Bringing cybersecurity globally to critical and complex key activities
A new banking malware, known as ToxicPanda, has infected more than 1,500 Android devices to make fraudulent money transfers without users noticing. This malware allows cybercriminals to take control of compromised bank accounts through a technique called on-device fraud (ODF), bypassing banks’ identity verification and authentication measures. Most of the infections have been reported in Italy, followed by Portugal, Hong Kong, Spain and Peru, which is considered an unusual case as a Chinese-speaking threat actor is targeting users in Europe and Latin America. ToxicPanda, a simplified version of the TgToxic malware, uses Android accessibility services to obtain advanced permissions, intercept one-time passwords (OTP) and bypass two-factor authentication. In addition, it masquerades as popular apps such as Google Chrome and Visa, distributing itself through fake pages that mimic official app stores.
On 25 October, the ransomware group Hive claimed responsibility for a cyber attack that took place on 14 October against the Indian energy supplier Tata Power. The ransom negotiation failed, so the cybercriminal group revealed the stolen data. The data could include personal data of Tata Power employees, ID card numbers, tax account numbers, salary information, but also technical drawings, financial and banking records and customer information. Read more about it : here
China's National Computer Virus Emergency Response Centre said that after its investigation, it had concluded that the US National Security Agency was responsible for the cyber attack on the email system of Northwestern Polytechnic University in Xi'an, Shaanxi province. On 22 June, the university announced that it had discovered phishing emails containing Trojan horses and posing as research reports, invitations to academic events and study abroad opportunities. These emails were sent to teachers and students at the university with the aim of stealing their data and personal information. According to the investigation, thirteen US individuals were directly involved in the attack, and 170 electronic documents and 60 contracts between the NSA and US telecom operators were arranged through a front company to create an environment for cyber attacks. Read more about it : here
From their statements on their telegram channel, it appears that KIllMilk and Killnet, the pro-Russian hacktivist groups, have re-launched their attack campaigns by reorienting themselves to target Japan. After a period of about two weeks of inactivity, Killnet does not seem to have an explanation for the reorientation of their attacks. The targets were two government sites and the Japanese tax site. It is likely that the nature of the attacks is DDoS, although this is not specified in their statement. Read more about it : here
Kaspersky’s researchers have uncovered a rootkit developed by an advanced persistent threat (APT) actor that stays on the victim’s machine even if the operating system is rebooted or Windows is reinstalled – making it very dangerous in the long run. Dubbed “CosmicStrand,” this UEFI firmware rootkit was used majorly to attack private individuals in China, with rare cases in Vietnam, Iran and Russia. The UEFI firmware is a critical component in the vast majority of hardware. Its code is responsible for booting up a device, launching the software component that loads the operating system. If the UEFI firmware is somehow modified to contain malicious code that code will be launched before the operating system, making its activity potentially invisible to security solutions and to the operating system’s defenses. This, and the fact that the firmware resides on a chip separate from the hard drive, makes attacks against UEFI firmware exceptionally evasive and persistent – because regardless of how many times the operating system is reinstalled, the malware will stay on the device. Read more about it: here
China Telecom's data was allegedly stolen by the cyber mercenary group "AtlasIntelligenceGroup". The latter announced on August 7 a disclosure of the data and put the whole package online on August 10. Read more about it : here
Cybersecurity Government surveillance isn't just about Pegasus. Hermit's new spyware is used by the government of Kazakhstan to surveillance citizens. However, Hermit was detected not only in Kazakhstan, but also earlier - in northeastern Syria. According to analysts at Lookout Threat Lab, there is also an iOS version of Hermit - however, in this case, researchers were not able to obtain a sample of this software for analysis. Spyware as a tool of governments around the world Read more about it: here
An alleged group of Iranian hackers has been operating a spearphishing campaign that includes masquerading known government officials. Based on reports, the Iran-sponsored threat group posed as a former United States ambassador to target think tank officials. The Iranian hackers used fake and authentic email accounts to conduct spearphishing attacks. The Iranian hackers’ campaign included spearphishing attacks using phoney and legitimate accounts. The uncovered spearphishing infrastructure exclusively attacks the high-ranking officials in Israel and worsens as the tension between Iran and Israel continues. Read more about it: here
In total, Lapsus$ hackers have leaked 189 GB worth of sensitive data, while Samsung has confirmed the incident; it claimed that the leak does not involve customers’ or employees’ data. The South Korean technology and smartphone giant, Samsung Electronics, has become a victim of a cyberattack involving 189 GB of sensitive data, which the hackers have leaked online. The data is now being traded on Telegram and several hacking and cybercrime forums, especially active Russian language ones. Read more about it here.
Large-scale phishing activity using hundreds of domains to steal credentials for Naver, a Google-like online platform in South Korea, shows infrastructure overlaps linked to the TrickBot botnet. The resources used for this attack show the sheer size of the cybercriminal effort to collect login data to be used in various attacks. Similar to Google, Naver provides a diverse set of services that range from web search to email, news, and the NAVER Knowledge iN online Q&A platform. Read more about it here.