Search This Blog

Number of fake delivery services increased in Russia


Alexander Vurasko, a leading Infosecurity analyst at Softline Company, said that during the pandemic, scammers learned how to qualitatively fake food and electronics delivery sites.  Over the past four months, 56 clones have appeared at Delivery Club, and at least 30 at Yandex.Food. Companies try to quickly block such resources, but they do not always succeed.

The expert noted that the peak of the appearance of such Internet resources was recorded in April.

In addition to food sites, experts found fake Samsung online stores and Citilink online electronics hypermarket.

These sites almost completely copy the original ones: they have a catalog with hundreds of items, users can choose a restaurant, order dishes, enter the delivery address and pay for the order with a Bankcard.

Alexei Drozd, head of the information security department at SerchInform, noted that in April, the use of the delivery theme in the domain name increased: if in February there were 53 domain registrations with the word delivery, then in April — 288. According to him, this means that a high-quality Grabber has appeared on the Darknet,  a program that can reliably copy the look and content of the site.

Fraudsters actively used such software, but it is more difficult to copy marketplaces with a complex structure than a regular website, and if they already succeed, then we should expect new large phishing waves, warns Mr. Drozd. According to him, phishing sites live up to the first complaints from users or copyright holders, so it is important that companies themselves fight phishing.

Moreover, on the fake Delivery Club, after entering the card data, users need to enter the code from the SMS, so it can not be excluded that at this moment "someone links their number to your mobile Bank", noted the Telegram channel In4security, which discovered such a resource.

Kaspersky Lab also noticed sites that mimic well-known food delivery services. Hackers always use popular brands, says Tatiana Sidorina, a senior content analyst at the company.

Here's All you Need to Know About Instagram Reels; Launched Globally in Over 50 Countries


As TikTok fell prey to extensive criticism and was labeled as a 'threat to security' by governments, resulting in the banning of the popular video-sharing platform, the creators have long ago started weighing what's next!

In the wake of TikTok's future succumbing to uncertainties, Instagram has rolled out a new feature 'Reels', that appear to be in direct competition with what TikTok had to offer.

Starting today, Instagram is launching "Reels" feature for its users in more than 50 countries, it is seen as a remarkable and well-timed attempt by Instagram to capitalize upon the global turmoil in the creative sphere of social media. It's also a potential opportunity for Instagram to expand its identity from a photo app to a video entertainment platform.

With the expansion, now the feature will be available in major international markets including India, the U.S., the U.K., France, Brazil, Germany, Australia, Mexico, Spain, Argentina, Japan, and many others.

In a similar manner like TikTok, Instagram Reels will allow people to create mini-clips with music that they can share with their followers, these short-form videos will be discoverable while users browse the "Explore" tab on Instagram.

Reels let users record 15 seconds long video clips and add filters, effects, and popular music onto them, the feature is entirely embedded inside Instagram's original app and is not to be mistaken for being an add-on or a separate app. It is not a different world altogether like TikTok or Vine, but just 'yet another thing' one can do on Instagram.

While announcing the release of "Reels", the company said in a blog, "It's a new way to create and discover short, entertaining videos on Instagram."

"Reels invites you to create fun videos to share with your friends or anyone on Instagram. Record and edit 15-second multi-clip videos with audio, effects, and new creative tools. You can share reels with your followers on Feed, and, if you have a public account, make them available to the wider Instagram community through a new space in Explore. Reels in Explore offers anyone the chance to become a creator on Instagram and reach new audiences on a global stage."

How to Create Reels?


"Select Reels at the bottom of the Instagram camera. You'll see a variety of creative editing tools on the left side of your screen to help create your reel, including:"

"Audio: Search for a song from the Instagram music library. You can also use your own original audio by simply recording a reel with it. When you share a reel with original audio, your audio will be attributed to you, and if you have a public account, people can create reels with your audio by selecting “Use Audio” from your reel.

AR Effects: Select one of the many effects in our effect gallery, created both by Instagram and creators all over the world, to record multiple clips with different effects.

Timer and Countdown: Set the timer to record any of your clips hands-free. Once you press record, you’ll see a 3-2-1 countdown, before recording begins for the amount of time you selected.

Align: Line up objects from your previous clip before recording your next to help create seamless transitions for moments like outfit changes or adding new friends into your reel.

Speed: Choose to speed up or slow down part of the video or audio you selected. This can help you stay on a beat or make slow-motion videos." Instagram explained in the blog.

The scale of data leaks of patients with coronavirus in Russia has become known


More than a third of all cases of leaks of personal data of patients with coronavirus, as well as suspected cases, occurred in Russia.

According to InfoWatch, in just the first half of 2020, there were 72 cases of personal data leakage related to coronavirus infection, of which 25 were in the Russian Federation. Leaks in Russia were caused by employees of hospitals, airports, and other organizations with access to information resources. In general, for this reason, 75% of leaks occurred in the world, another 25% were due to hacker attacks.

The company clarified that in 64% of cases worldwide, personal data associated with coronavirus was compromised in the form of lists. Patient lists were photographed and distributed via messengers or social media groups. Some leaks were due to the accidental sending of data by managers to the wrong email addresses.

According to InfoWatch, 96% of cases on the territory of the Russian Federation are leaks of lists, and 4% are leaks of databases.  In all cases, data leaks occurred due to willful violations. InfoWatch stressed that the disclosure of such data often led to a negative attitude towards coronavirus patients from the society.

The Russian Federal Headquarters for coronavirus declined to comment.  Moreover, the press service of the Moscow Department of Information Technology reported that since the beginning of 2020, there have been no leaks of personal data from the information systems of the Moscow government.

In Russia, there are no adequate penalties for organizations in which personal data leaks occurred, said Igor Bederov, CEO of Internet search. In addition, there is still no understanding of the need to protect personal data in electronic systems. There are not enough qualified specialists in this industry. As a result, network cloud storage used by companies, including for processing personal data, is poorly protected.

WastedLocker ransomware uses a sophisticated trick by abusing Windows features to avoid detection


WastedLocker has been in the highlights for a successful attack on wearable tech and smartwatch manufacturer Garmin and was paid around 10 million for a decryption key. The ransomware is rumored to be working for the Russian Hacking group Evil Corp, a notorious hacking crew with numerous high profile attacks in their resume.


But the security researchers at Sophos discovered how the ransomware was using the inner workings of Windows to avoid detection by anti-ransomware tools and the method they say is quite ingenious and sophisticated.

 "That's really sophisticated stuff, you're digging way down into the things that only the people who wrote the internals of Windows should have a concept of, how the mechanisms might work and how they can confuse security tools and anti-ransomware detection," Chester Wisniewski, a principal research scientist at Sophos said.
How WastedLocker uses Windows Cache to hide itself 

Usually, anti-ransomware softwares monitor Operating System files for any suspicious behavior like an unknown process performing various functions like opening a file, writing to it, and then closing the file - it will trigger behavior detection and catch any malicious file. But WastedLocker, unlike other traditional ransomware stores the files on Windows Cache and operates from that file and not the original.

 Windows cache to speed up processes, stores commonly used files in it so as when the system requires a command, it first checks for the file in the cache and load it from there rather than the drive making the operation much faster.

 This ransomware opens a file in the Cache, read it there and close the original file. The software will now encrypt the file stored on the cache and not the original. When many changes are done on the file, the file becomes "dirty" and Windows Cache updates the original file with the changes. Since all these commands are done by a legitimate source and Windows itself - it tricks the detection software into believing the process is a system originated and legit thereby bypassing exposure.

 This ability to go undetected makes WastedLocker the most lethal ransomware we have seen yet.

Google Bans Hacked Political Content Ahead of the US Elections, Implements New Google Ads Policy


The presidential elections in the US are near. Keeping this in mind, Google has announced a new policy that will ban ads that advertise hacked political content or propaganda. This new policy will come into effect from 1 September 2020, as per the news available on Google's support page. After the new rule is implemented, the third party players won't be able to purchase ad-space on Google ads, directly or indirectly linked to the hacked content of any political party.

However, ads related to news articles or other pages that contain hacked political material may be allowed. But the news article and the page shouldn't be linked to the political content in any way, says the policy. The violators of this new Google Ads policy (Ad Buyers) will first receive a warning to remove the ad from their account or face account suspension after seven days.


The policy is made observing the 2016 US Elections. 

The new Google Ads policy is made to avoid the 2016 US presidential elections scenario. As we all know, during the 2016 election campaigns in the US, the Russian hackers were able to break into the servers of various political factions associated with the Democratic Party. The breach resulted in data leaks of the Democratic party on WikiLeaks and DC leaks. The attack resulted in biased media coverage and online ads on various social media and platforms that discussed the hacked political content. Google will become the first company to make such a move when the policy is enacted on 1 September.

Twitter, in a similar incident, banned the distribution of hacked content on its platform in 2018 before the US midterm elections. It included not only political content but every other hacked material. It resulted in an unofficial ban of the ads on Twitter, as they need tweets to advertise. According to Google's policy, the following is not allowed: "Ads that directly facilitate or advertise access to hacked material related to political entities within the scope of Google's elections ads policies. This applies to all protected material obtained through the unauthorized intrusion or access of a computer, computer network, or personal electronic device, even if distributed by a third party."

Personal data of one million Moscow car owners were put up for sale on the Internet


On July 24, an archive with a database of motorists was put up for sale on one of the forums specializing in selling databases and organizing information leaks. It contains Excel files of about 1 million lines with personal data of drivers in Moscow and the Moscow region, relevant at the end of 2019. The starting price is $1.5 thousand. The seller also attached a screenshot of the table. So, the file contains the following lines: date of registration of the car, state registration plate, brand, model, year of manufacture, last name, first name and patronymic of the owner, his phone number and date of birth, registration region, VIN-code, series and number of the registration certificate and passport numbers of the vehicle.

This is not the first time a car owner database has been leaked.  In the Darknet, you can find similar databases with information for 2017 and 2018 on specialized forums and online exchanges.
DeviceLock founder Ashot Hovhannisyan suggests that this time the base is being sold by an insider in a major insurance company or union.

According to Pavel Myasoedov, partner and Director of the Intellectual Reserve company, one line in a similar archive is sold at a price of 6-300 rubles ($4), depending on the amount of data contained.
The entire leak can cost about 1 bitcoin ($11.1 thousand).Information security experts believe that the base could be of interest to car theft and social engineering scammers.

According to Alexey Kubarev, DLP Solar Dozor development Manager, knowing the VIN number allows hackers to get information about the alarm system installed on the car, and the owner's data helps to determine the parking place: "There may be various types of fraud involving the accident, the payment of fines, with the registration of fake license plates on the vehicle, fake rights to cars, and so on."

Against the background of frequent scandals with large-scale leaks of citizens data, the State Duma of the Russian Federation has already thought about tightening responsibility for the dissemination of such information. "Leaks from the Ministry of Internal Affairs occur regularly. This indicates, on the one hand, a low degree of information security, and on the other — a high level of corruption,” said Alexander Khinshtein, chairman of the State Duma Committee on Information Policy.

The Council of the EU and Its First-Ever Sanctions against Persons or Entities Involved in Various Cyber-Attacks



The Council of the European Union imposed its first-ever sanction against persons or entities engaged with different cyber-attacks focusing on European citizens and its member states. 

The sanctions imposed include a ban for people traveling to any EU nations and a freeze of assets on persons and entities. 

The order has been issued against six individuals and three entities liable for or associated with different cyber-attacks. Out of the six individuals sanctioned they include two Chinese citizens and four Russian nationals. 

The companies associated with carrying out these cyber-attacks incorporate an export firm situated in North Korea, and technology companies from China and Russia.

The entities responsible for or engaged with different cyber-attacks incorporate some publicly referred to ones as 'WannaCry', 'NotPetya', and 'Operation Cloud Hopper,' just as an endeavored cyber-attack against the organization for the prohibition of chemical weapons.




As per the European Council, the detailed of these persons or entities are: 

 1. Two Chinese Individuals—Gao Qiang and Zhang Shilong—and a technology firm, named Tianjin Huaying Haitai Science and Technology Development Co. Ltd, for the Operation Cloud Hopper. 

 2. Four Russian nationals (also wanted by the FBI) — Alexey Valeryevich, Aleksei Sergeyvich, Evgenii Mikhaylovich, and Oleg Mikhaylovich—for attempting to target the Organisation for the Prohibition of Chemical Weapons (OPCW), in the Netherlands. 

 3. A Russian technology firm (exposed by the NSA) — Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation—for the NotPetya ransomware attack in 2017 and the cyber-attacks directed at a Ukrainian power grid in the winter of 2015 and 2016. 

 4. A North Korean export firm — Chosun Expo, for the WannaCry ransomware attack that made havoc by disrupting information systems worldwide in 2017 and linked to the well-known Lazarus group. 

The Council says, “Sanctions are one of the options available in the EU's cyber diplomacy toolbox to prevent, deter and respond to malicious cyber activities directed against the EU or its member states, and today is the first time the EU has used this tool." 

As indicated by the European Union, the two Chinese nationals who carried out Operation Cloud Hopper are members from the APT10 threat actor group, otherwise called 'Red Apollo,' 'Stone Panda,' 'MenuPass' and 'Potassium.' 

On the other hand, the four Russian nationals were agents of the Russian Intelligence agency GRU who once expected to hack into the Wi-Fi network of the OPCW, which, if effective, would have permitted them to compromise the OPCW's on-going investigatory work.

Twitter Hack: Three Arrested in the Bitcoin Scam


Graham Clark, a resident of Tampa Florida has been arrested under charges of being involved in July’s Twitter hack that targeted the handles of famous personalities including the CEO of SpaceX and Tesla Inc., Elon Musk, and former President of the US Barack Obama, to name a few. The other two suspects arrested by Californian authorities are Nima “Rolex” Fazeli of Orlando and Mason “Chaewon” Sheppard from Bognor Regis, U.K.

The alleged three ran a scheme under which they hijacked the twitter accounts of various public figures and posted tweets advertising a bitcoin scam from these high-profile accounts. In order to acquire access to internal support tools and these Twitter accounts, Clark compromised a Twitter employee and made use of his credentials. After gaining access to 130 accounts belonging to politicians and celebrities, he tweeted Bitcoin scam messages from 45 and accessed direct messages inbox of 36 of them and stopped with downloading the Twitter Data for a total of 7 accounts. Reportedly, the three cybercriminals involved made a profit worth $120,000 worth of bitcoins as a result of the scam.

Among the affected accounts were Amazon’s founder, Jeff Bezos, Microsoft’s CEO Bill Gates, Kim Kardashian West and Joe Biden.

According to operation led by the FBI in collaboration with the Secret Service and IRS, 17-year-old, Graham Clark is identified as the mastermind of the sophisticated incident; the teenager is just a high-school graduate who will be prosecuted by Hillsborough State authorities.

Bearing charges of conspiracy to commit wire fraud and money laundering, aiding the mastermind in orchestrating the attack, Sheppard is subjected to 45 years of imprisonment as the maximum penalty.

In a related video news conference, State Attorney, Warren said, "I want to congratulate our federal law enforcement partners, the US Attorney’s Office for the Northern District of California, the FBI, the IRS, the US Secret Service, and the Florida Department of Law enforcement. These partners worked extremely quickly to investigate and identify the perpetrators of this sophisticated and extensive fraud."

"This defendant lives here in Tampa, he committed the crimes here, and he’ll be prosecuted here,"

"The State Attorney's Office is handling this prosecution rather than federal prosecutors because Florida law allows for us greater flexibility to charge a minor as an adult in a financial fraud case like this." He added.

Meanwhile, in the regard, Twitter said "We appreciate the swift actions of law enforcement in this investigation and will continue to cooperate as the case progresses.

"For our part, we are focused on being transparent and providing updates regularly."

Florida Teen Responsible for Hijacking High Profile Twitter Accounts Arrested, Faces 30 Felony Charges


US police authorities in a press conference on Friday said they had arrested the main accused and two other suspects responsible for a major Twitter hack earlier this month. The main accused is recognized as Graham Ivan Clark, 17 years teen who lives in Tampa, Florida. WFLA-TV, a Florida-based news agency that reported the incident for the first time, said that it was the main suspect (Clark), who was arrested for the Twitter attack. The arrest happened through a national collaboration IRS, Secret Service, the FBI, and the DOJ.


Andrew Warren, State Attorney of Hillsborough, charged Clark responsible for the 15th July Twitter incident. Clark was alleged for being the "mastermind" behind the attack in which the 'suspects hijacked various high profile Twitter accounts.' The hackers used these accounts to tweet about fake cryptocurrency scams. Here's a list of hijacked accounts: Joe Biden, Barrack Obama, Bill Gates, Kanye West, Elon Musk, Apple, Jeff Bezos, Uber, Michael Bloomberg, Kim Kardashian, and various others. According to officials, the hack resulted in getting $1,00,000 worth amount transferred to Clark's account within a day.

Clark now faces 30 felony charges. These include: 

  • Communications Fraud 
  • Organizing Fraud 
  • Use of personal information for frauds 
  • Accessing electronic device without legal authority


The charges specified above were declared through Livestream by the Hillsborough State Attorney. In the beginning, Warren didn't specify whether Clark had other associates working for him. After the press conference, it came to public notice that two other suspects were working with Clark, identified as Mason Sheppard, 19, alias name "Chaewon," and Nima Fazeli, 22, alias name "Rolex." The suspect's arrest happened just after Twitter had published its inquiry report related to th 15th July Twitter hack.

Some of the critical points in the report are mentioned below:

  • The incident happened on 20th July 2020 
  • To gain access to Twitter employees' accounts, hackers used phone bases social engineering systems. Hackers got access to the slack accounts and gained credentials (Yet to be confirmed) 
  • Hackers escaped the 2 step authentication; the report doesn't mention whether backend accounts or slack accounts. 
  • After this, hackers used Twitter's tech support tools to control the accounts. 
  • Hackers breached 130 accounts 
  • Hackers also attempted to sell some of the high profile Twitter profiles.

IBM announces 1000 STEM internship opportunities for students


Petrarch once said, "Sameness is the mother of disgust, variety the cure". And we as a society believe quite strongly in diversity, it is the core of our harmonious existence; even research proves that diverse companies produce 19% more revenue. Most companies today give considerable weightage to being diverse and inclusive, one of them being IBM.

IBM, a highly innovative and research-focused company has always been inclusive in its approach with its ingenious programs like "creating new pathways to science, technology, engineering and math careers with Pathways in Technology Early College High School also known as P-TECH".

 "The fight against racism and racial inequality is as urgent as ever. Despite much progress since the Civil Rights movement, Black people are still significantly affected by poverty, unemployment, segregated housing, and other injustices in the United States.", they wrote on their website.

And with the same thought, IBM has announced to provide 1000 internships for the United States P-TECH students instead of the 150 they used to earlier.

"At IBM, one way we are taking action in advocating for social justice and racial equality is by advancing education, skills, and jobs. Today, as part of our ongoing efforts, we are pleased to announce the creation of 1,000 paid internships for P-TECH students in the United States from now until December 31, 2021. This commitment is a 10x incremental increase from our most recent internship goals." announced the company.

P-TECH is a unique program by IBM, where students from grade 9-11 are prepared with STEM training, mentorship, and work experience. The students earn a high school diploma, a two-year associate degree and work experience, and ample opportunities to enter the tech field. STEM, a science, technology, engineering, and mathematics field has lead the global innovation bar but it is also a field where still minorities are much unrepresented and IBM steps to endeavor this issue with their 1000 free internships program.

 "We aspire to create more open and equitable pathways to employment for all regardless of background. It’s about generating the skills and training that lead to good jobs. We will continue the fight to bring new faces to the tech industry that truly reflect the demographics of our communities.", IBM writes on P-TECH programs announcing the new internship opportunities.

Telegram Takes Down Islamist Propaganda on its Platform, Extremist Groups Struggle


The social networks and US military have imposed high regulations to control Islamist propaganda on social media and have been able to take down Islamic State terrorist groups. After this move, experts say these groups are now struggling to recover their control on the mainstream social media apps and networks. As most of the major social networking sites have choked the group, the Islamist group has tried to build its propaganda on small sites. But even there, it has met by strong regulations by the authorities. According to Europol, an EU (European Union) law agency, the social networking companies have tried to bring down these Islamist propaganda content growing on their websites, in an attempt to take down the extremist group activities on social media.


Europol, in its report, said, "While Google and Instagram deployed resilience mechanisms across their services, Telegram was the online service provider receiving most of the referral requests during this Action Day. As a result, a significant portion of key actors within the IS network on Telegram were pushed away." These extremist groups used Telegram as their primary platform of propaganda until 2019.

According to Europol, Telegram had removed up to 5000 terrorist profiles and bots in two days, in an effort against shutting down the Islamist propaganda. Earlier, it was only able to take down 200-300 accounts on average. After that incident, the extremist groups moved towards more covert apps like the Russian "TamTam" and "Hoop Messenger." Canada hosts these websites. The IS, in apparent desperation, has also started using chat services designed for blockchain developers to spread their messages. In 2016-17, the US cyber command took action against these extremist groups. It shut down recruitment groups and suppressed their further attempts to spread the messages.

Currently, the US cyber command has presidential approval to combat IS propaganda with cyberattacks. They have also widened their jurisdiction area since then. "In the past year and a half, Telegram has also put forth a considerable effort to root out the abusers of the platform by bolstering its technical capacity in countering malicious content and establishing a close partnership with Europol," says Europol.

Online Michigan Bar Exam Hit by a Distributed Denial of Service (DDoS) Attack



The recently conducted online Michigan bar exam was briefly taken down as it was hit by a rather "sophisticated" cyberattack. 

The test had been hit by a distributed denial of service (DDoS) attack, which includes a hacker or group endeavoring to bring down a server by overpowering it with traffic according to ExamSoft, one of the three vendors offering the exam that certifies potential attorneys. 

The incident marked the first DDoS attack the organization had encountered at a network level, ExamSoft said, and it worked with the Michigan Board of Law Examiners to give test-takers more time to take the test after it was ready for action once more. 

The company noted that "at no time" was any information compromised, and that it had the option to “thwart the attack, albeit with a minor delay” for test-takers. 

The Michigan Supreme Court tweeted preceding the organization's statement that a "technical glitch" had made the test go down, and those test takers were “emailed passwords and the test day will be extended to allow for the delay for some test takers to access the second module.” 

As per the court, those taking the test with provisions from the Americans with Disabilities Act were not affected by the episode.

 “All exam takers were successfully able to start and complete all modules of the Michigan Bar exam,” the organization wrote. 

“This was a sophisticated attack specifically aimed at the login process for the ExamSoft portal which corresponded with an exam session for the Michigan Bar,” ExamSoft said in a statement on Tuesday. 

United for Diploma Privilege, a national gathering of law students, graduates, professors, and lawyers pushing for the bar exam to be postponed during the COVID-19 pandemic, raised worries about data privacy issues associated with the cyberattack.  

Numerous states have opted to offer the bar exam in-person this month, while others will offer the test online in early October. 

A spokesperson for the National Conference of Bar Examiners (NCBE), which drafts a segment of the test, told 'The Hill' just earlier this month that states and jurisdiction could decide to offer the test through vendors such as ExamSoft, Extegrity and ILG Technologies.


COVID-19 used as a lure for Cyber Attacks: Report suggest massive increase in Phishing Trends


Since the starting of the year, 2020 has been a bearer of bad news and Covid seems like a bad punch line. With 14 Million cases, the pandemic has wreaked havoc not only on human life but other sectors of business and economy as well; especially impacting cybersecurity, giving a sweet opportunity for hackers and scammers to con people.


According to recent research by Positive Technologies, there has been a 25% increase in phishing attacks in quarter one (Q1)of this year as compared to Q4 of 2019 and 13% of these phishing attacks were related to COVID-19. One of the analysts at Position Technologies said, “Hackers were quick to use common concerns about coronavirus as lures in phishing emails. One out of every five emails was sent to government agencies.”

The researchers also noted that 23 of the tenacious and active APT (Advanced Persistent Threat) groups targeted financial and medical institutions, government agencies, and industries. Around 34% of the attacks on organizations were ransomware ( malware attackers demanding money ransom in order to decrypt files and to not reveal stolen data). One out of every 10 ransomware was targeted at an organization.

This year has seen ransomware evolving into much-feared threat with Maze ransomware collaborating with other ransomware groups and publishing the stolen data on their website. Another ransomware Snake released in the beginning of this year, even deletes backups and snapshots.

Many security analysts discourse that the report from the research isn't all that surprising as COVID-19 has been used as a lure and click-bait to trap users desperate for info on the pandemic.

Jamie Akhtar, CEO of CyberSmart says, “enormous spike in phishing campaigns, fake websites and social profiles that were deliberately impersonating COVID-19 and healthcare-related authorities as hackers exploited the unprepared public.”

 Adding, “Many of these phishing emails can be extremely convincing and are not likely to end soon.

“Businesses and their employees can protect themselves against these attacks in the future by using email filtering that will detect and flag suspicious email addresses and malicious links or attachments, but these often don't catch everything. Training employees on how to spot suspicious and phishing emails is the best way to prevent these kinds of attacks.”

Google Banned 29 Android Apps Containing Adware


A research discovered that almost all the malware are designed to target android users and in order to prevent users from installing adware filled apps built to stealthily access their banking and social media credentials; Google has made a continuous effort including the introduction of ‘Google Play Protect’. The main idea behind Play protect is to keep your device, apps, and data secure by automatically scanning the apps in real-time and identifying any potentially malicious apps. Despite the strength of Google’s machine learning algorithms and constantly improving real-time technology, the operations of Potentially Harmful Applications (PHAs) do not seem to halt any time soon as cybercriminals are devising new methods to evade detection by Play Protect also.

Recently, Google pulled off 29 apps from the Play Store as they were found to be infected with adware, most of these apps were present in the facade of photo editing apps having a feature of ‘blur’, which was also the codename of the investigation called as “CHARTREUSEBLUR”- that unveiled the malicious operations. The apps were discovered as a part of the White Ope’ Satori threat intelligence team. In total, these Android apps had more than 3.5 million downloads.

As per the observations, these malicious apps were promoting irrelevant advertisements which are said to be used to keep away from detection. After the victim installs any of these apps, the icon to launch the app would immediately disappear from the home screen and won’t be found anywhere, making it highly inconvenient for the users to remove the adware laden apps from their devices. Moreover, there was no open function to be found on the Play Store either.

In order to stay on a safer side, the investigation team advised Android users to stay wary of adware filled apps by examining reviews properly before downloading and not to fall for fake 5-star reviews. Apps that seem new and have received a whopping number of downloads in a short period of time should be strictly avoided.

Recently banned 29 Android applications included Color Call Flash, Photo Blur, Photo Blur Master, Super Call Screen, Square Blur Master, Blur Photo Editor, Super Call Flash, Auto Picture Cut, Square Blur Photo, Magic Call Flash amid a few others.

The data of clients of the Russian bank Alfa-Bank leaked to the Network


On June 22, a message appeared on the Darknet about the sale of a database of clients of the largest Russian banks. The seller did not specify how many records he has on hand but assured that he is ready to upload 5 thousand lines of information per week.

One of the Russian Newspapers had a screenshot of a test fragment of the Alfa-Bank database, which contains 64 lines. Each of them has the full name, city of residence, mobile phone number of the citizen, as well as the account balance and document renewal date.

A newspaper managed to reach up to six clients using these numbers. Two of them confirmed that they have an account with Alfa-Bank and confirmed the relevance of the balance.

Alfa-Bank confirmed that they know about the data leak of several dozen clients.
The seller of Alfa-Bank's database said that he also has confidential information of clients of other credit organizations.

"I can sell a database of VTB clients with a balance of 500 thousand rubles or more with an update from July 17 for 100 rubles per entry," claimed the seller. However, the Russian newspaper was not able to get test fragments of these databases.

The newspaper also contacted two other sellers who offered information about users of Gazprombank, VTB, Pochta Bank, Promsvyazbank, and Home Credit Bank.
Information about the account balance is classified as a Bank secret. Knowing such confidential details makes it easier for attackers to steal money using social engineering techniques.

"There are two ways to get bases on the black market. One of them is the leak of data by an insider from a Bank or company. The second option is through remote banking vulnerabilities," said Ashot Hovhannisyan, founder of the DLBI leak intelligence service.
According to him, the reason for the ongoing leaks is inefficient investments in security. Companies often protect their systems from hacking from outside, but not from insiders.

The National Security and Defense Council of Ukraine reported a leak of IP addresses of government websites


The leaked list of hidden government IP addresses of government websites occurred in Ukraine. This is stated in the statement of the National Security and Defense Council (NSDC).

It is noted that specialists of the National Cyber Security Coordination Center under the National Security and Defense Council of Ukraine have found in the DarkNet a list of almost 3 million sites using the Cloudflare service to protect against DDoS and a number of other cyberattacks. The list contains real IP-addresses of sites that are under threat of attacks on them.

"The list contains real IP addresses of sites, which creates threats to direct attacks on them. Among these addresses are 45 with the domain" gov.ua" and more than 6,500 with the domain "ua", in particular, resources belonging to critical infrastructure objects",  specified in the message on the official website of the NSDC.

According to Ukrainian experts, some data on Ukrainian sites are outdated, and some are still relevant. In this regard, according to the NSDC, there is a threat to the main subjects of cybersecurity.

It was found that Cloudflare provides network services to hide real IP addresses to mitigate DDoS attacks.

In January of this year, the national police of Ukraine opened criminal proceedings due to a hacker attack on the website of Burisma Holdings. According to Assistant to the Interior Minister Artem Minyailo, the attack "was most likely carried out in cooperation with the Russian special services." To conduct an investigation, Ukraine turned to the US Federal Bureau of Investigation.

In May 2020, representatives of the state service for special communications and information protection of Ukraine announced hacker attacks on the websites of state bodies of Ukraine, including the portal of the office of President Vladimir Zelensky. In the period from 6 to 12 may, more than 10.9 thousand suspicious actions were recorded on state information resources.

New Network Protocols Abused To Launch Large-Scale Distributed Denial of Service (DDoS) Attacks


The Federal Bureau of Investigation issued an alert just the previous week cautioning about the discovery of new network protocols that have been exploited to launch large-scale distributed denial of service (DDoS) attacks. 

The alert records three network protocols and a web application as newfound DDoS attack vectors.  

The list incorporates CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), ARMS (Apple Remote Management Service), and the Jenkins web-based automation software. 

Three of the four (CoAP, WS-DD, ARMS) have just been exploited in reality to launch monstrous DDoS attacks, the FBI said dependent on ZDNet's previous reporting. 


 COAP 

In December 2018, cyber actors began exploiting the multicast and command transmission features of the Constrained Application Protocol (CoAP) to lead DDoS reflection and amplification assaults, bringing about an enhancement factor of 34, as indicated by open-source reporting. 


WS-DD 

In May and August 2019, cyber actors abused the Web Services Dynamic Discovery (WS-DD) convention to launch more than 130 DDoS attacks, with some reaching sizes of more than 350 Gigabits for every second (Gbps), in two separate influxes of attack, as indicated by open-source reporting. 


ARMS 

In October 2019, cyber actors abused the Apple Remote Management Service (ARMS), a part of the Apple Remote Desktop (ARD) feature, to lead DDoS amplification attacks, according to open-source reporting. 


JENKINS 

In February 2020, UK security researchers identified a vulnerability in the inherent network discovery protocols of Jenkins servers-free, open-source, automation workers used to help the software development process that cyber actors could exploit to conduct DDoS amplification attacks - as indicated by open-source reporting. 

FBI officials believe that these new DDoS threats will keep on being exploited further to cause downtime and damages for the 'foreseeable future'. 

The reason for the alert is to warn US companies about the 'imminent danger', so they can put resources into DDoS mitigation systems and create partnerships with their internet service providers to quickly respond to any attacks utilizing these new vectors. 

As of now, these four new DDoS attack vectors have been utilized inconsistently, however, industry specialists anticipate that them to become widely abused by DDoS-for-hire services.

Prometei: A Cryptomining Botnet that Attacks Microsoft's Vulnerabilities


An unknown Botnet called "Prometei" is attacking windows and Microsoft devices (vulnerable) using brute force SMb exploits. According to Cisco Talos, these SMB vulnerabilities help in mining cryptocurrency. The botnet has affected around a thousand devices. It came in March; however, according to experts at Cisco Talos, the campaign could only generate a small amount of $5000 in four months of its activities. The botnet was working since the beginning of March and took a blow on 8th June. However, the botnet kept working on its mining operations to steal credentials. According to experts, the botnet is working for somebody based in Europe, a single developer.


"Despite their activities being visible in logs, some botnets successfully fly under detection teams' radar, possibly due to their small size or constant development on the adversary's part. Prometei is just one of these types of networks that focuses on Monero mining. It has been successful in keeping its computing power constant over the three months we've been tracking it," says Cisco Talo's report.
Vanja Svajcer, a cybersecurity expert, says that earning $1250 monthly is more than average for a European. Therefore, the developer would 've made a fair profit from the botnet. Besides crypto mining, it can also steal private credentials and escape without getting traced.

About SMB attack 

The hacker exploits the Windows Server Message Block protocol using a vulnerability. After this, the hackers retrieve passwords from Mimikatz, which is an open-source app for credential authentication. To spread itself in SMB protocol, the hackers use the RdpcIip.exe spreader module. This spreader tries to authenticate SMB operation using retrieved credentials or a temporary guest profile, which doesn't require any password. If the spreader can infiltrate, it uses a Windows app to launch the botnet remotely. But if the attack fails, the hackers can use other versions of vulnerabilities to start botnet.

To protect yourself, Cisco Talos says, "defenders need to be constantly vigilant and monitor systems' behavior within their network. Attackers are like water — they will attempt to find the smallest crack to seep in. While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure."

Firefox expected to release a fix for their "Camera active after phone locks" bug this October


A bug in Mozilla Firefox enabled websites to keep the smartphone camera active even after leaving the browser or locking the phone. The company is working on fixing the bug and are planning to release the fix around October this year.


The bug was first reported by Appear TV, a video delivery platform last year in July. The bug activates when a user opens a video streaming app from their Mozilla Firefox browser in their Android smartphone.

It was first noticed by Appear TV when the video kept playing in the background even when it should have stopped that is the video kept playing in the background even when the user moved out of the browser or pushed it to the background or locked the phone. This raised concerns over user's privacy and bandwidth loss. "From our analysis, a website is allowed to retain access to your camera or microphone whilst you're using other apps, or even if the phone is locked," said a privacy app, Traced in talks with ZDNet. "While there are times you might want the microphone or video to keep working in the background, your camera should never record you when your phone is locked".

On Fixing the Issue

 "As is the case with dedicated conferencing apps, we provide a system notification that lets people know when a website within Firefox is accessing the camera or microphone, but recognize that we can do better, especially since this gets hidden when the screen is locked," a Mozilla spokesperson said in a statement.

"This bug [fix] aims to address this by defaulting to audio-only when the screen is locked," Mozilla added. "[The fix] is scheduled for release at the platform-level this October, and for consumers shortly after."

Mozilla has been working on a next-generation browser Firefox Nightly with more focus on privacy to replace their current browser for Android. The update is out for testing.

"Meanwhile, our next-generation browser for Android, now available for testing as Firefox Nightly, already has a prominent notification for when sites access this hardware as well," said Mozilla.

Botnet Activity Goes Down; Revived Emotet Suffers Hindrances in Operations by A Vigilante Hacker


An anonymous vigilante hacker has been actively involved in obstructing 2019's most widespread cybercrime operation, Emotet that made a comeback recently. He has been sabotaging the malicious affairs and protecting users from getting affected by removing Emotet payloads and inserting animated GIFs at their places. Acting as an intruder, he replaced Emotet payloads with animated GIFs on certain hacked WordPress sites, meaning when victims would open the infected Office files, the malware would not be downloaded and executed on their computers, saving them from the infection.

Emotet is a banking Trojan that was first spotted in the year 2014 by security researchers, it was primarily designed to sneak onto the victim's computer and mine sensitive data. Later, the banking malware was updated; newer versions came up with spamming and malware delivery functionality. Emotet is equipped with capabilities to escape anti-malware detection, it uses worm-like abilities that help it proliferate through connected systems. Mainly, the infection is spread via malspam, however, it may also be sent through malicious scripts, links, or macro-enabled documents.

Started off casually a few days ago, on the 21st of July, the act of sabotaging the operations has become a major concern for the Emotet authors, affecting a significant fragment of the malware botnet’s revived campaign. Essentially, the sabotage has been possible owing to the fact that Emotet authors are not employing the best web shells in the market, it was noted earlier in 2019 also that the criminals involved in Emotet operations were using open-source scripts and identical password for all the web shells, risking the security of its infrastructure and making it vulnerable to hijacks just by a simple guess of password.

While giving insights on the matter, Kevin Beaumont said in 2019, “The Emotet payload distribution method is super insecure, they deploy an open-source webshell off Github into the WordPress sites they hack, all with the same password, so anybody can change the payloads infected PCs are receiving.