By Deeba Ahmed
MoustachedBouncer is a Belarusian government-backed hacking group that has been active since 2014.
This is a post from HackRead.com Read the original post: MoustachedBouncer Hackers Caught Spying on Embassies

*   **Belarusian MoustachedBouncer hacking group exposed for state-sponsored espionage on foreign embassies.**

*   **ESET Research reveals a years-long campaign targeting diplomats in South Asia, Africa, and Europe.**

*   **Hackers employ diverse techniques, including C++ backdoors and ISP-level attacks.**

*   **MoustachedBouncer tampered with victims’ internet access, tricking Windows with fake captive portals.**

*   **Researchers recommend encrypted VPNs for enhanced security against this sophisticated spying.**

According to ESET Research’s cybersecurity researchers, the Belarusian government had been spying upon foreign diplomats in the country for years through the MoustachedBouncer hacking group.

The research has confirmed that at least one embassy from South Asia, one from Africa, and two from Europe have been the targets of a state-sponsored espionage campaign, active since 2014.

The hackers utilized a wide range of attack techniques, including C++ modular backdoors, adversary-in-the-middle attacks, and email-based C&C protocols and performed attacks at the ISP level from within the country for spying.

“To compromise their targets, MoustachedBouncer operators tamper with their victims’ internet access, probably at the ISP level, to make Windows believe it’s behind a captive portal,” ESET’s report read.

For your information, adversary-in-the-middle attacks rely on ‘lawful interception’ espionage infrastructure e.g. SORM. In Russia and many other countries, it is deployed by security services on ISP premises.

****Campaign Active Since 2014****

The espionage activity started in 2014, which is surprising considering that this is the first time it has been disclosed. Since 2014, the group has used numerous malware families to achieve network intervention.

Initially, MoustachedBouncer used email protocols (SMTP and MAP) based malware frameworks and later switched to droppers that could steal files, take screenshots, and record conversations.

****Hackers Backed by the State** **

Researchers suspect that MoustachedBouncer had full backing from the Belarusian government and probably ties with other hacking groups. This view is strengthened by the fact that MoustachedBouncer has a close affiliation with another highly active hacking group, Winter Vivern.

The Winter Vivern group was discovered in 2021 and is known for targeting European diplomats. Their attack techniques resonate with two different threat actors called StrongPity and Turla. Both trojanized software installers at the ISP level.

****Attack Tactic Analysis****

Per ESET’s report, authored by malware researcher Matthieu Faou, the hackers fiddled with their target’s traffic to display genuine-looking but fake Windows Update URLs. This page promised them critical system security updates they needed to install urgently.

Fake Windows update website and fake Windows update on the Microsoft Edge browser are both part of the MoustachedBouncer attack. (Screenshot: ESET)

Per ESET telemetry this page delivered a fake update file containing the malicious executable, and two local ISP networks contributed to this campaign, including Beltelecom and Unitary Enterprise A1.

“We strongly recommend that foreign organizations in Belarus use an end-to-end encrypted VPN tunnel, ideally out-of-band (i.e., not from the endpoint), providing internet connectivity from a trusted network,” Faou wrote.

There is evidence that since June 2017, diplomats from four countries were targeted by MoustachedBouncer, two from Europe, one from Northeast Africa and one from South Asia. One of the two European diplomats was targeted twice between Nov 2020 and July 2022.

Timeline of MoustachedBouncer’s malicious activities (Screenshot: ESET)

****About MoustachedBouncer****

This previously undocumented cyberespionage group only targets foreign embassies in Belarus and has most likely been performing ISP-level adversary-in-the-middle attacks since 2020. This hacking group prefers using NightClub and Disco toolsets and used them in this campaign as well. 

Researchers have documented MoustachedBouncer as an independent group, but believe it works in collaboration with Winter Vivern. It was discovered in 2021. Proofpoint reported that the group used the Zimbra mail portal’s XSS vulnerability to steal the webmail credentials of diplomats from European countries.

**RELATED ARTICLES**

1.  Fake Tor Browser Installers Distributing Clipper Malware
2.  Big Head Ransomware Found in Fake Windows Updates
3.  SmugX: Chinese Hackers Targeting Embassies in Europe
4.  Hackers targeting embassies with trojanized TeamViewer
5.  Cyber-Partisans hit Belarus railroad system with ransomware

MoustachedBouncer Hackers Caught Spying on Embassies

By Habiba Rashid
The new attack has been dubbed Phishing 3.0.
This is a post from HackRead.com Read the original post: Phishing 3.0: Crooks Leverage AWS in Deceptive Email Campaigns

*   Cybercriminals are adopting advanced phishing tactics, using legitimate services like Amazon Web Services (AWS) to launch convincing attacks that bypass traditional security measures.

*   The Check Point report highlights the emergence of Business Email Compromise 3.0 (BEC 3.0), where attackers host phishing sites on AWS S3 Buckets to send seemingly genuine emails with phishing links.

*   Hackers manipulate users with social engineering and credential harvesting, often posing as password reset requests, leading victims to click on AWS S3 Bucket URLs that redirect to fake login pages.

*   Phishing attempts rely on exploiting human behaviour and urgency associated with password resets, making it crucial for users to scrutinize email URLs and remain cautious.

*   To counter this threat, cybersecurity experts recommend implementing multi-indicator phishing detection systems, and comprehensive security measures including document scanning, and URL protection mechanisms.

Cybercriminals are now leveraging legitimate services to launch highly convincing phishing attacks that evade traditional security measures. A recent report from cybersecurity firm Check Point’s subsidiary Avanan has revealed that hackers are now utilizing Amazon Web Services (AWS) as a platform for sending out phishing links, adding a new layer of sophistication to their deceptive campaigns.

Phishing attacks have long been a menace in the digital landscape, but the latest trend involves hackers exploiting reputable services to slip through the cracks of cybersecurity defences. This tactic has been previously witnessed with services such as Google, QuickBooks, and PayPal, where attackers create accounts and send out seemingly genuine emails directly from these platforms, making them difficult to identify and block.

The Check Point Harmony Email researchers shed light on how hackers are now using AWS to facilitate their phishing endeavours. In this novel attack variant, cybercriminals are hosting phishing sites on AWS S3 Buckets, which are legitimate storage containers within AWS. This approach allows the attackers to send emails containing phishing links that appear convincingly genuine, as they originate from AWS S3 Buckets.

The attack method, known as Business Email Compromise 3.0 (BEC 3.0), relies heavily on social engineering and credential harvesting techniques to manipulate users into divulging their sensitive information.

The phishing email typically mimics a password reset request, a familiar scenario that prompts users to take action. While some users might be cautious and recognize the email as suspicious due to sender address discrepancies, the attackers cunningly employ AWS S3 Bucket URLs to redirect victims to seemingly legitimate login pages.

Upon clicking the link, victims are led to a webpage that bears the hallmarks of a Microsoft login page, complete with pre-populated email addresses and password fields. While this technique requires a slightly more advanced skill set from the attackers, it remains accessible enough for the average cybercriminal to execute.

The phishing email and phishing login page aim at the login credentials of Microsoft users. (Screenshot: Avanan)

The ultimate goal is to obtain victims’ login credentials, granting the attackers unauthorized access to sensitive accounts and potentially confidential information. According to a blog post published by Jeremy Fuchs of Avanan, users can protect themselves against these increasingly sophisticated attacks by paying close attention to the URLs presented in the emails.

However, the attackers’ well-crafted scenarios and the common urgency associated with password resets can often lead users to disregard this caution. This reliance on human behaviour is precisely what the hackers are banking on, as it offers them a higher chance of success.

In response to this emerging threat, Check Point researchers promptly alerted Amazon about the campaign on July 25th. To mitigate the risks associated with such attacks, cybersecurity professionals are advised to adopt multi-indicator phishing detection systems, implement comprehensive security measures that extend to document scanning and incorporate URL protection mechanisms.

**RELATED ARTICLES**

1.  Google Drive accounted for 50% of malicious Office Docs downloads
2.  LinkedIn Phishing Scam Steals Gmail Credentials Through Google Docs
3.  Google Docs Phishing Scam Cost Minnesota State Thousands of Dollars
4.  Royal Ransomware: New Threat Uses Google Ads and Cracked Software
5.  Research sector targeted in new spear phishing attack using Google Drive

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Phishing 3.0: Crooks Leverage AWS in Deceptive Email Campaigns

By Waqas
The new study has identified a cybersecurity training gap and an alarming lack of preparedness in countering emerging threats.
This is a post from HackRead.com Read the original post: Email Hacking Reigns as Top Cybersecurity Threat, Indusface Study

*   **Sector Vulnerabilities:** Indusface’s research reveals that the Education sector is the most susceptible to cyber attacks, with a staggering 78% of businesses in this domain having experienced such threats.

*   **Email Hacking Dominates:** Email hacking emerged as the most common form of cyber attack, affecting 64% of respondents across various industries, necessitating enhanced training and defences against phishing and related tactics.

*   **Financial Services Resilience:** In contrast, the Financial Services sector demonstrated stronger cyber resilience, with only 26% reporting cyber attacks, potentially due to robust cybersecurity investment and training.

*   **Training Deficits:** The study highlights a concerning lack of employee training in cyber security across various sectors, with 83% of Education sector businesses neglecting this crucial aspect.

*   **Expert Insights:** Venky Sundar, Indusface’s Founder and President, underscores the diverse methods cyber attackers employ and emphasizes the importance of proactive employee training, security assessments, and Web Application and API Protection (WAAP) solutions.

A study conducted by Indusface in July 2023 and recently shared with Hackread.com delved deep into the state of cybersecurity, unearthing insights into the sectors most targeted by cyber attacks and shedding light on the prevailing types of cyber assaults faced by enterprises. Here’s what the company found:

**The Perilous Terrain: A Sector-Wise Analysis**

Indusface embarked on an extensive investigation, surveying 2,200 respondents across 16 diverse industries, to unveil the contours of cyber attacks on businesses. The results showcased an alarming reality – nearly half (49%) of UK businesses had fallen victim to a cyber attack. Such statistics underscored the pressing need for robust cybersecurity strategies in the corporate world.

**Education: The Bullseye of Cyber Attacks**

Within this backdrop, the Education sector emerged as the most besieged by cyber threats, with a staggering 78% of businesses revealing that they had experienced an attack. This revelation demands attention, particularly when coupled with the fact that a significant 83% of organizations within the Education sector were found to lack proactive employee training in cybersecurity – a vulnerability that cybercriminals can exploit.

**Arts, Entertainment, and Recreation: Second in Line**

Coming in second place, the Arts, Entertainment, and Recreation sector encountered cyber attacks at a rate of 68%. Disturbingly, over 30% of businesses in this sector were not actively training their personnel in cybersecurity protocols. This lack of preparation exposes these businesses to a range of attacks, including the ever-pervasive threat of email hacking.

**The Email Hacking Conundrum**

Indeed, email hacking stood tall as the most prevalent form of cyber attack, affecting a significant 64% of respondents from various business domains. This emphasizes the necessity for bolstered training in email security, encompassing a comprehensive approach to thwart phishing attempts, account takeovers, and credential stuffing.

**Navigating the Dangers: Financial Services Bypassed**

Contrasting the widespread cyber attacks on various sectors, the Financial Services industry exhibited resilience, reporting a lower incidence rate of 26%. This positive outcome was possibly influenced by the sector’s commitment to cybersecurity investment and training. It is evident that proactive measures play a pivotal role in safeguarding businesses from cyber threats.

**Expert Insights: Securing the Future**

Venky Sundar, Founder and President of Indusface, elucidated the significance of cybersecurity investment across all sectors. He highlighted that while email hacking remains a prevalent threat, the methods used are diverse, ranging from phishing to sophisticated attacks like SQL injection vulnerabilities.

Sundar emphasized the importance of training employees against phishing attacks, coupled with the implementation of robust security assessments and Web Application and API Protection (WAAP) solutions.

**A Call to Action**

As cyber threats continue to evolve in sophistication and impact, businesses must heed the findings of this research. Implementing comprehensive cybersecurity strategies, investing in training programs, and staying updated with the latest security solutions are imperatives that transcend industry boundaries.

In conclusion, the Indusface study serves as a clarion call to businesses to fortify their cyber defences. The relentless march of technology necessitates a united front against cybercriminals. With the insights gained from this research, businesses can navigate the complex landscape of cyber threats with resilience and vigilance.

**RELATED ARTICLES**

1.  AI Flagged as “Chronic Risk” in UK Gov Risk Register 2023
2.  SSH Remains Most Targeted Service in Cado’s Threat Report
3.  Russian Dark Net Markets Dominate the Global Illicit Drug Trade
4.  Submarine Cables Face Escalating Cybersecurity Threats, Report
5.  US, India, China Most Targeted in DDoS Attacks, StormWall Report

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Email Hacking Reigns as Top Cybersecurity Threat, Indusface Study

By Habiba Rashid
The EvilProxy phishing kit is a malicious tool that has emerged as a key player, as it exploits MFA's limitations. So far, it has targeted over 100 firms.
This is a post from HackRead.com Read the original post: EvilProxy Phishing Kit Hits 100+ Firms, Bypasses MFA via Reverse Proxy

*   Proofpoint’s report highlights a rise in account takeovers, contradicting expectations of MFA’s effectiveness.
*   Malicious EvilProxy phishing kit emerges as a key player, exploiting MFA’s limitations.
*   EvilProxy employs a complex infection chain, utilizing legitimate redirectors and reverse proxy architecture.
*   High-level executives are targeted due to their access to sensitive data; 39% of compromised users held C-level positions.
*   Organizations urged to enhance email, cloud, and web security, and consider better authentication methods like FIDO-based keys.

Cybersecurity firm Proofpoint’s recent report has revealed a surge in account takeovers, defying the expectation that multi-factor authentication (MFA) would curb such incidents. The firm’s research showed that at least 35% of compromised users over the past year were equipped with MFA protection. It seems threat actors have found a way to exploit this defence.

The key protagonist in this narrative is the malicious phishing kit dubbed EvilProxy. As MFA gained traction, attackers responded with sophisticated methods to bypass this layer of security. EvilProxy, a reverse proxy-based phishing kit, has taken center stage in these endeavours, demonstrating its prowess by targeting thousands of users, including a significant number of C-suite executives.

Reverse Proxy (Proofpoint)

The method of attack involves a complex multi-step infection chain. Phishing emails, often impersonating trusted services like DocuSign and Adobe, contain malicious links that redirect users through a labyrinth of legitimate redirectors, including YouTube, malicious cookies, and 404 redirects. At the core of this campaign lies EvilProxy’s reverse proxy architecture. The kit intercepts MFA requests, obtains valid session cookies, and leverages them for authentication in the actual domain.

What is striking about this campaign is the attackers’ discrimination in targeting. They prioritized high-level executives due to their potential access to sensitive data and financial assets. Proofpoint’s study indicated that out of numerous compromised users, approximately 39% held C-level executive positions, including 17% who were chief financial officers and 9% who were presidents and CEOs.

Roles compromised in the attack (Proofpoint)

Once the attackers obtain access, their post-compromise activities include establishing persistence within the organization’s cloud environment. They leverage Microsoft 365 applications for MFA manipulation, further cementing their control. This persistent access opens avenues for lateral movement and potential malware deployment.

Proofpoint’s findings have shone a spotlight on the relentless evolution of cyber threats, highlighting that even the most secure of defences can be outmanoeuvred. The rise of EvilProxy as a tool of choice for such attacks has exposed critical vulnerabilities in organizational defence strategies. With a 100% increase in cloud account takeover incidents targeting high-level executives in the past six months, the battle between attackers and defenders continues to escalate.

Organizations are urged to strengthen their defences against these advanced hybrid threats by focusing on email security, cloud security, web security, and user awareness, and considering adopting better authentication methods, such as FIDO-based physical security keys. 

**RELATED ARTICLES**

1.  Warning as hackers breach MFA to target cloud services
2.  Global CDN Service ‘jsdelivr’ Exposed Users to Phishing Attacks
3.  FortiGuard Labs Discovers .ZIP Domains Fueling Phishing Attacks
4.  New Phishing Attack Spoofs Microsoft 365 Authentication System
5.  “Picture in Picture” Tactic Exploited in New Deceptive Phishing Attack

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

EvilProxy Phishing Kit Hits 100+ Firms, Bypasses MFA via Reverse Proxy

By Habiba Rashid
Operating from Europe, Lolek Hosted offered services that shielded clients' identities and turned a blind eye to the content they posted.
This is a post from HackRead.com Read the original post: Feds Seize Bulletproof Hosting Service ”Lolek Hosted”

1.  **Lolek Hosted, a prominent bulletproof hosting provider, has been dismantled in a coordinated operation by US and Polish authorities.**
2.  **The joint effort aimed to curb cybercriminals’ access to crucial tools for malicious activities by targeting the hosting platform.**
3.  **The takedown was marked by a banner on the seized website displaying logos of the FBI and IRS-CI, confirming the seizure.**
4.  **Both US and Polish authorities, along with law enforcement agencies, played vital roles in the operation, though details remain undisclosed.**
5.  **This action aligns with a broader trend of international law enforcement agencies intensifying efforts to dismantle cybercriminal networks and their supportive platforms.**

In a significant blow to cybercriminals’ anonymous infrastructure, authorities from the United States and Poland successfully dismantled the notorious bulletproof hosting provider, Lolek Hosted, this week. The joint effort aims to curtail cybercriminals’ unfettered access to critical tools for carrying out malicious activities.

As of the early hours of Tuesday, visitors to the Lolek Hosted website were met with a banner prominently displaying the logos of the Federal Bureau of Investigation (FBI) and the Internal Revenue Service – Criminal Investigation (IRS-CI). The banner stated:

> “This domain has been seized by the Federal Bureau of Investigation and Internal Revenue Service – Criminal Investigation as part of a coordinated law enforcement action taken against Lolek Hosted.”

The operation also saw the active involvement of the U.S. Attorney’s Office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.

Domain seizure notice uploaded by authorities (Screenshot: Hackread.com)

Additionally, Polish authorities played a crucial role, with significant support provided by the Regional Prosecutor’s Office in Katowice and the Central Bureau for Combating Cybercrime in Krakow.

An official spokesperson from the IRS confirmed the legitimacy of the seizure notice, affirming its role in the takedown. However, both the FBI and Polish authorities refused to provide any details regarding the seizure.

Lolek Hosted, a widely used bulletproof hosting provider, has been operating since 2009 and has established itself as a key player in the realm of anonymous hosting platforms.

Operating from a European data center, the company offered services that shielded clients’ identities and turned a blind eye to the content they posted. This approach made bulletproof hosting services a haven for criminals seeking to disseminate malware, orchestrate botnet attacks, and execute various forms of cybercrime and fraud.

Archive view of the now seized Lolek Hosted domain (Screenshot: Hackread.com)

In recent years, authorities have escalated their efforts to dismantle bulletproof hosting services and other platforms aiding cybercrime by bringing the individuals responsible to justice. Notable cases include the seizure of DoubeVPN, the takedown of the infamous Safe-Inet VPN service, and the INTERPOL’s collaborative effort to dismantle the ’16shop’ phishing platform, resulting in arrests.

The joint operation involving INTERPOL, Indonesian, Japanese, and US authorities, as well as private sector partners, dismantled the ’16shop’ phishing-as-a-service platform. The platform offered phishing kits to hackers, enabling email scams to steal sensitive information from victims. 

Nevertheless, these joint efforts serve as a clear indicator that law enforcement agencies worldwide are intensifying their efforts to dismantle the foundations of cybercriminal networks, leaving no safe haven for those seeking to exploit the digital realm for illicit gains.

1.  13 Domains Linked to DDoS-For-Hire Services Seized
2.  NetWire Malware Site and Server Seized, Admin Arrested
3.  Researcher Exposes Crypto Scam Network of 300 Domains
4.  7 Domains Used in Pig Butchering Cryptocurrency Scam Seized
5.  Seized: 9 Crypto Laundering Sites Used by Ransomware Gangs

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Feds Seize Bulletproof Hosting Service ”Lolek Hosted”

Welcome to WordPress. This is your first post. Edit or delete it, then start writing!

Welcome to WordPress. This is your first post. Edit or delete it, then start writing!

Posted

August 10, 2023

in

Uncategorized

by

admin

Tags:

**Comments****One response to “Hello world!”**

1.  A WordPress Commenter
    
    August 9, 2023
    
    Hi, this is a comment.  
    To get started with moderating, editing, and deleting comments, please visit the Comments screen in the dashboard.  
    Commenter avatars come from Gravatar.
    
    Reply
    

**Leave a Reply**

Your email address will not be published. Required fields are marked \*

Comment \*

Name \*

Email \*

Website

Save my name, email, and website in this browser for the next time I comment.

Hello world!

By Waqas
The cybercrime platform 16shop sold hacking tools and other malicious tools used to compromise more than 70,000 users in 43 countries.
This is a post from HackRead.com Read the original post: INTERPOL Dismantles Infamous ’16shop’ Phishing-as-a-Service Platform

*   **INTERPOL Dismantles ’16shop’:** Global effort leads to arrests in Indonesia and Japan, targeting notorious phishing platform.
*   **Successful Intelligence Sharing:** Cooperation between INTERPOL, law enforcement, and private partners demonstrates effective global cybercrime fighting.
*   **Wide-reaching Phishing Impact:** ’16shop’ exploited victims worldwide with phishing kits, showcasing the pervasive threat of such attacks.
*   **Phishing Dominance:** Phishing responsible for up to 90% of data breaches, necessitating urgent countermeasures.
*   **Collective Defense:** Collaboration among law enforcement and industry remains crucial in battling evolving cyber threats.

In a remarkable feat of international collaboration, INTERPOL has successfully dismantled the nefarious ’16shop’ phishing-as-a-service (PaaS) platform, culminating in the arrest of its operator and two facilitators.

The joint effort between law enforcement agencies and private sector partners demonstrates the power of shared intelligence in combating cybercrime on a global scale. This comes days after INTERPOL managed to shut down a decade-old child abuse network during **Operation Narsil**.

**Targeting the Heart of Phishing Operations**

The ’16shop’ platform offered so-called ‘phishing kits’ to hackers eager to exploit unsuspecting Internet users through email scams. Victims were tricked into sharing sensitive information, including credit card details, by clicking on malicious pdf files or links. These ill-gotten gains were then used to defraud victims of their hard-earned money.

Phishing attacks remain the most prevalent cyber threat worldwide, responsible for up to 90 percent of data breaches. The success of such attacks highlights the urgency of tackling this pervasive issue.

C2 server of 16shop and an Amazon phishing page available on the site

**International Partnerships at Work**

According to INTERPOL’s press release, the successful takedown of ’16shop’ was the result of a comprehensive operation involving INTERPOL, Indonesian authorities, and counterparts in Japan and the United States. Private sector entities such as Cyber Defense Institute, Group-IB, Palo Alto Networks Unit 42, Trend Micro, and Cybertoolbelt also played instrumental roles.

**“Borderless Cyber Impact”**

Bernardo Pillot, Assistant Director of Cybercrime Operations at INTERPOL, emphasized the tangible impact of cyberattacks on victims. He stated, “Cyberattacks such as phishing may be borderless and virtual in nature, but their impact on victims is real and devastating.”

**Unravelling the Web of Cybercrime**

The investigation began with the identification of ’16shop’ by INTERPOL’s cybercrime analysts during a project focusing on cyber threats in the ASEAN region. Collaboration with private sector partners allowed the team to pinpoint the platform’s administrator based in Indonesia.

Leveraging connections with the United States, INTERPOL coordinated with US law enforcement agencies to provide crucial information to Indonesian investigators. This joint effort led to the arrest of the platform’s 21-year-old administrator and the confiscation of electronic devices and luxury vehicles.

**Unmasking Facilitators and Future Prevention**

The successful capture of the administrator in Indonesia catalyzed further cooperation between Japanese and Indonesian authorities, leading to the arrest of two facilitators. This meticulous unravelling of the criminal network highlights the collective determination to curtail cybercrime.

Brigadier General Adi Vivid Agustiadi Bachtiar, Director of the Indonesian National Police’s Cyber Crime Investigation, underscored the significance of the operation. “This operation is only successful as we work closely with various stakeholders… to stop the crime-ware being offered as a service and also stopping more people from falling victim to phishing attacks,” he stated.

**Coherent Intelligence for a Safer Cyberspace**

INTERPOL’s cybercrime directorate serves as a critical hub for experts from law enforcement and industry to analyze and disseminate actionable intelligence on cyber threats. This united approach underscores the need for ongoing collaboration to combat the ever-evolving landscape of cybercrime.

**RELATED ARTICLES**

1.  SSNDOB Cybercrime Marketplace Seized in Intl. Operation
2.  Researcher Exposes Crypto Scam Network of 300 Domains
3.  Ukraine Busts Gang for Massive $4.3 Million Phishing Scams
4.  Microsoft seizes 99 sites used by Iranians for phishing attacks
5.  Domain, server of DoubleVPN used by ransomware gangs seized

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

INTERPOL Dismantles Infamous ’16shop’ Phishing-as-a-Service Platform

By Habiba Rashid
New Intel Processor Vulnerability "Downfall" Discovered: Threats to Data Security Amplify
This is a post from HackRead.com Read the original post: Intel Responds to ‘Downfall’ Attack with Firmware Updates, Urges Mitigation

*   **‘Downfall’ Attack Unveiled:** Google researchers reveal a new side-channel attack called “Downfall” targeting Intel processors, exposing a memory optimization vulnerability (CVE-2022-40982).
*   **Cloud Impact:** The attack extends into cloud environments, enabling attackers to extract data from shared cloud computers, intensifying data breach risks.
*   **Memory Optimization Flaw:** The vulnerability originates from Intel processors’ memory optimization features, inadvertently revealing internal hardware registers to software.
*   **Attack Techniques:** The attack employs Gather Data Sampling (GDS) and Gather Value Injection (GVI) to steal CPU data and manipulate microarchitectural data injections.
*   **Mitigations and Implications:** Intel responds with firmware updates to address the vulnerability, but performance overhead concerns remain. ‘Downfall’ underlines the vulnerability of modern microprocessors, resonating with industry-wide concerns.

Google researchers have uncovered a new side-channel attack known as “Downfall” targeting Intel processors. This attack, discovered by Google senior research scientist Daniel Moghimi, exposes a vulnerability tracked as CVE-2022-40982, exploiting a memory optimization feature in Intel processors.

Downfall joins the league of attacks that can be exploited by local attackers or malware to access sensitive information, including passwords and encryption keys, of affected device users.

Moghimi’s findings unveil a disconcerting aspect of Intel processors, revealing that transient execution attacks like Downfall extend their reach even into cloud environments. This enables malicious actors to pilfer data from other users sharing the same cloud computer, significantly raising the stakes of data breaches.

The underlying flaw stems from memory optimization features inherent in Intel processors, inadvertently disclosing internal hardware registers to software. This exposure facilitates unauthorized software access to data that should remain shielded from such access.

The pivotal culprit in this scenario is the “Gather” instruction, intended to expedite the retrieval of scattered memory data. However, Moghimi ingeniously demonstrated how this instruction leaks the contents of the internal vector register file during speculative execution, thereby opening up avenues for cybercriminals.

Two specific attack techniques were developed as part of the Downfall (research paper PDF) exploit – Gather Data Sampling (GDS) and Gather Value Injection (GVI). The former method facilitates the theft of data from CPU components, while the latter manipulates the data leaks for microarchitectural data injections. The practicality of GDS is underscored by Moghimi’s creation of a proof-of-concept (PoC) exploit, capable of pilfering encryption keys from OpenSSL.

This clip shows how attacks can steal 128-bit and 256-bit AES keys from another user:

Notably, the Downfall attack doesn’t discriminate between endpoint devices and cloud infrastructure. While cloud environments provide a broader landscape for potential attacks, Moghimi emphasized the significant threat Downfall poses to personal computers. Theoretically, the exploit could even be executed via a web browser, although this possibility necessitates further research and validation.

To counteract the impending threats posed by Downfall, Intel has swiftly responded by publishing a security advisory and releasing firmware updates. These mitigations come as microcode updates designed to address CVE-2022-40982, which Intel has classified as having “medium severity.”

The updates intend to thwart the data leakage intrinsic to the Gather instruction, although they come with a trade-off of potential performance overhead, which could be as high as 50% in some workloads. Despite this drawback, experts unanimously advocate for the implementation of these fixes to safeguard against potential breaches.

Intel’s recent woes are not exclusive, as the Downfall attack highlights the vulnerability of modern microprocessors. Notably, Google researchers also unveiled “Zenbleed,” a vulnerability afflicting AMD Zen 2 processors, reiterating the broader implications of such vulnerabilities across the industry.

The disclosure of Downfall coincides with the revelation of another processor vulnerability named “Inception” by researchers at ETH Zurich. Inception targets devices powered by AMD Zen processors, allowing attackers to manipulate the CPU’s predictive algorithms to access sensitive data.

**RELATED ARTICLES**

1.  Hackers Targeting Apple’s M1 Chip with Mac Malware
2.  Intel chip flaw left cars, medical and IoT devices vulnerable
3.  Intel chip flaw “Foreshadow” attacks SGX tech to extract data
4.  Chip Flaws Impacting Microsoft, Lenovo, and Samsung Devices
5.  All Nintendo Switch Consoles Contain Unpatchable Chip-Level Flaw

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Intel Responds to ‘Downfall’ Attack with Firmware Updates, Urges Mitigation

By Habiba Rashid
The Police Service of Northern Ireland (PSNI) experienced a severe security breach, unintentionally revealing personal details of its entire workforce, including officers and civilian staff.
This is a post from HackRead.com Read the original post: Irish Police Data Breach Rattles Northern Ireland’s Security Landscape

*   **PSNI Data Breach:** The Police Service of Northern Ireland inadvertently exposed personal details of its workforce, raising security concerns in a historically sensitive region.
*   **Accidental FOI Leak:** Responding to a FOI request, the PSNI published sensitive information online, potentially endangering over 10,000 personnel.
*   **Safety at Risk:** The breach, potentially the UK’s worst, puts officers at risk, as roles of intelligence and security are exposed.
*   **Tense Climate:** Amid ongoing security threats, like the New IRA, the breach ignites fears for officers’ safety in an already delicate environment.
*   **Calls for Investigation:** The breach prompts demands for investigation, improved data protection, and measures to ensure officer safety.

In a grave breach of security, the Police Service of Northern Ireland (PSNI) accidentally exposed the personal details of its entire workforce, comprising both officers and civilian staff.

The data leak occurred in response to a Freedom of Information (FOI) request and was subsequently published online, leaving more than 10,000 individuals vulnerable to potential physical threats.

The breach, which experts have described as potentially the worst data breach in UK history, has raised serious concerns about the safety of police officers and staff in a region with a history of violence.

The exposed information included names, initials, ranks, work locations, and departments of all PSNI personnel. While private addresses were not compromised, sensitive roles such as members of the organized crime unit, intelligence officers stationed at ports and airports, and officers at MI5’s headquarters were revealed.

However, this should not come as a surprise, as the United Kingdom has been facing data security issues for a while. Just yesterday, the UK Electoral Commission **released information** about a year-long data breach, in which an unknown attacker stole the personal data of millions of Brits.

This incident comes at a time when the security situation in Northern Ireland remains tense. Dissident Republican groups, such as the **New IRA**, continue to pose a threat to officers’ safety. Over 300 police officers lost their lives during the Troubles, and recent attacks on police personnel have heightened concerns about their security.

The accidental data leak has sparked outrage and fear within the PSNI and the wider community. A serving police constable, who spoke anonymously, emphasized the impact on officers and their families, stating, “This breach has highlighted the fear and concern that my family have about me doing this job.”

Northern Ireland’s Alliance Party leader, Naomi Long, called for a thorough investigation into the breach, questioning why such sensitive data was available in unencrypted form and how a junior staff member had access to it. The breach has prompted calls for greater protection for police officers, who often take measures to conceal their identities to safeguard their families.

Liam Kelly, chair of the Police Federation for Northern Ireland, expressed dismay and anger over the breach, stressing the importance of rebuilding trust between the PSNI and its officers. The breach has cast doubts on the PSNI’s security measures and its ability to safeguard its personnel.

Commenting on the breach, **Pieter Arntz**, a Malware Intelligence Researcher from Malwarebytes, told Hackead.com, “As we sometimes see in data breaches, there was no mal intent, but it was a case of human error. Human errors, however, are always enabled by some oversights in security measures or protocols that are designed to depend on everyone knowing exactly what to do and what not to do.”

“You could compare it to the way many services depend on passwords. We expect people to keep track of hundreds of passwords that need to be so complex that they are impossible to remember. But at the same time, we blame these people if they write it down on a Post-it or re-use the password for several sites,” said Pieter.

“Educating people has its boundaries, sometimes the underlying technology is just not right for the problem we are trying to solve,” Pieter added.

According to **Sky News,** the Information Commissioner’s Office has been informed of the incident and is assessing the situation. The PSNI has taken steps to rectify the breach and prevent similar errors from occurring in the future. Chief Constable Simon Byrne has interrupted his holiday to address the situation and provide reassurance to the police force.

As Northern Ireland grapples with the aftermath of this significant data breach, concerns persist about the potential consequences for officers’ safety and the region’s security landscape. The incident highlights the urgent need for enhanced data protection measures and renewed efforts to ensure the safety of those who risk their lives to maintain public order and security in a historically sensitive environment.

UK’s Ofcom confirms MOVEit related cyber attack

UK Police mistakenly deleted 150K arrest records in software glitch

Police lose evidence to Ryuk ransomware attack; suspects walk free

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Irish Police Data Breach Rattles Northern Ireland’s Security Landscape

By Waqas
FortiGuard Labs Reveals Insights into Recent Surge of Cyberattacks Utilizing Rust Programming Language.
This is a post from HackRead.com Read the original post: Rust-Based Injector Deploys XWorm and Remcos RAT in Multi-Stage Attack

*   **Rust Injector Emergence:** A novel Rust-based injector has emerged, facilitating the deployment of the XWorm malware and Remcos RAT.
*   **Multi-Stage Attack:** The attack follows a sophisticated multi-stage process involving phishing emails, redirection to malicious files, and the execution of PowerShell scripts.
*   **Innovative Tool Adoption:** Cybercriminals leverage the Red Team tool “Freeze.rs” and SYK Crypter to bypass security controls and deliver malicious payloads.
*   **Global Impact:** The C2 server traffic analysis reveals that the attack primarily targets Europe and North America, showcasing its global reach.
*   **Threat Evolution:** The findings underscore the evolving nature of cyber threats, highlighting the need for enhanced vigilance against advanced attack techniques.

In a recent cybersecurity revelation, FortiGuard Labs has detected a surge in cyberattacks utilizing a new injector written in Rust, one of the fastest-growing programming languages.

Rust, while uncommon in malware development, has been increasingly adopted by malicious actors since 2019. This discovery sheds light on the evolving tactics of cybercriminals and their ability to innovate with new tools and techniques.

**Rust Injector Emergence**

The newly discovered Rust injector has been identified as a platform to introduce the XWorm malware into victims’ systems. FortiGuard Labs’ analysis reveals an unprecedented spike in injector activity during May 2023, suggesting a significant shift in cybercriminal strategy. This Rust-based injector is designed to inject shellcode and deploy XWorm, a remote access Trojan (RAT) known for its comprehensive control and monitoring capabilities.

**Sophisticated Attack Chain**

The attack begins with a phishing email campaign that purports to be an urgent order supplement request sent to various companies. This clever social engineering technique is accompanied by a malicious PDF file that redirects victims to an HTML file, leveraging the “search-ms” protocol to access an LNK file on a remote server.

Once the LNK file is executed, a PowerShell script initiates the deployment of the Rust injector “Freeze.rs” and the SYK Crypter, a tool used to deliver various malware families. The ultimate goal is to load the XWorm RAT and establish communication with a command and control (C2) server.

The phishing email (FortiGuard Labs)

**Freeze.rs and SYK Crypter Nexus**

FortiGuard Labs’ detailed analysis traced the origin of the new injector to the Red Team tool “Freeze.rs.” This tool is designed to create payloads capable of bypassing Endpoint Detection and Response (EDR) security controls, highlighting the increasingly sophisticated methods employed by cybercriminals.

Furthermore, the involvement of SYK Crypter, a tool commonly used to deliver malware families via the Discord chat platform, further exemplifies the collaborative and evolving nature of cybercriminal operations.

**Multi-Stage Infection Process**

The attack’s multi-stage infection process involves a series of intricate manoeuvres to evade detection and establish control. The malicious code employs various encryption algorithms, such as AES, RC4, or LZMA, to obfuscate its intent and evade antivirus detection. This flexibility in encryption methods adds a layer of complexity to the malicious payload.

**XWorm and Remcos Collaboration**

Once successfully injected, the XWorm RAT, a commodity tool traded on underground forums, collaborates with Remcos RAT, a sophisticated remote access Trojan. Together, they create a formidable threat with capabilities ranging from gathering device information and capturing screenshots to logging keystrokes and gaining comprehensive control over compromised systems.

The attack chain (FortiGuard Labs)

**Global Implications**

FortiGuard Labs’ analysis of the C2 server’s traffic reveals Europe and North America as primary targets of this malicious campaign. The attackers’ utilization of sophisticated techniques, such as the “search-ms” feature and the Rust injector “Freeze.rs,” underscores the need for heightened vigilance in handling suspicious emails and files.

In conclusion, the cyber threat landscape continues to evolve, with cyber criminals adopting innovative tactics and tools to infiltrate and compromise systems. FortiGuard Labs’ recent findings shed light on the emergence of Rust-based injectors and their role in deploying sophisticated malware payloads like XWorm and Remcos.

**RELATED ARTICLES**

1.  P2PInfect: Self-Replicating Worm Hits Redis Instances
2.  Retired Software Exploited To Target Power Grids, Microsoft
3.  Phishers Exploiting Google Docs to Harvest Crypto Credentials
4.  Hackers Abusing MS Dynamics 365 Customer Voice to Steal Data
5.  Russian Midnight Blizzard Hackers Hit MS Teams in Precision Attack

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Source

HackRead