Criminals Use Collaboration Platforms to Spread Malware, Research Finds

Collaboration platforms used by employees have become a prime target for attackers seeking to take advantage of telework and the security risks this new paradigm entails, according to new research.

People — and employees especially — need to stay in touch with friends and coworkers while staying at home. The available collaboration platforms can fill that void, but they also come with security issues that can be difficult to mitigate.

We think of malware as transmitted via back channels or fraudulent messages, but that’s not really the case. Abusing existing collaboration platforms to spread malware is just one of the known methods, and it usually comes with some advantages for attackers.

“Attackers are increasingly abusing the communications platforms that many organizations use to facilitate employee communications,” says Talos in its research. “This allows them to circumvent perimeter security controls and maximize infection capabilities. Over the past year, adversaries are increasingly relying on these platforms as part of the infection process.”

Since these are well-established platforms, it gives an attack more credence and allows attackers to bypass or trick some of the existing security solutions. Criminals don’t limit their use of this platform to just spreading malware, but for component retrieval and C2 and data exfiltration as well.

“The use of applications like Discord and Slack may also provide an additional means to perform the social engineering required to convince potential victims to open malicious attachments,” the researchers also explain.

Victims are more likely to click on links or open attachments if they see messages from colleagues or an established platform. Moreover, rooms controlled by threat actors are also used for communications. For example, Discord has been used to spread some threats, including Thanatos, LimeRAT, Remcos and many others.

For malware delivery, files are transmitted between users by attaching them in channels. “Files are stored within the Content Delivery Network (CDN) that the platform provider operates, allowing server members to access these files as they appeared when they were originally attached,” says Talos.

Of course, because these attacks come from known and trustworthy services and the communication takes place over HTTPS, criminals can more easily obfuscate their content. Adding another layer of compression using known types, such as ACE, ISO, makes it even more difficult to investigate the payloads.

The fact that the same systems are used for content delivery and communication with command and control centers only make it more critical for companies to filter out malicious domains from their networks. Using collaboration platforms for malware distribution looks more and more like a game that’s just started.

Ransomware attack causes supermarket cheese shortage in the Netherlands

  • Company hit with ransomware was unable to deliver food to supermarkets
  • Firm’s director says he suspects hackers exploited Microsoft Exchange Server flaw

Shoppers at Dutch supermarkets may have noticed that some cheeses were in short supply last week, and it was cybercriminals who are to blame.

Branches of Albert Heijn, the largest supermarket chain in the Netherlands, suffered from food shortages after a ransomware attack hit food transportation and logistics firm Bakker Logistiek over the Easter holiday, causing the firm to shut off computer systems and resort to pen and paper.

Inevitably, this impacted shipments from Bakeer Logistiek’s warehouses, with deliveries from the company’s warehouses in Zeewolde, Tilburg and Heerenveen coming to a standstill, and shortages hitting branches of Albert Heijn.

Amongst the food types to be in short supply was prepackaged cheese, for which Albert Heijn apologised on its website.

With a little help from Google Translate, I’m able to decipher that statement from Albert Heijn as:

“Due to a technical malfunction, there is limited availability on prepackaged cheese. The logistics service provider is working hard to solve the problem as quickly as possible to quickly restore availability. We apologize for the inconvenience.”

Of course, the typical shopper isn’t likely to blame the transportation firm, or even the ransomware gang behind the attack. Foodies are most likely to be upset with the supermarket chain whose shelves aren’t fully stocked with cheeses, even though they’ve done nothing wrong.

One local media report, Bakker Logistiek director Toon Verhoeven suspected the attackers might have breached the company’s systems by exploiting the recently revealed flaw in Microsoft Exchange Server.

Verhoeven says that all of Bakker Logistiek’s IT systems are operational once more after six days of recovery, and that should mean that shops will begin to receive deliveries and shelves will be filled again in the coming days.

The company says that it has informed the authorities about the security breach, but is neither confirming or denying whether it paid any ransom to its attackers.

DOJ Charges Texas Resident for Allegedly Planning to ‘Kill About 70% of The Internet”

Last Thursday, a Wichita Falls resident was arrested for allegedly attempting to bomb an AWS data center in Virginia.

According to the US Department of Justice (DOJ), 28-year Seth Aaron Pendley was detained after a concerned citizen alerted authorities to disturbing statements posted on the MyMilitia.com forum.

On March 31, with the help of a confidential source, Pendley got in touch with an FBI agent posing as an explosives dealer.

After taking what he believed to be an explosive device from an undercover law enforcement agent, he was arrested, prosecutors explained. His main goal was to destroy Amazon data centers that, according to him, “run 70% of the internet,” including FBI and CIA services.

“The investigation began after a concerned citizen contacted the FBI on Jan. 8 about alarming statements posted on MyMilitia.com, a forum dedicated to organizing militia groups,” the DOJ said in a press release. “A user who went by the screenname ’Dionysus‘ stated he was planning to ’conduct a little experiment,’ that he said would ’draw a lot of heat‘ and could be ’dangerous.’ When another user asked what outcome Dionysus desired, he responded, ’death.’”

If found guilty, Pendley faces up to 20 years in federal prison.

“We are indebted to the concerned citizen who came forward to report the defendant’s alarming online rhetoric. In flagging his posts to the FBI, this individual may have saved the lives of a number of tech workers,” Acting US Attorney Prerak Shah said.

“We are also incredibly proud of our FBI partners, who ensured that the defendant was apprehended with an inert explosive device before he could inflict real harm. The Justice Department is determined to apprehend domestic extremists who intend to commit violence, no matter what political sentiment drives them to do so.”

Amazon also thanked the FBI in a statement:

“We would like to thank the FBI for their work in this investigation,” the tech giant said. “We take the safety and security of our staff and customer data incredibly seriously and constantly review various vectors for any potential threats. We will continue to retain this vigilance about our employees and customers.”

Security Researchers Find Critical Zero-Day Exploit in Zoom Messenger

SERT Points Russia as Leader in Exploit Kit Development

A couple of security researchers have identified a critical, zero-day vulnerability in Zoom that allowed them to take control of the remote devices without user interaction.

Taking over a remote device, via network, with any input from the victim usually means that it’s a critical vulnerability. Since researchers just demonstrated the exploit chain, no information is available on how it works. We only know that DaanKeuper and Thijs Alkemade from Computest chained three bugs to exploit Zoom messenger.

The only details about the vulnerability appear in a short GIF posted on Twitter by the Zero Day Initiative, the organizers of Pwn2Own, a competition that gathered top white hat hackers from around the world. The researchers compromised a Windows 10 machine with the latest updates and ran the Calculator app.

While the exploit was shown running against Windows systems, MacOS machines are also affected. Zoom already works on a patch to fix the problems, especially since the company is a sponsor of the Pwn2Own Vancouver 2021 competition. Finding out about zero-day vulnerabilities in this type of competition is probably the best-case scenario.

“We are working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue,” said the company in a statement to Tom’s Guide. “The attack must also originate from an accepted external contact or be a part of the target’s same organizational account.”

“As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. If you think you’ve found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center,” they explained.

DaanKeuper and Thijs Alkemade received a $200,000 prize for their efforts.

It’s Never Too Late To Teach Your Kids About Good Digital Practices

Online habits have changed dramatically over the past year, and adults are not the only ones spending more time online. Since the pandemic hit, limits on screen time for kids were tossed out as they turned to online platforms for school classes, activities, games and entertainment.

This increased digital time helped spawn new cyber threats that put their online and physical safety at risk.

While you’re busy online grocery shopping online, banking, or working on a job project, your young ones have other fish to fry in the digital world. They connect with friends, play, and post on social media from the internet-enabled devices in your household.

So whether you’re working from home or heading to the office, it’s essential to teach your child about online threats and the importance of good cyber practices to protect them from online predators, cyberbullying, identity theft and malware:

Take the necessary precautions to ensure your child remains safe online:

  • Keep online accounts private – make the necessary privacy settings available on most online platforms. Doing so can ensure that his profile information can only be seen by close friends and family
  • Ensure they understand the importance of not accepting friend or message requests from strangers – you can never be sure if the individual contacting you has good intentions
  • Encourage limiting the information and photos they post online – you need to assume that any information you share or make public on the internet can be seen or intercepted by anyone
  • Help set up strong, unique passwords for all online accounts and maintain operating systems of smart devices up to date at all times
  • Advise children to always ask for assistance or advice when downloading new apps on their device
  • Urge them never to provide their phone number, home address, school name or other personal information
  • Underline the importance of openly communicating with you and reporting any suspicious activity on their accounts
  • Make sure they never respond to a threatening email, messages, posts, or text message
  • Teach them about email-based threats, phishing  and fake pop-ups that may appear on their screens
  • Watch for any warning signs that suspicious individuals may target your child, such as spending long hours online, phone calls from strangers and withdrawal from family activities
  • Use a security solution with advanced parental control that filters out any inappropriate content and offers the possibility to limit screen time

Profiles and Associated Info of Half a Billion LinkedIn Users For Sale on Hacking Forum

Fact: Half a billion LinkedIn users are in for an unpleasant surprise, as scraped datasets of their profile information are up for sale right now on an underground forum.

The database was auctioned for a four-digit sum (minimum), according to the cyber thief who advertised the trove of user information. To entice buyers, he even provided a leaked sample containing the information of 2 million LinkedIn users. Any prospective buyer can go through the data for a $2 payment in forum credit.

Check if your personal info has been stolen or made public on the internet with Bitdefender’s Digital Identity Protection tool. 

What type of data was leaked?

According to Cybernews researchers who analyzed the samples, the data includes a combo of LinkedIn profiles and associated info, such as user IDs, full names, email addresses, phone numbers, gender, professional titles, job-related descriptions, profile and social media profile links.

A new breach or data-scraping venture?

The archive contains allegedly scraped user profile information from LinkedIn and is not part of a new data breach.

LinkedIn also confirmed the claims provided by the threat actor in a recent Corporate Communications message:

“We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies,” the notification reads. “It does include publicly viewable member profile data that appears to have been scraped from LinkedIn. This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review.”

The online service has also made it clear that any misuse of user data, including web-scraping techniques, clearly violate the platform’s terms of services:

“Any misuse of our members’ data, such as scraping, violates LinkedIn terms of service,” LinkedIn added. “When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable.”

What should victims expect?

Although no sensitive or financial data was included in the leaked files, the information can be exploited by scammers and threat actors to conduct targeted phishing and smishing attacks or even brute-force the password to take over accounts.

The best way to protect your account and professional identity is to keep an eye out for suspicious and unsolicited communications you may receive via email, text message, or the LinkedIn chat feature. Even if account passwords have not been exposed, it’s never a bad idea to change the password for online accounts and enable two-factor authentication.

Since the data leak has already made headlines, threat actors might try to send out phishing emails that urge you to access a fake link to make modifications to your account or change the password.

Don’t click on suspicious links you might receive in your Inbox. Head to the official website and look for notifications.

Belgian Police Crack Encrypted Chat App to Seize $1.65 Billion Worth of Cocaine

Police specialists in Belgium managed to crack an encrypted messaging service, revealing detailed information about cocaine shipments into Antwerp, Belgium.

Belgian police issued a statement this week saying they seized several shipments of cocaine with a street value of 1.4 billion euros ($1.65 billion) after cracking the encryption algorithm of Sky ECC, a supplier of modified phones designed for ultra-private communications.

Since Feb. 20, police systematically seized a total of 27.64 tons of cocaine at the port of Antwerp, including a record shipment of almost 11 tons overnight from 2-3 April, according to the statement, obtained by CNN.

“During a judicial investigation into a potential service criminal organization suspected of knowingly providing encrypted telephones to the criminal environment, police specialists managed to crack the encrypted messages from Sky ECC,” reads the statement.

“This data provides elements in current files, but also opened up new criminal offenses. The international smuggling of cocaine batches plays a prominent role in intercepted reports.”

The FBI recently seized Sky ECC’s website over alleged collusion with international crime rings. The company sold modified Nokia, Google, Apple and BlackBerry handsets stripped of their GPS capabilities, cameras and microphones, and preinstalled with the Sky ECC app, which leveraged elliptic-curve cryptography to secure communications between customers. One of its key features was ‘self-destruction’ of messages after a user-defined expiration period. It also enabled users to enter a ‘panic’ password to instantly wipe the device clean of its contents.

On March 12, 2021, US Department of Justice issued an indictment against Sky Global’s CEO, Jean-Francois Eap, and a former distributor, Thomas Herdman. The indictment states that the Sky Global’s devices are “specifically designed to prevent law enforcement from actively monitoring the communications between members of transnational criminal organizations involved in drug trafficking and money laundering. As part of its services, Sky Global guarantees that messages stored on its devices can and will be remotely deleted by the company if the device is seized by law enforcement or otherwise compromised.”

The police report doesn’t say how Belgian experts managed to break the elliptic-curve encryption algorithm employed by Sky ECC. However, it is known that when ECC is used in virtual machines, an attacker can use an invalid curve to get a complete PDH private key. And in the hypothetical realm, Shor’s algorithm can be used to break elliptic curve cryptography by computing discrete logarithms on a quantum computer, according to Wikipedia.

Watch Out For United Nations COVID-19 Compensation Email Scams

Several COVID-19-related scams continue to tease internet users into believing they are about to receive a large sum on behalf of non-existent United Nations programs, Bitdefender Antispam Lab has learned.

In all versions of the scam, recipients are told they will get the funds after the necessary arrangements are made with the beneficiary that, of course, will need to provide his or her personal and financial information.

Even if recipients are not asked to contribute financially in the initial email, as soon as they reply to the correspondence, scammers will make up reasons for why they can’t send the money. At first, they might ask for a small amount to cover taxes and insurance fees, for example. The fraudsters will continue to ask for money as long as the recipient is willing to pay for the so-called reward or compensation.

COVID-19 version of the Nigerian email scam

In this version of the scam, recipients are contacted by a Cash and Payment Coordinator working with the United Nations, tasked with compensating individuals affected by the pandemic. You are one of the lucky 10 chosen beneficiaries who will receive a whopping 1 million dollars. There’s a catch, though.

“We shall share the money 50/50%. [ie] 50% percent for you and 50% me. All I need is your trust that you will keep my share of the money safe,” the scammer says.

He even tries to explain the reason behind your selection. “I contacted you because we are not related and you are not my known friend, no one will suspect me you are included as a beneficiary, because we are not related. If you are interested.”

A sample of the scam letter can be seen below:

$2.5 million coming soon at an ATM near you

In another version, the fraudsters try to trick recipients into thinking they somehow forgot about their COVID-19 compensation fund of $2.5 million, delayed due to payment processing issues. Luckily, the creditor was keen to remind you of this small fortune, conveniently freed from “Confiscation” just for you.

“So we hereby inform you about the ongoing process for your total fund payment, which has been converted to an ATM Card to free it from Confiscation, and all necessary arrangement over the ATM has been granted on your favor for your payment through our office ATM Card Department,” the fraudulent email reads.

Suppose the beneficiary can’t travel to the office, in Madrid, to complete formalities due to COVID-19 restrictions. In that case, the target is assured that he can withdraw the amount from any ATM.

He simply needs to send his full name, home address, mobile phone, and a copy of his ID to the bank’s credit department.

A sample of the scam can be seen below:

Even if these scams seem uncomplicated and easy to avoid, they still plague the digital world – because they work. Scammers know that the pandemic has left millions in financial hardship, and no matter how preposterous these fraudulent emails may seem, some unsuspecting users fall victim.

If you receive similar emails, delete the message. Do not reply to the sender or provide your personal and financial information.

US Senators Warn Bit-Tech Companies about Data-Gathering Practices

A group of United States senators from both sides of the aisle sent a strongly worded letter to a few major tech companies and advertisers, warning them about the dangers of collecting user data and sharing it with third parties.

The fact that companies gather data about users and their online activities is no secret. Ads served on websites are often based on collected data, but many people don’t know that it happens in real-time. Nor do they know how the companies treat that data after collection.

Senator Ron Wyden, D-Ore, along with Bill Cassidy, R-La., Kirsten Gillibrand, D-N.Y., Mark Warner, D-Va., Sherrod Brown, D-Ohio, and Elizabeth Warren, D-Mass, sent a letter to companies including AT&T, Index Exchange, Google, Magnite, OpenX, PubMatic, Twitter and Verizon. The letter describes a process called ‘real-time bidding’ and questions the gathering of ‘bitstream data.

“Many of the ads we see on our phones, computers, and smart T.V.s are curated through a process called real time bidding,” said the senators. “In the milliseconds before digital ads are displayed, an auction takes place in which hundreds of companies are able to bid for their ad to be shown.”

“While only one company will win the auction, hundreds of firms participating receive sensitive information about the potential recipient of the ad—device identifiers and cookies, web browsing and location data, I.P. addresses, and unique demographic information such as age and gender,” they explain.

Some companies that participate in these auctions keep the data they stored and compile it in comprehensive dossiers about users, which is later sold. Moreover, some federal agencies bought this data in the past.

The senators say this data can easily fall into the hand of other countries, looking to gather information and underline the serious national security risks that this marking tactic raises. The companies that received the letter have to answer to several requests byl May 4:

“Please identify the specific data elements about users, their devices, the websites they are accessing, and apps they are using that you provide to auction participants.

Please identify each company, foreign or domestic, to whom your firm has provided bidstream data in the past three years that is not contractually prohibited from sharing, selling, or using the data for any purpose unrelated to bidding on and delivering an ad.

If your firm has contractual restrictions in place prohibiting the sharing, sale, or secondary use of bidstream data, please detail all efforts to audit compliance with these contractual restrictions and the results of those audits.

Please identify each foreign-headquartered or foreign-majority owned company to whom your firm has provided bidstream data from users in the United States and their devices in the past three years.”

Presumably, the Senators will move forward with legislation regulating the use of this type of data, and this letter is part of the initial stages.

California Man Indicted in Shopify Data Breach

Tassilo Heinrich, a California resident arrested a few months ago by the FBI for alleged involvement in a Shopify data breach, has been indicted by a grand jury.

When we hear of data breaches, we usually assume they’re the work of outsiders, but that’s not always the case. Sometimes, breaches have causes other than hackers, like negligence or insider threats. In this California case, it seems like the definition of an insider threat, meaning it’s the act of someone with access to the infrastructure, working for personal gain.

According to a report on TechCrunch, which published the indictment documents, Heinrich is accused of aggravated identity theft and conspiracy to commit wire fraud. The documents say a Philippines-based employee of a third-party contractor that provided support to Shopify accessed data related to merchants, then took screenshots and uploaded data to Google Drive. The data included merchants’ and customers’ names, billing and shipping addresses, email addresses, payment methods and even details of the items purchased.

This data was allegedly sold to Heinrich for a sum in cryptocurrency. The data was allegedly used to set up fake pages that looked like the original ones or sell that data to other unknown co-conspirators, helping them commit frauds against the merchants and customers.

In total, Heinrich and his conspirator are accused of siphoning data for more than a year.

“Shopify has cooperated with the FBI to investigate an incident involving the data of a small number of our merchants in September 2020,” said Shopify spokesperson Rebecca Feigelsohn. “As previously stated, the perpetrators involved no longer work with Shopify. Because there is an active criminal investigation, we are unable to provide further comment at this time.”

Posts navigation

1 2 3 4 93 94 95
Scroll to top