
Banks have assessed the security of digital ruble payments

Major Russian banks are ready to take part in testing the digital ruble and have no doubt that it will be in demand among customers

According to market participants, special attention should be paid to information security: digital rubles can be spent offline and, according to banks, such operations may become a tempting target for fraudsters.

The Bank of Russia presented the idea of a digital ruble in mid-October. It is expected to take the form of a unique digital code stored in a special electronic wallet and to become a full-fledged means of payment on a par with the ordinary ruble. A prototype is scheduled for testing next year, and the regulator presented its concept last Thursday.

"VTB is ready to take part in pilot projects related to the introduction of the digital ruble. VTB estimates that it may take about two years to create the infrastructure for the implementation of the digital currency," said Vadim Kulik, Deputy President and Chairman of the Bank's Management Board. Apart from VTB, other major credit institutions, including Russian Standard and Promsvyazbank, are ready to take part in the testing of the digital ruble.

Participants in the pilot project will have to resolve a number of issues, with particular emphasis on the security of client operations. "The main risks of payments in digital rubles are gaining unauthorized access to an electronic wallet and committing fraudulent operations using social engineering methods", said Andrei Makosko, head of the information security service of Novikombank.

In addition, banks are concerned about a possible outflow of funds from non-cash payments into digital rubles. According to the head of the Raiffeisenbank innovation center, Evgenia Ovchinnikova, this may affect the existing relationships between banks, shops and payment systems.

"It is also important that the digital ruble platform does not result in capital expenditures on the part of banks", emphasized Olga Makhovaya, director of innovations and data management at Rosbank.

The digital ruble is also expected to help combat "payment slavery", in which a customer's services are tied to a single credit institution.

Cybercriminals Are Using Google URLs as a Weapon to Spread Malware


Security researchers at Microsoft have warned organizations of a new phishing campaign. They have been tracking activity in which contact forms published on websites are abused to send malicious links to organizations via emails containing fake legal threats. The emails direct recipients to click a link to review the supposed evidence behind the allegations; instead, recipients are led to download IcedID, an info-stealing malware. Microsoft Defender for Office 365 identifies and blocks these emails, shielding enterprises from this threat.

As a precautionary measure, Microsoft reported the threat to Google's security teams to warn them that threat actors are using legitimate Google URLs to deliver malware. The Google URLs are useful to the attackers because they bypass email security filters. The attackers also appear to have bypassed the CAPTCHA challenges used to test whether a contact-form submission comes from a human.

"Attackers are abusing legitimate infrastructure, such as websites' contact forms, to bypass protections, making this threat highly evasive. Besides, attackers use legitimate URLs, in this case, Google URLs that require targets to sign in with their Google credentials," the Microsoft 365 Defender Threat Intelligence Team stated. 

Microsoft is concerned about the methodology the threat actors use to steal information. So far it has observed the criminals using these URLs in emails to deliver IcedID, but the same technique could just as easily be used to deliver other malware.

IcedID is an info-stealing malware that connects to a command-and-control server to download modules that conduct functions like stealing banking credentials and other data. It achieves persistence and downloads additional tools that let remote attackers pursue other malicious actions on a target system, including credential theft, lateral movement, and delivery of additional payloads.

"We have already alerted security groups at Google to bring attention to this threat as it takes advantage of Google URLs. We observed an influx of contact form emails targeted at enterprises by means of abusing companies' contact forms. This indicates that attackers may have used a tool that automates this process while circumventing CAPTCHA protections. As the emails are originating from the recipient's own contact form on their website, the email templates match what they would expect from an actual customer interaction or inquiry," Microsoft further notes.

Russian expert gives tips on how to protect yourself from "eavesdropping" on your smartphone

A smartphone can "eavesdrop" on its owner, said information and computer security expert Sergei Vakulin. In an interview with Radio Sputnik, he explained who might want to record conversations and how to protect sensitive information.

Some smartphone applications may record our conversations when we do not expect them to. Moreover, we ourselves give them this opportunity by granting access to the microphone when the application is installed, explained information and computer security expert Sergei Vakulin.

According to him, advertisers are primarily interested in obtaining such information.

"The app can spy on you to analyze your data and sell it. Not just to collect it, but to sell it. We often have the situation where you took a loan from one bank, and you immediately get a call from another bank offering another loan. Selling data - this is already a banal topic," the expert said in an interview with Radio Sputnik.

He clarified that once the app has gained access to the microphone, it can turn it on whenever it wants, not just during a phone call. Sergei Vakulin claims that the recording function can be turned on even on a locked device.

"If you've given the app permission to access the microphone, it will be able to 'listen' to you even when it's locked. If you have access, the app can turn on the microphone at any time it wants and collect information," the expert explained.

According to him, you can protect yourself from eavesdropping by limiting the number of applications with access to the microphone.

Also, for particularly important conversations you can buy a phone without the ability to connect to modern communication networks.

"If you look closely at many officials and billionaires, both Russian and foreign, they walk around with push-button phones. A pushbutton phone will be very difficult to listen to, because there is no 3G, LTE and so on," explained Sergei Vakulin.

Research Study shows that 100 Million IoT Devices are at Risk


Forescout Research Labs, in collaboration with JSOF, has disclosed a new collection of DNS vulnerabilities potentially affecting over 100 million consumer devices. The seemingly simple code that underpins how computers talk to the internet has yielded a shocking number of vulnerabilities for researchers. The 9 new vulnerabilities affect approximately 100 million devices worldwide, including Internet of Things products and IT control servers.

The newly revealed bugs lie in the code that implements the network communication protocols connecting devices to the internet in four ubiquitous TCP/IP stacks. Found in software such as the FreeBSD open-source project and Nucleus NET from the industrial control company Siemens, the vulnerabilities all relate to how the "Domain Name System", the internet's phone book, is implemented.

Each of them allows an attacker to crash a device and take it offline, or to gain remote control of it. All the vulnerabilities found by the Forescout and JSOF researchers now have patches, but that does not necessarily translate into fixes on actual devices, which frequently run outdated software versions.

“With all these findings I know it can seem like we’re just bringing problems to the table, but we're really trying to raise awareness, work with the community, and figure out ways to address it,” says Elisa Costante, vice president of research at Forescout. She further added, “We've analyzed more than 15 TCP/IP stacks both proprietary and open source and we've found that there's no real difference in quality. But these commonalities are also helpful because we've found they have similar weak spots. When we analyze a new stack we can go and look at these same places and share those common problems with other researchers as well as developers.” 

Researchers have yet to see indications of these types of vulnerabilities being actively exploited in the wild by attackers. But the exposure is notable: according to several different findings, hundreds, perhaps billions, of devices have potentially been affected.

Similar flaws previously found by Forescout and JSOF have already been exposed in hundreds of millions or potentially trillions of devices running other proprietary and open-source TCP/IP stacks around the world.

“For better or worse, these devices have code in them that people wrote 20 years ago—with the security mentality of 20 years ago,” says Ang Cui, CEO of the IoT security firm Red Balloon Security. 

Although the fixes will not propagate widely in the near future, they are available. Other stopgap mitigation measures will also minimize exposure, namely ensuring that as many devices as possible are not connected to the internet directly and using an internal DNS server.

Forescout's Costante noted that with such measures in place, operational behaviour becomes predictable and attempts to exploit certain defects are easier to identify.

Forescout has published an open-source script that network administrators can use to identify potentially vulnerable IoT devices and servers in their organizations.

The company also maintains a library of queries that researchers and developers can use to quickly identify similar DNS vulnerabilities.

“It’s a widespread problem; it’s not just a problem for a specific kind of device,” says Costante.

Warning: Your WhatsApp May Be Hacked and There’s Nothing You Can Do


If one is not careful, things might get really unpleasant for WhatsApp users. A new vulnerability has been discovered that could enable a remote attacker to deactivate WhatsApp on someone's phone using nothing more than their phone number.

Alarmingly, two-factor authentication would be ineffective in preventing this from happening. The attack requires some amount of error on the user's part, but at the next step, which should be designed to protect against exactly this, two-factor authentication does nothing to stop it.

According to Forbes, security researchers Luis Márquez Carpintero and Ernesto Canales Perea demonstrated the vulnerability and were able to disable WhatsApp on a user's phone.

According to the report, there are two parts to this vulnerability. The first is the method for installing WhatsApp on any device. When one installs WhatsApp on a phone, an SMS code is sent to verify the SIM card and phone number. A hacker can do the same thing by installing WhatsApp on their own phone using the victim's phone number. At this stage the user begins receiving six-digit codes via SMS, indicating that someone has requested a code to install WhatsApp with their number. There is nothing one can do at this moment, and WhatsApp continues to work normally.

Since this is a part of the hacking process, these codes will appear frequently. For a duration of 12 hours, WhatsApp's verification process will limit the number of codes that can be submitted and disable the ability to create more codes. During this time, WhatsApp will continue to function normally. However, one should not deactivate WhatsApp on their phone and then try to reinstall it at this time. This vulnerability is expected to impact both WhatsApp for Android and WhatsApp for iPhone. 

In the next step, the hacker creates an email address and sends an email to support@whatsapp.com claiming that the phone on which WhatsApp is enabled has been stolen or misplaced and that WhatsApp needs to be deactivated for that number, which is the user's phone number. WhatsApp may send an email to confirm the phone number, but it has no way of knowing whether the email comes from a hacker or the legitimate owner. After a while, WhatsApp for that phone number is deactivated. When the user opens the app again, they see a message that says "Your phone number is no longer registered with WhatsApp on this phone."

The reasonable next step would be to try to reinstall WhatsApp on one's account. According to the report, no code is sent via SMS, and the app tells the user to "Wait before requesting an SMS or a call.", because the user's phone is now subject to the same limitation as the hacker's.

If the attacker waits out the 12-hour period and emails WhatsApp again, the user will not be able to set up WhatsApp on their phone even if they receive the text messages with codes.

The researchers indicate that WhatsApp breaks down and gets confused after the third 12-hour cycle and, instead of a countdown, simply says "try again after -1 seconds". The user's phone and the attacker's phone are both treated the same way, and this is where the issue arises. If the attacker waits until now to email WhatsApp again to deactivate the number, the user will not be able to re-register the app on their phone once they have been kicked out. The researchers told Forbes, "It's too late."

“There is no way of opting out of being discovered on WhatsApp. Anyone can type in a phone number to locate the associated account if it exists. Ideally, a move towards being more privacy-focused would help protect users from this, as well as forcing people to implement a two-step verification PIN,” ESET’s Jake Moore told Forbes. 

WhatsApp's response to Forbes' Zak Doffman, unfortunately, does not evoke much trust. All they state is, “providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem. The circumstances identified by this researcher would violate our terms of service and we encourage anyone who needs help to email our support team so we can investigate.”

Hackers Expose Contact and KYC Details of Upstox Clients


Upstox, India's second-biggest broking firm by number of active customers, has disclosed that its databases, including contact details and know-your-customer (KYC) details, may have been breached. The Delhi-based discount brokerage firm nevertheless says it has recently strengthened the security of its servers manifold, on the advice of a global cyber-security firm, in response to the suspected data breach.

The company has assured customers that their funds and securities are protected and remain safe. Sources suggest that Upstox has suffered a large data breach that has exposed sensitive information such as Aadhaar, PAN, bank account numbers, cancelled cheques, signatures and photographs, as well as other personally identifiable information such as passport details, mobile numbers and email addresses.

“On receipt of e-mails claiming unauthorized access into our database, we have appointed a leading international cyber-security firm to investigate possibilities of breach of some KYC data stored in third-party data warehouse systems. This morning, hackers put up a sample of our data on the dark web,” a company spokesperson said in an e-mailed statement. 

The spokesperson added that, as a proactive measure, the company has initiated numerous security upgrades, especially at the third-party warehouses, along with continuous 24x7 monitoring and additional ring-fencing of its network.

“As a matter of abundant caution, we have also initiated a secure password reset via OTP for all Upstox users. Upstox takes customer security extremely seriously. Funds and securities of all Upstox customers are protected and remain safe. We have also duly reported this incident to the relevant authorities,” the spokesperson said. The spokesperson further said that at this point, “We don't know with certainty the number of customers whose data has been exposed.” 

Upstox, backed by investors such as Tiger Global and Ratan Tata, has more than 3,000,000 clients. In a note posted on the company website, Upstox co-founder and CEO Ravi Kumar said that customers' funds and securities are protected and remain safe.

“Funds can only be moved to your linked bank accounts and your securities are held with the relevant depositories. As a matter of abundant caution, we have also initiated a secure password reset via OTP. Through this time, we have also strongly fortified our systems to the highest standards,” he said.

NCSC Warns of Exploited VPN Servers: Here are the Safety Tips to Fix Your VPN


The UK's National Cyber Security Centre (NCSC) has published a new advisory warning that cybercriminals as well as Advanced Persistent Threat (APT) actors are actively searching for unpatched VPN servers and trying to exploit the CVE-2018-13379 vulnerability.

According to the NCSC, a significant number of organizations in the UK have not fixed a Fortinet VPN vulnerability patched in May 2019, resulting in the credentials of 50,000 vulnerable VPNs being stolen and published on a hacker forum. The NCSC therefore recommends that organizations using such devices, where the security updates have not been installed, assume they are now compromised and start incident management procedures.

“The NCSC is advising organizations which are using Fortinet VPN devices where security updates have not been installed, to assume they are now compromised and to begin incident management procedures. Users of all Fortinet VPN devices should check whether the 2019 updates have been installed. If not, the NCSC recommends that as soon as possible, the affected device should be removed from service, returned to a factory default, reconfigured, and then returned to service,” NCSC stated.

Safety tips for users & organizations 

The first step is to check whether the 2019 update is installed on all Fortinet VPN devices. If not, the NCSC recommends installing it as soon as possible. Secondly, affected devices should be removed from service, returned to factory default, reconfigured, and then restored to service.

While fixing the security loophole, organizations should examine all connected hosts and networks to detect any further attacker movement and activity. Anomalous connections in the access logs of the SSL VPN service may also indicate the use of compromised credentials. Organizations should then make it a high priority to upgrade to the latest FortiOS versions to prevent reinfection.
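The log review step above can be automated. The following is an added example, not part of the NCSC advisory or any Fortinet tooling: it parses constructed key=value SSL VPN access log lines (the field names `action`, `user`, `remip` and the `tunnel-up` value are assumptions, modelled loosely on firewall syslog, not a real vendor schema) and flags two patterns that suggest replay of leaked credentials: one account connecting from several source addresses within a short window, and one source address authenticating as many accounts.

```python
"""Flag anomalous SSL VPN logins in key=value access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data; field names are assumed).
SAMPLE_LOGS = """\
date=2021-04-10 time=08:02:11 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=203.0.113.5 msg="SSL tunnel established"
date=2021-04-10 time=08:05:40 type="event" subtype="system" action="login" user="admin" srcip=192.0.2.10 msg="Administrator login"
date=2021-04-10 time=08:20:03 type="event" subtype="vpn" action="tunnel-up" user="alice" remip=198.51.100.77 msg="SSL tunnel established"
date=2021-04-10 time=08:21:15 type="event" subtype="vpn" action="tunnel-up" user="carol" remip=198.51.100.77 msg="SSL tunnel established"
date=2021-04-10 time=08:22:48 type="event" subtype="vpn" action="tunnel-up" user="dave" remip=198.51.100.77 msg="SSL tunnel established"
date=2021-04-10 time=08:30:00 type="event" subtype="vpn" action="tunnel-down" user="carol" remip=198.51.100.77 msg="SSL tunnel shutdown"
date=2021-04-10 time=09:00:02 type="event" subtype="vpn" action="tunnel-up" user="bob" remip=203.0.113.5 msg="SSL tunnel established"
"""

# key=value pairs; values may be double-quoted (and contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def load_events(text):
    """Keep only successful SSL VPN tunnel establishments, sorted by time."""
    events = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields.get("subtype") != "vpn" or fields.get("action") != "tunnel-up":
            continue
        ts = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "user": fields["user"], "remip": fields["remip"]})
    return sorted(events, key=lambda e: e["ts"])


def users_from_many_ips(events, window=timedelta(hours=1), max_ips=1):
    """Accounts that established tunnels from more than max_ips distinct
    source addresses inside any sliding window: one credential, many places."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    flagged = {}
    for user, evs in per_user.items():
        for i, start in enumerate(evs):  # evs is time-ordered
            ips = {x["remip"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(ips) > max_ips:
                flagged[user] = sorted(ips)
                break
    return flagged


def ips_with_many_users(events, min_users=3):
    """Source addresses that authenticated as min_users or more accounts:
    the shape of a leaked credential list being replayed from one host."""
    per_ip = defaultdict(set)
    for e in events:
        per_ip[e["remip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in per_ip.items() if len(users) >= min_users}


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOGS)
    for user, ips in users_from_many_ips(evs).items():
        print(f"REVIEW account {user}: tunnels from {', '.join(ips)} within 1h")
    for ip, users in ips_with_many_users(evs).items():
        print(f"REVIEW source {ip}: authenticated as {', '.join(users)}")
```

Both checks are heuristics: a shared egress address or a travelling user produces the same shape, so each flag is a review item to correlate with the device's patch status, not a verdict on its own.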

"The security of our customers is our first priority. For example, CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a PSIRT advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019, July 2020, and again in April 2021 strongly recommending an upgrade," a Fortinet spokesperson told ZDNet.

500,000 Huawei Devices hit by the Joker Malware


Security researchers have discovered that over 500,000 Huawei smartphone users have downloaded apps infected with the Joker malware, which inadvertently subscribes them to premium mobile services. For the past couple of years the Joker malware family has infected apps on Google's Play Store, but this is the first time it has appeared on Huawei phones. Huawei users rely on the company's in-house platform, AppGallery, because business restrictions in the USA prevent them from accessing the Google Play Store. In AppGallery, the researchers found some 10 applications containing malicious code that connects to a command-and-control server to install additional components.

A source noted that "Doctor Web's virus analysts have uncovered the first malware on App Gallery―the official app store from the Huawei Android device manufacturer. They turned out to be dangerous Android.Joker trojans that function primarily to subscribe users to premium mobile services. In total, our specialists discovered that 10 modifications of these trojans have found their way onto App Gallery, with more than 538,000 users having installed them."

The researchers mentioned that the malware subscribes the user to up to five services, but that limit can be changed at any time by the threat actor. The list of malicious applications included virtual keyboards, a camera app, a launcher, an online messenger, a sticker pack, coloring programs, and a game. Most of the applications were developed by a single developer (Shanxi Kuailaipai Network Technology Co., Ltd.), and two came from separate developers. More than 538,000 Huawei users installed these 10 applications, according to Doctor Web's reports.

Doctor Web notified Huawei of these applications, and the company detected and removed them from AppGallery. New users can no longer download them, but users who already have the applications on their devices must remove them manually. Once enabled, the malware transmits a configuration file to the remote server, including a task list, premium service websites, and JavaScript that imitates user interaction, the researchers state.

The history of Joker malware goes back to 2017, and it has repeatedly made its way into games distributed through the Google Play store. In October 2019, Kaspersky malware researcher Tatyana Shishkova tweeted about over 70 compromised applications, making the problem public. Reports of the malware in Google Play continued to surge. In early 2020, Google announced the removal of some 1,700 Joker-infected applications. Joker was still in the store last February, and even in July of last year it was still slipping through Google's defenses.

New Malware Downloader Spotted in Targeted Campaigns


In recent weeks, a relatively sophisticated new malware downloader has emerged that, while not widely distributed yet, appears to be gaining momentum. Malwarebytes researchers recently discovered the Saint Bot dropper, as they have termed it, being used as part of the infection chain in targeted campaigns against government institutions in Georgia. 

Researchers discovered Saint Bot while investigating a phishing email carrying a zip file that contained malware they had never seen before. The zip file included an obfuscated PowerShell script disguised as a link to a Bitcoin wallet. According to Malwarebytes, the script started a chain of infections that ended with Saint Bot being dropped on the compromised system.

In each case, the attackers used Saint Bot to drop information stealers and other malware downloaders. According to the security vendor, the new loader is probably being used by a few different threat actors, implying that there are likely other victims. 

One of the information stealers that Saint Bot has been observed dropping is Taurus, a malware tool designed to steal passwords, browser history, cookies, and auto-fill data. The Taurus stealer can also steal FTP and email client credentials, as well as system information such as configuration details and installed software. According to Malwarebytes, while Saint Bot has mostly been observed dropping stealers, the dropper is designed to deliver any malware to a compromised system.

Malware droppers are specialized tools designed to install various types of malware on victim systems. One of the most notable recent examples of such malware is Sunburst, the tool that was distributed via poisoned SolarWinds Orion software updates to some 18,000 organizations worldwide. In that case, the dropper was specifically designed to deliver targeted payloads on systems belonging to organizations of particular interest to the attackers. 

Basically, the downloaders are first-stage malware tools designed to deliver a wide range of secondary and tertiary commodity payloads, such as ransomware, banking Trojans, cryptominers, and other malicious tools. Some of the most popular droppers in recent years, such as Emotet, Trickbot, and Dridex, began as banking Trojans before their operators switched tactics and used their Trojans as malware-delivery vehicles for other criminals. 

Saint Bot, like many other droppers, has several obfuscation and anti-analysis features to help it evade malware detection tools. It is designed to detect virtual machines and, in some cases, to detect but not execute on systems located in specific Commonwealth of Independent States countries, which include former Soviet bloc countries such as Russia, Azerbaijan, Armenia, Uzbekistan, Ukraine, and Moldova.

"As we were about to publish on this downloader, we identified a few new campaigns that appear to be politically motivated and where Saint Bot was being used as part of the infection chain. In particular, we observed malicious documents laced with exploits often accompanied by decoy files." a spokesman from Malwarebytes' threat intelligence team states. In all instances, Saint Bot was eventually used to drop stealers. 

According to Malwarebytes, while Saint Bot is not yet a widespread threat, there are indications that the malware's creators are still actively working on it. The security vendor says its investigation of Saint Bot reveals that a previous version of the tool existed not long ago. "Additionally, we are also seeing new campaigns that appear to be from different customers, which would indicate that the malware author is involved in further customizing the product," a Malwarebytes spokesman said.

APKPure Compromised to Deliver Malware


APKPure, one of the biggest alternative application stores outside the Google Play Store, was tainted with malware this week, allowing threat actors to distribute Trojans to Android devices. In an incident similar to the one at German telecommunications equipment manufacturer Gigaset, APKPure client version 3.17.18 is said to have been altered so that malicious code embedded in the APKPure application tricks unsuspecting users into downloading and installing malicious applications. The development was reported by researchers from Doctor Web and Kaspersky.

“Doctor Web specialists have discovered a malicious functionality in APKPure—an official client application of popular third-party Android app store. The trojan built into it downloads and installs various apps, including other malware, without users’ permission.” reads a post published by Doctor Web. "This trojan belongs to the dangerous Android.Triada malware family capable of downloading, installing, and uninstalling software without users' permission," Doctor Web researchers added.

Triada was designed specifically to carry out financial fraud, typically by hijacking SMS-based financial transactions. The most intriguing trait of the Triada Trojan is its modular architecture, which theoretically gives it a wide range of capabilities.

According to Kaspersky, APKPure version 3.17.18 was altered to include an advertisement SDK that acts as a Trojan dropper designed to deliver other malware to a victim's device. "This component can do several things: show ads on the lock screen; open browser tabs; collect information about the device; and, most unpleasant of all, download other malware," Kaspersky's Igor Golovin said. In light of the findings, APKPure released a new version of the application (3.17.19) on April 9 that removes the malicious component. "Fixed a potential security problem, making APKPure safer to use," the developers behind the app distribution platform said in the release notes.

“If the user has a relatively recent version of the operating system, meaning Android 8 or higher, which doesn’t hand out root permissions willy-nilly, then it loads additional modules for the Triada Trojan. These modules, among other things, can buy premium subscriptions and download other malware. If the device is older, running Android 6 or 7, and without security updates installed (or in some cases not even released by the vendor), and thus more easily rootable, it could be the xHelper Trojan.” states Kaspersky.

Google Tricked Millions of Chrome Users in the Name of 'Privacy'


Google revealed last month that it is rolling out the Federated Learning of Cohorts (FLoC) program, an important part of its 'Privacy Sandbox Project' for Chrome. The company advertised FLoC as the latest privacy-preserving alternative to the third-party cookie in Google Chrome.

But the real question is whether Google can truly preserve the privacy of its users. The results of the FLoC trial do not suggest so. Millions of Chrome users had no control over their involvement in the FLoC trial, received no personal notification, and currently have no option to opt out of it. The only way to leave the trial is to block all third-party cookies in the Chrome browser.

What is the FLoC program? 

FLoC is based on machine learning technology designed by Google and is meant to be an alternative to the kind of cookies that advertising technology firms use today to track you across the web. Instead of a personally-identifiable cookie, FLoC runs locally and examines your browsing pattern to group you into a cohort of like-minded people with similar interests (and doesn’t share your browsing history with Google). That cohort is particular enough to permit advertisers to do their thing and show you relevant ads, but without being so specific as to allow marketers to spot you personally. 

This "interest-based trial," as Google likes to call it, allows you to hide within a crowd of users with similar interests. All the browser exposes is a cohort ID; your browsing history and other data stay local. Google has also started testing the FLoC cookie with some Chrome users, which lets it analyze the new system in an origin trial.

Last month's FLoC trial announcement gave Chrome users no way to opt out before the trial started. Instead, Google quietly began rolling out its FLoC technology to Chrome users in the US, Canada, Mexico, Australia, New Zealand, Brazil, India, Japan, Indonesia, and the Philippines.

"When other browsers started blocking third-party cookies by default, we were excited about the direction, but worried about the immediate impact. Excited because we need a more private web, and we know third-party cookies aren’t the long-term answer. Overall we felt that blocking third-party cookies outright without viable alternatives for the ecosystem was responsible and even harmful, to the open and free web we all enjoy,” Marshall Vale, Google’s product manager, stated.

Iran Natanz Nuclear Facility Struck by a Blackout Labelled as an Act of “Nuclear Terrorism”


On Sunday 11 April, just hours after Iran launched newly developed centrifuges that can enrich uranium faster, the underground nuclear facility at Natanz lost power. Iran labelled the blackout an act of "nuclear terrorism." It raised regional tensions on Sunday as world powers proceed with negotiations over Tehran's tattered nuclear deal.

This is the most recent incident amid negotiations with world powers over the troubled nuclear agreement. As Iranian officials examined the failure, several news organizations in Israel speculated that it was a cyber-attack. Although the reports did not cite a source for that assessment, the Israeli media have close ties with the country's military and intelligence agencies.

If Israel triggered the blackout, the strains between the two countries which were already involved in the shadow conflict over the wider Middle East would now be increased. The USA, Israel's primary security partner, has also been complicating attempts to re-enter the nuclear agreement to restrict Tehran so that a nuclear weapon couldn't be pursued if the US so wishes. U.S. Defence Secretary Lloyd Austin arrived in Israel on Sunday when reports about the blackout came up for talks with Netanyahu and Israeli Defence Minister Benny Gantz.

Behrouz Kamalvandi, spokesman for Iran's civilian nuclear program, told Iranian state TV that power at Natanz had been cut across the whole installation, including above-ground workshops and underground halls. “We still do not know the reason for this electricity outage and have to look into it further,” he said. “Fortunately, there was no casualty or damage and there is no particular contamination or problem.”

Malek Shariati Niasar, a Tehran-based lawmaker who serves as spokesman for the parliament's energy committee, wrote on Twitter that the incident seemed ‘very suspicious’ and added that lawmakers were seeking further information. The International Atomic Energy Agency in Vienna, which monitors the Iranian program, said it was "aware of the media reports" but did not elaborate.

Tehran has abandoned all limits on its uranium stockpile since President Donald Trump withdrew the USA from the nuclear agreement in 2018. It now enriches uranium to 20% purity, a technical step away from the 90% needed for weapons-grade material. Iran maintains that its nuclear program is peaceful.

Natanz was built largely underground to withstand enemy airstrikes. It became a flashpoint for Western fears about Iran's nuclear program in 2002, when satellite images showed Iran constructing the underground centrifuge plant at a site some 200 km south of Tehran. In July, Natanz's advanced centrifuge assembly plant suffered a mysterious explosion that officials later described as sabotage; Iran is now rebuilding that facility deep inside a nearby mountain.

Kan, Israel's public broadcaster, said Israel was probably behind the attack, citing Israel's presumed responsibility for the Stuxnet attack a decade ago. None of the reports, however, included a source or explained how that assessment was reached.

Yanbian Gang Malware Continues With Large-Scale Distribution and C2

Fake banking apps laced with malware remain a key ingredient in the success of many threat actors. For the Yanbian Gang, a criminal group based in Yanbian, China that targets organizations across Asia, it is a craft they have been honing for more than a decade.

Since 2013, the Yanbian Gang has targeted South Korean Android mobile banking customers with malicious Android apps impersonating major banks, including Shinhan Savings Bank, Saemaul Geumgo, Shinhan Finance, KB Kookmin Bank, and NH Savings Bank. RiskIQ's threat research team examined some of the group's most recent activity in this vector to document its malware of choice and the large-scale hosting infrastructure used to distribute and control it.

During their analysis of Yanbian Android apps, the researchers found hundreds of Korean-language apps across an extensive list of IP addresses. The apps are built to steal information from infected victims: loan application details, contacts, SMS messages, phone call details, call logs, and the list of applications installed on the device.

Since December 2020, RiskIQ's analysis has identified 377 individual samples of malicious Android apps developed and distributed by the Yanbian Gang. Many of these apps have multiple versions and set up services to run in the background of victim phones, both of which fit the Yanbian Gang's known method of operation. 

While these apps appear simple, they perform a variety of malicious actions without the victim's knowledge. Yanbian Gang actors obtain information not only about the victim but also about their contacts, installed applications, and even messages sent from the infected device. The apps also request a plethora of permissions that they can abuse for these purposes.
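The permission and component profile described above can be checked mechanically from an app's AndroidManifest.xml. The following is an added triage example (our code, not RiskIQ's tooling): the manifest is constructed to mimic a fake banking app of this kind, and the permission list, labels and scoring thresholds are our own heuristics.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that map to the data these apps steal and the persistence they use.
# The list and the labels are our own triage heuristics, not a vendor signature.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read stored SMS (banking one-time codes)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.READ_PHONE_STATE": "phone number, IMEI, call state",
    "android.permission.PROCESS_OUTGOING_CALLS": "observe or redirect outgoing calls",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart the background service after reboot",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of real banking apps",
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed apps",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded AndroidManifest.xml for the infostealer profile described above."""
    root = ET.fromstring(manifest_xml)
    perms = [e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission")]
    risky = [(p, RISKY_PERMISSIONS[p]) for p in perms if p in RISKY_PERMISSIONS]

    app = root.find("application")
    services = [s.get(ANDROID_NS + "name", "") for s in app.iter("service")] if app is not None else []
    receivers = list(app.iter("receiver")) if app is not None else []
    boot_receiver = any(
        action.get(ANDROID_NS + "name", "").endswith("BOOT_COMPLETED")
        for receiver in receivers
        for action in receiver.iter("action")
    )

    # Heuristic: several data-access permissions plus a service that survives reboot.
    score = len(risky) + (2 if boot_receiver and services else 0)
    if score >= 5:
        verdict = "likely infostealer"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "low"
    return {
        "package": root.get("package"),
        "risky": risky,
        "services": services,
        "boot_receiver": boot_receiver,
        "score": score,
        "verdict": verdict,
    }


# Constructed manifest imitating a fake banking app; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Bank">
        <activity android:name=".LoginActivity"/>
        <service android:name=".svc.CollectorService" android:exported="false"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"], "->", report["verdict"], f"(score {report['score']})")
    for perm, why in report["risky"]:
        print("  ", perm, "-", why)
```

On a real APK the manifest is stored as binary XML, so decode it first (apktool or androguard) and feed the text in. The score is a triage signal, not a verdict: a legitimate SMS client also asks for READ_SMS, which is why the rule weights the combination of data-access permissions with a boot-started background service, the pattern RiskIQ describes for this family.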

One finding was a set of references to various URL paths reached over HTTP at a specific IP address. The Yanbian Gang refers to these paths as "methods," and they serve as Command and Control (C2), letting the app register the device, report its capabilities, upload stolen information, and receive instructions from the specified C2 servers.

RiskIQ's researchers observed one sample communicating through only some of these "methods," most likely because their test device held little data and lacked some features. The communications were sent to the C2 server as encrypted HTTP POST and GET requests.

The Yanbian Gang continues to target South Korean users with malware, tactics, and targeting similar to those reported in 2015, but the group has evolved to separate its infrastructure by function and to switch hosting providers. According to RiskIQ, it actively runs web servers that host the lure and deliver the malicious applications, C2 servers, and servers running the Real-Time Messaging Protocol (RTMP) that receive call information.

Belden Says Health-Related Information Leaked in Cyberattack

Belden has discovered that additional information, relating to employees' medical benefits and the family members covered under their plans, was accessed and copied during the November 2020 cyberattack. Belden Incorporated is an American maker of networking, connectivity, and cable products. The company designs, manufactures and markets signal transmission products for demanding applications in the industrial automation, enterprise, security, transportation, infrastructure, and residential markets, and is one of the largest U.S.-based producers of high-speed electronic cables, used mainly in the industrial, enterprise, and broadcast markets.

At the time, Belden said the intruders may have copied some “personal information of current and former employees and limited company information regarding some business partners.” The company described the incident as a “sophisticated cyberattack”.

“Personal information accessed and stolen may have contained such information as names, birthdates, government-issued identification numbers (for example, social security / national insurance), bank account information of North American employees on Belden payroll, home addresses, email addresses, and other general employment-related information. Limited company information accessed and stolen related to some of our business partners include bank account data and, for U.S. partners, their taxpayer ID numbers,” the company said at the time.

In an update shared this week, Belden said further investigation revealed that the compromised servers also stored personal information on the spouses, dependents, and relatives of some employees. The company also confirmed that some health-related information was exposed.

“The health-related information that may have been compromised as part of this incident included individuals’ names, gender and benefits information, such as their UMI (member) number, group number, coverage category, primary source of coverage, the effective date of coverage, additional sources of coverages, the effective date of any additional coverage, their relationship to a Belden employee and other benefits information,” Belden said on Wednesday. “At this time we do not have reason to believe that any specific information related to any specific health conditions or diagnostic information was included in the incident,” it added. 

The company's investigation into the incident is ongoing, but it says it is confident the attackers have been locked out of its systems. Affected individuals are being notified and offered identity monitoring services.

Cybercriminals Used Facebook Ads to Lure Users into Installing the Fake Clubhouse App

The audio-only app Clubhouse has become hugely popular over the last few months, and attackers are now trading on that reputation with Facebook ads promoting a "Clubhouse for PC" that actually delivers malware. The lure works because no PC version of Clubhouse exists: anything offering one is fake.

Clubhouse has nearly 8 million downloads so far, so malware authors have been busy exploiting its rising popularity, building what they claim is a Clubhouse client for PCs and promoting it in Facebook ads to get users to download it.

According to a TechCrunch report, the fake app is riddled with links to malware. The lure also includes a screenshot of the fictitious desktop Clubhouse app as imagined by the threat actors. Once a user downloads and installs the malicious app, it contacts a command-and-control server to receive tasks; running the app inside a sandbox showed it attempting to infect the desktop with ransomware.

Each Facebook page posing as Clubhouse had only a handful of likes, but the ads were still running at the time of publication. When TechCrunch reached out to Facebook, the company did not say how many users had clicked the ads leading to the fake Clubhouse websites.

In total, nine ads were posted between Tuesday and Thursday this week. Most carried a similar tagline saying Clubhouse “is now available for PC”; another featured a photo of co-founders Paul Davidson and Rohan Seth. Clubhouse did not return a request for comment.

Fake advertisements appear on social media frequently and slip through the platforms' checks with ease, so users should treat every advertisement with caution. Social networks will take down fake ads once reported, but the user should also err on the side of caution before clicking an advert, and should research a product before downloading anything it offers. This incident is a reminder that no ad on a social media platform can be trusted on sight.

Bitcoin Touches the Peak at $60,000 – Everything you Need to Know!

On Saturday 13 March, Bitcoin, the world's largest cryptocurrency, climbed to a new all-time high. According to CoinDesk, it rose more than 2 percent to $60,065, above its previous peak of $58,330 on 21 February. At 12:34 GMT on 13 March it reached $60,197 and then held around $60,000, up almost 6 percent in the previous 24 hours alone. Ethereum, meanwhile, was 4.7 percent higher at $2,173.63.

Volatility in the crypto market has dropped after six consecutive months of double-digit returns on bitcoin (BTC), and analysts see signs that the outlook is shifting significantly.

Bitcoin first crossed $30,000 and then $40,000 within days of each other in January, and its market capitalization now exceeds $1 trillion. It fell back to $43,000 after the 21 February high amid uncertainty about stimulus prospects and their effect on US bond yields; stocks and cryptocurrencies declined together for about a week and then traded sideways for weeks before the rally resumed. Bitcoin, launched in 2009, had previously made headlines in 2017, when it rose from below $1,000 in January to close to $20,000 in December.

Saturday's record came after the $1.9 trillion stimulus bill signed on Thursday by US President Joe Biden, which provides most Americans with a $1,400 payment, supports the unemployed, funds public health and pays for vaccine programs. Kraken Intelligence notes that April is, on average, bitcoin's second-best month, so a higher close in April would extend the cryptocurrency's longest monthly winning streak since its inception.

Historical data show that both bitcoin and Ethereum usually post positive returns in the second quarter of the calendar year: since 2011 BTC has returned an aggregate 256 percent in Q2, and since 2016 ETH has averaged 141 percent.

Starting from bitcoin's end-of-March price of $58,786, a repeat of that 256 percent Q2 return would put the price around $209,000 on 1 July 2021, while a 39.5% Q2 return, the report's other average, would leave the world's largest cryptocurrency at roughly $82,000.

Meanwhile, bitcoin's steady climb through March took its volatility down almost 40 percentage points month-on-month to 63%, a three-month low. The calmer market also brought a roughly 5 percent drop in trading volumes, to around $255 billion.

Bitcoin's proponents hail it as "digital gold" and argue that it hedges the inflation risk created by the large central-bank and government stimulus packages aimed at countering the economic effects of the Covid-19 pandemic. Critics see the rally as a stimulus-powered bubble that will burst, as it did after the 2017-2018 boom.

New REvil Ransomware Version Automatically Logs Windows into Safe Mode

REvil keeps adding new tricks to its arsenal. The well-known ransomware has escalated its techniques again, this time changing the victim's Windows password so that the computer can be rebooted into Safe Mode and logged in automatically, with the encryptor then running in a mode where most security tools are not loaded.

While malicious groups are constantly upgrading their attack strategies in order to fight security measures, the threat actors behind the REvil ransomware are especially skilled at honing their malware in order to make their attack campaigns more effective.

Last month, security researcher R3MRUM found a new REvil sample that refines the recently added Safe Mode encryption method by changing the logged-on user's password and setting Windows to log in automatically on reboot. When run with the -smode argument, the ransomware changes the user's password to ‘DTrump4ever’.

It then sets the Registry values that make Windows log in automatically with the new credentials after the reboot. It is not yet known whether future REvil encryptor samples will keep using the ‘DTrump4ever' password, but at least two samples uploaded to VirusTotal in the last two days have done so.
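A detection angle, as an added example (our code, not from the researchers or the malware): Windows automatic logon is configured through the Winlogon registry key, so the staging the sample leaves behind is visible in `reg query` and `bcdedit` output before the reboot ever happens. The two outputs below are constructed; the password value echoes the one reported above, and the assumption is that the sample uses the standard AutoAdminLogon, DefaultUserName and DefaultPassword values, which is Windows' built-in mechanism for automatic logon.

```python
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed `reg query "<WINLOGON_KEY>"` output from a machine staged the way the
# sample above is described to stage it; not a real capture.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    jdoe
    DefaultDomainName    REG_SZ    WORKSTATION01
    DefaultPassword    REG_SZ    DTrump4ever
    Shell    REG_SZ    explorer.exe
"""

# Constructed `bcdedit /enum {current}` output with a Safe Mode boot queued.
SAMPLE_BCDEDIT = r"""
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.efi
description             Windows 10
safeboot                Network
"""

_REG_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text: str) -> dict:
    """Turn `reg query` text into {value_name: (type, data)}."""
    values = {}
    for line in text.splitlines():
        m = _REG_LINE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3).strip())
    return values


def autologon_findings(values: dict) -> list:
    """Flag automatic logon, and the cleartext credential it needs."""
    findings = []
    if values.get("AutoAdminLogon", ("", "0"))[1] == "1":
        user = values.get("DefaultUserName", ("", "?"))[1]
        findings.append(f"AutoAdminLogon enabled for '{user}'")
        if "DefaultPassword" in values:
            findings.append("DefaultPassword present: cleartext logon credential in Winlogon")
    return findings


def safeboot_findings(bcdedit_text: str) -> list:
    """Flag a Safe Mode boot queued in the boot configuration."""
    findings = []
    for line in bcdedit_text.splitlines():
        parts = line.split(None, 1)
        if parts and parts[0].lower() == "safeboot":
            findings.append("safeboot " + (parts[1].strip() if len(parts) > 1 else ""))
    return findings


def assess(reg_text: str, bcdedit_text: str) -> dict:
    """Autologon with a stored password AND a queued Safe Mode boot is the staging
    pattern described above, and very rarely legitimate on a workstation."""
    values = parse_reg_query(reg_text)
    findings = autologon_findings(values) + safeboot_findings(bcdedit_text)
    staged = (
        values.get("AutoAdminLogon", ("", "0"))[1] == "1"
        and "DefaultPassword" in values
        and any(f.startswith("safeboot") for f in findings)
    )
    return {"findings": findings, "safe_mode_autologon_staged": staged}


if __name__ == "__main__":
    result = assess(SAMPLE_REG_QUERY, SAMPLE_BCDEDIT)
    for f in result["findings"]:
        print("-", f)
    print("staged:", result["safe_mode_autologon_staged"])
```

Run both commands from an elevated prompt and feed the text in. A kiosk may legitimately use AutoAdminLogon, so treat the combination, ideally together with a fresh password reset (Security event 4724) on the same account, as the signal rather than either value alone; a Sysmon or EDR rule on writes to DefaultPassword and on bcdedit.exe setting safeboot catches the staging before the reboot.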

This latest strategy exemplifies how ransomware groups are actively refining their tactics in order to effectively encrypt users' devices and demand a ransom payment. 

Asteelflash, a leading French electronics manufacturing services (EMS) company, confirmed last week that it had been hit by a cybersecurity incident involving REvil. The attackers initially set the ransom at $12 million in Monero; when negotiations failed to reach agreement in time, they doubled the demand to $24 million and leaked a first sample of the exfiltrated files.

Acer, the computer manufacturer, was also hit by REvil, which demanded $50 million, possibly the largest ransom ever demanded.

REvil has also added pressure services: at no cost, the group or its affiliates will contact news media and the victim's business partners, using voice-scrambled VoIP calls, with information about the attack, and it offers DDoS (L3 and L7) as a paid extra.

Slack and Discord are Being Hijacked by Hackers to Distribute Malware

Several popular online collaboration tools, including Slack and Discord, are being hijacked by hackers to distribute malware, researchers have warned.

Cisco's security division, Talos, published new research on Wednesday showing how, over the course of the Covid-19 pandemic, collaboration tools like Slack and, even more commonly, Discord have become convenient mechanisms for cybercriminals. With growing frequency they are used to serve malware to victims in the form of a link that looks trustworthy. In other cases, hackers have built Discord into their malware to remotely control their code on infected machines and even to steal data from victims.

Cisco's researchers caution that none of the methods they found exploits an actual vulnerability in Slack or Discord, or even requires Slack or Discord to be installed on the victim's machine. Instead, they abuse some little-examined features of those platforms, together with their ubiquity and the trust that both users and system administrators have come to place in them.

"People are way more likely to do things like click a Discord link than they would have been in the past, because they’re used to seeing their friends and colleagues posting files to Discord and sending them a link," says Cisco Talos security researcher Nick Biasini. "Everybody’s using collaboration apps, everybody has some familiarity with them, and bad guys have noticed that they can abuse them." 

For data exfiltration, the Discord API has proven particularly effective: its webhook feature, originally intended for automated alerts, can carry arbitrary data, and malware often uses it to make sure stolen information reaches its destination.

“Webhooks are essentially a URL that a client can send a message to, which in turn posts that message to the specified channel — all without using the actual Discord application,” the researchers say. “The Discord domain helps attackers disguise the exfiltration of data by making it look like any other traffic coming across the network.”
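Because the webhook URL is the only fixed element in that traffic, it is also the thing to detect on. Below is an added example (our own, not Talos' detection content) that scans proxy log lines for POSTs to Discord and Slack webhook URLs; the log format and the four lines are constructed, and the severity rules are assumptions.

```python
import re

# Constructed proxy log format: ts src_ip method url "user_agent" bytes_sent
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d+)$')

# The last capturing group of each pattern is the secret part of the webhook URL.
WEBHOOK_PATTERNS = {
    "discord": re.compile(r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)"),
    "slack": re.compile(r"https?://hooks\.slack\.com/services/([\w/]+)"),
}
# Clients a human would plausibly be using (assumption for the severity rule).
CLIENT_UA = re.compile(r"^(Mozilla/|Discord/|Slack/)")
LARGE_POST = 10_000  # bytes; assumed threshold for "that is not a chat message"


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, ua, sent = m.groups()
    return {"ts": ts, "src": src, "method": method, "url": url, "ua": ua, "bytes_sent": int(sent)}


def redact_webhook(url: str, match) -> str:
    """Keep the webhook identity, drop the token so the alert itself does not leak a secret."""
    return url[:match.start(match.lastindex)] + "[REDACTED]"


def detect_webhook_exfil(lines) -> list:
    """Return one alert per POST to a Discord or Slack webhook URL."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        for platform, pattern in WEBHOOK_PATTERNS.items():
            m = pattern.search(rec["url"])
            if not m:
                continue
            severity = "medium"
            if not CLIENT_UA.match(rec["ua"]) or rec["bytes_sent"] >= LARGE_POST:
                severity = "high"       # scripted client or bulky payload: exfil, not chat
            alerts.append({
                "ts": rec["ts"], "src": rec["src"], "platform": platform,
                "severity": severity, "bytes_sent": rec["bytes_sent"],
                "ua": rec["ua"], "webhook": redact_webhook(rec["url"], m),
            })
    return alerts


# Constructed sample traffic: one Discord webhook upload from a script, one normal
# browser visit, one Slack webhook post from curl, one ordinary Discord client message.
SAMPLE_LOG = [
    '2021-04-08T10:15:02Z 10.0.0.21 POST https://discord.com/api/webhooks/812345678901234567/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789 "python-requests/2.25.1" 48213',
    '2021-04-08T10:15:09Z 10.0.0.34 GET https://discord.com/channels/@me "Mozilla/5.0 (Windows NT 10.0) Chrome/89.0" 512',
    '2021-04-08T10:16:11Z 10.0.0.21 POST https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX "curl/7.68.0" 1200',
    '2021-04-08T10:17:40Z 10.0.0.50 POST https://discord.com/api/v9/channels/123/messages "Discord/1.0.9001 Chrome/83.0" 800',
]

if __name__ == "__main__":
    for alert in detect_webhook_exfil(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["src"], alert["platform"], alert["webhook"], alert["bytes_sent"])
```

The rule only sees the URL when TLS is terminated at the proxy; otherwise fall back to DNS or SNI for discord.com and hooks.slack.com combined with bytes sent, which is why the byte count is part of the scoring. Two responder notes: keep the unredacted URL in the case file, because anyone holding a Discord webhook URL can delete the webhook with an HTTP DELETE to it, which cuts the exfiltration channel without touching the host, and the same URL is the pivot for finding other infected machines in the logs.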

As messaging applications grow in popularity, the threats will grow with them. Organizations should be aware of the risks and choose carefully which platform to use, the researchers concluded.

Cybersecurity experts warned of a possible attack on Russian accounts in May

DeviceLock, a company that combats data leaks, has warned that an attack on Russians' accounts is being prepared for the May holidays, after access to a mobile operator's switch was offered for sale on the darknet.

Specifically, in early March an offer appeared on the darknet to sell access to the switch of a mobile operator; a connection to it lets an attacker inject traffic into the SS7 signaling network, which carries the control traffic between mobile operators and can be used to intercept calls and SMS messages.

The sellers were asking $30,000 for the access, so the purchase only makes sense if a large-scale attack is being prepared, one capable of recouping the expense, the experts said.

"Since attackers usually need from two weeks to a month to prepare an attack of this type, it can be timed to May holidays, when most Russians will loosen control over their accounts and other financial assets," summarized Olesya Yarmolenko, general director of Smart Line Inc (DeviceLock systems manufacturer).

According to her, this operator most likely has a cooperation agreement with one or more Russian cellular service providers. DeviceLock's data also indicate that the access could have reached a buyer from the CIS countries in early April; because of the spread of online banking and relatively high account balances, Russia has always been the most attractive target for online fraudsters.

Sergey Nenakhov, head of the information security audit department at Infosecurity (a Softline company), explained that bank clients should switch two-factor authentication for critical services from SMS to push notifications, or use authenticator applications that generate one-time codes directly on the device itself.

VTB is reportedly aware of the risk of attacks on citizens through message interception, but the bank said its technical measures do not allow attackers to use the technique to gain access to clients' funds.

Representatives of the mobile operators did not respond to inquiries about the risks of attacks via SS7.

Zoom Security Flaw: Now Hackers Can Take Control Of Your PC, Wait For Patch

Zoom security issues have repeatedly troubled users worldwide. The Zoom video-conferencing app was little known before the pandemic; once working from home became necessary, its sudden popularity put it under scrutiny and Zoom added a series of security measures in response.

However, the measures taken a year ago have not closed every gap in users' protection.

Researchers have shown how an attacker could exploit a vulnerability to mount a remote code execution (RCE) attack and take control of the host PC. The two Computest security researchers, Daan Keuper and Thijs Alkemade, demonstrated the vulnerability at the Pwn2Own 2021 competition, organized by the Zero Day Initiative, and were awarded $200,000 for their findings.

How does this work?

First, the attacker must either belong to the same organizational domain as the target user or be accepted into the meeting by the host. Once in the meeting, the attacker chains three bugs to install a backdoor on the victim's PC and execute code remotely.

In other words, the threat actor gains access to your PC and can run commands on it remotely, which in turn gives access to your sensitive data.

What makes this especially dangerous is that the attack requires no action from the victim at all, so extra layers of security that can slow an attacker down are essential.

The exploit works against the Zoom client on Windows and macOS; the iOS and Android apps have not yet been tested, and the browser version is not affected.

Zoom has not yet shipped a fix and the technical details of the attack have not been made public; under Pwn2Own's disclosure rules, Zoom has 90 days to release a patch for its Mac and Windows clients. Until then, joining meetings through the browser client avoids the affected code.