Feed aggregator

Here's How to Ensure Your Incident Response Strategy is Ready for Holiday Hackers

The Hacker News - Tue, 11/22/2022 - 07:07
The best line of defense against holiday hacking schemes is a comprehensive incident response strategy that focuses on end-user vulnerabilities.  The holiday season is upon us and with it a slew of cybersecurity scams preying on end-user vulnerabilities. Because employees often use their business emails and cell phones as their primary point of contact, these scams quickly become a threat to
Categories: Cyber Security News

Two Estonian citizens arrested in $575M cryptocurrency fraud scheme

Security Affairs - Tue, 11/22/2022 - 05:56
Two Estonian citizens were arrested in Tallinn for allegedly running a $575 million cryptocurrency fraud scheme.

Two Estonian nationals were arrested in Tallinn, Estonia, after being indicted in the US for running a fraudulent cryptocurrency Ponzi scheme that caused more than $575 million in losses.

According to the indictment, Sergei Potapenko and Ivan Turõgin, both 37, allegedly defrauded hundreds of thousands of victims through a crypto Ponzi scheme. The duo used shell companies to launder the cash from the fraudulent activity and to buy real estate and luxury cars.

“They induced victims to enter into fraudulent equipment rental contracts with the defendants’ cryptocurrency mining service called HashFlare. They also caused victims to invest in a virtual currency bank called Polybius Bank.” reads the press release published by DoJ. “In reality, Polybius was never actually a bank, and never paid out the promised dividends. Victims paid more than $575 million to Potapenko and Turõgin’s companies.”

The defendants are accused of having defrauded victims between December 2013 and August 2019; they operated with other co-conspirators residing in Estonia, Belarus, and Switzerland.

Potapenko and Turõgin tricked investors into believing that HashFlare was a massive cryptocurrency mining operation: the victims were asked to pay to rent computing power and receive a proportional share of the cryptocurrencies mined. The bad news for the investors is that HashFlare did not have the virtual currency mining equipment it claimed to have.

According to the indictment, HashFlare’s equipment performed Bitcoin mining at a rate of less than one percent of the computing power it claimed to have.

When investors asked to withdraw their mining proceeds, the defendants either resisted making the payments or, in some cases, paid off the investors using virtual currency that was purchased on the open market.

HashFlare shut down its operations in 2019, but since May 2017 the duo had been offering investments in a company called Polybius, which they claimed would form a bank specializing in virtual currency.

“They promised to pay investors dividends from Polybius’s profits. The men raised at least $25 million in this scheme and transferred most of the money to other bank accounts and virtual currency wallets they controlled. Polybius never formed a bank or paid any dividends.” continues the DoJ.

According to the indictment, the defendants also conspired to launder their criminal proceeds through shell companies and phony contracts and invoices. The money laundering conspiracy involved “at least 75 real properties, six luxury vehicles, cryptocurrency wallets, and thousands of cryptocurrency mining machines.”

Potapenko and Turõgin are charged with conspiracy to commit wire fraud, 16 counts of wire fraud, and one count of conspiracy to commit money laundering. Both could face a maximum penalty of 20 years in prison.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cryptocurrency fraud scheme)

The post Two Estonian citizens arrested in $575M cryptocurrency fraud scheme appeared first on Security Affairs.

Categories: Cyber Security News

Luna Moth Gang Invests in Call Centers to Target Businesses with Callback Phishing Campaigns

The Hacker News - Tue, 11/22/2022 - 04:45
The Luna Moth campaign has extorted hundreds of thousands of dollars from several victims in the legal and retail sectors. The attacks are notable for employing a technique called callback phishing or telephone-oriented attack delivery (TOAD), wherein the victims are social engineered into making a phone call through phishing emails containing invoices and subscription-themed lures. Palo Alto
Categories: Cyber Security News

U.S. Authorities Seize Domains Used in 'Pig butchering' Cryptocurrency Scams

The Hacker News - Tue, 11/22/2022 - 04:10
The U.S. Justice Department (DoJ) on Monday announced the takedown of seven domain names in connection to a "pig butchering" cryptocurrency scam. The fraudulent scheme, which operated from May to August 2022, netted the actors over $10 million from five victims, the DoJ said. Pig butchering, also called Sha Zhu Pan, is a type of scam in which swindlers lure unsuspecting investors into sending
Categories: Cyber Security News

Emotet is back and delivers payloads like IcedID and Bumblebee

Security Affairs - Tue, 11/22/2022 - 03:39
The Emotet malware is back and experts warn of a high-volume malspam campaign delivering payloads like IcedID and Bumblebee.

Proofpoint researchers warn of the return of the Emotet malware: in early November the experts observed a high-volume malspam campaign delivering payloads like IcedID and Bumblebee.

The Emotet banking trojan has been active since at least 2014; the botnet is operated by a threat actor tracked as TA542.

The infamous banking trojan was also used to deliver other malicious code, such as the Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.

In April, the operators of the infamous Emotet botnet started testing new attack techniques in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default.

In June, Proofpoint experts spotted a new variant of the Emotet bot that uses a new module to steal credit card information stored in the Chrome web browser.

Over time, Emotet operators have enhanced their attack chain by employing multiple attack vectors to remain under the radar.

The Emotet operators remained inactive between July and November 2022.

Threat actors were spotted distributing hundreds of thousands of emails per day; this activity suggests Emotet is returning to its full functionality, acting as a delivery network for major malware families.

The experts noticed multiple changes to the bot and its payloads, and the operators introduced changes to the malware modules, loader, and packer. Below are the changes observed by Proofpoint:

  • New Excel attachment visual lures
  • Changes to the Emotet binary
  • IcedID loader dropped by Emotet is a light new version of the loader
  • Reports of Bumblebee dropped in addition to IcedID

“The volume of emails that Emotet sending bots attempt to deliver each day is in the hundreds of thousands. These numbers are comparable to historic averages. Hence, it does not appear that the Emotet botnet lost any significant spamming capability during the inactive period.” reads the report published by Proofpoint.

The wave of attacks observed by the security firm primarily targeted the U.S., the U.K., Japan, Germany, Italy, France, Spain, Mexico, and Brazil.

The emails observed in recent attacks typically used a weaponized Excel attachment or a password-protected zip attachment containing an Excel file inside. The Excel files contain XL4 macros that download the Emotet payload from several (typically four) built-in URLs.

The novelty of the Excel files used in recent campaigns is that they contain instructions for recipients to copy the file to a Microsoft Office Template location and run it from there instead. This location is “trusted,” which means that opening a document located in this folder will not display any warnings. 

“However, while moving a file to a template location, the operating system asks users to confirm and that administrator permissions are required to do such a move.” observed the experts. “It remains unclear how effective this technique is. While there is no longer a need for users to enable macros with an extra click, there is instead a need to perform a file move, acknowledge the dialog, and the user must have Administrator privileges.”

The Emotet variant employed in recent attacks supports new commands, has a new implementation of the communication loop, uses a new check-in packet format, and a new packer.

The current version of the bot supports 5 commands:

  • 1 – Update bot
  • 2 – Load module
  • 3 – Load executable
  • 4 – Load executable via regsvr32.exe
  • 16343 – invoke rundll32.exe with a randomly named DLL and the export PluginInit

The last two were added to the latest version of the botnet.

“Overall, these modifications made to the client indicate the developers are trying to deter researchers and reduce the number of fake or captive bots that exist within the botnet. The addition of commands related to IcedID and the widespread drop of a new IcedID loader might mean a change of ownership or at least the start of a relationship between IcedID and Emotet.” concludes the report.

Pierluigi Paganini

(SecurityAffairs – hacking, Moshen Dragon)

The post Emotet is back and delivers payloads like IcedID and Bumblebee appeared first on Security Affairs.

Categories: Cyber Security News

Expert published PoC exploit code for macOS sandbox escape flaw

Security Affairs - Mon, 11/21/2022 - 16:19
A researcher published details and proof-of-concept (PoC) code for a high-severity macOS sandbox escape vulnerability tracked as CVE-2022-26696.

Researcher Wojciech Reguła (@_r3ggi) of SecuRing published technical details and proof-of-concept (PoC) code for a macOS sandbox escape vulnerability tracked as CVE-2022-26696 (CVSS score of 7.8).

In a write-up, Reguła explained that the problem stems from a strange behavior he observed: a sandboxed macOS app could launch another application that would not inherit the main app’s sandbox profile.

“A sandboxed process may be able to circumvent sandbox restrictions.” reads the advisory published by Apple that addressed the flaw with improved environment sanitization.

According to ZDI, a remote attacker can trigger the flaw to escape the sandbox on vulnerable Apple macOS installs. ZDI pointed out that an attacker can exploit the bug only after first obtaining the ability to execute low-privileged code on the target system.

“This vulnerability allows remote attackers to escape the sandbox on affected installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.” reads the report published by ZDI. “The specific flaw exists within the handling of XPC messages in the LaunchServices component. A crafted message can trigger execution of a privileged operation. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the current user.”

The issue was reported to the vendor on December 22, 2021 and it was disclosed on August 15, 2022.

Reguła focused his analysis on an Objective-C method of Terminal.app.

“+[TTApplication isRunningInInstallEnvironment] will return YES when the __OSINSTALL_ENVIRONMENT environment variable was set.” wrote the expert. “So, when Terminal.app starts, some of the environment variables were not cleared when +[TTApplication isRunningInInstallEnvironment] returned YES. Great, with simple command injection I was able to execute code within the Terminal.app context without any sandbox!”

The expert was able to weaponize the flaw by embedding the exploit in a Word document and loading Mythic’s JXA payload.

“Executing code within the Terminal.app context can be really dangerous as it can also have some TCC permissions already granted.” Reguła explained.

Reguła shared a video PoC that demonstrates how to weaponize a Word document to escape the sandbox and execute code within the Terminal.

Pierluigi Paganini

(SecurityAffairs – hacking, macOS Sandbox Escape)

The post Expert published PoC exploit code for macOS sandbox escape flaw appeared first on Security Affairs.

Categories: Cyber Security News

Daixin Ransomware Gang Steals 5 Million AirAsia Passengers' and Employees' Data

The Hacker News - Mon, 11/21/2022 - 10:16
The cybercrime group called Daixin Team has leaked sample data belonging to AirAsia, a Malaysian low-cost airline, on its data leak portal. The development comes a little over a week after the company fell victim to a ransomware attack on November 11 and 12, per DataBreaches.net. The threat actors allegedly claim to have obtained the personal data associated with five million
Categories: Cyber Security News

Google won a lawsuit against the Glupteba botnet operators

Security Affairs - Mon, 11/21/2022 - 09:33
Google won a lawsuit filed against two Russian nationals involved in the operations of the Glupteba botnet.

This week, Google announced it has won a nearly year-long legal battle against the Glupteba botnet. Glupteba is a highly sophisticated botnet composed of millions of compromised Windows devices. Unlike other botnets, Glupteba leverages cryptocurrency blockchains as a command-and-control mechanism in an attempt to make it more resilient to takeover.

“This means that a conventional botnet can be disabled by taking the server at the hardcoded address offline. The Glupteba malware, however, instructs infected computers to look for the addresses of its C2 servers by referencing transactions associated with specific accounts on the Bitcoin blockchain. The blockchain is not controlled by any central authority, and each transaction is disseminated to and viewable by any user on the blockchain.” states the court order. “These features make the Glupteba botnet unusually resistant to disruption. If the botnet’s C2 servers are disabled, then its operators can simply set up new servers and broadcast their addresses on the blockchain.”

The IT giant won a lawsuit filed against two Russian nationals involved in the operations of the botnet; the court’s ruling sets an important legal precedent in the fight against cybercrime.

In December 2021, the company’s Threat Analysis Group (TAG) shared the actions it took to disrupt the operations of the Glupteba botnet and announced it had filed a case in the Southern District of New York against its operators.

“This week, we were pleased to see the end to a nearly year-long legal battle against the Glupteba botnet” reads the announcement published by Google. “We made the explicit decision to name the criminal actors behind Glupteba as defendants in the suit, to expose them and their various shell companies. This is not a common tactic, but we felt it was important to try and disrupt their ability to operate covertly online.”

The U.S. District Court issued monetary sanctions against both the Russian-based defendants and their US-based lawyer and required them to pay the legal fees to Google.

“In exchange, the Defendants would receive Google’s agreement not to report them to law enforcement, and a payment of $1 million per defendant, plus $110,000 in attorney’s fees. The Defendants stated that, although they do not currently have access to the private keys, Valtron would be willing to provide them with the private keys if the case were settled.” continues the court order.

The ruling is considered very important because it demonstrates that crooks can face monetary consequences for engaging in cybercriminal activities like this one.

“It is now clear that the Defendants appeared in this Court not to proceed in good faith to defend against Google’s claims but with the intent to abuse the court system and discovery rules to reap a profit from Google,” said Federal Judge Denise Cote in her decision Tuesday.

Google pointed out that Glupteba operators have resumed activity using platforms and IoT devices that are not operated by Google. However, the company confirmed that its operation caused a 78% reduction in the number of infected hosts.

“But there’s a lot more work to be done. Legal cases that expose the criminal elements behind these types of operations are just one tool that Google uses to protect our services and the people and businesses who use them.” concludes the announcement.

Pierluigi Paganini

(SecurityAffairs – hacking, Glupteba botnet)

The post Google won a lawsuit against the Glupteba botnet operators appeared first on Security Affairs.

Categories: Cyber Security News

Notorious Emotet Malware Returns With High-Volume Malspam Campaign

The Hacker News - Mon, 11/21/2022 - 09:24
The notorious Emotet malware has returned with renewed vigor as part of a high-volume malspam campaign designed to drop payloads like IcedID and Bumblebee. "Hundreds of thousands of emails per day" have been sent since early November 2022, enterprise security company Proofpoint said last week, adding, "the new activity suggests Emotet is returning to its full functionality acting as a delivery
Categories: Cyber Security News

Been Doing It The Same Way For Years? Think Again.

The Hacker News - Mon, 11/21/2022 - 08:00
As IT professionals, we all reach a certain point in our IT career where we realize that some of our everyday tasks are done the same way year
Categories: Cyber Security News

Google provides rules to detect tens of cracked versions of Cobalt Strike

Security Affairs - Mon, 11/21/2022 - 06:41
Researchers at Google Cloud identified 34 different hacked release versions of the Cobalt Strike tool in the wild.

Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. The Beacon includes a wealth of functionality for the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. 

Google Cloud researchers announced that they had discovered 34 different Cobalt Strike hacked release versions, with a total of 275 unique JAR files across these versions.

Google Cloud Threat Intelligence (GCTI) researchers developed a set of YARA rules to detect hacked variants in the wild with a high degree of accuracy. The researchers noticed that each Cobalt Strike version contains approximately 10 to 100 attack template binaries.

The experts were able to locate versions of the Cobalt Strike JAR file starting with version 1.44 (which was released in 2012) up to the latest version at the time of publishing the analysis, Cobalt Strike 4.7.

The researchers cataloged the stagers, templates, and beacons, including the XOR encodings used by Cobalt Strike since version 1.44.

GCTI noticed that the cracked versions of the post-exploitation tool used in attacks in the wild are not the latest versions from the vendor Fortra, but are typically at least one release version behind. For this reason, Google researchers focused on these versions.

“We focused on these versions by crafting hundreds of unique signatures that we integrated as a collection of community signatures available in VirusTotal.” states the report published by Google. “We also released these signatures as open source to cybersecurity vendors who are interested in deploying them within their own products, continuing our commitment to improving open source security across the industry.”

The activity conducted by Google aims at improving the detection of malicious activities involving hacked versions of the tool. It is important work that did not impact the legitimate versions of the tool used by penetration testers and “red teams”.

“We wanted to enable better detection of actions done by bad actors, and we needed a surgical approach to excise the bad versions while leaving the legitimate ones untouched. This required detecting the exact version of the Cobalt Strike component.” concludes the post. “By targeting only the non-current versions of the components, we can leave the most recent versions alone, the version that paying customers are using.”

Pierluigi Paganini

(SecurityAffairs – hacking, cybersecurity)

The post Google provides rules to detect tens of cracked versions of Cobalt Strike appeared first on Security Affairs.

Categories: Cyber Security News

Security Basics: How to keep your child safe online – a guide for parents, part 2

ZaufanaTrzeciaStrona.pl - Mon, 11/21/2022 - 05:09

We are probably not wrong in saying that children use smartphones as often as adults do. In today’s article we show step by step how Google Family Link can help protect them from online threats.

The Microsoft Family Safety tool described in the previous installment may work well on Windows computers and laptops, but it does not deliver on its promises regarding the monitoring of children’s smartphones and tablets.… Read more

The post Security Basics: How to keep your child safe online – a guide for parents, part 2 first appeared on Zaufana Trzecia Strona.

Google Wins Lawsuit Against Russians Linked to Blockchain-based Glupteba Botnet

The Hacker News - Mon, 11/21/2022 - 05:02
Google has won a lawsuit filed against two Russian nationals in connection with the operation of a botnet called Glupteba, the company said last week. The U.S. District Court for the Southern District of New York imposed monetary sanctions against the defendants and their U.S.-based legal counsel. The defendants have also been asked to pay Google's attorney fees. The defendants' move to press
Categories: Cyber Security News

Octocrypt, Alice, and AXLocker Ransomware, new threats in the wild

Security Affairs - Mon, 11/21/2022 - 03:31
Experts from Cyble Research and Intelligence Labs (CRIL) discovered three new ransomware families: AXLocker, Octocrypt, and Alice Ransomware.

Threat intelligence firm Cyble announced the discovery of three new ransomware families named AXLocker, Octocrypt, and Alice Ransomware.

The AXLocker ransomware encrypts victims’ files and steals Discord tokens from the infected machine. The analysis of the code revealed that the startencryption() function implements the capability to search files by enumerating the available directories on the C:\ drive. The malware only targets specific file extensions and excludes a list of directories from the encryption process.

The AXLocker ransomware uses the AES encryption algorithm to encrypt files; unlike other ransomware, it does not change the name or extension of the encrypted files.

“After encrypting the victim’s files, the ransomware collects and sends sensitive information such as Computer name, Username, Machine IP address, System UUID, and Discord tokens to TA.” reads the analysis published by Cyble.

The malware uses regex to find the Discord tokens in the local storage files, then sends them to the Discord server along with other information.

Once the ransomware has encrypted the files, it shows a pop-up window that contains a ransom note with instructions to contact the operators. The ransom note doesn’t include the amount demanded from the victims to recover their files.

Cyble also discovered a new ransomware strain dubbed Octocrypt; it is written in Golang and its operators are adopting the Ransomware-as-a-Service (RaaS) business model. The malware appeared in the threat landscape around October 2022 and is offered for USD 400.

“The Octocrypt web panel builder interface allows TAs to generate ransomware binary executables by entering options such as API URL, Crypto address, Crypto amount, and Contact email address.” continues Cyble.

The third ransomware strain discovered by Cyble dubbed “Alice” is also offered as a Ransomware-as-a-Service (RaaS).

Pierluigi Paganini

(SecurityAffairs – hacking, AXLocker ransomware)

The post Octocrypt, Alice, and AXLocker Ransomware, new threats in the wild appeared first on Security Affairs.

Categories: Cyber Security News

Google Identifies 34 Cracked Versions of Popular Cobalt Strike Hacking Toolkit in the Wild

The Hacker News - Mon, 11/21/2022 - 00:42
Google Cloud last week disclosed that it identified 34 different hacked release versions of the Cobalt Strike tool in the wild, the earliest of which shipped in November 2012. The versions, spanning 1.44 to 4.7, add up to a total of 275 unique JAR files, according to findings from the Google Cloud Threat Intelligence (GCTI) team. The latest version of Cobalt Strike is version 4.7.2. Cobalt
Categories: Cyber Security News

Security Affairs newsletter Round 394

Security Affairs - Sun, 11/20/2022 - 16:55
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you also want to receive the free newsletter with international press coverage, subscribe here.

  • DEV-0569 group uses Google Ads to distribute Royal Ransomware
  • Black Friday and Cyber Monday, crooks are already at work
  • New improved versions of LodaRAT spotted in the wild
  • Atlassian fixed 2 critical flaws in Crowd and Bitbucket products
  • Hive Ransomware extorted over $100M in ransom payments from over 1,300 companies
  • Ongoing supply chain attack targets Python developers with WASP Stealer
  • China-based Fangxiao group behind a long-running phishing campaign
  • Two public schools in Michigan hit by a ransomware attack
  • Magento and Adobe Commerce websites under attack
  • Tank, the leader of the Zeus cybercrime gang, was arrested by the Swiss police
  • Iran-linked threat actors compromise US Federal Network
  • F5 fixed 2 high-severity Remote Code Execution bugs in its products
  • Lazarus APT uses DTrack backdoor in attacks against LATAM and European orgs
  • New RapperBot Campaign targets game servers with DDoS attacks
  • Beginning 2023 Google plans to rollout the initial Privacy Sandbox Beta
  • Happy birthday Security Affairs … 11 years together!
  • Experts found critical RCE in Spotify’s Backstage
  • Experts revealed details of critical SQLi and access issues in Zendesk Explore
  • China-linked APT Billbug breached a certificate authority in Asia
  • Previously undetected Earth Longzhi APT group is a subgroup of APT41
  • Avast details Worok espionage group’s compromise chain
  • Massive Black hat SEO campaign used +15K WordPress sites
  • KmsdBot, a new evasive bot for cryptomining activity and DDoS attacks
  • CERT-UA warns of multiple Somnia ransomware attacks against organizations in Ukraine
  • Have board directors any liability for a cyberattack against their company?
  • Ukraine Police dismantled a transnational fraud group that made €200 million per year
  • Lockbit gang leaked data stolen from global high-tech giant Thales

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 394 appeared first on Security Affairs.

Categories: Cyber Security News

DEV-0569 group uses Google Ads to distribute Royal Ransomware

Security Affairs - Sat, 11/19/2022 - 14:27
Microsoft warns that a threat actor, tracked as DEV-0569, is using Google Ads to distribute the recently discovered Royal ransomware.

Researchers from the Microsoft Security Threat Intelligence team warned that a threat actor, tracked as DEV-0569, is using Google Ads to distribute various payloads, including the recently discovered Royal ransomware.

The DEV-0569 group carries out malvertising campaigns to spread links to a signed malware downloader posing as software installers or fake updates embedded in spam messages, fake forum pages, and blog comments.

“The malicious files, which are malware downloaders known as BATLOADER, pose as installers or updates for legitimate applications like Microsoft Teams or Zoom.” reads the report published by Microsoft. “When launched, BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts to aid in disabling security solutions and lead to the delivery of various encrypted malware payloads that is decrypted and launched with PowerShell commands.”

DEV-0569 relies heavily on defense evasion techniques and employed the open-source tool Nsudo to disable antivirus solutions in recent campaigns.

The downloader, tracked as BATLOADER, shares similarities with another malware called ZLoader.

From August to October 2022, DEV-0569 attempted to spread BATLOADER via malicious links in phishing emails, posing as legitimate installers for multiple popular applications, including TeamViewer, Adobe Flash Player, Zoom, and AnyDesk.

The BATLOADER was hosted on domains created by the group to appear as legitimate software download sites (i.e. anydeskos[.]com) and on legitimate repositories like GitHub and OneDrive.

The attackers also used file formats like Virtual Hard Disk (VHD) posing as legitimate software. The VHDs also contain malicious scripts used to download DEV-0569’s payloads.

“DEV-0569 has used varied infection chains using PowerShell and batch scripts that ultimately led to the download of malware payloads like information stealers or a legitimate remote management tool used for persistence on the network,” continues the report. “The management tool can also be an access point for the staging and spread of ransomware.”

In late October 2022, Microsoft observed a malvertising campaign leveraging Google Ads that pointed to Keitaro, a legitimate traffic distribution system (TDS) that lets advertisers customize campaigns by tracking ad traffic and filtering on user or device attributes. The TDS redirected the visitor either to a legitimate download site or, under certain conditions, to the site hosting BATLOADER.

DEV-0569 used Keitaro’s filtering to deliver the payloads only to specified IP ranges and targets, and to avoid IP ranges known to belong to sandboxing solutions.

This further positions the group to serve as an initial access broker for other ransomware operations, joining the likes of Emotet, IcedID, and Qakbot.

“Since DEV-0569’s phishing scheme abuses legitimate services, organizations can also leverage mail flow rules to capture suspicious keywords or review broad exceptions, such as those related to IP ranges and domain-level allow lists.” concludes the IT giant. “Enabling Safe Links for emails, Microsoft Teams, and Office Apps can also help address this threat.”
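The behaviours described above (an MSI Custom Action launching PowerShell, NSudo used to disable Defender, scripts run from a mounted VHD) are all visible in process-creation telemetry. The following is an added example, not code from Microsoft’s report or from Security Affairs: it replays a handful of constructed process-creation events and flags the ones matching those patterns. The event fields, file paths, command lines and rule names are assumptions made for this example; the base64 blob is a placeholder, not a real payload.

```python
# Added example (not code from Microsoft's report or from Security Affairs):
# replays constructed process-creation events and flags the DEV-0569 /
# BATLOADER behaviours described above. The event fields, paths and
# command lines are assumptions made for this example, not real telemetry.
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str   # command line of the new process


# Script hosts an MSI Custom Action or a dropper would launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Commands that stop or reconfigure Microsoft Defender-related services.
TAMPER = re.compile(
    r"(sc(\.exe)?\s+(stop|delete|config)\s+\S*(defend|sense|mpssvc)"
    r"|set-mppreference\s+-disable"
    r"|taskkill\s+.*(msmpeng|mssense)"
    r"|net\s+stop\s+\S*defend)", re.I)

# PowerShell started with an encoded command of at least 20 base64 chars.
ENCODED_PS = re.compile(
    r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)

# A script (.bat/.cmd/.ps1/.vbs/.js) executed from a non-system drive
# letter, which is where a user-mounted VHD shows up.
SCRIPT_ON_OTHER_DRIVE = re.compile(
    r"[\"']?([D-Z]):\\[^\"'\s]*\.(bat|cmd|ps1|vbs|js)\b", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev: ProcessEvent) -> list[str]:
    """Return the names of every rule the event matches, in rule order."""
    parent, child, cl = _basename(ev.parent_image), _basename(ev.image), ev.command_line
    hits = []
    # MSI Custom Action launching a script host (BATLOADER's first stage).
    if parent == "msiexec.exe" and child in SCRIPT_HOSTS:
        hits.append("msi_custom_action_script")
    # NSudo being run at all is unusual on a workstation.
    if "nsudo" in child or re.search(r"\bnsudo", cl, re.I):
        hits.append("nsudo_execution")
    if TAMPER.search(cl):
        hits.append("security_tamper_command")
    if child in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(cl):
        hits.append("encoded_powershell")
    # Weak on its own: also fires for USB sticks, so pair it with other hits.
    if (parent == "explorer.exe" and child in SCRIPT_HOSTS
            and SCRIPT_ON_OTHER_DRIVE.search(cl)):
        hits.append("script_from_mounted_volume")
    return hits


def scan(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map the index of every suspicious event to the rules it tripped."""
    findings = {}
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -ep bypass -enc "
                 "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\ProgramData\NSudo.exe",
                 "NSudo.exe -U:T -P:E cmd /c sc stop WinDefend"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "E:\setup.bat"'),   # E: is a mounted VHD in this scenario
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"C:\Program Files\Zoom\bin\Zoom.exe",
                 "Zoom.exe --install"),           # benign installer, should not fire
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line[:60], "->", ", ".join(rules))
```

The msiexec-to-PowerShell rule is the one worth keeping as a standing detection: legitimate installers rarely spawn an encoded, hidden PowerShell. The mounted-volume rule alone is noisy and is only useful when correlated with the others or with a preceding VHD mount event.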

Follow me on Twitter: @securityaffairs and Facebook and Mastodon


Pierluigi Paganini

(SecurityAffairs – hacking, DEV-0569)

The post DEV-0569 group uses Google Ads to distribute Royal Ransomware appeared first on Security Affairs.

Categories: Cyber Security News

Weekendowa Lektura: episode 494 [2022-11-19]. Take and read

ZaufanaTrzeciaStrona.pl - Sat, 11/19/2022 - 13:56

Welcome to a new edition of Weekendowa Lektura. Descriptions of new attacks, details of freshly discovered vulnerabilities, analyses of recently identified malware: everyone will find something for themselves. Happy reading.

In today’s edition we particularly recommend, in the feature section, the results of an experiment that tested whether YouTube’s content recommendation algorithm can be effectively influenced (item 2), a free e-book surveying the attacks that took place in 2020-2022 (item 6), and the story of a former Russian spy who fled to a NATO country and was caught there (item 10).… Read more

The post Weekendowa Lektura: episode 494 [2022-11-19]. Take and read first appeared on Zaufana Trzecia Strona.

Black Friday and Cyber Monday, crooks are already at work

Security Affairs - Sat, 11/19/2022 - 10:56
Every year around Black Friday and Cyber Monday, crooks exploit users’ bad habits with fraudulent schemes.

Researchers at Bitdefender Antispam Lab analyzed, over the past weeks, the fraudulent activity associated with Black Friday and Cyber Monday.

The experts noticed that, between October 26 and November 6, the share of unsolicited Black Friday emails peaked on Nov 9, when such messages reached 26% of all Black Friday-related traffic.

They also pointed out that the majority (56%) of all Black Friday spam received in the same period, by volume, was classified as a scam.

Approximately one in four Black Friday spam emails (by volume) targeted users in the US (27%), followed by Ireland (24%). Most Black Friday-related spam (49%) originated from IP addresses in the US, followed by Germany (16%).

The malicious messages used various subjects in an attempt to trick the recipients into visiting the bogus websites to receive huge discounts.

Below are some of the subject lines observed by Bitdefender:

  • black friday sale louis vuitton bags up to 86 off shop online now
  • black friday ray ban oakley costa sunglasses up to 90 off shop online now
  • cyber monday starts now but only for you
  • 25 nov 2022 is black Friday
  • Claim Your $500 Home Depot Gift Card Now!
  • claim your 100 walmart reward just in time for black Friday
  • profitezvite de nosoffresspéciale (aimed at French-speaking shoppers)
  • richiedi un prestito per te 200 di buoni  in regalo (aimed at Italian shoppers)
  • black friday sale 70 rabatt auf sofort (aimed at German shoppers)

The report details some of the Black Friday scams analyzed by the experts, such as the Louis Vuitton and Ray-Ban sale scams, in which the scammers offered impressive discounts on purchases from fake shops.

Other campaigns observed by the experts invited recipients to claim gift cards from popular retailers like Home Depot.

In this case, the spam messages include links to fake online survey pages that have nothing to do with the retailer’s gift card.

Once the recipients have completed the survey (even if they answer every question wrongly), they are directed to another page where they can choose their ‘prize.’ They then have to pay for shipping by providing personal and financial data.

“We scored an iPhone 13, though. The displayed page uses the recipients’ IP address to display a localized version of the scam – in our case Romania.  We need to pay 15 RON (roughly 3.06 USD) for shipping and enter our name and address.” continues the report. “After entering our shipping details, we were prompted to enter our payment information, including cc number and CVV code.”

Researchers also spotted fake PayPal and Amazon vouchers worth 1,000 euros used in campaigns aimed at German users. In these campaigns, recipients are urged to enter personally identifiable information and confirm their email addresses; the attackers then send malicious links to the email addresses the users provided.

Below are the recommendations provided by Bitdefender:

  • Always check the sender’s email address and look for typos
  • Never interact with unsolicited giveaway correspondence
  • Shop on legitimate websites you already know
  • Research any new vendor
  • Never access links or attachments you receive from unknown sources – Use a Bitdefender security solution to fend off scam and phishing links
  • Add an extra layer of security and privacy to your device when shopping this Black Friday with Bitdefender Premium Security.  With anti-phishing and advanced threat protection to block nasty internet threats, ransomware protection, VPN for safe shopping, and a dedicated Password Manager, you can steer clear of malicious attacks and protect your data
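The subject lines listed above share a few obvious tells (an “up to N off” discount, a “claim your … gift card/reward” lure, “only for you” urgency), and the first recommendation is to check the sender’s address for typos. The following is an added example, not Bitdefender’s or Security Affairs’ code, that turns both into a small triage heuristic: it scores a message’s subject against those patterns and checks the sender domain for lookalikes of impersonated brands. The brand list, confusable map, weights, threshold and the invented sender domains in the sample messages are assumptions made for this example; the subjects are the ones listed above.

```python
# Added example (not Bitdefender's or Security Affairs' code): heuristic
# triage of holiday-sale e-mail. Subject patterns are derived from the
# subject lines listed above; the brand list, confusable map, weights,
# threshold and sample messages are assumptions made for this example.
from __future__ import annotations

import re
import unicodedata
from difflib import SequenceMatcher

# Brands the scams above impersonate, by their real sending domains (assumed).
KNOWN_BRANDS = ("amazon.com", "homedepot.com", "louisvuitton.com",
                "paypal.com", "ray-ban.com", "walmart.com")

# (rule name, pattern, weight). Weights are arbitrary choices for the example.
SUBJECT_RULES = [
    ("deep_discount",
     re.compile(r"\bup to \d{2,3}\s*%?\s*off\b|\b\d{2,3}\s*(%|rabatt)\b", re.I), 2),
    ("claim_gift",
     re.compile(r"\bclaim your\b.*\b(gift card|reward|voucher)\b", re.I), 3),
    ("urgency_personal",
     re.compile(r"\bonly for you\b|\bstarts now\b|\bjust in time\b", re.I), 1),
    ("luxury_brand",
     re.compile(r"\b(louis vuitton|ray ban|oakley|costa)\b", re.I), 1),
]

# Characters scammers swap into a brand name so it still reads the same.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "7": "t", "@": "a", "$": "s"})


def normalize_domain(domain: str) -> str:
    """Fold accents and common confusables so paypa1 and walrnart compare equal
    to paypal and walmart. Only used for comparison, never shown to users."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    return d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def sender_verdict(sender_domain: str) -> str:
    sd = sender_domain.lower()
    if sd in KNOWN_BRANDS:
        return "known_brand"
    nd = normalize_domain(sd)
    for brand in KNOWN_BRANDS:
        nb = normalize_domain(brand)
        if nd == nb or SequenceMatcher(None, nd, nb).ratio() >= 0.9:
            return f"lookalike_of:{brand}"
        if brand.split(".")[0] in sd:   # e.g. homedepot-rewards.com
            return f"brand_in_other_domain:{brand}"
    return "unrelated"


def score_message(sender_domain: str, subject: str) -> tuple[int, list[str]]:
    score, reasons = 0, []
    for name, pattern, weight in SUBJECT_RULES:
        if pattern.search(subject):
            score += weight
            reasons.append(name)
    verdict = sender_verdict(sender_domain)
    if verdict.startswith(("lookalike_of:", "brand_in_other_domain:")):
        score += 3
        reasons.append(verdict)
    elif verdict == "unrelated" and ("luxury_brand" in reasons or "claim_gift" in reasons):
        score += 1   # a brand is named, but the mail comes from nowhere near it
        reasons.append("brand_sender_mismatch")
    return score, reasons


def triage(messages, threshold: int = 3):
    """Return (sender, score, reasons) for every message at or above threshold."""
    flagged = []
    for sender, subject in messages:
        score, reasons = score_message(sender, subject)
        if score >= threshold:
            flagged.append((sender, score, reasons))
    return flagged


# Constructed sample messages: sender domains are invented, subjects are the
# ones listed above.
SAMPLE_MESSAGES = [
    ("lv-outlet-sale.top", "black friday sale louis vuitton bags up to 86 off shop online now"),
    ("paypa1.com", "Claim Your $500 Home Depot Gift Card Now!"),
    ("walrnart.com", "claim your 100 walmart reward just in time for black Friday"),
    ("newsletter.example-shop.de", "black friday sale 70 rabatt auf sofort"),
    ("homedepot.com", "Your order has shipped"),
]

if __name__ == "__main__":
    for sender, score, reasons in triage(SAMPLE_MESSAGES):
        print(f"{score:2d} {sender:28s} {', '.join(reasons)}")
```

Note that the German “70 rabatt” subject scores only 2 on subject patterns alone and is not flagged at the default threshold: a subject-line heuristic is a weak signal by itself, and in a real mail filter it would be combined with sender reputation, authentication results (SPF/DKIM/DMARC) and URL analysis.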

The experts also published a guide to secure holiday shopping.

Safe shopping everyone!


Pierluigi Paganini

(SecurityAffairs – hacking, scam)

The post Black Friday and Cyber Monday, crooks are already at work appeared first on Security Affairs.

Categories: Cyber Security News

Partial Same Origin Policy bypass in Chromium, or “Google Roulette”

Sekurak.pl - Sat, 11/19/2022 - 08:48

Imagine you visit some website, e.g. developers.google.com, and it asks you to open the JavaScript console in your browser and call the function magic(). Would you do it? Of course, that function may have access to everything within the https://developers.google.com origin, but it should not have access to data from other domains. Or maybe it does...

The article Partial Same Origin Policy bypass in Chromium, or “Google Roulette” comes from the Sekurak site.
