The malicious files were discovered by member of the Ahnlab Security Emergency Response Center (ASEC) through Google search results to queries for popular games

Google Search results linking to adware sites (ASEC)

 

Among the game titles abused for adware distribution purposes are Elden Ring, ROBLOX, Dark Souls 3, Red Dead Redemption 2, Need for Speed, Call of Duty, Portal 2, Minecraft, Legend of Zelda, Pokemon, Mario Kart, Animal Crossing, and more.

VHD files used in latest ChromeLoader campaign (ASEC)

 

A network of malvertising sites distributes the malicious files, which appear as legitimate game-related packages, that install the ChromeLoader extension.

ChromeLoader hijacks the browser searches to show advertisements. Itt also modifies the browser settings, and collects credentials and browser data.

According to Red Canary data, the malware bacame more prevalent in May 2022. In September 2022, VMware reported new variants carying out more sophisticated network activities. In some cases the actor even delivered the Enigma ransomware.

In all cases seen throughout 2022, ChromeLoader arrived on the target system as an ISO file. Lately, the operators appear to prefer the VHD packaging.

VHD files can be easily mounted on on a Windows system and are supported by multiple virtualization software.

The images include several files but only one of them, a shortcut called "Install.lnk," is visible. Deploying the shortcut triggers the execution of a batch script that decompresses the content of a ZIP archive.

Contents of VHD files (ASEC)

 

In the next step, the batch file executes "data.ini," a VBScript, and a JavaScript that fetches the final payload from a remote resource.

According to ASEC, ChromeLoader will start redirecting to advertisement sites, thus generating revenue for its operators.

The researchers say that the addresses hosting the payload are not longe accessible. They note that the malicious Chrome extension that ChromeLoader creates and executes can also collect credential data stored in the browser.

ASEC's report provides a short set of indicators of compromise that can help detect the ChromeLoader threat.

Users are advised to avoid downloading games from unofficial sources, and keep away from cracks for popular products as they typically have a high security risk.

Source

Microsoft maintains two Microsoft Defender products for Windows currently. There is the built-in Windows security application Microsoft Defender Antivirus and the Microsoft Defender app, which is available for Microsoft 365 subscribers.

Up until now, installation of Microsoft Defender was optional. Microsoft 365 subscribers could install the app from the Microsoft Store to use the extra features that if offers.

The three main features of Microsoft Defender for Microsoft 365 subscribers are that it adds a central dashboard for user devices, adds safety tools for family members, and includes identity theft monitoring. The latter option is provided by Experian and only available for subscribers in the United States. Microsoft Defender is also available for Android, iOS and Mac systems.

The central dashboard may be used to manage devices with Microsoft Defender installed, including Family devices.

Microsoft Defender vs. Microsoft Defender Antivirus

Microsoft describes the two products in the following way:

"Microsoft Defender is a security app that helps people and families stay safer online with malware protection, web protection, real-time security notifications, and security tips. Microsoft Defender is included in a Microsoft 365 Family or Personal subscription and works on your phone (Android or iOS), PC, and Mac."

"Windows Security, formerly known as Windows Defender Security Center, is an app built into Windows 10 or 11 that helps keep your PC more secure. It includes Microsoft Defender Antivirus, an antivirus tool that helps protect you against viruses, ransomware, and other malware."

Both Microsoft Defender products include anti-malware and web protection functions. Microsoft notes that the standalone Defender app works alongside non-Microsoft antimalware products on Windows.

Automatic installation of Microsoft Defender on Windows devices

Microsoft is sending out emails to Microsoft 365 Personal and Family subscribers currently that informs them about the automatic installation of the Microsoft Defender application when Microsoft 365 apps are installed. An update for these applications may also install the Microsoft Defender app on devices on which it is not installed on yet.

The automatic installation affects Windows devices only, according to Microsoft's email: "The Defender app will soon be automatically added to your Windows 10 or Windows 11 device during a routine update of your Microsoft 365 apps. Look for it in the Start Menu and make sure to sign in to activate your protections".

A Microsoft support document confirms the plan. There, Microsoft explains that " the Microsoft Defender app will be included in the Microsoft 365 installer" starting in late February 2023. The Microsoft Defender app will be installed automatically as part of the installation of Microsoft 365 on Windows 10 and 11 devices. Additionally, Microsoft Defender will be pushed as an update to devices that have Microsoft 365 apps installed already.

It is still required to sign-in to the application, once it is installed on the device.

Closing Words

Automatic installation of apps on user devices is always problematic, especially if users do not get a say in the matter. Microsoft Defender will soon be installed on millions of Windows 10 and 11 devices thanks to the automatic installation of the application. It remains to be seen how many Windows users will actually sign-in to the app and start using it.

Microsoft 365 subscribers who live outside the United States or use just a single device find little value in the application.

Source

Dish Network has been hit by a suspected ransomware attack that’s led to the company’s websites(Opens in a new window), its apps, and customer service systems going down. The outage is now on its fourth day.

The company’s main website currently features this message: “We are experiencing a system issue that our teams are working hard to resolve. For help with common issues, please select the Current Customer Support option below to see our FAQs and Troubleshooting guides.”

As The Verge notes(Opens in a new window), the outage hit when Dish CEO Erik Carlson was on an earnings call. He reportedly said the company was dealing with an “internal outage that’s continuing to affect our internal servers and IT telephony.”

Dish employees told(Opens in a new window) Bleeping Computer they are seeing “blank icons” on their Desktop, typical of a ransomware infection that has encrypted files.

According to a Dish employee who spoke to BleepingComputer, their manager had told them the incident “was caused by a known threat agent,” though the satellite-TV provider is currently in the dark on how they gained access. It is working with an “external vendor” to fix the outage.

BleepingComputer also reports that Dish customers are having issues when they try to sign in to TV channel apps like MTV & Starz with their Dish logins.

Dish customers have taken to social media to report that they cannot activate equipment or SIM cards from the company. Customers have also said they are being prevented from paying their bills.

In response to one customer who complained about the outage, the company’s Twitter support account tweeted(Opens in a new window) that an “internal systems issue is impacting some of our customer service operations,” adding, “we’ll be able to help you out as soon as our systems are back up.”

The same account also told(Opens in a new window) customers they won’t lose Dish service if they can't make a payment during the outage.

The multi-day outage has left employees, particularly those working remotely who rely on VPN logins, unable to work and unsure when the issue will be resolved.

An internal email sent by Dish higher-ups to employees and published by The Verge referred to “large VPN issues,” and requested staff who were unable to log into their VPN “stay tuned for further communication…as to when this shall be fixed.”

PCMag attempted to reach Dish in advance of publishing this story, but it is unclear if anyone at the company has access to their emails. A PR representative for Dish was also contacted but they did not immediately respond.

Source

Remote working brings benefits for employees, but by working from outside the company's internal network, there's also the added threat that employees are left more vulnerable to cyberattacks.

And if hackers can compromise a remote employee by stealing their corporate username and password, or infecting their computer with malware, it could become a costly network security risk for the entire organization.  

Data breaches, phishing campaigns, ransomware attacks, and business email compromise (BEC) are just some of the cybersecurity threats to organizations -- if cyberattackers can successfully target remote workers.

To help prevent this situation happening, the National Security Agency (NSA) has released 'Best Practices for Securing Your Home Network', which is a set of cybersecurity tips designed to help remote workers protect their networks -- and themselves -- from cyberattacks and hackers.

"In the age of telework, your home network can be used as an access point for nation-state actors and cybercriminals to steal sensitive information," said Neal Ziring, NSA cybersecurity technical director. "We can minimize this risk by securing our devices and networks, and through safe online behavior."

Acording to the NSA, here are some of the most important things you can do you to help secure your network and devices while working remotely.

Use modern operating systems, applications, and browsers – then keep them up to date

Using the most recent version of an operating system and keeping it updated with the latest security patches is one of the best ways to keep your device safe from cyberattacks.

The most recent operating system is the one which will be the most supported, while older operating systems might eventually stop receiving updates -- meaning that security patches may not be available if vulnerabilities, which could be exploited by attackers, are uncovered after the cut-off point.

In most cases, the updates will come in the form of a prompt that encourages you to restart your computer -- something you should do as soon as you can.

The same goes for applications, software, and web browsers -- using the latest version means you'll be using the latest security updates, which will prevent cyber criminals from exploiting known vulnerabilities in software to conduct attacks.

Image: Getty/Marko Geber

Keep your router secure and up to date

Your internet service provider (ISP) provides you with a router to connect to the internet. Many people don't really think about this device much, leaving it hidden in a corner after it's been installed.

But your router is an important part of your networking set-up, providing a gateway in and out of your home network -- something that can be exploited by cyber attackers if it isn't secured properly.

Like any other internet-connected device, you should make sure your router is kept updated with the latest security patches, which can be set up to download and install automatically.

If the router reaches end-of-life and becomes unsupported by the ISP, it should be replaced with a newer model that will receive updates.

Segment your wireless network

Segmenting your wireless connection, so there's separate Wi-Fi networks for your work and home devices, can be very helpful for keeping your devices secure.  

The NSA suggests that, at a minimum, your wireless network should be segmented between your primary Wi-Fi, guest Wi-Fi, and IoT network. This segmentation keeps less secure devices from directly communicating with your more secure devices.

Use strong passwords – and keep them safe with a password manager

Your passwords are the key to your online life, so it's vital to make them secure -- especially the ones you use to access corporate cloud environments. All of your passwords should be unique and complex, so they're not easy for an attacker to guess.

While remembering many different passwords is a challenge, this obstacle can be overcome by using a password manager -- which should also be secured with a strong, unique password.

It's also important not to store any passwords in plain text on your device. This will prevent your accounts being accessed if your device is lost or stolen.

Use multi-factor authentication for your accounts

Using multi-factor authentication (MFA) -- also known as two-factor authentication (2FA) -- whenever possible can keep all of your accounts secure.

Ideally, your employer will provide an authenticator to link to your corporate accounts, but it's also a good idea to secure your personal accounts with MFA. Application-based or hardware-based security keys are the most secure option. If that isn't possible, SMS-based MFA is better than no MFA.

Image: Getty/Luis Alvarez

Use security software

If you're working remotely, you should be using an antivirus product, one that's hopefully been provided by your employer. But in order to stay safe, it's also a good idea to install antivirus software on your personal devices, too -- and it doesn't need to cost a lot.  

Using antivirus software can alert you to potential threats, be they malicious attachments, websites or something else.

Follow email best practices  

Email is one of the most common and most effective attack vectors for malicious hackers, who can use it to trick you into giving them access to your password, clicking a malicious link or downloading malware. However, by following best practices around email cybersecurity, it's possible to avoid falling victim to email-based attacks.

The NSA recommends that you should avoid opening attachments or links from unsolicited emails and that you shouldn't click on links in attachments from unknown senders.

If you are uncertain if an email is legitimate or not, if possible you should identify the sender via secondary methods, such as a phone call, and delete the email if you're told it isn't really them.

The NSA also recommends that you should never open emails that make outlandish claims or offers that are "too good to be true" -- like an unexpected suggestion of a bonus or a pay raise.

Be careful when using social media

Social media services such as Facebook, Instagram, Twitter, and others are a good way to keep in contact with friends and family -- but they can also be a prime hunting ground for cyber criminals and other malicious hackers looking to conduct attacks.

Avoid posting information, such as addresses, phone numbers, places of employment, and other personal information, that can be used to target or harass you. Some scam artists use this information, along with pet names, first car make or model, and streets you have lived on, to figure out answers to account security questions.

You should also ensure that your personal social media accounts are set to friends only, to prevent unwanted eyes from snooping on your profile.

Also, take precautions with unsolicited requests, especially from strangers -- attackers could use in-app messaging services to conduct phishing attacks or deliver malware.

Image: Getty/Santiago Iñiguez/EyeEm

Be cautious when using public Wi-Fi spots

One of the great things about remote working is that you can do it from anywhere, so maybe instead of working from home, you decide to work from the local coffee shop for the day.

Yes, it has an internet connection -- but do you know how secure it is? The NSA warns that "public hotspots are more susceptible to malicious activity" -- which means you should take additional precautions when using public Wi-Fi, preferably avoiding it altogether.

Instead, the NSA recommends using a cellular network, such as your mobile Wi-Fi hotspot or 4G or 5G connectivity. If you must use public Wi-Fi, the NSA recommends using a trusted VPN provider to protect your connection from malicious activities and monitoring.

And if you're using your laptop in a public place, don't leave it unattended and available for other people to look at or steal.

Source

Last week, the university sent data breach notification letters to 897 individuals who submitted personal and health information as part of the graduate application to its Department of Economics, informing them that their info was accessed without authorization.

"On January 24, 2023, Stanford was notified that a folder containing the 2022-23 application files for admission to Stanford's Department of Economics' Ph.D. program was available through the department's website because of a misconfiguration of the folder's settings," the university told affected individuals.

"We promptly investigated this matter, which revealed that the unrestricted access to the applications began on December 5, 2022, and that there were two downloads of the application materials between December 5, 2022, and January 24, 2023."

The information exposed as a result of this breach comprises application and accompanying materials, including names, dates of birth, home and mailing addresses, phone numbers, email addresses, race and ethnicity, citizenship, and gender.

"The incident does not involve programs at Stanford other than the PhD program in Economics. It also does not involve undergraduate applications to the university," the university said in a separate statement on its website.

Financial and social security info not exposed

Some materials submitted during the Ph.D. application process also included applicants' health information. Social Security Numbers and financial data were not exposed during the incident because application files did not contain this type of data.

Stanford immediately blocked access to the files once it found out about the accidental exposure. At the moment, the university said that it found no evidence that the downloaded information has been misused.

"The confidentiality, privacy, and security of personal information are among our highest priorities, and we have security measures in place to protect this type of information," Stanford added.

"In response to this incident, we are updating our processes and policies related to electronic file storage security and will be retraining faculty and staff on the policies."

This incident follows an April 2021 data breach disclosed after the Clop ransomware group leaked documents stolen from Stanford School of Medicine's Accellion File Transfer Appliance (FTA) platform.

Data published online by the Clop cybercrime gang after the 2021 attack included names, addresses, email addresses, Social Security numbers, and financial information.

A Stanford spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Source

In 2021, Americans also reported losses of more than $5.8 billion to fraud, another massive increase of over 70% compared to 2020.

The FTC said on Thursday that 2.4 million consumers have reported losing money to scammers, most of them falling victim to imposter scams and online shopping scams throughout the last year.

The top five fraud categories also include scam reports involving prizes, sweepstakes, and lotteries, investments, and business and job opportunities.

"Consumers reported losing more money to investment scams—more than $3.8 billion—than any other category in 2022. That amount more than doubles the amount reported lost in 2021," the FTC said.

"The second highest reported loss amount came from imposter scams, with losses of $2.6 billion reported, up from $2.4 billion in 2021."

Fraud statistics in 2022 (FTC)

 

The FTC added 5.1 million consumer reports to its Consumer Sentinel Network (Sentinel) secure online database in 2022, with over 1.1 million reports of identity theft filed through the FTC's IdentityTheft.gov website.

The consumer protection agency also revealed last month that nearly 70,000 people had reported record losses of $1.3 billion to romance scams in 2022.

Unfortunately, these stats likely reflect just a fraction of the actual harm inflicted by romance scammers, given that most frauds are never reported.

You can report fraud attempts at ReportFraud.ftc.gov and file an identity theft report at IdentityTheft.gov.

Once included in the Sentinel database, your report will be available to roughly 2,800 federal, state, local, and international law enforcement professionals.

Each report can help investigators find the fraudsters and make it easier to discover trends and educate the public.

Source

As the company explained, exclusions targeting the Temporary ASP.NET Files and Inetsrv folders and the PowerShell and w3wp processes are not required since they're no longer affecting stability or performance.

However, admins should make a point out of scanning these locations and processes because they're often abused in attacks to deploy malware.

"Keeping these exclusions may prevent detections of IIS webshells and backdoor modules, which represent the most common security issues," the Exchange Team said.

"We've validated that removing these processes and folders doesn't affect performance or stability when using Microsoft Defender on Exchange Server 2019 running the latest Exchange Server updates."

You can also safely remove these exclusions from servers running Exchange Server 2016 and Exchange Server 2013 but you should monitor them and be ready to mitigate any issues that might come up.

The list of folder and process exclusions that should be removed from file-level antivirus scanners includes:

%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files
%SystemRoot%\System32\Inetsrv
%SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe
%SystemRoot%\System32\inetsrv\w3wp.exe

This comes after threat actors have been using malicious Internet Information Services (IIS) web server extensions and modules to backdoor unpatched Microsoft Exchange servers worldwide.

To defend against attacks using similar tactics, you should always keep your Exchange servers up to date, use anti-malware and security solutions, restrict access to IIS virtual directories, prioritize alerts, and regularly inspect config files and bin folders for suspicious files.

Redmond also recently urged customers to keep on-premises Exchange servers up-to-date by applying the latest Cumulative Update (CU) to have them ready to deploy emergency security updates.

It is also recommended to always run the Exchange Server Health Checker script after deploying updates to detect common configuration issues or other issues that can be fixed with a simple environment configuration change.

As security researchers at the Shadowserver Foundation found in January, tens of thousands of Internet-exposed Microsoft Exchange servers (over 60,000 at the time) are still vulnerable to attacks leveraging ProxyNotShell exploits.

Shodan also shows many Exchange servers exposed online, with thousands of them defenseless against attacks targeting the ProxyShell and ProxyLogon flaws, two of the most exploited vulnerabilities of 2021.

The suspects, all young men aged between 18 and 21, are charged with stealing sensitive data from victim networks and demanding a ransom. It is believed that they attacked thousands of companies.

Victims include online shops, software firms, social media companies, and institutions connected to critical infrastructure and services.

The threat actors demanded between €100,000 and €700,000, depending on the size of the organization they hacked. The extortion involved threats of leaking the data or destroying the company's digital infrastructure.

It is unclear if the hackers also encrypted files during the attacks or just stole data and threatened to leak it unless the victim paid a ransom.

The Dutch police say that even when victims paid the ransom, the hackers still sold the stolen data online for extra profit.

"The cybercrime team started the investigation in March 2021 in response to a declaration of data theft and threat to a large Dutch company," reads the police announcement.

It is estimated that the hackers stole personal data belonging to tens of millions of individuals, including names, email addresses, telephone numbers, bank account numbers, credit card details, account passwords, license plates, and passport details.

This information can be used in phishing and social engineering attacks, and various fraudulent activities.

Amsterdam's cybercrime unit has noticed a worrying trend among data brokers who now process stolen data to refine the records and make the databases easily searchable. This gives them better sales prospects and maximizes their profits from successful network intrusions.

Source

Obtrusive "open in app" pop-ups aim to take visitors to a space where browsers' privacy protections features do not apply, allowing the app author to freely gather extensive user data.

Brave will now block this annoyance starting version 1.49 for Windows and Android (already available on iOS since v1.44), allowing users to browse the web without unexpected interruptions.

Reddit prompt to visit the site through the app (Brave)

 

"Brave will hide "open in app" annoyances by enabling the "Fanboy's Mobile Notifications List," maintained in part by folks working at Brave," the software developer informs.

Users can disable the feature from the settings menu by deactivating the "Fanboy's Mobile Notifications List" under the custom and regional filters.

MSN suggesting to read news item on app
(BleepingComputer)

 

Brave version 1.49 will also add protections against "pool-party" attacks that aim to persistently track users by abusing characteristics in the implementation of browser features.

A pool-party attack can help attackers to track their targets' browsing behavior across website. They require limited shared resources, or "pools," to create side channels that allow tracking and circumvent privacy protections in browsers.

Pool-party attacks are powerful, pervasive, and practical. Unfortunately, they appear to impact all modern web browsers, including Brave.

Although Brave had updated its defenses against these attacks in version 1.35, its engineers have found that sites now employ alternative ways that can bypass existing protections.

Another feature planned for version 1.49 is partial support for procedural cosmetic filters, which are used to specify which page elements should be hidden when blocking ads.

For starters, Brave supports two of the most popular procedural cosmetic filters, but there are plans to add more in future releases.

Finally, Brave version 1.50 for Android will introduce more screen attribute-based fingerprinting protections to prevent sites from profiling and tracking users based on their device screen size.

Brave will now prevent trackers from accessing screen size and browser position and will report slightly different randomized values to each site for each browser session, making persistent tracking impossible.

Source

"Upon learning of this incident, Dole moved quickly to contain the threat and engaged leading third-party cybersecurity experts, who have been working in partnership with Dole’s internal teams to remediate the issue and secure systems," Dole stated on its website. The company added that it has notified law enforcement about the incident and is cooperating with their investigation.

This confirmation followed a CNN report that the company experienced a cyberattack that significantly affected its operations.

Emanuel Lazopoulos, senior vice president at Dole's Fresh Vegetables division, sent the following memo to retailers (via BleepingComputer):

Good afternoon,

Dole Food Company is in the midst of a Cyber Attack and have subsequently shut down our systems throughout North America. Our IT group is working hard on mitigating the issues in order to get our systems up and running ASAP. Our plants are shut down for the day and all shipments are on hold. All our businesses are implementing our Crisis Management Protocol to resume “business as usual” post haste, inclusive of our Manual Backup Program if needed. Please bear with us as we navigate our way and hopefully we will minimize this event.

Thank you for your patience and your salesperson will keep you updated and informed of our progress.

The hack, which was previously unreported, resulted in some grocery shoppers complaining on social media that some stores were not carrying Dole prepackaged salad kits. CNN interviewed managers from stores in New Mexico and Texas who said that they were unable to stock Dole products due to the attack. "They [customers] are upset, but it happens," said a produce manager of Clayton Ranch Market in Clayton, New Mexico. "We can’t do nothing about it except [put in the orders]."

As of this writing, it is not yet known how Dole fell victim to the ransomware attack. Nonetheless, to protect your PCs from such attacks, do not open links or attachments from unsolicited emails because they could contain malware. Keep your antivirus software updated, and always backup your files on an external storage system like a flash drive, hard drive, or the cloud.

Source: CNN

Source

The Federal Bureau of Investigation (FBI) in the US is advising people to use ad blockers as part of a warning about the threat of scams online.

In a public service announcement, the security agency’s internet complaints department says ad-blocking extensions can help to protect users against fraudulent online adverts that appear in search results. Cybercriminals are behind such ads that are made to look like messages from real brands and businesses, it says.

The dupes, which can sometimes appear at the top of a search results page, contain links to fake websites or malicious software downloads that try to pinch your login details or financial information.

By endorsing ad blockers, which scrub or hide content identified as ads from websites, the FBI is effectively giving the thumbs-up to a divisive tool that many internet publishers (including news sites) actively discourage visitors from using.

As such, its warning illustrates just how perilous the internet advertising environment has become. Online ad sellers such as Google and Microsoft are locked in a ceaseless duel with cybercriminals, who try to create thousands of accounts to bypass their security systems when purchasing ads.

Despite constantly scouring their services for scams using ad verification and certification policies, it seems that some fakes are still seeping through their nets.

In July, researchers from Malwarebytes found that bad actors were creating fake search ads that mimicked websites including YouTube, Amazon and Facebook. Earlier in the year, Google removed ads that impersonated the customer support accounts of internet providers including BT and Sky.

More broadly, there have been many scams in the UK since the start of the Covid-19 pandemic. These include phishing messages sent via email and SMS; cryptocurrency scams that falsely claim to be endorsed by celebrities; fraudulent calls from overseas; and fake offers around major shopping events such as Black Friday.

US security agencies are practising what they preach: the National Security Agency (NSA), Central Intelligence Agency (CIA), FBI and others in the US intelligence community are already reportedly using network-based ad-blocking technologies, according to a copy of a letter sent by Congress and shared with tech news site Motherboard.

The FBI’s other tips for staying safe online echo the advice offered by Trading Standards in the UK. These include checking the authenticity of an ad by making sure the URL it contains is free from typos and other errors, and searching for businesses and financial institutions by typing in their full website address.

Source

ChatGPT gained immense traction since its launch in November 2022, becoming the most rapidly growing consumer application in modern history with more then100 million users by January 2023.

This massive popularity and rapid growth forced OpenAI to throttle the use of the tool and launched a $20/month paid tier (ChatGPT Plus) for individuals who want to use the chatbot with no availability restrictions.

The move created conditions for threat actors to take advantage of the tool's popularity by promising uninterrupted and free-of-charge access to premium ChatGPT. The offers are galse and the goal is to lure users into installing malware or to provide account credentials.

Security researcher Dominic Alvieri was among the first to notice one such example using the domain "chat-gpt-pc.online" to infect visitors with the Redline info-stealing malware under the guise of a download for a ChatGPT Windows desktop client.

That website was promoted by a Facebook page that used official ChatGPT logos to trick users into getting redirected to the malicious site.

Fake Facebook page (Cyble)

 

Alvieri also spotted fake ChatGPT apps being promoted on Google Play and third-party Android app stores, to push dubious software onto people's devices.

Fake ChatGPT apps on the Play Store (Alvieri)

 

Researchers at Cyble have published a relevant report today where they present additional findings regarding the malware distribution campaign discovered by Alvieri, as well as other malicious operations exploiting ChatGPT's popularity.

Cyble discovered "chatgpt-go.online" which distributes malware that steals clipboard contents and the Aurora stealer.

Additionally, "chat-gpt-pc[.]online" delivered the Lumma stealer in Cyble's tests. Another domain, "openai-pc-pro[.]online," drops an unknown malware family.

In addition to the above, Cyble discovered a credit card stealing page at "pay.chatgptftw.com" that supposedly offers visitors a payment portal to purchase ChatGPT Plus.

Phishing site stealing credit card details (Cyble)

 

When it comes to fake apps, Cyble says it discovered over 50 malicious applications that use the ChatGPT's icon and a similar name, all of them being fake and attempting to harmful activities on users' devices.

Two examples highlighted in the report are 'chatGPT1,' which is an SMS billing fraud app, and 'AI Photo,' which contains the Spynote malware, which can steal call logs, contact lists, SMS, and files from the device.

Spynote malware stealing call data from the infected device (Cyble)

 

ChatGPT is exclusively an online-based tool available only at "chat.openai.com" and does not offer any mobile or desktop apps for any operating systems at the moment.

Any other apps or sites claiming to be ChatGPT are fakes attempting to scam or infect with malware and should be considered at least suspicious and users should avoid them.

Source

Also known as dpxaker, Dariy Pankov is now charged with access device fraud and computer fraud and faces a maximum sentence of 47 years in federal prison if convicted on all counts.

"The powerful malware was capable of compromising protected computers by decrypting login credentials, such as passwords," the Justice Department said in a press release on Wednesday.

"Pankov used NLBrute to obtain the login credentials of tens of thousands of computers located all over the world. He marketed, sold, and had others sell on his behalf, NLBrute to other cybercriminals for a fee."

The suspect also sold credentials he stole from his victims on a dark web marketplace where cybercriminals were selling access to compromised devices and networks.

Those who bought the stolen login information used it in various malicious campaigns, ranging from tax fraud and ransomware attacks.

At least $350,000 obtained from selling stolen credentials

The investigators could trace $358,437 withdrawn by Pankov from the illegal marketplace between August 2016 and January 2019, obtained from selling access to hacked computers.

According to the indictment, among the tens of thousands of stolen credentials he put for sale, the defendant also sold the login information of a law firm in the Middle District of Florida to an undercover law-enforcement officer for $19.25 on June 15, 2018.

NLBrute was also used by threat actors linked to multiple Ransomware-as-a-Service (RaaS) operations, including REvil, Dharma, and Netwalker, to brute force their way into victims' Remote Desktop Protocol (RDP) servers and further compromise their networks.

Last week, the Justice Department announced that Russian national Vladislav Klyushin was convicted of his involvement in a hacking scheme that led to $90 million in illegal profits via securities trades based on non-public info stolen from U.S. networks.

In January, the Russian founder of the Hong Kong-registered cryptocurrency exchange Bitzlato was also arrested and charged with helping cybercriminals launder illegally obtained money.

How to enable passwordless login in Bitwarden on desktop

1. Open the Bitwarden desktop app on your PC.

2. Unlock your Vault using your master password.

3. Go to the File > Settings page.

4. Click the checkbox next to the option that says "Approve Login Requests".

5. Switch to your web browser, and access the Bitwarden web vault https://vault.bitwarden.com/

6. Enter your email address in the username field.

7. Click the continue button, and the page will prompt you to enter your Master Password. It also has an option to "Login with Device". (1st screenshot)

8. Select the option, and the page will display a message that reads "Log in initiated", and says that a notification has been sent to your device. It also shows a fingerprint phrase, which is a combination of random words.

9. Switch out to the Bitwarden desktop app, and you should see a pop-up window that gives you the details of the login attempt. This push notification lists the IP address where the request was made from, the time, and the browser used for signing in. The fingerprint phrase is also displayed in this panel. You can use this information to check whether it is a legitimate login attempt or not, i.e. if it is from your device or elsewhere.

10. Click the confirm login button to allow the passwordless login attempt. Or, hit the deny login button to block access to your account.

Note: The process to enable the log in with device option on the Bitwarden mobile app for Android and iOS is slightly different. You should follow my previous article to get it working.

You will be prompted to enter the 2FA code if you have enabled (and you should) two-step login for your Bitwarden account. Not seeing the option to log in with device option in your browser? You should update the Bitwarden desktop app and try again. It is also worth mentioning that the button will only appear on browsers that you have logged into before, i.e. it works on recognized devices only.

Some people may argue that this is a disadvantage. Let's say you want to access your Bitwarden vault on a friend's computer or a system that you don't normally use. It could be safer to not type your master password to prevent key logging attempts. But, is it really safe to access your vault on a device that may or may not be secure? I think that's the logic behind Bitwarden's implementation of only allowing recognized devices (and browsers) to use the passwordless login feature.

Is this passwordless login method secure? How does it work?

As outlined in the above diagram, the web vault sends an encrypted authentication request to the device with the Bitwarden app. The latter sends the outcome (approve/deny), which is also done via the same end-to-end encrypted communication method (public + private key pair). Bitwarden says that this is a zero knowledge encryption method. Refer to step 2 in the above guide, you will need to have the vault unlocked on your desktop to approve a login request made on the web, that's an added layer of security, as are the fingerprint phrase and the 2FA verification.

Essentially, Bitwarden's passwordless login reduces the requirement of unlocking your vault multiple times on your devices. For example, normally, you would enter the master password to unlock your vault in the desktop (or mobile) app. When you want to access your account via the web vault or the browser extension, you would have to enter the password again. With the passwordless login method, you only need to enter the password once (in the desktop or mobile app). It is somewhat similar in terms of using Windows Hello and TouchID, but passwordless login is simpler and does not require special hardware (like a fingerprint reader).

What happens if you lose access to a device?

You won't be locked out of your vault. The passwordless login system, is as the name suggests, a different way to log in to your account. So in the unfortunate event where you cannot access your phone, you can still use your master password to unlock the vault via a web browser, or via another device where you used it on previously.

It's up to you to decide whether you want to use the feature or not, it's not enabled by default. The option is not available for the web extensions for browsers yet. The official announcement can be found here.

Have you tried Bitwarden's passwordless login?

Bitwarden's desktop app now supports passwordless login for web vault

For those not in the know, a botnet is a network of computers infected with malware and controlled without the owner's knowledge to send spam messages, distribute malware, and steal sensitive data.

BitSight, a cybersecurity ratings company, said that it is currently recording more than 50,000 unique systems infected with the Mylobot botnet every day. While this is a decrease from 250,000 during the start of 2020, BitSight believes that they are only seeing part of the full botnet.

Mylobot was first documented in 2018 by cybersecurity company Deep Instinct, which found that the botnet had anti-analysis techniques and downloader abilities. A few months later, the botnet was observed as well by technology company Lumen's Black Lotus Labs. "What makes Mylobot dangerous is its ability to download and execute any type of payload after it infects a host," its blog stated. "This means at any time, it could download any other type of malware the attacker desires."

The Mylobot botnet has the following features:

• Anti-virtual machine, sandbox, and debugging techniques

• Wrapping internal parts with an encrypted resource file

• Code injection

• Process hollowing: a security exploit wherein an attacker removes code in an executable file and replaces it with a malicious one

• Reflective EXE: the act of executing EXE files directly from memory, without having them on disk

   

Most notably, however, Mylobot can remain idle for 14 days to evade detection. Once this period lapses, the botnet then contacts its command-and-control (C&C) center and awaits for further instructions. After it receives its directives, it transforms an infected PC into a proxy. The infected machine will then be able to handle various connections and relay traffic sent through the C&C server.

In 2020, the Mylobot botnet was found sending extortion emails to users based on their online usage. If a user visited a pornographic website, they would later receive an email that threatens to leak their explicit video recorded through the webcam unless they pay about $2,700 in cryptocurrency.

To protect your systems from botnet attacks, keep your programs updated as this prevents botnet malware from exploiting software vulnerabilities. Closely monitor your network as well for unusual network activity. Finally, refrain from opening files from unknown or suspicious sources.

Source: BitSight via The Hacker News

'Mylobot' botnet infecting 50,000 devices per day worldwide

Vulnerabilities are a certainty in software, and developers will always assume that their software is vulnerable in some way, shape, or form to some kind of attack. However, it's not always possible for companies to identify every single problem with a piece of software, and often, a fix for a vulnerability may result in another vulnerability cropping up elsewhere. Bug bounties and vulnerability reward programs are important in order to incentivize security researchers to look a little bit closer at software, while also pushing would-be bad actors to get an immediate payout and alert the company of the problem instead. 2022 was the biggest year for Google's Vulnerability Reward Programs yet.

In 2022, Google paid out $12 million in bounty rewards, spread out over more than 2,900 security vulnerabilities. The highest of which was a payout in the Android Vulnerability Program, in the form of a payment of $605,000. Android's Vulnerability Reward Program as a whole saw $4.8 million paid out in rewards, and the Android Chipset Security Reward Program, an invite-only reward program, rewarded $468,000 over more than 700 reports.

As for Google Chrome, the Chrome Vulnerability Reward Program saw a total of $4 million in payouts. $3.5 million of that went towards rewarding researchers who discovered 363 bugs in Google Chrome, and nearly $500,000 of that went towards researchers finding bugs in ChromeOS. This year, the Chrome VRP has added a new category last year for memory-corruption bugs in highly privileged processes to incentivize researchers to target those areas.

As a large contributor to the open source software community (OSS), Google also introduced a vulnerability reward program for its own OSS programs. Over 100 people have participated in the project and received rewards totaling more than $110,000.

If you're interested in figuring out how to find bugs and vulnerabilities yourself, Google launched Bug Hunters University (BHU) last year as well. There are instructional videos, guides on making reports, and security researchers such as LiveOverflow and stacksmashing (formerly Ghidra Ninja) are contributors to BHU. Google has made continued efforts in financially supporting security researchers who find bugs and vulnerabilities in Google software, and you can check out the "Hacking Google" miniseries on YouTube for a behind-the-scenes look.

Source

These other processors play important roles, as they may offer specialized functionality to the system, be it by improving security, helping speed up image & video processing, or managing cellular communications.

The main processor, the Application Processor, was at the center of security in recent years. Threat actors devised methods and programs to exploit vulnerabilities, and manufacturers such as Google patched these and added more security features to make new exploits more difficult.

Google noticed the rise of a new attack vector in recent time. This one focused on "other parts of the software stack", including firmware according to Google. Firmware can best be described as software that powers devices. What makes firmware particularly interesting from a threat actor's perspective are several characteristics:

• Firmware is executed early when a device is powered on.
• It may be difficult to update firmware, especially if it has been attacked successfully.
• Firmware manipulations may grant malware persistency.

Firmware attacks are not as widespread as phishing or the spreading of malicious applications for Android. Firmware attacks are sophisticated, and most focus on lucrative targets and not broad attacks. While that makes it less likely that regular Android users will become the victims of such attacks, it is nevertheless important to deal with this threat.

Google announced plans to improve firmware defenses in future versions of Android. Google launched compiler-based mitigations in Android over the last years that added more layers of defense across the platform. The company wants to use the same methodology to harden the security of firmware that runs on Android.

Google is working with "ecosystem partners" to harden the security of firmware on Android. The company gives two examples. First, by using compiler-based sanitizers and other exploit mitigations in firmware, and second, by enabling additional memory safety features in firmware.

Compiler-based sanitizers are designed to detect bugs in code; Google uses them for other software projects, including its Google Chrome web browser, already. These would prevent exploits that target memory corruption vulnerabilities according to Google.

Google admits that these exploit mitigations are difficult to implement in firmware running on bare metal targets. One of the challenges that engineers face is that these systems are often resource-constrained and designed to "run a very specific set of functions".  Improperly designed mitigations could result in functionality, performance or stability issues on the device.

The main goal is to maximize impact of the mitigations while minimizing the performance and stability impact of them.

Firmware hardening is one of Google's top priorities when it comes to Android security. Google plans to expand these mitigations to more "bare metal targets" in the future, and hopes that its partners will do the same.

The company has yet to reveal when this new wave of mitigations will become available. Google published the first preview of Android 14 earlier this month. Instructions on installing the Android 14 Developer Preview are found here.

Source

The U.S. Department of Defense secured an exposed server on Monday that was spilling internal U.S. military emails to the open internet for the past two weeks.

The exposed server was hosted on Microsoft’s Azure government cloud for Department of Defense customers, which uses servers that are physically separated from other commercial customers and as such can be used to share sensitive but unclassified government data. The exposed server was part of an internal mailbox system storing about three terabytes of internal military emails, many pertaining to U.S. Special Operations Command, or USSOCOM, the U.S. military unit tasked with conducting special military operations.

But a misconfiguration left the server without a password, allowing anyone on the internet access to the sensitive mailbox data inside using only a web browser, just by knowing its IP address.

Anurag Sen, a good-faith security researcher known for discovering sensitive data that has been inadvertently published online, found the exposed server over the weekend and provided details to TechCrunch so we could alert the U.S. government.

The server was packed with internal military email messages, dating back years, some of which contained sensitive personnel information. One of the exposed files included a completed SF-86 questionnaire, which are filled out by federal employees seeking a security clearance and contain highly sensitive personal and health information for vetting individuals before they are cleared to handle classified information. These personnel questionnaires contain a significant amount of background information on security clearance holders valuable to foreign adversaries. In 2015, suspected Chinese hackers stole millions of sensitive background check files of government employees who sought security clearance in a data breach at the U.S. Office of Personnel Management.

None of the limited data seen by TechCrunch appeared to be classified, which would be consistent with USSOCOM’s civilian network, as classified networks are inaccessible from the internet.

According to a listing on Shodan, a search engine that crawls the web for exposed systems and databases, the mailbox server was first detected as spilling data on February 8. It’s not clear how the mailbox data became exposed to the public internet, but it’s likely due to a misconfiguration caused by human error.

TechCrunch contacted USSOCOM on Sunday morning during a U.S. holiday weekend but the exposed server wasn’t secured until Monday afternoon. When reached by email, a senior Pentagon official confirmed they had passed details of the exposed server to USSOCOM. The server was inaccessible soon after.

USSOCOM spokesperson Ken McGraw said in an email on Tuesday that an investigation, which began Monday, is under way. “We can confirm at this point is no one hacked U.S. Special Operations Command’s information systems,” said McGraw.

It’s not known if anyone other than Sen found the exposed data during the two-week window that the cloud server was accessible from the internet. TechCrunch asked the Department of Defense if it has the technical ability, such as logs, to detect any evidence of improper access or data exfiltration from the database, but the spokesperson did not say.

Source

Google Chrome's built-in password manager is barebones, especially when it is compared to dedicated password managers such as Bitwarden or KeePass. Currently, Chrome supports just a few features, including the saving of the username and password, an auto-sign in option, and an option to check passwords for data breaches.

It needs to be noted that most built-in password managers are as barebones as the Chrome one. It is a convenience feature that supports the basics for the most part.

Soon, Chrome users may add notes to saved passwords. The feature adds a useful option to the password manager. Notes may add valuable information to saved passwords, for example, a recovery code or a security question answer, the email address the account was created with, the date of password changes, and more.

Adding notes to Chrome passwords

The note addition to Chrome's password manager is a work in progress at this stage. Most options are hidden behind flags at this point and some may not be available or implemented in Chrome Stable either.

However, Chrome Stable supports the basic notes feature already, albeit only in the password manager directly; this makes it a tad uncomfortable to use, as it requires opening the password in the password manager to add or edit a note.

To enable the feature, Chrome users need to load chrome://flags/#password-notes in the browser's address bar and set the feature to Enabled. Notes is integrated into the password manager after the restart.

To add or edit notes, Chrome users may then open the password manager settings by loading chrome://settings/passwords in the address bar, or by going there manually via Menu > Settings > Autofill > Password Manager.

Once a stored password has been selected and the user has authenticated using the device's password, notes are listed on the page next to the username and password. A click on edit enables the editing of all fields, including the notes field.

New passwords may also be added manually to the password manager. These include a notes field as well, which may be filled out optionally.

Further improvements underway

Google is working on improving the visibility of password notes. Users of the browser may use the "manage password" icon in the address bar to see and edit notes directly.

Improving the visibility of notes and adding edit capabilities to the frontend off the browser improve the feature significantly. It is easier to edit a note quickly while on the site in many cases, and since notes may be displayed there as well, it may also prove useful for certain tasks, including account recovery tasks that require answers to security questions.

Now You: do you store passwords in browsers?

You may soon add notes to passwords in Google Chrome

The Korean tech giant says its new security system will be able to detect these threats when they reach the device as a message and to stop them before they do any damage.

Zero-click exploits

Zero-click exploits are sophisticated threats that leverage a vulnerability without requiring any interaction with the user.

Typically, attacks relying on zero-click exploits involve sending the target a message or file with malicious code to trigger a vulnerability on the device that gives the attacker access without the victim even opening the message or file.

Notable zero-click attacks targeted journalists and activists with NSO’s Pegasus spyware by leveraging the KISMET and FORCEDENTRY exploits in Apple's iMessage.

Apple tried to mitigate these security threats by introducing the Lockdown Mode, an operation mode designed for high-risk individuals that limits functionality and increases security of the device.

Samsung Message Guard

Samsung Message Guard is an isolated virtual space on the smartphone that acts as a temporary hosting location for newly arrived image files in PNG, JPG/JPEG, GIF, ICO, WEBP, BMP, and WBMP formats.

The system checks the files to determine if they hide malicious code. If so, they are locked in quarantine mode and blocked from accessing or interacting with the underlying operating system.

“Samsung Message Guard automatically neutralizes any potential threat hiding in image files before they have a chance to do you any harm,” explains Samsung in the feature announcement.

The new security system is added to Samsung’s multiple existing protection layers, most notably Samsung Knox, which can offer real-time threat detection and protection against malware.

Samsung Message Guard is available immediately for Galaxy S23, released on Friday, and it will gradually roll out to other Galaxy devices running One UI 5.1 or higher later in 2023.

Source

The targeting, which coincided and has since persisted following the country's military invasion of Ukraine in February 2022, focused heavily on the Ukrainian government and military entities, alongside critical infrastructure, utilities, public services, and media sectors.

Mandiant said it observed, "more destructive cyber attacks in Ukraine during the first four months of 2022 than in the previous eight years with attacks peaking around the start of the invasion."

As many as six unique wiper strains – including WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, and SDelete – have been deployed against Ukrainian networks, suggesting a willingness on the part of Russian threat actors to forgo persistent access.

Phishing attacks aimed at NATO countries witnessed a 300% spike over the course of the same period. These efforts were driven by a Belarusian government-backed group dubbed PUSHCHA (aka Ghostwriter or UNC1151) that's aligned with Russia.

"Russian government-backed attackers have engaged in an aggressive, multi-pronged effort to gain a decisive wartime advantage in cyberspace, often with mixed results," TAG's Shane Huntley noted.

Some of the key actors involved in the efforts include FROZENBARENTS (aka Sandworm or Voodoo Bear), FROZENLAKE (aka APT28 or Fancy Bear), COLDRIVER (aka Callisto Group), FROZENVISTA (aka DEV-0586 or UNC2589), and SUMMIT (aka Turla or Venomous Bear).

The uptick in the intensity and frequency of the operations aside, the invasion has also been accompanied by the Kremlin engaging in covert and overt information operations designed to shape public perception with the goal of undermining the Ukrainian government, fracturing international support for Ukraine, and maintain domestic support for Russia.

"GRU-sponsored actors have used their access to steal sensitive information and release it to the public to further a narrative, or use that same access to conduct destructive cyber attacks or information operations campaigns," the tech giant said.

With the war splintering hacking groups over political allegiances, and in some cases, even causing them to close shop, the development further points to a "notable shift in the Eastern European cybercriminal ecosystem" in a manner that blurs the lines between financially motivated actors and state-sponsored attackers.

This is evidenced by the fact that UAC-0098, a threat actor that has historically delivered the IcedID malware, was observed repurposing its techniques to assault Ukraine as part of a set of ransomware attacks.

Some members of UAC-0098 are assessed to be former members of the now-defunct Conti cybercrime group. TrickBot, which was absorbed into the Conti operation last year prior to the latter's shutdown, has also resorted to systematically targeting Ukraine.

It's not just Russia, as the ongoing conflict has led Chinese government-backed attackers such as CURIOUS GORGE (aka UNC3742) and BASIN (aka Mustang Panda) to shift their focus towards Ukrainian and Western European targets for intelligence gathering.

"It is clear cyber will continue to play an integral role in future armed conflict, supplementing traditional forms of warfare," Huntley said.

The disclosure comes as the Computer Emergency Response Team of Ukraine (CERT-UA) warned of phishing emails targeting organizations and institutions that purport to be critical security updates but actually contain executables that lead to the deployment of remote desktop control software on the infected systems.

CERT-UA attributed the operation to a threat actor it tracks under the moniker UAC-0096, which was previously detected adopting the same modus operandi back in late January 2022 in the weeks leading to the war.

"A year after Russia launched its full-scale invasion of Ukraine, Russia remains unsuccessful in bringing Ukraine under its control as it struggles to overcome months of compounding strategic and tactical failures," cybersecurity firm Recorded Future said in a report published this month.

"Despite Russia's conventional military setbacks and its failure to substantively advance its agenda through cyber operations, Russia maintains its intent to bring Ukraine under Russian control," it added, while also highlighting its "burgeoning military cooperation with Iran and North Korea."

Source

"This case shows that we also have a great capacity to follow the money on the blockchain, even if the criminals use advanced methods," the agency said in a statement.

The development comes more than 10 months after the U.S. Treasury Department implicated the North Korea-backed hacking group for the theft of $620 million from the Ronin cross-chain bridge.

Then in September 2022, the U.S. government announced the recovery of more than $30 million worth of cryptocurrency, representing 10% of the stolen funds.

Økokrim said it worked with international law enforcement partners to follow and piece together the money trail, thereby making it more difficult for criminal actors to carry out money laundering activities.

"This is money that can support North Korea and their nuclear weapons programme," it further added. "It has therefore been important to track the cryptocurrency and try to stop the money when they try to withdraw it in physical assets."

The development comes as crypto exchanges Binance and Huobi froze accounts containing approximately $1.4 million in digital currency that originated from the June 2022 hack of Harmony's Horizon Bridge.

The attack, also blamed on the Lazarus Group, enabled the threat actors to launder some of the proceeds through Tornado Cash, which was sanctioned by the U.S. government in August 2022.

"The stolen funds remained dormant until recently, when our investigators began to see them funneled through complex chains of transactions, to exchanges," blockchain analytics firm Elliptic said last week.

What's more, there are indications that Blender – another cryptocurrency mixer that was sanctioned in May 2022 – may have resurrected as Sinbad, laundering nearly $100 million in Bitcoin from hacks attributed to the Lazarus Group, Elliptic's Tom Robinson told The Hacker News.

According to the company, funds siphoned in the wake of the Horizon Bridge heist were "laundered through a complex series of transactions involving exchanges, cross-chain bridges and mixers."

"Tornado Cash was used once again, but in place of Blender, another Bitcoin mixer was used: Sinbad."

Although the service launched only in early October 2022, it is estimated to have facilitated tens of millions of dollars from Horizon and other North Korea-linked hacks.

In the two-month period ranging from December 2022 to January 2023, the nation-state group has sent a total of 1,429.6 Bitcoin worth approximately $24.2 million to the mixer, Chainalysis revealed earlier this month.

The evidence that Sinbad is "highly likely" a rebrand of Blender stems from overlaps in the wallet address used, their nexus to Russia, and commonalities in the way both the mixers operate.

"Analysis of blockchain transactions shows that a Bitcoin wallet used to pay individuals who promoted Sinbad, itself received Bitcoin from the suspected Blender operator wallet," Elliptic said.

"Analysis of blockchain transactions shows that almost all of the early incoming transactions to Sinbad (some $22 million) originated from the suspected Blender operator wallet."

Sinbad's creator, who goes by the alias "Mehdi," told WIRED that the service was launched in response to "growing centralization of cryptocurrency" and that it's a legitimate legitimate privacy-preserving project along the lines of Monero, Zcash, Wasabi, and Tor.

The findings also arrive as healthcare entities are in the crosshairs of a new wave of ransomware attacks orchestrated by the Lazarus actors to generate illicit revenue for the sanctions-hit nation.

Profits made from these financially motivated attacks are used to fund other cyber activities that include spying on defense sector and defense industrial base organizations in South Korea and the U.S., per a joint advisory issued by the two countries.

But the law enforcement actions are yet to put a dampener on the threat actor's prolific attack spree, which has continued to evolve with new behaviors.

This comprises a wide range of anti-forensic techniques that are designed to erase traces of the intrusions as well as obstruct analysis, AhnLab Security Emergency response Center (ASEC) disclosed in a recent report.

"The Lazarus group performed a total of three techniques: data hiding, artifact wiping, and trail obfuscation," ASEC researchers said.

Source

As the media reported late last week, hackers from the SiegedSec threat actor group found the credentials belonging to an employee of the Australian-based collaboration software provider, Atlassian. They used those credentials to access Envoy, a third-party app that Atlassian uses for the coordination of in-office resources.

As it turns out, they found the credentials after they were erroneously published on a public repository.

Leaks on Telegram

After gathering the data found in Envoy, they leaked it on Telegram:

"We are leaking thousands of employee records as well as a few building floorplans. These employee records contain email addresses, phone numbers, names, and lots more~!"

Not long after the breach, cybersecurity researchers from Check Point Software analyzed the stolen dataset and confirmed it held two floor maps for the Sydney and San Francisco offices. What’s more, SiegedSec leaked a JSON file with data on Atlassian employees. Customer data was not affected by this incident.

Check Point then stated what was later confirmed by all parties: Atlassian’s systems weren’t directly breached, but the attackers rather accessed Envoy via stolen credentials.

"On February 15, 2023 we learned that data from Envoy, a third-party app that Atlassian uses to coordinate in-office resources, was compromised and published. Atlassian product and customer data is not accessible via the Envoy app and therefore not at risk," Atlassian told the publication.

"The safety of Atlassians is our priority, and we worked quickly to enhance physical security across our offices globally. We are actively investigating this incident and will continue to provide updates to employees as we learn more."

Envoy also said its systems weren’t compromised.

"We’re investigating this right now and are not aware of any compromise to our systems. Our initial research shows that a hacker gained access to an Atlassian employee's valid credentials to pivot and access the Atlassian employee directory and office floor plans held within Envoy’s app," the company told BleepingComputer.

"Envoy, like Atlassian, takes the security and privacy of our customers’ data incredibly seriously and has stringent measures in place to protect it."

“We can confirm Envoy’s systems were not compromised or breached and no other customer’s data was accessed,” the company later reiterated.

Via: BleepingComputer

Source

Just recently, however, Twitter announced that it will no longer offer everyone SMS authentication on the microblogging platform, with the option only remaining available to its Twitter Blue subscribers. And by March 20, regular users who don't switch to a different 2FA method will have SMS authentication removed from their accounts.

In all honesty, we at Neowin don't really understand why Twitter would offer SMS authentication to paying subscribers, given that it is actually one of the weakest types of 2FA. Even the Twitter account of its former CEO Jack Dorsey was hacked before as a result of the weaknesses of SMS authentication.

So why would you actually offer an unsecure authentication method to only your paying customers? Wouldn't it make more sense to just ditch the method entirely? If it's because Twitter wants to increase its Blue subscribers, we're pretty sure that it can find a more compelling feature to advertise instead of SMS authentication.

Nonetheless, if you're one of the many users who were affected by Twitter's bizarre decision, you can still secure your account without subscribing to Twitter Blue through an authentication app. With this method, you can retrieve your authentication code through an app instead of your SMS inbox. App-based authentication uses an algorithm linked to your device to continually generate numerical codes that expire every 30 seconds, so it is more secure than SMS.

How to set up app-based authentication on your Twitter account

App-based authentication is free and more secure.

1. Download an authenticator app to your phone. Popular choices include Microsoft Authenticator, Authy, and Google Authenticator.
2. Go to your Twitter account, then head over to Settings and Support > Settings and Privacy > Security and account access > Security > Two-factor authentication.
3. Switch on Authentication app. Follow the on-screen instructions. You may need to enter your password once to complete the setup process.

After successfully turning on app-based authentication, Twitter will give you a backup code. You will need to keep this code in a safe place like a password manager as it will allow you to log in to your account in case you lose access to your authentication app (like if you lose your phone).

Are you going to use app-based authentication once Twitter disables SMS authentication for regular users? Let us know in the comments section below.

Losing SMS authentication on Twitter? Here's how to keep your account secure for free

In one case against a single company, the fraudsters managed to pilfer €38,000,000 ($40.3M) within a couple of days, quickly moving the money across Europe, China, and eventually cashing out in Israel.

The investigation that led to the dismantling of the criminal network was a joint operation between Europol, French, Croatian, Hungarian, Portuguese, and Spanish police forces.

During the crackdown operation, the law enforcement authorities performed eight house searches seizing electronic equipment and cars and freezing bank accounts holding a total of €5,100,000 and another €350,000 in digital assets.

Moreover, the police arrested eight suspects (six in France and two in Israel), French and Israeli nationals, including the group leader, who was based in Israel.

The law enforcement operation unfolded gradually over five days between January 2022 and January 2023.

Impersonating CEOs

The fraudsters impersonated CEOs when approaching employees in the target organizations' financial departments and tricked them into performing payments to bank accounts under the scammer's control.

Typically, BEC scams rely on compromising the email accounts of the target organization to silently monitor communications and identify opportunities such as a pending payment to a contractor.

When the right time comes, the fraudsters send an email from the compromised user and request the accounting department to make a last-minute change to the receiving bank account details.

Alternatively, scammers may impersonate a contractor and request a payment out of the blue or impersonate the CEO to instruct the accountants to make an urgent transfer.

In December 2021, the attackers impersonated the CEO of a large French metallurgical company to divert €300,000 to a bank account in Hungary. A few days later, the scammers attempted to steal another €500,000, but the transfer was stopped upon the victim realized the fraud and reported it to the police.

In a subsequent case, the scammers targeted a real estate developer in Paris, impersonating lawyers who supposedly worked for a renowned accounting company in the country.

Investigators from multiple European countries connected the two cases with the help of Europol and uncovered the entire money laundering network used by the criminals in January 2022, when the first actions to take down the crime ring started.

Source