By Deeba Ahmed
Google, Cloudflare, and AWS Disclosed Digital History’s Largest Ever DDoS Attack- Courtesy HTTP/2 Zero-day.
This is a post from HackRead.com Read the original post: Google, Cloudflare, and AWS Disclose Largest DDoS Attack in History

The largest DDoS attack on the Internet has occurred, following the exploitation of a new zero-day vulnerability by hackers.

*   **Google, Cloudflare, and AWS have confirmed that unknown adversaries exploited a new zero-day vulnerability called HTTP/2 Rapid Reset to launch digital history’s largest-ever record DDoS attack.**

*   **The attack peaked at 398 million RPS, which is 7 times higher than the previous largest DDoS attack recorded by Google.**

*   **AWS and Cloudflare had previously recorded DDoS attacks peaking at 200 million RPS.**

*   **The zero-day flaw lets adversaries send specially designed HTTP/2 requests to a target server, triggering an extensive response, which is further amplified by sending it to vulnerable IoT devices or misconfigured servers.**

*   **This novel technique is based on stream multiplexing.**

*   **In this case, threat actors sent amplified traffic to diverse targets, including financial entities, gaming corporations, and government agencies, causing significant damage to several of them.**

Three of the world’s leading tech firms, Google, Amazon Web Services (AWS), and Cloudflare, have jointly disclosed a new 0-day flaw exploited by unknown threat actors to launch the largest Distributed Denial of Service attack (DDoS attack) recorded to date.

Dubbed HTTP/2 Rapid Reset, the vulnerability lets attacker send specially designed HTTP/2 requests to their target server and trigger a large-scale response. They can further amplify this response by sending the same request to as many vulnerable IoT devices and misconfigured servers as they want. The vulnerability is tracked as CVE-2023-44487 and has been assigned a CVSS score of 7.5 out of 10, rated High Severity.

The largest ever DDoS attack resulting from HTTP/2 Rapid Reset’s exploitation peaked at 398 million requests per second (RPS), seven times higher than the previous largest attack recorded by Google.

Cloudflare and AWS had previously recorded DDoS attacks peaking at slightly over 200 million RPS. Cloudflare claims to have mitigated over 1,100 other attacks, peaking at 10 million RPS until August 2023, and 184 of them were greater than the company’s previously reported DDoS record of 71 million RPS. These are still startling revelations compared to last year when the highest recorded DDoS attack peaked at 46 million RPS.

A wide range of targets have been identified, including financial institutions, government agencies, and gaming companies. The attack caused massive damage to many of these targets, but most were able to mitigate them through filtering, rate limiting, and other techniques.

In its blog post, Google noted that this is a ‘hyper volumetric novel attack that relies on stream multiplexing. The attack exploits a weakness in the HTTP2 protocol, which lets clients identify the server a previous stream has to cancel by sending an RST\_STREAM frame. It is worth noting that the protocol doesn’t require client-server coordination for this cancellation, and the client performs it unilaterally.

The attack is dubbed Rapid Reset because when the RST\_STREAM frame is sent from one endpoint right after sending a request frame, the other endpoint starts working and rapidly resets the request. The request gets cancelled later, but the HTTP/2 connection remains open.

HTTP/1.1 and HTTP/2 request and response pattern (Source: Google)

This is a concerning issue because HTTP/2 protocol is a critical element of around 0% of all web apps and facilitates interaction between a browser and a website. It is responsible for determining the quality and speed of how visitors interact with websites.

Exploitation of such a critical protocol indicates that DDoS attack remains a potent and growing threat. Organizations must take necessary steps such as promptly patching systems, upgrading their security mechanisms, and using rate limiting and filtering or at least having an incident response plan to deal with DDoS attacks.

1.  Cloudflare thwarts largest reported HTTP DDoS attack
2.  10 Top DDoS Attack Protection and Mitigation Companies in 2023
3.  Tiny Mantis Botnet Can Launch More Powerful DDoS Attacks Than Mirai

Google, Cloudflare, and AWS Disclose Largest DDoS Attack in History

By Waqas
Goodbye Passwords, or Not Yet?
This is a post from HackRead.com Read the original post: Google Makes Passkeys Default for All Users

Google is making passkeys the default option, aiming to replace passwords altogether.

Google announced today that it is making passkeys the default option for users. Passkeys are a new, more secure way to sign in to online accounts that is phishing resistant.

Passkeys use public-key cryptography to authenticate users without the need for passwords. When a user creates a passkey, a public and private key pair is generated. The public key is stored on the website or app that the user is signing in to, and the private key is stored securely on the user’s device.

To sign in with a passkey, the user simply selects the passkey they want to use and authenticates it with their device’s biometric sensor or PIN. This eliminates the need to remember or type in a password.

Passkeys UI

Google has been supporting passkeys since May 2022, and the company says that it has received positive feedback from users. The company is now making passkeys the default option in order to encourage more people to use them.

****Benefits of passkeys****

Passkeys offer a number of benefits over passwords, including:

*   **Security:** Passkeys are more secure than passwords because they are phishing-resistant and cannot be easily cracked.
*   **Convenience:** Passkeys are easier to use than passwords because users do not have to remember or type them in.
*   **Privacy:** Passkeys are more private than passwords because they do not require users to share their personal information with websites and apps.

Timothy Morris, Chief Security Advisor at Tanium, a Kirkland, Washington-based provider of converged endpoint management (XEM) thinks it is a positive development and it will play a vital role in securing user accounts without the complication of remembering long and complex passwords.

“This news is a positive development because you can authenticate faster and you don’t have to remember complex passwords,” Timothy said. However, he argued how users will react to the recovery process of a passkey.

“You can’t just recover your passkey like you can a password. The reason we’re now at this point is because there’s enough resiliency so the recovery key process is much smoother, Timothy added.

****How to use passkeys****

To use passkeys, you will need to have a device that supports them. Most modern smartphones and computers support passkeys.

To create a passkey, you will need to visit the website or app that you want to sign in to and follow the instructions. Once you have created a passkey, you will be able to use it to sign in to the website or app on any device that supports a passkey.

****Takeaway****

Google’s decision to make passkeys the default option for users is a welcome one. Passkeys are a more secure, convenient, and private way to sign in to online accounts. I hope that more companies will follow suit and make passkeys the default option for their users as well.

1.  Google offers Dark Web monitoring for US Gmail users
2.  Google Vertex AI Vision: Revolutionizing E-Commerce?
3.  Google’s Latest Android Feature Drop: Dark Web Search for Gmail ID
4.  Mobile Cybersecurity Firm Cirotta Launches Anti-Hacking Phone Cases
5.  Essential Insights on Google Cloud Backup and Disaster Recovery Service
6.  Microsoft launches free Linux memory forensics tool for detecting malware

Google Makes Passkeys Default for All Users

By Deeba Ahmed
If you use WordPress, update to the latest version.
This is a post from HackRead.com Read the original post: Hackers on WordPress Websites Hacking Spree with Balada Malware

Thousands of WordPress websites have been hacked as hackers exploit a vulnerability in the tagDiv Composer front-end page builder plugin.

*   **The vulnerability is tracked as CVE-2023-3169.**

*   **It lets attackers inject malicious code into a particular location in the site’s database and propagate the code to every public page of the targeted area.**

*   **Balada malware campaign reportedly exploits a recently patched vulnerability in Newspaper and Newsmag premium themes’ key component tagDiv Composer front-end page builder plugin.**

*   **After obtaining initial access, attackers can upload backdoors, add malicious plugins, and create admin accounts to gain persistent access.**

*   **This vulnerability was fixed in the plugin’s version 4.2.**

Web developers using WordPress themes Newspaper and Newsmag must remain cautious as a recently patched vulnerability is being exploited to gain full control of a website. The vulnerable plugin is tagDiv Composer, an essential component of the Newspaper and Newsmag themes. These themes are available via the Theme Forest and Envato marketplaces, boasting over 155,000 downloads.

Vietnamese researcher Truoc Phan detected it first. It is tracked as CVE-2023-3169 and carries a severity rating of 7.1 out of 10, which is Medium. It was partially fixed in version 4.1 of tagDiv Composer and fully patched in version 4.2.

According to security firm Sucuri’s researcher Denis Sinegubko, threat actors exploit this cross-site scripting (XSS) vulnerability to inject malicious code in webpages, redirecting visitors to scam or compromised websites.

These sites offer fake tech support, push notification scams, and fraudulent lottery wins to lure users. Push notification scams force users into subscribing by displaying fake captcha dialogues.

The most concerning aspect of this research is that threat actors have already compromised thousands of WordPress websites. On NIST’s National Vulnerability database, it is reported that the tagDiv Composer WordPress plugin versions before 4.2 didn’t have authorization in a REST route and didn’t validate or escape some parameters when outputting them back.

This allows unauthenticated users to conduct Stored Cross-Site Scripting attacks. Exploiting this flaw, an attacker can inject malicious code into a website.

It is worth noting that this vulnerability originated in a malware campaign dubbed Balada by Sucuri. The company has been tracking it since 2017, when it was first detected, and estimates that since 2017, the malware has compromised over one million websites.

In September 2023, Balada injections were seen on more than 17,000 websites and 40,000 users. Over 9,000 of the newly detected infections resulted from injections facilitated by CVE-2023-3169.

Balada group prefers to gain persistent control over compromised websites by injecting scripts that create accounts with administrator rights. When real admins detect it, they remove the redirection but keep the fake admin accounts. The threat actor uses the admin privileges to create a new set of malicious redirect scripts.

Commenting on this story is Chris Hauk, Consumer Privacy Advocate at Pixel Privacy said, “Unfortunately, plugins and themes are favourite targets of hackers looking to exploit weaknesses in the WordPress ecosystem.”

Chris warned that “This flaw was only recently patched in the tagDiv Composer plugin, so there are likely still thousands upon thousands of WordPress sites using the old version of the plugin. WordPress admin should immediately update their plugins and templates to protect against this hack,” he advised.

It is necessary for any web developer or website administrator using WordPress themes Newspaper and Newsmag to inspect the site and event logs to detect signs of infection. Apart from removing malicious scripts, they must check for newly added admin accounts and backdoor code. Those still using the old version must immediately switch to TagDiv version 4.2 to prevent infection.

****_RELATED ARTICLES_****

1.  How To Secure WordPress Website From Cyber Attacks?
2.  Zero-Day Exploit Threatens 200,000 WordPress Websites
3.  5 WordPress Security Solutions with Free SSL Certificates
4.  Flaws in 2 famous WordPress plugins put millions of sites at risk
5.  Hackers using hacked WordPress & Joomla sites to drop malware

Hackers on WordPress Websites Hacking Spree with Balada Malware

By Deeba Ahmed
Be cautious of scammers employing a new and convincing trick to steal your payment card data through a Magecart attack.
This is a post from HackRead.com Read the original post: New Magecart Attack Uses 404 Errors to Steal Your Card Data

A Magecart attack is a type of digital credit card skimming attack where malicious code is injected into e-commerce websites to steal payment card information from unsuspecting customers during online transactions.

****_KEY FINDINGS_****

*   **Akamai has discovered a new Magecart campaign in which scammers manipulate the default 404 error messages to inject malicious code.**

*   **The malicious code is injected as bogus Meta Pixel code or an inline script.**

*   **The skimmer overlays a checkout form exactly as those generated by genuine e-comm websites for capturing shoppers’ financial data.**

*   **The data is exfiltrated as a Base64-encoded string.**

*   **Magento and WooCommerce websites are the key targets in this campaign.**

*   **Large organizations in the retail and food sectors are prominent targets.**

Akamai Security Intelligence Group’s researchers have noticed a much more sophisticated and creative wave of Magecart attacks in a newly detected digital skimming campaign. The unique aspect of this campaign is that scammers are exploiting the 404 errors generated by websites to steal sensitive financial data.

In the blog post published Monday, Akamai security researcher Roman Lvovsky wrote that malicious code is injected into 404 error pages, mainly Magento and WooCommerce websites. The websites were directly exploited, and the malicious code snippet was added to one of their “first-party resources.”

In this campaign, the recurring targets are large organizations from the retail and food sectors. The attack is divided into three parts, making it a challenge for researchers and scanning tools to detect it. Moreover, it helps activate the attack in full flow on the targeted pages.

Lvovsky explained that Magecart attacks involve exploiting vulnerabilities in targeted websites or in third-party services used by those websites to deploy skimming malware on their payment pages. Once the loader gets executed, the malware sends a fetch request to a relative path “/icons” that doesn’t exist, and the request leads to the 404 Not Found Error.

> _“Upon analysis of the HTML returned in the response, it seemed like the default 404 page of the website. This was confusing and made us wonder if the skimmer was no longer active on the victim websites we found.”_
> 
> Roman Lvovsky – Akamai

**Tip:** _How to check for websites hacked to run web skimming, magecart attack_

Further probing revealed a regex match in the loader for the COOKIE\_ANNOT string in the HTML of the error 404 page, and a lengthy Base64-encoded string was next to it, which contained the obfuscated JavaScript attack code. 

What happens is that the loader extracts the string from the comment to decode and then executes the attack. When the JavaScript skimmer gets activated, a fake checkout form is displayed, and visitors are prompted to enter sensitive data, including credit card details, expiration date, and security code. A fake Session Timeout error follows this while the exfiltrated data is transferred to a remote server through an image request URL disguised as an image fetch event to evade detection by network traffic monitoring services.

When researchers simulated more requests to that path, all returned the same error page containing the malicious code. This means the attackers could modify the default error page for the website and successfully inject the malicious code.

Akamai detected two more variants of this attack. One hides the malicious code in an inappropriately formatted HTML image tag with an onerror attribute. The other hides the code in an inline script disguised as Meta Pixel code, a popular Facebook visitor activity tracking service.

A Magecart attack involves adding malicious code into e-comm websites to steal users’ personal and financial data. End-users must remain vigilant when entering data on websites. It is essential to keep website plugins and software up-to-date and filter out malicious traffic with a web application firewall. Lastly, implement CSP (content security policy) to restrict the types of scripts websites can execute.

****_RELATED ARTICLES_****

1.  100s of schools at risk after Magecart attack on Wisepay
2.  Major Magecart skimming attack hits 8 local US government sites
3.  Magecart hackers launched largest ever attack against Magento stores
4.  Lazarus hackers use Magecart attack to steal card data from EU, US sites
5.  Chinese Silent Skimmer Attack Hits Businesses in APAC and NALA regions

New Magecart Attack Uses 404 Errors to Steal Your Card Data

By Owais Sultan
Here are simple yet vital steps to identify online trading scams and safeguard your investments from cyber criminals.…
This is a post from HackRead.com Read the original post: How to Identify and Avoid Online Trading Scams

Here are simple yet vital steps to identify online trading scams and safeguard your investments from cyber criminals.

In today’s digitized era, online trading offers a lot of lucrative opportunities. But as the horizon broadens, so does the risk. Scammers lurk, waiting to capitalize on unsuspecting traders. The good news is that you can safeguard your investments by spotting and sidestepping these pitfalls. Let’s explore how. 

****Beware of Too Good to Be True Promises****

High returns with no risks? That’s a fantasy. An authentic trading platform will never guarantee success, as the market is unpredictable. You can, of course, improve your chances of success through education and research, like reading books by James Cordier. But steer clear of any platforms that promise successful trades. 

****Pressure to Act Fast – A Red Flag****

Scammers often create a sense of urgency. If you’re being rushed to make a decision, it’s a warning sign. Similarly, any unsolicited offers, such as random messages about ‘exclusive’ investment opportunities that you’re urged to take advantage of now should be approached with caution. A real brokerage won’t typically cold call or spam. 

****Do Your Due Diligence****

Before diving in, spend some time investigating. Is the website professionally designed and secure? Check for legitimate contact information and clear terms of service. Plus, validate the trading platform’s licensing. A reputable trading platform will always be regulated, and you should be able to verify their registration with relevant authorities.

Finally, look at reviews and testimonials. What are other users saying? While it’s true that no company is immune to negative feedback, a series of similar complaints can be revealing. 

****Protect Your Information****

Start by securing your devices. Firewalls, antivirus software, and updated systems aren’t just good ideas – they’re essentials. Always trade from a secure connection. Plus, regularly update your passwords and avoid using easily guessable ones. Two-factor authentication is even better. 

****Be Skeptical of Shortcuts****

While there are valid automated systems out there, many promising ‘quick riches’ are fraudulent. Be sure to conduct thorough research before you make any commitments. Plus, anyone boasting about having ‘insider’ details is likely misleading you. Acting on such information is also illegal. 

****Stay Educated****

The world of online trading is constantly evolving. By staying updated, you are less likely to fall for outdated scams. Spend time on trading blogs, websites, and reading books. Learn from the experts in webinars and workshops whenever possible. They will offer valuable insights, and you can ask questions directly. 

****Take Action if Duped****

If you have fallen victim to an online trading scam, it’s crucial to report it. This can prevent others from being victimized and may help you recover your losses. It’s important to maintain documentation and records of all your communications and transactions. This can be key if legal action is necessary. 

In the digital age, traders are offered plentiful incredible opportunities – but they bring challenges with them. By staying vigilant, conducting thorough research, and regularly updating your knowledge, you can navigate the online trading world with confidence. Always remember that in trading, if something seems too good to be true, then it probably is. Stay safe and trade wisely. 

1.  Online scams: How Safe Are the Websites You Visit?
2.  How To Safely Navigate the World of Crypto Finance
3.  Snapchat Safety for Parents: How to Safeguard Your Child
4.  How to Obtain a Virtual Phone Number and Why You Need One
5.  US military personnel defrauded into losing $822m through scams
6.  Online scams: How to give scammers a taste of their own medicine

How to Identify and Avoid Online Trading Scams

By Deeba Ahmed
As the conflict escalates on the ground, hacktivists are gearing up for cyberwar.
This is a post from HackRead.com Read the original post: Hacktivists Trageting Critical ICS Infrastructure in Israel and Palestine

Amidst the escalating conflict between Palestine and Israel, both pro-Palestinian and pro-Israeli hacktivists are targeting critical Industrial Control Systems (ICS) that are vulnerable.

Several cybersecurity firms have reported that pro-Israeli and pro-Palestinian hacktivists are eyeing industrial control systems (ICS) amidst the growing tension between the two countries. ICSs could be a target of interest because hundreds of these systems are still vulnerable to exploitation.

Waqas Ahmed, the founder and editor of Hackread.com, noted that hacktivists typically resort to DDoS attacks or small-scale data leaks, especially during unfortunate escalations in the conflict between Palestine and Israel. However, in this case, they have escalated their activities to a higher level. An example of this escalation is AnonGhost, who hacked the Israeli rocket alert app Red Alert to send thousands of fake nuclear bomb alerts to Israeli smartphones.

AnonGhost posting their claims on Telegram (Screenshot: Telegram – Hackread.com)

Many hacktivists are looking to disrupt critical infrastructure and claim headlines because a cyberattack on critical infrastructure can cause severe economic, safety, operational, and reputational damage. Many ICSs, which are computerized systems installed to monitor/manage mechanical processes in different industries, remain exposed to such threats. 

In a report, CyberNews revealed that several Israeli organizations have exposed the SCADA communications protocol called Modbus. Around 400 exposed systems were identified along with 150 open Message Queuing Telemetry Transport (MQTT) ports. These ports manage communications between SCADA and MES (manufacturing execution system).

What’s worth noting is that this is not just in Israel, many Palestinian firms also have exposed MODBUS and MQTT, and in addition to that, have exposed Siemens automation and Symantec systems. Therefore, it isn’t surprising that threat actors are aiming to target them.

According to Microsoft, a Gaza-based threat actor Storm-1133, has started targeting Israeli private-sector, telecom, and defense organizations. This group is affiliated with Hamas, which controls the Gaza Strip. This means the fight has already started in the cyber realm.

Microsoft’s annual Digital Defense Report reveals that Storm-1133 uses different social engineering techniques and fake LinkedIn profiles to lure employees to Israeli organizations. They send phishing emails, deliver malware, conduct espionage, and even infiltrate third-party organizations having public ties to achieve their objectives. After the group gains access to its target organization, it deploys backdoors. It avoids detection by regularly updating its C2 infrastructure.

There are reports that the Israeli government and media outlets have also become targets of hacktivists. A multitude of attacks, mostly DDoS, are observed targeting Israeli organizations/entities. However, not all threat actors have claimed allegiance with any of the two parties involved. Such as ThreatSec intends to target both sides simultaneously.

“As you might know, we don’t like Israel, but… We also don’t like War! Soooo, as we have attacked Israel in the past, we now attack the Gaza region, where many of the Hamas fighters are located!” the group wrote on Telegram and claimed to own every server of Alfanet.ps, including Gaza strip’s biggest ISP Quintiez Alfa.

For your information, ThreatSec is one of the five families of the world’s most well-organized groups. The others include GhostSec, Stormous, SiegedSec, and Blackforums. Many other groups are actively targeting Israeli and Palestinian organizations.

In the ongoing conflicts, The Archivists Domain and ThreatSec have targeted Palestinian infrastructure, with The Siegedsec supporting the Palestinian side. Additionally, the Gonjeshke Darande group has been targeting Iran. (Screenshots: Hackread.com)

On Sunday, the website gov.il became inaccessible worldwide, and the Russian Killnet group took responsibility for the attack on Telegram. Killnet later stated that they won’t target ordinary Israeli citizens as they are after the regime that “sold itself to NATO.”

“The atrocities that Hamas or Israel commit against civilians are terrible! We exclude the possibility of attacking the critical infrastructure of both sides!” the gang noted on Telegram.

Microsoft’s researchers noted that nation-state threat actors are more interested in long-term espionage campaigns. Israel, the US, Ukraine, and South Korea are some of the most regularly targeted nations in the MENA and Asia-Pacific regions.

****_RELATED ARTICLES_****

1.  Israel’s Channel 10 TV Station Hacked by Hamas
2.  Israeli Oil Refinery Giant BAZAN Hit by Fresh Wave of Cyber Attacks
3.  Hackers interrupt Eurovision webcast in Israel with missile attack alert
4.  Hamas hackers posed as women to con IDF into downloading malware
5.  Israel Faces Fresh Wave of Cyberattacks Targeting Critical Infrastructure

Hacktivists Trageting Critical ICS Infrastructure in Israel and Palestine

By Owais Sultan
Human Mind and Attention as Clue in Penetration Testing Success Stories.
This is a post from HackRead.com Read the original post: Unveiling Vulnerabilities: Penetration Testing Services

Penetration testing is vital as it helps identify vulnerabilities in a system or network, allowing organizations to proactively strengthen their security and protect against real-world cyber threats, ultimately safeguarding sensitive data and assets.

The penetration test, or pentest, is a controlled intrusion into the software system to reveal and eliminate vulnerabilities. Nowadays, the pentest is the closest model to the **regular cyber attack** and the best means to prevent it.

The need becomes more and more crucial: the statistics of 2022 demonstrates a **40% growth** of new vulnerability number compared with 2021, 21,000 to 13,000. 21,000 vulnerabilities per year are invisible for scanners but can bring multimillion losses.

That’s why both principles of penetration testing and text cases themselves make the researchers consider the **unique vulnerabilities** as valuable precedents and analyze the pentest reports in detail.

****Company to Deal with and Its Risks****

The zero stage of the pentest is collecting a full package of background information about the reviewed company and the breach if it happened. Let’s model a regular supposed cryptocurrency company, let’s name it Ultimo Chain, which faced the exploit of the native exchange. For better illustration, Ultimo’s model combines features of several real cryptocurrencies, bridges and exchanges, **attacked in 2021-2022**. 

Ultimo relies on original blockchain encryption and never passed a test before. But penetration testing success stories teach that a middle or large company needs it crucially. The main company features and risks according to the checklist of OUR SITE experts:

*   **Industry**. As a cryptocurrency IT business, Ultimo is more interesting for cybercriminals than industrial manufacturers.

*   **Market cap**. A high-skilled intruder may consider a market leader as a beneficial target despite the complex security system. Ultimo is a medium company with a 150+ ranking on CoinMarketCap with a capitalization under $150M, so it’s a decent trophy.

*   **Original system**. Software of most middle or bigger businesses is a unique combination of apps, services, connections and client interfaces. A breach in one component may disclose others to malicious actors. Ultimo uses the original coin, stablecoin and exchange, based on their blockchain, several bridges between Ethereum and other altcoins. 

*   **Data access policies and staff instructions**. Ultimo is an open-source project, and anyone can review its codes on GitHub. The data about financial transactions are encrypted with **blockchain** and stay in secured clouds. Meanwhile, all communications and supportive information are provided by regular messengers, emails and outer storage. Ultimo has 50+ remote workers with 3 levels of access for partners, regular developers, managers and architects.

After the exploit, the exchange was robbed. Due to further investigation, a hacker took away all native stablecoins (25% of all supply) from the Ethereum pair, sold them on external DEX and covered the tracks in a crypto mixer.

****Main Sectors for Vulnerability Detecting** **

The Ultimo pentest not only aims for software and several technical supplements but also closely looks for human errors. The research has to detect:

*   data leak sources;
*   hardware malfunctions;
*   sustainability of connections;
*   system errors and wrong settings;
*   weaknesses in the code and encryption; 
*   vulnerabilities related to staff and management.

The specifics of this case study in penetration testing is that its core code is public. However, the GitHub code doesn’t include visible vulnerabilities and was excluded from possible data leak sources.

The pentest team has to pay attention to the following elements:

*   **Core software** — services and processing software on servers or in clouds, resilience to data leaks, errors and crashes during malware intrusion. 
*   **Websites** — page displaying, navigation and script procedures during DDoS attacks or corruption by malware, encryption and coding against web page data stealing, reliability of redirecting from multinational sites to local mirrors.  
*   **Networks** — reliability of connections and protocols for data transfers, vulnerabilities within local company networks and during remote access.
*   **Client apps** — options and probability of virus invasion, interface misconfigurations, vulnerabilities related to application access and cashed private data.
*   **Remote access software** — possibilities for malware intrusion in the VPNs and forging IP addresses.
*   **Wireless webs** — reliability of Internet connection software (routers, encryptors, filters).
*   **Hardware functioning (SCADA)** — reliability and risks of controlling software in sensors and transmitters. This type relates to power, temperature or pressure equipment, including one inside the servers.
*   **Human factor** — possibilities for staff, clients or partners to corrupt software or cause data leaks (management of data access levels, fishing and similar hacking techniques).

Most penetration testers are narrow but experienced specialists who analyze the separate categories of vulnerabilities. Then the team discusses the results in complex.

****Vulnerability Hunt Step-by-Step****

The professional pentest passes by a **certified methodology** in these steps:

*   Primarily scanning for common vulnerabilities with security scanners (Kali Linux and Rapid7 Nexpose).
*   Additional manual testing for original vulnerabilities.
*   Severity level attribution for vulnerabilities according to standard calculations (NVD by NIST).
*   Test exploitation, including specially written software.
*   Summarizing the research in generated (Cyver Core) and manually complemented reports.
*   Choosing ways to eliminate vulnerabilities.

Security testing professionals may also consult related sources for additional information. In the Ultimo model, the pen specialists review the exchange transaction history. The Ultimo blockchain scanner demonstrates that every recent purchase was cancelled because of a lack of validation nodes. However, after the cancellation, the exchange currency was redirected to the fraudster’s wallet instead of the exchange one.  

****How and Why to Classify Vulnerabilities****

Vulnerability detection is the first stage of penetration testing case study. The test team detects regular weaknesses with scanners to shorten the time of audit and to allow the experts to focus on manual detecting of special things.

As a result, the company Ultimo received comprehensible metrics of system weaknesses, the most severe among them relating to:

*   Possibilities for access level manipulation.
*   Sending data from the exchange to external apps.
*   Fishing probabilities on personal computers of remote workers because of unsecured messengers and storage.

During the further case study of penetration testing, the found vulnerabilities obtain a category of severity due to their danger levels and potential negative consequences:

*   **Critical** — The vulnerability is open and can be used by malicious actors at any moment. It allows the malware to run within the organization soft and needs immediate fixing.
*   **High** — The vulnerability is also available without additional conditions. It doesn’t allow changes within the company’s software, launching of malware or deleting of data. But the actor still can intercept any protected information. 
*   **Medium** — The vulnerability allows the stealing of only low-priority information and only after the actions of the medium-level specialist. The malware can’t be launched. Most of these cases are due to errors in software configurations.
*   **Low** — The vulnerability menaces with data leaks and is caused by software configuration, particularly data access levels and company data policies. Using this type of vulnerability requires social engineering and, sometimes, additional software exploits.

The analysis allows the team to qualify the Ultimo vulnerabilities as medium and low. But they seem to be the weaknesses used by the hacker.

****Harmless Exploit****

The next stage is a practical attack on the researched system but without damage. The pentest team exploit the software only after backups and by agreement with the organization. The main steps:

*   The cyber security team develops several scenarios that involve all found vulnerabilities.
*   The testing system embodies them and records all successful intrusions.
*   The reports go to the company managers with commentaries.
*   The cybersecurity team models the consequences if a malicious actor exploits the same sectors or achieves the same data.
*   The company and pen-testers evaluate the probability of each scenery and calculate possible losses.

The practical deeds adjust the theoretical results. Some vulnerabilities interfere with others and get higher severity levels. Some are offset by other program components and are considered low-risk. The practice often reveals missed weaknesses and unexpected consequences of an exploit.

The penetration testers try to recreate the scenery of the Ultimo exploit as the main one. It combines the detected vulnerabilities, social engineering and data from the blockchain scanner:

*   The tester rewrites and compiles an open-source code to get a binary file.
*   Then, the expert creates a classic fishing email trap, involving a fake Google authentication, uses saved passwords in the target’s browser and gets access to the Ultimo designer’s account at the external storage.
*   The specialist uses a popular hacking solution to get the third level of access and, as a result, reads the project manager’s database of developers’ information in the common documents.
*   With the received accesses, the tester can enter the site server (even without a proxy), replace the purchase binary file with the forged one and relaunch the exchange.

The checking transaction of a small amount shows that the exploit was successful, and the tester backed the replaced file. The used scenery allows not only stealing money but also deleting the whole exchange, source codes and all supportive materials (except backups on the staff computers). 

****Strategies and Recommendations to Overcome Security Problems****

After discussing vulnerabilities and related risks, the testers offer ways to solve them. The company compares their reliability and necessary expenses for choosing the best solutions for this penetration testing and test cases.

Additionally, the pentest team advises how to prevent similar troubles during the renovation of software and expansion of business processes. By the company’s wish, the team describes the signs of danger and general ways that can lead to it.

These are general recommendations for Ultimo, which will suit any organization:

1.  Creation of the security software list for obligatory installation by remote staff. 
2.  Using secured data rooms or similar business solutions instead of regular storage.
3.  Monitoring and notification of leading developers of all server changes.
4.  Using one-way data encryption and doubling for databases.
5.  Integration of biometric identification for the second and third security levels in storage.
6.  Registration of all involved devices by the administrator.

These steps contour the security update plan, but exact solutions must be developed for and together with an individual company only. 

****Mutual Collaboration for the Best Results****

The pen-testing team consults the researched company while implementing the offered changes. They control the quality of the work and adjust algorithms if the direct implementation faces inconvenience. 

Due to penetration testing success stories, the team and company must share clear results and control each other’s work. The **testers list all vulnerabilities**, the company notifies the testers about all implementation nuances. 

Ultimo is also recommended to pass the penetration test periodically because the company:

1.  make frequent global upgrades of both blockchain and apps;
2.  integrates new cryptocurrencies and fiat payment methods;
3.  develops apps for smart TVs and desktops.

In short, not only major leaks but any global change should be accompanied by a new professional pen test.

****Benefits for Pentested Companies****

Despite the best-quality blockchain, the modelled cryptocurrency company failed in supporting factors, especially related to data storage and human errors. Elimination of these vulnerabilities helps Ultimo to prevent:

*   data leaks;
*   new money and time losses;
*   decreasing company market value.
*   further spoiling of reputation and losing of clients;

In total, the pentest fosters Ultimo in increasing its market sustainability and advancing competitors. The costs of both pentest and improving the company’s security pay off especially quickly in the case of the trendy crypto industry.

****Pentest: Way to Forget about Intruders****

Penetration test with further upgrades is the best way to cut losses on hacks and overcome their consequences of high quality and a unique way. That’s why the results of each case study of penetration testing are so valuable.

As any modern company has a unique software complex, common solutions do not suit it. Only manual testing with a customized plan and hands-on exploit can reveal all security weaknesses. Finally, the **pentest services** are a safe and affordable way to advance the competitors and secure the company’s market future.

1.  The Most In-Demand Freelance Skills for 2023
2.  Top Certifications for Network Security Administrators
3.  We Need Smarter Smart Contracts To Prevent DeFi Hacks
4.  Penetration Testing And Their Methodology In Cybersecurity
5.  5 Proven Cyber Security Certifications That Will Boost Your Salary

Unveiling Vulnerabilities: Penetration Testing Services

By Deeba Ahmed
British Electronics Firm Volex Suffers Cyberattack, Confirms no “Material Financial Impact.”
This is a post from HackRead.com Read the original post: UK Power and Data Manufacturer Volex Hit by Cyberattack

AIM-listed British power and data transmission products manufacturer Volex PLC is the latest victim of a cyberattack.

****_KEY FINDINGS_****

*   **A UK-based critical power and data transmission products manufacturer, Volex PLC, has suffered a security breach.**

*   **The company claims there’s no evidence of a ‘material financial impact.’**

*   **The attack resulted from attackers gaining unauthorized access to some of its IT systems and data.**

*   **Volex claims it responded quickly to mitigate the attack and implemented an incident response plan.**

*   **Part of the plan is to ensure all its websites remain operational and global production systems stay unaffected.**

*   **The company has consulted cybersecurity experts to investigate the incident.**

AIM-listed British power and data transmission products manufacturer Volex PLC is the latest victim of a cyberattack. The incident resulted from unknown threat actor(s) gaining unauthorized access to some of the company’s IT systems and data at several global sites. 

However, Volex claims that attackers could not access financial data, and the incident had no material financial impact. Still, as noticed by London-based City AM publication, the company’s shares dropped around 4% on Monday morning. 

The 131-year-old Volex has employed unnamed third-party cybersecurity specialist consultants to investigate the root cause and extent of damage caused by the attack. The company stated in its Notice of Cyber Incident that multiple global sites of Volex were targeted in this data breach.  

Volex explained that it responded immediately and took action to keep its websites operational. The company implemented an incident response plan so that global production levels experience minimal disruption and uninterrupted trading with its suppliers and customers is ensured.

However, when checked at 13:25:26 UTC, the Volex website was offline, displaying a Cloudflare page. Nevertheless, at the time of writing, the website has been restored and is available for visitors.

Screenshot: Hackread.com)

“On becoming aware of the incident, the Group enacted its established IT security protocols and took immediate steps to stop the unauthorized access to its systems and data. Specialist, third party consultants have been engaged to investigate the nature and extent of the incident and to implement the incident response plan.”

It is worth noting that the company has footprints in 24 countries and owns 27 production sites. Europe, North America, and Asia are its primary trading markets.

We will update our readers as soon as Volex releases an update.

****_RELATED ARTICLES_****

1.  UK’s Freecycle Data Breach Impacts 7 Million Users
2.  UK Air Traffic Control System Collapses, Causing Travel Chaos
3.  IT Contractor Data Breach Affects 47,000 Met Police Personnel
4.  Cyberattack on UK IT Firm Swan Retail Affects up to 300 Retailers
5.  Contractor Data Breach Impacts 8k Greater Manchester Police Officers

UK Power and Data Manufacturer Volex Hit by Cyberattack

By Waqas
The Red Alert App is available on iOS; however, its Android version has been removed for unknown reasons
This is a post from HackRead.com Read the original post: Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App

Pro-Palestinian hackers from AnonGhost apparently managed to hack the Red Alert app, whose sole purpose is to send missile and rocket alerts to Israelis.

In the midst of the ongoing conflict between Israel and Hamas, a group of Pro-Palestinian hackers operating under the moniker **AnonGhost** launched a cyberattack on the RedAlert app, causing chaos among Israeli citizens over the weekend.

Developed by Kobi Snir, an app developer and IoT researcher, the Red Alert App serves a critical purpose by providing real-time alerts whenever rockets, mortars, or missiles are fired into Israel from the Gaza region.

Singapore-based cybersecurity firm Group-IB confirmed the cyberattack. In a brief **tweet**, the company’s threat analysis team revealed that AnonGhost had exploited an API vulnerability within the Red Alert app.

The group successfully intercepted requests, exposing vulnerable servers and APIs, allowing them to employ Python scripts to send spam messages to some Israeli app users. This resulted in users receiving false missile alerts on their smartphones, further worsening the already dire situation in the country.

But the extent of the attack didn’t stop at fake rocket alerts. According to Group-IB’s Threat Intelligence system, AnonGhost also sent fabricated messages regarding a “nuclear bomb” attack on Israel.

One of the announcements from AnonGhost on Telegram boasts about the attack with the following words:

> _“Israel’s RedAlert phone app system hacked by AnonGhost + AG Members. Before this attack happened we have found that there are about 10,000 users online in this chat. All 10k to 20k users in this application will get the same notification.”_

Furthermore, the group claimed that, aside from sending fake alerts and causing hysteria, the impact of this attack also includes disconnecting the user’s phone from the Internet and rendering the phone unusable, forcing the victim to purchase a new one. However, these claims remain unverified at this time.

Hackread.com delved into these claims and discovered a video shared by AnonGhost on their Telegram channel, demonstrating that the group had exploited the RedAlert app to send emergency alerts about fictitious rocket and nuclear bomb attacks.

Source: Hackrad.com

The Red Alert App is available on **iOS**; however, its Android version has been **removed** for unknown reasons

The conflict between Israel and **Hamas** ignited on October 7, 2023, when Hamas fighters launched a surprise attack on Israel, crossing the border from the Gaza Strip into Israeli territory. Hamas reported casualties among Israelis and claimed to have taken dozens of hostages.

Israel, on the other hand, characterized Hamas’ attack as unprovoked and an attempt to annihilate the country. Reuters **reported** that Israel responded with airstrikes on the Gaza Strip, resulting in the deaths of hundreds of Palestinians, including at least 20 children.

While the physical conflict raged on, cyber warfare unfolded in parallel. Pro-Palestinian and Pro-Israeli hacktivist groups engaged in online battles, targeting each other’s infrastructure through activities such as Distributed Denial of Service (DDoS) attacks, data leaks, doxing, and social engineering.

The ongoing conflict continues to have a digital dimension, as **hacktivist groups** on both sides strive to make their voices heard in the cyber realm, further escalating tensions in an already volatile situation.

****_RELATED ARTICLES_****

1.  Israel’s Channel 10 TV Station Hacked by Hamas
2.  Israeli Oil Refinery Giant BAZAN Hit by Fresh Wave of Cyber Attacks
3.  Hackers interrupt Eurovision webcast in Israel with missile attack alert
4.  Hamas hackers posed as women to con IDF into downloading malware
5.  Israel Faces Fresh Wave of Cyberattacks Targeting Critical Infrastructure

Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App

By Waqas
September 2023’s Most Wanted Malware: Remcos Wreaks Havoc in Colombia and Formbook Takes Top Spot after Qbot Shutdown, reveals Check Point.
This is a post from HackRead.com Read the original post: Formbook Takes the Throne as Most Prevalent Malware

Check Point’s Global Threat Index for September 2023, released on October 6th, revealed that Education and Research remain the top targeted industries in September 2023.

The cybersecurity researchers at Check Point have released its Global Threat Index for September 2023, revealing significant shifts in the cyber threat landscape. The report highlights a notable phishing campaign that targeted numerous organizations in Colombia, resulting in the surge of the Remcos Remote Access Trojan (RAT) and the rise of Formbook as the most prevalent malware following the demise of Qbot.

Here, it’s worth noting that Qbot, also known as Qakbot and Pinkslipbot malware, faced disruption by the FBI in August 2023, having infected 700,000 computers globally. Despite this disruption, a recent report from Cisco Talos Intelligence Group reveals that the cybercriminals responsible for Qbot remain active, now distributing a new malware known as Ransom Knight.

****Colombia Under Attack: Remcos RAT Unleashed****

In September, Check Point Research uncovered a large-scale phishing campaign aimed at over 40 prominent businesses across various industries in Colombia. The primary objective of this campaign was to surreptitiously deploy the Remcos RAT on victims’ computers.

Remcos ranked as the second most prevalent malware in September, is a sophisticated Remote Access Trojan, offering attackers full control over the infected systems and versatile malicious capabilities. The consequences of a Remcos infection are dire, encompassing data theft, subsequent malware infections, and account takeovers.

Maya Horowitz, VP of Research at Check Point Software, stated, “The campaign that we uncovered in Colombia offers a glimpse into the intricate world of evasion techniques employed by attackers. It is also a good illustration of how invasive these techniques are and why we need to employ cyber resilience to guard against a variety of attack types.”

****Formbook Takes the Throne****

The September Global Threat Report Index also revealed a noteworthy shift in the top malware rankings. Formbook, an Infostealer targeting Windows OS, claimed the number one spot with a global impact of 3% on organizations worldwide.

First detected in 2016, Formbook data stealer is marketed as Malware as a Service (MaaS) in underground hacking forums for its potent evasion techniques and relatively low price. Its capabilities include harvesting credentials from web browsers, capturing screenshots, logging keystrokes, and executing files on the attacker’s command.

****Qbot’s Reign Ends**?**

The most significant change in the malware landscape was the exit of Qbot from the top malware list. The FBI had seized control of the Qbot botnet in August, marking the end of its long-standing reign as the most prevalent malware throughout most of 2023.

However, as the group responsible for Qbot is still active and already disseminating new malware, the significance of the disruption of the malware’s infrastructure may have somewhat diminished.

****Top Attacked Industries and Vulnerabilities****

In terms of attacked industries globally, Education/Research remained the top target, followed by Communications and Government/Military. These sectors continue to face relentless cyber threats.

Regarding exploited vulnerabilities, “Web Servers Malicious URL Directory Traversal” took the top spot, affecting 47% of organizations worldwide. This vulnerability allows unauthenticated remote attackers to access arbitrary files on vulnerable servers. “Command Injection Over HTTP” followed closely with 42%, and “Zyxel ZyWALL Command Injection” was at 39% in terms of impact.

****Malware Attacks Against Smartphones****

In the mobile malware arena, Anubis retained its position as the most prevalent mobile malware, followed by AhMyth and SpinOk. Anubis, initially a banking Trojan, has evolved to include Remote Access Trojan (RAT) functionality, keylogging, audio recording capabilities, and ransomware features.

AhMyth, discovered in 2017, is another RAT distributed through Android apps that collect sensitive information from infected devices. SpinOk, operating as spyware, was found in over 100 Android apps, amassing more than 421 million downloads as of May 2023.

As cybersecurity threats continue to evolve, organizations must remain vigilant and proactive in implementing robust cybersecurity measures to protect against the ever-present dangers of malware and vulnerabilities.

****_RELATED ARTICLES_****

1.  US, India and China Most Targeted in DDoS Attacks
2.  Microsoft Office Most Exploited Software in Malware Attacks
3.  Schools Are the Most Targeted Industry by Ransomware Gangs
4.  Russian Dark Net Markets Dominate the Global Illicit Drug Trade
5.  What Are the Top 10 Android Edu Apps That Collect Most User Data?
6.  VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware
7.  Microsoft, PayPal & Facebook most targeted brands in phishing scams