Search This Blog

Showing posts with label Cybersecurity. Show all posts

U.S Suffers A Massive Wave Of Cyberattacks In Healthcare Industry, FBI Issues Alert

 

Cybercriminals are attacking the U.S. healthcare systems, destroying the network infrastructures, and stealing critical data. The U.S. federal agencies have issued an alarm that healthcare is in great danger of cyberattacks and intrusions. Hackers have become more active in attacking healthcare networks. The rise in hacking attempts had led to a risk of breach of patient privacy, which is a critical issue during the Covid-19 pandemic, as the cases are at an all-time high. 

The FBI and other agencies in a joint report mentioned that they had verified information about cyberattacks on U.S. healthcare providers and hospitals. The warning also emphasized that few criminal groups are now targetting the healthcare industry to steal critical data and disrupt health care services. The ransomware attacks can scramble data into jargon. Only the security keys that the hacker has can reassemble data. The hacker demands payment in turn for providing the security keys. According to cybersecurity experts, the criminal groups had attacked more than five U.S hospitals until this week, and the figures can go up to a hundred. The election is almost near, and a Russian hacking group attacks the healthcare systems. 

According to the Guardian, "The federal alert was co-authored by the Department of Homeland Security and the Department of Health and Human Services." The attack's motive is not clear, but it seems that it was most likely to be money. Cybersecurity firm Mandiant says that this is the most dangerous cyber threat ever witnessed in the U.S. Another firm, Hold Security, states that it is the first time they have seen a massive cyberattack of such scale in the U.S. 

We should note that the attack's timing before the elections and during the pandemic makes it a severe cyber threat. In the past 18 months, the U.S has experienced a wave of ransomware attacks, with targets like schools, government authorities, and cities. "The cybercriminals launching the attacks use a strain of ransomware known as Ryuk, which is seeded through a network of zombie computers called Trickbot that Microsoft began trying to counter earlier in October," reports the Guardian.

Russian Hackers Infiltrate U.S Government Networks and Steal Data

 

In a recent cybersecurity incident, the U.S. government issued a statement claiming that state-sponsored Russian hackers attacked the U.S. agencies and successfully breached the government networks. CISA (Cybersecurity and Infrastructure Security Agency) and FBI (Federal Bureau of Investigation) issued a joint report regarding the issue, confirm the U.S. government officials. 

"The Russian-sponsored APT actor is obtaining user and administrator credentials to establish initial access, enable lateral movement once inside the network, and locate high-value assets to exfiltrate data. To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence U.S. policies and actions, or to delegitimize SLTT government entities," reports FBI and CISA. 

According to the U.S. agencies, the hacking group is called Energetic Bear (code name used by the cybersecurity industry). The hacking group is also infamous as Koala, Crouching Yeti, Havex, Dragonfly, TeamSpy, Berserk Bear, and TEMP. Isotope. From February 2020, the hackers targeted multiple US SLTT (state, local, territorial, and tribal) government networks. According to the FBI and CISA, the hackers also attacked aviation industry companies. As per the reports, Energetic Bear was able to attack government network infrastructures. By October 2020, it also stole data from two government servers. The attacks mentioned in the current CISA and FBI reports were also mentioned in a previous joint advisory report. In the earlier report, the agencies revealed how the Energetic Bear attacked the U.S. government's networks using Windows bugs and VPN appliances. 

The present joint report links the attacks to the hacking group. It also provides information about the group's tactics and strategies. As per the experts, the Russian hackers used common vulnerabilities to breach the network gears and exfiltrate data. According to Cyberscoop, "IP addresses used in the hacking were previously employed by the TEMP. Isotope group, according to Mandiant. The hackers exploited a recently revealed vulnerability in a protocol that Microsoft uses to authenticate its users. CISA, on Sept. 18, ordered all federal civilian agencies to update their software to address the flaw because of the risk it carried."

Internet of Things (IoT): Greater Threat for Businesses Reopening Amid COVID-19 Pandemic

 

Businesses have increasingly adopted IoT devices, especially amid the COVID-19 pandemic to keep their operations safe. Over the past year, the number of IoT devices employed by various organizations in their network has risen by a remarkable margin, as per research conducted by Palo Alto Networks' threat intelligence arm, Unit 42. 
 
While looking into the current IoT supply ecosystem, Unit 42 explained the multi exploits and vulnerabilities affecting IoT supply chains. The research also examined potential kinds of motivation for exploiting the IoT supply chain, illustrating how no layer is completely immune to the threat.  

The analysis of the same has been reported during this year's National Cybersecurity Awareness Month (NCSAM), which is encouraging the individual's role in protecting their part of cyberspace and stressing personal accountability and the significance of taking proactive measures to strengthen cybersecurity. 
 
The analysis also noted that supply chain attacks in IoT are of two types – through a piece of hardware modified to bring alterations in a device's performance or from software downloaded in a particular device that has been affected to hide malware. 
 
While highlighting a common breach of ethics, the research mentioned the incorporation of third-party and hardware components without making a list of the components added to the device. The practice makes it hard to find how many products from the same manufacturer are infected when a vulnerability is found on any of the components. Additionally, it also becomes difficult to determine how many devices across various vendors have been affected in general, by the vulnerability.

"The main goals for cyberespionage campaigns are maintaining long-term access to confidential information and to affected systems without being detected. The wide range of IoT devices, the access they have, the size of the user base, and the presence of trusted certificates make supply chain vendors attractive targets to advanced persistent threat (APT) groups..." the report stated. 
 
"In 2018, Operation ShadowHammer revealed that legitimate ASUS security certificates (such as “ASUSTeK Computer Inc.”) were abused by attackers and signed trojanized softwares, which misled targeted victims to install backdoors in their system and download additional malicious payloads onto their machines." 
 
While putting things in a cybercrime perspective, the report noted - "The potential access and impact of compromising a large number of IoT devices also make IoT vendors and unprotected devices popular choices for financially motivated cybercriminals. A NICTER report in 2019 shows close to 48% of dark web threats detected are IoT related. Also in 2019, Trend Micro researchers looked into cybercriminals in Russian-, Portuguese-, English-, Arabic-, and Spanish-speaking marketplaces and discovered various illicit services and products that are actively exploiting IoT devices." 
 
The report stressed the need to "enlist" all the devices connected to a certain network as it will help in identifying devices and their manufacturers, enabling administrators to patch, monitor, or even disconnect the devices when needed. There are instances when all the vulnerable devices are unknown in the absence of a complete list, therefore it is imperative to have complete visibility of the list of all the connected devices in order to defend your infrastructure. 

Impact of Covid-19 Web Threats on Cybersecurity, A Report from Beginning to End

 

Cyberattacks during the Covid-19 pandemic exposed the flawed systems of cybersecurity. We should glance at these attacks and learn new ways to strengthen cybersecurity infrastructure from experience.

Impact of cyberattacks during the pandemic- 

Until the first quarter of 2020, the FBI's cyber division reported a 3-4 times surge in cyberattacks complaints since the start of Covid-19. According to Interpol and FBI data, there has been a massive increase in ransomware, phishing, DDoS and malware attacks; since the coronavirus pandemic. Hackers used email platforms to carry out their web threats. 

Interpol reports, "Cybercriminals are taking advantage of the widespread global communications on the coronavirus to mask their activities. Hospitals, medical centers, and public institutions are being targeted by cybercriminals for ransomware attacks – since they are overwhelmed with the health crisis and cannot afford to be locked out of their systems, the criminals believe they are likely to pay the ransom. The ransomware can enter their systems through emails containing infected links or attachments, compromised employee credentials, or exploiting a system's vulnerability."  

Most of the attacks are disguised under the theme of Covid-19. Hackers copy fake organization platforms like WHO to commit frauds and target victims. Via these platforms, the hackers lure their victims into transferring money, providing banking details, stealing personal user data. All these attacks resulted in making COVID-19 themed attacks the highest in 2020. 

What can we learn from these attacks? 

Hackers use panic and fear to target their victims. The malware and phishing attacks during the Covid-19 pandemic prove that attackers use fear to intimidate their targets. In March alone, experts discovered more than 40000 high risk and 2000 malicious domains. In April 2020, Google reported around 240 million coronaviruses themed malware and spams. Google website says, "Every day, Gmail blocks more than 100 million phishing emails. During the last week, we saw 18 million daily malware and phishing emails related to COVID-19. This is in addition to more than 240 million COVID-related daily spam messages. Our ML models have evolved to understand and filter these threats, and we continue to block more than 99.9% of spam, phishing, and malware from reaching our users."

Deepfake Bots on Telegram, Italian Authorities Investigating

 

Cybercriminals are using a newly created Artificial Intelligence bot to generate and share deepfake nude images of women on the messaging platform Telegram. The Italian Data Protection Authority has begun to investigate the matter following the news by a visual threat intelligence firm Sensity, which exposed the 'deepfake ecosystem' — estimating that almost 104,852 fake images have been created and shared with a large audience via public Telegram channels as of July 2020. 
 
The bots are programmed to create fake nudes having watermarks or displaying nudity partially. Users upon accessing the partially nude image, pay for the whole photo to be revealed to them. They can do so by simply submitting a picture of any woman to the bot and get back a full version wherein clothes are digitally removed using the software called "DeepNude", which uses neural networks to make images appear "realistically nude". Sometimes, it's done for free of cost as well. 
 
According to the claims of the programmer who created DeepNude, he took down the app long ago. However, the software is still widely accessible on open source repositories for cybercriminals to exploit. Allegedly, it has been reverse-engineered and made available on torrenting websites, as per the reports by Sensity. 
 
In a conversation with Motherboard, Danielle Citron, professor of law at the University of Maryland Carey School of Law, called it an "invasion of sexual privacy", "Yes, it isn’t your actual vagina, but... others think that they are seeing you naked."   

"As a deepfake victim said to me—it felt like thousands saw her naked, she felt her body wasn’t her own anymore," she further told. 
 
More than 50% of these pictures are being obtained through victims' social media accounts or from anonymous sources. The women who are being targeted are from all across the globe including the U.S., Italy, Russia, and Argentina.
 
Quite alarmingly, the bot has also been noticed sharing child pornography as most of the pictures circulated belonged to underage girls. The company headquartered in Amsterdam also told that the vicious Telegram network is build up of 101,080 members approximately. 

In an email to Motherboard, the unknown creator of DeepNude, who goes by the name Alberto, confirmed that the software only works with women as nude pictures of women are easier to find online, however, he's planning to make a male version too. The software is based on an open-source algorithm "pix2pix" that uses generative adversarial networks (GANs). 
 
"The networks are multiple because each one has a different task: locate the clothes. Mask the clothes. Speculate anatomical positions. Render it," he told. "All this makes processing slow (30 seconds in a normal computer), but this can be improved and accelerated in the future."

Iran Suffers Largescale Cyberattacks, Two Government Organizations Affected

 

In a recent cybersecurity incident, Iran has confirmed that it suffered two significant cyberattacks. One such attack even targeted Iran's government organizations. IT department of the Iranian government reported that the hackers attacked Iran's two major institutions. However, no hacking group has claimed responsibility for the attack as of now. The Iranian government is yet to confirm whether the actors involved in the breach were domestic or foreign. The earlier target of the attacks happened on Monday and Tuesday is still not confirmed by the government. 

Jerusalem Post reports that the Iranian government made the news of attacks official when the incident started getting heat on social media. Another news agency said that the attacks had damaged Iranian ports' electronic infrastructures. Radio Farda, a US-funded agency, says that the attack targets are likely to be Iran's ports, banks, and maritime organizations; the news, however, isn't confirmed. Tasnim, a quasi-official news outlet, reports that the country's spokesperson said the 'nation's sworn enemies carried out the cyberattacks.' 

The organization reports that the government has blocked the attacks' further efforts and has put a stop to the attacker's ambitions. The spokesperson of the Iranian government's IT department, Abolghasem Sadeghi, says that the attack caused various government institutes to stop their internet services temporarily to aoid further damage. He comments on the episode as 'large scale' and says an investigation has been set up to inquire about the breach. The authorities haven't released other information. 

According to the Jerusalem Post, "Iranian Minister of Communications and Information Technology Mohammad Javad Azari Jahromi claimed that its security shield repelled two of the three attacks in December. Jahromi claimed that the Islamic Republic's national cybersecurity wall, known as Digital Fortress or Dezhfa, helped thwart 33 million cyberattacks against the country in 2019, according to Fars News Service." In a similar attack happened last year, it reported "Intelligence and cybersecurity officials familiar with the incident told the Post that the attack was carried out by "Israeli operatives," possibly in retaliation for an earlier cyber attack on Israel's civilian water system."

Cybersecurity Staff Shortage During Covid-19 Impacts Businesses Worldwide




Covid-19 pandemic has impacted business worldwide, primarily online. Due to this, cybersecurity has become a significant concern for organizations. The threat of cyberattacks and hackers has raised questions and new challenges over the issue of security. The foremost challenge that the industry is facing is the cybersecurity shortage of talent. What the industry needs the most right now are brilliant cyber minds.

ESG's 2019 survey reports that around 53% of business organizations have a deficit of cybersecurity staff. Another research by (ISC)2 says that there is a shortage of about 4 Million cybersecurity staff, meaning that organizations would require a growth rate of 142% to fill the staff deficit in the future. Earlier, there was no exact data to predict how much the COVID-19 problem would impact this issue. However, currently, it is quite clear that the pandemic situation is proving to be problematic. The coronavirus situation has compelled companies and their employees to work from home. 

The WFH trend may be beneficial for the companies, but it also raises attacks from hackers and criminal actors. The issue requires organizations and employees to be cautious while working from home, keeping productive strategies and effectiveness in mind all the time. Working from home, employees have to use safe communication platforms to be safe from cyberattacks and hackers. According to Infosecurity, "the loss of sensitive patient information is not the only cybersecurity threat. Taking advantage of a less secure employee environment, cyber-criminals have intensified their attempts at gaining access to sensitive data by using social engineering techniques. A report from Microsoft states that there are around 30,000 attacks per day that exploit this method." 

Besides this, the most important thing is building secure cyberspace for sharing company files over the internet. "Cybersecurity military officers go through intensive training and acquire a wide range of skills to protect their country from foreign invasion of cyber-capabilities, so it is no wonder big tech companies often seek out the most skilled officers. You should pay attention to military veterans from this field since many of them remain jobless," reports Infosecurity.

Ryuk Ransomware Attacks Union Health Services, Disrupts Hospitals Nationwide



Universal Health Services (UHS) is shut down after a ransomware attack by hackers. Fortune 5oo organization, UHS runs a network of more than 500 hospitals in the nation. Ryuk ransomware is said to be responsible for this attack. The attack took place earlier this week when the employees on Reddit and other platforms reported the issue. According to these discussions on Reddit, it was clear from the comments that many UHS locations took a hit and needed a manual process to re-start.
One user said they had a lot of paperwork as the computers were shut down. Another user said they had to send their patients away, but the lab operations were working fine. However, they didn't have any computer-based access to anything. Another user said that their UHS was shut down. The employees had to handwrite everything and were not allowed to use their computers.

UHS, in its official statement, said, "The I.T. Network across Universal Health Services (UHS) facilities is currently offline, as the company works through a security incident caused by malware. The cyberattack occurred early Sunday morning when the company shut down all networks across the U.S. enterprise. We have no indication that any patient or employee data has been accessed, copied, or misused. The company's U.K. operations have not been impacted." However, UHS has not cleared the type of cyberattack it experienced, but the employees say it is likely to be Ryuk ransomware. 

According to one UHS employee, all the encrypted files had a .ryk extension. Hacked computers also had a ransom note labeled as 'shadow of the universe,' which the Ryuk ransomware uses in its attacks. Employees on Reddit also expressed concern about the health of patients due to the shutdown of the computers. One even said (not verified) that four patients had died due to the delay in care. "We are making steady progress with recovery efforts. Specific applications have already started coming online again, with others projected to be restored on a rolling basis across the U.S.," the UHS statement reads.

Every Organization Should Ask These 8 Questions Before Choosing Their Cybersecurity Provider


Being cybersecurity ready offers many advantages, but your organization can always target hackers unless you do not know critical details. According to a Junior Research report in 2019, the expense of cybersecurity breaches in 2024 will reach to $5 Trillion every year from $3 Trillion currently. The data is helpful, especially for large organizations that depend on third-party cybersecurity services for their day to day operations. Data by Opus and Ponemon Institute shows that 60% of organization attacks happen due to the third-party actors. Data breaches can destroy the brand image of any organization and also result in a financial crisis. To limit data breaches, the organization should have a reliable third-party vendor that it can trust.

Here's why any organization should research while preferring a new provider and why third-party threats are pressing. Fewer vendors mean fewer threats. Currently, companies depend on many vendors to perform their day to day operations. For instance, in 2019, Apple alone had 200 supplier companies. In most of the cases, these threats come from third-party vendors. For instance, hackers attacked Agama, a cryptocurrency app which had vulnerabilities in its third party javascript library.

According to Juniper, "the new research, The Future of Cybercrime & Security: Threat Analysis, Impact Assessment & Mitigation Strategies 2019-2024 noted that while the cost per breach will steadily rise in the future, the levels of data disclosed will make headlines but not impact breach costs directly, as most fines and lost business are not directly related to breach sizes. 

How to choose a reliable vendor? 
  1. Are your vendor's offerings compatible with your organization's needs? 
  2. Your cybersecurity provider should have an excellent cyber score. 
  3. Did your vendor experience any data breach or attack in the past? 
  4. If the provider has an immediate incident response project. 
  5. Whether your cybersecurity provider offers 'right to inquire.' 
  6. If the vendor has an intelligence program for potential threats. 
  7. Whether the vendor has industry certification or not. 
  8. If the third party provider has a chief information security officer or a security contact. 
Answers to these questions will help your organization select third-party cybersecurity provider wisely.

Gamer Alert: More than 10 Billion Attacks On Gaming Industry In 2 Years


According to cybersecurity firm Akamai's recent report titled "State of the Internet/Security," the gaming sector has suffered a big hit in the previous two years. Experts have reported around 10 Billion cyberattacks on the gaming industry between June 2018 and June 2020.

Akamai recorded 100 Billion credential stuffing attacks during this period, out of which 10 Billion amount to attacks on the gaming sector. Besides credential stuffing, Akamai also recorded web application attacks. Hackers targeted around 150 Million web application attacks on the gaming sector.

"This report was planned and mostly written during the COVID-19 lockdown, and if there is one thing that's kept our team san; it is constant social interaction and the knowledge that we're not alone in our anxieties and concerns," says the report. Web application attacks mostly deployed SQL injections and LFI ( Local File Inclusion ) attacks as per the latest published report. It is because hackers can sensitive information of users on the game server using SQL and LFI.

The data can include usernames, account info, passwords, etc. Besides this, experts say that the gaming sector is also a primary target for DDoS (distributed denial-of-service) attacks. Between July 2019 and July 2020, Akamai identified 5,600 DDoS attacks, out of which hackers targeted 3000 attacks on the gaming sector. The increase in the attacks can be because most gamers don't pay much attention to cybersecurity.

According to data, 55% of gamers experienced suspicious activity in their accounts. However, just 20% of these gamers expressed concern about the compromise. Around 50% of hacked players feel that security is a mutual responsibility between gamers and gaming companies. 

Akamai emphasized their concern over the gaming sector becoming an easy target for the hackers. According to Akamai's report, "Web attacks are constant. Credential stuffing attacks can turn data breaches from the days of old (meaning last week) into new incidents that impact thousands (sometimes millions) of people and organizations of all sizes. DDoS attacks disrupt the world of instant communication and connection. These are problems that gamers, consumers, and business leaders face daily. This year, these issues have only gotten worse, and the stress caused by them was compounded by an invisible, deadly threat known as COVID-19."

179 Dark Net Vendors Arrested in a Massive International Sting; 500 kg Drugs Seized


Global police agencies have confiscated over $6.5m both in cash and virtual currencies, 64 firearms, and 1,100 pounds of drugs - arresting 179 vendors across 6 countries including the U.S and Europe in one of the biggest raid on dark web marketplaces. The international sting operation saw considerable co-operation from Law enforcement agencies all over the world including the US, UK, Germany, Europe, Canada, Europe, Sweden, Austria, and the Netherlands.

The 500kg of drugs recovered by investigators during the operation included fentanyl, methamphetamine, oxycodone, ecstasy, cocaine, hydrocodone, MDMA, and several other medicines containing addictive substances, as per the findings.

The authorities dubbed the global sting operation as 'DisrupTor' and while announcing it, they claimed in a press release that the "golden age of the dark web marketplace is over." The roots of the operation go back to May 3, 2019; the day German authorities seized the dark web drug market, "Wallstreet market" and arrested its operators.

"Operations such as these highlight the capability of law enforcement to counter encryption and anonymity of dark web market places. Police no longer only take down such illegal marketplaces – they also chase down the criminals buying and selling illegal goods through such sites." The press release further read.

According to the Justice Department, it was the largest international law enforcement operation that targeted opioid traffickers on the dark web. The investigation witnessed an extensive range of investigators ranging from the FBI, ICE, DEA, Customs and Border Protection (CBP), to the Defense Department.

Commenting on the success of the operation, the head of Europol’s European Cybercrime Centre (EC3), Edvardas Šileris said, “Law enforcement is most effective when working together, and today’s announcement sends a strong message to criminals selling or buying illicit goods on the dark web: the hidden internet is no longer hidden, and your anonymous activity is not anonymous. Law enforcement is committed to tracking down criminals, no matter where they operate – be it on the streets or behind a computer screen.”

“With the spike in opioid-related overdose deaths during the Covid-19 pandemic, we recognize that today’s announcement is important and timely,” said Christopher Wray, FBI director. “The FBI wants to assure the American public, and the world, that we are committed to identifying dark net drug dealers and bringing them to justice.” He further added.

Five Steps That Will Boost Your Cybersecurity And Assure Business Community In Real Life

 

The concept of business and marketing has seen a tremendous change for a few years. Business continuity meant protecting your company in times of crisis. However, it is about recovering from large scale cyberattacks as quickly as possible in the present times. These threats can include malware, phishing emails, DDoS attacks, ransomware, etc.


 
In recent times, there has been a rapid change in the field of cybersecurity too. It has now become a vital part of an organization's business continuity, in protecting employee data, intellectual property, operational plans, R&D, etc. Due to this, a question arises of 'how corporate and IT experts can work hand in hand' to protect an organization and promote its business. 

To achieve these goals, a simple five steps method, if followed, can ensure your organization's cybersecurity and prevent it from threats and cyberattacks. 

1. Prioritize: Threat intelligence should be acquired, and it should be prioritized to formulate a defense plan. Keep in mind that simulation attacks won't be much helpful as real-time attacks. Simulated attacks won't tell you the real strengths and weaknesses. This information helps experts identify the threats they must be more careful about and build a counter-testing testing plan. 

2. Measure: You should examine whether the measures you are taking to protect your business is helpful. If not, your preventive actions are ineffective. The plan should include analyzing threat adversaries and technical attacks, and how your people respond to it. 

3. Optimize: This step involves analyzing the gaps or barriers that you identified in the measuring stage. An effective business means overcoming these gaps and barriers. When the controls are optimized, the testing can then provide more measurable results that will make your security more robust. 

4. Rationalize: Is your investment in security measures proving beneficial or just a waste of money. With the help of testing data acquired after optimizing controls, the experts now know where to cut costs and invest more. It allows a business to save money while keeping the risk factor under control. 

5. Monitor: The final and most crucial step involves keeping a constant eye on changing the IT environment trends. There might come new challenges that your company might have to face; therefore, there should be a continuous evaluation of potential threats that might impact your business.

Hackers Attack Gaming Industry, Sell Player Accounts on Darkweb


Generating a tremendous revenue of $120.1 billion in 2019, the gaming industry is one of the largest and fastest-growing sectors. But this success comes at a high cost as it attracts hackers as a potential target. However, cyber-attacks in the video game industry are hard to trace, making the sector vulnerable to cybercriminals in recent times.



About the attacks
As per recent research, there exist covert markets that trade stolen gaming accounts. These trades can generate an unbelievable amount of $1 billion annually with this business. The Fortnite and Minecraft together amount to 70% of what these underground markets make. According to reports, Roblox, Runescape, Fortnite, and Minecraft are responsible for generating $700 annually. Experts at Night Lion security say that hackers selling stolen Fortnite player accounts are making up to $1 million annually.

Recent developments 
Hackers are now operating as a hierarchical organization, appointing designations for different work. The structured enterprise has positions like developers, senior managers, project managers, sales, and public relations to sensationalize their services.

  • The actors are using open cloud services and digital platforms to conduct their business. 
  • The hackers steal in-game inventories like skins, crates, and coupons from player accounts and sell them on the black market for a lower price. 
  • These hackers often target top gaming accounts and steal player profiles to trade them for lower prices in the underground market. 

Recent attacks 

  • Last month, experts found a game named "Fall Guys: Ultimate Knockout," which contained malicious javascript API. It stole data from target players' discord and browser. 
  • In June 2020, around 1.3 million Stalker Online players' accounts were stolen and sold on the dark web later. 
  • In July 2020, a Nintendo leak revealed the game's details before they were officially launched in the market. 


The gaming industry now faces a bigger challenge to protect its community from the rising attacks. A proactive and multi-layered approach can help gamming companies protect their customers, along with products and services. However, gamers should be careful, too, avoiding re-use of the same password on other platforms.

Iranian Threat Actors Have Modified Their Strategies, Attacks Now More Effective


Since the dawn of the digital age, Iranian hackers have been infamous for their attacks on critical infrastructures, targeting governments, and hacking large corporate networks. The main motive behind these attacks is getting espionage intelligence, steal confidential information, ransomware attacks, and target massive data networks. Since 2019, the hackers have been using developed strategies that are more effective in causing damage to the targets, resulting in better monetary benefits, says the Bloomsbury news.


Attack details

  • Earlier this year in April, hacking group APT34 (otherwise knowns as OilRig) launched a modified version of the backdoor named 'RDAT.' The backdoor uses the C2 channel, which can hide commands and data under images via attachments. 
  • Earlier this year in May, APT34 also added a new tool to its hacking inventory, known as DNSExfiltrator. The tool has allowed hackers to become the first hacking group that uses the DoH (DNS-over-HTTPS) protocol in its attacks. 

Keeping view of these new modifications in the hacking realm, organizations should know that the criminals are evolving and modifying their methods over time. It suggests that hackers have become more powerful and possess a more significant threat to the cybersecurity world.

Other developments 

  • In August 2020, the FBI issued a security alert about the hacking group going by the name of 'Fox Kitten' attacking potentially weak F5 networks. The hacker's purpose was to attack private and public U.S. government organizations. 
  • In July 2020, making its comeback, threat actor Charming Kitten launched a cyberespionage campaign, using WhatsApp and LinkedIn to imitate Persian speaking journalists. The targets included the U.S. government, Israeli scholars belonging to Tel Aviv and Haifa universities. 
  • In June 2020, an amateur hacking group from Iran attacked Asian companies using 'Dharma' ransomware. 

According to intelligence reports, the hackers used widely available hacking tools to target companies in China, Russia, Japan, and India. From July 2020, threat actor Fox Kitten is also infamous for giving small corporate networks access on hacking forums. According to experts, it is just trying to generate revenue using other income channels, using systems that lack any intelligence value but provide Iran money.

A Brief Summary of The Potential Threats Revealed in Black Hat 2020 Conference


Cybersecurity experts had a lot to say about possible cybersecurity threats in the USA Black Hat Conference.




Main Highlights

US Presidential Elections
As the US awaits its presidential elections, cybersecurity has become a significant issue. In the conference, experts came out with various solutions to election-related cybersecurity threats that might arise during the campaigning and offered new ideas to strengthen the infrastructure.

Exploits and Vulnerabilities 
Cybersecurity expert Matt Vixey presented research on cybersecurity exploits. The main idea is that cyberattacks can only be prevented if there's a proper system involved; in other words, a plan-of-action. Here, the 'Human factor' risk is involved, and the hackers attack it.

DNS Attacks 
In recent times, DNS encryptions and its security have come into question. Hackers have come with a new way to breach the encryption; the technique is known as DOH (DNS-over-HTTPS). The key speaker for the topic was Mr. Eldridge Alexander, Cisco's Duo Labs, Security Research, and Development manager.

Cyberthreats and COVID-19 
The COVID-19 pandemic saw a surge in cybersecurity threats. With people working from home, hackers saw new targets that were easy to attack. Keeping this particular issue in mind, Shyam Sundar Ramaswami presented several ways to identify pandemic based malware or malspam, including a rapid statics analysis approach.

A world without passwords 
Imagine a world with no passwords, a world where all the systems are integrated with a unique authorization model. Wolfgang Goerlich and Chris Demundo presented their 'Zero Trust' theory, where systems would not need to require passwords, making a secure cyber world.

Possible Threats

  • Influence Campaigns- Misuse of social media platforms to disseminate fake news and misinformation has become a critical problem, especially during the election campaigns. 
  • According to James Pevur, satellite communications are open to surveillance and monitoring. Hackers can easily bug communication using a few sophisticated gadgets. 
  • Botnets- Hackers can use high watt devices and turn them into Botnets, attacking energy campaigns. 
  • Experts say that open source tools can be used by hackers to create fake websites or channels that look the same as the original. It can allow the influence of public opinion.

APT36: A Pakistani Hacking Group, Strengthens Its Operations and Finds New Targets


Famous as APT36, Transparent Tribe is a hacking group that works from Pakistan. APT36 is infamous for monitoring and spying over government activities and military operations in Afghanistan and India. As per the latest reports, APT36 has now strengthened its workforce with better tools and strategies

About the incident 

APT36 usually focuses on using the same TTP (tactics, techniques, and procedures) except in a few cases where it uses different strategies for unique programs.


Some key highlights-

  • According to the reports, APT36 has sharpened its tools and activities. It involves attacking campaigns on a much larger scale and specifically targeting Afghanistan. 
  • Usually, APT36 uses 'custom.net' malware, commonly known as 'crimson rat.' APT36 has been using other malware recently, including python-based 'Peppy rat.' 
  • In the period between June2019-June2020, 200 samples were collected, which showed the Transparent Tribe Commission's components. 

Mode of operation 

  • APT36 uses spear-phishing emails containing MS-Office files, which are encoded with the malware. After successful execution, the malware can steal sensitive information, private credentials, capture screenshots, steal logs and keys, and regulate the microphone and webcam. 
  • Besides this, APT36 also uses the USBworm. It is a multipurpose malware that can steal information and function as a worm to attack any network and exploit vulnerabilities. 


APT36 attacks


  • APT36 attacked Indian railways in June and stole important information 
  • Earlier this year, APT36 deployed spear-phishing emails, posing to work as an authentic communication of government of India 
  • Cybersecurity experts have observed that APT36's primary targets include military and diplomacy from the past one year. According to them, the attacks will not decrease in the foreseeable future; on the other hand, they expect it to rise. 

According to Kaspersky's report, "we found two different server versions, the one being a version that we named "A," compiled in 2017, 2018, and 2019, and including a feature for installing the USBWorm component and executing commands on remote machines. The version that we named "B" was compiled in 2018 and again at the end of 2019. The existence of two versions confirms that this software is still under development, and the APT group is working to enhance it."

FBI Arrests Russian Hacker, Who Tried To Convince An Employee to Hack His Nevada Company


A hacker from Russia went to America and asked an employee of a Nevada company to install a malware in their company network. 

In a recent incident, the U.S Department of Justice declared charges against a Russian hacker today. The Russian national had traveled all the way to America to ask an American employee if he could set up malware, offering him $1,000,000 for the job. As per the court's reports today, the culprit, a 27-year-old hacker from Russia, named Egor Igorevich Kriuchkov, is found as a criminal member of an infamous Russian hacking group. The purpose of the attack was to gain internal access to the company's network and hack confidential information, later to be used as extortion for ransom purposes.


According to the company employee, Igor told him that to prevent the company from knowing about the primary attack, his team of hackers would launch DDoS attacks as a decoy to distract the corporate."The purpose of the conspiracy was to recruit an employee of a company to surreptitiously transmit malware provided by the coconspirators into the company's computer system, exfiltrate data from the company's network, and threaten to disclose the data online unless the company paid the coconspirators' ransom demand," says the court document.

However, Igor's heist plan failed when the employee who was contacted reported this incident to the FBI. The FBI kept a watch on Igor for the first few days, observing his every move. When it finally had all the evidence for the prosecution, the FBI arrested Igor last Saturday.

Timeline of Igor's visit to his arrest- 
  • Igor contacts employee CHSI (identified by the court) via WhatsApp and briefs him about the attack. Both used to be friends two years ago. 
  • Igor arrives in the U.S, meets with CHSI at a bar. 
  • On Igor's last day of the trip, he gives CHS1 all the details about the 'special project.' 
  • In the later events, the FBI contacts Igor, who tries to flee the country at that moment and is finally arrested.

Facebook Struggles Against Hate Speech and Misinformation, Fails to Take Actions


In the last month, FB CEO Mark Zuckerberg and others met with civil rights activists to discuss FB's way of dealing with the rising hate speeches on the platform. The activists were not too happy about Facebook's failure to deal with hate speeches and misinformation. As it seems, the civil rights group took an 'advertising boycott' action against the social media giant and expressed their stark criticism. According to these civil groups, they have had enough with Mark Zuckerberg's incompetency to deal with white supremacy, propaganda, and voters suppression on FB.


This move to boycott Facebook came as a response to Donald Trump's recent statement on FB. Trump said that anti-racism protesters should be treated with physical violence, and he also spread misinformation about mail-in voting. FB, however, denies these allegations, saying these posts didn't violate community policies. Even after such incidents, the company ensures that everything's alright, and it just needs to toughen up its enforcement actions.

"Facebook stands firmly against hate. Being a platform where everyone can make their voice heard is core to our mission, but that doesn't mean it's acceptable for people to spread hate. It's not. We have clear policies against hatred – and we constantly strive to get better and faster at enforcing them. We have made real progress over the years, but this work is never finished, and we know what a big responsibility Facebook has to get better at finding and removing hateful content." "Later this morning, Mark and I, alongside our team, are meeting with the organizers of the Stop Hate for Profit campaign followed by a meeting with other civil rights leaders who have worked closely with us on our efforts to address civil rights," said COO Sheryl Sandberg in her FB post.

In another incident, FB refused to take action against T. Raja Singh, an Indian politician from BJP. According to the Wall Street Journal, the company didn't apply its hate speech policies on Raja's Islamophobic remarks. FB employees admitted that the politicians' statements were enough to terminate his FB account. The company refused to, as according to the FB executive in India, could hurt FB's business in India.

Russian Hackers Use Linux Malware Drovorub, NSA and FBI Finds Out


The NSA and FBI released a joint report today, which told about a new kind of Linux malware. According to these two intelligence agencies, state-sponsored military Russian hackers are using this new malware. These hackers used Drovorub to plant backdoors inside breached networks. Fancy Bear and Sednit (APT28) are behind these attacks. The NSA and FBI have notified major private and public companies to stay aware of the malware and implement protective measures to keep safe. The malware comes with an implant and is a multi-component system. It comes with a file transfer kit, a C2 server, a kernel module tool, and a port-forwarding module.


The malware is a kind of Swiss army knife. Using Drovorub, hackers can do many things like controlling the target's systems and stealing data and personal files. Besides this, Drovorub is designed to work in stealth mode. It uses rootkit technologies to stay undetected. It allows hackers to deploy malware at different places and systems, which allows attack at any given instant. Regarding the cyberattacks issue, the US has always been a primary target for cybercriminals due to its sophisticated technology environment.

There's no substantial evidence as to the motive behind this attack. However, experts believe that the purpose might be espionage or tampering the upcoming presidential elections. The joint report of FBI and NSA says, "The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, is deploying previously undisclosed malware for Linux® systems, called Drovorub, as part of its cyberespionage operations. GTsSS malicious cyber activity has formerly been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and various other identifiers."

To stay safe, the agency has recommended US companies updating Linux systems to the latest update kernel version 3.7. "To prevent an order from being susceptible to Drovorub's hiding and persistence, system administrators should upgrade to Linux Kernel 3.7 or later to take full advantage of kernel signing enforcement. Additionally, system owners are advised to configure systems to load only modules with a valid digital signature making it more difficult for an actor to introduce a malicious kernel module into the system," says the US intelligence agencies' report.

Online Exam Tool ProctorU Breached, Half A Million User Accounts Leaked Online


Around half a million online users were affected due to the breach of online examination software called "ProctorU," a platform widely used in teaching institutes. The hackers, belonging to Shiny Hunters Group, recently posted the leaked data on the web, which contained details of 444,267 users, confirm the cybersecurity experts. ProctorU is a tool that provides institutions automatic monitoring options while conducting the examination. ProctorU, an American firm, built the application.


The data leaked belong to different individuals and organizations, including various education institutes, companies, and users of the breached software. The data leak is part of a bigger scheme of the Shiny Hunters Group, say some sources. They have posted other leaks in the recent weel. More than 386 Million users' data was published online in the past week by hackers. The companies affected include- Couchsurfing, WattPad, Minted, Bhinneka, Dunzo, Dave.com, and many others. The data leaked online include sensitive user information like which include usernames, passwords, full names of the individuals, contact no, and residential address.

Various universities worldwide have been affected by this breach, as they relied on ProctorU for conducting online examinations, keeping the social distancing in mind due to the coronavirus. Sydney University had done the same and used ProctorU to conduct its semester examinations. The University released a statement related to the breach expressing concern for the event. But the University of Sydney has come under a lot of criticism from the users as well as experts. According to them, ProctorU violates the student privacy policy, as given in the University.

Students have complained that the techniques ProctorU uses to keep a watch can be very intrusive and personal. During the examination, the tool asked students to show their surroundings, and also had control over the user's computer. It could be possible that ProctorU could send these data to third parties. "We consistently warned the University that this could happen. We demand the University immediately suspend the use of ProctorU, as that is the only way to guarantee that students are not exposed again in the future," said the Student Council of the University.