastructure (security organizations that function as attackers to detect the security and flaws in the infrastructure of their org). 

Cobalt Strike is often utilized for post-exploitation duties by malicious attackers (often dropped in ransomware campaigns) following the planting of so-called beacons that give permanent remote access to affected machines. Employing beacons, attackers may access compromised servers for the collection of data or distribute additional payloads of malware afterward. 

Over time, the cybercriminals acquired split copies of the Cobalt Strike and circulated this as one of the most prevalent instruments of cybersecurity threats culminating in theft and extortion of information. Cobalt Strike, however, has always had a problem - it enables only Windows devices and therefore does not contain Linux beacons. 

Further, as per a new analysis by the security company Intezer, scientists describe exactly how the threat actors have chosen to construct their cobalt strike-compatible Linux beacons. Malicious actors may now maintain and execute remote control over both Windows and Linux devices by utilizing these beacons. 

The undiscovered variant — dubbed "Vermilion Strike" — of the penetration testing program is one of the uncommon Linux ports, typically a Windows-based red team instrument which is heavily used by opponents to launch a range of specific attacks. As a threat simulation software, Cobalt Strike claims to be Beacon's payload designed to simulate a sophisticated actor and to double their post-exploitation behaviors. 

"The stealthy sample uses Cobalt Strike's command-and-control (C2) protocol when communicating to the C2 server and has remote access capabilities such as uploading files, running shell commands, and writing to files," Intezer researchers said in a report. 

Once installed, the malware starts the operation in the background, decoding the required configuration for the beacon to operate effectively just before the fingerprint identification of the Linux-compromised device and communicating to a remote server via DNS or HTTP to recover base64 encoded and AES-encrypted commands, to write files and upload them back to the webserver. 

"Vermilion Strike and other Linux threats remain a constant threat. The predominance of Linux servers in the cloud and its continued rise invites APTs to modify their toolsets to navigate the existing environment," the researchers said.
Read more »
Security Researchers
Android Cyber Security Data Theft macOS Personal Information Security Researchers

Hackers Can Use the SSID Stripping Flaw to Mimic Real Wireless APs

 

A group of researchers discovered what appears to be a new way for threat actors to mislead people into connecting to their wireless access points (APs). The method, called SSID Stripping, was revealed on Monday by AirEye, a wireless security company. It was discovered in conjunction with Technion - Israel Institute of Technology researchers.

Simply put, unwary users might be duped into connecting to hacker-created Wi-Fi hotspots. This vulnerability exposes users to data theft as well as access to their personal information on their devices. Because it affects nearly all software systems, including MS Windows, macOS, Apple iOS, Ubuntu, and Android, SSID Stripping has emerged as a serious concern. 

A user can see a connection that resembles the name of one of their trusted connections in an SSID Stripping attack, according to researchers. The catch is that the user must manually join the false network. The network, on the other hand, will get through the device's security restrictions since the original SSID name will be saved in the string the attacker has added, which the user won't be able to see on the screen. As a result, people will connect to the phoney AP.

“The SSID published by any AP in the proximity of a wireless client is processed by that client – regardless of whether there is any trust between the client device and the AP. Hence an attacker may attempt to include malicious payload within the SSID in an attempt to exploit a vulnerable client implementation,” researchers noted. 

They were able to create three different sorts of "display errors," as they call them. One of these entails adding a NULL byte into the SSID, which causes Apple devices to show just the portion of the name preceding this byte. To achieve the same effect on Windows machines, the attacker may utilize "new line" characters. 

Non-printable characters are used to represent the second sort of display error, which is more prevalent. Without notifying the user, an attacker may add unusual characters to the SSID's name. For example, instead of aireye_network, the attacker can show aireye_x1cnetwork, where x1c indicates a byte having a hex value of 0x1c. 

The third display error removes a section of the network name from the viewable region of the screen. In this case, an iPhone may show an SSID named aireye_networknnnnnnnnnnnrogue as aireye_network, eliminating the word rogue. This method, along with the second type of error, can successfully disguise the suffix of a rogue network name.
Read more »
Tesla
Cyber Security Data Leak Full Self Driving Tesla

TESLA FSD Beta Software Leaked Days Before the Release of Version 10

 

Full Self Driving (FSD) beta software of the TESLA car has been leaked, and it is circulated in and around the network of hackers. 

This latest software upgrade of Tesla's Full Self-Driving (FSD) enables electric cars to operate virtually on both roads and streets in town. The most recent FSD version also allows for better navigation and quicker turns, roundabouts, and merges. It enables the driver to input a navigation system location. The car will try to convey the driver, who stays accountable and needs to be prepared to take control all of the time, to the place with proper monitoring.

CEO Elon Musk promised the US owners of Tesla that have bought the FSD package a wider release, while the release was repeatedly postponed it finally rolled out on the 12th of September with the Full Self-Driving Beta v10 software.

Elon Musk, CEO of the business termed this software upgrade "mind-blowing." Several early access fleet Tesla customers have also stated that FSD 10 beta is substantially superior to the outgoing version 9.2. 

Insiders aware of this situation told Electrek that Tesla FSD Beta binary firmware documents were leaked in the hacker community of Tesla. 

Root access is often referenced as the ability to connect into a website root account or be able to execute commands as a root, with a Linux-based system, like the working system Tesla. Certain hackers with Tesla cars have root access for viewing software upgrades from Tesla, including enabling unannounced or dormant functions. It has been acknowledged within this community that FSD Beta firmware has been running for quite a while, and one may run it in their vehicle having root access. 

They remained silent not to alert Tesla, however, a Ukrainian customer of the Tesla has shared the FSD Beta 8.2 video in his vehicle in Kiev, in which the Tesla software has still not been released. 

The software has indirectly been described as having slipped outside the internal Tesla testing program and early access. While this is an older version, Electrek was informed by insiders that the newer version of FSD Beta version 9 is also passed around. 

Electrek was further briefed by an insider that Tesla was only recently made aware of the FSD leak, even though it has been going on for a while. The very same insider claims that the root community endeavored because there is no other wrong purpose but to use it, to restrict the distribution of the firmware. There have been efforts to buy the leak too.
Read more »
Spectre
Bypass of Security constraints Cyber Security Google Chrome JavaScript Sensitive data Spectre

Spook.js: Chrome is Threatened by a New Spectre Like Attack

 

A newly found side-channel attack targeting Google Chrome might allow an attacker to use a Spectre-style attack to bypass the web browser's security protections and extract sensitive information. Spook.js is a novel transient execution side-channel attack that specifically targets Chrome. Despite Google's efforts to minimize Spectre by installing Strict Site Isolation, malicious JavaScript code can still extract information in some instances. 

An attacker-controlled webpage can learn which other pages from the same website a user is presently viewing, collect sensitive information from these pages, and even recover auto-filled login credentials (e.g., username and password). If a user downloads a malicious extension, the attacker may obtain data from Chrome extensions (such as credential managers). 

Spectre, which made news across the world in 2018, makes use of vulnerabilities in contemporary CPU optimization features to get around security measures that prohibit separate programmes from accessing one other's memory space. This enabled attackers to steal sensitive information across several websites by attacking how different applications and processes interact with processors and on-chip memory, allowing a wide range of attacks against different types of applications, including web apps. 

Strict Site Isolation was implemented by Google Chrome, which prohibits several web pages from sharing the same process. It also divided each process's address space into separate 32-bit sandboxes (despite being a 64-bit application). 

Site Isolation is a Chrome security feature that provides extra protection against some sorts of security vulnerabilities. It makes it more difficult for websites that aren't trustworthy to get access to or steal information from your accounts on other websites.

Despite these safeguards, Spook.js, according to researchers from the University of Michigan, University of Adelaide, Georgia Institute of Technology, and Tel Aviv University, "shows that these countermeasures are insufficient in order to protect users from browser-based speculative execution attacks." 

“More specifically, we show that Chrome’s Strict Site Isolation implementation consolidates webpages based on their eTLD+1 domain, allowing an attacker-controlled page to extract sensitive information from pages on other subdomains,” they said. "Next, we also show how to bypass Chrome’s 32-bit sandboxing mechanism. We achieve this by using a type confusion attack, which temporarily forces Chrome’s JavaScript engine to operate on an object of the wrong type."

“Web developers can immediately separate untrusted, user-supplied JavaScript code from all other content for their website, hosting all user-supplied JavaScript code at a domain that has a different eTLD+1," the study recommended. “This way, Strict Site Isolation will not consolidate attacker-supplied code with potentially sensitive data into the same process, putting the data out of reach even for Spook.js as it cannot cross process boundaries."
Read more »
Ransowmare
Cyber Security Data Leak Ragnar Locker Ransomware Group Ransowmare

Ragnar Locker to Publish Victims Data if They Approach FBI

 

The ransomware gang Ragnar Locker implements a new strategy, which forces victims to pay the ransom and threatens to expose their stolen data if victims approach the FBI. Earlier, Ragnar Locker has struck notable ransomware attacks on various companies to extract millions of dollars in ransom payments. 

Ragnar Locker perpetrators are believed to deploy payloads of the ransomware to the victim's computers manually. They spend time recognizing system resources, business backups, and other critical files before the data encryption phase. 

This week, the organization threatened to release complete information on victims seeking the aid and assistance of the police and investigating authorities amid a ransomware attack in an annunciation on the darknet leak portal of Ragnar Locker. 

The threat is equally applicable to individuals who approach file recovery experts to try to decode files and later on negotiate. In any case, the gang will expose the entire data of the victims on their .onion site. 

The Ransomware administrator says that the process of recovery is only worsened by affected companies who hire "professional negotiators" It is because these negotiators typically collaborate with FBI-associated data retrieval businesses and equivalent organizations. 

“In our practice we has facing with the professional negotiators much more often in last days,” the announcement said in broken-English-ese. “Unfortunately it’s not making the process easier or safer, on the contrary it’s actually makes all even worse.” 

“So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the Police/FBI/Investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised Data immediately. Don’t think please that any negotiators will be able to deceive us, we have enough experience and many ways to recognize such a lie. Dear clients if you want to resolve all issues smoothly, don’t ask the Police to do this for you. We will find out and punish with all our efforts,” further reads the announcement. 

Such dealers are either connected to or interact personally with law enforcement officials, the gang claims. In any case, they are in it and do not care about the economic well-being of their customers or their data privacy, stated the organization. 

The previous victims of Ragnar Locker included the Japanese game maker Capcom, ADATA manufacturer of computer chips, and the Dassault Falcon airline company. In Capcom's case, 2,000 devices were supposedly encoded and the attacker demanded $11.000,000 for a decryption key in return. 

Ragnar Locker's latest revelation induces further stress for victims, given that governments across the world have strongly advocated against paying ransoms in the present climate of escalating cyber threats. 

"Government has a strong position against paying ransoms to criminals, including when targeted by ransomware. Paying a ransom in response to ransomware does not guarantee a successful outcome," said the British Home Secretary, Priti Patel in May this year.
Read more »
TeamTNT
AWS Crypto Currency Crypto Currency mining Cyber Security Monero TeamTNT

Chimaera Toolkit Found on Thousands of Windows and Linux Systems Worldwide

 

AT&T's Alien Labs security branch has raised the alarm about a TeamTNT malware campaign that has gone almost totally undiscovered by anti-virus systems and is converting target machines into bitcoin miners, according to the company. TeamTNT, dubbed "one of the most active threat organizations since 2020" by Alien Labs researcher Ofer Caspi, is notorious for its exploitation - and misuse - of open-source security tools for anything from identifying susceptible targets to dumping remote-control shells. 

Last year, TeamTNT was discovered and linked to bitcoin mining malware being installed on susceptible Docker containers. Trend Micro discovered that the organization tries to steal AWS credentials in order to spread to other servers, while Cado Security discovered TeamTNT targeting Kubernetes installations more recently. 

The port scanner Masscan, libprocesshider software for running the TeamTNT bot from memory, 7z for file decompression, the b374k shell php panel for system control, and Lazagne are among TeamTNT's open-source tools. 

Palo Alto Networks' Unit 42 found Chimaera, a software repository that "highlights the expanding scope of TeamTNT operations within cloud environments as well as a target set for current and future operations," according to the company.

Now, AT&T's Alien Labs has shed additional light on Chimaera, claiming that it has been in use since July and is "responsible for thousands of infections globally" across Windows, Linux, AWS, Docker, and Kubernetes targets, all while eluding detection by anti-virus and anti-malware programmes. 

The usage of Lazagne, an open-source application developed with one goal in mind: collecting credentials from major browsers, is a significant element of the Chimaera toolkit. Another programme tries to find and exfiltrate Amazon Web Services (AWS) credentials, while an IRC bot serves as a command and control server.

"In this case, most of the used files that are placed on disk at some point lack a clear malicious purpose by themselves," Caspi told of the reason the malware could go undetected for so long. "The malicious processes injected into memory without touching the disk are harder to identify if they don't share indicators with previous malicious activity or perform any clearly malevolent activity." 

TeamTNT's primary objective is to mine Monero, a privacy-focused cryptocurrency, on victim hardware rather than harvesting credentials. "Mining cryptocurrency has always been TeamTNT's major goal," Caspi stated.
Read more »
Jee Mains
Cyber Security Hacking News iON Jee Mains

CBI Investigates Hacking Incident in Jee Maine Examination, Three Director Arrested

 

CBI (Central Bureau of Investigation) is investigating the chances of a potential hack into TCS' iON digital platform related to JEE Mains exam hack which appeared recently. The suspected issue surfaced when CBI charged 3 Noida-based directors last week. iON of TCS is India's biggest digital assistant software provider. NTA (National Testing Agency) selected the iON to organize national level examinations like JEE Mains and NEET, in a safe and secure way. Besides conducting examinations, iON also provides logistics requisites for the test, which includes the appointment of venue heads and management of test labs. 

As per sources, CBI is investigating various iON labs at different locations where examinations were organized. TCS hasn't said anything on the issue. As of now, CBI has arrested seven accused of the incident, including three directors from Affinity Education (a private coaching institute). iON doesn't let any other software or tool operate on its platform and also blocks internet access. However, in this particular case, currently under investigation, the examination center computers might've already had some external softwares pre-installed that may have led to remote internet connection and gained access to systems during the examination. It mostly happens with coaching centers in remote areas. 

They conspire with the venue heads and assist students screen share their exams and someone else (most probably from the coaching institute) helps the students by completing their exams. The students give around 2-3 lakhs per hacked system. The systems have pre-installed external softwares prior to the examination. Ethical hacker Sunny Nehra told BusinessLine," these tools are externally installed and connected with a Windows system through which remote access is given. Though iLEON operating systems are very strong and hard to crack, the company would have to identify the loopholes in the back-end and rework the architecture of the software.” 

Experts suggest that a candidate appearing in the examination should only have the option to access URL-based links linked to the exams, which once opened, won't allow other applications to run until the exam is over. It can be made possible by installing a network firewall at examination centers, via which external traffic will flow. If firewall isn't possible,  endpoint security can be installed and the admin can use it to control and restrict access to other softwares.
Read more »
User Security
Cyber Security Internet Scam NFT Scam User Security

NFT Collector Scammed into Buying Fake Banksy Bidding

 

A hacker compromised a site of famed street artist Banksy and sold an NFT (non-fungal token) of artist's art for more than $336,000. The hacker, however, returned all the stolen cash except a transaction fee. The incident, however, has sent a message to cybersecurity experts, and also a new threat is on the rise: NFTs. In this case, the hacker did an auction on the genuine Banksy website "banksy.co.uk", which is said to be the first Banksy NFT, as per BBC. If a collector buys an NFT, they don't get copyright or ownership over the image. 

An unknown collector(British) identified by BBC as 'prominent', also goes by the name "Pranksy" offered 90% more than the other bidder to https://threatpost.com/nft-collector-tricked-into-buying-fake-banksy/169179/ the Banksy NFT. According to ThreatPost, the Bolster research team also tracks emerging NFT scams and found the most popular cybercriminal tactics include setting up fake stores, the sale of fake art (Banksy is a popular lure), Airdrop scams offering free crypto and brand impersonation on social media. 

"The NFT market has surged recently, with more than $2.5 billion so far just this year. And as the market attracts money, it will draw in cybercriminals looking for a piece of the action. Consumers will have to increase their awareness around potential NFT fraud, experts predict," reports ThreatPost. When some background check was done on the hacker, he returned most of the money earlier this week, except $6,918 and transaction fees. Pranksy says that he never expected of a refund. The reason could be Pranksy tracked the hacker and followed him on Twitter, and the incident also received a lot of press coverage, which may have compelled the hacker to refund the stolen amount. He also said that others wouldn't have the same luck if they went through the same thing. 

The genuine Banksy and his team responded to the incident with a statement "the artist Banksy has not created any NFT artworks." Bolster's Young-Sae Song said that it would've been very tough for someone to notice the Banksy NFT Auction was a scam. Abhilash Garimella, Bolster researcher, had earlier predicted that "these scams will get more complex and sophisticated. Scammers will keep innovating to make sure users fall for these. Not just NFTs, when buying anything online, a buyer needs to be aware of where and to whom they are giving away their credit card or banking information."
Read more »
User Data
Credit Card Credit Card Fraud Cyber Security Debit Cards. Financial Data Breach ransomware attacks User Data

Wawa Paying $9 Million in Cash, Gift Cards in Data Breach Settlement


The Wawa convenience store chain is paying out up to $9 million in cash and gift cards to customers who were affected by a previous data breach, as reimbursements for their loss and inconvenience. 

The affected customers can request gift cards or cash that Wawa is paying out to settle a lawsuit over the security incident. Here's everything you need to learn about the proposed class action settlement – who's eligible, how to submit a claim for cash or a gift card, and how to object to the deal. 

Customers who used their payments cards at any Wawa store or gas pump during the data breach, but were not impacted by the fraud, qualifies to receive a $5 gift card, as compensation. These claimants are referred to as 'Tier One Claimants'. 

However, the claimants will be required to submit proof of the purchase they conducted at a Wawa store or fuel pump between March 04, 2019, and December 12, 2019 – when the data breach occurred – in order to claim the gift card. Customers would essentially be required to provide proof of the transaction date, preferably a store receipt of a statement by the bank, or a screenshot from the concerned bank or credit card company website or app. 

The next category of claimants, referred to as 'Tier Two Claimants' could receive a gift card worth $15 if they show reasonable proof of an actual or attempted fraudulent charge on their debit or credit card post-transaction. 

The last category of claimants, referred to as 'Tier Three Claimants' qualify to receive a cash reimbursement of upto $500, if they provide reasonably documented proof of money they spent in connection with the actual or attempted fraudulent transaction on their payment card. It must be reasonably attributed to the data breach incident. 

During the 9 month span of the data breach, around 22 million class members made a financial transaction at one of the Wawa stores. Customers have been given a deadline of November 29, 2021, to submit a claim for recompensation. By doing so, they are giving up their right to sue Wawa over the 2019 security incident. 

Those who wish to retain their right to sue the company over the security incident and do not wish to receive the payment will be required to exclude themselves from the class. The deadline given for the same is November 12, 2021. 
 

What is this settlement for?


In 2019, the Wawa convenience store chain experienced a data breach wherein cybercriminals hacked their point-of-sale systems to install malware and steal customers' card info. As the fraud impacted Wawa's 850 locations along the East Coast, the U.S based convenience store company found itself buried in a series of lawsuits. One of which – filed by the law firm Chimicles Schwartz Kriner & Donaldson-Smith, of Haverford – claimed that the data breach “was the inevitable result of Wawa's inadequate data security measures and cavalier approach to data security.”

The massive data breach that lasted for nine months,
affected in-store payments and payments at fuel pumps, including “credit and debit card numbers, expiration dates, and cardholder names on payment cards.” Meanwhile, hackers also attempted to sell the stolen financial data on the dark web. 

As a result, a police investigation was called in for and the organization also conducted an internal investigation by appointing a forensics firm for the same.
Read more »
WordPress
Cyber Security Plugins Security Researchers WordFence WordPress

WordPress Sites Affected by Bugs in Gutenberg Template Library and Redux Framework

 

The Gutenberg Template Library & Redux Framework plugin for WordPress, which is deployed on over 1 million websites, has two vulnerabilities. According to the researchers, these might enable arbitrary plugin installation, post deletions, and access to potentially sensitive information about a site's configuration. Redux.io's plugin provides a variety of templates and building blocks for developing web pages in WordPress' Gutenberg editor. 

This plugin is a collection of WordPress Gutenberg blocks that allow publishers to quickly create websites using pre-built “blocks” while utilizing the Gutenberg interface. 

The first vulnerability (CVE-2021-38312) is rated as high-severity on the CVSS scale, with a score of 7.1 out of 10. It's caused by the plugin's use of the WordPress REST API, which handles requests to install and manage blocks. According to Wordfence, it fails to properly allow user permissions. 

The WordPress REST API allows apps to communicate with the user's WordPress site by sending and receiving data in JSON (JavaScript Object Notation) objects. It's the backbone of the WordPress Block Editor, and it may also help the user's theme, plugin, or custom app create new, more sophisticated interfaces for managing and publishing the user's site's content. 

“While the REST API Endpoints registered under the redux/v1/templates/ REST Route used a permission_callback to verify a user’s permissions, this call-back only checked whether or not the user sending the request had the edit_posts capability,” Wordfence researchers said in a Wednesday posting. Users with lower rights, such as contributors and authors, may utilize the redux/v1/templates/plugin-install endpoint to install any plugin from the WordPress repository, or the redux/v1/templates/delete_saved_block endpoint to delete posts, according to the researchers. 

The second vulnerability, a medium-severity flaw (CVE-2021-38314), has a CVSS score of 5.3. It exists because the Gutenberg Template Library & Redux Framework plugin registers numerous AJAX actions that are available to unauthenticated users, one of which is deterministic and predictable, allowing for the discovery of a site's $support_hash. 

“This $support_hash AJAX action, which was also available to unauthenticated users, called the support_args function in redux-core/inc/classes/class-redux-helpers.php, which returned potentially sensitive information such as the PHP version, active plugins on the site and their versions, and an unsalted md5 hash of the site’s AUTH_KEY and SECURE_AUTH_KEY,” according to Wordfence. An attacker may use the information to plot a website takeover using other vulnerable plugins, according to the researchers.
Read more »
Trojan Attacks
Banking Trojan Cyber Security Evasive Techniques Phishing email Qakbot Trojan Attacks

QakBot (QBot) Campaign: A thorough Analysis



Trojan-Banker QakBot, also known by the names - QBot, QuackBot, and Pinkslipbot, is a modular information stealer that has been active for almost 14 years. With the key agenda of stealing banking credentials, QakBot employs various tools to evade detection and hamper manual analysis. The authors have developed the trojan with an aggressive sophistication that allows its variants to essentially deploy additional malware, create a backdoor to infected systems, and log user keystrokes. 

Typically, QakBot attacks contain MS Office Word documents that are deployed via phishing emails constructed to trick the user into accessing it. However, in 2020, some of the QakBot campaigns featured ZIP attachments that contained macros within the word document enclosed in the ZIP file. These macros are configured to trigger the execution of a PowerShell script that further downloads the QBot payload from selected internet addresses. 

Spoofing the Victim: Opening the QBot Infected Word Doc 

The word document which carries a malicious macro, once accessed by the victim, leads him to the Word Program on his system wherein he is asked to click on "Enable Content" shown in a yellow-colored dialogue box appearing right below the header. It reads "Security Warning" in bold letters. Once the user clicks onto it, it spoofs him into believing that it is taking its time to load data as another gray-colored dialogue box appears, reading "Loading data. Please wait..."

However, behind the scenes, the malicious Macro is being executed. As a part of the process, the Macro creates a folder in which it attempts to download the QakBot payload; it's placed in 5 different places. Referencing from the 5 corresponding URLs, it could be easily concluded that they all were constructed with the same website builder, which possibly has an exploit that lets EXE files being uploaded onto it with a PNG extension.

In one of its previous campaigns, upon running, QBot replaced the original binary with a duplicate 'Windows Calculator app: calc.exe'. Then, it scanned the installed programs, compared process names to a blacklist, examined registry entries, and inspected hardware details to eventually look for a virtualization software like VMware or VirtualBox. If QBot fails to detect a virtualization software, it copies the legitimate executable into a folder; it disguises itself as a signed valid certificate. After setting the executable in place, QBot schedules a task to run the executable every 5 hours. Once the execution is completed, an explorer.exe process is launched by QBot, the code of the same is injected into the process' memory. QBot can also execute additional processes employing double process mechanisms. 

In order to safeguard against the ever-evolving threat of QakBot, experts recommend organizations provide training to their employees who could come up with alternative solutions when automated intrusion-detectors fail.
Read more »
VPN
Cyber Security Parliamentary Standing Committee User Security VPN

Parliamentary Panel Advises Indian Government to Ban VPN Services

 

Citing the growing threat in cyberspace, the Parliamentary Standing Committee on Home Affairs has advised the Indian government to block the virtual private network VPN (apps), saying VPNs provide significant technological challenges to maintain the sovereignty of the nation. 

The request from the Parliamentary Standing Committee comes as 31 Members of Parliament discovered that VPNs can bypass cyber security walls and allow cybercriminals to remain anonymous online. The Committee has termed the VPN services as a threat to counter cyber attacks and other nefarious activities. 

“The Committee notes with anxiety the technological challenge posed by VPN services and Dark Web, that can bypass cyber security walls and allow criminals to remain anonymous online. As of date, VPN can easily be downloaded, as many websites are providing such facilities and advertising them,” Parliamentary Standing Committee on Home Affairs said in its report. 

“The Committee, therefore, recommends that the Ministry of Home Affairs should coordinate with the Ministry of Electronics and Information Technology to identify and permanently block such VPNs with the help of internet service providers.”

India had recorded a 671 percent rise in the first half of 2021 compared to 2020 as a result of transformational changes in the working cultures of Indian companies. “Prior to 2021, the VPN penetration rate in India hovered around 3 percent, which is near the bottom of the list globally. Yet, by far the most significant growth in the number of downloads in H1-2021 was in India,” said Atlas VPN, a free VPN app that conducted the analysis.

The Indian government must act to strengthen tracking and surveillance by improving and developing state-of-the-art technology and put a check on VPN and the Dark Web, the Parliamentary Standing Committee advised. 

Impacts of Banning VPN on Indian Citizens 

According to the National Cyber Security Coordinator, India faces around 375 cyberattacks on a daily basis. In such circumstances, banning VPN in India could cause irreparable damage for large businesses that have relied on VPNs to secure their network connections, especially as remote work continues to be a new trend. 

Additionally, internet users will be more prone to third-party attacks and malwares trying to steal private information. Also, the internet users will not be able to access content online that is otherwise not available in India or is restricted. Also not to forget, users will lose one of the most basic and easiest ways to maintain privacy online.
Read more »
Ransomware Groups
Crypto Currency Cyber Security Ransomware Attacks. Ransomware Groups

US Government Comes Up With A Plan to Restrict Cyberattacks

 

Ransomware attacks are at an all time high in the United States, hackers are disrupting computer systems administering crucial infrastructure and refuse to give access until the ransom is paid, generally in Bitcoin or other hard to track crypto currency (decentralised). Earlier this year, hackers cracked down one of the biggest agencies in US (Colonial Pipeline). 

In June 2021, hackers attacked a meat processing industry to shutdown nine beef plants. Cyberattacks on smaller organizations that include Baltimore City Government, Steamship Authority of Massachusetts, which get low attention, but hint towards a general scenerio of ransomware cybercrime. New York Times reports "The United States should also prohibit transactions with the American banking system by foreign banks that do not impose stricter regulations on cryptocurrency. Because access to the American financial market is vitally important to foreign banks, they, too, would have a strong incentive to comply." 

Biden government took some restrictive measures to limit the impact of these attacks. An executive order made Federal government to outline a plan for the issue. In a meeting held last week, President Biden requested leaders of Google, Apple and other organisations to come up with a plan for dealing with these attacks. However, this doesn't solve the issue root problem. Ransomware attacks happen because of monetary benefits. If it becomes hard for criminals to make profit out of these attacks, maybe they will decrease. By handling crypto currency with aggressive measures, government can limit its use for illegal purposes in anonymous payments. 

In case of ransomware attacks, hackers can seize a company's resources and assets, demand ransom safely, which lowers the risk factors. The U.S government can take some preventive measures, first being enforcement of regulations for crypto currency industry equal to regulate the traditional government industry. "Cryptocurrency exchanges, “kiosks” and trading “desks” are not complying with laws that target money laundering, financing of terrorism and suspicious-activity reporting, according to a recent report from the Institute for Security and Technology. Those laws ought to be enforced equally in the digital domain," reports the New York Times
Read more »
White House
Cyber Security Government & Risk Management US Federal Agencies White House

White House Directs Federal Agencies to Improve Logging Capabilities

 

The White House has directed federal agencies to improve their logging capabilities in order to accelerate cybersecurity incident response, according to a memo from the Office of Management and Budget. 

The memo, issued by acting OMB Director Shalanda Young, includes a maturity model for event log management intended to guide federal agencies' implementation of its requirements across four event logging (EL) tiers: not effective, basic, intermediate, and advanced.

"These tiers will help agencies prioritize their efforts and resources so that, over time, they will achieve full compliance with requirements for implementation, log categories, and centralized access. Agencies should also prioritize their compliance activities by focusing first on high-impact systems and high-value assets,” according to OMB. 

By working through these various tiers, federal departments will align more with the types of log management capabilities present in the private sector, according to Mike Hamilton, the former vice-chair for the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council. 

The memo follows a May 12 executive order by President Joe Biden issued following the SolarWinds hack that compromised nine federal agencies, a ubiquitous government contractor, and about 100 U.S. companies.

“Recent events, including the SolarWinds incident, underscore the importance of increased government visibility before, during, and after a cybersecurity incident. Information from logs on federal information systems — for both on-premises systems and connections hosted by third parties, such as cloud services providers — is invaluable in the detection, investigation, and remediation of cyber threats,” reads the memo. 

The departments now have 60 days to assess their capabilities against the maturity model and plan to address resource and implementation gaps. Those plans must be sent to the OMB Resource Management Office and Office of the Chief Information Officer desk officer. OMB expects federal agencies to prioritize their high-impact systems and high-value assets first as they implement EL requirements.

Agencies were also told to share logs with third parties like the FBI and Cybersecurity and Infrastructure Security Agency. “This sharing of information is critical to defend federal information systems,” reads the memo. The memo directs CISA to deploy teams to advise agencies in their assessment of their logging capabilities and release tools with the FBI to help assess logging maturity. 

Meanwhile, the Department of Commerce must have the National Institute of Standards and Technology maintain Special Publication 800-92, its “Guide to Computer Security Log Management” and incorporate the memo’s requirements into its next revision and other relevant publications.
Read more »
Subscribe to: Posts (Atom)