Plus: Apple warns iPhone users about spyware attacks, CISA issues an emergency directive about a Microsoft breach, and a ransomware hacker tangles with an unimpressed HR manager named Beth.

After months of delays, the US House of Representatives voted on Friday to extend a controversial warrantless wiretap program for two years. Known as Section 702, the program authorizes the US government to collect the communications of foreigners overseas. But this collection also includes reams of communications from US citizens, which are stored for years and can later be warrantlessly accessed by the FBI, which has heavily abused the program. An amendment that would require investigators to obtain such a warrant failed to pass.

A group of US lawmakers on Sunday unveiled a proposal that they hope will become the country’s first nationwide privacy law. The American Privacy Rights Act would limit the data that companies can collect and give US residents greater control over the personal information that is collected about them. Passage of such legislation remains far off, however: Congress has attempted to pass a national privacy law for years and has thus far failed to do so.

Absent a US privacy law, you’ll need to take matters into your own hands. DuckDuckGo, the privacy-focused company famous for its search engine, now offers a new product called Privacy Pro that includes a VPN, a tool for having your data removed from people-search websites, and a service for restoring your identity if you fall victim to identity theft. There are also steps you can take to wrench back some of the data used to train generative AI systems. Not all systems out there offer the option to opt out of data collection, but we have a rundown of the ones that do and how to keep your data out of AI models.

Data collection isn’t the only risk associated with AI advancements. AI-generated scam calls are becoming more sophisticated, with cloned voices sounding eerily like the real thing. But there are precautions you can take to protect yourself from getting swindled by someone using AI to sound like a loved one.

Change Healthcare’s ongoing ransomware nightmare appears to have gotten worse. The company was originally targeted by a ransomware gang known as AlphV in February. But after the hackers received a $22 million payment early last month, a rift appeared to grow between AlphV and affiliate hackers, who say AlphV took the money and ran without paying other groups that helped them carry out the attack. Now, another ransomware group, RansomHub, claims it has terabytes of Change Healthcare’s data and is attempting to extort the company. Service disruptions caused by the ransomware attack have impacted healthcare providers and their patients across the US.

That’s not all. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The streaming video service Roku warned customers Friday that 576,000 accounts had been compromised, a breach it discovered in the midst of its investigation of a far smaller-scale intrusion that it dealt with in March. Roku said that rather than actually penetrating Roku’s own network through a security vulnerability, the hackers had carried out a “credential-stuffing” attack in which they tried passwords for users that had leaked elsewhere, thus breaking into accounts where users had reused those passwords. The company noted that in less than 400 cases, hackers had actually exploited their access to make purchases with the hijacked accounts. But the company nonetheless reset users’ passwords and is implementing two-factor authentication on all user accounts.

**Apple Notifies Users of Mercenary Spyware Infections**

Apple sent notices via email to users in 92 countries around the world this week, warning them that they had been targeted by sophisticated “mercenary spyware” and that their devices may be compromised. The notice stressed that the company had “high confidence” in this warning and urged potential hacking victims to take it seriously. In a status page update, it suggested that anyone who receives the warning contact the Digital Security Helpline of the nonprofit Access Now and enable Lockdown Mode for future protection. Apple didn’t offer any information publicly about who the hacking victims are, where they’re located, or who the hackers behind the attacks might be, though in its blog post, it compared the malware to the sophisticated Pegasus spyware sold by the Israeli hacking firm NSO Group. It wrote in its public support post that it’s warned users in a total of 150 countries about similar attacks since 2021.

**CISA Warns Federal Agencies to Look Out for Russian Hackers Stealing Emails**

April continues to be the cruelest month for Microsoft—or perhaps Microsoft’s customers. On the heels of a Cybersecurity Review Board report on Microsoft’s previous breach by Chinese state-sponsored hackers, the Cybersecurity and Infrastructure Security Agency (CISA) published a report this week warning federal agencies that their communications with Microsoft may have been compromised by a group known as APT29, Midnight Blizzard, or Cozy Bear, believed to work on behalf of Russia’s SVR foreign intelligence agency. “Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” CISA said in the emergency directive. As recently as March, Microsoft said that it was still working to expel the hackers from its network.

**When a Ransomware Hacker Calls a Victim Company’s Front Desk**

As ransomware hackers seek new ways to bully their victims into giving in to their extortion demands, one group tried the novel approach of calling the front desk of the company it had targeted to verbally threaten its staff. Thanks to one HR manager named Beth, that tactic ended up sounding about as threatening as a clip from an episode of _The Office_.

TechCrunch describes a recording of the conversation, which a ransomware group calling itself Dragonforce posted to its dark-web site in a misguided attempt to pressure the victim company to pay. (TechCrunch didn’t identify the victim.) The call starts like any tedious attempt to find the right person after calling a company’s publicly listed phone number, as the hacker waits to speak to someone in “management.”

Eventually, Beth picks up and a somewhat farcical conversation ensues as she asks that the hacker explain the situation. When he threatens to make the company’s stolen data available for “fraudulent activities and for terrorism by criminals,” Beth responds “Oh, ok,” in an altogether unimpressed tone. She then asks if the data will be posted to “Dragonforce.com.” At another point, she notes to the increasingly frustrated hacker that recording their call is illegal in Ohio, and he responds, “Ma’am, I am a hacker. I don’t care about the law.” Finally, Beth refuses to negotiate with the hacker with a “Well, good luck,” to which the hacker responds, “Thank you, take care.”

Roku Breach Hits 567,000 Users

By Deeba Ahmed
Apple has issued iPhone security alerts to 92 countries, stating that their devices have been targeted by a mercenary spyware attack, expressing high confidence in the warning.
This is a post from HackRead.com Read the original post: iPhone Users in 92 Countries Targeted by Mercenary Spyware Attacks

Apple has issued security alerts to millions of iPhone users across 92 countries, stating that their devices are being targeted by mercenary spyware. The alerts suggest that the attack is likely targeting users based on their identity or activities.

Apple has been informing users of threats for years, targeting journalists and politicians in over 150 countries since 2021. Some users have found invasive Pegasus spyware on their iPhones, created by Israeli spyware maker NSO Group. However, the company hasn’t provided any official numbers in the current case.

Apple’s threat notification (Read Apple’s updated statement here)

****Apple Requests Users to Take It Seriously!****

As reported by The Economic Times, Apple has stated in the warning email that the attack is likely targeted due to specific characteristics or actions, urging users to take it seriously.

A targeted mercenary spyware attack could remotely access sensitive data, communications, or even the camera and microphone, according to Apple’s threat notification email.

Despite the Indian government’s opposition to security alerts by Apple, India is among the countries affected by this issue, and it’s unclear if US iPhone owners were targeted, as Apple hasn’t provided any further details.

Apple has sent multiple alerts to over 150 countries since 2021 and it previously sued Israeli firm NSO Group for aiding adversaries in targeting iPhone users. Moreover, Apple has been releasing iOS updates to address potential spyware attacks, often as emergency security measures, especially when an iPhone flaw is already being exploited.

If you have received this notification, remember that Apple has dedicated a page to offer guidance on changing passwords and enabling two-factor authentication to enhance security.

****What are Mercenary Attacks?****

Mercenary attacks are targeted spyware attacks, which are a unique type of cyberattacks that targets specific individuals based on their profession, social status, or access to sensitive information. They use sophisticated spyware, like Pegasus, to infiltrate devices and gather vast amounts of data.

These attacks, are expensive and require extensive resources to execute. Mercenary attacks are rare and complex cybercrimes, costing millions and targeting a small number of people worldwide, according to a company email.

Brian Higgins, security specialist at Comparitech commented on the issue. _“_There have been enough periodic Pegasus activations in recent years for those who are regularly targeted to hopefully have some kind of response or mitigation plans in place,_“_ he said.

_“_Most often journalists and activists in jurisdictions of risk are targeted as they are vulnerable to intervention, prosecution and attack by the regimes they challenge – and data harvested in these breaches can facilitate all of these activities,_“_ Brain warned.

_“_It’s rather a disappointing buck-passing exercise for Apple to direct them to a third party, non-profit Security Helpline, given the history of implications for individual targets in previous incidents. You’d think as proprietors of a vulnerable platform, they would offer to help out themselves._“_

1.  Apple Issues Urgent Security Patches for Zero-Day Flaws
2.  iLeakage Attack: Theft of Data from Apple’s Safari Browser
3.  QuaDream, Israeli iPhone hacking spyware firm, to shut down
4.  Fake Lockdown Mode Exposes iOS Users to Malware Attacks
5.  iPhone Spyware Exploits Obscure Chip Feature, Hits Researchers

iPhone Users in 92 Countries Targeted by Mercenary Spyware Attacks

Apple has sent alerts to people in 92 nations to say it's detected that they may have been a victim of a mercenary attack.

Apple has reportedly sent alerts to individuals in 92 nations on Wednesday, April 10, to say it’s detected that they may have been a victim of a mercenary attack. The company says it has sent out these types of threat notifications to over 150 countries since the start in 2021.

Mercenary spyware is used by governments to target people like journalists, political activists, and similar targets, and involves the use of sophisticated tools like Pegasus. Pegasus is one of the world’s most advanced and invasive spyware tools, known to utilize zero-day vulnerabilities against mobile devices.

The second number became known when Apple changed the wording of the relevant support page. The change also included the title that went from “About Apple threat notifications and protecting against **state-sponsored attacks**” to “About Apple threat notifications and protecting against **mercenary spyware**.”

If you look at the before and after, you’ll also notice an extra paragraph, again with the emphasis on the change from “state-sponsored attacks” to “mercenary spyware.”

The cause for the difference in wording might be because “state-sponsored” is often used to indicate attacks targeted at entities, like governments or companies, while these mercenary attacks tend to be directed at individual people.

The extra paragraph specifically calls out the NSO Group and the Pegasus spyware it sells. While the NSO Group claims to only sell to “government clients,” we have no reason to take its word for it.

Apple says that when it detects activity consistent with a mercenary spyware attack it uses two different means of notifying the users about the attack:

*   Displays a Threat Notification at the top of the page after the user signs into appleid.apple.com.
*   Sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.

Apple says it doesn’t want to share information about what triggers these notifications, since that might help mercenary spyware attackers adapt their behavior to evade detection in the future.

The NSO Group itself argued in a court case started by Meta for spying on WhatsApp users, that it should be recognized as a foreign government agent and, therefore, be entitled to immunity under US law limiting lawsuits against foreign countries.

NSO Group has also said that its tool is increasingly necessary in an era when end-to-end encryption is widely available to criminals.

**How to stay safe**

Apple advises iPhone users to:

*   Enable Lockdown mode.
*   Keep devices up to date.
*   Protect devices with a passcode.
*   Use Multi-Factor-Authentication (MFA) for your Apple ID.
*   Only install apps from the App Store.
*   Use strong and unique passwords online.
*   Don’t click on links or attachments from unknown senders.

We’d like to add:

*   Use an anti-malware solution on your device.
*   If you’re not sure about something that’s been sent to you, verify it with the person or company via another communcation channel.
*   Use a password manager.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple warns people of mercenary attacks via threat notification system 

In new threat notification information, Apple singled out Pegasus vendor NSO Group as a culprit in mercenary spyware attacks.

Source: nk Drop via Shutterstock

Apple this week updated its spyware threat notification system to alert and assist users it identifies as targeted by mercenary spyware attacks.

To date, Apple has spotted and alerted users in more than 150 countries that they were targeted in these attacks.

Such spyware attacks target individuals largely because of who they are and what they do, Apple said. While most people will never be targeted by these types of attacks, a small number of people — journalists, activists, politicians, and the like — will potentially be victimized. 

Apple said once it detects spyware it notifies the user within two days. The vendor does provide threat actor attribution, however.

In its notice, Apple pointed fingers at the NSO Group, one of the private companies that develops the mercenary spyware Pegasus that is used in such attacks. "According to public reporting and research by civil society organizations, technology firms, and journalists, individually targeted attacks of such exceptional cost and complexity have historically been associated with state actors, including private companies," stated the notice on Apple's support page. 

Should an individual receive a threat notification, Apple recommends that they seek the help of either Apple or a third party. Apple's notifications never ask the user to click on any link or install an application; the threat notification can be verified simply by signing into applied.apple.com, where the notification will be at the top of the page. 

**About the Author(s)**

Apple Warns Users in 150 Countries of Mercenary Spyware Attacks

Apple on Wednesday revised its documentation pertaining to its mercenary spyware threat notification system to mention that it alerts users when they may have been individually targeted by such attacks.
It also specifically called out companies like NSO Group for developing commercial surveillance tools such as Pegasus that are used by state actors to pull off "individually targeted

Apple Expands Spyware Alert System to Warn Users of Mercenary Attacks

By Waqas
Another day, another malware threat!
This is a post from HackRead.com Read the original post: New Latrodectus Downloader Malware Linked to IcedID and Qbot Creators

Image credit: Hackread.com

A new malware threat named Latrodectus has emerged, bypassing detection methods and linked to the developers behind IcedID. This downloader malware empowers cybercriminals (including infamous actors like TA577 and TA588) to breach systems and deploy various malicious payloads.

Cybersecurity researchers at Proofpoint have identified a new malware threat dubbed “Latrodectus.” First observed in November 2023, Latrodectus is a downloader malware used by cybercriminals to gain initial access to victim systems and deploy further malicious payloads.

This malware poses a major threat due to its ability to evade detection techniques commonly employed in sandboxes, which are security environments used to analyze suspicious code.

****Latrodectus: A New Player with Familiar Traits****

Initial analysis suggested Latrodectus might be a variant of the notorious IcedID malware. However, further investigation revealed it to be an entirely new strain, likely created by the same developers behind IcedID. This connection is supported by shared infrastructure and code characteristics.

****Initial Access Brokers Leverage Latrodectus****

Proofpoint report shared with Hackread.com on Thursday 04, 2024 ahead of publication on Tuesday attributes Latrodectus to two specific threat actors: TA577 and TA578. It is worth mentioning that TA578 is known for delivering malware threats like BazaLoader, Cobalt Strike, Ursnif, and KPOT Stealer.

On the other hand, TA577 is infamous for having served as a key affiliate of the Qbot network until its recent disruption. TA577 has been linked by Proofpoint to various campaigns, with subsequent ransomware infections such as Black Basta being notably attributed to them.

These actors are classified as Initial Access Brokers (IABs), specializing in gaining initial footholds within victim networks. Latrodectus serves as their tool to establish a foothold and potentially deploy ransomware or other malicious tools.

Commenting on this, Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit told Hackread.com, _“_Battling eCrime is similar to moving a couch where roaches live, they simply run to another piece of furniture or room nearby to seek harbour and continue business as normal, despite any actions taken by the homeowner._“_

_“_Latrodectus has powerful components upon its emergence, capable of defeating sandboxes, use of RC4 encrypted command and control communications, and more,_“_ Ken warned. _“_It appears likely that actors behind QBot felt the heat from takedowns last year, migrating to this new code base and infrastructure in the fall of 2023._“_

While Latrodectus activity dropped in December 2023 and January 2024, Proofpoint reports a surge in campaigns throughout February and March 2024. This suggests a growing adoption of Latrodectus by cybercriminals.

The specific payloads delivered by Latrodectus remain unknown, but its downloader functionality allows attackers to deploy a wide range of tools through malicious emails depending on their objectives.

Two of the malicious emails used in the campaign to spread Latrodectus (Screenshot: Proofpoint)

While technical details of Latrodectus’s modus operandi are available in Proofpoint’s blog post, here are some to mitigate the risk of Latrodectus:

*   **Maintain strong cybersecurity hygiene:** Regularly update software and firmware on all devices. Utilize robust security solutions with advanced malware detection capabilities.
*   **Be cautious of suspicious emails:** Phishing emails are a common method for distributing malware. Be wary of unsolicited attachments and links.
*   **Educate employees:** Train employees on cybersecurity best practices, including email security awareness and the importance of reporting suspicious activity.

1.  New Malware “BunnyLoader 3.0” Steals Credentials
2.  WordPress Websites Hacked with New Sign1 Malware
3.  TheMoon Malware Hacks 6,000 Asus Routers in 72 Hours
4.  AcidRain Linux Malware Variant “AcidPour” Targeting Ukraine
5.  New Vcurms Malware Targets Popular Browsers for Data Theft

New Latrodectus Downloader Malware Linked to IcedID and Qbot Creators

A China-linked threat actor had access to a router configuration database that could have completely disrupted coverage, a security vendor says.

Source: rarrarorro via Shutterstock

About six months before the 2022 FIFA World Cup soccer tournament in Qatar, a threat actor — later identified as China-linked BlackTech — quietly breached the network of a major communications provider for the games and planted malware on a critical system storing network device configurations.

The breach remained undetected until six months after the games, when researchers at NetWitness spotted it during a routine audit for the service provider. During that period, the cyber-espionage group gathered up an unknown volume of data from targeted customers of the telecommunications provider — including those associated with the World Cup and vendors providing services for it.

**A Near Miss**

But it's the "what else could have happened" that's the really scary part, says Stefano Maccaglia, global practice manager, incident response, at NetWitness, discussing the incident for the first time with Dark Reading recently.

The access that BlackTech had on the telecom provider's system would have allowed the threat actor to completely disrupt key communications — including all streaming services associated with the game. The fallout from such a disruption would have been substantial in terms of geopolitical implications, brand damage, national reputation, and potentially hundreds of millions of dollars in losses from the licensing rights and ads negotiated prior to the World Cup, Maccaglia says.

"We are normally very collected, but in this case, we were terrified," Maccaglia says of NetWitness' discovery. "The threat actor literally had their finger on the button but didn't push it."

NetWitness' involvement in the Qatar World Cup began in 2022, about six months before the event, when several local service providers hired the company to assess the cybersecurity preparedness of some of the supporting IT infrastructure for the games. Like with other security vendors involved in the effort, the telecom provider gave NetWitness access to a substantial portion of its tech stack and environment — but not to all of it.

According to Maccaglia, the NetWitness team detected and remediated several issues on parts of the provider's tech stack to which the company had access. But it wasn't until early 2023 that the service provider finally opened up the rest of the environment to NetWitness for additional auditing. This was when NetWitness unearthed log activity suggesting that someone had gained access to the provider's network.

**A Rootkit and a Backdoor**

The company's subsequent investigation showed the attacker had planted a sophisticated rootkit and a backdoor, dubbed Waterbear, on a critical configuration management database (CMDB) storing device configurations for the provider's customers. NetWitness found the attackers had used PLEAD — a remote access Trojan commonly associated with the BlackTech APT — to target additional systems within the environment.

"The attacker aimed to control this database \[from\] the beginning, because it would allow him/her to swap configurations on the fly and revert them back, once finished, leaving no traces," Maccaglia says.

BlackTech is a threat actor that the US Cybersecurity and Infrastructure Security Agency (CISA) last year identified as a threat to organizations in the telecommunications, technology, media, electronics, and industrial sectors. In an advisory, CISA described the threat actor (aka Radio Panda, Circuit Panda, Temp.Overboard, and Palmerworm) as particularly adept at modifying router malware without detection and the exploiting routers' domain-trust relationships to gain access to victim networks. "BlackTech actors' TTPs include developing customized malware and tailored persistence mechanisms for compromising routers," CISA noted. "These TTPs allow the actors to disable logging and abuse trusted domain relationships to pivot between international subsidiaries and domestic headquarters' networks."

In the attack on the telecom provider in Qatar, BlackTech actors used their access to the CMDB to change configurations on Asus routers associated with various organizations in such a manner as to make systems belonging to these organizations become accessible over the Internet. They then uploaded PLEAD — concealed in legitimate looking software updates from Asus — to these systems by modifying the DNS resolution of asus.com. The threat actor then leveraged PLEAD to steal data from the victim organizations. Among the systems infected in this manner were those associated with the World Cup games. The attackers would change the router config details for a few hours at a time and then revert back to the original rules to minimize the chances of detection, Maccaglia says.

**Worrying Lack of Visibility**

The fact that no one was able to spot the intrusion in the months leading up to the World Cup, during the event, or for months later is worrisome, Maccaglia says. With the countdown for the 2024 Summer Olympics well underway, it is imperative that the entire technology stack supporting the games be vetted for security issues, he says.

The Olympics, like other major sporting events, such as the Super Bowl, have become huge cyberattack targets in recent years. In 2019, for instance, a threat group later identified and linked to Russia's military intelligence also attempted to disrupt the opening of the Winter Olympics in South Korea after Russian athletes were banned from participating over doping concerns.

"As we saw with the World Cup, threats can live in obscure places and keep a very low profile," Maccaglia says, adding, "You can't find what you aren't allowed to look for," in advocating for broader visibility for companies like NetWitness into the entire supporting infrastructure for the game.

"When you behave as if there's always a threat present, you put yourself in a position to mitigate damage and, potentially, get ahead of the threat in the environment," he says. "This will be critical for the 2024 Summer Games."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

How Soccer's 2022 World Cup in Qatar Was Nearly Hacked

ASUS Control Center Express version 01.06.15 suffers from an unquoted service path vulnerability.

    # Exploit Title: ASUS Control Center Express 01.06.15 - Unquoted Service PathPrivilege Escalation# Date: 2024-04-02# Exploit Author: Alaa Kachouh# Vendor Homepage:https://www.asus.com/campaign/ASUS-Control-Center-Express/global/# Version: Up to 01.06.15# Tested on: Windows# CVE: CVE-2024-27673===================================================================ASUS Control Center Express Version =< 01.06.15 contains an unquotedservice path which allows attackers to escalate privileges to the systemlevel.Assuming attackers have write access to C:\, the attackers can abuse theAsus service "Apro console service"/apro_console.exe which upon restartingwill invoke C:\Program.exe with SYSTEM privileges.The binary path of the service alone isn't susceptible, but upon itsinitiation, it will execute C:\program.exe as SYSTEM.Service Name: AProConsoleServicebinary impacted: apro_console.exe# If a malicious payload is inserted into C:\  and service is executed inany way, this can grant privileged access to the system and performmalicious activities.

ASUS Control Center Express 01.06.15 Unquoted Service Path

By Waqas
A new variant of "TheMoon Malware" has emerged, specifically targeting vulnerable IoT devices, particularly Asus routers.
This is a post from HackRead.com Read the original post: TheMoon Malware Returns: 6,000 Asus Routers Hacked in 72 Hours

Is your router outdated? Millions are at risk as a new variant of TheMoon malware infects devices in just 72 hours. Learn how to protect yourself from this cyberattack and secure your home network.

A multi-year campaign targeting vulnerable home and small business routers has come to light thanks to a recent report by Black Lotus Labs, a security research team at Lumen Technologies. The campaign leverages an updated version of a well-known malware strain called “TheMoon.”

TheMoon malware first emerged in 2014 and has a history of exploiting weaknesses in routers and Internet of Things (IoT) devices. This latest campaign, however, appears to be particularly widespread, infecting devices across 88 countries.

According to the Black Lotus Labs report, the attackers primarily focused on end-of-life (EoL) routers, meaning devices no longer receive security updates from the manufacturer. ASUS routers were the most targeted, with over 6,000 infected in just 72 hours in early March 2024.

The attackers’ goal appears to be the creation of a large network of compromised devices. By infecting routers and IoT devices, they can add them to a service known as “Faceless.” Faceless operates as a proxy service, allowing malicious actors to anonymize their online activities. This anonymization can make it difficult to track the source of cyberattacks and other criminal operations.

Jason Soroko, Senior Vice President of Product at Sectigo told Hackread.com that, _“_Routers and other networking equipment that use passwords have been easy victims to pray and spray attacks for years._“_

_“_Unfortunately, stronger forms of authentication are not common. What’s new here is the usage of proxy networks for C2 traffic obfuscation. It shows that de-anonymizing Tor and VPN traffic is not only happening but has been successfully used against attackers,_“_ Jason added.

To protect your devices from the latest variant of TheMoon malware or similar attacks; always follow these steps:

*   **Update your router and IoT devices regularly.** Check the manufacturer’s website for instructions on how to update the firmware for your specific device.
*   **Disable remote access to your router.** This can be done through the router’s administration panel.
*   **Use strong passwords for your router and Wi-Fi network.** Avoid using easily guessable passwords or default settings.
*   **Consider a security solution for your home network.** There are several security products available that can help to protect your network from malicious activities.

There are many more technical details and aspects addressed in the Black Lotus Labs blog post.

1.  How To Keep Your Router And WiFi Safe From Hackers
2.  DDoS Botnet ‘Condi’ Targets Vulnerable TP-Link AX21 Routers
3.  Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation
4.  D-Link home routers plagued with critical & multiple vulnerabilities
5.  415,000 routers infected by crypto malware – Prime target MikroTik

TheMoon Malware Returns: 6,000 Asus Routers Hacked in 72 Hours

By Deeba Ahmed
New Dark Web Tool GEOBOX, sold for $700 on Telegram and underground forums, hijacks Raspberry Pi, allowing cybercriminals to fake locations and evade detection.
This is a post from HackRead.com Read the original post: New GEOBOX Tool Hijacks Raspberry Pi, Lets Hackers Fake Location

Cybercriminals now repurpose devices like Raspberry Pi into ‘plug-and-play’ weapons for digital fraud. With GEOBOX on the Dark Web, their capabilities are even more sophisticated, enabling manipulation of GPS, network simulation, Wi-Fi mimicry, and anti-fraud filter evasion.

Cybercriminals are targeting IoT devices for illicit activities through OPSEC techniques and customizable settings, allowing these devices to operate without logs and ensure anonymity for perpetrators, reveals research from the US-based cybersecurity solutions and services provider, Resecurity. 

According to Resecurity’s Cyber Threat Intelligence team, a significant discovery has been made on the Dark Web: a malicious tool known as GEOBOX. This tool can turn ordinary IoT hardware into powerful weapons for cybercriminals. GEOBOX represents a “paradigm shift in cybercriminal tactics,” highlighting the evolving nature of threats in the digital landscape.

GEOBOX is being sold on Telegram (Screenshot credit: Resecurity)

GEOBOX is a powerful, deceptive tool specifically designed for the Raspberry Pi 4 Model B devices to facilitate cybercriminals in anonymization and fraud. It was first discovered while investigating an online banking theft involving a high-net-worth (HNW) client of a Fortune 100 financial company, prompting researchers to dig deeper into its workings.

The emergence of GEOBOX is not unexpected, appearing shortly after the discovery of another dark web tool known as TMChecker. TMChecker has been arming ransomware gangs, specifically targeting the e-commerce and aviation industries with precision cyberattacks.

The research blog, shared by Resecurity with Hackread.com, ahead of publication on Monday revealed that threat actors have already used multiple internet-connected GEOBOX devices as proxies, each placed at a strategic remote location, enhancing their anonymity.

This complicated the investigation and tracking process, as GEOBOX devices do not store logs by default. Resecurity observed a bad actor using GEOBOX with two LTE-based wireless modems for enhanced anonymization, particularly in remote connections.

The package can be rented for a lifetime fee of $700 or a monthly rate of $80, payable in cryptocurrency and advertised on major underground forums and Telegram. The user manual provides clear instructions on the download and installation of the Raspberry Pi OS using Raspberry Pi Imager, how to obtain the GEOBOX Software Image and work with the GEOBOX software.

It is a feature-rich tool, including WebRTC IP for discreet online communication, GPS spoofing for geolocation manipulation, and the ability to mask Wi-Fi MAC addresses. The device requires at least 4 GB of RAM, but an 8 GB version is also available offering superior performance. 

Further, it connects to the internet via Ethernet or USB modem and offers various tabs like INTERNETBOX, MIDDLEBOX, Proxy, VPN, and Wi-Fi, each providing specific functionalities. Users can configure various internet connection types, including VPN protocols like L2TP, PPTP, L2TP-IPsec, Wireguard, SSTP, Zerotier, and OpenVPN, and even create a VPN tunnel within another VPN tunnel. 

GEOBOX can help threat actors in cyberattack coordination, dark web market operations, sophisticated financial frauds, circumvention of government censorship, anonymous malware distribution, credential stuffing campaigns, disinformation campaigns, surveillance evasion in authoritarian regimes, content piracy and geo-restriction bypassing, and network security testing.

That’s not all. Cybercriminals can also use GEOBOX to fake their geographical location using a GPS-like driver, bypassing location verification checks on websites like Whoer.net and browserleaks.com, and creating customized accounts on popular platforms like Google and Amazon.

The emergence of GEOBOX necessitates robust digital risk monitoring and endpoint protection strategies, making collaboration between law enforcement agencies, deployment of proactive measures, and continuous innovation in cybersecurity strategies fundamental to counter such threats effectively.

1.  Kaspersky’s iShutdown Tool Detects Pegasus Spyware
2.  New Dark Web Market Styx: Focuses on Money Laundering
3.  USB Wormable Raspberry Robin Malware Hits Windows PCs
4.  Building Your Defense Toolbox: Tools to Combat Cyber Threats
5.  Following WormGPT, FraudGPT Emerges for AI-Driven Cyber Crime

Tag

#asus