(knowing that manually auto-translating Russian CyberSec news to English is not a feasible concept and needs to be automated, but as this blog is non-profit, it is for curiosity.)

Authentication vulnerability found in Booking.com allows account hijacking
A vulnerability has been found in Booking.com’s authentication system that allows would-be attackers to take control of users’ accounts and view their data, including payment information. The problems were pointed out by researchers at Salt Security. According to them, the flaw lurked …

(src)

Side-channel attack on quantum-era crypto algorithm proven possible
University researchers tested the resistance of the CRYSTALS-Kyber cryptosystem to side-channel attacks and found that machine learning can be used to recover the private key. According to the experts, the results indicate only a vulnerability of the implementation and not a weakness …

(src)

Hacker arrested for stealing personal data of millions of users
Dutch police arrested three people, including an ethical hacker working for the Dutch Institute for Vulnerability Disclosure (DIVD). The criminals are accused of orchestrating double extortion attacks in which they published the personal data of millions of their victims on the darknet for use …

(src)

Chinese Mustang Panda hackers use a freshly created backdoor for advanced detection evasion
Chinese cyber espionage hacker group Mustang Panda has been spotted deploying a new custom backdoor called “MQsTTang”. Mustang Panda is a group of attackers targeting organizations in various fields around the world. In their attacks, aimed primarily at …

(src)

Dangerous vulnerabilities in TPM 2.0 library could affect billions of IoT and enterprise devices

Two dangerous vulnerabilities were discovered in the Trusted Platform Module (TPM) 2.0 reference library specification that could potentially lead to information disclosure or privilege escalation: CVE-2023-1017, an out-of-bounds write; CVE-2023-1017, an out-of-bounds read; CVE-2023-1017, an out-of-bounds read; CVE-2023-1017, a read vulnerability …

(src)

ooo Cisco has fixed a critical vulnerability in a number of its IP phones
On March 1, Cisco released security updates to address a critical vulnerability affecting its 6800, 7800, 7900 and 8800 series IP phones. The vulnerability, tracked under the identifier CVE-2023-20078, has a CVSS rating of 9.8 out of 10 and is described as a “command injection bug in …

(src)

YouTube video that causes Pixel smartphones to reboot
Users have found that Pixel devices powered by Google’s Tensor processors reboot when they try to watch an excerpt from the movie “Alien” in 4K HDR quality. The strange problem was reported by users of the Google Pixel subreddit. One user with the nickname OGPixel5 wrote that when you try to …

(src)

Critical vulnerabilities in WordPress plugin Houzez are being used to hijack sites
Information security (IS) experts have warned that hackers are actively exploiting two critical vulnerabilities in the Houzez plugin for WordPress, which is mostly used on real estate sites. Houzez is a premium plugin that costs $69 and offers simple listing management …

(src)

The Iron Tiger Group has developed a Linux version of the SysUpdate malware
A cybercriminal group APT27, better known as Iron Tiger, has developed a Linux version of its customized SysUpdate malware. The group, allegedly rooted in China, is now capable of attacking more corporate services. According to a report by Trend Micro, the attackers began testing L …

(src)

New record: hackers had access to the internal networks of media conglomerate News Corp. for two whole years
Last week, News Corp, an American multinational media holding company, revealed some unexpected news in a letter to its employees. In January the specialists of the corporation found out that unknown hackers had compromised the internal systems of the company 2 years ago and all this time the …

(src)

ooo CISA warns of active use of RCE vulnerability in ZK Java Framework
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the CVE-2022-36537 vulnerability to its Known Exploited Vulnerabilities catalogue after hackers began actively exploiting this flaw for remote code execution (RCE) attacks. CVE-2022-36537 (CVSS v3.1: 7.5 …

(src)

SCARLETEEL hackers steal companies’ source code and data from Amazon’s cloud
An advanced campaign called “SCARLETEEL” is targeting publicly available web applications running in containers to infiltrate cloud services and steal sensitive data. SCARLETEEL was discovered by Sysdig (which specializes in cybersecurity analysis) during a response …

(src)

ooo BlackLotus has become the first UEFI bootkit to bypass Secure Boot in Windows 11
Researchers have warned of a serious cyberthreat: UEFI bootkit BlackLotus. This malware is the first of its class to bypass the Windows 11 operating system’s Secure Boot security barrier. The experts from the antivirus company BlackLotus drew attention to the interesting functionality of the …

(src)

A vulnerability was found that allows sending push notifications on behalf of an application
Several Russian applications from Google Play, RuStore and Huawei AppGallery contain a vulnerability that allows a hacker to send all users push notifications with arbitrary content. These include business and job search platforms, messengers, online movie theaters and dating applications. …

(src)

RIG exploit kit is attacking Internet Explorer again, succeeding in one third of cases
RIG operators are making an average of 2,000 exploit attempts per day, according to IS company Prodaft. The success rate late last year reached a record high of 30% for this threat. Researchers accessed the RIG backend web panel and found that the exploit kit is still being used …

(src)

Surveillance researcher hacked his own bank account by imitating his voice with AI
Vice Motherboard journalist Joseph Cox has proven that the voice IDs used by banks in the US and Europe are not a very secure way to log into an account.

The system was fooled by a voice synthesized by the ElevenLabs AI service. Cox says that banks in the U.S. and Europe …

(src)

The PlugX Trojan is masquerading as a legitimate Windows debugger in a new campaign
Security researchers at Trend Micro have discovered that the PlugX remote access Trojan (RAT) is masquerading as the open-source Windows debugger “x64dbg” in a new campaign to circumvent defenses and gain control over the target system. The Windows debugger is commonly used by …

(src)

Hackers stole classified U.S. Marshals Service documents
The U.S. Marshals Service (USMS) is investigating a cyberattack on its systems that led to the theft of sensitive law enforcement information. USMS is a bureau within the U.S. Department of Justice that supports all elements of the federal justice system by enforcing federal orders …

(src)

Critical vulnerabilities in WordPress plugin Houzez allow website hijacking
According to a new Patchstack report, hackers are actively exploiting 2 critical vulnerabilities in the WordPress plugin Houzez, used primarily on real estate sites. Houzez is a premium plugin that offers simple listing management and convenient customer service. The site produces …

(src)

The enterprising hackers from Blind Eagle attacked South American institutions in a rather interesting way
A BlackBerry research team reported on February 27 that a hacker group known as Blind Eagle, or APT-C-36, recently managed to pose as the state tax agency of Colombia and Ecuador to steal information from government, financial, and many other institutions …

(src)

Pirated Final Cut Pro infects macOS users with a malicious miner
Researchers have stumbled upon a malicious cryptomining campaign targeting macOS users. As bait, attackers are using a malicious version of the popular Final Cut Pro video editor, which most anti-viruses don’t detect yet. You can install this hidden malware on your computer …

(src)

ooo ChromeLoader now hides in popular games packages in VHD format
Cybersecurity specialists have detected a new campaign of the ChromeLoader malware. These attacks are distinguished by the use of VHD files named after popular games. ChromeLoader was previously spread via ISO files. The new malicious files drew the attention of intruders from …

(src)

Russian man faces 47 years in US prison for creating NLBrute malware
A Russian citizen accused of developing the hacker tool NLBrute was sentenced in Florida for using the tool “to create a criminal empire.” According to the U.S. Department of Justice, Darius Pankov, also known as “dpxaker,” created the NLBrute malware that hacked into the accounts of …

(src)

The founders of cryptocurrency platform Forsage DeFi are facing major fraud charges
A federal grand jury in the District of Oregon has indicted four Russian citizens, founders of cryptocurrency investment platform Forsage Decentralized Finance (DeFi), for running a global financial pyramid scheme that raised $340 million in investments. Forsage advertised the …

(src)

Hackers use popular macOS software to mine cryptocurrency
Popular professional multimedia software is used by hackers to deploy hidden cryptocurrency mining malware on macOS systems. The malicious campaign was discovered by Jamf Threat Labs. According to the experts, the XMRig cryptominer was launched using …

(src)

Attacks using a patched vulnerability in Zoho ManageEngine are on the rise
Bitdefender IS specialists discovered that several threat actors have been exploiting a patched critical vulnerability in Zoho ManageEngine products since January 20, 2023. The RCE vulnerability CVE-2022-47966 (CVSS score: 9.8) allows an unauthenticated attacker to fully …

(src)

ooo ChatGPT won the Pwn2Own hacker contest
For the first time ever, bughunters used ChatGPT in a Pwn2Own contest to hack software used in industrial applications and won $20,000.

Last week in Miami, Florida, the Claroty Team82 used ChatGPT to conduct a remote code execution attack against Softing edgeAggregator Si …

(src)

More on this subject: For the first time ever, bughunters used ChatGPT in a Pwn2Own contest to hack software used in industrial applications and won $20,000.

Last week in Miami, Florida, the Claroty Team82 used ChatGPT to conduct a remote code execution attack against the Siemens Softing edgeAggregator, the software that provides interface communication between OT (operational technology) and IT in industrial applications.

Security researchers discovered a vulnerability in the OPC Unified Architecture (OPC UA) client in the edgeAggregator industrial software package.

OPC UA is a machine-to-machine communication protocol used in industrial automation.

After discovering the bug, researchers asked ChatGPT to develop an internal module for the OPC UA server to test the RCE exploit.

This module is needed to create a malicious server to attack a vulnerable client.

The experts admitted that they had to make a lot of modifications to the code to make the exploitation technique work and produce a workable server module.

ChatGPT provided a useful tool that saved the researchers time and allowed them to focus more on implementing the exploit, and spared them from having to learn how to write an internal module.

“It’s like searching Google multiple times for a particular code template and then adding multiple iterations of code modification depending on our specific needs, solely by specifying what we want to achieve,” the experts said.

The experts added that this is how cybercriminals will use ChatGPT in real-world attacks on industrial systems, without necessarily knowing all aspects of the specific target.

The experts added that ChatGPT may not know how to write exploits, but it can provide “the last piece of the puzzle needed to succeed.”

The use of ChatGPT in this attack shows how AI can help turn a vulnerability into an exploit – provided you ask it the right questions and ignore the wrong answers.

(src)

Two critical vulnerabilities have been patched by Apple in the latest iOS and macOS updates

In nearly every iOS and macOS update, Apple includes numerous security enhancements to fix major vulnerabilities. iOS 16.3 and macOS Ventura 13.2, released in January, were no exception. The updates included fixes to a long list of issues, but two of them are particularly interesting. The Center for Re …

(src)

An exploit for a critical Fortinet vulnerability has been released
Cybersecurity researchers have released a PoC exploit for the critical CVE-2022-39952 (CVSS: 9.8) vulnerability in Fortinet’s FortiNAC network access control suite. Fortinet reported the security issue on Feb. 16 and warned that an unauthenticated attacker could use …

(src)

MyloBot botnet is spreading rapidly around the world
The sophisticated botnet known as MyloBot has compromised thousands of systems, most of which are located in India, the United States, Indonesia and Iran. According to BitSight, there are now more than 50,000 unique infected systems every day. Whereas, for all of 2020, MyloBot …

(src)

ooo Samsung to protect Galaxy devices from zero-click attacks
Samsung has developed a new security system called Samsung Message Guard.

The new feature should help Galaxy smartphone users defend themselves against so-called zero-click attacks, which use malicious image files.

Typically, zero-click exploits are attacks that use malicious images or other malicious files.

(src)

Experts noted active growth of rogue tokens that pretend to be Microsoft assets
Security experts at PeckShield have discovered a large number of tokens allegedly linked to ChatGPT chatbot.

Experts found at least 3 fraudulent tokens with the ticker BingChatGPT designed to steal funds.

Two of them have already lost almost 100% of their value and the third has lost 65%. The cybercriminals are using …

(src)

An unknown hacker stole Coinbase employee data
Cryptocurrency platform Coinbase reported that an unknown hacker stole an employee’s credentials in an attempt to gain remote access to the company’s systems. The cybercriminal obtained the contact information of several Coinbase employees (names, phone numbers, e-mail …

(src)

Redirects to phishing sites and source code theft: web hosting giant GoDaddy discloses discovered vulnerability

American web hosting service provider GoDaddy reported on February 16 that it had discovered a critical vulnerability that allowed hackers to install malware on the GoDaddy platform and steal the source code associated with some of the company’s services. GoDaddy said that in December of last year …

(src)

DeFi platform Platypus has had $8.5 million stolen
Decentralized finance (DeFi) platform Platypus announced on Feb. 16 that about $8.5 million in cryptocurrency was stolen by a hacker with whom the company is now in talks. According to Platypus, the attacker used a flash loan attack, a type of fraud that is subversive to the …

(src)

FBI investigates malicious activity on its own network
The U.S. Federal Bureau of Investigation (FBI) said it is investigating some malicious cyber activity on its own network.

Law enforcement officials say they discovered a “separate incident” and are now looking into its scope and impact. About the potential hacking of the FBI’s network today, Feb. 17, 2023, so …

(src)

Hackers used new Frebniis malware to compromise Microsoft IIS servers
Hackers are introducing new malware called “Frebniis” into Microsoft Internet Information Services (IIS).

The program covertly executes commands sent via web requests.

Frebniis was discovered by the Symantec Threat Hunter Team, which reported that unknown attackers …

(src)

A range of Microsoft Exchange vulnerabilities were exploited in a new ProxyShellMiner malware campaign

A new malware dubbed “ProxyShellMiner” exploits Microsoft Exchange ProxyShell vulnerabilities to deploy cryptocurrency miners and generate profit for attackers.

ProxyShell is the collective name for three Microsoft Exchange vulnerabilities discovered and patched by …

(src)

ClamAV fixes critical hole allowing remote code execution
New versions 1.0.1, 0.105.3 and 0.103.8 of the free antivirus package Clam AntiVirus (ClamAV) have been released. The developers disclosed a vulnerability that could allow remote code execution. The vulnerability, tracked as CVE-2023-20032, affects p …

(src)

The heads of major IT companies are being investigated for collusion with the U.S. government

The heads of Apple, Amazon, Alphabet (Google’s parent company), Meta* and Microsoft are under investigation by U.S. Republican Party officials to determine if the companies engaged with the U.S. government on the issue of content moderation, especially on politics and COVID-19. Repub …

(src)

ooo Intel fixed 2 dangerous privilege escalation vulnerabilities in Intel SGX
Intel disclosed several recently discovered vulnerabilities affecting Intel Software Guard Extensions (SGX) technology and urged users to update their firmware.

A total of 31 security bulletins have been added to the Intel Security Center as of February 14. Five flaws were also fixed …

(src)

ooo CISA warns of urgent updates to Apple devices
Apple this week released updates to iOS and the Safari browser on iPhone, iPad and Mac, addressing critical security vulnerabilities, including one allowing apps to “monitor unprotected user data” through the “Shortcuts” app. US authorities warn that in the event …

(src)

The APT group RedEyes has a RAT that collects data from Windows PCs and smartphones
While analyzing January APT37 attacks, AhnLab found that North Korean hackers had added M2RAT, a fileless malware, to their arsenal.

Attackers use steganography to hide payloads, and the Trojan itself tries to leave as few traces in the system as possible. Cyber group APT37, …

(src)

Federal grand jury convicted Vladislav Klyushin

A U.S. federal grand jury in Boston on February 14 found Vladislav Klyushin, owner of a Moscow IT company called M-13, guilty of wire fraud and securities fraud, as well as conspiracy. According to prosecutors, Klyushin and his four associates hacked into Donnelley networks …

(src)

In Spain, fraudsters arrested for stealing $5 million from Americans in a year
Spanish cybercops and the U.S. Secret Service eliminated a gang of fraudsters based in Madrid.

The Spanish National Police estimated that in less than a year nine social engineering adepts had stolen more than 5 million euros from 200 North American citizens and businesses, although in fact the total damage could be more than 5 million euros.

(src)

ooo 24-year-old US resident blackmailed for years the girls whose social media accounts he stole

According to a recent court filing in the United States, Amir Hossein Golshan, a 24-year-old SIM-Swapping scammer, seized the accounts of several media personalities on Instagram* and blackmailed them over a period of time.

In order to get the accounts back, the fraudster …

(src)

The RedEyes group hides malware in images and steals files from connected devices
APT37 (aka RedEyes, ScarCruft, Ricochet Chollima, Reaper, Group123 or InkySquid) is a North Korean cyber-espionage hacker group.

It is believed to be supported by the DPRK authorities.

It has recently been revealed that the group is using a new evasive malware called M …

(src)

New Beep malware is nearly impossible to detect

Last week, Minerva analysts discovered a new stealthy malware called “Beep” that has many features to avoid analysis and detection by security software. Although the Beep malware is still under development and has yet to …

(src)

A whole range of Apple software products are prone to zero-day vulnerabilities

Apple on Monday released security updates for iOS, iPadOS, macOS and Safari to address zero-day vulnerabilities that the company said were actively exploited in the wild (ITW). The CVE-2023-23529 vulnerability is related to a Type Confusion bug in the browser engine We …

(src)

Phishing emails are being sent from NameCheap account on behalf of Metamask and DHL

Late last week, Namecheap customers were hit with a flood of fake emails aimed at stealing PII and cryptocurrency keys.

The emails were sent from the SendGrid platform (Twilio property), which the domain name registrar uses to send one-time authentication codes, notifications about in …

(src)

Hundreds of developers could lose cryptocurrency to PyPI malicious packages

Experts from the security company Fortinet found 5 malicious packages in the PyPI repository that steal passwords, Discord authentication cookies and cryptocurrency wallets from unsuspecting developers.

PyPI is a software repository for packages created in the Pyt programming language …

(src)

ooo Enigma, Vector and TgToxic: new threats to cryptocurrency holders

Researchers have noted an increase in malware activity targeting cryptocurrency account holders.

Enigma, Vector and TgToxic are among the most popular crypto threats of recent months.

Enigma is a modified version of Stealerium, an open-source C# malware that d …

(src)

In 93% of surveyed companies suspicious network activity was detected
Experts at Positive Technologies conducted research on detecting network attacks and unwanted activity in traffic.

According to the analysis results, 100% of organizations had violations of information security regulations that could have been used by intruders.

(src)

Android 14 won’t let malware get dangerous rights

Google has released the first developer preview of Android 14.

Apps must now specify how they intend to use certain features of the device, data sharing will be limited and additional files downloaded by applications will only be available to read …

(src)

Street magic: fraudsters stole $4 million in cryptocurrency during a face-to-face meeting with their victim

Ahad Shams, co-founder of startup Webaverse, discovered in late November 2022 that $4 million was stolen from his cryptocurrency account.

The attackers did so right during a face-to-face meeting with the victim.

How? (It is unknown, but a personal meet-up with a smartphone was required.)

In a detailed statement, Shams described how the criminals posed as investors, negotiated for weeks, set up a meeting in Rome, and then stole the money in an unknown manner.

“We are not yet 100 percent sure how this technically happened. The scammers convinced us to transfer funds to a new wallet. We created it ourselves and had complete control over it. So we had to prove to them that we had the money,” Shams wrote.

In the above-mentioned statement Shams described in great detail how the attackers approached him and carried out their plan.

Below we will try to convey the main point in a more concise form.

Ahad Shams was contacted by e-mail by a lawyer.

He represented the interests of a potential investor, Joseph Safra.

The email was from an existing legal organization with a functioning website;

Shams didn’t notice any catch at this stage.

The lawyer then sent him information about his client Joseph.

As it later turned out, the information about him was fake.

After weeks of email and video negotiations, Shams agreed to meet with Safra and his lawyer in Rome.

Safra warned in advance that he would need confirmation that Shams had the funds for the project.

According to Safra, a Trust Wallet cryptocurrency account would be sufficient proof.

Shams created the new Trust Wallet wallet while still at home, using his personal device and being on his home Wi-Fi network.

“We sat down across from these people and transferred $4 million (USD Coin) into my own Trust Wallet.”

“Mr. Safra asked to see the wallet balance and pulled out his phone to take some pictures.”

“However, he was not shown any information needed to make a transfer, such as ‘opening phrases’ or ‘private keys’,” Shams wrote.

Safra was fine with everything, but he needed to step out for a while to discuss everything with his colleagues.

He left in a hurry and then disappeared.

“We never saw him again. A few minutes later, the funds left the wallet.”

“I was in shock … I had no idea how these guys stole money from us,” Shams reported.

The theft was immediately reported to the Rome police, as well as to the FBI.

The official investigation, which is still ongoing, as well as a parallel investigation conducted by a private attorney, has not determined exactly how the cryptocurrency was stolen.

The laundering of the stolen money was extensive.

Investigators traced the movement of funds on the blockchain and discovered a very long chain.

The funds withdrawn from Shams’ wallet were split into six transactions, which were sent to six previously unused addresses.

Almost all of the USDC was converted to Ethereum (ETH), Wrapped Bitcoin (wBTC) and Tether (USDT) and then passed through 14 other wallets.

From there, funds were sent to four more new wallets.

About 83% of the funds are currently at one of these addresses.

This is far from the first case of this kind of fraud.

In 2021, NFT entrepreneur Jacob Riglin, founder of Dream Lab, reported on Twitter that $90,000 in cryptocurrency was stolen from him in a similar scheme.

It happened during a face-to-face meeting in Barcelona.

Riglin was also persuaded to open a new cryptocurrency wallet, transfer the currency there and show potential “investors”.

By the end of the meeting, there was no more money in the account.

Of course, 90 thousand and 4 million are not comparable amounts, but on the face of it, it was obvious that the crooks had been using this scheme for a long time.

Ahad Shams, the hero of the above epic, said that the theft of cryptocurrency did serious damage to his company, but didn’t break him.

Webaverse has enough money for the next 12-16 months and hopes to raise even more.

The investigation continues, and those involved in this story are looking to the future.

(src)

The Gootkit downloader has a new deployment method for delivering Cobalt Strike
According to a new Cybereason report, Gootkit malware is actively attacking medical and financial institutions in the United States, the United Kingdom and Australia.

In the attacks, Gootkit operators lure victims looking for agreements and contracts on DuckDuckGo and Google to an infected page, eventually leading …

(src)

Reddit’s internal documents and source code stolen

On the evening of February 5, a hacker gained access to Reddit’s internal business systems and stole internal documents and source code. The company claims that the cybercriminal used a phishing lure for Reddit employees with a landing page that mimicked Reddit’s internal network site. On this site, the malicious …

(src)

Malicious game mods for Dota 2 have infected hundreds of players with malware

Security researchers found four malicious game mods for Dota 2 that were used by attackers to compromise players’ systems.

According to Avast Threat Labs researchers, an unknown user created four game mods for the popular multiplayer online game Do …

(src)

QBot operators are now using OneNote to spread a Trojan via email

Sophos IS specialists have discovered a new QBot campaign, dubbed “QakNote,” that uses malicious Microsoft OneNote attachments to infect systems with a banking Trojan. A new report from Sophos says the campaign began on January 31, 2023 and uses OneNote files, with …

(src)

Exploit for dangerous bug in GoAnywhere MFT published

An exploit for a zero-day vulnerability in the GoAnywhere MFT administration console, heavily exploited by hackers, has been published online. Fortra, the company behind GoAnywhere MFT development, has been forced to release an emergency patch to fix the bug. GoAnywhere MFT is a tool for transferring f …

(src)

GuLoader has become a major threat to e-commerce in the most tech-savvy countries
IS experts at Trellix said the e-commerce industries in South Korea and the United States are threatened by an ongoing campaign of GuLoader malware.

GuLoader (CloudEyE) is a VBS (Visual Basic Script) downloader that is used to spread RAT Trojans such as Remco …

(src)

New banking Trojan TgToxic is attacking Android users in Southeast Asia

Cybersecurity researchers at IS company Trend Micro reported on the ongoing malicious campaign of the banking Trojan TgToxic, which has been active since July 2022. The campaign includes attacks on cryptocurrency wallets, illegal money transfers and credential theft …

(src)

Police in Hong Kong uncover global phishing syndicate in collaboration with Interpol
Hong Kong police, in cooperation with Interpol, uncovered an international phishing syndicate that used 563 fake mobile apps to spy on and steal information from smartphones around the world. According to Raymond Lam Chuk-ho of the Bureau of Cyber Security and Technology …

(src)

An OpenSSH vulnerability threatening remote code execution has been fixed
OpenSSH 9.2, released last week, contained a patch for a double-free vulnerability that was introduced with a code change last July.

Exploitation is unlikely, but users are urged to update because the dangerous bug can be triggered on a default-configuration server (sshd). Agreed …

(src)

Police cracked down on secure messenger Exclu and tracked criminals

Police in the Netherlands reported the shutdown of the encrypted communications platform Exclu.

Interestingly, before Exclu was shut down, law enforcers hacked the service and used it to follow criminals for a long time.

Exclu was selling six-month subscriptions to its app for 800 euros.

(src)

Chinese Sunlogin Remote Control is being actively exploited by hackers to conduct BYOVD attacks

A new hacker campaign is exploiting vulnerabilities in Sunlogin Remote Control to deploy Sliver post-exploitation tools and conduct BYOVD attacks to disable anti-virus products.

Sliver is a post-exploitation toolkit created by Bishop Fox that attackers …

(src)

Julius “Zeekill” Kivimäki, former Lizard Squad hacker, arrested in France

Julius Kivimäki, also known as “Zeekill,” is a Finnish member of the Lizard Squad.

In 2015, when Kivimäki was just 17 years old, he was convicted of more than 50,000 counts of computer crimes. He was arrested again the other day while he was in France. Finnish …

(src)

ooo PixPirate, a new banking trojan for Android that uses a dangerous feature

A new banking Trojan for Android has targeted Brazilian financial institutions to commit fraud using the Pix payment platform.

Italian cybersecurity company Cleafy, which discovered the malware late last year, is tracking it under the name PixPirate. …

(src)

Cryptocurrency Dingo Token charges 99% transaction fee
Security researchers at Check Point Security have described Dingo Token as a potential scam after discovering a feature that allows the owner of the project to charge a fee of up to 99% of a transaction’s value.

Dingo Token is currently ranked 284th on CoinMarketCap with a p …

(src)

Jira patched a critical authentication vulnerability

Atlassian released patches fixing a critical vulnerability in the Jira Service Management Server and Data Center software products. Attackers can exploit this flaw to gain unauthorized access to affected installations. The vulnerability is tracked as CVE-2023-22501 and has a 9.4 …

(src)

Cryptocurrency scam called “pig butchering” has infiltrated the Apple App Store and Google Play Store

Fraudsters specializing in fake investments in supposedly promising cryptocurrency projects, stocks, bonds, futures and options have been discovered in the Apple and Google app stores.

Such attacks are called “pig butchering,” and scammers use social engineering against their victims (“pigs”).

Compromise of Google Fi has led to SIM card swapping attacks
Google Fi developers have warned customers that their personal data has been exposed by a leak from one of the major carriers on whose networks the company relies.

Some users have already reported that they have been victims of SIM card spoofing attacks. In an email, Google Fi reported …

(src)

Google promotes virtualized malware designed to bypass anti-viruses

Cybersecurity researchers at SentinelLabs report that an ongoing campaign is using Google ads to distribute malware installers that use KoiVM virtualization technology to avoid detection when installing the FormBook infostealer.

KoiVM is a plugin for …

(src)

DeFi protocol BonqDAO lost $120 million after cyberattack
Information security company PeckShield said hackers broke into the BonqDAO crypto protocol and stole $120 million in assets.

The attacker manipulated the project’s blockchain price oracle and was able to inflate the AllianceBlock token (ALBT) rate, issue a large number of Bonq Euro (BEUR) tokens and then exchange …

(src)

Researchers have discovered new vulnerabilities in the popular image processing utility ImageMagick

Researchers from the company Metabase Q have revealed details of two vulnerabilities in ImageMagick, a command-line image editor often used for batch processing of raster files.

The vulnerabilities found could potentially cause ImageMagick to “crash …

(src)

New vulnerabilities found in American Megatrends software
AMI MegaRAC Baseboard Management Controller (BMC) software is used by system administrators for remote access to server hardware.

A couple of months ago, security experts found 3 serious vulnerabilities in it.

Now 2 more vulnerabilities have been found. The company …

(src)

Critical vulnerability in Qnap NAS allowed arbitrary code injection
Taiwanese company QNAP has released a patch fixing a critical vulnerability in its NAS devices that could allow the injection of arbitrary code.

The bug was rated as critical (9.8 out of 10 possible on the CVSS vulnerability assessment scale) and affects QTS 5.0.1 and QuTS …

(src)

Teen from France extradited to US to spend 116 years behind bars

Law enforcement authorities have extradited 22-year-old French citizen Sebastien Raoul, suspected of being “an important member” of the hacking group ShinyHunters (also known as Seyzo Kaizen), to the United States.

Raoul was arrested on June 1, 2022, at Rabat International Airport in …

(src)

PlugX worm now spreads stealthily through USB drives

Palo Alto Networks Unit 42 cybersecurity researchers have discovered a new PlugX sample that stealthily infects connected removable USB drives to spread the malware to additional systems.

The PlugX worm infects USB devices by hiding its activity from the file system …

(src)

Fraudster pleads guilty to defrauding hundreds of single women of $1 million

A U.S. resident pleaded guilty to orchestrating an online fraud scheme in which he defrauded victims of $1 million by processing money through various bank accounts he controlled.

Mark Arome Okuo, 43, pleaded guilty in U.S. federal district court. He is now r …

(src)

A Russian scientist has discovered the vulnerability of a quantum cryptography protocol to a simulation attack

Dmitry Kronberg, a Russian mathematician, has identified errors in a quantum cryptography protocol that uses phase-time coding.

These errors allow “quantum hackers” to stealthily intercept data by simulating signal attenuation in the communication channel.

An article describing this hacking technique was …

(src)

White-hat hackers will soon release the VMware vRealize Log RCE exploit to the public

Security researchers from the Horizon3 team will be posting an exploit next week that targets a chain of vulnerabilities to gain remote code execution on devices with VMware vRealize Log Insight.

Now known as VMware Aria Operations for Logs, the software …

(src)

Exploit for CryptoAPI vulnerability published

Akamai researchers have published a description and exploit for the CVE-2022-34689 vulnerability affecting Windows CryptoAPI (Crypt32.dll), the main Windows component responsible for cryptographic operations. The bug could be used to forge X.509 certificates, and hackers will get in …

(src)

Dutch hacker sold personal data of almost all Austrian citizens
In May 2020, a 25-year-old hacker from the Netherlands (DataBox) put up for sale on the underground forum “RaidForums” a dataset containing the name, gender, address and date of birth of Austrian citizens. Police confirmed its authenticity. The data was stolen from a misconfigured cloud database, co …

(src)

Malware used a critical Realtek SDK bug in millions of attacks
Between August and October of last year, experts at Palo Alto Networks saw significant activity exploiting the CVE-2021-35394 vulnerability, exploited by several hacker groups at once. It accounted for more than 40% of the total number of incidents. The threat has a score of s …

(src)

New hidden trojan attacks Windows

Securonix researchers have discovered a Python-based remote access trojan (RAT) that gives its operators full control over compromised systems.

The experts called the Trojan PY#RATION.

It uses the WebSocket protocol to communicate with the command and control (C2) server and to extract data from the victim host. …

(src)

An exploit has been created to forge a certificate and hijack a legitimate site

Akamai researchers have developed an experimental exploit (PoC) for a publicly disclosed X.509 certificate forgery vulnerability in the Windows CryptoAPI that was revealed last year.

Microsoft quietly fixed the CVE-2022-34689 bug in August 2022, but did not publicly disclose it until October. Ex …

(src)

Some current vulnerabilities date back to last millennium

Orange Cyberdefense conducted an extensive vulnerability analysis in its “Security Navigator 2023” report and uncovered a wealth of useful information.

According to their data, 22 new threats are identified in different industries all over the world every day.

And the oldest, still unpatched actual …

(src)

Vulnerabilities in Signal messenger allow reading deleted messages

Cybersecurity researcher John Jackson discovered that flaws in the application allow an attacker to view deleted message attachments.

It can also remotely inject a malicious document into a chat room.

The experiment revealed that Signal messenger saves all sent attachments in the “C:\Users\foo\AppData\Roaming\Signal\attachments.noindex\*\” directory. If a user deletes an attachment from a chat, it is automatically removed from the directory. But if someone has replied to the message containing the attachment, the deleted image remains in the directory in the clear.

Once sent in a chat, the image is saved in the directory as a normal file, but it can be viewed by changing the extension to “.png”.

In other words, an attacker who can access these files would not even need to decrypt them. In addition, the folder is not cleared regularly, so the unencrypted files simply remain there.

Moreover, a cybercriminal can tamper with a file stored in the cache. However, the file will not be automatically replaced on the chat partners’ side, since each Signal Desktop client has its own local cache.

If the victim forwards the existing thread to other chat rooms after swapping the file, it will contain the modified attachment and not the original one.

By going to the “attachments.noindex” folder on the victim machine, a copy of the file must be made in which the malicious shellcode can be injected.

When the file name is copied, the PDF is overwritten with the malicious PDF, which looks like the victim’s original file.

When sending the document, the victim will see the same file name and preview, but that PDF already contains malware.

The vulnerabilities have been assigned CVE-2023-24068 and CVE-2023-24069. A severity rating and further details about the flaws are not available at this time.

(src)

comment: yes, on the Desktop version of Signal there is a folder, ~/.config/Signal/attachments.noindex, which basically stores some “preview” images of web articles or pictures sent.

While this is of concern, no need to panic (yet).

“If someone is able to breach the security of your device, they will likely be able to use your device on the same terms you would – listening to your Spotify playlists, checking your browser history, and perhaps opening Signal Desktop and viewing the contents of messages and shared files”

The point is not that something is wrong with Signal, but that in addition to using Signal it is important for privacy- and security-conscious people “to take precautions to secure their devices, like not leaving your computer unlocked, and to follow best security practices generally.”

On Signal storing attachments unencrypted, he said that Jackson has a point.

more on this subject: https://securityledger.com/2023/01/beware-images-video-shared-on-signal-hang-around/
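The practical check a defender wants here is whether the cache really holds readable media: Signal stores the files without an extension, so the audit below identifies them by their leading bytes instead. This is an added example, not code from the article or from Signal; it assumes the Linux path from the comment above and the Windows path from the article, and runs on a constructed sample directory when no path is given.

```python
import sys
import tempfile
from pathlib import Path

# Leading bytes of common attachment formats; ciphertext matches none of them.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
}


def sniff(head: bytes) -> str:
    """Return the file type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def audit_cache(cache_dir) -> list:
    """Walk an attachments.noindex tree and return sorted (relative path, type)
    pairs for every file that is a readable image or PDF, whatever its name."""
    root = Path(cache_dir)
    findings = []
    for path in root.rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                kind = sniff(fh.read(16))
            if kind != "unknown":
                findings.append((path.relative_to(root).as_posix(), kind))
    return sorted(findings)


def build_sample_cache() -> str:
    """Constructed stand-in for a real cache: extension-less files like Signal's,
    three plaintext media files' worth of headers and one blob of non-media bytes."""
    base = Path(tempfile.mkdtemp(prefix="noindex-"))
    (base / "ab").mkdir()
    (base / "ab" / "1111").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 32)
    (base / "ab" / "2222").write_bytes(b"\xff\xd8\xff\xe0" + b"\0" * 32)
    (base / "ab" / "3333").write_bytes(bytes(range(0x80, 0xA4)))  # not media
    (base / "4444").write_bytes(b"%PDF-1.4\n% constructed sample\n")
    return str(base)


if __name__ == "__main__":
    # Audit the directory given on the command line, else the constructed sample
    # (real paths: ~/.config/Signal/attachments.noindex on Linux,
    # %APPDATA%\Signal\attachments.noindex on Windows).
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_cache()
    for rel, kind in audit_cache(target):
        print(f"{kind:5s} {rel}")
```

Any line of output is a file that an attacker with access to the profile directory could read or swap without touching Signal's encryption, which is exactly the condition described above.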

75,000 WordPress websites are vulnerable to hacker attacks

LearnPress is a Learning Management System (LMS) plug-in that allows WordPress websites to easily create online courses, lessons, quizzes, and tests.

It provides website visitors with a user-friendly interface and requires no programming knowledge from the developer. Vulnerabilities in Pla …

(src)

Unknown malware terrorizes gambling companies

Cybersecurity researchers at SentinelLabs report that the Chinese-language group DragonSpark used run-time interpretation of Golang source code to avoid detection in spyware attacks against organizations in East Asia.

The cybercriminals’ attack vector is vulnerable database servers …

(src)

Hacked Wormhole blockchain bridge: Hacker starts moving $321 million in stolen assets

The hacker responsible for the $321 million hack of the Wormhole blockchain bridge has begun moving the stolen assets. He transferred 95.6k Ethereum ($155 million) of the stolen funds to the OpenOcean decentralized exchange, cybersecurity firm Certik reported on Twitter. The blockchain data …

(src)

Microsoft has decided to undermine malware delivery via Excel XLL

Microsoft is working to strengthen protection against abuse of XLL add-ins.

An update for Microsoft 365 is due out in March, introducing automatic blocking of XLL add-ins downloaded from the Internet.

According to the justification for the update added to the Microsoft 365 roadmap, the measure is due to the growing popularity of this vector …

(src)

About 20,000 Cisco routers are vulnerable to RCE attacks

Earlier we wrote about two critical vulnerabilities, which Cisco doesn’t want to fix.

We’re talking about CVE-2023-20025 and CVE-2023-2002 vulnerabilities. By combining them attackers can bypass authentication and execute arbitrary commands in the underlying operating system of Ci …

(src)

Experts published an exploit for Samsung Galaxy App Store holes

Exploit for vulnerabilities in the official Samsung Galaxy App Store has appeared on the web.

Using it, attackers can install any application without user consent, as well as redirect the user to a malicious site.

The breach was pointed out by researchers from the NCC Group in November and December …

(src)

Nearly $700 million seized from the founder of cryptocurrency exchange FTX.

The U.S. Attorney’s Office this week seized nearly $700 million in assets from FTX founder Sam Bankman-Fried, with the bulk of the seized assets held in the form of shares in Robinhood Markets. Ownership of about $525 million worth of Robinhood stock has been the subject of controversy …

(src)

Hackers stole the personal data of 37 million customers of U.S. telco T-Mobile

Unknown hackers stole the data of 37 million customers during an attack on the servers of the U.S. cellular operator T-Mobile, The Wall Street Journal reported. The attackers reportedly managed to get access to personal data of the subscribers, including names, dates of birth, phone …

(src)

The organizer of a criminal network in the USA faces 30 years in prison

Trevor Osagie, 31, of the Bronx, New York, USA, faces up to 30 years in prison in a bank fraud case. Trevor was the mastermind behind a nationwide fraud scheme with thousands of stolen bank accounts. According to the U.S. Department of Justice, Osagie had a network of partner …

(src)

An exploit for RCE vulnerability in Zoho ManageEngine has been published

Researchers have released a PoC exploit for an RCE vulnerability in several Zoho ManageEngine products. The issue, which allows remote execution of arbitrary code without authentication (CVE-2022-47966), is related to the use of an outdated and vulnerable version of the Apache Santuario library. This problem allowed …

(src)

Hackers modify DNS settings to redirect victims to malicious sites

The Roaming Mantis campaign has updated its Android malware to include a feature that changes DNS settings on vulnerable WiFi routers to spread malware to other devices.

The updated “Wroba.o/XLoader” variant was detected by Kaspersky Lab researchers, who …

(src)

admin