Search This Blog

Showing posts with label Cybersecurity. Show all posts

Every Organization Should Ask These 8 Questions Before Choosing Their Cybersecurity Provider


Being cybersecurity ready offers many advantages, but your organization can always target hackers unless you do not know critical details. According to a Junior Research report in 2019, the expense of cybersecurity breaches in 2024 will reach to $5 Trillion every year from $3 Trillion currently. The data is helpful, especially for large organizations that depend on third-party cybersecurity services for their day to day operations. Data by Opus and Ponemon Institute shows that 60% of organization attacks happen due to the third-party actors. Data breaches can destroy the brand image of any organization and also result in a financial crisis. To limit data breaches, the organization should have a reliable third-party vendor that it can trust.

Here's why any organization should research while preferring a new provider and why third-party threats are pressing. Fewer vendors mean fewer threats. Currently, companies depend on many vendors to perform their day to day operations. For instance, in 2019, Apple alone had 200 supplier companies. In most of the cases, these threats come from third-party vendors. For instance, hackers attacked Agama, a cryptocurrency app which had vulnerabilities in its third party javascript library.

According to Juniper, "the new research, The Future of Cybercrime & Security: Threat Analysis, Impact Assessment & Mitigation Strategies 2019-2024 noted that while the cost per breach will steadily rise in the future, the levels of data disclosed will make headlines but not impact breach costs directly, as most fines and lost business are not directly related to breach sizes. 

How to choose a reliable vendor? 
  1. Are your vendor's offerings compatible with your organization's needs? 
  2. Your cybersecurity provider should have an excellent cyber score. 
  3. Did your vendor experience any data breach or attack in the past? 
  4. If the provider has an immediate incident response project. 
  5. Whether your cybersecurity provider offers 'right to inquire.' 
  6. If the vendor has an intelligence program for potential threats. 
  7. Whether the vendor has industry certification or not. 
  8. If the third party provider has a chief information security officer or a security contact. 
Answers to these questions will help your organization select third-party cybersecurity provider wisely.

Gamer Alert: More than 10 Billion Attacks On Gaming Industry In 2 Years


According to cybersecurity firm Akamai's recent report titled "State of the Internet/Security," the gaming sector has suffered a big hit in the previous two years. Experts have reported around 10 Billion cyberattacks on the gaming industry between June 2018 and June 2020.

Akamai recorded 100 Billion credential stuffing attacks during this period, out of which 10 Billion amount to attacks on the gaming sector. Besides credential stuffing, Akamai also recorded web application attacks. Hackers targeted around 150 Million web application attacks on the gaming sector.

"This report was planned and mostly written during the COVID-19 lockdown, and if there is one thing that's kept our team san; it is constant social interaction and the knowledge that we're not alone in our anxieties and concerns," says the report. Web application attacks mostly deployed SQL injections and LFI ( Local File Inclusion ) attacks as per the latest published report. It is because hackers can sensitive information of users on the game server using SQL and LFI.

The data can include usernames, account info, passwords, etc. Besides this, experts say that the gaming sector is also a primary target for DDoS (distributed denial-of-service) attacks. Between July 2019 and July 2020, Akamai identified 5,600 DDoS attacks, out of which hackers targeted 3000 attacks on the gaming sector. The increase in the attacks can be because most gamers don't pay much attention to cybersecurity.

According to data, 55% of gamers experienced suspicious activity in their accounts. However, just 20% of these gamers expressed concern about the compromise. Around 50% of hacked players feel that security is a mutual responsibility between gamers and gaming companies. 

Akamai emphasized their concern over the gaming sector becoming an easy target for the hackers. According to Akamai's report, "Web attacks are constant. Credential stuffing attacks can turn data breaches from the days of old (meaning last week) into new incidents that impact thousands (sometimes millions) of people and organizations of all sizes. DDoS attacks disrupt the world of instant communication and connection. These are problems that gamers, consumers, and business leaders face daily. This year, these issues have only gotten worse, and the stress caused by them was compounded by an invisible, deadly threat known as COVID-19."

179 Dark Net Vendors Arrested in a Massive International Sting; 500 kg Drugs Seized


Global police agencies have confiscated over $6.5m both in cash and virtual currencies, 64 firearms, and 1,100 pounds of drugs - arresting 179 vendors across 6 countries including the U.S and Europe in one of the biggest raid on dark web marketplaces. The international sting operation saw considerable co-operation from Law enforcement agencies all over the world including the US, UK, Germany, Europe, Canada, Europe, Sweden, Austria, and the Netherlands.

The 500kg of drugs recovered by investigators during the operation included fentanyl, methamphetamine, oxycodone, ecstasy, cocaine, hydrocodone, MDMA, and several other medicines containing addictive substances, as per the findings.

The authorities dubbed the global sting operation as 'DisrupTor' and while announcing it, they claimed in a press release that the "golden age of the dark web marketplace is over." The roots of the operation go back to May 3, 2019; the day German authorities seized the dark web drug market, "Wallstreet market" and arrested its operators.

"Operations such as these highlight the capability of law enforcement to counter encryption and anonymity of dark web market places. Police no longer only take down such illegal marketplaces – they also chase down the criminals buying and selling illegal goods through such sites." The press release further read.

According to the Justice Department, it was the largest international law enforcement operation that targeted opioid traffickers on the dark web. The investigation witnessed an extensive range of investigators ranging from the FBI, ICE, DEA, Customs and Border Protection (CBP), to the Defense Department.

Commenting on the success of the operation, the head of Europol’s European Cybercrime Centre (EC3), Edvardas Šileris said, “Law enforcement is most effective when working together, and today’s announcement sends a strong message to criminals selling or buying illicit goods on the dark web: the hidden internet is no longer hidden, and your anonymous activity is not anonymous. Law enforcement is committed to tracking down criminals, no matter where they operate – be it on the streets or behind a computer screen.”

“With the spike in opioid-related overdose deaths during the Covid-19 pandemic, we recognize that today’s announcement is important and timely,” said Christopher Wray, FBI director. “The FBI wants to assure the American public, and the world, that we are committed to identifying dark net drug dealers and bringing them to justice.” He further added.

Five Steps That Will Boost Your Cybersecurity And Assure Business Community In Real Life

 

The concept of business and marketing has seen a tremendous change for a few years. Business continuity meant protecting your company in times of crisis. However, it is about recovering from large scale cyberattacks as quickly as possible in the present times. These threats can include malware, phishing emails, DDoS attacks, ransomware, etc.


 
In recent times, there has been a rapid change in the field of cybersecurity too. It has now become a vital part of an organization's business continuity, in protecting employee data, intellectual property, operational plans, R&D, etc. Due to this, a question arises of 'how corporate and IT experts can work hand in hand' to protect an organization and promote its business. 

To achieve these goals, a simple five steps method, if followed, can ensure your organization's cybersecurity and prevent it from threats and cyberattacks. 

1. Prioritize: Threat intelligence should be acquired, and it should be prioritized to formulate a defense plan. Keep in mind that simulation attacks won't be much helpful as real-time attacks. Simulated attacks won't tell you the real strengths and weaknesses. This information helps experts identify the threats they must be more careful about and build a counter-testing testing plan. 

2. Measure: You should examine whether the measures you are taking to protect your business is helpful. If not, your preventive actions are ineffective. The plan should include analyzing threat adversaries and technical attacks, and how your people respond to it. 

3. Optimize: This step involves analyzing the gaps or barriers that you identified in the measuring stage. An effective business means overcoming these gaps and barriers. When the controls are optimized, the testing can then provide more measurable results that will make your security more robust. 

4. Rationalize: Is your investment in security measures proving beneficial or just a waste of money. With the help of testing data acquired after optimizing controls, the experts now know where to cut costs and invest more. It allows a business to save money while keeping the risk factor under control. 

5. Monitor: The final and most crucial step involves keeping a constant eye on changing the IT environment trends. There might come new challenges that your company might have to face; therefore, there should be a continuous evaluation of potential threats that might impact your business.

Hackers Attack Gaming Industry, Sell Player Accounts on Darkweb


Generating a tremendous revenue of $120.1 billion in 2019, the gaming industry is one of the largest and fastest-growing sectors. But this success comes at a high cost as it attracts hackers as a potential target. However, cyber-attacks in the video game industry are hard to trace, making the sector vulnerable to cybercriminals in recent times.



About the attacks
As per recent research, there exist covert markets that trade stolen gaming accounts. These trades can generate an unbelievable amount of $1 billion annually with this business. The Fortnite and Minecraft together amount to 70% of what these underground markets make. According to reports, Roblox, Runescape, Fortnite, and Minecraft are responsible for generating $700 annually. Experts at Night Lion security say that hackers selling stolen Fortnite player accounts are making up to $1 million annually.

Recent developments 
Hackers are now operating as a hierarchical organization, appointing designations for different work. The structured enterprise has positions like developers, senior managers, project managers, sales, and public relations to sensationalize their services.

  • The actors are using open cloud services and digital platforms to conduct their business. 
  • The hackers steal in-game inventories like skins, crates, and coupons from player accounts and sell them on the black market for a lower price. 
  • These hackers often target top gaming accounts and steal player profiles to trade them for lower prices in the underground market. 

Recent attacks 

  • Last month, experts found a game named "Fall Guys: Ultimate Knockout," which contained malicious javascript API. It stole data from target players' discord and browser. 
  • In June 2020, around 1.3 million Stalker Online players' accounts were stolen and sold on the dark web later. 
  • In July 2020, a Nintendo leak revealed the game's details before they were officially launched in the market. 


The gaming industry now faces a bigger challenge to protect its community from the rising attacks. A proactive and multi-layered approach can help gamming companies protect their customers, along with products and services. However, gamers should be careful, too, avoiding re-use of the same password on other platforms.

Iranian Threat Actors Have Modified Their Strategies, Attacks Now More Effective


Since the dawn of the digital age, Iranian hackers have been infamous for their attacks on critical infrastructures, targeting governments, and hacking large corporate networks. The main motive behind these attacks is getting espionage intelligence, steal confidential information, ransomware attacks, and target massive data networks. Since 2019, the hackers have been using developed strategies that are more effective in causing damage to the targets, resulting in better monetary benefits, says the Bloomsbury news.


Attack details

  • Earlier this year in April, hacking group APT34 (otherwise knowns as OilRig) launched a modified version of the backdoor named 'RDAT.' The backdoor uses the C2 channel, which can hide commands and data under images via attachments. 
  • Earlier this year in May, APT34 also added a new tool to its hacking inventory, known as DNSExfiltrator. The tool has allowed hackers to become the first hacking group that uses the DoH (DNS-over-HTTPS) protocol in its attacks. 

Keeping view of these new modifications in the hacking realm, organizations should know that the criminals are evolving and modifying their methods over time. It suggests that hackers have become more powerful and possess a more significant threat to the cybersecurity world.

Other developments 

  • In August 2020, the FBI issued a security alert about the hacking group going by the name of 'Fox Kitten' attacking potentially weak F5 networks. The hacker's purpose was to attack private and public U.S. government organizations. 
  • In July 2020, making its comeback, threat actor Charming Kitten launched a cyberespionage campaign, using WhatsApp and LinkedIn to imitate Persian speaking journalists. The targets included the U.S. government, Israeli scholars belonging to Tel Aviv and Haifa universities. 
  • In June 2020, an amateur hacking group from Iran attacked Asian companies using 'Dharma' ransomware. 

According to intelligence reports, the hackers used widely available hacking tools to target companies in China, Russia, Japan, and India. From July 2020, threat actor Fox Kitten is also infamous for giving small corporate networks access on hacking forums. According to experts, it is just trying to generate revenue using other income channels, using systems that lack any intelligence value but provide Iran money.

A Brief Summary of The Potential Threats Revealed in Black Hat 2020 Conference


Cybersecurity experts had a lot to say about possible cybersecurity threats in the USA Black Hat Conference.




Main Highlights

US Presidential Elections
As the US awaits its presidential elections, cybersecurity has become a significant issue. In the conference, experts came out with various solutions to election-related cybersecurity threats that might arise during the campaigning and offered new ideas to strengthen the infrastructure.

Exploits and Vulnerabilities 
Cybersecurity expert Matt Vixey presented research on cybersecurity exploits. The main idea is that cyberattacks can only be prevented if there's a proper system involved; in other words, a plan-of-action. Here, the 'Human factor' risk is involved, and the hackers attack it.

DNS Attacks 
In recent times, DNS encryptions and its security have come into question. Hackers have come with a new way to breach the encryption; the technique is known as DOH (DNS-over-HTTPS). The key speaker for the topic was Mr. Eldridge Alexander, Cisco's Duo Labs, Security Research, and Development manager.

Cyberthreats and COVID-19 
The COVID-19 pandemic saw a surge in cybersecurity threats. With people working from home, hackers saw new targets that were easy to attack. Keeping this particular issue in mind, Shyam Sundar Ramaswami presented several ways to identify pandemic based malware or malspam, including a rapid statics analysis approach.

A world without passwords 
Imagine a world with no passwords, a world where all the systems are integrated with a unique authorization model. Wolfgang Goerlich and Chris Demundo presented their 'Zero Trust' theory, where systems would not need to require passwords, making a secure cyber world.

Possible Threats

  • Influence Campaigns- Misuse of social media platforms to disseminate fake news and misinformation has become a critical problem, especially during the election campaigns. 
  • According to James Pevur, satellite communications are open to surveillance and monitoring. Hackers can easily bug communication using a few sophisticated gadgets. 
  • Botnets- Hackers can use high watt devices and turn them into Botnets, attacking energy campaigns. 
  • Experts say that open source tools can be used by hackers to create fake websites or channels that look the same as the original. It can allow the influence of public opinion.

APT36: A Pakistani Hacking Group, Strengthens Its Operations and Finds New Targets


Famous as APT36, Transparent Tribe is a hacking group that works from Pakistan. APT36 is infamous for monitoring and spying over government activities and military operations in Afghanistan and India. As per the latest reports, APT36 has now strengthened its workforce with better tools and strategies

About the incident 

APT36 usually focuses on using the same TTP (tactics, techniques, and procedures) except in a few cases where it uses different strategies for unique programs.


Some key highlights-

  • According to the reports, APT36 has sharpened its tools and activities. It involves attacking campaigns on a much larger scale and specifically targeting Afghanistan. 
  • Usually, APT36 uses 'custom.net' malware, commonly known as 'crimson rat.' APT36 has been using other malware recently, including python-based 'Peppy rat.' 
  • In the period between June2019-June2020, 200 samples were collected, which showed the Transparent Tribe Commission's components. 

Mode of operation 

  • APT36 uses spear-phishing emails containing MS-Office files, which are encoded with the malware. After successful execution, the malware can steal sensitive information, private credentials, capture screenshots, steal logs and keys, and regulate the microphone and webcam. 
  • Besides this, APT36 also uses the USBworm. It is a multipurpose malware that can steal information and function as a worm to attack any network and exploit vulnerabilities. 


APT36 attacks


  • APT36 attacked Indian railways in June and stole important information 
  • Earlier this year, APT36 deployed spear-phishing emails, posing to work as an authentic communication of government of India 
  • Cybersecurity experts have observed that APT36's primary targets include military and diplomacy from the past one year. According to them, the attacks will not decrease in the foreseeable future; on the other hand, they expect it to rise. 

According to Kaspersky's report, "we found two different server versions, the one being a version that we named "A," compiled in 2017, 2018, and 2019, and including a feature for installing the USBWorm component and executing commands on remote machines. The version that we named "B" was compiled in 2018 and again at the end of 2019. The existence of two versions confirms that this software is still under development, and the APT group is working to enhance it."

FBI Arrests Russian Hacker, Who Tried To Convince An Employee to Hack His Nevada Company


A hacker from Russia went to America and asked an employee of a Nevada company to install a malware in their company network. 

In a recent incident, the U.S Department of Justice declared charges against a Russian hacker today. The Russian national had traveled all the way to America to ask an American employee if he could set up malware, offering him $1,000,000 for the job. As per the court's reports today, the culprit, a 27-year-old hacker from Russia, named Egor Igorevich Kriuchkov, is found as a criminal member of an infamous Russian hacking group. The purpose of the attack was to gain internal access to the company's network and hack confidential information, later to be used as extortion for ransom purposes.


According to the company employee, Igor told him that to prevent the company from knowing about the primary attack, his team of hackers would launch DDoS attacks as a decoy to distract the corporate."The purpose of the conspiracy was to recruit an employee of a company to surreptitiously transmit malware provided by the coconspirators into the company's computer system, exfiltrate data from the company's network, and threaten to disclose the data online unless the company paid the coconspirators' ransom demand," says the court document.

However, Igor's heist plan failed when the employee who was contacted reported this incident to the FBI. The FBI kept a watch on Igor for the first few days, observing his every move. When it finally had all the evidence for the prosecution, the FBI arrested Igor last Saturday.

Timeline of Igor's visit to his arrest- 
  • Igor contacts employee CHSI (identified by the court) via WhatsApp and briefs him about the attack. Both used to be friends two years ago. 
  • Igor arrives in the U.S, meets with CHSI at a bar. 
  • On Igor's last day of the trip, he gives CHS1 all the details about the 'special project.' 
  • In the later events, the FBI contacts Igor, who tries to flee the country at that moment and is finally arrested.

Facebook Struggles Against Hate Speech and Misinformation, Fails to Take Actions


In the last month, FB CEO Mark Zuckerberg and others met with civil rights activists to discuss FB's way of dealing with the rising hate speeches on the platform. The activists were not too happy about Facebook's failure to deal with hate speeches and misinformation. As it seems, the civil rights group took an 'advertising boycott' action against the social media giant and expressed their stark criticism. According to these civil groups, they have had enough with Mark Zuckerberg's incompetency to deal with white supremacy, propaganda, and voters suppression on FB.


This move to boycott Facebook came as a response to Donald Trump's recent statement on FB. Trump said that anti-racism protesters should be treated with physical violence, and he also spread misinformation about mail-in voting. FB, however, denies these allegations, saying these posts didn't violate community policies. Even after such incidents, the company ensures that everything's alright, and it just needs to toughen up its enforcement actions.

"Facebook stands firmly against hate. Being a platform where everyone can make their voice heard is core to our mission, but that doesn't mean it's acceptable for people to spread hate. It's not. We have clear policies against hatred – and we constantly strive to get better and faster at enforcing them. We have made real progress over the years, but this work is never finished, and we know what a big responsibility Facebook has to get better at finding and removing hateful content." "Later this morning, Mark and I, alongside our team, are meeting with the organizers of the Stop Hate for Profit campaign followed by a meeting with other civil rights leaders who have worked closely with us on our efforts to address civil rights," said COO Sheryl Sandberg in her FB post.

In another incident, FB refused to take action against T. Raja Singh, an Indian politician from BJP. According to the Wall Street Journal, the company didn't apply its hate speech policies on Raja's Islamophobic remarks. FB employees admitted that the politicians' statements were enough to terminate his FB account. The company refused to, as according to the FB executive in India, could hurt FB's business in India.

Russian Hackers Use Linux Malware Drovorub, NSA and FBI Finds Out


The NSA and FBI released a joint report today, which told about a new kind of Linux malware. According to these two intelligence agencies, state-sponsored military Russian hackers are using this new malware. These hackers used Drovorub to plant backdoors inside breached networks. Fancy Bear and Sednit (APT28) are behind these attacks. The NSA and FBI have notified major private and public companies to stay aware of the malware and implement protective measures to keep safe. The malware comes with an implant and is a multi-component system. It comes with a file transfer kit, a C2 server, a kernel module tool, and a port-forwarding module.


The malware is a kind of Swiss army knife. Using Drovorub, hackers can do many things like controlling the target's systems and stealing data and personal files. Besides this, Drovorub is designed to work in stealth mode. It uses rootkit technologies to stay undetected. It allows hackers to deploy malware at different places and systems, which allows attack at any given instant. Regarding the cyberattacks issue, the US has always been a primary target for cybercriminals due to its sophisticated technology environment.

There's no substantial evidence as to the motive behind this attack. However, experts believe that the purpose might be espionage or tampering the upcoming presidential elections. The joint report of FBI and NSA says, "The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, is deploying previously undisclosed malware for Linux® systems, called Drovorub, as part of its cyberespionage operations. GTsSS malicious cyber activity has formerly been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and various other identifiers."

To stay safe, the agency has recommended US companies updating Linux systems to the latest update kernel version 3.7. "To prevent an order from being susceptible to Drovorub's hiding and persistence, system administrators should upgrade to Linux Kernel 3.7 or later to take full advantage of kernel signing enforcement. Additionally, system owners are advised to configure systems to load only modules with a valid digital signature making it more difficult for an actor to introduce a malicious kernel module into the system," says the US intelligence agencies' report.

Online Exam Tool ProctorU Breached, Half A Million User Accounts Leaked Online


Around half a million online users were affected due to the breach of online examination software called "ProctorU," a platform widely used in teaching institutes. The hackers, belonging to Shiny Hunters Group, recently posted the leaked data on the web, which contained details of 444,267 users, confirm the cybersecurity experts. ProctorU is a tool that provides institutions automatic monitoring options while conducting the examination. ProctorU, an American firm, built the application.


The data leaked belong to different individuals and organizations, including various education institutes, companies, and users of the breached software. The data leak is part of a bigger scheme of the Shiny Hunters Group, say some sources. They have posted other leaks in the recent weel. More than 386 Million users' data was published online in the past week by hackers. The companies affected include- Couchsurfing, WattPad, Minted, Bhinneka, Dunzo, Dave.com, and many others. The data leaked online include sensitive user information like which include usernames, passwords, full names of the individuals, contact no, and residential address.

Various universities worldwide have been affected by this breach, as they relied on ProctorU for conducting online examinations, keeping the social distancing in mind due to the coronavirus. Sydney University had done the same and used ProctorU to conduct its semester examinations. The University released a statement related to the breach expressing concern for the event. But the University of Sydney has come under a lot of criticism from the users as well as experts. According to them, ProctorU violates the student privacy policy, as given in the University.

Students have complained that the techniques ProctorU uses to keep a watch can be very intrusive and personal. During the examination, the tool asked students to show their surroundings, and also had control over the user's computer. It could be possible that ProctorU could send these data to third parties. "We consistently warned the University that this could happen. We demand the University immediately suspend the use of ProctorU, as that is the only way to guarantee that students are not exposed again in the future," said the Student Council of the University.

Florida Teen Responsible for Hijacking High Profile Twitter Accounts Arrested, Faces 30 Felony Charges


US police authorities in a press conference on Friday said they had arrested the main accused and two other suspects responsible for a major Twitter hack earlier this month. The main accused is recognized as Graham Ivan Clark, 17 years teen who lives in Tampa, Florida. WFLA-TV, a Florida-based news agency that reported the incident for the first time, said that it was the main suspect (Clark), who was arrested for the Twitter attack. The arrest happened through a national collaboration IRS, Secret Service, the FBI, and the DOJ.


Andrew Warren, State Attorney of Hillsborough, charged Clark responsible for the 15th July Twitter incident. Clark was alleged for being the "mastermind" behind the attack in which the 'suspects hijacked various high profile Twitter accounts.' The hackers used these accounts to tweet about fake cryptocurrency scams. Here's a list of hijacked accounts: Joe Biden, Barrack Obama, Bill Gates, Kanye West, Elon Musk, Apple, Jeff Bezos, Uber, Michael Bloomberg, Kim Kardashian, and various others. According to officials, the hack resulted in getting $1,00,000 worth amount transferred to Clark's account within a day.

Clark now faces 30 felony charges. These include: 

  • Communications Fraud 
  • Organizing Fraud 
  • Use of personal information for frauds 
  • Accessing electronic device without legal authority


The charges specified above were declared through Livestream by the Hillsborough State Attorney. In the beginning, Warren didn't specify whether Clark had other associates working for him. After the press conference, it came to public notice that two other suspects were working with Clark, identified as Mason Sheppard, 19, alias name "Chaewon," and Nima Fazeli, 22, alias name "Rolex." The suspect's arrest happened just after Twitter had published its inquiry report related to th 15th July Twitter hack.

Some of the critical points in the report are mentioned below:

  • The incident happened on 20th July 2020 
  • To gain access to Twitter employees' accounts, hackers used phone bases social engineering systems. Hackers got access to the slack accounts and gained credentials (Yet to be confirmed) 
  • Hackers escaped the 2 step authentication; the report doesn't mention whether backend accounts or slack accounts. 
  • After this, hackers used Twitter's tech support tools to control the accounts. 
  • Hackers breached 130 accounts 
  • Hackers also attempted to sell some of the high profile Twitter profiles.

Telegram Takes Down Islamist Propaganda on its Platform, Extremist Groups Struggle


The social networks and US military have imposed high regulations to control Islamist propaganda on social media and have been able to take down Islamic State terrorist groups. After this move, experts say these groups are now struggling to recover their control on the mainstream social media apps and networks. As most of the major social networking sites have choked the group, the Islamist group has tried to build its propaganda on small sites. But even there, it has met by strong regulations by the authorities. According to Europol, an EU (European Union) law agency, the social networking companies have tried to bring down these Islamist propaganda content growing on their websites, in an attempt to take down the extremist group activities on social media.


Europol, in its report, said, "While Google and Instagram deployed resilience mechanisms across their services, Telegram was the online service provider receiving most of the referral requests during this Action Day. As a result, a significant portion of key actors within the IS network on Telegram were pushed away." These extremist groups used Telegram as their primary platform of propaganda until 2019.

According to Europol, Telegram had removed up to 5000 terrorist profiles and bots in two days, in an effort against shutting down the Islamist propaganda. Earlier, it was only able to take down 200-300 accounts on average. After that incident, the extremist groups moved towards more covert apps like the Russian "TamTam" and "Hoop Messenger." Canada hosts these websites. The IS, in apparent desperation, has also started using chat services designed for blockchain developers to spread their messages. In 2016-17, the US cyber command took action against these extremist groups. It shut down recruitment groups and suppressed their further attempts to spread the messages.

Currently, the US cyber command has presidential approval to combat IS propaganda with cyberattacks. They have also widened their jurisdiction area since then. "In the past year and a half, Telegram has also put forth a considerable effort to root out the abusers of the platform by bolstering its technical capacity in countering malicious content and establishing a close partnership with Europol," says Europol.

Gothic Panda and Stone Panda: Chinese Hackers that Launched Mass Cyber Attacks on Indian Companies


Two Hacking groups from China named Gothic Panda and Stone Panda have been identified for organizing the majority of the cyber attacks on Indian companies in June 2020. Mumbai Mirror reported was the first to know about the incident. On 20th June, it published a report on its website regarding the issue. As per the cybersecurity experts, the word is that both the hacking groups are likely to work independently and not state-sponsored; however, they work in the interests of the Chinese government. According to experts, an anonymous source said that the attacks were launched under the disguise of VPN and Proxy Servers. After investigation, the attacks led us to Gothic Panda and State Panda, say the officials.

Chinese hackers launched more than 40,000 attacks. The hackers had used some unique malware to gain confidential data of the companies and later used the information for extortion. According to the reports, the hackers broke into at least six private/public companies' safety procedures. These include a government-regulated organization in Jammu and Kashmir and companies operating in New Delhi and Mumbai. The attacks were traced back to Souther Western Chinese province named Sichuan. These players also attempted to take down websites linked to companies that were involved in banking and finance.

The hackers used DDoS attacks (Distributed Denial of Service) and Internet Protocol Hijack. Experts say that these attacks, also called 'Probes,' look for vulnerabilities in a website's security features. In an incident where the hackers were able to crash the website, the home page was modified, and the content was changed with a foreign language. Experts say that there were no other successful probes except this incident.

In a DDoS attack, the hacker tries to rupture a cyber network, such as a website. For example, if a website page's utility provider's limit is 5000 requests/second, the hackers will pile it up with 5,00,000 requests/second and crash the website. Whereas in an Internet Protocol Hijack, the hacker tries to divert the course of traffic. In this case, the internet traffic was diverted through China for surveillance purposes.

Hackers Breached into Twilio's AWS; Company Confirms the Attack


In a recent cybersecurity breach incident, Twilio acknowledges that hackers breached into the company's cloud services (unsecured) and compromised its javascript SDK. The hackers modified the javascript that the company shares with the clients. Twilio, a famous cloud communications company, told a news agency about the incident, after an anonymous whistleblower had reported the issue to the agency. To summarise it all, a cybercriminal breached into Twilio's AWS (Amazon Web Services) S3 systems. It should be noted that the networks were unsecured and world-writable. The hacker modified the TaskRouter v1.20 SDK and attached some malicious codes designed to tell if the changes worked or not.


In response to the incident, Twilio says that the customer's privacy safety is the first and foremost concern for the company. Twilio confirms about the malware in the TaskRouter v1.20 SDK, and that it was the work of a 3rd party. The modification of the S3 bucket made the attack possible. According to Twilio, it immediately closed the S3 bucket after knowing the issue and has issued an inquiry into the incident. The company took roundabout 12 hours to deal with the issue. Currently, it has no proof if any of the customer accounts were stolen or not. However, it confirms that the hacker didn't break into the company's internal systems to modify coding or data.

 Twilio uses JavaScript SDK as a method to connect your business operations to its task router platforms. The company plans to publish a detailed report about the incident in a few days. However, a friendly suggestion to the users, if you have downloaded or installed an SDK copy, make sure that you have a legit copy.

 "Our investigation of the javascript that was added by the attacker leads us to believe that this attack was opportunistic because of the S3 bucket's misconfiguration. We believe that the attack was designed to serve malicious advertising to users on mobile devices," said Twilio to The Register as a response to the incident. It also says, "If you downloaded a copy of v1.20 of the TaskRouter JS SDK between July 19th, 2020 1:12 PM and July 20th, 10:30 PM PDT (UTC-07:00), you should re-download the SDK immediately and replace the old version with the one we currently serve."

Importance of Cybersecurity in the Healthcare Sector


Hackers and cybercriminals have targeted the healthcare sector for a long time. Among the healthcare industry, hospitals are generally the primary target for hackers, as they generate a lot of money. The hospitals hold very sensitive information of the patients, including credentials and personal data, and the hackers can take advantage of that. Due to the coronavirus pandemic, hospitals have received a large number of funds from the government and other agencies to deal with the issue, and the hackers are after the money.


The critical issue is that healthcare IT systems store patient credentials, including banking details, ID, and credit card details. Besides this, information such as patient's HIV details can be exposed, and cybercriminals can exploit for extortion. On the dark web, ID credentials can be sold for very profitable money, so the government and healthcare industry should take extra precautions to stay safe from cyber attacks. In the present pandemic crisis, blackmail has become one of the most common cyberattacks threats. Blackmail is different from ransomware; in the latter, the player holds company data as ransom by encrypting malware. Whereas, while blackmailing, the hacker threatens to expose critical data, unless his demands are met, which is mostly money.

In this scenario, the hospitals don't have any option but to compensate the cybercriminal as revealing patient information is not only dangerous but also against the doctor-patient confidentiality. In the starting phase of the COVID-19 outbreak, hackers across the world didn't target the healthcare industry. It created a false sense of security among the government and experts that the healthcare sector was safe from hackers and cyber attacks. It was all but long when the hackers finally decided to take a toll on cyberattacks on healthcare.

Therefore, the healthcare industry should step-up and create a robust cybersecurity infrastructure that ensures patients' privacy and security. General awareness of cybersecurity among citizens is also essential, especially sensitizing the hospital staff. Most important and the last one, healthcare institutes should team up with cybersecurity agencies that provide protection and security from cyber attacks and hackers.

Black Box: A New ATM Attack that Diebold Nixdorf Warns Off


A unique kind of ATM attack has come to surface called "Black Box." ATM developer Nixdorf warns the financial sector to stay on alert. The attack was widespread accross Europe recently. The Black Box ATM attacks are similar to Jackpotting, in which hackers make the ATMs dispense out cash in piles. Hackers use jackpotting to attach a malware in the ATM or use a black box instead. "Some of the successful attacks show a new adapted Modus Operandi on how the attack is performed.
"Although the fraudster is still connecting an external device, at this stage of our investigations, it appears that this device also contains parts of the software stack of the attacked ATM," says Diebold.


In the case of black-box attacks, the hacker tampers with the ATM's external casing and gets access to the port. The hacker can also put a hole in the machine to find internal wires and connectors. Once the hacker has access, he connects the black-box with the ATM through a laptop, building a connection with the internal systems. After this, the hacker then has control over the command options and uses it to dispense cash out of the ATM.

These kinds of jackpotting attacks on ATMs have happened for a decade. The jackpotting attacks have been quite famous among gangs, as the method is very cost-effective and profitable. Jackpotting attacks are more straightforward compared to cloning cards, ATM skimming, and laundering money, which consumes quite a lot of time. Another reason for the popularity of black-box attacks is that the noob hackers (amateur) don't have to spend a lot of money to get a black box. One can purchase a device and launch an ATM attack without having to spare a lot of time.

"In recent incidents, attackers focus on outdoor systems and are destroying parts of the fascia to gain physical access to the head compartment. Next, the USB cable between the CMD-V4 dispenser and the special electronics, or the cable between special electronics and the ATM PC, was unplugged. This cable is connected to the black box of the attacker to send illegitimate dispense commands," says Diebold on his website.

Welcome Chat App Harvesting User Data and Storing it in Unsecure Location


A messaging platform for Android, Welcome Chat spies upon its users and stores their data in an unsafe location that is accessible to the public. The authors of the app claim it to be available on the Google Play store, meanwhile, marketing it to be a secure platform for exchanging messages which however is not true by any means.

The website of the malicious 'Welcome Chat' app publicizes the platform as a secure communication Android solution, however, security researchers from ESET discovered the app being associated to a malicious operation having links to a Windows Trojan called 'BadPatch' which was employed by Gaza Hackers in a malicious campaign – a long-running cyber espionage campaign in the Middle-East. While the origins of the website advertising the app are unknown, the domain was registered by the developers in October 2019. Interestingly, the app doesn't only function as spyware but works perfectly as a chatting platform as well.

After downloading the app, users need to give permission for allowing installation from unknown sources as the app was not installed via the official app store. Once the Welcome Chat is activated, it asks permission to access the user's contacts, files, SMS, location details, and record audio. Although the list of permissions gets pretty exhaustive for a user to not doubt it, then again they are used to it, especially in case of a messaging platform.

As soon as the app receives all the permissions, it starts mining the victim's data which includes phone recordings, location details, SMS messages and sends it to the cybercriminals behind the malicious operation.

While giving insights about the app, Lukáš Štefanko, researcher at ESET, told, “In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store.”

“We did our best to discover a clean version of this app, to make its developer aware of the vulnerability. But our best guess is that no such app exists. Naturally, we made no effort to reach out to the malicious actors behind the espionage operation,” added Štefanko.

Hackers Attack Online Stores Stealing Credit Card Data, Experts Allege North Korea


According to the recent findings, there has been an incident of web skimming attacks on the European and American online store websites. The hackers responsible for the attacks are likely to be state-sponsored from North Korea. Research conducted by cybersecurity experts at Sansec reveals that the web skimming attacks that broke into the online retail stores started in May 2019. APT Lazarus and Hidden Cobra hacking groups were responsible for the attacks, planting payment skimmers to breach the security.



According to the new research, the hackers have now increased their activities. They have now set a larger target area and attack online stores using a skimming script, which steals the customer's banking credentials during the checkout stage. The researchers from Sansec claim that the attacks were carried out by Hidden Cobra because a similar hacking pattern was used in their previous attacks.

What is Magecart Attack? 
It is a web skimming attack in which hackers can steal banking credentials from the user and credit card details. However, in this incident, Hidden Cobra, after gaining access, launched a large scale attack on big online retail stores. Once hackers have unauthorized access, they deploy fake scripts on the websites' checkout pages. The skimmer then stores all the credentials that the user types during the checkout stage and sends it to the main Hidden Cobra servers. According to Sances data, in millions of online stores, up to 100 stores' websites are compromised on an average every day.

"To monetize the skimming operations, HIDDEN COBRA developed a global exfiltration network. This network utilizes legitimate sites that were hijacked and repurposed to serve as disguises for criminal activity. The system is also used to funnel the stolen assets so that they can be sold on dark web markets. Sansec has identified a number of these exfiltration nodes, including a modeling agency8 from Milan, a vintage music store9 from Tehran, and a family-run book store10 from New Jersey," says the Sansec report. Experts have now linked various attacks since 2019 to Hidden Cobra, say that the threat actors are very likely to be state-sponsored.