Hackers Attacking Linux SSH Servers to Deploy Scanner Malware

0
[ad_1]

Hackers often target Linux SSH servers due to their widespread use in hosting critical services, and the following loopholes make them vulnerable, providing opportunities to hackers for unauthorized access and potential exploitation:-

  • Weak passwords
  • Unpatched vulnerabilities
  • Misconfigurations

Cybersecurity researchers at AhnLab Security Emergency Response Center (ASEC) recently identified that hackers actively attack the Linux SSH servers to deploy scanner malware.

Technical analysis

Threat actors target poorly managed servers, seeking IP and SSH credentials for DDoS and CoinMiner malware. IP scanning identifies active SSH ports, followed by brute force attacks. More CoinMiners mean increased cryptocurrency mining. 

DDoS attacks grow in power with more controlled bots, and to install more malware, actors need target information besides DDoS and CoinMiners, malware scans, and attacks vulnerable systems. 

Meanwhile, SSH scanner malware DDoS bots and CoinMiners may be installed. Besides this, some actors install scanners, selling breached info on the dark web.

Here below, we have mentioned all the common malware that is installed in attacks against poorly managed Linux SSH servers:-

  • ShellBot
  • Tsunami
  • ChinaZ DDoS Bot
  • XMRig CoinMiner
  • Mirai
  • Gafgyt
  • XorDDoS

Threat actors deploy malware on Linux servers after logging in with stolen SSH credentials.

Classification of malware targeting Linux SSH servers
Classification of malware targeting Linux SSH servers (Source – ASEC)

Threat actor scans for active SSH (port 22) systems using stolen credentials for malware installation. 

The CPU core check command confirms the successful login. The actor downloads a compressed file with a port scanner and SSH attack tool. Notable commands include:-

Threat actor runs “go” script for port scanning, banner grabbing, and SSH dictionary attacks. “gob” and “rand” scripts allow IP class customization. 

The results are saved in “bios.txt” and banners in “banner.log.” The “prg” tool extracts IPs with “SSH-2.0-OpenSSH” from “bios.txt” to use in dictionary attacks, and the successful logins are stored in “ssh_vuln.” 

Besides this, the total CPU cores are checked using “grep -c ^processor /proc/cpuinfo.” After scanning and obtaining credentials, the actor repeats the process and installs the same tools.

Recommendations

To safeguard cybersecurity, researchers recommended the following mitigations:-

  • Always use strong
  • Regularly changed passwords
  • Update patches
  • Employ firewalls
  • Exercise caution with updated security versions like V3

[ad_2]
Source link

How to recognize AI-generated phishing mails

0
[ad_1]

Phishing is the art of sending an email with the aim of getting users to open a malicious file or click on a link to then steal credentials. But most phishers aren’t very good, and the success rate is relatively low: In 2021, the average click rate for a phishing campaign was 17.8%.

However, now cybercriminals have AI to write their emails, which might well improve their phishing success rates. Here’s why.

The old clues for telling if something was a phishing mail were:

  1. It asks you to update/fill in personal information.
  2. The URL on the email and the URL that displays when you hover over the link are different from one another.
  3. The “From” address is an imitation of a legitimate address, especially from a known brand.
  4. The formatting and design are different from what you usually receive from a brand.
  5. The content is badly written and may well include typos.
  6. There is a sense of urgency in the message, encouraging you to quickly perform an action.
  7. The email contains an attachment you weren’t expecting.

While most of these are still valid, there are a few checks you can strike off your list due to the introduction of AI.

When a phisher is using a Large Language Model (LLM) like ChatGPT, a few simple instructions are all it takes to make the email look as if it came from the intended sender. And LLMs do not make grammatical errors or put extra spaces between words (unless you ask them to).

They’re not limited to one language ether. AI can write the same mail in every desired language and make it look as if you are dealing with a native speaker. It’s also easier to create phishing emails tailored to the intended target.

All in all, the amount of work needed to create an effective phishing email has been reduced dramatically, and the number of phishing emails has gone up accordingly. In the last year, there’s been a 1,265% increase in malicious phishing emails, and a 967% rise in credential phishing in particular.

Because of AI, it’s become much harder to recognize phishing emails, which makes things almost impossible for filtering software. According to email security provider Egress 71% of email attacks created through Ai go undetected.

So how do you recognize AI phishing emails?

Here are some ideas:

Number 4 above—The formatting and design are different from what you usually receive from a brand—is helpful. Compare the email with any previous communications you have from the supposed sender. If there are inconsistencies in the tone, style, or vocabulary, this could indicate that the message is a phishing attempt.

Number 5—The content is badly written and may well include typos—AI phishing emails may still use generic greetings, such as “Dear user” or “Dear customer,” instead of addressing the recipient by name. Also, look for generic or mismatched signatures that do not align with the sender’s typical signature.

Number 7—The email contains an attachment you weren’t expecting—If you know the person who sent the email but don’t trust the content, contact the sender through an alternate communication method to verify whether they actually sent it.

For organizations it is important to have a clear reporting procedure and actively follow up on reported suspected phishing emails. If your employees never hear back about a reported phishing email, they are less likely to report the next one. A pat on the shoulder for catching one goes a long way. A lot further than the more common shame-and-blame punishments for clicking a malicious link.

Repetitive phishing training that neither aligns to how users engage with email, nor provides appropriate tools for responding to ambiguous emails are a waste of time, money, and the patience of the employee.

And most of all, make sure that your own communications, internal and external, don’t look like phishing attempts.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


[ad_2]
Source link

Google nixed plan to lower Google Play Store Tax in 2021 fearing a huge drop in revenue

0
[ad_1]
It was an epic lawsuit and it was an Epic lawsuit. Two weeks ago a federal jury found that the Google Play Store violated antitrust laws. Google’s in-app payment processing platform and the process of distributing Android apps were both run as monopolies said the jury in Epic v. Google. Epic sued Google after the game developer was sent packing from the Play Store along with its popular Fortnite game after Epic promoted its own in-app payment processing system which violated Play Store rules.
According to a report published by Bloomberg, Google seriously considered changing the in-app payment processing platform from which it was taking 15% to 30% of in-app revenue. In 2021, Google considered an overhaul to the Play Store billing model which was called Project Everest. This was discovered in documents that were released as part of the Epic v. Google antitrust suit.

Google found itself in a tight spot. On one hand, it was worried that if it didn’t make any change to the Play Store’s in-app payment processing platform, it would be done in by regulatory overreach. On the other hand, making changes to the platform could seriously impact the company’s revenue. During an in-house presentation, Google said, “We can defend the status quo for a few months. Making proposed changes sooner may help support reasonable legislation, position Google as a leader, and prevent more draconian legislation.”

Project Everest would have stopped Google from taking its 15% to 30% cut of in-app revenue and instead, developers would be charged for various services related to listing their apps in the Play Store with additional charges tacked on for user downloads and updates. But making this switch would cost Google in the form of a $1 billion to $2 billion decline in annual revenue from apps and $6 billion to $9 billion in revenue from games. 

Google employees floated the idea of having app developers handle in-app payment processing themselves in exchange for paying Google a lower fee. Google calculated that this option would reduce annual Play Store revenue between $250 million and $1.3 billion.
Also two weeks ago, Google announced the terms of a settlement it made back in September with all 50 states, the District of Columbia, and two US territories for $700 million. After giving the states $70 million of the settlement for penalties, restitution, disgorgement, and fees, the remaining $630 million will be shared among Play Store customers who will get a minimum of $2 each.

[ad_2]
Source link

Vietnamese Group Hacks and Sells Bedroom Camera Footage

0
[ad_1]

A group of Vietnamese individuals involved in cybercrime is hacking into home security cameras of unsuspecting users and selling private and intimate footage on Telegram for a mere $16.

A Vietnam-based Telegram group has been discovered selling private footage obtained from hacked security cameras, showcasing what they describe as ‘dark corners’ and ‘hot scenes.’ Security experts attribute this privacy breach to poor password hygiene as the primary cause.”

In 2021, cybersecurity researchers at BitDefender debated whether Telegram, an encrypted messaging app, had become the new dark web. As the world approaches 2024, the significance of this argument has never been more evident.

According to details shared by security researcher Minh Hung, who first discovered the notorious Telegram group and published by Vnexpress, the group offers three packages for accessing the hacked footage.

The cheapest package costs 150,000 Vietnamese Dong ($6.16), while the highest package costs VND500,000 ($20.53). The top tier, ‘Super VIP,’ includes 4 years’ worth of hacked footage from hundreds of cameras and live access for VND800,000 ($32.84).

This group claims to specialize in hacking into “private cameras of families and shops in Vietnam” and invited Hung to join them on the channel.

Hackread.com also managed to identify Vietnamese-language Telegram channels offering malicious footage stolen from hacked home security cameras. The screenshots below were taken by Hackread.com:

On the other hand, according to Vnexpress’s report, Hung could watch the videos for the first and second packages, but with the third package, he could download an application from a camera firm and watch live feeds using the provided QR codes. Hung suspected it to be a scam but paid VND800,000 to check it out.

Hung further discovered that the timestamps on security camera feeds matched the current time. Using the application, he could access 15 cameras installed in clothing shops and spas, including bedrooms, living rooms, and dressing rooms.

Should You Install Security Cameras in Your Bedroom?

Installing security cameras in your bedroom raises significant privacy concerns and is generally considered a bad idea. The bedroom is an intimate space where individuals expect the highest level of privacy. Placing cameras in this area not only invades personal boundaries but also raises ethical issues.

The footage captured in bedrooms can include highly sensitive and personal moments, compromising one’s privacy and dignity. Beyond the ethical aspect, it also poses a risk of unauthorized access by hackers, as demonstrated by this article.

Additionally, such surveillance within the confines of a home may lead to legal implications, as it potentially violates laws related to privacy. To maintain a sense of security and privacy, it is advisable to install cameras in public areas of the home while avoiding intrusion into personal spaces like bedrooms.

How to Protect Your Security Camera from Hackers?

whether at home or work, protecting your security cameras from hackers is crucial to protect your privacy and security. Here are some vital tips to help you enhance the security of your security camera system:

  1. Update Firmware Regularly:
    Ensure that your security camera’s firmware is up to date. Manufacturers often release updates that address security vulnerabilities, so regularly check for and install firmware updates.
  2. Use Strong Passwords:
    Create strong, unique passwords for your camera’s login credentials. Avoid default passwords and choose a combination of letters, numbers, and special characters. Change passwords regularly and avoid using easily guessable information.
  3. Network Security:
    Secure your home network by setting up a strong Wi-Fi password and using WPA3 encryption if available. Restrict access to your network by using a strong, unique network password.
  4. ALWAYS Change Default Settings:
    Change default usernames and passwords on your security cameras. Default credentials are often well-known and exploited by hackers.
  5. Enable Two-Factor Authentication (2FA):
    Whenever possible, enable two-factor authentication on your security camera accounts. This adds an extra layer of security by requiring a second form of verification, such as a code sent to your mobile device.
  6. Regularly Check for Suspicious Activity:
    Monitor your camera system for any unusual or unauthorized access. Regularly review footage and set up alerts for suspicious activities, such as multiple failed login attempts.
  7. Keep Cameras Offline When Not in Use:
    Consider disconnecting your security cameras from the internet when you don’t need remote access. This can be done by configuring your router to block camera access during certain hours.
  8. Purchase from Reputable Brands:
    Choose security cameras from reputable manufacturers with a track record of providing regular firmware updates and security patches.
  9. Secure Physical Access:
    Ensure that physical access to your cameras is restricted. Place cameras in locations that are not easily accessible, and consider installing them at a height to prevent tampering.
  10. Regularly Review Camera Logs:
    Some advanced camera systems provide logs of access and activities. Regularly review these logs for any suspicious entries.
  1. ThroughTek Flaw Exposed Millions of IoT Cameras to Spying
  2. Whitehat hacker shows how to detect hidden cameras in hotels
  3. 3TB of clips from exposed home security cameras posted online
  4. This creepy site shows live footage from 73K Private Security Cameras
  5. Israeli Rabbi arrested for hacking CCTV cam at women’ bathing suit shop

[ad_2]
Source link

A week in security (December 18 – December 24)

0
[ad_1]

Last week on Malwarebytes Labs:

Stay safe and happy holidays!


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.


[ad_2]
Source link

X/Twitter forgets to pay millions in bonuses, a federal judge steps in

0
[ad_1]

Just in time for the holiday vibe, a federal judge ruled that X/Twitter violated contracts by failing to pay millions of dollars in bonuses that the social media company had promised its employees.

Reuters is reporting on the story of Mark Schobinger, Twitter’s senior director of compensation before leaving Elon Musk’s company in May. Mark sued X/Twitter the very next month, claiming breach of contract. His problem is that before and after billionaire Musk bought Twitter last year, the company promised employees 50% of their 2022 target bonuses – and never made those payments.

Now, US District Judge Vince Chhabria denied Twitter’s motion to dismiss the case, ruling that Schobinger plausibly stated a breach of contract claim under California law and he was covered by a bonus plan.
“Once Schobinger did what Twitter asked, Twitter’s offer to pay him a bonus in return became a binding contract under California law. And by allegedly refusing to pay Schobinger his promised bonus, Twitter violated that contract”, the judge wrote.The counterpart – that’s X/Twitter – and their lawyers argued that the company made only an oral promise that was not a contract and that Texas law should govern the case.

Meanwhile, Meta gets fined in Italy


Meanwhile, Meta is not too far back, bringing its fair share of holiday scandals as well. The Facebook, Instagram parent company was just fined in Italy for breaches of a ban on the advertising of gambling.

Meta has been fined €5.85 million ($6.45 million) in connection with profiles and accounts on Facebook and Instagram, as well as sponsored content that promoted either betting or games with cash prizes, communications watchdog AGCOM said in a statement on Friday.

Similar fines were set aside for YouTube (€2.25 million) and Twitch (€900,000) recently.


[ad_2]
Source link

Gmail on iOS now lets you unsubscribe fast and easy with a single tap on a new button

0
[ad_1]
It’s been more than a month since the last time we talked about one much-needed feature for the Gmail app: an Unsubscribe button that’s convenient and spares you the need to scroll and poke around in menus.

Back in November, it became known that the Gmail team was testing a tweak for Android users to let them unsubscribe from unwanted mail quickly and easily – now, it’s not Android phones that get it.

Instead, the iOS users get it first (via Android Authority) and the solution is quietly rolling out.

There’s a prominent “Unsubscribe” button in Gmail for iOS and users are seeing it right below the email’s subject line and above the email content. The report has some screenshots to get a better idea of the updated user interface, here they are:

Instead of tapping the 3-dot menu icon at the top of the message window and then searching for “Unsubscribe” (or scrolling to the bottom of the email and looking for the sender’s “Unsubscribe” button), this new solution is far more convenient and time-saving. No scrolling, no searching, just a single tap on the button and you’re ready to go. This iOS Gmail app addition is similar to the web version’s unsubscribe button, which is placed below the subject line and next to the sender’s details.

So far, the new unsubscribe button is not yet to be found on Android devices. Quite the irony in the light of the fact that Android is Google’s own platform, but that’s not the first time Google has brought features to iOS before Android – like the option to delete the last 15 minutes of the browsing history in the Google app, and the ability to crop videos in Google Photos.

[ad_2]
Source link

WhatsApp rolls out a new interface and brings that Instagram vibe

0
[ad_1]
The WhatsApp beta for Android (v.2.24.1.6) update brings a new interface when sharing channel updates to Status.

For now, the feature is available to some beta testers, but it’ll be rolled out to more people in the coming weeks (via WABetaInfo).

As seen above, those who have received the v.2.24.1.6 update may explore a new interface that enhances the way users view a channel update from a status update. Specifically, WhatsApp will create a dedicated layout for the channel update, with the aim of providing clarity that the content posted on Status originates from a channel.

Those who want to check it out and see if this feature is already available to their accounts, can simply share a channel update to their status (the quickest method to do this is by forwarding a channel update). It’s also important to note that WhatsApp has recently introduced another entry point within the status subtitle, allowing users to promptly access and view the content from the associated channel.The WhatsApp experts at WABetaInfo say that the refreshed interface offers an intuitive layout, “making it easier for users to interact and access shared channel updates”. They also note that this interface aligns with contemporary design trends – “it’s very similar to the layout offered by Instagram when sharing posts as Instagram Stories”.

[ad_2]
Source link

How ransomware extortion is evolving

0
[ad_1]

The ransomware extortion landscape is evolving with threat actors adopting new methods to blackmail and threaten their victims. Single-extortion, where cyber criminals demand payment to decrypt locked data or systems is quickly becoming less frequent with ransomware groups increasingly adopting double-extortion – where threat actors demand a ransom payment to decrypt victim data/systems and then threaten to publish stolen data unless the ransom is paid. Triple-extortion is also on the rise, such as distributed denial-of-service (DDoS) attacks or further intimidation of the victim/their customers, employees and stakeholders into paying a ransom.

This played out recently when notorious ransomware group BlackCat/APLHV filed a US Securities and Exchange Commission (SEC) complaint against one of its alleged victims for failing to comply with a four-day cyber attack disclosure rule. The unprecedented move took the threat group’s extortion efforts to a new level after it claimed to have recently breached and stolen data from the software company MeridianLink.

Cyber Security Hub spoke with Dr Jason Nurse, Institute of Cyber Security for Society at the University of Kent, and a co-lead of the Royal United Services Institute’s (RUSI) Ransomware Harms and the Victim Experience project, about the changing ransomware extortion landscape and the threats it poses to businesses.

Cyber Security Hub: In what ways are ransomware extortion methods evolving?

Dr Jason Nurse: Ransomware attacks have evolved significantly, displaying increased sophistication and harm-potential. In the past, cyber criminals sought to paralyze an organization’s systems and extort a ransom for access to be restored. In response to businesses enhancing their recovery capabilities and resisting payment, our research has discovered that attackers have adapted their methods to inflict a wider variety of harms.

CSH: What impact are evolving extortion methods having on the ransomware threats faced by organizations?

JN: The evolution of extortion methods means that the ransomware threat is pervasive and a persistent challenge for organizations. We found an extensive range of harms in our recent analysis of impacts from ransomware attacks. As businesses respond to the threat by bolstering their defenses – through measures like improving intrusion prevention systems, employee training and reinforcing backup strategies – cyber criminals promptly adjust their strategies to up the ante.

The significance of this threat has prompted increased government involvement. The Counter Ransomware Initiative (CRI) is an excellent example of such an effort and the recent agreement by CRI member states not to pay ransoms using government funds is certainly a powerful step forward in addressing this complex issue.

CSH: What do evolving extortion trends signify about today’s ransomware threat actors?

JN: The evolving trends in ransomware extortion mechanisms highlight a significant characteristic of today’s threat actors – their unwavering determination. These actors exhibit a remarkable readiness to adapt in any manner necessary to heighten the prospects of securing a ransom payment. Naming and shaming victim organizations on dark web notice boards, contacting individuals who do business with those organizations and disclosing sensitive corporate data all highlight a surprising level of resolve.

What has undoubtedly shocked most of the security community, however, has been the engagement of one cyber criminal group with the SEC. In this instance, the group filed a complaint alleging a business’s failure to disclose a purported data breach instigated by the hackers. This places an organization in a challenging position, considering reporting obligations, notification procedures and the broader implications of negative publicity.

CSH: What’s your advice to any organization being extorted following a ransomware attack?

JN: Payment is not the only option – and should certainly not be the first option. The organization must recognize that ransomware groups will employ various tactics to push for a payment. If an organization is being extorted, the initial step should involve isolating all infected systems from the central network or shutting them down altogether. The organization can then engage with law enforcement, regulatory bodies, cyber insurance providers and, depending on the expertise internally, incident response firms for support in their response.

Some of these services may have access to decryption keys (e.g. No More Ransom), offer threat intelligence about the attacker, provide insights into the repercussions of payment and furnish information about the attacker’s affiliations with other entities. Such resources prove invaluable as the organization deliberates on the most effective response to the extortion attempt.

CSH: How can security stay ahead of ransomware extortion?

JN: This is very much an arms race. Cyber attackers are constantly exploring ways to increase the effectiveness of their ransomware extortion tactics. Conversely, defenders are continually preparing and responding to the best of their ability. A proactive strategy for cyber security to get ahead of the threat of ransomware involves developing a better understanding of all its facets – the attackers, the attack vectors, the harms, the payment mechanism, etc. – and tackling each of them directly.

For instance, there have been cases where law enforcement has tracked down attackers and regained extorted funds and apprehended those responsible for attacks. Our research is driven by the conviction that only through a nuanced understanding of the diverse harms stemming from ransomware extortion can we formulate improved policies and mechanisms to address this pervasive threat.



[ad_2]
Source link

Ransomware is being spread via poisoned Google ads

0
[ad_1]

RomCom ransomware is being spread via poisoned Google adverts for legitimate software companies including Chat-GPT, PDF Reader Pro and Devolutions’ Remote Desktop Manager.

According to researchers at IT security company Trend Micro, malicious actors are using Google advertisements for trusted companies to entice people into clicking on the advert and downloading RomCom ransomware onto their devices. The malicious actors are doing this through the use of fake sites set up to look like legitimate ones with poisoned uploads that execute the malware on victims’ devices once it is downloaded.

By using paid advertisements slots and SEO tactics, malicious actors can ensure that the poisoned uploads remain at the top of Google’s search results, meaning that more people are likely to fall victim to these trojanized adverts.

RomCom ransomware has been linked to a Cuban ransomware affiliate dubbed ‘Tropical Scorpius’ by Trend Micro. The malware is responsible for a number of attacks across the globe, including those against Ukrainian government agencies in October 2022.

Once it is downloaded onto a device, the backdoor malware can cause damage to victims in a number of ways, including executing more malicious files on the infected device, running malicious programs and exfiltrating data from the compromised devices. It can also run spyware in hidden windows, set up proxy servers for malicious activities and even compress and send files on the infected device to servers owned by the malicious actors.

RomCom ransomware also has the ability to take screenshots on the device, meaning that any confidential, personal or compromising information entered into the device can be used by the hackers for their own means. This includes gaining access to financial services like banks, cryptocurrency wallets and other payment services, access chat messages stored on the device and steal all login credentials entered into the device.

Bumblebee ransomware spread via poisoned Google ads

In April of this year, it was found that malicious actors were employing SEO tactics and paying for targeted advertisements to entice victims into clicking on malware.

Cyber security company Secureworks found malicious actors had been using poisoned ad installers as trojans to spread Bumblebee malware. These ad installers were associated with a number of well-known companies including Zoom, Citrix Workspace, Cisco AnyConnect and OpenAI’s ChatGPT. For example, Secureworks researchers found that a malicious actor had not only created a poisoned ad installer for Cisco AnyConnect, but a fake download page for the malware as well. They were able to do this by exploiting a compromised WordPress site.

Once Bumblebee malware is downloaded, malicious actors most often use it to launch ransomware within the infected device. In one case, Secureworks researchers found that the malicious actor moved laterally across the device, downloading and launching a number of applications and software programs including legitimate remote access tools AnyDesk and Dameware as well as penetration testing malware Colbalt Strike. 



[ad_2]
Source link