By Owais Sultan
SBOM or Software Bill of Materials implies a comprehensive inventory of all the constituent elements or components of the software.
This is a post from HackRead.com Read the original post: The Best Ways to Automate SBOM Creation

For the DevOps and software engineer, there’s nothing more important than having a safe and secure product. With **cybersecurity hacks** becoming more than a passing trend today, it has become imperative to take extreme steps to protect the software supply chain and its many components.

**Why is software cybersecurity important?**

The Software Development Life Cycle (**SDLC**) is a lengthy process. Given how fast-paced the world of software development is, it is common to have engineers use several other third-party sources and components to aid them rather than build everything from scratch.

This method is rather important for quick product and update delivery. However, the truth is that it exposes software to several corruptions and vulnerabilities, which, when exploited by hackers, become gaping security weaknesses that can compromise the entire project.

These vulnerabilities often exist for considerable dwell periods, such as in the case of the **SolarWinds hack**, before discovery. In the latter’s case, the vulnerabilities lay undiscovered for several months.

The respective hackers (**suspected Russians**) were only too glad to take advantage of the illegal backdoor to the software, stealing dollars worth of private and government data, including state secrets.

Upon discovery, the phenomenon shook the entire software industry, highlighting the importance of maintaining top-notch security practices throughout the development pipeline.

Since then, many standardized approaches have emerged. One essential way to protect your supply chain’s integrity is to assess the **SBOM**.

In this article, we’ll comprehensively examine the concept of SBOM and go on to explain the best ways to automate its creation.

Read on.

**What is SBOM?**

SBOM is an acronym for Software Bill of Materials. **Software Bill of Materials definition** implies a comprehensive inventory of all the constituent elements or components of the software.

In a non-software context, an SBOM can be likened to the ingredients that make up a canned good, including its source. Here, it would include the manufacturers of the can m, the farm where the raw ingredients were sourced, and so on.

An SBOM includes all third-party components used in software development, including code libraries, packages, patch status, dependencies, component version, license type, etc.

**What formats does the SBOM take?**

So vital is the data contained with SBOMs, particularly to mitigating the risk involved in cyberattacks, that the **US government has strict regulations** regarding it.

By law, software companies working with the government are required to provide a comprehensive SBOM in any one of three standardized formats.

These formats are identified by the NTIA (National Telecommunications and Information Administration) as methods for generating a comprehensive SBOM inventory list inclusive of software entities and related metadata.

Here are the three formats:

*   ●       OWASP Cyclone DX
*   ●       SPDX (Software Package Data Exchange)
*   ●       SWID (Standard for Software Identification)

The SPDX is an open standard for SBOM generation containing security references, copyrights, and software components.

On the other hand, the OWASP CycloneDX standard is used in generating inventories of third-party and proprietary software constituents for risk analysis. This makes it ideal for documenting information like firmware, libraries, containers, operating systems, frameworks, etc.

SWID is an ISO (International Organisation for Standardization) definition that consists of an XML file containing software components inventory such as patch statuses, licenses, and installation bundles.

> A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management.
> 
> CISA

**Why is it important to automate SBOM generation?**

SBOM formats are designed to be machine-readable. As they comprise so much data, the manual analysis, curation, and processing of this data is time-consuming.

Even the smallest software is often composed of several components. Culling an inventory of these constituents is a near-impossible task per manual execution.

As such, automating the process the crucial to generating SBOMs. This way, there will be better consistency in the change implementation after release. Additionally, it facilitates the digital cryptographic verification and signing of components by vendors. Besides, it ensures continuous scanning to generate SBOMs, inherently making them valuable to the Continuous Integration/Continuous Delivery pipeline.

Also, SBOM automation offers machine speeds, thus saving valuable time. Instead of devoting crucial hours to curating the inventory, your software organization can focus on effective deployment. Additionally, it becomes easy to flag and isolate the faulty component and run update scans for **risk mitigation if vulnerabilities are detected**.

**Methods for automating SBOM creation**

There are three common methods of automating SBOM creation:

**SCA tools**

SCA stands for **software composition analysis**. These tools automate SBOM creation by comprehensively analyzing third-party code integrity, license compliance, and software security.

The process is highly efficient, guarantees code integrity boosts productivity, and does not compromise security.

Some of the components that SCA tools investigate include the following:

*   ●       Binary files
*   ●       Manifest files
*   ●       Source code
*   ●       Container images.

SCA tools provide security and reliability by analyzing tons of data points. Today, they’re highly useful in the cloud niche.

**Use plugins**

Another way to generate SBOMs is to use plugins within the **CI/CD pipeline**. This involves creating and auditing SBOMs in the DevOps pipeline.

A common plugin is the CycloneDX maven plugin which generates comprehensive SBOMs based on various project dependencies.

To begin with, the pox.xml file will have to be configured, with the culmination of the process being a generation of a bom.json file.

Next, the inventory is audited by a Dependency-Check SCA tool, after which the SBOM is finally generated.

**Use Scribe**

Scribe is an all-in-one software supply chain tool that helps developers generate comprehensive SBOMs.

The tool provides end-to-end security as far as your **software supply chain** is concerned, with a steady assurance of quality and code integrity throughout the SDLC.

The generated SBOMs can be shared with your team and your vendors, granting unhindered insight into code tampering and vulnerabilities in your software project.

With Scribe, you get comprehensive visibility, actionable insights, evidence-based compliance, and code integrity validation.

**Conclusion**

SBOMs are indispensable as far as the software supply chain is concerned. They’re the link between software developers and their respective project dependencies.

Without the comprehensive outlines they provide, optimizing cybersecurity practices within the development pipeline will be impossible.

As such, it’s important to generate a standardized SBOM in the course of a project’s development. It’s more than just essential- it is a necessity.

1.  **Importance of Automation for Businesses**
2.  **Importance of Tax Automation in Digital Business**
3.  **How Automation Affects The Interpreting Services**
4.  **Software Tech – Amp Up Your Onboarding Experience**
5.  **Cybersecurity Automation: How Businesses Benefit From It**

The Best Ways to Automate SBOM Creation

By Habiba Rashid
The Andre-Mignot Hospital in Versailles, near Paris, had to cancel operations and transfer patients after being hit by a cyber attack.
This is a post from HackRead.com Read the original post: French Hospital Suspends Operations After Crippling Cyber Attack

Over the weekend, the Andre-Mignot Hospital in Versailles, near Paris, had to cancel operations and transfer patients after being hit by a cyber attack, France’s health ministry said on Sunday.

By Saturday evening, six patients had been transferred – three belonged to intensive care while the other three were from the neonatal unit – said the minister, Francois Braun, after visiting the hospital. He added that more might follow. 

The hospital experienced a complete “reorganization” due to the cyber attack, according to Braun. The regional health agency (ARS) said the hospital had canceled operations but was doing its best to keep walk-in services and consultations running. 

Extra staff was also called into the intensive care. Although the machines were still functioning, more people were needed to watch the screens since they were no longer working as part of a network. 

The Paris prosecutor’s office has opened a preliminary investigation into attempted extortion, as well as the access and maintenance of the state digital system after the hospital filed a formal complaint on Sunday. 

This cyber attack is not a standalone event since many hospitals and health systems in France have been targeted by threat actors for several months now. Braun stated that “the health system suffers daily attacks” in France but the “vast majority of these attempts are prevented”. 

**In August**, the Corbeil-Essonnes hospital on the outskirts of Paris – which provides healthcare for nearly 700,000 residents – was targeted.

Its operations were severely disrupted for several weeks before returning to normal in mid-October. On that occasion, the cyber attack was followed by a demand for $10 million, subsequently lowered to one or two million.

The hackers had set a September 23 deadline for the hospital to pay the ransom, after which they posted confidential data on patients and staff to the “**dark web**.”

1.  **Ransomware attack on hospital causes patient’s death**
2.  **Authorities bust ransomware gang planning to hit hospitals**
3.  **CISA warns of disruptive ransomware attacks on US hospitals**
4.  **Hacker demands ransom in BTC after taking over hospital servers**
5.  **Doctor says his laptop was hacked and led to Aleppo hospital airstrike**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

French Hospital Suspends Operations After Crippling Cyber Attack

By Waqas
The 50GB worth of data is currently being sold on two clear web forums with a price tag of 1 BTC per database.
This is a post from HackRead.com Read the original post: Data of Israeli Employees from 29 Logistics Firms Sold Online

A group of hackers has posted a trove of approximately 50GB of data for sale on two online forums and a Telegram group. The data was posted on 26 and 27th November 2022. This was revealed to Hackread.com by researchers at VPNMentor.

A probe into the incident revealed that the data belonged to 29 Israeli transportation, logistics services and forwarding firms. Researchers believe that the hackers breached a software provider’s single point of failure, gained unauthorized access to these logistics firms’ supply chains, and exfiltrated a trove of personal data and shipping records.

**50 GB of Israeli Firms’ Data on Sale**

Hackers have posted the stolen data for sale. Visitors can buy a complete employee and customer information dataset from the targeted companies. The per-database rate is 1 BTC, which equals $17,000. An analysis of the graphics associated with these posts revealed that the data is part of a Black Friday Sale.

Previously, when some Israeli delivery firms were **targeted in cyberattacks**, the Israeli government’s cyber agencies named Iranian threat actors as the perpetrators. However, it is unclear if the same actors are responsible in this instance.

**Details of Leaked Data**

According to VPNMentor’s **blog post,** exposed data includes contract details and shipment information of the affected Israeli firms. The hackers have listed 1.1 million records for sale on different online forums. It seems like they have shared a small sample of data.

Whether 1 record represented 1 person or 1.1 million people were impacted in this data breach couldn’t be determined. The exposed information includes full names, addresses, and contact numbers.

Researchers were unsure whether the exposed addresses were work or home addresses. Customers’ exposed data includes full names and shipping details (sender and receiver’s addresses, number of packages, contact numbers, etc.).

Screenshot provided by VPNMentor shows post by hackers and what’s in the data.

**Possible Dangers**

These records can be exploited to intercept packages or blackmail/threaten courier firms’ employees into handing over valuable shipments. Threat actors can use personal data such as full names or contact details to target people with **scams and phishing attacks**.

Customers of these firms should be wary of suspicious SMS messages and calls and do not share personal information via phone. They should reveal sensitive data only to a trusted source only when necessary.

1.  **Australian Trading Giant Exposed 60GB of User Data**
2.  **MyEasyDocs Exposed 30GB of Israeli Students’ PII Data**
3.  **Iranian hackers leak a trove of Israeli LGBTQ dating app data**
4.  **Logistics giant D.W. Morgan exposed 100 GB worth of clients’ data**
5.  **Logistics giant exposes customer data, Lolz at researchers when alerted**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Data of Israeli Employees from 29 Logistics Firms Sold Online

By Owais Sultan
Did you know Fortnite was the first game to break through on a variety of console platforms, including XBOX/PS/Switch?
This is a post from HackRead.com Read the original post: Behind The Success Of Phenomenon Game Fortnite

Fortnite refers to a video game series set in a post-apocalyptic, zombie-infested world. It was developed by **Epic Games** and uses the company’s signature Unreal Engine. Currently, Fortnite has two titles: a team survival shooter called Fortnite: Save the World and a single-player game called Fortnite: Battle Royale.

Millions of players have downloaded the game since its launch, generating hundreds of millions of dollars a month for its creators. According to a **survey** by CouponBirds, Fortnite’s monthly active player base has remained around 80 million. The incredible number of people online makes for incredible profits. Fortnite: Escape brought in $5.4 billion in revenue for Epic in 2018 alone, making it the world’s most profitable game that year.

**How did Fortnite achieve so much in such a short time?**

**Fortnite** achieved what was previously considered almost impossible in the gaming industry: it was the first game to break through on a variety of console platforms, including XBOX/PS/Switch. Fortnite’s simultaneous cross-platform PC/ console/mobile connectivity is a big deal in the closed gaming ecosystem. This is due to **Tim Sweeney** and Unreal Engine’s many years of experience in the industry and their contacts and influence.

On the other hand, Fortnite has made a significant model innovation in the **F2P premium system** with its Battle Pass season ticket subscription model. By most people’s understanding of free-to-play in-game payment mechanics, it’s a treasure chest or so-called ten-row model. Treasure chests are a great way to monetize a game on a large scale, but the number of paying players affects the balance of the game, and endless amounts of money usually make the game suck.

How did Fortnite do it? It takes the concept of a subscription system commonly accepted in Western Internet culture and differentiates rewards by season. More important is the way rewards are earned: each season, users play the game for free to gain experience points that can be used to improve their battle pass levels, which have corresponding rewards for each level.

Image credit: Epic Games

These mechanics combine to create an addictive growth experience that allows Fortnite games to go crazy for retention and daily active players. **Fortnite’s Battle Pass** payout rate is 70%, something every game developer dreams of. Fortnite’s original Battle Pass payment design was a huge success, and many of the world’s biggest games have followed suit, almost all of which have had a direct impact on retention and payment.

Not only that, but in Fortnite, users can build, socialize, and interact. In addition to the gameplay experience, Fortnite quickly transformed itself into a social space, connecting the game space with real life.

Fortnite is one of the closest systems ecosystems to a **metaverse**. It stopped being a real game and became more and more social, evolving into a virtual space where custom characters interact. So far, there have been concerts, movie launches, fan meets, and other real-world events held in Fortnite’s virtual environment:

*   Marshmello’s first live Fortnite concert in February 2019 was played by more than 10 million players;
*   In April 2019, Marvel’s Avengers: Endgame offered a new co-branded interactive mode in Fortnite, where players take on the role of the Avengers as they battle Thanos;

*   In December 2019, Star Wars: The Rise of Skywalker held an audience screening at Fortnite, where director JJ Abrams was interviewed;
*   In April 2020, American rapper Travis Scott held an immersive concert called Astronomical in Fortnite, which was watched by 17 million people at the same time, causing a viral spread on social media;
*   In August 2021, Ariana Grande, a popular American singer, performed five consecutive concerts in Fortnite.

Image credit: The Verge

The star power made the game more popular and contributed to its success. The future looks bright for Fortnite. New maps, lots of new content, and a blank slate are sure to host crazy **new livestreams**. The number of players is growing and this match is sure to be one of the top games for the foreseeable future.

1.  **Top Dangers That Online Gamers Face**
2.  **Influence of technology on the gaming industry**
3.  **12 Classic Games You Can Play on Your Smartphone**
4.  **Minecraft declared the most malware-infected game**
5.  **What is Blockchain Gaming and its Play-to-Earn Model?**

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Behind The Success Of Phenomenon Game Fortnite

By Habiba Rashid
According to white hat hacker Sam Curry, once exploited, attackers could use the flaw to unlock the door, honk the horn, flash the lights, or even start the vehicle.
This is a post from HackRead.com Read the original post: App Flaw Allowed Honda and Nissan Cars Hack by Knowing VIN number

As convenient as it may be to be able to control certain features of your car using only a mobile app, you should keep in mind that with innovative technology comes the threat of **hackers finding vulnerabilities in it**.

As it turns out, remote car apps for several automakers giants that allow users to start, unlock, honk, and locate their car from their phones could actually be used without needing the login credentials.

Hacker, bug bounty hunter and Staff Security Engineer for Yuga Labs **Sam Curry published two threads on Twitter** explaining his research in which he uncovered this gaping hole in the remote car app security system of several makes including Nissan, Honda, Infiniti, and Acura vehicles. 

> More car hacking!
> 
> Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car.
> 
> Here’s how we found it, and how it works: pic.twitter.com/ul3A4sT47k
> 
> — Sam Curry (@samwcyo) November 30, 2022

Curry stated that he located the vulnerability by searching for the telematic platform shared by all these companies, which is offered by SiriusXM. Otherwise known for its satellite radio functionality, **SiriusXM offers** a Connected Vehicle Services package to other brands as well such as BMW, Hyundai, Jaguar, Land Rover, Lexus, Subaru, and Toyota. 

According to Curry, only the vehicle identification number (VIN) was needed to authorize the data exchanged through the telematics platform, allowing any person who knew the vehicle’s VIN to carry out various commands such as unlocking the door, honking, flashing the lights, or even starting the vehicle. 

When Curry tested this out, he also found that he could retrieve customer details such as a customer’s name, home address, contact information, and car details using only the VIN which is visible through the windshield on the dash of most vehicles.

Furthermore, the API calls for telematic services worked even if the user no longer had an active SiriusXM subscription. Curry also noted that he could enroll or enroll vehicle owners from the service at will.

Curry was only able to confirm that this vulnerability existed for Nissan, Honda, Infiniti, and Acura vehicles and did not cover the rest of the brands linked together by the service. 

On the brighter side, however, you can rest assured that your car is not affected by the vulnerability anymore. Before disclosing his findings publicly, Curry compiled a detailed report of the security vulnerability and presented it to the company.

He said that SiriusXM had used that information to immediately patch the vulnerability which means that the issue was already fixed before the news went public.

**Limited Security Options**

In the digital age, connected cars are becoming increasingly popular. They offer a range of benefits, from remote access to fuel consumption monitoring and more. But for car owners using apps to manage their vehicles, there are also potential security risks that need to be addressed.

The security of a vulnerable app is in the hands of its developers and owners, and only they can issue security updates and patches to fix the issue. This means users have limited and traditional options to go with. Here are a couple of steps you can take to protect your car from hackers and other cyber threats when you’re using applications.

To start with, do not share your car’s VIN numbers with unreliable third-party, make sure you use unique passwords for each app associated with your vehicle. Strong passwords that combine letters, numbers, and symbols can help protect valuable data stored in the connected cloud networks used by those apps.

Additionally, users should update their systems regularly with any new security patches released by their chosen app provider – these updates help keep hackers out of your car’s system.

1.  **Smart Cars: Increasing Comfort — Reducing Security**
2.  **How Hackers Can Remotely Unlock/Start Honda Cars**
3.  **Unlocking Tesla Cars, Smart Devices with Bluetooth Flaws**
4.  **Self-driving cars can be fooled by displaying virtual objects**
5.  **Internet-connected cars can be hacked to gridlock major cities**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

App Flaw Allowed Honda and Nissan Cars Hack by Knowing VIN number

By Habiba Rashid
The backdoor is equipped with a wide range of spying capabilities, including exfiltrating files, keylogging, and stealing browser data, etc.
This is a post from HackRead.com Read the original post: North Korean APT37 Unleashes Dolphin Backdoor on South Korea

On 30th November, ESET researchers uncovered Dolphin, a sophisticated backdoor used by an APT group named ScarCruft, likely to be linked to **North Korea**.

The group also referred to as APT37, InkySquid, Reaper, and Ricochet Chollima, is known to attack government entities, diplomats, and news organizations in South Korea and certain other Asian countries.

The geopolitical espionage group has been active since 2012, working to compromise targets linked to the interests of North Korea. It is worth noting that **in August 2021**, the same APT group was previously found using the Konni RAT variant against Russian organizations, while **in December 2019**, Microsoft had already spotted and dismantled a network of 50 malicious domains used by the group.

This time around, the backdoor used by the group has a wide range of spying capabilities which includes monitoring drives and portable devices, exfiltrating files of interest (such as media, documents, emails, and certificates), keylogging, taking screenshots, and stealing credentials from browsers.

Initially, a targeted device is compromised using less advanced malware after which the Dolphin backdoor is deployed to abuse cloud storage services, specifically **Google Drive**, to allow Command and Control (C&C) communication. 

During their investigation, ESET researchers observed that the older versions of the previously unreported backdoor were able to modify the settings of victims’ signed-in Google and Gmail accounts to lower their security, in order to gain access to victims’ email inboxes.

Furthermore, it searches the drives of compromised systems for interesting files and infiltrates them into Google Drive. This should not come as a surprise since **Google Drive is accounted for 50%** of malicious document downloads.

It was first found by the Slovak cybersecurity company in early 2021 and deployed as a final-stage payload as part of a watering hole attack against a South Korean digital newspaper. The campaign exploited two Internet Explorer flaws (**CVE-2020-1380** and **CVE-2021-26411**) to drop a backdoor named BLUELIGHT.

Although made by the same APT Group, BLUELIGHT is not as advanced as Dolphin and is only used to execute an installer shellcode that activates a loader comprising a Python and shellcode component, the latter of which runs another shellcode loader to drop the Dolphin backdoor. 

Dolphin backdoor’s infection chain (ESET)

“While the BLUELIGHT backdoor performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against selected victims,” ESET researcher Filip Jurčacko explained in a **blog post**.

Since initially being discovered in April 2021, Dolphin has undergone three successive iterations that improve its features and grant it more capabilities to evade detection. 

“Dolphin is another addition to ScarCruft’s extensive arsenal of backdoors abusing cloud storage services,” Jurčacko said. “One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims’ Google and Gmail accounts to lower their security, presumably in order to maintain account access for the threat actors.”

1.  **N. Korean hackers stole $1.7B from cryptocurrency exchanges**
2.  **N. Korean Radio Station Hacked to Play “The Final Countdown”**
3.  **US Warns Firms About N. Korean Hackers Posing as IT Workers**
4.  **N. Korean hackers used VPN flaws to hack S Korean atomic agency**
5.  **Elite N. Koreans aren’t opposed to exploiting internet for financial gain**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

North Korean APT37 Unleashes Dolphin Backdoor on South Korea

By Deeba Ahmed
CryWiper showcases ransomware-like features, such as file modification, adding a .CRY extension to the files, leaving a ransom note, etc.
This is a post from HackRead.com Read the original post: CryWiper Masquerading as Ransomware to Target Russian Courts

Threat actors are targeting Russian Mayors’ courts and offices with a new malware called CryWiper that appears as ransomware. In reality, it’s a wiper that can destroy all the data on an infected system permanently.

This reminds us of **Microsoft’s report in January 2022** in which a “destructive malware” was faking ransomware infection to target Ukrainian tech organizations, government agencies, and non-profit organizations.

**Campaign Analysis**

Cybersecurity firm Kaspersky and the Izvestia news service’s researchers have revealed startling details of how a new wave of attack has surfaced involving a brand-new trojan. It showcases ransomware-like features such as file modification, adding .CRY extension to the files and saving a README.txt file and a ransom note.

The note contains a bitcoin wallet address, the infection ID, and the email ID of the malware creators. However, these are deceptive measures employed by the attackers because CryWiper isn’t ransomware but a wiper, which is why researchers dubbed it CryWiper.

CryWiper ransom note (Image: Kaspersky)

The files, according to researchers, it modifies cannot be restored to their previous/original state. So, it is pointless even to **consider paying the ransom**.

**Pinpoint Targets**

In their **report**, Kaspersky researchers noted that CryWiper launches ‘pinpoint attacks’ on targets based in Russian Federation, whereas Izvestia noted that the targets are mayors’ courts and offices in Russia.

Reportedly, this wiper corrupts any data that isn’t essential for the operating systems’ functioning. Such as it doesn’t modify files with extensions .dll, .exe, .msi, or .sys. Kaspersky discovered the attacks in the past few months.

Moreover, it avoids affecting various system folders stored in the C:\\Windows directory. That’s because its main targets are user documents, archives, and databases.

**Why CryWiper Leaves a Ransom Note?**

Izvestia identified that after infecting a system successfully, CryWiper left a note demanding 0.5 bitcoin and a wallet address to transfer funds. Kaspersky researchers explained that although it extorts money from its targets for data decryption, it doesn’t encrypt data but destroys its completely. They further observed that this wasn’t a mistake but the developer’s original intention.

**How does it Work?**

CryWiper resembles **IsaacWiper**, using the same algorithms to generate pseudo-random numbers for directly corrupting targeted files and overwriting data. In this instance, the wiper directly rewrites the file contents replacing the original with garbage.

Then, It creates a task in the Task Scheduler to restart the wiper every 5 minutes. CryWiper can also send the targeted device’s name to a C2 server and wait for a command from the server to start the attack.

Furthermore, CryWiper halts processes of **MS SQL databases** and **MySQL servers**, MS Active Directory web services, and **MS Exchange mail servers**. It deletes shadow copies of documents on the C: drive only to prevent their restoration. It also disables the infected system’s connection through RDP remote access protocol, probably to complicate the job of incident response teams.

**Protection from ransomware and Wipers**

To protect yourself or your business from ransomware and data wipers, the first step in protecting yourself from data wipers is to back up your files regularly. This will allow you to restore any lost or damaged data if it does become compromised.

Kaspersky recommends carefully controlling remote access connections to your infrastructure including public networks. You should also use **antivirus software** with active malware protection, which will help detect and remove any malicious programs before they can cause damage.

Additionally, you should set up strong passwords for all accounts associated with sensitive data and check for suspicious activity on them regularly.

1.  **Police lose evidence to ransomware attack; suspects walk free**
2.  **DDoS Attack and Data Wiper Malware hit Computers in Ukraine**
3.  **Iranian hackers hit Israel with disk wiper in disguise as ransomware**
4.  **Crippling attack on Iranian trains linked to Meteor file wiper malware**
5.  **Linux and Windows hit with disk wiper, ransomware, crypto-malware**

CryWiper Masquerading as Ransomware to Target Russian Courts

By Deeba Ahmed
According to crypto intelligence firm Arkham, the attacker's wallet address was linked to a developer at Ankr, meaning an inside job can't be ruled out.
This is a post from HackRead.com Read the original post: 6 Quadrillion Token Heist Hits BNB Chain-Based DeFi Protocol Ankr

Web3 infrastructure provider **Ankr** is the latest victim of hacking and financial theft. The BNB Chain-Based DeFi protocol has confirmed in a series of tweets that it got hacked, and the attacker managed to steal six quadrillion tokens. The stolen crypto was Ankr Reward Bearing Stake/aBNBc.

**Incident Details**

Lookomchain, an on-chain analytics firm, stated that the hacking occurred on Friday, and the hacker stole around $10 million worth of crypto (USDC coins). The hacker could create countless Ankr Reward Bearing Staked BNB (aBNBc) tokens, which Blockchain security company PeckShield **claim** has an unlimited mint bug. Following the attack, the token’s value collapsed by at least 100%.

Soon after the attack occurred, the Binance crypto exchange **paused withdrawals**. Crypto intel firm Arkham stated that the attacker’s wallet address was linked to a developer at Ankr. Based on this, Arkham is not ruling out the possibility of an **inside job**.

As per Ankr’s spokesperson, the hacking occurred from a compromised private security key. The private-key hack helped the attacker initiate infinite tokens minting, PeckShield noted. The key was swapped out and replaced. It is worth noting that developers are allotted private keys to modify/manage smart contracts.

**Ankr’s Statement**

Ankr **tweeted** about the incident, claiming that all underlying assets on its Staking are safe at the moment, whereas all infrastructure services remain unaffected. Ankr has confirmed that after the exploitation of its aBNB token, it has urged exchanges to stop trading immediately.

The protocol has requested users to stop trading aBNB, and liquidity providers should remove liquidity from DEXes and keep the aBNBc.

Furthermore, Ankr claims that it is in touch with DEXes and will reissue tokens after evaluating the situation. the protocol suspects that it is an insider job and is devising a plan to compensate impacted users.

**What Happened to Stolen Funds?**

According to PeckShield’s **tweet**, hacker(s) transferred some funds to a decentralized cryptocurrency tumbler, Tornado Cash. It is worth noting that **Tornado Cash was blacklisted** by the US government in August 2022.

A portion of these funds was bridged through Celer and deBridgeGate. Therefore, they shifted 20 trillion of the stolen tokens into Helio, a decentralized lending protocol, and converted them into Binance Coin (BNB). Using crypto mixer Tornado Cash, they swapped the BNB for $5 million of USDC, which is equivalent to the US dollar.

1.  **Ankr Confirms Providing RPC to Sui Blockchain**
2.  **Ankr Launches Chainscanner Blockchain Explorer Tool**
3.  **Ankr Becomes First RPC Provider to the Aptos Blockchain**
4.   **Harmony’s Horizon Blockchain Bridge Hacked to Steal $100 Million**
5.  **$625m Stolen From Ronin – The Blockchain Behind Axie Infinity Game**

6 Quadrillion Token Heist Hits BNB Chain-Based DeFi Protocol Ankr

By Deeba Ahmed
Hackers are using compromised platform certificates to sign Android malware apps.
This is a post from HackRead.com Read the original post: Malware Apps Signed with Compromised Android Platform Certificates

Google’s Android security team has reported that hackers signed malicious applications using several compromised Android platform certificates. This incident also reminds us of **what happened in March 2020** when threat actors were found dropping info-stealer malware with fake security certificate alerts.

What are Platform Certificates? For your information, platform certificates are digital keys, trusted and owned by specific device original equipment manufacturers (OEMs). These are used for signing their core apps. Therefore, attackers abuse them to sign malicious apps to obtain root access as legit apps, causing serious trouble for unsuspecting users.

Every device OEM has numerous trusted certificates for signing the platform’s core apps. This is just like verifying docs with a signature to allow the signed apps to gain root privileges and let the system function optimally.

**Findings Details**

Threat actors are abusing platform certificates used by reputed Android smartphone makers, including LG Electronics, Samsung, Revoview, and Media Tek, for signing malware-infected apps. This was discovered first by Google Android Security Team’s reverse engineer Łukasz Siewierski. 

As per Siewierski, if a malicious app is signed with the same certificate for gaining the highest privilege level as the Android OS, it is possible to extract sensitive data of all kinds from the compromised device. That’s because the Android app runs with a “highly privileged user ID” dubbed android.uid.system. It holds a variety of system permissions, such as permission to access user data.

Google also published a list of malware samples signed using 10 platform certificates, which were also noted in the Android Partner Vulnerability Initiative (AVPI) issue tracker:

com.attd.da  
com.arlo.fappx  
com.android.power  
com.houla.quicken  
com.metasploit.stage  
com.sledsdffsjkh.Search  
com.management.propaganda  
com.sec.android.musicplayer  
com.russian.signato.renewis  
com.vantage.ectronic.cornmuni

**How Hackers Obtained these Certificates?**

The biggest mystery surrounding this data harvesting campaign is how the threat actors accessed these certificates. It could be possible that someone working with the company leaked them.

The apps signed with the abovementioned OEMs’ platform certificates contained HiddenAd trojans, Metasploit, info stealers, and malware droppers, with the objective of delivering additional malware or harvesting device users’ data.

Google has informed impacted manufacturers about its findings and urged them to rotate these certificates. The company confirmed that there’s no evidence that the apps were delivered via its **official Play Store.**

“Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android,” Google stated.

1.  **Bahamut Using Fake VPN Apps to Steal Android User Credentials**
2.  **Schoolyard Bully Malware Stealing Facebook Credentials on Android**
3.  **42,000 phishing domains discovered masquerading as popular brands**
4.  **Crooks Hack World Bank SSL Certificate, Hosted PayPal Phishing Scam**
5.  **Fake Banking Rewards Apps Install Info-stealing RAT on Android Phones**

Malware Apps Signed with Compromised Android Platform Certificates

By Deeba Ahmed
The campaign is ongoing, and so far, Schoolyard Bully Malware has victimized over 300,000 Facebook users on Android devices across 71 countries.
This is a post from HackRead.com Read the original post: Schoolyard Bully Malware Stealing Facebook Credentials on Android

Mobile security company Zimperium’s zLabs has released a warning about a notorious Android trojan that has stolen around 300,000 credentials of Facebook users.

According to zLabs, Schoolyard Bully malware is the name of malware used in a brand-new Android threat campaign that has been active since at least 2008. The attackers specifically target Facebook user credentials, and the malware is found in several applications downloaded from **third-party app stores** and the Google Play Store.

The malware’s primary targets are based in Vietnam. However, zLabs researchers claim that over 300,000 victims have been identified so far, and they are located in 71 different countries since the apps were available via third-party app stores while Google Play Store has removed them from its official store.

**Trojan Details**

Schoolyard Bully malware is delivered via harmless-looking Android apps, mostly educational apps. Malicious code is hidden inside these apps, which can **steal Facebook credentials** and upload them to the Firebase C&C for threat actors. The trojan relies on JavaScript injections to display phishing pages that lure users into handing over their Facebook username/password. 

Threat actors leverage the trojan to obtain user credentials and successfully access financial accounts. Around 64% of the users used the same passwords already exposed in an earlier breach. Perhaps, this has allowed the trojan to remain active for years.

To remain hidden from antivirus software and machine learning virus detections, Schoolyard Bully Trojan uses native libraries such as libabc.so to store the stolen data. Data strings are hidden from detection software through further encoding. Moreover, the malicious educational apps are hidden in a **password-protected ZIP**.

Malicious apps (left) – Facebook phishing page (right) – Image credit: Zimperium

**What Date can be Stolen?**

The Schoolyard Bully malware can steal sensitive data from innocent users’ Facebook accounts, including user ID, password, email ID, phone number, Facebook profile name, Facebook ID, and device-related information such as device RAM and API.

Zimperium researchers have **released technical information** about the campaign and its indicators of compromises, which can help detect Schoolyard Bully malware.

1.  **9 apps with 6M installs stole Facebook logins of Android users**
2.  **Mandrake Android malware stealing Facebook, crypto data since 2016**
3.  **Fake Netflix, WhatsApp, Facebook Android Apps Contain SpyNote RAT**
4.  **Facebook removes 100s of accounts for spreading iOS, Android malware**
5.  **Cookiethief Android malware hacks Facebook accounts without password**