Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc.

  • Thread starter: OldSkool
Spain's prime minister and defense minister are the latest elected officials to detect Pegasus spyware on their mobile phones, according to multiple media reports quoting Spanish authorities.

During a press conference on Monday, Félix Bolaños, the minister for the presidency, told reporters that cellphones of Spanish prime minister Pedro Sánchez and defense minister Margarita Robles were both infected by NSO's notorious surveillance software last year.

Sánchez's device was breached twice, and Robles' phone was breached once. Bolaños noted that a Spanish judge did not authorize these breaches, meaning "external" groups initiated the espionage.

"We have no doubt that this is an illicit, unauthorized intervention," Bolaños said at the press conference. "It comes from outside state organisms and it didn't have judicial authorization."

Phones of other government officials are under investigation to determine if additional Spanish lawmakers were targeted, he added.
 
A threat group responsible for sophisticated cyberespionage attacks against U.S. utilities actually comprises three subgroups, all with their own toolsets and targets, that have been operating globally since 2018, researchers have found.

TA410 is a cyberespionage umbrella group loosely linked to APT10, a group tied to China’s Ministry of State Security. The group is known not only for targeting U.S. organizations in the utilities sector, but also diplomatic organizations in the Middle East and Africa, according to a report published this week by researchers at security firm ESET.

Though it’s apparently been active since 2018, TA410 first came up on researchers’ radar in 2019, when Proofpoint uncovered a phishing campaign targeting three U.S. companies in the utilities sector that used a novel malware then dubbed LookBack.
 
It’s not the kind of security discovery that happens often. A previously unknown hacker group used a novel backdoor, top-notch tradecraft, and software engineering to create an espionage botnet that was largely invisible in many victim networks.

The group, which security firm Mandiant is calling UNC3524, has spent the past 18 months burrowing into victims’ networks with unusual stealth. In cases where the group is ejected, it wastes no time reinfecting the victim environment and picking up where things left off. There are many keys to its stealth, including:
  • The use of a unique backdoor Mandiant calls Quietexit, which runs on load balancers, wireless access point controllers, and other types of IoT devices that don’t support antivirus or endpoint detection. This makes detection through traditional means difficult.
  • Customized versions of the backdoor that use file names and creation dates that are similar to legitimate files used on a specific infected device.
  • A live-off-the-land approach that favors common Windows programming interfaces and tools over custom code with the goal of leaving as light a footprint as possible.
  • An unusual way a second-stage backdoor connects to attacker-controlled infrastructure by, in essence, acting as a TLS-encrypted server that proxies data through the SOCKS protocol.
 
Infosec outfit Cybereason says it's discovered a multi-year – and very successful – Chinese effort to steal intellectual property.

The company has named the campaign "Operation CuckooBees" and attributed it, with a high degree of confidence, to a Beijing-backed advanced persistent threat-slinger going by Winnti – aka APT 41, BARIUM, and Blackfly.

Whatever the group is called, it uses several strains of malware and is happy to construct complex chains of activity. In the attack Cybereason claims to have spotted, Winnti starts by finding what Cybereason has described as "a popular ERP solution" that had "multiple vulnerabilities, some known and some that were unknown at the time of the exploitation."

Once ERP was compromised, Winnti sought out a file named gthread-3.6.dll, which can be found in the VMware Tools folder. The DLL was used to inject other payloads into svchost.exe, with installation of a webshell and credential dumping tools high on the crims' to-do list.

Cybereason's technical deep dive into Winnti's techniques details many efforts to hide its activities.

One of the crew's techniques employs the Common Log File System (CLFS) present in Windows Server, as it uses an undocumented file format that can be accessed through APIs but can't be parsed. That makes CLFS data a fine place to hide payloads. Cybereason says Winnti did so, and was able to evade detection for years – the firm suggests Operation CuckooBees commenced in 2019 and went undetected until 2021, thanks largely to its use of CLFS and other sophisticated techniques to hide.

"With years to surreptitiously conduct reconnaissance and identify valuable data, it is estimated that the group managed to exfiltrate hundreds of gigabytes of information," the firm opines. "The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data," Cybereason's analysis adds.

The firm asserts that the attacks focused on "technology and manufacturing companies mainly in East Asia, Western Europe, and North America." Global tech and manufacturing hotspots all.

The USA and other nations credibly accuse China of conducting or at least turning a blind eye to industrial espionage campaigns. Cybereason's analysis of Winnti's attack techniques suggests they required a lot of resources to create and operate, and were likely the result of Beijing's espionage efforts.
 
Inside man attack
A phishing operation compromised over one hundred UK National Health Service (NHS) employees' Microsoft Exchange email accounts for credential harvesting purposes, according to email security shop Inky.

During the phishing campaign, which began in October 2021 and spiked in March 2022, the email security firm detected 1,157 phishing emails originating from NHSMail accounts that belonged to 139 NHS employees in England and Scotland.

"The true scope of the attack could have been much larger, as Inky detected only those attempts made on our customers," the company's VP of Security Strategy Roger Kay wrote in a blog post. "But given how many we found, it's safe to say that the total iceberg was much bigger than the tip we saw."

Inky analysts determined the breach saw individual accounts hijacked and found no sign of a compromised mail server. The miscreants used the compromised accounts to send scam emails to third-parties in attempts to harvest Microsoft credentials and, in a few cases, trick recipients into sending money via advance-fee scams.

Last year, the NHS migrated its email service from an on-premises system to Microsoft Exchange Online, which "could have been a factor in the attack," Kay noted.

All of the fake emails were sent from two IP addresses used by the NHS, and the health agency confirmed that both were relays within the mail system used for a large number of accounts.

After reporting its initial findings to the NHS on April 13, the volume of attacks "decreased dramatically" on April 14, according to Kay.
 
:oops:
Researchers have discovered a malicious campaign utilizing a never-before-seen technique for quietly planting fileless malware on target machines.

The technique involves injecting shellcode directly into Windows event logs. This allows adversaries to use the Windows event logs as a cover for malicious late stage trojans, according to a Kaspersky research report released Wednesday.

Researchers uncovered the campaign in February and believe the unidentified adversaries have been active for the past month.
The first stage of the attack involves the adversary driving targets to a legitimate website and enticing the target to download a compressed .RAR file boobytrapped with the network penetration testing tools called Cobalt Strike and SilentBreak. Both tools are popular among hackers who use them as a vehicle for delivering shellcode to target machines.

Cobalt Strike and SilentBreak utilize separate anti-detection AES decryptors, compiled with Visual Studio.

The digital certificate for the Cobalt Strike module varies. According to Kaspersky, “15 different stagers from wrappers to last stagers were signed.”

Attackers are then able to leverage Cobalt Strike and SilentBreak to “inject code into any process” and can inject additional modules into Windows system processes or trusted applications such as DLP.

“This layer of infection chain decrypts, maps into memory and launches the code,” they said.

The ability to inject malware into a system’s memory classifies it as fileless. As the name suggests, fileless malware infects targeted computers while leaving behind no artifacts on the local hard drive, making it easy to sidestep traditional signature-based security and forensics tools. The technique, where attackers hide their activities in a computer’s random-access memory and use native Windows tools such as PowerShell and Windows Management Instrumentation (WMI), isn’t new.

What is new, however, is how the encrypted shellcode containing the malicious payload is embedded into Windows event logs. To avoid detection, the code “is divided into 8 KB blocks and saved in the binary part of event logs.”

Legezo said, “The dropper not only puts the launcher on disk for side-loading, but also writes information messages with shellcode into existing Windows KMS event log.”

“The dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs,” he continues. “The dropper searches the event logs for records with category 0x4142 (“AB” in ASCII) and having the Key Management Service as a source. If none is found, the 8KB chunks of shellcode are written into the information logging messages via the ReportEvent() Windows API function (lpRawData parameter).”

Next, a launcher is dropped into the Windows Tasks directory. “At the entry point, a separate thread combines all the aforementioned 8KB pieces into a complete shellcode and runs it,” the researcher wrote.

“Such attention to the event logs in the campaign isn’t limited to storing shellcodes,” the researchers added. “Dropper modules also patch Windows native API functions, related to event tracing (ETW) and anti-malware scan interface (AMSI), to make the infection process stealthier.”
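The chunk-and-reassemble scheme described in the post, as an added example that is not code from the original post or from Kaspersky's report: one function plays the dropper (splitting a blob into 8 KB pieces) and another plays the launcher or a hunter (selecting records with category 0x4142 from the "Key Management Service" source, ordering them by record id and joining the raw-data fields). The event records, the log layout and the pseudo-random stand-in for encrypted shellcode are constructed in memory so that the script runs offline; on a live host the same fields would be filled from Get-WinEvent or the EvtQuery API.

```python
"""Hunt for shellcode chunks hidden in Windows event log records.

Added example, not code from the original post or from Kaspersky's report.
It models the pattern described above: records with event category 0x4142
("AB" in ASCII) and "Key Management Service" as source, each carrying an
8 KB block of raw data that the launcher later concatenates and runs.
The records here are constructed in memory (assumption) so the script runs
offline; on a live host you would fill the same fields from Get-WinEvent
or the EvtQuery API and export the raw-data field.
"""
import math
import random
from dataclasses import dataclass

CHUNK_SIZE = 8 * 1024             # reported block size
MARKER_CATEGORY = 0x4142          # "AB" in ASCII
MARKER_SOURCE = "Key Management Service"


@dataclass
class EventRecord:
    record_id: int     # EventRecordID; chunks are reassembled in this order
    source: str        # provider / source name
    category: int      # EventCategory as written by ReportEvent()
    raw_data: bytes    # lpRawData payload (empty for normal events)


def split_into_chunks(blob: bytes, size: int = CHUNK_SIZE) -> list:
    """Dropper side of the scheme: divide a blob into size-byte pieces."""
    return [blob[i:i + size] for i in range(0, len(blob), size)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_hidden_payload(records) -> tuple:
    """Launcher/hunter side: pick the marker records, order them, join them.

    Returns (payload_bytes, findings_dict).  Any marker record carrying raw
    data is already anomalous for this source; chunk sizes and entropy are
    recorded as supporting evidence for triage.
    """
    hits = sorted(
        (r for r in records
         if r.category == MARKER_CATEGORY and r.source == MARKER_SOURCE),
        key=lambda r: r.record_id,
    )
    payload = b"".join(r.raw_data for r in hits)
    sizes = [len(r.raw_data) for r in hits]
    findings = {
        "chunks": len(hits),
        "bytes": len(payload),
        "all_but_last_8k": bool(hits) and all(s == CHUNK_SIZE for s in sizes[:-1]),
        "entropy": round(shannon_entropy(payload), 2),
        "suspicious": len(payload) > 0,
    }
    return payload, findings


def build_sample_log(payload: bytes) -> list:
    """Constructed sample log: a few ordinary records plus the planted chunks."""
    records = [
        EventRecord(101, MARKER_SOURCE, 0, b""),          # normal KMS event
        # same category but wrong source: must be ignored by the filter
        EventRecord(102, "Application Error", MARKER_CATEGORY, b"\x00" * 32),
    ]
    # Appended out of order on purpose; record_id restores the sequence.
    chunks = split_into_chunks(payload)
    for offset, chunk in reversed(list(enumerate(chunks))):
        records.append(EventRecord(200 + offset, MARKER_SOURCE, MARKER_CATEGORY, chunk))
    records.append(EventRecord(300, MARKER_SOURCE, 1, b""))
    return records


def demo_payload(length: int = 20000) -> bytes:
    """Stand-in for encrypted shellcode: seeded pseudo-random bytes (constructed)."""
    rng = random.Random(7)
    return bytes(rng.getrandbits(8) for _ in range(length))


if __name__ == "__main__":
    original = demo_payload()
    recovered, report = find_hidden_payload(build_sample_log(original))
    print(report)
    print("payload recovered intact:", recovered == original)
```

The filter keys on the two markers the dropper itself relies on (source and category), so the hunter needs no signature for the shellcode; the 8 KB size pattern and near-8-bit entropy are what an analyst would look at before declaring the joined blob malicious.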
 
NSO Group's Pegasus spyware-for-governments keeps returning to the headlines thanks to revelations such as its use against Spain's prime minister and senior British officials. But there's one nation where outrage about Pegasus has been constant for nearly a year and shows little sign of abating: India.

A quick recap: Pegasus was created by Israeli outfit NSO Group, which marketed the product as "preventing crime and terror acts" and promised it would only sell the software to governments it had vetted, and for approved purposes like taking down terrorists or targeting criminals who abuse children.

Those promises are important because Pegasus is very powerful: targets are fooled into a "zero click" install of the software, after which their smartphones are an open book.
 
Problems with the City of Kauniainen's email


” Disruptions in the City of Kauniainen's email traffic continue. The city estimates that email services will be out of use at least until the end of this week. City of Kauniainen employees can currently be reached only by phone.

According to the city's press release, the current email server cannot be brought back into use, as the causes of the problem are still being investigated. Installation of a new server has been started for security reasons.

Earlier releases raised the suspicion that the email server had been hijacked. Last week, phishing messages were sent from @kauniainen.fi email addresses, carrying the names of real senders and authentic-looking subject lines.

The messages contained short snippets of text and a link to an external website, through which viruses or malware may be distributed or, for example, credit card details phished.”

https://www.mikrobitti.fi/uutiset/k...elimitse/bb859903-6b03-4fb3-9449-1f275fc18dc3
 
The US justice department secretly issued a subpoena to gain access to details of the phone account of a Guardian reporter as part of an aggressive leak investigation into media stories about an official inquiry into the Trump administration’s child separation policy at the southern border.

Leak investigators issued the subpoena to obtain the phone number of Stephanie Kirchgaessner, the Guardian’s investigations correspondent in Washington. The move was carried out without notifying the newspaper or its reporter, as part of an attempt to ferret out the source of media articles about a review into family separation conducted by the Department of Justice’s inspector general, Michael Horowitz.

It is highly unusual for US government officials to obtain a journalist’s phone details in this way, especially when no national security or classified information is involved. The move was all the more surprising in that it came from the DoJ’s inspector general’s office – the watchdog responsible for ethical oversight and whistleblower protections.

Katharine Viner, the Guardian’s editor-in-chief, decried the action as “an egregious example of infringement on press freedom and public interest journalism by the US Department of Justice”.

She added: “We will be asking the DoJ urgently for an explanation for why and how this could have occurred, and for an apology. We will also be seeking assurances that our reporter’s details will be erased from DoJ systems and will not be used for any further infringements of press freedom.”

The Yanks are getting hot under the collar over this one.
 
A newly discovered and complex remote access trojan (RAT) is spreading via malicious email campaigns using COVID-19 lures and includes numerous features to evade analysis or detection by researchers, Proofpoint has found.

Dubbed Nerbian RAT, the novel malware variant is written in the OS-agnostic Go programming language and “utilizes significant anti-analysis and anti-reversing capabilities”, according to a Proofpoint blog post published Wednesday.

The name appointed by Proofpoint researchers is based on a named function in the malware code and appears to be derived from “Nerbia,” a fictional place from the novel Don Quixote, researchers said.
 
"Interestingly, individuals who purchase the malware can utilize the Telegram Bot to build the binary," the researchers wrote. "The [threat actors] provide an option in the Telegram channel to customize the binary features, which provides an effective way to build binaries without any dependencies."

Malware sales and subscriptions are alive and well in the cybercriminal world, with popular malware types – from ransomware to DDoS and phishing programs, as illustrated by the detection of the Frappo phishing-as-a-service tool late last month – being peddled by developers. Some miscreants also are offering paths into compromised networks via stolen credentials or direct access.

With malware-as-a-service, the programmer has various opportunities to make money from their work. They can use their malware themselves to bag ill-gotten gains; bring in cash by leasing or selling the code; and charge for support and related services. At the same time, crooks who don't have the skills or time to develop their own malicious code can simply buy it from someone else.

"It's not talked about that commonly, but it's also not a surprise," Casey Ellis, founder and CTO of cybersecurity firm Bugcrowd, told The Register.

"This is one of many examples of a criminal enterprise taking cues from technology companies and business growth and increasing their customer value through feature flexibility and SaaS-like business models."
 
Essentially, what happens is this: the paired smartphone should be physically close to the Tesla to unlock it. NCC's technique involves one gadget near the paired phone, and another gadget near the car. The phone-side gadget relays signals from the phone to the car-side gadget, which forwards them to the vehicle to unlock and start it. This shouldn't normally happen because the phone and car are so far apart. The car has a defense mechanism – based on measuring transmission latency to detect that a paired device is too far away – that ideally prevents relayed signals from working, though this can be defeated by simply cutting the latency of the relay process.

In a real-life scenario, a victim could be in a building just out of range of their Tesla while standing near a crook with a relay gadget on them. This gadget relays signals from the victim's phone to the Tesla outside via another miscreant with a gadget, who jumps in and steals the unlocked vehicle.

In its testing, NCC Group said it was able to perform a relay attack that opened a Tesla Model 3 in which the vehicle's paired device was located in a house approximately 25 metres from the vehicle. Using phone-side and vehicle-side relaying devices made from $50 Bluetooth development modules, the team said it managed to gain full access to the Tesla when the vehicle-side relay was brought within 3 metres.
 
A strange notification arrived in my email; apparently it went straight to spam.
But it looks very genuine, just like it's from Apple. I only noticed it now.
Your App‌l‌e I‌D has been locke‌‌d‌‌ on Sunday, May, 22 2022 [ref:_179414]


‌‌"Y‌‌our ‌A‌p‌p‌l‌e‌ ‌‌Ι‌‌D‌‌ has been ‌‌l‌‌o‌‌c‌‌k‌‌e‌‌ď‌‌ on Sunday, May, 22 2022 ‌‌f‌‌or ‌‌s‌‌ecurit‌‌y‌‌ ‌‌r‌‌eason‌‌s‌‌, because of too many fa‌‌i‌‌l‌‌ed ‌‌l‌‌og‌‌i‌‌n attempts

‌‌Y‌‌ou cannot access your account and any ‌A‌p‌p‌l‌e‌ services, ‌V‌erification is required before 24 hours to get re-access your account"

"verify your account".

"‌‌T‌‌he purpose of this email is to ensure that we update you when important actions are taken. The ‌s‌ecurit‌y‌ of your account is important to us. If you don't recognize this activity".

The address given is
One ‌A‌p‌p‌l‌e‌ Park Way, Cupertino, CA, 95014, United States​
Copyright © 2022 ‌A‌p‌p‌l‌e‌ Inc. All Rights Reserved​


What is this, can anyone tell me?
Apple support is already closed..
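A check for the obfuscation visible in the quoted mail, added here as an example and not part of the original post or reply: the "Apple ID locked" text has invisible zero-width characters inserted between letters and accented or foreign look-alikes swapped in ("ď" for "d"), so a filter matching the literal words "locked" or "Apple ID" never fires while the reader sees the intended words. The sample subject below is a constructed reproduction of that pattern, and the confusables table is a small hand-picked subset rather than the full Unicode confusables list (assumption).

```python
"""Spot zero-width and look-alike character tricks in a phishing mail.

Added example, not from the original post. The sample subject is a
constructed reproduction of the quoted "Apple ID locked" message's pattern:
zero-width non-joiners between letters and look-alike letters swapped in.
The CONFUSABLES table is a small hand-picked subset (assumption), not the
full Unicode confusables list.
"""
import unicodedata

# Common look-alikes that NFKD normalisation does not fold into ASCII.
CONFUSABLES = {
    "\u0399": "I",  # GREEK CAPITAL LETTER IOTA
    "\u0406": "I",  # CYRILLIC CAPITAL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0455": "s",  # Cyrillic er, es, dze
}

# Lure wording a filter would normally match on.
SUSPICIOUS_PHRASES = ("apple id", "locked", "verify your account",
                      "failed login", "24 hours")

# Constructed sample: ZWNJ (U+200C) between letters, Greek iota in "ID",
# "d with caron" (U+010F) in "locked".
SAMPLE_SUBJECT = ("Your App\u200cl\u200ce \u0399\u200cD has been "
                  "locke\u200c\u200c\u010f\u200c\u200c for security reasons")


def is_invisible(ch: str) -> bool:
    """Format characters (ZWNJ, ZWJ, ZWSP, soft hyphen, BOM) are category Cf."""
    return unicodedata.category(ch) == "Cf"


def scripts_of(word: str) -> set:
    """Script-name prefix of each letter, e.g. {"GREEK", "LATIN"} for "ΙD"."""
    names = set()
    for ch in word:
        if ch.isalpha():
            names.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return names


def fold(text: str) -> str:
    """What the recipient effectively reads: invisibles removed, diacritics
    stripped (ď -> d), look-alikes mapped, lower-cased."""
    visible = "".join(ch for ch in text if not is_invisible(ch))
    decomposed = unicodedata.normalize("NFKD", visible)
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in base).lower()


def analyze(text: str) -> dict:
    """Report obfuscation indicators and which lure phrases appear once folded."""
    zero_width = sum(1 for ch in text if is_invisible(ch))
    visible = "".join(ch for ch in text if not is_invisible(ch))
    mixed = [w for w in visible.split() if len(scripts_of(w)) > 1]
    folded = fold(text)
    hits = [p for p in SUSPICIOUS_PHRASES if p in folded]
    return {
        "zero_width": zero_width,
        "mixed_script_words": mixed,
        "folded": folded,
        "phrases": hits,
        # Obfuscation together with lure wording is the signal; either alone is weak.
        "suspicious": bool(hits) and (zero_width > 0 or bool(mixed)),
    }


if __name__ == "__main__":
    print("literal match on 'locked':", "locked" in SAMPLE_SUBJECT.lower())
    print(analyze(SAMPLE_SUBJECT))
```

Folding before matching is the point: the literal subject never contains "locked", but the folded form does, and the zero-width count and the mixed-script word are what justify flagging it rather than the phrases alone, which also appear in genuine account notices.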
 
If you can log in with your Apple ID at appleid.apple.com, then that is most likely a phishing attempt.

edit: it's worth enabling two-factor authentication for your Apple ID, if you haven't already. It's found under Sign-In and Security -> Account Security.

 
Interpol and cops in Africa have arrested a Nigerian man suspected of running a multi-continent cybercrime ring that specialized in phishing emails targeting businesses.

His alleged operation was responsible for so-called business email compromise (BEC), a mix of fraud and social engineering in which staff at targeted companies are hoodwinked into, for example, wiring funds to scammers or sending out sensitive information. This can be done by sending messages that impersonate executives or suppliers, with instructions on where to send payments or data, sometimes by breaking into an employee's work email account to do so.

The 37-year-old's detention is part of a year-long, counter-BEC initiative code-named Operation Delilah that involved international law enforcement, and started with intelligence from cybersecurity companies Group-IB, Palo Alto Networks Unit 42, and Trend Micro.

According to the organizations involved, Op Delilah, which began in May 2021, is another success story coming out of Interpol's Cyber Fusion Center, a public-private initiative between law enforcement and industry analysts based in Singapore.

However, the arrest also follows a stark warning from the FBI earlier this month about BEC, which the bureau said remains the most costly threat facing organizations globally. Organizations and individuals spent at least $43.3 billion between June 2016 and December 2022 because of email scams.

BEC "continues to grow and evolve, targeting small local businesses to larger corporations, and personal transactions," the FBI warned, adding that between July 2019 and December 2021, it tracked a 65 percent increase in identified global exposed losses, with victims in 177 countries.

In this particular case, the suspected fraudster fled Nigeria in 2021 when law enforcement initially tried to apprehend him. In March 2022, he attempted to return to Nigeria, where he was identified and detained due to the intelligence-gathering partnership.
 