Daft name, serious risk: Kit from ActionTec and Sagemcom remotely ruined and required replacement.

The post ‘Pumpkin Eclipse’ — 600,000+ Rural ISP Routers Bricked Beyond Repair appeared first on Security Boulevard.

As per recent reports a new social engineering attack attributed to the North Korea-linked Kimsuky hacking group is targeting human rights activists using fake Facebook accounts. This tactic, involving fictitious identities, marks a significant shift from their typical email-based spear-phishing strategies. According to a report by South Korean cybersecurity firm Genians, the attackers pose as […]

The post Alert: Kimsuky Hacking Group Targets Human Rights Activists appeared first on TuxCare.

The post Alert: Kimsuky Hacking Group Targets Human Rights Activists appeared first on Security Boulevard.

Is your website vulnerable to web-automated attacks? Learn how AI can help protect your business and customers from the growing threat of cybercrime.

The post From Phishing to Fraud: How AI Can Safeguard Your Customers appeared first on Security Boulevard.

The U.S. Treasury Department sanctioned three Chinese nationals on Tuesday for their alleged involvement in operating the 911 S5 proxy botnet widely used for fraudulent activities, including credit card theft and Coronavirus Aid, Relief, and Economic Security program frauds. The sanctions are aimed at curbing the operations linked to the botnet, which caused major financial losses amounting to "billions" of dollars to the U.S. government.

The Rise and Demise of 911 S5 Botnet

The botnet in question played a critical role in executing numerous fraudulent schemes through stolen residential IP addresses.

"The 911 S5 botnet compromised approximately 19 million IP addresses and facilitated the submission of tens of thousands of fraudulent applications related to the Coronavirus Aid, Relief, and Economic Security Act programs by its users, resulting in the loss of billions of dollars to the U.S. government."

911 S5 is a residential proxy botnet that allows its paying users, often cybercriminals, to select the IP addresses they can use to connect to the internet using intermediary, internet-connected computers that have been compromised without the computer owners’ knowledge. 911 S5 essentially enables cybercriminals to conceal their originating location, effectively defeating fraud detection systems, the U.S. Treasury explained. The 911 S5 botnet was also implicated in a series of bomb threats made in July 2022, according to the Treasury. Investigators found links of IP addresses within the proxy botnet network being used in this incident. The network was connected to 911 S5, a residential proxy service that allowed users to mask their IP addresses by routing their web activity through compromised devices. The 911 S5 service went offline in July 2022, following a purported hacking incident that damaged essential data. The disruption was reported by independent journalist Brian Krebs. Despite its shutdown, the impacts of its previous operations continued to reverberate, leading to the current sanctions.

The Individuals and Businesses Sanctioned

The sanctioned individuals include Yunhe Wang, allegedly the administrator of the botnet; Jingping Liu, accused of laundering proceeds for Wang; and Yanni Zheng, who reportedly acted as power of attorney for Wang and facilitated business transactions on his behalf through the company Spicy Code Company Limited. The men are believed to reside in Singapore and Thailand, countries that were acknowledged as partners in the sanctions announcement. Three businesses registered in Thailand were also sanctioned for their connections to Wang. These sanctions require that any property and interests owned by the three men within the U.S. be reported to the Treasury, and prohibit U.S. citizens or residents from engaging in business with them. Only these three individuals and the businesses implicated in their fraudulent schemes were sanctioned by the Treasury, but no indictments or legal actions were revealed by the U.S. Department of Justice (DOJ), as is the case in many other instances.

Broader Ongoing Cybersecurity Concerns

The sanctions against these individuals are part of a broader effort by the U.S. government to address cybersecurity threats linked to state-sponsored hacking groups. Google-owned cybersecurity firm Mandiant warned last week that Chinese state hackers are increasingly using vast proxy server networks, built from compromised online devices and virtual private servers, to evade detection during their cyberespionage campaigns. In January, the DOJ announced the takedown of a botnet associated with Volt Typhoon, a hacking group with ties to the Chinese government. This group was known for infecting home and office routers with malware to obscure its hacking activities. The concerted actions by U.S. authorities and private defenders highlight the ongoing challenges and complexities in combating cybercrime and protecting critical financial and infrastructural systems from sophisticated malicious actors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Cyber attack tactics are evolving, according to a new report, from advanced campaigns to exploiting weaknesses, and cybersecurity teams should be optimally employed.

The post HP Report Surfaces Shifts in Cyber Attack Tactics appeared first on Security Boulevard.

AttackIQ has released two new attack graphs that seek to emulate the Tactics, Techniques and Procedures (TTPs) associated with and exhibited by the open-source Remote Access Trojan AsyncRAT during its activities in 2023.

The post Emulating the Open-Source Remote Access Trojan (RAT) AsyncRAT appeared first on AttackIQ.

The post Emulating the Open-Source Remote Access Trojan (RAT) AsyncRAT appeared first on Security Boulevard.

Online shopping has become a go-to method of purchasing for many people now, especially after lockdowns and easy accessibility to global stores. However, all the fun benefits of deals, discount codes, and door-step deliveries, mean a plethora of cybersecurity issues for safe online shopping.  Here is a list of ways that you can ensure you stay protected and secure when participating in safe online shopping. Some may be obvious, but are incredibly effective, nonetheless. Keep reading to find out how you can keep having fun shopping online while also reducing your vulnerability to attacks and hacks.  

10 Tips for Safe Online Shopping

1. Safe passwords 

Ensuring that your password is unique and strong is essential. Refraining from using obvious words in relation to you like your name or personal information isn’t the way to go! Ensuring the use of multiple different types of characters such as (@#_$%!&), along with not using the same passwords regularly on different sites is recommended. Changing passwords on individual sites also helps as it allows for less easily guessed instances.  

2. Debit cards over credit cards 

It’s recommended that when it comes to safe online shopping, using payment gateways like PayPal, Venmo, or Stripe is better. Other than those, credit cards should be preferred over debit as debit cards are linked to your bank account whilst credit cards can be protected better. Debit cards create higher risk events of personal and sensitive data being obtained.  

3. Enable multi-factor authentication 

Multi-factor authentication is an added utility which means that there is another safety layer added before anyone can access your account after knowing your username or password.  Multi-factor authentication protects in 3 layers: first your passwords, or then something personal to only you like your fingerprint, or facial recognition. The 3rd way is through MFA apps, or getting a code sent through your messages or your email, to make sure you can do safe online shopping and the purchase you’re making is actually coming from you.

4. Check bank statements 

  This one is much simpler. Turning on automatic payment notifications to track every payment made will help you track when your money was spent and if it has gone somewhere genuine. If the charge seems fraudulent, you can then take the necessary steps to contact your bank and have them pause or shut your card so that further fraudulent purchases can be stopped.  

5. Wi-Fi: Make sure it’s at home or secure instead of publicly available 

When not using your own Wi-Fi, ensure you’re using secure, private networks for safe online shopping. Public Wi-Fi networks are much easier to access for scammers as poorly protected connections allow any information you find, very easily retrievable for them. This is especially dangerous if the public Wi-Fi network you’re using is at a mall while you try to access banking or payment sites for any purchases you will be making. 

6. Use secure websites 

The key to safe online shopping is to use a secure website.  The padlock icon near the URL and the URL itself starting with HTTPS means you’re on the right track- The S in the end stands for secure. If that final S isn’t visible, it means that you’re dealing with a site that isn’t encrypted. Search engines like Google tend to flag sites that don’t have a valid Secure Sockets Layer (SSL) certificate as unsecure. It’s better to not input your payment details into sites like these. 

7. Be wary of emails 

Email scams known as phishing have become the most common forms of scamming nowadays. Your inbox may contain an email that may present you with deals, discounts, and sales through names and links which are close misspellings of popular websites. They are easy to fall for and may be hard to detect if the email somehow automatically fails to end up in your spam folder.  

8. Don’t buy from links that seem malicious/ don’t come from a trusted source 

Other than e-mails, social media is also a place where links that can’t be trusted would be presented to you. Be wary of TikTok advertisements or ads shown between your Instagram stories which present you with deals and offers that seem too good to be true. Now, it becomes harder to tell with the use of deepfakes and AI to show the promotion of these scam products by influential people.  

9. Data backup 

Ensuring that personal information and data are regularly backed up on your device or saved on the external hard disk is essential now due to ransomware attackers that can access your device and close off your access to important files or delete them entirely. Ensuring you have completed software updates is essential too as they help in ensuring fewer ransomware attacks and vulnerabilities on your devices to invasions.  

10. Protect your device/connect securely 

Some other ways to protect your device through your connection is: One, with a VPN, or two, by ensuring no details are saved on your browsers. VPN or Virtual Private Network encrypts your data and masks your IP addresses. This makes your identity, location, and browser activity hidden from potential attackers. Secondly, make sure that your device forgets your credit card details or password details. If these are remembered by your browsers, it makes these pieces of information immensely easy for attackers to obtain as they are all stored in one place when accessed by them.  While some of these may seem more easily achievable and accessible than others, they’re all a step in making sure your information is protected. We recommend regularly practicing all the above tips. These steps work even better together. So make sure to update your passwords and data backups, apply VPNs, stay wary of phishing emails, and practice safe online shopping. 

FAQs on Safe Online Shopping 

What is the most trusted safe online shopping site? 

Determining the most trusted online shopping site involves considering several key factors. Reputation is crucial, with established brands like Amazon and Flipkart often ranking high due to their track record of customer satisfaction.  Security is paramount, with HTTPS encryption and clear data privacy policies being essential indicators. Customer reviews on platforms like Trustpilot offer valuable insights into user experiences. Additionally, convenient payment options and positive personal experiences play a significant role in establishing trust.

Which online shopping practice is safest? 

For a safe online shopping experience, it's crucial to implement multiple security measures and exercise caution throughout the process. Begin by verifying the authenticity of the website and remain wary of deals that appear too good to be true. Stay vigilant against phishing scams and opt for credit cards over debit cards, as they typically offer better fraud protection. Ensure your passwords are strong and unique, and consider enabling multi-factor authentication for added security. Avoid using public Wi-Fi networks for shopping, and for an extra layer of protection, consider using a VPN. By following these steps, you can enhance your online safety and protect yourself against potential threats while shopping online.

What is a safe online shopping site?  

A safe online site uses HTTPS encryption, signified by a padlock symbol and "HTTPS" in the URL bar. It should also have a clear and concise privacy policy. 

What are fake shopping websites?  

Fake shopping websites are designed to look legitimate but steal your personal information or payment details. They often offer deals that seem too good to be true. 

Which websites can I trust?  

Amazon offers an extensive range of products with fast shipping. eBay, the largest online auction site, offers both new and used items, but it's essential to check seller reviews. AliExpress provides diverse products at budget-friendly prices, backed by seller ratings. Dealextreme offers competitive pricing, urging buyers to check reviews for confidence. In Fashion, Asos offers a wide range of clothing, footwear, and accessories for diverse preferences. Farfetch specializes in luxury fashion, featuring exclusive brands for discerning shoppers. Notino, a European-based online store, offers fragrances and cosmetics from popular brands at attractive prices. For Discounts, Cashback World provides benefits and discounts on purchases from partnered companies, online and offline, enabling savings across various products and services.

How to check a fake website?  

To discern the authenticity of a website, several key indicators can be examined. Firstly, verify the presence of HTTPS encryption and a valid SSL certificate. Next, scrutinize the website's content for any typos or grammatical errors, which can often signal a lack of professionalism.  Conduct thorough research into the company behind the website, looking for a physical address and phone number to ensure legitimacy. Additionally, reading online reviews caliasdasdn provide valuable insights into the experiences of previous customers. Finally, consider utilizing website safety checkers like F-Secure Online Shopping Checker for an extra layer of security and assurance. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Ransomware is a serious threat, so be prepared! The average ransom demand is high, and paying doesn’t guarantee recovery. Backups are crucial for recovery, but testing and proper storage are essential.   Ransomware attacks have become a significant threat to organizations of all sizes, and these malicious attacks can encrypt sensitive data, disrupt operations, and […]

The post Essential Strategies for Recovering from Ransomware Attacks appeared first on TuxCare.

The post Essential Strategies for Recovering from Ransomware Attacks appeared first on Security Boulevard.

Source: go.theregister.com – Author: Team Register Interview The cyberattacks against Las Vegas casinos over the summer put a big target on the backs of prime suspects Scattered Spider, according to Mandiant CTO Charles Carmakal. The Google-owned security biz has been tracking the loosely knit crew – believed to be teens and twenty-somethings located in the […]

La entrada Casino cyberattacks put a bullseye on Scattered Spider – and the FBI is closing in – Source: go.theregister.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Read 10 remaining paragraphs | Comments

Source: thehackernews.com – Author: . May 23, 2024NewsroomRansomware / Virtualization Ransomware attacks targeting VMware ESXi infrastructure following an established pattern regardless of the file-encrypting malware deployed. “Virtualization platforms are a core component of organizational IT infrastructure, yet they often suffer from inherent misconfigurations and vulnerabilities, making them a lucrative and highly effective target for threat […]

La entrada Ransomware Attacks Exploit VMware ESXi Vulnerabilities in Alarming Pattern – Source:thehackernews.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

A new study reveals that Tesla's keyless entry system in its latest Model 3 remains vulnerable to relay attacks despite its upgrade to ultra-wideband (UWB) radio which had been touted as a solution to relay attacks. A relay attack tricks a car into unlocking by relaying signals from an owner's key fob or smartphone, often from a distance. This technique has been used to steal numerous car models for years as it tricks cars entry systems to respond as if the real owner was nearby.

Relay Attacks Remain a Concern for Ultra-Wideband Keyless Systems

For over a decade, car thieves have used relay attacks to steal vehicles with keyless entry systems. This technique, which requires minimal equipment, has remained a significant threat despite advancements in car security technology. The ultra-wideband technology was touted by some as a supposed fix and possible end to these relay attacks, with a pending patent filed by Ford Global Technologies LLC (an R&D subsidiary of Ford Motor) describing it as 'most advanced known solution to relay attacks'. [caption id="attachment_69869" align="alignnone" width="1034"] Source: patents.google.com[/caption] However, recent research from cybersecurity firm GoGoByte reveals that some of the latest high-end cars such as the Tesla Model 3 incorporating the ultra-wideband technology, remain vulnerable.The researchers, demonstrated a successful relay attack against the latest Tesla Model 3 despite its UWB upgrade, using less than $100 worth of radio equipment to unlock the car instantly. This vulnerability is particularly concerning as the keyless entry system also controls the car immobilizer that prevents engines from starting until the right key is recognized, potentially allowing an attacker to drive away with the car when successfully compromised.

PIN-to-Drive Feature Advised as Critical Safeguard

In 2021, documents supposedly originating from a Tesla filing to the US Federal Communications Commission, detailed the implementation of the ultra-wideband technology and described it as immune to relay attacks. However, the founder of the cybersecurity firm emphasized the importance of enabling Tesla's optional PIN-to-drive feature. When enabled, this option requires a four-digit security code to be entered before starting the car, serving as a crucial defense against relay attacks. According to the Wired report, Tesla responded to an email of the researcher's findings by acknowledging the issue but stated that the behavior was as expected and the ultra-wideband technology was not intended to stop relay attacks or intended to prevent car theft. The automotive company stated that it was working on improving the reliability of the technology and that ranging enforcements would be implemented when reliability upgrades were completed. The researchers noted that at least two other carmakers implementing the technology in their cars, also faced the same vulnerability. Noting the ability of Tesla to push over-the-air(OTA) updates to to its cars, the researchers stated that a future update could possibly contain a fix to deal with relay attacks. However, the researchers expressed their belief that the public should be aware of this issue while realizing they were far from immune until then. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Deepfake Zoom of Doom: Construction giant Arup Group revealed as victim of January theft—10% of net profit lost.

The post CFO Deepfake Redux — Arup Lost $26M via Video appeared first on Security Boulevard.

A Georgia man was sentenced to 10 years in prison after being convicted of money laundering and conspiracy in connection with a digital fraud network that included business email compromise (BEC) attacks, romance scams, and healthcare benefits frauds, the U.S. Department of Justice announced. Malachi Mullings, 31, from Sandy Springs scammed over $4.5 million from his victims and laundered the proceeds through 20 bank accounts opened in the name of a shell company, The Mullings Group LLC. The scams relied on a variety of common techniques used in BEC scams and targeted elderly individuals of a health care benefit program, private companies and romance scam victims. “In one instance, Mullings laundered $310,000 that was fraudulently diverted from a state Medicaid program and had been intended as reimbursement for a hospital,” the Justice Department said. In another instance, Mullings was able to get $260,000 from a romance scam, which he used to buy a Ferrari. The sentencing of Mullings comes after he pleaded guilty in January 2023 to one count of conspiracy to commit money laundering and seven counts of various money laundering offenses. Mullings was first charged in February 2022, along with nine others from multiple states across the country. They were all charged in connection with multiple business email compromise, money laundering and wire fraud schemes that targeted Medicare, state Medicaid programs, private health insurers, and numerous other victims, which resulted in more than $11.1 million in total losses. “These defendants defrauded numerous individuals, companies, and federal programs, resulting in millions of dollars in financial losses to vital federal programs meant to provide assistance to those in need,” said U.S. Attorney Ryan Buchanan, at the time. “Millions of American citizens rely on Medicaid, Medicare, and other health care systems for their health care needs. These subjects utilized complex financial schemes, such as BECs and money laundering, to defraud and undermine health care systems across the United States,” said Luis Quesada, who at the time was Assistant Director of the FBI’s Criminal Investigative Division.

“Elder fraud and romance fraud schemes utilized by the subjects often target our most vulnerable citizens and the FBI is committed to pursuing justice for those who were victimized by these schemes.”

Together, the fraud schemes of these 10 scammers deceived five state Medicaid programs, two Medicare Administrative Contractors, and two private health insurers, who made payments to them and their co-conspirators instead of depositing the reimbursement payments into bank accounts belonging to the hospitals.

Elder Fraud Growing: FBI Data

Elder fraud complaints increased by 14% in 2023, according to a recently released report by the FBI’s Internet Crime Complaint Center (IC3). The associated losses reported by those over the age of 60 topped at $3.4 billion, an almost 11% increase in reported losses from 2022. While tech support scams were the most widely reported kind of elder fraud, personal data breaches, confidence and romance scams, non-payment or non-delivery scams, and investment scams rounded out the top five most common types of elder fraud reported to IC3 last year. [caption id="attachment_69765" align="aligncenter" width="1400"] Source: IC3[/caption] Investment scams were the costliest elder fraud in 2023 and cost victims more than $1.2 billion in losses last year. Tech support scams, business email compromise scams, confidence and romance scams, government impersonation scams, and personal data breaches, all respectively cost victims hundreds of millions of dollars in 2023. [caption id="attachment_69767" align="aligncenter" width="1400"] Source: IC3[/caption] On the state level, Florida ranked second in the country for the number of complaints and reported losses.

“It’s disturbing to hear the stories of financial hardship these schemes create,” said FBI Tampa Field Special Agent Rodney Crawford.

“Combatting the financial exploitation of those over 60 years of age continues to be a priority of the FBI,” said FBI Assistant Director Michael Nordwall, who leads the Bureau’s Criminal Investigative Division. “Along with our partners, we continually work to aid victims and to identify and investigate the individuals and criminal organizations that perpetrate these schemes and target the elderly.” The agency regards elderly fraud as a more insidious threat than the report shows. Many of these crimes likely go unreported, as “only about half” of the fraud scam complaints that get through to IC3 include IC3 data, the report said. Media Disclaimer: This article is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Bishkek, the capital of Kyrgyzstan, is currently reeling under severe mob violence and escalating cyberattacks on Kyrgyzstan, marking a turbulent period for the nation.

The recent upheaval, primarily targeting foreign students, has drawn significant international attention and diplomatic concerns, particularly from India and Pakistan.

The Catalyst for Chaos

The unrest began on the night of May 17-18, following a viral video allegedly depicting a fight between Kyrgyz and Egyptian medical students on May 13. The video, which rapidly spread across social media, purportedly showed Kyrgyz students in conflict with Egyptian students. This incident triggered widespread mob violence, with locals directing their aggression towards foreign students, exacerbating tensions in Bishkek. Despite the lack of verified evidence that the individuals involved were Kyrgyz youths, the video sparked significant social unrest. The ensuing chaos resulted in 28 injuries, including three foreigners, prompting riot police to intervene and cordon off areas where mobs had gathered. Footage circulating online showed mobs attacking foreign students in the streets and even within dormitories, creating an environment of fear and hostility for international students.

Cyberattacks on Kyrgyzstan Compound the Crisis

Amidst the physical violence, Kyrgyzstan's digital infrastructure is under severe attack from various hacktivist groups. These coordinated cyberattacks on Kyrgyzstan have targeted critical governmental and private sector systems, exacerbating the already volatile situation. Several hacktivist groups are involved in these cyber assaults:

• Team Insane PK has allegedly attacked the Ministry of Agriculture, the Education Portal of the Ministry of Emergency Situations, Saima Telecom, the Climate Monitoring Platform (http://climatehub.kg), and multiple universities including Osh State University and Kyrgyz State Medical Academy.
• Silent Cyber Force, another Pakistan-based group, has also allegedly targeted Kyrgyzstan’s Ministry of Defence and Ministry of Agriculture.

[caption id="attachment_69159" align="aligncenter" width="881"] Source: X[/caption] [caption id="attachment_69158" align="aligncenter" width="922"] Source: X[/caption]

• Golden Don’s has allegedly launched cyberattacks on the Ministry of Economy and Commerce, the Kyrgyzstan Visa Website, and Kyrgyzstan Turkish Manas University.
• Anon Sec BD from Bangladesh has allegedly attacked MBank and Finca Bank.
• An individual hacktivist known as 'rajib' allegedly targeted Kyrgyzstan’s railway’s official portal.
• Sylhet Gang has allegedly disrupted the Kyrgyz Ministry of Foreign Affairs and the Kyrgyz telecommunication network Nur, causing significant outages.

Furthermore, there are claims that the Mysterious Team Bangladesh is planning future cyberattacks on Kyrgyzstan. [caption id="attachment_69160" align="aligncenter" width="868"] Source: X[/caption] One of the hacktivist groups, Silent Cyber Force, posted a message titled "Greetings Citizens Of The World," condemning the violence against foreign students and declaring their intention to take down Kyrgyzstan's governmental websites and large networks. Their message explicitly mentioned targeting various international adversaries but stated that the current focus is on Kyrgyzstan due to the perceived inaction of its government in protecting foreign students. [caption id="attachment_69155" align="aligncenter" width="788"] Source: X[/caption] Despite these threats, the official websites of the targeted institutions appeared to be functioning normally when accessed. This raises questions about the hackers' actual capabilities or possible tactical delays in executing their threats. The full extent and impact of these cyberattacks on Kyrgyzstan will become clearer once official statements are released.

The Implications and the Need for Vigilance

The combination of physical violence and digital attacks underlines the critical need for enhanced security measures in both physical and cyber domains. These cyber-threats not only disrupt governmental operations but also pose significant risks to essential services that affect both citizens and foreign nationals in Kyrgyzstan. The current situation in Kyrgyzstan highlights the vulnerability of digital infrastructure during periods of social unrest. Hacktivist groups are leveraging the chaos to further their agendas, targeting key institutions and spreading fear and disruption. The ongoing cyberattacks on Kyrgyzstan demonstrate the importance of cyber threat intelligence and the need for comprehensive cybersecurity strategies to protect national infrastructure. In response to these developments, it is imperative for Kyrgyzstan to strengthen its cybersecurity defenses and enhance its physical security measures to safeguard all residents, including foreign students. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

AttackIQ has released a new attack graph in response to the recently published CISA Advisory (AA24-131A) which disseminates known Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated to Black Basta ransomware, a ransomware variant whose operators have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.

The post Response to CISA Advisory (AA24-131A): #StopRansomware: Black Basta appeared first on AttackIQ.

The post Response to CISA Advisory (AA24-131A): #StopRansomware: Black Basta appeared first on Security Boulevard.

Hackers can find templates for DocuSign and other companies for their phishing campaigns on dark web marketplaces for as little as $10.

The post Hackers Use Fake DocuSign Templates to Scam Organizations appeared first on Security Boulevard.

Phish Ahoy! Hacker took advantage of Dell’s lack of anti-scraping defense.

The post Dell Hell Redux — More Personal Info Stolen by ‘Menelik’ appeared first on Security Boulevard.

A few weeks ago, Best Buy revealed its plans to deploy generative AI to transform its customer service function. It’s betting on the technology to create “new and more convenient ways for customers to get the solutions they need” and to help its customer service reps develop more personalized connections with its consumers. By the […]

The post Navigating the New Frontier of AI-Driven Cybersecurity Threats appeared first on Security Boulevard.

It’s never been more important for businesses to invest in the best security measures available to them. Hackers and cybercriminals are constantly attempting to attack organizations and access their data. What’s more, cyber attacks are becoming increasingly sophisticated and new threats are constantly emerging.  So, it’s vital that businesses stay up-to-date with security measures to […]

The post How an Intrusion Detection System Can Ensure End-User Security appeared first on TuxCare.

The post How an Intrusion Detection System Can Ensure End-User Security appeared first on Security Boulevard.

In the realm of cybersecurity, vigilance is paramount. Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged a critical vulnerability in GitLab, a popular platform for collaborative software development. This GitLab password exploit tracked as CVE-2023-7028, has been actively exploited in the wild, posing significant risks to organizations utilizing GitLab for their development workflows. […]

The post CISA Alert: GitLab Password Exploit – Act Now For Protection appeared first on TuxCare.

The post CISA Alert: GitLab Password Exploit – Act Now For Protection appeared first on Security Boulevard.

The 2024 RSA Conference can be summed up in two letters: AI. AI was everywhere. It was the main topic of more than 130 sessions. Almost every company with a booth in the Expo Hall advertised AI as a component in their solution. Even casual conversations with colleagues over lunch turned to AI. In 2023, … Continued

The post The Rise of AI and Blended Attacks: Key Takeaways from RSAC 2024 appeared first on DTEX Systems Inc.

The post The Rise of AI and Blended Attacks: Key Takeaways from RSAC 2024 appeared first on Security Boulevard.

It was probably inevitable. Threat researchers detected bad actors using stolen credentials to target LLMs, with the eventual goal of selling the access to other hackers.

The post Novel LLMjacking Attacks Target Cloud-Based AI Models appeared first on Security Boulevard.

Following Australia's vocal support for Ukraine, the nation finds itself targeted by a Cyber Army Russia Reborn cyberattack. The recent alleged Distributed Denial of Service (DDoS) attacks on Australian entities, including two prominent organizations in Australia — Auditco and Wavcabs. The DDoS attacks, orchestrated by Cyber Army Russia Reborn, seem to be a response to Australia's solidarity with Ukraine. While the precise motives behind these attacks remain unclear, the timing suggests a correlation between Australia's stance and the cyber onslaught.

Cyber Army Russia Reborn Cyberattack Targets Australia

[caption id="attachment_68069" align="alignnone" width="641"] Source: X[/caption] Wavcabs, a transportation service, and Auditco, an auditing company, were among the targets of these Cyber Army Russia Reborn cyberattacks. Wavcabs' online services were disrupted, with users encountering connection timeouts when attempting to access the website. Similarly, Auditco faced technical difficulties, as indicated by error code 522 on their site earlier.  [caption id="attachment_68071" align="alignnone" width="656"] Source: X[/caption] The Cyber Express has reached out to both organizations to learn more about this Cyber Army Russia Reborn cyberattack. Despite the severity of these cyber incidents, both Wavcabs and Auditco have not issued official statements regarding the attacks.  The lack of response leaves the claims of Cyber Army Russia Reborn's involvement unverified, highlighting the complexity of attributing cyberattacks to specific actors.

Australia's Support for Ukraine

These assaults on Australian companies occur as the nation reaffirms its support for Ukraine. The Albanese Government's commitment to aiding Ukraine was recently reinforced with a $100 million assistance package. Deputy Prime Minister and Minister for Defence, Richard Marles, revealed the assistance during a visit to Ukraine, where he witnessed firsthand the impact of Russia's aggression. Australia's $100 million aid package to Ukraine includes $50 million for military assistance, prioritizing Australian defense industry support for uncrewed aerial systems and essential equipment. Another $50 million is designated for short-range air defense systems, alongside the provision of air-to-ground precision munitions.  Amidst ongoing cyberattacks on Australia, the nation’s unwavering support for Ukraine highlights the complexities of modern warfare and the critical need for cybersecurity measures. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on these cyberattacks on Australian companies or any official confirmation from the listed organizations.  Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

This is another attack that convinces the AI to ignore road signs:

Due to the way CMOS cameras operate, rapidly changing light from fast flashing diodes can be used to vary the color. For example, the shade of red on a stop sign could look different on each line depending on the time between the diode flash and the line capture.

The result is the camera capturing an image full of lines that don’t quite match each other. The information is cropped and sent to the classifier, usually based on deep neural networks, for interpretation. Because it’s full of lines that don’t match, the classifier doesn’t recognize the image as a traffic sign...

The post New Attack Against Self-Driving Car AI appeared first on Security Boulevard.

This is another attack that convinces the AI to ignore road signs:

Due to the way CMOS cameras operate, rapidly changing light from fast flashing diodes can be used to vary the color. For example, the shade of red on a stop sign could look different on each line depending on the time between the diode flash and the line capture.

The result is the camera capturing an image full of lines that don’t quite match each other. The information is cropped and sent to the classifier, usually based on deep neural networks, for interpretation. Because it’s full of lines that don’t match, the classifier doesn’t recognize the image as a traffic sign.

So far, all of this has been demonstrated before.

Yet these researchers not only executed on the distortion of light, they did it repeatedly, elongating the length of the interference. This meant an unrecognizable image wasn’t just a single anomaly among many accurate images, but rather a constant unrecognizable image the classifier couldn’t assess, and a serious security concern.

[…]

The researchers developed two versions of a stable attack. The first was GhostStripe1, which is not targeted and does not require access to the vehicle, we’re told. It employs a vehicle tracker to monitor the victim’s real-time location and dynamically adjust the LED flickering accordingly.

GhostStripe2 is targeted and does require access to the vehicle, which could perhaps be covertly done by a hacker while the vehicle is undergoing maintenance. It involves placing a transducer on the power wire of the camera to detect framing moments and refine timing control.

Research paper.

Recently, a wave of malware attacks has surfaced, exploiting vulnerabilities in the update mechanism of the eScan antivirus software. This eScan antivirus backdoor exploit distributes backdoors and cryptocurrency miners, such as XMRig, posing a significant threat to large corporate networks. In this blog, we’ll look into the details of this eScan antivirus backdoor exploit and […]

The post Backdoors and Miners Amid eScan Antivirus Backdoor Exploit appeared first on TuxCare.

The post Backdoors and Miners Amid eScan Antivirus Backdoor Exploit appeared first on Security Boulevard.

Data sourced from over 40 million exposures that pose high-impact risks to numerous critical business entities revealed that Active Directory typically accounts for 80% of all security exposures identified in organizations. The research from XM Cyber in collaboration with the Cyentia Institute found that identity and credential misconfigurations fuel a striking majority of security exposures across organizations. Among these exposures, a third directly jeopardize critical assets, serving as a prime target for adversaries seeking to exploit vulnerabilities.

Active Directory Exposures Dominate the Attack Surface

Active Directory accounts for over half of entities identified across all environments, as per the report from XM Cyber. Thus, a significant portion of security exposures lies within a company's Active Directory, a vital component for user-network resource connectivity. However, this critical infrastructure also presents an attractive target for attackers as it interests them with additional elevated rights. “An attacker who has compromised an Active Directory account could use it to elevate privileges, conceal malicious activity in the network, execute malicious code and even gain access to the cloud environment,” XM Cyber explained. “Many of these exposures stem from the inherent nature of dynamic configuration issues in Active Directory as well as the challenge of keeping it updated. This creates a blind spot that appears secure on the surface but hides a nest of problems that many security tools can’t see,” the report said. Misconfigurations and credential attacks emerge as the top contributors to these exposures, introducing gaps that traditional security tools often overlook, such as issues in member management and password resets. These issues “present a challenge for nearly every organization,” XM Cyber said. Techniques like credential harvesting, dumping, relay and domain credentials feature prominently in the list of top techniques identified by attack path analysis for AWS, Azure and GCP, and Tools like Mimikatz make these techniques even easier to execute and thus make it extremely popular. Poor practices also make credential-related attack paths more easy and potent. XM Cyber said it identified highly privileged Active Directory credentials cached on multiple machines in 79% of organizations, and one in five of those have admin-level permissions on 100 or more devices. Furthermore, poor endpoint hygiene afflicts the majority of environments, with over 25% of devices lacking EDR coverage or containing cached credentials, offering attackers ample entry points to establish footholds. These overlooked vulnerabilities in identity and endpoint security form a fertile ground for hackers, demanding urgent attention from organizations. Zur Ulianitzky, Vice President of Security Research at XM Cyber, emphasized the necessity of broadening exposure management beyond vulnerabilities to encompass all potential adversary pathways, including misconfigurations and user behavior. The research revealed that a mere 2% of exposures exist on critical 'choke points,' where adversaries exploit vulnerabilities to access crucial assets.

CVEs are a Drop in the Ocean

Despite organizations' focus on managing traditional software vulnerabilities tracked by CVE identifiers, these efforts barely scratch the surface. XM Cyber's analysis uncovered approximately 15,000 exposures per organization, with CVE-based vulnerabilities constituting less than 1% of this extensive exposure landscape. Even concerning exposures affecting critical assets, CVEs represent only a minute fraction, highlighting significant blind spots in security programs fixated solely on vulnerability patching.

Exposed Critical Assets in the Cloud

Active Directory is the largest attack surface, according to XM Cyber, but the largest share of exposures to critical assets is in the cloud. Cloud environments, amidst rapid adoption by organizations, are not immune to exposure risks. Over half (56%) of exposures affecting critical assets are traced back to cloud platforms, presenting a significant threat as attackers seamlessly traverse between on-premises and cloud environments. This fluid movement poses a substantial risk to cloud-based assets, allowing attackers to compromise critical resources with minimal effort.

Exposure Risks Across Sectors

Industry-specific analysis from the report reveals discrepancies in exposure risks across sectors. Industries like Energy and Manufacturing exhibit a higher proportion of internet-exposed critical assets affected by exposures compared to Financial Services organizations, despite the latter's larger digital footprint. Healthcare providers, facing inherent challenges in minimizing risk, contend with a median number of exposures five times higher than the Energy and Utilities sector, emphasizing the need for tailored exposure management strategies. Exposure Management is currently beyond addressing only vulnerabilities and CVEs. Organizations need to adopt a holistic and ongoing Exposure Management approach, incorporating attack path modeling to pinpoint and resolve infrastructure weak points. Emphasis should be placed on tackling identity issues, Active Directory exposures and cloud cyber hygiene, while advocating for tailored solutions according to industry and scale. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Last week on Malwarebytes Labs:

• How to change your Social Security Number
• Apple warns people of mercenary attacks via threat notification system
• How to check if your data was exposed in the AT&T breach
• Microsoft’s April 2024 Patch Tuesday includes two actively exploited zero-day vulnerabilities
• How to protect yourself from online harassment
• Introducing the Digital Footprint Portal
• New ransomware group demands Change Healthcare ransom
• Active Nitrogen campaign delivered via malicious ads for PuTTY, FileZilla
• 35-year long identity theft leads to imprisonment for victim
• Porn panic imperils privacy online, with Alec Muffett (re-air): Lock and Code S05E08

Stay safe!

---

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Apple has reportedly sent alerts to individuals in 92 nations on Wednesday, April 10, to say it’s detected that they may have been a victim of a mercenary attack. The company says it has sent out these types of threat notifications to over 150 countries since the start in 2021.

Mercenary spyware is used by governments to target people like journalists, political activists, and similar targets, and involves the use of sophisticated tools like Pegasus. Pegasus is one of the world’s most advanced and invasive spyware tools, known to utilize zero-day vulnerabilities against mobile devices.

The second number became known when Apple changed the wording of the relevant support page. The change also included the title that went from “About Apple threat notifications and protecting against state-sponsored attacks” to “About Apple threat notifications and protecting against mercenary spyware.”

If you look at the before and after, you’ll also notice an extra paragraph, again with the emphasis on the change from “state-sponsored attacks” to “mercenary spyware.”

The cause for the difference in wording might be because “state-sponsored” is often used to indicate attacks targeted at entities, like governments or companies, while these mercenary attacks tend to be directed at individual people.

The extra paragraph specifically calls out the NSO Group and the Pegasus spyware it sells. While the NSO Group claims to only sell to “government clients,” we have no reason to take its word for it.

Apple says that when it detects activity consistent with a mercenary spyware attack it uses two different means of notifying the users about the attack:

• Displays a Threat Notification at the top of the page after the user signs into appleid.apple.com.
• Sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.

Apple says it doesn’t want to share information about what triggers these notifications, since that might help mercenary spyware attackers adapt their behavior to evade detection in the future.

The NSO Group itself argued in a court case started by Meta for spying on WhatsApp users, that it should be recognized as a foreign government agent and, therefore, be entitled to immunity under US law limiting lawsuits against foreign countries.

NSO Group has also said that its tool is increasingly necessary in an era when end-to-end encryption is widely available to criminals.

How to stay safe

Apple advises iPhone users to:

• Enable Lockdown mode.
• Keep devices up to date.
• Protect devices with a passcode.
• Use Multi-Factor-Authentication (MFA) for your Apple ID.
• Only install apps from the App Store.
• Use strong and unique passwords online.
• Don’t click on links or attachments from unknown senders.

We’d like to add:

• Use an anti-malware solution on your device.
• If you’re not sure about something that’s been sent to you, verify it with the person or company via another communcation channel.
• Use a password manager.

---

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

It’s yet another hardware side-channel attack:

The threat resides in the chips’ data memory-dependent prefetcher, a hardware optimization that predicts the memory addresses of data that running code is likely to access in the near future. By loading the contents into the CPU cache before it’s actually needed, the DMP, as the feature is abbreviated, reduces latency between the main memory and the CPU, a common bottleneck in modern computing. DMPs are a relatively new phenomenon found only in M-series chips and Intel’s 13th-generation Raptor Lake microarchitecture, although older forms of prefetchers have been common for years.

[…]

The breakthrough of the new research is that it exposes a previously overlooked behavior of DMPs in Apple silicon: Sometimes they confuse memory content, such as key material, with the pointer value that is used to load other data. As a result, the DMP often reads the data and attempts to treat it as an address to perform memory access. This “dereferencing” of “pointers”—meaning the reading of data and leaking it through a side channel—­is a flagrant violation of the constant-time paradigm.

[…]

The attack, which the researchers have named GoFetch, uses an application that doesn’t require root access, only the same user privileges needed by most third-party applications installed on a macOS system. M-series chips are divided into what are known as clusters. The M1, for example, has two clusters: one containing four efficiency cores and the other four performance cores. As long as the GoFetch app and the targeted cryptography app are running on the same performance cluster—­even when on separate cores within that cluster­—GoFetch can mine enough secrets to leak a secret key.

The attack works against both classical encryption algorithms and a newer generation of encryption that has been hardened to withstand anticipated attacks from quantum computers. The GoFetch app requires less than an hour to extract a 2048-bit RSA key and a little over two hours to extract a 2048-bit Diffie-Hellman key. The attack takes 54 minutes to extract the material required to assemble a Kyber-512 key and about 10 hours for a Dilithium-2 key, not counting offline time needed to process the raw data.

The GoFetch app connects to the targeted app and feeds it inputs that it signs or decrypts. As its doing this, it extracts the app secret key that it uses to perform these cryptographic operations. This mechanism means the targeted app need not perform any cryptographic operations on its own during the collection period.

Note that exploiting the vulnerability requires running a malicious app on the target computer. So it could be worse. On the other hand, like many of these hardware side-channel attacks, it’s not possible to patch.

Slashdot thread.