North Korean hackers attempt to hack security researchers investigating zero-day vulnerabilities

  • Fully patched Windows 10 computers running the Chrome browser are being infected by visiting a bogus security researcher’s website.
  • The hackers spend weeks or months gaining the trust of security researchers before tricking them into running malicious code.

Threat experts at Google say that they have identified an ongoing hacking campaign that has targeted computer security experts, specifically those researching the very type of software vulnerabilities exploited by cybercriminals.

Google’s Threat Analysis Group (TAG) says that the attackers are backed by the North Korean government, and describes the operation as an advanced persistent threat (APT) campaign aimed at compromising the computers of high-value targets.

As Google describes, the attackers reach out to their intended victims via email or websites such as Twitter and LinkedIn, posing as fellow researchers.

Over time, in conversations that can last for weeks or months, the attackers attempt to establish their credibility and trustworthiness by posting videos of exploits they claim to have discovered, or by posting links to their research on their blogs or GitHub.

The “evidence” of their discoveries was further amplified by having other social media accounts under the hackers’ control reshare the links, in an attempt to make them appear more authentic.

Ingeniously, the attackers then ask the researcher they are targeting whether they want to collaborate on vulnerability research, and share a Visual Studio project containing the source code of an exploit they are supposedly working on.

A careless researcher may not spot that the project also contains a malicious .DLL file that can install a backdoor onto their computer.
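A practical check before opening or building a project that a stranger sends you is to list what the project would execute at build time and which prebuilt binaries travel with the source. The following is an added example, not code from Google’s post or from the campaign it describes: the .vcxproj and the file list are constructed, the MSBuild element names it inspects (PreBuildEvent, PostBuildEvent, Exec) are standard, and the output is a triage list for a human to read, not a verdict.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample project file, standing in for a .vcxproj received from a
# stranger. It is illustrative input, not a file from the campaign in the article.
SAMPLE_VCXPROJ = """<Project DefaultTargets="Build"
         xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <ClCompile Include="poc.cpp" />
  </ItemGroup>
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>$(ProjectDir)x64\\Debug\\helper.exe --prepare</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin\\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
  <Target Name="AfterClean">
    <Exec Command="del /q $(ProjectDir)*.log" />
  </Target>
</Project>
"""

# Constructed directory listing of the same project as it arrived.
SAMPLE_PATHS = ["poc.vcxproj", "poc.cpp", "README.md",
                "x64/Debug/helper.exe", "x64/Debug/helper.dll"]

# File types that a source-only project has no reason to ship.
BINARY_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx", ".scr", ".com", ".msi"}

# MSBuild build-event containers whose <Command> child runs during a build.
EVENT_TAGS = {"PreBuildEvent", "PreLinkEvent", "PostBuildEvent", "CustomBuildStep"}


def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def build_commands(vcxproj_xml):
    """Return (where, command) pairs for everything the project executes at
    build time: build-event <Command> elements and Exec tasks in targets."""
    root = ET.fromstring(vcxproj_xml)
    found = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in EVENT_TAGS:
            for child in elem:
                if _local(child.tag) == "Command" and child.text and child.text.strip():
                    found.append((name, child.text.strip()))
        elif name == "Exec" and elem.get("Command"):
            found.append(("Exec", elem.get("Command").strip()))
    return found


def bundled_binaries(paths):
    """Return the paths in the project tree that are compiled binaries."""
    return sorted(p for p in paths
                  if PurePosixPath(p).suffix.lower() in BINARY_EXTENSIONS)


def triage(vcxproj_xml, paths):
    """Human-readable findings to review before building a shared project."""
    findings = [f"build-time command in {where}: {cmd}"
                for where, cmd in build_commands(vcxproj_xml)]
    findings += [f"prebuilt binary bundled with source: {p}"
                 for p in bundled_binaries(paths)]
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_VCXPROJ, SAMPLE_PATHS):
        print(line)
```

Anything listed under “build-time command” runs the moment you press Build, so read it before you do; anything listed as a bundled binary cannot be reviewed as source and should be treated as untrusted code.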

In addition, in some attacks researchers have been compromised after visiting the fake researcher’s blog. As Google explains, visiting the website hosting the blog – even on a fully-patched up-to-date version of the Chrome browser running on a fully-patched version of Windows 10 – can result in computers becoming infected by malware.

Google admits that it is not clear at the moment how the infection is taking place, but it is asking anyone who is able to identify such a previously unknown vulnerability in Chrome to make contact as they would be eligible for a reward under its bug bounty program.

According to The Register, one researcher targeted by the North Korean hackers was zero-day vulnerability hunter Alejandro Caceres, the co-founder of US-based security research outfit Hyperion Gray.

Caceres said that he had been contacted by a bogus researcher calling himself James Willy, and offered a reward for anyone who could provide the hacker’s true identity and address.

Google’s Threat Analysis Group says that it is sharing details of the hacking campaign in the hope that it will act as a warning to all security researchers to be on their guard:

“We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with.”

The Twitter and LinkedIn profiles used by the attackers have since been suspended, although, of course, there is nothing to stop the hackers creating other accounts in an attempt to ensnare more unsuspecting security researchers.

Two Dutch Public Health Workers Arrested for Selling Coronavirus Patient Information

Dutch police have arrested two Public Health Department (GGD) workers for allegedly stealing information on COVID-19 patients and offering to sell it online to various cybercriminals.

The arrests resulted from a police investigation launched after RTL Nieuws, a local media outlet, discovered that personal information from two GGD systems storing coronavirus patient data was being sold on instant messaging apps such as Telegram.

Police said the GGD reported personal data theft from its systems on January 22.

“The cybercrime team of the Central Netherlands police immediately started an investigation,” the police report reads. “This investigation soon led to two employees of the GGD call center. The suspects were both in Amsterdam on Saturday evening, where they were arrested and taken to a cell. It concerns a 21-year-old man from Heiloo and a 23-year-old man from Alblasserdam. The men’s homes were searched; computers have been seized.”

The investigation is ongoing, and authorities have not ruled out additional arrests. The initial police report states that names, dates of birth and addresses were among the personal information put up for sale by the two suspects.

However, the RTL Nieuws investigation revealed that the private data had been offered for sale in large chat groups, including on Snapchat and Wickr, for months. Some posts offered look-up services for specific individuals at prices between 30 and 50 euros.

“You will receive the home and email address and telephone and social security number from someone,” RTL Nieuws explained. “Other accounts offer large datasets containing the private data of tens of thousands of Dutch people. Criminals charge thousands of euros for this because it is relatively unique that social security numbers are sold on such a large scale.”

The data theft and illegal trade of information has obliged the GGD to enforce additional security measures, requiring each employee to sign a confidentiality agreement and submit a Certificate of Good Conduct. The public health service also ensured that remote workers will be thoroughly monitored once system upgrades are made.

The security incident could also have serious legal and financial consequences for the GGD. “This is very bad and may be a serious data breach,” the Dutch Data Protection Authority said. “The AP immediately demanded clarification from the GGD. This data includes name, address, place of residence and telephone numbers and also BSNs: all current and in large quantities. That is very valuable.”

How Bitdefender Protects You from Ransomware (Part 2)

Ransomware attacks are among the greatest security threats we face in the digital world, a trend that has continued to expand and grow in sophistication over the past years.

The threat actor’s goal is simple: Find an opportunistic target and lure it into accessing, downloading or installing malicious software onto their device so it can encrypt user files and prevent them from accessing the system. The victims then reach the all-too-familiar endgame of whether or not to pay a ransom.

Can you put a price on your data?

Most personal data on our devices consists of precious memories and financial information. However, as our kitchens and living rooms have turned into a home office, our devices also hold sensitive work materials and documents we cannot afford to lose.

How do you ensure the best protection for your files and data?

Bitdefender anti-ransomware technologies eliminate the ransomware threat by preventing malicious infections from reaching your device and encrypting your data. Advanced Threat Defense (ATD) continuously monitors all applications running on your system, preventing any file-encrypting behavior from compromising your files. ATD is designed to neutralize suspicious processes by hunting for threat-like actions. Suppose an application attempts to modify the hosts file, inject code into another process, disable the anti-malware software installed on your device or create startup keys. In that case, ATD declares the process malicious and stops it from damaging the system.

This innovative proactive detection technology uses advanced heuristic methods to detect known and new ransomware strains in real time, blocking malicious actions, such as file encryption, before they start. Moreover, ATD shares intelligence with Bitdefender’s Global Protective Network to stop even the newest ransomware and exploits and notifies you each time potentially malicious processes and cyber threats are detected.
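The behaviors named above (hosts-file edits, code injection, disabling anti-malware, creating startup keys, bulk file encryption) are the kind of per-process indicators a behavioral engine scores rather than matching signatures. As an added illustration that is not Bitdefender’s code and says nothing about how ATD is actually implemented, here is a small scorer run over a constructed stream of endpoint events; the event schema, the weights, the threshold and the service names are all assumptions made for the example.

```python
import os
from collections import defaultdict

# Constructed indicator table modelled on the behaviours named in the article.
# Weights and threshold are illustrative choices for this example, not a
# vendor's tuning.
HOSTS_FILE = r"c:\windows\system32\drivers\etc\hosts"
RUN_KEYS = (r"\currentversion\run", r"\currentversion\runonce")
ANTIMALWARE_SERVICES = {"windefend", "sense"}   # example service names
WEIGHTS = {
    "hosts_file_modified": 30,
    "process_injection": 40,
    "antimalware_disabled": 40,
    "startup_key_created": 25,
    "mass_file_encryption": 60,
}
BLOCK_THRESHOLD = 60      # one strong indicator, or two weaker ones together
ENCRYPT_RENAME_MIN = 5    # renames to one new extension before we call it encryption


def classify(events):
    """Aggregate behaviour per (pid, process name) and return a verdict for each."""
    state = defaultdict(lambda: {"indicators": set(), "renames": defaultdict(int)})
    for ev in events:
        s = state[(ev["pid"], ev["process"])]
        action, target = ev["action"], ev["target"].lower()
        if action == "file_write" and target == HOSTS_FILE:
            s["indicators"].add("hosts_file_modified")
        elif action == "process_inject":
            s["indicators"].add("process_injection")
        elif action == "service_stop" and target in ANTIMALWARE_SERVICES:
            s["indicators"].add("antimalware_disabled")
        elif action == "registry_set" and target.endswith(RUN_KEYS):
            s["indicators"].add("startup_key_created")
        elif action == "file_rename":
            # Many files gaining the same new extension is the classic
            # ransomware rename pattern; a single rename is everyday activity.
            old_ext = os.path.splitext(target)[1]
            new_ext = os.path.splitext(ev["new_name"].lower())[1]
            if new_ext and new_ext != old_ext:
                s["renames"][new_ext] += 1
                if s["renames"][new_ext] >= ENCRYPT_RENAME_MIN:
                    s["indicators"].add("mass_file_encryption")
    verdicts = {}
    for key, s in state.items():
        score = sum(WEIGHTS[i] for i in s["indicators"])
        verdicts[key] = {
            "score": score,
            "indicators": sorted(s["indicators"]),
            "verdict": "block" if score >= BLOCK_THRESHOLD else "allow",
        }
    return verdicts


def _ev(pid, process, action, target, **extra):
    return {"pid": pid, "process": process, "action": action, "target": target, **extra}


# Constructed event trace: one process behaving like ransomware, one editor
# doing ordinary work, one installer registering itself to start at logon.
SAMPLE_EVENTS = (
    [_ev(4242, "invoice_viewer.exe", "file_rename", rf"c:\users\ann\docs\report{i}.docx",
         new_name=rf"c:\users\ann\docs\report{i}.docx.locked") for i in range(6)]
    + [_ev(4242, "invoice_viewer.exe", "registry_set",
           r"hkcu\software\microsoft\windows\currentversion\run"),
       _ev(4242, "invoice_viewer.exe", "service_stop", "WinDefend")]
    + [_ev(1111, "notepad.exe", "file_write", r"c:\users\ann\docs\notes.txt"),
       _ev(1111, "notepad.exe", "file_rename", r"c:\users\ann\docs\notes.txt",
           new_name=r"c:\users\ann\docs\notes.md")]
    + [_ev(2222, "setup.exe", "registry_set",
           r"hkcu\software\microsoft\windows\currentversion\run")]
)


if __name__ == "__main__":
    for (pid, name), v in classify(SAMPLE_EVENTS).items():
        print(f"{name} ({pid}): {v['verdict']} score={v['score']} {v['indicators']}")
```

The point of the weighting is visible in the third process: a lone startup-key write is common legitimate behaviour and scores below the threshold, whereas the same write combined with bulk renames and stopping an anti-malware service is blocked.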

An additional proactive anti-ransomware security feature ensures that folders containing sensitive documents and files are not lost if a ransomware attack manages to bypass all other security layers. The Ransomware Remediation module allows you to restore critical files and data encrypted by ransomware. If malicious software attempts to encrypt files on your device, a backup of the targeted files will be automatically created, allowing you to restore them with just a few clicks.

The security shortcomings of our devices and systems pose a greater threat than ever, with security breaches and malicious attacks ramping up new victims daily. Secure and protect your data today by choosing a security solution prepared to defend your private data against new and existing threats.

Cybercriminals Impersonate UK’s National Health Service to Spread COVID-19 Vaccination Phishing Emails

Fraudsters impersonating UK’s National Health Service (NHS) are actively exploiting the COVID-19 vaccination campaign to dupe citizens into providing their personal information through various phishing emails.

The campaign seems to have started on January 25, as seen in the scam recipients’ multiple Twitter posts.

In one version of the phishing email, users are asked to confirm or reject the coronavirus vaccination by accessing the appropriate link.

Regardless of what they choose, the links direct them to a fake NHS page that asks for personal information such as name, mother’s maiden name, home address, date of birth, phone number and even credit card details.

“I got this via email. It looks very real, and so does the site that it takes you to,” one Twitter user said. “BUT they ask for bank card details! This is so difficult especially when we read we may be contacted to book via email, text or letter.”

NHS COVID-19 phishing email

Although the email layout may seem legitimate, another user pointed out a red flag, noticing a suspicious email address added in the email’s CC field.

“My wife just received this,” he said. “Can’t believe people are using this method at a time when people are feeling so anxious to get a vaccine jab. It looked very legit until we saw the email address in the CC list.”

The NHS was quick to respond to news regarding the fraudulent emails, assuring the population that the COVID-19 vaccine is free of charge.

The agency also provided a checklist for spotting the scam, explaining that citizens are not required to apply for the vaccine or to share any documents proving their identity, including copies of passports, driver’s licences, bills or bank details.

Despite public awareness campaigns advertised by UK government agencies, some citizens have already fallen victim to scammers, providing personal and financial information via fraudulent online forms.

Assuming that any provided information will fuel identity theft and fraud-related crimes, victims should notify the appropriate UK government agencies and police. Report any stolen documents to the organization in charge of issuing your credit cards, driver’s license, or passport. Review your credit card statements and bank accounts for any fraudulent charges.

Hacker Releases Dating Site Data Belonging to 2+ Million Users

Dating site MeetMindful has discovered that “a well-known hacker” has leaked the details of more than 2 million users registered on its website.

An unnamed security researcher tells ZDNet that the leaked data is a 1.2 GB file containing some highly-sensitive data points, like real name, email address, city, state and ZIP code, body details, dating preferences, marital status, birth date, latitude and longitude, IP address, bcrypt-hashed account passwords, Facebook user IDs and even Facebook authentication tokens.

The leaked data is more than enough to cause serious damage to customers enlisted with MeetMindful, exposing them to sextortion, fraud, and of course psychological damage.

To its credit, the dating site has promptly responded to the leak with a comprehensive security notification addressing affected users.

However, unlike ZDNet’s source, MeetMindful seems to downplay the severity of the leak, claiming the attacker was only able to grab basic user data that was already outdated. It isn’t clear which version of the story is more accurate.

“A well-known hacker was able to exploit a now-closed vulnerability in our system, and was able to export an outdated version of a list of basic user information,” the company says.

It explains that the incident applies to users who signed up for MeetMindful prior to March 2020, and that users who signed up after March 2020, or have updated their account details since March 2020 are not affected by this incident.

It also mentions that MeetMindful is one of several victims in a larger campaign targeting multiple companies, including Teespring.com, Bonobos and others.

“We identified the vulnerability and immediately resolved it, as well as brought in additional development resources to ensure future safety,” according to the notice.

The company further claims that no payment information was viewed or released. The same goes for messages, profile answers, photos, favorites, user views, or any other personal information relating to matches, detailed match preferences, conversations and specific locations, it says.

As a precaution, all users are advised to reset their password “to add additional security to your account,” according to the company. MeetMindful also instructs users to be wary of emails or text messages asking for an account number or password (i.e. phishing / fraud attempts).

Users who have additional questions or detect suspicious activity on their account can contact the company at hello@meetmindful.com.

World’s Largest Crane Maker Suffers Global Cyber Attack, Operations at a Halt

PALFINGER AG, the giant manufacturer of lifting systems, has posted a statement on its home page confirming it is currently under attack by hackers. Because of the attack, the firm’s IT infrastructure has been crippled.

With 150 crane models and a market share of 35 percent, PALFINGER is the world market leader in hydraulic lifting, loading and handling systems. It employs over 11,000 people in 35 locations across the globe with 5,000 service points. PALFINGER is also the world’s market leader in maritime lifesaving equipment.

The Austrian company this week disclosed a cyber incident that has all but halted its IT operations, in what appears to be the result of a ransomware attack. The firm greets visitors on its website with the following statement:

“PALFINGER Group is currently the target of an ongoing global cyber attack. IT infrastructure is disrupted at the moment (including sending and receiving emails, ERP systems). A large proportion of the group’s worldwide locations are affected. It is not possible to estimate the precise extent and duration of the attack or its consequences at this time. Work is being carried out intensively on a solution.”

The disruption described by the company suggests a ransomware infection, where systems become unusable as data and applications are encrypted and frozen. However, the firm has yet to disclose details of the hack.

Visitors to palfinger.com in different geographies are told the company cannot “receive or process in inquiries, orders, shipments and invoices,” and that existing customers can only reach PALFINGER via telephone or through social media.

According to the notice, most of the company’s offices and factories around the world have been affected by the cyber attack.

Bitdefender research shows that businesses across all verticals face record numbers of data breaches this year, as misconfigurations resulting from the rapid transition of employees to remote work create security blind spots that attackers will exploit. Unpatched vulnerabilities and misconfigurations mean business clients stand to inherit those security lapses as well, opening the floodgates to supply chain attacks (e.g. SolarWinds).

Motivated politically or economically, cyber actors are showing more interest than ever in critical industry verticals, like healthcare, education, construction, retail, energy and water distribution, as well as municipal infrastructures.

2 Million User Records from Adult Streaming Website MyFreeCams.com Sold in Underground Forum

A data broker who allegedly hacked adult chat and web-streaming website MyFreeCams.com has sold nearly 2 million user records on a dark web forum, CyberNews researchers have discovered.

According to the seller’s post, the records were exfiltrated from the company’s servers in December 2020 after a SQL injection allowed him to access and view unauthorized data.

The perp claims to have stolen usernames, emails, clear-text passwords and MFC Token balances of 2 million Premium and Diamond members. The threat actor made a pretty penny: an analysis of his cryptocurrency wallet showed 49 Bitcoin transactions, equating to more than $22,000.

After selling the stolen records, he immediately deleted his account and post from the forum.

News of the breach also reached MyFreeCams.com, which claims the leaked data was traced “to a security incident that occurred more than ten years ago in June 2010.”

The company also emphasized that the vulnerability used to exfiltrate user data was fixed shortly after the incident.

Despite these assurances, MyFreeCams has notified impacted members to reset their passwords.

“MFC’s current systems prevent any similar attack,” the company said. “Until now, MFC did not have evidence that user data was actually compromised as part of the incident. We have informed affected users by email and reset their passwords. No credit card information was stored or compromised.”

Although users can reset their account passwords and avoid account takeover, the exposed details make for efficient blackmail and extortion attempts from other cybercriminals.

The email addresses and clear-text passwords could also be used in credential stuffing attacks, so users are also advised to review any online account that shared the same username/email and password combination.

Hundreds of thousands of cryptocurrency investors put at risk after BuyUCoin security breach

  • Data from Indian cryptocurrency exchange BuyUCoin has been leaked online
  • Notorious hacking group appears to have accessed unsecured MongoDB database

Another day, and another report that a cryptocurrency exchange has been breached by malicious hackers.

Indian cryptocurrency exchange BuyUCoin says that it is investigating claims that sensitive data related to hundreds of thousands of its users has been published on the dark web, where it is available for free download.

The 6GB of leaked data is said to have been found in a MongoDB database that BuyUCoin had left unsecured, and included users’ bank account details, email addresses, bcrypt-hashed passwords, mobile phone numbers, and Google sign-in tokens.

The data was subsequently leaked by the ShinyHunters gang, which has a history of publishing data breaches.

Such details could, of course, be used by other online criminals to scam and defraud cryptocurrency investors.

Existing customers of BuyUCoin, including security researcher Rajshekhar Rajaharia, have confirmed the authenticity of the data breach by finding their own information in the leaked data.

Screenshots posted on social media of the data leak suggest that information included in the leaked database may have been accessed as recently as last September.

However, for now at least, BuyUCoin is sending mixed messages regarding whether a breach has occurred or not.

Initially a statement from the BuyUCoin’s CEO Shivam Thakral was released saying: “In the mid of 2020, while conducting a routine testing exercise with dummy data, we faced a ‘low impact security incident’ in which non-sensitive, dummy data of only 200 entries were impacted. We would like to clarify that not even a single customer was affected during the incident.”

That statement, however, was later replaced on BuyUCoin’s blog with another that said the company is “investigating each and every aspect of the report about malicious and unlawful cybercrime activities by foreign entities in mid-2020.”

The cryptocurrency exchange says that it will keep users updated on what its investigation uncovers, and will “conduct a major cybersecurity overhaul throughout 2021 to upgrade platform security.”

I don’t know about you, but I’m not sure that’s going to reassure many cryptocurrency investors at this stage.

There is a simple checklist which administrators of MongoDB databases can follow to help ensure that sensitive information stays out of reach of cybercriminals.

Unfortunately, it is still all too common to find companies running older versions of the MongoDB software, which did not require a password by default.
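One concrete form of that checklist is to audit the mongod.conf itself for the settings that matter most here: whether authorization is required, which interfaces the server listens on, and whether TLS is enforced. The following added example (not from BuyUCoin or the article) parses two constructed configuration fragments, a legacy-style one with no security section and a hardened one. The key names are MongoDB’s documented ones, the remark about the default bind address refers to the change made in MongoDB 3.6, and the minimal YAML parser handles only the nested key/value subset these files use.

```python
# Constructed configuration fragments: a legacy-style file with no security
# section beside a hardened one. Neither is BuyUCoin's configuration.
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # listens on every interface
"""

HARDENED_CONF = """
security:
  authorization: enabled   # every client must authenticate
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.12   # loopback plus the application subnet only
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
"""


def parse_simple_yaml(text):
    """Parse the indentation-nested `key: value` subset of YAML that mongod.conf
    uses. Lists, anchors and multi-line scalars are not handled (not needed here)."""
    root = {}
    stack = [(-1, root)]                       # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:          # close mappings at equal/deeper indent
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("'\"")
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def audit(conf):
    """Return a list of findings; an empty list means the checked settings are sane."""
    findings = []
    auth = conf.get("security", {}).get("authorization", "disabled")
    if auth != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who can reach "
                        "the port can read and modify every database")
    net = conf.get("net", {})
    bind = net.get("bindIp")
    if str(net.get("bindIpAll", "false")).lower() == "true":
        findings.append("net.bindIpAll is true: the server listens on all interfaces")
    elif bind is None:
        findings.append("net.bindIp is not set: MongoDB before 3.6 listened on all "
                        "interfaces by default, so confirm the installed version")
    elif any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(",")):
        findings.append(f"net.bindIp={bind}: the server listens on all interfaces")
    tls_mode = net.get("tls", {}).get("mode") or net.get("ssl", {}).get("mode")
    if tls_mode not in ("requireTLS", "requireSSL"):
        findings.append("net.tls.mode is not requireTLS: credentials and data cross "
                        "the network in clear text")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(parse_simple_yaml(conf)) or ["no findings"])
```

Enabling authorization only helps once user accounts with scoped roles actually exist, and the bind address must still be paired with a host firewall or security group; the audit catches the configuration mistakes, not the absence of those surrounding controls.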

Past victims of breaches associated with exposed MongoDB databases have included Verizon, dating website BeautifulPeople, and millions of users of an Android keyboard app.

If reports are confirmed that BuyUCoin left a MongoDB instance unsecured and directly accessible on the internet then it really shows a reckless disregard for the security and privacy of its users.

England’s Department of Education Sends Malware-Infected Laptops to Disadvantaged Kids

England’s Department for Education has learned that laptops given out by the government to support disadvantaged children during the lockdown contain malware.

The government has so far sent more than 800,000 laptops to children with no access to devices and/or the Internet, to assist this disadvantaged group with home-schooling during lockdown. The plan is to allow more than a million children who may not have access to technology to participate in virtual classes.

But according to teachers at a Bradford school, some of the laptops were found to contain malware, the BBC reports.

“Upon unboxing and preparing them, it was discovered that a number of the laptops were infected with a self-propagating network worm,” wrote Marium Haque, deputy director of Education and Learning at Bradford Council.

According to a forum discussion maintained by some of the teachers, the GEO laptops came pre-installed with Windows (the BBC report doesn’t name the version) as well as Gamarue.I, an invasive and highly potent piece of malware.

Gamarue can change a PC’s security settings as well as download malicious files from the attackers’ command and control center for a full takeover operation, including spying and stealing private and financial data. It has also been used to deploy ransomware. One of the worm’s flagship capabilities is to make changes to the startup folder in the registry so that any additional malware it installs launches on startup.

“We are aware of an issue with a small number of devices,” a DfE official told BBC News, “and we are investigating as an urgent priority to resolve the matter as soon as possible.”

“DfE IT teams are in touch with those who have reported this issue. We believe this is not widespread,” the spokesperson added.

Advanced AV solutions like Bitdefender Total Security will detect Gamarue and stop it in its tracks.

It’s paramount that any undertaking involving large numbers of government-issued laptops begins with a basic scan of the equipment before the devices are sent out. It’s unclear how the devices ended up laced with malware. Hopefully their numbers are indeed small.

Belgian Hospital Reroutes Critical Patients after Cyberattack

On Sunday evening, the CHwapi hospital in Belgium suffered a cyberattack that prompted the facility to redirect emergency patients to other hospitals and delay surgical procedures.

As reported by local media group L’Avenir, 80 of the hospital center’s 300 servers were affected by the attack, forcing staff and nurses to abandon digital entries and turn to pen and paper for patient assessments. Patient data was not compromised, according to CHwapi.

While regular consultations and distribution of COVID-19 vaccines were not disrupted, the medical facility was forced to delay surgical operations and information sessions for future parents.

Although the hospital said it received no ransom demand, the group allegedly responsible for the attack got in touch with BleepingComputer, stating that they used Windows BitLocker to encrypt 40 hospital servers housing 100TB of data.

“We attack chwapi hospital in belgium 2 days ago.and set up a ransom notes on servers. but IT management team not give this information to hospital management.hospital management make a press release and said there is no ransom note,but this is a lie.something is going on,” the cybercriminals explained.

The threat actors apparently used Windows BitLocker to encrypt CHwapi’s file and backup servers, stating that they do not steal or leak data.

Officials said any patients affected by hospital service disruptions will be notified by telephone, where possible, adding that they are working hard to return operations to normal as soon as possible.

As a precaution, the hospital has completely cut off any communications with the outside world. “We do not communicate with the outside and we do not receive anything either before having made an even more precise diagnosis of what is happening internally,” Didier Delval, general director of CHwapi, said in a statement.

The regional crime unit was called to the scene to assist the hospital’s IT department. While attempts at full systems recovery are made, local police have already contacted Interpol to help identify the perps.
