By Deeba Ahmed
Watch out for a new YouTube phishing scam and ignore any email from YouTube that claims to provide details about "Changes in YouTube rules and policies | Check the Description."
This is a post from HackRead.com Read the original post: Beware of new YouTube phishing scam using authentic email address

YouTube is investigating and warning users of a new phishing scam that has been using its authentic no-reply@youtube.com email address to lure users into giving away their login credentials.

YouTube, one of the world’s largest video-sharing platforms with billions of users, has become a target for phishing attacks. Scammers have found a new way to **trap YouTubers** through the platform’s Share Video by Email feature, which sends out phishing emails that look authentic. YouTube has become aware of this trend and is warning users to be cautious.

In a recent tweet, YouTube revealed details about a phishing scam where emails are being sent from an authentic YouTube account. The malicious email appears to be sent directly from YouTube, with the email address **no-reply@youtube.com**.

Social media content creator Kevin Breeze alerted YouTube about the new phishing scam and **tweeted** that it is not a spoofed email but rather an abuse of the video-sharing system. This suggests that scammers are exploiting the platform’s sharing system to send these emails.

The phishing email content is similar to those seen in **previous phishing scams**, containing a YouTube video and a message informing users about YouTube’s new monetization policy and new rules.

The email also includes a **Google Drive** link that has a password to open it. To instil urgency, users are told they have only 7 days to review and respond, otherwise their YouTube access will be restricted.

If users open the document and enter the required information, they may actually lose access to their YouTube account because it will be hijacked by scammers. This is especially concerning as most YouTube users log in using their Gmail accounts. If their YouTube account gets hijacked, their **Gmail data will also be stolen**.

> ⚠️ heads up: we’re seeing reports of a phishing attempt showing no-reply@youtube.com as the sender
> 
> be cautious & don’t download/access any file if you get this email (see below)
> 
> while our teams investigate, try these tips to stay safe from phishing: https://t.co/x9Ysnm9SSm https://t.co/MNQtrB7zbx
> 
> — TeamYouTube (@TeamYouTube) April 4, 2023

To stay safe, users are advised to be cautious and vigilant. They should avoid responding to messages sent by unknown senders, review emails carefully even if they are sent from the company’s official email address, and enable two-factor authentication.

In a comment to Hackread.com, **Vonny Gamot**, Head of EMEA at online protection company, McAfee said “Although the sender address appears to look legitimate, there are some tell-tale signs that the email is a scam. The 7-day countdown is a classic tactic from cybercriminals who often try to create a sense of urgency in a bid to make people act quickly without double-checking.”

Vonny emphasised that “You should never feel pressured into acting and always hover over any links before clicking on them to ensure the URL is correct as secure websites begin with “HTTPS,” not just “HTTP.”

“That extra “s” in HTTPS stands for “secure,” which means that it uses a secure protocol for transmitting sensitive information like passwords and credit card numbers. It often appears as a little padlock icon in the address bar of your browser,” Vonny added. “If ever in doubt over the legitimacy of an email or link, don’t engage with it and go direct to the source.”

Additionally, users are encouraged to use the **best antivirus software** to protect their devices against malware. YouTube may also need to temporarily disable the Share Video by Email feature to prevent exploitation by hackers.

This new phishing scam is a reminder that even the most popular and trusted platforms are not immune to cyber threats. It’s important for users to be aware and take steps to protect themselves from these types of attacks.

1.  How to detect phishing images in emails
2.  Google: Cookie stealer malware targeting YouTubers
3.  YouTube Tutorial Videos Spread Vidar, Raccoon Malware
4.  Increasing demand for stolen YouTube logins on dark web
5.  Google Drive caused 50% of malicious Office Doc downloads

Beware of new YouTube phishing scam using authentic email address

By Habiba Rashid
According to documents analyzed by Jeremiah Fowler, Z2U sells malware and other malicious services to customers under the guise of online trading.
This is a post from HackRead.com Read the original post: Z2U Market Leak Exposes Access to Illicit Services and Malware

The discovery came after Z2U exposed a cloud database containing 600,000 customers’ records.

Recently, vpnMentor’s cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database that contained over 600,000 customer records. The database was owned by Z2U, a China-based platform.

The data was analysed by Fowler who noticed images of individuals holding their credit cards, passports, or other government-issued identification documents. It indicates a typical case of a company exposing the KYC data of its customers.

In addition to personal information, it contained records of bank transaction payments, user logins, emails and passwords, software license keys, customer support history, and refunds requested due to frozen accounts.

Z2U claims to be a platform that creates a reliable trade environment between gamers. However, the documents seen by Fowler indicate that the company sells everything from aged Facebook and Instagram accounts to access to HBO, Netflix, and Disney+. Even more concerning is that Fowler confirmed seeing documents that reveal Z2U allegedly offers viruses, malware, and other malicious applications through its platform.

A leaked image shows a virus being sold to hack WhatsApp (Image credit: vpnMentor)

While Z2U claims not to sell stolen, hacked, or cracked accounts, it is unclear how the verification process is performed other than buyers requesting refunds when the account is no longer working or suspended.

According to vpnMentor’s report, the database contained records from users worldwide, and access was closed a week after Fowler sent the notice translated into Chinese.

The risks of the data being publicly exposed are significant. The images of individuals holding their identity documents and credit cards with their faces clearly visible were required by Z2U’s verification process and should have never been publicly exposed. This information puts users at significant risk of identity theft and fraudulent charges.

In addition to personally identifiable information and payment information, the images show that a wide range of other accounts or access to paid services were sold on Z2U’s platform, bypassing the validation processes put in place to prevent malicious or fraudulent activity on other social media platforms.

Many refund requests were marked “Seller Refused to Provide Refund.” Buyers who purchase accounts from secondary or potentially illicit marketplaces run the risk of not having their money returned or actually getting access to the account or goods they thought they were purchasing.

Fowler suspects that the records were attachments to and from customer support. He also saw video files where users filmed their screens to show login issues or payment problems. Z2U claims to have over one million positive reviews and even offers an affiliate program, but many mixed reviews exist, both positive and negative, on independent review websites and Reddit.

The database was hosted on a server based in China, and many of the documents and file names were in Chinese. Many of the account login email addresses for sale used Russian email accounts with the.ru domain extension. It is well-known that Russian cybercriminals are actively engaged in identity theft, online scams, and other malicious activities.

In conclusion, the discovery of the Z2U database raises many ethical and security concerns. While the company claims not to sell stolen, hacked, or cracked accounts, the verification process remains unclear, and the refund requests for frozen accounts suggest otherwise. The images of individuals holding their identification documents and credit cards expose them to significant risks of identity theft and fraudulent charges.

1.  US and China Exposed Most Databases in 2021
2.  Data of millions of Americans exposed from PC in China
3.  Leaky Server Exposed 579 GB of Users’ Website Activity
4.  Leaky server exposes fake Amazon product review scam
5.  “BreedReady” database of 1.8m Chinese women exposed online

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Z2U Market Leak Exposes Access to Illicit Services and Malware

By Waqas
The FBI and European authorities have seized Genesis Market’s clearnet domains as part of the ongoing Operation Cookie…
This is a post from HackRead.com Read the original post: Genesis Market’s Clearnet domain seized; Dark Web site still online

The FBI and European authorities have seized Genesis Market’s clearnet domains as part of the ongoing Operation Cookie Monster.

Genesis is one of the largest marketplaces on the dark web while its presence on clearnet is also quite significant. In the latest, clearnet domains belong to Genesis marketplace have been seized by the FBI under the ongoing Operation Cookie Monster.

When accessed, the marketplace’s domain displays a banner stating that the website is inaccessible because the FBI has executed a seizure warrant. 

Although the marketplace administrator(s) have not been identified or caught yet, it is evident that authorities have only seized clearnet domains while its main dark web domain remains online, which suggests that they have not been able to take down the entire Genesis infrastructure.

Regardless, it is still too early to make any assumptions or predictions about what might happen next.

The Dark Web domain of the Genesis market is still online and shows no seizure notice.

**How Did the Seizure Happen?**

According to the FBI, the seizing was carried out with the collaboration of multiple organizations from the private and public sectors, and international law enforcement agencies.

The seizure notice displayed on the domain also had a message for the site visitors, which read:

“Been active on Genesis Market? In contact with Genesis Market administrators? Email us, we’re interested,” followed by an official email address.

The bureau noted that around two dozen partners were on board for this operation. The seizure was followed by a worldwide applicable search and arrest operation. A federal court in the Eastern District of Wisconsin had issued the seizure warrant.

It is currently unclear who was operating this marketplace as they have maintained a low profile over the years, indicating they have sufficient operational security know-how.

That’s what the Genesis market’s homepage shows right now

**Why Genesis Market Seizure a Big Blow?**

Genesis Market was established in late 2017 and played a vital role to fill the gap especially after the seizure of Hansa and AlphaBay marketplace by the Dutch police.

By 2020, Genesis had become the world’s most popular marketplace for buying stolen credentials, cookies, and device fingerprints. Considered the largest platform in the world for illicit activities, Genesis Market offered stolen credentials for corporate and consumer accounts.

This market provided access to an extensive range of services with accounts from Gmail, Netflix, Facebook, PayPal, WordPress, Amazon, Zoom, eBay, Cloudflare, Reddit, Spotify, Twitter, and LinkedIn. Therefore, it is understandable that seizing such a thriving platform will be a huge blow to its users.

The seizure of Genesis marketplace should not come as a surprise. This development came just a month after the FBI arrested PomPomPurin (aka Pompompurin, aka Pom), the owner and admin of popular hacker and cybercrime forum Breach Forums, a hacker forum that surfaced as an alternative to the popular and now-seized Raidforums.

**How did Genesis Market operate?**

The market operators used information stealers to collect login credentials with fingerprint data, such as time zones, IP addresses, cookies, device information, etc.

The operators earned profits from renting the account identities via bots, including stolen accounts, and browser plug-ins that imported the login and fingerprint data of the compromised account to let attackers assume the real owner’s digital identity. As per the account type, buyers paid up to $10 to get access to an account for a specific period.

1.  Dark web data center in former NATO bunker seized
2.  Finnish language dark web market Sipulimarket seized
3.  Hive Ransomware’s Servers and Dark Web Site Seized
4.  179 Dark Web vendors arrested, 500kg of drugs seized
5.  Dark Web child abuse gang busted; 15TB of files seized

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Genesis Market’s Clearnet domain seized; Dark Web site still online

By Deeba Ahmed
Rorschach ransomware boasts advanced encryption technology and can spread automatically on the machine if executed on a domain controller. 
This is a post from HackRead.com Read the original post: New Strain of Rorschach Ransomware Targeting US- Firms

Researchers state that Rorschach ransomware has been labelled as the fastest-ever ransomware due to its unparalleled evasion techniques, which have never been seen before.

Check Point Research has shared details of previously undocumented ransomware, dubbed Rorschach, which they regard as the fastest-ever ransomware discovered so far. Researchers noticed that an unnamed US-based organization is one of the victims of Rorschach.

It’s not surprising that new strains of ransomware are emerging, given the increasing number of ransomware attacks and the constant development of new evasion techniques by cybercriminals. Recently, researchers discovered a new ransomware strain called **Cylance** that targets both Linux and Windows devices.

**Highly Effective, Evasive, and Fast-Encrypting Ransomware**

An exclusive feature of Rorschach ransomware is its effective, fast hybrid-cryptography scheme, which makes it the fastest ransomware out there, even faster than LockBit.

Calling it a Speed Demon, Check Point researchers wrote that in a controlled encryption speed assessment, the ransomware encrypted 220,000 files in four and a half minutes. In contrast, LockBit encrypted the same number of files in seven minutes.

Rorschach ransomware boasts advanced encryption technology and can spread automatically on the machine if executed on a domain controller. 

Moreover, this is a highly configurable malware equipped with novel functionalities that make it stand out among other ransomware strains. It features a “high level of customization” and has “technically unique features that have not been seen before in ransomware,” Check Point’s researchers Jiri Vinopal, Dennis Yarizadeh, and Gil Gekker explained in their **report**.

“In fact, Rorschach is one of the fastest ransomware strains ever observed, in terms of the speed of its encryption.”

Furthermore, the ransomware is equipped with safeguards to bypass analysis and defence mechanisms, which it achieves via direct system calls. This is the first ransomware that can make direct system calls. Until now, only malware families had this feature. 

**Is Rorschach Linked with another Ransomware?**

Although it seems inspired by several other ransomware, Rorschach is neither linked to any other malware family nor affiliated with another ransomware group. However, researchers did observe similarities between Rorschach and **Babuk ransomware** source codes.

It is worth noting that Babuk’s source code was **leaked** in September 2021. The ransom notes used in Rorschach-based campaigns are inspired by DarkSide and Yanluowang.

Ransom note (Image: Checkpoint)

**How is Rorschach Executed?**

The ransomware execution mainly relies on three files. First, Cortex XDR Dump Service Tool (cy.exe) is executed, which side-loads with loader and injector file (winutils.dll). This DLL file then loads the ransomware (config.ini) in the memory. It also gets injected into notepad.exe.

Rorschach uses multiple processes and uses falsified arguments to stop some processes, clear Windows event logs, delete shadow backups and volumes, and disable Windows firewalls.

Infection chain of Rorschach Ransomware (Image: Checkpoint)

When the ransomware is executed on a domain controller, it generates a group policy that lets it automatically infect other devices on that domain. It checks for the infected device language and terminates if a language from the CIS countries, e.g., Russia, is detected.

1.  LockBit Ransomware Hits SpaceX Contractor
2.  IRS tax forms W-9 email scam drops Emotet malware
3.  CISA to Start Issuing Early-Stage Ransomware Alerts
4.  ALPHV ransomware claims it has hacked Amazon’s Ring
5.  Rilide Malware – Crypto Stealer Hits Chromium Browsers

New Strain of Rorschach Ransomware Targeting US- Firms

By Owais Sultan
Let's code, kids!
This is a post from HackRead.com Read the original post: How to Teach Your Child Coding: A Gift for Their Digital Future

As we progress through the digital age, coding is rapidly gaining traction as a logic-based skill that can fuel creativity in both kids and teens. Another beauty of technology is that children have access to an array of resources, such as coding apps, websites, online courses, games, and more.

However, teaching coding to kids and teens using traditional methods can be quite challenging. Parents and educators are increasingly opting for age-appropriate, engaging, and enjoyable ways to teach coding.

This approach helps young learners develop the skills required in the programming world. Keep reading this post to discover five exciting ideas to make coding fun for kids and teens.

**Innovative Approaches to Teach Coding to Kids**

Many programming concepts will be entirely new to young learners. As such, it’s essential to introduce each concept incrementally. Recent research indicates that students across all age groups retain information more effectively when they learn in a fun and engaging manner. This insight opens the door to discovering new methods for teaching coding to children.

If the learning process becomes dull, it can quickly dampen the student’s interest, regardless of the subject matter. Before teaching coding, convey to your child the excitement and enjoyment they may find in programming.

The prospect of building websites, games, animations, apps, and more will pique their curiosity about coding. Here are some tips to make learning coding a fun and immersive experience for kids and teens:

**1\. Leverage Toys for Skill Development**

One of the most effective ways to enhance kids’ creativity is by introducing them to toys like Legos, Mechanix, and others. Depending on the child’s age, you can engage them in the design and creation process of these toys. This approach will bolster their logical, observational, creative, and reasoning abilities, paving the way for learning the basics of programming.

**2\. Explore Coding through Minecraft**

Getting kids and teens involved in Minecraft serves as an excellent motivator for learning to code. Widely accessible on gaming consoles and desktops, Minecraft introduces young learners to various coding elements in an enjoyable manner. The game employs a straightforward structure to craft objects, making it an engaging learning tool.

**3\. Utilize Websites and Apps for Coding Instruction  
**

Presently, numerous websites and applications offer block-based coding lessons to kids and teenagers. Popular platforms like Thunkable and code.org provide tailored learning experiences, allowing you to select the most suitable resource for your needs.

These websites are specifically designed to teach children by integrating visual code blocks into entertaining projects. The combination of vibrant graphics and block code helps make the coding process more approachable and less daunting.

**4\. Utilize Engaging Media Resources**

There are numerous resources available today for teaching children coding, such as YouTube, TikTok, and online communities. Streaming programming videos on YouTube prompts the algorithm to suggest related coding videos for both you and your child. YouTube offers a wealth of information tailored to various learning styles for coding.

Choose the right YouTube video to help kids and teenagers grasp binary code. Videos, especially animated ones, can simplify complex coding concepts and make them enjoyable. For offline education, parents can turn to books or magazines featuring engaging imagery that sparks interest and motivates children and teens to delve into coding studies.

**5\. Embrace Learning from Children**

Recent research suggests that learning by teaching is an effective strategy for deepening one’s understanding of a concept. If your child is learning to code, encourage them to share their knowledge with someone else. You can participate by providing an opportunity for them to teach you a new coding concept. Asking questions about these concepts helps reinforce their learning and motivates them to continue learning.

**The Benefits of Learning to Code for Kids and Teenagers**

Coding involves giving instructions to a computer to perform specific tasks. By learning coding through resources like the CodeMonkey course, your children can secure a brighter future. They’ll develop logic and computational thinking skills to tackle various challenges in life. Additionally, coding fosters persistence, collaboration, and communication skills. Let’s explore how kids can benefit from learning to code:

**1\. Developing Crucial Skills**

One of the major advantages of learning to code is the enhancement of problem-solving, creativity, and logical thinking abilities. Children are provided with numerous opportunities to practice and refine these skills, which are essential for both personal growth and professional success.

**2\. Building Confidence**

As kids and teenagers learn to articulate their ideas and grasp fundamental concepts, their confidence increases. This newfound confidence enables them to develop websites and applications more effectively.

**3\. Discovering New Concepts**

Coding offers a hands-on learning approach that encourages kids and teenagers to explore and interact with their environment. This method helps them learn from their mistakes and experiment with various solutions to find the most appropriate one.

**4\. Enhancing Communication Skills**

Coding requires breaking down complex ideas into simpler forms and effectively communicating them to computers. For a computer to execute a specific task, the message must be clear and precise.

As a result, not only do children’s computer communication skills improve, but their verbal and written abilities also see growth. Strong communication skills are essential for success in life.

**Closing Thoughts**

This article aims to guide you in discovering engaging methods for teaching your child coding. By making learning enjoyable, children are more likely to retain concepts for longer periods and apply them effectively.

In today’s world, coding is a crucial aspect of childhood education. Learning to code prepares kids and teenagers for success in future careers while enhancing problem-solving capabilities and creativity.

Through coding skills, individuals can create computer software, apps, websites, games, and more. It’s vital to introduce these future skills to your child to help them stand out in a competitive environment.

Moonpreneur recognizes the demands and needs that our rapidly evolving technological landscape presents for our children. As a result, we’re on a mission to educate and inspire entrepreneurship through our comprehensive online STEM programs, which help kids master futuristic sciences such as robotics, game development, app development, advanced math, and more! Sign up for a free 60-minute robotics and coding class today!

1.  5 Ways to Ensure Your Child’s Online Safety
2.  10 Android Ed Apps That Collect Most User Data
3.  Top 6 Cell Phone Tracker Apps for Parental Control
4.  Kids breach and bypass Linux Mint screensaver lock
5.  Teen Hackers on Discord Sell Malware for Quick Cash

How to Teach Your Child Coding: A Gift for Their Digital Future

By Deeba Ahmed
The Chromium-based browsers include Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and several others.
This is a post from HackRead.com Read the original post: Rilide Malware – New Crypto Stealer Hits Chromium-Based Browsers

Riligy malware is disguised as a legitimate Google Drive extension and allows attackers to capture screenshots, monitor users’ browsing history, and inject malicious scripts to steal funds from cryptocurrency wallets.

The cybersecurity researchers at Trustwave SpiderLabs have disclosed alarming details on a new strain of Rilide malware that targets Chromium-based browsers to steal cryptocurrency funds and monitor users browsing activities.

In the newly discovered campaign, SpiderLabs researchers noticed that threat actors have created legitimate-looking Google Drive extension that hides Rilide malware.

SpiderLabs researchers believe Rilide malware is unique because of its capability of generating dialogues to trick users into giving away their 2FA keys. This is a rare feature that helps the attacker withdraw cryptocurrencies discreetly.

In addition to this, the malware also allows attackers to carry out an extensive range of activities, including capturing screenshots, monitoring users’ browsing history, and injecting malicious scripts to steal funds from cryptocurrency wallets.

The researchers have confirmed that Rilide malware targets Chromium-based browsers, including Microsoft Edge, Google Chrome, and Opera to achieve its malicious objectives.

The fact that Google Drive is being used maliciously is not surprising. A study conducted last year found that 50% of all malicious Office document downloads were from Google Drive. Another study revealed that Apple Safari was the safest browser while Google Chrome was the riskiest browser in 2022.

As for Rilide malware, during their investigation, SpiderLabs researchers detected multiple such extensions for sale in March 2022. They also noted that a portion of Rilie malware source code was recently leaked by someone on an underground hacking forum over payment issues.

This leaked code can swap cryptocurrency wallet addresses from the clipboard with the attacker’s address. Moreover, the C2 address embedded in the Rilide code can identify GitHub repositories belonging to a user named gulantin, which contains the extension’s loader.

**Attack Chain**

Researchers have detected two attack methods to install the malicious extension, Ekipa RAT and Aurora Stealer. Ekipa RAT is distributed through booby-trapped Microsoft Publisher documents, whereas fake Google Ads serve as Aurora Stealer’s distributor.

Their attack chains encourage the execution of a Rust-based loader, which can modify the browsers’ LNK shortcut file and launch the add-on using the “–load-extension” command line switch.

_Infection Chains_ (Trustwave)

Ekipa RAT can carry out targeted attacks. Conversely, Aurora, first spotted in April 2022 on Russian-speaking underground forums, is a Go-based stealer offered as a Malware-as-a-Service (Maas) tool. It can take data from different web browsers, local systems, and cryptocurrency wallets.

“The Rilide stealer is a prime example of the increasing sophistication of malicious browser extensions and the dangers they pose,” the report read.

1.  Malicious Firefox extension phish Gmail credentials
2.  Ad-blocker Chrome extension injected ads in Google
3.  Fake ChatGPT Extension Hijacks Facebook Accounts
4.  Phishing attack uses Google Drive against researchers
5.  Chrome extensions harboring Dormant Colors malware

Rilide Malware – New Crypto Stealer Hits Chromium-Based Browsers

By Deeba Ahmed
The findings are to be presented at the Usenix Security Symposium.
This is a post from HackRead.com Read the original post: WiFi Flaws Allow Network Traffic Interception on Linux, iOS, and Android

The WiFi flaw discovered by researchers from Northeastern University and KU Leuven can impact a wide range of operating systems, including Linux, iOS, and Android, leaving them vulnerable to potential interception of network traffic if exploited by hackers.

Wireless networking stacks found in a wide range of operating systems were left vulnerable due to an ambiguity in the WiFi specification, explained academics from Northeastern University and KU Leuven in a paper (PDF) titled “Framing Frames: Bypassing WiFi Encryption by Manipulating Transmit Queues.” The ambiguity can allow exposure of network traffic if exploited by threat actors.

**Research Findings**

According to researchers Domien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef, the issue is caused by a fundamental design flaw detected in the IEE 802.11 WiFi protocol standard. The devices impacted by this issue include those running FreeBSD, Linux, iOS, and Android. Aruba, Asus, and D-Link devices were also examined for this research.

If exploited successfully, it can allow attackers to hijack TCP connections. Additionally, they can intercept client and web traffic. Vanhoef shared these findings at the 2023 Real World Crypto (cryptography) Symposium in Tokyo, Japan. The paper is to be presented at the Usenix Security Symposium.

**Security Advice**

*   Securing your Spectrum-compatible WiFi routers
*   How To Keep Your Router, WiFi Safe From Hackers
*   Wireless Router Security: Set up a WiFi router securely

**What’s The Issue?**

Vanhoef explained the findings in a video presentation, sharing that an attack called kr00k revealed by ESET in 2019 shares similarities with the attack his team had developed as both involve similar vulnerabilities, indicating that the IEEE 802.11 WiFi standard cannot articulately handle buffered framed. 

WiFi frames contain different types of data related to network routing and traffic and include a header, body, and trailer, which allow data to move from one point to another. WiFi access points queue frames linked with different network layers and buffers them until the right network sources are available to send them. In this case, researchers noted that the WiFi specification didn’t describe how to manage the security context in buffered frames.

**How Can The Flaw Be Abused?**

Researchers wrote that attackers would exploit power-save mechanisms in endpoint devices to trick access points into exposing data frames in plaintext. Or else an all-zero key would allow them to encrypt it. Due to the power-save bit’s “unprotected nature” in a frame’s header, the issue allows an attacker to enforce queue frames for a particular client.

This would result in disconnecting and executing a DoS (denial of service) attack. The objective is to leak the frame from the access point linked to the victim’s client station. It works because, during the security context changes, most WiFi stacks didn’t appropriately dequeue/purge their transmit queues.  

The attacker can send a spoofed power-save frame with an Association or Authentication frame and successfully reset the wireless connection by making the access point respond by removing the client’s pairwise key. If the adversary uses a Wake-Up frame, the access point will send the buffered data under an undefined security context and prompt a data frame leak.

Furthermore, in a security context override attack, the access points can encrypt unqueued frames through the attacker’s chosen key, thus, rendering the encryption ineffective. Researchers have published a proof-of-concept exploit titled MacStealer. This tool tests networks to identify vulnerability to a client isolation bypass.

1.  WiFi software firm leaked millions of users’ data
2.  iPhone Wifi bug exposed devices to remote attacks
3.  Avoid being Pwned by bugs residing in the WiFi chip
4.  Flaws exposed all WiFi enabled devices to FragAttacks

WiFi Flaws Allow Network Traffic Interception on Linux, iOS, and Android

By Deeba Ahmed
Researchers warned that the campaign works through a network of fake websites that promote seemingly harmless crypto apps and other software.
This is a post from HackRead.com Read the original post: New VPN Malvertising Attack Drops OpcJacker Crypto Stealer

The primary target of the OpcJacker Crypto malware campaign are unsuspecting users in Iran who were tricked into downloading an archive file that contained the novel Opcjacker malware. 

Trend Micro cybersecurity researchers discovered a new malvertising campaign in February 2023 targeting Iranian users and distributing Opcjacker malware. They dubbed the malware Opcjacker due to its opcode configuration design and cryptocurrency-stealing capabilities.

The use of VPNs in malvertising attacks against Iranian users should not be surprising. In October 2022, Iranian hackers were spreading “**RatMilad**” Android spyware disguised as a VPN app.

**More Context**

1.  Iranian group hacking VPNs for “Fox Kitten Campaign”
2.  Phones of Iran’s protest detainees targeted with spyware
3.  VPN malvertising hits Persian speakers Baháʼí faith followers

**VPN Malvertising Attack Drops Opcjacker **

The campaign works through a network of fake websites that promote harmless-looking crypto apps and other software. In the newly analyzed sample, malvertisements were hidden inside a genuine VPN app. Users in Iran were tricked into downloading an archive file that contained the novel Opcjacker malware. 

The fake website distributing the OpcJacker crypto stealer (Credit: Trend Micro)

**How Does the Attack Work?**

Malware loads automatically by patching a legit DLL library in an installed program, which loads the next malicious DLL library. This library eventually runs the shellcode that contains the loader and runner of another malicious app. This app is different from Opcjacker as it has been assembled from data chunks stored in files of WAV, CHM, and other formats. 

**Analyzing Opcjacker**

Researchers noted that Opcjacker is a novel and interesting malware. Its configuration file has a custom file format resembling custom virtual machine code that outlines the stealer’s behaviour.

In the configuration file, researchers found numeric hexadecimal identifiers that force the malware to perform certain functions and make it difficult for researchers to identify the malware’s code flow.

“The configuration file format resembles a bytecode written in a custom machine language, where each instruction is parsed, individual opcodes are obtained, and then the specific handler is executed,” researchers wrote in the **report**.

**Opcjacker’s Capabilities and Functionalities**

In this campaign, scammers have concealed Opcjacker through a crypter called **Babadeda**. It uses the configuration file for activating the malware’s data-stealing capabilities, running arbitrary shellcode, and other executables.

The malware’s functions include capturing screenshots, keylogging, loading new modules, stealing private/sensitive user data from browsers, and hijacking cryptocurrency wallets by **replacing addresses in the clipboard**.

In addition, Opcjacker can deliver next-stage payloads like **NetSupport RAT** along with an hVNC (hidden virtual network computing) variant to allow the attacker remote access.

The infection chain

Researchers believe the campaign is financially motivated because Opcjacker can steal cryptocurrency. The malware is being distributed in the wild since at least mid-2022 in different malvertising campaigns but it is still evolving and under active development.

1.  New malvertising attack is spreading backdoor
2.  Fake Tor Browser Installers Drop Clipper Malware
3.  CISA says use ad blockers to fend off ‘malvertising’
4.  Malvertising attack affected millions of PornHub users

New VPN Malvertising Attack Drops OpcJacker Crypto Stealer

By Waqas
The cyberattack has forced the technology giant to shut down and take some of its operations offline.
This is a post from HackRead.com Read the original post: Western Digital Security Breach – Hackers infiltrate Internal Systems

The Western Digital security breach appears to have been linked to ransomware, but so far, no major ransomware group has claimed responsibility for the attack.

On March 26, 2023, data storage company Western Digital suffered a “network security incident” where hackers managed to access several of its internal systems, confirmed the California-based firm.

The breach appears to have been linked to ransomware, although Western Digital has not revealed how it was compromised. The company is currently working to determine the nature and extent of the data that was stolen by the hackers.

So far, the perpetrators remain unknown and no major ransomware group has claimed responsibility for the attack.

It’s not surprising that Western Digital has experienced another security breach, given that in 2021, hackers were able to remotely wipe the hard drives of Western Digital My Book Live.

In a statement, Western Digital said that “Based on the investigation to date, the company believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data.”

Western Digital stated that the incident caused disruption to its business operations and downed its My Cloud network-attached storage service, which enables users to access their files over the internet.

According to the company, it is taking proactive measures to secure its business operations, which include taking some systems and services offline. The company is also taking additional steps as necessary to prevent further security breaches.

The company assured customers that it is implementing security measures to prevent future cyber attacks and is also working to restore the affected infrastructure and services.

Western Digital is working with a cybersecurity firm whose name has not been revealed, and coordinating with law enforcement to investigate the breach.

The data breach at Western Digital highlights the continuing threat of cyber attacks to companies and their customers. It is a timely reminder for organizations to take proactive measures to secure their networks and protect sensitive data.

1.  Don’t Sell Your Laptop Without Following These Steps
2.  UCLA researcher destroyed hard drive amid FBI probe
3.  Sonic & Ultra signals crash Windows, Linux & hard drives
4.  Hard drives with data of 29K Facebook employees stolen
5.  Ex-employee stole hard drive with Coca-Cola workers’ data

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Western Digital Security Breach – Hackers infiltrate Internal Systems

By Waqas
Mullvad VPN and the Tor Project Join Forces to Launch Mullvad Browser, a Privacy-Focused Web Browser.
This is a post from HackRead.com Read the original post: Mullvad VPN and Tor Project Release Mullvad Browser

Good news for those seeking online privacy and anonymity as Mullvad Browser is now available for free download.

Mullvad VPN and the **Tor Project** have partnered to launch the Mullvad Browser, a new privacy-focused web browser. The browser has been developed to offer users a secure browsing experience and to minimize tracking and fingerprinting.

Mullvad browser is designed to be used with Mullvad VPN, a trustworthy VPN, to provide even greater privacy and security.

The Tor Project, the team behind the popular **Tor browser**, is a nonprofit organization that aims to defend online privacy and advance human rights by creating and deploying free, open-source anonymity and privacy technologies.

In a **press release**, Jan Jonsson, CEO of Mullvad VPN said, “The Tor Project is the best in the field of privacy-focused browsers. That’s why we reached out to them. We also share their values of human rights and online privacy. The Mullvad Browser is all about providing more privacy alternatives to reach as many people as possible and make life harder for those who collect data from you.”

For your information, Mullvad VPN was founded in 2009 and is widely considered to be one of the most secure and privacy-focused VPN services available today.

The company is based in Sweden and offers a secure, private, and anonymous VPN service that allows users to browse the internet without being tracked or monitored.

Mullvad VPN uses advanced encryption technology to protect user data and offers a no-logging policy to ensure that user activities are not tracked or recorded. Now, the service is also designed to work seamlessly with the Tor network, providing an additional layer of privacy and security for users.

The Mullvad browser is available for free and **can be downloaded** on Windows, MacOS, and Linux platforms.

“We want to free the internet from mass surveillance and a VPN alone is not enough to achieve privacy. From our perspective, there has been a gap in the market for those who want to run a privacy-focused browser as good as the Tor Project’s but with a VPN instead of the Tor Network,” Jonsson said.

For your information, another option that offers VPN along with Tor browser integration is **Brave browser**.

1.  Tor and Its 10 Best Alternatives
2.  Mozilla VPN – Firefox private network VPN
3.  Download the official Tor browser on Android
4.  ProtonVPN launches Chrome and Firefox extensions

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Source

HackRead