Trigona has been active for some time, with samples seen at the beginning of the year. However, those samples utilized email for negotiations and were not branded under a specific name.

As discovered by MalwareHunterTeam, starting in late October 2022, the ransomware operation launched a new Tor negotiation site where they officially named themselves 'Trigona.'

As Trigona is the name of a family of large stingless bees, the ransomware operation has adopted a logo showing a person in a cyber bee-like costume, shown below. 

Trigona ransomware operation's logo
Source: BleepingComputer

 

BleepingComputer is aware of numerous victims of the new ransomware operation, including a real estate company and what appears to be a village in Germany.

The Trigona Ransomware

BleepingComputer analyzed a recent sample of Trigona and found it supports various command line arguments that determine whether local or network files are encrypted, if a Windows autorun key is added, and whether a test victim ID (VID) or campaign ID (CID) should be used.

The command line arguments are listed below:

/full
/!autorun
/test_cid
/test_vid
/path
/!local
/!lan
/autorun_only

When encrypting files, Trigona will encrypt all files on a device except those in specific folders, such as the Windows and Program Files folders. In addition, the ransomware will rename encrypted files to use the ._locked extension. 

For example, the file 1.doc would be encrypted and renamed to 1.doc._locked, as shown below.

Files encrypted by Trigona
Source: BleepingComputer

 

The ransomware will also embed the encrypted decryption key, the campaign ID, and the victim ID (company name) in the encrypted files.

Encrypted file with file markers
Source: BleepingComputer

 

A ransom note named how_to_decrypt.hta will be created in each scanned folder. This note displays information about the attack, a link to the Tor negotiation site, and a link that copies an authorization key into the Windows clipboard needed to log in to the Tor negotiation site.

Trigona ransom note
Source: BleepingComputer

 

After logging into the Tor site, the victim will be shown information on how to buy Monero to pay a ransom and a support chat that they can use to negotiate with the threat actors. The site also offers the ability to decrypt five files, up to 5MB each, for free.

BleepingComputer has not seen any active negotiations, and it is not known how much money the threat actors are demanding from victims.

Trigona Tor negotiation site
Source: BleepingComputer

 

When a ransom is paid, the victims will receive a link to a decryptor and a keys.dat file, which contains the private decryption key.

The decryptor allows you to decrypt individual files or folders on the local device and network shares.

Scan and decrypt screens of the Trigona decryptor
Source: BleepingComputer

 

It is unclear how the operation breaches networks or deploy ransomware. Furthermore, while their ransom notes claim they steal data during attacks, BleepingComputer has not seen any proof of this.

However, their attacks have been increasing worldwide, and with the investment into a dedicated Tor platform, they will likely continue to expand their operations.

Source

Malvertising involves the injection of malicious JavaScript code in digital ads promoted by legitimate advertising networks, taking website visitors to pages that host phishing forms, drop malware, or operate scams.

The CashRewindo malvertising campaigns are spread across Europe, North and South America, Asia, and Africa, using customized language and currency to appear legitimate to the local audience.

Analysts at Confiant have been tracking 'CashRewindo' since 2018 and report the threat actor stands out for an unusually crafty approach in setting up malicious advertising operations with great attention to detail.

Domains get better with age

Domain aging is when threat actors register domains and wait years to use them, hoping to bypass security platforms.

This technique works as old domains that have not been involved in malicious activity for a long time earn trust on the Internet, making them unlikely to be flagged by security tools as suspicious.

Confiant says CashRewindo uses domains that have aged for at least two years before they are activated (have their certificates updated and a virtual server assigned).

The security firm was able to identify at least 487 domains used by the particular threat actor, some having been registered as far back as 2008 and used for the first time in 2022.

Victims end up on these landing sites by clicking on infected ads found on legitimate sites.

To evade "strong language" detection on legitimate sites, the threat actor flips between innocuous and call-to-action wording, usually starting the campaign carefully and switching to call-to-action ads later.

Mix of ads used by CashRewindo (Confiant)

 

The malicious ads also feature a tiny red circle that helps confuse computer vision detection modules so they cannot catch the fraud.

Global but highly targeted

Each CashRewindo campaign targets a particular audience, so the landing pages are configured to either show the scam or an innocuous or blank page for invalid targets.

Landing page with 'click here' button (Confiant)

 

This is done by checking the timezone, device platform, and language used on the visitor's system.

Users and devices outside the target audience clicking the embedded "Click Here" button will be redirected to an innocuous site.

Valid targets, on the other hand, will execute JavaScript code with the malicious code hiding inside a common library to evade request inspection.

Malicious JS snippet running on valid targets (Confiant)

 

Those users are taken to a scam page and eventually redirected to a fake cryptocurrency investment platform promising unrealistic investment returns.

Fraudulent investment site (Confiant)

 

Confiant reports that over 12 months, it has recorded over 1.5 million CashRewindo impressions, primarily targeting Windows devices.

Targeted platforms (Confiant)

 

As for which countries bring most of these impressions, the top 20 most targeted locations are shown in the table below.

Top 20 most targeted countries (Confiant)

 

Investment scams are widespread, but usually, threat actors prefer quantity over quality, pushing their hastily crafted fake sites to large pools of users and hosting the scam platforms on recently registered domains doomed to go offline quickly.

CashRewindo follows a different approach that requires more work but significantly improves the chances of success for the threat actor.

Any investment opportunity that guarantees returns is most likely a scam, so treat this as a big red flag and run an extensive background check before depositing any funds.

To fuel the operation's extortion attempts, the apps stole excessive amounts of data from mobile phones not usually required to offer loans.

In a new report by cybersecurity firm Lookout, researchers uncovered 251 Android 35 iOS lending apps that were downloaded a combined total of 15 million times, mostly from users in India, Colombia, Mexico, Nigeria, Thailand, the Philippines, and Uganda.

Lookout reported all of them to Google and Apple for removal and was successfully able to remove all of them.

Predatory loan apps

These loan apps found great success in developing countries where people have limited financial opportunities and where reports of fraud are less likely to be prosecuted.

When installed, the predatory loan apps requested users grant risky permissions that enabled the threat actors to access sensitive information on the device, such as the contact list, SMS content, photos, media, etc.

Risky permissions requested upon installation (Lookout)

 

As soon as the permissions are given, the apps immediately begin to upload sensitive data from the device to their own servers.

Data exfiltration requests (Lookout)

 

If the user doesn’t approve these permission requests, the app will not allow them to submit loan requests.

On the first launch, and permissions are granted, the user is requested to fill out a KYC (Know Your Customer) form, requesting photographs of government ID cards, etc.

KYC forms in the loan apps (Lookout)

 

Next, the apps offer users deceiving or straight-out false loan terms so they are convinced to move forward.

When the victims receive part of their loan, the interest rate terms change, or previously hidden fees emerge, sometimes reaching up to one-third of the total amount borrowed.

Some users also report that the apps reduced the repayment period from a promised 180 days to only eight days, imposing hefty interest and penalty fees when overdue.

Scammed user comments (Lookout)

 

With most people surprised and unable or unwilling to repay the loans, the app operators begin to harass them using the data stolen in the first stage, contacting people from the device's list and disclosing the debt to family and friends.

Some scammed users even report the lenders sent edited images stolen from the device to contacts, causing great distress.

Apple and Google intervene

Apple and Google allow micro-loan apps on their app stores but have stringent policies regulating their operation.

The guidelines dictate that the minimum repayment period should be 60 days, and the maximum annual percentage rate of charge should be 36%.

The above apps claimed terms that complied with these guidelines, but in practice, they followed a very different, much more aggressive approach, so the app stores removed them for term violations.

Unfortunately, there need to be more checks to prevent the operators of these apps from re-submit these types of apps to the app stores under different names, so users should be vigilant.

If you're interested in using a mobile loan app, read user reviews first, research the lender's reputation, and carefully consider the permission requests upon installation.

While TAG is Google's team of security experts focused on protecting Google users from state-sponsored attacks, it also keeps track of dozens of companies that enable governments to spy on dissidents, journalists, and political opponents using surveillance tools.

The search giant says the Barcelona-based software firm is one of these commercial surveillance vendors and not just a provider of custom security solutions as it officially claims.

"Continuing this work, today, we're sharing findings on an exploitation framework with likely ties to Variston IT, a company in Barcelona, Spain that claims to be a provider of custom security solutions," Google TAG's Clement Lecigne and Benoit Sevens said on Wednesday.

"Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device."

The exploitation framework consists of multiple components, each of them targeting specific security flaws in software on the targets' devices:

• Heliconia Noise: a web framework for deploying a Chrome renderer bug exploit followed by a Chrome sandbox escape to install agents on the targeted device
• Heliconia Soft: a web framework that deploys a PDF containing the Windows Defender exploit tracked as CVE-2021-42298
• Heliconia Files: a set of Firefox exploits for Linux and Windows, one tracked as CVE-2022-26485

For Heliconia Noise and Heliconia Soft, the exploits would ultimately deploy an agent named 'agent_simple' on the compromised device.

However, the sample of this framework analyzed by Google contained a dummy agent that runs and exits without executing any malicious code.

Google believes the framework's customer provides their own agent or it is part of another project they do not have access to.

Even though there's no evidence of active exploitation of the targeted security vulnerabilities, and Google, Mozilla, and Microsoft patched them in 2021 and early 2022, Google TAG says that "it appears likely these were utilized as zero-days in the wild."

A Variston IT spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Google's spyware vendor tracking efforts

In June, the company's TAG team also revealed that Italian spyware vendor RCS Labs was helped by some Internet Service Providers (ISPs) to deploy commercial surveillance tools on the devices of Android and iOS users in Italy and Kazakhstan.

During the attacks, the targets were prompted to install malicious apps (camouflaged as legitimate mobile carrier apps) in drive-by-downloads to get back online after their Internet connection was cut off with the help of their ISP.

One month earlier, Google TAG exposed another surveillance campaign when state-backed threat actors exploited five zero-day bugs to install Predator spyware developed by commercial spyware developer Cytrox.

Google said at the time that it's actively tracking over 30 vendors with varying levels of public exposure and sophistication selling surveillance capabilities or exploits to government-sponsored threat groups or actors.

"The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups," Google TAG added today.

"These abuses represent a serious risk to online safety which is why Google and TAG will continue to take action against, and publish research about, the commercial spyware industry."

Source

The financial penalty introduced by the new bill is set to whichever is greater:

• AU$50 million
• Three times the value of any benefit obtained through the misuse of information
• 30% of a company's adjusted turnover in the relevant period

Previously, the penalty for severe data exposures was AU$2.22 million, considered wholly inadequate to incentivize companies to improve their data security mechanisms.

The new bill comes in response to a series of recent cyberattacks against Australian companies, including ransomware and network breaches, resulting in the exposure of highly sensitive data for millions of people in the country.

"The Albanese Labor government has wasted no time in responding to recent major data breaches. We have announced, introduced, and delivered legislation in just over a month," reads the media announcement.

"These new, larger penalties send a clear message to large companies that they must do better to protect the data they collect."

The most notable incidents were the Optus telecommunication provider data breach that impacted 11 million people and the Medibank insurance firm ransomware attack that exposed the data of 9.7 million.

Apart from setting higher fines, the new bill also gives greater powers to the Office of the Australian Information Commissioner (OAIC) to get more involved in the privacy breach resolution and scope determination process.

OAIC has welcomed the passing of the amendment and promised Australians that it would use its enhanced role to protect individuals and the country's economy better.

"The updated penalties will bring Australian privacy law into closer alignment with competition and consumer remedies and international penalties under Europe's General Data Protection Regulation," stated Commissioner Angelene Falk.

"In seeking penalties or taking regulatory action, our approach will continue to be pragmatic, evidence-based, and proportionate."

For comparison, Europe's GDPR sets fines of up to 10 million Euros or (whichever is higher) up to 2% of the global turnover of the preceding fiscal year.

For "especially severe violations," the above is doubled to 20 million Euros and 4% of the annual turnover.

Source

"Technical investigations are ongoing due to abnormal attempts to access the site," Vatican spokesman Matteo Bruni said, without giving any further information.

The suspected hack came a day after Moscow criticised Pope Francis's latest condemnation of Russia's invasion of Ukraine.

In an interview with a Jesuit magazine, the pope had singled out troops from Chechnya and other ethnic minorities in Russia for their particular "cruelty" during the war.

Source

Online services often require you to enter a one-time code sent to your mobile number in order to verify your account. However, what happens when you don’t have a phone number or live in a country where a particular app or service is banned?

In this case, many users turn to virtual numbers to receive a one-time code so that they can verify their new accounts but these virtual numbers have to come from somewhere though.

A security researcher at the cybersecurity firm Evina has discovered a fake SMS app for Android that secretly uses the phone numbers of those who have installed it to send out one-time codes for other users according to BleepingComputer(opens in new tab). 

Hijacking phone numbers to help others verify their accounts

The app in question is called Symoo and it has been downloaded over 100,000 times. At the time of writing, it’s no longer available on the Google Play Store. Still though, it has a 3.4 star rating even though many users have complained it’s fake.

After being installed on a user’s device, Symoo requests permission to send and read text messages which isn’t surprising since the app’s description says it’s a “simple use sms application”. The app then asks the user to provide their phone number and a fake loading screen appears as an overlay. During this time, the creators of this malicious app send out multiple two-factor authentication (2FA) text messages to help others create and verify new online accounts.

Once the fake loading screen disappears, the app freezes and those who installed it aren’t able to use it for its intended purpose. While most users then uninstall Symoo, the damage is already done since the cybercriminals behind it already have your phone number.

Symoo isn’t the only app doing this as the security researcher who discovered it, Maxime Ingrao also found that SMS data extracted from it was sent to a domain used by the app Virtual Number. Just like with Symoo though, it has been removed from the Play Store.

How to stay safe if you downloaded this fake SMS app

(Image credit: Google)

If you downloaded Symoo or any other suspicious SMS apps, you need to delete them immediately. As I mentioned before though, the damage is already done since your phone number is in the hands of cybercriminals. As such, you may want to consider changing your number if you don’t want to constantly be interrupted with one-time codes from other users trying to create accounts.

At the same time, you need to be extra careful when downloading new apps onto your Android smartphone. While Google Play Protect is able to scan new apps and any installed on your device for malware, the same can’t be said for more elaborate scams like this one. For extra protection from other threats though, you may want to consider installing one of the best Android antivirus apps.

When it comes to protecting your phone number, you want to avoid giving it out freely and instead of third-party SMS apps, you should use the one that came installed with your phone. While there are some reputable text messaging apps for Android, it just isn’t worth the risk of having your mobile number exposed online.

Source

A researcher says the infected devices are then rented out as "virtual numbers" for relaying a one-time passcode used to verify a user while creating new accounts.

While the app has an overall rating of 3.4, many user reviews complain that it is fake, hijacks their phones, and generates multiple OTPs (one-time passwords) upon installation.

"Fake app I just download this app 4-5 times of OTP by Google, Airtel payment, Bank OTP, dream11 OTP, etc. Type of OTP comes at the time of login," reads one of the reviews.

Symoo app and user reviews on Google Play

 

Symoo was discovered by Evina's security researcher Maxime Ingrao, who reported it to Google but has yet to hear back from the Android team. At the time of writing, the app remains available on Google Play.

BleepingComputer has also contacted Google about Symoo, and we will update this story as soon as we receive a response.

Routing 2FA codes

Upon installation on the device, the app requests access to send and read SMS, which sounds normal since Symoo markets itself as an "easy to use" SMS app.

On the first screen, it asks the user to provide their phone number; after that, it overlays a fake loading screen that supposedly shows the progress of loading resources.

However, this process is prolonged, allowing the remote operators to send multiple 2FA (two-factor authentication) SMS texts for creating accounts on various services, read their content, and forward it back to the operators.

When completed, the app will freeze, never reaching the promised SMS interface, so users will typically uninstall it.

By this time, the app will have already used the Android users' phone numbers to generate fake accounts on various online platforms, and reviewers say that their messages are now filled with one-time passcodes for accounts they never created.

Selling the accounts

Since phone numbers are often the only possible way to verify accounts, people who want to engage in illegal or anonymous activities find these pseudonymous accounts useful.

Additionally, Maxime Ingrao discovered that the Symoo app exfiltrates SMS data to a domain used by another application, 'Virtual Number,' that was also on Google Play at some point but has since been removed.

The developer of the 'Virtual Number' app also created another app on Google Play called 'ActivationPW – Virtual numbers,' downloaded 10,000 times, which offers "Online numbers from more than 200 countries" that you can use to create an account.

Using this app, users can "rent" a number for less than 50 cents and, in many cases, use that number to verify the account.

ActivationPW mobile GUI

 

While it is unconfirmed, it is believed that the Symoo app is used to receive and forward OTP verification codes generated when people create accounts using ActivationPW.

If you are using these apps, you should uninstall them, if nothing else, because they copy your SMS content to their own servers.

Their privacy policy also discloses this behavior, though they say it is to "spam block and back up services."

"Income SMS (we store sms as part of the spam block and back up services with our third-party platform, cloud storage or telecom provider. (Note that we do not otherwise share these recordings with third parties)," reads the Symoo privacy policy.

Source

The Secure Boot security feature blocks untrusted operating systems bootloaders on computers with a Trusted Platform Module (TPM) chip and Unified Extensible Firmware Interface (UEFI) firmware to prevent malicious code like rootkits and bootkits from loading during the startup process.

Reported by ESET malware researcher Martin Smolar, the security flaw (CVE-2022-4020) was discovered in the HQSwSmiDxe DXE driver on some consumer Acer Notebook devices.

Attackers with high privileges can abuse it in low-complexity attacks that require no user interaction to alter UEFI Secure Boot settings by modifying the BootOrderSecureBootDisable NVRAM variable to disable Secure Boot.

"Researchers have identified a vulnerability that may allow changes to Secure Boot settings by creating NVRAM variables (actual value of the variable is not important, only the existence is checked by the affected firmware drivers)," Acer said.

After exploiting the vulnerability on affected Acer laptops and turning off Secure Boot, threat actors can hijack the OS loading process and load unsigned bootloaders to bypass or disable protections and deploy malicious payloads with system privileges.

The complete list of impacted Acer laptop models includes Acer Aspire A315-22, A115-21, A315-22G, Extensa EX215-21, and EX215-21G.

BIOS update available, Windows update incoming

"Acer recommends updating your BIOS to the latest version to resolve this issue. This update will be included as a critical Windows update," the company added.

Alternatively, customers can download the BIOS update from the company's support website and deploy it manually on affected systems.

Lenovo patched similar bugs found by ESET researchers in multiple ThinkBook, IdeaPad, and Yoga laptop models earlier this month that could allow attackers to deactivate UEFI Secure Boot.

Allowing threat actors to run unsigned, malicious code before OS boot can lead to severe consequences, including the deployment of malware that can persist between OS re-installations and bypassing anti-malware protections provided by security solutions.

In the case of Lenovo, the issue was caused by the company's developers including an early development driver in production drivers that could change secure boot settings from the OS.

In January, ESET found three other UEFI firmware flaws that could enable attackers to hijack the startup routine on more than 70 Lenovo device models running Windows.

Once applied, this default set of settings provides better protection for enterprise endpoints against advanced and emerging threats, including ransomware attacks.

"Initially, built-in protection will include turning tamper protection on for your tenant, with other default settings coming soon," Microsoft explains.

Until Redmond rolls out more default protection settings via built-in protection, admins can enable cloud 

This announcement comes after the company began to toggle on tamper protection for all new customers with Defender for Endpoint Plan 2 or Microsoft 365 E5 licenses starting last year.

In September, Redmond added that it would soon enable tamper protection by default on all Microsoft Defender for Endpoint (MDE) onboarded systems, locking Microsoft Defender Antivirus to secure default values and preventing any security settings changes.

"To further protect our customers, we are announcing that tamper protection will be turned on for all existing customers, unless it has been explicitly turned off in the Microsoft 365 Defender portal," said Josh Bregman, a Principal Product Manager at Microsoft, at the time.

This is achieved by blocking other apps from changing the settings for real-time and cloud-delivered protection, behavior monitoring, and Defender components like IOfficeAntivirus (IOAV) which handles the detection of suspicious Internet-downloaded files.

Microsoft 365 Defender portal tamper protection banner (Microsoft)

 

Rolling out to a tenant near you

 

Customers who haven't yet configured tamper protection in their enterprise environments will soon receive Microsoft 365 Defender portal notifications alerting them the feature will be turned on.

"Tamper protection will be turned on for your tenant, and will be applied to your organization's Windows devices," Microsoft says on its support portal.

"Whenever new devices are onboarded to Defender for Endpoint, built-in protection settings will be applied to any new devices running Windows."

However, admins can also change their built-in protection settings or choose to opt out:

1. Go to the Microsoft 365 Defender portal and sign in.
2. Go to Settings > Endpoints > Advanced features.
3. Set Tamper protection to On (if it's not already on), and then select Save preferences (don't leave this page yet)
4. Set Tamper protection to Off, and then select Save preferences.

Microsoft 365 admins can also exclude some devices on the network from tamper protection if there's an app compatibility concern by using Security Management for Defender for Endpoint or creating a profile in Microsoft Endpoint Manager.

Redmond also started rolling out built-in protection to Defender for Office 365 to tenants worldwide in November 2021 to provide the same level of protection from phishing emails to existing and new end users.

The malicious campaigns involved creating fake cryptocurrency investment sites with a similar appearance to well-known, legitimate platforms.

The threat actors then laundered money stolen from victims by moving it from Spanish banks to foreign financial entities where the criminals hoped it was away from the authorities' scrutiny or tracing ability.

Spain's law enforcement investigation was launched after the legal representative of one of the impersonated financial groups reported the case to the police.

During the operation, six members of the cybercrime organization were arrested in Madrid and Barcelona and will face charges of suspected fraud, money laundering, and usurpation of marital status.

Scam process

The cybercriminals created a network of fake bank websites that used the typosquatting technique, which involves registering domains similar to the official sites of real, impersonated banks.

By changing a character or swapping the position of two letters, the domains may still appear authentic to careless visitors.

Typically, victims end up on these sites by following links embedded in phishing emails, which is how the dismantled Spanish gang also drew traffic to its sites.

While the victims of the threat group originate from several countries in Europe, most of the fake websites targeted French people, and hence they impersonated French financial institutions.

The victims were made to believe they were investing money on these websites, but in reality, their deposits were sent directly to the crime group's bank accounts.

The stolen funds were moved to the scammers' bank accounts in Spain, Portugal, Poland, and France and subsequently moved to foreign entities in a money laundering effort. After bouncing around to obscure the money trace, the funds were eventually returned to Spanish accounts. 

The police's investigation determined the total amount of money sent to the crime group's final destination was €12,345,731.

Source

However, the solution saw mixed results after there were several reports of it scrubbing legitimate messages like One Time Passwords (OTP) as well. This led the authority to suspend the application altogether, with people relying on third-party spam blocking applications like Truecaller and Google Messages.

Unsolicited commercial communication or UCC has become a major concern in the country. Even after registering their numbers on TRAI's National Do Not Call (NDNC) registry, almost all Indian phone numbers are prone to spam text messages everyday from various unregistered telemarketers (UTM).

The Department of Telecommunication (DOT) had also planned to levy fines ranging from ₹1,000 per violation for 0-10 breaches, ₹5,000 each for 10-50 breaches, and ₹10,000 each for more than 50 breaches by registered telemarketers. However, the department is yet to implement the rule. Now, TRAI is trying new methods to curb spam messages.

The regulator announced in a press release (PDF) new methods that will significantly reduce spam messages.

TRAI in coordination with various stakeholders is taking necessary steps to check UCC from UTMs also. These steps include- implementation of UCC detect system, provision of Digital Consent Acquisition, intelligent scrubbing of the Headers & Message templates, using AI (Artificial Intelligence) & ML (Machine Language), etc.

The regulatory body also announced the formation of a Joint Committee of Regulators (JCR) that will comprise of TRAI itself, the Reserve Bank of India (RBI), the Securities and Exchanges Board of India (SEBI), and the Ministry of Consumer Affairs (MoCA). The committee will work to curb financial frauds that happen over phone or text messages.

According to a report from Truecaller, one spammer alone made over 202 million spam calls in 2021. Majority of the spam calls in India are sales or telemarketing calls. Another popular spam genre remains the KYC (know your customer) scam where a scamster pretends to be a representative from a bank or a digital payment services asking for documents mandated by the RBI.

Plenty of spam text messages and calls also make it outside the Indian borders which makes it even more important to regulate.

Although unwanted SMS can be tackled by the authority, it cannot do much to address WhatsApp spams until the internet-based messaging app takes an initiative itself.

Source: TRAI [PDF] (via The Register)

India's telco authority plans to implement AI and ML-based solutions to curb SMS spam

Google says Google should do a better job of patching Android phones

A new and trending TikTok challenge requires you to film yourself naked while using TikTok's "Invisible Body" filter, which removes the body from the video and replaces it with a blurry background.

This challenge has led to people posting videos of them allegedly naked but obscured by the filter. 

To capitalize on this, threat actors are creating TikTok videos that claim to offer a special "unfiltering" filter to remove TikTok's body masking effect and expose the TikTokers' nude bodies.

However, this software is fake and installs the "WASP Stealer (Discord Token Grabber)" malware, capable of stealing Discord accounts, passwords and credit cards stored on browsers, cryptocurrency wallets, and even files from a victim's computer.

These videos received over a million views shortly after being posted, with one of the threat actor's Discord servers amassing over 30,000 members.

Targeting TikTok trends

In a new report by cybersecurity firm Checkmarx, researchers found two TikTok videos posted by the attackers that quickly amassed over a million views combined.

The now-suspended TikTok users @learncyber and @kodibtc created the videos to promote a software app to "remove filter invisible body" offered on a Discord server named "Space Unfilter."

The threat actors have since moved this Discord server, but Checkmarx states that they had approximately 32,000 members at one point.

TikTok videos posted by the attackers (Checkmarx)

 

Once the victims join the Discord server, they see a link posted by a bot pointing to a GitHub repository that hosts the malware.

Discord server used in the attacks (Checkmarx)

 

This attack has been so successful that the malicious repository has achieved a "trending GitHub project" status, and while it has since been renamed, it currently has 103 stars and 18 forks.

GitHub repository hosting the malware downloader (Checkmarx)

 

The project files contained a Windows batch file (.bat) that, when executed, installs a malicious Python package (WASP downloader) and a ReadMe file that links to a YouTube video containing instructions on installing the TikTok "unfilter" tool.

Checkmarx analysts discovered that the attackers used multiple Python packages hosted on PyPI, including "tiktok-filter-api", "pyshftuler", "pyiopcs," and "pydesings," with new ones added every time the old packages are reported and removed.

Also, the attackers use the "StarJacking" technique on PyPI, linking their project to a popular GitHub project they have no association with to make it appear legitimate.

Malicious package on PyPI (Checkmarx)

 

The malicious package copies the original code but contains a modification for installing WASP malware on the host.

Malicious modification in the code (Checkmarx)

 

"It seems this attack is ongoing, and whenever the security team at Python deletes his packages, he quickly improvises and creates a new identity or simply uses a different name," reads the Checkmarx report.

"These attacks demonstrate again that cyber attackers have started to focus their attention on the open-source package ecosystem; We believe this trend will only accelerate in 2023."

At the time of writing this, the GitHub repository used by the attacker is still up, but the "TikTok unfilter" packages have been replaced by "Nitro generator" files.

The Discord server "Unfilter Space" was taken offline, with the threat actors claiming to have moved to another server.

“The Federal Communications Commission adopted new rules prohibiting communications equipment deemed to pose an unacceptable risk to national security from being authorized for importation or sale in the United States,” reads the press release from the FCC.

“These new rules are an important part of our ongoing actions to protect the American people from national security threats involving telecommunications,” commented Chairwoman J. Rosenworcel.

The U.S. ban covers not only the parent companies but their subsidiaries and affiliates as well.

The U.S. previously accused telecommunication hardware vendor Huawei of stealing intellectual property, research and development data, and for planting backdoors in their products that would potentially allow the Beijing government run espionage operations [1, 2].

Telecommunications technology from both Huawei (5G in particular) and ZTE have been banned or excluded over the past years in multiple countries, including Australia, New Zealand, India, Japan, the U.S., Canada, Romania, and the U.K.

Starting four years ago, some members of the European Union also expressed concerns about security threats from technology provided by Huawei and ZTE and excluded the two companies from bidding for various project.

Huawei has not been banned all over Europe, though, as some countries rely on the company for core parts for telecom operators, but multiple members have passed legislation to limit risks from Chinese telecom equipment suppliers.

Surveillance camera maker Dahua was added to the U.S. Department of Commerce’s ‘Entity List’ in October 2019, but sales of its equipment to consumers and private American companies weren’t banned.

In March 2021, the FCC included all five companies now banned from having a presence in the United States market on it list of communications equipment and services (Covered List) as they were "deemed to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons."

Marking them as so means that Federal subsidies could no longer use or purchase equipment from these companies.

All four FCC members, who have different political orientations, voted unanimously to adopt the new measures against the five Chinese tech firms.

BleepingComputer has reached out to all five companies for a comment on FCC's decision but has not received a reply before publishing time.

A statement from Hikvision for China Daily says that FCC's decision has no impact on the U.S. national security but will affect small businesses, local authorities, school districts, and individual consumers as they will incur higher costs for similar technology.

Source

This concludes the DPC's investigation of potential GDPR violations by Meta, launched on April 14, 2021, following the publishing of data belonging to 533 million Facebook users on a hacker forum.

The exposed data included personal information, such as mobile numbers, Facebook IDs, names, genders, locations, relationship statuses, occupations, dates of birth, and email addresses. 

All of this data was shared on a well-known hacking forum, allowing the data to be used by threat actors for targeted attacks.

Facebook at the time said threat actors collected the data by exploiting a flaw in its "Contact Importer" tool to associate phone numbers with a Facebook ID and then scraping the rest of the information to build a profile for the user.

The platform said they had fixed the bug in 2019, and the data was collected before that.

DPC's investigation concluded that Meta (then Facebook) infringed Articles 25(1) and 25(2) of the GDPR, summarized as follows:

• 25(1) - The data controller shall implement appropriate technical and organizational measures, such as pseudonymization, and integrate the necessary safeguards into the processing to meet the requirements of this Regulation and protect the rights of data subjects.

• 25(2) - The controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each processing purpose are processed. In particular, such measures shall ensure that, by default, personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

“There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU,” reads the DPC announcement.

“Those supervisory authorities agreed with the decision of the DPC.”

Data scraping

Data scrapers are automated bots that exploit open network APIs of platforms that hold user data, like Facebook, to extract publicly available information and create massive databases of user profiles.

While no hacking is involved, the data sets collected by scrapers can be combined with data from multiple points (sites), creating complete profiles on users, hence making their tracking from marketers or targeting from threat actors a lot more effective.

However, in Meta's case, the threat actors used a flaw in the Contact Importer on Facebook and Instagram to link phone numbers with this publicly scraped information, allowing them to create profiles containing private and public information.

Scraping is against the policies of most online platforms, but enforcing these rules is technically complicated, as it was recently highlighted with TikTok and WeChat.

LinkedIn took things to court to prevent data scraping on the platform, securing an injunction against legal scraper operators and preventing them from using data they already collected in this manner.

The DPC is considered the spearhead of GDPR compliance in the EU due to many tech companies operating from Ireland, so its decision is bound to create turbulence for other big data controllers, forcing them to re-evaluate their anti-scraping mechanisms.

Another massive, potentially more significant, data dump of millions of Twitter records has also been disclosed by a security researcher, demonstrating how widely abused this bug was by threat actors.

The data consists of scraped public information as well as private phone numbers and email addresses that are not meant to be public.

The Twitter data breach

Last July, a threat actor began selling the private information of over 5.4 million Twitter users on a hacking forum for $30,000.

While most of the data consisted of public information, such as Twitter IDs, names, login names, locations, and verified status, it also included private information, such as phone numbers and email addresses.

Forum post selling the scraped Twitter data - Source: BleepingComputer

 

This data was collected in December 2021 using a Twitter API vulnerability disclosed in the HackerOne bug bounty program that allowed people to submit phone numbers and email addresses into the API to retrieve the associated Twitter ID.

Using this ID, the threat actors could then scrape public information about the account to create a user record containing both private and public information, as shown below.

A redacted example of one of a leaked Twitter user record - Source: BleepingComputer

 

It is unclear if the HackerOne disclosure was leaked, but BleepingComputer was told that multiple threat actors were utilizing the bug to steal private information from Twitter.

After BleepingComputer shared a sample of the user records with Twitter, the social media company confirmed they had suffered a data breach using an API bug fixed in January 2022.

Pompompurin, the owner of the Breached hacking forum, told BleepingComputer this weekend that they were responsible for exploiting the bug and creating the massive dump of Twitter user records after another threat actor known as 'Devil' shared the vulnerability with them.

In addition to the 5.4 million records for sale, there were also an additional 1.4 million Twitter profiles for suspended users collected using a different API, bringing the total to almost 7 million Twitter profiles containing private information.

Pompompurin said that this second data dump was not sold and was only shared privately among a few people.

Twitter data shared on a hacking forum

In September, and now more recently, on November 24th, the 5.4 million Twitter records have now been shared for free on a hacking forum.

5.4 million Twitter records leaked online for free - Source: BleepingComputer

 

Pompompurin has confirmed to BleepingComputer that this is the same data that was for sale in August, and includes 5,485,635 Twitter user records.

These records contain either a private email address or phone number, and public scraped data, including the account's Twitter ID, name, screen name, verified status, location, URL, description, follower count, account creation date, friends count, favorites count, statuses count, and profile image URLs. 

An even larger data dump privately created

While it is concerning that threat actors released the 5.4 million records for free, an even larger data dump was allegedly created using the same vulnerability.

This data dump potentially contains tens of millions of Twitter records consisting of personal phone numbers collected using the same API bug, and public information, including verified status, account names, Twitter ID, bio, and screen name.

The news of this more significant data breach comes from security expert Chad Loder, who first broke the news on Twitter and was suspended soon after posting. Loder subsequently posted a redacted sample of this larger data breach on Mastodon.

"I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in EU and US. I have contacted a sample of the affected accounts and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021," Loder shared on Twitter.

Chad Loder sharing news of the larger breach on Mastodon - Source: BleepingComputer

 

BleepingComputer has obtained a sample file of this previously unknown Twitter data dump, which contains 1,377,132 phone numbers for users in France.

We have since confirmed with numerous users in this leak that the phone numbers are valid, verifying this additional data breach is real.

Furthermore, none of these phone numbers are present in the original data sold in August, illustrating how much larger Twitter's data breach was than previously disclosed and the large amount of user data circulating among threat actors.

Pompompurin also confirmed with BleepingComputer that they were not responsible and did not know who created this newly discovered data dump, indicating that other people were using this API vulnerability.

BleepingComputer has learned that this newly discovered data dump consists of numerous files broken up by country and area codes, including Europe, Israel, and the USA.

We were told that it consists of over 17 million records but could not independently confirm this.

As this data can be potentially used for targeted phishing attacks to gain access to login credentials, it is essential to scrutinize any email that claims to come from Twitter.

If you receive an email claiming your account was suspended, there are log in issues, or you are about to lose your verified status, and it prompts you to login on to a non-Twitter domain, ignore the emails and delete them as they are likely phishing attempts.

BleepingComputer reached out to Twitter on Thursday about this additional data dump of private information but has yet to receive a response.

The leaked data reportedly exposed thousands of car number plates, fines, crime report files, personnel details, investigation reports, and more.

Ragnar Locker listing the wrong victim (BleepingComputer)

 

This type of data can potentially expose people who reported crimes or abuse and could compromise ongoing law enforcement operations and investigations.

Belgian media outlets call this data leak one of the biggest of this kind that has impacted a public service in the country, exposing all data kept by Zwijndrecht police from 2006 until September 2022.

Police confirm attack

Zwijndrecht police responded to the local media coverage via a post on Facebook, downplaying the impact of the incident and saying that the hackers only accessed a part of the network where the police held administrative data.

The police say that the threat actors could only access data on the administrative network, therefore primarily affecting personnel.

Zwijndrecht police statement on Facebook

 

Chief of police at Zwijndrecht, Marc Snels, told the VRT news network that the data leak resulted from human error, and they are now contacting all exposed individuals to inform them about the incident.

"It is not the case that all data has been leaked. This network mainly contains personal information from our staff, such as personnel lists and photos from personnel parties," commented Snels to local media.

Wider impact than claimed

Although this incident has not impacted the national police network in Belgium, the breach on the local Zwijndrecht network is still significant for thousands of people.

Belgian journalist Kenneth Dée broke the news of the attack on Het Laatste Nieuws, sharing that the threat actors allegedly attacked a poorly protected Citrix endpoint to breach the police's network.

Dée's investigation of the data revealed telecom service subscriber metadata and SMS of people under covert police investigation.

Moreover, the leaked files contain footage from traffic cameras, exposing the whereabouts of individuals at specific dates and times.

"This is the largest law-enforcement leak in the history of Belgium and probably the most impactful leak we have ever seen in our country," Dée told Bleeping Computer.

"It should be a wakeup call for local police and the way they handle citizens' data, and hopefully, it will set things in motion towards changes on that front."

The country's data protection office has not yet announced an investigation on the case, but the prosecutor opened a criminal proceeding that focuses on the hacking incident itself.

Belgian lawyer and privacy activist Matthias Dobbelaere-Welvaert told BleepingComputer that exposed individuals should change everything they can, including license plates, identity cards, passports, etc.

"You can't easily change where you live, but even if you change all documents, the repercussions of this security incident could be for a lifetime, and theft identity is no joke," says Dobbelaere-Welvaert.

"It’s my opinion that as long as not all police network systems are adequately protected, no smart camera should be allowed to turn on."

Source

Google released the update to the Chrome Stable channel, the Chrome Extended Stable channel, and for Chrome for Android. Chrome Stable's version increases to 107.0.5304.121 for Mac and Linux and 107.0.5304.121/.122 for Windows, the Chrome Extended Stable version increases to 106.0.5249.199, and the Chrome for Android's version is 107.0.5304.141 after the update.

Desktop users of Chrome may run a manual check for updates to download the update immediately. All it takes is to load chrome://settings/help or select Chrome Menu > Help > About Google Chrome to do so. The page that opens displays the current version that is installed on the device and runs a check for updates. Any update that is found during the scan is downloaded and installed.

All updates address a single security issue in the browser. Google lists it as CVE-2022-4135: Heap buffer overflow in GPU, and assigned it a severity rating of high. High is second only to critical in the severity scale.

Google notes that the issue is exploited in the wild. Chrome users should update the browser immediately to protect the browser from potential attacks.

Google Chrome for Android updates automatically. There is no option to speed up the process, as Google Play lacks an option to run a manual scan for updates, similarly to how it is done on the desktop.

Google had patched 10 security issues in Chrome 107, which was released to the stable channel a few weeks ago. The search giant is testing a new security feature called Encrypted Client Hello (ECH) in Chrome Canary.

Brave updates as well

Brave Browser was one of the first third-party Chromium-based browsers to release an update that addresses the security issue. The release notes merely state that the browser has been updated to Chromium 107.0.5304.141, but the official Twitter account confirms that the update patches the security issue in the browser.

Brave desktop users may load brave://settings/help to display the installed version and run a check for updates.

Other browsers, including Microsoft Edge, Vivaldi or Opera, have no update available yet that addresses the security issue.

Source

EFI Development Kit, aka EDK, is an open source implementation of the Unified Extensible Firmware Interface (UEFI), which functions as an interface between the operating system and the firmware embedded in the device's hardware.

The firmware development environment, which is in its second iteration (EDK II), comes with its own cryptographic package called CryptoPkg that, in turn, makes use of services from the OpenSSL project.

Per firmware security company Binarly, the firmware image associated with Lenovo Thinkpad enterprise devices was found to use three different versions of OpenSSL: 0.9.8zb, 1.0.0a, and 1.0.2j, the last of which was released in 2018.

What's more, one of the firmware modules named InfineonTpmUpdateDxe relied on OpenSSL version 0.9.8zb that was shipped on August 4, 2014.

"The InfineonTpmUpdateDxe module is responsible for updating the firmware of Trusted Platform Module (TPM) on the Infineon chip," Binarly explained in a technical write-up last week.

"This clearly indicates the supply chain problem with third-party dependencies when it looks like these dependencies never received an update, even for critical security issues."

The diversity of OpenSSL versions aside, some of the firmware packages from Lenovo and Dell utilized an even older version (0.9.8l), which came out on November 5, 2009. HP's firmware code, likewise, used a 10-year-old version of the library (0.9.8w).

The fact that the device firmware uses multiple versions of OpenSSL in the same binary package highlights how third-party code dependencies can introduce more complexities in the supply chain ecosystem.

Binarly further pointed out the weaknesses in what's called a Software Bill of Materials (SBOM) that arises as a result of integrating compiled binary modules (aka closed source) in the firmware.

"We see an urgent need for an extra layer of SBOM Validation when it comes to compiled code to validate on the binary level, the list of third-party dependency information that matches the actual SBOM provided by the vendor," the company said.

"A 'trust-but-verify' approach is the best way to deal with SBOM failures and reduce supply chain risks."

Source

"In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization's network," Cybereason researchers Joakim Kandefelt and Danielle Frankel said in a report shared with The Hacker News.

Black Basta, which emerged in April 2022, follows the tried-and-tested approach of double extortion to steal sensitive data from targeted companies and use it as a leverage to extort cryptocurrency payments by threatening to release the stolen information.

This is not the first time the ransomware crew has been observed using Qakbot (aka QBot, QuackBot, or Pinkslipbot). Last month, Trend Micro disclosed similar attacks that entailed the use of Qakbot to deliver the Brute Ratel C4 framework, which, in turn, was leveraged to drop Cobalt Strike.

The intrusion activity observed by Cybereason cuts out Brute Ratel C4 from the equation, instead using Qakbot to directly distribute Cobalt Strike on several machines in the infected environment.

The attack chain commences with a spear-phishing email bearing a malicious disk image file that, when opened, kickstarts the execution of Qbot, which, for its part, connects to a remote server to retrieve the Cobalt Strike payload.

At this stage, credential harvesting and lateral movement activities are carried out to place the red team framework on several servers, before breaching as many endpoints as possible using the collected passwords and launching the Black Basta ransomware.

"The threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours," the researchers noted, adding over 10 different customers were impacted by the fresh set of attacks in the past two weeks.

In two instances spotted by the Israeli cybersecurity company, the intrusions not only deployed the ransomware but also locked the victims out of their networks by disabling the DNS service in a bid to make recovery more challenging.

Black Basta remains a highly active ransomware actor. According to data gathered by Malwarebytes, the ransomware cartel successfully targeted 25 companies in October 2022 alone, putting it behind LockBit, Karakurt, and BlackCat.

Source

Over a hundred of these arrests, including that of the platform's leader, were made by London's Metropolitan Police.

iSpoof offered cybercriminals so-called "spoofing" servers which allowed them to mask their phone numbers with one belonging to a trusted organization, making it appear to the victims as if their bank called them.

This call number spoofing made it possible for the crooks to conduct social engineering, phishing, and carry out "bank helpdesk" scams, stealing money, banking account credentials, and one-time codes.

"The services of the website allowed those who sign up and pay for the service to anonymously make spoofed calls, send recorded messages, and intercept one-time passwords," Europol said on Thursday.

"The users were able to impersonate an infinite number of entities (such as banks, retail companies, and government institutions) for financial gain and substantial losses to victims."

According to the announcement of the Metropolitan Police, between June 2021 and July 2022, iSpoof was used to make 10 million fraudulent calls worldwide.

Europol reports that iSpoof caused approximately $120,000,000 in losses, with the service's operators raking in estimated profits of $3,850,000 in the last 16 months.

Uncovering iSpoof

The cybercrime department of the Dutch police says it found the servers hosting iSpoof in Almere, a small town near Amsterdam, during a bank helpdesk fraud investigation.

This led to a new investigation focusing on the service, which led to the discovery of the iSpoof operator's location in London. They then informed Scotland Yard, which started its own in-depth investigation into the suspect.

Next, the police in the Netherlands placed a "tap" on the servers in Almere and gathered insight into how the service worked and who used it.

The UK police say the covert operation of tracking iSpoof closely started in June 2021, helping the law enforcement authorities map the criminal network.

Europol got involved in August 2021 to help the UK police collect evidence and intelligence from global law enforcement partners.

The owner of iSpoof was arrested on Sunday, November 6, 2022, in East London, and known iSpoof websites like "ispoof.cc" and "ispoof.me" were seized.

Seizure banner on ispoof.cc (BleepingComputer)

 

The administrators of the servers in Almere, two men, aged 19 and 22, were also arrested. The Dutch police underline they're now deanonymizing more service users based on evidence collected from the seized servers.

Following iSpoof's takedown, the service's users from dark web forums have been advised to "throw everything away."

The list of domains seized includes simexcbr.com, simexlua.com, simexwim.com, simexarts.com, simexrue.com, simexvtn.com, and simexbiz.com, all of them spoofing the one used by the Singapore International Monetary Exchange (SIMEX).

While originating from Asia, pig butchering scams have spread globally after cryptocurrency scammers realized that users of dating apps and social media sites (the "pigs") make for easy targets after building trust using various social engineering tactics.

Once "hooked," the victims are handled by other members of the cybercrime ring who also run fraudulent cryptocurrency investment platforms.

After being asked to invest and transfer the funds via prepaid cards, wire transfers, and cryptocurrency payments to attacker-controlled wallets or via ATMs, the scammers shut down their fake crypto investment portal and vanish with the victims' money.

Five victims lost over $10 million

As the U.S. Justice Department revealed in a press release this week, the fraud ring that used the seven seized domains tricked five victims into transferring more than $10 million to cryptocurrency deposit addresses immediately emptied by the scammers.

For instance, in August 2022, one of the victims told the investigators that one of the fraudsters—who reached out via LINE and WeChat mobile messengers—promoted a cryptocurrency investment platform using the simexlua.com domain.

After being tricked in May 2022 into installing a fake investment app and initially making a small $400 investment, the victims transferred roughly $9.6 million worth of USD Coin (USDC) to a deposit address provided by the scammers.

According to the affidavit unsealed on Wednesday, the fraudsters also sent "trading profit" notifications via the fraudulent app after each deposit to keep the victim "investing."

When the victim tried to withdraw some of the fake profits, totaling over $7 million per the fake in-app alerts, the scammers asked for additional payments of "taxes," "fees," and "security deposits" to prove they were "not involved in any illegal behavior."

"According to court records, from at least May through August 2022, scammers induced five victims in the United States by using the seven seized domains, which were all spoofed domains of the Singapore International Monetary Exchange," the Department of Justice said.

"After the victims transferred investments into the deposit addresses that the scammers provided through the seven seized domain names, the victims' funds were immediately transferred through numerous private wallets and swapping services in an effort to conceal the source of the funds. In total, the victims lost over $10 million."

simexbiz.com seizure banner (BleepingComputer)

FBI warns cryptocurrency investors

The FBI also recently warned about pig butchering scams highlighting its emergence as a highly profitable scheme worldwide where cybercriminals steal ever-increasing amounts of cryptocurrency from unsuspecting investors.

"Many victims report being directed to make wire transfers to overseas accounts or purchase large amounts of prepaid cards," the FBI warned last month.

"The use of cryptocurrency and cryptocurrency ATMs is also an emerging method of payment. Individual losses related to these schemes ranged from tens of thousands to millions of dollars."

The FBI also shared a list of some red flags that should let wannabe investors know they're the target of a "pig butchering" scam:

• You are contacted by a long-lost contact or a stranger on social media.
• The URL of the investment platform doesn't match the official website of a popular cryptocurrency market/exchange but is very similar (typo-squatting).
• The investment app you have downloaded generates warnings of being "untrusted" when launched on Windows, or your anti-virus marks it as potentially dangerous.
• The investment opportunity sounds too good to be true.

Those who suspect they may have been the victim of such scams are urged to file a report on IC3.gov's crime complaint center or to reach out to CryptoFraud@SecretService.gov.

Researchers say that the campaign was "highly targeted" and aimed at stealing contact and call data, device location, as well as messages from multiple apps.

VPN service impersonation

The operation has been attributed to an advanced threat actor tracked as Bahamut, which is believed to be a mercenary group providing hack-for-hire services.

ESET malware analyst Lukas Stefanko says that Bahamut repackaged the SoftVPN and OpenVPN apps for Android to include malicious code with spying functions.

By doing this, the actor ensured that the app would still provide VPN functionality to the victim while exfiltrating sensitive information from the mobile device.

To hide their operation and for credibility purposes, Bahamut used the name SecureVPN (which is a legitimate VPN service) and created a fake website [thesecurevpn] to distribute their malicious app.

Bahamut's fake SecureVPN website - source: ESET

 

Stefanko says that the hackers' fraudulent VPN app can steal contacts, call logs, location details, SMS, spy on chats in messaging apps like Signal, Viber, WhatsApp, Telegram, and Facebook's Messenger, as well as collect a list of files available in external storage.

ESET's researcher discovered eight versions of Bahamut's spying VPN app, all with chronological version numbers, suggesting active development.

All fake apps included code observed only in operations attributed to Bahamut in the past, such as the SecureChat campaign documented by cybersecurity companies Cyble and CoreSec360 [1, 2].

SQL queries Bahamut used in its malicious SecureChat and SecureVPN apps - source: ESET

 

It is worth noting that none of the trojanized VPN versions were available through Google Play, the official repository for Android resources, another indication of the targeted nature of the operation.

The method for the initial distribution vector is unknown but it could be anything from phishing over email, social media, or other communication channels.

Details about Bahamut operations emerged in the public space in 2017 when journalists at the investigative group Bellingcat published an article about the espionage actor targeting Middle Eastern human rights activists.

Connecting Bahamut to other threat actors is a tall order considering that the group relies greatly on publicly available tools, constantly changes tactics, and its targets are not in a particular region.

However, BlackBerry researchers note in an extensive report on Bahamut in 2020 that the group " appears to be not only well-funded and well-resourced, but also well-versed in security research and the cognitive biases analysts often possess."

Some threat actor groups Bahamut has been associated with include Windshift and Urpage.

Source

The law enforcement operation is codenamed "HAECHI III" and lasted between June 28 and November 23, 2022, allowing INTERPOL to arrest almost a thousand suspects.

"In total, the operation resulted in the arrest of 975 individuals and allowed investigators to resolve more than 1,600 cases," reads Interpol's announcement.

"In addition, almost 2,800 bank and virtual-asset accounts linked to the illicit proceeds of online financial crime were blocked."

The types of cybercrimes that generated the said amount include romance scams, voice phishing, sextortion, investment fraud, and money laundering associated with illegal online gambling.

As a result of the action, INTERPOL also generated 95 notices and diffusions while also detecting sixteen new crime trends that will help law enforcement around the globe take more targeted action against cybercriminals.

The new trends involve variations of romance scams and investment frauds that malicious actors constantly evolve to maintain an element of novelty.

Moreover, INTERPOL observed a rise in encrypted messaging apps used by scammers for exchanging information with victims in investment schemes.

INTERPOL agents arrests two scammers in Korea (INTERPOL)

 

Two highlights of operation HAECHI III are:

• The arrest of two Koreans in Greece and Italy who had embezzled $29,100,000 from 2,000 victims in Korea.
• The arrest of members of an India-based crime group that impersonated INTERPOL officers to call victims and trick them into sending them $159,000 in cryptocurrency.

INTERPOL’s announcement also underlines the effectiveness of its new anti-money laundering rapid response protocol mechanism (ARRP), which was tested for the first time in the agency’s previous operation, codenamed ‘Operation Jackal.’

Thanks to ARRP, an Irish company that fell victim to business email compromise (BEC) scammers had $1,250,000 million returned to them. This was the total amount the company lost to the BEC scammers, which ARRP helped trace and seize.

Since January 2022, when the pilot testing phase of ARRP started, the tool has helped recover $120,000,000 in cybercriminal proceeds.

Source