UK Police's Forensic firm targeted in cyber attack









An investigation has been launched after a ransomware attack targeted the UK’s largest private forensics provider, which is widely used by forces across the country. 

The firm Eurofins scientists detected a breach of its systems on June 2. After following the report, police have suspended all its work with the company. The company carries out DNA analysis, toxicology, ballistics and computer forensics work.

The National Police Chiefs’ Council, Chief Constable James Vaughan, said in a statement: “We have put our national contingency plans in place, which will see urgent submissions and priority work diverted to alternative suppliers to be dealt with as quickly as possible.’’

“It is too early to fully quantify the impact, but we are working at pace with partners to understand and mitigate the risks. We will share more information as soon as we can.”

The company has been told to return the casework that had not been started. They deal with more than 70,000 cases ever year, including murders and terrorism.  



Beware of new phishing scam that’s attacking Google Calendar

No matter which corner of the internet you visit, you'll find scammers trying to take advantage of you. You may already know to be skeptical of emails, Facebook posts, and dating profiles that seem too good to be true. And some times they even try to take control of our data - primarily the financial data - using the alleged calls from customer care executives. Quite frankly, no one is immune to receiving such unsolicited messages or emails. But thanks to their popularity, everyone knows the drill to safeguard themselves. Just don't click on suspicious emails or links and don't reveal your financial information to anyone and you are good to go. You know this. I know this and even scammers know this. And so now, reports are that there's a new type of security threat that targets your Google Calendar.

Scammers are using Google Calendar and other calendar apps to target innocent users in a new type of phishing scam, according to a global security firm.

Findings from the threat intelligence firm Kaspersky show there's been a recent wave of scam artists using hyperlink-embedded events to gain access to people's sensitive information. They start by spamming Google Calendar users with seemingly benign calendar invites. Anyone can accept the invitations, but the real targets are users with the default setting that automatically adds every event they're invited to to their Google Calendar. Once it's been added, Google sends notifications related to the event, making it seem more trustworthy.

The scam is thought to have happened throughout May this year.

The fake invitations contained a malicious website link that encouraged users to input their personal details, often in the form of a simple questionnaire that promised the chance to win money or other prizes if completed.

Kaspersky researchers say that users can safeguard themselves by turning off the automatic adding of invites to your Google Calendar app.

Sim swapping attacks hit US cryptocurrency users

Something strange happened last week, with tens of US-based cryptocurrency users seeing SIM swapping attacks.

Numerous members of the cryptocurrency community have been hit by SIM swapping attacks over the past week, in what appears to be a coordinated wave of attacks.

SIM swapping, also known as SIM jacking, is a type of ATO (account take over) attack during which a malicious threat actor uses various techniques (usually social engineering) to transfers a victim's phone number to their own SIM card.

The purpose of this attack is so that hackers can reset passwords or receive 2FA verification codes and access protected accounts.

These types of attacks have been going on for half a decade now, but they've exploded in 2017 and 2018 when attackers started focusing on attacking members of the cryptocurrency community, so they could gain access to online accounts used for managing large sums of Bitcoin, Ethereum, and other cryptocurrencies.

But while these attacks were very popular last year, this year, the number of SIM swapping attacks appeared to have gone down, especially after law enforcement started cracking down and arresting some of the hackers involved in these schemes.

Something happened last week

But despite a period of calm in the first half of the year, a rash of SIM swapping attacks have been reported in the second half of May, and especially over the past week.

Several users tweeted their horrific experiences.

Some of them have publicly admitted to losing funds, such as Sean Coonce, who penned a blog post about how he lost over $100,000 worth of cryptocurrency due to a SIM swapping attack.

Some victims avoided getting hacked

Some other victims candidly admitted to losing funds, while others said the SIM swapping attacks were unsuccessful because they switched to using hardware security tokens to protect accounts, instead of the classic SMS-based 2FA system.

The Russian Embassy responded to accusations from London in cyber attacks


The Press Secretary of the Russian Embassy in the UK said that the cyber attacks, which were stated by the British Minister, are not a real problem, but only a reason for the forcing of anti-Russian sentiment.

Recall that on Thursday, British Foreign Minister Jeremy Hunt once again accused Russia of carrying out cyber attacks in order to "undermine the critical infrastructure" and "change the results of the elections" in many countries.

The diplomatic mission stressed that the Russian side "repeatedly at various levels offered British partners cooperation on the issue of cyber threats". However, there has been no reaction from London.

The diplomats expressed the opinion that the new anti-Russian statement of the British Minister indicates that the Russian cyber attacks are not a problem for the British authorities, but an occasion to " forcing anti-Russian sentiments on an international scale."

The Russian Embassy stressed that such statements cause regret and serious concern. In addition, they added that, perhaps, London in this way hides preparations for a cyber attack on Russia.

However, no one in Europe believes Hunt. The President of the Czech Republic Milos Zeman commented on the allegations of Russian influence on the elections.

"Fake news is that Russians, Chinese or someone else influence the elections. Such false news is aimed at creating panic, they are spread by those who are afraid of losing. They are looking for an excuse to lose the election in advance," the Czech leader said.

It is worth noting that Russia has repeatedly denied all the allegations of attempts to influence democratic processes in different countries. Western countries have repeatedly attacked Moscow on this issue.

Earlier, for example, the State Secretary Mike Pompeo said that Russia interfered in the US elections in 2012, in 2008 and in 2004. However, he did not provide any evidence of his words.

Russian Senator Alexei Pushkov drew attention to the fact that from Pompeo's statements it can be concluded that "Russia has been interfering in the US elections since he went to school." At the same time, he noted with irony that maybe Moscow chose Pompeo.

Hacker stole $1.75 million from church





The hackers have successfully stolen $1.75 million from the church Saint Ambrose Catholic Parish  using a successful BEC(Business Email Compromise) in which hackers trick email users to send the money in wrong banks. The attack was discovered on April 17 after contractor  of Vision 2020 project inquired church for not receiving monthly installment .

BEC which is also known as Email Account Compromise (EAC)  are very common among hackers where not much technical skills are required, it just rely on tricking people into wiring money to trusted bank while bank accounts are usually controlled by the hackers.

The Parish’s website posted, “With 16,000 members made up of 5,00 families, Saint Ambrose is the second largest church in the Diocese of Cleveland and the largest church in Brunswick, Ohio."

Pastor Father Bob Stec sent a letter to the Parish saying “On Wednesday, Marous Brothers called inquiring as to why we had not paid our monthly payment on the project for the past two months totaling approximately $1,750,000. This was shocking news to us, as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to Marous were executed/confirmed.”

After  an FBI investigation of the cyber attack  incident, it was found that the hackers hacked the  the parish's email system through phishing attack and were able to trick the staff   convincing them that the contractor had changed their bank account and making them transfer money to the fraudulent bank  account.

According to the investigation only email system of the Parish was hacked while the database that is "stored in a secure cloud-based system. This allows for many layers of security/protection of our parish database information."

According to the reports of  cleveland.com, Father Stec's letter also states “We are now working closely with the Diocese, legal counsel, the insurance program, and the FBI to investigate the situation further and file the appropriate insurance claims. At the same time, we brought in information technology consultants to review the security and stability of our system, change all passwords, and verify the integrity of our databases and other pertinent information. They have determined the breach was limited to only two email accounts. “.

The parish has  submitted an insurance claim to pay to the contractor in timely manner for the project 2020.


Hacker from Novovoronezh was convicted of a cyber attack on the library

A resident of Novovoronezh received a year of imprisonment for a cyber attack on the Kurgan Regional Universal Scientific Library. The crime was solved by employees of the FSB of the Voronezh region.

According to the Press Service of the Voronezh Prosecutor's Office, in February 2018, 24-year-old Mikhail Nazarov installed malicious software on his PC with which allowed him to destroy, block, modify or copy the information and to bypass its protection. The guy found the Internet resource of the Government of the Kurgan region, namely the Library and committed a series of cyber attacks. Why the young man chose this resource is not specified.

However, hacker came to the attention of the FSB, whose officers seized cyber attacks and detained the attacker. Law enforcement authorities opened a criminal case under the article “Creating, using and distributing malicious computer programs”. The maximum penalty under this article is 4 years of imprisonment.

The Court found the young man guilty and sentenced him to one year in prison conditionally. Nazarov received a shorter sentence since he admitted his guilt.

We will remind that earlier the Court of the Voronezh region has sentenced a 30-year-old local resident to one and a half years of imprisonment and 10 thousand roubles a fine for hacker attacks on State sites of Siberia and the Far East. Moreover, the hacker managed to hack the websites of commercial organizations. The man used the hacked services for personal mercenary purposes, including mining.

Russian Speaking Hacker Compromises and Gains the Full Control of the Government Network Systems



Another rush of cyber-attacks from a Russian speaking hacker has been recently discovered by researchers and distinguished as one who utilizes the weaponized TeamViewer, the most mainstream and popular device used for remote desktop control, desktop sharing, online gatherings, web conferencing as well as record exchange between computers, to compromise and deal with the Government network systems.

This malignant campaign ceaselessly utilizes TeamViewer by adding TeamViewer DLL in order to deliver powerful malware that steals sensitive data and money from the various governments with addition to the financial systems.

In view of the whole infection chain, the tools created and utilized in this attack, the underground activity influences the analysts to believe that the attack was led by a financially inspired Russian speaking hacker.

The underlying phase of this infection chain begins by delivering a spam email under the subject of "Military Financing Program" with the attached malevolent XLSM document with installed macros.

A well-crafted malevolent document acted like the U.S Department of State which is marked as "top secret” persuading the victims to open it. When the victims open that 'decoy document' and empower the macro, there are two files extricated from the hex encoded cells in the XLSM document.



The first one is a legitimate AutoHotkeyU32.exe program, the second one on the other hand is an AutoHotkeyU32.ahk which is also an AHK script to communicate with C&C server to download the additional script and execute it.

By means of using this strategy, attackers concealing the TeamViewer interface from the users view, sparing the current TeamViewer session credentials to a text file and allows the exchange and execution of extra EXE o DLL documents 

In light of the Telemetry record, this attack is said to be focusing on nations including Nepal, Guyana, Kenya, Italy, Liberia, Bermuda, Lebano public financial sector in addition to the government officials.


Russian Hackers attacked European Embassies






According to a report in Check Point Research, Russian hackers attacked several European embassies by sending them malicious email attachments disguised as official documents.

The European embassies in Italy, Guyana, Nepal, Liberia, Bermuda, Lebanon and Kenya were targeted by the hackers . The malicious email attachment looked like document from United States State department and contained Microsoft Excel sheets that contained macros, once those macros were opened, the hackers took complete control of the infected system through TeamViewer, which is a popular remote access service.

According to the Press release “It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting,” it further added “since it was not after a specific region and the victims came from different places in the world”

According to the Checkpoint government officials from revenue were the intended target “They all appear to be handpicked government officials from several revenue authorities,” the press release says.

CheckPoint suggested that the attackers are from Russia but denied the possibility of state — sponsored attack. One of the hacker was traced back and it was found that it has a registration on carding forum as a username “Evapiks," the hacker has instructed how to carry out cyberattacks on forums . Because of the attackers involvement in the carding community, checkPoint suggested the attack  could have been “Money motivated”


Banking Malware Being Distributed By Hackers Via Password Protected Zip Files!





Cyber-cons have a new way of wreaking havoc. Hackers have found another unique way to bypass security. Reportedly the infamous BOM technique’s to blame.

The “Byte Order Mark” technique goes about altering the host’s files on the windows system.

The major superpower of the BOM is helping the threat actor group to be under the line of display or detection.

The researchers from a very widely known anti-virus firm noticed a new campaign that majorly worked on spear phishing.

The spear phishing process would help to deliver the infected files to the victim’s system.

The moment the user attempts to open the ZIP file using their default browser, it all crashes and an error sign pops up, saying.

According to the researchers, the legit ZIP files start with “PK” and are of (0x 504B). The BOM have extra three bytes (0x EFBBBF) found within UTF-8 text files.

In some systems the ZIP archive format goes undetected but in some systems it’s recognized as a UTF-8 text file and the malicious payload isn’t extracted.

The same files on the other hand could be opened via third-party functions to name a few 7-Zip & WinRAR.

Once the extraction of the file is done, the malware is executed thence beginning the infection process.

Systems using third party utilities are more susceptible to such malware attacks than the rest.

The malicious executable is just a tool to help load the main payload inserted within the main source section.

The malware originates from a DDL along with a BICDAT function encrypted with the XOR based algorithm.
The library then downloads a second stage of payload, the password protected ZIP file.
The dcyber crownloaded payload material is encrypted using similar functions as the inserted payload.
After having extracted the necessary files the last and final payload is launched, which goes by the name of “Banking RAT malware.”
This RAT scours information like access card codes, dates of birth, account passwords, electronic signature, e-banking passwords and etc from the system.

Krasnoyarsk hacker tried to hack the State procurement site

The Krasnoyarsk court imprisoned a resident of Krasnoyarsk who tried to hack the State procurement site of the Vladimir region but was caught by the FSB.

According to the Prosecutor, in February 2016 hacker installed on his computer a special program for illegally copying files from other electronic devices. Further, he tried to hack the State procurement site of the administration of the Vladimir region and get logins and passwords to some data. However, the attempt to hack the State resource was identified and stopped by the FSB officers.

It should be noted that the defendant was an information security officer at a large Russian bank.

The court found the man guilty and sentenced him to 2 years of imprisonment with a fine of 50 thousand rubles.

The hacker disagreed with the decision of the court and tried to appeal the verdict, but the regional court rejected his arguments and left the decision of the court of the first instance unchanged.



Venezuelan blackout due to cyber-attack, says president


Over the last two months, Venezuela has been going through a political and economic crisis with two claimants to the President’s chair and the US imposing sanctions to pressure the incumbent regime. Matters reached a head last week when opposition leader Juan Guaidó, who has declared himself acting President and has the support of the West, returned home after a self-imposed exile to cheering crowds in Caracas. He is trying to force out left-wing dictator Nicolas Maduro, President since 2013, who has declared himself the winner of a controversial election.

Guaidó, 35, was born in the beach town of Vargas, which was severely hit by flash floods in 1999. The family moved to Caracas, where Guaidó studied engineering. It was in 2006 that Guaidó emerged in politics, as one of the principal leaders campaigning for freedom of the press amid a crackdown by then President Hogo Chávez. Guaidó formed his party, Voluntad Popular, which is today leading the fight against Maduro. This year, Guaidó’s party declared him President of the National Assembly, the country’s Parliament.

Ever since the global crude oil downturn, Venezuela has slipped into an economic crisis. Its crime rate has doubled and inflation multiplied. The West-imposed sanctions have now led to a prolonged electricity blackout.

Seventeen people have died in Venezuela's massive power outage, "murdered" by the government of President Nicolas Maduro, opposition leader Juan Guaido alleged Sunday.

The blackout heightened tensions between the opposition and government loyalists, who accuse each other of being responsible for the collapse of the power grid.

Venezuelan president says complete blackout caused by 'an international cyber-attack' with support from within.
Venezuela's President Nicolas Maduro says the country's complete electrical failure has been caused by "an international cyber-attack" but that his administration has "defeated their coup".

Guaido, Venezuela's self-declared interim president, said Sunday that 16 states continued to be completely without power, while six had partial power. He said the private sector had lost at least $400 million from power outages.

Electricity was cut to 70% of the South American nation late last week, and officials warned that hospitals were at risk.’

"Venezuela has truly collapsed already," Guaido told CNN Sunday in an interview in a sweltering hotel room in the Venezuelan capital -- another byproduct of the blackouts.

Enterprise VPN Provider Citrix, Hacked; 6TB of Sensitive Data Stolen



Enterprise VPN provider, Citrix, was subjected to a hack which is doubted to have stolen private data pertaining to the company’s technology.

On Friday, Citrix told that FBI informed them about "international cyber criminals" working their way into the organization’s networks.

They were further told that most probably the criminals resorted to the technique of “password spraying” to break into the company’s networks. They did do by appropriately guessing the password to an account which belongs to the company.

The hackers involved are reported to be a part of an Iranian Hacking group which has attacked over 200 companies, along with multiple government agencies, technology firms and gas, and oil companies.

Referenced from a blog post by Resecurity, the cybersecurity firm contacted Citrix in an attempt to warn them about the hack which was on the way.

And, while refraining from telling the origins of the source from where the firm learned of the hack, it said that it "has shared the acquired intelligence with law enforcement and partners for mitigation."

While FBI denied commenting on the matter, Resecurity drew a connection between the hackers and a nation state, "due to strong targeting on government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of economy."

Citrix expressed a probability of business documents being acquired and downloaded by the attackers and told in a notice, "The specific documents that may have been accessed, however, are currently unknown."

"Citrix has taken action to contain this incident. We commenced a forensic investigation; engaged a leading cybersecurity firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI," the company further included in the notice.



Anonymous Threat Group Compromised 1 Million Web Pages of Popular Brands like Coca-Cola and McDonalds’s



Around 1 million Israeli based webpages owned by renowned brands like McDonalds’s and Coca-Cola have been compromised by an anonymous group of hackers who notably breached the websites of leading brands which were introduced for Israel natives with address ‘co.il’  – Cocacola.co.il and McDonalds.co.il and etcetera.  

The hacker group employed third-party accessibility plug-in known as ‘nagich.co.il’ which loaded infected JavaScript code that compromised the website and assisted the threat actors in exploiting and corrupting a million of web pages.

There’s a critical vulnerability which existed in the disabled page accessibility plug-in, Nagich, it permitted access to more than 1 million Israel based webpages and primarily assisted the attackers in corrupting the webpages.

Besides websites of renowned brands – Coca-Cola, McDonald’s and Toys"R"Us, other popular websites namely Ynet and Calcalist also fall prey to this breach. Reportedly, the attackers corrupted these websites and displayed political messages.

The Nagich website is not a usual site, it’s a website which contains an accessibility plugin - a Javascript which runs on a website which opts for this service and provides it a multitude of options. 

On giving necessary permissions, the severe vulnerability can run code on the website which means it can make any changes in our site and do whatever it wants. Hackers exploited it to replace the malicious code with an embedded link with the motives of corrupting webpages.

Due to the delay in taking remedial measures to patch the vulnerability, Nagich officials, in a way led hackers to compromise hundreds of webpages.  



Iranian Hackers Come Worryingly close To Israel’s Missile Warning System





Israel's military scrambles to protect alerts from being undermined as Iranian hackers came 'worryingly close' to their missile warning system. In the wake of observing them to recognize their intent, the military blocked them after distinguishing the hackers in 2017 and when it turned out to be clear what their objective was.

Brigadier General Noam Shaar, outgoing head of the cyber defense division in the army's Cyber Defense Directorate, who has been associated with building up Israel's cyber defense operations for as far back as 20 years, says that,“We dealt with them and built another barrier and another monitoring system to make sure we could stop them if they tried again. We can’t wait until Iranian cyber becomes a major, major threat,”

While the U.S. - based cyber security firm FireEye Inc. in the wake of following attackers for a while, said in January that Iran could be behind a rush of hacks on government and communications infrastructure over the Middle East, North Africa, Europe and North America, Iran’s Information and Communications Technology Ministry and Telecommunications Ministry had no remarks on its supposed exercises.

In any case Iran has blamed Israel for cyber-attacks, as well, most recently in November when it said it rebuffed an Israeli cyber-attack on its telecommunications infrastructure.

Rhea Siers, a former senior official at the U.S. National Security Office, even says that, “The Iranians have been eager ‘to make themselves known’ in the cyber domain and have certainly done so, while it is certainly true that Israel is a key Iranian cyber target, that is different than assessing Iran’s strength across the entire cyber domain.”


New attack lets hackers run bad code despite users leaving web page

Academics from Greece have devised a new browser-based attack that can allow hackers to run malicious code inside users' browsers even after users have closed or navigated away from the web page on which they got infected.

This new attack, called MarioNet, opens the door for assembling giant botnets from users' browsers. These botnets can be used for in-browser crypto-mining (crypto jacking), DDoS attacks, malicious files hosting/sharing, distributed password cracking, creating proxy networks, advertising click-fraud, and traffic stats boosting, researchers said.
The MarioNet attack is an upgrade to a similar concept of creating a browser-based botnet that was described in the Puppetnets research paper 12 years ago, in 2007.

The difference between the two is that MarioNet can survive after users close the browser tab or move away from the website hosting the malicious code.
This is possible because modern web browsers now support a new API called Service Workers. This mechanism allows a website to isolate operations that rendering a page's user interface from operations that handle intense computational tasks so that the web page UI doesn't freeze when processing large quantities of data.

Technically, Service Workers are an update to an older API called Web Workers. However, unlike web workers, a service worker, once registered and activated, can live and run in the page's background, without requiring the user to continue browsing through the site that loaded the service worker.

MarioNet (a clever spelling of "marionette") takes advantage of the powers provided by service workers in modern browsers.

The attack routine consists of registering a service worker when the user lands on an attacker-controlled website and then abusing the Service Worker SyncManager interface to keep the service worker alive after the user navigates away.

The attack is silent and doesn't require any type of user interaction because browsers don't alert users or ask for permission before registering a service worker. Everything happens under the browser's hood as the user waits for the website to load, and users have no clue that websites have registered service workers as there's no visible indicator in any web browser.

Attacks on the US Companies by Chinese and Iranian Hackers Renewed


As a result of Trump pulling the U.S out of the Iran nuclear deal last year and the trade disputes between the U.S and China, Iranian and Chinese hackers heavily attacked corporations and government agencies in the United States. Security experts are of the opinion that these hackers have been fuelled by the conflicts of the past.

Referencing from the briefing of seven people who gave a glimpse of the incidents, the recent attacks which targeted multiple US corporations, government agencies, American banks, and various businesses were more brutal than those which were carried out in past. These people were not permitted to publicly discuss the details. 

Analysts and security researchers at National Security Agency sourced the attacks to Iran. Meanwhile, FireEye, which is a privately owned security firm, instigated an emergency order when the government shutdown took place last month. They did so by the Department of Homeland Security.

Reportedly, these Iranian attacks occurred simultaneously with a renewed Chinese offensive configured to steal sensitive data related to military and trade from U.S tech companies and military contractors.

Commenting on the matter, Joel Brenner, a former leader of United States counterintelligence under the director of national intelligence said, “Cyber is one of the ways adversaries can attack us and retaliate in effective and nasty ways that are well below the threshold of an armed attack or laws of war,”






Ransomware, RDP Logins and Credit Card Details being sold on the Dark Web



Offered at various rates on the dark web markets, there are various hacking tools which can be employed to assist and propel cybercrime, these tools are traded illicitly in the form of Cybercrime as a service.

Empire Market, DreamPoint, Wall Street Market and Berlusconi Market are some of the dark web markets known to have been hosting the hacking tools.

Referring to the findings of Eset, an array of ransomware packages has been put up for sale along with hackers providing updates, technical assistance and permit to C&C servers.

RaaS (ransomware-as-as-service) is a service which lets hackers host their product on the dark web, which further allows individuals to avail the services with their own customization and requirement. 

Besides RaaS, there are RDP logins which are traded on the dark web markets to provide access to RDP servers across the world. Notably, it is priced between the US $8-15 per server on the basis of country and operating system.

The third variant is DDoS attacks, attackers have placed botnets out for sale in order to launch DDoS attacks or to send spam emails and the price for this one depends upon the time duration for which one avails the botnet service.

Though some hackers display the tools which they employed while carrying out malicious activities, the majority of them are hidden behind tools which shield them with anonymity as they continue building up a profitable cybercrime industry which is an amalgamation of marketing, advertising, updations, customer care, and user manual.