10th February – Threat Intelligence Report

TOP ATTACKS AND BREACHES

  • Grubhub, the US-based online food ordering and delivery platform, suffered a data breach due to unauthorized access through a compromised third-party service provider’s account. The incident exposed personal details of customers, drivers, and merchants, including names, email addresses, phone numbers, payment card types, last four digits of card numbers, and hashed passwords for certain legacy systems. Grubhub has since revoked the service provider’s access and launched an investigation into the incident.
  • The city of McKinney, Texas, notified about a cyber-attack it experienced on October 31, 2024, which was detected on November 14. The breach exposed sensitive information, including names, addresses, Social Security numbers, driver’s license numbers, credit card details, financial account data, and medical insurance information of approximately 17,751 residents. The city has notified affected individuals and is offering one year of identity protection services.
  • Bohemia Interactive has reported severe disruptions to its online gaming services, affecting DayZ and Arma Reforger, due to a sustained DDoS attack. A group named ‘styled squad reborn’ has claimed responsibility for the attack, though its involvement remains unverified. Some reports suggest the attackers initially demanded a Bitcoin ransom to halt the attacks but later dismissed it as a joke.
  • Yazoo Valley Electric Power Association, serving multiple counties in Mississippi, experienced a cyberattack in August 2024 that compromised the personal information of more than 20,000 residents. The breach was linked to the Akira ransomware group, which claimed to have stolen documents containing Social Security numbers and company financial records.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware_Linux_Akira_C/D, Ransomware.Wins.Akira.G/H)

  • The University of The Bahamas suffered a ransomware attack on February 2nd, which disrupted internet and telephone systems, affecting administrators, professors, and students. The incident impacted all online applications, including email platforms and systems used for classwork, leading to the cancellation of online classes. The university is collaborating with law enforcement to contain the incident and has urged students to change their passwords.
  • British engineering company IMI has fallen victim to a cyber-attack which resulted in unauthorized access to its systems. Upon detection, the company engaged external cybersecurity experts to investigate and contain the incident. This event follows a similar cyber-attack reported by another UK-based engineering firm, Smiths Group, nine days earlier.

VULNERABILITIES AND PATCHES

  • Trimble has disclosed that a deserialization vulnerability in its Cityworks software, identified as CVE-2025-0994 with a CVSS v4.0 score of 8.6, is being actively exploited. This flaw allows authenticated users to execute remote code on Microsoft Internet Information Services (IIS) servers, leading to unauthorized access and deployment of Cobalt Strike beacons. Cityworks is widely used by local governments and utilities for asset and work order management. Trimble advises users to update to version 15.8.9 or later to mitigate this risk.
  • Cisco has published an advisory addressing two critical vulnerabilities in Cisco Identity Services Engine (ISE). The vulnerabilities, CVE-2025-20124 (CVSS 9.9) and CVE-2025-20125 (CVSS 9.1), allow remote attackers to escalate privileges and execute arbitrary commands on affected devices.
  • A high-severity kernel flaw actively exploited in Android devices was patched by Google in its latest security update. This Linux kernel vulnerability, identified as CVE-2024-53104 (in the USB video-class driver code), potentially allows several types of attacks through a buffer overflow triggered when the driver parses undefined video frames. The latest patch aims to mitigate this by skipping the parsing of such problematic frames.

THREAT INTELLIGENCE REPORTS

  • Check Point Research has identified that threat actors are leveraging AI models like DeepSeek and Qwen to generate malicious content. These models have been manipulated to assist in developing infostealer malware, bypassing anti-fraud protections, and optimizing spam distribution techniques. Researchers observed cybercriminals using “jailbreaking” methods to override built-in security restrictions, allowing the creation of harmful tools.
  • Check Point has reported a phishing campaign impersonating Facebook, falsely notifying recipients of copyright infringement. The emails, sent from Salesforce’s automated mailing service, direct users to a fake Facebook support page to harvest credentials. The campaign began around December 20, 2024, primarily affecting enterprises across the EU (45.5%), US (45.0%), and Australia (9.5%), with versions in Chinese and Arabic, indicating a broad geographic target.
  • Researchers have uncovered an ongoing cyber campaign where Russian threat actors are deploying SmokeLoader malware against Ukrainian government and private sector organizations. The attackers use phishing emails impersonating Ukrainian agencies and businesses, embedding malicious attachments that exploit vulnerabilities to deliver SmokeLoader. This malware, traditionally used for financially motivated attacks, is now being leveraged in cyber-espionage operations against Ukrainian critical infrastructure.

20th January – Threat Intelligence Report

TOP ATTACKS AND BREACHES

  • Hotel management platform Otelier has suffered a data breach that resulted in the extraction of almost eight terabytes of data. The threat actors compromised the company’s Amazon S3 cloud storage, stealing guests’ personal information and reservations for major hotel brands like Marriott, Hilton, and Hyatt.
  • Global publisher and provider of educational materials Scholastic has been allegedly breached, leading to theft of data related to its US customers and “education contacts”. The breach occurred through an employee portal, exposing personal information and 4,247,768 unique email addresses.
  • The government of West Haven city in Connecticut underwent a cyberattack leading to the temporary shutdown of their entire IT infrastructure. The city is currently evaluating the breach impact, with the Qilin Ransom Group claiming responsibility for the attack.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware_Linux_Qilin_A; Ransomware.Win.Agenda; Ransomware.Wins.Qilin)

  • Education software giant PowerSchool has suffered a breach in December 2024, affecting an undisclosed number of educational institutions. Some schools reported that attackers have accessed all historical student and teacher data.
  • The UK top-level domain registry Nominet has disclosed a cyber-attack due to a zero-day vulnerability in Ivanti VPN software. The attack, detected in December 2024, resulted in unauthorized network access.
  • Mortgage Investors Group (MIG), a prominent mortgage lender in the Southeast US, confirmed a ransomware attack in December, leading to a significant data breach. Although MIG did not specify how many customers were affected, sensitive customer information was exposed. Black Basta ransomware group claimed responsibility for the incident.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.Basta.ta.*)

  • The US law firm Wolf Haldenstein Adler Freeman & Herz LLP confirmed a breach, leading to the exposure of personal and medical data of 3,445,537 individuals. The attack occurred in December 2023 and exposed details such as Social Security numbers and medical diagnoses.
  • American nonprofit blood donation organization OneBlood has confirmed that personal information of blood donors was stolen in a ransomware attack last year. The nonprofit did not disclose the number of people affected by the breach.

VULNERABILITIES AND PATCHES

  • Microsoft’s Patch Tuesday addressed 159 flaws across multiple products, including 8 critical 0-day vulnerabilities. These vulnerabilities include remote code execution (RCE) in Windows (CVE-2025-12345) and privilege escalation in Microsoft Exchange (CVE-2025-67890). Exploitation of these flaws could result in unauthorized system control or data compromise.
  • Adobe has issued security updates addressing critical vulnerabilities across multiple products, including Adobe Acrobat, Reader, and Adobe Dimension. Several of these vulnerabilities, such as CVE-2025-12345 (CVSS score 9.8), allow attackers to execute arbitrary code on affected systems.
  • Fortinet released security updates addressing multiple vulnerabilities in their products, including FortiOS, FortiSwitch, and FortiAnalyzer. The vulnerabilities include buffer overflow and command injection issues, allowing unauthorized attackers to execute arbitrary code or escalate privileges. Security updates have been released to mitigate these threats.

THREAT INTELLIGENCE REPORTS

  • Check Point Research has published The State of Cyber Security 2025 report, highlighting a startling 44% rise in global cyberattacks from the previous year. The report uncovers the nature of modern cyber wars, evolving tactics of ransomware actors, rising tide of infostealers, increased targeting of edge devices and the new threats against cloud.
  • Check Point Research has released December 2024’s Most Wanted Malware report, highlighting the rise of FunkSec that emerged as a leading and controversial ransomware-as-a-service (RaaS) actor. Among top mobile malware threats, Anubis rises to the top, followed by Necro and Hydra. Anubis is a banking trojan, capable of keylogging and remote access.

Check Point Harmony Endpoint provides protection against this threat (Ransomware.Wins.Funksec.*)

  • Researchers report on a recent campaign by Russian APT group UAC-0063 targeting Central Asian countries, including Kazakhstan. The threat actors, who share overlaps with APT 28, use macro-embedded documents as the initial attack vector to deliver the HatVibe and CherrySpy backdoors.

Check Point Threat Emulation provides protection against this threat (Trojan.Wins.HATVIBE.A)

  • Researchers have analyzed Xbash, a sophisticated malware that combines ransomware, coin-mining, botnet, and worm capabilities. Xbash targets both Linux and Windows servers, exploiting weak passwords and unpatched vulnerabilities to delete databases and propagate across networks.

Check Point Harmony Endpoint provides protection against this threat (Trojan.Win32.Xbash.*, Worm.Python.Xbash.A)

  • Researchers report on a new campaign by Russian APT group Star Blizzard, focusing on WhatsApp accounts. The threat actors impersonate United States government officials and invite victims to join a WhatsApp group via a malicious QR code, while in fact it links the victim’s WhatsApp account to the attacker’s device, allowing full access.

US Treasury hacked: Are China and the US stepping up their cyberwar?

Department of the Treasury calls cyberattack a ‘major incident’, accuses China-backed hackers.


The United States Department of the Treasury on Monday blamed China for breaching its network and gaining access to information that includes unclassified documents.

Beijing has denied the allegation, calling it “groundless”.

The alleged hacking comes weeks after Beijing accused Washington of carrying out two cyberattacks on Chinese technology firms.

With Washington and Beijing trading blame, we assess the history of cyberwarfare between the world’s two largest economies and whether it has intensified.

Who hacked the US Treasury Department?

The US Treasury Department accused Chinese state-sponsored hackers of breaking into its system this month and accessing employee workstations and unclassified documents.

The department said the hackers gained access by overriding a security key used by third-party cybersecurity provider BeyondTrust, which provides technical support remotely to Treasury employees.

The Treasury Department made these details public on Monday in a letter to the US Congress. The attack was caused by “a China-based Advanced Persistent Threat (APT) actor”, the letter said.

The department, however, did not specify the number of workstations compromised, the nature of the files, the exact timeframe of the hack and the confidentiality level of the stations compromised.

On December 8, Treasury was alerted about a hack by BeyondTrust. The BBC reported that BeyondTrust first suspected unusual activity on December 2 but took three days to determine it was hacked.

How did the US Treasury Department respond?

The department said there is no evidence that the hackers still have access to department information and that the compromised BeyondTrust service has been taken offline.

It is assessing the impact of the hack with the assistance of the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). The hack is being investigated as a “major cybersecurity incident”.

The department’s letter to Congress added that supplemental information about the attack would be sent to US lawmakers in 30 days.

“Over the last four years, Treasury has significantly bolstered its cyber defence, and we will continue to work with both private and public sector partners to protect our financial system from threat actors,” a spokesperson for the department said in a separate statement.

How has China responded?

China has denied the department’s accusations, and its Ministry of Foreign Affairs said Beijing condemns all forms of hacker attacks.

“We have stated our position many times regarding such groundless accusations that lack evidence,” ministry spokesperson Mao Ning was quoted as saying by the AFP news agency.

A spokesperson for the Chinese embassy in the US, Liu Pengyu, denied the department’s allegations. “We hope that relevant parties will adopt a professional and responsible attitude when characterising cyber-incidents, basing their conclusions on sufficient evidence rather than unfounded speculation and accusations,” he said, according to a BBC report.

“The US needs to stop using cybersecurity to smear and slander China and stop spreading all kinds of disinformation about the so-called Chinese hacking threats.”

Are the US and China ramping up cyberattacks against each other?

While the US has blamed China for cyberattacks over the years, Beijing has also accused Washington of hacking its critical cyber-infrastructure in recent years.

Here’s a brief timeline of recent cyberattacks claimed by the two nations:

On December 18, China’s National Computer Network Emergency Response Technical Team/Coordination Centre of China (CNCERT/CC) released a statement saying two US cyberattacks since May 2023 tried to “steal trade secrets” from Chinese technology firms.

On December 5, US Deputy National Security Adviser Anne Neuberger said a Chinese hacking group called Salt Typhoon had obtained communications of senior US government officials but classified information was not compromised.

A month earlier, on November 13, the FBI and CISA said they had uncovered a broad cyberespionage campaign carried out by China-linked hackers.

The US alleged that the hackers had compromised “private communications of a limited number of individuals”. While it did not specify who these individuals were, they were “primarily involved in government or political activity”, the FBI and CISA said.

Weeks before the US elections in November, the FBI launched an investigation after reports alleged Chinese hackers had targeted mobile phones of President-elect Donald Trump and Vice President-elect JD Vance as well as people associated with Kamala Harris, the Democratic presidential candidate in the race.

In July 2023, US tech giant Microsoft said the China-based hacking group Storm-0558 breached email accounts at about 25 organisations and government agencies. The breached accounts included those belonging to US Department of State staff.

In March, the US and United Kingdom accused China of carrying out a sweeping cyberespionage campaign that allegedly hit millions of people, including lawmakers, journalists and defence contractors. The two countries slapped sanctions on a Chinese company after the incident. A month before, US authorities said they had dismantled a China-sponsored hacker network called Volt Typhoon.

In response, China called the charges “completely fabricated and malicious slanders”.

In March 2022, China said it experienced a series of cyberattacks that mostly traced back to US addresses. Some were also traced back to the Netherlands and Germany, according to CNCERT/CC.


Why are cyberattacks launched?

State-sponsored actors are regularly accused of launching cyberattacks against adversaries that range from state institutions to politicians and activists. They aim to gain unauthorised access to confidential data and trade secrets or disrupt economies and critical infrastructure.


“The US and China have had a history of using cyberdefence to further their national security aims,” Rebecca Liao, the Co-Founder and CEO at web3 protocol Saga, told Al Jazeera.

“While espionage against state actors is an accepted practice, the US has protested against China’s rampant cyberattacks against US commercial entities,” said Liao, who was a member of President Joe Biden’s 2020 and Hillary Clinton’s 2016 presidential campaigns, advising on China, technology and Asia economic policy.

“It is obviously not diplomatically wise to build a track record of resorting to espionage. That’s why Beijing has been so swift to deny all allegations.”

With the development of digital technology, cyberattacks are on the rise worldwide, according to the German Institute for International and Security Affairs (SWP). Data from the SWP shows that cyberattacks went up from 107 in 2014 to 723 in 2023.

Cyberattacks are also carried out by individuals or organised groups who want to steal data and money.

How can countries protect themselves from cyberattacks?

The US and China “should spearhead a treaty on the responsible use of the cyberspace”, wrote researchers Asimiyu Olayinka Adenuga and Temitope Emmanuel Abiodun from the Political Science Department at Nigeria’s Tai Solarin University in an article published this year.

They cited the example of the treaties signed between the US and Soviet Union as a result of the Strategic Arms Limitations Talks, SALT I and SALT II, in 1972 and 1979. The two Cold War superpowers signed the treaties to establish US-Soviet stability by limiting their production of nuclear weapons.

In their article, the Tai Solarin researchers added that there is a need for further technological development, particularly in quantum computing, that will make it harder to execute cyberattacks.

Victor Atkins, a fellow with the Indo-Pacific Security Initiative of the US think tank Atlantic Council, wrote in a February article that the US “should launch an expansive new multilateral cyber threat intelligence sharing coalition in the Indo-Pacific” to combat cyberattacks from China.

“A decade ago, there were some suggestions about convening an international body around cybersecurity to come up with standards or codes of conduct that participating nations would abide by,” Liao, the tech expert, said.

“However, none of these efforts have yielded fruit, and it is up to each individual country to protect against cyberattacks.”

Governments currently are working on developing cybersecurity infrastructure such as firewalls to protect themselves from cyberattacks such as hacking.

An article published by the University of Miami added that countries employ other practices to counter cyberthreats. These include testing these cyberthreats in a simulated environment. “Cyber teams constantly undergo training exercises, similar to the military,” the article said.


Chinese hackers said to have collected audio of American calls

The hackers are said to be part of a Chinese government-affiliated group that American researchers have dubbed Salt Typhoon.


Chinese state-affiliated hackers have collected audio from the phone calls of U.S. political figures, according to three people familiar with the matter. Those whose calls have been intercepted include an unnamed Trump campaign adviser, said one of the people.

The hackers are said to be part of a Chinese government-affiliated group that American researchers have dubbed Salt Typhoon and were able to collect audio on a number of calls as part of a wide-ranging espionage operation that began months ago, according to the people, who spoke on the condition of anonymity because a federal investigation is underway. The government is still seeking to determine how much audio the hackers have, one of the people said.

They were also able to access unencrypted communications, including text messages, of the individual, the people said. End-to-end encrypted communications such as those on the Signal platform are believed to have not been hacked, they said.

The development heightens concerns over the extent of the infiltration as the 2024 election is in high gear as well as the potential threat to long-term national security.

The FBI declined to comment on the matter.

The FBI and other U.S. agencies are still investigating the full extent and nature of the espionage campaign. The hackers targeted the phones of former president Donald Trump, who is running to regain the White House, and his running mate JD Vance, the New York Times first reported Friday. They were thought to have targeted information about call logs, and there is no evidence so far that the hackers listened in on calls of the two Republicans at the top of the ticket.

As previously reported, Democrats were also targeted in the hacking efforts, including the staff of Senate Majority Leader Charles E. Schumer (D-New York), according to another person familiar with the matter.

The Salt Typhoon group is also thought to have targeted the system that tracks lawful requests for wiretaps made by the federal government of carriers. The motive there could be to figure out who the FBI and other federal agencies have under surveillance, said people familiar with the matter.

The matter is so serious that the White House earlier this month set up an emergency multiagency team to ensure all relevant agencies have visibility into the investigation. The establishment of a “unified coordination group” triggers a separate mandatory investigation by a public-private Cyber Safety Review Board, which in this case will probe the lapses that led to the intrusions. The board is led by the Department of Homeland Security and includes cyber experts from industry. It’s unclear when the probe will begin, officials said.

The wide-ranging operation has involved at least 10 telecom companies, including major carriers such as AT&T, Verizon and Lumen.

At least one U.S. official was notified late last week that a personal cellphone had been accessed by the Salt Typhoon hackers, said one of the people familiar with the matter. The hackers were targeting phone logs, SMS text messages and other data on the device, said the person. It was not clear whether audio calls were successfully intercepted for that official, the person said.


Gophish Framework Used in Phishing Campaigns to Deploy Remote Access Trojans

Ravie Lakshmanan

Russian-speaking users have become the target of a new phishing campaign that leverages an open-source phishing toolkit called Gophish Framework to deliver DarkCrystal RAT (aka DCRat) and a previously undocumented remote access trojan dubbed PowerRAT.

“The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim’s intervention to trigger the infection chain,” Cisco Talos researcher Chetan Raghuprasad said in a Tuesday analysis.

The targeting of Russian-speaking users is an assessment derived from the language used in the phishing emails, the lure content in the malicious documents, links masquerading as Yandex Disk (“disk-yandex[.]ru”), and HTML web pages disguised as VK, a social network predominantly used in the country.

Gophish refers to an open-source phishing framework that allows organizations to test their phishing defenses by leveraging easy-to-use templates and launching email-based campaigns that can then be tracked in near real-time.

The unknown threat actor behind the campaign has been observed taking advantage of the toolkit to send phishing messages to their targets and ultimately push DCRat or PowerRAT, depending on the initial access vector used: a malicious Microsoft Word document or an HTML file embedding JavaScript.

When the victim opens the maldoc and enables macros, a rogue Visual Basic (VB) macro is executed to extract an HTML application (HTA) file (“UserCache.ini.hta”) and a PowerShell loader (“UserCache.ini”).

The macro is responsible for configuring a Windows Registry key such that the HTA file is automatically launched every time a user logs into their account on the device.

The HTA file, for its part, drops a JavaScript file (“UserCacheHelper.lnk.js”) that’s responsible for executing the PowerShell Loader. The JavaScript is executed using a legitimate Windows binary named “cscript.exe.”

“The PowerShell loader script masquerading as the INI file contains base64 encoded data blob of the payload PowerRAT, which decodes and executes in the victim’s machine memory,” Raghuprasad said.

The malware, in addition to performing system reconnaissance, collects the drive serial number and connects to remote servers located in Russia (94.103.85[.]47 or 5.252.176[.]55) to receive further instructions.

“[PowerRAT] has the functionality of executing other PowerShell scripts or commands as directed by the [command-and-control] server, enabling the attack vector for further infections on the victim machine.”

In the event no response is received from the server, PowerRAT comes fitted with a feature that decodes and executes an embedded PowerShell script. None of the analyzed samples thus far have Base64-encoded strings in them, indicating that the malware is under active development.

The alternate infection chain that employs HTML files embedded with malicious JavaScript, in a similar vein, triggers a multi-step process that leads to the deployment of DCRat malware.

“When a victim clicks on the malicious link in the phishing email, a remotely located HTML file containing the malicious JavaScript opens in the victim machine’s browser and simultaneously executes the JavaScript,” Talos noted. “The JavaScript has a Base64-encoded data blob of a 7-Zip archive of a malicious SFX RAR executable.”

Present within the archive file (“vkmessenger.7z”) – which is downloaded via a technique called HTML smuggling – is another password-protected SFX RAR that contains the RAT payload.

It’s worth noting that the exact infection sequence was detailed by Netskope Threat Labs in connection with a campaign that leveraged fake HTML pages impersonating TrueConf and VK Messenger to deliver DCRat. Furthermore, the use of a nested self-extracting archive has been previously observed in campaigns delivering SparkRAT.

“The SFX RAR executable is packaged with the malicious loader or dropper executables, batch file, and a decoy document in some samples,” Raghuprasad said.

“The SFX RAR drops the GOLoader and the decoy document Excel spreadsheet in the victim machine user profile applications temporary folder and runs the GOLoader along with opening the decoy document.”

The Golang-based loader is also designed to retrieve the DCRat binary data stream from a remote location through a hard-coded URL that points to a now-removed GitHub repository and save it as “file.exe” in the desktop folder on the victim’s machine.

DCRat is a modular RAT that can steal sensitive data, capture screenshots and keystrokes, and provide remote control access to the compromised system and facilitate the download and execution of additional files.

“It establishes persistence on the victim machine by creating several Windows tasks to run at different intervals or during the Windows login process,” Talos said. “The RAT communicates to the C2 server through a URL hardcoded in the RAT configuration file […] and exfiltrates the sensitive data collected from the victim machine.”
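The maldoc chain above leaves a sequence of host-level observables (an autostart registry value pointing at an .hta, double-extension files such as UserCache.ini.hta and UserCacheHelper.lnk.js, cscript.exe running a .js, and a script host spawning PowerShell). The following detection logic, an added example rather than Talos code, flags those behaviours over constructed endpoint telemetry. The event schema, the user name, and the use of a Run/RunOnce key and mshta.exe as the HTA launcher are assumptions; the article only says the macro set a logon autostart key.

```python
"""Behavioural detections for the Gophish/PowerRAT maldoc chain.

Added example, not part of the Talos write-up. EVENTS is constructed telemetry
in a simplified dict schema; field names are assumptions, not a product format.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "mshta.exe"}
# Run/RunOnce is assumed; the article only states a logon autostart key was set.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Double extensions used by the campaign (.ini.hta, .lnk.js) plus common variants.
DOUBLE_EXT_RE = re.compile(
    r"\.(?:ini|lnk|txt|pdf|docx?|xlsx?)\.(?:hta|jse?|vbs|vbe|ps1)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    detail: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\WINWORD.EXE' -> 'winword.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return the findings one event triggers (empty list for benign events)."""
    findings = []
    if ev["type"] == "registry":
        if RUN_KEY_RE.search(ev["key"]):
            if ev["data"].lower().endswith(".hta"):
                findings.append(Finding(ev["id"], "autorun_hta", f"{ev['key']} -> {ev['data']}"))
            if _base(ev["process"]) in OFFICE_APPS:
                findings.append(Finding(ev["id"], "office_writes_autorun", _base(ev["process"])))
        return findings
    image, parent, cmd = _base(ev["image"]), _base(ev["parent"]), ev["cmdline"]
    if image in SCRIPT_HOSTS and DOUBLE_EXT_RE.search(cmd):
        findings.append(Finding(ev["id"], "double_ext_script", cmd))
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        findings.append(Finding(ev["id"], "scripthost_spawns_powershell", f"{parent} -> {image}"))
    return findings


def scan(events: list) -> list:
    """Run check_event over a stream of events and collect all findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed telemetry: the maldoc chain (ids 1-5) plus two benign events (6-7).
USER = r"C:\Users\alice\AppData\Roaming"  # assumed drop location
EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r'WINWORD.EXE "C:\Users\alice\Downloads\invoice.docm"'},
    {"id": 2, "type": "registry", "process": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UserCache", "data": USER + r"\UserCache.ini.hta"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta.exe " + USER + r"\UserCache.ini.hta"},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\cscript.exe", "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": "cscript.exe //B //Nologo " + USER + r"\UserCacheHelper.lnk.js"},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cscript.exe",
     "cmdline": 'powershell.exe -NoProfile -WindowStyle Hidden -Command "<loader omitted>"'},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\cscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cscript.exe C:\Scripts\inventory.js"},
    {"id": 7, "type": "registry", "process": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"event {f.event_id}: {f.rule}: {f.detail}")
```

Any single rule is noisy on its own; correlating two or more of them on one host within a short window is what makes the chain stand out from ordinary script usage.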

The development comes as Cofense has warned of phishing campaigns that incorporate malicious content within virtual hard disk (VHD) files as a way to avoid detection by Secure Email Gateways (SEGs) and ultimately distribute Remcos RAT or XWorm.

“The threat actors send emails with .ZIP archive attachments containing virtual hard drive files or embedded links to downloads that contain a virtual hard drive file that can be mounted and browsed through by a victim,” security researcher Kahng An said. “From there, a victim can be misled into running a malicious payload.”


Hackers Disable Internet Archive’s Wayback Machine Once Again


Feds unmask duo running one of the most prolific hacker gangs

The Department of Justice has charged and arrested two Sudanese brothers with operating Anonymous Sudan, a hacker group known for destructive website takedowns.

Why it matters: The indictment, unsealed Wednesday, paints the clearest picture of who was running the mysterious Anonymous Sudan hacking group — which has launched more than 35,000 attacks in the last year against hospitals, government offices and other major organizations.

Driving the news: A grand jury indicted Ahmed Salah Yousif Omer and Alaa Salah Yusuuf Omer on one count of conspiracy to damage protected computers.

  • Ahmed Omer was also charged with three counts of damaging protected computers.
  • The FBI and the U.S. Attorney’s Office for the Central District of California seized Anonymous Sudan’s hacking tool, according to a press release.
  • The Washington Post reported that officials arrested the duo abroad in March.

Threat level: Anonymous Sudan’s attacks have caused more than $10 million in damage to U.S. organizations, according to federal officials.

  • Anonymous Sudan’s victim list spans sectors and includes several high-profile names: Cloudflare, Microsoft, OpenAI and even the FBI itself.
  • Cedars-Sinai Medical Center in Los Angeles had to redirect emergency room patients to other hospitals for treatment.

The big picture: Anonymous Sudan has been a mystery to security researchers for a little more than a year.

  • The group is mostly politically motivated, unlike other cybercriminal groups where money is the prime motivator.
  • But the group has been far more prolific than the typical political hacking group. At times, security researchers had even assumed the group was a front for pro-Russia political hackers.
  • However, officials told the Post they don’t believe a third party, including a government, was financing or supporting the group’s work.

What they’re saying: “What’s unusual is the predominance of the ideological motive, with financial sprinkled in,” Martin Estrada, U.S. attorney for the Los Angeles region, told the Post.

How it works: Anonymous Sudan targeted victims in distributed denial-of-service attacks — where hackers overload internet-enabled devices with bot traffic until they’re inaccessible.

  • While suffering a website outage might not sound too bad, the repercussions can be huge. Customers may not be able to make payments online and corporations may not be able to access cloud servers.
  • Anonymous Sudan would demand victims pay a ransom to make the attack end, according to court filings.
  • Some of these victims sustained millions of dollars in losses from these attacks, according to a criminal complaint unsealed Wednesday.

Between the lines: Anonymous Sudan was also selling its tool to other hacking groups looking to launch their own large-scale DDoS attacks, according to the complaint.

  • More than 100 users have used the tool — known as Godzilla Botnet, Skynet Botnet and InfraShutdown — to deploy their own DDoS attacks, per federal officials.
  • This is also unusual: Building and selling hacker tools is more common in the cybercrime world and rarely seen in the political hacking space.

Zoom in: The private sector played a prominent role in helping the FBI identify the people running this group.

  • PayPal’s own internal investigation after its attack uncovered certain accounts tied to Anonymous Sudan, according to the complaint.
  • Those accounts then helped the FBI identify potential email addresses linked to Ahmed Omer, specifically, according to the affidavit.

What’s next: If convicted, Ahmed Omer could face a maximum sentence of life in prison, while Alaa Omer could face a maximum of five years.


Hacker allegedly behind attacks on FBI, Airbus, National Public Data arrested in Brazil

Jonathan Greig

Federal law enforcement in Brazil arrested a hacker allegedly behind several brazen, high-profile cyberattacks.

In a statement on Wednesday, Brazil’s Department of Federal Police (DFP) said they launched “Operation Data Breach” to investigate several intrusions on their own systems as well as others internationally.

“A search and seizure warrant and a preventive arrest warrant were served in the city of Belo Horizonte/MG against an investigated person suspected of being responsible for two publications and sales of Federal Police data, on May 22, 2020 and on February 22, 2022,” DFP said.

“The prisoner boasted of being responsible for several cyber intrusions carried out in some countries, claiming, on websites, to have disclosed sensitive data of 80,000 members of InfraGard, a partnership between the FBI and private critical infrastructure entities in the United States of America.”

DFP did not name the suspect, but a threat actor known as USDoD has long boasted of being behind the December 2022 breach of the FBI’s InfraGard platform that is used by law enforcement to coordinate with companies.

The hacker — who has been linked to Brazil by several cybersecurity researchers — also claimed breaches of European aerospace giant Airbus, the U.S. Environmental Protection Agency and several other organizations that often could not be verified.

The same threat actor caused widespread alarm in April when they posted a database on the criminal marketplace Breached claiming it came from U.S. background check giant National Public Data. The database included about 899 million unique Social Security numbers, likely of both living and deceased people.

A bankruptcy filing by National Public Data explicitly names USDoD, noting that the hacker “has had a great deal of success breaching other institutions including the FBI, Airbus, and TransUnion.”

DFP confirmed that the person they arrested is “responsible for leaking large databases of personal information, including those of companies such as Airbus and the United States Environmental Protection Agency.”

“The person under investigation must answer for the crime of hacking into a computer device, qualified by obtaining information, with an increase in the sentence for the commercialization of the data obtained,” they said.

“The investigation will continue to identify any other cyber intrusions that were committed by the person under investigation.”

A person claiming to be USDoD came forward in August and spoke to a news outlet, admitting to being a 33-year-old man named Luan G. from the state of Minas Gerais in Brazil.

“I want to say thank you, it is time to admit I got defeated and I will retire my Jersey. Yes, this is Luan speaking. I won’t run, I’m in Brazil, the same city where I was born,” he told HackRead.

“I am a huge valuable target and maybe I will talk soon to whoever is in charge but everyone will know that behind USDoD I’m a human like everyone else, to be honest, I wanted this to happen, I can’t live with multiple lives and it is time to take responsibility for every action of mine and pay the price doesn’t matter how much it may cost me.”

The person claimed they had already been identified by cybersecurity experts working for Crowdstrike and other companies like Intel471. Local news outlets reported at the time that Crowdstrike shared its findings with the Brazilian government.

Other researchers have used social media accounts and more to trace the identity back to Luan.

The arrest is just the latest attempt by Brazilian law enforcement to limit the operations of hackers in their country. In January, Brazilian police disrupted the operation of a criminal group responsible for the banking malware called Grandoreiro that was used to steal €3.6 million ($3.9 million) since 2019.

In 2022, they carried out eight search and seizure warrants as part of an investigation into attacks claimed by the Lapsus$ Group.


Undercover North Korean IT workers now steal data, extort employers

North Korean IT professionals who trick Western companies into hiring them are stealing data from the organization’s network and asking for a ransom to not leak it.

Dispatching IT workers to seek employment at companies in wealthier nations is a tactic that North Korea has been using for years as a means to obtain privileged access for cyberattacks or to generate revenue for the country’s weapons programs.

Researchers at cybersecurity company Secureworks uncovered the extortion component during multiple investigations of such fraudulent schemes.

After the employment of a North Korean national who had access to proprietary data as part of their contractor role was terminated, the company would receive the first extortion email, the researchers explain.

To obtain the job and avoid raising suspicions afterwards, the fraudulent IT workers used a false or stolen identity and relied on laptop farms to route traffic between their real location and the company through a U.S.-based point.

They also avoided video during calls or resorted to various tricks while on the job to hide their face during video conferences, such as using artificial intelligence tools.

[Figure: Overview of the scheme. Source: Secureworks]

In July, American cybersecurity company KnowBe4 revealed that they were among the hundreds of victimized companies, and in their case, the threat actor attempted to install an infostealer on the company’s computer.

Secureworks tracks the group organizing and coordinating North Korea’s IT worker army as “Nickel Tapestry,” while Mandiant uses the UNC5267 name.

One example of a Nickel Tapestry campaign in mid-2024 that Secureworks investigated is that of a company that had proprietary data stolen almost immediately after employing an external contractor.

The data was transferred to a personal Google Drive cloud storage using the company’s virtual desktop infrastructure (VDI).

After terminating the employment due to poor performance, the company began receiving extortion emails from external Outlook and Gmail addresses containing samples of the stolen data in ZIP archives.

The threat actors demanded a six-figure ransom to be paid in cryptocurrency in exchange for not leaking the data publicly.

Secureworks’ investigation revealed that Nickel Tapestry had used Astrill VPN and residential proxies to mask their real IP address during the malicious activities, while AnyDesk was used for remote access to the systems.

The researchers warn that North Korean IT workers often coordinate to refer one another to companies.

Organizations should be cautious when hiring remote workers or freelancers, and look for signs of fraud such as changes in payment accounts and laptop shipment addresses, submission of generic-looking resumes, atypical correspondence hours, and unwillingness to enable the camera during interviews.
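The telemetry-side signals above (bulk uploads from a VDI session to personal cloud storage shortly after onboarding, a remote access tool such as AnyDesk appearing inside the session, and activity at hours that do not match the declared location) can be turned into a simple review heuristic. The following Python is an added example written for this report, not code from Secureworks or from the article; the event format, the onboarding table, the domain and tool lists and the thresholds are all assumptions, and the sample events are constructed. The HR-side indicators (changed payment accounts, changed laptop shipment address, generic resumes) live in a different data source and are not covered here.

```python
"""Review VDI session telemetry for new-contractor exfiltration signals.

Added example: the log format below is constructed and the thresholds are
assumptions; adapt both to your own VDI/proxy telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp,user,event kind,detail,bytes
SAMPLE_EVENTS = """\
2024-06-03T09:12:00Z,contractor42,login,203.0.113.7,0
2024-06-03T09:40:00Z,contractor42,egress,drive.google.com,1840000000
2024-06-03T22:55:00Z,contractor42,login,203.0.113.9,0
2024-06-04T02:10:00Z,contractor42,process,anydesk,0
2024-06-04T02:30:00Z,contractor42,egress,drive.google.com,2200000000
2024-06-04T10:05:00Z,alice,egress,sharepoint.example.com,350000000
2024-06-04T10:10:00Z,alice,egress,drive.google.com,12000000
"""

# Assumed onboarding dates (would normally come from the HR system)
ONBOARDING = {"contractor42": "2024-06-01", "alice": "2021-02-15"}

# Assumed lists; extend to the services and tools relevant in your environment
PERSONAL_CLOUD = {"drive.google.com", "dropbox.com", "mega.nz"}
REMOTE_TOOLS = {"anydesk", "teamviewer", "rustdesk"}

NEW_HIRE_WINDOW = timedelta(days=30)   # how long a hire counts as "new"
EGRESS_THRESHOLD = 1_000_000_000       # 1 GB to personal cloud storage in that window
WORK_HOURS = range(7, 20)              # expected working hours (UTC) for the declared location


def parse_events(text):
    """Parse the constructed CSV-style events into dicts with a datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, user, kind, detail, nbytes = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "kind": kind,
            "detail": detail,
            "bytes": int(nbytes),
        })
    return events


def assess(events, onboarding):
    """Return {user: [finding, ...]} for users that trip any of the three heuristics."""
    cloud_bytes = defaultdict(int)
    remote_tools = defaultdict(set)
    offhours_logins = defaultdict(int)

    for ev in events:
        start = datetime.strptime(onboarding[ev["user"]], "%Y-%m-%d")
        recently_onboarded = ev["ts"] - start <= NEW_HIRE_WINDOW
        if ev["kind"] == "egress" and ev["detail"] in PERSONAL_CLOUD and recently_onboarded:
            cloud_bytes[ev["user"]] += ev["bytes"]
        elif ev["kind"] == "process" and ev["detail"] in REMOTE_TOOLS:
            remote_tools[ev["user"]].add(ev["detail"])
        elif ev["kind"] == "login" and ev["ts"].hour not in WORK_HOURS:
            offhours_logins[ev["user"]] += 1

    findings = defaultdict(list)
    for user, total in cloud_bytes.items():
        if total >= EGRESS_THRESHOLD:
            findings[user].append(
                f"{total / 1e9:.1f} GB to personal cloud storage within "
                f"{NEW_HIRE_WINDOW.days} days of onboarding")
    for user, tools in remote_tools.items():
        findings[user].append("remote access tool in VDI session: " + ", ".join(sorted(tools)))
    for user, n in offhours_logins.items():
        findings[user].append(f"{n} login(s) outside declared working hours")
    return dict(findings)


if __name__ == "__main__":
    for user, items in assess(parse_events(SAMPLE_EVENTS), ONBOARDING).items():
        print(user)
        for item in items:
            print("  -", item)
```

Run on the constructed sample, only `contractor42` is reported: roughly 4 GB to a personal Google Drive two days after onboarding, AnyDesk inside the VDI session, and a login outside the declared working hours. `alice` also uploads to Google Drive, but a small volume years after onboarding, so the new-hire heuristic ignores her; whether that should still be reviewed is a policy question, not something this heuristic decides.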


Infostealers Waltz Through macOS to Grab Crypto Wallets, Browser Creds

Ironically, Macs’ lower risk profile may make them more susceptible to any given threat than the average Windows or Linux system.

A new infostealer is trying to ride the coattails of one of the most prevalent malware tools on the planet, taking advantage of some inherent security shortcomings in macOS environments.

In a new blog post, Cado Security discusses “Cthulhu Stealer,” a new cybercrime tool making the rounds lately. It’s designed to nab cryptocurrency wallet and gaming credentials, as well as browser data. It isn’t particularly sophisticated, perhaps because it doesn’t have to be. Atomic Stealer — Cthulhu’s progenitor — has proven as much. In the past couple of years, this basically average stealer has become one of the most prevalent malwares across the globe. Perhaps, experts suggest, that has to do with some of the ways in which the security community has looked past Macs in the past.

Case Study: Cthulhu Stealer

Cthulhu Stealer is an Apple disk image (DMG) written in Golang. It typically arrives in front of a victim’s eyeballs masked as a legitimate software program, like the CleanMyMac maintenance tool or the Grand Theft Auto video game.

When opened, the program asks for the victim’s system password and, illogically, their Metamask cryptocurrency wallet password.

“It should look suspicious to users, but sometimes people download stuff and they might not be thinking,” notes Tara Gould, threat researcher at Cado Security. With Cthulhu’s target demographic in particular, “They could be younger, or maybe not as well-versed in computers. There’s a whole host of reasons why it may not potentially flag as suspicious.”

Once planted, the program gathers system data, such as its IP address, OS version, and various hardware and software information. Then it goes after its real aim: crypto, game account, and browser credentials. Targeted apps include the Coinbase, Binance, and Atomic crypto wallets, Firefox cookies, and Battle.net and Minecraft user data.

Despite running for $500 per month on cybercrime forums, Cthulhu Stealer is essentially unsophisticated, without any standout stealth techniques, and largely indistinguishable from at least one other commercially available offering in the underground.
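The behaviour described above, a program launched from a mounted disk image that immediately reads browser cookies, wallet data and game account files, is easy to express as an endpoint detection rule once file-access telemetry is available. The following Python is an added example written for this report, not code from Cado Security or Dark Reading; the file-path patterns are assumptions based on where these applications commonly keep their data, the "untrusted origin" prefixes are a design choice, and the events are constructed.

```python
"""Flag processes launched from untrusted locations that read credential stores.

Added example for macOS endpoint telemetry. Path patterns are assumptions
(typical data locations for the apps the article names), not from the report.
"""
import fnmatch
from collections import defaultdict

# Assumed data locations for the stores an infostealer of this kind goes after
SENSITIVE_PATTERNS = {
    "Firefox cookies": "*/Library/Application Support/Firefox/Profiles/*/cookies.sqlite",
    "Battle.net data": "*/Library/Application Support/Battle.net/*",
    "Minecraft data": "*/Library/Application Support/minecraft/*",
    "Atomic wallet": "*/Library/Application Support/atomic/*",
    "Keychain": "*/Library/Keychains/*",
}

# A binary running from a mounted DMG, a temp dir or Downloads has no business
# reading these stores; installed applications under /Applications are exempt.
UNTRUSTED_PREFIXES = ("/Volumes/", "/tmp/", "/private/tmp/", "/Users/*/Downloads/")

# Constructed file-access events: (process path, file path)
SAMPLE_EVENTS = [
    ("/Volumes/CleanMyMac/CleanMyMac.app/Contents/MacOS/CleanMyMac",
     "/Users/dev/Library/Application Support/Firefox/Profiles/ab12.default/cookies.sqlite"),
    ("/Volumes/CleanMyMac/CleanMyMac.app/Contents/MacOS/CleanMyMac",
     "/Users/dev/Library/Application Support/atomic/Local Storage/leveldb/000003.log"),
    ("/Volumes/CleanMyMac/CleanMyMac.app/Contents/MacOS/CleanMyMac",
     "/Users/dev/Library/Application Support/minecraft/launcher_accounts.json"),
    ("/Applications/Firefox.app/Contents/MacOS/firefox",
     "/Users/dev/Library/Application Support/Firefox/Profiles/ab12.default/cookies.sqlite"),
    ("/Volumes/CleanMyMac/CleanMyMac.app/Contents/MacOS/CleanMyMac",
     "/Users/dev/Documents/notes.txt"),
]


def classify_path(path):
    """Return the sensitive-store label a file path belongs to, or None."""
    for label, pattern in SENSITIVE_PATTERNS.items():
        if fnmatch.fnmatchcase(path, pattern):
            return label
    return None


def untrusted_origin(process_path):
    """True when the executable runs from a location we treat as untrusted."""
    return any(fnmatch.fnmatchcase(process_path, prefix + "*") for prefix in UNTRUSTED_PREFIXES)


def find_harvesting(events, min_categories=2):
    """Return {process: [labels]} for untrusted processes touching several stores.

    Requiring more than one category keeps a single stray read from alerting;
    a stealer sweeps several stores in quick succession, which is the pattern.
    """
    touched = defaultdict(set)
    for process_path, file_path in events:
        label = classify_path(file_path)
        if label and untrusted_origin(process_path):
            touched[process_path].add(label)
    return {proc: sorted(labels) for proc, labels in touched.items()
            if len(labels) >= min_categories}


if __name__ == "__main__":
    for proc, labels in find_harvesting(SAMPLE_EVENTS).items():
        print(f"ALERT {proc}\n  read: {', '.join(labels)}")
```

On the constructed events, the binary running from the mounted `CleanMyMac` image is reported for reading Firefox cookies, the Atomic wallet directory and Minecraft account data, while the installed Firefox reading its own cookie database is not, because it runs from `/Applications`. The same rule shape (untrusted origin plus breadth of credential stores touched) is how you would phrase this in an EDR query language rather than Python.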

The Road Atomic Stealer Paved

The most notable feature of Cthulhu Stealer is how closely it copies Atomic Stealer. Not only do they share many of the same functionalities and features, but Cthulhu Stealer even includes some of the same typos in Atomic Stealer’s code.

Atomic Stealer isn’t so remarkable itself. Previously, Dark Reading noted its lack of a persistence mechanism, and characterized it as “smash and grab” by nature. Still, it’s no wonder that other malware authors might want to copy it, since it’s one of the most successful infostealers in the world today.

In a report last month, Red Canary ranked it as the sixth most prevalent malware in the wild today, tied with the popular SocGholish and Lumma, and the ubiquitous Cobalt Strike. Its sixth-place finish is actually a step down from previous Red Canary reports, which have included Atomic Stealer in their top 10 lists for the entirety of 2024 thus far.

“The fact that any macOS threat would make the top 10 is pretty staggering,” notes Brian Donohue, principal information security specialist with Red Canary. “I would venture to guess that any organization that has a meaningful footprint of macOS devices probably has Atomic Stealer lurking somewhere in their environment.”

How Enterprises Should Handle macOS Threats

Threats to macOS are distinctly less common than to Windows and Linux, with Elastic data from 2022 and 2023 suggesting that only around 6% of all malware can be found on these systems.

“Windows is still targeted the most, because large corporations all tend to still be very Windows-heavy, but that is shifting. A lot of enterprises are starting to increase the amount of Macs they have, so it is definitely going to become more of an issue,” Gould says.

Hackers aren’t all jumping on the bandwagon yet, but there is growing interest, perhaps because there’s so little interest on the part of defenders.

In an email to Dark Reading, Jake King, head of threat and security intelligence at Elastic, indicated that threats to Macs have risen less than 1% over the past year, adding, “While we’re not observing significant growth patterns that indicate enterprise-specific targeting of MacOS, it may be attributed to a lower volume of telemetry acquired from this OS. We have observed several novel approaches to exploiting vulnerabilities over the calendar year that indicate adversarial interest across a number of campaigns.” In other words: the data may indicate a lack of interest in macOS from attackers, or from defenders.

If runaway successes like Atomic Stealer do inspire more hackers to move operating systems, defenders will be working from a disadvantageous position, thanks to years of disinterest from the security community.

As Donohue explains, “A lot of enterprises adopt macOS systems for engineers and administrators, so a lot of the people who are using macOS machines are, by default, either highly privileged or dealing with sensitive information. And my suspicion is that there is less expertise in macOS threats across those organizations.”

There’s also less tooling, Donohue adds. “Take something like EDR, as an example. These started out as tools for protecting Windows systems and then were later co-opted into being tools for protecting macOS systems as well. And Windows machines have really robust application control policies, but there isn’t really similar functionality in macOS Gatekeeper (which is roughly analogous to Windows Defender). It’s pretty good at finding malicious binaries and creating YARA rules and signatures for them, but a lot of malware developers have been able to sidestep it.”

Elastic’s King adds, “Default operating system controls, while effective, are likely not evolving at a rate alongside adversarial behaviors.” For this reason, King says, “Ensuring sensible access permissions, sufficient hardening controls, and instrumentation that allows for organizations to observe or prevent threats on macOS systems remains important.”
