
Hackers Impersonate Bank Customers and Make $500k in Fraudulent Credit Card Payments

Hackers operating from overseas impersonated 75 bank customers and made about $500,000 in fraudulent credit card payments. They did this by intercepting the one-time passwords (OTPs) that banks send via SMS text message. In a joint statement released on Wednesday, the Infocomm Media Development Authority (IMDA), the Monetary Authority of Singapore (MAS) and the Singapore Police Force explained that the attackers diverted the banks' SMS OTPs to foreign mobile network systems.

The SMS diversion method, they said, “requires highly sophisticated expertise to compromise the systems of overseas telecommunication networks”. Last year's fraudulent transactions took place between September and December. The bank clients claimed that they did not initiate the transactions and that they did not get the SMS OTPs that were required to complete them. 

According to Mr. Wong, the MAS' deputy chairman, the Monetary Authority of Singapore (MAS) would engage with financial institutions to fine-tune the existing framework on fraudulent payment transactions, which covers the responsibilities and liabilities of banks and customers in such instances. 

Between September last year and February, the police received 89 reports of fraudulent card transactions using SMS one-time passwords (OTPs), according to Mr. Wong. Ms. Yeo Wan Ling (Pasir-Ris Punggol GRC) had inquired if bank-related cyber frauds had increased in the previous six months.

"While these cases represent less than 0.1 percent of fraudulent online card transactions reported, and the number of cases has come down since March 2021, it is nevertheless concerning," Mr. Wong said. 

The authorities said Singapore's own financial and telecommunications networks were not breached. As a goodwill gesture, the banks will not hold affected customers who took reasonable steps to safeguard their credentials liable for the fraudulent transactions. The banks involved were not named.

In this case, the criminals had already obtained the victims' credit card details and mobile phone numbers. They also compromised overseas telecommunications networks and used that access to alter the location records of the Singapore victims' phones.

This tricked the Singapore telecom networks into believing that the victims' numbers were roaming overseas on those foreign networks. The hackers then made fraudulent online card payments using the stolen card details.

When the banks sent SMS OTPs to the victims to authenticate those transactions, the messages were routed to the foreign network systems the criminals controlled instead of to the victims' handsets. The stolen OTPs were then used to complete the payments, which is consistent with the victims' statements that they never received them.
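The diversion described above hinges on the fact that classic SS7 location updates carry no proof that the sending network really serves the phone. The following Python model, added here as an illustration rather than taken from the joint statement or from any operator's systems, replays the exchange: a rogue UpdateLocation from a compromised foreign network, the SMS centre's routing lookup that now points at the attacker, and the bank's OTP landing on the wrong network. It then adds one mitigation the statement does not describe, which is an assumption of this example: the OTP sender checks the phone's roaming status and how recently its location changed, and refuses the SMS channel when either looks wrong. Network names, phone numbers, timings and the 24-hour "quiet period" are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# All names, numbers and timings below are constructed for this example.
HOME_NETWORK = "SG-HomeTelco"


@dataclass
class Subscriber:
    msisdn: str
    serving_network: str = HOME_NETWORK
    located_since: datetime = datetime(2020, 9, 1)


class HLR:
    """Toy home location register: records which network currently serves each phone."""

    def __init__(self, trusted_roaming_partners):
        self.subs: Dict[str, Subscriber] = {}
        self.trusted = set(trusted_roaming_partners)
        self.audit: List[Tuple[datetime, str, str]] = []

    def register(self, msisdn: str) -> None:
        self.subs[msisdn] = Subscriber(msisdn)

    def update_location(self, msisdn: str, claimed_network: str, at: datetime) -> None:
        # MAP UpdateLocation. Classic SS7 does not authenticate the sending
        # network, so a foreign operator's systems that an attacker has
        # compromised can claim the phone has just roamed onto that network.
        sub = self.subs[msisdn]
        sub.serving_network = claimed_network
        sub.located_since = at
        self.audit.append((at, msisdn, claimed_network))

    def route_sms(self, msisdn: str) -> str:
        # MAP SendRoutingInfoForSM: the SMS centre asks where to deliver and is
        # told whatever the most recent UpdateLocation recorded.
        return self.subs[msisdn].serving_network


def send_otp(hlr: HLR, msisdn: str, otp: str, at: datetime) -> dict:
    """A bank's SMS OTP send as it works today: it trusts the HLR routing blindly."""
    return {"otp": otp, "delivered_to": hlr.route_sms(msisdn), "at": at}


def otp_channel_decision(hlr: HLR, msisdn: str, at: datetime,
                         quiet_period: timedelta = timedelta(hours=24)) -> str:
    """Assumed mitigation: refuse SMS delivery when the phone is on an untrusted
    network or its location changed recently; the caller then falls back to an
    app-based or in-branch channel."""
    sub = hlr.subs[msisdn]
    if sub.serving_network == HOME_NETWORK:
        return "sms"
    if sub.serving_network not in hlr.trusted:
        return "deny_sms"
    if at - sub.located_since < quiet_period:
        return "deny_sms"
    return "sms_roaming"


def simulate_diversion() -> Tuple[str, str]:
    """Replays the attack: a rogue UpdateLocation, then an OTP send five minutes later."""
    hlr = HLR(trusted_roaming_partners={"MY-PartnerTelco"})
    msisdn = "+6591234567"  # constructed number
    hlr.register(msisdn)
    t_attack = datetime(2020, 10, 3, 2, 15)
    hlr.update_location(msisdn, "XX-RogueNetwork", at=t_attack)
    t_txn = t_attack + timedelta(minutes=5)
    naive = send_otp(hlr, msisdn, "482913", at=t_txn)
    return naive["delivered_to"], otp_channel_decision(hlr, msisdn, at=t_txn)


def simulate_legitimate_roaming() -> Tuple[str, str]:
    """A genuine traveller on a trusted partner network: denied right after
    arrival, allowed once the location has been stable for a day."""
    hlr = HLR(trusted_roaming_partners={"MY-PartnerTelco"})
    msisdn = "+6598765432"  # constructed number
    hlr.register(msisdn)
    t_arrive = datetime(2020, 10, 3, 8, 0)
    hlr.update_location(msisdn, "MY-PartnerTelco", at=t_arrive)
    return (otp_channel_decision(hlr, msisdn, at=t_arrive + timedelta(hours=1)),
            otp_channel_decision(hlr, msisdn, at=t_arrive + timedelta(days=2)))


if __name__ == "__main__":
    print(simulate_diversion())           # ('XX-RogueNetwork', 'deny_sms')
    print(simulate_legitimate_roaming())  # ('deny_sms', 'sms_roaming')
```

The naive `send_otp` is exactly the path the fraudsters exploited: nothing between the bank and the SMS centre questions where the message is going. The roaming check is a bank-side or operator-side control that costs a legitimate traveller one day of SMS OTPs after arrival, which is the trade-off a fraud-framework review of the kind MAS mentions would have to weigh.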

Anonymous Hacktivists Leak 180 GB of Data from Web Host Epik

Anonymous, one of the best-known hacktivist collectives, is back. Security researchers have confirmed that its latest attack targets Epik, a web host known for serving alt-right customers.

Anonymous claims to have seized gigabytes of data from Epik, which provides domain registration, hosting and DNS services to a number of right-wing sites, among them the Texas GOP, Gab, Parler and 8chan. The stolen data was released as a torrent. The group says the package, which is over 180 GB, contains "a decade's worth of data from the company."

Epik is a web hosting and domain registrar that caters to certain right-wing customers, and it has become the go-to provider for organizations that other IT and service providers have dropped.

"The data set is all that's needed to trace actual ownership and management of the fascist side of the Internet that has eluded researchers, activists, and, well, just about everybody," said the Anonymous hackers. 

According to Ars Technica's report, the leaked database could allow anyone to identify Epik's clients and obtain other personally identifiable information about them.

Anonymous's current campaign, dubbed "Operation Jane," was launched in September after the Texas Heartbeat Act took effect. The law bans abortion after roughly six weeks and is enforced not by state agencies or police but through private lawsuits: any private citizen can sue anyone who performs or helps facilitate a prohibited abortion and claim at least $10,000 in damages.

The leaked data includes several SQL databases holding customer records for every domain Epik hosts. Ars examined a small portion of the dataset, including an Epik mailbox, obtained from a source, that contained correspondence of Epik CEO Rob Monster.

"We are not aware of any breach. We take the security of our clients' data extremely seriously, and we are investigating the allegation," an Epik representative told Ars. 

Before the Epik leak, Anonymous had defaced the Texas GOP website, replacing its "Help Texas Stay Red" message with "Texas: Taking voices from women to promote theocratic erosion of church/state barriers." The group also inserted "donate" links to Planned Parenthood for reproductive health services.

This Aspiring Hacker was Caught in a Quite Embarrassing Manner

A Ukrainian citizen charged by the US Department of Justice (DoJ) with using a botnet to crack people's passwords was identified through his email correspondence with online vape shops in Ukraine, including an invoice bearing his home address.

Glib Oleksandr Ivanov-Tolpintsev is accused by the Department of Justice of deploying a botnet to break passwords of targeted individuals, which he subsequently sold on the dark web. According to his indictment, Ivanov-Tolpintsev made over $80,000 from the operation. 

The press release from the DoJ reads, “During the course of the conspiracy, Ivanov-Tolpintsev stated that his botnet was capable of decrypting the login credentials of at least 2,000 computers every week...Once sold [on the dark web], credentials were used to facilitate a wide range of illegal activity, including tax fraud and ransomware attacks.” 

On October 3, 2020, Polish police arrested Ivanov-Tolpintsev in Korczowa, Poland, and he was extradited to the United States to stand prosecution for these offenses. 

Amateur Blunders 

According to an IRS affidavit, investigators tracked down Ivanov-Tolpintsev by looking at the contents of the Gmail accounts he used to conduct his dark web activities. 

One of these accounts had received many digital receipts from online vape shops, revealing Ivanov-Tolpintsev's name and contact details.

Furthermore, Ivanov-Tolpintsev's regular, personal email account was set as the recovery address for these accounts. Its contents included a wealth of personally identifying information, including passport scans and Google Photos images.

Because he failed to separate his criminal digital identity from his real one, the government was able to gather enough evidence to persuade a court to order Ivanov-Tolpintsev's arrest and extradition.

Investigators have not revealed much about Ivanov-Tolpintsev's botnet, but the case highlights the danger of relying on a password alone to protect an account.

Because cracked passwords sold on the dark web can enable serious attacks, like the one on the United Nations, security experts have long urged organizations to implement multi-factor authentication (MFA).

To Disseminate Malware, Hackers are Increasingly Relying on DaaS Platforms

According to cybersecurity researchers, malware authors are increasingly relying on dropper-as-a-service (DaaS) platforms to distribute their malware. Sophos recently published a report on the rise of DaaS platforms that infect users who visit piracy sites looking for cracked versions of popular business and consumer software.

A dropper is a programme that, when run, executes malicious code as a payload. The dropper is similar to a trojan, and it may have additional functions, but its primary goal is to get malware onto a victim's computer, which can be downloaded over the internet or unpacked from data within the dropper.

A customer pays a dropper-as-a-service to deliver their malware to victims' systems via droppers. Typically the DaaS operates a network of websites that serve droppers to victims, and the droppers then install and run the customer's malware. The droppers are usually disguised as legitimate or cracked software that users are tricked into installing.
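A dropper that carries its payload "within the dropper" has to put it somewhere, and the two common places are a second executable appended as cleartext or an encrypted blob stuffed into the file's overlay (the bytes after the last section). The Python below, added here as an example and not taken from the Sophos report or any Sophos tooling, does the static triage a malware analyst would run on a suspected cracked-software installer: parse the carrier PE's section table to find where the overlay starts, look for embedded MZ/PE headers anywhere in the file, and measure the overlay's Shannon entropy. The sample files are constructed in the block (minimal, non-runnable PE skeletons), and the 7.2 entropy threshold and 1 KiB minimum overlay size are assumptions.

```python
import math
import random
import struct
from collections import Counter
from typing import Dict, List


def find_embedded_pe(data: bytes, start: int = 1) -> List[int]:
    """Offsets of 'MZ' headers whose e_lfanew points at a 'PE\\0\\0' signature.
    start=1 skips the carrier's own header at offset 0."""
    hits = []
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def overlay_offset(data: bytes) -> int:
    """Byte offset where the carrier PE's sections end; anything after is overlay."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect = coff + 20 + opt_size
    end = sect + 40 * nsect
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def analyze_dropper(data: bytes, entropy_threshold: float = 7.2) -> Dict[str, object]:
    """Static triage: flag a cleartext embedded PE, or a sizeable high-entropy
    overlay that is probably a packed or encrypted payload."""
    ov = overlay_offset(data)
    overlay = data[ov:]
    embedded = find_embedded_pe(data)
    entropy = round(shannon_entropy(overlay), 2)
    suspicious = bool(embedded) or (len(overlay) >= 1024 and entropy >= entropy_threshold)
    return {"overlay_offset": ov, "overlay_size": len(overlay),
            "overlay_entropy": entropy, "embedded_pe_offsets": embedded,
            "verdict": "likely_dropper" if suspicious else "no_payload_found"}


def build_minimal_pe(section_payload: bytes) -> bytes:
    """Constructed, non-runnable PE skeleton used as sample input: DOS header,
    PE signature, COFF header, zeroed optional header, one section."""
    e_lfanew, opt_size = 0x40, 0xE0
    coff = e_lfanew + 4
    sect = coff + 20 + opt_size
    raw_ptr = (sect + 40 + 0x1FF) & ~0x1FF          # 512-byte file alignment
    buf = bytearray(raw_ptr + len(section_payload))
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", buf, coff, 0x14C, 1)    # Machine=i386, NumberOfSections=1
    struct.pack_into("<H", buf, coff + 16, opt_size)
    buf[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<II", buf, sect + 16, len(section_payload), raw_ptr)
    buf[raw_ptr:raw_ptr + len(section_payload)] = section_payload
    return bytes(buf)


# Two constructed droppers: one carries its payload in cleartext, the other
# carries it encrypted (modelled here with seeded random bytes of similar size).
CARRIER = build_minimal_pe(b"\x90" * 32)
PAYLOAD = build_minimal_pe(b"\xCC" * 64)
CLEARTEXT_DROPPER = CARRIER + PAYLOAD
_rng = random.Random(7)
ENCRYPTED_DROPPER = CARRIER + bytes(_rng.getrandbits(8) for _ in range(4096))
CLEAN_BINARY = CARRIER

if __name__ == "__main__":
    for name, blob in [("cleartext", CLEARTEXT_DROPPER),
                       ("encrypted", ENCRYPTED_DROPPER), ("clean", CLEAN_BINARY)]:
        print(name, analyze_dropper(blob))
```

The entropy check is what catches the case the DaaS networks actually ship: a cracked-software installer whose "crack" is an encrypted blob decrypted at run time, which the MZ scan alone would miss. Legitimate installers with compressed resources can also score high, so the verdict is a triage signal to prioritise sandboxing, not a conviction.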

“During our recent investigation into an ongoing Raccoon Stealer (an information-stealing malware) campaign, we found that the malware was being distributed by a network of websites acting as a “dropper as a service,” serving up a variety of other malware packages,” Sophos researchers Sean Gallagher and Yusuf Polat wrote in a joint blog post.

The Sophos pair, assisted by Anand Ajjan and Andrew Brandt, called this part of the "malware-industrial complex" and said such services make it "very inexpensive for would-be cybercriminals with limited expertise to get started." Some of these operators charge as little as $2 per 1,000 malware installs delivered through their droppers.

The researchers point out that DaaS frequently bundles a variety of unrelated malware in a single dropper, including click-fraud bots, information stealers, and even ransomware.

The Raccoon Stealer campaign was not the only one that used DaaS, according to the researchers. Sophos continued to see more malware and other dangerous information transmitted over the same network of sites even after the campaign had stopped. “We discovered multiple networks using the same basic tactics in our research. All of these networks use search engine optimization to put a “bait” webpage on the first page of results for search engine queries seeking “crack” versions of a variety of software products,” said the researchers.

The US State Department was Recently Hit by a Cyber Attack

According to a Fox News correspondent, the US State Department was hit by a cyberattack and the Department of Defense's Cyber Command was notified of a potentially serious breach. The date of the breach is unknown, but according to the reporter's Twitter thread it is believed to have occurred a few weeks ago. The State Department's ongoing mission to evacuate Americans and allies from Afghanistan has "not been harmed," the reporter said.

Without confirming any incident, a reliable source told Reuters that the State Department has not encountered any substantial disruptions and that its operations have not been hampered in any manner. On Saturday, a State Department official told CNBC that the agency "takes seriously its responsibility to safeguard its information and takes constant steps to ensure it is protected."

“For security reasons, we are not in a position to discuss the nature or scope of any alleged cybersecurity incidents at this time,” the spokesperson said. 

Earlier this month, the Senate Committee on Homeland Security and Governmental Affairs gave the State Department's information security programme a D grade, the lowest rating in the committee's grading model. The panel found the department "ineffective in four of five function areas."

“Auditors identified weaknesses related to State’s protection of sensitive information and noted the Department did not have an effective data protection and privacy program in place,” it added. The committee also found that the department could not demonstrate that it protected data in transit and at rest.

According to a cybersecurity report by the Senate Committee, the agency was unable to provide documentation for 60% of the sample employees evaluated who had access to its classified network. On its classified and unclassified networks, the State Department left thousands of employee accounts active even after they had left the agency for significant periods of time—in some cases as long as 152 days after employees quit, retired, or were dismissed. 

“Former employees or hackers could use those unexpired credentials to gain access to State’s sensitive and classified information, while appearing to be an authorized user,” the report stated.

DHS Called On Hackers to Join Government During Black Hat Speech



Department of Homeland Security Secretary Alejandro Mayorkas, speaking at the Black Hat conference, urged attendees to bring their creativity, ideas and boldness to government agencies to help shape a cybersecurity policy landscape that has not yet been mapped.

“We need your creativity, your ideas, your boldness, and your willingness to push limits. We need you to help us navigate a path that has not yet been mapped,” Mayorkas said. “What’s at stake here is nothing less than the future of the internet, the future of our economic and national security, and the future of our country.” 

Mayorkas announced the upcoming Cyber Talent Management System, which will redefine hiring requirements for cybersecurity roles in government agencies and adjust pay to the current labour market. He urged attendees to "lead the charge on the inside" by joining the Cybersecurity and Infrastructure Security Agency and DHS.

“This initiative…will give us more flexibility to hire the very best cyber talent and ensure we can compete more effectively with the private sector,” he said. 

Hiring is a major focus for DHS under the Biden administration. The department is currently trying to fill a number of open cybersecurity positions and to recruit more diverse talent into the field.

Mayorkas acknowledged that young talent is often reluctant to work for the federal government, but said security specialists have an opportunity to "bridge the gap between the hacker community and the federal government" by working with the agency. He closed by comparing the current state of cybersecurity with the mid-18th-century struggle between Britain, China and Russia.

“We are competing for the future of cyberspace – one in which friends gather, colleagues communicate, businesses sell, consumers buy, dissidents organize, horrific crimes occur, governments hear from their citizens, and information is widely and quickly disseminated,” he said.

Wiper Malware Used in Attack Against Iranian Railway

The cyber-attack that crippled Iran's national railway system at the beginning of the month was caused by a disk-wiping malware strain called Meteor rather than ransomware, according to research published by security firms Amnpardaz and SentinelOne.

According to Reuters, the attack disrupted train services and took down the transport ministry's website. But the assault was not simply meant to cause havoc: the attackers also pushed a message to station display boards giving travellers a phone number to call for more information about the difficulties.

Juan Andres Guerrero-Saade, Principal Threat Researcher at SentinelOne, said this is the first known use of the malware and that Meteor has not yet been linked to a previously identified group.

Meteor malware: A part of a well-planned attack

The Meteor wiper was precisely one of three components of a broader malware arsenal placed on the systems of the Iranian railway computers on July 9, according to the firm's research. 

The attacks, which SentinelOne tracks under the codename MeteorExpress and which led to trains being cancelled or delayed across Iran, involved:
1. Meteor, the wiper that erased the infected computer's filesystem.
2. A file named mssetup.exe that acted as an old-school screen locker to lock the user out of the PC.
3. A file named nti.exe that overwrote the victim computer's master boot record (MBR).

Guerrero-Saade did not say how or where the intrusion began, but he noted that once inside the network the attackers used group policy to deploy their malware, deleted volume shadow copies to prevent data recovery, and disconnected infected hosts from their domain controller so that administrators could not quickly remediate them.
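The three preparatory steps above (group-policy deployment, shadow-copy deletion, domain disconnection) all show up in process-creation telemetry before the wiper ever runs, which is the window a SOC has to act. The Python below is an added detection example, not SentinelOne's research or any vendor rule set: it runs three regex rules over constructed Sysmon/4688-style JSON events and raises an incident only when at least two distinct rules fire on one host inside a short window, so that a backup job's routine `vssadmin delete shadows` does not page anyone on its own. The command-line patterns are assumed generic indicators for the behaviours the report describes, not the exact commands MeteorExpress used, which this page does not list; the host names, users, timestamps and the 15-minute window are constructed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed, generic indicators for the behaviours SentinelOne describes. They are
# not the exact commands from MeteorExpress, which the page does not list.
RULES: List[Tuple[str, re.Pattern]] = [
    ("shadow_copy_deletion",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("domain_unjoin",
     re.compile(r"UnjoinDomainOrWorkgroup|\bnetdom(\.exe)?\s+remove\b", re.I)),
    ("sysvol_script_exec",
     re.compile(r"\\\\[^\\\s]+\\sysvol\\[^\s]*\.(bat|cmd|ps1)\b", re.I)),
]

# Constructed process-creation events (Sysmon event 1 / Security 4688 style),
# one JSON object per line.
SAMPLE_LOG = r"""
{"ts": "2021-07-09T04:12:03", "host": "RAIL-WS-17", "user": "SYSTEM", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c \\\\corp.example\\sysvol\\corp.example\\scripts\\setup.bat"}
{"ts": "2021-07-09T04:12:05", "host": "RAIL-WS-17", "user": "SYSTEM", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2021-07-09T04:12:09", "host": "RAIL-WS-17", "user": "SYSTEM", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic computersystem where name=\"RAIL-WS-17\" call UnjoinDomainOrWorkgroup"}
{"ts": "2021-07-09T09:30:00", "host": "RAIL-WS-22", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe list shadows"}
{"ts": "2021-07-09T10:02:11", "host": "RAIL-WS-22", "user": "CORP\\backup-svc", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /for=D: /oldest"}
"""


def parse_events(log_text: str) -> List[dict]:
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def match_rules(events: List[dict]) -> List[dict]:
    """One alert per (event, rule) hit, in log order."""
    alerts = []
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmdline"]):
                alerts.append({"ts": ev["ts"], "host": ev["host"], "rule": name,
                               "cmdline": ev["cmdline"]})
    return alerts


def correlate(alerts: List[dict], window: timedelta = timedelta(minutes=15),
              min_rules: int = 2) -> List[dict]:
    """Raise one incident per host when at least min_rules distinct rules fire
    inside the window; a lone shadow-copy deletion by a backup job does not."""
    by_host: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append((a["ts"], a["rule"]))
    incidents = []
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            rules = {name for t, name in hits[i:] if t - t0 <= window}
            if len(rules) >= min_rules:
                incidents.append({"host": host, "first_seen": t0, "rules": sorted(rules)})
                break
    return incidents


def run_detection(log_text: str = SAMPLE_LOG):
    alerts = match_rules(parse_events(log_text))
    return alerts, correlate(alerts)


if __name__ == "__main__":
    alerts, incidents = run_detection()
    for a in alerts:
        print("ALERT", a["host"], a["rule"], a["cmdline"])
    for inc in incidents:
        print("INCIDENT", inc)
```

On the sample, RAIL-WS-17 trips all three rules within six seconds and becomes an incident, while RAIL-WS-22's backup-service deletion produces a single low-priority alert. In a real deployment the same correlation would be fed from a SIEM query rather than an inline string, and the group-policy rule would be widened to cover scheduled tasks and services created from SYSVOL paths.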

After the attack, the infected computers' filesystems had been wiped and their screens showed a message telling victims to call a phone number belonging to the office of Supreme Leader Ayatollah Ali Khamenei, a prank from the attackers' point of view.

While the MeteorExpress campaign looked like a witty prank aimed at Iranian government officials, the malware itself was not. Meteor and the other MeteorExpress components were "a bizarre amalgam of custom code," according to Guerrero-Saade, mixing open-source components with old software and custom-written parts that were "rife with sanity checks, error checking, and redundancy in accomplishing its goals."

Some of the same traits appear in the screen-locking component and in the accompanying deployment batch scripts. “Even their batch scripts include extensive error checking, a feature seldom encountered with deployment scripts,” the SentinelOne researcher said.

While parts of the malware appear to have been written by a skilled, professional developer, Guerrero-Saade notes that the uneven quality of the MeteorExpress operation suggests the malware and the overall attack were cobbled together in a hurry by several teams.

SentinelOne said it is not known whether Meteor was built specifically for this operation or whether the strain will reappear in another form; the sample was assembled only six months before the attack on the Iranian railway.

Facebook says Iranian Hackers Targeted U.S. Military Personnel

On Thursday, Facebook said it had shut down about 200 accounts run by a group of hackers in Iran as part of a cyber-espionage operation that focused primarily on US military personnel and people working in defense and aerospace companies.

The group, termed 'Tortoiseshell' by security experts, utilized fraudulent online identities to interact with targets, establish confidence over time (often months), and lead them to other sites where they were duped into clicking malicious links that infected their devices with spying software, according to Facebook. 

In a blog post, Facebook's investigative team stated, "This activity had the hallmarks of a well-resourced and persistent operation while relying on relatively strong operational security measures to hide who's behind it." 

According to Facebook, the group created fake identities on several social media platforms to look more legitimate, often posing as recruiters or employees of aerospace and defense firms. LinkedIn, owned by Microsoft, said it had removed several accounts, while Twitter said it was "actively investigating" the information in Facebook's report.

The malware was delivered via email, chat and collaboration platforms, Facebook said, including as malicious Microsoft Excel spreadsheets. A Microsoft spokesman said the company was aware of and tracking this actor, and that it takes action when malicious activity is detected.

Google stated it had discovered and prevented phishing on Gmail as well as provided user warnings. Slack, a workplace messaging service, claimed it has taken action against hackers who exploited the platform for social engineering and had shut down any Workspaces that broke its rules. 

According to Facebook, the hackers utilized customized domains to entice their targets, including phony defense recruitment websites and internet infrastructure that spoofed a real job search website for the US Department of Labor. 

In a campaign that began in mid-2020, Facebook claimed the hackers mostly targeted users in the United States, as well as some in the United Kingdom and Europe. It did not name the firms whose employees were targeted, but its chief of cyber espionage, Mike Dvilyanski, said the "fewer than 200 individuals" who were targeted were being alerted. 

The campaign appeared to demonstrate an extension of the group's operations, which had previously been claimed to focus mostly on the Middle East's I.T. and other businesses, according to Facebook. A section of the malware employed by the organization was developed by Mahak Rayan Afraz (MRA), a Tehran-based IT firm with links to the Islamic Revolutionary Guard Corps, as per the inquiry. 

Reuters could not find contact details for Mahak Rayan Afraz, and former employees of the firm did not respond to LinkedIn messages. Iran's mission to the United Nations in New York did not immediately respond to a request for comment. Allegations that MRA is involved in Iranian state cyber-espionage are not new: cybersecurity firm Recorded Future has named MRA as one of several contractors suspected of supporting the IRGC's elite Quds Force.

Iranian intelligence, like other espionage services, has long been alleged to farm out its missions to a range of domestic contractors. Facebook said the fraudulent domains had been blocked from being shared on its platform, while Google said it had added the domains to its "blocklist."

Hackers Have Devised a New Trick to Disable Macro Security Warnings

Threat actors have found a new way to disable macro security warnings in malspam attacks that use non-malicious documents. Microsoft Office macro malware that relies on social engineering to infect computers has been a fixture of the threat landscape for years, and malware authors constantly refine their techniques to evade detection: macro obfuscation, DDE, living-off-the-land binaries and scripts (LOLBAS) and even legacy XLS formats are among the tricks in use.

According to McAfee Labs analysts, threat actors are now using non-malicious documents to switch off security warnings before executing macro code on the recipient's machine. The macro in the initial spammed attachment contains no malicious code itself; it downloads and runs malicious DLLs (ZLoader). ZLoader has been active since at least 2016 and was used to spread Zeus-like banking trojans (such as Zeus OpenSSL). It borrows several capabilities from the well-known Zeus 2.0.8.9 banking trojan.

The attack chain begins with a spam email carrying a Microsoft Word document that, once opened, downloads a password-protected Microsoft Excel file from a remote server. The download only starts after the victim enables the macros hidden in the Word document. “After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions,” reads McAfee's analysis.

“Once the macros are written and ready, the Word document sets the policy in the registry to ‘Disable Excel Macro Warning’ and invokes the malicious macro function from the Excel file. The Excel file now downloads the ZLoader payload. The ZLoader payload is then executed using rundll32.exe.”

In other words, the Word VBA code never carries the payload logic itself. It reads the cell contents of the downloaded XLS file and uses them to build a new macro inside that same workbook, writing the cell contents into the XLS VBA project as functions. To do that without a prompt, and to run the result without a warning, the Word document writes the per-user Excel security setting in the registry (the key McAfee cites is HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security, value AccessVBOM, which is the "Trust access to the VBA project object model" setting; the version segment of the path varies with the installed Office release) and then calls the malicious Excel macro. The Excel file then uses rundll32.exe to download and run the ZLoader payload.
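The registry write is the weak point a defender can audit: a per-user value under HKEY_CURRENT_USER\Software\Microsoft\Office\<ver>\<app>\Security is writable by any macro running as that user, whereas the same value under HKEY_CURRENT_USER\Software\Policies\... is set by Group Policy and takes precedence. The Python below is an added example, not McAfee's analysis or tooling: it parses the text that `reg export` produces, works out the effective setting per Office version and application, and flags `AccessVBOM=1`, `VBAWarnings=1` (all macros enabled, no warning) and any application whose settings are only a user preference with no policy key above them. The two registry exports are constructed: the first shows the state the document chain above leaves behind on an unmanaged machine, the second adds hardening policy keys. Office version 16.0 in the samples is an assumption; the value names and their meanings are Microsoft's documented ones.

```python
import re
from typing import Dict, List, Tuple

KEY_RX = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RX = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
OFFICE_SEC_RX = re.compile(
    r"\\Office\\(?P<ver>\d+\.\d+)\\(?P<app>Excel|Word|PowerPoint|Access|Outlook)\\Security$", re.I)

# Documented meanings of the VBAWarnings value.
VBAWARNINGS = {1: "enable all macros (no warning)", 2: "disable with notification (default)",
               3: "disable except digitally signed", 4: "disable all without notification"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, int]]:
    """Minimal parser for 'reg export' output: key path -> {value name: dword}."""
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RX.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = DWORD_RX.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = int(m.group("val"), 16)
    return keys


def effective_settings(keys: Dict[str, Dict[str, int]]) -> Dict[Tuple[str, str], dict]:
    """Per (version, app): the values Office will honour. Policy keys win over
    the per-user preference keys that a macro can rewrite."""
    eff: Dict[Tuple[str, str], dict] = {}
    for key, values in keys.items():
        m = OFFICE_SEC_RX.search(key)
        if not m:
            continue
        ident = (m.group("ver"), m.group("app").lower())
        is_policy = "\\policies\\" in key.lower()
        cur = eff.setdefault(ident, {"source": None, "values": {}})
        if is_policy or cur["source"] is None:
            cur["source"] = "policy" if is_policy else "user"
            cur["values"] = dict(values)
    return eff


def audit_macro_settings(keys: Dict[str, Dict[str, int]]) -> List[Tuple[str, str]]:
    """Return (where, finding) pairs; an empty list means nothing to fix."""
    findings = []
    for (ver, app), info in sorted(effective_settings(keys).items()):
        where = f"Office {ver} {app} ({info['source']})"
        v = info["values"]
        if v.get("AccessVBOM") == 1:
            findings.append((where, "AccessVBOM=1: macros may read and rewrite other documents' VBA projects"))
        if v.get("VBAWarnings", 2) == 1:
            findings.append((where, f"VBAWarnings=1: {VBAWARNINGS[1]}"))
        if info["source"] == "user":
            findings.append((where, "unmanaged: no policy key, so a macro running as the user can rewrite these values"))
    return findings


# Constructed registry exports. WEAK_EXPORT is what the document chain described
# above leaves behind on an unmanaged machine; HARDENED_EXPORT adds the policy
# keys that take precedence over the per-user values.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
"AccessVBOM"=dword:00000001
"VBAWarnings"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000002
"""

HARDENED_EXPORT = WEAK_EXPORT + r"""
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"AccessVBOM"=dword:00000000
"VBAWarnings"=dword:00000003
"BlockContentExecutionFromInternet"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"AccessVBOM"=dword:00000000
"VBAWarnings"=dword:00000003
"BlockContentExecutionFromInternet"=dword:00000001
"""

if __name__ == "__main__":
    for label, export in [("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)]:
        print(label, audit_macro_settings(parse_reg_export(export)) or "clean")
```

Run it against `reg export "HKCU\Software\Microsoft\Office" office.reg` plus the matching `Policies` export from an endpoint and every "unmanaged" finding is a machine where this Word-to-Excel trick still works as described. Setting `VBAWarnings` to 3 by policy (signed macros only) and `BlockContentExecutionFromInternet` to 1 closes the first stage of the chain, because the spammed Word document's macro never runs.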

“Malicious documents have been an entry point for most malware families and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payloads,” the researchers conclude.

EA Faces Criticism After Ignoring Warnings from Cybersecurity Researchers

After dismissing warnings from cybersecurity researchers in December 2020 that several flaws left it exposed to attackers, gaming giant Electronic Arts is facing further criticism from the security industry. Electronic Arts Inc. is a video game developer and publisher based in Redwood City, California. As of May 2020 it was the second-largest gaming company in America and Europe by revenue and market value, behind Activision Blizzard and ahead of Take-Two Interactive and Ubisoft.

Cyberpion, an Israeli cybersecurity firm, contacted EA late last year to warn it about a number of domains that could be taken over, as well as misconfigured and possibly forgotten assets, and domains with misconfigured DNS records. Despite sending EA a detailed document outlining the issues along with a proof of concept, Cyberpion co-founder Ori Engelberg says EA did nothing to fix them.
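"Domains that could be taken over" almost always means dangling DNS: a CNAME or NS record that still points at a hosting name or nameserver domain nobody owns any more, so whoever registers that target now answers for the company's subdomain. The Python below is an added example, not Cyberpion's scanner or anything EA runs: it classifies each record in a zone by resolving its target, distinguishing a target on a shared hosting platform where any tenant can claim the name from a target whose entire parent domain has lapsed and can simply be re-registered. The zone, the resolver results and the list of takeover-prone hosting suffixes are all constructed or assumed for the example; in a real audit the `resolve` callable would wrap a DNS library and the suffix list would be maintained against the providers actually in use.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed, illustrative list of hosting suffixes where an unclaimed hostname can
# be registered by anyone; keep such a list current for your own providers.
TAKEOVER_PRONE_SUFFIXES = (".azurewebsites.net", ".herokuapp.com", ".github.io",
                           ".s3.amazonaws.com", ".trafficmanager.net")

Resolver = Callable[[str], Optional[List[str]]]   # returns None on NXDOMAIN


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    target: str


def registrable_domain(host: str) -> str:
    """Naive apex extraction (last two labels); use a public-suffix library in real checks."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(rec: Record, resolve: Resolver) -> str:
    """Label one zone record with the kind of takeover exposure it carries, if any."""
    if rec.rtype == "CNAME":
        if resolve(rec.target) is not None:
            return "ok"
        if rec.target.lower().endswith(TAKEOVER_PRONE_SUFFIXES):
            return "takeover_candidate"                  # anyone can claim the target name
        if resolve(registrable_domain(rec.target)) is None:
            return "dangling_cname_unregistered_domain"  # attacker can register the whole domain
        return "dangling_cname"                          # stale, but the owner still exists
    if rec.rtype == "NS":
        if resolve(registrable_domain(rec.target)) is None:
            return "dangling_ns"                         # delegation to a domain that can be registered
        return "ok"
    return "ok"


def audit_zone(records: List[Record], resolve: Resolver) -> Dict[str, str]:
    return {f"{r.name} {r.rtype} {r.target}": classify(r, resolve) for r in records}


# Constructed zone and a constructed resolver standing in for live DNS lookups.
SAMPLE_ZONE = [
    Record("www.example-game.test", "A", "203.0.113.10"),
    Record("cdn.example-game.test", "CNAME", "d111111abcdef8.cloudfront.net"),
    Record("promo.example-game.test", "CNAME", "old-promo-site.azurewebsites.net"),
    Record("legacy.example-game.test", "CNAME", "box.old-vendor.test"),
    Record("partner.example-game.test", "CNAME", "api.partner-corp.test"),
    Record("eu.example-game.test", "NS", "ns1.defunct-dns.test"),
]

KNOWN_NAMES = {
    "d111111abcdef8.cloudfront.net": ["198.51.100.7"],
    "partner-corp.test": ["198.51.100.20"],
}


def fake_resolve(name: str) -> Optional[List[str]]:
    """Stand-in for a DNS lookup: None models NXDOMAIN."""
    return KNOWN_NAMES.get(name.lower())


if __name__ == "__main__":
    for record, verdict in audit_zone(SAMPLE_ZONE, fake_resolve).items():
        print(f"{verdict:38} {record}")
```

The two verdicts that matter for Engelberg's mail-spoofing scenario are `takeover_candidate` and `dangling_cname_unregistered_domain`: in both, an outsider can start serving content, or publishing SPF and DKIM records, under a hostname that ends in the company's own domain. `dangling_ns` is worse still, since the delegated subdomain and everything beneath it becomes the attacker's to define.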

According to Engelberg, EA acknowledged receiving the information about the vulnerabilities and stated that they will contact Cyberpion if they had any further questions, but they never did. "We inspect the entire internet but as gamers, we are customers of EA. So many of our employees play FIFA and other games. We love EA so we wanted to contact them to help because their online presence is significant," Engelberg said. 

"What we found is the ability to take over assets of EA. It is more than just taking the assets of EA, it is about what can be done with these assets because we know EA. We know that if somebody can send emails from the domains of EA to us, the customers, or to suppliers of EA or to employees of EA, then that's the easiest door to the company. It isn't even a door. It is something simpler," Engelberg added. He said that malicious actors might use the stolen domains to send emails appearing to be from EA, asking customers to transfer account details or other data.

Last week it emerged that a "chain of vulnerabilities" could have allowed attackers to access personal information and take over accounts, drawing further criticism of EA. Motherboard also reported in recent weeks that EA's large data breach began with a hacker gaining access to an internal account by abusing the company's Slack workspace.

Hackers boasted on forums about stealing 780 GB of data from the company and acquiring full access to FIFA 21 matchmaking servers, FIFA 22 API keys, and various Microsoft Xbox and Sony software development kits. They also claim to have a lot more, such as the Frostbite source code and debugging tools, which is used to power EA's most popular games like Battlefield, FIFA, and Madden.

The Salvation Army in the UK was Infected with Ransomware

The Register has reported that criminals infected the Salvation Army in the United Kingdom with ransomware and stole the organization's data. A spokeswoman for the Salvation Army confirmed that the evangelical Christian church and charity had been hit and that it had notified UK regulators.

She said, “We are investigating an IT incident affecting a number of our corporate IT systems. We have informed the Charity Commission and the Information Commissioner’s Office, are also in dialogue with our key partners and staff, and are working to notify any other relevant third parties. We can also confirm that our services for the vulnerable people who depend on us are not impacted and continue as normal.” 

There is currently no further information about the incident, such as who the attackers are or what data was accessed, and no data has appeared on any known ransomware gang's leak site. Meanwhile, Salvation Army staff and volunteers have been told to watch their accounts closely for unusual banking activity or suspicious contact.

Jake Moore, a cybersecurity specialist with Slovakian antivirus firm ESET, told The Register: “It is vital that those who could be at risk are equipped with the knowledge of how to mitigate further attacks. The first few days and weeks after a breach are the most important, as criminals will be quick to take advantage of the situation and strike while they still can.”

 “Those who may believe they have had their details taken must contact their banks to add extra fraud protection and to be on guard for extra attempts such as unsolicited calls or emails phishing for extra information,” added ESET’s Moore. 

Other infosec industry sources speculated that the attack was carried out by either the Conti or the Pysa ransomware gang. Conti was the strain used by the WizardSpider group in the attack on the Irish Health Service, which came dangerously close to paralysing Irish hospitals as staff were forced to fall back on pre-computer, paper-based systems. Pysa, meanwhile, has been seen targeting schools and other "soft underbelly" organisations, such as Hackney Council late last year.

The current ransomware attack has shown that no organization is immune to ransomware and that it must be prepared to confront attacks at any time. Keith Glancey, systems engineering manager at Infoblox, commented: “This latest attack on the UK arm of the Salvation Army shows that ransomware is growing in sophistication and that actors are getting bolder. No organization is off-limits, even those in the charity sector.”

Hackers are Remotely Erasing Western Digital Hard Drives

The whole point of a network-attached storage device is to have a drive on which you can back up important data and then retrieve the files from wherever you are. Unknown attackers, however, have turned Western Digital My Book NAS drives into a backup nightmare by breaking into the devices and erasing everything on them. The drives are managed through WD My Book Live, software that lets owners access their data and administer the NAS from anywhere.

Last week the drive maker said that some owners' network-connected storage had been accessed without authorization and a full factory reset triggered, though details of how worried owners should be are still emerging. Western Digital said the WD My Book Live and WD My Book Live Duo are affected. The drives were introduced in 2010 and last received a firmware update in 2015. The company has not said how many are in circulation or estimated how many people are still using them.

“Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” the company said in a security bulletin. "In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.” 

There is currently no evidence that Western Digital's cloud services, firmware update servers or customer credentials were compromised. Instead, the affected My Book Live drives were reachable directly from the internet, "either through direct connection or by port forwarding that was enabled either manually or automatically via UPnP," the bulletin says. According to the company, the attackers used port scanning to find potential victims.

“We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further,” Western Digital added. “Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.” 

While Western Digital advises customers to disconnect the drives from the internet for safety, Reddit users' suggestions are more cautious still. On the assumption that the attackers may already have planted malware or another exploit on the drives, the advice is to switch them off completely: such malware could be set to activate later and wipe the drive even if it isn't connected at the time.

NATO's Cloud Platform Hacked


The SOA & IdM platform is utilized by NATO and is classified as secret. It was used to conduct various critical functions inside the Polaris programme. The North Atlantic Treaty Organization (NATO), commonly known as the North Atlantic Alliance, is an intergovernmental military alliance made up of 30 European and North American countries. 

The organization is responsible for carrying out the North Atlantic Treaty, which was signed on April 4, 1949. NATO is a collective defense organization in which its independent member states commit to defending each other in the event of an external attack. NATO's headquarters are in Haren, Brussels, Belgium, and Allied Command Operations' headquarters is near Mons, Belgium. 

Polaris was developed as part of NATO's IT modernization effort and uses the SOA & IdM platform to provide centralized security, integration, and hosting of information management. The military alliance classified the platform as secret because it performs multiple key roles. 

According to the hackers, they used a backdoor to make copies of the data on this platform and attempted to blackmail Everis. They went even further, making jokes about handing over the stolen material to Russian intelligence. 

Paul Howland, Polaris Program Officer, explained the benefits of the program: “This project has the potential to be a game-changer in how NATO will develop and deploy its operational services in the future. It will drive innovation and reduce costs. Operational by ensuring a much greater reuse of deployed capacities”. 

The hackers who carried out the attack said that at first they had no idea they could take advantage of a flaw in the NATO platform. They had concentrated solely on Everis' corporate data in Latin America, despite NATO's announcement that it was ready to respond to a cyber-attack. Much to their astonishment, one of the secure NATO systems was among the assets of Everis' subsidiaries. 

After analyzing the company and discovering documents connected to drones and military defense systems, the hackers continued stealing more data from Everis networks. They justified their actions by claiming that they were not "for peace on earth and in the cyber world" when they slowed the development of the Polaris programme. The hackers sought a ransom of XMR 14,500 from Everis in exchange for not linking the company's identity to the LATAM Airlines data breach. They've also demanded this money in exchange for not revealing any NATO data.

Latest Campaign by Molerats Hackers Targets Middle Eastern Governments


After a two-month break, a Middle Eastern advanced persistent threat (APT) group has resurfaced and is targeting government institutions in the Middle East -- global government bodies involved in geopolitics -- as part of its latest malicious activity. 

Proofpoint, a company headquartered in Sunnyvale, attributed this activity to a politically motivated threat actor tracked as TA402, colloquially known as Molerats or GazaHackerTeam. 

TA402 is believed to operate in support of objectives consistent with military or Palestinian state goals. The threat actor has been active for a decade, with a history of compromising organizations mainly in Israel and Palestine. Its attacks have covered verticals such as technology, telecoms, finance, academia, the military, the media, and governments. 

The reason for the two-month break in the operation is not clear, but the Proofpoint researchers have suggested that the holy month of Ramadan, or the recent incidents in the region and the violence that followed in May, may have played a part. 

The current wave of attacks started with Arabic-language spear-phishing emails carrying PDF files that embed a geofenced malicious URL. The URL selectively routes victims to a password-protected file only if the visitor's source IP address is in one of the targeted Middle Eastern nations. 

Recipients outside the targeted group are redirected to benign websites such as Al Akhbar (www.al-akhbar.com) and Al Jazeera (www.aljazeera.net), generally Arabic-language news sites. 

The final step of the infection chain extracts the archive to drop a custom implant named LastConn, a new version or upgrade of a backdoor called SharpStages that Cybereason researchers disclosed in December 2020 as part of a Molerats espionage campaign targeting the Middle East. 

LastConn is executed alongside a decoy document. The malware relies largely on the Dropbox API to download and execute cloud-hosted files, run arbitrary commands, and take screenshots, with the results then uploaded back to Dropbox. 

The continually expanding toolkit of TA402 shows that the group keeps developing and adapting tailored malware implants to slip past defenses and thwart detection. 

"TA402 is a highly effective and capable threat actor that remains a serious threat, especially to entities operating in and working with government or other geopolitical entities in the Middle East," the researchers concluded. "It is likely TA402 continues its targeting largely focused on the Middle East region."

By Tampering With Samsung Apps, Hackers Can Spy on Users


Hackers can snoop on users by manipulating pre-installed Samsung apps. 

Hackers can monitor users and possibly take control of the whole system. Alarmingly, the vulnerabilities appear to be part of a much larger group of exploitable flaws. A security researcher summarized the situation for Samsung's bug bounty program. 

Samsung is working to patch numerous vulnerabilities affecting its smartphones that could be exploited in the wild to spy on users or take control of the device. 

Sergey Toshin — the founder of the mobile app security company Oversecured — has uncovered more than a dozen flaws affecting Samsung devices since the beginning of the year. 

Details on three of them are currently scarce because of the significant risk to users. Without going into particulars, Toshin said that the least pressing of these problems would allow attackers to obtain SMS messages if they deceived the victim. 

The other two are more serious: no action by the device owner is required to exploit them, and an attacker could use them to read and/or write arbitrary files with high privileges. 

It is unclear when the fixes will reach consumers, since the process generally takes around two months to ensure that a patch does not cause other complications. 

All three security vulnerabilities were responsibly reported by Toshin and are currently awaiting bounties. 

The researcher has earned about $30,000 from Samsung alone since the beginning of the year for reporting 14 vulnerabilities. Meanwhile, three more vulnerabilities await a patch. In a blog post, Toshin shares technical details and proof-of-concept instructions for seven of the issues that have already been patched, which brought in $20,690 in bounties. 

For discovering and reporting to Samsung the issue in the Settings app (CVE-2021-25393) that gave attackers arbitrary read/write access, Toshin won a hefty bounty of $5,460. 

To mitigate possible security threats, users should install the latest firmware updates from their device manufacturers. 

Toshin has identified over 550 vulnerabilities through HackerOne's platform and several bug bounty programs, earning over US$1 million in bug bounties.

The Samsung Group is a South Korean multinational conglomerate based in Samsung Town, Seoul. It consists of many affiliates, the majority of which operate under the Samsung brand. It is also the most prominent South Korean chaebol. 

Iranian Hackers Attacked Websites of an African Bank and US Federal Library


According to Iran Briefing, hackers posing as Iranians targeted the websites of the Sierra Leone Commercial African Bank and the United States Federal Depository Library Program, by posting pro-Iranian remarks and graphics. 

The website of Sierra Leone Commercial Bank showed up as "H4ck3D IRANIAN HACKER" in Google search results. 

In Twitter screenshots, the words "hacked by Iranian hacker, hacked by shield Iran" appeared over a drawing of former IRGC Quds Force commander Qasem Soleimani, who was killed in a US airstrike. 

According to CBC News, the library program's website was defaced with a bloodied picture of US President Donald Trump being punched in the face, as well as a message written in Farsi and English that read "martyrdom was Soleimani's... reward for years of implacable efforts," and another caption that read "this is only a small part of Iran's cyber ability!" 

A spokesman for the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency confirmed the incident, though the hack has not yet been proven to be the work of Iranian state-sponsored actors. 

The representative stated, “We are aware the website of the Federal Depository Library Program [FDLP] was defaced with pro-Iranian, anti-US messaging”. 

“At this time, there is no confirmation that this was the action of Iranian state-sponsored actors”. 

The website has been removed from the internet and is no longer accessible. In coordination with the FDLP and other government partners, the Cybersecurity and Infrastructure Security Agency (CISA) is keeping an eye on the situation. 

According to another senior US official, the defacement was a minor event carried out by Iranian sympathizers. Former US Secretary of State Mike Pompeo indicated at the time that a cyberattack by Iran against the US could be a possible retaliation. 

It's unclear whether the hackers had a government position or had any connection to Iran. The hack occurs at a time when tensions between the US and Iran are still high following the assassination of Qasem Soleimani, the chief of Iran's Revolutionary Guards Corps Quds Force, by a US strike in Baghdad on Jan. 2. 

Iran has already threatened retaliation for the assassination, implying that US assets and interests in the Middle East, as well as US allies, may be targeted.

Ex-SEC Enforcer: Crypto Investors are Enabling Hackers


The founder of the Securities and Exchange Commission's internet enforcement bureau warned Thursday that investors in bitcoin and other digital currencies are helping online hackers. 

“Ransomware is hitting everywhere and they’re all collecting it in bitcoin because there’s no way they’re going to get caught. So you’re also enabling it,” John Reed Stark, now head of his own cybersecurity firm, said in an interview with CNBC. 

Stark said cryptocurrencies have almost no practical use, contrasting trading in them with the speculation that previously drove AMC Entertainment and other meme stocks like GameStop to great heights. Cryptocurrencies also need the registration and other procedures that would improve the transparency of U.S. capital markets, he added. 

“At least with GameStop and AMC you’re not necessarily hurting anyone. ... But with crypto, you are really hurting a lot of people, and that sort of risk I don’t think is a good one for society,” Stark said. 

He also called crypto the essence of ransomware, a type of malicious software that can disrupt and even block computer networks. 

Brazil's JBS, the world's largest meatpacker, has resumed most production after a weekend ransomware attack, the latest in a line of hacks. JBS blames hackers with links to Russia.

In May, Colonial Pipeline, the largest US fuel pipeline, paid a ransomware demand after its operations were shut down for nearly a week. The FBI assesses that the attack on Colonial Pipeline was carried out by DarkSide, a Russian-linked group that demanded $5 million to restore service. DarkSide eventually shut down after receiving $90 million in cryptocurrency payments, and last year roughly $406 million in crypto payments were made to cyberattackers. 

“The country is kind of falling apart from ransomware all because of crypto, and the main reason people own crypto is because they think someone else will buy it and make the price higher,” said Stark, who spent 18 years at the SEC’s Enforcement Division. “There’s no other reason to invest in it,” he stated.

BazaLoader Malware is Being Distributed by Hackers Using a Bogus Streaming Website


Proofpoint identified the phishing attempt in early May, which entailed hackers creating a phoney movie-streaming website named BravoMovies and stocking it with phoney movie posters and other materials to make it appear real to unwary visitors. It has nothing to offer for download other than BazaLoader malware, despite its pretty pictures and fun-sounding titles. BazaLoader is a malware loader that is used to spread ransomware and other types of malware, as well as steal sensitive data from infected computers. 

"BazaLoader is a downloader written in C++ that is used to download and execute additional modules. Proofpoint first observed BazaLoader in April 2020. It is currently used by multiple threat actors and frequently serves as a loader for disruptive malware including Ryuk and Conti ransomware. Proofpoint assesses with high confidence there is a strong overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as Trickbot," the security firm said. 

The BravoMovies campaign employs a complex infection chain similar to those used by other BazaLoader affiliates, who entice victims to jump through a series of hurdles in order to activate the malware payload. It starts with an email informing recipients that their credit cards will be debited unless they cancel a subscription to the service, one they never agreed to. 

The email includes a phone number for a call center with live people on the other end of the line, ready to send callers to a website where they can purportedly cancel the phoney movie-streaming subscription. Those who fall for the trick are instead directed to download a booby-trapped Excel spreadsheet whose macros download BazaLoader. 

The call-center staff direct callers to the BravoMovies website, where they are told to go to the Frequently Asked Questions page and unsubscribe via the "Subscription" page. They are then directed to download an Excel spreadsheet. If macros are enabled, the Excel sheet downloads BazaLoader. The second-stage payload in this campaign has yet to be identified, according to Proofpoint researchers. 

Proofpoint researchers first noticed this use of BazaLoader in February 2021, when a pre-Valentine's Day malware campaign used lures for bogus flower and lingerie stores. It has also been spotted in a campaign themed around subscription pharmaceutical services.

Hackers Target Rogers With a New SMS Phishing Campaign


Rogers Communications Inc. is advising Canadians to be wary of SMS phishing scams that promise to refund customers for a system outage that occurred earlier last week. Users were unable to use cellular voice and data services after the network experienced a nationwide blackout a week ago. Threat actors are now sending fraudulent text messages to recipients, instructing them to click on a link to receive a rebate. 

An SMS circulated on social media falsely reports that “R0GERS WIRELESS INC.” (spelled with a zero instead of an O) is providing a $50 credit to anyone who clicks on a link provided.

Rogers Communications Inc. is a communications and media corporation based in Canada. With substantial additional telecommunications and mass media infrastructure, it mainly operates in wireless communications, cable television, telephony, and Internet connectivity. Rogers' head office is located in Toronto, Ontario. While the business dates back to 1925, when Edward S. Rogers Sr. formed the Rogers Vacuum Tube Company to market batteryless radios, the current venture dates back to 1960, when Ted Rogers and a partner purchased the CHFI-FM radio station and then became part-owners of a consortium that created the CFTO television station.

Rogers responded that it never sends credit alerts via text message and advises anyone who receives one to ignore the embedded link. Furthermore, according to the company, the credit amount will vary based on the customer's cellular plan and will not involve a registration link. 

According to Ericsson, the 16-hour wireless system blackout on April 19th was triggered by a software update that caused devices to be disconnected from the network. A message from Rogers CTO Jorge Fernandes to customers the next day said, "We have addressed the software issue and our engineering and technical teams will continue to work around the clock with the Ericsson team to restore full services for our customers." 

The links in these texts all point to websites hosted on a bare IP address rather than a domain name. It's unclear exactly what information was phished because the pages have all been taken offline, but the target was clearly Rogers customers' personal and account information. 

Rogers is aware of the scam and has advised users to "forward the content of the SMS to 7726 (SPAM), to register it for investigation/blocking from the network," according to a tweet from the company.
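The post notes two tells in this lure: the sender name "R0GERS" with a zero standing in for the letter O, and links pointing at a bare IP address instead of a domain. The triage script below, an added illustration that is not Rogers' or any vendor's code, folds common digit-for-letter substitutions before matching a protected brand name, checks whether a URL's host parses as an IP address, and looks for refund or credit lure wording; the sample messages are constructed, and 203.0.113.45 is a documentation-range placeholder.

```python
"""Triage heuristics for SMS refund/credit lures like the R0GERS message.

Added illustration, not Rogers' or any vendor's code. All sample messages
below are constructed; 203.0.113.45 is a documentation-range placeholder IP.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Characters commonly substituted for letters in brand names ("R0GERS" -> "rogers").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                            "7": "t", "@": "a", "$": "s", "|": "l"})
LURE_WORDS = re.compile(r"\b(credit|refund|rebate|reimburse\w*|claim)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
TOKEN_RE = re.compile(r"[A-Za-z0-9@$|]+")


def spoofed_brands(text, brands=("rogers",)):
    """Return tokens that match a protected brand only after homoglyph folding."""
    hits = []
    for tok in TOKEN_RE.findall(text):
        folded = tok.lower().translate(HOMOGLYPHS)
        # An exact spelling ("Rogers") is not spoofing; "R0GERS" is.
        if folded in brands and tok.lower() != folded:
            hits.append(tok)
    return hits


def raw_ip_urls(text):
    """Return URLs whose host is a bare IP address rather than a domain name."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlparse(url.rstrip(".,;:)")).hostname or ""
        try:
            ipaddress.ip_address(host)
            hits.append(url)
        except ValueError:
            pass  # a real hostname, not an IP literal
    return hits


def triage(text, brands=("rogers",)):
    """Score one SMS: two or more indicators -> phishing, one -> suspicious."""
    findings = {
        "spoofed_brand": spoofed_brands(text, brands),
        "raw_ip_url": raw_ip_urls(text),
        "refund_lure": bool(LURE_WORDS.search(text)),
    }
    points = sum(1 for v in findings.values() if v)
    verdict = "phishing" if points >= 2 else "suspicious" if points == 1 else "benign"
    return {"verdict": verdict, "points": points, **findings}


# Constructed samples modelled on the lure described in the post; not real captures.
SAMPLES = [
    "R0GERS WIRELESS INC.: We are sorry for the outage. A $50 credit is "
    "waiting for you, claim it now at http://203.0.113.45/credit",
    "Rogers: Your April bill is now available in the MyRogers app.",
    "Rebate for the service outage: https://rogers-refunds.example/claim",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg))
```

The first sample scores on all three indicators, the second on none, and the third (a plausible hostname but refund wording) lands in the middle, which is where a human analyst or the 7726 report path mentioned above comes in.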

Hotbit Shut Down all Services After a Cyberattack


After an alleged cyberattack on Thursday, cryptocurrency trading site Hotbit has shut down all of its services. A note on the platform's website reads, “Hotbit just suffered a serious cyber-attack starting around 08:00 PM UTC, April 29, 2021, which led to the paralysation of a number of some basic services.”   

While the hackers were unable to gain access to Hotbit's wallets, they were able to penetrate the platform's user database. Customers should ignore all contact from people claiming to be members of the exchange, according to the Hotbit team. Hotbit said that all pending trading orders have been cancelled to avoid losses while regular activity is suspended during the ongoing maintenance. The exchange also agreed to cover all losses incurred by exchange-traded funds listed on its website during the downtime.

Before restoring servers and facilities, the exchange is looking for any evidence of tampering that may have contaminated its frequently backed-up data. Because of the time required to review backup data before beginning the system restoration, customers were advised that the investigation and recovery process could take anywhere from 7 to 14 days. 

The attackers obtained access to plaintext customer information (phone numbers, email addresses, and asset data) held on Hotbit's servers, according to the company. Although customers' passwords and 2FA keys were secured, the exchange advised users to change their passwords on any other websites where they used the same credentials. 

Alex Zhou, Hotbit's chief security officer, told users on the exchange's Telegram group that customer funds were unaffected by the attack, saying: “The attacker tried to break into the wallet server to steal funds but the action was identified and blocked successfully by Hotbit risk control system. All users’ funds are safe. At the same time, Hotbit is in the process of transferring all funds in hot wallet to cold wallet, the details of the whole integration could be seen on the chain,” he said. 

Data from the Ethereum transaction tracking platform Etherscan shows multiple token outflows from one of Hotbit's known wallets to another address that currently holds around $14 million in various altcoins.

According to comments on social media and in the platform's Telegram forum, the length of time provided for the maintenance is causing considerable unrest among Hotbit users.