An unidentified hacker group has stolen more than $100million from Californian cryptocurrency firm Harmony.

Last Thursday, the company made the announcement via Twitter. They said that they had identified a theft occurring on the Horizon bridge amounting to approximately $100m.

The first Tweet reads, “we have begun working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds.”

Harmony published the cryptocurrency address of the malicious actor and reassured customers that the rest of the funds held on its blockchain were safe.

“Note this does not impact the trustless BTC bridge; its funds and assets stored on decentralized vaults are safe at this time.”

The company said that it notified exchanges of the theft and stopped the Horizon bridge to prevent further transactions.

One of the posts reads, “The team is all hands on deck as investigations continue.”

“We will keep everyone up-to-date as we investigate this further and obtain more information.”

The company posted an update on Sunday, offering a $1m bounty for the return of the Horizon bridge funds and sharing exploit information.

They added, “Harmony will advocate for no criminal charges when funds are returned.”

The company’s founder Stephen Tse also posted on Twitter on Thursday, saying that confidentiality was key to maintaining integrity as part of this ongoing investigation.

“The omission of specific details is to protect sensitive data in the interest of our community.  Incident response has found no evidence of smart contract code breach. No evidence of any vulnerability on the Horizon platform was found. Our consensus layer of the Harmony blockchain remains secure.”

Tse added that the team found evidence that private keys were compromised, leading to the breach of the Horizon Bridge and funds being stolen from the Ethereum side of the bridge.

“The attacker was able to access and decrypt a number of these keys, some of which were used to sign the unauthorized transactions. Stolen assets include BUSD, USDC, ETH, and WBTC.”

There have been many other cryptocurrency thefts this year so far, including a group of fraudsters making nearly $1.7m by promising cryptocurrency giveaways on YouTube, in April.

The post $100m Stolen from California Based Cryptocurrency Firm by Unidentified Hackers appeared first on IT Security Guru.

The ransomware-as-a-service (RaaS) Black Basta has struck 50 victims in the U.S., Canada, the U.K., Australia, and New Zealand within two months of its emergence in the cybersecurity landscape.

The speed at which it has accumulated victims in such a short time frame has made it a prominent new threat for the cybersecurity of governments and a range of different industries.

“Black Basta has been observed targeting a range of industries, including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, automobile dealers, undergarments manufacturers, and more,” Cybereason said in a report.

Most recently the RaaS syndicate added Elbit Systems of America, a manufacturer of defense, aerospace, and security solutions, to its list of victims.

Similar to other ransomware operations, Black Basta is known to employ the tried-and-tested tactic of double extortion to plunder sensitive information from the targets and threaten to publish the stolen data unless a digital payment is made.

Intrusions involving the threat have also leveraged QBot as a conduit to maintain persistence on the compromised hosts and harvest credentials, before moving laterally across the network and deploying the file-encrypting malware

The Black Basta group is suspected to have been formed from the remnants of the Conti Group, an infamous ransomware group which decreased its activity after increased law enforcement scrutiny.

The Conti Group has denied involvement and last week shut down their last remaining public-facing infrastructure

According to a comprehensive report from Group-IB detailing its activities, the Conti group is believed to have victimized more than 850 entities since it was first observed in February 2020.

Dubbed “ARMattack” by the Singapore-headquartered company, the intrusions were primarily directed against U.S. organizations (37%), followed by Germany (3%), Switzerland (2%), the U.A.E. (2%), the Netherlands, Spain, France, the Czech Republic, Sweden, Denmark, and India (1% each).

“Conti’s increased activity and the data leak suggest that ransomware is no longer a game between average malware developers, but an illicit RaaS industry that gives jobs to hundreds of cybercriminals worldwide with various specializations,” Group-IB’s Ivan Pisarev said.

The post Cybersecurity Experts Warn of Emerging Threat of “Black Basta” Ransomware appeared first on IT Security Guru.

Police from South America and Europe have teamed up to take action against an organised crime group involved in human trafficking for sexual exploitation.

Between the 20th and 23rd June, the police swooped on 14 locations, arrested 10 and interviewed eight victims. Among the items seized in the searches were vehicles, hard drives, electronic equipment, over 40 mobile phones, SIM cards, payment cards, and documents.

Europol supported the French Border Police, the Portuguese Judicial Police, the Spanish National Police, and the Brazilian Federal Police during the operation, which saw coordinated raids in France, Spain and Portugal.

Europol said, “the criminal network is suspected to have exploited more than 100 victims, advertising them on specialized websites and managing their online accounts. They rented apartments and hotel rooms by the week, which were used for the sexual exploitation activities.”

“Investigators identified close to 60 such locations in France. It is estimated that the criminal network earned about €120,000 per month.”

The operation appears to have been well-organised internationally, with suspects using a “complex financial scheme” to direct their profits from France via Spanish, Belgian and Portuguese banks to Brazil. Here the money could be laundered more easily, according to reports.

Financial institutions are required by global regulations to track the unusual movement of money like this, which may indicate larger scale criminal activity such as human trafficking and sexual exploitation.

Apparently, an estimated 50% of this activity goes undetected, with 76% of banking professionals polled by BAE Systems Digital Intelligence believing that compliance has become a tick-box exercise.

The post Global Police Operation Cracks Down on Widespread Criminal Activity appeared first on IT Security Guru.

Jim is a veteran of cybersecurity. He has founded four successful companies, held senior positions at both Juniper and Akamai technologies, and now serves as CEO of Lookout. 

Lookout was founded in 2007 as an endpoint security service, but the acquisition of CipherCloud in March of 2021 marked the beginning of the company’s expansion into cloud security. Since then, Lookout has already facilitated huge advances within the cloud security sector. 

“Cloud security revolves around companies moving data and workloads into the cloud, our focus is securing the private data centres that store said data. Traditionally, the three elements of cloud security – software as a service (SaaS), enterprise applications that have been moved into the cloud, and traditional web access – are secured by three separate applications: Cloud Access Security Brokers (CASB), VPNs and zero trust technology, and secure web gateways respectively. Lookout and some other forward-thinking vendors have consolidated those applications into a single platform, defined by Gartner as a Security Service Edge (SSE),” Jim said. 

While Lookout isn’t the only company that has recognised the value of SSEs, Jim firmly believes that not only is his platform superior, but the company’s approach to cloud security as a whole is unique. 

“We are of the opinion that data is the most important thing in our business, and that our data-centric approach differentiates us from our competitors. We are unique in our conviction that security should be about data protection. A huge part of our business model lies in data loss protection (DLP) and encryption, and our primary focus is protecting key data in the cloud. This, combined with our common platform, sets us apart from any other vendor in the cloud security space,” he said. 

Looking to the future, Jim sees cloud security as the emerging trend in cybersecurity. He argues that COVID-19 and the shift to remote working accelerated the move to the cloud by as much as five years, with the security industry still playing catch up. 

“When the world first went into lockdown, IT professionals scrambled to move as much data as possible onto the cloud as fast as they could – this was necessary for business continuity as employees were forced to work from home. It’s important to remember that the work from home revolution was supported almost entirely by the cloud. Now that the dust has settled, we believe it’s essential that we shift our focus back to security.” 

Jim also believes that the impacts of regulations such as GDPR will only continue to grow in significance as organisations settle into their use of the cloud. 

“Let me give you an example of how important cloud security is now. Some of our customers are hospitals, and during the pandemic they had to move patient health records into the cloud. While this is great for accessibility, organisation and cost effectiveness, the move into the cloud exposed vast quantities of sensitive patient data – we cannot go any longer without addressing these issues, and that’s where Lookout comes in,” he said. 

Aside from cloud security, Jim says that identity management is a key facet of Lookout’s future. Just this month Lookout acquired SaferPass, a password management company, with the intent of providing both endpoint and cloud security, alongside identity management as a holistic package, particularly to midsize businesses. 

The post A conversation with Jim Dolce, CEO of Lookout appeared first on IT Security Guru.

On Tuesday President Biden signed two pieces of legislation into law which were aimed at enhancing the cybersecurity capabilities of federal, state and local governments.

The signing was preceded by an earlier law which increased the ability of the federal government to collect data about cyberattacks.

These laws are a direct response to the marked increase in cybersecurity attacks following the Covid-19 pandemic and the rise in the digital marketplace as well as the infamous SolarWinds hack which compromised nine federal agencies.

Portions of the new law address cybercrime by establishing a program, the Federal Rotational Cyber Workforce Program Act, to allow cybersecurity professionals to rotate through multiple federal agencies and enhance their expertise. 

The bill also requires the Office of Personnel Management (OPM) to distribute lists of open positions in the program to government employees annually.

The second signed law is the State and Local Government Cybersecurity Act which requires the National Cybersecurity and Communications Integration Center to share security tools and protocols with state, local, tribal and territorial governments.

“For hackers, state and local governments are an attractive target — we must increase support to these entities so that they can strengthen their systems and better defend themselves from harmful cyber-attack,” Rep. Joe Neguse (D-Colo.), who introduced the bill, said in a statement after the House’s passage.

The post Biden signs cyber bills into law appeared first on IT Security Guru.

A “dangerous piece of functionality” has been discovered in Microsoft 365 suite that could be potentially abused by a malicious actor to ransom files stored on SharePoint and OneDrive and launch attacks on cloud infrastructure.

The cloud ransomware attack allows file-encrypting malware to launch and “encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker,” according to a Proofpoint report.

The infection sequence can be carried out using a combination of Microsoft APIs, PowerShell scripts, and command-line interface (CLI) scripts.

The attack relies on a Microsoft 365 featured called AutoSave that creates copies of older file versions as and when users make edits to a file stored on SharePoint Online or OneDrive.

It uses unauthorised access to target a user’s SharePoint Online or OneDrive account, followed by abusing the access to exfiltrate and encrypt files. The three most common avenues to obtain the initial foothold involve directly breaching the account via phishing or brute-force attacks, taking over the web session of a logged-in user, or tricking a user into authorising a rogue third-party OAuth application.

The encryption phase in this attack requires locking each file on SharePoint Online or OneDrive more than the permitted versioning limit.

By leveraging the access to the account, an attacker can either create too many versions of a file or reduce the version limit of a document library to a low number such as ‘1’ and then proceed to encrypt each file.

The researchers said, “Now all original (pre-attacker) versions of the files are lost, leaving only the encrypted versions of each file in the cloud account… At this point, the attacker can ask for a ransom from the organization.”

Microsoft noted that older versions of the files can potentially be recovered and restored for an additional 14 days with the assistance of Microsoft Support, however Proofpoint found this unsuccessful.

A Microsoft spokesperson told The Hacker News publication that: “This technique requires a user to have already been fully compromised by an attacker. We encourage our customers to practice safe computing habits, including exercising caution when clicking on links to webpages, opening unknown file attachments, or accepting file transfers.”

To avoid such attacks, it is recommended to use a strong password police, prevent large-scale data downloads to unmanaged devices, mandate multi-factor authentication (MFA), and maintain periodic external backups of cloud files with sensitive data.

Microsoft drew attention to a OneDrive ransomware detection feature that notifies Microsoft 365 users of a potential attack and allows victims to restore their files. Microsoft is also encouraging their business customers to use conditional access to block or limit access to SharePoint and OnePoint content from unmanaged devices.

Proofpoint said: “Files stored in a hybrid state on both endpoint and cloud such as through cloud sync folders will reduce the impact of this novel risk as the attacker will not have access to the local/endpoint files… To perform a full ransom flow, the attacker will have to compromise the endpoint and the cloud account to access the endpoint and cloud-stored files.”

The post Microsoft Office 365 Feature Could Help Ransomware Attackers Infiltrate Cloud Files appeared first on IT Security Guru.

Israeli cybersecurity company Check point said in a report that they had found a threat cluster, tied to the hacking group Tropic Trooper, which had been spotted using a previously undocumented malware coded in Nim language.

Tropic Trooper, also known by the monikers Earth Centaur, KeyBoy, and Pirate Panda, has a track record of striking targets located in Taiwan, Hong Kong, and the Philippines, primarily focusing on government, healthcare, transportation, and high-tech industries.

The novel malware, dubbed Nimbda, is “bundled with a Chinese language greyware ‘SMS Bomber’ tool that is most likely illegally distributed in the Chinese-speaking web” and is being used to strike targets as part of a newly discovered campaign.

“Whoever crafted the Nim loader took special care to give it the same executable icon as the SMS Bomber that it drops and executes,” the researchers said. “Therefore the entire bundle works as a trojanized binary.”

An SMS Bomber is a technique which, as the name mentions, renders a phone number unusable via a barrage of denial-of-service (Ddos).

The latest attack began with the tampered SMS Bomber tool which launched an embedded executable while also injecting a separate piece of shell-code in a notepad.exe process.

This initial attack kicks of an infection process where the infected program downloads a next-stage binary from an obfuscated IP address specified in a markdown file that’s hosted in an attacker-controlled GitHub or Gitee repository.

The retrieved binary is an upgraded version of a trojan named Yahoyah that’s designed to collect information about local wireless networks in the victim machine’s vicinity as well as other system metadata and exfiltrate the details back to a command-and-control (C2) server.

“The observed activity cluster paints a picture of a focused, determined actor with a clear goal in mind,” the researchers concluded.

The post Chinese Hackers Distributing SMS Bomber Tool with Malware Hidden Inside appeared first on IT Security Guru.

Cybersecurity officials from the Computer Emergency Response Team of Ukraine (CERT-UA) exposed two new hacking campaigns against targets there this week.

One utilized a phony tax collection document purportedly sent by the national tax agency and the other using a malicious document that discussed the threat of nuclear attack from Russia.

The officials warned that malicious Microsoft Word documents were being distributed by emails supposedly from the State Tax Service of Ukraine.

Once opened, the malware would load a Cobalt Strike Beacon which gives an attacker a connection to target systems and enabling other malicious behavior.

The new hacking campaigns have been linked to a group known as UAC-0098 which has been blamed for other Ukrainian entities in the wake of the Russian invasion on February 24.

The campaigns also show links to TrickBot, a known malware variant associated with various Russian cybercrime groups.

“According to the set of characteristic features, we consider it possible to associate the detected activity with the activities of the APT28 group,” the agency said. APT28, also known as Fancy Bear, is a well-known Russian military intelligence hacking crew.

Ukraine’s State Service of Special Communications and Information Protection said in a statement on its website that the campaign targeted unspecified critical infrastructure within Ukraine.

The post Ukrainian cybersecurity officials disclose two new hacking campaigns appeared first on IT Security Guru.

Malwarebytes announced in a Tuesday analysis that two malware domains of the newly discovered Magecart skimming campaign, “scanalytic[.]org” and “js.staticounter[.]net” , are part of a broader infrastructure used to carry out intrusions.

The earliest evidence of the campaign’s activity, based on the additional domains uncovered, suggests it dates back to at least May 2020.

Jérôme Segura, director of Threat Intelligence at Crunchbase said: “We were able to connect these two domains with a previous campaign from November 2021 which was the first instance to our knowledge of a skimmer checking for the use of virtual machines.”

Magecart is a cybercrime syndicate that specializes in cyberattacks on e-commerce storefronts and is composed of dozens of subgroups. Their trademark involved digital credit card theft by injecting JavaScript code.

It is unclear if Magecart is an organization with direction or simply unconnected groups who use the same method of attack.

In 2015 the attacks gained notoriety for singling out the Magneto commerce platform. Since then the syndicate has expanded to a notable WordPress plugin named WooCommerce.

WordPress has emerged as the top CMS platform for credit card skimming malware with skimmers concealed in the website in the form of fake images and JavaScript theme files.

“Attackers follow the money, so it was only a matter of time before they shifted their focus toward the most popular e-commerce platform on the web,” Sucuri’s Ben Martin noted.

The post Newly Discovered Magecart Infrastructure Reveals the Scale of Ongoing Campaign appeared first on IT Security Guru.

Researchers at SentinelLabs announced on June 9th that they had identified a small but potent APT (Advanced Persistent Threat) with links to the Chinese state.

Researchers say one of the tactics and techniques of Aoqin Dragon include using pornographic themed malicious documents as bait to entice victims to download them.

The APT, named Aoqin Dragon by researchers, has flown under the radar for nearly a decade by using evolving stealth tactics.

In the first years of recorded operation, Aoqin Dragon relied on exploiting old vulnerabilities – specifically, CVE-2012-0158 and CVE-2010-3333 – which potential targets may have not yet addressed.

Since 2018, Aoqin Dragon has utilized fake removable devices as their infection vector. This functions when a user clicks to open what seems to be a removable device folder and then they in fact initiate a chain reaction which downloads a backdoor and C2 connection to their machine.

Not only that, the malware copies itself to any actual removable devices connected to the host machine, in order to continue its spread beyond the host and, hopefully, into the target’s broader network.

They’ve used DNS tunneling – manipulating the internet’s domain name system to sneak data past firewalls. One backdoor leverage – known as Mongall – encrypts communication data between host and C2 server.

Targets have tended to fall in just a few buckets – government, education and telecoms, all in and around Southeast Asia. Researchers assert “the targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests.”

Mike Parkin, senior technical engineer at Vulcan Cyber, wrote in a statement. “Properly identifying and tracking State and State Sponsored threat actors can be challenging. SentinelOne releasing the information now on an APT group that has apparently been active for almost a decade, and doesn’t appear in other lists, shows how hard it can be ‘to be sure’ when you’re identifying a new threat actor.”

The post China-linked APT Flew Under Radar for Decade appeared first on IT Security Guru.

Security researchers have discovered a new malicious spam campaign that delivers the ‘Matanbuchus’ malware to drop Cobalt Strike beacons on compromised machines.

Cobalt Strike is a penetration testing suite that is frequently used by threat actors for lateral movement and to drop additional payloads.

First spotted in February 2021 in advertisements on the dark web, Matanbuchus is a malware-as-a-service (MaaS) project that was promoted as a $2,500 loader that launches executables directly into system memory.

Palo Alto Networks’ Unit 42 analysed the malware in June 2021 and mapped extensive parts of its operational infrastructure. The malware’s features include launching PowerShell commands, establishing persistence via the addition of task schedules, and leveraging standalone executables to load DLL payloads.

Threat analyst Brad Duncan captured and examined (in a lab environment) a sample of the malware.

The malspam campaign uses lures that pretend to be replies to previous email conversations, so they feature a ‘Re:’ in the subject line.

These emails carry a ZIP attachment that contains an HTML file that generates a new ZIP ar5chive. This then extracts an MSI package digitally signed with a valid certificate issued by DigiCert for “Westeast Tech Consulting Corp.”

Running the MSI installer supposedly initiates an Adobe Acrobat font catalogue update that ends with an error message, aiming to distract the victim.

In the background, two Matanbuchus DLL payloads (“main.dll”) are dropped in two different locations, a scheduled task is created to maintain persistence across system reboots, and communication with the command and control (C2) server is established.

Finally, the malware loads the Cobalt Strike payload from the C2 server.

Cobalt Strike as a second-stage payload in Matanbuchus malspam campaign was first reported by DCSO, a German security company, on 23rd May 2022. The also noticed that Qakbot was also delivered in some cases.

Duncan has also posted on his website traffic samples, artefacts, indicators of compromise (IoCs), and examples.

The post New Phishing Attack Infects Devices With Cobalt Strike appeared first on IT Security Guru.

A former software engineer at Amazon Web Services was convicted of wire fraud and computer intrusions in the U.S. for her role in the 2019 theft of personal data of nearly 100 million people in the Capital One Data Breach.

Paige Thomson was found guilty of wire fraud and five counts of unauthorized access to a protected computer and damaging a protected computer.

She was acquitted of other charges which included aggravated identity theft and access device fraud.

The incident in question was the 2019 Capital One data breach where the personal information of 100 million credit card applicants in the United States and 6 million in Canada was released to ransomers.

The information included names, dates of birth, Social Security numbers, email addresses and phone numbers.

Capital One has since assured its customers that “no credit card account numbers or log-in credentials were compromised” and that more than 99% of the Social Security numbers that the company has on file weren’t affected.

Thomson was accused of using a custom tool to located misconfigured Amazon Web Service servers and using these servers to siphon out data as well as to plant cryptocurrency mining software.

“She wanted data, she wanted money, and she wanted to brag,” Assistant U.S. Attorney Andrew Friedman told the jury in the closing arguments, according to a press statement from the Justice Department.

In December 2021, Capital One agreed to pay $190 million to settle a class action lawsuit regarding the data breach.

The post Former Amazon Employee Found Guilty in 2019 Capital One Data Breach appeared first on IT Security Guru.

The post UK Government Proposes New Post-Brexit Data Laws appeared first on IT Security Guru.

Cato Networks, a Tel-Aviv based network security company, announced on Tuesday that it was going to be adding network-based capabilities to their Cato SASE cloud product.

The Cato SASE Cloud (secure access service edge) was born out of the explosion of remote users and Software as a Service (SaaS) applications. From this came a need for better network-based security. 

SASE combines wide-area networking (WAN) with network security services and, in a world first, Cato turned them into a single cloud-based security system.

Using intuitive algorithms and deep network insight, Cato SASE cloud detects and prevents the spread of ransomware across the enterprise without having to deploy endpoint agents. 

“Ransomware protection has become job one for every CISO and CIO, but too often enterprise defense strategies remain vulnerable whether by threat actors bypassing endpoint defenses or by manipulating insiders to spread ransomware,” says Etay Maor, senior director of security strategy at Cato Networks.

“By identifying ransomware by its underlying network characteristics, security teams can protect the enterprise regardless of the threat vector.”

Cato researchers adapted their algorithms through rigorous training of their product, testing their work against Cato’s massive data warehouse, a data lake of end-to-end attributes for all traffic flows processed by the Cato SASE Cloud. 

Now, the Cato SASE cloud can inspect all server message block (SMB), the protocol Microsoft uses to share files and folders, for ransomware.

Once trained, the algorithms monitor traffic flows that contain file properties, shared volume access data, network behavior, and time intervals for malware. Once the malware is detected, it is cordoned off from other machines and the customer is notified.

The post Cato SASE Cloud Updated to Allow for Network-based Security appeared first on IT Security Guru.

A researcher has created a website that uses your installed Google Chrome extensions to generate a fingerprint (or tracking hash) of your device that can be used to track you digitally.

Digital fingerprints can be used based on various characteristics of a device connecting to a website, including GPU performance, installed Windows applications, hardware configuration, a device’s screen resolution, and installed fonts. It is then possible to track a device across websites using the same method.

Over the weekend, web developer ‘z0ccc’ shared a new fingerprinting site called ‘Extension Fingerprints’ that generates a tracking hash based on a browser’s installed Google Chrome extensions.

It is possible to declare certain assets as ‘web accessible resources’ that other extensions or web pages can access, when creating a Chrome browser extension.

These resources are typically image files, which are declared using the ‘web_accessible_resources’ property in a browser extension’s manifest file.

Disclosed in 2019, it is possible to use web-accessible resources to check for installed extensions and then generate a fingerprint of a visitor’s browser based on the combination of extensions found.

Z0ccc says, in order to prevent detection, that some extensions use a secret token that is required to access a web resource. The researcher has discovered a ‘Resource timing comparison’ method that can be used to detect if the extension is installed.

Z0ccc explained on the project’s GitHub page that, “resources of protected extensions will take longer to fetch than resources of extensions that are not installed. By comparing the timing differences you can accurately determine if the protected extensions are installed.”

To illustrate the method, z0ccc created an Extension Fingerprints website that will check a visitor’s browser for the existence of web-accessible resources in over 1000 popular extensions available on the Google Chrome Web Store. Some of the extensions identified by the site include uBlock, LastPass and Rakuten.

Based on the combination of installed extensions, the website will generate a hacking hash that can be used to track that particular browser.

Adding other characteristics to the fingerprinting model can further refine the fingerprint, making the hashes unique per user.

The Extensions Fingerprints site only works with Chromium browsers installing extensions from the Chrome Web Store. This method will work with Microsoft Edge, however it would need to be modified to use extension IDs from Microsoft’s extension store.

The method does not work with Mozilla Firefox add-ons as Firefox extension IDs are unique for ever browser instance.

Z0ccc’s tests showed that uBlock is the most common extension fingerprint installed.

Z0ccc said, “by far the most popular is having no extensions installed. As previously said I do not collect specific extension data but in my own testing it seems that having only uBlock installed is a common extension fingerprint.”

“Having 3+ detectable extensions installed seems to always make your fingerprint very unique.”

Extension Fingerprints has been released as an open-source React project on GitHub, allowing anyone to see how to query for the presence of installed extensions.

The post Google Chrome Extentions Can Be Fingerprinted to Track Users Digitally appeared first on IT Security Guru.

Lookout has announced the discovery of an enterprise-grade Android surveillanceware currently used by the government of Kazakhstan within its borders. Lookout researchers also found evidence of deployment of the spyware – which Lookout researchers have named “Hermit” – in Italy and in northeastern Syria.  

Hermit is likely developed by Italian spyware vendor RCS Lab S.p.A. and Tykelab Srl, a telecommunications solutions company that may be operating as a front company. RCS Lab, a known developer that has past dealings with countries such as Syria, operates in the same market as Pegasus developer NSO Group Technologies and Gamma Group, which created FinFisher. This discovery appears to mark the first time that a current client of RCS Lab’s mobile spyware has been publicly identified. 

Hermit is a modular surveillanceware that hides its malicious capabilities in packages downloaded after it has been deployed. Researchers were able to obtain and analyze 16 of the 25 known modules. The modules, along with the core malware’s permissions, enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages. 

“This discovery gives us an in-depth look into a spyware vendor’s activities and how sophisticated app-based spyware operates,” said Justin Albrecht, Threat Intelligence researcher at Lookout. “Based on how customizable Hermit is, including its anti-analysis capabilities and even the way it carefully handles data, it’s clear that this is well-developed tooling designed to provide surveillance capabilities to nation-state customers. What’s also interesting is that we were able to confirm Kazakhstan as a probable current customer of RCS Lab. It’s not often that you are able to identify a spyware vendor’s clientele.” 

Lookout researchers theorize that the spyware is distributed via SMS messages pretending to come from a legitimate source. The malware samples analyzed impersonated the applications of telecommunications companies or smartphone manufacturers. Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background. 

The post Lookout Discovers Android Spyware Deployed in Kazakhstan appeared first on IT Security Guru.

A German Green Party spokesperson told POLITICO that email accounts belonging to the party had been compromised in a cybersecurity incident.

Omid Nouripour and Ricarda Lang, the party’s co-leaders, were among the hacking victims, in which some messages were forwarded to external servers. Additionally, German magazine Der Spiegel reported Thursday that the attack also affected the party’s intranet IT system “Grüne Netz” where it exchanges confidential information.

The party spokesperson added “more than these email addresses are affected. It is about emails with the domain ‘@gruene.de’.” The spokesperson declined to say whether German government officials were also affected.

The email accounts were not fully infiltrated and hackers had no direct access. Only the communications of compromised accounts were automatically forwarded.

The attacks were discovered initially discovered by the party’s IT service provider. The party informed authorities and field a legal complaint on May 30.

The post German Green Party’s Emails Compromised by Hackers appeared first on IT Security Guru.

Content management system (CMS) provider WordPress has forcibly updated over a million sites in order to patch a critical vulnerability affecting the Ninja Forms plugin.

The Wordfence threat intelligence team spotted the flaw in June and documented it in an advisory by the company on Thursday.

The document said that the code injection vulnerability made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including one that resulted in Object Injection.

The post read, “we determined that this could lead to a variety of exploit chains due to the various classes and functions that the Ninja Forms plugin contains.”

“One potentially critical exploit chain, in particular, involves the use of the NF_Admin_Processes_ImportForm class to achieve remote code execution via deserialization, though there would need to be another plugin or theme installed on the site with a usable gadget.”

The researchers also stated that there was some evidence suggesting the vulnerability was being actively exploited in the wild.

“As such, we are alerting our users immediately to the presence of this vulnerability.”

After being notified of the issue, WordPress released a patch that was automatically applied to sites running the following versions of the plugin: 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4 and 3.6.11.

Wordfence warned, “nonetheless, we strongly recommend ensuring that your site has been updated to one of the patched versions as soon as possible since automatic updates are not always successful.”

The company also said it would update the text of the advisory as they learn more about the types of explicit chains attackers are using to take advantage of this vulnerability.

Back in February, researchers found a bug in another popular WordPress plugin, UpDraft Plus, affecting more than three million websites.

The post WordPress Update Millions of Sites to patch a Critical Vulnerability Affecting the Ninja Forms Plugin appeared first on IT Security Guru.

A man from California was sentenced to time in prison on Wednesday after being found guilty of hacking thousands of iCloud accounts, stealing people’s nude images and videos and sharing them with conspirators.

Hao Huo Chi acted under the online name of ‘icloudripper4you’. He would have illegally obtained the iCloud account credentials of approximately 4700 victims and shared their content with other people on more than 300 occasions.

US District Judge Kathryn Kimball Mizelle sentenced Chi to nine years in federal prison for conspiracy and computer fraud. Chi pleaded guilty last October.

Attorney Roger Hanberg said, “Chi victimized hundreds of women across the country, making them fear for their safety and reputations.”

“This sentence reflects the resolve of the U.S. Attorney’s Office to hold cybercriminals responsible for their crimes.”

Chi operated for several years on Anon-IB, an ‘anonymous image’ sharing website designed to encourage users to post explicit or sexual photos, according to documents obtained by the court.

The man allegedly used an unnamed foreign-based, end-to-end encrypted email service to share images with his conspirators, some of whom released the personal images into the public sphere.

Anon-IB has since been taken offline, but, during his time on the site, Chi reportedly collected around 3.5 TB of victim data on both physical and cloud storage, containing content stolen from more than 500 victims.

David Walker, the FBI Tampa Division Special Agent in Charge, said, “this man led a terror campaign from his computer, causing fear and distress to hundreds of victims.”

“The FBI is committed to protecting the American people by exposing these cybercriminals and bringing them to justice.”

A similar case took place in October 2021, when IT specialist Justin Sean Johnson admitted using his professional technical skills to hack thousands of University of Pittsburgh Medical Centre (UPMC) employees’ online accounts, including iClouds.

The post US Man Sentenced to Nine Years in Prison After Hacking Thousands of iCloud Accounts appeared first on IT Security Guru.

A sophisticated Chinese advanced persistent threat (APT) actor exploited a critical security vulnerability in Sophos’ firewall product that came to public attention earlier this year to infiltrate an unnamed South Asian target as part of a highly-targeted attack.

Volexity said in a report, “the attacker implement[ed] an interesting web shell backdoor, create[d] a secondary form of persistence, and ultimately launch[ed] attacks against the customer’s staff… These attacks aimed to further breach cloud-hosted web servers hosting the organization’s public-facing websites.”

The zero-day flaw is tracked as CVE-2022-1040 (CVSS score: 9.8), and concerns an authentication bypass vulnerability that can be weaponised to execute arbitrary code remotely. The flaw affects Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier.

Volexity issued a patch for the flaw on 25th March 2022. They noted that the flaw was abused to “target a small set of specific organisations primarily in the South Asia region” and that it had notified the affected entities directly.

According to the cybersecurity firm, evidence of exploitation of the flaw commenced on 5th March 2022, when it detected anomalous network activity origionating from an unnamed customer’s Sophos Firewall running the then up-to-date version. Nearly three weeks later the vulnerability was disclosed to the public.

Volexity said, “the attacker was using access to the firewall to conduct man-in-the-middle (MitM) attacks… The attacker used data collected from these MitM attacks to compromise additional systems outside of the network where the firewall resided.”

The infection sequence post the firewall breach further entailed backdooring a legitimate component of the security software with the Behinder web shell that could be remotely accessed from any URL.

The Behinder web shell was also leveraged earlier this month by Chinese APT groups in a separate set of intrusions exploiting a zero-day flaw in Atlassian Confluence Server systems (CVE-2022-26134).

The attacker is said to have created VPN user accounts to facilitate remote access. They then modified DNS reponses for specially targeted websites, primarily the victim’s content management system (CMS) with the goal of intercepting session cookies and user credentials.

The access to session cookies equipped the malicious party to take control of the WordPress site and install a second web shell named IceScorpion, with the attacker using it to deploy three open-source implants on the web server, including PupyRAT, Pantegana, and Silver.

“DriftingCloud is an effective, well equipped, and persistent threat actor targeting five poisons-related targets. They are able to develop or purchase zero-day exploits to achieve their goals, tipping the scales in their favour when it comes to gaining entry to target networks.”

The post Chinese Hackers Exploited Critical Security Vulnerability in Sophos Firewall appeared first on IT Security Guru.