Source: www.databreachtoday.com – Author: 1 Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Geo Focus: Asia Espionage Group Used SoftEther VPN Client to Exploit Targeted Networks Jayant Chakravarti (@JayJay_Tech) • June 24, 2024     Taipei city skyline (Image: Shutterstock) A Chinese state-sponsored group tracked as RedJuliett is using open-source VPN client SoftEther […]

La entrada Chinese Hackers Caught Spying on Taiwanese Firms – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Crypto portfolio tracking app Coinstats has found itself at the center of a security breach, impacting approximately 1,590 user wallets. The Coinstats data breach, which occurred on June 22, 2024, has been attributed to a group with alleged ties to North Korea, marking a concerning development for crypto investors.  Coinstats swiftly responded to the breach by taking down its application temporarily. This proactive measure was aimed at containing the data breach at Coinstats and preventing further unauthorized access to user data and funds.  The affected wallets, constituting about 1.3% of all Coinstats wallets, were primarily those created directly within the app. Fortunately, wallets connected to external exchanges and platforms remained unaffected, providing some relief amidst the security scare.

Understanding the Coinstats Data Breach 

[caption id="attachment_78679" align="alignnone" width="733"] Source: Coinstats on X[/caption] In a public statement addressing the breach, Coinstats reassured its user base that the incident has been mitigated, and immediate steps have been taken to secure the platform. Users whose wallet addresses were compromised were advised to take action by transferring their funds using exported private keys. A spreadsheet link was provided for users to check if their wallets were among those affected. CEO Narek Gevorgyan highlighted the seriousness of the situation, acknowledging the challenges posed by the Coinstats cyberattack while emphasizing Coinstats' commitment to restoring normal operations swiftly and securely. Gevorgyan outlined that comprehensive security measures were being implemented during the restoration process to fortify the platform against future vulnerabilities. "We're actively working to bring the app back online as quickly as possible. Thank you for your patience," stated Gevorgyan in an update shared via Coinstats' official channels.

North Korea-linked Hackers Behind the Data Breach at Coinstats

The revelation of North Korea-linked hackers being behind the breach adds a geopolitical dimension to the Coinstats data breach incident, highlighting the global reach and sophisticated tactics employed by cyber threat actors targeting digital assets and platforms. This aspect of the breach highlights the need for heightened cybersecurity measures across the cryptocurrency sector. In a similar case, another crypto firm, BtcTurk faced a cyberattack on its hot wallets on June 22, 2024. Binance Binance CEO Richard Teng confirmed this attack, pledging ongoing support for BtcTurk's investigation. Cryptocurrency investigator ZachXBT hinted at a possible link between the breach and a $54 million Avalanche transfer.  Coinstats users have been urged to remain vigilant and monitor their accounts closely for any unauthorized transactions or suspicious activities. The company assured its users that it is actively investigating the extent of funds moved during the breach and pledged to provide updates as new information becomes available. In response to the breach, regulatory bodies and industry stakeholders may scrutinize Coinstats' security practices and response protocols. The outcome of such scrutiny could influence future cybersecurity standards within the cryptocurrency industry, potentially leading to more stringent requirements for platform security and user protection.

The attacks on a software provider, CDK Global, affect systems that store customer records and automate paperwork and data for sales and service.

© Tristan Spinski for The New York Times

Researchers have discovered that various threat actors groups associated with Chinese state-linked espionage have been conducting a sustained hacking campaign targeting telecommunications operators in an unnamed Asian country since at least 2021. The attackers relied on custom malware and tactics tied to several China-linked espionage groups, suggesting Chinese state sponsorship.

Malware Variants Used in Chinese Espionage Campaign

Researchers from Symantec observed the use of several custom malware linked to China-based threat actors, including:

• Coolclient: A backdoor used by the Fireant group that logs keystrokes and communicates with command servers. The campaign utilized a version delivered via a trojanized VLC media player. It is linked to the Fireant group, also known as Mustang Panda or Earth Preta.
• Quickheal: A backdoor associated with the Needleminer group, also known as RedFoxtrot or Nomad Panda. The variant used in the campaign was nearly identical to those documented in 2021. It communicated with a command server at swiftandfast[.]net.
• Rainyday: A backdoor tied to the Firefly group, also known as Naikon. Multiple variants were deployed using trojanized executables to sideload malicious loaders and decrypt payloads. At least one loader variant matched those linked to Firefly in 2021.

The attackers also used a variety of tactics, techniques, and procedures (TTPs) to compromise targets. These included keylogging malware that were possibly custom-developed, and port scanning tools to identify vulnerable systems. They also employed credential theft through the dumping of registry hives and exploited the Remote Desktop Protocol (RDP). Additionally, they used a publicly available tool, Responder, to act as a Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS) and multicast DNS (mDNS) poisoner. Nearly all victims in the campaign were telecoms operators, along with a services company that caters to the telecoms sector and a university in a different country in Asia. The researchers suggested that the campaign may even date as far back as the year 2020.

Campaign Motives and Attribution

The custom malware exclusively used by Fireant, Needleminer and Firefly provides strong evidence that this campaign involves Chinese state-sponsored groups. Firefly has been linked to a Chinese military intelligence unit by the U.S.-China Commission. The level of coordination between the groups involved is unclear but possibilities include independent action, personnel/tool sharing, or active collaboration. The ultimate motives behind the hacking campaign remain uncertain. Potential objectives include intelligence gathering on the telecommunications sector, eavesdropping on voice and data communications, or developing disruptive capabilities against critical infrastructure. To protect against these threats, telecom operators and other organizations should ensure they have the latest protection updates and implement robust security measures to detect and block malicious files. The researchers shared several Indicators of compromise and file hashes to help defenders detect against the campaign. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Source: www.databreachtoday.com – Author: 1 Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Network Firewalls, Network Access Control UNC3886 Targeted Edge Devices for Persistence, Mandiant Says Akshaya Asokan (asokan_akshaya) • June 19, 2024     Likely Chinese state hackers targeted edge devices including VMware ESXi servers. (Image: Shutterstock) A suspected Chinese hacking group […]

La entrada Chinese Hackers Used Open-Source Rootkits for Espionage – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Several pro-Russia hacker groups have allegedly carried out a massive Distributed Denial-of-Service (DDoS) attack in Romania on June 18, 2024. The Romania Cyberattack has affected critical websites, including the official site of Romania and portals of the country’s stock exchange and financial institutions. The attack was allegedly conducted by NoName in collaboration with the Russian Cyber Army, HackNet, and CyberDragon and Terminus. The extent of the damage, however, remains unclear.

Details About Romania Cyberattack

According to NoName, the cyberattack was carried out on Romania for its pro-Ukraine stance in the Russia-Ukraine war. In its post on X, NoName claimed, “Together with colleagues shipped another batch of DDoS missiles to Romanian government websites.” The threat actor claimed to have attacked the following websites:

• The Government of Romania: This is not the first time that the country’s official site was hacked. In 2022, Pro-Russia hacker group Killnet claimed to have carried out cyberattacks on websites of the government and Defense Ministry. However, at that time, the Romania Government claimed that there was no compromise of data due to the attack and the websites were soon restored.
• National Bank of Romania: The National Bank of Romania is the central bank of Romania and was established in April 1880. Its headquarters are in the capital city of Bucharest.
• Aedificium Bank for Housing: A banking firm that provides residential lending, home loans, savings, and financing services. It was founded in 2004 and has branches in the European Union (EU), and Europe, Middle East, and Africa (EMEA).
• Bucharest Stock Exchange: The Bucharest Stock Exchange is the stock exchange of Romania located in Bucharest. As of 2023, there were 85 companies listed on the BVB.

Despite the bold claims made by the NoName group, the extent of the Romania cyberattack, details of compromised data, or the motive behind the attack remain undisclosed. A visual examination of the affected organizations’ websites shows that all the listed websites are experiencing accessibility issues. These issues range from “403 Forbidden” errors to prolonged loading times, indicating a probable disruption or compromise. The situation is dynamic and continues to unravel. It is imperative to approach this information cautiously, as unverified claims in the cybersecurity world are not uncommon. The alleged NoName attack highlights the persistent threat of cyberattacks on critical entities, such as government organizations and financial institutions. However, official statements from the targeted organizations have yet to be released, leaving room for skepticism regarding the severity and authenticity of the Romania cyberattack claim. Until official communication is provided by the affected organizations, the true nature and impact of the alleged NoName attack remain uncertain.

Romania Cyberattacks Are Not Uncommon

This isn’t the first instance of NoName targeting organizations in Romania. In March this year, NoName attacked the Ministry of Internal Affairs, The Service of Special Communications, and the Central Government. In February, Over a hundred Romanian healthcare facilities were affected by a ransomware attack by an unknown hacker, with some doctors forced to resort to pen and paper.

How to Mitigate NoName DDoS attacks

Mitigation against NoName’s DDoS attacks require prolonged cloud protection tools and specialized software and filtering tools to detect the flow of traffic before it can hit the servers. In some cases, certain antivirus software can be successful in detecting threats that can be used by organizations to launch DDoS attacks. A robust and essential cyber hygiene practice to avoid threats includes patching vulnerabilities and not opening phishing emails that are specially crafted to look like urgent communications from legitimate government organizations and other spoofed entities. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Source: www.databreachtoday.com – Author: 1 Cybercrime , Fraud Management & Cybercrime , Government Justice Says Sagar Steven Singh and Nicholas Ceraolo Doxed and Threatened Victims Chris Riotta (@chrisriotta) • June 17, 2024     Image: Shutterstock Two hackers pleaded guilty Monday in federal court to conspiring to commit computer intrusion and aggravated identity theft. Authorities […]

La entrada Hackers Plead Guilty After Breaching Law Enforcement Portal – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

PTaaS involves outsourcing penetration testing activities to a trusted third-party service provider, saving busy internal teams valuable time and offering an objective outsider’s perspective of their systems.

The post Penetration-Testing-as-a-Service: An Essential Component of the Cybersecurity Toolkit appeared first on Security Boulevard.

Brad Smith testified before a House committee a year after Chinese hackers infiltrated Microsoft’s technology and penetrated government networks.

© Eric Lee/The New York Times

Brad Smith testified before a House committee a year after Chinese hackers infiltrated Microsoft’s technology and penetrated government networks.

© Eric Lee/The New York Times

Source: www.databreachtoday.com – Author: 1 Breach Notification , Cybercrime , Fraud Management & Cybercrime Threat Actor GhostR Says It Stole 34 GB of Data Prajeet Nair (@prajeetspeaks) • June 9, 2024     Image: Shutterstock A financially motivated hacker claims to have stolen over 34 gigabytes of data belonging to Singapore-based Telecom company Absolute Telecom […]

La entrada Hackers Claim They Breached Telecom Firm in Singapore – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Ukrainian cyber defenders uncovered the resurgence of Vermin hackers after a two-year hiatus. The hacker group is targeting the country’s defense forces with spear-phishing emails that infect their systems with SPECTR malware, which acts as a remote access trojan (RAT). The Computer Emergency Response Team of Ukraine (CERT-UA) in collaboration with the Cybersecurity Center of the Armed Forces of Ukraine detected and investigated a spear-phishing campaign targeting the Ukrainian Defense Forces. The campaign was orchestrated by the Vermin hacker group, which CERT-UA tracks as UAC-0020. This cyber campaign, marking the return of the Vermin group after a prolonged absence, has been named “SickSync” for easier identification and reference. Ukraine attributes the Vermin hackers to the law enforcement agencies in the occupied Luhansk region. CERT-UA has earlier claimed that the server equipment of the Vermin group has been hosted at the technical site of a Luhansk cloud hosting provider vServerCo (AS58271) for many years. Palo Alto’s Unit 42 had tracked a similar campaign of the Vermin hackers in 2018 targeting Ukrainians with phishing lures related to the Ukrainian Ministry of Defense.

Vermin Hackers’ Latest Campaign Details

The latest attack that involves the use of SPECTR malware marks Vermin's first significant activity since March 2022. SPECTR, a malware known since at least 2018, was used extensively in the current campaign aimed at the Ukrainian defense forces. The attackers leveraged the legitimate Syncthing software’s synchronization functionality to download stolen documents, files, passwords and other sensitive information from compromised computers. Syncthing supports peer-to-peer connections, meaning it can sync files between devices on a local network or between remote devices over the Internet. It is a free and open-source synchronization application that supports Windows, macOS, Linux, Android, Solaris, Darwin and BSD operating systems. The Vermin hackers exploited this legitimate software for data exfiltration, the CERT-UA said. Ukrainian cyber defenders last month reported that Russian hackers were employing a similar tactic of using legitimate remote monitoring software to spy on Ukraine and and its allies.

Vermin Attack Vectors

The attack was initiated via a spear-phishing email containing a password-protected archive file named “turrel.fop.vovchok.rar.” This archive contained a RarSFX archive “turrel.fop.ovchok.sfx.rar.scr” with the following contents:

• pdf: a decoy file.
• exe: an EXE installer created using InnoSetup (a free installer for Windows programs), containing both legitimate Syncthing components and SPECTR malware files. The “sync.exe” file was modified to change directory names, scheduled tasks, and disable user notifications, embedding the SPECTR malware within the SyncThing environment.
• bat: a BAT file for initial execution.

RarSFX is a temporary installation files folder created by Bitdefender. It is used as Self Extracting Archives unpack site.

SPECTR Malware Components

SPECTR malware is loaded with the capabilities of a RAT and consists of the following modules:

1. SpecMon: Calls “PluginLoader.dll” to execute DLL files containing the "IPlugin" class.
2. Screengrabber: Takes screenshots every 10 seconds if certain program windows are detected (e.g., Word, Excel, Signal, WhatsApp).
3. FileGrabber: Uses “robocopy.exe” to copy files with specific extensions (e.g., .pdf, .docx, .jpg) from user directories to %APPDATA%\sync\Slave_Sync\.
4. Usb: Copies files from USB media with certain extensions using “robocopy.exe.”
5. Social: Steals authentication data from messengers like Telegram, Signal, and Skype.
6. Browsers: Steals browser data including authentication and session data from Firefox, Edge, Chrome and other Chromium-based browsers.

All this stolen information is stored in “%APPDATA%\sync\Slave_Sync\” location and transferred to the attacker’s computer using Syncthing's synchronization functionality. [caption id="attachment_75531" align="alignnone" width="1024"] Example of an email and the contents of a malicious installer of Vermin hackers (Source: CERT-UA)[/caption]

Network IoCs and Preventive Measures

To identify potential misuse of Syncthing, the CERT-UA recommended monitoring interactions with the Syncthing infrastructure, specifically “*.syncthing.net” domains. Users are also requested to implement the following preventive measures for enhanced protection against Vermin hackers: Email Security: Implement robust email filtering and phishing protection to prevent malicious attachments from reaching end users. Endpoint Protection: Utilize advanced endpoint detection and response (EDR) solutions to detect and block malware execution. Network Monitoring: Monitor network traffic for unusual peer-to-peer connections, particularly involving Syncthing infrastructure. User Awareness: Conduct regular cybersecurity training for employees to recognize and report phishing attempts.

Source: www.databreachtoday.com – Author: 1 Cybercrime , Fraud Management & Cybercrime Threat Actor GhostR Says They Stole 846 GB of Data Prajeet Nair (@prajeetspeaks) • June 4, 2024     GhostR claimed on BreachForums to have stolen 846 gigabytes of data from an Australian logistics company. (Image: Shutterstock) Financially motivated hackers with a track record […]

La entrada Hackers Claim They Breached Australian Logistics Company – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Its disclosure came after RansomHub claimed responsibility for the cyberattack and threatened to release client data on the dark web.

© Li Qiang for The New York Times

For two weeks at the 140-hospital system, doctors and nurses have had little access to digital records for patient histories, resorting to paper and faxes to treat people.

© Lauren Justice for The New York Times

Declining sales and a cyberattack ignite new worries at spring art auctions.

The auctioneer’s website was taken offline on Thursday evening and remained down on Friday, days before its spring auctions were set to begin.

© Dia Dipasupil/Getty Images

Several lawmakers questioned whether the company had become so large — with tentacles in every aspect of the nation’s medical care — that the effects of the hack were outsize.

© Ting Shen for The New York Times

Digital security is about so much more than malware. That wasn’t always the case. 

When I started Malwarebytes more than 16 years ago, malware was the primary security concern—the annoying pop-ups, the fast-spreading viruses, the catastrophic worms—and throughout our company’s history, Malwarebytes routinely excelled against this threat. We caught malware that other vendors missed, and we pioneered malware detection methods beyond the signature-based industry standard.  

I’m proud of our success, but it wasn’t just our technology that got us here. It was our attitude.  

At Malwarebytes, we believe that everyone has the right to a secure digital life, no matter their budget, which is why our malware removal tool was free when it launched and remains free today. Our ad blocking tool, Browser Guard is also available to all without a charge. This was very much not the norm in cybersecurity, but I believe it was—and will always be—the right thing to do.  

Today, I am proud to add to our legacy of empowering individuals regardless of their wallet by releasing a new, free tool that better educates and prepares people for modern threats that abuse exposed data to target online identities. I’d like to welcome everyone to try our new Digital Footprint Portal.  

See your exposed data in our new Digital Footprint Portal.

By simply entering an email address, anyone can discover what information of theirs is available on the dark web to hackers, cybercriminals, and scammers. From our safe portal, everyday people can view past password breaches, active social media profiles, potential leaks of government ID info, and more.  

More than a decade ago, Malwarebytes revolutionized the antivirus industry by prioritizing the security of all individuals. Today, Malwarebytes is now also revolutionizing digital life protection by safeguarding the data that serves as the backbone of your identity, your privacy, your reputation, and your well-being online.  

Why data matters 

I can’t tell you how many times I’ve read that “data is the new oil” without reading any explanations as to why people should care.  

Here’s my attempt at clarifying the matter: Too much of our lives are put online without our control.  

Creating a social media account requires handing over your full name and birthdate. Completing any online shopping order requires detailing your address and credit card number. Getting approved for a mortgage requires the exchange of several documents that reveal your salary and your employer. Buying a plane ticket could necessitate your passport info. Messaging your doctor could involve sending a few photos that you’d like to keep private.  

As we know, a lot of this data is valuable to advertisers—this is what pundits focus on when they invoke the value of “oil” in discussing modern data collection—but this data is also valuable to an entirely separate group that has learned to abuse private information in novel and frightening ways: Cybercriminals.  

Long ago, cybercriminals would steal your username and password by fooling you with an urgently worded phishing email. Today, while this tactic is still being used, there’s a much easier path to data theft. Cybercriminals can simply buy your information on the dark web.  

That information can include credit card numbers—where the risk of financial fraud is obvious—and even more regulated forms of identity, like Social Security Numbers and passport info. Equipped with enough forms of “proof,” online thieves can fool a bank into routing your money elsewhere or trick a lender into opening a new line of credit in your name.  

Where the risk truly lies, however, is in fraudulent account access.  

If you’ve ever been involved in a company’s data breach (which is extremely likely), there’s a chance that the username and password that were associated with that data breach can be bought on the dark web for just pennies. Even though each data breach involves just one username and password for each account, cybercriminals know that many people frequently reuse passwords across multiple accounts. After illegally purchasing your login credentials that were exposed in one data breach, thieves will use those same credentials to try to log into more popular, sensitive online accounts, like your online banking, your email, and your social media.  

If any of these attempts at digital safe-cracking works, the potential for harm is enormous.  

With just your email login and password, cybercriminals can ransack photos that are stored in an associated cloud drive and use those for extortion. They can search for attachments that reveal credit card numbers, passport info, and ID cards and then use that information to fool a bank into letting them access your funds. They can pose as you in bogus emails and make fraudulent requests for money from your family and friends. They can even change your password and lock you out forever. 

This is the future of personal cybercrime, and as a company committed to stopping cyberthreats everywhere, we understand that we have a role to play in protecting people.  

We will always stop malware. We will always advise to create and use unique passwords and multifactor authentication. But today, we’re expanding our responsibility and helping you truly see the modern threats that could leverage your data.  

With the Digital Footprint Portal, who you are online is finally visible to you—not just cybercriminals. Use it today to understand where your data has been leaked, what passwords have been exposed, and how you can protect yourself online.  

Digitally safe 

Malwarebytes and the cybersecurity industry at large could not have predicted today’s most pressing threats against online identities and reputations, but that doesn’t mean we get to ignore them. The truth is that Malwarebytes was founded with a belief broader than anti-malware protection. Malwarebytes was founded to keep people safe.  

As cybercriminals change their tactics, as scammers needle their way onto online platforms, and as thieves steal and abuse the sensitive data that everyone places online, Malwarebytes will always stay one step ahead. The future isn’t about worms, viruses, Trojans, scams, pig butchering, or any other single scam. It’s about holistic digital life protection. We’re excited to help you get there.