• Oracle’s massive April Update, Cisco’s NX-OS fix and many more: Patch Tuesday - Week 3, April 2019
  • Threat actors use .tk redirects as front for new PushKa notification scam
    Threat actors are using .tk redirects as a front for a new PushKa notification scam. Cybercriminals behind this campaign rely on a combination of site redirects and push notifications to send spam ads to victims. Disposable .info domains are used extensively in order to carry out this scam.
  • Unprotected database belonging to JustDial exposes personal information of almost 100 million users
    An unprotected database belonging to JustDial exposed the personal information of almost 100 million users who accessed the service via its website, mobile app, or by calling its customer care number. The exposed data includes JustDial users’ names, email addresses, mobile numbers, location addresses, genders, dates of birth, photos, designations, company names, and more.
  • ‘NamPoHyu Virus’ ransomware targets vulnerable Samba servers
    ‘NamPoHyu Virus’ ransomware targets vulnerable Samba servers. The ransomware was first detected in March 2019. The attackers are launching the malware directly on vulnerable Samba servers after brute-forcing the passwords.
  • After FBI agents, hackers now release personal information of AAF members
    After FBI agents, hackers have now released the personal information of AAF members. In the last week, the hacker group that goes by the name ‘PokemonGo Team’ had uploaded the personal information of several Federal agents. The hackers could have exploited a flaw in the third-party software used by the websites associated with the FBINAA in order to steal the data.
  • eGobbler hacking group launches flurry of malvertising campaigns to steal 500 million iOS users’ sessions
    The eGobbler hacking group has launched a flurry of malvertising campaigns to steal iOS users’ sessions. More than 500 million iOS users have been targeted in massive malvertising campaigns conducted for almost a week. The attacks are primarily focused on users in the US and European countries.
  • Ukrainian Government and Military targeted with spear phishing campaign
    The Ukrainian Government and Military have been targeted with a spear phishing campaign. The campaign drops a powerful backdoor dubbed ‘RATVERMIN’ as a second-stage payload delivered with the help of a PowerShell script. Researchers suspect that the attackers behind the spear phishing campaign might be associated with the Luhansk People's Republic (LPR) group.
  • A new variant of Hawkeye keylogger ‘Reborn v9’ arises
    A new variant of the Hawkeye keylogger, ‘Reborn v9’, is appearing in the cybercrime market. HawkEye Reborn v9 is currently marketed as an ‘Advance Monitoring Solution’ and is sold using a licensing model. HawkEye Reborn v9 also includes a ‘Terms of Service agreement’ which forbids buyers from using the software on systems without permission and from scanning its executables using antivirus software.
  • U.S. Army Researchers Identify New Way to Improve Cybersecurity
    Researchers at the U.S. Army Combat Capabilities Development Command’s Army Research Laboratory, the Army’s corporate research laboratory also known as ARL, and Towson University may have identified a new way to improve network security. Many cybersecurity systems use distributed network intrusion detection, which allows a small number of highly trained analysts to monitor several networks at the same time, reducing cost through economies of scale and more efficiently leveraging limited cybersecurity expertise; however, this approach requires that data be transmitted from network intrusion detection sensors on the defended network to central analysis servers. Working on the theory that malicious network activity would manifest its maliciousness early, the researchers developed a tool that would stop transmitting traffic after a given number of messages had been transmitted. “This strategy should be effective in reducing the amount of network traffic sent from the sensor to central analyst system,” said Sidney Smith, an ARL researcher and the study’s lead author.
  • RevengeRAT Distributed via Bit.ly, BlogSpot, and Pastebin C2 Infrastructure
    Palo Alto Networks' Unit 42 discovered that the threat actors behind the campaign dubbed "Aggah" employed C2 infrastructure built using only legitimate services to drop RevengeRAT (also known as Revetrat) payloads on organizations from "Technology, Retail, Manufacturing, State/Local Government, Hospitality, Medical, Technology, and other Professional business." "Our analysis of the delivery document revealed it was built to load a malicious macro-enabled document from a remote server via Template Injection," found Unit 42's researchers. Also, "These macros use BlogSpot posts to obtain a script that uses multiple Pastebin pastes to download additional scripts, which ultimately result in the final payload being RevengeRAT configured with a duckdns[." [Figure: lure image used in decoy document] The campaign was first detected by Unit 42 on March 27 after the decoy file, camouflaged to look like an official document from a financial institution and sent with a "Your account is locked" email subject, was delivered to entities from a Middle Eastern country.
  • Attackers Compromise Admin Account to Infect Manufacturing Company With BitPaymer Ransomware
    Threat actors compromised an account with administrator privileges to infect a manufacturing company with BitPaymer ransomware. A Trend Micro investigation found that the attackers sent commands via PsExec, a command-line tool for executing processes on remote computers, to copy and execute a variant of BitPaymer between 9:40 p.m. and 11:03 p.m. on Feb. 18, 2019. These attack attempts occurred remotely and filelessly, though Trend Micro did detect binaries associated with Dridex, a banking Trojan that ESET linked to BitPaymer’s creators last year. Ransom.Win32.BITPAYMER.TGACAJ, the BitPaymer variant involved in this attack, is not a new variant, but it was unique in that it used the victim organization’s name in its ransom note and as an extension name for encrypted files. To defend against a ransomware infection, security professionals can use an endpoint detection and response (EDR) tool to monitor IT devices for suspicious activity.
  • Scammers are selling 3.2 million payment records stolen from Indian cardholders
    India now ranks third internationally when it comes to the number of stolen records for sale on the dark web, following the U.S. and U.K. “Criminals continuously search for payment cards from specific banks that provide the highest return on investment, and largely spend money only when confident that they stand to make a profit,” researchers said in a report. Many payment breaches go unreported in India, meaning banks are slow to stop cards from being used for fraudulent purposes, said Stas Alforov, Gemini Advisory’s director of research and development. The median price of the stolen card data in India jumped from roughly $7 in 2017 to $17 last year, Gemini Advisory found. “The rising cost of Indian compromised payment cards and the demand for such cards suggests that criminals have identified multiple reliable ways of monetizing such data,” Alforov said.
  • Report Finds More than Half of Ransomware Victims Would Pay the Ransom
    Telstra’s 2019 Security Report has found that the majority of respondents who have been victims of ransomware attacks have paid the attackers to unlock files. Of the 320 Australian respondents, 51 per cent said that they had paid ransomware attackers to regain access to encrypted files. Further, the Report found that 77 per cent of Australian businesses that had paid a ransom were able to retrieve their data after making the payment. Whilst this was the lowest rate of data retrieval post-payment out of the 13 countries in the survey, 79 per cent of the Australian respondents still said that they would pay the ransom again if they had no back-up files available. The Report also found that the number of ransomware attacks on Australian businesses was higher than in other developed countries such as the United Kingdom, Germany and France. Thirty-two per cent of the Australian respondents indicated that their business had been interrupted ‘on a weekly or monthly basis’ by ransomware attacks.
  • Millions of records about Middle Eastern drivers left in an insecure database
    Written by Jeff Stone Apr 18, 2019 | CYBERSCOOP Records containing sensitive information on perhaps millions of Iranian drivers were left unsecured in a publicly available database for days, according to security research published Thursday. More than 6.7 million records from 2017 and 2018 were estimated to be exposed in a database discovered by researcher Bob Diachenko. Information included drivers’ first and last names, their Iranian ID numbers stored in plain text, their phone numbers, and other data such as invoice information. Diachenko says he was able to contact some of the drivers included in the database, and that he has notified Iran’s Computer Emergency Response Team about the data exposure. Researchers have previously discovered numerous vulnerabilities in MongoDB databases, which allow users to store vast quantities of information in a single place. Diachenko previously found personal data belonging to 202 million Chinese job seekers and, later, 24 million financial records.
  • Hacking Team’s New Owner: ‘We’re Starting From Scratch’
    At the beginning of April, Swiss-Italian company InTheCyber announced that it had acquired a majority stake in Hacking Team, and that it was merging the two companies into a new one called Memento Labs. Lezzi, who has worked in the cybersecurity industry for years, was adamant that Memento Labs needs to “get the company back on its feet.” That means revamping the product and rewriting the code almost from the ground up. David Vincenzetti, one of the founders of Hacking Team, is out, according to Lezzi. Vincenzetti’s role, as of now, is that of informal advisor to Lezzi, who was quick to point out that Vincenzetti has no formal role in the new company. When asked about the Saudi investors, who own 20 percent of the company, Lezzi was less forthcoming, saying he has never met them. Lezzi said that, for now, the new company will keep Hacking Team’s customers.
  • Shopify API flaw offered access to revenue data of thousands of stores
    A researcher discovered a security flaw in a Shopify API endpoint that could be exploited to leak the revenue and traffic data of thousands of stores. This API was meant to be used internally to fetch sales data for graph presentations, but the system was found to be leaking the revenue data of two unnamed Shopify stores, one of which had been removed from the platform. The researcher set up a new store and used $storeName on the same API endpoint to test whether or not the system was vulnerable to an Insecure Direct Object Reference (IDOR) bug. A further test of these records using a Bash script was then carried out, resulting in a list of vulnerable stores which were leaking the "sales data of Shopify merchants that includes a monthly breakdown of revenue in USD of thousands of stores from 2015 until today." "We have a list of vulnerable stores, so if we query any of them, we would get a breakdown of monthly revenue data in USD of the current store during its lifetime," the researcher added.
  • Cyberwar against NATO: Who are Earworm and APT28?
    This practice has meant that the group has been able to steal confidential, sensitive data from several of the most important institutions and governments in the world. Evidence seems to suggest that the members of Earworm, also known as Zebrocy, are linked to APT28 (also known as Fancy Bear), a cybercriminal group that has been stealing government intelligence for years, especially from countries it considers to be enemies. The UK’s National Cyber Security Centre has also accused Earworm and Russian intelligence of carrying out attacks on several countries’ institutional cybersecurity. This software was installed on the computer, and was able to automatically download other malware tools. Wherever possible, an institution’s most sensitive and confidential information should be stored in systems with no Internet connection.
  • DLL Cryptomix Ransomware Variant Installed Via Remote Desktop
    In this variant, the ransom note continues to be named _HELP_INSTRUCTIONS_.TXT, but it now lists the dllteam@protonmail.com, dllteam1@protonmail.com, dllpc@mail.com, dllpc@tuta.io, laremohan@tuta.io, claremohan@yandex.com, and mohanclare@yandex.com email addresses for a victim to contact for payment information. With this version, when a file is encrypted by the ransomware it will modify the filename and then append the .DLL extension to the encrypted file's name. In order to protect yourself from ransomware it is important that you use good computing habits and security software. The most important step is to always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack. You should also make sure that you do not have any computers running remote desktop services connected directly to the Internet.