Thursday, April 22, 2021

Hackers Are Using Telegram to Spread Malware and Control the System

Check Point researchers identified more than 130 cyber attacks using a Remote Access Trojan called ToxicEye. The malware is managed by cybercriminals through the Telegram messenger app.

As per Check Point Research, there is a new trend among cybercriminals: Telegram is used as a command-and-control system to spread malware. Even when the popular application is not installed or not in use on the victim's machine, the system allows attackers to send malicious commands and operations remotely.

Check Point Research explained that they identified more than 130 cyber attacks that resorted to a Remote Access Trojan (RAT) called ToxicEye, which communicates with the attackers' servers and sends all the collected data there.

ToxicEye is spread via phishing emails carrying malicious .exe attachments. Once the victim opens them, these files install the malware on the victim's machine and launch a series of operations that go undetected.

The malware can carry out a range of actions without the victim's knowledge:

  • Data theft
  • Deleting or transferring files
  • Encrypting files for a ransom (ransomware)
  • Remote control and I/O hijacking
  • Installation of a keylogger
  • Hijacking the computer's microphone and camera to record audio and video

How the Infection Chain Works -

The researcher mentioned: “The attacker first creates a Telegram account and a Telegram ‘bot.’ A Telegram bot account is a special remote account with which users can interact by Telegram chat or by adding them to Telegram groups, or by sending requests directly from the input field by typing the bot’s Telegram username and a query.”

The attacker embeds the Telegram bot into the ToxicEye RAT configuration file and compiles it into an executable; this executable (.exe) can also be embedded in a Word document. When the victim opens the document or email attachment, the .exe is installed on the computer and infects it. The victim's computer can then be reached via the Telegram bot, and the attackers control the system.




Cybercriminals treat Telegram as an essential part of their attacks: it allows them to remain anonymous, since registration only requires a mobile number, and the Telegram messaging app is not blocked by antivirus solutions or network security tools.

Attackers can easily extract data from users' equipment or push new malicious files to infected devices. They can use their mobile phone to access infected computers from any location in the world.

How to identify whether your system is compromised, and tips to strengthen security

  1. Search for the RAT file - First of all, search your computer for the file rat.exe at the following location (without quotes): “C:\Users\ToxicEye\rat.exe”. If this file exists on your computer, you must immediately contact your helpdesk and delete the file.
  2. Traffic monitoring - Monitor the traffic generated from your personal or organization's systems to Telegram C&C accounts. If you see such traffic and Telegram is not installed as a business solution, this is an indication that the system has been compromised.
  3. Identify phishing or malicious emails - Be wary of attachments whose file name contains a username, because malicious or spam emails often use your username as the subject line or as the attachment name. Treat such emails as suspicious: do not open the attachments, delete the email immediately and do not reply to the sender. An email from an unlisted or undisclosed sender is a further indication that it is malicious or phishing.
  4. Anti-phishing software - To minimize the risk of phishing attacks for an organization, deploy AI-based anti-phishing software that can identify and block malicious content across all communication services (e.g. email) and platforms (e.g. computers, handheld devices).
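Tips 1 and 2 above can be turned into a simple check. The following is an added example, not part of the Check Point research or the original post: it matches the known drop path against a constructed file inventory and flags Telegram Bot API traffic in constructed Squid-style proxy lines from hosts that are not on an assumed allow-list of machines where Telegram is sanctioned.

```python
import re

# Indicators taken from the write-up above: the RAT's drop location and the
# Telegram Bot API host that the RAT's bot traffic goes through.
RAT_PATH = r"C:\Users\ToxicEye\rat.exe"
TELEGRAM_API_HOST = "api.telegram.org"
# Hosts where Telegram is sanctioned as a business tool (assumed allow-list).
APPROVED_TELEGRAM_HOSTS = {"10.0.5.21"}

# Squid-style access log: <epoch> <ms> <client> <result> <bytes> <method> <url>
PROXY_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)
# Bot API URLs look like /bot<token>/<method>; we keep the method, never the token.
BOT_CALL = re.compile(r"/bot[^/]+/(\w+)")

def flag_telegram_c2(lines):
    """One finding per proxy line that reaches the Telegram Bot API from a host
    that is not approved to run Telegram (tip 2 in the list above)."""
    findings = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if not m or TELEGRAM_API_HOST not in m.group("url"):
            continue
        if m.group("src") in APPROVED_TELEGRAM_HOSTS:
            continue
        call = BOT_CALL.search(m.group("url"))
        findings.append({
            "src": m.group("src"),
            "method": m.group("method"),
            # None for CONNECT tunnels, where only the host name is visible
            "bot_method": call.group(1) if call else None,
        })
    return findings

def flag_rat_path(paths):
    """Case-insensitive match of the known drop location (tip 1) in a file inventory."""
    wanted = RAT_PATH.lower()
    return [p for p in paths if p.lower() == wanted]

# Constructed sample data: one approved host, one unapproved host polling the
# Bot API (a CONNECT tunnel and a plain-HTTP getUpdates), and unrelated traffic.
SAMPLE_PROXY_LOG = [
    "1619084400.123 45 10.0.5.21 TCP_TUNNEL/200 5120 CONNECT api.telegram.org:443",
    "1619084401.456 12 10.0.7.88 TCP_TUNNEL/200 980 CONNECT api.telegram.org:443",
    "1619084402.789 8 10.0.7.88 TCP_MISS/200 1320 GET http://api.telegram.org/botPLACEHOLDER_TOKEN/getUpdates",
    "1619084403.000 30 10.0.7.90 TCP_MISS/200 2048 GET http://updates.example.invalid/patch.cab",
]
SAMPLE_FILE_INVENTORY = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\ToxicEye\RAT.exe",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for f in flag_telegram_c2(SAMPLE_PROXY_LOG): print("Telegram C&C traffic:", f)
    for p in flag_rat_path(SAMPLE_FILE_INVENTORY): print("RAT drop path present:", p)
```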

Friday, April 16, 2021

New WhatsApp Vulnerabilities could have allowed Attackers to Hack Android Mobile Remotely

 

WhatsApp's technical team recently addressed two security vulnerabilities in WhatsApp for Android. According to security researchers, remote attackers could have exploited these vulnerabilities to execute malicious code on a target device.

The flaws enable “man-in-the-disk” attacks, which become possible when mobile apps use external storage that is shared across all applications: an attacker can manipulate data being exchanged between the mobile app and the external storage.

Census Labs researchers reported one of the two issues (CVE-2021-24027) and said: “We will show how the two aforementioned WhatsApp vulnerabilities would have made it possible for attackers to remotely collect TLS cryptographic material for TLS 1.3 and TLS 1.2 sessions.”

“With the TLS secrets at hand, we will demonstrate how a man-in-the-middle (MitM) attack can lead to the compromise of WhatsApp communications, to remote code execution on the victim device and to the extraction of Noise protocol keys used for end-to-end encryption in user communications.”




The CVE-2021-24027 vulnerability, affecting WhatsApp for Android prior to v2.21.4.18 and WhatsApp Business for Android prior to v2.21.4.18, leverages Chrome's content-provider support in Android and can allow an attacker with access to the device’s external storage to read cached TLS material. An attacker can send a specially crafted HTML file to a victim over WhatsApp which, once opened in the victim’s browser, executes the attacker’s code contained in the HTML file.

"All an attacker has to do is lure the victim into opening an HTML document attachment. WhatsApp will render this attachment in Chrome, over a content provider, and the attacker's Javascript code will be able to steal the stored TLS session keys." Census Labs researcher Chariton Karamitas said.

“WhatsApp comes with a debugging mechanism that allows its development team to catch fatal errors happening in the wild during the first few days of a release. More specifically, if an OutOfMemoryError exception is thrown, a custom exception handler is invoked that collects System Information, WhatsApp Application Logs, as well as a dump of the Application Heap (collected using android.os.Debug::dumpHprofData). These are uploaded to crashlogs.whatsapp.net,” as per the report.

Attackers could deliberately trigger the exception to force the data to be sent to the server, and then intercept it.

Google has already addressed this class of issue by introducing the “scoped storage” model in Android 10, which allows each app to access only its own app-specific cache files.

Remediation

The CVE-2021-24027 vulnerability was addressed by WhatsApp with the release of version 2.21.4.18.

WhatsApp users are recommended to update to version 2.21.4.18 to rule out the risk associated with the vulnerability. When reached for a response, the company confirmed that “the ‘keys’ that are used to protect people's messages are not being uploaded to the servers” and that the crash log information does not allow it to access message contents.

Monday, April 5, 2021

Hackers released Facebook User's Leaked Data For Free Download

  

The case of data leakage from Facebook has become a big issue once again, and it is a huge dent in Facebook's security. The sale of the phone number and personal data of Facebook owner Mark Zuckerberg is in the headlines. Reports say that the data of more than 533 million Facebook users from 100 countries around the world has been leaked online.
Now hackers have published the phone numbers and private data of more than 533 million users for free, and anyone with basic knowledge can download and use the leaked Facebook data.
 

What is the risk of the Facebook Data Leak:

Alon Gal, a security expert, discovered a few months ago that Facebook users' phone numbers and personal data were being sold on Telegram through a Telegram bot. Now he has found on a few hacking forums that the same data is being given away by hackers for free, which is a bigger risk for all Facebook users who have not changed their mobile number in a long time.
 
According to Mr. Gal, if you have anyone's Facebook user ID you can find that person's phone number, and vice versa: if you have the person's phone number, you can get their Facebook user ID.
 

Facebook Clarification on Facebook Data Hack:

 
Facebook confirmed that this database was stolen through a security issue that Facebook fixed in 2019. However, experts point out that users do not change their phone numbers frequently, so this data is still valuable to cybercriminals and can be misused.
 
What is Telegram Bot:
 
As Telegram explains in its blog: “Bots are simply Telegram accounts operated by software, not people and they'll often have AI features. They can do anything like teach, play, search, broadcast, remind, connect, integrate with other services, or even pass commands to the Internet of Things.”
 
Why Use a Telegram Bot:
Nowadays hackers use multiple options to earn money by selling hacked information without being traced. A Telegram bot provides automation: each lookup is charged as a credit, for which the buyer had to pay $20, about 1,450 rupees in India.
As per the screenshots, the bot was activated on January 12, 2021, but the database being sold dates from 2019.
 






Preventive Action for Users:

1. Facebook users should not provide all their personal information on social media platforms.
2. If a user has two phone numbers, they should use a different number for social media websites than their personal number.
3. Always use two-factor authentication for login wherever possible.
4. Last but not least, do not make social media platforms part of your life.

Saturday, May 30, 2020

WeTransfer Banned In India, 5 Alternatives of WeTransfer



WeTransfer has become an important service that lets users upload and send large files to other users. The premium version of the service allows sharing of files larger than 2 GB.

While this file-sharing site has helped many users around the world exchange important files during the work-from-home period, Indian users are reporting that the website is no longer accessible. If you are unable to reach WeTransfer.com to send work files, the problem is not your internet connection.

According to a report in The Mumbai Mirror, the Department of Telecommunications has banned the popular file-sharing site WeTransfer.com, citing public interest and national security. The report says that on 18 May the telecom department issued a notice to all internet service providers (ISPs) to block two specific URLs on WeTransfer, and subsequently the entire site.

WeTransfer is suggesting that users use a VPN to access the site.


5 Alternatives to WeTransfer -

If you are also having these problems, there is a solution: you can try the alternative websites mentioned below as a WeTransfer workaround.

Firefox Send-

Firefox Send is Mozilla's file-sharing website and allows users to share files up to 2.5 GB, whereas WeTransfer allows up to 2 GB. Firefox Send does not require a Firefox Account to share files, but without one uploads are limited to 1 GB; Firefox Account users can share files up to 2.5 GB. Firefox Send uses encryption to protect the data from unauthorized access and is completely free.


Dropbox Transfer- 

Dropbox is one of the pioneers of file-sharing services over the Internet. A registered user can send a maximum of 100 GB of data; the free version offers up to 3 GB. File owners can set a password and an expiry date on the transfer, which expires once the date has passed.


Google Drive-

Google Drive is still one of the best file-sharing websites. You can upload files up to 15 GB in the free version and share them with anyone. If you are willing to spend money, you can use the Google One service, which gives access to plans with storage capacities of 100 GB, 200 GB and 2 TB.

 

OneDrive -

OneDrive is Microsoft’s cloud storage service for storing and sharing files. You can upload and share up to 5 GB of files in the free version. Again, if you need more storage and are willing to pay, you can buy a plan with 100 GB.


Send Anywhere –

The Send Anywhere tool allows users to send files up to 10 GB for free. In the free version the website shows a few ads and files expire after 48 hours. The paid Plus version has many benefits, including file sizes up to 1 TB, no ads and no file expiration, file tracking, and improved upload and download speeds.




Saturday, May 16, 2020

REvil Ransomware Attack | Hackers Threaten to Post Trump "Dirty Laundry" And Celebs Secret

A New York-based firm, Grubman Shire Meiselas & Sacks, which offers legal services to the entertainment and media industries with clients including Lady Gaga, Madonna, Elton John, Barbra Streisand, Bruce Springsteen, Mariah Carey, Mary J. Blige and Priyanka Chopra, has been hit by a ransomware attack.

Cybercriminals attacked the law firm using the REvil ransomware (also known as Sodinokibi). The hackers are now threatening to release the 756 gigabytes of data allegedly stolen, including telephone numbers, email addresses, non-disclosure agreements, client contracts and personal correspondence. However, the celebrity law firm is declining to settle, and the attackers have now raised the ransom demand to $42 million and threatened to publish what they claim is "a ton of dirty laundry" about President Trump.

Since this information is in the public domain, you can get further updates from any news channel or website. Here I'm going to share complete details of the REvil ransomware.

 

REvil ransomware -

REvil, also known as Sodinokibi, Bluebackground, or Sodin, is ransomware backed by an underground affiliate program that uses a wide range of tactics to distribute the ransomware and earns a 30% to 40% commission. It appeared in the first half of 2019. It exploited vulnerabilities in remote services such as the Oracle WebLogic platform (CVE-2019-2725) and carried out attacks on managed service providers (MSPs). The Oracle vulnerability was easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack.

Execution Method –

Hackers utilized the CVE-2019-2725 vulnerability to execute a PowerShell command on the Oracle WebLogic server. This allowed them to upload a dropper to the server, which then installed the payload, the Sodin ransomware. Patches for the bug were released in April 2019; however, a similar vulnerability, CVE-2019-2729, was discovered later.

REvil gets onto users’ machines in different ways via MSPs. In some cases, the attackers used the Webroot and Kaseya remote access consoles to implant the Trojan. In other cases, hackers penetrated MSP infrastructure over an RDP connection, escalated privileges, deactivated security solutions and backups, and then pushed the ransomware to client computers.

Sodinokibi, or REvil, ransomware collects some basic system information and saves it to the registry along with the generated encryption parameters. If the dbg option is not set in the config, the UI language and keyboard layout values are checked, and on matching systems the malware simply exits.

Business Model –

Sodinokibi, or REvil, ransomware operates on a Ransomware-as-a-Service (RaaS) model. Sodinokibi has 41 active affiliates. Each affiliate's build of Sodinokibi is customized with a unique ID so that they can receive payments. Sodinokibi affiliates keep 60 to 70 percent of every ransom payment.

In July 2019, Sodinokibi's advertisers, posting under the name UNKN, published a recruitment announcement on a popular hacking forum. The advertisement said they were looking for experienced individuals to expand their activity, and that it was a private operation with a "limited number of seats" available.

The forum post stressed that it is forbidden to do business in the Commonwealth of Independent States (CIS) region, including Ukraine, Russia, Belarus, and Moldova.

Some of their attacks following that hiring drive are listed below.

  • August 2019: Sodin attacked 22 local administrations in Texas and demanded a collective ransom of $2.5 million.
  • August 2019: The hackers attacked a remote data backup service and encrypted files from dental practices in the U.S.
  • December 2019: They hit another IT vendor serving hundreds of dentistry practices, infecting clients’ computers by exploiting a vulnerable remote access tool.
  • December 2019: They claimed an attack against the CyrusOne data center. According to UNKN's claim, they stole files from the company before encrypting its network.
  • December 2019: The developers changed their ransom note over the holidays to include a new message wishing the victims a "Merry Christmas and Happy Holidays".
  • December 2019: They attacked Travelex, and the company had to take all its computer systems offline.
  • January 2020: Sodinokibi threatened to publish data stolen from GEDIA Automotive Group, a German automotive supplier. They published an MS Excel spreadsheet containing an AdRecon report with information on an Active Directory environment.
  • February 2020: The operators of the Sodinokibi ransomware (REvil) started urging affiliates to copy their victims' data before encrypting computers.
  • February 2020: The operators of Sodinokibi published download links to files containing what they claim are financial and work documents and customers' personal data stolen from U.S. fashion house Kenneth Cole Productions.

 

Prevention –  

We recommend the following actions to prevent these kinds of ransomware attacks.

  • Be a little more vigilant and do not open dubious-looking emails.
  • Maintain up-to-date backups of the most important files.
  • Take the storage of remote access passwords seriously.
  • Use two-factor authentication.
  • Log and centrally collect web, application, and operating system events.
  • Restrict the account access used to run the WebLogic process.
  • Monitor egress network communications from data center systems.
  • Watch for unexpected activity by service or system accounts (e.g. the WebLogic user).
  • Scan and mitigate your vulnerability posture.
  • Restrict outbound data center communications.
  • Always be ready for disaster recovery, including maintaining and testing data backups and recovery.
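The execution method described above (the WebLogic server being made to run a PowerShell command that fetches a dropper) is exactly what the event-logging and service-account monitoring items in this list are meant to catch. The following is an added example, not from the original post or any vendor: it runs over a few constructed process-creation events in an assumed log format and flags command interpreters spawned by the WebLogic JVM under the WebLogic service account, whose name `weblogic` is a placeholder.

```python
import re
from collections import defaultdict

# Assumed name of the service account that runs the WebLogic process (placeholder).
WEBLOGIC_ACCOUNT = "weblogic"
# Command interpreters a Java application server has no reason to launch.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe"}

# Constructed process-creation log, one event per line:
# <iso_ts> host=<name> user=<account> parent=<image> child=<image> cmd="<command line>"
EVENT = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'parent=(?P<parent>\S+)\s+child=(?P<child>\S+)\s+cmd="(?P<cmd>[^"]*)"'
)

def basename(image):
    """Lower-case file name of a Windows image path."""
    return image.lower().rsplit("\\", 1)[-1]

def find_weblogic_shell_spawns(lines):
    """Flag command interpreters spawned by the WebLogic JVM under the WebLogic
    service account. Returns {host: [(timestamp, child, command line), ...]}."""
    findings = defaultdict(list)
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue
        # WebLogic runs inside a JVM, so the parent of interest is java.exe/javaw.exe
        from_jvm = basename(m.group("parent")) in {"java.exe", "javaw.exe"}
        child = basename(m.group("child"))
        if (m.group("user").lower() == WEBLOGIC_ACCOUNT and from_jvm
                and child in SUSPICIOUS_CHILDREN):
            findings[m.group("host")].append((m.group("ts"), child, m.group("cmd")))
    return dict(findings)

# Constructed sample events (paths and commands are placeholders).
SAMPLE_EVENTS = [
    # the pattern the write-up describes: the WebLogic JVM launching PowerShell
    '2019-04-26T10:02:11Z host=wls01 user=weblogic parent=C:\\jdk\\bin\\java.exe '
    'child=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd="powershell.exe -NoProfile -File C:\\Temp\\stage.ps1"',
    # benign: the JVM attaching a console host
    '2019-04-26T10:02:12Z host=wls01 user=weblogic parent=C:\\jdk\\bin\\java.exe '
    'child=C:\\Windows\\System32\\conhost.exe cmd="conhost.exe 0x4"',
    # benign: an administrator opening an interactive shell from Explorer
    '2019-04-26T10:05:00Z host=wls01 user=admin parent=C:\\Windows\\explorer.exe '
    'child=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe"',
    # a second server showing the same pattern with cmd.exe
    '2019-04-26T10:07:45Z host=wls02 user=weblogic parent=C:\\jdk\\bin\\javaw.exe '
    'child=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c whoami"',
]

if __name__ == "__main__":
    for host, events in find_weblogic_shell_spawns(SAMPLE_EVENTS).items():
        for ts, child, cmd in events:
            print(f"{host} {ts}: WebLogic JVM spawned {child}: {cmd}")
```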

 

Conclusion -

Sodinokibi, REvil, Sodin: regardless of what you call it, it is the most dangerous ransomware on the cyberthreat map right now. The REvil attackers use zero-day exploits to distribute the ransomware, and zero-day exploitation can work on otherwise fully patched systems. Its developers seem to always have new, unpredictable tricks up their sleeve, and a flawless crypto implementation means that victims must pay up or lose all their data.