Published By
Created On
9 May 2022 17:31:17 UTC
Transaction ID
Cost
Safe for Work
Free
Yes
US sanctions Bitcoin laundering service used by North Korean hackers
US sanctions Bitcoin laundering service used by North Korean hackers
The U.S. Department of Treasury today sanctioned cryptocurrency mixer Blender.io used last month by the North Korean-backed Lazarus hacking group to launder funds stolen from Axie Infinity's Ronin bridge.
In the wake of the attack, Sky Mavis (the bridge's creator) revealed that hackers breached the Ronin bridge on March 23 to steal 173,600 Ethereum and 25.5M USDC tokens in two transactions worth $617 million at the time, the largest cryptocurrency hack in history.
The previous most significant theft of cryptocurrency was the $611 million Poly Network hack in August 2021.
Top Articles
READ MORE The FBI linked the Lazarus hackers to the incident in April and sanctioned the 0x098B716B8Aaf21512996dC57EB0615e2383E2f96 address that received the stolen funds.
Today, the Treasury's Office of Foreign Assets Control (OFAC) said Lazarus used the Blender.io virtual currency mixer to launder over $20.5 million of the illicit proceeds.
"Blender has helped transfer more than $500 million worth of Bitcoin since its creation in 2017," OFAC said.
"OFAC's investigation also identified Blender's facilitation of money-laundering for, among others, Russian-linked malign ransomware groups including Trickbot, Conti, Ryuk, Sodinokibi, and Gandcrab."
Image: US Department of the Treasury Blender.io is not the first cryptomixing service sanctioned by the U.S., with the Financial Crimes Enforcement Network (FinCEN) issuing the first-ever penalty against the Helix and Coin Ninja mixer services in October 2020.
Lazarus was also sanctioned in September 2019 for funneling financial assets they stole in cyberattacks to the North Korean government.
In April, CISA, the FBI, and U.S. Treasury warned in a joint advisory that the hacking group is targeting cryptocurrency and blockchain companies with trojanized cryptocurrency apps.
Last year, in another joint advisory, they shared info on malicious and fake crypto-trading applications injected with AppleJeus malware used by Lazarus to steal cryptocurrency from individuals and companies worldwide.
A confidential United Nations report from 2019 revealed that the North Korean hackers stole an estimated $2 billion in at least 35 cyberattacks against banks and crypto exchanges across more than a dozen countries.
"The virtual currency mixers that assist criminals are a threat to U.S. national security interests," OFAC added.
"Treasury will continue to investigate the use of mixers for illicit purposes and consider the range of authorities Treasury has to respond to illicit financing risks in the virtual currency ecosystem."
The U.S. Department of Treasury today sanctioned cryptocurrency mixer Blender.io used last month by the North Korean-backed Lazarus hacking group to launder funds stolen from Axie Infinity's Ronin bridge.
In the wake of the attack, Sky Mavis (the bridge's creator) revealed that hackers breached the Ronin bridge on March 23 to steal 173,600 Ethereum and 25.5M USDC tokens in two transactions worth $617 million at the time, the largest cryptocurrency hack in history.
The previous most significant theft of cryptocurrency was the $611 million Poly Network hack in August 2021.
Top Articles
READ MORE The FBI linked the Lazarus hackers to the incident in April and sanctioned the 0x098B716B8Aaf21512996dC57EB0615e2383E2f96 address that received the stolen funds.
Today, the Treasury's Office of Foreign Assets Control (OFAC) said Lazarus used the Blender.io virtual currency mixer to launder over $20.5 million of the illicit proceeds.
"Blender has helped transfer more than $500 million worth of Bitcoin since its creation in 2017," OFAC said.
"OFAC's investigation also identified Blender's facilitation of money-laundering for, among others, Russian-linked malign ransomware groups including Trickbot, Conti, Ryuk, Sodinokibi, and Gandcrab."
Image: US Department of the Treasury Blender.io is not the first cryptomixing service sanctioned by the U.S., with the Financial Crimes Enforcement Network (FinCEN) issuing the first-ever penalty against the Helix and Coin Ninja mixer services in October 2020.
Lazarus was also sanctioned in September 2019 for funneling financial assets they stole in cyberattacks to the North Korean government.
In April, CISA, the FBI, and U.S. Treasury warned in a joint advisory that the hacking group is targeting cryptocurrency and blockchain companies with trojanized cryptocurrency apps.
Last year, in another joint advisory, they shared info on malicious and fake crypto-trading applications injected with AppleJeus malware used by Lazarus to steal cryptocurrency from individuals and companies worldwide.
A confidential United Nations report from 2019 revealed that the North Korean hackers stole an estimated $2 billion in at least 35 cyberattacks against banks and crypto exchanges across more than a dozen countries.
"The virtual currency mixers that assist criminals are a threat to U.S. national security interests," OFAC added.
"Treasury will continue to investigate the use of mixers for illicit purposes and consider the range of authorities Treasury has to respond to illicit financing risks in the virtual currency ecosystem."
Author
Content Type
Unspecified
video/mp4
Language
English
More from the publisher
Controlling
VIDEO
RESEA
LANG_en_researchersdeveloprceexploitforhtmlmp4
Researchers Develop RCE Exploit for the Latest F5 BIG-IP Vulnerability
Days after F5 released patches for a critical remote code execution vulnerability affecting its BIG-IP family of products, security researchers are warning that they were able to create an exploit for the shortcoming.
Tracked CVE-2022-1388 (CVSS score: 9.8), the flaw relates to an iControl REST authentication bypass that, if successfully exploited, could lead to remote code execution, allowing an attacker to gain initial access and take control of an affected system.
This could range anywhere from deploying cryptocurrency miners to dropping web shells for follow-on attacks, such as information theft and ransomware.
"We have reproduced the fresh CVE-2022-1388 in F5's BIG-IP," cybersecurity company Positive Technologies said in a tweet on Friday.
"Patch ASAP!"
The critical security vulnerability impacts the following versions of BIG-IP products - Fixes are available in versions 17.0.0, 16.1.2.2, 15.1.5.1, 14.1.4.6, and 13.1.5.
Firmware versions 11.x and 12.x will not receive security updates and users relying on those versions should consider upgrading to a newer version or apply the workarounds - Last month, cybersecurity authorities from Australia, Canada, New Zealand, the U.K., and the U.S. jointly warned that "threat actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide."
With the F5 BIG-IP flaw found trivial to exploit, malicious hacking crews are expected to follow suit, making it imperative that affected organizations move quickly to apply the patches.
Update: Security researcher Kevin Beaumont has warned of active exploitation attempts detected in the wild, while simultaneously alerting the availability of a public proof-of-concept (PoC) for the code execution flaw.
Transaction
Created
1 month ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
UKRAI
LANG_en_ukrainiancertwarnscitizensofnewhtmlmp4
Ukrainian CERT Warns Citizens of a New Wave of Attacks Distributing Jester Malware
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of phishing attacks that deploy an information-stealing malware called Jester Stealer on compromised systems.
The mass email campaign carries the subject line "chemical attack" and contains a link to a macro-enabled Microsoft Excel file, opening which leads to computers getting infected with Jester Stealer.
The attack, which requires potential victims to enable macros after opening the document, works by downloading and executing an .EXE file that is retrieved from compromised web resources, CERT-UA detailed.
Jester Stealer, which was first documented by Cyble in February 2022, comes with features to steal and transmit login credentials, cookies, and credit card information along with data from passwords managers, chat messengers, email clients, crypto wallets, and gaming apps to the attackers.
"The hackers get the stolen data via Telegram using statically configured proxy addresses (e.g., within TOR)," the agency said.
"They also use anti-analysis techniques (anti-VM/debug/sandbox).
The malware has no persistence mechanism — it is deleted as soon as its operation is completed."
The Jester Stealer campaign coincides with another phishing attack that CERT-UA has attributed to the Russian nation-state actor tracked as APT28 (aka Fancy Bear aka Strontium).
The emails, titled "Кібератака" (meaning cyberattack in Ukrainian), masquerade as a security notification from CERT-UA and come with a RAR archive file "UkrScanner.rar" attachment that, when opened, deploys a malware called CredoMap_v2.
"Unlike prior versions of this stealer malware, this one uses the HTTP protocol for data exfiltration," CERT-UA noted.
"Stolen authentication data will be sent to a web resource, deployed on the Pipedream platform, through the HTTP POST requests."
The disclosures follow similar findings from Microsoft's Digital Security Unit (DSU) and Google's Threat Analysis Group (TAG) about Russian state-sponsored hacking crews carrying out credential and data theft operations in Ukraine.
Transaction
Created
1 month ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
CISA
LANG_en_cisawarnsadminstopatchactivelyexploitedspringzyxelbugsmp4
CISA warns admins to patch actively exploited Spring, Zyxel bugs
The Cybersecurity and Infrastructure Security Agency (CISA) has added two more vulnerabilities to its list of actively exploited bugs, a code injection bug in the Spring Cloud Gateway library and a command injection flaw in Zyxel firmware for business firewalls and VPN devices.
The Spring Framework vulnerability (CVE-2022-22947) is a maximum severity weakness that attackers can abuse to gain remote code execution on unpatched hosts.
This critical bug is currently being exploited by a botnet known as Sysrv to install cryptomining malware on vulnerable Windows and Linux servers.
Top Articles
READ MORE
READ MORE Threat actors are also abusing a critical Zyxel firmware vulnerability (CVE-2022-30525), patched on May 12th and under active exploitation starting the next day, on May 13th.
Rapid7 found over 15,000 vulnerable Zyxel products exposed to Internet access, while the Shadowserver Foundation spotted at least 20,000 potentially impacted devices.
Since exploitation began, NSA Cybersecurity Director Rob Joyce also warned admins about ongoing exploitation and encouraged them to update their Zyxel firewalls' firmware if vulnerable.
Spring & Zyxel active exploitation Federal agencies have three weeks to patch According to a November binding operational directive (BOD 22-01) issued by CISA to reduce the risk of known exploited bugs across US federal networks, all Federal Civilian Executive Branch Agencies (FCEB) agencies must patch their systems against bugs added to the Known Exploited Vulnerabilities Catalog (KEV).
The US cybersecurity agency gave them three weeks to fix these flaws until June 6th to block ongoing exploitation attempts.
Although the BOD 22-01 directive only applies to US FCEB agencies, CISA also strongly urged all US organizations from the private and public sectors to prioritize patching these actively exploited bugs.
Following the agency's advice should notably reduce the attack surface threat actors can exploit in attempts to breach vulnerable networks.
Last week, CISA also added an actively exploited Windows LSA spoofing zero-day (CVE-2022-26925), now confirmed as a new PetitPotam Windows NTLM Relay attack vector.
However, this Windows security flaw was removed from the KEV catalog after it was discovered that Microsoft's May 2022 Patch Tuesday updates are triggering Active Directory (AD) authentication issues on domain controllers.
Update: Corrected title incorrectly mentioning a VMware bug.
Transaction
Created
1 month ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
HACKE
LANG_en_hackersareexploitingcriticalbuginzyxelfirewallsandvpnsmp4
Hackers are exploiting critical bug in Zyxel firewalls and VPNs
Hackers have started to exploit a recently patched critical vulnerability, tracked as CVE-2022-30525, that affects Zyxel firewall and VPN devices for businesses.
Successful exploitation allows a remote attacker to inject arbitrary commands remotely without authentication, which can enable setting up a reverse shell.
Getting shell Zyxel on May 12 released a security advisory for CVE-2022-30525 (9.8 critical severity score), announcing that a fix was released for the affected models and urging administrators to install the latest updates: Top Articles
READ MORE
Fake Pixelmon NFT site infects you with
password‑stealing malware Affected model Affected firmware version Patch availability
USG FLEX 100(W), 200, 500, 700 ZLD V5.00 through ZLD V5.21 Patch 1 ZLD V5.30
USG FLEX 50(W) / USG20(W)-VPN ZLD V5.10 through ZLD V5.21 Patch 1 ZLD V5.30
ATP series ZLD V5.10 through ZLD V5.21 Patch 1 ZLD V5.30
VPN series ZLD V4.60 through ZLD V5.21 Patch 1 ZLD V5.30 The vulnerability was discovered by Jacob Baines, lead security researcher at Rapid7, who explains in a brief technical report how the flaw can be leveraged in attacks.
A module has been added to the Metasploit penetration testing framework.
“Commands are executed as the nobody user.
This vulnerability is exploited through the /ztp/cgi-bin/handler URI and is the result of passing unsanitized attacker input into the os.system method in lib_wan_settings.py” - Jacob Baines The researcher notes that an attacker can establish a reverse shell using the normal bash GTFOBin.
source: Rapid7 The severity of the security issue and the damage it could lead to is serious enough for the NSA Cybersecurity Director Rob Joyce to warn users about exploitation and encourage them to update the device firmware version if it is vulnerable.
Starting Friday the 13th, security experts at the nonprofit Shadowserver Foundation reported seeing exploitation attempts for CVE-2022-30525.
It is unclear if these efforts are malicious or just researchers working to map up Zyxel devices currently exposed to adversary attacks.
Rapid7 scanned the internet for vulnerable Zyxel products and found more than 15,000 using the Shodan search platform for hardware connected to the internet.
source: Rapid7 Shadowserver ran their own scan and found at least 20,800 Zyxel firewall models on the open web that are potentially affected by the vulnerability.
The organization counted the hardware by unique IP addresses and discovered that more than 15,000 of them were USG20-VPN and USG20W-VPN, models, designed for “VPN connections across the branch offices and chain stores.” The region with the most potentially vulnerable devices is the European Union, with France and Italy having the larger number.
source: Shadowserver Foundation Detecting exploit attempts Given the severity of the vulnerability and the popularity of the devices, security researchers have released code that should help administrators detect the security flaw and exploitation attempts.
Part of the Spanish telecommunications company Telefónica’s redteam, z3r00t created and published a template for the Nuclei vulnerability scanning solution to detect CVE-2022-30525.
The template is available from the author’s GitHub Another researcher, BlueNinja, also created a script to detect the unauthenticated remote command injection in Zyxel firewall and VPN products and published it on GitHub.
Transaction
Created
1 month ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
CHINE
LANG_en_chinesehackerscaughtstealinghtmlmp4
Chinese Hackers Caught Stealing Intellectual Property from Multinational Companies
An elusive and sophisticated cyberespionage campaign orchestrated by the China-backed Winnti group has managed to fly under the radar since at least 2019.
Dubbed "Operation CuckooBees" by Israeli cybersecurity company Cybereason, the massive intellectual property theft operation enabled the threat actor to exfiltrate hundreds of gigabytes of information.
Targets included technology and manufacturing companies primarily located in East Asia, Western Europe, and North America.
"The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data," the researchers said.
"In addition, the attackers collected information that could be used for future cyberattacks, such as details about the target company's business units, network architecture, user accounts and credentials, employee emails, and customer data."
Winnti, also tracked by other cybersecurity vendors under the names APT41, Axiom, Barium, and Bronze Atlas, is known to be active since at least 2007.
"The group's intent is towards theft of intellectual property from organizations in developed economies, and with moderate confidence that this is on behalf of China to support decision making in a range of Chinese economic sectors," Secureworks notes in a threat profile of the actor.
The multi-phased infection chain documented by Cybereason involves the exploitation of internet-facing servers to deploy a web shell with the goal of conducting reconnaissance, lateral movement, and data exfiltration activities.
It's both complex and intricate, following a "house of cards" approach in that each component of the killchain depends on other modules in order to function, rendering analysis exceedingly difficult.
"This demonstrates the thought and effort that was put into both the malware and operational security considerations, making it almost impossible to analyze unless all pieces of the puzzle are assembled in the correct order," the researchers explained.
The data harvesting is facilitated by means of a modular loader called Spyder, which is used to decrypt and load additional payloads.
Also used are four different payloads — STASHLOG, SPARKLOG, PRIVATELOG, and DEPLOYLOG — that are sequentially deployed to drop the WINNKIT, a kernel-level rootkit.
Crucial to the stealthiness of the campaign is the use of "rarely seen" techniques such as the abuse of Windows Common Log File System (CLFS) mechanism to stash the payloads, enabling the hacking group to conceal their payloads and evade detection by traditional security products.
Interestingly, parts of the attack sequence were previously detailed by Mandiant in September 2021, while pointing out the misuse of CLFS to hide second-stage payloads in an attempt to circumvent detection.
The cybersecurity firm attributed the malware to an unknown actor, but cautioned that it could have been deployed as part of a highly targeted activity.
"Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files," Mandiant said at the time.
"This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions."
WINNKIT, for its part, has a compilation timestamp of May 2019 and has almost zero detection rate in VirusTotal, highlighting the evasive nature of the malware that enabled the authors to stay undiscovered for years.
The ultimate goal of the intrusions, the researchers assessed, is to siphon proprietary information, research documents, source code, and blueprints for various technologies.
"Winnti is one of the most industrious groups operating on behalf of Chinese state-aligned interests," Cybereason said.
"The threat [actor] employed an elaborate, multi-stage infection chain that was critical to enabling the group to remain undetected for so long."
Transaction
Created
1 month ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
NIST
LANG_en_nistreleasesupdatedguidanceforhtmlmp4
NIST Releases Updated Cybersecurity Guidance for Managing Supply Chain Risks
The National Institute of Standards and Technology (NIST) on Thursday released an updated cybersecurity guidance for managing risks in the supply chain, as it increasingly emerges as a lucrative attack vector.
"It encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its components — which may have been developed elsewhere — and the journey those components took to reach their destination," NIST said in a statement.
The new directive outlines major security controls and practices that entities should adopt to identify, assess, and respond to risks at different stages of the supply chain, including the possibility of malicious functionality, flaws in third-party software, insertion of counterfeit hardware, and poor manufacturing and development practices.
The development follows an Executive Order issued by the U.S. President on "Improving the Nation's Cybersecurity (14028)" last May, requiring government agencies to take steps to "improve the security and integrity of the software supply chain, with a priority on addressing critical software."
It also comes as cybersecurity risks in the supply chain have come to the forefront in recent years, in part compounded by a wave of attacks targeting widely-used software to breach dozens of downstream vendors all at once.
According to the European Union Agency for Cybersecurity's (ENISA) Threat Landscape for Supply Chain Attacks, 62% of 24 attacks documented from January 2020 to early 2021 were found to "exploit the trust of customers in their supplier."
"Managing the cybersecurity of the supply chain is a need that is here to stay," said NIST's Jon Boyens and one of the publication's authors.
"If your agency or organization hasn't started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately."
Transaction
Created
1 month ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
AVOSL
LANG_en_avoslockerransomwarevariantusingnewhtmlmp4
AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection
Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws.
"This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys)," Trend Micro researchers, Christoper Ordonez and Alvin Nieto, said in a Monday analysis.
"In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability (Log4shell) using Nmap NSE script."
AvosLocker, one of the newer ransomware families to fill the vacuum left by REvil, has been linked to a number of attacks that targeted critical infrastructure in the U.S., including financial services and government facilities.
A ransomware-as-a-service (RaaS) affiliate-based group first spotted in July 2021, AvosLocker goes beyond double extortion by auctioning data stolen from victims should the targeted entities refuse to pay the ransom.
Other targeted victims claimed by the ransomware cartel are said to be located in Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the U.A.E., the U.K., Canada, China, and Taiwan, according to an advisory released by the U.S. Federal Bureau of Investigation (FBI) in March 2022.
Telemetry data gathered by Trend Micro shows that the food and beverage sector was the most hit industry between July 1, 2021 and February 28, 2022, followed by technology, finance, telecom, and media verticals.
The entry point for the attack is believed to have been facilitated by leveraging an exploit for a remote code execution flaw in Zoho's ManageEngine ADSelfService Plus software (CVE-2021-40539) to run an HTML application (HTA) hosted on a remote server.
"The HTA executed an obfuscated PowerShell script that contains a shellcode, capable of connecting back to the [command-and-control] server to execute arbitrary commands," the researchers explained.
This includes retrieving an ASPX web shell from the server as well as an installer for the AnyDesk remote desktop software, the latter of which is used to deploy additional tools to scan the local network, terminate security software, and drop the ransomware payload.
Some of the components copied to the infected endpoint are a Nmap script to scan the network for the Log4Shell remote code execution flaw (CVE-2021-44228) and a mass deployment tool called PDQ to deliver a malicious batch script to multiple endpoints.
The batch script, for its part, is equipped with a wide range of capabilities that allows it to disable Windows Update, Windows Defender, and Windows Error Recovery, in addition to preventing safe boot execution of security products, creating a new admin account, and launching the ransomware binary.
Also used is aswArPot.sys, a legitimate Avast anti-rootkit driver, to kill processes associated with different security solutions by weaponizing a now-fixed vulnerability in the driver the Czech company resolved in June 2021.
"The decision to choose the specific rootkit driver file is for its capability to execute in kernel mode (therefore operating at a high privilege)," the researchers pointed out.
"This variant is also capable of modifying other details of the installed security solutions, such as disabling the legal notice."
Transaction
Created
1 month ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
FAKE
LANG_en_fakecryptogiveawaysstealmillionsreusingelonmuskdorseyvideosmp4
Fake crypto giveaways steal millions reusing Elon Musk, Dorsey videos
Fake cryptocurrency giveaways are stealing millions of dollars simply by replaying old Elon Musk and Jack Dorsey Ark Invest videos on YouTube.
The scheme is the old “double your investment” ruse that promises to pay back twice the cryptocurrency amount the victim sends the scammer.
The fraudsters made more than $1.3 million after re-streaming an edited version of an old live panel discussion on cryptocurrency with Elon Musk, Jack Dorsey, and Cathie Wood at Ark Invest’s “The ₿ Word” conference.
Top Articles
READ MORE
READ MORE Simple operation At a quick search, BleepingComputer found that close to 10 YouTube channels have published the discussion, albeit in a smaller format edited to include additional elements that promoted the scam, including the link to the fraudulent crypto giveaway website.
Our findings are just a glimpse of the entire scheme, which we observed unfold since March.
However, there are reports of it going as far back as January and bringing scammers $400,000 in just seven hours.
Security researchers at cybersecurity firm McAfee were also monitoring the scam and published a report on Thursday in which they identified 11 fraudulent websites.
source: McAfee McAfee updated the post the next day saying that the number of these websites had increased to 26 in just 24 hours.
“The YouTube streams advertised several sites which shared a similar theme.
They claim to send cryptocurrency worth double the value which they’ve received.
For example, if you send 1BTC you will receive 2BTC in return” - McAfee However, these websites appear every day and scammers generate new wallets to receive funds from gullible cryptocurrency users.
Here's some that BleepingComputer and McAfee found: make2x[.
]org arknow[.
]org teslabtc22[.
]com
musk-official[.
]net arkinvest22[.
]net tesla-eth[.
]org
2x-musk[.
]net elontoday[.
]org teslaswell[.
]com
2022ark-invest[.
]net elonnew[.
]org twittergive[.
]net
22ark-invest[.
]org elonnew[.
]com doublecrypto22[.
]com
22invest-ark[.
]com 2xEther[.
]com teslabitcoin[.
]org
tesla-2x[.
]org Some of the sites in the table above are still up and running.
The list is far from being complete as scammers continue to set up new websites promoted in new streams playing a modified version of cryptocurrency talks.
The researchers said that the sites promoted in the videos tricked the visitors into thinking that others were sending cryptocurrency and had received double their “investment,” showing a table with recent transactions as proof.
To create the fake table, the scammers used JavaScript code that generated a list of random cryptocurrency wallets and paid amounts.
source: McAfee The money Below is a list of Ethereum and Bitcoin wallet addresses that scammers used for their Ark Invest cryptocurrency fraud: BTC Wallet address Value ETH Wallet address Received
bc1qz50pclcp7a7wl0au2m4rkleaxl7wryktmsy9sk 0 0xb8e257c18bbec93a596438171e7e1e77d18671e5 $25,209
1HBt1KrtWMSkjgGzuvTEPsePk24ChoQ33t $4,632 0x7007fa3e7db99686d337c87982a07baf165a3c1d $9.16
1A4GEKCKrRhjgsNCQfRaGmbZVPW8qsxfwW $29,706 0x436f1f89c00f546bfef42f8c8d964f1206140c64 $13,377
bc1qcawgs6gpmqyx35c0a0yldhak7ggagwxdpget7e $16,933 0x9b857c44c500eaf7fafe9ed1af31523d84cb5bb0 $70,602
bc1qc66cl4eap9d0r3fmydwxufa0yk6natdv72qe87 $19,439 0xbd73d147970bcbccdde3dd9340827b679e70d9d4 $57,573
bc1quu3ltey8vndcx6ma9zukazyffsw50hz8s4zhrw $20,983 0xac9275b867dab0650432429c73509a9d156922dd 0
1DU2H3dWXbUA9mKWuZjbqqHuGfed7JyqXu 0 0x12357a8e2e6b36dd6d98a2aed874d39c960ec174 0
1Q3r1TzwCwQbd1dZzVM9mdFKPALFNmt2WE $41,219 0x2605df183743587594a3dbc5d99f12bb4f19ac74 $11,468
17XfgcHCfpyYMFdtAWYX2QcksA77GnbHN9 $49,311 0x18e860308309f2ab23b5ab861087cbd0b65d250a $14,766
1GLRZZHK2fRrywVUEF83UkqafNV3GnBLha $5,787 0x5081d1ec9a1624711061c75db9438f207823e694 $4,029
1NKajgogVrRYQjJEQY2BcvZmGn4bXyEqdY 0 0x820a78d8e0518fce090a9d16297924db7941fd4f $63,301
1DU2H3dWXbUA9mKWuZjbqqHuGfed7JyqXu 0 0xcaaa38911bfe60933e39acbb59f0ba8dda491331 $18,929
bc1qas66cgckep3lrkdrav7gy8xvn7cg4fh4d7gmw5 $11,846 0xdbb8c934650bd1a88b4ba12f4acb042d9a8a0cbe $43,604
18wJeJiu4MxDT2Ts8XJS665vsstiSv6CNK $119,147 0x2d18a797b68a4f0bf15f21b55e76e2367a716942 $64,585
1CHRtrHVB74y8Za39X16qxPGZQ12JHG6TW $4,790 0x24310fb34afccbe29f80c46b4b5e17601bf11c56 $16,778
bc1qdjma5kjqlf7l6fcug097s9mgukelmtdf6nm20v 0 0x7a619530988a266fd39a4acccc5315d90c9544aa $36,449
1EX3dG9GUNVxoz6yiPqqoYMQw6SwQUpa4T $95,974 0xa15ebabdda7b5401d642893b843cf94be2293172 $16,311
0xac9275b867dab0650432429c73509a9d156922dd 0 The amounts received may not look like much but it's good money considering that the entire operation requires little effort and technical skills.
Once the video is edited and the site up and running, the fraudster just needs to wait for victims to transfer the digital coins.
McAfee says that the wallets listed on the malicious sites they found recorded a high number of transactions that amounted on May 5th to $280,000 worth of c
Transaction
Created
1 month ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
CRITI
LANG_en_criticaltlstorm20bugsaffectwidelyhtmlmp4
Critical TLStorm 2.0 Bugs Affect Widely-Used Aruba and Avaya Network Switches
Cybersecurity researchers have detailed as many as five severe security flaws in the implementation of TLS protocol in several models of Aruba and Avaya network switches that could be abused to gain remote access to enterprise networks and steal valuable information.
The findings follow the March disclosure of TLStorm, a set of three critical flaws in APC Smart-UPS devices that could permit an attacker to take over control and, worse, physically damage the appliances.
IoT security firm Armis, which uncovered the shortcomings, noted that the design flaws can be traced back to a common source: a misuse of NanoSSL, a standards-based SSL developer suite from Mocana, a DigiCert subsidiary.
The new set of flaws, dubbed TLStorm 2.0, renders Aruba and Avaya network switches vulnerable to remote code execution vulnerabilities, enabling an adversary to commandeer the devices, move laterally across the network, and exfiltrate sensitive data.
Affected devices include Avaya ERS3500 Series, ERS3600 Series, ERS4900 Series, and ERS5900 Series as well as Aruba 5400R Series, 3810 Series, 2920 Series, 2930F Series, 2930M Series, 2530 Series, and 2540 Series.
Armis chalked up the flaws to an "edge case," a failure to adhere to guidelines pertaining to the NanoSSL library that could result in remote code execution.
The list of remote code execution bugs is as follows - "These research findings are significant as they highlight that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation alone is no longer sufficient as a security measure," Barak Hadad, head of research in engineering at Armis, said.
Organizations deploying impacted Avaya and Aruba devices are highly recommended to apply the patches to mitigate any potential exploit attempts.
Transaction
Created
1 month ago
Content Type
Language
video/mp4
English