
WooCommerce Multi Currency Bug Allows Customers to Modify the Cost of Items on Online Stores

 

A security flaw in the WooCommerce Multi Currency plugin might allow any consumer to alter product prices in online stores. WooCommerce Multi Currency enables consumers to switch currencies and assists the shop in accepting multi-currency payments. It is possible to set the exchange rate manually or automatically. The plugin may automatically detect the customer's location and display the price in their local currency. 

WooCommerce is a WordPress-based eCommerce plugin; the Multi Currency plugin from Envato, on the other hand, allows WooCommerce users to customise prices for foreign customers. On the Envato Marketplace, it has a total of 7,700 sales. 

According to Ninja Technologies Network (NinTechNet), the problem is a broken access-control vulnerability in Multi Currency version 2.1.17 and lower. It affects the “Import Fixed Price” feature, which lets eCommerce sites set custom prices that override any prices calculated automatically from the exchange rate. 

“The import function, import_csv(), is loaded by the wmc_bulk_fixed_price AJAX hook in the “woocommerce-multi-currency/includes/import-export/import-csv.php” script,” according to a NinTechNet analysis on Monday. “The function lacks a capability check and a security nonce, and therefore is accessible to all authenticated users, which includes WooCommerce customers.” 

Cybercriminals could exploit the flaw by uploading a specially crafted CSV file to the site that contains a product's currency and product ID; according to the researchers, this lets them change the price of one or more items. A comma-separated values (CSV) file stores data in a tabular format. Most spreadsheet programmes, such as Microsoft Excel or Google Spreadsheets, can open CSV files. They differ from other spreadsheet file types in that they can only contain a single sheet and do not store cell, column, or row information; formulas cannot be saved in this format either. 

“The vulnerability is particularly damaging for online shops selling digital goods because the attacker will have time to download the goods,” they said. “It is important to verify every order because the hack doesn’t change the product’s price in the backend, hence the shop manager may unlikely notice it immediately.” 
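The researchers' advice above is to verify every order, because the tampering changes what the customer was charged but not the price stored on the product. The following is an added example (not the plugin's or the researchers' code) of that reconciliation step: it recomputes the price the shop would have charged, a configured fixed price for the currency if one exists or else base price times exchange rate, and flags order lines that differ. The catalogue, rates and orders are constructed samples.

```python
"""Reconcile WooCommerce order line items against catalogue prices.

Added example, not part of the original post and not the plugin's own code.
The catalogue, exchange rates and orders below are constructed samples shaped
like the fields a shop back end exposes. The check exists because the reported
tampering changes the order total but not the price stored on the product.
"""
from decimal import Decimal, ROUND_HALF_UP

# Constructed catalogue: base prices in the shop's default currency (USD)
# and, for one product, a fixed price the shop deliberately set for EUR.
CATALOGUE = {
    101: {"base_price": Decimal("40.00"), "fixed": {"EUR": Decimal("35.00")}},
    102: {"base_price": Decimal("120.00"), "fixed": {}},
}

# Constructed exchange rates from the default currency to each store currency.
RATES = {"USD": Decimal("1"), "EUR": Decimal("0.85"), "GBP": Decimal("0.73")}


def expected_unit_price(product_id, currency):
    """Price the shop itself would have charged: a fixed price if the shop
    configured one for this currency, otherwise base price x exchange rate."""
    item = CATALOGUE[product_id]
    fixed = item["fixed"].get(currency)
    if fixed is not None:
        return fixed
    raw = item["base_price"] * RATES[currency]
    return raw.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def audit_order(order, tolerance=Decimal("0.01")):
    """Return a list of discrepancies for one order. Each entry names the
    product, the unit price actually charged and the price expected."""
    findings = []
    for line in order["lines"]:
        charged = Decimal(line["unit_price"])
        expected = expected_unit_price(line["product_id"], order["currency"])
        if abs(charged - expected) > tolerance:
            findings.append({
                "order_id": order["id"],
                "product_id": line["product_id"],
                "charged": charged,
                "expected": expected,
            })
    return findings


def audit_orders(orders):
    """Audit many orders; returns only those with at least one discrepancy."""
    suspicious = {}
    for order in orders:
        findings = audit_order(order)
        if findings:
            suspicious[order["id"]] = findings
    return suspicious


# Constructed sample orders: the second one charges a EUR price far below
# the shop's configured fixed price for product 101.
SAMPLE_ORDERS = [
    {"id": 5001, "currency": "GBP",
     "lines": [{"product_id": 102, "unit_price": "87.60"}]},
    {"id": 5002, "currency": "EUR",
     "lines": [{"product_id": 101, "unit_price": "0.35"},
               {"product_id": 102, "unit_price": "102.00"}]},
]

if __name__ == "__main__":
    for order_id, findings in audit_orders(SAMPLE_ORDERS).items():
        for f in findings:
            print(f"order {order_id}: product {f['product_id']} charged "
                  f"{f['charged']} but expected {f['expected']}")
```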

Patching needs for WooCommerce users have been increasing recently. Envato's WooCommerce Dynamic Pricing and Discounts plugin was discovered to have two security vulnerabilities in late August, which may allow unauthenticated attackers to inject malicious code onto websites running unpatched versions. This can lead to a number of assaults, such as website redirection to phishing pages, the injection of malicious scripts on product pages, and so on.

Cybercriminals Tricked Britons into Downloading Flubot Malware

 

Hackers are mimicking delivery services and sending phishing text messages to Britons in an attempt to get them to download the Flubot malware. It's capable of intercepting messages and stealing financial information. Three, one of the UK's most popular mobile networks, has issued a warning about a phishing scam that has reportedly affected all network operators. “Many people in the UK have been targeted with a text message that looks like it’s from a delivery service, or it may say that you’ve received a voicemail,” the company warned in a blog post.

The message instructs you to install an app in order to monitor a package or listen to voicemail. Some messages claim to be from DHL, Amazon, Asda, and Argos. If a victim is tricked into participating in the malicious campaign, the scammer has access to their entire Android smartphone. This includes the possibility of stealing credit card data and online banking login passwords. 

To evade detection, the attacker disables the Android OS's built-in protection and prevents the installation of many third-party security software packages, which many users would employ to remove unwanted malware. 

First, the victim receives an SMS message impersonating a well-known shipping logistics company, such as FedEx, DHL, or Correos. The message's call to action is for the user to click a link to download and install an app with the same familiar branding as the SMS message, but which is actually harmful and contains the FluBot malware.

FluBot, once installed and given the necessary rights, unleashes a slew of features, including SMS spamming, credit card and banking credential theft, and spyware. The contact list is taken from the device and sent to the threat actor's servers, giving them access to more personal information and allowing them to launch new attacks on other potential victims. 

SMS and notifications from telecom carriers can be intercepted, browser sites can be visited, and overlays can be presented to capture credentials. To prevent detection by the operating system's built-in security, the malicious app also disables Google Play Protect. 

According to Three, this fraud attack has impacted all network operators. Despite the fact that the majority of messages were blocked, a tiny number of Three subscribers may have received them. As a result, the company advises staying aware and being cautious when clicking on any links sent by text message. 

“If your device has been infected with the Flubot malware, you may have been charged for text messages over your plan. If so, we’ll arrange a refund for you as soon as possible,” the company stated.

Detecting Cobalt Strike: Cybercrime Attacks

 

Recent research revealed that cybercriminals who deploy malware often use the Cobalt Strike tool to release multiple payloads after surveying a compromised network. Cobalt Strike is commercial penetration-testing software that lets an operator run an agent named 'Beacon' on a targeted system. 

Cobalt Strike deploys beacons on a compromised network; these can deliver further malware and use command-and-control (C2) profiles that make their traffic look genuine. Beacon gives attackers many capabilities, including keylogging, SOCKS proxying, file transfer, privilege escalation, port scanning, Mimikatz, and lateral movement. 
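One property defenders lean on when hunting for Beacon is that it checks in with its C2 server on a configured sleep interval (optionally with some jitter), so the gaps between a host's connections to one destination cluster tightly. The following is an added example, not code from the original post or from Secureworks, that scores flows in constructed proxy-log lines by how regular those gaps are; the thresholds are assumptions to tune per environment.

```python
"""Flag beacon-like outbound connections in proxy logs.

Added example, not code from the original post or from Secureworks. The log
lines are constructed samples in a simplified "timestamp src dst bytes" format.
A Cobalt Strike Beacon checks in at a configured sleep interval (optionally
with a jitter percentage), so the gaps between its connections from one host
to one destination cluster tightly; human browsing does not.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_log(lines):
    """Return {(src, dst): [timestamps]} from 'ts src dst bytes' lines."""
    flows = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, _bytes = line.split()
        flows[(src, dst)].append(datetime.strptime(ts, LOG_FORMAT))
    return flows


def beacon_score(timestamps):
    """Return (mean_gap_seconds, jitter_ratio) for a list of timestamps.
    jitter_ratio is the coefficient of variation of the gaps: near 0 means
    metronomic, while irregular user traffic typically scores well above 0.5."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg == 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(lines, min_connections=6, max_jitter=0.25):
    """Return a list of (src, dst, mean_gap, jitter) for flows that look like
    periodic check-ins. Thresholds are assumptions; tune them per environment."""
    hits = []
    for (src, dst), stamps in parse_log(lines).items():
        if len(stamps) < min_connections:
            continue
        score = beacon_score(stamps)
        if score is None:
            continue
        avg, jitter = score
        if jitter <= max_jitter:
            hits.append((src, dst, round(avg, 1), round(jitter, 3)))
    return hits


# Constructed sample: 10.0.0.5 checks in every ~60 s with small jitter (a
# beacon-like pattern), while 10.0.0.9 browses at irregular intervals.
SAMPLE_LOG = """
# ts src dst bytes
2021-09-20T09:00:00 10.0.0.5 203.0.113.10 512
2021-09-20T09:01:02 10.0.0.5 203.0.113.10 498
2021-09-20T09:01:58 10.0.0.5 203.0.113.10 520
2021-09-20T09:03:01 10.0.0.5 203.0.113.10 505
2021-09-20T09:03:59 10.0.0.5 203.0.113.10 511
2021-09-20T09:05:00 10.0.0.5 203.0.113.10 507
2021-09-20T09:06:03 10.0.0.5 203.0.113.10 502
2021-09-20T09:00:05 10.0.0.9 198.51.100.7 14000
2021-09-20T09:00:09 10.0.0.9 198.51.100.7 2200
2021-09-20T09:04:40 10.0.0.9 198.51.100.7 31000
2021-09-20T09:04:41 10.0.0.9 198.51.100.7 900
2021-09-20T09:17:12 10.0.0.9 198.51.100.7 4800
2021-09-20T09:17:30 10.0.0.9 198.51.100.7 6100
""".splitlines()

if __name__ == "__main__":
    for src, dst, avg, jitter in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: mean gap {avg}s, jitter {jitter}")
```

Short sleep intervals with high jitter, or beacons that sleep for hours, will need longer observation windows and looser thresholds than the ones shown.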

Cobalt Strike comes with a toolkit for developing shellcode loaders, named Artifact Kit. The Cobalt Strike tool kit is used by both parties including the security community as well as cybercriminals. 

The Secureworks Counter Threat Unit (CTU) research team investigated the use of Cobalt Strike to learn when and how threat actors have used the tool. This information helps organizations secure their systems against those threat actors. 

A thorough understanding of a threat actor's end goal is essential when trying to secure a system. For instance, the financially motivated GOLD LAGOON cybercriminal group uses the Qakbot botnet to drop Cobalt Strike onto victims' machines. CTU researchers found that GOLD LAGOON deploys Cobalt Strike on Qakbot-infected hosts that are often identified as members of an Active Directory domain. The group, active since 2007, also works with other cybercriminal groups that drop various ransomware families into compromised networks. 

Early detection of a compromised network helps defenders recover or fix victims' systems as soon as possible, as two similar incidents highlight. 

In the first incident, Secureworks incident responders helped the victim recover from a REvil ransomware attack. In the second, Secureworks Taegis™ XDR countermeasures detected and alerted on the malicious Qakbot and Cobalt Strike activity, which enabled network defenders to mitigate the intrusion before the ransomware was deployed. However, the availability of illegal copies of Cobalt Strike on the dark web gives threat actors opportunities to misuse it.

Node.js Pushes Out Immediate Fixes for the Severe HTTP Bug

 

Node.js has released patches for a high-severity vulnerability that attackers could use to corrupt the process and cause unexpected behaviour, including application crashes and possibly remote code execution (RCE). The CVE-2021-22930 use-after-free vulnerability affects the way HTTP/2 streams are handled in the runtime. 

Node.js is a back-end JavaScript runtime environment that runs on the V8 engine and executes JavaScript code outside of a browser. Node.js allows developers to utilise JavaScript to create command-line tools and server-side scripting, which involves running scripts on the server before sending the page to the user's browser. This week, Node.js released patches for CVE-2021-22930, a high-severity use-after-free vulnerability. 

A use-after-free vulnerability occurs when a programme tries to access a resource at a memory address that has already been freed and no longer holds the resource. In some situations this can result in data corruption, unexpected behaviour including programme crashes, or even remote code execution (RCE). The fixes were included in the most recent Node.js release, 16.6.0, as well as versions 12.22.4 (LTS) and 14.17.4 (LTS). The flaw was discovered and reported by Eran Levin. 

"We normally like to give advance notice and provide releases in which the only changes are security fixes, but since this vulnerability was already public we felt it was more important to get this fix out fast in releases that were already planned," announced Red Hat principal software engineer and NodeJS Technical Steering Committee (TSC) member Daniel Bevenius. 

The vulnerability was triggered when Node.js read incoming RST_STREAM frames with no error code or cancel code. In HTTP/2 applications, the RST_STREAM frame is issued by the host when it wants to close a connection. In a client-server architecture, for example, a client programme would send a RST_STREAM frame to the server to terminate the connection. When the server receives the frame, it stops replying to the client and terminates the connection. The server might then discard any "DATA" frames it was about to send to the client.

When a RST_STREAM frame was received by the server with a "cancel" code (nghttp2_cancel) in vulnerable Node.js versions, the receiver would try to "force purge" any data received. After that, an automatic call-back would perform the "close" function a second time, aiming to free up the memory that had already been freed in the previous phase. 

As a result of the double-free error, the application might crash or behave erratically. On June 8th, 2021, Matthew Douglass posted a public thread about this issue, which had previously been considered a "bug" rather than an exploitable vulnerability.
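To make the frame and the two-step teardown above concrete, here is an added example (not Node.js source, and not a reproduction of the bug): it encodes and decodes HTTP/2 RST_STREAM frames per RFC 7540 (9-byte header, 4-byte error code, CANCEL being 0x8; a RST_STREAM tears down one stream) and feeds them to a small stream table whose close() is idempotent, so a second close from a later callback cannot release state twice. Frame bytes and streams are constructed.

```python
"""Parse HTTP/2 RST_STREAM frames and close streams exactly once.

Added example, not Node.js source code. It decodes the 9-byte HTTP/2 frame
header (RFC 7540) and the 4-byte error code of a RST_STREAM frame (type 0x3),
then feeds the frames to a small stream table whose close() is idempotent.
The two-step teardown mirrors the sequence described in the post: a CANCEL
(0x8) reset first purges buffered data, then a callback closes the stream
again, which must not release state a second time. Frames are constructed.
"""
import struct

FRAME_TYPE_RST_STREAM = 0x3
ERR_CANCEL = 0x8
ERROR_NAMES = {0x0: "NO_ERROR", 0x1: "PROTOCOL_ERROR",
               0x2: "INTERNAL_ERROR", 0x8: "CANCEL"}


def build_rst_stream(stream_id, error_code):
    """Encode a RST_STREAM frame: 24-bit length (4), type, flags, 31-bit id, code."""
    length = 4
    header = (struct.pack(">I", length)[1:] + bytes([FRAME_TYPE_RST_STREAM, 0])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header + struct.pack(">I", error_code)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in a byte string."""
    offset = 0
    while offset + 9 <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        ftype, flags = data[offset + 3], data[offset + 4]
        stream_id = struct.unpack(">I", data[offset + 5:offset + 9])[0] & 0x7FFFFFFF
        payload = data[offset + 9:offset + 9 + length]
        if len(payload) < length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        offset += 9 + length


class Stream:
    """Per-stream state with buffered data and an idempotent close."""
    def __init__(self, stream_id):
        self.id = stream_id
        self.buffered = bytearray()
        self.closed = False
        self.code = None
        self.close_calls = 0      # how many times close() was requested
        self.frees = 0            # how many times state was actually released

    def purge(self):
        """Force-purge any data buffered for this stream."""
        self.buffered.clear()

    def close(self, code):
        self.close_calls += 1
        if self.closed:           # guard: a second close is a no-op
            return False
        self.closed = True
        self.code = code
        self.frees += 1           # the single, real release of state
        return True


class Session:
    def __init__(self):
        self.streams = {}

    def open(self, stream_id, pending=b""):
        s = Stream(stream_id)
        s.buffered.extend(pending)
        self.streams[stream_id] = s
        return s

    def handle(self, data):
        """Process frames; returns the list of (stream_id, error_name) resets seen."""
        seen = []
        for ftype, _flags, sid, payload in parse_frames(data):
            if ftype != FRAME_TYPE_RST_STREAM or sid not in self.streams:
                continue
            if len(payload) != 4:     # RFC 7540: anything else is a FRAME_SIZE_ERROR
                raise ValueError("RST_STREAM payload must be 4 bytes")
            code = struct.unpack(">I", payload)[0]
            stream = self.streams[sid]
            if code == ERR_CANCEL:
                stream.purge()        # step one: force-purge buffered data
            stream.close(code)        # step two: close from the frame handler
            stream.close(code)        # the later callback closes again; must be a no-op
            seen.append((sid, ERROR_NAMES.get(code, hex(code))))
        return seen
```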

Criminals Targeted Security Gaps at Financial Services Firms as Employees Moved to WFH

 

According to a report released on Tuesday by the international Financial Stability Board (FSB), criminals targeted security flaws at financial services organizations as their employees switched to working from home. The Financial Stability Board (FSB) was established after the G20 London meeting in April 2009 to offer non-binding recommendations on the global financial system and to coordinate financial policies for the G20 group of nations. 

“Working from home (WFH) arrangements propelled the adoption of new technologies and accelerated digitalization in financial services,” the report states. Phishing, spyware, and ransomware were used to target workers at home. Between February 2020 and April 2021, the number of crimes increased from less than 5000 per week to more than 200,000 per week. 

On July 8, 2021, the Cyber Security Agency of Singapore (CSA) released data suggesting that cybercrime accounted for 43% of all crime in the city-state in 2020. "Although the number of phishing incidents remained stable and website defacements declined slightly, malicious cyber activities remain a concern amid a rapidly evolving global cyber landscape and increased digitalization brought about by the COVID-19 pandemic," said the agency. 

Ransomware attacks increased by 154% from 35 in 2019 to 89 in 2020, ranging from "indiscriminate, opportunistic attacks" to "Big Game Hunting," according to the CSA. They also used leak and shame techniques, as well as RaaS (Ransomware-as-a-Service) models. Between 2019 and 2020, the number of hostile command-and-control servers increased by 94%, with Emotet and Cobalt Strike malware accounting for one-third of the total. 

As IT departments tried to secure remote workers, increased dependence on virtual private networks and unsecured WiFi access points “posed new types of hurdles in terms of patching and other cyber security issues,” according to the FSB assessment. External providers, according to the research, also built cracks for hackers to exploit. According to the report, "While outsourcing to third-party providers, such as cloud services, seems to have enhanced operational resilience at financial institutions, increased reliance on such services may give rise to new challenges and vulnerabilities." 

Working from home isn't going away any time soon. According to Gartner, nearly half of knowledge employees will be working remotely by 2022. Even Apple's retail team follows a hybrid work schedule. Institutions' cyber risk management systems, incident reporting, response and recovery efforts, and how they manage cloud and other third-party services should all be adjusted properly, according to the FSB.

TrickBot Makes a Comeback with a VNC Module

 

Cybersecurity researchers have revealed the ongoing revival of the TrickBot malware, showing that the Russia-based transnational cybercriminal group behind it is working behind the scenes to upgrade its attack infrastructure in reaction to recent countermeasures by law enforcement. 

The newly uncovered capabilities are used to monitor and collect intelligence on victims through a custom communication protocol that obscures the data exchanged between command-and-control servers and victims, making attacks hard to identify. TrickBot shows no sign of slowing down. 

Botnets are built by placing hundreds or thousands of hijacked devices on a network managed by criminal operators; they are typically used to perform denial-of-service attacks against companies and critical infrastructure. Malicious actors may also use their control over these devices to distribute malware and spam or to deploy file-encrypting ransomware on compromised computers. 

TrickBot is no different. The well-known cybercrime gang that operates it, known as Wizard Spider, uses infected machines to steal confidential information, pivot across a network, and even load other malware such as ransomware, constantly improving its infection chains by adding modules that offer new functionality and greater efficiency. 

"TrickBot has evolved to use a complex infrastructure that compromises third-party servers and uses them to host malware," Lumen's Black Lotus Labs disclosed last October. "It also infects consumer appliances such as DSL routers, and its criminal operators constantly rotate their IP addresses and infected hosts to make disruption of their crime as difficult as possible."

According to Bitdefender, the threat actor has been actively developing an updated version of the "vncDll" module, which it uses against selected targets for surveillance and intelligence gathering. The new version is named "tvncDll". 

The botnet has survived two takedown efforts by Microsoft and United States Cyber Command, and its operators are developing firmware-level intrusion components that let them plant backdoors in the Unified Extensible Firmware Interface (UEFI) in order to survive anti-virus detection, software updates, or even a complete wipe and reinstallation of the computer's operating system. 

The new module is designed to communicate with one of nine command-and-control (C2) servers listed in its configuration file, using that server to retrieve commands, download further malware payloads, and exfiltrate information from the infected machine. 

The researchers also report that they have uncovered a "viewer tool" that attackers use to connect to victims through the C2 servers.

Brazilian Cybercriminals Created Fake Accounts for Uber, Lyft and DoorDash

 

According to a recent report by the Federal Bureau of Investigation (FBI), a Brazilian organization is planning to defraud users of digital networks such as Uber, Lyft, and DoorDash, among others. According to authorities, this group may have used fake IDs to build driver or delivery accounts on these sites in order to sell them to people who were not qualified for the companies' policies. 

This scam may have also included the use of GPS counterfeiting technologies to trick drivers into taking longer trips and earning more money. Furthermore, the Department of Justice (DOJ) states that this organization would have begun operations in 2019 and would have expanded its operations after the pandemic paralyzed many restaurants and supermarkets. 

The gang, which worked mainly in Massachusetts but also in California, Florida, and Illinois, communicated through a WhatsApp group called "Mafia," where they allegedly agreed on similar pricing strategies to avoid undercutting each other's income, according to the FBI. 

The party leased driver accounts on a weekly basis, according to court records. A ride-hailing service driver account costs between $250 and $300 per week, while a food delivery web account costs $150 per week. The FBI claimed to have tracked more than 2,000 accounts created by gang members during their investigation. 

According to the agents in charge of the investigation, the suspects made hundreds of thousands of dollars from this scheme, depositing their earnings in bank accounts under their control and withdrawing small sums of money on a regular basis to avoid attracting the attention of the authorities. Thousands of dollars were also made by criminals due to referral incentives for new accounts. One of the gang members received USD 194,800 through DoorDash's user referral system for 487 accounts they had on the website, according to a screenshot posted on the group's WhatsApp page. 

The DOJ has charged 19 Brazilian people so far, as well as revealing that six members of the fraudulent party are still on the run. The Department of Justice reported the second round of charges against five Brazilian citizens last week. Four were apprehended and charged in a San Diego court, while a fifth is still on the run and assumed to be in Brazil.

OpenBullet Exploited for Credential Stuffing

 

Credential stuffing, a form of access-related cybercrime, is on the rise and shows no signs of slowing down. Between January 2018 and December 2019, there were 88 billion credential stuffing attacks, according to an Akamai survey.

Credential stuffing is a form of cyberattack in which compromised account credentials, usually lists of usernames and/or email addresses and the corresponding passwords (often from a data breach), are used to gain unauthorized access to user accounts through large-scale automated login requests directed at a web application. Unlike credential cracking, credential stuffing attacks do not try to brute-force or guess any passwords. Using standard web automation software like Selenium, cURL, or PhantomJS, or tools built specifically for these attacks like Sentry MBA, SNIPR, STORM, BlackBullet, and OpenBullet, the intruder simply automates the logins for a large number (thousands to millions) of previously discovered credential pairs. 

Since many users repeat the same username/password combination across different pages, credential stuffing attacks are likely. According to one poll, 81 percent of users have reused a password across two or more sites, and 25% of users use the same password across a number of their accounts. 

OpenBullet is a free web-testing tool that allows users to make particular requests on specific web pages. The open-source tool is available on GitHub and can be used for a variety of activities, including data scraping and sorting, automatic penetration testing, and Selenium unit testing. 

For legitimate reasons, such as penetration testing, the app allows users to try several "login:password" variations as credential brute-force attacks on various websites. Cybercriminals, on the other hand, will use it to find legitimate passwords on various websites for nefarious purposes.

A user can import prebuilt configuration files, or configs, into OpenBullet, one for each website to be checked. It also has a modular editor for modifying configurations as desired. This function is required because websites make frequent minor changes to the way users log in to them in order to defeat automated tools like OpenBullet. OpenBullet's GitHub page carries a note that the tool should not be used for credential stuffing on websites the user does not own. 

The Federal Trade Commission (FTC) released an advisory in 2017 advising businesses about how to combat credential stuffing, including requiring safe passwords and preventing attacks.
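The distinction drawn above, that a stuffing run tries each leaked pair about once across many accounts while a brute-force run hammers one account with many passwords, is also what separates the two in authentication logs. The following is an added example, not code from the original post, Akamai or OpenBullet, that labels each source IP in constructed log lines accordingly; the thresholds are assumptions to tune against real login volume.

```python
"""Separate credential-stuffing from brute-force patterns in auth logs.

Added example; not code from the original post, Akamai or OpenBullet. Log
lines are constructed samples in a simplified "ts ip user result" format.
The distinction follows the post: a stuffing run tries each leaked
username/password pair about once across many accounts, whereas a
brute-force run hammers one account with many passwords.
"""
from collections import defaultdict


def parse_auth_log(lines):
    """Return {ip: [(user, succeeded)]} from 'ts ip user result' lines."""
    by_ip = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, result = parts
        by_ip[ip].append((user, result == "SUCCESS"))
    return by_ip


def classify_source(attempts, min_attempts=10):
    """Label one IP's attempts as 'stuffing', 'brute_force', or 'normal'.
    Thresholds below are assumptions; tune them to the real login volume."""
    total = len(attempts)
    if total < min_attempts:
        return "normal"
    users = defaultdict(int)
    failures = 0
    for user, ok in attempts:
        users[user] += 1
        if not ok:
            failures += 1
    distinct = len(users)
    attempts_per_user = total / distinct
    failure_rate = failures / total
    # Stuffing: many distinct accounts, each tried about once, mostly failing
    # because most leaked pairs are stale; a few succeed because of reuse.
    if distinct >= 8 and attempts_per_user < 1.5 and failure_rate >= 0.6:
        return "stuffing"
    # Brute force: a handful of accounts, each tried many times.
    if distinct <= 3 and attempts_per_user >= 5 and failure_rate >= 0.8:
        return "brute_force"
    return "normal"


def triage(lines):
    """Return {ip: label} for every source IP that is not 'normal'."""
    verdicts = {}
    for ip, attempts in parse_auth_log(lines).items():
        label = classify_source(attempts)
        if label != "normal":
            verdicts[ip] = label
    return verdicts


def _constructed_log():
    """Build the constructed sample: one stuffing IP, one brute-force IP, one user."""
    lines = []
    # 198.51.100.4 walks a leaked list: 12 accounts, one try each, 2 succeed.
    for i in range(12):
        ok = "SUCCESS" if i in (3, 9) else "FAIL"
        lines.append(f"2021-03-01T10:00:{i:02d} 198.51.100.4 user{i}@example.test {ok}")
    # 203.0.113.8 hammers a single account with many passwords.
    for i in range(15):
        lines.append(f"2021-03-01T10:05:{i:02d} 203.0.113.8 alice@example.test FAIL")
    # 192.0.2.77 is a real person who mistyped once.
    lines.append("2021-03-01T10:10:00 192.0.2.77 bob@example.test FAIL")
    lines.append("2021-03-01T10:10:09 192.0.2.77 bob@example.test SUCCESS")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, label in triage(SAMPLE_LOG).items():
        print(f"{ip}: {label}")
```

Stuffing tools spread attempts over proxies, so in practice the same per-source test is also worth running per target account and per user-agent string.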

Fake Microsoft DirectX 12 Distributes Malware

 

Cybercriminals have built a bogus Microsoft DirectX 12 download page in order to spread ransomware that steals cryptocurrency wallets and passwords. Despite the fact that the website has a contact form, a privacy policy, a disclaimer, and a DMCA infringement page, the website and the services it distributes are not valid.

Users will be routed to an external website when they press the Download buttons, which will prompt them to download a file. You'll be sent a file called '6080b4 DirectX-12-Down.zip' [VirusTotal] or '6083040a Disclaimer.zip' [VirusTotal] depending on whether you want the 32-bit or 64-bit edition. All of these files contribute to malware that attempts to steal files, passwords, and cryptocurrency wallets from their victims.

When the bogus DirectX 12 installers are launched, they silently download and execute malware from a remote site, as discovered by security researcher Oliver Hough. This malware is a data-stealing Trojan that tries to grab a victim's cookies, directories, device records, installed programs, and even a snapshot of the current desktop. The malware authors are attempting to steal a number of cryptocurrency wallets for Windows applications, including Ledger Live, Waves.Exchange, Coinomi, Electrum, Electron Cash, BTCP Electrum, Jaxx, Exodus, MultiBit HD, Atomic, and Monero. 

All of the information is gathered in a %Temp% folder, which the malware zips up and sends back to the attacker. The data is then analysed and used for other nefarious purposes by the attacker. To spread malware, threat actors are rapidly building fake websites, some of which are far more persuasive than others.

Ficker ransomware is already spreading across websites impersonating Microsoft Store and Spotify, according to ESET. Details and user accounts stored in web browsers, email applications, and FTP clients are stolen by the malware. It can even rob from your bitcoin wallet, exfiltrate documents, and take screenshots of your running applications. 

As part of a larger ransomware campaign targeting cybersecurity experts, the Lazarus Group has set up a bogus protection firm and social media accounts. For a fictitious Turkish business called SecuriElite, the attackers built a website, as well as a Twitter and LinkedIn account. When the Google security team was focusing on tracking down the state-backed hackers, the firm was allegedly providing offensive security services.

Critical RCE can Compromise Juniper Networks Devices

 

A critical vulnerability recently fixed by networking and cybersecurity solutions supplier Juniper Networks could allow an attacker to remotely hijack or disrupt affected devices. The security hole, tracked as CVE-2021-0254 and affecting the Junos operating system, was found by Nguyễn Hoàng Thạch, also known as d4rkn3ss, a researcher with Singapore-based cybersecurity company STAR Labs. 

The researcher disclosed to SecurityWeek that the vulnerability, which he says is the most serious bug he has ever distinguished in a Juniper product, was reported to the vendor more than half a year ago.

“A buffer size validation vulnerability in the overlayd service of Juniper Networks Junos OS may allow an unauthenticated remote attacker to send specially crafted packets to the device, triggering a partial Denial of Service (DoS) condition, or leading to remote code execution (RCE). Continued receipt and processing of these packets will sustain the partial DoS.” reads the security advisory published by the company. “The overlayd daemon handles Overlay OAM packets, such as ping and traceroute, sent to the overlay. The service runs as root by default and listens for UDP connections on port 4789. This issue results from improper buffer size validation, which can lead to a buffer overflow. Unauthenticated attackers can send specially crafted packets to trigger this vulnerability, resulting in possible remote code execution.” 

According to Nguyễn, an attacker who successfully exploits this vulnerability can gain root access to the targeted system and then install a backdoor or configure the device “in any way they want.” The flaw can be exploited on its own; an attacker would not have to chain it with other vulnerabilities. 

Attacks from the internet are possible in theory, but the vulnerable devices are normally not exposed to the web. The researcher believes that if such a system can be reached from the internet, it is likely misconfigured. 

The company noted that the overlayd daemon runs by default on MX and ACX series routers and QFX series switches. Other platforms are vulnerable if a Virtual Extensible LAN (VXLAN) overlay network is configured. Juniper said it was not aware of any malicious attacks exploiting this vulnerability, but noted that an attack can be launched against default configurations.

Hackers Send Fake Census Form Alerts to UK Respondents

 


The United Kingdom, like every other country, runs a census every ten years. The census asks residents a number of questions regarding the address of individuals, their age, name, nationality, employment, health, education, and language. (The census here is mandatory and participants are obliged to provide answers)
 
The census is held in years ending in 1, except in Scotland, where it has been postponed until 2022 due to the Covid-19 pandemic. Because of the pandemic, most respondents are completing the census online: the government sends each resident a unique 16-digit access code by post. The participant goes to the official government census website and enters the 16-digit code, which saves the tedious work of filling in the form by hand and posting it back. If the participant fails to complete the census form before 21-03-2021, the government sends a series of reminder notifications, each with a unique 16-digit code, requesting that the form be completed and warning of a €1000 fine if it is not.
 
Naked Security reports, "the criminals did make some grammatical mistakes in their forms that a native speaker of English might notice, and these would be another giveaway, along with the fake domain name, but the crooks have cloned the UK Office for National Statistics “look and feel” very believably."
 
Stay alert for forged forms

If you haven't completed the form yet but plan to soon, be wary of fake "census reminders" sent by the hackers. And if you've already completed your form, be on alert if you are told that some of the details need to be modified. The hackers are trying to take advantage of the online census by luring participants into phishing attacks and stealing their data.

The fake form may ask for your postcode instead of your unique 16-digit code (the hackers could have sent a fake 16-digit code as well, but chose not to); after that, the hackers ask questions similar to those you would answer on the genuine form. In the fake form's case, however, you end up handing your personal details to the hackers instead of sending them to the Office for National Statistics.

 
How to stay safe?

1. Check the domain name before filling in the form on the official website.

2. Don't open links that you receive via SMS or e-mail.

3. Stay alert for text messages you receive; read the message carefully before filling in the form.
 

Attackers Targeted Robinhood with a Phishing Campaign

 

Attackers have targeted clients of stock-trading broker Robinhood with a phishing campaign planned to steal their credentials and spread malware utilizing counterfeit tax documents, the organization has cautioned.

Robinhood Markets, Inc. is an American financial services organization settled in Menlo Park, California, known for offering commission-free trades of stocks and exchange-traded funds through a mobile application presented in March 2015. Robinhood is a FINRA-managed broker-dealer, enlisted with the U.S. Securities and Exchange Commission, and is a member of the Securities Investor Protection Corporation. The organization's revenue comes from three fundamental sources: interest earned on customers' cash balances, selling order information to high-frequency traders (a practice for which the SEC opened an investigation into the company in September 2020), and margin lending. As of 2020, Robinhood had 13 million clients. 

Robinhood, which has faced various regulatory and legal challenges along the way, sent an email to clients on Thursday warning of a phishing scam “that may have reached some of our customers.” 

Attackers targeted clients in two ways, according to the email. One attack vector used phishing emails with links to counterfeit Robinhood sites prompting visitors to enter their login credentials, including the authentication codes the company uses to help secure individuals' accounts. Other emails exploited tax season, asking potential victims to download counterfeit tax documents, such as Form 1099, that contained malware. 

“There tends to be an increase in these types of emails around tax season, so we ask that you be extra careful about how you access your Robinhood account,” the email said. Robinhood recommended that customers review the security settings of the app on their devices, manually remove any devices they don't recognise from accessing their account, and reset their passwords if they believe they may be at risk. The company also urged clients to contact its support team directly from the Robinhood app or website. 

One of the main grievances among Robinhood clients was that they couldn't reach the company for support, causing regulators like the Securities and Exchange Commission (SEC) to become de facto customer support for the platform’s clients.

What are Smishing Attacks? How to Prevent Them?

 

Smishing is a cyber assault that utilizes SMS text messages to delude its victims into giving sensitive data to a cybercriminal. Sensitive data incorporates your account name and password, name, banking account, or credit card numbers. The cybercriminal may likewise implant a short URL link into the text message, inviting the client to tap on the link which in most cases is a redirect to a pernicious site. Smishing is identified with two other 'smishing' cyber assaults, phishing and vishing. 

Cybercriminals today are primarily motivated by financial gain. They write code designed to harvest your sensitive data for profit. Once they obtain this information, they may sell your compromised credit card or credentials on the dark web. They may also use the sensitive information to open an account in your name or hold your data for ransom in exchange for a large payout. 

Back in May 2018, Fifth Third Bank customers were the targets of a smishing attack. The attackers claimed to represent Fifth Third Bank and devised a scheme to warn customers that their accounts had been locked. In the body of the text message, they gave customers a link to unlock their accounts. The link took the unsuspecting customer to a phony webpage that looked like Fifth Third's genuine site. The phishing site prompted visitors to enter their user name and password, one-time code, and PIN to unlock their account. The cybercriminals then used the stolen account data to withdraw almost $68,000 from 17 ATMs across three states. 

Some of the ways to prevent smishing attacks are: 

• Do not respond to text messages that request private or financial information from you. 

• If you receive a message that appears to be from your bank, financial institution, or another organization you do business with, contact that organization directly to determine whether it sent you a genuine request. Review the organization's policy on sending text messages to customers. 

• If a text message urges you to act or respond quickly, pause and consider the bigger picture. Remember that criminals use urgency as a tactic to get you to do what they want. 

• Never reply to a suspicious text message without doing your research and verifying the source.

“Netbounce” Threat Actor Tries to Evade Detection


On the 12th of February, FortiGuard Labs received an email request from an individual representing a company called Packity Networks, asking to whitelist their software. The sender claimed it was a false positive that was having a critical impact on their business. At that time, the file at the link was flagged as malicious only by Fortinet and the Dr.Web sandbox. 

Although the request initially appeared innocent, and virtually no other security vendor had flagged the file, FortiGuard said it always investigates such requests thoroughly before complying. The investigation led to the discovery of a new group called "Netbounce" and uncovered their malware delivery infrastructure. What made this group stand out was its unique set of tools and techniques. FortiGuard was able to identify several variants developed in-house by this group, each serving a different purpose. 

The background checks FortiGuard conducted on Secured Network Stack and Packity Networks Inc. yielded no results; there were no registered companies or official references to these entities, nor could they find any employee profiles online. However, based on a Twitter account, Packity appears to have had some online presence beyond its site for at least two years, and reviews of the software were found.

Although the executables were signed with the same certificate, FortiGuard noticed that the certificate was issued to an unrelated email address, session123@me.com. The certificate was issued on September 2nd, 2020, so they looked for older certificates used by Packity and found an older installer. Examining the older signature confirmed that the contact information is indeed unrelated to the company. Although it might seem odd that a different email was used, the new certificate was issued precisely when the previous certificate expired, on September 3rd, 2020, which may indicate that it is not malicious. 

The signature made with the new certificate does not have a timestamp countersignature. This is highly unusual for signed code, and the "official" setup file from the site does carry a timestamp. As a result, FortiGuard's suspicions remained unresolved.

SITA Data Breach Exposes Numerous Airlines



After SITA issued an official statement last Thursday confirming it had been the subject of a sophisticated cyberattack, more airlines confirmed they had been directly affected. It appears the SITA security breach affected all carrier members of the Star Alliance and Oneworld alliances. In a statement, SITA representative Edna Ayme-Yahil declined to say how many airlines were affected by the breach. The company also did not give many details on the type of data compromised, though it noted that the data includes some personal data of airline customers, including frequent flyer account data. 

"Each affected airline has been provided with the details of the exact type of data that has been compromised, including details of the number of data records within each of the relevant data categories," Ayme-Yahil said. So far, Singapore Airlines, Air New Zealand, Lufthansa, Malaysia Airlines, Finnair, Japan Airlines, Cathay Pacific, and South Korea's Jeju Air have independently disclosed the impact of the breach, she noted. 

Star Alliance member Singapore Airlines, for instance, said that 580,000 members of its KrisFlyer and PPS loyalty programs have had information exposed by the breach, even though the carrier is not a SITA Passenger Service System customer. Singapore Airlines said the breach does not include credit card information or data such as itineraries, passport numbers, and email addresses. Star Alliance member Lufthansa said 1.35 million Miles & More members have been affected by the breach. Member names and status levels were exposed; however, no passwords or email addresses were exposed. 

Tomi Pienimaki, chief digital officer of Oneworld member Finnair, said around 10% of the carrier's loyalty customers have been affected. "To be honest, I was not surprised in itself that the air industry was subjected to such an attack, because the industry is in a difficult situation and therefore vulnerable," he wrote in a LinkedIn post. "Once we have been informed, all we have to do is clarify the matter and ensure the integrity of our own systems day and night." 

"SITA acted swiftly and initiated targeted containment measures," the company said. "The matter remains under continued investigation by SITA's Security Incident Response Team with the support of leading external experts in cybersecurity."

Cybercriminals Finding Ways to Bypass 3D Secure



Security researchers at threat intelligence firm Gemini Advisory say they have observed dark web activity related to bypassing 3D Secure (3DS), a protocol intended to improve the security of online credit and debit card transactions. Designed as an additional protection layer for these transactions, 3DS has seen several releases; the most recent, version 2.0, is also designed to accommodate mobile phones, allowing authentication with a fingerprint or facial recognition. 

In addition to the various social engineering techniques attackers can use to get around 3DS, phishing and scam pages allow them to trick victims into revealing their card details and payment verification information. Gemini's researchers say that weaknesses in earlier versions of 3DS may have been abused to bypass its protections. One such issue was the use of a static password for the transaction, which was sometimes a personal identification number (PIN) that cybercriminals had already obtained by other means. 

Using various social engineering methods, such as impersonating bank representatives, cybercriminals can collect a great deal of data from victims, including name, ID number, telephone number, physical and email address, mother's maiden name, driver's license number, and so on. Armed with some personally identifiable information (PII), the attacker can then trick the victim into sharing additional details. 

One technique discussed by some cybercriminals for bypassing 3DS involves calling the victim from a telephone number that spoofs the number on the back of the payment card and tricking them into confirming a transaction the fraudster is making at that moment, by claiming the confirmation is needed for identity verification. Phishing sites that mimic real online shops can likewise allow attackers to collect victims' card data and trick them into approving a payment through 3DS. In some cases, attackers may use malware targeting victims' mobile phones to retrieve 3DS verification codes.

“The older versions of 3DS, such as version 1.0 (which is still widely used around the world), are susceptible to hackers who find ways to bypass their security features. Gemini Advisory assesses with moderate confidence that cybercriminals will likely continue to rely on social engineering and phishing to bypass 3DS security measures,” Gemini concludes.

Hacker Attacked a Water Plant in Florida


A hacker penetrated the computer network of the water treatment plant in Oldsmar, Florida, remotely ordering a 100-fold increase in a chemical that is extremely dangerous in concentrated amounts. In an attack with the potential to harm public health, the hacker on February 5 accessed a city computer and changed the level of sodium hydroxide, which is used to remove metals and control acidity, from 100 parts per million to 11,100 parts per million, according to Bob Gualtieri, sheriff of Pinellas County. 

This is a “significant and potentially dangerous increase,” Gualtieri said at a Monday press conference. The attacker briefly entered the computer system at 8 a.m. on Feb. 5, then left and returned at about 1:30 p.m. for roughly three to five minutes, Gualtieri said. During that window, the water plant operator could see the attacker on screen, “with the mouse being moved about to open various software functions that control the water being treated in the system,” Gualtieri said. 

After the hacker left the computer system, the operator whose computer had been remotely taken over promptly reduced the level of the chemical, also known as lye. This action prevented any harm to the public and the drinking water, Gualtieri said. He said there were additional safeguards within the water system that would have prevented contaminated water from reaching the public. It is not yet known whether the breach originated from within the U.S. or from outside the country, Gualtieri said. Oldsmar, with a population of almost 15,000, is located around 15 miles northwest of Tampa.
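The setpoint change described above (100 ppm to 11,100 ppm, written during a short remote session and reverted by the operator) is the kind of event a monitoring rule on HMI write logs can catch. The following is an added example, not code from the plant or any vendor: it assumes a constructed CSV-style log of setpoint writes and hypothetical engineering limits for a `NaOH_SETPOINT_PPM` tag, and flags writes that leave those limits, jump by more than a set ratio, or arrive through a remote-access session.

```python
"""Setpoint-change guard for a chemical dosing tag.
Added example: the log format, tag name and limits are assumed,
not taken from the Oldsmar plant or any vendor product."""
from dataclasses import dataclass
from datetime import datetime

# Assumed engineering limits per tag (low, high) in the tag's units.
# A real plant would take these from its process hazard analysis.
LIMITS = {"NaOH_SETPOINT_PPM": (50.0, 200.0)}
# Any single write that multiplies or divides the value by more than this is suspicious.
MAX_RATIO = 2.0


@dataclass
class SetpointWrite:
    ts: datetime
    tag: str
    old: float
    new: float
    source: str  # where the write came from (local HMI, remote session, ...)


@dataclass
class Finding:
    write: SetpointWrite
    reasons: list


def parse_line(line: str) -> SetpointWrite:
    """Parse one record of the assumed format: timestamp,tag,old,new,source."""
    ts, tag, old, new, source = line.strip().split(",")
    return SetpointWrite(datetime.fromisoformat(ts), tag, float(old), float(new), source)


def check_write(w: SetpointWrite) -> list:
    """Return the list of reasons this write is suspicious (empty if none)."""
    reasons = []
    lo, hi = LIMITS.get(w.tag, (None, None))
    if lo is not None and not lo <= w.new <= hi:
        reasons.append(f"outside engineering limits {lo}-{hi}")
    if w.old > 0 and w.new > 0:  # skip ratio check when a value is zero
        ratio = max(w.new / w.old, w.old / w.new)
        if ratio > MAX_RATIO:
            reasons.append(f"{ratio:.0f}x step change")
    if "REMOTE" in w.source.upper():
        reasons.append("write via remote-access session")
    return reasons


def scan(lines) -> list:
    """Run every write through check_write and keep only the flagged ones."""
    return [Finding(w, r) for w in map(parse_line, lines) if (r := check_write(w))]


# Constructed sample log: a routine local tweak, the hostile remote write,
# and the operator's manual revert a couple of minutes later.
SAMPLE_LOG = [
    "2021-02-05T08:01:05,NaOH_SETPOINT_PPM,100,110,HMI-LOCAL",
    "2021-02-05T13:31:40,NaOH_SETPOINT_PPM,100,11100,REMOTE-DESKTOP",
    "2021-02-05T13:34:10,NaOH_SETPOINT_PPM,11100,100,HMI-LOCAL",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.write.ts, f.write.tag, f.write.old, "->", f.write.new, "|", "; ".join(f.reasons))
```

The revert is flagged too (a 111x step), which is deliberate: an alert on the way back down still gives an operator or SOC a second chance to notice the original write.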

“Many of the victims appear to have been selected arbitrarily, such as small critical infrastructure asset owners and operators who serve a limited population set,” said Daniel Kapellmann Zafra, manager of analysis at Mandiant Threat Intelligence. Through “remote interaction with these systems,” the hackers have engaged in “limited-impact operations.” None of those cases resulted in any damage to people or infrastructure, Zafra said. “We believe that the increasing interest of low sophisticated actors in industrial control systems is the result of the increased availability of tools and resources that allow malicious actors to learn about interactions with these systems,” he added.

CHwapi Hospital Suffers a Ransomware Attack


On Sunday night, the CHwapi hospital in Belgium suffered a cyberattack that forced the facility to divert emergency patients to other hospitals and postpone surgeries. 

According to the attackers, they used Windows BitLocker to encrypt 40 servers and 100TB of data. After encrypting the devices, the attackers say they left ransom notes named ransom.txt on the domain controllers and backup servers. 

"We attack chwapi hospital in Belgium 2 days ago. and set up a ransom note on servers. but the IT management team not give this information to hospital management. hospital management makes a press release and said there is no ransom note, but this is a lie. something is going on," the attackers wrote in an email. Rather than using conventional ransomware, this group uses off-the-shelf software, such as Windows BitLocker and DiskCryptor, to encrypt files and lock access to disk partitions with a password. The attackers said they do not encrypt every device on the network and only target servers holding large amounts of data, such as file servers and backup servers.

As reported by local media group L'Avenir, 80 of the hospital's 300 servers were affected by the attack, forcing staff and nurses to abandon computerized records and turn to pen and paper for patient assessments. Patient data was not compromised, according to CHwapi. 

To communicate with victims, this group leaves ransom notes containing a Bitmessage ID that can be used to negotiate a ransom. The group states that it is not part of a Ransomware-as-a-Service (RaaS) operation and does not steal or leak data. Some ransomware groups have stated that they will avoid encrypting hospitals and will provide a free decryptor if one is encrypted. 

As a precautionary measure, the hospital has completely cut off communications with the outside world. “We do not communicate with the outside and we do not receive anything either before having made an even more precise diagnosis of what is happening internally,” Didier Delval, general director of CHwapi, said in a statement. Authorities said any patients affected by service interruptions would be notified by phone where possible. 

While the hospital's services are gradually recovering and surgical operations have resumed, CHwapi continues to cancel some services and divert urgent cases to other hospitals.

Maze Ransomware: Exfiltration and Extortion


New research by New Zealand company Emsisoft has found that a cyber-extortion tactic first introduced by the Maze ransomware gang has been adopted by over a dozen other criminal cyber gangs. First observed in May 2019, Maze was initially part of steady but unremarkable extortion campaigns. Lately, however, a sizable uptick has been seen in Maze campaigns, including numerous prominent, high-profile attacks. The attackers behind Maze have previously claimed credit for attacks on Allied Financial as well as the City of Pensacola, Florida. 

The globally renowned security software company Emsisoft declared a ransomware crisis in the last month of 2019. Its most recent ransomware report shows that this particular type of malware had a huge impact on the United States in 2020. Emsisoft threat analyst Brett Callow described the numbers in "The State of Ransomware in the US: Report and Statistics 2020" as "pretty grim." 

At least 2,354 US government entities, healthcare facilities, and schools were affected by ransomware last year, including 113 federal, state, and municipal governments and agencies, 560 healthcare facilities, and 1,681 schools, universities, and colleges. Researchers noted that the attacks caused huge, and in some cases dangerous, disruption: ambulances carrying emergency patients had to be redirected, cancer treatments were deferred, lab test results were inaccessible, clinic workers were furloughed, and 911 services were interrupted. 

In 2020, Maze became the first ransomware group observed exfiltrating data from its victims and using the threat of publication as extra leverage to coerce payment. According to a November report by Coveware, some ransomware gangs that exfiltrate data do not delete it, even after accepting a ransom from their victims. Coveware observed REvil (Sodinokibi) demanding a second ransom payment for stolen data it had already been paid to delete.

Maze ransomware does not simply demand payment for a decryptor; it also exfiltrates victim data and threatens to leak it publicly if the target does not pay up. This “double whammy” piles on yet more pressure to persuade the victim to cave in to the cybercriminals' demands. The onus is now on organizations to ensure they have a trusted security solution proven to stop ransomware from executing in the first place, since restoring data from a backup will not save them from the leak threat.

Rogue: An Android Malware That Gives Hackers Full Control Over a Phone


A new type of Android malware that gives hackers nearly full access to a user's Android phone is making the rounds on underground forums. Known as the 'Rogue' Remote Administration Tool (RAT), the malware infects victims with a keylogger, allowing attackers to easily monitor the use of websites and applications to steal usernames and passwords, as well as more sensitive data such as a user's financial information. The malware is reportedly available on underground forums for as little as $29.99 (roughly Rs 2,200).

This low-cost malware enables a full-scale takeover of a victim's phone: monitoring the target's GPS location, taking screenshots, using the camera to take pictures, secretly recording audio from calls, and more. The malware does all this while remaining hidden from the phone's owner. All an attacker needs is their own phone to issue commands to an infected device. This malware has been described by cybersecurity researchers at Check Point Research as a combination of two previous families of Android RATs, Cosmos and Hawkshaw, and illustrates the evolution of malware development on the dark web. 

Rogue is the work of Triangulum and HeXaGoN Dev, known Android malware authors who have been selling their malicious products on underground markets for several years. For the development of Rogue, the malware author evidently joined forces with HeXaGoN Dev, which specializes in building Android RATs. Previously, Triangulum had bought projects from HeXaGoN Dev. "The mix of HeXaGon Dev's programming skills and Triangulum's social marketing abilities clearly posed a legitimate threat," Check Point's security researchers note.

While there is no single way in which hackers install Rogue, it is usually pushed onto a victim's phone through phishing, malicious applications, or similar techniques. Once downloaded onto a phone, Rogue requests the permissions it needs for the hacker to access the device remotely. When the permissions are granted, Rogue registers itself as the device administrator and hides its icon from the home screen. 

The best way to avoid falling victim to this is to not click on suspicious links or download applications from sources other than Google Play and the Apple App Store. It is also important to ensure all security updates are installed on the device.