The European Union, a persistent challenge for tech giants, is once again making its presence felt. A recent report indicates that Apple might be facing a substantial fine (potentially reaching $539 million) imposed by the EU for creating “unfair trading conditions” for its rivals. Now, it seems TikTok is also under the EU’s scrutiny. Reuters reports that the European Union will launch an investigation into whether TikTok violated online content regulations designed to safeguard children and ensure transparent advertising. EU industry chief Thierry Breton decided to open the probe after reviewing TikTok’s risk assessment report and its responses to information requests. If found guilty, TikTok could face a substantial fine.
Today we open an investigation into #TikTok over suspected breach of transparency & obligations to protect minors:
The EU’s Digital Services Act (DSA), which became effective for all online platforms on February 17, mandates that notably large online platforms and search engines take additional measures to combat illegal online content and protect public safety. If TikTok is found to have violated the rules outlined in the DSA, ByteDance, the owner of TikTok, could potentially face fines amounting to up to 6% of its global turnover. For context, statistics show that TikTok generated an estimated $9.4 billion in revenue in 2023. This could potentially result in a fine of around $500 million.
TikTok stated that it remains committed to collaborating with experts and the industry to ensure the safety of young people on its platform. The company also expressed its readiness to provide detailed explanations of its efforts to the European Commission. A TikTok spokesperson said:
TikTok has pioneered features and settings to protect teens and keep under 13s off the platform, issues the whole industry is grappling with.
The European Commission mentioned that the investigation will look into TikTok’s system design, including its algorithmic features, which might encourage addictive behaviors and lead to what’s known as the rabbit hole effect.
The rabbit hole effect is a metaphor that describes the phenomenon of becoming deeply engrossed in something, typically to the point of losing track of time or neglecting other responsibilities. It’s often used in the context of the internet, where algorithms and user engagement strategies can keep people clicking on related content for hours on end.
For reference, research shows that just on Android phones, we spent a whopping 2.3 trillion hours on social media in 2023, and TikTok is the king of the social media jungle.
The European Commission will also check if TikTok has set up measures that are suitable and proportional to guarantee a high level of privacy, safety, and security for minors. Apart from the concern for protecting minors, the Commission is examining whether TikTok offers a reliable database of ads on its platform, enabling researchers to analyze potential online risks. Stay tuned for updates.
Earlier this week, Europol and the UK’s National Crime Agency announced they had successfully taken down the dark web platform associated with LockBit, a notorious ransomware group.
LockBit has been one of the most active and prolific ransomware groups, and this operation is a significant win for law enforcement and the fight against ransomware.
LockBit, a notorious ransomware group, operates a leak site where they threaten to leak and publish stolen data from their victims. This site has now been taken down and replaced by a featured image that indicates law enforcement has taken control of the site.
LockBit Ransomware Gang
The image shows a takedown notice that a group of global intelligence agencies posted on LockBit’s dark web site.
The image includes flags of the countries involved in the operation and logos of the police forces. It appears that the authorities have successfully taken down the infrastructure of this criminal group.
Current Analysis:
The dark web leak site that LockBit used to name their victims who hadn’t paid the ransom is now under the control of the UK’s National Crime Agency.
Every single known Lockbit ransomware group website is either offline or displaying a seized by EUROPOL page.
It appears law enforcement has seized and/or taken down, at minimum, 22 Tor sites, in what is labeled ‘Operation Cronos’.
The message on the site indicates that the operation was part of “Operation Cronos,” which involved the FBI, Europol, and several other European and Asian law enforcement agencies.
About Lockbit Ransomware:
LockBit ransomware remained a popular choice for cybercriminals in 2023. Since January 2020, LockBit affiliates have targeted organizations of varying sizes in critical infrastructure sectors, including banking, education, energy, healthcare, transportation, government and emergency services, food, and agriculture.
The LockBit ransomware group operates on a ransomware-as-a-service model and has been one of the most active threat actors globally.
Managed Care of North America Inc. was one of the previous victims of LockBit in May 2023. In June 2022, authorities in Arizona arrested a person believed to be affiliated with the gang and linked to other LockBit ransomware attacks that affected victims across the Americas, Europe, and Africa.
Foxsemicon Integrated Technology Inc., a division of Hon Hai Precision Industry Co. Ltd., was one of the most recent victims of LockBit in January.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
On the internet, people need to worry about more than just opening suspicious email attachments or entering their sensitive information into harmful websites—they also need to worry about their Google searches.
That’s because last year, as revealed in our 2024 ThreatDown State of Malware report, cybercriminals flocked to a malware delivery method that doesn’t require they know a victim’s email address, login credentials, personal information, or, anything, really.
Instead, cybercriminals just need to fool someone into clicking on a search result that looks remarkably legitimate.
This is the work of “malicious advertising,” or “malvertising,” for short. Malvertising is not malware itself. Instead, it’s a sneaky process of placing malware, viruses, or other cyber infections on a person’s computer, tablet, or smartphone. The malware that eventually slips onto a person’s device comes in many varieties, but cybercriminals tend to favor malware that can steal a person’s login credentials and information. With this newly stolen information, cybercriminals can then pry into sensitive online accounts that belong to the victim.
But before any of that digital theft can occur, cybercriminals must first ensnare a victim, and they do this by abusing the digital ad infrastructure underpinning Google search results.
Think about searching on Google for “running shoes”—you’ll likely see ads for Nike and Adidas. A Google search for “best carry-on luggage” will invariably produce ads for the consumer brands Monos and Away. And a Google search for a brand like Amazon will show, as expected, ads for Amazon.
But cybercriminals know this, and in response, they’ve created ads that look legitimate, but instead direct victims to malicious websites that carry malware. The websites themselves, too, bear a striking resemblance to whatever product or brand they’re imitating, so as to maintain a charade of legitimacy. From these websites, users download what they think is a valid piece of software, instead downloading malware that leaves them open to further attacks.
A malicious ad for the KeePass password manager appears as a legitimate ad.
The real KeePass website (left) side-by-side with a malvertising site (right).
It’s true that malvertising is often understood as a risk to businesses, but the copycat websites that are created by cybercriminals can and often do impersonate popular brands for everyday users, too.
As revealed in our 2024 ThreatDown State of Malware report, the five most impersonated brands for malvertising last year included:
Amazon
Rufus
Weebly
NotePad++
TradingView
These five brands may not all carry the same familiarity, but their products and services capture a broad swath of user interest, from Weebly’s website creation products, to TradingView’s investment trading platform, to Rufus’s niche-but-useful portable OS booting tool.
Why the increase in malvertising last year?
If Google ads have been around for more than a decade, why are they only being abused by cybercriminals now? The truth is, malvertising has been around for years, but a particular resurgence was recorded more recently.
In 2022, cybercriminals lost access to one of their favorite methods of delivering malware.
That summer, Microsoft announced that it would finally block “macros” that were embedded into files that were downloaded from the internet. Macros are essentially instructions that users can program so that multiple tasks can be bundled together. The danger, though, is that cybercriminals would pre-program macros within certain files for Microsoft Word, Excel, or PowerPoint, and then send those files as malicious email attachments. Once those attachments were downloaded and opened by users, the embedded macros would trigger a set of instructions directing a person’s computer to install malware from a dangerous website online.
Macros were a scourge for cybersecurity for years, as they were effective and easy to deliver.
But when Microsoft restricted macro capabilities in 2022, cybercriminals needed to find another malware delivery channel. They focused on malvertising.
Today’s malvertising is increasingly sophisticated, as cybercriminals can create and purchase online ads that target specific types of users based on location and demographics. Concerningly, modern malvertising can even avoid basic fraud detection as cybercriminals can create websites that determine whether a user is a real person or simply a bot that is trawling the web to find and flag malicious activity.
How to protect against malvertising
The threat of malvertising is multi-layered: There are the fraudulent ads that cybercriminals place on Google search results, the malicious websites that imitate legitimate brands and companies to convince users to download malware, and the malware infection itself.
As such, any successful defense strategy must be multi-layered.
For safe browsing, people can rely on Malwarebytes Browser Guard, a browser extension that blocks third-party tracking and flags malicious websites known to be in the control of cybercriminals. As we wrote before:
“Malwarebytes Browser Guard provides additional protection to standard ad-blocking features by covering a larger area of the attack chain all the way to domains controlled by attackers. Thanks to its built-in heuristic engine it can also proactively block never-before-seen malicious websites.”
The problem with malvertising, though, is that new malicious websites are created every single day. Cybersecurity defenders, then, are often caught in a game of catch-up.
Here, users can find safety from Malwarebytes Premium, which provides real-time protection to detect and stop any cyberthreats that get installed onto a device, even if those threats are masquerading as legitimate apps or software.
The Nothing Phone (2a) will become official on March 5. It will become the company’s third smartphone ever. Nothing has just revealed the SoC that the Nothing Phone (2a) will feature, and it’s not as surprising as you may think.
Nothing deliberately created some confusion yesterday. Carl Pei and the company’s employees said that the chip is not the MediaTek Dimensity 7200. That managed to surprise pretty much everyone, as every single rumor thus far said it was. The phone even surfaced in benchmarks with that chip.
The Nothing Phone (2a) SoC has just been revealed… officially
Well, Nothing was trolling us, kind of. The Nothing Phone (2a) is fueled by the MediaTek Dimensity 7200 Pro. So it’s not exactly a different processor, it’s just a more powerful variant of the rumored one.
You have probably never heard of that chip, as it was co-engineered by Nothing and MediaTek for the Nothing Phone (2a). It’s basically just a tweaked variant of the regular chip, as already mentioned.
Nothing revealed this info via a new video shared via social media. In that video, the company’s employees are talking about the process behind processor choice, and sharing more information about the chip itself.
The company was also considering the Snapdragon 7s Gen 2 and the Snapdragon 782G. The MediaTek Dimensity 7200 Pro is the more powerful processor, which is why the company opted for it.
Nothing realized that it may be a hard sell in the UK, as the Snapdragon is much more powerful, but they decided to go that route either way. Nothing believes this is the right chip to fuel the Nothing Phone (2a).
The MediaTek Dimensity 7200 Pro is using TSMC’s second-gen 4nm process
The MediaTek Dimensity 7200 Pro was made using TSMC’s second-generation 4nm process. That’s actually a good thing, and that chip is actually quite powerful, albeit still a mid-range chip. This is not surprising considering the fact the Nothing Phone (2a) will be a budget-oriented phone.
In the video embedded below, Nothing also shows what seem to be the internals of the Nothing Phone (2a); you can also check them out in the image below. 12GB of RAM is also mentioned, with a further 8GB of virtual (boosted) RAM as an option.
The resurgence of the Anatsa banking Trojan has sparked concerns among cybersecurity experts as it targets European financial institutions, posing a significant threat to mobile banking security. Over the past four months, the Anatsa campaign has exhibited a dynamic evolution, with five distinct waves targeting specific regions, including Slovakia, Slovenia, and Czechia, in addition to previous targets like the UK, Germany, and Spain.
Fraud detection company ThreatFabric detected a resurgence of the Anatsa banking Trojan in November 2023
The latest iteration of the Anatsa campaign, detected by ThreatFabric, demonstrates a sophisticated modus operandi. It employed multiple tactics to infiltrate mobile devices and execute malicious activities. Despite enhanced detection and protection mechanisms on Google Play, Anatsa droppers have successfully exploited AccessibilityService, enabling them to automate the installation of payloads.
One notable aspect of the recent Anatsa campaign is the use of manufacturer-specific code targeting Samsung devices. This tailored approach suggests a strategic adaptation by threat actors to maximize the impact of their malware. While the campaign directly impacted Samsung users in this phase, the threat of similar tactics targeting other device manufacturers remains a concern.
Anatsa campaign has effectively bypassed AccessibilityService restrictions imposed by Android 13
Furthermore, the Anatsa campaign has effectively bypassed restrictions imposed by Android 13, enabling droppers to install payloads while evading detection. This technique, coupled with dynamically loaded DEX files, enhances the malware’s stealth capabilities. It poses challenges for security engines and increases the risk of successful infections.
The potential for device takeover by a malicious program poses a severe threat, with each installation increasing the risk of fraudulent activity and unauthorized access to sensitive information.
BleepingComputer has noted five applications that are linked to the Anatsa campaign. These include Phone Cleaner – File Explorer (com.volabs.androidcleaner), PDF Viewer – File Explorer (com.xolab.fileexplorer), PDF Reader – Viewer & Editor (com.jumbodub.fileexplorerpdfviewer), Phone Cleaner: File Explorer (com.appiclouds.phonecleaner), and PDF Reader: File Manager (com.tragisoap.fileandpdfmanager).
Google has responded to the matter
A Google spokesperson has informed BleepingComputer that Google Play has removed all five apps associated with this campaign. The spokesperson added that Google Play Protect already protects Android devices against known versions of this malware. It is on by default on Android devices with Google Play Services.
The latest Zoom release addressed numerous security vulnerabilities in the software, including a critical flaw. Users should update their devices to the latest releases to avoid potential threats.
Critical Zoom Flaw Patched With Other Security Vulnerabilities
According to the latest security bulletin, at least seven different vulnerabilities existed in the video conferencing software Zoom. These vulnerabilities affected different Zoom clients, exposing users to global security threats.
These vulnerabilities even include a critical security fix for a privilege escalation flaw. Identified as CVE-2024-24691 (CVSS 9.6), Zoom described this vulnerability as an improper input validation that could allow an unauthenticated adversary to gain elevated privileges via network access. It affected the Zoom Desktop Client for Windows, Zoom VDI Client for Windows, Zoom Rooms Client for Windows, and Zoom Meeting SDK for Windows.
The other six vulnerabilities include the following.
CVE-2024-24697 (high severity; CVSS 7.2): This vulnerability affected Zoom 32-bit Windows clients, letting an authenticated adversary gain elevated privileges via local access by exploiting an untrusted search path.
CVE-2024-24696 (medium severity; CVSS 6.8): Improper input validation with Zoom in-meeting chat could lead to information disclosure to an authenticated attacker via network access.
CVE-2024-24699 (medium severity; CVSS 6.5): Business logic error in Zoom clients’ in-meeting chat. Exploiting the flaw could result in information disclosure to an authenticated adversary.
CVE-2024-24690 (medium severity; CVSS 5.4): A denial of service vulnerability due to improper input validation.
CVE-2024-24698 (medium severity; CVSS 4.9): An information disclosure flaw caused by improper authentication, exploitable by a privileged user with local access.
Zoom patched these vulnerabilities with different software releases, addressing some with Zoom version 5.16.5 and the rest with version 5.17.0. Given that the recent release, at the time of writing this story, is Zoom version 5.17.7, users should consider updating their systems with this release to receive all security fixes.
More generally, users should always run the latest software releases of any product to avoid exploits.
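As an added example (not from Zoom or the article) of turning the bulletin’s fix levels into a check an administrator can run over inventory data, the Python below parses an installed Zoom client version string and classifies it against the 5.16.5 and 5.17.0 fix releases and the 5.17.7 release that was current when the article was written; the per-CVE fix mapping is not given on the page, so the check reports only whether the client is below, between, or past those levels.

```python
import re

# Fix levels from the article's summary of the Zoom bulletin: some of the seven issues
# were fixed in 5.16.5, the rest in 5.17.0; 5.17.7 was current at the time of writing.
FIRST_FIX_RELEASE = (5, 16, 5)
ALL_FIXED_RELEASE = (5, 17, 0)
CURRENT_RELEASE = (5, 17, 7)


def parse_version(text):
    """Turn '5.17.7' or '5.17.7 (build)' into an int tuple so it compares numerically.

    Comparing version strings directly is a classic mistake: '5.9.0' > '5.17.0'
    lexically, which would report an old client as newer than a patched one.
    """
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised Zoom version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def zoom_patch_status(installed):
    """Classify an installed Zoom client version against the bulletin's fix levels."""
    version = parse_version(installed)
    if version < FIRST_FIX_RELEASE:
        return "unpatched"                 # none of the seven fixes is present
    if version < ALL_FIXED_RELEASE:
        return "partially patched"         # only the 5.16.5 fixes are present
    if version < CURRENT_RELEASE:
        return "patched, behind current"   # all seven fixes, but not the latest release
    return "current"


if __name__ == "__main__":
    # Constructed inventory values for the demo, not real client data.
    for reported in ("5.16.4", "5.16.10 (12345)", "5.17.0", "5.17.7", "5.9.0"):
        print(f"{reported:16} -> {zoom_patch_status(reported)}")
```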
Official Xiaomi 14 Ultra camera samples are now available. The company shared them via its official Weibo account prior to the February 22 launch. Do note that the phone will launch in China on that date, while its global launch will follow on February 25.
Xiaomi revealed many camera specs of the phone yesterday, and now we get to see what the phone can do. The phone will include a 50-megapixel main camera (Sony’s LYT-900 camera sensor) with a variable aperture (f/1.63 – f/4.0). Xiaomi says that the light intake has increased by 136% compared to the Xiaomi 13 Ultra.
Two periscope telephoto cameras are also included here, both utilizing Sony’s IMX858 sensor. One is a 75mm equivalent lens with an f/1.8 aperture and 3.2x optical zoom. The second one has a 120mm focal length and is paired with an f/2.5 aperture (5x optical zoom). The fourth camera is a 50-megapixel camera too, and it has a 12mm focal length and a 122-degree FoV. That information is new.
Official Xiaomi 14 Ultra camera samples are here, and they look outstanding
With that in mind, the company shared a bunch of camera samples that you can check out below. Do note that these images have been compressed, however. You can check them out via the company’s official Weibo page in their original form.
Xiaomi focused on images from the phone’s telephoto cameras here, but there are some main camera samples too. You’ll find some really nice low-light camera samples in there, and the ones that look especially impressive are the ones taken at sunset.
These camera samples look outstanding. The exposure is great, as is the detail. We’ll have to test out the camera ourselves to see if it’s really all that capable, as we always take official camera samples with a grain of salt.
The company also shared a bunch of portrait shots
If you check out the gallery below, however, you’ll see a bunch of portraits that the company shared. These also look great and do provide plenty of detail, while the shadows also look great.
Needless to say, this smartphone will be camera-focused, but it will have a lot to offer in general. We’re only a couple of days away from its launch event.
Progress has been made – but it remains to be seen if it’s towards a bright future or a bleak dystopia. Neuralink’s first human patient is now able to move a mouse through thinking about it, a Reuters report reads.
Last month, Neuralink implanted a chip in the brain of a human, after receiving approval for human trial recruitment in the Fall of 2023.
Back in 2022, the Neuralink project entered its human trial phase – prior to that, Neuralink carried out testing with primates, killing 15 of the 23 test monkeys.
Now, the first patient to receive the brain chip appears to have fully recovered and, more remarkably, is able to control a computer mouse using their thoughts, the startup’s founder Elon Musk said.
“Progress is good, and the patient seems to have made a full recovery, with neural effects that we are aware of. Patient is able to move a mouse around the screen by just thinking”, Musk said in a Spaces event on social media platform X.
Musk said Neuralink was now trying to get as many mouse button clicks as possible from the patient.
How is it done?
“In many ways, it’s like a Fitbit in your skull, with tiny wires,” Musk said of Neuralink’s device during the 2021 livestream event. The technology uses up to 1,024 wires, each 5 microns in diameter, “stitched” into a patient’s gray matter to make connections with neighboring neurons, delivering high-resolution sampling of the brain’s electrical emissions and translating between analog electrical impulses and digital computer code.
As the report reads, the study uses a robot to surgically put a brain-computer interface implant in a region of the brain that controls the intention to move. The initial goal is to enable people to control a computer cursor or keyboard using their thoughts.
That’s great, can you do that to scroll through TikTok?
Musk has grand ambitions for Neuralink, saying it would facilitate speedy surgical insertions of its chip devices to treat conditions like obesity, autism, depression, and schizophrenia.
Threat actors use stealers to collect sensitive information from unsuspecting users covertly.
These tools are favored for their ability to infiltrate systems, remain undetected, and extract valuable data, which threat actors can exploit for financial gain and several malicious purposes.
Stealers offer a low-risk and high-reward method for threat actors to access valuable assets without a direct fight.
Cybersecurity researchers at Cisco recently discovered and warned of Agniane stealer attacking users to steal financial data.
Agniane Stealer Attacking Users
Agniane Stealer is a crypto-targeting malware that surged in August 2023. Researchers recently uncovered new insights into its URL pattern, file collection methods, and C2 protocol.
The malware was actively marketed on Telegram (@agnianebot) and uses ConfuserEx Protector with a unique C2 method.
In November 2023, researchers’ threat hunting revealed passbook.bat.exe, a renamed PowerShell binary linked to Agniane Stealer.
Infections start with ZIP downloads from legitimate websites, following this URL pattern:
http[s]://<domain name>/book_[A-Z0-9]+-\d+.zip
The extracted archive drops passbook.bat, which holds the obfuscated payload, and spawns passbook.bat.exe. This renamed PowerShell binary executes a series of obfuscated commands.
Execution chain (Source – Cisco)
It then dynamically builds an XOR-encoded payload from the BAT file, decompresses it, and loads it reflectively into memory.
Reversing the payload reveals the threat actors’ objectives.
The payload triggers a C# assembly that results in an executable with hash 5640c02b6d125d4e14e19709296b29b8ea34fe416e18b3d227bd79310d54b8df.
The file was unknown to online sandboxes, and emulating its activity on Cisco Secure Malware Analytics revealed anti-sandbox techniques.
However, the binary’s ConfuserEx obfuscation hampers dynamic analysis.
Content of the passbook.bat file (Source – Cisco)
The sample lacked a ConfuserEx signature but used similar obfuscation. Reversing it showed that another binary embedded in its resources is loaded reflectively.
This C# sample held the final payload, which was obfuscated directly with ConfuserEx.
The Passbook.bat.exe executes PowerShell to deobfuscate passbook.bat, then runs the tmp385C.tmp (header file name). This, in turn, reflectively loads the _CASH_78 C# app, which concludes with the Agniane Stealer.
Malware execution chain (Source – Cisco)
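As an added defender-side example (not from Cisco’s research or the article), the Python below applies two detections drawn from the chain described above: it flags proxy log entries whose URL matches the reported book_[A-Z0-9]+-\d+.zip download pattern, and it flags process-creation events where a binary whose PE metadata identifies it as PowerShell runs under another name, as passbook.bat.exe does. The log lines and events are constructed for the demo, and the Sysmon-style field names (Image, OriginalFileName, ParentImage) are assumed.

```python
import re
from urllib.parse import urlparse

# Download-URL pattern Cisco reported for the Agniane dropper (as given in the article),
# anchored to the site root and with the dot escaped; the domain is left to urlparse.
AGNIANE_ZIP_PATH = re.compile(r"^/book_[A-Z0-9]+-\d+\.zip$")

# Constructed proxy log lines for the demo (not real traffic):
# "<timestamp> <client-ip> <method> <url> <status>"
PROXY_LOG = """\
2024-02-20T10:01:02Z 10.0.0.5 GET https://example-books.test/book_A1B2C3-42.zip 200
2024-02-20T10:01:09Z 10.0.0.5 GET https://example-books.test/images/logo.png 200
2024-02-20T10:02:11Z 10.0.0.7 GET http://downloads.example.test/book_XYZ-7.zip 200
2024-02-20T10:03:00Z 10.0.0.9 GET https://cdn.example.test/book_notes.zip 200
2024-02-20T10:04:30Z 10.0.0.9 GET ftp://files.example.test/book_Q9-1.zip 200
"""


def find_agniane_downloads(log_text):
    """Return the proxy entries whose URL matches the Agniane ZIP download pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or truncated lines
        timestamp, client, _method, url, _status = fields[:5]
        parsed = urlparse(url)
        # The reported pattern covers http and https only; other schemes are not part of it.
        if parsed.scheme in ("http", "https") and AGNIANE_ZIP_PATH.match(parsed.path):
            hits.append({"time": timestamp, "client": client,
                         "host": parsed.hostname, "path": parsed.path})
    return hits


# Constructed Sysmon-style process-creation events (field names assumed, values invented).
# OriginalFileName comes from the PE version resource, so it survives a rename on disk.
PROCESS_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\book\passbook.bat.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Names under which the Windows PowerShell host legitimately runs.
EXPECTED_POWERSHELL_NAMES = {"powershell.exe", "powershell_ise.exe"}


def find_renamed_powershell(events):
    """Flag processes whose PE metadata says PowerShell but whose on-disk name does not."""
    flagged = []
    for event in events:
        basename = event["Image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        original = event.get("OriginalFileName", "").lower()
        if original == "powershell.exe" and basename not in EXPECTED_POWERSHELL_NAMES:
            flagged.append({"image": event["Image"],
                            "parent": event.get("ParentImage"),
                            # A ".bat.exe" name, as in the Agniane chain where the renamed
                            # host sits beside passbook.bat, is a second, weaker signal.
                            "double_extension": basename.endswith(".bat.exe")})
    return flagged


if __name__ == "__main__":
    for hit in find_agniane_downloads(PROXY_LOG):
        print("suspicious download:", hit)
    for proc in find_renamed_powershell(PROCESS_EVENTS):
        print("renamed PowerShell host:", proc)
```

On a real estate the OriginalFileName check should be paired with the file hash and parent process, since a benign copy of PowerShell under a custom name is possible but rare.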
The Agniane Stealer steals credentials and files via a basic C2 protocol. It checks domain availability by requesting a specific URL and adds active C2 domains to a list. Then, it gathers file extensions from a C2 URL pattern.
Afterward, it requests a remote JSON file for error details and proceeds based on the response.
The stealer employed many obfuscation and anti-detection methods to collect and exfiltrate files, credentials, passwords, credit cards, and wallets.
Moreover, its evasion tactics and broad data targeting could lure more threat actors to exploit its capabilities in the future.
IoCs
IoCs (Source – Cisco)
A 31-year-old resident of Vinnytsia has been arrested for allegedly stealing confidential data of Android users and compromising Google accounts belonging to citizens of the United States and Canada.
The suspect is alleged to have earned more than UAH 3.5 million from the scheme.
Modus Operandi of Hacker
In Vinnytsia, Ukraine, the suspect built multiple websites offering free software downloads. The downloads were often pirated copies that potentially contained malware or viruses compromising the security of the user’s device.
The individual initiated a comprehensive online advertising initiative to promote the websites and enhance their credibility. This involved various technical strategies aimed at increasing the trustworthiness of the websites.
When users downloaded and installed the free software, they also unknowingly installed the malware concealed within it.
The malware in question could infiltrate the devices without the user’s knowledge, providing the hacker unrestricted access to the system.
The perpetrator successfully monetized the unauthorized access by selling the exfiltrated data to nefarious actors on the internet. The proceeds generated from the sale were utilized to purchase a Mercedes-Benz GLE car, reads the report.
The Investigation:
Assisted by the KORD special force, the law enforcement personnel successfully located and apprehended the perpetrator.
Authorities conducted three searches and confiscated a vehicle worth approximately 2.5 million hryvnias. Investigators also obtained other crucial pieces of evidence during the operation.
The accused faces up to 8 years in prison and confiscation of property on charges of money laundering, hacking, and developing and distributing malicious software.
The investigation is underway to ascertain the identities of any possible accomplices involved in the case.