
NATO's Cloud Platform Hacked


The SOA & IdM platform is used by NATO and is classified as secret. It was used to carry out various critical functions within the Polaris programme. The North Atlantic Treaty Organization (NATO), commonly known as the North Atlantic Alliance, is an intergovernmental military alliance made up of 30 European and North American countries.

The organization is responsible for implementing the North Atlantic Treaty, which was signed on April 4, 1949. NATO is a collective defense organization in which its independent member states commit to defending each other in the event of an external attack. NATO's headquarters are in Haren, Brussels, Belgium, and Allied Command Operations' headquarters is near Mons, Belgium.

Polaris was developed as part of NATO's IT modernization effort and uses the SOA & IdM platform to provide centralized security, integration, and hosting of information management services. The military alliance classified the platform as secret because it performs multiple key roles.

According to the hackers, they used a backdoor to copy the data on this platform and attempted to blackmail Everis. They went further, joking about handing the stolen material to Russian intelligence.

Paul Howland, Polaris Programme Officer, explained the benefits of the programme: “This project has the potential to be a game-changer in how NATO will develop and deploy its operational services in the future. It will drive innovation and reduce operational costs by ensuring a much greater reuse of deployed capacities.”

The hackers who carried out the attack said that at first they had no idea they could take advantage of a flaw in a NATO platform. They had concentrated solely on Everis' corporate data in Latin America, despite NATO's announcement that it was ready to respond to a cyber-attack. Much to their astonishment, one of Everis' subsidiaries held one of NATO's secure systems.

After analyzing the company and discovering documents connected to drones and military defense systems, the hackers continued stealing more data from Everis networks. They justified their actions by claiming that they were not acting "for peace on earth and in the cyber world" when they slowed the development of the Polaris programme. The hackers sought a ransom of XMR 14,500 from Everis in exchange for not linking the company's identity to the LATAM Airlines data breach. They also demanded this money in exchange for not revealing any NATO data.

Latest Campaign by Molerats Hackers Targets Middle Eastern Governments


After a two-month break, a Middle Eastern advanced persistent threat (APT) group has resurfaced and is targeting government institutions in the Middle East, along with global government bodies involved in the region's geopolitics, as part of its latest malicious activity.

Proofpoint, a company headquartered in Sunnyvale, attributed this activity to a politically motivated threat actor tracked as TA402, colloquially known as Molerats or GazaHackerTeam.

TA402 is believed to operate in support of objectives consistent with Palestinian military or state goals. The threat actor has been active for a decade, with a history of compromising organizations mainly in Israel and Palestine. The attacks have covered verticals such as technology, telecoms, finance, academia, the military, the media, and governments.

The reason for the two-month pause in operations is not clear, but Proofpoint researchers suggested it could be related to the holy month of Ramadan or to recent events in the region and the violence that followed in May.

The current wave of attacks started with Arabic-language spear-phishing emails carrying PDF files that embed a geofenced malicious URL. The URL routes victims to a password-protected archive only if their source IP address is in one of the targeted Middle Eastern countries.

Recipients outside the target group are redirected to benign, generally Arabic-language news websites such as Al Akhbar (www.al-akhbar.com) and Al Jazeera (www.aljazeera.net).

The last step of the infection chain involves extracting the archive to drop a custom implant named LastConn, a new version or upgrade of a backdoor called SharpStages that Cybereason researchers disclosed in December 2020 as part of a Molerats espionage campaign targeting the Middle East.

LastConn is executed alongside a decoy document. The malware relies largely on the Dropbox API for downloading and executing cloud-hosted files, as well as for running arbitrary commands and taking screenshots, the results of which are then uploaded back to Dropbox.

The continually expanding toolkit of TA402 shows that the group keeps developing and adapting tailored malware implants to slip past defenses and thwart detection.

"TA402 is a highly effective and capable threat actor that remains a serious threat, especially to entities operating in and working with government or other geopolitical entities in the Middle East," the researchers concluded. "It is likely TA402 continues its targeting largely focused on the Middle East region."

By Tampering With Pre-installed Samsung Apps, Hackers Can Spy on Users


Hackers can snoop on users by manipulating Samsung's pre-installed apps.

Hackers can monitor users and possibly take control of the whole device. Alarmingly, the vulnerabilities appear to be part of a much larger group of exploitable flaws. A security researcher reported the issues through the technology giant's bug bounty program.

Samsung is working to patch numerous vulnerabilities affecting its smartphones that could be exploited in the wild to spy on users or take control of the device.

Sergey Toshin — the founder of the mobile app security company Oversecured — has uncovered more than a dozen flaws affecting Samsung devices since the beginning of the year.

Details on three of them are being withheld for now because of the significant risk to users. Without going into particulars, Toshin said that the least pressing of these problems would allow attackers to obtain SMS messages if they first deceived the victim.

The other two, however, are more serious. No action by the device owner is required to exploit them, and an attacker could use them to read and/or write arbitrary files with high privileges.

It is uncertain when the fixes will reach consumers, because the process generally takes approximately two months to ensure that a patch does not cause other complications.

All three security vulnerabilities were responsibly reported by Toshin and are currently awaiting bounties.

The researcher has earned about $30,000 from Samsung alone since the beginning of the year for reporting 14 vulnerabilities, and three more vulnerabilities await a patch. In a blog post, Toshin shares technical details and proof-of-concept instructions for seven of the issues that have already been patched, which brought in $20,690 in bounties.

For discovering and reporting to Samsung an issue (CVE-2021-25393) in the Settings app that allowed attackers to gain arbitrary read/write access, Toshin won a hefty bounty of $5,460.

To mitigate possible security threats, users should install the latest firmware updates from their device manufacturers.

Toshin has identified over 550 vulnerabilities through HackerOne's platform and several bug bounty programs, earning over US$1 million in bug bounties.

The Samsung Group is a global South Korean conglomerate based in Samsung Town, Seoul. It consists of many affiliates, the majority of which operate under the Samsung brand. It is also the most prominent South Korean chaebol (business conglomerate).

Iranian Hackers Attacked Websites of an African Bank and US Federal Library


According to Iran Briefing, hackers presenting themselves as Iranian defaced the websites of the Sierra Leone Commercial African Bank and the United States Federal Depository Library Program, posting pro-Iranian remarks and graphics.

The website of Sierra Leone Commercial Bank appeared with the text "H4ck3D IRANIAN HACKER" in Google search results.

According to screenshots posted on Twitter, the words "hacked by Iranian hacker, hacked by shield Iran" were written over a drawing of former IRGC Quds Force commander Qasem Soleimani, who was killed in a US airstrike.

According to CBC News, the library program's website was altered to show a bloodied picture of US President Donald Trump being punched in the face, as well as a message written in Farsi and English that read "martyrdom was Soleimani's... reward for years of implacable efforts," and another caption that read "this is only a small part of Iran's cyber ability!"

A spokesman for the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency confirmed the incident, though the hack has not yet been proven to be the activity of Iranian state-sponsored actors.

The representative stated, “We are aware the website of the Federal Depository Library Program [FDLP] was defaced with pro-Iranian, anti-US messaging.”

“At this time, there is no confirmation that this was the action of Iranian state-sponsored actors.”

The website has been removed from the internet and is no longer accessible. In coordination with the FDLP and other government partners, the Cybersecurity and Infrastructure Security Agency (CISA) is keeping an eye on the situation. 

According to another senior US official, the defacement was a minor event carried out by Iranian sympathizers. Former US Secretary of State Mike Pompeo had indicated at the time that a cyberattack by Iran against the US was a possible form of retaliation.

It's unclear whether the hackers were affiliated with any government or had any connection to Iran. The hack comes at a time when tensions between the US and Iran remain high following the killing of Qasem Soleimani, the chief of Iran's Revolutionary Guards Corps Quds Force, by a US strike in Baghdad on Jan. 2.

Iran has already threatened retaliation for the assassination, implying that US assets and interests in the Middle East, as well as US allies, may be targeted.

Ex-SEC Enforcer: Crypto Investors are Enabling Hackers


The founder of the Securities and Exchange Commission's internet enforcement bureau warned Thursday that investors in bitcoin and other digital currencies are helping online hackers. 

“Ransomware is hitting everywhere and they’re all collecting it in bitcoin because there’s no way they’re going to get caught. So you’re also enabling it,” John Reed Stark, now head of his own cybersecurity firm, told CNBC in an interview.

Stark said cryptocurrencies have almost no practical use, contrasting trading in them with the speculation that previously drove AMC Entertainment and other meme stocks like GameStop to great heights. Cryptocurrencies also require the registration and other procedures that would give them the visibility of U.S. capital markets, he added.

“At least with GameStop and AMC you’re not necessarily hurting anyone. ... But with crypto, you are really hurting a lot of people, and that sort of risk I don’t think is a good one for society,” Stark said. 

He also called crypto the essence of ransomware, a type of malicious software that can disrupt and even lock up computer networks.

Brazil's JBS, the world's largest meatpacker, has resumed most production after a weekend ransomware attack, the latest in a line of hacks. JBS blames hackers with links to Russia.

In May, Colonial Pipeline, the largest US fuel pipeline, paid a ransom after its operations were shut down for nearly a week. The FBI assesses that the attack on Colonial Pipeline was carried out by DarkSide, a Russian-linked group that demanded $5 million to restore service. DarkSide eventually shut down after receiving $90 million in cryptocurrency payments, and last year roughly $406 million in crypto payments were made to cyberattackers.

“The country is kind of falling apart from ransomware all because of crypto, and the main reason people own crypto is because they think someone else will buy it and make the price higher,” said Stark, who spent 18 years at the SEC’s Enforcement Division. “There’s no other reason to invest in it,” he stated.

BazaLoader Malware is Being Distributed by Hackers Using a Bogus Streaming Website


Proofpoint identified the phishing campaign in early May. It involved hackers creating a phoney movie-streaming website named BravoMovies and stocking it with phoney movie posters and other material to make it appear real to unwary visitors. Despite its attractive pictures and fun-sounding titles, it has nothing to offer for download other than BazaLoader malware. BazaLoader is a malware loader used to spread ransomware and other types of malware, as well as to steal sensitive data from infected computers.

"BazaLoader is a downloader written in C++ that is used to download and execute additional modules. Proofpoint first observed BazaLoader in April 2020. It is currently used by multiple threat actors and frequently serves as a loader for disruptive malware including Ryuk and Conti ransomware. Proofpoint assesses with high confidence there is a strong overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as Trickbot," the security firm said. 

The BravoMovies campaign employs a complex infection chain similar to that used by other BazaLoader affiliates, who lead their victims through a series of hurdles before the malware payload is activated. It starts with an email informing recipients that their credit card will be charged unless they cancel a subscription to the service, which they never signed up for.

The email includes a phone number for a call center staffed by live operators, who direct callers to a website where they can purportedly cancel the phoney movie-streaming subscription. Those who fall for the trick are instead led to download a booby-trapped Excel spreadsheet whose macros download BazaLoader.

The call-center staff direct callers to the BravoMovies website, where they are told to go to the Frequently Asked Questions page and unsubscribe via the "Subscription" page. They are then directed to download an Excel spreadsheet; if macros are enabled, the spreadsheet downloads BazaLoader. The second-stage payload in this campaign has yet to be identified, according to Proofpoint researchers.

Proofpoint researchers first noticed this use of BazaLoader in February 2021, when a pre-Valentine's Day malware campaign used lures pointing to bogus flower and lingerie stores. It has also been spotted in a campaign built around subscription pharmaceutical services.

Hackers Target Rogers With a New SMS Phishing Campaign


Rogers Communications Inc. is advising Canadians to be wary of SMS phishing scams that promise to refund customers for a network outage earlier last week. Users were unable to use cellular voice and data services after the network suffered a nationwide outage a week ago. Threat actors are now sending fraudulent text messages instructing recipients to click on a link to receive a rebate.

An SMS circulated on social media falsely reports that “R0GERS WIRELESS INC.” (spelled with a zero instead of an O) is providing a $50 credit to anyone who clicks on a link provided.

Rogers Communications Inc. is a communications and media corporation based in Canada. It operates mainly in wireless communications, cable television, telephony, and Internet connectivity, with substantial additional telecommunications and mass media holdings. Rogers is headquartered in Toronto, Ontario. While the business dates back to 1925, when Edward S. Rogers Sr. formed the Rogers Vacuum Tube Company to market batteryless radios, the current company dates back to 1960, when Ted Rogers and a partner purchased the CHFI-FM radio station and then became part-owners of a consortium that created the CFTO television station.

Rogers replied that it never sends credit notifications via text message and advises anyone who receives one to ignore the embedded link. Furthermore, the credit amount will vary based on the customer's plan and will not involve a registration link, according to the company.

According to Ericsson, the 16-hour wireless outage on April 19th was triggered by a software update that caused devices to be disconnected from the network. In a message to customers the next day, Rogers CTO Jorge Fernandes said, "We have addressed the software issue and our engineering and technical teams will continue to work around the clock with the Ericsson team to restore full services for our customers."

The links in these texts all point to websites hosted on a bare IP address rather than a domain name. It's unclear exactly what information was phished because the pages have all been taken offline, but it was almost certainly Rogers customers' personal and account information.
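The two indicators described above, a brand name spelled with a digit in place of a letter and a link hosted on a bare IP address, can be turned into simple triage rules. The following is an added example, not code from Rogers or the article; the sample messages, the protected-brand list and the lure words are constructed for illustration.

```python
"""Triage rules for refund-themed SMS lures of the kind described above.
Added example; sample messages, brand list and lure words are constructed."""
import ipaddress
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
# Digits commonly substituted for letters to imitate a brand ("R0GERS").
HOMOGLYPHS = str.maketrans({"0": "O", "1": "I", "3": "E", "4": "A", "5": "S", "7": "T"})
PROTECTED_BRANDS = {"ROGERS"}                 # assumed list of brands to watch
LURE_WORDS = ("credit", "refund", "rebate", "compensation")


def is_ip_host(url):
    """True if the URL's host is a literal IPv4/IPv6 address, not a domain name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def spoofed_brands(text):
    """Tokens that become a protected brand once digit look-alikes are mapped back
    to letters, e.g. 'R0GERS' -> 'ROGERS'. Tokens without digits are ignored."""
    found = set()
    for token in re.findall(r"[A-Za-z0-9]{3,}", text):
        if any(ch.isdigit() for ch in token):
            if token.upper().translate(HOMOGLYPHS) in PROTECTED_BRANDS:
                found.add(token)
    return found


def triage_sms(text):
    """Return the reasons a message looks like a refund smishing lure (empty if none)."""
    reasons = []
    urls = URL_RE.findall(text)
    for url in urls:
        if is_ip_host(url):
            reasons.append(f"link hosted on a bare IP address: {url}")
    for token in sorted(spoofed_brands(text)):
        reasons.append(f"brand name with digit substitution: {token}")
    if urls and any(word in text.lower() for word in LURE_WORDS):
        reasons.append("refund/credit lure combined with a link")
    return reasons


# Constructed messages modelled on the article's description (documentation IP range).
SAMPLE_MESSAGES = [
    "R0GERS WIRELESS INC.: You are eligible for a $50 credit for the outage. "
    "Claim it here: http://203.0.113.10/claim",
    "Rogers: Your monthly bill is ready. View it in the MyRogers app.",
]

if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print(message[:40], "->", triage_sms(message) or "no findings")
```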

Rogers is aware of the scam and has advised users to "forward the content of the SMS to 7726 (SPAM), to register it for investigation/blocking from the network," according to a tweet from the company.

Hotbit Shut Down all Services After a Cyberattack


After a reported cyberattack on Thursday, cryptocurrency exchange Hotbit has shut down all of its services. A note on the platform's website reads, “Hotbit just suffered a serious cyber-attack starting around 08:00 PM UTC, April 29, 2021, which led to the paralysation of a number of some basic services.”

While the hackers were unable to gain access to Hotbit's wallets, they were able to penetrate the platform's user database. Customers should ignore all contact from people claiming to be members of the exchange, according to the Hotbit team. Hotbit said that pending trading orders were cancelled to avoid losses while all regular activity is suspended during the ongoing maintenance. The exchange also agreed to cover all losses incurred on exchange-traded funds listed on its website during the maintenance period.

Before restoring servers and services, the exchange is checking for any evidence of tampering that may have contaminated its frequently backed-up data. Because of the time required to review backup data before the system restoration can begin, customers were advised that the investigation and recovery process could take anywhere from 7 to 14 days.

The attackers obtained access to plaintext customer information (phone numbers, email addresses, and asset data) held on Hotbit's servers, according to the company. Although customers' passwords and 2FA keys were protected, the exchange advised users to change their passwords on any other websites where they used the same credentials.

Alex Zhou, Hotbit's chief security officer, told users on the exchange's Telegram group that customer funds were unaffected by the attack, saying: “The attacker tried to break into the wallet server to steal funds but the action was identified and blocked successfully by Hotbit risk control system. All users’ funds are safe. At the same time, Hotbit is in the process of transferring all funds in hot wallet to cold wallet, the details of the whole integration could be seen on the chain.”

Data from the Ethereum transaction tracking platform Etherscan shows multiple token outflows from one of Hotbit's known wallets to another address that currently holds around $14 million in various altcoins.

According to comments on social media and in the platform's Telegram forum, the length of time provided for the maintenance is causing considerable unrest among Hotbit users.

Tag Barnakle Targets Various Web Servers with Malicious Ads


In a persistent campaign that has served malicious ads to tens of millions, if not hundreds of millions, of computers, criminals have infiltrated more than 120 ad servers and inserted malicious code into legitimate advertisements, redirecting visitors to sites that push malware and fraud. This has been going on since last year, with the ads appearing benign in every outward respect. The group behind this campaign is known as Tag Barnakle.

Malvertising is the practice of serving malicious advertising to viewers while they visit trustworthy websites. The ads contain JavaScript that surreptitiously exploits software flaws and attempts to make visitors download an unsafe application, pay fraudulent computer support charges, or perform other harmful actions. Typically, Internet fraudsters pose as advertisers and pay ad distribution networks to display the malicious advertising on individual pages.

Infiltrating the ad ecosystem as a legitimate buyer takes resources. Scammers first need to spend time studying how the industry works and then build a reputable-looking entity. The strategy also means paying for ad space in which to display the malicious advertising. This, however, is not the method used by the malvertising group called Tag Barnakle.

“Tag Barnakle, on the other hand, can bypass this initial hurdle completely by going straight for the jugular—mass compromise of ad serving infrastructure,” Confiant researcher Eliya Stein wrote in a blog. “Likely, they’re also able to boast an ROI [return on investment] that would eclipse their rivals as they don’t need to spend a dime to run ad campaigns.” 

Over the previous year, Tag Barnakle infected more than 120 servers running Revive, an open-source application for companies that want to run their own ad server instead of using a third-party provider. Once an ad server has been hacked, Tag Barnakle loads it with a malicious payload. The group uses client fingerprinting to identify the most enticing targets, ensuring the malicious ads are served only in limited numbers. The servers that supply the targets with a secondary payload also use cloaking techniques to ensure they fly below the radar.

When Confiant first reported on Tag Barnakle last year, the company found that about 60 Revive servers had been compromised, which allowed the group to distribute advertising on over 360 web properties. The ads triggered fake Adobe Flash updates that installed malware on desktop computers when run. This time, Tag Barnakle targets both iPhone and Android users. Web pages receiving an ad from an infected server are served heavily obfuscated JavaScript that determines whether a visitor is using an iPhone or an Android phone.

The advertisements mainly promote fake protection, security, or VPN apps with hidden subscription fees, or “siphon off traffic for nefarious ends.” The ads may also reach thousands of individual websites, since ad servers are frequently integrated with several advertising exchanges. Confiant does not know how many end users have been compromised, but the company believes the number to be huge.

The Code Testing Company CodeCov Suffers a Data Breach Which Went Undetected for Months


U.S. federal authorities are investigating a security breach at Codecov, which sells a tool that lets developers measure their code coverage and serves more than 29,000 customers worldwide. The company acknowledged the breach and reported that it went unnoticed for months.

The breach affected an undisclosed number of customers, including Atlassian, Procter & Gamble, GoDaddy, and the Washington Post. Specifically, attackers exploited an error in the creation of Codecov's Docker image to gain access to the Bash Uploader script, which customers use to map their development environments and report coverage data back to Codecov. After the breach was discovered on April 1st, 2021, a follow-up investigation found that the threat actor had had access to the script since at least January 31. Three additional uploaders built on the Bash Uploader were also affected: the Codecov CircleCI Orb, Codecov-actions for GitHub, and the Codecov Bitrise Step.

In a security update on the Codecov website, CEO Jerrod Engelberg explained that the attackers gained unauthorized access to the Bash Uploader script and modified it, allowing them to export any credentials, tokens, or keys stored in customers' continuous integration (CI) environments, along with any datastores and application code that could be accessed using those credentials, tokens, or keys. The information was then sent to a third-party server outside Codecov's infrastructure. The potential for downstream effects on Codecov users may be high, but the extent of the harm will depend on several factors, such as the identity and motives of the actor, the way Codecov structures its network, and what protocols, configurations, and access policies each user applies to their code environment.

Codecov is a privately held firm with a few dozen employees and annual revenue in the low millions of dollars. Despite the high profile of some of its clients, it has not attracted much attention since 2014, which suggests the threat actor did a good deal of research before choosing it as a target.

The degree of segmentation of Codecov's network could also partly determine what customer information and data the threat actors were able to access. Developers likewise should not be able to pull open-source code directly from the internet and use it unchecked. “It seems like every time I hire a new developer, that’s the first thing they do with the code they write, so we have to put automated checks in there so the moment somebody tries to do that, they get caught and it stops,” said Zanni.

Many have cited robust code-signing policies as standard practice. The breach reflects the "huge ROI for attackers to attack the supply chain," said John Loucaides, Vice President of Research and Development at a vulnerability research firm, adding that any alteration to code must be vetted by other parties before approval.

Bambenek says that although the attackers went completely unnoticed for months, detecting and disclosing a trivial change in the code within three months is impressive for a small company with limited resources like Codecov. He compared it with SolarWinds, which missed significant changes to Orion's software build platform for at least a year, if not longer, as did a multitude of customers and federal agencies with far bigger budgets.
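One concrete form of the "automated check" and vetting discussed above is to pin the digest of any helper script a pipeline fetches and refuse to run it if the fetched copy differs. The following is an added example, not Codecov's own code or its recommended procedure; it assumes the pinned SHA-256 comes from a trusted, out-of-band source such as a vendor release note, never from the same server that serves the script.

```python
"""Pin the SHA-256 of a fetched CI helper script and refuse to run a copy that
no longer matches. Added example; the pinned digest is assumed to be recorded
out-of-band when the script was reviewed."""
import hashlib
import hmac
import subprocess
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream the file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_script(path, expected_sha256):
    """True only if the file's digest equals the pinned value."""
    return hmac.compare_digest(sha256_of(path), expected_sha256)


def run_verified(path, expected_sha256, *args):
    """Execute the script with sh only after the pin check passes; raise otherwise.

    A CI job should treat the RuntimeError as a hard failure so that a tampered
    uploader never runs with the pipeline's secrets in its environment."""
    if not verify_script(path, expected_sha256):
        raise RuntimeError(f"integrity check failed for {path}: refusing to run")
    result = subprocess.run(["sh", str(path), *args],
                            capture_output=True, text=True, check=True)
    return result.stdout


def demo():
    """Constructed scenario: the known-good copy runs, an altered copy is blocked.
    Returns (output of the good script, whether the altered copy was blocked)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "uploader.sh"
        good.write_text("#!/bin/sh\necho 'uploading coverage report'\n")
        pinned = sha256_of(good)            # recorded when the script was vetted

        # Stand-in for a modified uploader: one extra line changes the digest.
        tampered = Path(tmp) / "tampered.sh"
        tampered.write_text(good.read_text() + "echo 'extra line'\n")

        output = run_verified(good, pinned).strip()
        try:
            run_verified(tampered, pinned)
            blocked = False
        except RuntimeError:
            blocked = True
        return output, blocked


if __name__ == "__main__":
    print(demo())
```

The check only protects against a script that changes after it was reviewed; it does nothing for a script that was already malicious when its digest was recorded, which is where the code review other parties perform comes in.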

“Codecov maintains a variety of information security policies, procedures, practices, and controls. We continually monitor our network and systems for unusual activity, but Codecov, like any other company, is not immune to this type of event,” Engelberg stated in the regard. “We regret any inconvenience this may cause and are committed to minimizing any potential impact on you, our users, and customers.”

Warning: Your WhatsApp May Be Hacked and There’s Nothing You Can Do


If one is not careful, things might get really unpleasant for WhatsApp users. A newly disclosed weakness could enable a remote attacker to deactivate WhatsApp on a victim's phone using nothing more than their phone number.

Alarmingly, two-factor authentication would be ineffective in preventing this. The attack does depend on some amount of error on the user's part, but at the next step, which should be designed to protect against this, two-factor authentication does nothing to stop it.

According to Forbes, security researchers Luis Márquez Carpintero and Ernesto Canales Perea demonstrated the weakness and were able to disable WhatsApp on a user's phone.

According to the report, there are two parts to this weakness. The first is the method for installing WhatsApp on any device. When one installs WhatsApp on a phone, an SMS code is sent to verify the SIM card and phone number. An attacker can trigger the same process by installing WhatsApp on their own phone and entering the victim's phone number. At this stage the victim will begin to receive six-digit codes via SMS, indicating that someone has requested a code to install WhatsApp with their number. There is nothing to be done at this point, and WhatsApp will continue to work normally.

Since this is part of the attack, these codes will arrive frequently. For a period of 12 hours, WhatsApp's verification process limits the number of codes that can be submitted and disables the ability to generate more. During this time, WhatsApp continues to function normally; however, one should not deactivate WhatsApp on the phone and try to reinstall it during this period. The weakness is expected to affect both WhatsApp for Android and WhatsApp for iPhone.

In the next step, the attacker creates an email account and writes to support@whatsapp.com claiming that the phone on which WhatsApp is active has been stolen or misplaced and that WhatsApp needs to be deactivated for that number, which is the victim's phone number. WhatsApp may send an email asking to confirm the phone number, but it has no way of knowing whether the email comes from an attacker or the legitimate owner. After a while, WhatsApp is deactivated for the victim's number. When the victim opens the app again, they see a message that says "Your phone number is no longer registered with WhatsApp on this phone."

The reasonable next step would be to try to reinstall WhatsApp on one's account. According to the report, no code will be sent via SMS, and the app will tell the user to "Wait before requesting an SMS or a call", because the victim's phone is now subject to the same limitation as the attacker's.

If the attacker waits for the 12-hour period to elapse and then emails WhatsApp again, the victim will still not be able to set up WhatsApp on their phone, even if they receive the text messages with codes.

The researchers indicate that after the third 12-hour cycle WhatsApp breaks down and, instead of a countdown, simply says “try again after -1 seconds”. The victim's phone and the attacker's phone are both treated the same way, and this is where the problem arises. If the attacker waits until now to email WhatsApp again to deactivate the number, the victim won't be able to re-register the app on their phone once they have been kicked out. The researchers told Forbes, "It's too late."
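The core of the lockout is a throttle keyed only on the phone number, so a stranger's code requests consume the owner's budget. The model below is an added illustration, not WhatsApp's code, and the window length, request cap and two policy names are assumptions chosen to mirror the report; it shows why keying the throttle on the requesting device as well as the number stops the lockout, and why the retry countdown must be clamped so it never reports "-1 seconds".

```python
"""Model of the SMS verification throttling the article describes. Added
example, not WhatsApp's code; constants and policy names are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

WINDOW_SECONDS = 12 * 60 * 60   # the report's 12-hour lockout window (assumed)
MAX_REQUESTS = 5                # assumed cap on code requests per window


@dataclass
class VerificationThrottle:
    """Counts code requests and refuses them once a window's cap is reached.

    policy="per_number": the counter is keyed only by the target phone number,
        so anyone requesting codes for a number consumes its owner's budget,
        which is the lockout the researchers demonstrated.
    policy="per_requester": the counter is keyed by (number, requesting device),
        so a stranger's requests cannot exhaust the legitimate owner's budget.
    """
    policy: str = "per_number"
    counts: dict = field(default_factory=lambda: defaultdict(int))
    window_start: dict = field(default_factory=dict)

    def _key(self, number, requester):
        return number if self.policy == "per_number" else (number, requester)

    def request_code(self, number, requester, now):
        """Return (allowed, retry_after_seconds) for one request at time `now`."""
        key = self._key(number, requester)
        start = self.window_start.get(key)
        if start is None or now - start >= WINDOW_SECONDS:
            self.window_start[key] = start = now   # open a fresh window
            self.counts[key] = 0
        if self.counts[key] >= MAX_REQUESTS:
            # Never report a negative wait: the "-1 seconds" message the
            # researchers saw is what an unclamped countdown looks like.
            return False, max(0, start + WINDOW_SECONDS - now)
        self.counts[key] += 1
        return True, 0


def lockout_scenario(policy):
    """Replay the report's sequence under the given policy: a stranger burns
    through the code budget for the victim's number, then the owner tries to
    re-register a minute later. Returns the owner's (allowed, retry_after)."""
    throttle = VerificationThrottle(policy=policy)
    victim = "+15550000000"          # constructed sample number
    for _ in range(MAX_REQUESTS):
        throttle.request_code(victim, requester="stranger-device", now=0)
    return throttle.request_code(victim, requester="owner-device", now=60)


if __name__ == "__main__":
    print("per_number    ->", lockout_scenario("per_number"))      # (False, 43140)
    print("per_requester ->", lockout_scenario("per_requester"))   # (True, 0)
```

Keying the throttle per requester closes only the lockout half of the problem; the support-email deactivation step still needs its own proof of ownership.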

“There is no way of opting out of being discovered on WhatsApp. Anyone can type in a phone number to locate the associated account if it exists. Ideally, a move towards being more privacy-focused would help protect users from this, as well as forcing people to implement a two-step verification PIN,” ESET’s Jake Moore told Forbes. 

WhatsApp's response to Forbes' Zak Doffman, unfortunately, does not evoke much trust. All they state is, “providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate.”

Slack and Discord are Being Hijacked by Hackers to Distribute Malware


A few famous online collaboration tools, including the likes of Slack and Discord, are being hijacked by hackers to disperse malware, experts have cautioned.

Cisco's security division, Talos, published new research on Wednesday featuring how, throughout the span of the Covid-19 pandemic, collaboration tools like Slack and, considerably more generally, Discord have become convenient mechanisms for cybercriminals. With developing frequency, they're being utilized to serve up malware to victims in the form of a link that looks reliable. In different cases, hackers have integrated Discord into their malware to remotely control their code running on tainted machines, and even to steal information from victims. 

Cisco's researchers caution that none of the techniques they found exploits an actual vulnerability in Slack or Discord, nor even requires Slack or Discord to be installed on the victim's machine. Instead, they simply abuse some little-scrutinized features of those collaboration platforms, together with their ubiquity and the trust that both users and network administrators have come to place in them. 

"People are way more likely to do things like click a Discord link than they would have been in the past, because they’re used to seeing their friends and colleagues posting files to Discord and sending them a link," says Cisco Talos security researcher Nick Biasini. "Everybody’s using collaboration apps, everybody has some familiarity with them, and bad guys have noticed that they can abuse them." 

For data exfiltration, the Discord API in particular has proved an effective tool. Its webhook functionality (originally intended for sending automated alerts) was designed to carry any kind of content, and malware frequently uses it to make sure stolen data reaches its intended destination. 

“Webhooks are essentially a URL that a client can send a message to, which in turn posts that message to the specified channel — all without using the actual Discord application,” the researchers say. “The Discord domain helps attackers disguise the exfiltration of data by making it look like any other traffic coming across the network.”
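Because webhook traffic blends in with ordinary Discord use, a practical detection starts from the one stable feature the researchers point at: the `/api/webhooks/<id>/<token>` path. The following is an added example of defender-side triage over a web-proxy log; it is not Cisco Talos code, and the log format (tab separated: time, client, method, URL, user agent, request bytes) and the sample lines are constructed.

```python
"""Spot Discord webhook POSTs in a web-proxy log (defender-side triage).

Added example, not Cisco Talos code. The log format is constructed and tab
separated: time, client, method, url, user-agent, request bytes.
"""
import re

# Webhook URLs look like https://discord.com/api/webhooks/<id>/<token>
# (discordapp.com is the legacy host); the path is the stable indicator.
WEBHOOK_RE = re.compile(
    r"^https?://(?:[a-z0-9-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+",
    re.IGNORECASE,
)
# Heuristic: people reach Discord via a browser or the Discord client, while
# scripted uploaders usually present a library user agent instead.
BROWSER_UA_RE = re.compile(r"Mozilla/|Discord", re.IGNORECASE)

# Constructed sample log lines (not real traffic; tokens are placeholders).
SAMPLE_LOG = """\
2021-04-07T10:01:02Z\t10.0.0.12\tGET\thttps://discord.com/app\tMozilla/5.0 (Windows NT 10.0) Chrome/89.0\t0
2021-04-07T10:02:15Z\t10.0.0.12\tPOST\thttps://discord.com/api/webhooks/123456789012345678/EXAMPLE-TOKEN\tpython-requests/2.25.1\t2048
2021-04-07T10:02:16Z\t10.0.0.12\tPOST\thttps://discord.com/api/webhooks/123456789012345678/EXAMPLE-TOKEN\tpython-requests/2.25.1\t4096
2021-04-07T10:03:00Z\t10.0.0.44\tPOST\thttps://discord.com/api/webhooks/987654321098765432/EXAMPLE-TOKEN2\tMozilla/5.0 (Windows NT 10.0) Chrome/89.0\t512
2021-04-07T10:05:10Z\t10.0.0.12\tGET\thttps://cdn.discordapp.com/attachments/1/2/report.pdf\tMozilla/5.0 (Windows NT 10.0) Chrome/89.0\t0
"""


def parse_line(line):
    """Split one tab-separated proxy record into a dict."""
    ts, client, method, url, ua, nbytes = line.rstrip("\n").split("\t")
    return {"ts": ts, "client": client, "method": method, "url": url,
            "ua": ua, "bytes": int(nbytes)}


def redact_token(url):
    """The webhook token is a secret: strip it before writing findings anywhere."""
    return re.sub(r"(/api/webhooks/\d+/)[A-Za-z0-9_-]+", r"\g<1><redacted>", url)


def find_webhook_posts(log_text):
    """Aggregate POSTs to webhook URLs per (client, webhook)."""
    stats = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] != "POST" or not WEBHOOK_RE.match(rec["url"]):
            continue
        key = (rec["client"], redact_token(rec["url"]))
        s = stats.setdefault(key, {"client": key[0], "webhook": key[1],
                                   "posts": 0, "bytes": 0, "non_browser_ua": False})
        s["posts"] += 1
        s["bytes"] += rec["bytes"]
        if not BROWSER_UA_RE.search(rec["ua"]):
            s["non_browser_ua"] = True
    return list(stats.values())


def classify(finding, byte_threshold=1024):
    """Label a finding; thresholds are assumptions to tune per environment."""
    reasons = []
    if finding["non_browser_ua"]:
        reasons.append("non-browser user agent")
    if finding["bytes"] >= byte_threshold:
        reasons.append("large upload volume")
    return ("suspicious" if reasons else "review"), reasons


if __name__ == "__main__":
    for f in find_webhook_posts(SAMPLE_LOG):
        print(classify(f), f)
```

Any webhook POST from a workstation deserves a look (hence "review"), but the combination of a non-browser user agent and a large upload volume is the pattern that matches the exfiltration use the researchers describe.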

As messaging applications grow in popularity, the threats will grow with them. Organizations should be aware of the risks and choose carefully which platform to use, the researchers concluded.

MIDC’s Server Hacked, Threat to Destroy Data

 

The server of the Maharashtra Industrial Development Corporation (MIDC) was recently hacked. The 'SYNack' ransomware hit the application and database servers hosted at MIDC headquarters in Mumbai, encrypting the data stored on them. The attackers emailed a demand for Rs 500 crore to MIDC's official mail ID, sources said. 

The malware also infected several desktop PCs across various MIDC offices. The attackers left a ransom note giving details of the attack and the steps to be taken to contact them for decryption of the data; however, no amount was mentioned in the note itself, according to a statement from the MIDC. After the hack, all 16 regional offices in the state, including the head office in Mumbai, were shut down. 

All data on the industrial estates, entrepreneurs, government entities and the various schemes associated with MIDC is held on an online system, and all work has been at a standstill since the hack last Monday. The MIDC approached the police, after which the Cyber Crime Police began their investigation into the incident, joint commissioner of police (crime) Milind Bharambe confirmed to the FPJ. 

 A statement issued by the MIDC read, "On Sunday, March 21, at around 2:30 AM, we received automated alerts that our applications were down. On further analysis during the day, the ransomware attack was confirmed. MIDC’s applications are hosted on ESDS cloud (services managed by ESDS, Cloud Service Provider) and local servers (managed by MIDC internal team). We have Trend Micro anti-virus license for end-point security monitoring. The details of the ransomware were shared with Trend Micro for further analysis." 

"As an immediate measure, the MIDC systems were disconnected from the network to contain the spread of the virus. The backup files for different application servers were stored on a different network segment on Cloud DC and were not infected. As per the recommendations from Cyber Security experts, several steps are being taken to control the spread of virus and minimize the impact," the statement read further.

Forex Broker Leaked Customer Records

 

White hat hackers have disclosed a significant leak of customer data by online forex broker FBS Markets. The exposed data comprises a large number of confidential records, including names, passwords, email addresses, passport numbers, national IDs, credit cards, financial transactions and more. Details of the breach, which was fixed after the broker was alerted, were disclosed by Chase Williams, a white hat hacker and website security expert, on the website WizCase. It is not yet clear whether any of the leaked data has been used for fraudulent purposes by threat actors.

The leak was found as part of an ongoing WizCase research project that scans for unsecured servers and tries to establish who owns them; WizCase then informed FBS of the issue. Williams said FBS had left a server containing nearly 20 TB of data and over 16bn records exposed. Despite holding highly sensitive financial data, the server was left open without password protection or encryption. WizCase's team said the FBS data “was accessible to anyone.” “The breach is a danger to both FBS and its customers,” WizCase said. “User information on online trading platforms should be well secured to prevent similar data leaks.”

The broker said, “The protection of our clients' privacy is one of the core values of FBS, and we stick to the highest protection standards. FBS has never had such major accidents. In October 2020 we faced an overheating on the server which affected our logs recording. During the time when we were setting up a new ElasticSearch server, several wrong subnet masks were added accidentally, which led to the possibility to access the server for a very limited number of people only, in a certain part of the world.” 

FBS added that it had completed a technical audit and that, to its knowledge, no data had been downloaded. It has contacted the affected customers whose data may have been compromised and advised them on what to do. FBS has also moved to a more strongly encrypted VPN and introduced an intrusion detection system, and has applied new rules for working with the broker's infrastructure along with other security measures.

32 Indian Organisations Attacked by Hackers via Microsoft Exchange Server

 

A new study published on Monday, 8 March, warned that financial and banking institutions in India have been the preferred target of cyberattacks. At least 32 Indian organizations were attacked by hackers exploiting vulnerabilities in unpatched Microsoft Exchange email servers. 
According to Check Point Research, finance and banking (28 percent) lead the list of attacked sectors, followed by government/military (16 percent), manufacturing (12.5 percent) and insurance/legal (9.5 percent). Overall, in the past few years, attacks on companies running unpatched on-premises servers have multiplied more than sixfold (or tripled). 

The most attacked country by far was the US (21 percent of all exploit attempts), followed by the Netherlands (12 percent), Turkey (12 percent) and India. The most targeted sector was government/military (27% of all attempts), then manufacturing (22%), followed by software vendors (9%), the researchers noted. 

"A full race has started among hackers and security professionals. Global experts are using massive preventative efforts to combat hackers who are working day-in and day-out to produce an exploit that can successfully leverage the remote code execution vulnerabilities in Microsoft Exchange," said the researchers from the cybersecurity firm. 

Amid reports that at least five separate hacking groups are targeting Microsoft's corporate email servers, the company has also identified a new ransomware family. Named "DearCry", the ransomware is "used after an initial compromise of unpatched on-premises Exchange servers," Microsoft said in a tweet last week. The vulnerabilities are the same ones Microsoft attributes to a recently identified hacking group, Hafnium, which it says is backed by China. 

Microsoft released a patch for Exchange Server, the world's most widely used email server, on 3 March. Exchange handles incoming and outgoing email, calendar invites, and nearly everything else available in Outlook. 

In January, two vulnerabilities were identified by Orange Tsai of DEVCORE, a security company based in Taiwan. Microsoft was unaware of the full extent of these findings and was asked to examine its Exchange server more closely; five further significant vulnerabilities were identified. These vulnerabilities allow an attacker to read messages from an Exchange server without authenticating or having access to an email account, and chaining additional vulnerabilities lets attackers take over the mail server entirely. 

"If your organization's Microsoft Exchange server is exposed to the internet, and if it has not been updated with the latest patches, nor protected by a third-party software, then you should assume the server is completely compromised," warned Lotem Finkelsteen, Manager of Threat Intelligence, Check Point Software.

Medical Records of Two US Based Hospitals Leaked on Dark Web

 

Two US hospital groups, Leon Medical Centers in Miami and Nocona General Hospital in Texas, were recently hit by ransomware attacks that allowed hackers to steal medical records relating to tens of thousands of patients and employees. Between them the two have eight facilities in Miami and three in Texas. Patients of both had their addresses, birthdays and even colonoscopy results published on the dark web as a result of the hack. The hackers released detailed patient information in an apparent effort to extort money. 

The documents, uploaded to a dark web site the attackers use to name and extort victims, contain patients' personal records, including names, addresses, treatment history and diagnoses. The posted material also includes letters to health insurers, and one folder contains background checks on hospital staff. A "2018 colonoscopies" spreadsheet lists 102 full names, dates and treatment details, with a "yes" or "no" column indicating whether the patient has a "normal colon." 

Cybersecurity experts are familiar with the gang that released the files. Typically the actors first encrypt the victim's files and demand payment; only rarely do they publish files openly on the dark web without first demanding a ransom. Yet that appears to be what happened with Nocona, and why the files were released remains unknown. The situation is stranger still, as an attorney representing Nocona General Hospital said there appeared to have been no malware infection or ransom demand. 

Leon Medical, for its part, has taken immediate steps to identify and address the issues that allowed unauthorized access to its systems. "Leon Medical is still in the process of a thorough review to identify all individuals whose information was impacted by this incident and will be providing written notice as soon as possible to individuals that Leon Medical determines have been impacted by this incident," it said. 

Since discovering the cyberattack, Leon Medical Centers, with the help of internet security experts, has promptly secured the compromised networks and investigated the nature and extent of the incident. The healthcare provider has notified both the FBI and the Department of Health and Human Services (HHS) of the misuse of patient information. 

The leak illustrates how hackers have attacked American hospitals, small companies, colleges and public computers in recent years, frequently infecting them with extortion malware that locks computers and renders them inoperable; the hackers then demand payment, normally in Bitcoin, to unlock the files. Most health institutions are unprepared for cyber threats and have few resources to respond to them, which makes them a primary target for such hackers.

Hackers Used Internet Explorer Zero-Day Vulnerability To Target Security Researchers

 

Recently, an Internet Explorer zero-day vulnerability was discovered in use in the North Korean attacks on security and vulnerability researchers. A zero-day vulnerability is a software flaw unknown to the people who could mitigate it; attackers can exploit it to compromise computer systems, files, devices and networks before a fix exists. 

Google announced last month that the state-sponsored North Korean hacking group Lazarus had carried out social-engineering attacks on security researchers, using social networks to approach targets and custom backdoor malware to compromise them. The Lazarus group is a North Korea-based advanced persistent threat (APT) group that has gained prominence in recent years as numerous cyberattacks have been attributed to it. 

The threat actors built elaborate online "security researcher" personas, which they use on social media to connect with well-known security researchers under the pretext of collaborating on vulnerability and exploit development, and then execute their attacks. 

To that end, the attackers sent malicious Visual Studio projects and links to a website hosting exploit kits in order to install backdoors on the researchers' computers. Microsoft also announced that it had tracked the attacks and observed Lazarus sharing MHTML files containing malicious JavaScript with researchers. The command-and-control server was down at the time of the investigation, so Microsoft was unable to examine any further payloads. 

More recently in this social-engineering campaign, South Korean cybersecurity company ENKI reported that Lazarus had sent MHTML files to its team. Although the attacks were unsuccessful, ENKI analyzed the payloads downloaded by the MHT files and found that they contained an exploit for a vulnerability in Internet Explorer. 

MHT/MHTML is a file format used by Internet Explorer to store a web page and its resources in a single file; it is also known as MIME HTML. The MHT file sent to ENKI's researchers was presented as a Chrome 85 RCE exploit and named "Chrome_85_RCE_Full_Exploit_Code.mht." 

When the MHT/MHTML file is opened, Internet Explorer automatically launches to display its contents. ENKI stated that, if script execution was allowed, malicious JavaScript would download two payloads, one of them containing an Internet Explorer zero-day exploit. ENKI confirmed that it reported the bug to Microsoft and was later contacted by a Microsoft employee. 
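Since the lure in this campaign relies on the MHT container opening in Internet Explorer, a useful defender habit is to inspect such files before anyone opens them. The following added example (not ENKI's or Microsoft's code) parses an MHTML file with Python's standard `email` package, which handles the underlying MIME multipart/related format, lists every part with its `Content-Location`, and flags HTML parts that carry script. The sample file is constructed: a harmless page, an image, and one HTML part with an inline script, so the triage has something to find; it contains no exploit.

```python
"""Inspect an MHT/MHTML file and flag parts that carry script.

Added example, not ENKI's or Microsoft's code. MHTML is MIME multipart/related,
so the standard-library email parser can read it. The sample file is
constructed for illustration and contains nothing malicious.
"""
import email
import re
from email import policy

SAMPLE_MHT = """\
Subject: Example page
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="----=_Part_EXAMPLE"

------=_Part_EXAMPLE
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: https://example.invalid/index.html

<html><body><h1>Hello</h1><img src=3D"logo.png"></body></html>

------=_Part_EXAMPLE
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Location: https://example.invalid/logo.png

iVBORw0KGgo=

------=_Part_EXAMPLE
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Location: https://example.invalid/loader.html

<html><body><script>document.title = 'stage two';</script></body></html>

------=_Part_EXAMPLE--
"""

# Script tags, javascript: URLs and inline event handlers are the markers that
# matter for a "will this run code when rendered?" question.
SCRIPT_RE = re.compile(r"<script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)


def inspect_mht(raw):
    """Return one record per leaf part: location, MIME type, size, has_script."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        content = part.get_content()  # str for text parts, bytes otherwise
        text = content if isinstance(content, str) else ""
        parts.append({
            "location": str(part.get("Content-Location", "(none)")),
            "type": part.get_content_type(),
            "size": len(content),
            "has_script": bool(SCRIPT_RE.search(text)),
        })
    return parts


def verdict(parts):
    """Summarise: which parts would execute script if the file were rendered."""
    flagged = [p["location"] for p in parts if p["has_script"]]
    if flagged:
        return "script-bearing MHT: review before opening", flagged
    return "no script found", []


if __name__ == "__main__":
    found = inspect_mht(SAMPLE_MHT)
    for p in found:
        print(p)
    print(verdict(found))
```

The `Content-Location` of each part is worth recording alongside the verdict: in a real file it tells you which resources the page expects to resolve, and script-bearing parts whose location does not match the claimed page are the ones to examine first.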

Concerning the aforementioned incident, Microsoft has said that they have investigated every aspect of the report and will surely provide an update in near future, “Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible.”

Patrons Become Victim to Depop Hacks

 

Since the lockdown began in March there has been a significant spike in online shopping, drawing many people to popular sites and apps. But as with any online shopping app, consumers face risks such as account hijacking, data breaches and fraud, and the pandemic has proved a golden opportunity for scammers, who have continued to plague a wide range of internet services. 

One opportunistic tactic used by the hackers is "credential stuffing": automated software repeatedly attempts to log into accounts using usernames and passwords exposed in data breaches of other popular online services. The tactic fails against anyone who does not reuse the same password across many sites, or who changed their passwords after being caught up in a breach. 
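From the service's side, credential stuffing has a recognisable shape in the authentication log: one source tries many different usernames, roughly once each, with a low success rate. The following added example (not Depop's code) runs that detection over a constructed log; the format (ISO time, source IP, username, SUCCESS or FAIL) and the thresholds are assumptions to tune for a real service.

```python
"""Detect credential-stuffing patterns in an authentication log.

Added example, not Depop's code. Log format is constructed:
"<ISO time> <source ip> <username> <SUCCESS|FAIL>", one event per line.
Thresholds (window, min_users, max_success_rate) are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 sprays 12 accounts in 6 seconds (one hit),
# 198.51.100.7 is one user fumbling their own password, 192.0.2.9 is benign.
SAMPLE_AUTH_LOG = """\
2020-10-12T09:00:01 203.0.113.5 alice FAIL
2020-10-12T09:00:02 203.0.113.5 bob FAIL
2020-10-12T09:00:02 203.0.113.5 carol FAIL
2020-10-12T09:00:03 203.0.113.5 dave SUCCESS
2020-10-12T09:00:03 203.0.113.5 erin FAIL
2020-10-12T09:00:04 203.0.113.5 frank FAIL
2020-10-12T09:00:04 203.0.113.5 grace FAIL
2020-10-12T09:00:05 203.0.113.5 heidi FAIL
2020-10-12T09:00:05 203.0.113.5 ivan FAIL
2020-10-12T09:00:06 203.0.113.5 judy FAIL
2020-10-12T09:00:06 203.0.113.5 ken FAIL
2020-10-12T09:00:07 203.0.113.5 leo FAIL
2020-10-12T09:05:00 198.51.100.7 alice FAIL
2020-10-12T09:05:20 198.51.100.7 alice FAIL
2020-10-12T09:05:40 198.51.100.7 alice SUCCESS
2020-10-12T09:10:00 192.0.2.9 mallory FAIL
2020-10-12T09:10:05 192.0.2.9 mallory SUCCESS
"""


def parse_events(text):
    """Parse log lines into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=10,
                    max_success_rate=0.2):
    """Return {ip: stats} for sources whose attempts look like stuffing.

    A sliding window per source counts distinct usernames and the success
    rate; many users with few successes is the stuffing signature, whereas a
    single user failing repeatedly is ordinary forgotten-password behaviour.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            hits = [u for _, u, ok in span if ok]
            if len(users) >= min_users and len(hits) / len(span) <= max_success_rate:
                cand = {"attempts": len(span), "distinct_users": len(users),
                        "successes": len(hits),
                        "possibly_compromised": sorted(set(hits))}
                # keep the widest window seen for this source
                if ip not in flagged or cand["distinct_users"] > flagged[ip]["distinct_users"]:
                    flagged[ip] = cand
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_events(SAMPLE_AUTH_LOG)).items():
        print(ip, stats)
```

The `possibly_compromised` list is the actionable output: those are the accounts whose reused password just worked for an attacker, and they are the ones to lock and force through a password reset, which is the same remedy the article's description of the tactic implies for users.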

One such case of account hijacking involved Amelia Strike, a 21-year-old law student from Birmingham, who was unexpectedly logged out of her Depop social shopping app account in October. She said: "I thought I had just forgotten my password when I couldn't get back in, but a couple of days passed and I realized something wasn't right”, adding, "I just felt so violated”. 

Later she received a message from a stranger on Instagram alerting her that her account had been taken over by a hacker offering Apple AirPods headphones for £50. She also discovered that the hacker was scamming many Depop customers under her name, instructing them to pay via PayPal's “Friends and Family” option. This payment method bypasses Depop's fees and offers buyers no protection. 

She acted quickly, using her brother's Depop account to comment on the offending post and contacting the company for help. Her report was picked up, and within a few hours the firm removed the hacker's posts and reset her password. Strike knows of at least three Depop users who paid the hacker through the unauthorized method. 

To make the scam listing look genuine, the hacker even uploaded a picture of her name written on a post-it note next to the headphones supposedly for sale. This is a common technique among people selling second-hand goods online to show that the images have not been copied from another listing. 

She is not the only one whose Depop account was hacked; 14 other users have reported similar cases. In every case the fraudsters insisted on being paid directly rather than through the app. Depop has urged its users to pay only through the official method, stating, “We consistently communicate this to our community and reinforce that the only safe way to purchase is on the Depop app or website via the buy button.”

Remote Images Used by Hackers to Evade Email Filters

 

Phishing emails impersonating well-known brands such as Microsoft or PayPal need visual content to succeed. From brand logos to colourful pictures, images give the recipient a visual cue that the email is harmless and authentic. Images not only lend authenticity to otherwise fake emails; they also make filtering much harder. Image spam has long been a popular technique for evading textual content analysis, because there is no meaningful content to extract from the email's text parts. 

While detecting identical images is relatively simple, thanks to signatures based on cryptographic hash algorithms such as MD5, detecting merely similar images requires complex and costly algorithms. Indeed, to evade detection, phishers alter images slightly, changing the compression level, colorimetry or geometry to slip past email filters. The goal is to make every image unique so as to defeat signature-based technologies.
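The contrast between an exact signature and a similarity measure is easiest to see in code. The following is an added example, not Vade Secure's technology: it computes an MD5 signature and a difference hash (dHash, a simple perceptual hash) over a constructed grayscale "logo", then applies the kinds of tweak the paragraph describes (brightness shift, coarser quantisation standing in for recompression, a one-pixel edit). To stay dependency-free, an image is a small list of pixel rows rather than a decoded file.

```python
"""Exact hash versus perceptual hash for near-duplicate image detection.

Added example, not Vade Secure's code. An "image" here is a constructed
grayscale matrix (rows of 0-255 values); dHash downsamples it to 9x8 and
records whether each pixel is darker than its right-hand neighbour.
"""
import hashlib


def make_logo(reverse=False):
    """Constructed 16x18 'logo': horizontal gradient with a dark box in it."""
    img = []
    for r in range(16):
        row = []
        for c in range(18):
            v = 190 - 10 * c if reverse else 20 + 10 * c
            if 4 <= r <= 11 and 6 <= c <= 11:
                v = 0  # the dark box
            row.append(v)
        img.append(row)
    return img


def md5_signature(pixels):
    """Exact signature: any single-byte change yields a different digest."""
    data = bytes(v for row in pixels for v in row)
    return hashlib.md5(data).hexdigest()


def dhash(pixels):
    """Difference hash: 8 rows x 8 comparisons = 64 bits."""
    h, w = len(pixels), len(pixels[0])
    # nearest-neighbour resize to 9 columns x 8 rows
    small = [[pixels[r * h // 8][c * w // 9] for c in range(9)] for r in range(8)]
    bits = 0
    for row in small:
        for c in range(8):
            bits = (bits << 1) | (1 if row[c] < row[c + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two 64-bit hashes."""
    return bin(a ^ b).count("1")


def similar(a, b, threshold=10):
    """Treat hashes within `threshold` bits as the same picture (assumed cut-off)."""
    return hamming(a, b) <= threshold


# The manipulations a phisher might apply to defeat exact matching.
def brighten(pixels, delta):
    return [[min(255, v + delta) for v in row] for row in pixels]


def quantize(pixels, step):
    """Coarser levels, a stand-in for changing the compression setting."""
    return [[(v // step) * step for v in row] for row in pixels]


if __name__ == "__main__":
    logo = make_logo()
    tweaked = quantize(brighten(logo, 15), 16)
    print(md5_signature(logo) == md5_signature(tweaked))   # exact match fails
    print(hamming(dhash(logo), dhash(tweaked)))             # perceptual distance
```

Because dHash only records the sign of neighbouring differences, a uniform brightness change or a coarser quantisation leaves the hash untouched, and a local edit flips only the bits it touches; the reversed gradient, a genuinely different picture, lands far away. The threshold is the tuning knob a filter has to choose between missed near-duplicates and false matches.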

Remote images have emerged as the latest filter-bypass technique for attackers seeking to exploit weaknesses in email security technology. Unlike embedded images, which email filters can analyse directly, remote images are hosted on the web and must therefore be fetched before they can be analysed. In 2020 the use of remote image-based threats surged: in November 2020 alone, Vade Secure analysed 26.2 million remote images and blocked 262 million emails containing malicious remote images. 

Analysing a remote image requires fetching it over the network. Exploiting this weakness, cybercriminals use additional techniques to make the process more cumbersome for security scanners, such as:

 • Multiple redirections

 • Cloaking techniques

 • Abuse of high-reputation domains 

Blocking image-based threats requires computer vision, the scientific field concerned with how computers can gain a high-level understanding of visual content. Vade Secure deployed its first computer vision technology, based on deep learning models (VGG-16, ResNet), in mid-2020 to recognise brand logos in emails and on websites. The deep learning models were trained on a mix of collected images and artificially generated ones. 

The result is that many of these emails go undetected. For users, this often means receiving a phishing email and reporting it, only to receive it again, sometimes repeatedly.

Hackers Hijacked Smart Devices and Live-Streamed Swatting Incidents

 

Technology is advancing at a great pace, and we are becoming the victims of our own creations. In the modern era our reliance on technology is bound to grow, but other factors must be checked to ensure lasting security and privacy. Misconceptions and a lack of knowledge among users are what allow hackers to make enormous gains. 

Recently, one such incident took place in which hackers made hoax 911 calls to police and other authorities against innocent residents, leading to "swatting", and then hijacked the victims' smart home devices to live-stream the resulting police raids. The FBI confirmed that the hackers even spoke to the responding officers through the hijacked equipment. 

What is “Swatting”?

Swatting attacks, which the hackers are escalating, are a criminal offense. The perpetrators attempt to fool the authorities with a hoax phone call, falsely reporting an emergency so that armed officers are dispatched immediately to the stated residence. 

This was not the first incident of this kind. The FBI has clearly stated that such attacks carry "deadly" risks and appalling consequences. One such hoax call cost the life of an innocent person three years ago, when police in Kansas shot a man based on information supplied by the hoax callers. 

Why do such incidents happen, with hackers easily getting into owners' supposedly secure devices? 

After investigating the incident, the FBI gave valuable insight into the matter: officials explained that such "pranks" succeed because the victims reused passwords from other devices and services when setting up their smart home devices, making the attackers' work exceedingly simple.

Credentials for such devices are readily stolen, sold and bought on the dark web, the hub for confidential information; and when the same password is used across multiple devices and services, it becomes easy for hackers to get into the home's security system. 

“The [perpetrators] call emergency services to report a crime,” the FBI said. 

“The offender watches the Livestream footage and engages with the responding police through the camera and speakers. In some cases, the offender also live streams the incident on shared online community platforms.”

Given the rise in such cases, the FBI has urged victims and all owners of smart devices and services to change their passwords immediately and to update them regularly.