By Deeba Ahmed
Palo Alto's Unit 42 Reveals Chinese APT Spying on 24 Cambodian Government Entities as Part of Long-Term Cyberespionage.
This is a post from HackRead.com Read the original post: Chinese APT Posing as Cloud Services to Spy on Cambodian Government

Cybersecurity researchers are confident that the targeted organizations are “still compromised” by “two prominent Chinese APT” groups.

Palo Alto Networks’ Unit 42 cybersecurity researchers have discovered that Chinese APT groups could be involved in a long-term espionage campaign against Cambodian government organizations using infrastructure masqueraded as cloud backup services.

According to the Unit 42 report, researchers noted network connections—specifically inbound connections—primarily originating from 24 Cambodian government organizations.

The researchers also believe that these organizations are ‘still compromised’ by ‘two prominent Chinese APT’ actors due to the infrastructure’s characteristics and the enduring persistence of these connections over several months.

It is worth noting that the certainty about the involvement of two **Chinese APT groups** stemmed from monitoring telemetry data, which established a clear link with these groups.

“We assess that these organizations are likely the targets of long-term cyberespionage activities that have leveraged this infrastructure for persistent access to government networks of interest,” said the Santa Clara, California-based cybersecurity giant.

These organizations were communicating regularly with the infrastructure between September and October 2023. Many of these organizations provided critical services to the following industries.

*   Politics
*   Commerce
*   Human rights
*   National defense
*   Election oversight
*   Natural resources
*   Telecommunications
*   National treasury and finance

The research emerged just days after **Canada banned the Chinese WeChat app** from all government devices due to spying concerns, prompting employees to promptly uninstall the application.

Researchers noted that organizations in these sectors could be targets of interest because of storing vast amounts of sensitive information, including financial data, classified government data, and PII (personally identifiable information) of citizens. They discovered at least six target-facing IP addresses used in the campaign, each hosting numerous subdomains. 

These domains were masqueraded as cloud storage services, which is the perfect alibi to create a sense of legitimacy to the unusually high traffic the server may observe during “high activity levels from the actor, such as data exfiltration from the victim network,” researchers wrote in their **blog post**.

Moreover, they had “high confidence” that these IP addresses served as the C2 infrastructure for the actor, and running the Cowrie honeypot on port 2222. Most likely, this honeypot was a cover to trick network defenders and security researchers investigating the “anomalous activity.”

In addition, they observed IP filtering on this infrastructure. It was used for blocking connections from IP ranges from known Palo Alto Networks several Big Tech and cybersecurity firms, and a number of VPS and cloud hosting providers. 

These C2 ports open only when the actor is active (between 08:30 and 17:30 UTC +08:00 (China Standard Time) on weekdays (Monday to Friday)) and remain closed otherwise. This means the actor is filtering connections to the malicious infrastructure to reduce the risk of C2 profiling by IP scanners or to evade detection.

Infrastructure overview of the Chinese APT groups (Unit42)

“This pattern might indicate the actor is attempting to avoid detection by blending into regular Cambodian business hours which are UTC +07:00.”

However, between September 29-October 8 2023, during China’s Golden Week and Special Working Days, the APT actors ceased their activity. This suggests that the attackers are based in **China** and following the country’s regular working hours, thus, validating Unit 42’s assessment regarding the attackers.

It is worth noting that Cambodia is **among** the signatories of the Chinese Belt and Road Initiative. The countries share strong economic and diplomatic relations. China has made significantly high investments to **modernize** Cambodia’s Ream Naval Base, despite that the project sparked **concerns** within the West. After completion, this base will become China’s first overseas outpost in Southeast Asia. This indicates that Cambodia is an important ally of China.

****_RELATED ARTICLES_****

1.  **Who Killed the IoT Zombie Mozi Botnet – China or India?**
2.  **Chinese Scammers Use Fake Loan Apps for Money Laundering**
3.  **Chinese Silent Skimmer Attack Hits Businesses in APAC and NALA regions**
4.  **Chinese Hackers Stole 60,000 US State Department Emails from Microsoft**
5.  **Chinese Smishing Triad Gang Hits US Users in Extensive Cybercrime Attack**
6.  **Chinese Hackers Stole Microsoft’s Signing Key to Breach Outlook Accounts**

Chinese APT Posing as Cloud Services to Spy on Cambodian Government

By Deeba Ahmed
esearchers have labeled this as the "ultimate cryptominer."
This is a post from HackRead.com Read the original post: Microsoft Azure Exploited to Create Undetectable Cryptominer

SafeBreach Labs’ researchers have successfully exploited MS Azure Automation Service to develop the first Free and Undetectable Cryptocurrency miner.

**Cryptomining** can cause harm if someone unauthorized does it on a regular person’s device. SafeBreach Labs found that researchers can use trustworthy, widely-used software to mine cryptocurrency without using many resources or incurring costs.

In a report shared with _Hackread.com_ ahead of publication on Wednesday, SafeBreach researchers demonstrated this by creating the first completely undetectable cryptominer that operates freely using Microsoft Azure’s Automation service. This service is specifically made to automate cloud-management tasks, eliminating the need for building or maintaining infrastructure. Users only need to provide the scripts for execution.

In a blog post by Ariel Gamrian, three methods for running a cryptocurrency miner on **Microsoft Azure** servers without detection or charges were discovered. SafeBreach Labs’ researchers referred to this as the ultimate cryptominer.

They found that the Azure automation service allows the uploading of custom Python packages, which are then utilized within the runbook scripts. Whenever a package is uploaded, the service silently installs it in the background to ensure successful installation and prevent runbook execution problems. The researchers from SafeBreach Labs exploited this behaviour to develop the cryptominer successfully.

“We knew that code could not be directly executed on a .whl file installation, but we could assume what command was used in the background for installation. We assumed the .whl file would be installed by the pip executable already installed in the Automation Account using the command “pip install “pip install <whl\_file>,” **explained** Gamrian.

“If our assumptions were correct, we could create a malicious package named “pip” and upload it to the Automation Account. The upload flow would replace the current pip in the Automation account.”

Once the custom pip was stored in the Automation account, the service automatically employed it whenever a package was uploaded. Leveraging this flow, the researchers managed to execute code. They ran this in a temporary sandboxed environment, obtaining an access token that represented the Automation Account’s assigned identity. This token allowed them to make requests on behalf of that identity, almost entirely obscuring any trace back to them.

Additionally, researchers found that they could achieve code execution by utilizing the Powershell module upload flow. This involved creating a Powershell module file containing the desired code for upload. While exploring the pricing, they discovered that the feature’s pricing details were not documented.

To determine the cost, they had to manually identify the code runtime and the associated flow cost. To test this, they initiated 55 import flows simultaneously, which theoretically accounted for approximately 10,000 minutes of runtime considering the three-hour import flow limitation.

A short demo about package upload shared by SafeBreach

After a month, they checked and found they were not charged anything, confirming that their developed cryptominer incurred no charges and was maintenance-free. Subsequently, they developed a tool named CloudMiner, enabling anyone to execute code for free on Azure using the same technique. Users only need to provide the Python or Powershell script they wish to execute and grant access to their Automation Account, and the tool will manage the rest.

CloudMiner in action (SafeBreach)

This research could significantly impact not only **crypto mining** but also other domains requiring code execution on Azure. Users can obtain cryptocurrency through various means, such as online exchanges, as payment, or by mining virtually.

Mining is a favoured method for earning crypto, involving a network of computers that verify and secure blockchains and digital ledgers recording crypto transactions. Miners are rewarded with new coins within this self-sustaining cycle, making it a preferred avenue for scammers.

The researchers reported their findings to the Microsoft Security Response Center, but no Common Vulnerabilities and Exposures (**CVEs**) were issued. However, the software company acknowledged the issue in their Security Researcher Acknowledgements for Microsoft Online Services. Subsequently, they addressed and resolved the Python 3.10 free runtime issue.

****_RELATED ARTICLES_****

1.  **Mirai botnet exploiting Azure OMIGOD vulnerabilities**
2.  **Sensitive source codes exposed in Microsoft Azure Blob account leak**
3.  **Researchers accessed primary keys of Azure’s Cosmos DB customers**
4.  **SolarWinds hackers accessed source code of Azure, Exchange, Intune**
5.  **240 top Microsoft Azure-hosted subdomains hacked to spread malware**
6.  **CISA’s Sparrow.ps1 tool detects malicious activity on Azure, Microsoft 365**

Microsoft Azure Exploited to Create Undetectable Cryptominer

By Waqas
BlueNoroff is a subgroup of the larger North Korean state-backed group called Lazarus.
This is a post from HackRead.com Read the original post: Lazarus-Linked BlueNoroff APT Targeting macOS with ObjCShellz Malware

The threat actor has a history of targeting cryptocurrency exchanges, venture capital firms, and banks.

Jamf Threat Labs’ security experts have discovered a new malware variant attributed to the BlueNoroff APT group. According to the company’s blog post published on 7 November 2023, this campaign, like BlueNoroff’s previous campaigns, seems to be financially motivated.

The threat actor has a history of targeting cryptocurrency exchanges, venture capital firms, and banks. BlueNoroff is a subgroup of the larger North Korean state-backed group called Lazarus.

The malware, dubbed ObjCShellz, is part of the RustBucket campaign, researchers believe. It is a later-stage malware variant of BlueNoroff’s RustBucket malware, because of their similar characteristics.

For your information, a later-stage malware is one that’s executed after the attacker has gained initial access and used for data exfiltration, lateral movement within the network, or maintaining persistence.

The malware was discovered while performing routine threat hunting. Further probing revealed that it was a Mach-O universal binary communicating with a domain (swissborgblog registered on May 31, 2023) that the company had previously classified as malicious because it was a fake version of the original domain (swissborg.com). The attackers created a **fake crypto exchange website** on this fake domain to trick users.

The malware is ad-hoc signed and can split its C2 URL into two different strings to evade detection. The IP address researchers detected (104.168.214151) was also linked to the same APT actor from their previous campaigns.

 “We have observed submissions to VirusTotal from countries such as Japan and the US in September and October” researchers noted in their **blog post**.

ObjCShellz is written in Objective-C, a programming language used for macOS applications. It is used as a macOS implant that establishes C2 communication after infiltrating the device and downloads/executes multiple payloads.

ObjCShellz is a lightweight malware featuring advanced obfuscation features. It operates as a simple remote shell and executes shell commands received from the C2 server. The malware sends a POST message to the fake URL version and gains information about the malware process before retrieving the operatingSystemVersionString to find out the macOS version.

Researchers could not determine how initial access was achieved. However, they are sure that this is a later-stage malware used in this multi-stage attack to run remote shell commands manually on Intel and Arm Macs.

The threat actor generally reaches out to victims as an investor or creates domains belonging to a legitimate crypto exchange. In this campaign too, the attacker contacts the victims as a head hunter or investor, offering them something beneficial or a partnership. Despite being simple, this malware is very functional and can allow threat actors to carry out a range of malicious objectives.

Hackread.com has observed a continuous surge in attacks against macOS devices and BlueNoroff’s **activities**. Earlier in November, Elastic Security Labs **detected** Lazarus group using a new macOS malware dubbed KandyKorn, targeting cryptocurrency users and blockchain engineers.

Back in 2021, AT&T Alien Labs researchers **discovered that** threat actors were harnessing malware-infected Macs and Windows devices as proxy exit nodes to reroute proxy requests. In December 2022, Kaspersky researchers **reported** that BlueNoroff is targeting cryptocurrency-related financial entities worldwide with new, sophisticated malware strains and 70 fake domains of venture capital firms and banks.

To protect against ObjCShellz malware, organizations must keep software and operating systems patched against new security flaws, use EDR (endpoint detection and response) solutions to monitor network activities, and employ network segmentation strategies to limit malware distribution by isolating critical systems.

Cybersecurity expert at the California-based **Menlo Security** browser security provider firm, Mr. Ngoc Bui, shared his findings on the BlueNoroff APT actor exclusively with Hackread.com. Bui noted that it has been active since 2016-2017 and its key targets are financial entities in Europe and North America. 

“BlueNoroff is a North Korean-backed advanced persistent threat (APT) group that has been active since at least 2016/2017. The group is known for targeting cryptocurrency exchanges, venture capital firms, and banks in North America and Europe,” explained Bui BlueNoroff’s attacks are typically financially motivated, and the group has been known to use a variety of malware and techniques to steal sensitive data and funds from its victims.”

About their malware RustBucket, Bui noted that this backdoor is written in rust and collects basic system details before contacting the C2. 

“RustBucket is a backdoor written in rust. The backdoor collects basic system information and communicates to the URL provided via the command line. Supported backdoor commands include file execution and exit. RustBucket is a malware campaign also attributed to BlueNoroff, first uncovered in 2021. It uses phishing emails posing as job recruiters to infect targets with backdoor malware that can steal data and remotely control infected systems,” Bui said.

Bui believes that Jamf Threat Labs’ discover holds significance because it highlights that the actor is continually improving its malware strains. 

“The discovery of the new malware strain by Jamf Threat Labs is significant because it shows that BlueNoroff is continuing to develop new and sophisticated malware. The fact that the malware was undetected by VirusTotal at the time of uploading suggests that BlueNoroff is taking steps to evade detection. For North Korea, this is a big deal if you have been following the different APTs and activities from that country.”

Bui noted that ObjCShellz is a big threat for macOS users “because it is disguised as legitimate software and can be difficult to detect. The malware can also steal sensitive data, such as cryptocurrency wallets and passwords. And a low detection rate means it may get past AV.”

Colorado-based cybersecurity advisory services provider **Coalfire**’s vice president Andrew Baratt told Hackread.com that it is hard to draw definite linkages between malware.

“It’s hard to really draw official linkages between malware that shares commonalities as many disparate threat actors borrow and steal from other malware campaigns. Copying legit sites is a fairly common tactic to evade detection on the C2 side of a malicious capability.” 

“We’ve been pointing out for some time that VirusTotal (VT) is only as good as its first observation time, and if malware authors are building up offline testing capabilities, the time it takes for detection is going to be much more significant. We also potentially have the signs of AI usage creeping into malware development,” said Baratt.

Historically, it can be seen in VT as it has been used as a test run for a piece of malware – as a cross over for detection -then multiple iterations are used until evasion is achieved. The challenge for the malware is that this creates a timeframe and VT, now owned by Google, has a window of advantage to do further analysis. If they’re using generative AI to help modify the malware, there is a real potential for new evasion techniques to be used with a reasonably high degree being under the purview of VT,” Baratt explained.

****_RELATED ARTICLES_****

1.  **MacStealer: A New Malware Targeting macOS Catalina Devices**
2.  **New macOS malware XcodeSpy found sneaking into spy on victims**
3.  **Linux, Windows and macOS Hit By New “Alchimist” Attack Framework**
4.  **Researchers Leverage ChatGPT to Expose Notorious macOS Malware**
5.  **UpdateAgent malware variant impersonates legitimate macOS software**

Lazarus-Linked BlueNoroff APT Targeting macOS with ObjCShellz Malware

By Waqas
Jamf Threat Labs’ security experts have discovered a new malware variant attributed to the BlueNoroff APT group. According…
This is a post from HackRead.com Read the original post: BlueNoroff APT Targets macOS with new RustBucket Malware Variant

Jamf Threat Labs’ security experts have discovered a new malware variant attributed to the BlueNoroff APT group. According to the company’s blog post published on 7 November 2023, this campaign, like BlueNoroff’s previous campaigns, seems to be financially motivated. The threat actor has a history of targeting cryptocurrency exchanges, venture capital firms, and banks. BlueNoroff is a subgroup of the larger North Korean state-backed group called Lazarus.

The malware, dubbed ObjCShellz, is part of the RustBucket campaign, researchers believe. It is a later-stage malware variant of BlueNoroff’s RustBucket malware, because of their similar characteristics. For your information, a later-stage malware is one that’s executed after the attacker has gained initial access and used for data exfiltration, lateral movement within the network, or maintaining persistence.

The malware was discovered while performing routine threat hunting. Further probing revealed that it was a Mach-O universal binary communicating with a domain (swissborgblog registered on May 31, 2023) that the company had previously classified as malicious because it was a fake version of the original domain (swissborg.com). The attackers created a fake crypto exchange website on this fake domain to trick users.

The malware is ad-hoc signed and can split its C2 URL into two different strings to evade detection. The IP address researchers detected (104.168.214151) was also linked to the same APT actor from their previous campaigns.

 “We have observed submissions to VirusTotal from countries such as Japan and the US in September and October” researchers noted.

ObjCShellz is written in Objective-C, a programming language used for macOS applications. It is used as a macOS implant that establishes C2 communication after infiltrating the device and downloads/executes multiple payloads. It is a lightweight malware featuring advanced obfuscation features. It operates as a simple remote shell and executes shell commands received from the C2 server. The malware sends a POST message to the fake URL version and gains information about the malware process before retrieving the operatingSystemVersionString to find out the macOS version.

Researchers could not determine how initial access was achieved. However, they are sure that this is a later-stage malware used in this multi-stage attack to run remote shell commands manually on Intel and Arm Macs.

The threat actor generally reaches out to victims as an investor or creates domains belonging to a legitimate crypto exchange. In this campaign too, the attacker contacts the victims as a head hunter.investor, offering them something beneficial or a partnership. Despite being simple, this malware is very functional and can allow threat actors to carry out a range of malicious objectives.

Hackread.com has observed a continuous surge in attacks against macOS devices and BlueNoroff’s activities. Earlier in November, Elastic Security Labs detected Lazarus group using a new macOS malware dubbed KandyKorn, targeting cryptocurrency users and blockchain engineers. Back in 2021, AT&T Alien Labs researchers discovered that threat actors were harnessing malware-infected Macs and Windows devices as proxy exit nodes to reroute proxy requests. In December 2022, Kaspersky researchers reported that BlueNoroff is targeting cryptocurrency-related financial entities worldwide with new, sophisticated malware strains and 70 fake domains of venture capital firms and banks.

To protect against ObjCShellz malware, organizations must keep software and operating systems patched against new security flaws, use EDR (endpoint detection and response) solutions to monitor network activities, and employ network segmentation strategies to limit malware distribution by isolating critical systems.

Cybersecurity expert at the California-based Menlo Security browser security provider firm, Mr. Ngoc Bui, shared his findings on the BlueNoroff APT actor exclusively with Hackread.com. Bui noted that it has been active since 2016-2017 and its key targets are financial entities in Europe and North America. 

“BlueNoroff is a North Korean-backed advanced persistent threat (APT) group that has been active since at least 2016/2017. The group is known for targeting cryptocurrency exchanges, venture capital firms, and banks in North America and Europe. BlueNoroff’s attacks are typically financially motivated, and the group has been known to use a variety of malware and techniques to steal sensitive data and funds from its victims.”

About their malware RustBucket, Bui noted that this backdoor is written in rust and collects basic system details before contacting the C2. 

“RustBucket is a backdoor written in rust. The backdoor collects basic system information and communicates to the URL provided via the command line. Supported backdoor commands include file execution and exit. RustBucket is a malware campaign also attributed to BlueNoroff, first uncovered in 2021. It uses phishing emails posing as job recruiters to infect targets with backdoor malware that can steal data and remotely control infected systems,” Bui explained.

Bui believes that Jamf Threat Labs’ discover holds significance because it highlights that the actor is continually improving its malware strains. 

“The discovery of the new malware strain by Jamf Threat Labs is significant because it shows that BlueNoroff is continuing to develop new and sophisticated malware. The fact that the malware was undetected by VirusTotal at the time of uploading suggests that BlueNoroff is taking steps to evade detection. For North Korea, this is a big deal if you have been following the different APTs and activities from that country.”

 Bui noted that ObjCShellz is a big threat for macOS users “because it is disguised as legitimate software and can be difficult to detect. The malware can also steal sensitive data, such as cryptocurrency wallets and passwords. And a low detection rate means it may get past AV.”

Colorado-based cybersecurity advisory services provider Coalfire’s vice president Andrew Baratt told Hackread.com that it is hard to draw definite linkages between malware.

“It’s hard to really draw official linkages between malware that shares commonalities as many disparate threat actors borrow and steal from other malware campaigns. Copying legit sites is a fairly common tactic to evade detection on the C2 side of a malicious capability.” 

“We’ve been pointing out for some time that VirusTotal (VT) is only as good as its first observation time, and if malware authors are building up offline testing capabilities, the time it takes for detection is going to be much more significant. We also potentially have the signs of AI usage creeping into malware development. Historically, it can be seen in VT as it has been used as a test run for a piece of malware – as a cross over for detection -then multiple iterations are used until evasion is achieved. The challenge for the malware is that this creates a timeframe and VT, now owned by Google, has a window of advantage to do further analysis. If they’re using generative AI to help modify the malware, there is a real potential for new evasion techniques to be used with a reasonably high degree being under the purview of VT,” Baratt stated.

BlueNoroff APT Targets macOS with new RustBucket Malware Variant

By Waqas
The hacker responsible for this leak is the same individual who previously leaked databases from InfraGard and Twitter.
This is a post from HackRead.com Read the original post: Hacker Leaks 35 Million Scraped LinkedIn User Records

The scraped LinkedIn database was leaked in two parts: one part contained 5 million user records, while the second part contained 35 million records.

A LinkedIn database, holding the personal information of over 35 million users, was leaked by a hacker operating under the alias USDoD. The database was leaked on the infamous cybercrime and hacker platform, **Breach Forums**.

It is important to note that USDoD is the same hacker responsible for breaching the FBI’s security platform InfraGard last year and disclosing the personal details of 87,000 of its members.

The hacker confirmed in a post on Breach Forums that the most recent LinkedIn database was obtained through **web scraping**. Web scraping is an automated process utilized by software to extract data from websites, primarily for gathering specific information from web pages.

The data was leaked in two parts (Screenshot: Hackread.com)

Regarding the contents of the data, as observed by _Hackread.com_, the database predominantly comprises publicly available information from **LinkedIn** profiles, containing full names and profile bios. Although the database contains millions of email addresses, it’s a relief to note that no passwords are included in the leaked data.

The screenshot below shows email addresses included in the breach belong to high-ranking US government officials and institutions. Additionally, email addresses from various government agencies worldwide have also been identified.

(Screenshot: Hackread.com)

****Legitimacy of LinkedIn Data: Authentic or Fraudulent?****

Troy Hunt of HaveIBeenPwned **analysed** over 5 million accounts from the database and concluded that it includes a mixture of information from various sources such as public LinkedIn profiles, fabricated email addresses, and other sources. Troy emphasizes that while some of the data might be anecdotal or partially fabricated, the people, companies, domains, and many email addresses are real.

_“_Because the conclusion is that there’s a significant component of legitimate data in this corpus, I’ve loaded it into HIBP,_“_ Hunt explained. _“_But because there are also a significant number of fabricated email addresses in there, I’ve flagged it as a spam list which means the addresses won’t impact the scale of anyone’s paid subscription if they’re monitoring domains._“_

The LinkedIn database has been identified and labelled as “scraped and fabricated data” on HIBP

This however is not the first time when LinkedIn’s scrapped database has been leaked online. In April 2021, a threat actor was selling 2 scraped LinkedIn databases with 500 million and 827 million records. In June 2021, a hacker sold a scrapped LinkedIn database containing data of 700 million users.

****_RELATED ARTICLES_****

1.  **Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack**
2.  **Twitter Scraping Breach: 209M Accounts Leaked on Hacker Forum**
3.  **API Misuse: Hacker Exposes 2.6M Duolingo Users’ Emails & Names**
4.  **Meta Fined €265 million in Facebook Data Scraping Case in the EU**
5.  **Data scraping firm leaks 235m Instagram, TikTok, YouTube user data**

Hacker Leaks 35 Million Scraped LinkedIn User Records

By Waqas
You reap what you sow!
This is a post from HackRead.com Read the original post: US Man Sentenced to Over 21 Years for Dark Web Distribution of CSAM

In April 2023, Austen Peppers from Lawton, Oklahoma, pleaded guilty to advertising and distributing child sexual abuse material (CSAM) on the dark web.

Austen Peppers, a 36-year-old resident of Lawton, Oklahoma, faced the gavel and received a sentencing of 21 years and 10 months in prison, followed by 15 years of supervised release. This judgment came after Peppers was **found guilty** in April 2023, of the advertising and distribution of child sexual abuse material (CSAM) on the dark web, as announced by U.S. Attorney Phillip A. Talbert.

The distribution of CSAM has emerged as a significant challenge for law enforcement, exacerbated by AI services capable of generating harmful images. Recently, the Internet Watch Foundation, a UK-based internet watchdog, **revealed that** cybercriminals are turning to generative AI platforms to create child sexual abuse material (CSAM).

The court documents unveiled a disturbing timeline spanning from March 2018 to August 2019, during which Peppers was involved in the sale and solicitation of images portraying minors subjected to sexual abuse. His transactions were executed in the shadows of the **dark web**, employing cryptocurrency, and utilizing platforms that he believed shielded him from law enforcement scrutiny.

Peppers also engaged in explicit conversations with individuals he believed were minors, persuading them to create sexually explicit self-images. Shockingly, Peppers accumulated an extensive library of thousands of images and videos depicting children suffering sexual abuse.

According to a **press release** from the US Department of Justice (DoJ),, Austen Peppers has been in confinement since his initial appearance in court on November 14, 2019. As part of the sentencing, Peppers was also directed to pay restitution of $57,000 to 19 victims who suffered due to his vile actions.

This case highlights the dangers posed by individuals utilizing the anonymity of the dark web for criminal activities, especially those exploiting and abusing minors. Engaging in illegal activities, particularly heinous crimes such as the distribution of CSAM, on the dark web is a serious offence that should be strictly avoided.

Hackread.com has consistently cautioned users about the dangerous nature of the illicit sections of the dark web, emphasizing the importance of refraining from engaging in unlawful actions while navigating its depths. To gain a deeper understanding of the potential risks and the activities that should be avoided on the dark web, you can explore further details **here**.

****_RELATED ARTICLES_****

1.  Dark Web’s worst pedophile sentenced to 32 years in prison
2.  NHS Psychiatrist Jailed; Dark Web Forum and 7,000 Images Seized
3.  Creators of dark web chat room arrested for facilitating child abuse
4.  210 days prison for crypto CEO who held 13k child abuse, beastiality files
5.  School Principal Gets 9 Years in Prison for Trading Nude Pictures of Students

US Man Sentenced to Over 21 Years for Dark Web Distribution of CSAM

By Deeba Ahmed
GootBot: New Gootloader Variant Evades Detection with Stealthy Lateral Movement.
This is a post from HackRead.com Read the original post: IBM X-Force Discovers Gootloader Malware Variant- GootBot

The original Gootloader malware was used by numerous threat groups, including ransomware affiliates and in additional payloads like SystemBC and IcedID.

IBM X-Force has discovered a new variant of the notorious **Gootloader malware**, dubbed GootBot. This malware performs stealthy lateral movement, which complicates the detection or blocking of the campaign within enterprise networks.

According to the **blog post** authored by Golo Mühr and Ole Villadsen, the Gootloader group implements their custom bot in the latter stages of this attack chain to evade detection, using off-the-shelf tools for establishing C2 communication, such as RDP or CobaltStrike.

Gootloader malware was initially used only as an initial access tool and evolved considerably over time to include GootBot, a lightweight obfuscated PS script. It is downloaded after the Gootloader infection and receives commands via C2 through encrypted PowerShell scripts.

For your information, the Gootloader group (aka UNC2565 or Hive0127) first surfaced in 2014 and focused more on SEO poisoning techniques and compromised WordPress websites to distribute the Gootkit-based Gootloader malware. Tanium’s director of endpoint security research, Melissa Bischoping, explained how **SEO poisoning** works. 

One of the hacked websites used in delivered Gootloader malware (Image: Sophos)

“SEO poisoning drives users to malicious payloads by manipulating the search results for key terms. Most security awareness training focuses heavily on phishing and other methods where an attacker sends something to the user. There’s a false sense of security that people place in search result top rankings and an outdated mindset that the lock on the address bar means a site is safe.”

Hackread.com has been following the Gootloader group’s activities since its emergence. The group frequently targets business-related online searchers like queries about legal contracts, creating legit-looking websites, and positioning them on the first page of search results. Once the user visits the page, they entice them into downloading archive files, which appear harmless and relevant to their queries but actually contain Gootloader malware.

In March 2021, Sophos cybersecurity firm **confirmed** that Gootloader has evolved into a sophisticated loader framework from serving as an initial access point, revealing that its delivery method had expanded beyond the Gootkit malware family. As an initial access point, Gootloader malware was used by numerous threat groups, including ransomware affiliates and in additional payloads like SystemBC and IcedID.  

GootBot is a novel Gootloader variant. It is a PowerShell payload encapsulating a single C2 server address. Its strings use a replacement key to conduct mild obfuscation. The malware, just like Gootloader, sends a GET request to the C2 server, requesting PowerShell tasks, and gets a string comprising a Base64-encoded payload.

The last 8 digits of the code are the task’s name. It then decodes the payload and injects it into the script block before executing it. The payload runs asynchronously, maintaining a default beaconing interval of 60 seconds. When it receives a C2 task, the next loop iteration starts, and for completed jobs, the results are returned.

GootBot is designed for lateral movement within the network, noted X-Force researchers. Its C2 infrastructure can quickly generate numerous GootBot payloads for distribution, each having a unique C2 address, and can cause multiple infections of the same host. It also runs a reconnaissance script and contains a unique GootBot ID for the host.

This effective malware lets attackers swiftly propagate across the compromised network to deploy additional malicious software. Unlike Gootloader, GootBot spreads through infected domains to reach the domain controller. This indicates a shift in attack tactics from Gootloader operators and enhances the success rate of post-exploitation stages, including Gootloader-based ransomware affiliate activity.

The malware is capable of extracting domain user name, and OS details from the registry key, checks for x86 dir and int ptr size if 64bit architecture is detected, and obtains information about domain controllers from registry and ENV var, SID, local IP address, hostname, and running processes. The data gets formatted with the specified ID.

The emergence of the GootBot variant highlights that attackers are employing sophisticated methods to stay undetected and spread laterally across the network. Lateral-movement scripts are possible through various techniques, such as WinRM, SMB, and WinAPI calls, to spread the payload to other hosts.

Infection diagram

Organizations must implement advanced security mechanisms, including endpoint detection and response (EDR) solutions and regularly updating software to prevent the threat. Bugcrowd cybersecurity firm’s founder and chief strategy officer, **Casey Ellis**, shared the following statement with Hackread.com regarding the current Gootloader campaign.

“This all strikes me as a very organized and thoughtful initial access broker (IAB). Their watering-hole style deployment of malicious SEO isn’t particularly targeted, however, it suits the opportunistic attack model of an IAB quite well. For defenders, it’s important to remember that organized cybercrime is continuing to evolve, stratify, and mature and that the threat actor behaviours now include this type of long, wide game.”

Keeper Security’s CEO and co-founder, **Darren Guccione**, in an exclusive statement shared with Hackread.com, noted that it is hard for innocent users to distinguish between authentic and fabricated search results, which makes SEO poisoning so successful.

“Innocent people who are not trained on SEO (Search Engine Optimization) and SEO-related attack vectors, including SEO poisoning, generally focus on the aesthetics of the search results page they are familiar with such as the domain name and the logos displayed. Often, threat actors will use language like “Official Website” to lure people into clicking a dangerous link or visiting a spoofed site that can download Gootloader or other malware onto their device.”

However, some scrutiny can prove beneficial in detecting malicious websites, said Guccione. “Phony or spoofed websites will usually have a different website address than the official company name and can also use different domain extensions than the one for the legitimate website. The majority of popular websites use the domain extension .com,” explained Guccione. 

“If you visit a site, pay special attention to the domain itself and if it appears to be abnormally long or unrecognizable based on your normal search activity, it’s best to ignore it – and not click on any link. Online tools such as a Google Transparency Report can also be used to determine whether a site is safe.”

1.  Google Algorithm Updates vs SEO Strategies
2.  How Can SEO Help Increase Website Security?
3.  Google Indexed Trove of Bard AI User Chats in Search Results
4.  Ad-blocker Chrome extension AllBlock injected ads in Google searches
5.  Malicious Chrome, Edge extensions manipulating Google search results

IBM X-Force Discovers Gootloader Malware Variant- GootBot

By Waqas
Some of the most prominent victims of the data breach include Cloudflare, 1Password, and BeyondTrust.
This is a post from HackRead.com Read the original post: Okta Breach Linked to Employee’s Google Account, Affects 134 Customers

Okta’s investigation determined the breach to be associated with a Google account belonging to one of the company’s employees.

In a recent update following the initial data breach announcement made in October 2023, Okta, a prominent identity and access management (IAM) provider, disclosed that the number of affected customers has now reached 134. This breach enabled threat actors to gain unauthorized access to files.

“Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks,” David Bradbury, Okta’s chief security officer explained in Friday’s November 4th update.

Between September 28 and October 17, 2023, Okta encountered a sophisticated attack, wherein a threat actor accessed Okta’s support case management system by compromising a stolen account. Afterwards, the threat actor gained the ability to view, update support cases, and extract sensitive data, which included session tokens.

On October 19, Okta became aware of the breach following a notification from one of its customers, BeyondTrust, regarding suspicious activities. Among the prominent customers affected by the breach are Cloudflare and 1Password. Pedro Canahuati, the CTO of 1Password, disclosed the incident, confirming that threat actors were unable to access or extract user data during the attack.

****Google Account Connection****

Originally, the incident was thought to occur as a threat actor accessed an IT employee’s Okta session token by leveraging a stolen credential, thus gaining entry into 1Password’s Okta administrative portal. However, Bradbury later revealed that the investigation determined the breach to be associated with a Google account belonging to one of the company’s employees.

“Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop,” Bradbury said. “The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.”

As to why it took two weeks for Okta to address the issue, Bradbury further explained that “Okta didn’t find any suspicious downloads in their system logs.” They noted that when someone looks at files attached to a support case, there’s a special record in their logs. But if a person goes directly to the Files section in the customer support system, it creates a different record. The attackers used this method in their attack.

“Okta first looked into access to support cases and then checked the logs related to those cases. On October 13, 2023, BeyondTrust gave Okta Security an IP address linked to the attackers. With this information, Okta found more file access events tied to the compromised account,” said Bradbury.

In a comment to Hackread.com, Tal Skverer, Research Team Lead at Astrix Security, discussed the use of personal accounts on devices issued by the company stating that “Service accounts skip security measures that normal accounts are subject to, such as MFA, therefore; their credentials are extremely vulnerable.”

“It is with utmost importance that service accounts follow the least privilege principle. Skverer emphasised. “To limit their permissions, their usage should be limited to very unique functionalities.”

The Okta breach is a major concern for the cybersecurity community, as Okta is a trusted IAM provider for many organizations, including Fortune 500 companies and government agencies. The breach also highlights the growing sophistication of threat actors and the need for organizations to take steps to protect their data from increasingly targeted attacks.

Nevertheless, the latest security breach at Okta serves as the second cyberattack on the company. In March 2022, LAPSUS$ hackers claimed to have breached Okta and Microsoft after leaking a trove of their data on Telegram.

****What Organizations Can Do to Protect Themselves****

Organizations can take a number of steps to protect themselves, including:

*   **Implement strong password policies and require users to use multi-factor authentication (MFA).** MFA adds an extra layer of security to user accounts by requiring users to provide a second form of authentication, such as a code from their phone, in addition to their password.
*   **Regularly update security software and patches.** Software developers release security updates to patch known vulnerabilities. By regularly updating their software and patches, organizations can help to reduce the risk of being exploited by attackers.
*   **Educate employees about cybersecurity best practices.** Employees should be trained on how to identify and avoid phishing attacks, and how to protect their devices and data.
*   **Monitor their systems for suspicious activity.** Organizations should have systems in place to monitor their systems for suspicious activity, such as unusual login attempts or data exfiltration.

1.  IBM Notifies Janssen CarePath Customers of Data Breach
2.  Human Error: Casio ClassPad Data Breach Impacting 148 Countries
3.  Sony Data Breach via MOVEit Vulnerability Affects Thousands in US
4.  Fake Bitwarden Password Manager Website Drops Windows ZenRAT
5.  Kroll SIM-Swapping Attack Causes Data Breach at 3 Top Crypto Firms
6.  Passwords by Kaspersky Password Manager exposed to brute-force attack

Okta Breach Linked to Employee’s Google Account, Affects 134 Customers

By Deeba Ahmed
The new feature will add an Independent Security Review badge at the top of the Google Play search results page when users search for VPN apps. 
This is a post from HackRead.com Read the original post: Google Launches Verification Badges for Security Tested VPN Apps

The new feature is the latest in line with increasing security and precautionary measures by Google to keep malicious Android apps away from its Play Store.

Google Play has introduced a new feature to inform users looking for reliable VPN (virtual private network) apps if the apps have undergone an independent security review. The new feature will add an Independent Security Review badge at the top of the Google Play search results page when users search for VPN apps. 

This badge will ensure the app has been scanned through an independent security review. That’s not all! The banner will provide additional information under the Learn More option, which will redirect them to the App Validation Directory, providing technical assessment details so that users can make informed decisions when downloading VPNs.

Screenshot: Google

The certification can be checked in the app’s Data Safety section on Google Play Store. Its presence means the application has been tested against pre-determined security criteria, which Google has developed with several cybersecurity partners.

The badge will inform users that the app has been verified and validated by an independent third party and meets the minimum best practices standards of the industry’s mobile security and privacy guidelines. It will also indicate that the app’s developers will identify/mitigate vulnerabilities promptly.

For your information, in 2022, the App Defense Alliance (ADA) launched the Mobile App Security Assessment (MASA) to let developers evaluate their apps independently against a strict global security standard.

This serves as an assurance for users that app developers are following best practices for privacy and security. Successful validation will allow the developers to display the badge in their app’s Data Safety section. This addition will make it more challenging for cybercriminals to access users’ devices through compromised apps and improve the app’s quality.

Although adhering to “baseline security standards” won’t guarantee that the app will be vulnerability-free, the badge will serve as a “visual cue” for users that it has been scanned and validated.

The new feature has been rolled out for VPN apps and selected app categories as the company wants to secure sensitive apps initially. VPNs hold a substantial volume of data as they are primarily used for searching and accessing websites. In a blog post, Nataliya Stanetsky, Android Security and Privacy Team wrote that:

> _“VPN providers such as NordVPN, Google One, ExpressVPN, and others have already undergone independent security testing and publicly declared the badge showing their good standing with the MASA program. We encourage and anticipate additional VPN app developers to undergo independent security testing, bringing even more transparency to users.”_
> 
> Google

This is a proactive move to enhance app security and protect user data, underscoring the company’s commitment to improving cybersecurity in the digital space. Users are generally unaware of the risks associated with VPN apps. Many of these apps can be designed to collect sensitive device or user data and may even inject malware onto their devices. 

1.  Google Makes Passkeys Default for All Users
2.  Google offers Dark Web monitoring for US Gmail users
3.  Google Buys Cyber Security Firm Mandiant for $5.4 Billion
4.  Google Chrome to Mask User IP Addresses to Protect Privacy
5.  Google Introduces Bug Bounty Program for Open-Source Software
6.  Google Removes Swing VPN Android App Exposed as DDoS Botnet
7.  Google’s Latest Android Feature Drop: Dark Web Search for Gmail ID
8.  Essential Insights on Google Cloud Backup and Disaster Recovery Service

Google Launches Verification Badges for Security Tested VPN Apps

By Waqas
After a surge of malware on the Google Play Store, is Microsoft also failing to properly vet apps for malware?
This is a post from HackRead.com Read the original post: Scammers Use Fake Ledger App on Microsoft Store to Steal $800,000 in Crypto

The fake Ledger Live app on the Microsoft Store deceived users into downloading malware, which stole their Bitcoin and Ethereum funds.

Hackread.com has been actively following the cryptocurrency space as it has lately been a prominent target of scams and cyberattacks. Hackers are eyeing the crypto industry to steal valuable assets and even NFTs.

For this purpose, crooks devise clever tactics to lure unsuspecting users into giving away their funds and tokens. One such scam was recently reported by a pseudonymous on-chain detective and crypto sleuth, ZachXBT. 

According to ZachXBT, a fake Ledger app was circulating on the Microsoft App Store. This fraudulent app masqueraded as the official Ledger Live app and tricked users into unwittingly downloading and installing malware stealing victims’ crypto funds and data.

Fake Ledger app on Microsoft Store (Screenshot: ZachXBT)

ZachXBT’s analysis stressed the sophisticated nature of this scam, emphasizing the critical need for end-users to stay alert in protecting their cryptocurrency wallets. As of November 4th, scammers successfully collected roughly $588,000 in Bitcoin by hijacking users’ crypto wallets.

In a tweet, ZachXBT cautioned crypto users and investors with the following warning: “Community Alert: There is currently a fake @Ledger Live app on the official @Microsoft App Store which was resulted in 16.8+ BTC ($588K) stolen.”

However, on November 5th, ZachXBT received updated information from a victim, indicating a loss of $180,000 worth of ETH due to the fake Ledger app. This significantly increased the total lost payments to over $768,000.

Stolen funds (Screenshot: Hackread.com)

It is worth noting that in November 2023, a fake Ledger Live app was uploaded to the official Microsoft App Store that looked exactly like the original Ledger Live app. For your information, it is a popular software wallet designed to help users manage their crypto assets.

However, those who downloaded the fake version of this app ended up installing malware capable of stealing cryptocurrency by intercepting users’ recovery phrases. The attackers specifically targeted users who store their cryptocurrency in the Ledger hardware wallets to profit by stealing their assets.

The attackers designed the fake app quite cunningly, replicating the look and features of the authentic app, including identical logos and branding materials. They went as far as creating a fraudulent Ledger device pin verification process. This tricky similarity between the original and fake apps makes it challenging for users to differentiate between them.

Nevertheless, Microsoft promptly detected and removed the fake Ledge Live app from their store. The company is investigating how the fake Ledger app bypassed its app review process, however, the damage to users is already done.

Remember that apps like Ledger, Trezor, or another hardware wallet will never ask users to enter their recovery phrases into their computers or phones. You should always enter the phrase in the hardware wallet to recover it.

1.  Teen Hacks Ledger Hardware Cryptocurrency Wallet
2.  New DoubleFinger Malware Strikes Cryptocurrency Wallets
3.  All Ledger hardware wallets vulnerable to man in middle attack
4.  Ledger data breach: Hacker leaks stolen database on hacker forum
5.  Crypto wallet Ledger data breach; hackers steal 1m emails, other data