By Deeba Ahmed
The technical details of these findings will be unveiled at Black Hat USA on Wednesday, August 9, 2023.
This is a post from HackRead.com Read the original post: Researchers Jailbreak Tesla Vehicles, Gain Control Over Paid Features

**IN SUMMARY**

1.  **A basic piece of hardware allows third-party jailbreaking of a Tesla vehicle.**
2.  **The findings came from a security researcher and 3 academic researchers.**
3.  **Tesla’s AMD Secure Processor was bypassed with a voltage-glitching flaw.**
4.  **The findings will be unveiled at Black Hat USA on Wednesday, August 9.**

With the involvement of smart technology, **security vulnerabilities in Tesla cars** are not a novel occurrence; they have been a well-established fact. Such vulnerabilities are an inherent possibility whenever sophisticated technology is integrated into a vehicle.

Tesla offers in-car purchases to enhance its EVs connectivity, and researchers have already found a method to jailbreak Tesla vehicles and activate crucial features like FSD Beta, or heated seats.

**Tesla EVs In-Car Paid Features are Hackable!**

Academic researchers from Technical University Berlin and independent researcher Oleg Drokin have found a way to unlock in-car purchasable features of Tesla EVs. Researchers have found that gaining complete control of a Tesla EV was possible by **exploiting a flaw in its Bluetooth system**.

According to researchers, they managed to gain root access to Tesla EV’s MCU-Z (AMD-based) infotainment system, **used** in almost all new EV models, which gave them complete control over the vehicle’s operating system and use any feature such as activating and deactivating its systems.

**How Does the Attack Work?**

Researchers exploited a voltage-glitching (aka fault injection) vulnerability in the ICE (infotainment ECU) board of the EV to bypass Tesla’s AMD Secure Processor, a Trusted Platform Module. This helped them gain root access to the OS and run arbitrary code on the MCU-Z and enable paid features like Acceleration Boost, FSD Beta, and heated seats.

Not just that, they could break geolocation restrictions on FSD Beta and navigation, which may be detrimental for Tesla users because it makes enabling FSD Beta possible in any region/country where it is unavailable.

For instance, they can enjoy fully autonomous (level 5) driving in Europe where only Level 3 autonomous driving (requiring a fair amount of human intervention) is legal under certain **conditions**.

** Tesla Jailbreak details**

Interestingly, Tesla jailbreaking turned out easier than expected, and advanced tools weren’t required to achieve it. Researchers successfully exploited MCU-Z by voltage fault injection attack against the ASP using low-cost hardware to mount to glitching attack and disrupt the ASP’s early boot code.

They then reverse-engineered the boot flow to gain a root shell. After gaining root permissions, they enabled arbitrary changes to Linux and decrypt the encrypted NVMe storage to access private user data like calendar entries or phonebook.

The ASP attack also allows extracting a TPM-protected attestation key that authenticates a Tesla EV and migrates the vehicle’s identity to another car computer without Tesla’s consent.

According to co-researcher **Christian Werling**, this attack can be pulled off with basic electronic engineering using hardware worth up to $100 and a soldering iron. Moreover, the AMD CPU’s vulnerability is unmitigable without a CPU upgrade, and gaining root permissions allows arbitrary changes to Linux that survive updates and reboots. This means the access might be irrevocable.

However, Werling noted that a Teensy 4.0 Development board is better for voltage-glitching as it works better with their open-source attack firmware. In addition, an SPI flash programmer and a logic analyzer can help debug this attack.

It is unclear whether researchers have informed Tesla about this vulnerability. Despite successful jailbreaking, researchers lauded Tesla’s superior security mechanism, claiming it is way ahead of most automakers.

The findings will be revealed at the **Black Hat USA** on Wednesday, August 9, 2023.

**RELATED ARTICLES**

1.  How to unlock Tesla wireless key fobs in 2 seconds
2.  Tesla autopilot feature hacked to risk oncoming traffic
3.  3rd-party flaw allowed a teen hacker to track Tesla cars
4.  Sensitive user data found in Tesla car parts sold on eBay
5.  Bug bounty: Hack Tesla Model 3 to win your own Model 3
6.  Researchers found another way to hack Tesla Model X Key Fob

Researchers Jailbreak Tesla Vehicles, Gain Control Over Paid Features

By Waqas
These networks generated revenues from advertising sexually explicit content involving children.
This is a post from HackRead.com Read the original post: Operation Narsil INTERPOL Busts Decade-Old Child Abuse Network

**IN SUMMARY**

1.  **Operation Narsil was launched in 2021 with 27 countries’ collaboration.**
2.  **Arrests were made in Argentina, Bulgaria, and Russia during the operation.**
3.  **INTERPOL disrupted finance mechanisms and seized over 20,000 domains.**
4.  **The Argentinian arrest involves a brother-sister duo running an abuse site.**
5.  **Interpol’s actions send a strong message to criminals exploiting children.**

The rise of profitable platforms that provide access to content depicting the sexual or physical exploitation of minors is an unfortunate reality. However, law enforcement agencies worldwide are actively engaged in efforts to dismantle these networks and bring the perpetrators to justice. Operation Narsil stands as a notable example of such initiatives, successfully busting several child exploitation networks.

Interpol launched Operation Narsil in December 2021 with the primary objective of tracking down criminals involved in operating children’s sexual abuse-related websites. After two years of relentless investigation, in a massive worldwide law enforcement collaboration, agencies achieved a major breakthrough in July 2023, taking down a significant network responsible for distributing child sexual abuse content.

Throughout the operation, the investigators effectively disrupted the finance mechanisms of the website operators, resulting in a severe impact on their advertising campaigns.

According to INTERPOL’s **press release**, under Operation Narsil, Interpol managed to seize over 20,000 domains in the past 13 years. In total, 27 countries have collaborated in the operation so far.

**Decade-Old Abuse Networks**

During Operation Narsil, all Interpol member countries collaborated extensively to combat the issue of child exploitation. They actively engaged in sharing intelligence information, identifying suspects, and coordinating arrests of individuals involved in running the websites that facilitated such heinous activities.

Notably, in 2010, Interpol established the Interpol Worst of List (**IWOL**), which served as a watchlist to monitor websites offering extreme child sexual abuse content. Interpol’s general secretariat headquarters worked in close partnership with law enforcement authorities in all regions, urging them to take action and shut down these harmful websites within their respective countries.

**Brother Sister Duo Ran Minor Abuse Site**

**In Argentina**, one of the websites seized during Operation Narsil had been operating for approximately a decade and was discovered to be run by a brother-sister duo based in Argentina.

These siblings were apprehended for their involvement in creating, maintaining, and profiting from a website that featured explicit child sexual abuse material, along with associated advertising campaigns. During the arrests, authorities confiscated 14 electronic devices, credit cards, and cash from the residence of the suspects.

The reason this illicit activity remained undetected for such a long period was due to the complexities of technology that the perpetrators exploited to evade law enforcement. However, the breakthrough came when digital clues from the Interpol Worst of List (IWOL) and intelligence shared by the global police community helped trace and identify the duo’s involvement in this appalling crime.

To bring the criminals to justice, Argentina’s Anti Cyber Crime against Minors’ Victim Identification Office and the Specialised Cybercrime Prosecution Unit (**UFECI**) collaborated with the Federal Courts in Mendoza Province. This joint effort led to the successful identification and subsequent arrest of the suspects, ensuring that they would face the legal consequences for their heinous actions against children.

**In Bulgaria**, law enforcement successfully apprehended a 34-year-old male who was operating an online forum dedicated to sharing child sexual abuse content. The arrest aimed to put an end to this disturbing online activity and bring the perpetrator to justice.

**In Russia**, two individuals aged 24 were arrested for their involvement in the production and distribution of illegal content related to child sexual abuse. During the operation, authorities seized removable hard drives that contained explicit material, as well as various software and equipment that were used to create and maintain websites promoting such illicit content.

**In Thailand**, a 45-year-old male was arrested for possessing and profiting from child sexual abuse content. This reprehensible act of exploitation was met with decisive action by the authorities, intending to **ensure the safety** and protection of vulnerable children.

**The Fight is Far From Over**

The arrests indicate the effectiveness of cross-regional police cooperation, said Argentina’s Federal Police head and America’s Interpol executive committee’s delegate, Juan Carlos Hernandez.

Interpol’s secretary general, Jurgen Stock, believes that “identifying and removing these websites” is highly **crucial** to prevent the “potential normalization” of child abuse material online. It is also important to reduce the re-victimization of abused minors.

“Operation Narsil sends a strong message to the criminals making money from these websites that Interpol and its alliance of police forces in 195 member countries, know where they are, what they are doing, and how to find them,” Stock added.

**RELATED ARTICLES**

1.  Dark Web child abuse gang busted; 15TB of files seized
2.  Authorities seize world’s biggest dark web child abuse site
3.  Op protected childhood: 113 online child predators arrested
4.  Busted: Man streamed “worst child abuse content ever seen”
5.  210 days prison for crypto CEO who held 13k child abuse files
6.  BreachForums’ Pom Pleads Guilty to Holding Child Abuse Content
7.  Man sought dark web hitman to murder child victim of sexual abuse

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Operation Narsil INTERPOL Busts Decade-Old Child Abuse Network

By Habiba Rashid
Dubbed HVNC, the malware is being sold on a Russian hacker and cybercrime forum for $60,000.
This is a post from HackRead.com Read the original post: Researchers Leverage ChatGPT to Expose Notorious macOS Malware

**IN SUMMARY**

1.  **The HVNC macOS malware tool is designed to target SMEs.**
2.  **The malware tool is effective on a wide range of macOS versions.**
3.  **This is a reminder that Macs are not immune to cyberattacks**
4.  **The creators of the malware tool have placed a large escrow deposit, which shows their confidence in the tool’s effectiveness.**

Russian hackers and cybercrime forums are notorious for exploiting critical infrastructure. Last month, Hackread.com **exclusively reported** that a Russian-speaking threat actor was selling access to a US military satellite. Now, researchers have identified macOS malware being sold for $60,000.

Guardz Cyber Intelligence Research (CIR) team has uncovered a sophisticated and perilous macOS malware tool being sold on the notorious Russian cybercrime forum “Exploit.” Leveraging a lead from **ChatGPT**, the team has unearthed a Hidden Virtual Network Computer (HVNC) tool, designed to seize control of Macs within small to medium-sized enterprises (SMEs).

ChatGPT assisting researchers (screenshot: Guardz)

HVNC is a malicious tool that enables cybercriminals to infiltrate Mac devices without the victim’s knowledge. Unlike conventional remote control technologies, HVNC operates covertly, creating a hidden desktop session that escapes the user’s awareness. 

According to Guardz CIR’s report, the tool was available for the staggering price of $60,000. For this sum, cybercriminals gain access to a malicious tool capable of persistently running on a Mac, evading user authorization, and executing a range of invasive functions. The tool is effective on a spectrum of macOS versions, from 10 up to macOS Ventura 13.2.

The creators of this tool, presumed to be Russian hackers, have taken their malevolent endeavours to new heights. To substantiate the tool’s credibility, an astonishing $100,000 deposit has been placed in an escrow account, earmarked as insurance should the tool fail to deliver as promised. This unprecedented measure shows the hackers’ confidence in their creation and its grave implications.

Post by malware author on a Russian cybercrime and hacker forum (screenshot: Guardz)

Historically, Macs have enjoyed relative immunity compared to their Windows counterparts, but this equilibrium is being disrupted. Cybercriminals are increasingly targeting Macs, a trend that demands heightened awareness from both individual users and businesses alike.

Updating to the latest macOS version and refraining from downloading applications from untrusted sources is paramount. Employing reliable antivirus software, complemented by regular security audits, will further bolster defence mechanisms. 

**RELATED ARTICLES**

1.  MacStealer Malware Targeting macOS Catalina Devices
2.  macOS Users Targeted by Chinese Iron Tiger APT Group
3.  SysJoker backdoor targeting Windows, macOS & Linux Devices
4.  DazzleSpy malware infects macOS devices through hacked sites
5.  UpdateAgent malware variant mimics legitimate macOS software

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Researchers Leverage ChatGPT to Expose Notorious macOS Malware

By Waqas
The group of Russian hackers involved in this attack is Midnight Blizzard (aka NOBELIUM).
This is a post from HackRead.com Read the original post: Russian Midnight Blizzard Hackers Hit MS Teams in Precision Attack

**IN SUMMARY:**

1.  **Midnight Blizzard (aka NOBELIUM) was also involved in the SolarWinds hack.**
2.  **The group used hacked Microsoft 365 tenants owned by small businesses.**
3.  **The reported campaign impacted fewer than 40 unique global organizations.**
4.  **The goal of Midnight Blizzard is to collect intelligence through espionage.**
5.  **Microsoft has taken measures to mitigate the domains used by the group.**

Microsoft has recently disclosed a highly targeted social engineering attack by the threat actor known as Midnight Blizzard (previously tracked as **NOBELIUM**). The attack involves credential theft phishing lures sent via Microsoft Teams chats, and it demonstrates the actor’s continued use of both new and traditional techniques to achieve its objectives.

According to Microsoft Threat Intelligence, the latest activity involves **Midnight Blizzard** using previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear to be legitimate technical support entities.

Using these domains, the threat actor sends Teams messages as lures to steal credentials from targeted organizations. The attack relies on engaging users and eliciting approval of multifactor authentication (MFA) prompts, ultimately giving the actor access to the victims’ **Microsoft 365 accounts**.

This campaign has impacted fewer than 40 unique global organizations. These targets indicate that Midnight Blizzard’s objectives primarily revolve around espionage, with a specific focus on government entities, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.

Midnight Blizzard, attributed by the US and UK governments as the Foreign Intelligence Service of the Russian Federation (SVR), is well-known for targeting governments, diplomatic entities, NGOs, and IT service providers primarily in the US and Europe.

According to Microsoft’s **report**, their main goal is to collect intelligence through dedicated espionage, and their operations have been ongoing since early 2018. The threat actor uses various initial access methods, including stolen credentials, supply chain attacks, and exploitation of on-premises environments to move laterally to the cloud.

To execute their latest attack, Midnight Blizzard uses security-themed or product name-themed domain names in their **phishing lures**. They compromise Microsoft 365 tenants of small businesses to host and launch the social engineering attacks. This tactic includes renaming the compromised tenant, adding a new subdomain, and creating a new user associated with that domain to send outbound messages to the target tenant.

The attack chain observed in this activity relies on token theft techniques for initial access, as well as authentication spear-phishing, password spray, brute force, and other credential attacks. Additionally, the threat actor targets users with passwordless authentication configured on their accounts, asking them to enter a code displayed during the authentication flow into the **Microsoft Authenticator app** on their mobile devices.

Message from Midnight Blizzard using a Microsoft Teams account and a phishing message sent by the same group (Screenshot: Microsoft)

In a comment to Hackread.com, Mike Newman, CEO of **My1Login** said “This is a highly sophisticated phishing scam that would be almost impossible to detect to the untrained eye. Because the attackers were using a legitimate Microsoft domain, it would only have taken a very curious and security-savvy user to investigate the prompts further and realise they were fake.”

Mr. Newman advised that “Businesses need to take their own remediation action against these threats and one of the best ways to do this is by removing passwords and credentials from users’ hands. This means even when highly sophisticated scams do reach user inboxes, users can’t be tricked into handing over their credentials because they simply do not know them.”

“Removing credentials and passwords from users can be achieved by implementing modern Identity Management solutions, which improve security but also remove cumbersome security checks within the enterprise to enhance the user experience and increase operational efficiency,” added Mr. Newman.

Nevertheless, Microsoft has taken measures to mitigate the use of these domains by Midnight Blizzard and is actively investigating the campaign to remediate its impact. The company has directly notified targeted or compromised customers to help them secure their environments.

In response to this latest attack, Microsoft recommends several mitigations to reduce the risk of falling victim to such **social engineering campaigns**:

*   Pilot and deploy phishing-resistant authentication methods for users.
*   Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users accessing critical apps.
*   Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked for chat and meetings.
*   Enable Microsoft 365 auditing to investigate audit records if required.
*   Select the best access settings for external collaboration.
*   Allow only known devices that adhere to Microsoft’s recommended security baselines.
*   Educate users about social engineering and credential phishing attacks, cautioning them against entering MFA codes sent via unsolicited messages.
*   Train Microsoft Teams users to verify the “External” tagging on communication attempts from external entities and to be cautious about sharing sensitive information or authorizing sign-in requests over chat.
*   Encourage users to review sign-in activity and report suspicious sign-in attempts.

By adhering to these best practices, organizations can strengthen their defences against social engineering attacks and minimize the risk of unauthorized access to critical resources.

**RELATED ARTICLES**

1.  Check Point: Microsoft the Most Phished Brand in Q2 2023
2.  NodeStealer 2.0 Poses as ‘Microsoft’ to Hack Browser Data
3.  Microsoft Teams Flaw Sends Malware to Employees’ Inboxes
4.  Microsoft Message Queuing Service Exposed to DoS Attacks
5.  Microsoft sued for alleged misuse of stolen Dark Web credentials
6.  Microsoft-Signed Drivers Helped Hackers Breach System Defenses

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Russian Midnight Blizzard Hackers Hit MS Teams in Precision Attack

By Deeba Ahmed
NodeStealer 2.0 is a variant of the NodeStealer infostealing malware, which was taken down by Meta in May 2023.
This is a post from HackRead.com Read the original post: NodeStealer 2.0 Poses as ‘Microsoft’ to Hack Facebook and Browser Data

**IN SUMMARY**

1.  **Palo Alto Networks’ Unit 42 identified and reported NodeStealer 2.0.**
2.  **The Python-based malware steals crypto, Facebook and browser data.**
3.  **It spreads through phishing, masquerading as advertising opportunities.**
4.  **NodeStealer 2.0 campaign originated in Vietnam.**

Phishing scams targeting Facebook business accounts to conduct advertising frauds or account takeovers are on the rise, which is a concerning trend. Recently Hackread published MalwareBytes’ Jerome Segura’s **research** on fake Meta ad managers and Chrome extensions allowing attackers to lure business account holders into making ad investments to increase sales revenues.

Now Palo Alto Networks’ Unit 42 researchers have **shared** details of a new phishing attack distributing a brand-new version of a deadly information stealer NodeStealer. This new version is dubbed NodeStealer 2.0, which also targets Facebook business accounts. Researchers believe this trend of targeting Facebook business accounts started in July 2022 with the emergence of the **Ducktail infostealer**. 

NodeStealer malware was detected and taken down by Meta in May 2023. It could steal browser cookies to hijack Facebook business accounts, commendably perform ad frauds, steal account credentials and download additional payloads, etc.

In this campaign, the attack chain starts with a phishing lure, for instance, offering tools like spreadsheet templates for businesses. Previously, we have seen **ChatGPT-inspired scams** offering malicious extensions to business account users. 

NodeStealer 2.0r is similar to its predecessor, using phishing tactics to lure users and distributing malware-infected executable files in the guise of advertising opportunities. Victims are lured into downloading a .ZIP file from reputable Cloud file storage providers to gain their trust, but they get their devices infected.

Screenshot of a Facebook phishing scam tricking users into downloading .ZIP file (Screenshot: Palo Alto Networks’ Unit 42)

According to Unit 42’s **report**, NodeStealer 2.0 has additional features such as downloader and cryptocurrency stealing capabilities and a complete takeover of Facebook business accounts. The first attack in which NodeStealer 2.0 was used was discovered in December 2022, mainly targeting Facebook pages.

It is worth noting that both versions (named by Unit 42 as Variant 1 and Variant 2) are written in Python language. NodeStealer 2.0 posed as Microsoft Corporation and can steal emails, Facebook accounts, and even boasts anti-analysis features.

> The second variant of the infostealer in the campaign was internally named MicrosofOffice.exe and was compiled with Nuitka, the same as the first variant. Unlike the first variant, it does not generate a lot of activity visible to the unsuspecting user. For this variant, the threat actor used the product name “Microsoft Coporation” (originally misspelled by the malware authors).
> 
> Lior Rochberger – Palo Alto Networks’ Unit 42

NodeStealer 2.0 campaign originated in Vietnam, and as per researchers, it is no more active. The Vietnamese link was identified because previous campaigns involving **Ducktail and NodeStealer** were launched by threat actors based in Vietnam. 

Malware seen stealing passwords from a targeted browse (Screenshot: Palo Alto Networks’ Unit 42)

However, it could be part of a larger campaign where attackers are using different methods to target Facebook business account holders for monetary gains. NodeStealer 2.0 seems a continuation of the same agenda, which can cause huge financial losses for organizations, and users get exposed to additional threats due to credential leaks, apart from reputational damage.

Visit this link to check out the **indicators of compromise**. This is becoming a raging threat; therefore, organizations and Facebook business account holders must remain cautious while downloading executables. Using strong passwords with MFA and training employees to detect phishing lures can prove crucial in safeguarding your privacy and data on social media.

**RELATED ARTICLES**

1.  Fake ChatGPT Extension Hijacks Facebook Accounts
2.  Phishers Now Actively Automating Scams with Telegram
3.  Alert: Scammers Pose as ChatGPT in New Phishing Scam
4.  Fake ChatGPT, AI pages on Facebook spread infostealers
5.  Fake Facebook Profiles, Google Ads Pushing Sys01 Stealer

NodeStealer 2.0 Poses as ‘Microsoft’ to Hack Facebook and Browser Data

By Owais Sultan
London, England, August 2, 2023 – Open Campus, a leading educational technology protocol, has announced an exciting new…
This is a post from HackRead.com Read the original post: Care Bears and Open Campus Launch Educational Games on Climate Change

London, England, August 2, 2023 – Open Campus, a leading educational technology protocol, has announced an exciting new collaboration with Cloudco Entertainment’s Care Bears to develop educational games for children centered around the topic of Climate Change.

This partnership will leverage the platform TinyTap, known for creating and sharing educational games, to impart the Care Bears’ messages of sharing, caring, friendship, and courage to young learners, inspiring them to take care of the planet.

Through this joint effort, Open Campus will utilize the Care Bears‘ intellectual property to design educational games aimed at teaching children about environmental conservation and ways to protect the planet. These games will engage children in interactive and enjoyable learning experiences while imparting essential lessons on sustainability and the environment.

The partnership will also explore the application of non-fungible tokens (NFTs) to enhance the educational experience. This includes Publisher NFTs from Open Campus’ content tokenization engine, as well as a collection of co-branded digital collectables, to delight Care Bears fans and collectors. This innovative approach opens up exciting opportunities to engage children in learning about critical topics like climate change.

Yogev Shelly, CEO of TinyTap and Council Member of Open Campus, expressed excitement about the partnership, stating, “We are thrilled to partner with Care Bears to create innovative educational content that helps children learn about the environment and climate change.

By combining the power of TinyTap with the iconic and beloved characters of the Care Bears franchise, we believe we can create games that are not only fun and engaging but also teach important lessons about sustainability and the environment.”

Robert Prinzo, Head of Licensing at Cloudco Entertainment, added, “We couldn’t be more excited to collaborate with TinyTap on this educational venture. The Care Bears have always been committed to sharing messages of sharing, caring, friendship, and courage with their fans.

Partnering with TinyTap allows us to extend that mission into the digital world, using interactive games and content to teach valuable lessons about sustainability, the environment, and more. Together, we aim to inspire and empower young minds to make a positive impact on the world around them.”

The educational games will be available on the TinyTap platform in the coming months, and the partnership will continue exploring ways to enhance the learning experience for children.

1.  The Most In-Demand Freelance Skills for 2023
2.  Teach Your Child Coding: A Gift for Their Digital Future
3.  How Technology Has Altered the Education Landscape
4.  Develop Complex Marketing Operations with “No Code” Tools
5.  Top 10 Android Educational Apps That Collect Most User Data?

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Care Bears and Open Campus Launch Educational Games on Climate Change

By Waqas
Cado Security Labs' 2023 Cloud Threat Findings Report dives deep into the world of cybercrime, cyberattacks, and vulnerabilities.
This is a post from HackRead.com Read the original post: SSH Remains Most Targeted Service in Cado’s Cloud Threat Report

**IN SUMMARY**

1.  **Botnet agents dominate the malware landscape, comprising 40.3% of all traffic.**
2.  **SSH remains the most targeted service, representing 68.2% of observed samples.**
3.  **A staggering 97.5% of threat actors target vulnerabilities in a single specific service.**

Cado Security, a pioneer in cloud forensics and incident response solutions, has released the much-anticipated Cado Security Labs 2023 Cloud Threat Findings Report. The report uncovers groundbreaking insights into the evolving cloud threat landscape, highlighting the escalating risk of cyberattacks in the wake of widespread cloud service adoption.

Headed by Chris Doman, CTO, and Co-Founder, of Cado Security Labs; their discoveries have exposed novel cloud-based malware and threat techniques, including the infamous Denonia, the first-known malware designed explicitly for AWS Lambda environments.

The report, which the company shared with Hackread.com, is crucial since Cado Security Labs employs honeypot infrastructure to capture real-time cloud attacker telemetry, providing timely insights into emerging attack patterns, and swiftly disseminating crucial findings throughout the security community.

As cloud technologies continue to shape the modern business landscape, organizations must grasp the depth of emerging cloud threats. Cado’s report arms the security community with the knowledge required to counter these latest threats effectively.

According to Cado’s press release, key findings from the report are as follows:

1.  Botnet agents dominate the malware landscape, comprising 40.3% of all traffic, playing a significant role in the Russia-Ukraine war’s hacktivist-driven DDoS attacks.
2.  SSH (Secure Shell Protocol) remains the most targeted service, representing 68.2% of observed samples. Redis follows at 27.6%, while the exploitation of Log4Shell vulnerability declines to a mere 4.3%.
3.  A staggering 97.5% of opportunistic threat actors target vulnerabilities in a single specific service, suggesting attackers focus on exploiting known weaknesses.

It is worth noting that last month, Nokia also released its Threat Intelligence Report for 2023. In this report, the company issued a warning about the increasing threat of DDoS attacks powered by IoT botnets, specifically targeting global Telecom networks.

Moreover, the report highlighted a concerning surge in malicious activity that was initially observed during the Russia-Ukraine conflict but has now spread to various regions worldwide.

Looking ahead, Cado Security Labs predicts an increase in serverless function attacks, non-Windows ransomware developments by ransomware groups, and the continuous exploitation of cloud services for phishing and spam campaigns.

To mitigate these impending threats, Cado Security experts advise organizations to comprehend the AWS shared responsibility model, restrict access to critical evidence, minimize exposure of services like Docker and Redis, scrutinize public repositories for cloud credentials, and implement the principle of least privilege.

Nevertheless, in an ever-evolving cyber threat landscape, the insights from the Cado Security Labs 2023 Cloud Threat Report are crucial for organizations seeking to strengthen their defences against constantly advancing cloud-focused threats.

1.  Microsoft the Most Phished Brand in Q2 2023 Report
2.  US, India China Most Targeted in DDoS Attacks, Report
3.  VirusTotal: Apps Most Exploited by Hackers to Spread Malware
4.  Russian Dark Net Markets Dominate Global Drug Trade: Report
5.  Submarine Cables Face Massive Cybersecurity Threats, Report
6.  MS Office Most Exploited Software in Malware Attacks – Report
7.  Google, Microsoft, Oracle generated most vulnerabilities in 2021

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

SSH Remains Most Targeted Service in Cado’s Cloud Threat Report

By Deeba Ahmed
Cloudzy is registered in the United States, and its CEO is an Iranian national.
This is a post from HackRead.com Read the original post: Cloud Service Provider Cloudzy Accused of Aiding Ransomware and APTs

**In Summary**

1.  **Report by Halcyon, a Texas-based cybersecurity startup.**
2.  **Cloudzy is registered in the USA but based in Iran.**
3.  **Cloudzy is suspected of providing C&C services to govt hacking groups.**
4.  **CEO Hannan Nozari denies services to cybercriminals.**

The cybersecurity researchers at Halcyon claim that Cloudzy, a cloud service provider, is actively involved in providing command-and-control services to more than 20 hacking groups.

These groups encompass spyware and ransomware operators, as well as state-backed APT groups. Shockingly, approximately 40% – 60% of Cloudzy’s activities are deemed “malicious in nature,” involving activities such as espionage and extortion against its victims.

**The Cloudzy Saga**

Cybersecurity startup Halcyon researchers discovered that an Iranian-run ISP has been “unwittingly” supporting the “ransomware economy” and miscellaneous attack operations by providing C2P (Command-and-Control Providers) services to threat actors.

> Halcyon researchers suggest there is yet another player that is, perhaps unwittingly, supporting the booming ransomware economy and other attack operations: the Command-and-Control Providers (C2P) who sell services to threat actors while assuming a legal business profile.
> 
> Halcyon

Researchers suspect that the company, identified as Cloudzy (formally RouterHosting), sells services to state-sponsored APT (advanced persistent threat) actors and cybercriminals/hackers while keeping a “legal business profile.”

In a research report (PDF) published on August 1st, the Halcyon Research team wrote that Cloudzy is registered in the USA, but it operates from outside of Tehran, Iran, and has virtually no presence in the USA.

An individual identified as Hannan Nozari runs this company, allegedly the founder of another Iranian firm abrNOC. This is based on the finding that eight individuals employed by Cloudzy in Iran also work for abrNOC.

“Halcyon therefore assessed with high confidence that C2P Cloudzy is almost certainly a cutout for the actual hosting company, abrNOC, operating out of Tehran, Iran,” researchers confirmed.

**Cloudzy Supporting Nation-State Actors**

Halcyon researchers conducted a thorough assessment of Cloudzy’s activities over a three-month period before releasing their report. According to their analysis, Cloudzy not only provided command-and-control (C2P) services to threat actors worldwide, disguising them as anonymity-based services, but it also demonstrated an alarming lack of response when informed about malicious activities.

This lack of response strongly suggests that Cloudzy was actively aiding threat actors. Even more concerning is the discovery that its attack infrastructure was closely tied to government-backed hacking groups from various countries, including the following:

*   Iran
*   India
*   China
*   Russia
*   Vietnam
*   Pakistan
*   North Korea

In addition to its government ties, Cloudzy was found to have links with sanctioned spyware vendors, including the Israeli spyware vendor Candiru, who came to the limelight last year for using Chrome 0-day to target journalists.

Cloudzy allegedly also provided its services to infamous ransomware gangs such as Ghost Clown and Space Kook. Notorious cybercriminals were also found to be connected to the service.

Complete list of APT groups that Cloudzy is allegedly providing services to (Screenshot credit: Halcyon )

**Halcyon Shares Shocking Evidence Against Cloudzy**

In its report, Halcyon provided hard facts against Cloudzy. For instance, researchers noted that the company never verified its customers’ identities and got registered with just a working email address. Over half of its hosted servers were discovered supporting malicious activities directly on infrastructure loaned from a dozen different ISPs. 

Moreover, it accepts cryptocurrency payments from users wanting to anonymously use its Remote Desktop Protocol (RDP) Virtual Private Server (VPS) services. Its T&C policy prohibits it from getting involved in illegal activities, but the ISP services provider has allowed abusers to continue operations for a nominal fee.

**Cloudzy’s Response**

Cloudzy’s CEO Nozari has refuted Halcyon’s claims, stating that only 2% of its clients were malicious and that the company cannot be held responsible for having such clients. Talking to Reuters, Nozari explained that he is doing everything to get rid of such clients, but the firm should not be blamed if its services are being abused.

“If you are a knife factory, are you responsible if someone misuses the knife?” the CEO explained his stance in a LinkedIn exchange.

Nozari also explained that his company was registered in the US state of Wyoming because a US domicile is required to register IP addresses in America.

However, Halcyon executive Ryan Golden refuses to back down, claiming that his researchers tracked Cloudzy’s digital footprints by renting its servers and examining the social media pages of its employees before publishing the report.

Cybersecurity firm CrowdStrike stated that it never observed any state-sponsored actor using Cloudzy, but many other cybercriminals use it, and its operational base is definitely unclear.

**RELATED ARTICLES**

1.  Feds seize VPN service used by hackers in cyber attacks
2.  Free VPN Service SuperVPN Exposes 360 Million User Records
3.  Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps
4.  US Warns Firms About North Korean Hackers Posing as IT Workers
5.  Microsoft-Signed Drivers Helped Hackers Breach System Defenses

Cloud Service Provider Cloudzy Accused of Aiding Ransomware and APTs

By Habiba Rashid
In its recent attack campaign, SpyNote Spyware is sending victims fake SMS messages urging them to install a new certified banking app.
This is a post from HackRead.com Read the original post: SpyNote Spyware Returns with SMS Phishing Against Banking Customers

**IN SUMMARY**

1.  **SpyNote spyware has been active since 2016, with a primary focus on targeting the banking sector.**
2.  **The latest campaign involves an extensive targeting of banks in Europe by the SpyNote spyware.**
3.  **SpyNote’s modus operandi involves sending fake SMS messages to victims, commonly known as smishing.**

The cybersecurity firm Cleafy Threat Intelligence Team has revealed alarming findings about the Android spyware known as SpyNote, which has been increasingly targeting European financial institutions.

According to Cleafy’s report, over the past few months, an aggressive campaign utilizing SpyNote has been observed, posing significant threats to the security of bank customers. This malware exploits various techniques, including social engineering attacks and Accessibility services, to carry out bank fraud with ease.

The modus operandi of this spyware starts with a deceptive smishing campaign, where potential victims receive fake SMS messages urging them to install a “new certified banking app.” Subsequently, users are redirected to what appears to be a legitimate TeamViewer app but this is, in reality, the initial step to grant remote access to the victim’s device.

One of the fake text messages used against Italian customers – Clicking on (bit.ly/SupportoRemoto) is still redirecting victims to TeamViewer QuickSupport app on Google Play Store. (Screenshot: Cleafy)

**Key Features of SpyNote:**

1.  **Keylogger**: Once granted Accessibility permissions, SpyNote can automatically accept other permission popups, perform keylogging activities, and collect sensitive information such as installed applications, app properties, and user inputs.
2.  **SMS Collection & 2FA Bypass**: SpyNote intercepts SMS messages, including two-factor authentication (2FA) codes, and transmits them to the attackers’ command-and-control (C2) server, bypassing the security measures implemented by financial institutions.
3.  **C2 Communications**: The spyware communicates with its C2 server via socket communication, employing various uncommon ports to avoid detection. Data exchanged between SpyNote and the server are packaged with a custom scheme, making it challenging to identify and block.
4.  **Screen Recording and Defense Evasion**: SpyNote can capture the device’s screen content using Media Projection APIs, granting attackers comprehensive control and access to critical information. The malware also employs obfuscation, anti-emulator controls, and hidden application icons to evade detection and analysis.

However, this is not the first time that SpyNote has been highlighted in a spyware campaign. Active since 2016, the spyware has been behind countless campaigns targeting various institutions. In 2017, SpyNote RAT was found on fake Android apps masquerading as Netflix, WhatsApp and Facebook.

**RELATED ARTICLES**

1.  Advanced Vishing Attack “LetsCall” Targets Andriod Users
2.  FakeTrade Android Malware Attack Steals Crypto Wallet Data
3.  Triada Malware Infects Android Devices via Fake Telegram App
4.  Global Android Malware Attack Imitates VPN and Security Apps
5.  Popular Android Screen Recorder iRecorder App Exposed as Trojan

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

SpyNote Spyware Returns with SMS Phishing Against Banking Customers

By Deeba Ahmed
Industrial organizations in Eastern Europe are the prime targets of this data-harvesting campaign.
This is a post from HackRead.com Read the original post: Chinese APT Group Hits Air-Gapped Systems in Europe with Malware

**IN SUMMARY**

1.  **Cybersecurity researchers at Kaspersky Labs identified the malware.**
2.  **The malware used by APT31 targets European industrial control systems.**
3.  **The Chinese APT31 group is also known as Zirconium and Judgment Panda).**

In its latest research report published on July 31, 2023, Kaspersky ICS CERT shared exclusive details of a new threat trend gaining momentum and targeting air-gapped ICS systems.

Researchers at Kaspersky noted that attackers are using second-stage malware after first-stage implants to remotely access crucial industrial control systems (ICS) systems and extract data from them in this campaign. Later, the malware allows third-stage tools to invade the device and transmit data.

The attack should not come as a surprise due to recent reports exposing the activities of Chinese Group Storm-0558. These reports revealed the group’s successful hacking of email accounts belonging to European government officials.

Additionally, there was another report indicating the Chinese APT group’s targeting of European embassies using the SmugX malware. Moreover, just last month, it was reported that Chinese espionage malware was used to target European healthcare systems, utilizing malicious USB drives as a vector of attack. These alarming incidents highlight the need for heightened cybersecurity measures and vigilance in countering such threats.

Reportedly, Kaspersky ICS CERT researchers were investigating a string of cyberattacks targeted against critical infrastructure in Eastern Europe when they discovered second-stage malware capable of evading data security measures typically protecting air-gapped systems.

Researchers believe that through using this novel malware, threat actors are trying to establish a permanent presence on the ICS systems to keep exfiltrating sensitive data stored on these systems.

Further investigation revealed signs indicating the involvement of Chinese state-backed APT31 (aka Zirconium and Judgment Panda), even though the perpetrators had used advanced TTPs to obfuscate their actions.

For instance, they used encrypted payloads, DLL hijacking, injected payloads in legit processes, and embedded malware in authorized apps’ memory to evade detection. These steps highlight the “sophistication of their tactics,” explained Kaspersky ICS CERT’s senior security researcher Krill Kruglov.

For your information, second-stage malware is far more complex and harder to detect than single-stage as it involves two steps to perform its malicious tasks. It is typically disguised as a legit program and can bypass advanced antivirus solutions. 

During their research, the Kaspersky threat intelligence team also identified over fifteen distinct implants, along with several variants, which they divided into three categories. Two of these implants loaded the second-stage malware, one of which is a modular malware that can profile and contaminate removable drives with a worm. It can steal data from air-gapped/isolated ICS networks.

This malware contains three modules, each performing different tasks. For instance, it uses separate tools for profiling/handling removable drives, capturing screenshots, and planting second-stage malware on all connected devices. The second implant can steal data from local computers and transmit it to Dropbox through third-stage tools.

The attack starts with invading the ICS network, for which APT31 uses already known remote access and data collection tools. Once infiltrated, the attackers deploy an advanced modular malware to contaminate the storage devices, and afterwards, data exfiltration commences.

The third and final stage of the attack chain entails exfiltrating data using a range of tools and uploading it on a C2 server. This operation has been planned meticulously, considering that the threat actor uses multiple attack tactics to ensure persistence without getting detected.

This is a developing story, as Kruglov states that this is an ongoing research. Hackread will update its readers as soon as there is any update. Meanwhile, industrial organizations are urged to upgrade their cybersecurity defences, keep enterprise OT network components updated, limit the use of privileged accounts, and exercise caution to prevent the threat.

> “As the investigation continues, remain resolute in its dedication to safeguarding against targeted cyber-attacks and collaborating with the cybersecurity community to disseminate actionable intelligence.”
> 
> Krill Kruglov

**RELATED ARTICLES**

1.  Stealing data from air-gapped PC by turning RAM into WiFi Card
2.  New malware tool can steal files from airgapped PCs using USBs
3.  China-Linked Spyware in Google Play Store Apps, 2m Downloads
4.  Hackers Can Now Steal Data from Air-Gapped PCs via SATA Cables
5.  Malware can extract data from air-gapped PC through power supply
6.  ETHERLED & GAIROSCOPE attacks – Data stealing from air-gapped PC

Source

HackRead