Akira Ransomware Attacking Airline Industry With Legitimate Tools


Airlines are frequent targets for attackers because they hold sensitive personal and financial details of passengers, as well as travel schedules and loyalty-program data.

Because disrupting an airline's operations can cause serious economic and reputational damage, the sector is attractive to threat actors.

Cybersecurity researchers at BlackBerry found that in June 2024 an Akira ransomware attack on a Latin American airline used SSH for initial access and relied on legitimate tools and LOLBAS for reconnaissance and persistence.

Akira Ransomware Attacking Airline

Before deploying the ransomware, the attacker, who appeared to operate from Linux, had already exfiltrated critical data.

Akira, a RaaS group also tracked as Storm-1567 (aka Punk Spider and GOLD SAHARA), uses double extortion and frequently abuses legitimate software.


This group began its activities in March 2023 and has already received over $42 million in ransoms from more than 250 organizations worldwide, operating across different sectors of the economy.

Akira targets not only Windows systems but also has Linux variants, including one for VMware ESXi virtual machines, which shows how adaptable it is to any IT environment.

Attack chain (Source – BlackBerry)

The attack on the Latin American airline was carried out by exploiting an unpatched Veeam backup server via CVE-2023-27532.

Previously, Akira operators gained access by exploiting CVE-2020-3259 and CVE-2023-20269.

The attackers used SSH to gain entry, created an admin user, and used legitimate tools such as Advanced IP Scanner for reconnaissance. Within 133 minutes, they had exfiltrated data through WinSCP.

Antivirus protection was turned off the following day, and the network was infected with the Akira ransomware binary (w.exe). Shadow copies were deleted to hinder recovery.

The attack also relied on other legitimate programs and LOLBAS techniques, including smbexec from Impacket, NetScan, and AnyDesk for persistence.
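As an added example (not BlackBerry's code or part of the original report), the following Python script correlates constructed endpoint process-creation records against the tools named in this chain and raises an alert only when several stages appear on one host within a short window. The host names, timestamps, command-line forms and record field names are assumptions made for the example.

```python
"""
Added example, not from the BlackBerry report: correlate constructed endpoint
process-creation records against the legitimate tools and LOLBAS commands the
Akira intrusion described above relied on, and alert when several stages show
up on one host inside a short window. Host names, timestamps and the exact
command lines are constructed; the tool names come from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Each stage matches if ANY of its groups has ALL its substrings in the
# lower-cased command line. Multi-token groups avoid firing on benign uses
# such as "vssadmin list shadows".
STAGE_SIGNATURES = {
    "admin_user_created":    [("net user", "/add"), ("net1 user", "/add")],
    "recon_scanner":         [("advanced_ip_scanner",), ("netscan",)],
    "lateral_smbexec":       [("smbexec",)],
    "remote_access_anydesk": [("anydesk",)],
    "exfil_winscp":          [("winscp",)],
    "shadow_copy_deletion":  [("vssadmin", "delete shadows")],
    "ransomware_binary":     [("\\w.exe",)],  # w.exe, the payload named in the report
}

def classify(cmdline):
    """Return the set of stage names a single command line matches."""
    text = cmdline.lower()
    return {stage for stage, groups in STAGE_SIGNATURES.items()
            if any(all(needle in text for needle in group) for group in groups)}

def correlate(records, window=timedelta(hours=48), min_stages=3):
    """Return {host: summary} for hosts with >= min_stages distinct stages
    inside any `window` starting at one of the host's own matched events."""
    hits = defaultdict(list)
    for rec in records:
        for stage in classify(rec["cmdline"]):
            hits[rec["host"]].append((datetime.fromisoformat(rec["ts"]), stage))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        for start, _ in events:
            in_window = [e for e in events if start <= e[0] <= start + window]
            stages = {stage for _, stage in in_window}
            if len(stages) >= min_stages:
                alerts[host] = {
                    "stages": sorted(stages),
                    "first": in_window[0][0].isoformat(),
                    "last": in_window[-1][0].isoformat(),
                }
                break
    return alerts

# Constructed sample telemetry: FS01 shows the reported sequence, WS07 shows an
# administrator using WinSCP and listing shadow copies legitimately.
SAMPLE_RECORDS = [
    {"ts": "2024-06-10T09:02:00", "host": "FS01",
     "cmdline": "net user svc_backup Pa55w0rd! /add"},
    {"ts": "2024-06-10T09:15:00", "host": "FS01",
     "cmdline": "C:\\Users\\svc_backup\\Downloads\\Advanced_IP_Scanner.exe"},
    {"ts": "2024-06-10T11:15:00", "host": "FS01",
     "cmdline": "C:\\Program Files\\WinSCP\\WinSCP.exe /console /script=up.txt"},
    {"ts": "2024-06-11T08:40:00", "host": "FS01",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": "2024-06-11T08:50:00", "host": "FS01",
     "cmdline": "C:\\Windows\\Temp\\w.exe"},
    {"ts": "2024-06-10T14:00:00", "host": "WS07",
     "cmdline": "C:\\Program Files\\WinSCP\\WinSCP.exe"},
    {"ts": "2024-06-10T14:05:00", "host": "WS07",
     "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for host, summary in correlate(SAMPLE_RECORDS).items():
        print(host, summary)
```

A single matched tool on a host (WS07 above) is deliberately not enough to alert, since every tool in the list has legitimate administrative uses.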

According to BlackBerry researchers, the incident involved sophisticated tactics aimed at maximizing impact, both in the damage caused and in the ransom that could be demanded for the release of the affected files.

Endpoint logs from the affected airline showed that Remmina was used, which suggests the attackers were operating from Linux.

Data was exfiltrated to the IP address 77.247.126.158. The activity took place during UTC working hours over two days, which suggests the actors may operate from a time zone at or near UTC, possibly Western Europe.

Akira is a Ransomware-as-a-Service operation that normally targets small and medium-sized businesses but has also attacked some large companies in North America and Europe.

The incident underlines how critical prompt patching and software updates are within corporate networks for blocking such sophisticated threats, and it highlights the group's expansion into Latin America.




Disney “breached”, data dumped online


A group of cybercriminals going by the handle NullBulge claims to have downloaded the Slack channels used by Disney’s developers.

Tweet by NullBulge

“#DisneySlackLeak

#Disney has had their entire dev slack dumped. 1.1TiB of files and chat messages. Anything we could get our hands on, we downloaded and packaged up. Want to see what goes on behind the doors? go grab it.”

The group says it got a hold of a huge amount of data, including unreleased projects and login info:

“1.2 TB of data, almost 10,000 channels, every message and file possible, dumped. Unreleased projects, raw images and code, some logins, links to internal api/web pages, and more! Have fun sifting through it, there is a lot there. We tried to hold off until we got deeper in, but our inside man got cold feet and kicked us out! I thought we had something special {name}! Consider the dropping of literally every bit of personal info you have, from logins to credit cards to SSN, as a warning for people in the future.”

This seems to indicate that the group was helped by an insider, and that it might have obtained even more had that person not backed out of assisting. It’s unlikely that NullBulge had access to customer data through these Slack channels, but it does look as if the group accessed a lot of material that Disney was working on.

Calling itself a hacktivist group that aims for better compensation and protection of artists’ rights, the group then announced the breach on infamous data leak site BreachForums and provided screenshots of its findings.

Post by NullBulge on BreachForums

“Hi there folks, it is us again.

Yesterday we leaked some small DB, now we leak the big guns.

1.1TiB of data. almost 10,000 channels, every message and file possible, dumped. Unreleased projects, raw images and code, some logins, links to internal api/web pages, and more! Have fun sifting through it, there is a lot there.

Perfect for gathering intelligence and more.”

The earlier post NullBulge is referring to is a WordPress database dump of the howwelove[.]com domain. We have no idea what the group’s beef with this relationships-focused website is.

Disney is yet to make a comment. We’ll keep this post updated with the latest developments.



Why I Ditched My Apple Watch for Samsung’s Galaxy Ultra


I’ve been an Android user since 2009 when I purchased the Motorola Droid from Verizon. I started working here at AndroidHeadlines in 2012, and since then, I’ve reviewed almost every smartphone and most smartwatches ever since. In 2020, I got bored of the same old and bought an iPhone 12 Pro. Shortly after that, I traded in my Fitbit for an Apple Watch Series 5. I quickly fell in love. The main reason why I ditched my Fitbit was because it decided it was “too far” away from my phone to sync, even though it was literally touching it.

After a couple of years, I upgraded to the Apple Watch Ultra and never looked back. Since switching to the iPhone and Apple Watch, I’ve reviewed a fair number of Wear OS watches, including the first Google Pixel Watch, the OnePlus Watch 2, and the Galaxy Watch 6 Classic, and I even bought the Galaxy Watch 5 only to return it. But the Galaxy Watch Ultra is the watch that is making me ditch the Apple Watch for good.

When the leaks of the Galaxy Watch Ultra started to come out, I was intrigued. Not so much because it would look a lot like Apple’s option, but because it’s a big watch. I never used to like big watches, but the Apple Watch Ultra changed that for me. When I saw the Galaxy Watch Ultra in person last week ahead of Unpacked, I was sold.

After Unpacked, I picked up my review devices, and if it weren’t for the fact that I needed a phone to connect my Galaxy Watch Ultra to, it would have been the first thing I unboxed. And so far, I’m loving this watch.


What Samsung did right

With the Galaxy Watch Ultra, Samsung did a lot right, but there are still some complaints here. It’s a big watch, with “cushions” on the corners to help keep it from getting destroyed. That’s because this watch is made for hikers, bikers, and more. However, I wish that Samsung had added more battery inside this watch since it is larger. Instead, it has the same battery size as the Galaxy Watch 6 Classic 47mm. It’s okay since the watch lasts multiple days on a charge, but a bigger battery would definitely be welcome.

Speaking of battery life, it’s pretty decent. So far, I’ve found that with AOD on, I’d get right around 48 hours or two full days. With it off, it’s a little over three days. That’s still more than the Apple Watch Ultra.

The new processor inside the Galaxy Watch Ultra is also very snappy, the Exynos W1000. While some thought it was laggy from the hands-on demos, that’s not entirely true. It was laggy due to the demo software being loaded onto the device. Without that software, it’s as smooth as butter.


What Samsung’s missing

The biggest thing missing from the Galaxy Watch Ultra is the rotating bezel. It’s a feature that Samsung introduced quite some time ago with the Samsung Gear S2 back in 2015. It’s a fan favorite and an incredible way to navigate through Wear OS on your wrist. It’s a bit strange that it was not included on the Galaxy Watch Ultra, even on the Quick Button, which actually rotates but does nothing.

There are some things that Apple has in its watchOS that are still missing from Wear OS. Like a super easy way to open up Google Wallet. You can open Apple Pay by double-tapping the second button on the watch; that doesn’t work on the Galaxy Watch Ultra. And besides tracking my activity, that’s the second thing I do with my watch most often. I will say that the Tiles are better than Apple’s widgets on the watch, but things like the Google Home Tile are still a bit cumbersome compared to using Apple’s Homekit on its watches.

The last thing that Samsung is missing is a more robust health app. Samsung Health is pretty good, and does have better challenges than Apple has. But Apple’s Health app has so many different things that it can track for you, it really leaves Samsung in the dust. I’m someone who has a Vitamin D deficiency, so I try to spend more time outside in the sun. The Apple Watch can track that for me, I found that at Google I/O I spent about 10 hours outside which was crazy. But the Galaxy Watch Ultra does not do that. That’s just one example of what the Apple Health app can record, but I really hope Samsung does add more of those features to its health app.


Why Samsung got me to ditch the Apple Watch

Most of this year, I’ve been wanting to ditch my Apple Watch. But there are a few things that really kept me on the Apple Watch. One, was how easy Apple Pay is to use on it. Another specific app that is not available on Android is Flighty. It’s a really good app to use for someone that travels a lot like me. It gives me updates on my flight, oftentimes before the Airline does. And having that on my wrist is really useful.

The Galaxy Watch Ultra has gotten me to stick around. Even though I have not written the review yet, I do plan to stick with it until at least the Pixel Watch 3 launches next month. The more I look at the Galaxy Watch Ultra, the more I like this polarizing design.



Google Announced 5x Raise In Its Bug Bounty Program Rewards


A lucrative opportunity to win hefty bounties has arrived for security researchers. Google has increased the bug bounty payouts for its Vulnerability Reward Program by fivefold, rewarding up to $151,000.

Google Increased Bug Bounty Rewards To Lure Researchers

According to the recent updates Google shared for bug hunters, the tech giant has announced a five-fold increase in its bug bounty program rewards.

Google Vulnerability Rewards Program (VRP) has long been an attractive money-making opportunity for security researchers to earn well-deserved bounties for their security findings. However, as Google stated, the subsequent security upgrades in Google products have made finding bugs challenging for the security community. Hence, the firm decided to remunerate the researchers for the time and effort involved in this task.

As per the revised reward limits, researchers can earn a maximum reward of $101,010 for a high-severity remote code execution vulnerability report. Plus, for an exceptional vulnerability report, Google applies a 1.5x modifier to boost the reward, making $151,515 the maximum reward amount.

This 1.5x modifier doesn’t only apply to the RCE reports. Instead, Google has introduced this reward-enhancing formula for all bug reports. That means in addition to a five-times increase, researchers may also earn even higher payouts for exceptional reports. Some examples that Google listed are shared below.

| Example vulnerability | New reward | Old reward |
|---|---|---|
| A logic flaw leading to an accounts.google.com @gmail.com account takeover | ($50,000 * 1.5) = $75,000 | $13,337 |
| XSS on idx.google.com | ($10,000 * 1.5) = $15,000 | $3,133.70 |
| A logic flaw disclosing PII on home.nest.com (a tier 1 acquisition domain) | ($2,500 * 1.5) = $3,750 | $500 |

While the 1.5x modifier applies only to exceptional-quality reports, Google also applies 1x and 0.5x modifiers to good-quality and low-quality reports, respectively.

Besides, Google has also modified the application tiers for its bug bounty program, making it more transparent for the researchers. Interested researchers may find the details here to apply accordingly.




This 55-inch Roku Pro Series 4K TV is only $699


Roku announced its first set of TVs last year, which included the Select and Pro models. The Pro model is a more high-end TV set with a QLED panel, and today it is on sale ahead of Prime Day. You can save $200 on this 55-inch Roku Pro series TV, which is now just $699.

That is actually a really incredible price for this TV, seeing as most other QLED 4K TVs are much closer to $1,000. And this one does have Roku built-in.

Roku built-in is not new for TVs; it’s what has made companies like TCL and Hisense so popular here in the US. But now we’re getting TVs straight from Roku, which means that their software is going to be even more integrated. With Roku, you can, of course, watch live TV and even use your cable box. So whether you want to cut the cord or not, Roku has you covered here.

Of course, Roku also has a slew of great apps available, including Netflix, Apple TV+, Peacock, Hulu, The Roku Channel and many more. Popular FAST channels like Tubi and Pluto TV are also available.

Roku has included a QLED panel on this TV, which provides you with some incredible color accuracy here and is pretty bright. This panel is also a 120Hz panel, making it great for gaming. Dolby Vision IQ is included, as well as the new Roku Voice Remote Pro.

If you’re in the market for a new TV, this is definitely a good one to pick up, and at the lowest price ever.




ViperSoftX Weaponizing AutoIt And CLR For Stealthy PowerShell Execution


ViperSoftX is an advanced malware family that has grown more sophisticated since it was first identified in 2020; it now spreads through eBooks distributed on torrent sites.

Unlike many malware developers, who focus on writing new code rather than improving evasion, ViperSoftX’s creators reuse components from offensive security scripts.

This makes ViperSoftX a major threat, and users need effective countermeasures against it.

Building strong preventive measures requires a thorough understanding of its infection chain, payload execution, and stealth techniques.


Cybersecurity researchers at Trellix recently discovered that the newest variant of the malware uses the CLR (Common Language Runtime) to dynamically load PowerShell commands from AutoIt, which improves its evasion and allows stealthy PowerShell execution.

ViperSoftX Weaponizing AutoIt & CLR

It all begins when victims download what looks to be a legitimate book from a rogue torrent.

This RAR archive contains hidden threats: a hidden folder, deceptive shortcut files, and scripts disguised as images.

Infection flow (Source – Trellix)

When the shortcut is run, it triggers a series of commands that reveal the hidden folder, name the disk sizes in a specific manner, create persistent Windows scheduled tasks, and drop hidden AutoIt scripts onto the system.

Rar folder content (Source – Trellix)

This complex multi-stage attack leverages file obfuscation and automation to deploy malware while evading detection.

eBook torrent link (Source – Trellix)

Researchers said it leverages AutoIt’s ability to interact with the .NET CLR framework, enabling PowerShell command execution.

The malware employs advanced mechanisms to evade AMSI, decrypt multi-layered payloads, and collect information from the system to target cryptocurrency wallets.

Afterward, the data, including highly detailed user system information, is sent to its C2 server through false hostnames and Base64-encoded user agents.

Through layered evasion and blending with legitimate traffic, ViperSoftX can compromise targeted systems and steal cryptocurrency without being detected.

To send collected data to a remote server, the pOPSKX function creates a web client, sets up headers, and sends an abnormal POST request with a content length of 0 to evade detection.

It then checks the server’s “worker” response header to determine whether more work is required and whether the global worker variable should be set to true or false.

The traffic also passes through Cloudflare services, which obscure its origin and make it impossible to trace.

ViperSoftX gathers relevant information, records it, and sends this data to its command-and-control (C2) servers.

It also captures screenshots and clipboard contents on Windows systems, looks for additional payloads on the internet, runs reconnaissance tools or utilities against targets, and uses a self-destruction mechanism where necessary.

Using the CLR, PowerShell can be run from AutoIt to evade detection and to patch the Antimalware Scan Interface (AMSI).

Understanding ViperSoftX’s tactics and developing comprehensive defenses can mitigate its threat.




Crypto Scammer Returns $9.27 Million Out of $24M Crypto Theft


Crypto scammer sensationally returns $9.27 million to a victim after $24 million theft. Unprecedented move in crypto crime. Scam Sniffer reveals shocking details.

A crypto scammer has returned $9.27 million in stablecoins to a victim. This restitution, equating to 38.26% of the total stolen amount, was reported by Scam Sniffer, an anti-scam platform focused on the cryptocurrency industry.

Scam Sniffer disclosed the details of this unusual event on its official X account, revealing that the original theft occurred in September 2023. During this incident, the victim lost $24.23 million in various crypto assets, including rETH and stETH coins.

The scam was executed through a sophisticated phishing attack which successfully deceived the victim and resulted in the loss of such a significant sum. Scam Sniffer pointed out that the victim signed off on “increaseAllowance” transfers, a common tactic used by scammers to gain access to a victim’s crypto holdings.

Further investigation by Scam Sniffer linked the scammer’s address to several phishing websites within the crypto space. Additionally, some of the stolen funds were moved to @FixedFloat, a platform known for its rapid crypto exchange services.

This partial restitution of funds represents an unusual and rare occurrence in the world of crypto scams, bringing a glimmer of hope to victims of such fraudulent schemes.

Not the first time

This is not the first time that a scammer has returned some of the stolen crypto to their victims. There have been numerous such cases in the past, for instance, the following:

- March 2018: Hacker returned $17 million worth of stolen Ethereum
- April 2020: Hacker returned $25 million after their IP address was exposed
- October 2020: Hacker stole $24M, returned $2.5M to Harvest Finance DeFi
- January 2020: Multichain hacker returned $1M, keeps $150K as a bug bounty
- March 2023: Hacker returned $200 million stolen from London’s Euler Finance

If your business involves cryptocurrency-related legal activities, you require the highest level of security to protect not only your assets but also customer funds and data. For your convenience, here is a list of the 6 best crypto bug bounty programs.



Hackers Exploited Windows MSHTML Vulnerability For Over A Year


Researchers revealed that the recently patched Windows MSHTML vulnerability was under attack for over a year before Microsoft fixed it. Although a patch is now available, it remains crucial for all vulnerable systems to apply it and to be scanned for signs of compromise.

Windows MSHTML Vulnerability Exploit Works Against Windows 10, 11 Alike

According to Check Point Research (CPR), criminal hackers had exploited the recently fixed Windows MSHTML vulnerability for eighteen months.

As explained, the exploit worked because of the vulnerable “mhtml” trick that allowed the adversary to call Internet Explorer instead of Microsoft Edge.

While Microsoft has replaced the Internet Explorer browser with Microsoft Edge, ending support in 2022, it remains somewhat accessible on Windows 10 systems, where it was available at the time of OS launch. In fact, CPR observed the same behavior with the latest Windows 11 too, which makes even the most recent Windows systems vulnerable to the MSHTML attack.

Regarding the exploit, the researchers stated that the attackers used a previously unknown trick to lure users into opening maliciously crafted files. The trick allowed the attackers to create files with a .url extension that would call Internet Explorer because they used the mhtml: URI handler.

However, to evade detection, the attackers hid the “.url” extension, making the files appear as PDF files. Clicking the file would open the Internet Explorer browser, downloading an archive with the data-stealing malware from the attacker-controlled web page. While the process would generate several prompts that may alarm a savvy user, an average user may not pay attention to the prompts, eventually falling prey to the attack.

The researchers have explained the entire attack strategy in their post.
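As an added example (not Check Point's code), the Python script below parses Internet Shortcut (.url) files, flags a URL that uses the mhtml: handler, and flags a file name that hides the .url extension behind a document extension such as .pdf. The sample shortcut contents, file names and the list of disguise extensions are constructed for this example.

```python
"""
Added example (not Check Point's code): a defender-side check for Internet
Shortcut (.url) files of the kind described above. It parses the INI-style
[InternetShortcut] section, flags a URL that uses the mhtml: handler (which
hands the request to the legacy Internet Explorer engine), and flags a name
that hides the .url extension behind a document-looking one such as .pdf.
The shortcut contents and file names below are constructed for this example.
"""
import configparser

# Extensions an attacker would want a shortcut to masquerade as (assumed list).
DISGUISE_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png")

def parse_internet_shortcut(text):
    """Return the [InternetShortcut] fields (keys lower-cased) or None if the
    text is not a parseable Internet Shortcut file."""
    # Only "=" separates keys from values; ":" must stay part of the URL.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return dict(cp["InternetShortcut"])

def url_scheme(url):
    """Scheme before the first ':' (lower-cased), or '' if there is none."""
    head, sep, _ = url.partition(":")
    return head.strip().lower() if sep else ""

def assess(filename, text):
    """Return a list of human-readable findings for one candidate file."""
    findings = []
    fields = parse_internet_shortcut(text)
    if fields is None:
        return findings
    if url_scheme(fields.get("url", "")) == "mhtml":
        findings.append("URL uses the mhtml: handler, which opens Internet Explorer")
    name = filename.lower()
    stem = name[:-len(".url")] if name.endswith(".url") else name
    for ext in DISGUISE_EXTENSIONS:
        if stem.endswith(ext):
            findings.append(f"file name disguises a .url shortcut as {ext}")
            break
    return findings

def scan(files):
    """Map file name -> findings for every (name, text) pair that has any."""
    return {name: f for name, text in files if (f := assess(name, text))}

# Constructed samples: a disguised shortcut using mhtml:, and a benign one.
SUSPICIOUS = ("Invoice_2024.pdf.url",
              "[InternetShortcut]\nURL=mhtml:http://files.example.invalid/open.mhtml\n")
BENIGN = ("Company Portal.url",
          "[InternetShortcut]\nURL=https://intranet.example.invalid/\nIconIndex=0\n")
SAMPLE_FILES = [SUSPICIOUS, BENIGN, ("notes.txt", "just a text file")]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_FILES).items():
        print(name, "->", "; ".join(findings))
```

Run over a mail-attachment quarantine or a download directory, the two findings together (mhtml: scheme plus a document-looking name) are the combination the article describes, while either alone is worth a second look.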

Microsoft Fixed The Vulnerability with July 2024 Patch Tuesday

Upon discovering the vulnerability, Check Point Research reported the matter to Microsoft in May 2024. In response, the tech giant patched the vulnerability with the July 2024 Patch Tuesday updates, disclosing the flaw as a zero-day.

Though the patch has arrived, the researchers still advise users to remain cautious when opening .url files from untrusted sources.




The Impressive Bose SoundLink Flex Bluetooth speaker is now just $99


Amazon has the new Bose SoundLink Flex Bluetooth speaker on sale today with $50 off, bringing the price down to just $99. That’s a pretty good price for a Bluetooth speaker of this caliber. The discount is also larger than it looks, because Bose rarely discounts its products: typically only around Black Friday/Cyber Monday and Prime Day, and that’s about it. So not only is this price drop rare, but it is also the lowest the Bose SoundLink Flex has ever been.

The Bose SoundLink Flex comes in three colors: Black, White, Smoke, and Stone Blue. The Stone Blue is a really nice color. It’s a waterproof speaker (IP67 certified), so feel free to take it to the beach or the lake, or even use it in the shower, which makes it great for outdoor adventures.

Bose says the SoundLink Flex is packed with exclusive technologies and has a custom-engineered transducer for deep, clear, and immersive audio at home or on the go. Thanks to the proprietary PositionIQ Technology inside, the speaker automatically detects its orientation to deliver optimal sound quality in any position or environment.

Battery life is also pretty impressive: about 12 hours of continuous playback, which will get you through a day at the beach without any issues. It recharges over USB-C, which is great to see, as a lot of other speakers still stick with micro-USB for charging to cut costs.

There’s also a nice carabiner on the speaker, so you can clip it to your backpack and listen to music while you’re biking down a trail this summer. It’s a really great product to take on any outdoor adventure this summer, especially now that everything is opening up again.

You can pick up the Bose SoundLink Flex Bluetooth speaker from Amazon today by clicking the link down below.




Cellopoint Secure Email Gateway Flaw-Attackers Execute Arbitrary Code


A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as CVE-2024-6744.

This flaw, assigned a CVSS score of 9.8, poses a severe risk to organizations using this email security solution.

According to the TWCERT report, the vulnerability resides in the Secure Email Gateway’s SMTP Listener component, specifically in versions before 4.5.0. The flaw stems from improper validation of user input, leading to a buffer overflow.

This weakness allows an unauthenticated, remote attacker to execute arbitrary system commands on the affected server, potentially compromising the entire email infrastructure.


Technical Details

| CVE ID | CVSS Score | Vector | Affected Products |
|---|---|---|---|
| CVE-2024-6744 | 9.8 (Critical) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Secure Email Gateway before version 4.5.0 |

Cellopoint has responded promptly to this critical issue by releasing a patch, Build_20240529, which addresses the vulnerability.

All organizations using the affected versions of Secure Email Gateway must install this patch immediately to mitigate the risk of exploitation.

The discovery of CVE-2024-6744 highlights the ongoing challenges in securing email gateways, which are critical components of enterprise communication infrastructure.

An attacker’s ability to execute arbitrary code remotely without authentication underscores the importance of regular security updates and vigilant monitoring. Cellopoint has been credited with identifying and addressing this vulnerability.

The public disclosure of this flaw on July 15, 2024, aims to ensure that all affected users are aware and can take necessary action to protect their systems.


