By Owais Sultan
Remediation following ransomware is a long process during which companies have to do to protect their assets and…
This is a post from HackRead.com Read the original post: How to Recover From a Ransomware Attack

The results of a ransomware attack are different for every organization. You might have paid the ransom and the hackers came through with their end of the deal, i.e. gave you the key to your files. In other scenarios, you might have paid, and data has remained in the hacker’s hands.

If you’ve involved the authorities that used the encrypting device to recover the data, you might have gotten access to your files back without paying the ransom. Regardless of how you initially handled the situation, what follows is the period of remediation.

The recovery period following a cyberattack is the most damaging time for affected organizations. It has been known to drain the finances of companies completely. Also, it causes irreversible damage to the reputation of companies that disclosed the breach to the public.

For ransomware, it’s estimated that it takes between a week and a month to fully recover. Even if your important files are encrypted for just two days, it’s estimated that the downtime will last between 15 and 22 days. 

Downtime considers the time it takes for businesses to get back to 100 percent after the attack interrupts their workflow. Remediation time is crucial because it determines whether your company can get back on its feet — this time preferably stronger and better protected from possible ransomware.

How do you prevent further attacks and strengthen your security?

**Analyze the Documentation of the Attack**

Depending on how you handle the security of your company, your team might have had to remove the malware manually from devices. Alternatively, you may have the tools that decrypt data and remove the malware.

In both cases, you’re left with the forensic report of the incident. During the analysis, find out:

*   How many devices have been encrypted?
*   How did your IT team handle the attack?
*   How long have your files been encrypted?
*   How did the ransomware enter your network?
*   How did the malware bypass the anti-malware software you had?

The analysis of the documents that depict the attack will leave you with an overview of your system. It’ll give you a clear image of what you must work on to strengthen your security, as well as what the most vulnerable parts of your network might be.

**Patch Up Flaws in the System**

If there are any vulnerabilities in your network, they can lead to repeated ransomware attacks. Threat actors might be the same, or new hackers might be going after your organization.

To weed out the flaws in your system, consider how the malware entered your system. Ransomware can get into your system via a phishing email infected with malware that encrypts data.

Another common route for the virus to breach your system is via websites that contain a virus. Therefore, vulnerable parts of your cybersecurity posture could be your employees that need more training. Educate your employees on the protocols and basic cybersecurity hygiene.

That can prevent simple errors such as weak passwords, opening emails from unknown senders, and downloading infected attachments.

**Getting Your Business Ready for Ransomware**

Some actions you can take to protect yourself from possible ransomware include:

*   Backing up important data
*   Preparing the tools that can remove malware
*   Training your employees, deciding on protocols early

Invest in software that can detect malware and remove it from your system even before it can turn into an incident and encrypt your files.

Hackers fundamentally rely on human mistakes and members of your team that may not be familiar with cybersecurity issues or aren’t tech-savvy. They are the ones that might click on a link that leads to malware-infected websites.

Determine how your teams should handle the attack before they occur. How should they mitigate the attack? Does your organization need to report the incident and notify the public? Those are some of the answers you need in advance.

Back up your data in isolated places so that you can reach them even if hackers manage to conduct one more attack. Otherwise, ransomware can disrupt your workflow and set you back by blocking the access to files you need to run your company.

**Monitor the Network to Discover New Ransomware Attempts**

After the vulnerable parts of your system have been patched up, and you’ve set it up to be bulletproof in case of further attacks, it’s necessary to continually scan the system.

Even if you paid the ransom, there is no guarantee that you won’t be the repeated target of these attacks.

Your system is continually changing — sometimes within minutes. Those alterations can result in new flaws that can leave your organization vulnerable to repeated ransomware.

**How Long Until Everything Returns to Normal?**

Ransomware is a major setback for businesses. How long might it take them to recover after the ransomware? That depends on whether they have been preparing for such incidents and how many files have been decrypted.

Did they have the measures, tools, and protocols that govern what to do in case of such an incident?

For companies that were prepared, but hackers still managed to discover a vulnerability and install malware, the best-case scenario would be that their systems are down for two days.

Unprepared businesses can deal with the consequences of ransomware for months to come.

Some businesses never recover after a cyberattack. They may not have the finances to remedy the flaws in the system following the breach.

The extent to which devices have been hit by ransomware also matters. You might have lost the vital files that haven’t been recovered. In other cases, some of your information might have been leaked to the public.

**Hope For the Best, Prepare for the Worst**

A successful ransomware attack can leave IT teams and business owners with a lot of anxiety. 

The best you can do is to patch up flaws to prevent further attacks and get ready for a repeated attack.

Therefore, have the security solutions and protocols ready, employees trained, and continually scan the network to discover signs of the ransomware early.

**More Ransomware Topics**

*   Ransomware Attacks: Everything You Need to Know
*   US Military’s Hacking Unit to take on ransomware gangs
*   How To Prevent Growing Issue of Encryption Based Malware (Ransomware)
*   52 Critical Infrastructure Orgs Hit by Ragnar Locker Ransomware Gang – FBI
*   PoC Shows IoT Devices Can Be Hacked to Install Ransomware on OT Networks

How to Recover From a Ransomware Attack

By Deeba Ahmed
According to a Mandiant representative, the company was aware of LockBit 2.0 claims, but there was no evidence of…
This is a post from HackRead.com Read the original post: Cyber Security Giant Mandiant Denies Hacking Claims By LockBit Ransomware

****According to a Mandiant representative, the company was aware of LockBit 2.0 claims, but there was no evidence of a cyberattack as yet.****

The infamous ransomware-as-a-service group using a variant of LockBit ransomware (LockBit 2.0) has claimed to have successfully hacked Mandiant cybersecurity firm and threatened to release company files. 

The ransomware gang was first seen in September 2019 as ABCD ransomware and has since targeted thousands of organizations worldwide. In its latest attack, the LockBit ransomware gang claimed that it would release Mandiant data on its Dark Web portal.

The group further claimed that they have stolen 356,841 files from Mandiant, which they intend to leak online. For your information, LockBit 2.0 has hit many high-profile entities in the past including the following:

*   Bangkok Airways
*   Crypto exchange PayBito,
*   The French Ministry of Justice
*   Global systems integrator Accenture

**No Evidence of Hacking- Mandiant**

According to a Mandiant representative, the company was aware of LockBit 2.0 claims, but there was no evidence of a cyberattack as yet. After LockBit 2.0 posted its second threat message late Monday, the company released a statement.

In response, the company rep stated that there’s no indication that Mandiant’s security was compromised. Moreover, they noted that the gang could be trying to “disprove Mandiant’s June 2nd, 2022 research blog on UNC2165 and LockBit.”

**The Bone of Contention**

The group has reportedly reacted to Mandiant’s report (published on June 2nd, 2022) in which the company claimed that the off-the-shelf ransomware LockBit 2.0 was in use by the Russian Evil Corp affiliates dubbed UNC2165 to evade sanctions.

This group was sanctioned by the U.S. Treasury Department‘s Office of Foreign Assets Control (OFAC) in 2019. However, LockBit 2.0’s website displayed a note posted by the group claiming that they didn’t have any affiliation with Evil Corp and rejected Mandiant’s claims in the report.

> “Our group has nothing to do with Evil Corp. We are real underground darknet hackers, we have nothing to do with politics or special services like FSB, FBI, and so on.”
> 
> LockBit 2.0

As seen by Hackraed.com, the gang has released a note maintaining its claims of attack on Mandiant and addressing the company’s report published last week.

Screenshot from LockBit gang’s dark web site (Image: Hackread.com)

Lockbit ransomware group’s response to Mandiant’s blog post

As per Emsisoft threat analyst Brett Callow, this group has previously made several false claims. In some cases, the group claimed to steal data from different firms, so it is “entirely possible” that the claims made by LockBit 2.0 have no substance.

The timing of the disclosure of this attack on Mandiant is unusual as it comes when the RSA cybersecurity conference has just started, and Mandiant is to be acquired by Google in a whopping $5.4 billion deal.

**More Ransomware News**

1.  Ransomware Attacks: Everything You Need to Know
2.  Conti Ransomware Gang Hits German Wind Turbine Giant Nordex
3.  GoodWill Ransomware demands food for the poor to decrypt locked files
4.  Cardiologist Charged for Developing Jigsaw v.2 and Thanos Ransomware
5.  PoC Shows IoT Devices Can Be Hacked to Install Ransomware on OT Network

Cyber Security Giant Mandiant Denies Hacking Claims By LockBit Ransomware

By Owais Sultan
Let’s talk about how AI in cybersecurity protects the corporate networks of companies. Technological progress has not only…
This is a post from HackRead.com Read the original post: How to use AI in cybersecurity?

****Let’s talk about how AI in cybersecurity protects the corporate networks of companies.****

Technological progress has not only pleasing but also bad consequences. Together with the accelerated pace of corporate security systems development, new and more sophisticated types of cyber-attacks are emerging.

According to the World Economic Forum, the protection measures taken by enterprises become outdated instantly. Over the previous year, the number of attacks increased by 30%, and this alarming trend continues.

The market is short of about 2.72 million cybersecurity professionals to deal with the growing number of threats. This is where artificial intelligence can help businesses. Let’s talk about six AI use cases in cybersecurity.

**Statistics on AI use in cybersecurity**

Researchers contributing to the 2022 Cybersecurity Almanac predict that spending on fighting cybercrimes will rise to $10.5 trillion. This is three times more than in 2015 ($3 trillion). Given the fact that the amount of global data is growing, it becomes more difficult to track and prevent vulnerabilities.

For example, 80% of telecommunications organizations are confident that they will not be able to respond to cyber-attacks without AI. The professional sector is a target for cyber villains (934 incidents were recorded in 2020). The public sector, manufacturing, and healthcare suffer from cyberattacks.

In 2020, AI in cybersecurity was worth more than $10 billion, and by 2027, the price will increase by almost 4.5 times. IBM estimates that companies that lack AI spend three times as much to mitigate cyberattacks as companies with deployed automated tracking systems.

Nearly half of the managers surveyed by Capgemini say they use a smart algorithm to detect cyber threats. With its help, 34% of these professionals predict attacks and 18% respond to incidents.

Based on the above trends, Meticulous Research says that AI in cybersecurity will grow by 24% per year to reach $46 billion by 2027.

**Six main AI use cases in cybersecurity**

Imagine a campus that consists of several buildings. Getting inside is not difficult, because it is impossible to put a guard at each door. This is where AI helps: cameras read the faces of visitors and find those who “sit on someone’s tail” following employees with passes to enter buildings. This may be a worker who was too lazy to show a pass or a scammer.

The larger the office, the higher the risk of intrusion, and the more useful AI systems for face recognition are. In a video, an algorithm singles out people who violate the security policy. An image of a person’s face is compared with the database of staff members’ photographs; thus, the system defines if it is an employee or a stranger who decided to illegally enter the office.

If we consider the use of AI in a corporate network or on the Internet, we can talk about six main options for using a smart algorithm.

*   **Detection of malicious code and malicious activity in corporate networks**

AI automatically classifies domains by analyzing DNS traffic to identify C&C, malicious, spam, phishing and clone domains, and so on. Previously, to manage this environment, it was enough to have good blacklists. They coped with their task albeit with regular updates and with large volumes.

Today, domains are created in 1-2 minutes, used no more than 2-3 times within half an hour, and then criminals switch to other domains. To track them, blacklisting is not enough: you need to use AI technology. A smart algorithm learns to detect such domains and block them immediately.

*   **Encrypted traffic analysis**

According to Cisco, more than 80% of Internet traffic is encrypted. It needs to be analyzed. You can apply the “government man in the middle” scheme or use AI technology, which, without encryption and decryption, allows you to identify the following issues by metadata and network packets and without analyzing the payload:

*   Malicious code; 
*   Malware family;
*   Applications that are used;
*   Devices that work within the framework of an encrypted TLS session or SSL of one version or another.

These are technologies that work in practice and allow you to understand what is happening inside the encrypted traffic the volume of which is growing. And you needn’t invest much in it.  

*   **Detection of fake photos and substituted pictures.**

An algorithm recognizes whether the face of a person in the photo has been replaced with someone else’s picture. This feature is particularly useful for remote biometric authentication in financial services. It prevents scammers from creating fake photos or videos and presenting themselves as legal citizens who could be granted a loan. Thus, they won’t steal the money of others. 

*   **Recognition of voice, language, and speech.**

This AI feature is used to detect information leaks and read unstructured information in non-machine readable formats. This information enriches the data from firewalls, gateways, proxy systems, and other technical solutions that provide structured data.

Thus, you will know who and when accessed the Internet and whether they used corporate or departmental networks. AI helps enrich this information with data from news, company newsletters, and so on.

*   **Providing recommendations**

Based on statistics, AI makes recommendations on what protection tools to use or what settings need to be changed to automatically increase the security of a corporate network. For example, the Massachusetts Institute of Technology has created AI2, a system that detects unknown threats with a probability of up to 85%.

The more analyses the system performs, the more accurately it gives the next estimate due to the feedback mechanism. Moreover, a smart algorithm does this on such a scale and at such a speed that human defenders would not be able to handle.

*   **Automation of software vulnerability search**

A vulnerability is a bug in a program that allows someone to benefit from it (for example, extract data for sale, transfer money, steal private data from a phone, and so on). Thanks to AI, it has become possible to search for such errors automatically.

AI looks for vulnerabilities in a program and examines the application interface. If it finds ransomware on a computer, it immediately disconnects its user from the network, thereby saving the rest of the company from dangerous infection.

**Conclusion**

AI in cybersecurity has great prospects. But it must be handled reasonably, like any other technology. It is not a silver bullet and having even the most advanced technology does not mean 100% protection. AI will not save you from serious attacks caused by neglecting basic cybersecurity rules. A smart algorithm should be implemented if a clear ecosystem that can adapt to a changing corporate network has been built.

AI will be genuinely effective if it is developed, corrected, and tuned. This is time-consuming and difficult work, which will benefit if the technology is used carefully and not for the sake of being trendy.

**More AI Topics**

1.  Fields of application of artificial intelligence
2.  How Artificial intelligence (AI) Stops Cybercriminals
3.  ‘Optical Adversarial Attack’ uses a low-cost projector to trick AI
4.  Ways to Take Advantage of Artificial Intelligence in Technology
5.  Website uses Artificial Intelligence to create utterly realistic human faces

How to use AI in cybersecurity?

By Deeba Ahmed
The targeted website which belongs to the Russian Ministry of Construction, Housing, and Utilities, was also asked to…
This is a post from HackRead.com Read the original post: Russian Ministry Website Hacked to Display “Glory To Ukraine” Message

**The targeted website which belongs to the Russian Ministry of Construction, Housing, and Utilities, was also asked to pay a 0.5 BTC ransom to avoid the leak of stolen user data.**

Russian Ministry of Construction, Housing and Utilities’ website (minstroyrf.gov.ru) was hacked over the weekend. When searched on the internet, the site’s address led to a sign in the Ukrainian language that read- “Glory to Ukraine.”

The hackers also demanded ransom to prevent the leaking of personal data of the site users. According to RIA, a Russian state news outlet, a ministry representative confirmed that the site was offline, but user data wasn’t compromised. 

The Russian language message when translated to English via Google Translate states that: “Hacked by the DumpForums team. The entire database has been exported and will probably appear on our forum soon. Site administrators have until 06/07/2022 0:00 am to transfer exactly 0.5 BTC to this wallet: . Otherwise, all personal data of users of the Ministry of Construction of the Russian Federation, and possibly not only ;) will be made available to the public. (Credit: Hackread.com)

However, as seen by Hackread.com on Telegram, the group behind the hack going by the online handle of DumpForums is still claiming to have access to the ministry’s data. According to the hackers, the website uses Bitrix Content Management System (CMS).

Furthermore, to prove their claim, the group also published a screenshot of data that they claimed belonged to the targeted ministry website and its registered users. The data included the following information:

*   Full name
*   Login name
*   Email address
*   Password (MD5 with salt) Hashes
*   Date of registration (from 08/14/2014 to 05/08/2022)

At the time of publishing this article, the ministry website was offline. This, however, isn’t the first time a Russian government institution or organization has been targeted. In the months following the Russian invasion of Ukraine in late February 2022, Anonymous hacktivists have hacked several high-profile Russian websites, TV stations’ live broadcasts, and entities.

These include Russia’s state-owned news agency TASS, St. Petersburg-based news outlet Fontanka, and daily newspaper Kommersant, while some television channels impacted by the cyberwar waged against Russia include Channel One, NTV-Plus, and Rossiya-1. Hackers also targeted the Russian video hosting platform RuTube, which went offline for three days.

1.  DDoS Attacks by Hacktivists Disrupted Russian Alcohol Supply Chain
2.  Anonymous sent 7 million texts to Russians & hacked their security cams
3.  Russian TV Schedules Hacked on Victory Day to Show Anti-War Messages
4.  Confirmed: Anonymous Hacks Central Bank of Russia; Leaks 28GB of Data
5.  Anonymous & its affiliates hacked 90% of Russian misconfigured databases

Russian Ministry Website Hacked to Display “Glory To Ukraine” Message

By Waqas
Rustam Kurmaev and Partners work with the Russian government and other high-profile banking, media, oil, and industrial companies,…
This is a post from HackRead.com Read the original post: Anonymous Hacktivists Leak 1TB of Top Russian Law Firm Data

**Rustam Kurmaev and Partners work with the Russian government and other high-profile banking, media, oil, and industrial companies, including American firms.**

The Anonymous hacktivists collective has struck Russia again by leaking approximately 1TB of data from a leading Russian law firm identified as Rustam Kurmaev and Partners (RKP Law).

The news arrives just a day after the collective leaked hundreds of gigabytes of data from the servers of Russia’s largest media holdings with over 100 regional radio stations, Vyberi Radio.

It is worth noting that Anonymous waged a cyberwar against Russia in late February 2022 dubbed #OpRussia after the country invaded Ukrainian territories, referring it to “special military operation” to denazify and demilitarize Ukraine.

**Anonymous’ Announcement**

The hacktivists who go by the Twitter handle of @DepaixPorteur and @B00daMooda took to Twitter to announce the leaking of the data trove belonging to RKP Law. In one tweet, @DepaixPorteur stated that:

> We are Anonymous – We have hacked RKPLaw (rkplawru) and leaked 1TB of files, emails, court files, client files, backups, and more! They have a very large (455 clients) and an interesting client list which I will post in the comments.

Emma Best, a journalist, and co-founder of a non-profit whistleblower organization DDoSecretsDistributed Denial of Secrets, aka DDoSecrets, confirmed the leak. Best also announced that the enormous data dump is also available on DDoSecrets.

On the other hand, @YourAnonNews, and @YourAnonTV, two of the largest social media representatives of the Anonymous movement also tweeted about the data leak stating that:

“Once again, #Anonymous delivers Many thanks to @DepaixPorteur,” tweeted @YourAnonNews. “Just In: #Anonymous released a terabyte of data and emails from Rustam Kurmaev and Partners (RKP Law), a Russian law firm that works with major banking, media, oil, and industrial firms and state interests, including American companies. #OpRussia,” said @YourAnonTV.

**About RKP Law**

Rustam Kurmaev and Partners has been operating in Russia for over 20 years and represents around 500 clients, including the Volkswagen Group Russia, Ikea, Toyota, Jones Lang LaSalle, Mechel PJSC, ChTPZ PJSC, Abbott Laboratories, Baker Hughes, ING Bank, Yamaha Motor, Caterpillar, Panasonic, Mars, Gilette, 2×2 Channel, VimpelCom, Citibank, and Sberbank.

**Details of Leaked Data**

According to DDoSecrets, revealed that RKP Law was hacked by Anonymous affiliated B00da (@B00daMooda) and Porteur (@DepaixPorteur). The leak could be devastating for the company considering that it specializes in resolving real estate, construction, corporate, and commercial sector disputes.

Moreover, the law firm also resolves disputes regarding the criminal defense of business and creates a systematic defense strategy for corporate managers and top management in various stages of criminal proceedings. Furthermore, the company deals in anti-corruption law as well.

**More Anonymous Attacks on Russia**

1.  DDoS Attacks by Hacktivists Disrupted Russian Alcohol Supply Chain
2.  Anonymous sent 7 million texts to Russians & hacked their security cams
3.  Russian TV Schedules Hacked on Victory Day to Show Anti-War Messages
4.  Confirmed: Anonymous Hacks Central Bank of Russia; Leaks 28GB of Data
5.  Anonymous & its affiliates hacked 90% of Russian misconfigured databases

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Anonymous Hacktivists Leak 1TB of Top Russian Law Firm Data

By Waqas
Upon being alerted by security researcher Anurag Sen, the company rubbished the sensitivity of the matter by labeling…
This is a post from HackRead.com Read the original post: Scoop: Australian Trading Giant ACY Securities Exposed 60GB of User Data

**Upon being alerted by security researcher Anurag Sen, the company rubbished the sensitivity of the matter by labeling the exposed database as “an insignificant one.”**

Anurag Sen, a prominent IT security researcher has shared exclusive information with Hackread.com revealing that Sydney, Australia-based trading company ACY Securities (acy.com) exposed a massive trove of personal and financial data of unsuspected users and businesses online for public access.

**Another day, another misconfigured database**

It happened due to a misconfigured database owned by ACY Securities. The worse part of the data leak is the fact that it contained over 60GB worth of data that was left exposed without any security authentication. This means anyone with a slight bit of knowledge about finding unsecured databases on Shodan and other such platforms would have complete access to ACY’s data which contained logs from February 2020 while being updated with the latest data set every second.

As seen by Hackread.com, the exposed database hosted the following user data:

*   Full name
*   Postcode
*   Full address
*   Date of birth
*   Name of city
*   Gender details
*   Email address
*   Phone Number
*   Hashed password
*   Trading-related information like business details and more.

Screenshot of a US-based user (Image source: Hackread.com via Anurag Sen)

List of countries where most users and businesses were impacted:

*   India
*   China
*   Spain
*   Brazil
*   Russia
*   Australia
*   Romania
*   Malaysia
*   Indonesia
*   United States
*   United Kingdom
*   United Arab Emirates and many more.

**No Value to Sensitive Nature of Data**

Anurag told Hackread.com that he reached out to ACY multiple times last week with necessary proof however it took the company a couple of days to understand and address the issue. An ACY representative replied to the researcher by labeling the exposed server as an “insignificant one.”

> “They officially emailed me stating that ” Thank you for mentioning this, the below server is an insignificant one” – “I am really not happy with the reply. They are considering personal details of registered users including hashed password, email address, physical address, full name, and mobile number – insignificant.”
> 
> Anurag told Hackread.com

Nevertheless, at the time of publishing this article, the exposed database was secured and its IP addresses were no longer accessible to the public.

**Potential Dangers**

The severity of misconfigured and exposed databases can be quantified by the fact that earlier this year, Anonymous and its affiliate group of hackers compromised around 90% of Russian cloud databases that were exposed to the public without any security authentication or password.

In ACY’s case, considering the extent and nature of exposed data, the incident could have far-reaching implications. Such as bad actors could download the data and carry out identity theft, phishing scams, scam marketing campaigns, and microloans identity fraud.

**Misconfigured Databases – Threat to Privacy**

Misconfigured or unsecured databases, as we know it, have become a major privacy threat to companies and unsuspected users. In 2020, researchers identified over 10,000 unsecured databases that exposed more than ten billion (10,463,315,645) records to public access without any security authentication. In 2021, the number increased to 399,200 exposed databases.

**More Elasticsearch database Mess Ups**

1.  9,517 unsecured databases identified with 10 billion records globally
2.  New malware attack turns Elasticsearch databases into DDoS botnet
3.  Stripchat database mess up exposes 200M adult cam models, users’ data
4.  US and China Exposed Most Databases Among 308,000 Discovered in 2021
5.  Misconfigured ElasticSearch Servers Exposed 579GB of Users’ Website Activity

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Scoop: Australian Trading Giant ACY Securities Exposed 60GB of User Data

By Owais Sultan
In this digital era, online threats are booming as much as the internet user base. Sometimes, malware infects…
This is a post from HackRead.com Read the original post: Fake Updates Continue To Be A Digital Risk: What To Do?

In this digital era, online threats are booming as much as the internet user base. Sometimes, malware infects devices due to vulnerabilities unknown to people. However, it frequently comes as a direct consequence of users’ actions. For instance, entering that suspicious website promising exclusive content or software for free. Speaking of human error, one of the most popular techniques used by hackers is fake updates.

But what are fake updates? These are malicious software downloads masquerading as legitimate updates. This type of malware is often used to infect devices with ransomware. The recent development in this is Vidar Malware. What are its risks, and how to contain them?

**What is Vidar malware? **

The recent fake update was discovered impersonating a Windows 11 download portal. These portals ultimately caused a Vidar malware infection. The same malware was found to be spreading through the fake InterVPN website.

Vidar is a kind of info-stealing malware that may be utilized to monitor users. This malicious software can steal login credentials, take screenshots, bank details, etc. Besides general info stealing, Vidar was also discovered downloading and executing additional malware payloads. Moreover, the malware deletes itself from the system after completing its work.

Fake Windows 11 download website delivering Vidar malware

**How does Vidar work? **

It is being spread across the internet using phishing, fallout exploit kit, and pay-per-install PrivateLoader dropper. The email contains an attachment as a .iso disk image, which is misleadingly called “request.doc.” This ISO is mainly composed of two files:  an executable (app.exe) and a Microsoft Compiled HTML Help (CHM) file (pss10r.chm).

Here’s how it enters the systems: When a notorious CHM file is loaded, a JavaScript snippet executes the app.exe. The second stage downloads and decodes the Vidar malware, which is then performed on the system.

Then, the Vidar samples communicate with their C2 server via Mastodon and Telegram. After successful communication, user profile bio sections are examined, and C2 addresses are extracted from the profiles. The malware is then copied to the target system, where it sets up its configuration and begins collecting user data.

So, this is how it hides its presence in your system. But how to save our devices from such attacks?

**How to protect yourself?**

Now that you know how to identify fake updates, it’s time to take measures to protect yourself. Here are some tips:

**Use a firewall**

This security system helps screen out incoming and outgoing network traffic. Good firewalls can often prevent malware from contacting the Command & Control server. It is how ransomware works – it needs to contact the C&C server to get a key that can encrypt your files. If it can’t reach the C&C server, it can’t get the key and thus can’t do any harm.

**Protect internet connection**

Your computer is only a part of the defense strategy you must employ. Malware can exploit many vulnerabilities, including unsecured networks. Luckily, you can guarantee that each network you connect to is safe. 

All it takes is setting up a VPN for Windows on your laptop and enabling it whenever you use it outside the home. Public Wi-Fi can be extremely dangerous: outsiders can snoop on your activities or use security loopholes to infect your device. Therefore, remember never to connect your devices, be it a Windows laptop or an Android smartphone, to free Wi-Fi without a VPN. 

**Change your update settings**

We often have our update settings on auto-update. It will install itself as soon as an update is available. This option should be preferred as it ensures you can have a PC running the latest operating system. If you do not schedule automatic updates, you may delay updates indefinitely. 

**Say no to piracy**

Free software and games can be tempting but can be a source of cyberattacks. Therefore, use only licensed software. This way, you will be sure that your updates are from a trusted source. Additionally, stay away from alleged exclusive offers for programs on random websites. 

**Install an antivirus**

An antivirus program will scan all incoming and outgoing files for a malicious activity like ransomware or adware. If it detects anything suspicious, it will alert users and recommend removal. Of course, it is essential to get a trusted antivirus program. Many fake antivirus programs could warn you about fake threats because they wish you to buy premium versions. 

So, even if you accidentally click on a fake update, the antivirus will take care of it. Install updates only from official websites. It is the safest way to ensure that the update is legitimate. If you ever come across any pop-ups that look legitimate, don’t click on them. It is best to counter-check the update on the official website and then download it from there.

**Always keep your system updated**

The best way to know whether any update is fake is to keep your system up to date. Any unexpected update now will be quite suspicious. Moreover, updates often contain security patches that fix vulnerabilities in your system. So, it’s always a good idea to keep your system updated.

**Backup your data**

This is more of a precautionary measure than anything else. By backing up your data, you ensure that you won’t lose any important files even if your device gets infected with ransomware. Many cloud storage options are available these days that offer good security and are affordable.

**Conclusion**

Apart from these precautions, it is essential to practice safe surfing to avoid these threats from detecting your device.

Fake Updates Continue To Be A Digital Risk: What To Do?

By Deeba Ahmed
The takedown resulted from a global law enforcement operation involving eleven countries, headed by Europol’s European Cybercrime Center.…
This is a post from HackRead.com Read the original post: Authorities Take Down SMS-based FluBot Android Spyware

The takedown resulted from a global law enforcement operation involving eleven countries, headed by Europol’s European Cybercrime Center.

The European Cybercrime Center/EC3 of Europol and law enforcement agencies from eleven countries launched a joint operation to take down FluBot spyware. The investigation involved Australia, Finland, Belgium, Spain, Ireland, Hungary, Sweden, the Netherlands, Switzerland, and the USA law enforcement authorities while EC3 coordinated the operation.

Ireland’s Garda National Cyber Crime Bureau (GNCCB) was part of the investigation team. GNCCB Detective Superintendent Pat Ryan stated that “the investigation is ongoing to identify the individuals behind this global malware campaign.”

**Details of the Operation**

In a blog post, Europol explained that the FluBot Android malware was distributed through SMS and was capable of stealing online banking credentials, passwords, and other sensitive data. Hence, an extensive investigation was launched since FluBot spyware targeted Android smartphones across Australia, Europe, and other parts of the world.

Authorities noted that its distribution scope was widening quickly. Now the spyware is under the control of Dutch Police/Politie, which carried out the operation in May, rendering the malware strain inactive.

A Flubot alert received by one of the victims as a text message

**About FluBot**

FluBot malware is distributed as an application, making it difficult to detect it. The malware gets installed on the Android smartphone through text messages. The user is asked to click on a link and install an app for tracking a package delivery or access a fake voice mail message.

After the app is installed, it asks for accessibility permissions. The malware operators use the access to steal sensitive data from the smartphone, including banking app login details and cryptocurrency wallet credentials. It can also effectively disable the mobile phone’s built-in security mechanisms.

Furthermore, it doesn’t open when the user taps on the app icon, and an error message appears when the user tries to uninstall it. The notorious malware was detected in 2021 when it infected many devices in Spain and Finland.

According to Interpol, FluBot was excessively virulent. It could be multiplicated automatically by forwarding the SMS message to the infected smartphone’s contact list. To avoid infection, smartphone users should immediately reset their phones on factory settings if they believe a malicious app was downloaded on the device.

1.  Microsoft takes down largest botnet network “Necurs”
2.  World’s Most ‘Resilient Malware’ Botnet Emotet Taken Down
3.  Authorities take down scam campaign impersonating the WHO
4.  Dutch Police takes down 15 DDoS-for-hire services in one week
5.  Europol takes down VPN service VPNLab used by ransomware operators

Authorities Take Down SMS-based FluBot Android Spyware

By Waqas
The U.S. Department of Justice (DoJ) confirmed seizing three domains used by cybercriminals to sell stolen personal data…
This is a post from HackRead.com Read the original post: FBI Seizes WeLeakInfo, IPStress and OVH-Booter Cybercrime Portals

The U.S. Department of Justice (DoJ) confirmed seizing three domains used by cybercriminals to sell stolen personal data and facilitate DDoS-for-hire service.

It has been just a couple of months since the authorities seized the infamous cybercrime portal Raidforums and arrested its alleged owner Diogo Santos Coelho. Now, in a press release, the DoJ and the FBI announced the seizure of three domains- weleakinfo.to, ipstress.in, and ovh-booter.com that the cybercriminals used for trading stolen personal information and offering DDoS for hire service.

The seizure results from an international investigation into sites/domains that allowed users to purchase access to stolen data and target victim networks with Distributed Denial-of-Service attacks (DDoS attacks).

Seizure notice on weleakinfo.to, ipstress.in, and ovh-booter.com domains

The District of Columbia’s attorney Matthew M. Graves and the FBI Washington Field Office’s Criminal and Cyber Division’s Special Agent in charge, Wayne A. Jacobs, made the announcement.

**Details of Seized Domains**

According to the DoJ press release issued on May 31st, 2022, the Weleakinfo website offered visitors a searchable database containing stolen information collected from over 10,000 data breaches. Moreover, it allowed users to trade hacked personal data, which the agency referred to as website trafficking in stolen private data.

The site also sold subscriptions to enable users to access the results of these data breaches. Subscriptions provided unlimited searches and access and were offered for 1 day, 1 week, 1 month, 3 months, and even for a lifetime.

The other two domains offered DDoS-for-hire services to their clients. Visitors of these domains will find a seizure banner notifying them that federal authorities have seized the domains after issuing a seizure warrant. The seized domains are currently in the U.S. federal government’s control, and their operations stand suspended.

WeLeakInfo’s prices

**What Data Was Available for Trading?**

The database comprised 7 billion indexed records, including names, usernames, email I.D.s, passwords for online accounts, and phone numbers.

> “Today, the FBI and the Department stopped two distressingly common threats: websites trafficking in stolen personal information and sites which attack and disrupt legitimate internet businesses.”
> 
> U.S. Attorney Matthew Graves

Special Agent Charles Jacobs noted that the seizure of these websites is a “prime example” of the extensiveness of actions the FBI and other intelligence agencies are undertaking to disrupt “malicious cyber activity.”

The investigation involved the DoJ’s Computer Crime and Intellectual Property Section, the FBI, the U.S. Attorney’s Office for the District of Columbia, the National Police Corps of the Netherlands, and Belgium’s Federal Police.

**More Cybercrime News**

1.  Feds seize WeLeakInfo.com for selling stolen databases
2.  21 WeLeakInfo customers arrested for buying breached data
3.  179 Dark Web vendors arrested, 500kg worth of drugs seized
4.  Domain, server of DoubleVPN used by ransomware gangs seized
5.  Russia seizes Trump Dumps, Ferum, and SkyFraud carding forums

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

FBI Seizes WeLeakInfo, IPStress and OVH-Booter Cybercrime Portals

By Deeba Ahmed
The new law requires service providers to store users’ web usage patterns, designated IP addresses, etc. for the…
This is a post from HackRead.com Read the original post: ExpressVPN Removes VPN Servers in India Rejecting Data Collection Law

The new law requires service providers to store users’ web usage patterns, designated IP addresses, etc. for the past five years and hand it over to CERT India.

Last month Hackread.com reported about the new law in India passed under the Information Technology Act 2000 provisions of sub-section (6) of section 70B, making it compulsory for VPNs and other internet service providers to collect sensitive user data.

The new law has garnered the Indian Computer Emergency Response Team (CERT-In) immense criticism for limiting user privacy. As per the new directions, all internet service providers will collect/store user data for the past five years and hand it over to the agency. This includes VPN service providers, data centers, body corporate, and intermediaries however, ExpressVPN has rejected the new law.

**ExpressVPN Removed its Servers in India**

VPN service providers view the new directions as a direct violation of a VPN service. ExpressVPN, now owned Kape Technologies, claims that the directions are “incompatible” with the core purpose of using VPNs, designed exclusively to retain users’ online privacy. Hence, the company has removed its servers from India.

The VPN vendor stated that this isn’t just a policy-based decision, and there’s another factor involved. Its servers aren’t structured to store user logs, so data centers cannot facilitate the Indian government’s new requirements.

> Not only is it our policy that we would not accept logging, but we have also specifically designed our VPN servers to not be able to log, including by running in RAM. Data centers are unlikely to be able to accommodate this policy and our server architecture under this new regulation, and thus we will move forward without physical servers in India.
> 
> ExpressVPN – Blog post

The company also disagreed with CERT-IN’s new directions citing them as “overarching” and “broad.” Therefore, the company refused to participate in the Indian government’s attempt to restrict internet freedom.

**Can Indians Still Access ExpressVPN?**

ExpressVPN has confirmed that users can still connect to its servers and access the internet as if they are located in India. The company confirmed that users would be assigned Indian IP addresses, and there will be a minimal difference.

> Our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India. These “virtual” India servers will instead be physically located in Singapore and the UK.
> 
> ExpressVPN

Anyone trying to connect to an Indian server would select the VPN server location India via Singapore or India via the UK to use the service.

**Mounting Disapproval Among VPN Service Providers**

Reportedly, ProtonVPN, PureVPN, and Surfshark are also among those vendors voicing concern over the new cybersecurity rules passed by the Indian government. The Netherlands-based Surfshark VPN stated that it is also exploring its options and wants to challenge the new directives legally.

After being criticized overwhelmingly, the Indian government revised its earlier, staunch stance, claiming that these rules won’t apply to corporate and enterprise VPNs. 

Meanwhile, the country’s Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, has categorically told other VPN providers to follow directions or terminate their businesses in India.

**More VPN News**

*   NSA, CISA Release Guidelines to Secure VPNs
*   Almost Every Major Free VPN Service is a Glorified Data Farm
*   Hackers Selling US Colleges VPN Credentials on Russian Forums- FBI
*   134 million downloads in 85 countries: A look at VPN usage in H1 2020
*   Personal details of 21M SuperVPN, GeckoVPN users leaked on Telegram

Source

HackRead