650,000+ Malicious Domains Registered Resembling ChatGPT

0
[ad_1]

Hackers abuse the ChatGPT name for malicious domains to exploit the credibility associated with the ChatGPT model, deceiving users into trusting fraudulent websites. 

Leveraging the model’s reputation enables them to trick individuals into:-

  • Revealing sensitive information
  • Downloading malicious content

H2 2023’s ransomware from ESET highlight isn’t typical, as it’s the “MOVEit hack” by the Russian ransomware group Cl0p, and here below, we have mentioned all the other names of Cl0p:-

  • Lace Tempest
  • FIN11
  • TA505
  • Evil Corp

This ransomware group is well-known for using ransomware in large-scale hacks; this time, their massive campaign used a zero-day vulnerability (CVE-2023-34362) in MOVEit on May 27. 

The flaw, held since 2021, enabled unauthorized access, showcasing Cl0p’s evolution beyond traditional ransomware exploits. Recently, the cybersecurity researchers at ESET discovered more than 650,000 malicious domains registered resembling ChatGPT.

Massive Ransomware Attacks

The Russian ransomware group, Cl0p, hit global firms and US agencies in this attack. A notable change is that now they leak data on the open web if the ransom isn’t paid, it’s a tactic shared with the ALPHV ransomware gang.

The FBI notes ransomware evolving with multi-variant attacks like:-

  • Deployment of multiple ransomware variants
  • Use of wipers following data theft and encryption

In IoT, cybersecurity researchers find and disable the Mozi botnet with a discovered kill switch.

The Mozi botnet, which has been among the largest in three years, fell suddenly, prompting questions on kill switch use by developers or Chinese authorities. 

Besides this, the new threat, Android/Pandora, hits the following types of Android devices for DDoS attacks in the same landscape:-

  • Smart TVs
  • TV boxes
  • Mobile devices

Cybersecurity researchers pinpoint the campaigns hitting ChatGPT users and numerous tries to access shady domains like-

Apart from this, the threats include insecure handling of OpenAI API keys, stressing the need for key privacy protection.

Cybersecurity analysts discovered a significant surge in the use of Android spyware like “SpinOk.” H2 2023 sees a surge in three-year-old JS/Agent and persistent Magecart attacks on unpatched websites. 

Moreover, the prevention is possible with better security measures by developers and admins.

Cryptostealers surge with Lumma Stealer, a malware-as-a-service infostealer targeting crypto wallets. But, Bitcoin’s value rises without matching the increased cryptocurrency threats. 

All these evolutions in the cybersecurity landscape highlight the diverse threat tactics.


[ad_2]
Source link

Microsoft Disabled App Installer Following Malware Abuse

0
[ad_1]

After detecting App Installer abuse for malware distribution for several months, Microsoft disabled the protocol handler by default. The tech giant took this initiative in a bid to protect the customers from further threats.

Microsoft App Installer Disabled By Default

According to a recent blog post, Microsoft has disabled the App Installer (ms-appinstaller) protocol handler by default for its users.

The App Installer – precisely, ms-appinstaller URI (Uniform Resource Identifier) scheme (protocol) – facilitated users in direct installation of apps from the internet. It streamlined app installations, completing the process faster while using minimal disk resources.

Microsoft launched this feature with some newer versions of Windows 10. However, the tech giant had to disable it by default as it detected numerous exploitations of the protocol from different malware groups.

As elaborated, the firm observed the threat actors abusing the current implementation of the ms-appinstaller protocol handler for malware and ransomware distribution. They even detected the hacker groups distributing malware kits tailored to abuse the feature for stealth malware installations. Microsoft named some financially motivated threat actor groups, including the Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, actively abusing the feature.

Microsoft found the feature abuse and the subsequent malware campaigns to be around since mid-November 2023. The threat actors used various techniques to distribute malware, predominantly relying on social engineering and phishing.

The tech giant observed numerous malicious websites to be distributing the malware by impersonating legit software, such as Zoom, TeamViewer, Tableau and AnyDesk. Whereas, in case of Storm-1674, the threat actors distributed the malicious web page links via Teams to trick users.

After detecting these malware campaigns going around with an exponential rise, the tech giant decided to disable the feature to prevent malware abuse. Hence, Microsoft disabled the ms-appinstaller URI scheme handler by default in App Installer build 1.21.3421.0.

While this move will likely prevent the threat, Microsoft still advised the users to stay vigilant while interacting with web links.

Let us know your thoughts in the comments.


[ad_2]
Source link

Researchers Crack Tesla Autopilot with ‘Elon Mode,’ Access Critical Data

0
[ad_1]

Is it impossible to crack Tesla autopilot? Not for these German researchers who’ve just unveiled ‘Elon Mode’ to exploit the popular autopilot feature.

Three cybersecurity researchers from Technische Universität Berlin (Technical University of Berlin/TU Berlin) have successfully hacked Tesla’s autopilot system. Their exploit, achieved with relatively inexpensive equipment, grants access to internal hardware and even unlocks a hidden “Elon mode” with enhanced capabilities.

TU Berlin’s doctoral students Christian Werling, Niclas Kühnapfel, and Hans-Niklas Jacob used tools costing around €600 (£520 – $660) to root the ARM64-based circuit board of Tesla’s autopilot. This allowed them to extract arbitrary code and user data, including cryptographic keys and important system parts. They also accessed a deleted GPS coordinates video as it wasn’t overwritten. 

However, the biggest catch was the exposing of the hidden “Elon mode,” which was discovered in June 2023 by a Twitter user (Now X) @greentheonly. This feature is a part of Tesla’s self-driving technology but has never been acknowledged by the company. 

For your information, Tesla’s “Elon mode” is a hands-free, full self-driving feature through which vehicles can self-drive without driver input or monitoring. However, as per TU Berlin researchers, this hack could enable premium features for free. They could enable additional performance capabilities and disable safety features through this mode.

It is worth noting that @greentheonly, the cybersecurity researcher, is the same individual who, in May 2020, uncovered sensitive customer data in Tesla car parts being sold on the multinational e-commerce platform eBay.

This isn’t the first time security loopholes have been discovered in Tesla vehicles. Hackread.com has previously reported a Tesla infotainment AMD processor hack that enabled free seat heaters.

For your information, in August 2023, researchers from TU Berlin and Oleg Drokin reported a flaw in Tesla’s Bluetooth system that led to unlocking in-car purchasable features. They gained root access to the MCU-Z infotainment system, allowing them complete control over the vehicle’s operating system and activation and deactivation of its systems.

Researchers Crack Tesla Autopilot with 'Elon Mode,' Access Critical Data

As per a report from the German news outlet Der Spiegel, this research was conducted in a controlled environment. Der Spiegel’s report reads that manipulating the autopilot of other people’s parked Tesla vehicles is unlikely because such attacks are not feasible outside the laboratory.

Still, this research has confirmed the existence of the yet-rumored “Elon Mode” and may affect consumers’ trust in Tesla’s safety architecture. It exposes autopilot system gaps, raising concerns about potential misuse and ethical implications, emphasizing the need for robust cybersecurity measures.

Watch the presentation

Nevertheless, after informing Tesla, the researchers presented these findings at the Chaos Computer Club congress in Hamburg. Tesla has not released its statement so far. We will update our readers when the company responds.

  1. Bug bounty: Hack Tesla Model 3 to win your Model 3
  2. Tesla cars can be remotely hacked using drone, WIFI dongle
  3. Whistleblower Leak Reveals Tesla Data Breach, Affects 75,000
  4. Researchers found another way to hack Tesla Model X Key Fob
  5. Researchers show how to unlock Tesla wireless key fobs in 2 secs

[ad_2]
Source link

Multiple Malware Exploit Google Cookie Flaw For Session Hijacking

0
[ad_1]

Researchers have found numerous malware groups actively exploiting a Google Cookie vulnerability for session hijacking. The exploit not only allows access to the target account but also resists disruption by regenerating valid cookies for persistent access.

Google Cookie Exploit Active In The Wild

A recent report from CloudSEK highlights a new Google cookie exploit actively under attack. The exploit allows persistent access to the target Google account while bypassing the existing security measures.

The exploit first surfaced online via a Telegram channel, where the poster “PRISMA” shared details about the vulnerability in an undocumented Google OAuth endpoint “MultiLogin.” The threat actor posted about a zero-day allowing session hijacking and persistent access to the target account. As explained, the exploit allowed cookie regeneration in the event of session disruption, hence garnering significant attention from various threat actors.

While the exact origin of the exploit remained veiled initially, later, another threat actor behind the infamous Lumma infostealer reverse-engineered the script and found the vulnerable MultiLogin endpoint. The attackers then integrated the exploit in the malware with an advanced blackboxing approach.

Following Lumma, various other malware groups also started integrating the said feature in their malware, such as Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.

This ripple effect eventually caught CloudSEK’s attention, which then discovered the vulnerability by reverse-engineering the malware variant. Describing the vulnerable endpoint, the researchers stated in their report,

“The MultiLogin endpoint, as revealed through Chromium’s source code, is an internal mechanism designed for synchronizing Google accounts across services. It facilitates a consistent user experience by ensuring that browser account states align with Google’s authentication cookies.”

CloudSEK has shared a detailed technical analysis of this exploit in their report. These findings highlight the importance of continuous and vigilant monitoring for security vulnerabilities to prevent stealth attack strategies. Besides, the researchers also emphasize the importance of human intelligence sources to keep abreast of the latest threats.

Let us know your thoughts in the comments.


[ad_2]
Source link

New Terrapin Attack Demonstrates SSH Vulnerabilities

0
[ad_1]

Researchers have devised a new attack strategy, called “Terrapin,” that exploits vulnerabilities in the SSH protocol. While vendors are moving on with mitigating the flaws, it may take some time for the patches to be available worldwide.

Terrapin Attack Breaks SSH Protocol Security

A team of researchers from the Ruhr University Bochum has devised the Terrapin attack as a demonstration of existing vulnerabilities in the SSH protocol.

SSH (Secure Shell) is a trusted encryption protocol for maintaining and protecting network services, providing users with a secure access to the servers. The protocol encrypts the client-server connection over the internet, preventing intrusions.

Given its sense of security, SSH is common across networks globally. It also means that any vulnerabilities in this encryption protocol, if exploited, can impart severe damage. That’s what the researchers have explained in their recent study.

Briefly, the researchers have come up with the Terrapin attack as a means to break the SSH secure channel. The attack works by carefully adjusting the sequence numbers during the SSH handshake, allowing the attacker to access and/or remove messages from the beginning of the client-server connection, leaving no traces behind.

Regarding the real-world application of the Terrapin attack, the researchers stated,

“The attack can be performed in practice, allowing an attacker to downgrade the connection’s security by truncating the extension negotiation message (RFC8308) from the transcript. The truncation can lead to using less secure client authentication algorithms and deactivating specific countermeasures against keystroke timing attacks in OpenSSH 9.5.

An adversary may also use Terrapin to exploit implementation flaws, such as those the researchers discovered in the AsyncSSH. The attacker may sign the victim’s client into another account without traces, gaining MiTM access at the session layer.

The researchers have shared the technical details about the Terrapin attack in their research paper alongside setting up a dedicated web page elaborating on the matter. Besides, the vulnerabilities exploited in this attack have received the following CVE IDs.

  • CVE-2023-48795: General Protocol Flaw
  • CVE-2023-46445: Rogue Extension Negotiation Attack in AsyncSSH
  • CVE-2023-46446: Rogue Session Attack in AsyncSSH

What Next?

Exploiting Terrapin necessarily requires an active MiTM access at the TCP/IP layer for the adversary. Besides, it requires “either ChaCha20-Poly1305, or any CBC cipher in combination with Encrypt-then-MAC as the connection’s encryption mode.”

Although this combination is common across the SSH ecosystem, making at least 70% of the servers vulnerable, admins can mitigate the flaw by temporarily disabling the affected [email protected] encryption and [email protected] MAC algorithms in the SSH server configuration of your SSH server (or client). The researchers advise using unaffected algorithms like AES-GCM.

Nonetheless, admins should consider it a temporary workaround until they receive a permanent patch. The researchers confirm that numerous vendors have upgraded their SSH implementations to support strict key exchange, preventing an adversary from injecting packets during the initial unencrypted handshake. Yet, patching all vulnerable SSH clients and servers globally may take time.

Until then, to help users stay updated about the vulnerability status of their servers, the researchers have released a dedicated Terrapin Scanner tool on GitHub.

Let us know your thoughts in the comments.


[ad_2]
Source link

Microsoft Deprecates Application Guard For Edge For Business

0
[ad_1]

After serving users for several years, Microsoft Application Guard bids farewell as the tech giant deprecates the feature. The feature will no longer be available for some Edge for Business users. Nonetheless, they can look for other Edge security options to ensure browser protection.

Microsoft Deprecates Application Guard Feature

As announced recently, Microsoft deprecates the “Application Guard” security feature for Edge for Business users. This deprecation also applies to the Windows Isolated App Launched APIs.

Microsoft’s Application Guard emerged as a dedicated security solution for power users, protecting business apps like Microsoft Office and Edge browser. The feature helps users prevent threats from malicious sites by opening untrusted sites in a sandboxed environment.

This feature first became available for public in 2019 for Edge browsers. Later, Microsoft rolled out its browser extensions for other browsers like Mozilla Firefox and Google Chrome.

And now, after serving users for about five years, the feature reaches its end of life as Microsoft confirms no further updates to it.

Nonetheless, it doesn’t mean that the users are left vulnerable. Microsoft urged users to go through the Microsoft Edge for Business whitepaper to find other security options to apply.

While the tech giant hasn’t announced specific reasons for this step, it isn’t surprising since Microsoft previously deprecated the Application Guard for Microsoft Office. At that time also, the firm announced deprecating the Windows Security Isolation APIs. Besides, the tech giant advised users to switch to Microsoft Defender for Endpoint attack surface reduction rules, Protected View, and Windows Defender Application Control.

Besides this Application Guard security feature, Microsoft also announced deprecating other features, including Windows Mixed Reality (including the Mixed Reality Portal app and Windows Mixed Reality for SteamVR and Steam VR Beta), Legacy console mode (will only be available as an on-demand feature), and Windows speech recognition, which Microsoft has replaced with Voice Access. The deprecating features will no longer be updated and won’t be available for future releases.

Let us know your thoughts in the comments.


[ad_2]
Source link

A week in security (December 25 – December 31)

0
[ad_1]

December 29, 2023 – Ransomware gangs don’t always win, and when they don’t, it feels pretty great.

December 27, 2023 – We look at the three most common methods that ransomware groups use to avoid being detected.

December 26, 2023 – Cybercriminals now have AI to write their phishing emails, which might well improve their success rates. Here’s what to watch out for.

December 25, 2023 – A list of topics we covered in the week of December 18 to December 24 of 2023

December 21, 2023 – Xfinity has notified customers that due to exploitation of the Citrix Bleed vulnerability, attackers were able to access personal data of almost 36 million customers.


[ad_2]
Source link

Xamalicious Android Malware Targeted Users Via Play Store Apps

0
[ad_1]

Heads up, Android users! Double-check your devices for possible Xamalicious infection, as the malware has flooded the Google Play Store with malicious apps. While Google removed the malicious apps from the Play Store upon knowing the matter, the malware may continue to run on infected devices unless removed manually.

Xamalicious Malware Infected Android Devices Via Play Store

McAfee Mobile Research Team researchers have reported detecting multiple malicious apps on the Google Play Store that are involved in spreading new malware. Identified as “Xamalicious,” the new malware flooded the Play Store with at least 25 different applications to target Android devices.

In brief, the researchers found this malware implemented as a backdoor with the Xamarin framework that supports Android and iOS app development with .NET and C#. Upon reaching the target device, the malware exploits the accessibility privileges to communicate with its C&C server and download the second-stage payload.

This second payload that injects as an assembly DLL at runtime level takes control of the device. It then acts as a trojan and spyware, performing various malicious actions without requiring user interaction.

Besides, the researchers also found an app, “CashMagnet,” associated with this malware, performing ad frauds on target devices.

The apps spreading Xamalicious have existed on the Google Play Store since mid-2020, garnering a huge user base. The researchers estimated around 327,000 devices to have suffered Xamalicious infections. The malware managed to stay undetected all along by exploiting the Xamarin framework alongside leveraging obfuscation techniques.

Google Removed The Malware From The Play Store

Upon discovering the malware campaign, the researchers promptly reported the matter to Google, which then removed all suspected apps from the Play Store.

Nonetheless, while the threat may no longer spread from the Play Store, the malware may continue its activities on infected devices. Hence, users must keep an eye on Google Play Protect warnings highlighting the malicious app if found running on the device. Moreover, users should remain careful when downloading apps, even from the Play Store, opting only for apps from trusted developers.

Let us know your thoughts in the comments.


[ad_2]
Source link

Latest Spotify beta for Android causes untimely crashes during the holiday season

0
[ad_1]

Murphy’s first law: “Anything that can go wrong will go wrong”. And, in the most inconvenient moment, of course.

If you’re an Android user and you’re part of Spotify’s beta testing community, you might’ve experienced some showstopping bugs following the latest beta update (via 9to5Google).

If your Spotify app is constantly crashing on Android lately, you’re not alone. The latest beta update for Spotify on Android is causing the app to crash before it even fully opens.

The problem beta update was released in the past couple of days, amidst the holiday season when many people are carefully picking up tracks and building Spotify playlists.

The exact version of the beta is 8.9.2.169 and, in theory, you could get a working Spotify by simply removing the current crashing version and then re-installing a stable version from the Play Store. Don’t forget that in the uninstallation process the content you’ve downloaded for offline use will be removed as well.

The app’s latest beta problems started on December 30 and there are numerous X/Twitter reports on the issue stating that the app is completely inoperable and unable to open. “Unlike the last time a crashing issue hit the app, too, things aren’t left functional in connecting services like Android Auto. Spotify is just left not working in any capacity”, notes the 9to5Google article.

[ad_2]
Source link

For WhatsApp users on Android, 2024 is the year they’ll be like iPhone owners (thanks to this Google Drive change)

0
[ad_1]

“In the coming months, if you choose to backup your WhatsApp chats on an Android device, your backup will start counting toward your Google Account storage limit”.

Remember this PSA? WhatsApp made it some time ago, as we covered it in mid-November (while the rumors have been floating for almost two years).

Now, it’s happening, as users who are part of WhatsApp’s beta testing program are reporting their chat and media backups are counted as part of their Google Drive storage limit (via Gizmochina). For free users, that’s 15GB in total (all of which is shared for your Google Drive, Google Photos, and Gmail).

That’s similar to what WhatsApp users on iPhone and iOS have been experiencing for years – the only difference is that the free cloud storage tier on the iOS is limited to 5GB, not 15GB like Google’s.

So, the plan is for Meta, WhatsApp’s parent company, to enforce the backup storage change to all Android users in the first half of 2024. Users will receive a 30-day notification beforehand, displayed as a banner in the app’s Chat Backup settings.

For those who do not want anything WhatsApp-related to occupy their Google Drive gigabytes, there are alternative options available:

  1. You can do local backups and use the built-in WhatsApp Chat Transfer tool to seamlessly migrate your data to a new device.
  2. Or you can be space-efficient and back up only text messages, excluding media files.

[ad_2]
Source link