Law enforcement’s latest takedown targets a shadowy network that has long eluded capture. The Australian Federal Police (AFP) have arrested and charged a 32-year-old man for creating and managing Ghost, an encrypted communication platform allegedly built to serve the criminal underworld. This takedown, dubbed Operation Kraken, marks a significant victory in the fight against encrypted criminal networks—a battle law enforcement has waged for over a decade.

About 700 AFP officers executed search warrants across four states and territories, marking the operation’s pinnacle. Near-simultaneous raids unfolded in Ireland, Italy, Sweden, and Canada, signaling a coordinated effort to dismantle the network. Ghost’s alleged users, nearly 50 of whom are Australians, face charges ranging from drug trafficking to violent crimes.

The Ghost Mastermind’s Fall

The suspect, arrested at his Narwee home, allegedly managed the Ghost platform from Australia—a first for the nation. Although Ghost had operated for nearly a decade, the AFP only gained the upper hand in 2022, when international partners joined forces to infiltrate the platform. The effort gave police access to encrypted messages, allowing them to intercept criminal activities in real time.

The global task force OTF NEXT, spearheaded by Europol, the FBI, and the French Gendarmerie, brought together agencies from Canada, Sweden, Ireland, and others. The AFP played a pivotal role, creating a covert solution to modify Ghost’s software updates, effectively turning criminal users’ devices into evidence-gathering tools.

Breaking the Myth of Anonymity

For years, Ghost users believed the platform’s encryption shielded them from law enforcement. But as Deputy Commissioner McCartney put it, "the holy grail is always penetrating criminal platforms," and the AFP's success in infiltrating Ghost proves that belief wrong. Thanks to their newfound access, the AFP prevented over 50 threats to life and disrupted the flow of illicit drugs and firearms.

Ghost is just the latest in a string of encrypted networks taken down by law enforcement, following the likes of EncroChat, AN0M, Sky Global, and Phantom Secure. Each takedown sends the same message to criminals: no platform is truly secure from the combined efforts of global law enforcement.

International Impact

In Australia alone, Operation Kraken led to 38 arrests, the execution of 71 search warrants, and the seizure of over 200 kilograms of illicit drugs and 25 weapons. However, the operation’s reach extends far beyond Australian borders: 11 others were arrested in Ireland, one in Canada, and one in Italy belonging to the Italian Sacra Corona Unita mafia group, Europol said.

Europol Executive Director Catherine De Bolle echoed the sentiment, stressing that no criminal network can evade their collective efforts. De Bolle emphasized Europol’s role in turning collaboration into actionable results, stating, "No matter how hidden these networks think they are, they can’t escape the law."

Decoding the Ghost Network

Ghost wasn’t merely an app; it was a sophisticated system tailored to the needs of the underworld. Users could purchase it anonymously, and it employed three encryption standards. One standout feature allowed users to send a code that triggered the self-destruction of all messages on the target phone. This made it easier for criminal networks to evade detection, counter forensic efforts, and coordinate cross-border operations.

Image: Ghost network's modified encrypted devices seized during raids. (Source: Europol)

The alleged mastermind worked with a network of resellers to distribute modified smartphones with encrypted software, each priced at around $2,350. The price tag included a six-month subscription to Ghost’s encrypted network and technical support for users—a level of service that underscores the scale of Ghost’s operations. Thousands of people worldwide used Ghost, exchanging roughly a thousand messages on the platform every day.

Image: Source: AFP

By September 17, there were 376 active Ghost devices in Australia alone, most concentrated in New South Wales. The platform catered to a range of organized crime groups, from outlaw motorcycle gangs to international syndicates with ties to Italian and Middle Eastern organized crime. These groups used Ghost to coordinate drug trafficking, launder money, and even arrange contract killings.

Road to Operation Kraken

Ghost’s downfall began in 2022, when international law enforcement partners targeted the platform, leading the AFP to establish Operation Kraken. The task force deployed a unique technical solution that allowed them to access encrypted communications—a move that changed the course of the investigation. Among the most damning pieces of evidence gathered were the messages exchanged by users. These messages offered a glimpse into the high-stakes world of organized crime, where anonymity was paramount and a single misstep could lead to deadly consequences.

AFP Commissioner Reece Kershaw warned organized crime in 2021 that their days of relying on encrypted platforms were numbered. "The lives of many serious criminals dramatically changed when they realized their phone—and those who vouched for it—had betrayed them," he said in a statement. With Ghost's demise, that warning has become a reality for yet another criminal network.

For the AFP, the operation isn’t just a technical win; it’s a showcase of their world-class capabilities in digital forensics, intelligence gathering, and covert operations. By infiltrating Ghost, the AFP not only stopped crimes in progress but also sent a clear signal to organized crime groups that their encrypted tools are not impenetrable.

The Future of Encrypted Platforms

The Ghost takedown raises questions about the future of encrypted communication platforms in organized crime. As law enforcement agencies continue to improve their technical capabilities, the arms race between criminal syndicates and global policing intensifies. Assistant Commissioner Tony Longhorn of Western Australia Police noted that organized crime syndicates continue to rely on encrypted platforms to distribute drugs and weapons. "The landscape of encrypted communications remains highly dynamic and segmented, posing ongoing challenges for law enforcement," Europol said. However, Longhorn emphasized that no platform offers true anonymity, and with every operation, law enforcement inches closer to closing that gap.

Europol said it is focused on tackling criminal use of encrypted communications while advocating for a balanced approach that respects privacy and legal standards. Private companies must also ensure their platforms aren't havens for criminals, providing lawful data access under judicial oversight, in line with fundamental rights. Law enforcement needs access to suspect communications to fight serious crimes, but this can coexist with privacy protection, cybersecurity, and strong legal safeguards. As the legal proceedings against the alleged Ghost administrator unfold, law enforcement agencies across the globe are watching closely.

A Warning to Criminal Networks

The successful infiltration and dismantling of Ghost echo a broader trend in law enforcement's approach to organized crime. Criminal platforms, once thought to be untouchable, are falling one by one. For the criminals who relied on Ghost, the game is over. And for those still using encrypted platforms, the message is clear: no network is safe forever. As Catherine De Bolle succinctly put it, "No matter how hidden these networks think they are, they can’t evade our collective effort."
A chilling incident unfolded in Lebanon on September 17, 2024, when hundreds of pagers used by Hezbollah members exploded simultaneously, resulting in nine deaths and leaving nearly 3,000 injured (at the time of publishing this report). Hezbollah’s pager explosions not only highlight the vulnerability of old-school technology to cyber-physical attacks but also raise concerns about the potential risks posed to more modern devices like smartphones. While the attack on pagers shocked many, it raises the question of whether smartphones are vulnerable to similar attacks.

Why Does Hezbollah Still Use Pagers?

While pagers might seem like a gadget from the past, they are still in use today in sectors that require secure, simple communication. Hezbollah has relied on these devices instead of smartphones because pagers don’t connect to the internet or cellular networks, making them harder to hack, track, or surveil. Pagers typically function by receiving short messages over radio frequencies, which many believe provides an extra layer of security. However, the devastating explosions demonstrated that even this older technology is not immune to sophisticated cyber-physical attacks.

Image: Source: X

The exact method by which these pager explosions were orchestrated remains unclear, but several theories have emerged. One likely explanation is deliberate tampering with the pagers' lithium-ion batteries, a common power source for these devices. If manipulated to overheat, these batteries can experience what's known as thermal runaway, a process that leads to rapid heat buildup and, eventually, an explosion.

Supply Chain Infiltration Behind Hezbollah's Pager Explosions?

The other theory, which Lebanon has been asserting, is that Israeli intelligence was behind the explosive sabotage of Hezbollah's pagers. According to reports, Israel’s Mossad spy agency embedded an explosive board into the pagers during the manufacturing process. These pagers were ordered a few months ago from Taiwan-based companies but were reportedly tampered with before reaching Hezbollah operatives.

Image: A graphic illustration of what could have triggered the explosions. (Source: The Telegraph)

News agencies reported that around 3,000 of these pagers exploded when a coded message was sent to them, simultaneously activating the explosives. This tactic would align with previous operations attributed to Israeli intelligence, which has a history of covert actions aimed at disrupting Hezbollah's activities. The incident shows how this type of supply chain infiltration raises the risk of technological sabotage, even for devices that lack internet connectivity.

Could Your Smartphone Be at Risk?

If the Hezbollah pager incident was indeed a supply chain attack, it highlights the risk of vulnerabilities being embedded in technology at the manufacturing stage—a tactic that could be applied to other types of devices as well, including smartphones. While there are no confirmed instances of smartphones being hacked to intentionally explode, smartphones have been known to catch fire or explode due to battery defects. However, such incidents have been purely accidental, not caused by intentional cyberattacks. In theory, though, hackers could exploit a phone’s hardware vulnerabilities or manipulate its software to cause it to overheat, leading to a fire or explosion. Smartphones run on complex operating systems that can be infiltrated by malware. Although these attacks are typically aimed at stealing data, the same principle could, in theory, be applied to cause damage to the device itself.

The Future of Cyber-Physical Attacks

As the pager-explosion event demonstrates, the growing integration of technology into daily life opens new doors for cyber-physical attacks. While smartphones have yet to be targeted in this way, the potential for attacks using similar methods is concerning. The challenge lies in securing supply chains, monitoring hardware integrity, and ensuring that increasingly connected devices cannot be used as tools for harm.
U.S. intelligence agencies issued a warning today about a Chinese botnet that has compromised 260,000 devices around the globe, including small office/home office (SOHO) routers, firewalls, network-attached storage (NAS) and Internet of Things (IoT) devices from some of the biggest names in IT and networking.

The FBI, National Security Agency (NSA) and the Cyber National Mission Force (CNMF) said in the advisory (PDF) that People’s Republic of China (PRC)-linked cyber actors have used the botnet to deploy distributed denial of service (DDoS) attacks and compromise targeted U.S. networks. Investigators have observed a total of 66 CVEs targeted in the campaign, in products and services from organizations such as ServiceNow, Fortinet, Zyxel, Apache, QNAP, F5, Ivanti, Juniper, Citrix, WordPress, Ubiquiti, Confluence, Atlassian, Cisco, Netgear, IBM, D-Link, Microsoft, and even the widespread CVE-2024-4577 PHP vulnerability. U.S. agencies were joined by the "Five Eyes" alliance partners - cybersecurity agencies from Australia, New Zealand, Canada and the UK - in the announcement.

Chinese Botnet Linked to Company, Threat Groups

Integrity Technology Group, a PRC-based company with links to the Chinese government, has controlled and managed the botnet, which has been active since mid-2021, the agencies said. The botnet has regularly maintained “between tens to hundreds of thousands of compromised devices,” and as of June 2024 consisted of over 260,000 devices, nearly half of which are in the U.S. Victim devices have been observed in North America, South America, Europe, Africa, Southeast Asia and Australia.

“While devices aged beyond their end-of-life dates are known to be more vulnerable to intrusion, many of the compromised devices in the Integrity Tech controlled botnet are likely still supported by their respective vendors,” the advisory said.

Integrity Tech has used China Unicom Beijing Province Network IP addresses to control and manage the botnet. The same China Unicom Beijing Province Network IP addresses were also used to access other operational infrastructure used in computer intrusion activities against U.S. victims, the agencies said. The FBI has engaged with multiple U.S. victims of these intrusions “and found activity consistent with the tactics, techniques, and infrastructure associated with the cyber threat group known publicly as Flax Typhoon, RedJuliett, and Ethereal Panda.”

C2 Servers Use Specific Domain; Other IoCs Shared

The botnet uses the Mirai family of malware to hijack IoT devices, including webcams, DVRs, IP cameras, and routers running Linux-based operating systems. More than 50 different Linux versions have been observed on the infected devices, spanning Linux kernel versions 2.6 through 5.4. The payload starts processes on the device to establish a connection with a command-and-control (C2) server using TLS on port 443. The malware also makes requests to “c.speedtest.net,” and over 80 subdomains of “w8510.com” were linked to the botnet’s C2 servers. A tier of upstream management servers using TCP port 34125 manages the botnet’s C2 servers. These management servers host a MySQL database that contained over 1.2 million records of compromised devices, both previously and actively exploited.

NSA Recommendations

The NSA said it released the advisory “to help National Security Systems, Department of Defense, and Defense Industrial Base networks mitigate these cyber threats.” The advisory’s authors recommend the following mitigations:

- Regularly apply patches and updates, using automatic updates from trusted providers when available.
- Disable unused services and ports, such as automatic configuration, remote access, or file sharing protocols, which threat actors may abuse to gain initial access or to spread malware to other networked devices.
- Replace default passwords with strong passwords.
- Implement network segmentation with the principle of least privilege to ensure IoT devices within a larger network pose “known, limited, and tolerable risks.”
- Monitor for high network traffic volumes to detect and mitigate DDoS incidents.
- Plan for device reboots to remove non-persistent malware.
- Replace end-of-life equipment with supported devices.
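As an added example (not code from the advisory or any vendor), the script below triages DNS and flow log exports for the indicators named above: subdomains of w8510.com, C2 over TLS/443, the TCP/34125 management tier, and c.speedtest.net as corroboration only. The space-separated `kind=dns|flow key=value` export format, the sample records and the severity scheme are this example's own assumptions.

```python
"""Triage DNS and flow log exports for the indicators the FBI/NSA/CNMF advisory
attributes to the Integrity Technology Group botnet.

Added example, not code from the advisory or any vendor.  Assumptions: a
space-separated "ts kind=dns|flow key=value ..." export (SIEM-style) and the
constructed sample below; the severity scheme is this example's own.  Indicator
values come from the advisory text: subdomains of w8510.com tied to C2, C2 over
TLS/443, an upstream management tier on TCP/34125, and requests to
c.speedtest.net (a legitimate host, so only corroborating on its own).
"""
import re

C2_DOMAIN = "w8510.com"             # over 80 subdomains linked to C2 servers
C2_TLS_PORT = 443                   # bot-to-C2 connection uses TLS on 443
MGMT_PORT = 34125                   # upstream management servers, TCP
CONTEXT_DOMAIN = "c.speedtest.net"  # contacted by the malware; benign elsewhere

# Constructed sample export (not real traffic).
SAMPLE_LOG = """\
2024-06-01T10:00:01Z kind=dns src=10.0.5.20 qname=cdn.example.org qtype=A
2024-06-01T10:00:02Z kind=dns src=10.0.5.20 qname=upd7.w8510.com qtype=A
2024-06-01T10:00:02Z kind=dns src=10.0.5.20 qname=c.speedtest.net qtype=A
2024-06-01T10:00:03Z kind=dns src=10.0.5.31 qname=w8510.com.lookalike.test qtype=A
2024-06-01T10:00:04Z kind=flow src=10.0.5.20 dst=203.0.113.7 dport=443 proto=tcp
2024-06-01T10:00:05Z kind=flow src=10.0.5.20 dst=203.0.113.9 dport=34125 proto=tcp
2024-06-01T10:00:06Z kind=flow src=10.0.5.44 dst=198.51.100.2 dport=34125 proto=udp
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Turn one 'ts key=value ...' line into a dict keyed by field name."""
    ts, _, rest = line.strip().partition(" ")
    rec = {"ts": ts}
    rec.update(_KV.findall(rest))
    return rec


def is_subdomain_of(qname, parent):
    """Exact or proper subdomain match; rejects lookalikes such as parent.evil.test."""
    qname = qname.lower().rstrip(".")
    return qname == parent or qname.endswith("." + parent)


def triage(log_text):
    """Return a list of (src_ip, severity, reason) findings for the export."""
    findings = []
    resolved_c2 = set()   # hosts that looked up a w8510.com name
    spoke_443 = set()     # hosts with outbound TCP/443 flows
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        src = rec.get("src", "?")
        kind = rec.get("kind")
        if kind == "dns":
            qname = rec.get("qname", "")
            if is_subdomain_of(qname, C2_DOMAIN):
                findings.append((src, "high", f"DNS lookup of C2 domain {qname}"))
                resolved_c2.add(src)
            elif is_subdomain_of(qname, CONTEXT_DOMAIN):
                findings.append((src, "low", f"lookup of {qname} (benign alone, corroborating)"))
        elif kind == "flow" and rec.get("proto") == "tcp":
            port = int(rec.get("dport", 0))
            if port == MGMT_PORT:
                findings.append((src, "high", f"TCP/{MGMT_PORT} to {rec.get('dst')} matches management tier"))
            elif port == C2_TLS_PORT:
                spoke_443.add(src)
    # Correlation: the advisory's C2 pattern is a w8510.com resolution plus TLS/443 egress.
    for src in sorted(resolved_c2 & spoke_443):
        findings.append((src, "critical", "resolved C2 domain and opened outbound TLS/443"))
    return findings


def hosts_to_isolate(findings):
    """Sorted source IPs carrying at least one high or critical finding."""
    return sorted({src for src, sev, _ in findings if sev in ("high", "critical")})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for src, sev, reason in results:
        print(f"{sev:8} {src:12} {reason}")
    print("isolate:", hosts_to_isolate(results))
```

A UDP flow to 34125 and a lookalike name that merely contains "w8510.com" are deliberately left unflagged, which is the kind of noise a naive substring match on the advisory's IoCs would produce.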
AT&T has reached a $13 million settlement with the Federal Communications Commission (FCC) following a significant data breach that compromised the personal information of approximately nine million customers. The AT&T data breach occurred in January 2023 and involved unauthorized access to, and sale of, customer data by third-party vendors employed by the firm. According to a consent decree shared by the FCC, AT&T “failed to meet its duty to protect the confidentiality of customer proprietary information (PI)” and “improperly used, disclosed, or permitted access to individually identifiable customer information without customer approval.”

Background of the 2023 AT&T Data Breach

The breach began when AT&T’s third-party vendors, who were responsible for managing customer data, were found to have mishandled sensitive personal information. The breach primarily involved Customer Proprietary Network Information (CPNI), which includes details like phone numbers, names, and certain service-related information. The vendors, hired to provide customer service and support, accessed this data without proper authorization and sold it to external parties, putting millions of AT&T customers at risk.

AT&T's vendors gained access to this CPNI data to facilitate unlocking AT&T devices and assist in SIM swaps, which is where they resell SIM cards to bypass network restrictions. As the FCC report noted, unauthorized individuals purchased this data to unlock phones and sell them on the black market, contributing to an increase in SIM swapping fraud, where bad actors take over a customer’s phone number to steal personal information or money.

FCC’s Investigation and Findings

The FCC launched a thorough investigation into the 2023 data breach after several customers reported suspicious activity, including incidents related to identity theft and SIM swapping fraud. The investigation revealed that AT&T's third-party vendors had accessed and misused the CPNI of around 9 million customers without proper consent. Additionally, AT&T was found to have failed to adequately protect this sensitive customer information, thereby violating the FCC’s rules on CPNI protection.

As part of its inquiry, the FCC found that the breach exposed vulnerabilities in AT&T’s data security practices. AT&T’s reliance on third-party vendors without strong oversight mechanisms contributed to the ease with which customer data was misused. The FCC argued that AT&T should have exercised more robust safeguards to prevent unauthorized access to and sale of this data, which is a violation of the Communications Act.

AT&T’s Settlement and Remedial Measures

To resolve the investigation and avoid further legal consequences, AT&T agreed to pay a $13 million fine to the FCC. The settlement reflects the seriousness of the breach and its potential to harm millions of customers. The company did not admit guilt but consented to the financial penalty and has committed to implementing a range of enhanced security measures to prevent such incidents from recurring. Under the terms of the settlement, AT&T is also required to add new safeguards to protect customer data. These measures include tightening the oversight of third-party vendors, implementing more stringent access controls, and conducting regular security audits to detect and address vulnerabilities in its data management systems.

Impact on Customers and Broader Implications

The 2023 data breach affected millions of AT&T customers, exposing them to risks like identity theft, unauthorized access to their accounts, and financial fraud. Customers have expressed concerns over how their personal data was handled and are now wary of similar breaches occurring in the future. To address these concerns, AT&T has initiated several customer-centric initiatives, including free identity theft protection services for those affected by the breach. The settlement also serves as a warning to other telecommunications providers about the importance of securing customer data. The FCC emphasized that companies must be vigilant in their data protection practices, particularly when working with third-party vendors who handle sensitive customer information.
Today, let's talk about rats. Not the long-tailed rodents, but the digital kind – Remote Access Trojans, or RATs. These are Trojans that attackers use to gain remote access to a device. Typically, these RATs can install and uninstall programs, control the clipboard and log keystrokes. In May 2024, a new breed of RAT, SambaSpy, wandered into our rat trap. To learn how this malware infects its victims' devices and what it does once it's inside, read on.

What SambaSpy is

SambaSpy is a feature-rich RAT Trojan obfuscated using Zelix KlassMaster, making it much more difficult to detect and analyze. However, our team was up to the challenge and discovered that this new RAT is capable of:

- Managing the file system and processes
- Downloading and uploading files
- Controlling the webcam
- Taking screenshots
- Stealing passwords
- Loading additional plug-ins
- Remotely controlling the desktop
- Logging keystrokes
- Managing the clipboard

Impressed? It seems SambaSpy can do it all – the perfect tool for a 21st-century James Bond villain. But even this extensive list isn't exhaustive: read more about this RAT's capabilities in the full version of our study.

The malicious campaign we uncovered was exclusively targeting victims in Italy. You may be surprised, but this is actually good news (for everyone except Italians). Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country. So why is that a good thing? It's likely that the attackers are testing the waters with Italian users before expanding their operation to other countries – and we're already one step ahead, since we're familiar with SambaSpy and how to counter it. All that our users worldwide need to do is make sure they have a reliable security solution, and read on knowing that we've got this.

How attackers spread SambaSpy

In short, just like many other RATs: via email. The attackers used two primary infection chains, both involving phishing emails disguised as communications from a real estate agency. The key element in the email is a CTA to check an invoice by clicking a hyperlink. At first glance, the email appears legitimate – except that it's sent from a German email address, but written in Italian.

Clicking the link redirects users to a malicious website that checks the system language and the browser used. If the potential victim's OS is set to Italian and they open the link in Edge, Firefox or Chrome, they receive a malicious PDF file that infects their device with either a dropper or a downloader. The difference between the two is minimal: the dropper installs the Trojan immediately, while the downloader first downloads the necessary components from the attackers' servers.

Before starting, both the loader and the dropper check that the system isn't running in a virtual machine and, most importantly, that the OS language is set to Italian. If both conditions are met, the device is infected. Users who don't meet these criteria are redirected to the website of FattureInCloud, an Italian cloud-based solution for storing and managing digital invoices. This clever disguise allows the attackers to target only a specific audience – everyone else is redirected to a legitimate website.

Who's behind SambaSpy?

We've yet to determine which group is behind this sophisticated distribution of SambaSpy. However, circumstantial evidence has shown us that the attackers speak Brazilian Portuguese. We also know that they're already expanding their operations to Spain and Brazil – as evidenced by malicious domains used by the same group in other detected campaigns. By the way, these campaigns no longer include the language check.

How to protect yourself from SambaSpy

The key takeaway from this story is the method of infection, which suggests that anyone, anywhere, speaking any language could be the target of the next campaign. For the attackers, it doesn't really matter who they hit, nor are the particulars of the phishing bait important. Today, it might be an invoice from a real estate agency; tomorrow, a tax notification; and the day after that, airline tickets or travel vouchers. Here are a few tips and recommendations to help you stay safe from SambaSpy:

- Install Kaspersky Premium before your device shows any signs of infection. Our solution reliably detects and neutralizes both SambaSpy and other malware.
- Always be wary of phishing emails. Before you click on a link in your inbox, take a moment to ask yourself: Could this be a scam?
Scammers are flooding Facebook with groups that purport to offer video streaming of funeral services for the recently deceased. Friends and family who follow the links for the streaming services are then asked to cough up their credit card information. Recently, these scammers have branched out into offering fake streaming services for nearly any kind of event advertised on Facebook. Here’s a closer look at the size of this scheme, and some findings about who may be responsible.

Image: One of the many scam funeral group pages on Facebook. Clicking to view the “live stream” of the funeral takes one to a newly registered website that requests credit card information.

KrebsOnSecurity recently heard from a reader named George who said a friend had just passed away, and he noticed that a Facebook group had been created in that friend’s memory. The page listed the correct time and date of the funeral service, which it claimed could be streamed over the Internet by following a link that led to a page requesting credit card information.

“After I posted about the site, a buddy of mine indicated [the same thing] happened to her when her friend passed away two weeks ago,” George said.

Searching Facebook/Meta for a few simple keywords like “funeral” and “stream” reveals countless funeral group pages on Facebook, some of them for services in the past and others erected for an upcoming funeral. All of these groups include images of the deceased as their profile photo, and seek to funnel users to a handful of newly-registered video streaming websites that require a credit card payment before one can continue. Even more galling, some of these pages request donations in the name of the deceased.

It’s not clear how many Facebook users fall for this scam, but it’s worth noting that many of these fake funeral groups attract subscribers from at least some of the deceased’s followers, suggesting those users have subscribed to the groups in anticipation of the service being streamed. It’s also unclear how many people end up missing a friend or loved one’s funeral because they mistakenly thought it was being streamed online.

Image: One of many look-alike landing pages for video streaming services linked to scam Facebook funeral groups.

George said their friend’s funeral service page on Facebook included a link to the supposed live-streamed service at livestreamnow[.]xyz, a domain registered in November 2023. According to DomainTools.com, the organization that registered this domain is called “apkdownloadweb,” is based in Rajshahi, Bangladesh, and uses the DNS servers of a Web hosting company in Bangladesh called webhostbd[.]net.

A search on “apkdownloadweb” in DomainTools shows three domains registered to this entity, including live24sports[.]xyz and onlinestreaming[.]xyz. Both of those domains also used webhostbd[.]net for DNS. Apkdownloadweb has a Facebook page, which shows a number of “live video” teasers for sports events that have already happened, and says its domain is apkdownloadweb[.]com.

Livestreamnow[.]xyz is currently hosted at a Bangladeshi web hosting provider named cloudswebserver[.]com, but historical DNS records show this website also used DNS servers from webhostbd[.]net. The Internet address of livestreamnow[.]xyz is 148.251.54.196, at the hosting giant Hetzner in Germany. DomainTools shows this same Internet address is home to nearly 6,000 other domains (.CSV), including hundreds that reference video streaming terms, like watchliveon24[.]com and foxsportsplus[.]com.

There are thousands of domains at this IP address that include or end in the letters “bd,” the country code top-level domain for Bangladesh. Although many domains correspond to websites for electronics stores or blogs about IT topics, just as many contain a fair amount of placeholder content (think “lorem ipsum” text on the “contact” page). In other words, the sites appear legitimate at first glance, but upon closer inspection it is clear they are not currently used by active businesses.

The passive DNS records for 148.251.54.196 show a surprising number of results that are basically two domain names mushed together. For example, there is watchliveon24[.]com.playehq4ks[.]com, which displays links to multiple funeral service streaming groups on Facebook. Another combined domain on the same Internet address — livestreaming24[.]xyz.allsportslivenow[.]com — lists dozens of links to Facebook groups for funerals, but also for virtually all types of events that are announced or posted about by Facebook users, including graduations, concerts, award ceremonies, weddings, and rodeos.

Even community events promoted by state and local police departments on Facebook are fair game for these scammers. A Facebook page maintained by the police force in Plympton, Mass. for a town social event this summer called Plympton Night Out was quickly made into two different Facebook groups that informed visitors they could stream the festivities at either espnstreamlive[.]co or skysports[.]live.

WHO’S BEHIND THE FAKEBOOK FUNERALS?

Recall that the registrant of livestreamnow[.]xyz — the bogus streaming site linked in the Facebook group for George’s late friend — was an organization called “Apkdownloadweb.” That entity’s domain — apkdownloadweb[.]com — is registered to a Mazidul Islam in Rajshahi, Bangladesh (this domain is also using Webhostbd[.]net DNS servers).

Mazidul Islam’s LinkedIn page says he is the organizer of a now defunct IT blog called gadgetsbiz[.]com, which DomainTools finds was registered to a Mehedi Hasan from Rajshahi, Bangladesh. To bring this full circle, DomainTools finds the domain name for the DNS provider on all of the above-mentioned sites — webhostbd[.]net — was originally registered to a Md Mehedi, and to the email address webhostbd.net@gmail.com (“MD” is a common abbreviation for Muhammad/Mohammod/Muhammed).

A search on that email address at Constella finds a breached record from the data broker Apollo.io saying its owner’s full name is Mohammod Mehedi Hasan. Unfortunately, this is not a particularly unique name in that region of the world.

But as luck would have it, sometime last year the administrator of apkdownloadweb[.]com managed to infect their Windows PC with password-stealing malware. We know this because the raw logs of data stolen from this administrator’s PC were indexed by the breach tracking service Constella Intelligence [full disclosure: As of this month, Constella is an advertiser on this website].

These so-called “stealer logs” are mostly generated by opportunistic infections from information-stealing trojans that are sold on cybercrime markets. A typical set of logs for a compromised PC will include any usernames and passwords stored in any browser on the system, as well as a list of recent URLs visited and files downloaded.

Malware purveyors will often deploy infostealer malware by bundling it with “cracked” or pirated software titles. Indeed, the stealer logs for the administrator of apkdownloadweb[.]com show this user’s PC became infected immediately after they downloaded a booby-trapped mobile application development toolkit.

Those stolen credentials indicate Apkdownloadweb[.]com is maintained by a 20-something native of Dhaka, Bangladesh named Mohammod Abdullah Khondokar. The “browser history” folder from the admin of Apkdownloadweb shows Khondokar recently left a comment on the Facebook page of Mohammod Mehedi Hasan, and Khondokar’s Facebook profile says the two are friends.

Neither MD Hasan nor MD Abdullah Khondokar responded to requests for comment. KrebsOnSecurity also sought comment from Meta.
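The "two domain names mushed together" pattern in the passive DNS for 148.251.54.196 is easy to pull out of a bulk export automatically. The script below is an added example, not code from the article or from DomainTools: it assumes a tiny constructed stand-in for the Public Suffix List and a constructed passive-DNS sample modelled on the names the article quotes, defanged with [.] the same way.

```python
"""Spot passive-DNS names that are two domain names mushed together, the
pattern the article found among the hosts at 148.251.54.196.

Added example, not code from the article.  The suffix set is a tiny
constructed stand-in for the Public Suffix List; the sample records are
constructed, modelled on the names the article quotes, and defanged with
[.] the same way.
"""
from collections import defaultdict

# Assumption: minimal stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "xyz", "co", "live", "info"}

# Constructed passive-DNS sample (not real data).
SAMPLE_PDNS = [
    "watchliveon24[.]com.playehq4ks[.]com",
    "livestreaming24[.]xyz.allsportslivenow[.]com",
    "foxsportsplus[.]com",
    "www.shop.example-electronics[.]com",
    "mail.webhostbd[.]net",
    "espnstreamlive[.]co.allsportslivenow[.]com",
]


def refang(name):
    """Undo the [.] defanging and normalise case and any trailing dot."""
    return name.replace("[.]", ".").lower().rstrip(".")


def registrable(labels):
    """Registrable domain (second-level label + public suffix) or None."""
    if len(labels) >= 2 and labels[-1] in PUBLIC_SUFFIXES:
        return ".".join(labels[-2:])
    return None


def embedded_domain(name):
    """Return (inner_domain, parent_domain) if the host part of `name` itself
    looks like a complete registrable domain, else None.

    watchliveon24.com.playehq4ks.com -> ("watchliveon24.com", "playehq4ks.com")
    www.shop.example.com             -> None (no public suffix inside the prefix)
    """
    labels = refang(name).split(".")
    parent = registrable(labels)
    if parent is None:
        return None
    prefix = labels[:-2]  # labels before the real registrable domain
    # The first prefix label that is a public suffix closes an inner domain.
    # A label such as "live" used as an ordinary hostname label is a known
    # false positive of this heuristic; review hits rather than acting on them.
    for i in range(1, len(prefix)):
        if prefix[i] in PUBLIC_SUFFIXES:
            return ".".join(prefix[: i + 1]), parent
    return None


def group_by_parent(names):
    """Map each parent domain to the sorted inner domains nested under it."""
    groups = defaultdict(set)
    for name in names:
        hit = embedded_domain(name)
        if hit:
            inner, parent = hit
            groups[parent].add(inner)
    return {parent: sorted(inner) for parent, inner in sorted(groups.items())}


if __name__ == "__main__":
    for parent, inners in group_by_parent(SAMPLE_PDNS).items():
        print(f"{parent}: {', '.join(inners)}")
```

Grouping by the outer (parent) domain is what turns a pile of odd-looking hostnames into a short list of registrations worth pivoting on in WHOIS or passive DNS.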
Increasing attacks by the OilRig/APT34 group linked to Iran's Ministry of Intelligence and Security show that the nation's capabilities are growing, and targeting regional allies and enemies alike.
Criminal actors are finding their niche in utilizing QR phishing codes, otherwise known as "quishing," to victimize unsuspecting tourists in Europe and beyond.
Ultimately, the goal of businesses and cyber insurers alike is to build more resilient IT environments to avoid cyberattacks and the ransom, downtime, and reputation hit that come along with them.
Despite security updates to protect data, 45% of total enterprise instances of the cloud-based IT management platform leaked PII, internal system details, and active credentials over the past year.
Regulators fine AT&T $13 million for failing to protect customer information held by a third-party vendor, and extend consumer data protections to the cloud.
Red Hat OpenShift, a popular hybrid cloud platform with robust security features, is facing two critical vulnerabilities: CVE-2024-45496 (CVSS 9.9) and CVE-2024-7387 (CVSS 9.1).
CISA and the FBI recommended that software developers implement rigorous input validation, sanitization, and escaping to prevent malicious script injection and data manipulation.
Cybersecurity firm Huntress reported that attackers search for publicly accessible installations of Foundation software on the internet and then attempt to gain administrative access by trying combinations of default usernames and passwords.
Valid account abuse remains a top entry point for critical infrastructure attacks, with the CISA reporting that 2 in 5 successful intrusions last year were attributed to this method.
The vulnerability was related to the undocumented Salesforce Aura API and SOQL subqueries, allowing a blind SOQL injection attack to retrieve customer information, including personally identifiable information (PII).
Prosecutors allege that Chinese national Wu Song targeted US academics and engineers to obtain applications used in aerospace engineering and fluid dynamics, which could be used for developing missiles and weapons.
Two critical vulnerabilities, CVE-2024-8503 (SQL Injection) and CVE-2024-8504 (Privilege Escalation), have been uncovered in the VICIdial Contact Center Suite, posing a major risk for call centers globally.
Advanced phishing attacks are putting accounts on X (formerly Twitter) at risk. Even with two-factor authentication in place, researchers at eSentire have found that account takeovers are still possible.
MISTPEN is a trojanized version of a legitimate Notepad++ plugin that allows the threat actor to download and execute files from a command-and-control server. The threat group constantly enhances its malware, making it harder to detect and analyze.
Ubuntu Security Notice 7019-1 - Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. Gui-Dong Han discovered that the software RAID driver in the Linux kernel contained a race condition, leading to an integer overflow vulnerability. A privileged attacker could possibly use this to cause a denial of service.
Debian Linux Security Advisory 5772-1 - Yufan You discovered that Libreoffice's handling of documents based on ZIP archives was susceptible to spoofing attacks when the repair mode attempts to address a malformed archive structure.
Ubuntu Security Notice 7018-1 - Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky discovered that certain Diffie-Hellman ciphersuites in the TLS specification and implemented by OpenSSL contained a flaw. A remote attacker could possibly use this issue to eavesdrop on encrypted communications. This was fixed in this update by removing the insecure ciphersuites from OpenSSL. Paul Kehrer discovered that OpenSSL incorrectly handled certain input lengths in EVP functions. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.
Debian Linux Security Advisory 5771-1 - Fabien Potencier discovered that under some conditions the sandbox mechanism of Twig, a template engine for PHP, could be bypassed.
Debian Linux Security Advisory 5770-1 - Shang-Hung Wan discovered multiple vulnerabilities in the Expat XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code.
Ubuntu Security Notice 7000-2 - USN-7000-1 fixed vulnerabilities in Expat. This update provides the corresponding updates for Ubuntu 22.04 LTS. Shang-Hung Wan discovered that Expat did not properly handle certain function calls when a negative input length was provided. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code.
Ubuntu Security Notice 7017-1 - Iggy Frankovic discovered that Quagga incorrectly handled certain BGP messages. A remote attacker could possibly use this issue to cause Quagga to crash, resulting in a denial of service.
Ubuntu Security Notice 7016-1 - Iggy Frankovic discovered that FRR incorrectly handled certain BGP messages. A remote attacker could possibly use this issue to cause FRR to crash, resulting in a denial of service.
Ubuntu Security Notice 6885-3 - USN-6885-1 fixed several vulnerabilities in Apache. This update provides the corresponding update for Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Orange Tsai discovered that the Apache HTTP Server mod_rewrite module incorrectly handled certain substitutions. A remote attacker could possibly use this issue to execute scripts in directories not directly reachable by any URL, or cause a denial of service. Some environments may require using the new UnsafeAllow3F flag to handle unsafe substitutions.
Ubuntu Security Notice 7021-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
Ubuntu Security Notice 7020-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.
The GSM Association, the governing body that oversees the development of the Rich Communications Services (RCS) protocol, on Tuesday said it's working towards implementing end-to-end encryption (E2EE) to secure messages sent between the Android and iOS ecosystems. "The next major milestone is for the RCS Universal Profile to add important user protections such as interoperable end-to-end
Broadcom on Tuesday released updates to address a critical security flaw impacting VMware vCenter Server that could pave the way for remote code execution. The vulnerability, tracked as CVE-2024-38812 (CVSS score: 9.8), has been described as a heap-overflow vulnerability in the DCE/RPC protocol. "A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a
Google has announced that it's rolling out a new set of features to its Chrome browser that gives users more control over their data when surfing the internet and protects against online threats. "With the newest version of Chrome, you can take advantage of our upgraded Safety Check, opt out of unwanted website notifications more easily and grant select permissions to a site for one time only,"
The evolution of software always catches us by surprise. I remember betting against the IBM computer Deep Blue during its chess match against the grandmaster Garry Kasparov in 1997, only to be stunned when the machine claimed victory. Fast forward to today, would we have imagined just three years ago that a chatbot could write essays, handle customer support calls, and even craft commercial
A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN. The activity cluster is being tracked by Google-owned Mandiant under the moniker UNC2970, which it said overlaps with a threat group known as TEMP.Hermit, which is
Cybersecurity researchers have uncovered a never-before-seen botnet comprising an army of small office/home office (SOHO) and IoT devices that are likely operated by a Chinese nation-state threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett). The sophisticated botnet, dubbed Raptor Train by Lumen's Black Lotus Labs, is believed to have been operational since at least May 2020,
A Chinese national has been indicted in the U.S. on charges of conducting a "multi-year" spear-phishing campaign to obtain unauthorized access to computer software and source code created by the National Aeronautics and Space Administration (NASA), research universities, and private companies. Song Wu, 39, has been charged with 14 counts of wire fraud and 14 counts of aggravated identity theft.
Proper disclosure of a cyber-incident can help shield your business from further financial and reputational damage, and cyber-insurers can step in to help
Source: www.databreachtoday.com – Author: Chris Riotta (@chrisriotta) • September 17, 2024 – Tags: Cybersecurity Spending, Government, Industry Specific – Experts Warn Federal Cyber Strategies Increasingly Lack Accompanying Resources. The guidance calls for CISA to have expanded visibility into agency assets for improved incident detection and response. (Image: Shutterstock) A new federal plan to […] The post Can CISA’s Federal Cybersecurity Alignment Plan Really Work? – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: Akshaya Asokan (asokan_akshaya) • September 17, 2024 – Tags: Fraud Management & Cybercrime, Geo Focus: The United Kingdom, Geo-Specific – Former Royal Mail and Manchester University CISOs Talk Ransomware Response. Timely notification of ransomware incidents to British law enforcement agencies played a crucial role in understanding the threats and […] The post UK Orgs Tout Government Help in Ransomware Incidents – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: Michael Novinson (MichaelNovinson) • September 17, 2024 – Tags: Endpoint Security, Legislation & Litigation, Standards, Regulations & Compliance – iPhone Maker Seeks Voluntary Dismissal, Citing Concerns Over Sensitive Data Leaking. Apple wants to dismiss its 2021 lawsuit against Israeli spyware maker NSO Group out of concern that continuing the […] The post Apple Moves to Dismiss Suit Against Spyware Firm NSO Group – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: David Perera (@daveperera) • September 17, 2024 – Tags: 3rd Party Risk Management, Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime – Cybersecurity Experts Say Operatives Probably Intercepted Physical Supply Chain. Hezbollah supporters in Tyre, Lebanon, on Oct. 10, 2023 (Image: Shutterstock) It doesn’t appear to be a cyberattack, […] The post Exploding Hezbollah Pagers Not Likely a Cybersecurity Attack – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.