ECS

ECS: pioneers of cybersecurity, protecting organisations and individuals from hackers

๐——๐—ถ๐—ด๐—ถ๐—–๐—ฒ๐—ฟ๐˜ ๐˜๐—ผ ๐— ๐—ฎ๐˜€๐˜€-๐—ฅ๐—ฒ๐˜ƒ๐—ผ๐—ธ๐—ฒ ๐—ง๐—Ÿ๐—ฆ ๐—–๐—ฒ๐—ฟ๐˜๐—ถ๐—ณ๐—ถ๐—ฐ๐—ฎ๐˜๐—ฒ๐˜€ ๐——๐˜‚๐—ฒ ๐˜๐—ผ ๐——๐—ผ๐—บ๐—ฎ๐—ถ๐—ป ๐—ฉ๐—ฎ๐—น๐—ถ๐—ฑ๐—ฎ๐˜๐—ถ๐—ผ๐—ป ๐—•๐˜‚๐—ดDigiCert has issued a warning about mass-revoking S...
02/08/2024

๐——๐—ถ๐—ด๐—ถ๐—–๐—ฒ๐—ฟ๐˜ ๐˜๐—ผ ๐— ๐—ฎ๐˜€๐˜€-๐—ฅ๐—ฒ๐˜ƒ๐—ผ๐—ธ๐—ฒ ๐—ง๐—Ÿ๐—ฆ ๐—–๐—ฒ๐—ฟ๐˜๐—ถ๐—ณ๐—ถ๐—ฐ๐—ฎ๐˜๐—ฒ๐˜€ ๐——๐˜‚๐—ฒ ๐˜๐—ผ ๐——๐—ผ๐—บ๐—ฎ๐—ถ๐—ป ๐—ฉ๐—ฎ๐—น๐—ถ๐—ฑ๐—ฎ๐˜๐—ถ๐—ผ๐—ป ๐—•๐˜‚๐—ด

DigiCert has issued a warning about mass-revoking SSL/TLS certificates due to a bug in their domain validation process, requiring affected customers to reissue certificates within 24 hours. The issue affects approximately 0.4% of domain validations conducted between August 2019 and June 2024, where the random value used for DNS CNAME-based validation lacked the required underscore prefix, potentially posing a collision risk with real hostnames.

This oversight, attributed to a system update in August 2019, was discovered during an investigation into random value generation. DigiCert has since consolidated its random value generators and implemented measures to enhance compliance and testing, aiming to prevent future incidents. Affected customers must log into their CertCentral accounts, identify impacted certificates, generate new Certificate Signing Requests (CSRs), and undergo a new Domain Control Verification process to reissue certificates promptly to avoid disruption of service.
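As an added example (not DigiCert's own tooling), the following audit script checks CNAME-based validation records for the underscore prefix described above: a compliant record is `_<random-value>.<domain> IN CNAME <CA target>`, and the leading `_` is what guarantees the owner name can never collide with a real hostname. The zone text, validation dates and the CA target name are constructed for the example.

```python
# Added example, not DigiCert's own tooling: audit CNAME-based domain-validation
# records for the underscore prefix the page describes. A compliant record is
#   _<random-value>.<domain>  IN CNAME  <CA target>
# and the leading "_" guarantees the owner name can never be a real hostname.
# Zone text, dates and the CA target name below are constructed for the example.
from dataclasses import dataclass
from typing import List

# Window of affected validations given on the page (inclusive, ISO dates)
AFFECTED_WINDOW = ("2019-08-01", "2024-06-30")


@dataclass(frozen=True)
class CnameRecord:
    owner: str         # full owner name, e.g. "_abc123.example.com"
    target: str        # CNAME target
    validated_on: str  # ISO date the CA used the record (constructed metadata)


def parse_zone_lines(text: str) -> List[CnameRecord]:
    """Parse 'owner TTL IN CNAME target ; validated=YYYY-MM-DD' lines; skip the rest."""
    records = []
    for line in text.splitlines():
        line, _, comment = line.partition(";")
        fields = line.split()
        if len(fields) != 5 or fields[2:4] != ["IN", "CNAME"]:
            continue
        date = comment.strip().removeprefix("validated=") if comment.strip() else ""
        records.append(CnameRecord(fields[0].rstrip("."), fields[4].rstrip("."), date))
    return records


def has_underscore_prefix(owner: str) -> bool:
    """The validation label (left-most label) must begin with '_'."""
    return owner.split(".", 1)[0].startswith("_")


def in_affected_window(date: str) -> bool:
    start, end = AFFECTED_WINDOW
    return start <= date <= end   # ISO-8601 strings order lexically


def find_affected(records: List[CnameRecord]) -> List[str]:
    """Owner names whose label lacked the prefix inside the affected window."""
    return sorted(r.owner for r in records
                  if not has_underscore_prefix(r.owner) and in_affected_window(r.validated_on))


def compliant_owner(domain: str, random_value: str) -> str:
    """Build the owner name a correct generator should have produced."""
    return f"_{random_value.lstrip('_')}.{domain}"


# Constructed sample zone: one record from the faulty generator inside the window,
# one non-prefixed record from before the window, and an unrelated CNAME
SAMPLE_ZONE = """\
_a1b2c3d4e5f6.example.com.  300 IN CNAME dcv.ca-validation.example. ; validated=2023-03-01
a1b2c3d4e5f6.example.net.   300 IN CNAME dcv.ca-validation.example. ; validated=2022-11-15
_9f8e7d6c5b4a.example.org.  300 IN CNAME dcv.ca-validation.example. ; validated=2024-05-20
b7c6d5e4f3a2.example.org.   300 IN CNAME dcv.ca-validation.example. ; validated=2018-06-01
www.example.com.            300 IN CNAME example.com.
"""

if __name__ == "__main__":
    for owner in find_affected(parse_zone_lines(SAMPLE_ZONE)):
        print("reissue required:", owner, "->", compliant_owner(*owner.split(".", 1)[::-1]))
```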

๐—ข๐˜ƒ๐—ฒ๐—ฟ ๐Ÿญ ๐— ๐—ถ๐—น๐—น๐—ถ๐—ผ๐—ป ๐——๐—ผ๐—บ๐—ฎ๐—ถ๐—ป๐˜€ ๐—ฎ๐˜ ๐—ฅ๐—ถ๐˜€๐—ธ ๐—ผ๐—ณ '๐—ฆ๐—ถ๐˜๐˜๐—ถ๐—ป๐—ด ๐——๐˜‚๐—ฐ๐—ธ๐˜€' ๐——๐—ผ๐—บ๐—ฎ๐—ถ๐—ป ๐—›๐—ถ๐—ท๐—ฎ๐—ฐ๐—ธ๐—ถ๐—ป๐—ดOver a million domains are vulnerable to a sophisticat...
02/08/2024

๐—ข๐˜ƒ๐—ฒ๐—ฟ ๐Ÿญ ๐— ๐—ถ๐—น๐—น๐—ถ๐—ผ๐—ป ๐——๐—ผ๐—บ๐—ฎ๐—ถ๐—ป๐˜€ ๐—ฎ๐˜ ๐—ฅ๐—ถ๐˜€๐—ธ ๐—ผ๐—ณ '๐—ฆ๐—ถ๐˜๐˜๐—ถ๐—ป๐—ด ๐——๐˜‚๐—ฐ๐—ธ๐˜€' ๐——๐—ผ๐—บ๐—ฎ๐—ถ๐—ป ๐—›๐—ถ๐—ท๐—ฎ๐—ฐ๐—ธ๐—ถ๐—ป๐—ด

Over a million domains are vulnerable to a sophisticated cyber attack known as Sitting Ducks, recently highlighted by a joint analysis from Infoblox and Eclypsium. This attack method allows malicious actors, predominantly Russian-nexus cybercriminals, to stealthily hijack domains by exploiting weaknesses in the domain name system (DNS).

Unlike other domain hijacking techniques, Sitting Ducks does not require access to the domain owner's accounts directly. Instead, attackers exploit misconfigurations in both the domain registrar and authoritative DNS provider, allowing them to seize control of registered domains.

This method is particularly insidious because it is easier to execute, more likely to succeed undetected, and harder to mitigate compared to other known attacks. Once compromised, these domains can be used for a variety of malicious activities, from distributing malware and spam to perpetrating scams and hoax threats, exploiting the trust associated with legitimate domain owners.
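The misconfiguration Sitting Ducks depends on is a lame delegation: the registrar delegates the domain to name servers that do not actually serve the zone. The following stdlib-only check, added here and not taken from the Infoblox/Eclypsium analysis, builds a raw SOA query, parses the reply header and classifies each delegated server; `probe()` is the live network helper, while the reply bytes used in testing are constructed.

```python
# Added example, not Infoblox's or Eclypsium's code: check for the lame
# delegation that Sitting Ducks relies on. A domain is exposed when the name
# servers the registrar delegates to do not answer authoritatively for the
# zone. The query builder and header parser are stdlib-only; probe() is the
# live network helper, while the test feeds constructed reply bytes.
import socket
import struct
import sys
from typing import Dict

RCODE_SERVFAIL, RCODE_REFUSED = 2, 5
QTYPE_SOA, QCLASS_IN = 6, 1
TXID = 0x1234


def build_soa_query(domain: str, txid: int = TXID) -> bytes:
    """Minimal DNS query for the zone's SOA; RD=0 so the server must answer itself."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in domain.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def parse_reply_header(data: bytes) -> Dict[str, int]:
    """Pull the AA flag, RCODE and answer count out of the 12-byte DNS header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"txid": txid, "aa": int(bool(flags & 0x0400)),
            "rcode": flags & 0x000F, "answers": an}


def classify_answer(hdr: Dict[str, int]) -> str:
    """'authoritative' is the only healthy outcome for a delegated name server."""
    if hdr["rcode"] == RCODE_REFUSED:
        return "refused"          # typical of a provider that does not host the zone
    if hdr["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    if hdr["rcode"] == 0 and hdr["aa"] and hdr["answers"] > 0:
        return "authoritative"
    return "lame"                 # NXDOMAIN, or an answer without the AA bit


def delegation_is_lame(results: Dict[str, str]) -> bool:
    """Exposed when no delegated name server serves the zone authoritatively."""
    return bool(results) and all(v != "authoritative" for v in results.values())


def probe(domain: str, ns_ip: str, timeout: float = 3.0) -> str:
    """Live check: send the SOA query to one delegated name server over UDP/53."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_soa_query(domain), (ns_ip, 53))
        hdr = parse_reply_header(sock.recv(512))
        if hdr["txid"] != TXID:
            return "mismatched-txid"
        return classify_answer(hdr)
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()


if __name__ == "__main__":
    # usage: python lame_check.py example.com NS_IP [NS_IP ...]
    # (NS addresses are the ones the registrar's delegation points at)
    if len(sys.argv) < 3:
        sys.exit("usage: lame_check.py DOMAIN NS_IP [NS_IP ...]")
    domain, servers = sys.argv[1], sys.argv[2:]
    results = {ns: probe(domain, ns) for ns in servers}
    print(results, "LAME DELEGATION" if delegation_is_lame(results) else "ok")
```

Run it against each name server listed in the registrar's delegation; any result other than `authoritative` from every server is the condition the advisory describes.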

๐—”๐—ฐ๐—ฟ๐—ผ๐—ป๐—ถ๐˜€ ๐—”๐—น๐—ฒ๐—ฟ๐˜๐˜€: ๐—–๐˜†๐—ฏ๐—ฒ๐—ฟ ๐—œ๐—ป๐—ณ๐—ฟ๐—ฎ๐˜€๐˜๐—ฟ๐˜‚๐—ฐ๐˜๐˜‚๐—ฟ๐—ฒ ๐——๐—ฒ๐—ณ๐—ฎ๐˜‚๐—น๐˜ ๐—ฃ๐—ฎ๐˜€๐˜€๐˜„๐—ผ๐—ฟ๐—ฑ ๐—˜๐˜…๐—ฝ๐—น๐—ผ๐—ถ๐˜๐—ฒ๐—ฑ ๐—ถ๐—ป ๐—”๐˜๐˜๐—ฎ๐—ฐ๐—ธ๐˜€Acronis has warned customers to patch a critic...
30/07/2024

๐—”๐—ฐ๐—ฟ๐—ผ๐—ป๐—ถ๐˜€ ๐—”๐—น๐—ฒ๐—ฟ๐˜๐˜€: ๐—–๐˜†๐—ฏ๐—ฒ๐—ฟ ๐—œ๐—ป๐—ณ๐—ฟ๐—ฎ๐˜€๐˜๐—ฟ๐˜‚๐—ฐ๐˜๐˜‚๐—ฟ๐—ฒ ๐——๐—ฒ๐—ณ๐—ฎ๐˜‚๐—น๐˜ ๐—ฃ๐—ฎ๐˜€๐˜€๐˜„๐—ผ๐—ฟ๐—ฑ ๐—˜๐˜…๐—ฝ๐—น๐—ผ๐—ถ๐˜๐—ฒ๐—ฑ ๐—ถ๐—ป ๐—”๐˜๐˜๐—ฎ๐—ฐ๐—ธ๐˜€

Acronis has warned customers to patch a critical Cyber Infrastructure security flaw that allows attackers to bypass authentication on vulnerable servers using default credentials. Acronis Cyber Infrastructure (ACI) is a unified multi-tenant platform combining remote endpoint management, backup, and virtualization capabilities, aiding disaster recovery workloads and securely storing enterprise backup data.

Over 20,000 service providers use ACI to protect more than 750,000 businesses across 150+ countries. The vulnerability, tracked as CVE-2023-45249, can be exploited in low-complexity attacks that require no user interaction, enabling remote code execution on unpatched ACI servers. Despite being patched nine months ago, the flaw affects multiple ACI builds before specific versions.

Acronis has confirmed that the bug has been exploited in attacks and has urged admins to update their installations immediately, emphasizing the critical nature of the vulnerability. Users should log into their accounts, download the latest ACI build from the "Products" section, and install it on vulnerable servers. Detailed patch protocols and support guidelines are available on the Acronis security advisory page.

๐—™๐—ผ๐—ฟ๐˜๐—ถ๐—š๐˜‚๐—ฎ๐—ฟ๐—ฑ ๐—Ÿ๐—ฎ๐—ฏ๐˜€ ๐—ง๐—ต๐—ฟ๐—ฒ๐—ฎ๐˜ ๐—ฅ๐—ฒ๐˜€๐—ฒ๐—ฎ๐—ฟ๐—ฐ๐—ต: ๐—ฃ๐—ต๐—ถ๐˜€๐—ต๐—ถ๐—ป๐—ด ๐—–๐—ฎ๐—บ๐—ฝ๐—ฎ๐—ถ๐—ด๐—ป ๐—ง๐—ฎ๐—ฟ๐—ด๐—ฒ๐˜๐—ถ๐—ป๐—ด ๐—œ๐—ป๐—ฑ๐—ถ๐—ฎ๐—ป ๐— ๐—ผ๐—ฏ๐—ถ๐—น๐—ฒ ๐—จ๐˜€๐—ฒ๐—ฟ๐˜€ ๐˜„๐—ถ๐˜๐—ต ๐—œ๐—ป๐—ฑ๐—ถ๐—ฎ ๐—ฃ๐—ผ๐˜€๐˜ ๐—Ÿ๐˜‚๐—ฟ๐—ฒ๐˜€The FortiGuard Lab...
29/07/2024

๐—™๐—ผ๐—ฟ๐˜๐—ถ๐—š๐˜‚๐—ฎ๐—ฟ๐—ฑ ๐—Ÿ๐—ฎ๐—ฏ๐˜€ ๐—ง๐—ต๐—ฟ๐—ฒ๐—ฎ๐˜ ๐—ฅ๐—ฒ๐˜€๐—ฒ๐—ฎ๐—ฟ๐—ฐ๐—ต: ๐—ฃ๐—ต๐—ถ๐˜€๐—ต๐—ถ๐—ป๐—ด ๐—–๐—ฎ๐—บ๐—ฝ๐—ฎ๐—ถ๐—ด๐—ป ๐—ง๐—ฎ๐—ฟ๐—ด๐—ฒ๐˜๐—ถ๐—ป๐—ด ๐—œ๐—ป๐—ฑ๐—ถ๐—ฎ๐—ป ๐— ๐—ผ๐—ฏ๐—ถ๐—น๐—ฒ ๐—จ๐˜€๐—ฒ๐—ฟ๐˜€ ๐˜„๐—ถ๐˜๐—ต ๐—œ๐—ป๐—ฑ๐—ถ๐—ฎ ๐—ฃ๐—ผ๐˜€๐˜ ๐—Ÿ๐˜‚๐—ฟ๐—ฒ๐˜€

The FortiGuard Labs Threat Research team has detected a fraud campaign targeting iPhone users in India, leveraging India Post lures. This campaign involves smishing attacks where users receive an iMessage claiming a package is waiting at an India Post warehouse.

Public reporting attributes this to the China-based Smishing Triad, previously targeting regions like the US, UK, and Pakistan. These scams use third-party email addresses via iMessage, leading to fraudulent sites.

Analysis shows over 470 domains mimicking India Post, with a significant number registered through a Chinese registrar, Beijing Lanhai Jiye Technology Co., Ltd. Most domains use TLDs like 'vip' and 'top,' hosted mainly by Tencent. The cloned phishing sites collect sensitive user information and request credit card details for redelivery charges.

The attackers' modus operandi involves sending iMessages to Apple ID email addresses, ensuring messages appear legitimate. Recommendations include verifying URLs, using strong passwords, enabling MFA, and reporting phishing attempts.

The investment in domain registrations indicates the scale and long-term potential impact of these phishing operations, highlighting the need for awareness and proactive measures. Fortinet provides protections through URL Filtering Services and training programs to help users recognize and avoid phishing threats.

๐——๐—ผ๐—ฐ๐—ธ๐—ฒ๐—ฟ ๐—ฆ๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜† ๐—”๐—ฑ๐˜ƒ๐—ถ๐˜€๐—ผ๐—ฟ๐˜†: ๐—”๐˜‚๐˜๐—ต๐—ญ ๐—ฃ๐—น๐˜‚๐—ด๐—ถ๐—ป ๐—•๐˜†๐—ฝ๐—ฎ๐˜€๐˜€ ๐—ฅ๐—ฒ๐—ด๐—ฟ๐—ฒ๐˜€๐˜€๐—ถ๐—ผ๐—ป ๐—ถ๐—ป ๐——๐—ผ๐—ฐ๐—ธ๐—ฒ๐—ฟ ๐—˜๐—ป๐—ด๐—ถ๐—ป๐—ฒDockerโ€™s default authorization model is all-or-...
26/07/2024

๐——๐—ผ๐—ฐ๐—ธ๐—ฒ๐—ฟ ๐—ฆ๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜† ๐—”๐—ฑ๐˜ƒ๐—ถ๐˜€๐—ผ๐—ฟ๐˜†: ๐—”๐˜‚๐˜๐—ต๐—ญ ๐—ฃ๐—น๐˜‚๐—ด๐—ถ๐—ป ๐—•๐˜†๐—ฝ๐—ฎ๐˜€๐˜€ ๐—ฅ๐—ฒ๐—ด๐—ฟ๐—ฒ๐˜€๐˜€๐—ถ๐—ผ๐—ป ๐—ถ๐—ป ๐——๐—ผ๐—ฐ๐—ธ๐—ฒ๐—ฟ ๐—˜๐—ป๐—ด๐—ถ๐—ป๐—ฒ

Docker's default authorization model is all-or-nothing, allowing users with access to the Docker daemon to execute any Docker command. Authorization plugins (AuthZ) provide greater access control by approving or denying requests to the Docker daemon based on authentication and command context. In 2018, a security issue was discovered where an attacker could bypass AuthZ plugins using a specially crafted API request, potentially leading to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later versions, resulting in a regression.

An attacker could exploit this bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly if not set to deny by default.

The issue was fixed in Docker Engine v18.09.1 in January 2019 but not included in Docker Engine v19.03 or newer versions. This regression was identified in April 2024, and patches were released on July 23, 2024, with the issue assigned CVE-2024-41110. Affected versions include
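The plugin-side lesson from the advisory is to fail closed when the body is missing. The example below, added here and not Docker's or any plugin vendor's code, shows the request-side decision of an AuthZ plugin written that way: field names follow the Docker authorization plugin API (`User`, `RequestMethod`, `RequestURI`, `RequestBody`, the last arriving base64-encoded), the endpoint list and host-config policy are an example policy, and the sample requests are constructed.

```python
# Added example, not Docker's or any plugin vendor's code: the request-side
# decision of an AuthZ plugin written to fail closed. Field names follow the
# Docker authorization plugin API (User, RequestMethod, RequestURI, RequestBody,
# where RequestBody arrives base64-encoded). A body-less POST to an endpoint
# whose safety depends on its payload is denied instead of waved through,
# which is the case the Content-Length: 0 bypass on the page abuses.
# The endpoint list, the policy and the sample requests are constructed.
import base64
import json
from typing import Any, Dict, Optional

BODY_SENSITIVE_POSTS = ("/containers/create", "/exec", "/commit")  # example policy set


def decode_body(req: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the JSON body the daemon forwarded, or None if it forwarded nothing."""
    raw = req.get("RequestBody")
    if not raw:
        return None
    data = base64.b64decode(raw)
    return json.loads(data) if data else None


def needs_body(method: str, uri: str) -> bool:
    """POSTs whose risk lives in the payload; a missing body is not a safe request."""
    path = uri.split("?", 1)[0]
    return method == "POST" and any(p in path for p in BODY_SENSITIVE_POSTS)


def dangerous_host_config(body: Dict[str, Any]) -> Optional[str]:
    """Example policy: refuse privileged containers and host-root / docker.sock mounts."""
    host = body.get("HostConfig") or {}
    if host.get("Privileged"):
        return "privileged containers are not allowed"
    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src in ("/", "/var/run/docker.sock"):
            return f"bind mount of {src} is not allowed"
    return None


def authz_req(req: Dict[str, Any]) -> Dict[str, Any]:
    """Decision in the AuthZReq response shape: {"Allow": bool, "Msg": str}."""
    method, uri = req.get("RequestMethod", ""), req.get("RequestURI", "")
    body = decode_body(req)
    if needs_body(method, uri) and body is None:
        # Fail closed: without the payload the policy cannot be evaluated.
        return {"Allow": False, "Msg": "request body required for policy evaluation"}
    if body is not None:
        reason = dangerous_host_config(body)
        if reason:
            return {"Allow": False, "Msg": reason}
    return {"Allow": True, "Msg": ""}


def make_request(method: str, uri: str, body: Optional[dict], user: str = "alice") -> Dict[str, Any]:
    """Build a request the way the daemon hands it to the plugin (constructed helper)."""
    encoded = base64.b64encode(json.dumps(body).encode()).decode() if body is not None else ""
    return {"User": user, "RequestMethod": method, "RequestURI": uri, "RequestBody": encoded}


if __name__ == "__main__":
    # A create request whose body was stripped: denied rather than approved by default.
    stripped = make_request("POST", "/v1.45/containers/create", None)
    print(authz_req(stripped))   # {'Allow': False, 'Msg': 'request body required for policy evaluation'}
```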

๐—ฃ๐—ผ๐˜๐—ฒ๐—ป๐˜๐—ถ๐—ฎ๐—น ๐—ฉ๐˜‚๐—น๐—ป๐—ฒ๐—ฟ๐—ฎ๐—ฏ๐—ถ๐—น๐—ถ๐˜๐—ถ๐—ฒ๐˜€ ๐—ถ๐—ป ๐—Ÿ๐—ฎ๐—ป๐—ด๐—–๐—ต๐—ฎ๐—ถ๐—ป ๐—š๐—ฒ๐—ป ๐—”๐—œResearchers from Palo Alto Networks have identified two vulnerabilities in ...
25/07/2024

๐—ฃ๐—ผ๐˜๐—ฒ๐—ป๐˜๐—ถ๐—ฎ๐—น ๐—ฉ๐˜‚๐—น๐—ป๐—ฒ๐—ฟ๐—ฎ๐—ฏ๐—ถ๐—น๐—ถ๐˜๐—ถ๐—ฒ๐˜€ ๐—ถ๐—ป ๐—Ÿ๐—ฎ๐—ป๐—ด๐—–๐—ต๐—ฎ๐—ถ๐—ป ๐—š๐—ฒ๐—ป ๐—”๐—œ

Researchers from Palo Alto Networks have identified two vulnerabilities in LangChain, a popular open-source generative AI framework with over 81,000 stars on GitHub. The vulnerabilities, CVE-2023-46229 and CVE-2023-44467, affected LangChain and its experimental version, respectively.

These flaws could have allowed attackers to execute arbitrary code and access sensitive data. LangChain has since issued patches to resolve these vulnerabilities. Palo Alto Networks advises users to update to the latest version to ensure protection. The company also highlights how their products, such as Next-Generation Firewall, Prisma Cloud, and Cortex XDR, provide additional security against these types of attacks.

LangChain is widely used for LLM app development, offering components for integrating advanced LLM capabilities into applications. The identified vulnerabilities were promptly addressed by LangChain, but they underscore the importance of rigorous validation and continuous monitoring in AI-driven development.

๐—™๐—ฟ๐—ผ๐˜€๐˜๐˜†๐—š๐—ผ๐—ผ๐—ฝ ๐— ๐—ฎ๐—น๐˜„๐—ฎ๐—ฟ๐—ฒ ๐——๐—ถ๐˜€๐—ฟ๐˜‚๐—ฝ๐˜๐˜€ ๐—›๐—ฒ๐—ฎ๐˜๐—ถ๐—ป๐—ด ๐—ถ๐—ป ๐Ÿฒ๐Ÿฌ๐Ÿฌ ๐—จ๐—ธ๐—ฟ๐—ฎ๐—ถ๐—ป๐—ถ๐—ฎ๐—ป ๐—”๐—ฝ๐—ฎ๐—ฟ๐˜๐—บ๐—ฒ๐—ป๐˜ ๐—•๐˜‚๐—ถ๐—น๐—ฑ๐—ถ๐—ป๐—ด๐˜€A previously unseen malware, dubbed FrostyGoop, ...
24/07/2024

๐—™๐—ฟ๐—ผ๐˜€๐˜๐˜†๐—š๐—ผ๐—ผ๐—ฝ ๐— ๐—ฎ๐—น๐˜„๐—ฎ๐—ฟ๐—ฒ ๐——๐—ถ๐˜€๐—ฟ๐˜‚๐—ฝ๐˜๐˜€ ๐—›๐—ฒ๐—ฎ๐˜๐—ถ๐—ป๐—ด ๐—ถ๐—ป ๐Ÿฒ๐Ÿฌ๐Ÿฌ ๐—จ๐—ธ๐—ฟ๐—ฎ๐—ถ๐—ป๐—ถ๐—ฎ๐—ป ๐—”๐—ฝ๐—ฎ๐—ฟ๐˜๐—บ๐—ฒ๐—ป๐˜ ๐—•๐˜‚๐—ถ๐—น๐—ฑ๐—ถ๐—ป๐—ด๐˜€

A previously unseen malware, dubbed FrostyGoop, disrupted industrial processes in a cyberattack against a district energy company in Lviv, Ukraine, during January 2024, leaving residents of over 600 apartment buildings without heat for two days in sub-zero temperatures.

The attack, targeting temperature controllers of the municipal district energy company, altered controller values to falsely indicate higher temperatures, resulting in the circulation of cold water instead of heated water.

The Cyber Security Situation Center (CSSC) of Ukraine, in collaboration with Dragos, revealed that FrostyGoop, the ninth malware identified to target industrial control systems (ICS), used the Modbus protocol to communicate with and manipulate these systems.

Dragos' analysis indicated the malware, written in Golang for Windows and communicating over Modbus TCP port 502, could potentially disrupt various ICS devices globally due to Modbus' widespread and poorly secured usage.

The attack originated in April 2023 when intruders exploited a vulnerability in a MikroTik router, deploying a web shell and later conducting the attack remotely from a Moscow-based IP address.

Dragos emphasized the need for better OT network security, including removing Modbus-exposed devices from the internet and enhancing ICS visibility and monitoring, to mitigate such threats. Although FrostyGoop specifically targets vulnerable, low-security systems, it highlights the pressing need for improved cybersecurity measures in critical infrastructure sectors.
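The ICS visibility Dragos recommends starts with seeing Modbus writes on the wire. The detector below is an added example (not Dragos's code): it parses the MBAP header and function code of each frame sent to TCP port 502 and alerts on write functions from any host outside an allow-list of engineering stations. The allow-list, addresses and sample frames are constructed.

```python
# Added example, not Dragos's code: a small Modbus/TCP write detector for OT
# network monitoring. It parses the MBAP header and function code of each frame
# sent to port 502 and alerts on write functions from any host outside an
# allow-list of engineering stations. Allow-list, addresses and frames below
# are constructed for the example.
import struct
from typing import Dict, List, Optional, Tuple

MODBUS_PORT = 502
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
                   0x17: "Read/Write Multiple Registers"}
ALLOWED_WRITERS = {"10.10.1.5"}          # constructed engineering workstation


def parse_modbus_tcp(payload: bytes) -> Optional[Dict[str, int]]:
    """Decode MBAP header + function code; return None for non-Modbus payloads."""
    if len(payload) < 8:
        return None
    txid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None                       # protocol id must be 0; length covers unit id + PDU
    func = payload[7]
    frame = {"txid": txid, "unit": unit, "function": func}
    if func in (0x06, 0x10) and len(payload) >= 12:
        # FC6: register address + value; FC16: start address + quantity
        frame["address"], frame["value_or_qty"] = struct.unpack("!HH", payload[8:12])
    return frame


def detect_writes(flows: List[Tuple[str, str, int, bytes]]) -> List[str]:
    """flows: (src_ip, dst_ip, dst_port, payload). Alert on writes from unexpected hosts."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != MODBUS_PORT:
            continue
        frame = parse_modbus_tcp(payload)
        if frame is None or frame["function"] not in WRITE_FUNCTIONS:
            continue
        if src not in ALLOWED_WRITERS:
            alerts.append(f"{src} -> {dst} unit {frame['unit']}: "
                          f"{WRITE_FUNCTIONS[frame['function']]} "
                          f"addr={frame.get('address')} value/qty={frame.get('value_or_qty')}")
    return alerts


# Constructed sample traffic: a read poll, a legitimate write, two rogue writes, non-Modbus
SAMPLE_FLOWS = [
    ("10.10.1.5",   "10.10.2.20", 502, bytes.fromhex("000100000006010300000002")),  # FC3 read
    ("10.10.1.5",   "10.10.2.20", 502, bytes.fromhex("000200000006010600100050")),  # FC6, allowed host
    ("203.0.113.7", "10.10.2.20", 502, bytes.fromhex("000300000006010600100050")),  # FC6, outside host
    ("203.0.113.7", "10.10.2.20", 502, bytes.fromhex("00040000000B0110002000020400190014")),  # FC16
    ("203.0.113.7", "10.10.2.20", 80,  b"GET / HTTP/1.1\r\n"),                       # not Modbus
]

if __name__ == "__main__":
    for alert in detect_writes(SAMPLE_FLOWS):
        print("ALERT", alert)
```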

๐—”๐˜๐˜๐—ฒ๐—ป๐˜๐—ถ๐—ผ๐—ป ๐—š๐—ฟ๐—ฎ๐—ป๐—ฑ ๐—ง๐—ต๐—ฒ๐—ณ๐˜ ๐—”๐˜‚๐˜๐—ผ ๐—™๐—ฎ๐—ป๐˜€! ๐—™๐—ฎ๐—ธ๐—ฒ ๐—š๐—ง๐—” ๐—ฉ๐—œ ๐—•๐—ฒ๐˜๐—ฎ ๐——๐—ผ๐˜„๐—ป๐—น๐—ผ๐—ฎ๐—ฑ ๐——๐—ถ๐˜€๐˜๐—ฟ๐—ถ๐—ฏ๐˜‚๐˜๐—ฒ๐˜€ ๐— ๐—ฎ๐—น๐˜„๐—ฎ๐—ฟ๐—ฒGrand Theft Auto (GTA) is a household name...
23/07/2024

๐—”๐˜๐˜๐—ฒ๐—ป๐˜๐—ถ๐—ผ๐—ป ๐—š๐—ฟ๐—ฎ๐—ป๐—ฑ ๐—ง๐—ต๐—ฒ๐—ณ๐˜ ๐—”๐˜‚๐˜๐—ผ ๐—™๐—ฎ๐—ป๐˜€! ๐—™๐—ฎ๐—ธ๐—ฒ ๐—š๐—ง๐—” ๐—ฉ๐—œ ๐—•๐—ฒ๐˜๐—ฎ ๐——๐—ผ๐˜„๐—ป๐—น๐—ผ๐—ฎ๐—ฑ ๐——๐—ถ๐˜€๐˜๐—ฟ๐—ถ๐—ฏ๐˜‚๐˜๐—ฒ๐˜€ ๐— ๐—ฎ๐—น๐˜„๐—ฎ๐—ฟ๐—ฒ

Grand Theft Auto (GTA) is a household name in gaming, and Rockstar Games, the developer behind GTA, has announced the release of Grand Theft Auto VI in Autumn 2025 for PS5 and Xbox Series, which has got fans all excited.

However, this presents threat actors with the perfect opportunity to exploit fans, with Bitdefender researchers detecting suspicious Facebook ads promoting fake beta versions for free download on PC. Social media users, particularly those following GTA content, might encounter sponsored ads promising early access to a non-existent GTA VI beta.

These ads often showcase tempting features, early release dates, and even include convincing-looking gameplay footage, likely stolen from 2022's Rockstar data breach and other sources. According to Bitdefender's report, between July 16 and 18, researchers came across a page promoting free access to the GTA beta version for the first 100 people through sponsored ads.

This page was running three different ads all using the same message and visuals, targeting people aged 18-65. The malicious domain used in the ad was created on June 27, 2024, and was also hosting another Ethereum scam. Users in Europe, including France, Poland, Romania, Germany, Spain, Hungary, Italy, Greece, the Netherlands, and Sweden, were the primary targets.

Security researcher Andrei Mogage's analysis revealed that the MSI file downloaded through the Facebook ad impersonated a legitimate GTA VI installer and mimicked the installation process. The file shared similarities with FakeBat loader malware that deployed malicious payloads and PowerShell scripts to download next-stage malware like info-stealers and RATs. Clicking the ad leads to a website mimicking a legitimate download page. Here, a user might be prompted to download an 'exclusive beta client' or complete a survey to gain access.

These downloads aren't beta versions; they're malware in disguise. It is worth noting that Rockstar Games has not announced a beta program for GTA VI. The three malicious samples available for download from the ads were "broken" and could not execute payloads or exfiltrate data. As of July 19, none of these malicious ads remain active. While the reported malicious ads may be removed, there could be hundreds of such malicious ads currently running on social media, especially Facebook, which is known for approving malicious ads.

In February 2024, Savvy Seahorse, a DNS threat actor, was found using Facebook ads to promote and lure unsuspecting victims into its investment scams. In November 2023, Facebook displayed AI-generated "provocative" ads that spread NodeStealer malware. Back in April 2021, Facebook approved an advertisement that displayed and distributed a Facebook Messenger phishing link.

๐—ก๐—ผ๐—ฟ๐˜๐—ต ๐—ž๐—ผ๐—ฟ๐—ฒ๐—ฎ ๐—ฆ๐˜‚๐˜€๐—ฝ๐—ฒ๐—ฐ๐˜๐—ฒ๐—ฑ ๐—ผ๐—ณ ๐—›๐—ฎ๐—ฐ๐—ธ๐—ถ๐—ป๐—ด ๐—œ๐—ป๐—ฑ๐—ถ๐—ฎ๐—ป ๐—–๐—ฟ๐˜†๐—ฝ๐˜๐—ผ ๐—˜๐˜…๐—ฐ๐—ต๐—ฎ๐—ป๐—ด๐—ฒ ๐—ช๐—ฎ๐˜‡๐—ถ๐—ฟ๐—ซIndian crypto exchange WazirX has revealed it lost virtual...
22/07/2024

๐—ก๐—ผ๐—ฟ๐˜๐—ต ๐—ž๐—ผ๐—ฟ๐—ฒ๐—ฎ ๐—ฆ๐˜‚๐˜€๐—ฝ๐—ฒ๐—ฐ๐˜๐—ฒ๐—ฑ ๐—ผ๐—ณ ๐—›๐—ฎ๐—ฐ๐—ธ๐—ถ๐—ป๐—ด ๐—œ๐—ป๐—ฑ๐—ถ๐—ฎ๐—ป ๐—–๐—ฟ๐˜†๐—ฝ๐˜๐—ผ ๐—˜๐˜…๐—ฐ๐—ต๐—ฎ๐—ป๐—ด๐—ฒ ๐—ช๐—ฎ๐˜‡๐—ถ๐—ฟ๐—ซ

Indian crypto exchange WazirX has revealed it lost virtual assets valued at over $230 million after a cyber attack that has since been linked to North Korea. According to a post WazirX made on X late on Thursday, the attack targeted one of its multi-signature wallets, digi-cash lockers designed to offer superior security by requiring multiple private keys to authorize a transaction.

WazirX's transaction verification process requires approval by multiple parties. The hacked wallet had six signatories: five from the WazirX team and one from Liminal. Most transactions on the WazirX platform require approval from three of the company's signatories, plus final approval from Liminal's signatory.

The attack exploited a discrepancy between Liminal's interface and the actual transaction data, allowing the attacker to gain control of the wallet and bypass the multi-signature security measures, WazirX explained. After discovering the breach, WazirX halted all crypto withdrawals, blocked some deposits, and reached out to affected wallet owners for recovery assistance.

The crypto exchange described the incident as a "force majeure" event, a term usually reserved for natural disasters or wars. WazirX claimed it took all necessary steps to protect customer assets but acknowledged the cyber attackers breached security features.

The exchange is actively working to locate and recover the stolen funds. Blockchain analytics platform Lookchain published a breakdown of the stolen WazirX assets, suggesting the thief is already seeking buyers. UK-based blockchain analytics firm Elliptic noted the thief has started swapping stolen tokens for Ether using decentralized services, and concluded the attackers are affiliated with North Korea.

North Korea has turned to cryptocurrency as a source of funds amid international sanctions, allegedly running crypto-stealing operations to fund its nuclear weapons program and enrich the ruling family. WazirX, claiming roughly 16 million users, was acquired in 2019 by Binance, though ownership disputes remain.

Binance was suspended from operating in India in December 2023 for violating anti-money laundering rules but was cleared to operate again last month, subject to a $2.25 million fine. WazirX also faced regulatory issues in India, with $8.1 million frozen in August 2022 as part of money laundering investigations.

Legislation to regulate cryptocurrency in India is still under consideration. Joanna Cheng, associate general counsel at NYC-based cryptocurrency custody and security firm Fireblocks, stated the industry would benefit from clear regulatory expectations on security standards, risk management, and consumer protection.

๐—จ๐—ฟ๐—ด๐—ฒ๐—ป๐˜ ๐—จ๐—ฝ๐—ฑ๐—ฎ๐˜๐—ฒ ๐—ณ๐—ผ๐—ฟ ๐—ช๐—ฃ ๐—ง๐—ถ๐—บ๐—ฒ ๐—–๐—ฎ๐—ฝ๐˜€๐˜‚๐—น๐—ฒ ๐—ฃ๐—น๐˜‚๐—ด๐—ถ๐—ป ๐——๐˜‚๐—ฒ ๐˜๐—ผ ๐—–๐—ฟ๐—ถ๐˜๐—ถ๐—ฐ๐—ฎ๐—น ๐—ฆ๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜† ๐—™๐—น๐—ฎ๐˜„Security researchers have discovered a vulnerabili...
18/07/2024

๐—จ๐—ฟ๐—ด๐—ฒ๐—ป๐˜ ๐—จ๐—ฝ๐—ฑ๐—ฎ๐˜๐—ฒ ๐—ณ๐—ผ๐—ฟ ๐—ช๐—ฃ ๐—ง๐—ถ๐—บ๐—ฒ ๐—–๐—ฎ๐—ฝ๐˜€๐˜‚๐—น๐—ฒ ๐—ฃ๐—น๐˜‚๐—ด๐—ถ๐—ป ๐——๐˜‚๐—ฒ ๐˜๐—ผ ๐—–๐—ฟ๐—ถ๐˜๐—ถ๐—ฐ๐—ฎ๐—น ๐—ฆ๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ถ๐˜๐˜† ๐—™๐—น๐—ฎ๐˜„

Security researchers have discovered a vulnerability in the Backup and Staging by WP Time Capsule plugin, affecting versions 1.22.20 and below. This WordPress plugin, with over 20,000 active installations, facilitates website backups and update management through cloud-native file versioning systems. However, a flaw allowed unauthorized users to exploit a broken authentication mechanism, potentially gaining administrative access to affected sites.

The vulnerability, found by Patchstack, stemmed from a logical error in the plugin's code, specifically in the wptc-cron-functions.php file. Attackers could bypass critical authentication checks by manipulating JSON-encoded POST data to elevate their privileges and log in as site administrators.

Patchstack explained that the flaw allowed any unauthenticated user to log into the site as an administrator with a single request, provided the plugin was set up with a connection to the wptimecapsule.com site. The issue was reported to the plugin developers on July 3, who quickly released version 1.22.20 within six hours to mitigate the initial vulnerability. However, the initial patch was only partially effective, leading to the release of version 1.22.21 on July 12, which included a more robust security fix involving additional hash comparisons to prevent further exploitation.

Patchstack emphasized the importance of rigorous security protocols in plugin development for WordPress and other platforms, recommending proper access control and authorization checks when writing functions that involve setting the authorization of a request based on user input variables. Users of the WP Time Capsule plugin are strongly advised to update to version 1.22.21 or later immediately to ensure their sites are protected.

๐—™๐—ฎ๐—ฐ๐—ฒ๐—ฏ๐—ผ๐—ผ๐—ธ ๐—”๐—ฑ๐˜€ ๐—ณ๐—ผ๐—ฟ ๐—ช๐—ถ๐—ป๐—ฑ๐—ผ๐˜„๐˜€ ๐——๐—ฒ๐˜€๐—ธ๐˜๐—ผ๐—ฝ ๐—ง๐—ต๐—ฒ๐—บ๐—ฒ๐˜€ ๐——๐—ถ๐˜€๐˜๐—ฟ๐—ถ๐—ฏ๐˜‚๐˜๐—ฒ ๐—œ๐—ป๐—ณ๐—ผ-๐—ฆ๐˜๐—ฒ๐—ฎ๐—น๐—ถ๐—ป๐—ด ๐— ๐—ฎ๐—น๐˜„๐—ฎ๐—ฟ๐—ฒCybercriminals are exploiting Facebook business ...
17/07/2024

๐—™๐—ฎ๐—ฐ๐—ฒ๐—ฏ๐—ผ๐—ผ๐—ธ ๐—”๐—ฑ๐˜€ ๐—ณ๐—ผ๐—ฟ ๐—ช๐—ถ๐—ป๐—ฑ๐—ผ๐˜„๐˜€ ๐——๐—ฒ๐˜€๐—ธ๐˜๐—ผ๐—ฝ ๐—ง๐—ต๐—ฒ๐—บ๐—ฒ๐˜€ ๐——๐—ถ๐˜€๐˜๐—ฟ๐—ถ๐—ฏ๐˜‚๐˜๐—ฒ ๐—œ๐—ป๐—ณ๐—ผ-๐—ฆ๐˜๐—ฒ๐—ฎ๐—น๐—ถ๐—ป๐—ด ๐— ๐—ฎ๐—น๐˜„๐—ฎ๐—ฟ๐—ฒ

Cybercriminals are exploiting Facebook business pages and advertisements to distribute the SYS01 password-stealing malware by promoting fake Windows themes.

Trustwave researchers observed that the threat actors also push fake downloads for pirated games, software, Sora AI, 3D image creator, and One Click Active. These campaigns, leveraging Facebook's massive reach, pose a significant threat as the ads promote free game downloads and software activation cracks for popular applications.

Threat actors either create new Facebook business pages or hijack existing ones, renaming them to match their advertisement themes and exploit the existing follower base. Thousands of ads per campaign direct users to fake download pages hosted on Google Sites or True Hosting, which offer free software and game downloads. However, these downloads contain the SYS01 malware, first discovered by Morphisec in 2022, designed to steal browser cookies, saved credentials, browser history, and cryptocurrency wallets.

The malware also uses Facebook cookies to steal account information, including personal data and advertising account details. The stolen data is stored temporarily before being sent to the attackers, who can sell it or use it to breach further accounts. Trustwave has also seen similar malvertising profiles on LinkedIn and YouTube, emphasizing the need for social media users to remain vigilant.

This campaign marks a shift in the SYS01 malware's delivery method from adult-themed clickbaits to targeting a general audience with ads for Windows themes and AI-based software tools. In February, Trustwave reported a similar campaign involving the Ov3r_Stealer malware.

๐— ๐—ฎ๐—น๐˜ƒ๐—ฒ๐—ฟ๐˜๐—ถ๐˜€๐—ถ๐—ป๐—ด ๐—–๐—ฎ๐—บ๐—ฝ๐—ฎ๐—ถ๐—ด๐—ป ๐—ง๐—ฎ๐—ฟ๐—ด๐—ฒ๐˜๐˜€ ๐— ๐—ฎ๐—ฐ ๐—จ๐˜€๐—ฒ๐—ฟ๐˜€ ๐˜„๐—ถ๐˜๐—ต ๐—™๐—ฎ๐—ธ๐—ฒ ๐— ๐—ถ๐—ฐ๐—ฟ๐—ผ๐˜€๐—ผ๐—ณ๐˜ ๐—ง๐—ฒ๐—ฎ๐—บ๐˜€ ๐—”๐—ฑA sophisticated malvertising campaign is targeting M...
16/07/2024

๐— ๐—ฎ๐—น๐˜ƒ๐—ฒ๐—ฟ๐˜๐—ถ๐˜€๐—ถ๐—ป๐—ด ๐—–๐—ฎ๐—บ๐—ฝ๐—ฎ๐—ถ๐—ด๐—ป ๐—ง๐—ฎ๐—ฟ๐—ด๐—ฒ๐˜๐˜€ ๐— ๐—ฎ๐—ฐ ๐—จ๐˜€๐—ฒ๐—ฟ๐˜€ ๐˜„๐—ถ๐˜๐—ต ๐—™๐—ฎ๐—ธ๐—ฒ ๐— ๐—ถ๐—ฐ๐—ฟ๐—ผ๐˜€๐—ผ๐—ณ๐˜ ๐—ง๐—ฒ๐—ฎ๐—บ๐˜€ ๐—”๐—ฑ

A sophisticated malvertising campaign is targeting Mac users searching for Microsoft Teams, highlighting the growing competition among malware creators in the macOS ecosystem. This latest attack, which uses Atomic Stealer malware, follows closely on the heels of the Poseidon (OSX.RodStealer) project, indicating growing advancements in threats affecting macOS.

The deceptive Microsoft Teams for macOS ad campaign, which ran for several days, employed advanced filtering techniques to evade detection. Appearing as a top search result for Microsoft Teams, the ad displayed microsoft.com as its URL but actually redirected users through a series of deceptive links.

The ad was likely paid for by a compromised Google ad account. Initially, the ad redirected straight to Microsoft's website, but after multiple attempts and tweaks, a full attack chain was finally observed. Researchers from Malwarebytes stated that upon clicking the ad, users were subjected to a profiling process to ensure only actual people proceeded, helping the malicious site evade detection from automated security tools and scans.

A cloaking domain separated the initial redirect from the malicious landing page, which mimicked the design of the official Microsoft Teams download site. The ad, with a display URL showing Microsoft.com, led to a fake installation page. The advertiser, located in Hong Kong, runs over a thousand unrelated ads.

Further investigation revealed that the ad used a unique payload for each visitor, generated from a domain called locallyhyped.com. Once the downloaded file was opened, users were instructed to enter their password and grant access to the file system, allowing the malicious application to steal keychain passwords and important files. The data was then exfiltrated via a single POST request to a remote attacker-controlled web server.

To avoid such attacks, researchers advised caution when downloading applications via search engines. Using browser protection tools with the ability to block ads and malicious websites, regularly updating antivirus software, and employing a reputable ad blocker can help minimize the risk of malware infection.

This campaign underscores the increasing sophistication of macOS malware due to the keen interest demonstrated by threat actors in compromising the operating system's environment. Last year, researchers from Cyble Research and Intelligence Labs (CRIL) observed that the Atomic Stealer used in this campaign had been offered via Telegram at the price of $1000 USD per month.

Address

Park View Edifice Building
Hyderabad
500033

Opening Hours

Monday 9am - 5pm
Tuesday 9am - 5pm
Wednesday 9am - 5pm
Thursday 9am - 5pm
Friday 9am - 5pm
Saturday 9am - 5pm
