Chinese Hackers Attacked Eight Major Technology Service Providers




Eight largest technology service providers were attacked by the hackers of China’s Ministry of State Security; they attempted to access sensitive commercial information and secrets from their clients across the world.

In December, last year, a vicious operation was outlined in formal charges filed in the U.S.; it was designed to illegally access the Western intellectual property with motives of furthering China’s economic interests.

According to the findings made by Reuters, the list of the compromised technology service providers include Tata Consultancy Services, Dimension Data, Hewlett Packard Enterprise, Computer Sciences Corporation, HPE’s spun-off services arm, IBM, DXC Technology, Fujitsu and NTT Data.

Furthermore, various clients of the service providers such as Ericsson also fall prey to the attack.
However, IBM previously stated that it lacks evidence on any secret commercial information being compromised by any of these attacks.

Referencing from the statements given by HPE, they worked diligently for their “customers to mitigate this attack and protect their information.” Meanwhile, DXC told that it had, “robust security measures in place” in order to keep their clients secure.

Commenting on the matter and denying the accusations and any sort of involvement in the attacks, the Chinese government said, “The Chinese government has never in any form participated in or supported any person to carry out the theft of commercial secrets,”

“While there have been attacks on our enterprise network, we have found no evidence in any of our extensive investigations that Ericsson’s infrastructure has ever been used as part of a successful attack on one of our customers,” a spokesperson of Ericsson told as the company said, it doesn’t comment on specific cybersecurity matters.




Cybercrime goes out of control in India



Phishing, data theft, identity theft, online lottery, cyber attacks, job frauds, banking frauds, cyberbullying, online blackmailing, morphing, revenge porn, cyber hacking, child pornography, cyber grooming, cyberstalking, data diddling, software piracy, online radicalisation — the dark web of cybercrimes is spreading across the world and India is one of the hotspots of this digital crime.

With increasing mobile coverage and cheaper data, more and more Indians now access the internet even while on the move. This has exposed unsuspecting ones to fall prey to online fraudsters. Many become victims of sexual exploitation after being made to share personal details while some others use the new media like WhatsApp to spread fake news to create trouble for political and other gains. There have been several lynching incidents in the country in the past couple of years after fake messages about child lifting and cow slaughter were spread through social media.

In spite of an alarming rise in cybercrime in the country, the most recent Government statistics available on this is from 2016. Cybercrimes touched 12,317 cases in 2016 which was an increase from 9,622 reported in 2014. The National Crimes Record Bureau is yet to release the statistics for 2017 and 2018.

The data available is just a tip of the iceberg and the numbers might be much more, says a senior government official. “Many even do not report loss of money or honour out of shame. Many cannot even tell their families that they have lost money in online frauds,” the official said.

Officials say the problem is that common people are not aware of the risks involved while dealing with the internet. Many are unaware, they say, and exercise no caution while using the net. They click unwanted links, unknowingly give the cyber fraudster their personal details and get cheated.

My SQL Servers on Windows Attacked by Hackers to Distribute GrandCrab Ransomware



One of the most widespread Ransomware, GrandCrab, which keeps on making headlines every now and then us being circulated via multiple kinds of attacks like exploit kit, compromised  websites, social media campaigns, and weaponized office documents. 

A new variant of GrandCrab Ransomware which is configured to attack Internet-facing MySQL servers on Windows has been detected by the researchers; the ransomware is also reported to hold around 40% share of the ransomware market. 

How does it attack?

The malicious operation begins with the injection of a corrupted DLL file into the database server with the help of SQL database commands.
As the attack proceeds, DLL is invoked in order to get hold of the ransomware payload which is hosted on the malicious server. 
Attacker secures a reliable connection with the database server and then advances to upload the corrupted helper DLL by employing set command; it is carried out in the form of hexadecimal characters. 
“Later they issued a command to concatenate binaries to a single file and them into the server’s plug-in directory. Also, they used several commands used to swap forward slash and backslash characters that seemed designed to make an end-run around security features,” researchers observed. 

Referencing from the study conducted by the Sophos researchers, "an intriguing attack this week from a machine based in the United States. We monitored both the behavior and network traffic generated by this honeypot and were surprised to see the honeypot (which runs under Linux) download a Windows executable.”

“What makes this interesting is that the IP address of this machine hosting the GrandCrab sample geolocates to Arizona, in the desert southwest region of the United States, and the user interface of the HFS installation on this machine is in simplified Chinese.”

Decoding the threat, they said, “it does pose a serious risk to MySQL server admins who have poked a hole through the firewall for port 3306 on their database server to be reachable by the outside world,”



Cybercriminals Preferring Audio Skimmers Over Flash Skimmers






There has been a rapid increase in the number of web skimming attacks since the advancements in the technological sector; it also resulted in excessive activity in the black market of physical card skimming tools.
Web skimming attacks are designed to capture critical financial data and card details like the name of the holder and sensitive numbers. It is when attackers connect their spying tool to a point-of-sale system (PoS) or an ATM in order to get access to the data that is processed from credit/debit cards via these machines.
The ever evolving ways of web skimming are one of the reasons why it is thriving and remains undetected,  professionals skimmers have formed closed communities which are organized to coordinate during skimming processes and assist the cashers, decoders, engineers, extractors, and vendors with whatever they need.
Advanced Intelligence, a New York based fraud prevention company reported that the usual targets are gas stations, ATMs or PoS terminals. Skimming includes unauthorized access to sensitive financial information for which the cybercriminals mainly rely on upgrades and advancements in technology to produce and circulate products which are unassailable and undetectable.
Another variant includes Audio Skimmers, which have been known to exist since 2010 and the technique employed in Audio Skimming is said to be existing since 1992. The devices involved store the data and encrypt it to capture it in MP3 format. The threat rate of Audio Skimmers multiplies with the camera attached to capture the PIN number and acting as a video skimmer.
Commenting on the matter, Yelisey Boguslaskiy, director of security research at AdvIntel, said, "They use timing-calculating algorithms to “reed” the audio when the card is been scanned by the ATM, which allows them to decode a track in 1-2 seconds and immediately convert it into text format,"
"Russian-speaking real carding communities have traditionally been exclusive and tight-lipped regarding their skimming operations. Skimming developers form exclusive trusted underground criminal networks thereby connecting talented engineers, their trusted sellers, and wealthy carder buyers of such tools,” further added.







Hackers charged with stealing $ 2.4 million



A group of hackers from the cybercrime group known as “The Community” charged in the U.S for “Sim Hijacking” attack and commit wire fraud along with 3 former employees of mobile phone providers.

All the 6 members of “The community ” group alleged to have participated in thefts of victims’ identities and used the data to steal cryptocurrencies via SIM Hijacking attack also known as SIM Swapping.

“SIM Hijacking” or “SIM Swapping” is an identity theft technique that exploits a common cyber-security weakness – mobile phone numbers.

This special technique used by hackers to gain control of victims’ mobile phone number in order to route the victims mobile traffic such as phone calls and short message service (“SMS”) messages through the devices controlled by “The Community”.

According to the fifteen-count indictment unsealed, SIM Hijacking was accomplished by a member of “The Community” contacting a mobile phone provider’s customer service—posing as the victim—and requesting that the victim’s phone number be swapped to a SIM card (and thus a mobile device) controlled by “The Community”. Later, Hijacked new SIM will be used as a gateway to gain control of online accounts such as a victim’s email, cloud storage, and cryptocurrency exchange accounts.

Here is the list of 6 “The Community” 3 former employee of mobile phone provider.

Conor Freeman, 20, of Dublin, Ireland

Ricky Handschumacher, 25 of Pasco County, Florida

Colton Jurisic, 20 of, Dubuque, Iowa

Reyad Gafar Abbas, 19, of Rochester, New York

Garrett Endicott, 21, of Warrensburg, Missouri

Ryan Stevenson, 26, of West Haven, Connecticut

Charged in the criminal complaint were:

Jarratt White, 22 of Tucson, Arizona

Robert Jack, 22of Tucson, Arizona

Fendley Joseph, 28, of Murrietta, California

Millions of Peoples’ Data Exposed On The Dark Web Via an Unprotected Database; Hackers At Advantage

Quite recently, a badly secured database fell prey to hijacking by hackers. Millions of users’ data was exposed. It was discovered by “Shodan Search Engine” last month. An infamous hacking group is speculated to be the reason.


A gigantic database containing records of over 275 million Indian citizens was found unprotected and now in the hands of a hacking group.

The database which was exploited comes from a widely used name of “MongoDB”.

The data in it seems to have come from various job portals, in light of the fields that were found out to be of “Resume IDs”, “functional areas” and “industry”.

Along with some not so confidential information some really personal details like name, email ID, gender, date of birth, salary and mobile number were found.
Reportedly, a hacking group which goes by the name of “Unistellar group” happens to be behind the hijacking of this already unprotected database.

Immediately after the unsafe database was discovered the cyber-security expert had informed the Indian Computer Emergency Response Team but in vain.

The database was open and laid bare for anyone to advantage for at least two weeks.

The owner of the database is yet to be known and it seems that it’s owned by an anonymous person or organization.

The details of over 275 million people were out but as it turns out no Indian job portal holds information of members of such a large number. 


Dell Computers Compromised To Hackers; SupportAssist Software To Blame




Reportedly, a vulnerability in Dell’s SupportAssist application could be easily exploited by hackers via which they could access administrative privileges.


The said administrative privileges would then aid the hackers to execute malicious code and take over the users’ entire system.

The victims of this security error haven’t reached a definable number yet but as all the Dell PCs with the latest Windows have the SupportAssist software all of them are open to attacks.

Since the aforementioned application doesn’t come pre-installed the PCs bought without Windows in them are safe.

The software aids Dell automatic driver updates like debugging and diagnostics.

Furthermore, debugging tools happen to have clear access to device’s systems, so when hackers attack, they gain full control of the system itself.

The hackers first try to get the victim to access a malicious web page and later trick them into downloading SupportAssist.

Henceforth the malware starts to run on the system with all the administrative privileges gained by default.

When the victims are on public Wi-Fi or large enterprise networks that’s when they are the most vulnerable to such an attack.

Then on the attacker would launch an Address Resolution Protocol hoaxing attacks and providing hackers the access to legitimate IP addresses within the network.

DNS attacks are also a strong possibility because of the lack of security on the existing routers.

After a young security researcher alerted Dell about the security flaw, the organization has been working on a patch.

Until then it would be the best choice to simply uninstall the application from the device.

Hackers have already exploited this vulnerability and hacked into a few internal devices of Dell owing it to the SupportAssist.


Per sources, a patch has already been released for the issue which is the version 3.2.0.90 of the SupportAssist application.





Is making hacking unprofitable the key to cyber-security?

Billions are being lost to cyber-crime each year, and the problem seems to be getting worse. So could we ever create unhackable computers beyond the reach of criminals and spies? Israeli researchers are coming up with some interesting solutions.

The key to stopping the hackers, explains Neatsun Ziv, vice president of cyber-security products at Tel Aviv-based Check Point Security Technologies, is to make hacking unprofitable.

"We're currently tracking 150 hacking groups a week, and they're making $100,000 a week each," he tells the BBC.

"If we raise the bar, they lose money. They don't want to lose money."

This means making it difficult enough for hackers to break in that they choose easier targets.

And this has been the main principle governing the cyber-security industry ever since it was invented - surrounding businesses with enough armour plating to make it too time-consuming for hackers to drill through. The rhinoceros approach, you might call it.

But some think the industry needs to be less rhinoceros and more chameleon, camouflaging itself against attack.

"We need to bring prevention back into the game," says Yuval Danieli, vice president of customer services at Israeli cyber-security firm Morphisec.

"Most of the world is busy with detection and remediation - threat hunting - instead of preventing the cyber-attack before it occurs."

Morphisec - born out of research done at Ben-Gurion University - has developed what it calls "moving target security". It's a way of scrambling the names, locations and references of each file and software application in a computer's memory to make it harder for malware to get its teeth stuck in to your system.

The mutation occurs each time the computer is turned on so the system is never configured the same way twice. The firm's tech is used to protect the London Stock Exchange and Japanese industrial robotics firm Yaskawa, as well as bank and hotel chains.

Broadcom WiFi Chipset Driver Defect Takes Its Toll On OSs, IoTs, Phones and Other Devices.




Reportedly, the flaws in the Broadcom WiFi chipset drivers are causing a lot of trouble for phones and operating systems that are exposed to it.


This means, attackers could be allowed to execute arbitrary code and initiate DOS. (Denial of Service)

As reported by an intern of a reputed lab, the Broadcom drivers and the open source “brcmfmac” driver possess several vulnerabilities.

As it turns out, the Broadcom drivers are susceptible to “two heap buffer overflows.” Whereas, the ‘brcmfmac’ drivers are susceptible to frame validation bypass as well as heap buffer overflow.

Per the Common Weakness Enumeration database, the heap buffer overflows could cause the software to run in an infinite loop, system crashes, along with execution of arbitrary code.


These above activities are evidently beyond the security policies and security services.

The aforementioned Broadcom WiFi chips are insidiously used by almost everyone without their knowing it. From a laptop through the IoT devices to the smart TVs all the devices have these chip drivers.


As these chips are enormously prevalent, they comprise of an even more enormous target range. Any simple vulnerability or flaw found in them could be a matter of serious risk.

The Broadcom WiFi chipset drivers could be easily exploited by the unauthenticated attackers by way of sending malicious “WiFi packets”.

These packets would later on help in initiating the arbitrary code execution. All the attacks would simply lead to Denial of Service.

In the list of the risks that stand to vulnerable devices, Denial of Service attacks and arbitrary code execution are on the top. These flaws were found also in Linux kernel and the firmware of Broadcom chips.

According to the source note, the four brcmfmac and Broadcom wl drivers vulnerability is of the sort, CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, CVE-2019-9503.

·       CVE-2019-9503: When the driver receives the firmware event frame from the remote source, it gets discarded and isn’t processed. When the same is done from the host the appropriate handler is called. This validation could be bypassed if the bus used is a USB.

·       CVE-2019-9500: A malicious event frame could be constructed to trigger a heap buffer overflow.



·       CVE-2019-9501: The vendor is supplied with the information with data larger than 32 bytes and  a heap buffer overflow is triggered in “wlc_wpa_sup_eapol”

·       CVE-2019-9502: when the vendor information data length is larger than 164 bytes a heap buffer overflow is triggered in “wlc_wpa_plumb_gtk”

If the wl driver’s used with SoftMAC chipsets the vulnerabilities are triggered in the host’s kernel whereas, when used with FullMAC chipset, they are triggered in chipset’s firmware.

There are approximately over 160 vendors that stand vulnerable to Broadcom WiFi chipsets within their devices.

Two of Broadcom’s vulnerabilities were patched which were found in the open source brcmfmac Linux kernel.

CVE-2019-8564 vulnerability had been patched by Apple as a part of their security update, a day before the developer revealed the vulnerabilities.


Don't Dare Cancel Movie Tickets Online; You Could Be Subject To Fraud, "Vishing" To Blame!




A woman got scammed and was fraudulently ripped off of Rs.40,000 after she decided to cancel her movie tickets online. This is what exactly happened.


Reportedly a resident of Jankipuram, Lucknow, the aforementioned lady cancelled her movie tickets that she had booked via a popular website.

Things went sideways, when she called a "customer care executive" to claim a refund. 

This is a classic paradigm for "Vishing". The call version of Phishing, wrests money during the duration of the call.

Despite having cancelled her tickets within the stipulated period, the amount wasn't credited to her account.

She called the "customer care executive" and after he irritably answered she had to file a TOI report.

Furthermore she got a call from someone pretending to be from the ticket booking website she'd used.

The person lured her into giving away the details of her credit cards, putting up an act of helping her.

Pretty soon after the call was hung up, the woman noticed Rs. 40,000 missing from her account.


As customary to a "Vishing" fraud, the victim receives a call where the caller pretends to be a representative of a company.

To keep up the pretense, the caller would ask for the victim's details like name, date of birth and mobile number. Furthermore, the call's made from a landline.

The next step is pretty cliche. The victim ill be asked to reveal the details like their customer ID of online banking or credit/debit cards details.

Then come the bank account details followed by asking for the OTP on the victim's phone.

The main motive behind "Vishing" is hijacking the victim's online bank account and trying to harvest the money on it.

Cyber Tip:  No Legit Bank/Company Representative Would Ever Ask For Your Personal Details. Ever!

Canadian Internet Registration Authority’s Car Parking System Struck By Ransomware!








Reportedly, CIRA’s car parking system was infected via a ransomware and was hacked into to let people park for free.


Canadian Internet Registration Authority is a gigantic internet domain which has 2.8 million, under its wings with a .ca domain.

The yet anonymous cyber-cons compromised CIRA’s car parking system, aiding people to park without getting their parking passes scanned.

Allegedly, some other company manages the car parking under CIRA.

Initially the cause which was thought to be a power failure or mechanical system crash, turned out to be a ransomware attack.



The database which was used by the car parking system for management was specifically compromised.

That very database also holds tens and tens of employee credit cards which if in wrong hands could wreak serious havoc.

After further analysis it was discovered that the ransomware in question could possibly be “Darma”.

This ransomware goes about infecting computers by way of RDP connections restricting to system that run on RDP (Remote Desktop Protocol) online.

These cyber-cons target the RDP protocol which runs on 3389. After performing a brute force attack they tried to harvest administrative credentials.


Later on an attempt at performing malicious activities on the system as made.

The silver lining happens to be that the stored card details would reclaim all the damage done by the free parking.

According to CIRA’s security survey, 37% of businesses don’t employ anti-malware protections.

CIRA also cited that they have no way whatsoever of knowing what sort of security measures are employed by the car parking in question.


Crypto-jacking: A New Vector of the Cyber-Cons after Ransomware!




Apparently, according to the records of 2018, after getting bored with ransomware attacks, crypto-jacking has become the new tool of cyber-cons for harvesting crypto-currency.



Crypto-jacking by nature is more insidious and stealthy and hence in the past year has emerged as a better way of harvesting crypto-currency.

Initially, the best choice for doing the same was ransomware, but having surpassed it, Crypto-jacking is now cyber-cons’ favorite option.

2018, unlike any other year in the cyber-crime history saw a lot of cyber-attacks, wherein the crypto-jacking attacks constituted to be amongst the most.

The report of IBM strictly mentioned that the crypto-currency attacks hiked by quite a large number.

Whereas, ransomware attacks plummeted by 45% including both mobile and desktop platforms.

The major reason behind this shift of inclination towards crypto-jacking happens to be the less-disruptive and furtive disposition.

After a ransomware is introduced to the victim, the attack weapon goes waste after just one attack, leaving no chances for a recurrence.

Meanwhile, in the case of crypto-jacking, a recurrence is almost ensured, making it possible for more profits from a single weapon.

Somehow, crypto-jacking appears to be the more malicious of the two, which if ignored could lead to serious ramifications.

Reportedly, crypto-jacking could soon transform from currency mining to fabrication its own botnets to function spyware attacks.

Leaving the users with the only advice and option; to use the latest versions of anti-viruses and keep the systems updated.


Android Spyware "Triout" Back With Spying Abilities And New Malicious Schemes






An android malware in the guise of an online privacy app, is all set to cause a lot of harm as it’s resurfaced as a more malicious version of itself and has acquired spy abilities.

The application tries to trick the users into downloading and then starts working its method.

Triout, the application is created to help users dodge censorship on the internet.

The campaign had been active since May last year, under the guise of an adult 
application.

August, 2018 is when the spyware was discovered, because of the massive amounts of information it was harvesting, including photos, text conversations, and phone conversations.

Collecting GPS information about the victims and making the user’s location vulnerable are two of the other mal effects.


With changed tactics and better malicious effects to it, the malware is being distributed under the cloaks of a stolen but legit privacy tool from Google play store.

Psiphon is the privacy tool behind whose face version Triout is hiding. This application is widely used and has been downloaded like a million times.

Third party sites also provide this app on their platforms, in case hackers don’t seem to have access to play store of Google.

The fake version of Psiphon works in exactly the same way as the real version of it. The looks and the interface have all been cleverly matched.



A particular type of set of victims is being targeted via Triout so that it doesn’t raise much suspicion.

When the malware was discovered it was found to be targeting users from Germany and South Korea.

Spear-phishing is another concept that is reportedly being employed by the cyber-cons to ensure that the users download their malicious app.

The way to lure in the victims and the commands and controls of Triout have been cunningly altered to extract a hike in the success rate.


Reportedly, the updated versions of Triout are being uploaded from various distinct locations of the world, a few being Russia, France and US.

The origin of the campaign and the cyber-cons behind it are still behind the curtain and this is what makes Triout more malicious.

According to the leading security researchers, this application possesses super spying powers and is deliberately fabricated to perform activities like espionage.

The researchers implore the users to download applications only from official sites and try to steer clear off any suspicious looking applications and refrain from downloading it.


Thousands Of Users Thrashed By Extremely Real-looking-Fake-Scans Scam



Thousands of users have encountered a severe threat from scammers who are employing cunning use of JavaScript and HTML codes by way of “Potentially Unwanted Applications”.

A major security researching organization uncovered a recent development in the scamming area where PUAs and POAs are being employed.

These scams could be categorized as tech-support scams which primarily work on scaring the victim into doing something unforeseen by the victim themselves.

After fake-calls, potentially unwanted applications have become quite common, but the latest twist is the shrewd usage of JavaScript and HTML code.

These codes specifically work on making the fake scans seem implausibly real, making it faster and easier for the scanners to fool their prey.

The well-known Norton Security applications are basically being stolen from the aforementioned organization.

These scams are in no way comparable to the basic and obvious anti-virus scams that are run on a common basis.

The scammers make the scan look so legit that it never occurs to the victim to question it at all.

There sure is an alert which pops up. The users think of it to be as one from an anti-malware app, when it’s actually coming from a web browser.

The way the scanners go around is that they offer an infection to be paired up by way of a 10-second scan. This obviously lures the users in swiftly.

A web-based dashboard is being implemented by the scammers to manage and monitor all the scams that are happening.

Thousands of dollars have been wrested from the victims that too by using overtly basic, fake looking contrivances.

Last three months of 2018 had been really busy for Symantec, the aforementioned organization, as they’ve blocked PUA installations around 89 million times.

There are several points that have to be kept in mind, for instance, no pop up is capable of analyzing the hard drive and the real files on it.

No anti-malware supplication would ask the user to download a separate application for the update process.

The best way to get saved from this kind of threat is looking out for an alert that mentions the remaining days left in the so called “subscription”.

OTP Theft on the Rise in Bengaluru; Many IT Employees Fall Victim


Numerous IT employees fall victim to a new type of OTP theft currently on the rise in Bengaluru. No culprit has been caught so far as lakhs of rupees go stolen via the utilization of this technique.

This theft stands diverse as contrasted with the rest as here, an individual calling posing like a bank employee requests from the victim to provide with them their card number and CVV so as to update or review their debit or credit card.

And the 'unsuspecting victim' does not realize that any person would at present need an OTP to complete any exchange, in this way the scamster then says the victim will get a SMS, which would need to be sent back to the sender.

And such SMSes while not containing any intelligible content obviously, are in encoded shape.  Acting like links when the victims tap on them, the incoming SMS is consequently sent to the scamster's phone, which at that point completes the cash exchange — utilizing the OTP from the victim's record.

 “The thefts were initially of relatively small amounts of ₹5,000-10,000. However, of late, larger amounts ranging from ₹50,000 to up to a few lakhs have been stolen. We have not been able to apprehend anyone yet. The victims also include several IT employees,” says a cybercrime personnel further adding that such cases came to light about 2-3 months ago.


India as a country has not taken privacy seriously. Most of the time, most hackers are able to find out the bank you are banking with,” says Harsha Halvi, co-founder of TBG Labs, “OTP theft is more a privacy matter than a technological one. Perpetrators often gain the victim’s trust by dropping a name for reference, which would make the victim trust them. After that finding information about the victim’s bank is also quite easy,” he added later.

Although Halvi later recommends that since it is not possible to build up a product\software as a safeguard against this as there are many apps that request access to SMSes, the solution to this problem will only begin to emerge if the users are increasingly mindful and don't offer authorization to get to SMSes, at that point the developers will be compelled to change their strategy.

In this way, it proposed to the users, when accepting such calls, to check with the customer care numbers of their banks in order to smoothly avoid from being entrapped in such wreckage.