May 07 2021

Data leak implicates over 200,000 people in Amazon fake product review scam

Category: Cybercrime,Web SecurityDISC @ 12:46 am
screenshot-2021-05-06-at-10-13-14.png

There is an ongoing battle between the e-commerce giant and dubious sellers, worldwide, who wish to hamstring competitors and gain an edge by generating fake reviews for their products. 

This can include paying individuals to leave a glowing review or by offering free items in return for positive, public feedback. 

How they operate and stay under Amazon’s radar varies, but an open ElasticSearch server has exposed some of the inner workings of these schemes. 

On Thursday, Safety Detectives researchers revealed that the server, public and online, contained 7GB of data and over 13 million records appearing to be linked to a widespread fake review scam. 

It is not known who owns the server but there are indicators that the organization may originate from China due to messages written in Chinese, leaked during the incident. 

The database contained records involving roughly 200,000 – 250,000 users and Amazon marketplace vendors including user names, email addresses, PayPal addresses, links to Amazon profiles, and both WhatsApp and Telegram numbers, as well as records of direct messages between customers happy to provide fake reviews and traders willing to compensate them. 

According to the team, the leak may implicate  “more than 200,000 people in unethical activities.”

The database, and messages contained therein, revealed the tactics used by dubious sellers. One method is whereby vendors send a customer a link to the items or products they want 5-star reviews for, and the customer will then make a purchase. 

Several days after, the customer will leave a positive review and will send a message to the vendor, leading to payment via PayPal — which may be a ‘refund,’ while the item is kept for free. 

As refund payments are kept away from the Amazon platform, it is more difficult to detect fake, paid reviews. 

Data leak implicates over 200,000 people in Amazon fake product review scam

Tags: Amazon fake product review scam

May 01 2021

Identifying People Through Lack of Cell Phone Use

Category: Cybercrime,Smart PhoneDISC @ 11:46 am
Identifying People Through Lack of Cell Phone Use

But Faïd’s true mentors were the criminals he’d grown up idolizing onscreen. “He had a phenomenal memory,” his brother Abdeslam tells me. “And he was completely immersed in movies.” Abdeslam recalls an eight-year-old Rédoine returning home from a matinee of the 1975 French crime film Peur Sur la Ville (released in the U.S. as The Night Caller), starring Jean-Paul Belmondo, and enchanting their mother and his siblings with a scene-by-scene reenactment. “I’d seen the film,” Abdeslam says, “and his version was just as I remembered it.”

his former lawyer, Raphael Chiche, explained on French television in a documentary about Faïd. “He had to create his own methodology. What better way than movies to get inspired and learn the operational modes of criminality?”

The foresight with which Faïd planned these robberies led his associates to give him a nickname—Doc, after Doc McCoy, Steve McQueen’s character in 1972’s The Getaway, a bank robber on the run who, like Faïd, has a preternatural ability to visualize how jobs will play out. McCoy also made a habit of carrying out “thoughtful hits,” Faïd explains to me. “He had to rob in a precise and neat way.” Faïd likewise stresses the neatness of his own robberies. As he puts it, he executed his hits “as gentlemanly as possible.” He wants to be known as a master thief who took careful precautions to avoid acts of violence.

In this entertaining story of French serial criminal Rédoine Faïd and his jailbreaking ways, there’s this bit about cell phone surveillance:

A police notice issued after Fad's July 2018 escape from Rau which launched the largest manhunt in French history.

Tags: cell phones, crime, France, prison escapes, prisons

Apr 19 2021

Alarming Cybersecurity Stats: What You Need To Know For 2021

Category: Cyber Attack,Cyber Espionage,Cyber maturity,Cyber resilience,cyber security,Cyber Strategy,Cyber surveillance,Cyber Threats,Cyber War,Cybercrime,Cyberweapons,Information SecurityDISC @ 8:46 am
Cyber Attack A01

The year 2020 broke all records when it came to data lost in breaches and sheer numbers of cyber-attacks on companies, government, and individuals. In addition, the sophistication of threats increased from the application of emerging technologies such as machine learning, artificial intelligence, and 5G,  and especially from greater tactical cooperation among hacker groups and state actors. The recent Solar Winds attack, among others,  highlighted both the threat and sophistication of those realities.

The following informational links are compiled from recent statistics pulled from a variety of articles and blogs. As we head deeper into 2021, it is worth exploring these statistics and their potential cybersecurity implications in our changing digital landscape.

To make the information more useable, I have broken down the cybersecurity statistics in several categories, including Top Resources for Cybersecurity Stats, The State of Cybersecurity Readiness, Types of Cyber-threats, The Economics of Cybersecurity, and Data at Risk.

There are many other categories of cybersecurity that do need a deeper dive, including perspectives on The Cloud, Internet of Things, Open Source, Deep Fakes, the lack of qualified Cyber workers, and stats on many other types of cyber-attacks. The resources below help cover those various categories.

Top Resources for Cybersecurity Stats:

If you are interested in seeing comprehensive and timely updates on cybersecurity statistics, I highly recommend you bookmark these aggregation sites:

 300+ Terrifying Cybercrime and Cybersecurity Statistics & Trends (2021 EDITION) 300+ Terrifying Cybercrime & Cybersecurity Statistics [2021 EDITION] (comparitech.com)·        

The Best Cybersecurity Predictions For 2021 RoundupWhy Adam Grant’s Newest Book Should Be Required Reading For Your Company’s Current And Future LeadersIonQ Takes Quantum Computing Public With A $2 Billion Deal

134 Cybersecurity Statistics and Trends for 2021 134 Cybersecurity Statistics and Trends for 2021 | Varonis

 2019/2020 Cybersecurity Almanac: 100 Facts, Figures, Predictions and Statistics  (cybersecurityventures.com)

Source: The State of Cybersecurity Readiness:

Cyber-Security Threats, Actors, and Dynamic Mitigation

Related article:

Top Cyber Security Statistics, Facts & Trends in 2022

👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: Cybersecurity Stats

Mar 22 2021

Details of a Computer Banking Scam

Category: CybercrimeDISC @ 11:09 pm
Details of a Computer Banking Scam

Types Of Online & Banking Frauds And How To Be Safe ?: Online Banking Scams and tips to be safe by [Sayed Mahboob Hasan Hashmi]

Tags: Computer Banking Scam

Mar 22 2021

FCC Boots Chinese Telecom Companies, Citing Security

Category: Cyber Attack,Cyber Communication,Cyber Espionage,cyber security,Cyber Spy,Cyber surveillance,Cyber Threats,Cyber War,CybercrimeDISC @ 11:01 am
FCC Boots Chinese Telecom Companies, Citing Security

he Federal Communications Commission’s (FCC) Public Safety and Homeland Security Bureau on March 12 identified five Chinese companies they said posed a threat to U.S. national security. These companies are: Huawei Technologies Co., ZTE Corp., Hytera Communications Corp., Hangzhou Hikvision Digital Technology Co. and Dahua Technology Co.

The declaration, according to the FCC, is in accordance with the requirements of the Secure and Trusted Communications Networks Act of 2019, which requires the FCC to “publish and maintain a list of communications equipment and services that pose an unacceptable risk to national security or the security and safety of U.S. persons.”

In June 2020, the FCC designated both ZTE and Huawei as national security threats. “… [B]ased on the overwhelming weight of evidence, the Bureau has designated Huawei and ZTE as national security risks to America’s communications networks—and to our 5G future,” said then-FCC chairman Ajit Pai. Pai continued, “Both companies have close ties to the Chinese Communist Party and China’s military apparatus, and both companies are broadly subject to Chinese law obligating them to cooperate with the country’s intelligence services.  The Bureau also took into account the findings and actions of congress, the executive branch, the intelligence community, our allies, and communications service providers in other countries. We cannot and will not allow the Chinese Communist Party to exploit network vulnerabilities and compromise our critical communications infrastructure. Today’s action will also protect the FCC’s Universal Service Fund—money that comes from fees paid by American consumers and businesses on their phone bills—from being used to underwrite these suppliers, which threaten our national security.”

ZTE’s petition for reconsideration in November 2020 was immediately rejected. Huawai also petitioned for reconsideration, and their appeal was rejected in December 2020, after a few weeks of deliberation.

FCC Boots Chinese Telecom Companies, Citing Security

Tags: Chinese Telecom

Mar 22 2021

How to stay ahead of the rise of synthetic fraud

Category: Cyber Attack,Cyber Threats,CybercrimeDISC @ 9:30 am
How to stay ahead of the rise of synthetic fraud

There are a number of reasons why synthetic fraud is on the rise, but there are also actions banks and other financial institutions can take to prevent this growing trend from doing damage.

Synthetic fraud on the rise

Banks around the world have faced difficulty in recognizing this type of complex fraud. Synthetic identity fraudsters are expert cybercriminals. They make use of the dark web to acquire legitimate personal information which they then blend with falsified information. They will then use this newly formed identity to establish a positive credit report and spend or borrow until they’ve maxed out their spending abilities.

They will often have multiple synthetic identities in play simultaneously to maximize the impact of their efforts. And it is hard to detect because these synthetic identities even have genuine profiles with the credit bureaus which the fraudsters creatively engineer.

An economic environment primed for fraud

Due to the economic toll the coronavirus pandemic has taken on the world, global GDP is expected to be negative this year. As a result, there has been and will continue to be an increase in the size of the banks’ loan portfolios, as businesses that are struggling to manage working capital requirements in a challenging commercial climate seek new lines of credit. The same demand for additional credit is similarly anticipated for retail customers.

As such, it will be easier to hide fraud within an environment where there is more lending activity, a larger portfolio to monitor and more losses to recover. This environment allows criminals to hide inside the noise of economic turmoil, while financial institutions struggle to cope with the sheer volume of applications, overwhelmed with the amount of identity checking they have to undertake.

It will also become harder to differentiate between delinquencies and defaults from genuine customers in distress and deliberate attacks from fraudsters as these loans come due for repayment.

Further, more individuals may be tempted to turn to fraud to maintain their lifestyles in an environment where they’ve lost jobs, financial security and are dealing with other economic difficulties.

How to stay ahead of the rise of synthetic fraud

Tags: synthetic fraud

Mar 13 2021

The fire in the OVH datacenter also impacted APTs and cybercrime groups

Category: APT,Cybercrime,data securityDISC @ 3:24 pm
The fire in the OVH datacenter also impacted APTs and cybercrime groups

OVH, one of the largest hosting providers in the world, has suffered this week a terrible fire that destroyed its data centers located in Strasbourg. The French plant in Strasbourg includes 4 data centers, SBG1, SBG2, SBG3, and SBG4 that were shut down due to the incident, and the fire started in SBG2 one.

The fire impacted the services of a large number of OVHs’ customers, for this reason the company urged them to implement their disaster recovery plans. 

Nation-state groups were also impacted by the incident, Costin Raiu, the Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, revealed that 36% of 140 OVH servers used by various threat actors as C2 servers went offline. The servers were used by cybercrime gangs and APT groups, including Iran-linked Charming Kitten and APT39 groups, the Bahamut cybercrime group, and the Vietnam-linked OceanLotus APT.

Of course, the incident only impacted a small portion of the command and control infrastructure used by multiple threat actors in the wild, almost any group leverages on multiple service providers and bulletproof hosting to increase the resilience of their C2 infrastructure to takedown operated by law enforcement agencies with the help of security firms.
“In the top of ISPs hosting Command and control infrastructure, OVH is in the 9th position, according to our tracking data. Overall, they are hosting less than 2% of all the C2s used by APTs and sophisticated crime groups, way behind other hosts such as, CHOOPA.” Raiu told to The Reg.


“I believe this unfortunate incident will have a minimal impact on these groups operations; I’m also taking into account that most sophisticated malware has several C2s configured, especially to avoid take-downs and other risks. We’re happy to see nobody was hurt in the fire and hope OVH and their customers manage to recover quickly from the disaster.”

The fire in the OVH datacenter also impacted APTs and cybercrime groups

Tags: OVH datacenter

Mar 08 2021

UnityMiner targets unpatched QNAP NAS in cryptocurrency mining campaign

Category: Crypto,CybercrimeDISC @ 11:11 am
UnityMiner targets unpatched QNAP NAS in cryptocurrency mining campaign

Researchers at 360Netlab are warning of a cryptocurrency malware campaign targeting unpatched network-attached storage (NAS) devices.

via the unauthorized remote command execution vulnerability (CVE-2020-2506 & CVE-2020-2507)

Threat actors are exploiting two unauthorized remote command execution vulnerabilities, tracked as CVE-2020-2506 & CVE-2020-2507, in the Helpdesk app that have been fixed by the vendor in October 2020.

The flaws affect QNAP NAS firmware versions prior to August 2020.

The malware involved in the campaign was dubbed UnityMiner by 360 Netlab experts.

“On March 2, 2021, 360Netlab Threat Detection System started to report attacks targeting the widely used QNAP NAS devices via the unauthorized remote command execution vulnerability (CVE-2020-2506 & CVE-2020-2507, upon successful attack, the attacker will gain root privilege on the device and perform malicious mining activities.” reads the analysis published by 360 Netlab.

Threat actors customized the program by hiding the mining process and the real CPU memory resource usage information to hide the malicious activity to QNAP owners that could check their system usage via the WEB management interface.

The mining program is composed of unity_install.sh and Quick.tar.gz. unity_install.sh downloads, set up and execute cryptocurrency miner and hijack the manaRequest.cgi program of the NAS. Quick.tar.gz contains the miner program, the miner configuration file, the miner startup script and the forged manaRequest.cgi. Unity is an XMRig cryptocurrency miner.

360 Netlab shared its findings with the vendor on March 3rd, and due to the possible big impact, the researchers publicly disclosed the attacks.

All NAS devices with QNAP firmware released before August 2020 are currently vulnerable to these attacks. 

The experts reported 4,297,426 QNAP NAS potentially vulnerable devices exposed online, 951,486 having unique IP addresses, most of them are located in the United States, China, and Italy.

Tags: cryptocurrency mining, QNAP NAS, UnityMiner

Mar 05 2021

Ransomware empire prospers in pandemic-hit world. Attacks grow by 150%

Category: Cybercrime,RansomwareDISC @ 12:23 pm
Group-IB: ransomware empire prospers in pandemic-hit world. Attacks grow by 150%

Group-IB published a report titled “Ransomware Uncovered 2020-2021. analyzes ransomware landscape in 2020 and TTPs of major threat actors.

Group-IB, a global threat hunting and adversary-centric cyber intelligence company, has presented its new report “Ransomware Uncovered 2020-2021. The research dives deep into the global ransomware outbreak in 2020 and analyzes major players’ TTPs (tactics, techniques, and procedures).

By the end of 2020, the ransomware market, fuelled by the pandemic turbulence, had turned into the biggest cybercrime money artery. Based on the analysis of more than 500 attacks observed during Group-IB’s own incident response engagements and cyber threat intelligence activity, Group-IB estimates that the number of ransomware attacks grew by more than 150% in 2020, with many restless players having joined the Big Game Hunting last year.

In 2020, ransomware attacks on average caused 18 days of downtime for the affected companies, while the average ransom amount increased almost twofold. Ransomware operations turned into robust competitive business structures going after large enterprises, with MazeConti, and Egregor gangs having been at the forefront last year. North America, Europe, Latin America, and the Asia-Pacific became the most commonly attacked regions respectively.

To keep the cybersecurity professionals up to date with how ransomware gangs operate and help the defense teams thwart their attacks, Group-IB’s DFIR team has for the first time mapped the most commonly used TTPs in 2020 in accordance with MITRE ATT&CK®. If you are a cybersecurity executive, make sure your technical team receives a copy of this report for comprehensive threat hunting and detection tips. 

More on: Most Active Ransomware Gangs in 2020

ransomware

The growing threat of ransomware has put it in the spotlight of law enforcement. Some gangs operating under the Ransomware-as-a-Service (RaaS) model, such as Egregor and Netwalker, were impacted by the police efforts. Another notorious RaaS collective, Maze, called it quits at the end of 2020. Despite these events, the ransomware business continues prospering, with the Ransomware-as-a-Service model being of the driving forces behind this phenomenal growth. 

Ransomware empire prospers in pandemic-hit world.

Tags: Ransomware Gangs

Mar 05 2021

Fraud attempts skyrocketed in 2020 according to latest Financial Crime Report from Feedzai

Category: CybercrimeDISC @ 10:27 am
Fraud attempts skyrocketed in 2020 according to latest Financial Crime Report from Feedzai
Fraud attempts skyrocketed in 2020 according to latest Financial Crime Report from Feedzai

Feedzai, a cloud-based risk management platform, has announced its Financial Crime Report Q1, 2021. Feedzai’s data from financial transactions across the world shows a stark difference in consumer behaviour and financial crime in the Asia-Pacific (APAC) region as compared to Europe (EU) and North America (NA). A clear image appears – a hyper-digital world where east and west are in different recovery stages, reflecting different regional financial crime trends.

Overall, 2020 allowed fraudsters to rejoice at the rapid shift to digital banking and commerce while consumers got swindled by purchase, impersonation, money mule schemes, and account takeover scams.

650% Increase in Account Takeover (ATO) Scams in Q4

In an ATO attack, fraudsters obtain stolen credentials, account information, and passwords that belong to legitimate users. Once they access the account, they can transfer funds or buy goods with stolen credentials. Transfers occur when consumers move money from one account to another. The growing popularity of real-time payment functions, combined with the expansion of online banking, means that money moves quickly, and once it’s gone, it’s almost impossible to get back.

Feedzai’s fraud experts noticed an uptick of stolen credentials for sale on the dark web in 2020. The proliferation of stolen credentials, along with the exponential rise in online transactions, provided ideal conditions for fraudsters to blend in with legitimate consumer traffic without being detected.

250% Increase in Online Banking in Attempted Fraud on Online Banking

Online banking isn’t new, but it’s newly popular. There’s been a 200% increase in mobile banking, and fraudsters worked to blend in among them. Online banking experienced a 250% increase in attempted fraud. As expected, both telephone and branch fraud rates dropped to lower levels than they had been before the pandemic.

178% Fraud Rate Increase for Digital Media

In Q2 2020, during the height of global lockdowns, demand for books and streaming services such as music and movies increased. Demand remained strong in the APAC region, but NA and EU eventually returned to pre-pandemic baseline levels. The story around fraud is quite different, at least for NA and EU. In these regions, attempted fraud attacks increased a whopping 178% since January 2020.

48% Drop in Card Present Fraud Attacks; Volume Only Drops 20%

Card present transactions dropped by about 20% at the start of the pandemic and have consistently remained around that level. However, fraud attacks tumbled by an incredible 48%.

Card not present Transactions Drive 70% of Fraud Attacks

Fraudsters love CNP transactions, and without essential security measures such as machine learning, behavioral analytics, biometrics, and two-factor authentication (2FA), they likely will continue for some time to come.

Top 5 Transfer Fraud Schemes

Across the board, the pandemic was a boon for fraudsters and a burden for consumers. When it comes to transfers fraud, criminals were more drawn to the following five fraud schemes than to all others.

  1. Impersonation Scams – 23%
  2. Purchase Scams – 22%
  3. Account Takeover Scams – 22%
  4. Investment Scams – 6%
  5. Romance Scams – 3%

Top 5 Anti Money Laundering Red Flags

Tags: Cyber Frauds, Fraud attempts

Mar 02 2021

Search crimes – how the Gootkit gang poisons Google searches

Category: CybercrimeDISC @ 1:06 pm
Search crimes – how the Gootkit gang poisons Google searches

Ransomware gets the big headlines, because of the enormous blackmail demands that typically arrive at the end of ransomware attacks.

Indeed, the word “ransom” only expresses half the drama these days, because modern ransomware attacks usually involve the crooks making copies of all your data first before scrambling it.

The crooks then demand a combination payout, part ransom and part hush-money.

You’re not only paying to get the local copies of your data unscrambled, but also paying for a promise from the crooks that they’ll delete all the data they just stole instead of releasing it to the public.

But what about the very start of a ransomware attack?

Technically, that’s often a lot more interesting – and often more important, too, given that many ransomware attacks are merely the final blow to your network at the end of what may well have been an extended attack lasting days, weeks or even months.

Given the danger that arises as soon as the crooks sneak into your network, it’s as important to learn how malware gets delivered in the first place as it is to know what happens to your files when ransomware finally scrambles them.

With this in mind, SophosLabs has just published an intriguing report on a malware delivery ecosystem dubbed Gootloader.

You may have heard reference to Gootkit, a name given to the malware family of which Gootloader forms a part, because it’s been around for several years already.

But SophosLabs decided to give the initial delivery mechanism a name of its own and study it in its own right:

The Gootkit malware family has been around more than half a decade – a mature Trojan with functionality centered around banking credential theft. In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself.

In the past, Sophos and other security experts have bundled the discussion of the malware itself with analysis of the delivery mechanism, but as this method has been adopted to deliver a wider range of malicious code, we assert that this mechanism deserves scrutiny (and its own name), distinct from its payload, which is why we’ve decided to call it Gootloader.

The report goes into the sort of detail that is well worth knowing if you’re interested in how modern malware embeds and extends itself inside a network, including a discussion of so-called “fileless” attacks.

Search crimes – how the Gootkit gang poisons Google searches

Tags: Gootkit gang, poisons Google searches

Feb 28 2021

Npower shuts down app after hackers steal customer bank info

Category: Cyber Threats,Cybercrime,HackingDISC @ 11:03 pm
Npower shuts down app after hackers steal customer bank info  

Tags: Npower

Feb 26 2021

Microsoft releases open-source CodeQL queries to assess Solorigate compromise

Category: Botnet,Cyber Attack,Cyber Espionage,Cyber Spy,Cyber surveillance,Cyber Threats,Cyber War,CybercrimeDISC @ 10:54 am
Microsoft releases open-source CodeQL queries to assess Solorigate compromise

Microsoft announced the release of open-source CodeQL queries that it experts used during its investigation into the SolarWinds supply-chain attack

In early 2021, the US agencies FBI, CISA, ODNI, and the NSA released a joint statement that blames Russia for the SolarWinds supply chain attack.

The four agencies were part of the task force Cyber Unified Coordination Group (UCG) that was tasked for coordinating the investigation and remediation of the SolarWinds hack that had a significant impact on federal government networks.

The UCG said the attack was orchestrated by an Advanced Persistent Threat (APT) actor, likely Russian in origin.

According to the security experts, Russia-linked threat actors hacked into the SolarWinds in 2019 used the Sundrop malware to insert the Sunburst backdoor into the supply chain of the SolarWinds Orion monitoring product.

Microsoft, which was hit by the attack, published continuous updates on its investigation, and now released the source code of CodeQL queries, which were used by its experts to identify indicators of compromise (IoCs) associated with Solorigate.

“In this blog, we’ll share our journey in reviewing our codebases, highlighting one specific technique: the use of CodeQL queries to analyze our source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate.” reads the blog post published by Microsoft. “We are open sourcing the CodeQL queries that we used in this investigation so that other organizations may perform a similar analysis. Note that the queries we cover in this blog simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements (names, literals, etc.) or in functionality.”

Microsoft releases open-source CodeQL queries to assess Solorigate compromise

Tags: CodeQL, Solorigate compromise

Feb 25 2021

U.S. municipalities are the perfect target for cybercriminals in 2021

Category: CybercrimeDISC @ 6:50 pm
U.S. municipalities are the perfect target for cybercriminals in 2021

Tags: U.S. municipalities

Feb 25 2021

A Cryptomining botnet abuses Bitcoin blockchain transactions as C2 backup mechanism

Category: Crypto,CybercrimeDISC @ 2:42 pm
A Cryptomining botnet abuses Bitcoin blockchain transactions as C2 backup mechanism

Tags: Cryptomining botnet

Feb 22 2021

NSA Equation Group tool was used by Chinese hackers years before it was leaked online

Category: APT,Cyber Espionage,Cybercrime,HackingDISC @ 10:51 am
NSA Equation Group tool was used by Chinese hackers years before it was leaked online

The Chinese APT group had access to an NSA Equation Group, NSA hacking tool and used it years before it was leaked online by Shadow Brokers group.

Check Point Research team discovered that China-linked APT31 group (aka Zirconium.) used a tool dubbed Jian, which is a clone of NSA Equation Group ‘s “EpMe” hacking tool years before it was leaked online by Shadow Brokers hackers.

In 2015, Kaspersky first spotted the NSA Equation Group, it revealed it was operating since at least 2001 and targeted almost any industry with  sophisticated zero-day malware.

The arsenal of the hacking crew included sophisticated tools that requested a significant effort in terms of development, Kaspersky speculated the Equation Group has also interacted with operators behind Stuxnet and Flame malware. 

Based on the evidence collected on the various cyber espionage campaigns over the years, Kaspersky experts hypothesize that the National Security Agency (NSA) is linked to the Equation Group.

Jian used the same Windows zero-day exploit that was stolen from the NSA Equation Group ‘s arsenal for years before it was addressed by the IT giant. 

In 2017, the Shadow Brokers hacking group released a collection of hacking tools allegedly stolen from the US NSA, most of them exploited zero-day flaws in popular software.

One of these zero-day flaws, tracked as CVE-2017-0005, was a privileged escalation issue that affected Windows XP to Windows 8 operating systems,

“In this blog we show that CVE-2017-0005, a Windows Local-Privilege-Escalation (LPE) vulnerability that was attributed to a Chinese APT, was replicated based on an Equation Group exploit for the same vulnerability that the APT was able to access.” reads the analysis published by CheckPoint. ““EpMe”, the Equation Group exploit for CVE-2017-0005, is one of 4 different LPE exploits included in the DanderSpritz attack framework. EpMe dates back to at least 2013 – four years before APT31 was caught exploiting this vulnerability in the wild.”

Source: NSA Equation Group tool was used by Chinese hackers years before it was leaked online

Tags: Chinese hackers, NSA Equation Group tool, Spy war, Tiger trap

Feb 21 2021

Nigerian Instagram star helped North Korean hackers in $1.3B scheme

Category: Cybercrime,HackingDISC @ 12:05 am
Nigerian Instagram star helped North Korean hackers in $1.3B scheme: Feds

Nigerian Instagram star conspired with North Korean hackers to steal more than $1.3 billion from companies and banks in the U.S. and other countries, federal prosecutors said.

Ramon Olorunwa Abbas, 37, also known as “Ray Hushpuppi,” is being accused of helping three North Korean computer hackers steal the funds from companies and banks, including one in Malta, in February 2019, according to the Justice Department.

“North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” Assistant Attorney General John Demers of the Justice Department’s National Security Division said in a statement on Feb. 17.

Tags: Hushpuppi, Nigerian prince, North Korean hackers

Feb 19 2021

Experts spotted the first malware tailored for Apple M1 Chip, it is just the beginning

Category: Cyber Attack,Cybercrime,MalwareDISC @ 9:34 am
Experts spotted the first malware tailored for Apple M1 Chip, it is just the beginning

Apple launched its M1 chip and cybercriminals developed a malware sample specifically for it, the latest generation of Macs are their next targets.

The popular security researcher Patrick Wardle discovered one of the first malware designed to target latest generation of Apple devices using the company M1 chip.

The discovery suggests threat actors are tailoring their malware to target the latest generation of Mac devices using the own processors.

Wardle discovered a Safari adware extension, tracked as GoSearch22, that was initially developed to run on Intel x86 chips, and now it was adapted to run on M1 chips.

“What we do know is as this binary was detected in the wild (and submitted by a user via an Objective-See tool) …so whether it was notarized or not, macOS users were infected.” reads the analysis published by Wardle. “Looking at the (current) detection results (via the anti-virus engines on VirusTotal), it appears the GoSearch22.app is an instance of the prevalent, yet rather insidious, ‘Pirrit’ adware:”

Jan 26 2021

Ghost hack – criminals use deceased employee’s account to wreak havoc

Category: Cybercrime,Information SecurityDISC @ 12:00 pm
Ghost hack – criminals use deceased employee’s account to wreak havoc

Many, if not most, organisations will tell you that they have processes and procedures that they follow when employees leave.

In particular, most companies have a slick and quick procedure for removing ex-staff from the payroll.

Firstly, it doesn’t make economic sense to pay someone who is no longer entitled to the money; secondly, many countries require employers to withold payroll taxes automatically, to pay them in promptly, and to account for them accurately.

Why get into trouble with the tax office over former employees when you can have a simple “staff leaving” checklist that will help to keep you compliant and solvent at the same time?

Unfortunately, we’re not always quite so switched on (or, to be more precise, not quite so good at switching things off) when it comes to ex-staff and cybersecurity.

History is full of stories of havoc wreaked by ex-employees who maintained both their grudges and their paswords or access tokens after being fired or laid off.

Some of these revenge attacks have acquired legendary status, like the man from the splendidly named town of Maroochydore in Maroochy Shire in Queensland, Australia, who used insider information and a purloined computer to “hack” the council’s waste management system.

This crook quite literally, if you will pardon the expression, showered the shire with… well, with 1,000,000 litres of raw sewage, by operating all the right pumps in all the wrong ways.

As amusing as this crime sounds with 20 years of hindsight – it happened in the year 2000 – the disgruntled former contractor caused an environmental hazard, including polluting a tidal canal, that took days to clean up.

He was caught, tried and convicted of 27 counts of unauthorised computer access, and one count of wilfully and unlawfully causing serious environmental harm:

“Marine life died, the creek water turned black and the stench was unbearable for residents,” said Janelle Bryant, investigations manager for the Australian Environmental Protection Agency.

Then there was the US sysadmin who was fired in 2009 and decided to get his own back by planting keyloggers on his former employee’s network, harvesting passwords until he had access to the accounts of senior staff, and then remotely hacking into a presentation by the CEO to the board of directors.

Source: Ghost hack

Nov 08 2020

FBI: Hackers stole source code from US government agencies and private companies

Category: Cyber Attack,Cyber Espionage,Cyber Threats,Cybercrime,HackingDISC @ 2:22 pm

FBI blames intrusions on improperly configured SonarQube source code management tools.

FBI officials say that threat actors have abused these misconfigurations to access SonarQube instances, pivot to the connected source code repositories, and then access and steal proprietary or private/sensitive applications.

Officials provided two examples of past incidents:

“In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations’ networks.

“This activity is similar toa previous data leak in July 2020, in which an identified cyber actor exfiltrated proprietary source code from enterprises throughpoorly secured SonarQube instances and published the exfiltrated source codeon a self-hosted public repository.”

Source: FBI: Hackers stole source code from US government agencies and private companies | ZDNet





« Previous PageNext Page »