Cyber security aggregate rss news

Cyber security aggregator - feeds history

Elon Musk’s X Halt ...

Cyber Essentials

Elon Musk’s X, formerly known as Twitter, has agreed to temporarily halt the collection and processing of personal data from European Union (EU) users for the development of its Artificial Intelligence (AI) systems. This decision comes in response to a legal challenge initiated by Ireland's Data Protection Commission (DPC) over concerns about the platform’s data practices, as reported by the Irish Independent.

The DPC has raised serious questions about how X has been using the personal information of millions of its European users to train its AI models, including the search tool known as Grok. The regulator alleges that the platform’s data handling practices may violate the stringent provisions of the General Data Protection Regulation (GDPR), the EU’s comprehensive data privacy law.

Details of Ireland Court Proceedings

In a bid to halt X’s data practices, the DPC has sought a court order to suspend, restrict, or prohibit the platform from further processing EU user data for AI purposes. The regulator argues that the urgency of the matter necessitates immediate intervention to protect the fundamental rights of data subjects.

[Image. Source: X]

X, however, has mounted a robust defense, asserting its full compliance with the GDPR. The company claims to have provided users with clear and transparent options to opt out of having their data used for AI training. Moreover, X argues that the DPC’s proposed orders are overly broad and could have crippling consequences for its operations in the EU.

The case has far-reaching implications for the tech industry, as it marks the first time an Irish court has been called upon to adjudicate a data protection dispute involving AI. The outcome of the proceedings is expected to set a significant precedent for how companies handle user data in the EU and could shape the future of AI development across the region.

Adding to the complexity of the case, the DPC has also referred the matter to the European Data Protection Board (EDPB) to seek guidance on the legal framework governing the use of personal data for AI training. This move underscores the novel and challenging nature of the issues at stake and the need for a coordinated European approach to regulating AI.

The legal battle between X and the DPC highlights the growing chasm between the rapid pace of technological advancement and the ability of regulators to keep up. The case serves as a stark reminder that the processing of personal data, even for cutting-edge applications like AI, is subject to strict legal constraints.

Implications of X vs EU's Data Battle

The legal showdown between X and the DPC is far from over. The DPC has underscored the urgency of the matter, highlighting the potential for irreparable harm if X is allowed to continue processing user data for AI training without appropriate safeguards. The regulator argues that the collection and use of this data without explicit consent constitutes a fundamental breach of the privacy rights enshrined in the GDPR.

X, on the other hand, has vigorously defended its actions, claiming that it has adhered to stringent data protection standards and provided users with ample opportunities to opt out of data sharing. The company has also raised concerns about the potential impact of the DPC’s proposed orders on its business operations and innovation.

The case could have far-reaching implications for the tech industry. If the DPC prevails, it could set a precedent for stricter regulation of AI development and data usage across the EU. This could lead to increased compliance costs for tech companies and potentially stifle innovation. Conversely, a victory for X could embolden other tech giants to push the boundaries of data utilization, potentially undermining privacy protection.

As the case progresses, the relationship between tech companies and regulators is entering a new era of complexity and tension. The outcome of this legal battle will undoubtedly shape the future of both industries.

Downgrade Attacks Co ...

Cybersecurity News

A security researcher has uncovered a new threat within the Windows operating system that challenges the very notion of a fully patched system. The threat, demonstrated by the researcher-built tool 'Windows Downdate', allows malicious actors to bypass critical built-in security measures and expose systems to previously fixed vulnerabilities. The technique relies on deploying undetectable and irreversible downgrades of critical components by exploiting the Windows Update process.

Windows Downdate Exploits Windows Update Architecture

A researcher at SafeBreach identified the potential threat at the heart of the Windows Update process's architecture. The Windows update flow involves several steps, including the client requesting an update, the server validating the integrity of the update folder, and the server saving an action list that is executed during the reboot process.

Researcher Alon Leviev discovered that while the update folder and the action list are subject to various security measures, there are still design flaws that can be exploited: the integrity checks on the update folder focus on the digitally signed catalog files, leaving the unsigned differential files as a potential attack vector. Additionally, the researcher found that the action list, which is Trusted Installer-enforced and not directly accessible to the client, is still stored in a registry key that can be targeted. The researcher was able to carefully manipulate the registry key to bypass Trusted Installer's protection and gain complete control over the update process.

Using this knowledge of the flaws within the Windows Update architecture, the researcher developed the Windows Downdate tool, which can take over the Windows Update process and craft fully undetectable, invisible, persistent, and irreversible downgrades of critical OS components.

The researcher's findings are particularly concerning, as Leviev was able to bypass the Windows Virtualization-Based Security (VBS) UEFI locks, which were engineered with the intent to protect against such attacks. The bypass allowed the researcher to downgrade the virtualization stack, including Credential Guard's Isolated User Mode process, the Secure Kernel, and Hyper-V's hypervisor, exposing past privilege escalation vulnerabilities.

Leviev identified several key takeaways:

Increased awareness and research are needed: The researcher found that there was a need for increased awareness of and research into OS-based downgrade attacks, and also found no mitigations preventing the downgrade of critical OS components in Microsoft Windows.

Design flaws can be a significant attack surface: The researcher highlighted that design features within an operating system should always be reviewed and regarded as a relevant attack surface, regardless of how old the feature may be.

Further examination of in-the-wild attacks: Leviev emphasized the importance of studying in-the-wild attacks and using them to consider other components or areas that could also be affected.

Vendor Response and Community Collaboration

Leviev has shared the findings with Microsoft, and the company is currently investigating the issue. In the meantime, the researcher is working to raise awareness and collaborate with the broader security community to help organizations protect themselves against this emerging threat.

“We appreciate the work of SafeBreach in identifying and responsibly reporting this vulnerability through a coordinated vulnerability disclosure. We are actively developing mitigations to protect against these risks while following an extensive process involving a thorough investigation, update development across all affected versions, and compatibility testing, to ensure maximized customer protection with minimized operational disruption.” - Microsoft

Microsoft has assigned the flaws two CVEs, CVE-2024-21302 and CVE-2024-38202, and has shared a related security update advisory.

The implications of this finding are significant. They call for increased awareness of and research into OS-based downgrade attacks, a higher priority for reviewing the fundamental design features of an operating system, and assessment of the nature of in-the-wild attacks. This type of attack is particularly insidious because it can bypass security measures such as Secure Boot and other security features. Earlier, in 2023, the BlackLotus UEFI bootkit employed a downgrade attack to bypass Secure Boot and gain persistence on systems.

UN Approves First Cy ...

Cybersecurity News

The United Nations has approved a new cybercrime treaty, the first treaty of its nature to be adopted within the body. After three years of negotiations, UN member states approved the United Nations Convention Against Cybercrime by consensus on Thursday. The treaty will now be submitted to the General Assembly for formal adoption.

"I consider the documents... adopted. Thank you very much, bravo to all!" said Algerian diplomat Faouzia Boumaiza Mebarki, chairwoman of the treaty drafting committee, to applause from members. However, the move has faced fierce criticism from human rights activists and tech firms who warn of potential surveillance risks from governments.

Lack of Safeguards in UN Cybercrime Treaty

The new treaty is aimed at preventing and combating cybercrime more efficiently and effectively, particularly regarding child sexual abuse imagery and money laundering. However, critics argue that the treaty's broad scope and lack of human rights safeguards could facilitate government repression. Deborah Brown of Human Rights Watch (HRW) called it an 'unprecedented multilateral tool for surveillance' that will be a 'disaster for human rights and a dark moment for the UN.'

The treaty's approval has also drawn a mixed reaction from countries, with some complaining that it includes too many human rights safeguards. While Russia had supported the drafting process, the nation also complained that the treaty had become "oversaturated with human rights safeguards." Iran had unsuccessfully requested the deletion of several clauses with "inherent flaws" within the cybercrime treaty. The treaty was approved by consensus, with 102 countries voting against Iran's request, 23 in favour and 26 abstentions.

"The treaty's title defines cybercrime to include any crime committed by using Information and Communications Technology systems," said Deborah Brown of Human Rights Watch. She added, "As a result, when governments pass domestic laws that criminalize any activity that uses the Internet in any way, they can point to this treaty to justify the enforcement of repressive laws."

The treaty also requires governments to assist in the investigation of crimes deemed serious under national law, meaning offenses with a sentence of four years or more. This could include behaviors protected under international human rights law, such as same-sex conduct, criticizing one's government, or being a whistleblower.

"The lack of human rights safeguards is disturbing and should worry us all," Brown said. "The current draft treaty defers to domestic law to provide for human-rights safeguards, which means that people are subject to the laws of individual countries, instead of benefiting from key human rights standards under international law," she added.

Risks to Children's Rights

The treaty attempts to address child sexual abuse material, but critics argue it could inadvertently criminalize the consensual conduct of children in similar-age relationships, contrary to guidance from the UN's Committee on the Rights of the Child. "It would also put at risk the work of human rights organizations that document abuses of children's rights and that may have access to such material as part of their investigations," Brown said.

Calls for Rejection

The committee drafting the treaty was set up despite opposition from US and European governments, following the initial move by Russia in 2017. "This treaty is effectively a legal instrument of repression," Brown said. She cautioned, "It can be used to crack down on journalists, activists, LGBT people, free thinkers, and others across borders."

Nick Ashton-Hart, representing the Cybersecurity Tech Accord delegation, which includes Microsoft and Meta, called for nations not to sign or implement the treaty, stating that it would be 'harmful to the digital environment generally and human rights in particular.' Ashton-Hart felt that the UN committee adopted a convention without addressing major flaws identified by civil society, the private sector, and the UN's own human rights body.

These human rights groups and technology companies opposed to the cybercrime treaty are urging UN member states to reject the current version, warning that it could facilitate transnational repression and undermine fundamental freedoms.

Why Healthcare CISOs ...

Features

The healthcare sector, with its vast repositories of sensitive patient information, has become a prime target for cybercriminals. According to research, over one-quarter (28%) of all data breaches occurred within healthcare organizations, outpacing other sectors like financial services. A particularly concerning aspect is that 35% of these healthcare breaches were linked to third-party vendors, underscoring the critical importance of third-party risk management in healthcare.

This trend makes third-party risk management in healthcare a top priority for Chief Information Security Officers (CISOs). Implementing healthcare cybersecurity best practices is essential to safeguarding sensitive patient data and maintaining regulatory compliance. As cyberattacks across the healthcare supply chain continue to rise, CISO strategies for healthcare security must evolve to address these complex challenges, focusing on mitigating third-party risks that could expose organizations to significant threats.

Why is Third-Party Risk Management in Healthcare Important?

Third-party risk management in healthcare has emerged as a critical component of a robust cybersecurity strategy due to the increasing reliance on external vendors for essential services. The integration of third-party services, such as electronic health records (EHR) management, telemedicine platforms, cloud storage, and medical devices, undoubtedly improves operational efficiency. However, it also significantly heightens the risk of cyberattacks, as even a minor security flaw in a third-party vendor’s system can have catastrophic consequences for the healthcare provider.

An example of this vulnerability is the cyberattack on Change Healthcare, a major provider of business and pharmacy operations services to the healthcare industry. This cyberattack proved devastating, causing widespread disruption and financial loss across hospitals, doctors, and medical groups due to delayed payments. Industry experts have labeled it one of the most damaging cyberattacks ever to hit the healthcare sector, illustrating the severe risks posed by third-party breaches. Hospitals and healthcare organizations face not only financial repercussions from such breaches but also significant risks to patient safety.

This is why third-party risk management in healthcare has become a top priority for CISOs. By ensuring that all external partners adhere to strict security standards, CISOs can better protect sensitive patient data and maintain the integrity of their organization’s security posture. Implementing CISO strategies for healthcare security that focus on thorough vetting, continuous monitoring, and strict compliance with security protocols is essential to mitigating the risks associated with third-party vendors.

Healthcare Cybersecurity Best Practices

CISOs in healthcare must adopt a multi-layered approach to cybersecurity, ensuring that best practices are not only implemented within their organization but also extended to third-party vendors. This includes the following:

Vendor Security Assessments: Conduct thorough security assessments of all third-party vendors before entering into any agreements. This should include evaluating their data protection techniques, compliance with industry regulations, and the robustness of their security infrastructure.

Continuous Monitoring: Implement continuous monitoring of third-party vendors to detect any changes in their security posture. This allows for the timely identification and mitigation of potential risks before they can impact the healthcare organization.

Contractual Obligations: Ensure that all third-party contracts include specific cybersecurity requirements, such as adherence to HIPAA regulations, data encryption standards, and incident response protocols.

Other CISO Strategies for Healthcare Security

Risk Scoring Methods for Healthcare Security: Implementing a risk scoring system allows CISOs to quantify the level of risk associated with each third-party vendor. This method involves evaluating various factors, such as the sensitivity of the data handled by the vendor, the vendor’s security history, and the potential impact of a breach. A higher risk score would indicate a need for stricter security controls and more frequent assessments.

Segmentation and Access Control: Limit third-party access to only the necessary parts of the network. This minimizes the potential damage in case of a breach and ensures that sensitive healthcare data is only accessible to those who absolutely need it.

Security Awareness Training: Extend security awareness training to third-party vendors, ensuring that they understand the specific threats facing the healthcare industry and the best practices to mitigate them.

Healthcare Data Protection Techniques

Protecting healthcare data is a top priority for CISOs, and this responsibility extends to any third-party vendors handling such data. Key data protection techniques include:

Data Encryption: Ensure that all data, whether at rest or in transit, is encrypted using industry-standard encryption methods. This is particularly important when data is being transferred between the healthcare organization and a third-party vendor.

Data Minimization: Encourage third-party vendors to practice data minimization, collecting and storing only the data necessary for their services. This reduces the risk of exposure in case of a breach.

Regular Audits: Conduct regular audits of third-party vendors to ensure that they are adhering to the agreed-upon data protection standards. These audits should include a review of access logs, encryption practices, and overall security measures.

Conclusion

CISOs must remain vigilant in managing third-party risks. By implementing strong risk-scoring methods for healthcare security, enforcing strict data protection techniques, and extending healthcare cybersecurity best practices to third-party vendors, CISOs can significantly reduce the risk of breaches and ensure the safety of patient data. As the healthcare industry continues to rely on third-party services, effective risk management strategies will be crucial in maintaining trust and compliance in this highly regulated sector.

Moreover, Cyble provides a strong third-party risk management tool for healthcare that helps to secure digital assets by actively monitoring and managing potential entry points across web and mobile apps, cloud devices, domains, email servers, IoT devices, and public code repositories. By leveraging it, healthcare platforms can achieve effective third-party risk reduction for hospitals and strengthen their cybersecurity measures. Explore how Cyble can assist in cybersecurity for healthcare and ensure a comprehensive approach to third-party risk management in healthcare. Schedule a Demo Today!

Iran’s Fake News S ...

Cybersecurity News

Microsoft's latest intelligence report has revealed alarming efforts by Iranian state-linked groups to meddle in the 2024 US presidential election. According to the report released by the Microsoft Threat Analysis Center (MTAC), Iranian operatives have significantly increased their influence activities, particularly through the creation of fake news websites targeting both left- and right-leaning voter groups.

Fake Sites Targeting Republicans, Democrats

The report details how these groups are using sophisticated methods to create content that resonates with specific voter demographics, stoking division and influencing public opinion. According to the tech giant, one of the sites uncovered, "Nio Thinker," is tailored for left-leaning voters. It hosts articles that vehemently criticize former President Donald Trump, employing derogatory language such as calling him an "opioid-pilled elephant in the MAGA china shop" and a "raving mad litigiosaur." This type of inflammatory rhetoric is designed to further polarize the electorate and deepen existing divisions within the country.

[Image: One of the fake websites criticizing Donald Trump. Source: niothinker.com]

On the other end of the political spectrum, another site named "Savannah Time" poses as a conservative news outlet, claiming to be a “trusted source for conservative news in the vibrant city of Savannah.” This site focuses on hot-button issues like LGBTQ+ rights and gender reassignment, topics that are likely to provoke strong reactions from its target audience.

[Image: Another site identified by Microsoft as a conservative news outlet. Source: savannahtime]

According to Microsoft, the content on these sites is likely being generated using AI-enabled services, with some articles even plagiarizing from legitimate US publications, adding a veneer of credibility to their deceitful operations. In the words of Microsoft, "The evidence we found suggests the sites are using AI-enabled services to plagiarize at least some of their content from US publications." This underscores the level of sophistication behind these operations, as the Iranian groups are not just creating false content but are also stealing and repurposing genuine content to make their sites appear more legitimate.

Beyond these influence campaigns, Microsoft has also identified other troubling activities by Iranian groups that suggest a broader strategy aimed at disrupting the US election process. One group has been laying the groundwork for operations that could escalate into more extreme actions, such as intimidation or inciting violence against political figures or groups. Microsoft’s report warns that this group's ultimate goal may be "inciting chaos, undermining authorities, and sowing doubt about election integrity."

Another alarming activity identified by the tech company involves a spear-phishing attempt linked to the Islamic Revolutionary Guard Corps (IRGC). In June, a group associated with the IRGC sent a spear-phishing email to a high-ranking official on a US presidential campaign. The email was sent from the compromised account of a former senior advisor and contained a malicious link that would route through a domain controlled by the attackers before reaching its intended destination. Microsoft notes, "Within days of this activity, the same group unsuccessfully attempted to log into an account belonging to a former presidential candidate."

In a separate incident, another Iranian group compromised the account of a county-level government employee in a swing state as part of a broader password spray operation. Although the group did not gain additional access beyond the single account, this activity is part of a larger pattern of Iranian operations focused on strategic intelligence collection, particularly in key sectors like satellite, defense, and health, often targeting US government organizations in swing states.

Sharing Intelligence to Combat Misinformation: Microsoft

Microsoft’s Threat Analysis Center, which tracks influence operations from nation-state groups around the world, has been closely monitoring these developments. Its report on Iran's activities is part of Microsoft’s broader Democracy Forward initiative, which aims to protect democratic processes from foreign interference. As the company stated, "We share intelligence like this so voters, government institutions, candidates, parties, and others can be aware of influence campaigns and protect themselves from threats."

To counter these threats, Microsoft has been actively engaging with political candidates and parties, offering training and tools to help them safeguard their campaigns. The company also emphasizes the importance of combating election-related deepfakes and misinformation, aiming to promote greater awareness and education among the public.

As the 2024 US presidential election draws nearer, the findings in Microsoft’s report serve as a stark reminder of the ongoing threats to democracy. It is crucial for all stakeholders, including voters, government institutions, and political campaigns, to remain vigilant and proactive in defending against these sophisticated influence operations.

Phishing Scam Target ...

Firewall Daily

A recent investigation by Cyble Research and Intelligence Lab (CRIL) revealed a new phishing scheme used to deliver Latrodectus and ACR Stealer. The campaign involves a fraudulent website designed to mimic the Google Safety Centre, aiming to deceive users into downloading malware masquerading as Google Authenticator. The malicious software delivered through this phishing site includes two notable threats: Latrodectus and ACR Stealer.

CRIL's analysis reveals a sophisticated phishing operation leveraging a site, “googleaauthenticator[.]com,” that closely resembles the genuine Google Safety Centre. The site’s objective is to trick users into downloading what appears to be a legitimate Google Authenticator app. However, this file is actually a malicious executable that installs both Latrodectus and ACR Stealer on the victim's system.

Decoding the Latrodectus and ACR Stealer Campaigns

[Image: Infection chain employed by Latrodectus and ACR Stealer (Source: Cyble)]

Latrodectus and ACR Stealer are distinct types of malware, each with specific functions intended to compromise security. ACR Stealer employs a technique known as the Dead Drop Resolver (DDR) to hide its Command and Control (C&C) server details. It embeds this information in seemingly harmless places, like the Steam Community site, to evade detection. Latrodectus, on the other hand, shows signs of active development, including updates to its encryption methods and the addition of new commands, suggesting ongoing refinement and increased sophistication.

The phishing site uses Google's trusted branding to lure users into downloading a file named “GoogleAuthSetup.exe” from “hxxps://webipanalyzer[.]com/GoogleAuthSetup.exe.” Despite displaying a misleading "Unable to Install" error message, the file silently installs ACR Stealer and Latrodectus in the background. Once activated, ACR Stealer exfiltrates sensitive information to its C&C server, while Latrodectus maintains persistence on the victim’s machine and conducts further malicious activities.

Technical Analysis of Latrodectus and ACR Stealer Campaigns

The downloaded file acts as a loader and is digitally signed to appear legitimate. It uses encryption to obscure the payloads, which are decrypted and saved to the %temp% directory upon execution. Latrodectus and ACR Stealer are then launched from this directory. The loader’s fake error message is designed to mislead users, making them believe the installation failed while the malware operates covertly.

[Image: Writing files to the %temp% directory (Source: Cyble)]

Latrodectus is programmed to check whether it is running from the %appdata% directory; if not, it copies itself there and runs from that location. Meanwhile, ACR Stealer, identified by its SHA-256 hash, starts a process to extract sensitive data and communicates with its C&C server via DDR. This method obscures the server’s location by embedding it in legitimate platforms.

Recent Developments and Recommendations

In October 2023, researchers from Walmart highlighted Latrodectus in a blog post, noting its similarity to the IcedID malware. Updates to Latrodectus include changes to its encryption key and an increase in its command set from 11 to 12. The malware’s new version also features a more aggressive execution schedule, running every 10 minutes compared to previous versions that executed only at logon.

This phishing attack demonstrates the increasing complexity and sophistication of cyber threats. By imitating a trusted Google service and deploying Latrodectus and ACR Stealer, the attackers are employing advanced tactics to exploit user trust and compromise sensitive information.

To protect against such attacks, users should only download Google Authenticator from official sources like the Google Play Store or Apple App Store. They should be cautious of ads and verify links before clicking. Organizations should monitor ad platforms for suspicious activity and use advanced threat detection tools to identify phishing attempts. It’s also crucial to verify website URLs, conduct user training on phishing recognition, and implement robust network security measures.
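As an added defensive example (not code from Cyble or the original article), the following script takes the two defanged indicators named above, googleaauthenticator[.]com and webipanalyzer[.]com, plus the filename GoogleAuthSetup.exe, refangs them and sweeps a web-proxy log for clients that touched them. The log format and every log line are constructed for this example; adapt the regular expression to your own proxy's format.

```python
"""Sweep a proxy log for the Latrodectus / ACR Stealer phishing indicators."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Defanged indicators exactly as the CRIL write-up prints them.
DEFANGED_DOMAINS = ["googleaauthenticator[.]com", "webipanalyzer[.]com"]
# The lure filename; matched on its own because the same file could be re-hosted.
SUSPICIOUS_FILENAMES = {"googleauthsetup.exe"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps://x[.]com/...) back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


@dataclass
class Hit:
    line_no: int
    client: str
    reason: str   # "ioc-domain" or "ioc-filename"
    url: str


# Constructed sample log (assumed squid-style fields: epoch client status method url).
# Lines 2-3 are the phishing chain from the report; line 4 is the lure filename
# served from a different host; lines 1 and 5 are benign Google traffic.
SAMPLE_LOG = """\
1723200001 10.0.0.12 200 GET https://www.google.com/search?q=authenticator
1723200004 10.0.0.12 200 GET https://googleaauthenticator.com/
1723200009 10.0.0.12 200 GET https://webipanalyzer.com/GoogleAuthSetup.exe
1723200015 10.0.0.44 200 GET https://cdn.example.net/GoogleAuthSetup.exe
1723200020 10.0.0.44 200 GET https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<status>\d{3})\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)


def host_matches(host: str) -> bool:
    """True if host is an IoC domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_log(text: str) -> list[Hit]:
    """Return one Hit per log line that touches an IoC domain or the lure filename."""
    hits: list[Hit] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue                     # unparseable line: skip, do not crash the sweep
        url = m.group("url")
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        filename = parts.path.rsplit("/", 1)[-1].lower()
        if host_matches(host):
            hits.append(Hit(n, m.group("client"), "ioc-domain", url))
        elif filename in SUSPICIOUS_FILENAMES:
            hits.append(Hit(n, m.group("client"), "ioc-filename", url))
    return hits


def clients_to_triage(hits: list[Hit]) -> list[str]:
    """Distinct client addresses that should be pulled for endpoint triage."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h.line_no}: {h.client} {h.reason} {h.url}")
    print("triage:", ", ".join(clients_to_triage(found)))
```

A domain hit is the stronger signal; a filename-only hit from an unrelated host is worth checking because the report notes the same loader could be served from elsewhere.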

Rising Threat: Goldd ...

Firewall Daily

In recent months, cybersecurity analysts have observed a troubling increase in the activity of the Golddigger and Gigabud Android banking trojans. Since July 2024, Gigabud malware has seen a dramatic rise in detection rates. This uptick signifies a substantial increase in both the distribution and impact of the malware. Gigabud has adopted advanced phishing tactics, disguising itself as a legitimate airline application. These fraudulent apps are distributed through phishing websites that closely imitate the official Google Play Store, thereby deceiving users into downloading them.

The Link Between Golddigger and Gigabud Malware

[Image: Injection Chain (Source: Cyble)]

According to Cyble Intelligence and Research Labs (CRIL), the malware’s geographical reach has expanded significantly. Initially focusing on regions like Vietnam and Thailand, Gigabud now targets users in Bangladesh, Indonesia, Mexico, South Africa, and Ethiopia. This broader scope indicates a strategic expansion in the malware’s operations, aiming to compromise a more extensive range of potential victims.

The connection between Golddigger and Gigabud becomes clearer when examining their historical development. In January 2023, CRIL discovered a Gigabud campaign impersonating government entities to target users in Thailand, the Philippines, and Peru. By June 2023, Golddigger, another Android banking trojan, emerged, targeting Vietnamese users under the guise of a government entity. Recent analyses have highlighted significant similarities between the Golddigger and Gigabud malware. The source code of both strains shows notable overlap, suggesting that they may originate from the same Threat Actor (TA). This shared code and strategy indicate a coordinated approach in their malicious campaigns.

Phishing Tactics and Geographic Expansion

CRIL's research has identified various phishing sites designed to distribute Gigabud malware. These sites mimic the Google Play Store and pose as legitimate South African Airways and Ethiopian Airlines apps.

[Image: Golddigger and Gigabud campaign (Source: Cyble)]

The use of such impersonation tactics reflects the malware’s expansion into new target regions, including South Africa and Ethiopia. Moreover, Gigabud malware has been observed impersonating Mexican banking institutions, such as "HeyBanco," and Indonesian government applications, including "M-Pajak." Fraudulent login pages for these institutions are created to trick users into entering their sensitive credentials, thus compromising their personal and financial information.

The technical aspects of Gigabud malware reveal further similarities with Golddigger. Recent samples of Gigabud employ the Virbox packer, a technique also used by Golddigger. The Virbox packer obfuscates the malware’s true nature, making it more challenging for security solutions to detect and analyze the threat.

One of the critical similarities between Golddigger and Gigabud is the use of the native file "libstrategy.so." This file is integral to the malware’s ability to interact with the user interface elements of targeted banking applications. The presence of this file in both malware strains highlights the shared tools and techniques employed by the attackers.

Gigabud’s latest versions incorporate an impressive number of API endpoints: 32, up from just 11 in earlier versions. These endpoints facilitate a range of malicious activities, including uploading recorded face videos, SMS messages, stolen bank details, and more. The addition of these features reflects an ongoing effort by the TA to enhance the malware's functionality and effectiveness. Recent samples of Gigabud have also shown a continued use of the "libstrategy.so" library, which is crucial for interacting with UI components on infected devices.

[Image: Golddigger and Gigabud share a similar library (Source: Cyble)]

This library includes parsed UI element IDs for various targeted banking applications and lock pattern windows from different mobile devices. The malware uses this information to execute malicious actions, such as locking and unlocking devices and targeting specific UI elements to steal financial data.

Visual Evidence, Analysis, and Mitigation Strategies

To illustrate the extent of this overlap, consider the visual evidence from recent analyses. Figures highlight the phishing sites used to distribute Gigabud, such as those impersonating South African Airways and Ethiopian Airlines. Additionally, images of fake login pages for Mexican and Indonesian institutions reveal how Gigabud attempts to deceive users into revealing their credentials. Technical figures further demonstrate the use of common libraries and API endpoints. For instance, the comparison of old and new Gigabud samples shows how the malware’s code has evolved while retaining core similarities. The use of the Retrofit library for Command and Control (C&C) communication, along with consistent API endpoints, confirms the connection between newer and older versions of Gigabud.

The investigation into Gigabud and Golddigger malware highlights a significant overlap, suggesting that the same TA is behind both strains. The recent increase in Gigabud’s activity, coupled with the shared techniques and tools, points to a sophisticated campaign by the threat actors. The malware’s expansion into new regions and its continuous enhancement of features indicate a coordinated effort to target a broader audience. To protect against these persistent threats, users are advised to implement robust cybersecurity measures.
These include activating biometric security features such as fingerprint or facial recognition, being cautious with links received via SMS or email, ensuring that Google Play Protect is enabled, and keeping devices, operating systems, and applications up to date. By following these best practices, users can better defend themselves against threats posed by Android malware like Golddigger and Gigabud.
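As an added example that is not part of Cyble's report or tooling, the following Python script performs the first-pass static triage a responder would run on a suspect APK against the indicators named above: it lists the bundled native libraries per ABI, flags the shared "libstrategy.so" and hashes it, and scans the raw classes.dex for the retrofit2 type descriptor that the C&C client depends on. The APK is constructed in memory from placeholder bytes; the library name and the descriptor string are the only indicators it knows, so a "no-match" result is not proof of a clean app, and Retrofit on its own is a legitimate library that only corroborates a libstrategy.so hit.

```python
import hashlib
import io
import re
import zipfile

# Indicators taken from the write-up: the shared native helper and the
# HTTP client library used for C&C. Everything else is an assumption.
SUSPECT_NATIVE_LIBS = {"libstrategy.so"}
# A dex file stores class references as MUTF-8 type descriptors, so the raw
# bytes of classes.dex contain strings such as b"Lretrofit2/Retrofit;".
DEX_DESCRIPTOR_MARKERS = {"retrofit2": b"Lretrofit2/"}
LIB_PATH = re.compile(r"^lib/(?P<abi>[^/]+)/(?P<name>[^/]+\.so)$")


def triage_apk(apk_bytes: bytes) -> dict:
    """Return findings for an APK given as raw bytes.

    native_libs: abi -> [library names]; flagged_libs: [(path, sha256)];
    dex_markers: descriptor markers found; verdict: 'suspect' or 'no-match'.
    The verdict is driven by the native library only; Retrofit is corroboration.
    """
    findings = {"native_libs": {}, "flagged_libs": [], "dex_markers": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            m = LIB_PATH.match(info.filename)
            if m:
                findings["native_libs"].setdefault(m["abi"], []).append(m["name"])
                if m["name"] in SUSPECT_NATIVE_LIBS:
                    digest = hashlib.sha256(apk.read(info)).hexdigest()
                    findings["flagged_libs"].append((info.filename, digest))
            elif re.fullmatch(r"classes\d*\.dex", info.filename):
                data = apk.read(info)
                for marker, needle in DEX_DESCRIPTOR_MARKERS.items():
                    if needle in data and marker not in findings["dex_markers"]:
                        findings["dex_markers"].append(marker)
    findings["verdict"] = "suspect" if findings["flagged_libs"] else "no-match"
    return findings


def build_sample_apk(with_strategy_lib: bool) -> bytes:
    """Construct a minimal APK-shaped zip in memory (placeholder contents, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"placeholder")
        # Placeholder dex: only the descriptor bytes matter for the scan.
        z.writestr("classes.dex", b"dex\n035\0...Lretrofit2/Retrofit;...")
        z.writestr("lib/arm64-v8a/libc++_shared.so", b"placeholder")
        if with_strategy_lib:
            z.writestr("lib/arm64-v8a/libstrategy.so", b"placeholder native code")
            z.writestr("lib/armeabi-v7a/libstrategy.so", b"placeholder native code")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_apk(build_sample_apk(with_strategy_lib=True))
    print(report["verdict"], report["flagged_libs"], report["dex_markers"])
```

To use it on a real sample, pass the file's bytes to triage_apk; the SHA-256 of any flagged library is what you would pivot on in threat-intel lookups, since the packer changes the APK hash between campaigns far more often than the native helper.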

 Cybersecurity News

In a surprising move, the U.S. Securities and Exchange Commission (SEC) has decided not to bring charges against Progress Software over last year's MOVEit software supply chain attack that exposed the data of millions of people. The attack, which was carried out by the Cl0p ransomware group, exploited a zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) product. This flaw, known as CVE-2023-34362, allowed the attackers to gain unauthorized access and steal sensitive data from a wide range of organizations worldwide.

According to an August 6 Form 8-K filing, the SEC's Division of Enforcement concluded its investigation into Progress Software's handling of the incident and decided not to recommend any enforcement action.

High-Profile Targets and Scale of Victims

The MOVEit vulnerability exploit impacted over 2,000 organizations and over 62 million individuals, with the majority of victims being from the United States. High-profile victims include the BBC, Shell, Radisson Hotels Americas, and Johns Hopkins University. The education sector has been particularly hard hit, with around 10% of the affected organizations being educational institutions, including some of the world's top universities. Threat actors are often drawn to the wealth of valuable data held by these institutions, including personally identifiable information, financial records, and intellectual property.

The vulnerability, CVE-2023-34362, is an SQL injection flaw that allowed unauthenticated users to access the MOVEit Transfer database, execute code, and alter or delete database elements. The attackers exploited it at scale against exposed MOVEit Transfer instances, gaining access to the data of clients of the organizations that were using the product.

SEC Decides Not To Investigate Progress Software Further

In its Form 8-K filing, Progress Software stated:

On August 6, 2024, the Securities and Exchange Commission's Division of Enforcement (the "SEC") notified Progress Software Corporation (the "Company") that the SEC has concluded its investigation of the Company and does not intend to recommend an enforcement action against the Company at this time (the "Termination Letter"). As previously disclosed, the Company received a subpoena from the SEC on October 2, 2023, as part of a fact-finding inquiry seeking various documents and information relating to the MOVEit vulnerability. The Termination Letter was provided under the guidelines set out in the final paragraph of Securities Act Release No. 5310.

Earlier this year, Progress Software had warned of a new vulnerability, CVE-2024-5806, which could potentially lead to unauthorized access to sensitive data within its MOVEit Transfer solution.

 Cybersecurity News

In a recent advisory, the Cybersecurity and Infrastructure Security Agency (CISA) has highlighted growing concerns regarding the exploitation of vulnerabilities in Cisco devices. The Cisco Smart Install vulnerability, if left unaddressed, could potentially expose organizations to significant security threats. Among the primary concerns is the abuse of legacy features and the use of weak password types, which could lead to unauthorized access to critical system configuration files.

Exploiting Legacy Features: The Cisco Smart Install Vulnerability

CISA has observed malicious cyber actors leveraging outdated protocols and software to gain unauthorized access to system configuration files. A notable example is the exploitation of the legacy Cisco Smart Install feature. Although designed for convenience in deploying network devices, this feature has become a target for cybercriminals due to its vulnerabilities. CISA strongly recommends that organizations disable the Cisco Smart Install feature to mitigate this risk. Additionally, they urge IT teams to review the National Security Agency's (NSA) Smart Install Protocol Misuse advisory and the Network Infrastructure Security Guide for detailed configuration guidance. These resources provide essential steps to enhance the security of network infrastructure and protect against potential exploitation.

Weak Password Types: A Gateway for Cyberattacks

Another critical issue identified by CISA is the continued use of weak password types on Cisco network devices. A password type is defined by the algorithm used to protect the password within the system configuration file, and the weaker types are susceptible to cracking or outright reversal. Once a threat actor gains access to these files, they can compromise the entire network. CISA warns that access to system configuration files and passwords can lead to a complete network compromise. As such, it is imperative that organizations ensure all passwords on their network devices are protected with a strong algorithm. To address this concern, CISA recommends the implementation of Type 8 password protection for all Cisco devices. Type 8 is more secure than previous password types and is approved by the National Institute of Standards and Technology (NIST). By adopting Type 8, organizations can significantly reduce the risk of password-related vulnerabilities.

Understanding Cisco Password Types: What to Use and What to Avoid

Cisco devices offer a variety of password hashing and encryption schemes, each with varying levels of security. Below is a breakdown of the different password types, along with CISA's and NSA's recommendations.

(Figure: Cisco password type comparison table. Source: NSA)

Type 0: DO NOT USE. Type 0 passwords are stored in plaintext within the configuration file, making them extremely vulnerable to exploitation. CISA and NSA strongly recommend against using Type 0.

Type 4: DO NOT USE. Although introduced to reduce vulnerability to brute force attempts, Type 4 turned out to be weaker than its predecessors because of an implementation flaw (a single unsalted SHA-256 pass). It has been deprecated in Cisco operating systems developed after 2013, and its use is strongly discouraged.

Type 5: Use with caution. Type 5 uses the MD5 hashing algorithm, which is not NIST approved and is relatively easy to crack with modern tools. Organizations should only use Type 5 if the hardware cannot support more secure algorithms like Type 6, 8, or 9.

Type 6: Use only when necessary. Type 6 employs reversible AES encryption and should only be used when reversible encryption is needed or when Type 8 is not available. It is particularly recommended for securing VPN keys.

Type 7: DO NOT USE. Type 7 uses a simple substitution cipher that can be easily reversed using online tools. NSA strongly recommends against using Type 7.

Type 8: RECOMMENDED. Type 8 uses the PBKDF2 algorithm with SHA-256 and is the preferred choice for securing passwords in Cisco devices. It is more secure than previous types and has no known vulnerabilities.

Type 9: Use with caution. While Type 9 is designed to be highly resistant to brute force attacks, it is not NIST approved and therefore not recommended by NSA for use on National Security Systems.

Best Practices for Password Security

In addition to recommending Type 8 password protection, CISA urges organizations to adopt a comprehensive approach to securing administrator accounts and passwords. The following best practices are essential to maintaining robust security:

Store passwords with a strong hashing algorithm: ensure that passwords are hashed using a secure algorithm, making it difficult for attackers to recover the password.

Avoid password reuse: do not use the same password across multiple systems. This limits the impact of a password breach, as compromised credentials cannot be used to access other systems.

Use strong and complex passwords: passwords should be long, unique, and complex to prevent easy guessing or brute force attacks.

Avoid group accounts: group accounts that do not provide individual accountability should be avoided, as they can obscure the actions of malicious users and hinder forensic investigations.

While multi-factor authentication (MFA) is strongly recommended by the NSA for administrators managing critical devices, there are scenarios where passwords alone must be used. In such cases, choosing strong password storage algorithms can make exploitation much more difficult for cybercriminals.

To Wrap Up

In light of these vulnerabilities, it is crucial for organizations to take proactive measures to secure their Cisco devices. By disabling legacy features like Smart Install and adopting strong password protection practices, organizations can significantly reduce the risk of cyberattacks and protect their networks from unauthorized access.
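To make the advisory's two recommendations checkable, here is an added Python script (an example written for this page, not CISA's, NSA's or Cisco's code) that audits a saved running-config: it classifies every enable, username and line password/secret entry by password type using the table above, recovers Type 0 and Type 7 values on the spot to show why those types are "DO NOT USE", and checks whether Smart Install has been explicitly disabled. The "no vstack" command used for that check is Cisco's standard IOS mitigation and is not named on this page; the sample configuration, hostname and hash strings are constructed placeholders (the Type 4, 5 and 8 values are not real hashes), and the Type 7 value 0822455D0A16 is the long-published encoding of the word cisco.

```python
import re

# Public reversal key for Cisco Type 7 (the "simple substitution cipher"
# the advisory warns about). It has been known for decades, which is
# exactly why Type 7 offers no protection beyond obscuring the text.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Verdict per password type, following the CISA/NSA table on this page.
TYPE_VERDICT = {
    "0": "DO NOT USE (plaintext)",
    "4": "DO NOT USE (unsalted SHA-256, deprecated)",
    "5": "use with caution (MD5; migrate to Type 8)",
    "6": "use only when reversible encryption is required (AES)",
    "7": "DO NOT USE (reversible substitution cipher)",
    "8": "RECOMMENDED (PBKDF2-SHA256)",
    "9": "use with caution (not NIST approved)",
}

# enable secret/password, username ... secret/password (with optional
# privilege keyword), and the bare "password" line under line vty/con/aux.
# The type digit is optional: an untyped "password" line is plaintext (Type 0).
_CRED_LINE = re.compile(
    r"^\s*(?P<cmd>enable (?:secret|password)"
    r"|username \S+(?: privilege \d+)? (?:secret|password)"
    r"|password)"
    r"\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)


def encode_type7(plaintext: str, seed: int) -> str:
    """Type 7 encoding: two-digit seed, then each byte XORed with the rolling key."""
    body = bytes(ord(c) ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(plaintext))
    return f"{seed:02d}{body.hex().upper()}"


def decode_type7(encoded: str) -> str:
    """Reverse a Type 7 string; the same XOR with the same key recovers the password."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)])
                   for i, b in enumerate(body))


def audit_config(config_text: str) -> list:
    """Classify every credential line and flag Smart Install if not disabled."""
    findings = []
    smart_install_disabled = False
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.strip() == "no vstack":
            smart_install_disabled = True
        m = _CRED_LINE.match(line)
        if not m:
            continue
        ptype = m["type"] or "0"
        item = {"line": lineno, "command": m["cmd"], "type": ptype,
                "verdict": TYPE_VERDICT.get(ptype, "unknown type")}
        if ptype == "7":
            try:
                item["recovered"] = decode_type7(m["value"])
            except ValueError:
                item["recovered"] = "<malformed Type 7 value>"
        elif ptype == "0":
            item["recovered"] = m["value"]
        findings.append(item)
    if not smart_install_disabled:
        findings.append({"line": None, "command": "vstack", "type": None,
                         "verdict": "Smart Install not explicitly disabled; "
                                    "add 'no vstack' and confirm with 'show vstack config'"})
    return findings


# Constructed sample config; hash-looking values are placeholders, not real hashes.
SAMPLE_CONFIG = """\
hostname edge-sw01
enable password 7 0822455D0A16
enable secret 5 $1$placeholdersalt$placeholdermd5hash
username admin privilege 15 password 0 letmein
username ops secret 8 $8$placeholdersalt$placeholderpbkdf2hash
username svc secret 4 placeholderunsaltedsha256value
line vty 0 4
 password 7 1511021F0725
!
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f)
```

Run it against show running-config output. Every "recovered" field in the report is a password the attacker in CISA's scenario obtains simply by reading the file, and each Type 4, 5 or 7 entry should be re-entered as a Type 8 secret (on IOS releases that support it, the algorithm-type sha256 keyword on enable secret and username selects Type 8).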

 Cybersecurity News

American building security giant ADT has confirmed that it experienced a cybersecurity incident after threat actors leaked allegedly stolen customer data on a popular hacking forum. The ADT data breach has raised concerns about the security of customer information, although the company has reassured its users that the impact on its core services and sensitive data is minimal.

ADT Inc., known for its residential and business alarm monitoring services, was quick to respond to the incident. In a Form 8-K regulatory filing submitted to the Securities and Exchange Commission (SEC) on Thursday morning, ADT disclosed that unauthorized actors had breached its databases and stolen customer information. The company stated, "ADT Inc. recently experienced a cybersecurity incident during which unauthorized actors illegally accessed certain databases containing ADT customer order information."

Response to the ADT Data Breach

Upon discovering the breach, ADT took immediate action to mitigate the damage. The company shut down the unauthorized access and launched an internal investigation, collaborating with third-party cybersecurity experts. Despite these efforts, the attackers obtained limited customer information, including email addresses, phone numbers, and postal addresses. Importantly, ADT emphasized that, based on its current investigation, there is no evidence to suggest that customers' home security systems were compromised during the incident. Additionally, the company reassured customers that no sensitive financial information, such as credit card data or banking details, appears to have been accessed by the attackers.

ADT's investigation is ongoing, and the company has taken steps to notify the customers it believes to have been affected. According to the company's statements, the impacted customers represent a small percentage of ADT's overall subscriber base. ADT has also indicated that the breach has not had a material impact on its operations, nor is it expected to significantly affect the company's financial condition, results of operations, or its ability to meet its 2024 financial guidance.

When and How the ADT Data Breach Was Uncovered

The breach came to light after The Cyber Express Team reported that an individual or group operating under the alias "netnsher" claimed responsibility on August 1, 2024. The cybercriminals allegedly leaked 30,812 records, including approximately 30,400 unique email addresses, on a popular hacking forum. This alleged leak contained customer information including email addresses, physical addresses, user IDs, and purchase history. To support the authenticity of the claim, "netnsher" provided a sample of the stolen data, which further fueled concerns about the scale of the breach.

Following the incident, The Cyber Express team reached out to ADT for comment. In its response, ADT confirmed its awareness of the breach and stated, "ADT is aware of this claim, and it is under investigation." The company reiterated its commitment to thoroughly investigating the breach and assessing its full impact on affected customers.

Implications and Customer Concerns

The ADT data breach has raised significant concerns among customers who rely on the company for their home and business security needs. While the breach did not compromise the actual security systems, the exposure of personal information, including email addresses and physical addresses, creates a risk of phishing and other forms of identity theft. The disclosure of personal details, even if not financial in nature, can lead to a range of security issues, from fraudulent account activity to targeted social engineering attacks. ADT has reassured its customers that it is taking the breach seriously and is committed to safeguarding their information. However, the incident highlights the challenge that even security companies face in protecting their digital assets.

Moving Forward

As ADT continues its investigation into the breach, it will be crucial for the company to maintain transparency with its customers and the public. Providing clear and timely updates on the investigation's progress and the steps being taken to prevent future breaches will be key to rebuilding trust. In the meantime, affected customers are advised to remain vigilant for any suspicious activity related to their personal information. This includes monitoring their email accounts for phishing attempts, reviewing their financial statements for unauthorized transactions, and updating their passwords to more secure options.

 Business

Researchers have discovered a phishing marketplace called ONNX Store, which gives cybercriminals access to tools for hijacking Microsoft 365 accounts, including a means for bypassing two-factor authentication (2FA). This enables threat actors to crank out phishing attacks on both Microsoft 365 and Office 365 email accounts. Corporate information security teams should be aware of this threat and tool up with anti-phishing protection. Let's take a closer look at the danger.

A malicious attachment with a QR code and 2FA bypass

The researchers' report describes an attack using ONNX Store phishing tools that targets employees of several financial institutions. First, the victims receive emails seemingly from their HR departments, using the topic of remuneration as bait. The emails contain PDF attachments with a QR code to be scanned in order to gain access to a "secure document" with vital information about the recipient's salary. The idea here is to get the victim to open the link not on a work computer, which most likely has anti-phishing protection, but on a personal smartphone, which may well not.

The link opens a phishing site mimicking a Microsoft 365 login page. Here, the victim is asked to enter their username and password, followed by a one-time 2FA code. All of this information of course goes straight to the attackers. One-time 2FA codes usually have a very short lifespan, often just 30 seconds. Therefore, to speed up delivery of the captured information, the phishing kit uses the WebSocket protocol, which provides real-time communication. Armed with the stolen credentials and a still-valid code, the attackers immediately log in to the account and gain full access to the victim's correspondence. This access can then be exploited for business email compromise (BEC) and other attacks.

(Figure: The fake Microsoft login page prompts victims to enter their credentials and a one-time 2FA code.)

Phishing-as-a-service: plenty of phish in the sea

The hub of this phishing operation is the Telegram instant messenger. ONNX Store embraces automation to the fullest: all interaction with users is through Telegram bots. Its creators provide phishing services on a subscription basis. The prices are quite low: for example, a monthly subscription for harvesting Microsoft 365 account passwords would cost a potential attacker $200 without a 2FA bypass, or $400 with it. Even small-time cybercriminals can afford that. For this modest investment, they get access to a set of finely tuned phishing tools. All they have to do is select a target and devise a monetization scheme.

How to protect your organization against advanced phishing

It's the low entry threshold that makes the phishing-as-a-service model such a threat: the circle of cybercriminals with dangerous tools at their disposal becomes much wider. Therefore, we strongly advise that you take preemptive measures against an advanced phishing attack on your organization. Here's what we recommend:

Consider using FIDO U2F hardware tokens (such as YubiKeys) or passkeys for 2FA. These are phishing-resistant because the credential is bound to the legitimate site's origin, so a lookalike domain cannot obtain a usable response, and they negate even the most sophisticated covert phishing attacks, including real-time relays of one-time codes like the one described above.

Deploy a reliable security solution with anti-phishing protection on all corporate devices, including smartphones and tablets.

Conduct regular security-awareness training to teach employees to recognize and deal with suspicious emails. Our interactive Kaspersky Automated Security Awareness Platform provides everything you need on this and more.
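The reason the hardware-token recommendation holds against a real-time relay like the one above is origin binding. The following Python is an added example, not code from the researchers or from Kaspersky, that reproduces the relying-party checks a WebAuthn/FIDO2 server performs before it trusts an assertion: the challenge must match the one it issued, the origin field in clientDataJSON (which the browser writes, not the page) must equal the expected origin, and the rpIdHash at the start of authenticatorData must be the SHA-256 of the expected RP ID. When the victim authenticates on the attacker's lookalike page, the browser records the lookalike origin, so the relayed assertion fails the second check; and because credentials are scoped to an RP ID the attacker's page is not allowed to claim, there is no assertion for the real RP ID to relay in the first place. The origins https://login.example.com and https://login-example.com.evil.test, the RP ID example.com and the helper names are assumptions for the demonstration; signature verification over authenticatorData || SHA-256(clientDataJSON) is the remaining step and is deliberately left out.

```python
import base64
import hashlib
import json


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_assertion_binding(client_data_json_b64: str, authenticator_data: bytes,
                            expected_origin: str, rp_id: str,
                            expected_challenge: bytes) -> tuple:
    """Relying-party checks that make a relayed assertion useless.

    Returns (ok, reason). Signature verification is not performed here.
    """
    client_data = json.loads(_b64url_decode(client_data_json_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Challenge freshness: the assertion must answer the challenge this
    # session was issued, so a captured assertion cannot be replayed later.
    if _b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or stale session)"
    # Origin binding: the browser fills in the origin of the page that
    # called navigator.credentials.get(); a phishing proxy cannot change it.
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: browser signed for {client_data.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    # rpIdHash: first 32 bytes of authenticatorData are SHA-256(rpId).
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & 0x01:  # UP bit: user presence was verified on the token
        return False, "user presence flag not set"
    return True, "bound to expected origin and RP"


def make_client_data(origin: str, challenge: bytes) -> str:
    """What the browser builds for the authenticator; constructed here for the demo."""
    payload = {"type": "webauthn.get",
               "challenge": _b64url_encode(challenge),
               "origin": origin}
    return _b64url_encode(json.dumps(payload).encode())


def make_authenticator_data(rp_id: str, counter: int = 1, flags: int = 0x01) -> bytes:
    """rpIdHash (32) || flags (1) || signCount (4); constructed for the demo."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


if __name__ == "__main__":
    challenge = hashlib.sha256(b"session-nonce-placeholder").digest()
    auth_data = make_authenticator_data("example.com")
    legit = make_client_data("https://login.example.com", challenge)
    relayed = make_client_data("https://login-example.com.evil.test", challenge)
    print(check_assertion_binding(legit, auth_data, "https://login.example.com", "example.com", challenge))
    print(check_assertion_binding(relayed, auth_data, "https://login.example.com", "example.com", challenge))
```

Contrast this with the TOTP code the ONNX kit relays: a six-digit code carries no information about where it was typed, so a 30-second window is plenty for a WebSocket relay, whereas the WebAuthn assertion carries the origin inside the signed data and the check above rejects it outright.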

 Trends, Reports, Analysis

According to a report by Rapid7, a total of 21 new or rebranded groups have emerged since January 2024, alongside existing groups like LockBit, which has survived law enforcement crackdowns.

 Identity Theft, Fraud, Scams

The attack begins with a phishing email that directs recipients to what appears to be an Amazon account verification link. However, this link is a deceptive graphic hosted on Google Drawings, a component of the Google Workspace suite.

 Trends, Reports, Analysis

The sports and entertainment industries face unique cybersecurity challenges due to the rapid technological advancements being implemented. Cyber-physical systems like augmented reality and smart sensors increase security concerns.

 Govt., Critical Infrastructure

A ransomware drill focused on healthcare called Operation 911 was conducted at Black Hat USA 2024 by Las Vegas law enforcement, the FBI, and Semperis. During the drill, a simulated ransomware attack targeted a fictitious hospital.

 Security Products & Services

RustScan is a fast and versatile open-source port scanner with Adaptive Learning for optimal performance. It can scan all 65,535 ports in 3 seconds and supports a scripting engine for customization.

 Incident Response, Learnings

Ireland's Data Protection Commission (DPC) has taken Twitter to court over concerns regarding the use of AI user data. The DPC is specifically worried about the personal data of millions of European users being used to train AI systems for Grok.

 Feed

Gentoo Linux Security Advisory 202408-19 - Multiple vulnerabilities have been discovered in ncurses, the worst of which could lead to a denial of service. Versions greater than or equal to 6.4_p20230408 are affected.

 Feed

I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties. This is the source code release version.

 Feed

Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.

 Feed

Debian Linux Security Advisory 5744-1 - Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

 Feed

Gentoo Linux Security Advisory 202408-15 - Multiple vulnerabilities have been discovered in Percona XtraBackup, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 8.0.29.22 are affected.

 Feed

Ubuntu Security Notice 6952-1 - Benedict Schlüter, Supraja Sridhara, Andrin Bertschi, and Shweta Shinde discovered that an untrusted hypervisor could inject malicious #VC interrupts and compromise the security guarantees of AMD SEV-SNP. This flaw is known as WeSee. A local attacker in control of the hypervisor could use this to expose sensitive information or possibly execute arbitrary code in the trusted execution environment. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

 Feed

Red Hat Security Advisory 2024-5147-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include a denial of service vulnerability.

 Feed

Ubuntu Security Notice 6948-1 - It was discovered that Salt incorrectly handled crafted web requests. A remote attacker could possibly use this issue to run arbitrary commands. It was discovered that Salt incorrectly created certificates with weak file permissions. It was discovered that Salt incorrectly handled credential validation. A remote attacker could possibly use this issue to bypass authentication.

 Feed

Red Hat Security Advisory 2024-5145-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include a denial of service vulnerability.

 Feed

Red Hat Security Advisory 2024-5144-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include a denial of service vulnerability.

 Feed

Red Hat Security Advisory 2024-5143-03 - An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include a denial of service vulnerability.

 Feed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed that threat actors are abusing the legacy Cisco Smart Install (SMI) feature with the aim of accessing sensitive data. The agency said it has seen adversaries "acquire system configuration files by leveraging available protocols or software on devices, such as abusing the legacy Cisco Smart Install feature." It also

 Feed

The U.S. Department of Justice (DoJ) on Thursday charged a 38-year-old individual from Nashville, Tennessee, for allegedly running a "laptop farm" to help get North Koreans remote jobs with American and British companies. Matthew Isaac Knoot is charged with conspiracy to cause damage to protected computers, conspiracy to launder monetary instruments, conspiracy to commit wire fraud, intentional

 Feed

Microsoft on Thursday disclosed four medium-severity security flaws in the open-source OpenVPN software that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE). "This attack chain could enable attackers to gain full control over targeted endpoints, potentially resulting in data breaches, system compromise, and unauthorized access to sensitive information

 Feed

Cybersecurity researchers have uncovered weaknesses in Sonos smart speakers that could be exploited by malicious actors to clandestinely eavesdrop on users. The vulnerabilities "led to an entire break in the security of Sonos's secure boot process across a wide range of devices and remotely being able to compromise several devices over the air," NCC Group security researchers Alex Plaskett and

 Feed

Cybersecurity researchers have discovered multiple critical flaws in Amazon Web Services (AWS) offerings that, if successfully exploited, could result in serious consequences. "The impact of these vulnerabilities range between remote code execution (RCE), full-service user takeover (which might provide powerful administrative access), manipulation of AI modules, exposing sensitive data, data
