Published By
Created On
22 May 2022 01:39:27 UTC
Transaction ID
Cost
Safe for Work
Free
Yes
The Week in Ransomware - May 20th 2022 - Another one bites the dust
The Week in Ransomware - May 20th 2022 - Another one bites the dust
Ransomware attacks continue to slow down, likely due to the invasion of Ukraine, instability in the region, and subsequent worldwide sanctions against Russia.
This does not mean, though, that there has been no ransomware activity.
This week's biggest news is the Conti ransomware gang beginning to shut down their operation, with internal infrastructure taken offline and team leaders/members told that the brand is ending.
Top Articles
READ MORE
READ MORE While the 'Conti' brand may be shut down, cybersecurity firm Advanced Intel says that the cybercrime syndicate will continue to operate, with members joining other ransomware operations or the Conti leadership taking over smaller operations.
By splintering into smaller 'cells,' it is believed that Conti will be able to evade law enforcement more easily and simply switch between different ransomware operation's encryptors.
While this may mean less revenue for the syndicate, it creates greater mobility for the overall operation.
What this means for the Costa Rican government, which was severely impacted by a recent Conti attack, is unclear.
Other news this week includes the charging of a Venezuelan doctor to create the Thanos and Jigsaw ransomware families, QNAP warning customers that a new DeadBolt campaign is targeting NAS devices, and a report that ransomware gangs are increasingly use vulnerabilities for initial access.
Finally, Publishing giant Nikkei disclosed that its Singapore branch suffered a ransomware attack.
Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @malwrhunterteam, @struppigel, @FourOctets, @LawrenceAbrams, @DanielGallagher, @Seifreed, @Ionut_Ilascu, @VK_Intel, @BleepinComputer, @jorntvdw, @demonslay335, @billtoulas, @fwosar, @serghei, @malwareforme, @y_advintel, @AdvIntel, @vxunderground, @douglasmun, @GroupIB_GIB, @PRODAFT, @kateconger, @pcrisk, @Amigo_A_, and @Fortinet May 16th 2022 US links Thanos and Jigsaw ransomware to 55-year-old doctor The US Department of Justice today said that Moises Luis Zagala Gonzalez (Zagala), a 55-year-old cardiologist with French and Venezuelan citizenship residing in Ciudad Bolivar, Venezuela, created and rented Jigsaw and Thanos ransomware to cybercriminals.
[WS] Wizard Spider Group In-Depth Analysis The PRODAFT Threat Intelligence (PTI) team has assembled this report to provide in-depth knowledge about Wizard Spider.
New EarthGrass ransomware PCrisk found a new EarthGrass ransomware that appends the .34r7hGr455 extension and drops a ransom note named Read ME (Decryptor).txt.
May 17th 2022 Russian Hacking Cartel Attacks Costa Rican Government Agencies A Russian hacking cartel carried out an extraordinary cyberattack against the government of Costa Rica, crippling tax collection and export systems for more than a month so far and forcing the country to declare a state of emergency.
Conti accuses LockBit and AlphV or stealing from affiliates Chaos Ransomware Variant Sides with Russia In this vein, FortiGuard Labs recently came across a variant of the Chaos ransomware that appears to side with Russia.
This blog explains the vicious consequences that the Chaos variant delivers to a compromised machine.
New STOP ransomware variant PCrisk found a new STOP ransomware variant that appends the .dfwe extension.
May 18th 2022 National bank hit by ransomware trolls hackers with dick pics After suffering a ransomware attack by the Hive operation, the Bank of Zambia made it clear that they were not going to pay by posting a picture of male genitalia and telling the hackers to s… (well, you can use your imagination).
New STOP ransomware variant PCrisk found a new STOP ransomware variant that appends the .fdcv extension.
New CryptBit ransomware PCrisk found the new CryptBit ransomware that appends the .cryptbit extension and drops the CryptBIT-restore-files.txt ransom note.
May 19th 2022 Ransomware gangs rely more on weaponizing vulnerabilities Security researchers are warning that external remote access services continue to be the main vector for ransomware gangs to breach company networks but there's a notable uptick in exploiting vulnerabilities.
QNAP alerts NAS customers of new DeadBolt ransomware attacks Taiwan-based network-attached storage (NAS) maker QNAP warned customers on Thursday to secure their devices against attacks pushing DeadBolt ransomware payloads.
Media giant Nikkei’s Asian unit hit by ransomware attack Publishing giant Nikkei disclosed that the group's headquarters in Singapore was hit by a ransomware attack almost one week ago, on May 13, 2022.
Conti ransomware shuts down operation, rebrands into smaller units The notorious Conti ransomware gang has officially shut down their operation, with infrastructure taken offline and team leaders told that the brand is no more.
New STOP ransomware variant PCrisk found a new STOP ransomware variant that appends the .fe
Ransomware attacks continue to slow down, likely due to the invasion of Ukraine, instability in the region, and subsequent worldwide sanctions against Russia.
This does not mean, though, that there has been no ransomware activity.
This week's biggest news is the Conti ransomware gang beginning to shut down their operation, with internal infrastructure taken offline and team leaders/members told that the brand is ending.
Top Articles
READ MORE
READ MORE While the 'Conti' brand may be shut down, cybersecurity firm Advanced Intel says that the cybercrime syndicate will continue to operate, with members joining other ransomware operations or the Conti leadership taking over smaller operations.
By splintering into smaller 'cells,' it is believed that Conti will be able to evade law enforcement more easily and simply switch between different ransomware operation's encryptors.
While this may mean less revenue for the syndicate, it creates greater mobility for the overall operation.
What this means for the Costa Rican government, which was severely impacted by a recent Conti attack, is unclear.
Other news this week includes the charging of a Venezuelan doctor to create the Thanos and Jigsaw ransomware families, QNAP warning customers that a new DeadBolt campaign is targeting NAS devices, and a report that ransomware gangs are increasingly use vulnerabilities for initial access.
Finally, Publishing giant Nikkei disclosed that its Singapore branch suffered a ransomware attack.
Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @malwrhunterteam, @struppigel, @FourOctets, @LawrenceAbrams, @DanielGallagher, @Seifreed, @Ionut_Ilascu, @VK_Intel, @BleepinComputer, @jorntvdw, @demonslay335, @billtoulas, @fwosar, @serghei, @malwareforme, @y_advintel, @AdvIntel, @vxunderground, @douglasmun, @GroupIB_GIB, @PRODAFT, @kateconger, @pcrisk, @Amigo_A_, and @Fortinet May 16th 2022 US links Thanos and Jigsaw ransomware to 55-year-old doctor The US Department of Justice today said that Moises Luis Zagala Gonzalez (Zagala), a 55-year-old cardiologist with French and Venezuelan citizenship residing in Ciudad Bolivar, Venezuela, created and rented Jigsaw and Thanos ransomware to cybercriminals.
[WS] Wizard Spider Group In-Depth Analysis The PRODAFT Threat Intelligence (PTI) team has assembled this report to provide in-depth knowledge about Wizard Spider.
New EarthGrass ransomware PCrisk found a new EarthGrass ransomware that appends the .34r7hGr455 extension and drops a ransom note named Read ME (Decryptor).txt.
May 17th 2022 Russian Hacking Cartel Attacks Costa Rican Government Agencies A Russian hacking cartel carried out an extraordinary cyberattack against the government of Costa Rica, crippling tax collection and export systems for more than a month so far and forcing the country to declare a state of emergency.
Conti accuses LockBit and AlphV or stealing from affiliates Chaos Ransomware Variant Sides with Russia In this vein, FortiGuard Labs recently came across a variant of the Chaos ransomware that appears to side with Russia.
This blog explains the vicious consequences that the Chaos variant delivers to a compromised machine.
New STOP ransomware variant PCrisk found a new STOP ransomware variant that appends the .dfwe extension.
May 18th 2022 National bank hit by ransomware trolls hackers with dick pics After suffering a ransomware attack by the Hive operation, the Bank of Zambia made it clear that they were not going to pay by posting a picture of male genitalia and telling the hackers to s… (well, you can use your imagination).
New STOP ransomware variant PCrisk found a new STOP ransomware variant that appends the .fdcv extension.
New CryptBit ransomware PCrisk found the new CryptBit ransomware that appends the .cryptbit extension and drops the CryptBIT-restore-files.txt ransom note.
May 19th 2022 Ransomware gangs rely more on weaponizing vulnerabilities Security researchers are warning that external remote access services continue to be the main vector for ransomware gangs to breach company networks but there's a notable uptick in exploiting vulnerabilities.
QNAP alerts NAS customers of new DeadBolt ransomware attacks Taiwan-based network-attached storage (NAS) maker QNAP warned customers on Thursday to secure their devices against attacks pushing DeadBolt ransomware payloads.
Media giant Nikkei’s Asian unit hit by ransomware attack Publishing giant Nikkei disclosed that the group's headquarters in Singapore was hit by a ransomware attack almost one week ago, on May 13, 2022.
Conti ransomware shuts down operation, rebrands into smaller units The notorious Conti ransomware gang has officially shut down their operation, with infrastructure taken offline and team leaders told that the brand is no more.
New STOP ransomware variant PCrisk found a new STOP ransomware variant that appends the .fe
Author
Content Type
Unspecified
video/mp4
Language
English
More from the publisher
Controlling
VIDEO
HTML
LANG_en_htmlattachmentsremainpopularamongphishingactorsin2022mp4
HTML attachments remain popular among phishing actors in 2022
HTML files remain one of the most popular attachments used in phishing attacks for the first four months of 2022, showing that the technique remains effective against antispam engines and works well on the victims themselves.
HTML (HyperText Markup Language) is a language that defines the meaning and structure of web content.
HTML files are interactive content documents designed specifically for digital viewing within web browsers.
In phishing emails, HTML files are commonly used to redirect users to malicious sites, download files, or to even display phishing forms locally within the browser.
Top Articles
READ MORE As HTML is not malicious, attachments tend not to be detected by email security products, thus doing a good landing in recipients' inboxes.
HTML phishing attachment impersonating a Microsoft login
Source: BleepingComputer Statistical data from Kaspersky indicates that the trend of using HTML attachments in malicious emails is still going strong, as the security company detected 2 million emails of this kind targeting its customers in the first four months of the year.
The numbers culminated in March 2022, when Kaspersky's telemetry data counted 851,000 detections, while a drop to 387,000 in April could be just a momentary shift.
Detections of malicious HTML attachments (Kaspersky) How HTML evades detection The phishing forms, redirection mechanisms, and data-stealing elements in HTML attachments are typically implemented using various methods, ranging from simple redirects to obfuscating JavaScript to hide phishing forms.
Attachments are base64 encoded when present in email messages, allowing secure email gateways and antivirus software to easily scan attachments for malicious URLs, scripts, or other behavior.
To evade detection, threat actors commonly use JavaScript in the HTML attachments that will be used to generate the malicious phishing form or redirect.
The use of JavaScript in HTML attachments to hide malicious URLs and behavior is called HTML smuggling and has become a very popular technique over the past few years.
To make it even harder to detect malicious scripts, threat actors obfuscate them using freely-available tools that can accept custom configuration for a unique, and thus less likely to be detected, result and thus evade detection.
For example, in November, we reported that threat actors used morse code in their HTML attachment to obfuscate a phishing form that the HTML attachment would display when opened.
Source code HTML phishing attachment Kaspersky notes that in some cases, the threat actors use encoding methods involving deprecated functions like the "unescape()", which substitutes "%xx" character sequences in the string with their ASCII equivalents.
While this function has been replaced by decodeURI() and decodeURIComponent() today, most modern browsers still support it.
Still, it might be ignored by security tools and antispam engines that focus more on current methods.
Conclusion HTML attachment distribution was first seen spiking in 2019, but they remain a common technique in 2022 phishing campaigns, so they should be seen as red flags.
Phishing email with an HTML attachment (Kaspersky) Remember, merely opening these files is often enough to have JavaScript run on your system, which may lead to automatic malware assembly on the disk and the bypassing of security software.
As the security software doesn't detect an attachment as malicious, recipients may be more likely to open them and become infected.
Even if your email security solution doesn't generate any warnings, you should always treat HTML attachments as highly suspicious.
Transaction
Created
4 weeks ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
UNPAT
LANG_en_unpatcheddnsrelatedvulnerabilityhtmlmp4
Unpatched DNS Related Vulnerability Affects a Wide Range of IoT Devices
Cybersecurity researchers have disclosed an unpatched security vulnerability that could pose a serious risk to IoT products.
The issue, which was originally reported in September 2021, affects the Domain Name System (DNS) implementation of two popular C libraries called uClibc and uClibc-ng that are used for developing embedded Linux systems.
uClibc is known to be used by major vendors such as Linksys, Netgear, and Axis, as well as Linux distributions like Embedded Gentoo, potentially exposing millions of IoT devices to security threats.
"The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device," Giannis Tsaraias and Andrea Palanca of Nozomi Networks said in a Monday write-up.
DNS poisoning, also referred to as DNS spoofing, is the technique of corrupting a DNS resolver cache — which provides clients with the IP address associated with a domain name — with the goal of redirecting users to malicious websites.
Successful exploitation of the bug could allow an adversary to carry out Man-in-the-Middle (MitM) attacks and corrupt the DNS cache, effectively rerouting internet traffic to a server under their control.
Nozomi Networks cautioned that the vulnerability could be trivially exploited in a reliable manner should the operating system be configured to use a fixed or predictable source port.
"The attacker could then steal and/or manipulate information transmitted by users, and perform other attacks against those devices to completely compromise them," the researchers said.
Transaction
Created
4 weeks ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
HACKE
LANG_en_hackersexploitingcriticalf5bigipbugpublicexploitsreleasedmp4
Hackers exploiting critical F5 BIG-IP bug, public exploits released
Threat actors have started massively exploiting the critical vulnerability tracked as CVE-2022-1388, which affects multiple versions of all F5 BIG-IP modules, to drop malicious payloads.
F5 last week released patches for the security issue (9.8 severity rating), which affects the BIG-IP iControl REST authentication component.
The company warned that the vulnerability enables an unauthenticated attacker on the BIG-IP system to
Transaction
Created
4 weeks ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
GITHU
LANG_en_githubannouncesenhanced2faexperiencefornpmaccountsmp4
GitHub announces enhanced 2FA experience for npm accounts
Today, GitHub has launched a new public beta to notably improve the two-factor authentication (2FA) experience for all npm user accounts.
Myles Borins, Open Source Product Manager at GitHub, said that the code hosting platform now allows npm accounts to register "multiple second factors, such as security keys, biometric devices, and authentication applications."
It has also introduced a new 2FA configuration menu that allows users to manage registered keys and recovery codes.
Top Articles
READ MORE
Critical F5 BIG‑IP vulnerability targeted by
destructive attacks Additional features available starting today include the ability to view and regenerate recovery codes and full command-line interface (CLI) support.
Those enrolled in this public beta will be able to log in and publish via the CLI using physical security keys and biometric devices.
These changes come after a December rollout of enhanced login verification to all npm publishers in response to a massive series of account takeovers.
Two months later, GitHub enforced 2FA for all publishers of the top-100 packages by dependent, with all publishers of top-500 and high-impact packages enrolled in early 2022.
Image: GitHub 2FA roll-out across the platform GitHub also revealed last week that all active code contributors (an estimated 83 million developers in total) will be required to enable two-factor authentication (2FA) on their accounts until the end of next year.
Developers can use multiple 2FA options to secure their accounts, including physical security keys, virtual security keys built into devices like phones or laptops, and Time-based One-Time Password (TOTP) authenticator apps.
Although SMS-based 2FA is also an option (only in some countries), GitHub urged users to switch to security keys or TOTPs, given that threat actors can bypass SMS 2FA or steal auth tokens sent over SMS.
GitHub also improved account security over the years by adding sign-in alerts, two-factor authentication, and WebAuthn support.
Today's public beta push towards increased npm account security is GitHub's latest step to protect the software supply chain from attacks by moving away from basic password-based auth.
Transaction
Created
4 weeks ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
NEW W
LANG_en_newwindowspetitpotamntlmrelayattackvectorfixedinmayupdatesmp4
New Windows PetitPotam NTLM Relay attack vector fixed in May updates
A recent security update for a Windows NTLM Relay Attack has been confirmed to be a previously unfixed vector for the PetitPotam attack.
During the May 2022 Patch Tuesday, Microsoft released a security update for an actively exploited NTLM Relay Attack labeled as a 'Windows LSA Spoofing Vulnerability' and tracked as CVE-2022-26925.
"An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM.
This security update detects anonymous connection attempts in LSARPC and disallows it."
Top Articles
READ MORE
READ MORE An NTLM Relay Attack allows threat actors to force devices, even domain controllers, to authenticate against malicious servers they control.
Once a device authenticates, the malicious server can impersonate the device and gain all of its privileges.
These attacks are significant problems as they could allow a threat actor to gain complete control over the domain.
While Microsoft did not share too many details about the bug, they stated that the fix affected the EFS API OpenEncryptedFileRaw(A/W) function, which indicated that this might be another unpatched vector for the PetitPotam attack.
Confirmed to be part of Petitotam PetitPotam is an NTLM Relay Attack tracked as CVE-2021-36942 that French security researcher GILLES Lionel discovered, aka Topotam, in July.
The PetitPotam attack allowed unauthenticated users to use the EfsRpcOpenFileRaw function of the MS-EFSRPC API to force a device to perform NTLM authentication against attacker-controlled servers.
A demonstration of this attack can be viewed below.
While Microsoft fixed part of the PetitPotam vulnerability in August 2021, there were still unpatched vectors that allowed the bug to be abused by attackers.
When we contacted Microsoft to confirm if the NTLM Relay vector patched this month was related to PetitPotam, they responded with a stock response that did not answer our questions.
“A security update was released in May.
Customers who apply the update, or have automatic updates enabled, will be protected.
We are continuously improving security for our products and encourage customers to turn on automatic updates to help ensure they are protected.” – a Microsoft spokesperson.
However, BleepingComputer has since confirmed that the recently fixed NTLM Relay Attack bug does, in fact, fix an unpatched vector for the PetitPotam attack.
Raphael John, who Microsoft attributes for the discovery of the new NTLM Relay vulnerability, says that he discovered that PetitPotam was still working when conducting pentests in January and March.
However, when he disclosed it to Microsoft, they fixed it under a new CVE rather than the original one assigned to PetitPotam.
"I made it very clear in the report, that it is just PetitPotam and nothing I found out or changed," Raphael John told BleepingComputer in a conversation.
PetitPotam continued to work after Microsoft fixed it because Topotam discovered a bypass to the August security update and added it to his tool in January 2022.
Gilles has confirmed to BleepingComputer that the new security update has now fixed the PetitPotam 'EfsRpcOpenFileRaw' vector, but other EFS vectors still exist, allowing the attack to work.
"All functions of petitpotam, as others vectors, still works except efsopenfileraw," Gilles told BleepingComputer.
As new PetitPotam vectors and other NTML Relay attacks will be discovered in the future, Microsoft suggests that Windows domain admins become familiar with the mitigations outlined in their 'Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)' support document.
Transaction
Created
4 weeks ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
HP FI
LANG_en_hpfixesbuglettingattackersoverwritefirmwareinover200modelsmp4
HP fixes bug letting attackers overwrite firmware in over 200 models
HP has released BIOS updates today to fix two high-severity vulnerabilities affecting a wide range of PC and notebook products, which allow code to run with Kernel privileges.
Kernel-level privileges are the highest rights in Windows, allowing threat actors to execute any command at the Kernel level, including manipulating drivers and accessing the BIOS.
The flaws are tracked as CVE-2021-3808 and CVE-2021-3809, and both have a CVSS 3.1 base score of 8.8, giving them a high severity rating.
At this time, HP has provided no technical details about these flaws.
Top Articles
READ MORE “Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution.
HP is releasing firmware updates to mitigate these potential vulnerabilities,” reads the short advisory.
The list of affected products includes business notebooks like Zbook Studio, ZHAN Pro, EliteBook, ProBook, and Elite Dragonfly, business desktop PCs like the EliteDesk and ProDesk, retail PoS computers like the Engage, workstations like the Z1 and Z2, and thin client PCs.
For a complete list of all the affected models and the corresponding SoftPaqs to use in each case, check the security advisory page and look for your device.
Note that not all of the listed products have received a fixing patch yet.
Researcher discloses more Nicholas Starke, the researcher who discovered these flaws in November 2021, and reported them to HP, explains the problem in greater detail in a separate blog post.
“This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM).
Executing in SMM gives an attacker full privileges over the host to further carry out attacks.” explains a report by Starke.
The problem appears to be that an SMI handler can be triggered from the OS environment, for example, through the Windows kernel driver.
The vulnerable SMI handler (StarkeBlog) An attacker needs to locate the memory address of the “LocateProtocol” function and overwrite it with malicious code.
Finally, the attacker can trigger code execution by instructing the SMI handler to execute.
It's important to underline that to exploit the vulnerability, an attacker would need to have root/SYSTEM level privileges on the target system, and execute code in System Management Mode (SMM).
The ultimate goal of such an attack would be to overwrite the UEFI Implementation (BIOS) of the machine with attacker controlled BIOS images.
This means an attacker could plant persistent malware that can't be removed by antivirus tools, and not even with OS reinstalls.
Finally, it's also crucial to highlight that some HP computer models have mitigations that the attacker would need to bypass in order for the exploit to work, like the HP Sure Start system for example.
The researcher explains that HP Sure Start can detect tampering of this kind and shut down the host upon the memory corruption act.
Then, at first startup, a warning will be displayed to the user along with a prompt to approve the system boot.
HP’s latest fixes come only two months after the computer maker plugged 16 UEFI firmware bugs and three months after addressing a different set of BIOS flaws.
As such, if you haven’t applied the security updates yet, make sure to take a backup of your data on a separate system and do so now.
Transaction
Created
4 weeks ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
GOOGL
LANG_en_googlechromeupdatesfailingonandroiddevicesinrussiamp4
Google Chrome updates failing on Android devices in Russia
A growing number of Android Google Chrome users in Russia are reporting errors when attempting to install the latest update for the web browser.
The number of complaints is increasing every day but so far, the cause of the problem remains unknown and is still unsolved.
According to Russian news outlets and numerous user comments on the Play Store, the issues started on May 9th, 2022, when Google released Chrome version 101 for Android.
Top Articles
READ MORE
READ MORE Those who attempted to install the latest release got an error saying, “Fail to install Google Chrome”.
The message further advises the user to try again and to follow troubleshooting tips if that doesn’t help.
Update error message (Rozetked) Users who thought the problem might get a fix by removing and re-installing Chrome denied adding the browser to their device.
Google had announced that Russian users and developers would be blocked from downloading or updating paid apps from the Play Store starting on May 5, 2022.
However, Chrome is free, so it should be outside this new policy.
Moreover, the error message doesn’t make clear the reason for the failed update, whether it is due to sanctions or a technical problem.
At the same time, Google’s support agent on the Play Store suggests that Russian users find a solution in the Support Community discussions.
BleepingComputer has reached out to Google for a comment or a clarification on the situation, asking for an explanation of the update issue for users in Russia.
We are yet to receive a response and will update the article when we get it.
What Russians can do The situation leaves Russian users of Chrome for Android with several options that might do the trick: stay on the version they’re using
download an APK to install Chrome manually
use a VPN to trick the Play Store into giving them the update
switch to a different browser Keeping an older version comes with security risks as Google fixed 13 vulnerabilities in the latest release, and the list is likely to grow longer in time.
Downloading a the Chrome APK and installing it manually might work fine but users should get the package from a trusted source.
Obviously, the situation creates the perfect conditions for setting up scams and malware-dropping sites that pretend to offer Russians the latest version of Chrome.
Using a VPN to update the device with the latest version of Chrome may be the safest way to get the app, although it violates Play Store’s terms, so it could have your account banned.
Additionally, the few VPN products still available legally in Russia may not work even after clearing the Play Store app's cache.
Considering the above, if switching to a different browser is not desirable, sticking to the older version is likely the surest option to keep using Chrome in Russia.
Transaction
Created
4 weeks ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
CHINE
LANG_en_chinesehackerscaughtexploitinghtmlmp4
Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector
A Chinese-aligned cyberespionage group has been observed striking the telecommunication sector in Central Asia with versions of malware such as ShadowPad and PlugX.
Cybersecurity firm SentinelOne tied the intrusions to an actor it tracks under the name "Moshen Dragon," with tactical overlaps between the collective and another threat group referred to as Nomad Panda (aka RedFoxtrot).
"PlugX and ShadowPad have a well-established history of use among Chinese-speaking threat actors primarily for espionage activity," SentinelOne's Joey Chen said.
"Those tools have flexible, modular functionality and are compiled via shellcode to easily bypass traditional endpoint protection products."
ShadowPad, labeled a "masterpiece of privately sold malware in Chinese espionage," emerged as a successor to PlugX in 2015, even as variants of the latter have continually popped up as part of different campaigns associated with Chinese threat actors.
Although known to be deployed by the government-sponsored hacking group dubbed Bronze Atlas (aka APT41, Barium, or Winnti) since at least 2017, an ever-increasing number of other China-linked threat actors have joined the fray.
Earlier this year, Secureworks attributed distinct ShadowPad activity clusters to Chinese nation-state groups that operate in alignment with the Chinese Ministry of State Security (MSS) civilian intelligence agency and the People's Liberation Army (PLA).
The latest findings from SentinelOne dovetails with a previous report from Trellix in late March that revealed a RedFoxtrot attack campaign targeting telecom and defense sectors in South Asia with a new variant of PlugX malware named Talisman.
Moshen Dragon's TTPs involve the abuse of legitimate antivirus software belonging to BitDefender, Kaspersky, McAfee, Symantec, and Trend Micro to sideload ShadowPad and Talisman on compromised systems by means of a technique called DLL search order hijacking.
In the subsequent step, the hijacked DLL is used to decrypt and load the final ShadowPad or PlugX payload that resides in the same folder as that of the antivirus executable.
Persistence is achieved by either creating a scheduled task or a service.
The hijacking of security products notwithstanding, other tactics adopted by the group include the use of known hacking tools and red team scripts to facilitate credential theft, lateral movement and data exfiltration.
The initial access vector remains unclear as yet.
"Once the attackers have established a foothold in an organization, they proceed with lateral movement by leveraging Impacket within the network, placing a passive backdoor into the victim environment, harvesting as many credentials as possible to insure unlimited access, and focusing on data exfiltration," Chen said.
Transaction
Created
4 weeks ago
Content Type
Language
video/mp4
English
Controlling
VIDEO
SEC P
LANG_en_secplanstohiremorestaffincryptohtmlmp4
SEC Plans to Hire More Staff in Crypto Enforcement Unit to Fight Frauds
The U.S. Securities and Exchange Commission (SEC) on Tuesday announced that it will expand and rebrand its Cyber Unit to fight against cyber-related threats and protect investors in cryptocurrency markets.
To that end, the SEC is renaming the Cyber Unit within the Division of Enforcement to Crypto Assets and Cyber Unit and plans to infuse 20 additional positions with the goal of investigating wrongdoing in the crypto markets.
The goal, per the agency, is to tackle cryptocurrency fraud and crackdown on malicious actors attempting to profit from crypto marketplaces.
The Cyber Unit was instituted in September 2017 with a focus on addressing cyber-based threats and protecting retail investors.
But given the dramatic evolution of the digital assets markets in recent years, the new unit is expected to focus on securities law violations pertaining to - Additionally, the unit also aims to take action against SEC registrants and public companies for lapses in cybersecurity controls and for failing to appropriately disclose data breaches and other security incidents.
The cyber team is said to have brought more than 80 enforcement actions related to fraudulent and unregistered crypto asset offerings and platforms since 2017, resulting in $2 billion in monetary relief for investors, according to SEC.
"Crypto markets have exploded in recent years, with retail investors bearing the brunt of abuses in this space.
Meanwhile, cyber-related threats continue to pose existential risks to our financial markets and participants," said Gurbir S. Grewal, Director of the SEC's Division of Enforcement.
"The bolstered Crypto Assets and Cyber Unit will be at the forefront of protecting investors and ensuring fair and orderly markets in the face of these critical challenges."
Transaction
Created
4 weeks ago
Content Type
Language
video/mp4
English