CYBERSECURITY / DEFENSE / INTELLIGENCE

  • A recently open-sourced network mapping tool called SSH-Snake has been repurposed by threat actors to conduct malicious activities. “SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network,” Sysdig researcher Miguel Hernández said. “The worm automatically searches through known credential


  • In the past 2 years, we have observed a significant surge in hacktivism activity due to ongoing wars and geopolitical conflicts in various regions. Since the war against Ukraine began, we have witnessed a notable mobilization of non-state and state-backed actors alike, forming new groups or joining existing hacker collectives.  We understand hacktivism as a form of computer hacking that is


  • An installer for a tool likely used by the Russian Consular Department of the Ministry of Foreign Affairs (MID) has been backdoored to deliver a remote access trojan called Konni RAT (aka UpDog). The findings come from German cybersecurity company DCSO, which linked the activity as originating from the Democratic People’s Republic of Korea (DPRK)-nexus actors targeting Russia. The


  • An updated version of the ObserverStealer known as AsukaStealer was observed to be advertised as malware-as-a-service that was capable of collecting data from desktop screenshots, Steam Desktop Authenticator application, FileZilla sessions, Telegram sessions, Discord tokens, browser extensions, and cryptocurrency wallets.

    This year, on a Russian-language forum, the threat actor advertised AsukaStealer as a MaaS (Malware-as-a-service), providing an extensive list of features meant to steal confidential data from the targets.

    AsukaStealer malware is written in C++ and has flexible options and a web-based control panel. The malware authors or developers used the same C&C infrastructure to host AsukaStealer and ObserverStealer.


    Notable Features of AsukaStealer

    Cyble Research & Intelligence Labs (CRIL) discovered a malware-as-a-service (MaaS) known as “AsukaStealer” on February 2, 2024.

    The malware was sold on a Russian-language cybercrime forum, with the web panel version 0.9.7 being offered for USD 80 per month.

    On January 24, 2024, the AsukaStealer was marketed on another famous Russian forum under an alternate pseudonym.

    Advertisement of AsukaStealer on the forum

    The stealer had certain noteworthy features, such as:

    Functional features: 

    • The native stealer is written in C++ and is 280 kb.
    • Collects browser data (Cookies, Passwords, AccountsSync, Extensions) on Chromium (Edge, Google, OperaGX) and Gecko (Firefox, Waterfox) engines.
    • Collects Discord tokens.
    • Collects FileZilla sessions (FileGrabber|Standard config).
    • Collects Telegram sessions (ProcessGrabber|FileGrabber|Standard config).
    • Builds Steam (Standard config).
    • There is functionality for uploading a file after collecting the log (Loader).
    • Ability to install custom proxies.
    • Ability to send logs to Telegram.
    • Collects a screenshot from the desktop.
    • Collecting maFiles from the Steam Desktop Authenticator application (ProcessGrabber|Standard config).
    • An anti-duplicate system.

    Total information collected by the malware

    Configuration setup:

    • Customizable list of browsers [Chromium, Gecko].
    • Customizable FileGrabber/crypto wallet files.
    • Customizable list of extensions.
    • Customizable ProcessGrabber.
    • Customizable Loader.
    • Customizable Discord clients.

    Multiple files that were interacting with the IP address “5.42.66.25” were discovered by researchers; VirusTotal had identified and flagged these files as ObserverStealer.

    The AsukaStealer and ObserverStealer’s C&C panels have remarkably similar features.

    The promoters of AsukaStealer MaaS also announced the termination of MaaS activities for ObserverStealer, which researchers noticed during the study in July 2023.

    This suggests that the same threat actors created and managed both stealer malware.

    ObserverStealer on offer and announcement of its closure

    Notably, this threat was classified by Symantec as File-based (Infostealer Trojan.Gen.MBT), Machine Learning-based (Heur.AdvML.B), and Web-based.

    All products with WebPulse enabled covered the observed domains and IPs under security categories.

    “Threat actors who are proficient in malware development and capable of hosting a sizable C&C infrastructure, continue to seize opportunities to offer malware-as-a-service (MaaS) to cater to underground communities and make profits within a short period of time”, researchers said.

    You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

    Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

    The post Beware of New AsukaStealer Steal Browser Passwords & Desktop Screens appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • In a significant move against cybercrime, the U.S. government has announced a bounty of up to $15 million for information that could lead to the identification, arrest, or conviction of individuals associated with the notorious LockBit ransomware group.

    This announcement comes as part of a broader crackdown on ransomware operations that have caused extensive damage to numerous organizations worldwide.


    Background on LockBit

    LockBit is a ransomware-as-a-service (RaaS) operation, which means its developers create ransomware software that affiliates then deploy against victims.

    The group has been responsible for high-profile cyberattacks, including those on chipmaker TSMC, consulting firm Accenture, and a Foxconn subsidiary.

    LockBit Ransomware Operator Data (Image Source: U.S. Department of State)

    In 2022, LockBit was identified as the most deployed ransomware variant globally by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

    Law Enforcement Actions

    Recently, international law enforcement agencies, including Europol and the U.K.’s National Crime Agency, have seized LockBit’s dark website, replacing it with a notice of control by authorities.

    This operation, known as “Operation Cronos,” involved the FBI and other law enforcement organizations from Australia, Japan, and Europe.

    The takedown of LockBit’s operations is considered a significant victory in the fight against ransomware.

    The U.S. Department of State’s Rewards for Justice program is offering the bounty, which includes $10 million for information on key leaders of the LockBit group and an additional $5 million for information leading to the arrest or conviction of anyone conspiring or attempting to participate in LockBit’s ransomware attacks.

    Ransomware attacks have become increasingly prevalent, with payments to attackers exceeding $1 billion in 2023.

    LockBit, in particular, has been one of the most active groups, with its ransomware variant targeting over 2,000 victims and receiving more than $120 million in ransom payments.

    The Challenge Ahead

    Despite the recent law enforcement success, the adaptability of ransomware gangs poses a continuous challenge.

    LockBit’s operators are believed to be based in Russia, complicating efforts for arrest due to geopolitical tensions.

    However, the U.S. government’s substantial reward offer underscores the seriousness with which it is pursuing these cyber criminals.

    The U.S. government’s reward offer marks a critical step in the global effort to combat ransomware.

    By incentivizing information that could lead to the dismantling of LockBit, authorities aim to disrupt the ransomware ecosystem and prevent future attacks.

    The fight against cybercrime remains a top priority, with the U.S. and its international partners committed to tracking down and prosecuting those responsible for these malicious activities.


    The post US to Pay $15M for Info About Lockbit Ransomware Operator Data appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Threat actors abuse Google Drive for several malicious activities due to its widespread use, easy file sharing, and collaboration features.

    These things provide a convenient platform to host and distribute malware. Integration with legitimate services makes detecting and blocking malicious content challenging.

    Cybersecurity researchers at Check Point recently found SMUGX in July 2023, linked to Earth Preta, hitting Europe. They also found a phishing email with PlugX in Taiwan tied to SMUGX.

    Researchers found a new variant, DOPLUGS, which differs from typical PlugX and is mainly used for downloading. 

    It employs the KillSomeOne module and was first reported by Sophos in 2020. Researchers analyzing the Earth Preta campaign examined DOPLUGS, noting its backdoor commands, its integration with KillSomeOne, and how it has changed over time.


    Technical analysis

    DOPLUGS files found since July 2023 indicate victims from Taiwan and Mongolia. File names suggest social engineering tied to recent events, like the January 2024 Taiwanese presidential election.

    The “水源路二至五期整建住宅都市更新推動說明.pdf” decoy file relates to a Taiwanese urban renewal project in traditional Chinese.

    The decoy document (Source – Trend Micro)

    The Үер усны сэрэмжлүүлэг.pdf decoy warns of floods in Mongolia, in Mongolian. From 2022-2023 VirusTotal data (Asia-focused), Taiwan and Vietnam were prime targets, with fewer attacks in China, Singapore, Hong Kong, Japan, India, Malaysia, and Mongolia.

    The decoy document ‘Үер усны сэрэмжлүүлэг.pdf’ (Source – Trend Micro)

    The spear-phishing emails carry a Google Drive link, which leads to a password-protected archive with DOPLUGS malware. 

    Disguised as documents, LNK files in the RAR archive download MSI files from https://getfiledown[.]com/vgbskgyu, which helps trigger subsequent file drops.

    • %localappdata%\MPTfGRunFbCn\OneNotem.exe (legitimate executable)
    • %localappdata%\MPTfGRunFbCn\msi.dll (malicious DLL file)
    • %localappdata%\MPTfGRunFbCn\NoteLogger.dat (encrypted payload)

    Timeline of the malware evolution (Source – Trend Micro)

    DOPLUGS includes four backdoor commands, as it is a downloader. Among them, one downloads the PlugX malware.

    Infection flow of DOPLUGS (Source – Trend Micro)

    Researchers discovered a new DOPLUGS variant with a KillSomeOne module for malware distribution, information collection, and USB-based document theft.

    It shares similarities with the prior DOPLUGS variant, but unlike that version it employs a distinctive and more diverse set of infection methods.

    Besides this, it has four components, including a malicious DLL and encrypted payload.

    Earth Preta targets global government entities, especially in Asia-Pacific and Europe, using spear-phishing emails and Google Drive links. 

    DOPLUGS malware is a vital tool for downloading PlugX. Besides this, a 2018 DOPLUGS variant was also discovered with KillSomeOne module integration, indicating ongoing tool improvement.

    Since Earth Preta remains active, security teams should stay vigilant about its tactics.


    The post Earth Preta Hackers Abuses Google Drive to Deploy DOPLUGS Malware appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • In a startling incident underscoring the growing menace of cybercrime, a woman’s Swiggy account was hacked, leading to fraudulent orders worth Rs 97,000.

    The Delhi Police swiftly acted on the complaint, arresting two individuals, Aniket Kalra (25) and Himanshu Kumar (23), from Gurugram, Haryana, for their involvement in this sophisticated scam.


    Impact & How the Hack Was Orchestrated

    The victim, a resident of Sultanpur, faced a significant financial loss amounting to Rs 97,197 from her Lazy Pay account linked with Swiggy.

    This incident highlights the economic implications of cybercrime and raises concerns about the emotional and psychological impact on victims.

    The breach of personal security and privacy can lead to vulnerability and distress.

    The modus operandi of the hackers was ingeniously deceptive. They employed an Interactive Voice Response (IVR) system to trick victims into believing their Swiggy accounts were being accessed illegally.

    The victims were then coaxed into providing sensitive information, which the hackers used to place orders from the victims’ accounts.

    These orders were primarily for grocery items, later sold at discounted rates in the market.

    This method highlights modern-day hackers’ technical sophistication and psychological manipulation techniques.

    By exploiting the trust people place in automated systems and their fear of unauthorized account access, the hackers could carry out their fraudulent activities with alarming success.

    Arrest of Hackers

    The arrest of Aniket Kalra and Himanshu Kumar resulted from diligent police work, including analysis of call details and financial transactions.

    The investigation revealed that the duo had been using the IVR system to hack into Swiggy accounts, linking a phone number registered under fake ownership to the victim’s Swiggy account for order deliveries.

    This meticulous planning allowed them to evade detection for a time. Aniket, a former delivery boy for Zomato and Swiggy, confessed to buying grocery items at lower prices online and reselling them, thus profiting from each fraudulent transaction.

    This incident is a stark reminder of the vulnerabilities present in digital platforms and the importance of cybersecurity measures.

    Swiggy has responded by enhancing security features, including automatically delinking user wallets and BNPL accounts on new device logins or contact number changes and implementing two-factor authentication. 

    These steps are crucial in safeguarding users against such frauds in the future. The swift action by the Delhi Police in apprehending the culprits also sends a strong message to cybercriminals about the consequences of such illicit activities.

    However, it also emphasizes the need for users to remain vigilant and cautious, especially when dealing with unsolicited communications that seek personal information.


    The post Swiggy Account Hacked, Hackers Placed Orders Worth Rs 97,000 appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • The U.S. State Department has announced monetary rewards of up to $15 million for information that could lead to the identification of key leaders within the LockBit ransomware group and the arrest of any individual participating in the operation. “Since January 2020, LockBit actors have executed over 2,000 attacks against victims in the United States, and around the world, causing costly


  • Getting new Patriot anti-air systems would be “painful,” a Defense Department official said.


  • Audrey Decker unpacks the top news from this year’s Air & Space Forces Association Warfare Symposium.
