By Waqas
One in five children aged 10-16 in the UK have engaged in online activities that violate the Computer Misuse Act, NCA has revealed.
This is a post from HackRead.com Read the original post: 1 in 5 Youth Engage in Cybercrime, NCA Finds

A recent report by the National Crime Agency (NCA) has revealed a disturbing trend: one in five children aged 10-16 in the UK have engaged in online activities that violate the Computer Misuse Act. This raises serious concerns about the increasing prevalence of cybercrime among young people and stresses the urgent need for greater awareness and education.

The report, based on a comprehensive survey, highlights several concerning online behaviours, including:

*   **Unauthorized access to computer systems or data:** This encompasses hacking into someone else’s account, downloading illegal software, or accessing restricted information.
*   **Cyberbullying and harassment:** Online harassment and bullying can have severe consequences for both the victim and the perpetrator, inflicting emotional distress and potentially leading to real-world harm.
*   **Copyright infringement:** Downloading or sharing copyrighted material without permission, such as music, movies, or software, is illegal and can have legal repercussions.
*   **Online gaming offenses:** This encompasses activities like making in-game purchases without permission, using cheats or hacks to gain an unfair advantage, or engaging in distributed denial-of-service (DDoS) attacks that disrupt online services.

The NCA emphasizes that many children may unknowingly engage in these activities, unaware of the legal implications and potential consequences. This underlines the critical need for open communication between parents, educators, and children about online safety and responsible behaviour.

The report also stresses the importance of proactive education and awareness campaigns targeted at both children and adults. Educating young people about cybercrime, its various forms, and the legal ramifications associated with it can significantly deter them from engaging in risky online behaviour.

Furthermore, the NCA advocates for promoting positive alternatives to encourage children to engage in safe and productive online activities. This can involve fostering their interest in educational resources, creative pursuits, and responsible online communities.

While the report paints a concerning picture, it is crucial to remember that not all online activity by children is illegal. It is essential to distinguish between harmless exploration and deliberate malicious intent based on the specific details and context surrounding each case.

> _“Many young people are getting involved in cybercrime without realising that they are breaking the law. Our message to these teenagers is simple – don’t play games with your future. Whether you engage in this behaviour knowingly or without realising, you are committing an offence – and could face serious consequences for your actions.”_
> 
> _“We’d encourage any concerned parents and teachers to speak to young people with an interest in tech, help them understand the dangers, and highlight the many rewarding and varied careers available to them. Our Cyber Choices team are here to help children, teachers and parents with advice and guidance.”_
> 
> Paul Foster – NCA Deputy Director and Head of the National Cyber Crime Unit

The NCA’s report should be a wake-up call, urging parents, educators, and policymakers to work collaboratively to address the growing issue of cybercrime among young people. By fostering open communication, promoting education and awareness, and encouraging responsible online behaviour, we can create a safer and more positive digital environment for future generations.

_**Editor’s Note:** We must have open and honest conversations with young people about their online activities. We need to educate them about the potential risks and consequences of their actions and equip them with the knowledge and skills to navigate the online world safely and responsibly._

1.  **Kids breach and bypass Linux Mint screensaver lock**
2.  **Snapchat Safety for Parents: How to Safeguard Your Child**
3.  **13-year-old student arrested for hacking school computers**
4.  **Utilizing Programmatic Advertising to Locate Abducted Children**
5.  **Gender Diversity in Cybercrime Forums: Women Users on the Rise**

1 in 5 Youth Engage in Cybercrime, NCA Finds

There was about a 24-hour period where many news outlets reported on a reported DDoS attack that involved a botnet made up of thousands of internet-connected toothbrushes.

Thursday, February 15, 2024 14:00

I’ll be the first to admit that, like many people on the internet last week, I got caught up in the toothbrush distributed denial-of-service attack that wasn’t.  

I had a whole section on it written up in last week’s newsletter, and then I came across Graham Cluley’s blog post debunking the whole thing, and I had to delete it about an hour before the newsletter went live.  

There was about a 24-hour period where many news outlets reported on a reported DDoS attack that involved a botnet made up of thousands of internet-connected toothbrushes, it all started with one international newspaper report, and then was aggregated to death and spread quickly on social media.  

This attack was only a _hypothetical_ that a security researcher posed in an interview but was reported or translated as an attack that happened. 

To me, I think we can all learn from a few major takeaways from this entire saga — myself included.  

It’s easy to see why this was a ready-made story to go viral: It involved a silly device that probably doesn’t need to be connected to the internet anyway, it involved a large number that would grab headlines and it was a DDoS attack, which have suddenly come back in vogue over the past year. 

But, I’ll admit, the aggregated stories seemed a little fishy to me at first, because all the reports didn’t include any specifics about which company was targeted, how long the attack lasted, or the name of the device that was reportedly compromised. 

That last part should be a red flag going forward for any of us wanting to share a meme about something the next time a cybersecurity story goes viral — in my opinion, responsible disclosure of an attack or compromise should always include information about whatever vulnerability it was that was exploited. In this hypothetical scenario, I don’t think an adversary would have been able to compromise an internet-connected toothbrush without first exploiting some sort of vulnerability, which if it’s being reported on in public, should at least include information on patches or mitigations. 

I also think we all need to be asking the fundamental question: Why? In this case, I should have asked myself why an attacker would want to go through the trouble of compromising smart toothbrushes. And what would be the end goal of targeting a private company with a DDoS attack? Likely, it would be to demand a ransom in exchange for the attacker stopping the attack, but without knowing what sector the targeted company was in, it’s tough to guess how profitable that might even be. (For example, a health care agency may be looking to do anything to get back to operating asap, as lives could literally be at stake.) 

And once the attacker compromised a toothbrush, what information can they glean from the user besides their dental hygiene habits? Usually, they’d be looking to steal some sort of personal information, login credentials or financial data that they could then turn around and sell on the dark web. 

Needless to say, there were multiple red flags we all ignored when this story started to spread. And I’m not here to blame anyone in this case; it was all honest mistakes that, all things considered, ended up not being that serious. But the toothbrush botnet that wasn’t does serve as a reminder to all of us to be a bit more mindful before clicking share or posting a story on social media.  

**The one big thing **

Cisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation. Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems. 

**Why do I care? **

Turla has been widely known to target entities across the world using a huge set of offensive tools in geographies including the U.S., European Union, Ukraine and Asia. They’ve previously used malware families such as CAPIBAR and KAZUAR to target Ukrainian defense forces. After Crutch and TinyTurla, Turla has now expanded their arsenal to include the TinyTurla-NG and TurlaPower-NG malware families, while also widening its net of targets to NGOs. 

**So now what? **

Talos has released new ClamAV signatures and Snort rules to protect against TinyTurla and the actors’ actions. We don’t know what the initial access vector is, so it’s tough to give targeted advice on how to avoid this malware, but having any endpoint detection in place will block this “last chance” backdoor.  

**Top security headlines of the week **

**Chinese state-sponsored actor Volt Typhoon may have silently sat on U.S. critical infrastructure networks for more than five years,** according to a new report from American intelligence agencies. According to the advisory, the infamous hacking group has been exploiting vulnerabilities in routers, firewalls and VPNs to target water, transportation, energy and communications systems across the country. Volt Typhoon has been able to control some victims’ surveillance camera systems, and the access could have allowed them to disrupt critical energy and water controls. The actor is known for using living-off-the-land binaries (LoLBins) to remain undetected once they gain an initial foothold. Authorities in Canada, Australia and New Zealand also contributed to last week’s advisory, citing their concern for similar activity in their countries. The FBI’s director recently said in testimony to U.S. Congress that authorities had dismantled a bot network of hundreds of compromised devices that was connected to VoltTyphoon. (Axios, The Guardian) 

**A new spyware network called TheTruthSpy may have compromised hundreds of Android devices using silent tracking apps that users download thinking they’re legitimate.** Security researchers uncovered the information of thousands of devices that have already been compromised, including their IMEI numbers and advertising IDs. TheTruthSpy appears to actively spy on large clusters of victims across Europe, India, Indonesia, the U.S. and U.K. The operators behind TheTruthSpy also did not address a security vulnerability in the software, identified as CVE-2022-0732, which left the victim data they stole potentially vulnerable to other bad actors. These types of stalkerware tools are often used by family members, spouses or peers of victims who want to track their physical locations and spy on messages and phone calls. The spyware is downloaded via an app, which doesn’t appear on the victim’s home screen and operates quietly in the background. (TechCrunch, maia blog) 

**Apple removed a fake LastPass app called “LassPass” after the popular password management service reported it.** The phony LassPass used a similar logo to that of the legitimate LastPass and was up on the App Store for an unknown amount of time. Apple also said it was removing the creator of the app from its Developer Program. This is a very rare case for the Apple App Store, as it has a strict review policy. LastPass released a warning to all users last week of the fake app’s existence, including a link to the legitimate LastPass app. LassPass only had one review on the store, and multiple reviews warning it was fake. However, it’s safe to assume that the app was likely set up as some sort of phishing scam meant to get users to enter their legitimate LastPass login information to be stolen by the fake app’s creator. (Ars Technica, Bleeping Computer) 

**Can’t get enough Talos? **

*   Beers with Talos Ep. #143: The Reddit security diaries 
*   The Need to Know: How are attackers using QR codes in phishing emails and lure documents? 
*   First Microsoft Patch Tuesday zero-day of 2024 disclosed as part of group of 75 vulnerabilities 

**Upcoming events where you can find Talos **

**S4x24** **(March 4 - 27)** 

Miami Beach, Florida 

_To protect themselves during Russian aggression, the Ukrainian military utilizes electronic warfare to blanket critical infrastructure to defeat radar and GPS-guided smart munitions. This has the unintended consequence of disrupting GPS synchrophasor clock measurements and creating service outages on an already beleaguered and damaged transmission electric grid. Joe Marshall from Talos’ Strategic Communications team will tell an incredible story of how a group of engineers and security professionals from a diverse coalition of organizations came together to solve this electronic warfare GPS problem in an unconventional technical way, and helped stabilize parts of the transmission grid of Ukraine._ 

**RSA** **(May 6 - 9)** 

_San Francisco, California_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1      
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515      
**Typical Filename:** IMG001.exe      
**Claimed Product:** N/A      
**Detection Name:** Win.Dropper.Coinminer::1201 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa     
**MD5:** df11b3105df8d7c70e7b501e210e3cc3     
**Typical Filename:** DOC001.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** tmp000c3787   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg

Why the toothbrush DDoS story fooled us all

By Waqas
Is your ChatGPT down? Or, are you experiencing issues accessing ChatGPT? If so, you’re not alone. ChatGPT has…
This is a post from HackRead.com Read the original post: ChatGPT Down? Anonymous Sudan Claims Responsibility for DDoS Attacks

Is your ChatGPT down? Or, are you experiencing issues accessing ChatGPT? If so, you’re not alone. ChatGPT has been encountering service disruptions and numerous errors lately. The cause appears to be DDoS attacks, possibly instigated by Anonymous Sudan.

Anonymous Sudan, a now prominent group of hacktivists, has claimed responsibility for targeting ChatGPT and its parent company, OpenAI, with a series of DDoS attacks.

Anonymous Sudan also referenced alleged tweets attributed to Tal Broda, Head of Research Platform at OpenAI. The screenshots of these tweets depict Tal denying the existence of Palestine and criticizing calls for a ceasefire in Gaza.

According to Anonymous Sudan, they plan to continue their DDoS attacks until OpenAI implements behavioural changes to ChatGPT to prevent the propagation of what they deem as “dehumanizing views of Palestinians.” Additionally, they demand the removal of Tal Broda from his position at OpenAI.

Anonymous Sudan on Telegram (Screenshots: Hackread.com)

On the contrary, ChatGPT’s Status Page confirms service disruptions, including login issues. It also notes an “Elevated error rate impacting ChatGPT,” indicating a higher-than-usual number of errors occurring within the system or process. Such errors could arise from various factors, including faulty hardware, software bugs, network issues, DDoS attacks, or even human error.

Nevertheless, OpenAI is actively monitoring the situation and working to resolve the issue. However, as of now, there has been no official confirmation or acknowledgement from OpenAI regarding the company experiencing cyber attacks or the specific reasons behind the ChatGPT errors that users have been reporting since this afternoon.

****Anonymous Sudan vs ChatGPT and OpenAI****

This isn’t the first instance where Anonymous Sudan has claimed responsibility for DDoSing ChatGPT. Last November, the group made similar claims, and OpenAI acknowledged that its infrastructure was indeed targeted by DDoS attacks.

For expert commentary, we reached out to Oded Vanunu, Head of Product Vulnerability Research at Check Point Software. Vanunu linked Anonymous Sudan’s DDoS attacks to a strategy aimed at garnering media attention.

“Russian-affiliated groups Anonymous Sudan and SkyNet have claimed responsibility for the latest outages on the OpenAI website and ChatGPT service. This is according to an ‘official spokesperson’ for Anonymous Sudan going by the name of Crush on Telegram,” said Oded.

“Hacktivists often look for high-profile targets to disrupt in order to bring attention to themselves and in this case, Crush claims the groups attacked OpenAI due to the company’s perceived support of Israel.”

****Anonymous Sudan’s Recent Activities****

Anonymous Sudan has been notably active in recent times. According to a recent report by Hackread.com, the group has conducted DDoS attacks on various targets, including the Israeli BAZAN Group and the United Arab Emirates-based FlyDubai Airline.

Furthermore, the group targeted Thuraya Mobile Satellite Communications Company, an international mobile-satellite service (MSS) provider headquartered in Dubai, United Arab Emirates (UAE). In both attacks on UAE-based infrastructure, Anonymous Sudan claimed that the UAE’s support for the Rapid Support Forces (RSF) was evident through communication channels.

It’s worth noting that the RSF is a paramilitary force previously operated by the Government of Sudan and has been accused by hacktivists of committing war crimes against the Sudanese people.

1.  **Hackers Target Israeli Rocket Alert App Users with Spyware**
2.  **10 Top DDoS Attack Protection and Mitigation Companies in 2023**
3.  **Google, Cloudflare and AWS Disclose Largest DDoS Attack in History**
4.  **Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App**
5.  **Researchers Leverage ChatGPT to Expose Notorious macOS Malware**
6.  **WormGPT – Malicious ChatGPT Alternative Empowering Cybercriminals**

ChatGPT Down? Anonymous Sudan Claims Responsibility for DDoS Attacks

Red Hat Security Advisory 2024-0777-03 - An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.14. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, information leakage, and open redirection vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0777.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: jenkins and jenkins-2-plugins security update  
Advisory ID:        RHSA-2024:0777-03  
Product:            OpenShift Developer Tools and Services  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0777  
Issue date:         2024-02-12  
Revision:           03  
CVE Names:          CVE-2022-25857  
====================================================================

Summary: 

An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.14.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* apache-commons-text: variable interpolation RCE (CVE-2022-42889)

* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)

* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)

* Jenkins: Session fixation vulnerability in OpenShift Login Plugin (CVE-2023-37946)

* jenkins-plugins: cloudbees-folder: CSRF vulnerability in Folders Plugin may approve unsandboxed scripts (CVE-2023-40336)

* guava: insecure temporary directory creation (CVE-2023-2976)

* jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)

* jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin (CVE-2023-25762)

* jackson-databind: denial of service via cylic dependencies (CVE-2023-35116)

* Jenkins: Open redirect vulnerability in OpenShift Login Plugin (CVE-2023-37947)

* jenkins-plugins: cloudbees-folder: CSRF vulnerability in Folders Plugin (CVE-2023-40337)

* jenkins-plugins: cloudbees-folder: Information disclosure in Folders Plugin (CVE-2023-40338)

* jenkins-plugins: config-file-provider: Improper masking of credentials in Config File Provider Plugin (CVE-2023-40339)

* jenkins-plugins: blueocean: CSRF vulnerability in Blue Ocean Plugin allows capturing credentials (CVE-2023-40341)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2022-25857

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2066479  
https://bugzilla.redhat.com/show_bug.cgi?id=2126789  
https://bugzilla.redhat.com/show_bug.cgi?id=2135435  
https://bugzilla.redhat.com/show_bug.cgi?id=2164278  
https://bugzilla.redhat.com/show_bug.cgi?id=2170039  
https://bugzilla.redhat.com/show_bug.cgi?id=2170041  
https://bugzilla.redhat.com/show_bug.cgi?id=2215214  
https://bugzilla.redhat.com/show_bug.cgi?id=2215229  
https://bugzilla.redhat.com/show_bug.cgi?id=2222709  
https://bugzilla.redhat.com/show_bug.cgi?id=2222710  
https://bugzilla.redhat.com/show_bug.cgi?id=2232422  
https://bugzilla.redhat.com/show_bug.cgi?id=2232423  
https://bugzilla.redhat.com/show_bug.cgi?id=2232424  
https://bugzilla.redhat.com/show_bug.cgi?id=2232425  
https://bugzilla.redhat.com/show_bug.cgi?id=2232426  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://issues.redhat.com/browse/JKNS-271  
https://issues.redhat.com/browse/JKNS-289  
https://issues.redhat.com/browse/JKNS-337  
https://issues.redhat.com/browse/JKNS-344  
https://issues.redhat.com/browse/JKNS-345  
https://issues.redhat.com/browse/OCPBUGS-11158  
https://issues.redhat.com/browse/OCPBUGS-11253  
https://issues.redhat.com/browse/OCPBUGS-11254  
https://issues.redhat.com/browse/OCPBUGS-11446  
https://issues.redhat.com/browse/OCPBUGS-1357  
https://issues.redhat.com/browse/OCPBUGS-13869  
https://issues.redhat.com/browse/OCPBUGS-14111  
https://issues.redhat.com/browse/OCPBUGS-14609  
https://issues.redhat.com/browse/OCPBUGS-15646  
https://issues.redhat.com/browse/OCPBUGS-15902  
https://issues.redhat.com/browse/OCPBUGS-1709  
https://issues.redhat.com/browse/OCPBUGS-1942  
https://issues.redhat.com/browse/OCPBUGS-2099  
https://issues.redhat.com/browse/OCPBUGS-2184  
https://issues.redhat.com/browse/OCPBUGS-2318  
https://issues.redhat.com/browse/OCPBUGS-23438  
https://issues.redhat.com/browse/OCPBUGS-27388  
https://issues.redhat.com/browse/OCPBUGS-655  
https://issues.redhat.com/browse/OCPBUGS-6579  
https://issues.redhat.com/browse/OCPBUGS-6870  
https://issues.redhat.com/browse/OCPBUGS-710  
https://issues.redhat.com/browse/OCPBUGS-8377  
https://issues.redhat.com/browse/OCPBUGS-8442  
https://issues.redhat.com/browse/OCPTOOLS-244

Red Hat Security Advisory 2024-0777-03

Threat hunters have identified a new variant of Android malware called MoqHao that automatically executes on infected devices without requiring any user interaction.
"Typical MoqHao requires users to install and launch the app to get their desired purpose, but this new variant requires no execution," McAfee Labs said in a report published this week. "While the app is

Mobile Security / Cyber Threat

Threat hunters have identified a new variant of Android malware called **MoqHao** that automatically executes on infected devices without requiring any user interaction.

"Typical MoqHao requires users to install and launch the app to get their desired purpose, but this new variant requires no execution," McAfee Labs said in a report published this week. "While the app is installed, their malicious activity starts automatically."

The campaign's targets include Android users located in France, Germany, India, Japan, and South Korea.

MoqHao, also called Wroba and XLoader (not to be confused with the Windows and macOS malware of the same name), is an Android-based mobile threat that's associated with a Chinese financially motivated cluster dubbed Roaming Mantis (aka Shaoye).

Typical attack chains commence with package delivery-themed SMS messages bearing fraudulent links that, when clicked from Android devices, lead to the deployment of the malware but redirect victims to credential harvesting pages impersonating Apple's iCloud login page when visited from an iPhone.

In July 2022, Sekoia detailed a campaign that compromised at least 70,000 Android devices in France. As of early last year, updated versions of MoqHao have been found to infiltrate Wi-Fi routers and undertake Domain Name System (DNS) hijacking, revealing the adversary's commitment to innovating its arsenal.

The latest iteration of MoqHao continues to be distributed via smishing techniques, but what has changed is that the malicious payload is run automatically upon installation and prompts the victim to grant it risky permissions without launching the app, a behavior previously spotted with bogus apps containing the HiddenAds malware.

What's also received a facelift is that the links shared in the SMS messages themselves are hidden using URL shorteners to increase the likelihood of the attack's success. The content for these messages is extracted from the bio (or description) field from fraudulent Pinterest profiles set up for this purpose.

MoqHao is equipped with several features that allow it to stealthily harvest sensitive information like device metadata, contacts, SMS messages, and photos, call specific numbers with silent mode, and enable/disable Wi-Fi, among others.

McAfee said it has reported the findings to Google, which is said to be "already working on the implementation of mitigations to prevent this type of auto-execution in a future Android version."

The development comes as Chinese cybersecurity firm QiAnXin revealed that a previously unknown cybercrime syndicate named Bigpanzi has been linked to the compromise of Android-based smart TVs and set-top boxes (STBs) in order to corral them into a botnet for conducting distributed denial-of-service (DDoS) attacks.

The operation, active since at least 2015, is estimated to control a botnet comprising 170,000 daily active bots, most of which are located in Brazil. However, 1.3 million distinct Brazilian IP addresses have been associated with Bigpanzi since August 2023.

The infections are made possible by tricking users into installing booby-trapped apps for streaming pirated movies and TV shows through sketchy websites. The campaign was first disclosed by Russian antivirus vendor Doctor Web in September 2023.

"Once installed, these devices transform into operational nodes within their illicit streaming media platform, catering to services like traffic proxying, DDoS attacks, OTT content provision, and pirate traffic," QiAnXin researchers said.

"The potential for Bigpanzi-controlled TVs and STBs to broadcast violent, terroristic, or pornographic content, or to employ increasingly convincing AI-generated videos for political propaganda, poses a significant threat to social order and stability."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

MoqHao Android Malware Evolves with Auto-Execution Capability

By Deeba Ahmed
Blank Image, Fake Link: Unraveling the Temu Phishing Scam Targeting Senior Shoppers!
This is a post from HackRead.com Read the original post: Over 800 Phony “Temu” Domains Lure Shoppers into Credential Theft

Stay alert against Temu phishing scams: Cybersecurity experts warn of scammers using fake giveaways to steal credentials. Over 800 new ‘Temu’ domains registered in the past 3 months.

Temu is the latest brand chosen by scammers for their phishing scams. Checkpoint’s Harmony Email’s cybersecurity researcher Jeremy Fuchs, has noted that hackers are using Temu’s giveaway rewards to entice users to give away their credentials, with over 800 new domains registered as “Temu” in the last three months.

For your information, Temu is an international e-commerce store having 40% of its user base in the USA. It offers discounted goods shipped directly to consumers. Temu was launched in 2022 and is available in 48 countries, including Europe, the Middle East, Southeast Asia, and Australia.

As of February 7, 2024, it is the number one shopping app on Google Play Store and second on the Apple App Store. The app’s most frequent shoppers are senior citizens, mostly 59 and above.

The sample phishing email identified by researchers claims to be from Temu Rewards. However, if you look closely, it is sent by an unrelated email address- onmicrosoft.com. The email contains a blank image and a link to a credential harvesting page. The threat actors try to attract recipients by informing them that they have won.

According to Checkpoint’s blog post, the email has Temu’s name as the sender. However, if the user realizes the sender address isn’t related to Temu or the links don’t lead to a Temu page, they’ll stay away from this scam. The email should raise suspicion as it is sent from a generic address on onmicrosoft (.) com, and the image does not load.

One of the phishing emails used in the scam (Check Point)

****Brand Names and Phishing****

This isn’t the first time threat actors have exploited brand names and the latest trends to steal credentials or other sensitive information from innocent users.

In November 2022, Hackread reported that Cyjax researchers discovered a sophisticated phishing campaign targeting over 400 brands across various sectors. The scammers, likely having Chinese affiliations, used 42,000 domains to distribute malware and generate ad revenue with at least 24,000 survey/landing domains used to promote the scam.

Cybersecurity researchers at Bloster AI recently discovered a USPS Delivery phishing campaign utilizing advanced techniques to target victims in the US. Bolster’s CheckPhish detected over 3,000 phishing domains mimicking Walmart. The campaign tricked consumers into thinking they had failed deliveries and late payments. Threat actors have improved their attack tactics, transitioning from deceptive messages to luring victims into downloading financial or banking data-stealing apps.

A phishing scam targeting Meta Platforms, Inc. business owners to steal their email addresses and passwords, leading to the takeover of their Facebook page, profile, and financial information was discovered in January 2024. The scam used Meta Platforms’ authority to create urgency and legitimacy.

****Temu and Cybersecurity****

Temu itself has faced several cybersecurity-related issues, including allegations of collecting user and device data such as text messages and banking information.

In November 2023, a class-action lawsuit was filed in the United States, alleging that the company had unlawfully collected its customers’ data. Furthermore, another report surfaced, implicating Temu in the unauthorized disclosure of customer data, particularly in connection with data purportedly appearing for sale on the dark web after customers make purchases through the app.

Nevertheless, it’s crucial to emphasize basic security measures with users and ensure that all threats can be stopped, both simple and sophisticated, especially scams like these, which exploit users’ trust in big brands.

Additionally, to protect against phishing attacks, security professionals must implement AI-based security, robust URL protection, and full-suite security to scan documents and files.

****RELATED ARTICLES****

1.  **Fake LastPass Password Manager App Lurks on iOS App Store**
2.  **Google Suspends Chinese Shopping App Pinduoduo Over Malware**
3.  **Google Removes Swing VPN Android App Exposed as DDoS Botnet**
4.  **Check Point Research: Microsoft the Most Phished Brand in Q2 2023**
5.  **Domain Squatting and Brand Hijacking: A Threat to Digital Enterprises**

Over 800 Phony “Temu” Domains Lure Shoppers into Credential Theft

By Waqas
Remember, it is LastPass Password Manager, not LassPass Password Manager!
This is a post from HackRead.com Read the original post: Fake LastPass Password Manager App Lurks on iOS App Store

The popular LastPass Password Manager application has warned iOS users about a fraudulent app exploiting the app’s name circulating on the official Apple App Store.

Attention, LastPass users! A cunning imposter has infiltrated the iOS App Store, posing as the legitimate **LastPass Password Manager** app. This fake app, aptly named “LassPass Password Manager,” seeks to deceive users and potentially steal their sensitive login credentials.

Despite slight alterations to the logo and name, the fake LastPass app operates seamlessly to scam unsuspecting users into downloading it, as its colour scheme and font closely mimic those of the original LastPass app.

It all began on February 7, 2024, when LastPass published a **blog post** warning unsuspecting users to remain vigilant and avoid downloading a fraudulent application. Despite LastPass’s report, the app remains available on the App Store and is developed by an individual using the name Parvati Patel. Interestingly, the developer also has another app on their account, a community service app for India, hinting at their location.

Just to clarify, the LastPass password manager app is owned by GoTo, formerly known as LogMeIn Inc. Therefore, the official app lists LogMeIn Inc., as its developer on the Apple App Store.

Fake LastPass Password Manager app called LassPass Password Manager App (left) – Authentic LastPass Password Manager app (right) (Screenshots: Hackread.com)

****IN SUMMARY****

*   **The fake app:** The app is called “LassPass Password Manager” and is listed under the developer name Parvati Patel.
*   **Mimicking tactics:** The app closely copies LastPass’ branding and user interface, even using similar screenshots, to potentially mislead users into downloading it.
*   **Potential dangers:** If downloaded, the fake app could steal your login credentials and other sensitive information.
*   **Action taken:** LastPass is actively working to get the app removed from the App Store and is urging users to be cautious.

The fake app can be seen **here**, while the authentic one can be downloaded from **here**.

Nevertheless, this isn’t the first instance of a fake app mimicking a popular developer making its way onto the Apple App Store. **In July 2023**, Apple approved a fake THREADS app, which later surged to number 1 on the Apple Store in Europe. Interestingly, the original THREADS app had been launched by META just a few days prior to the incident and was not yet available in Europe when the fake one appeared in the store.

****RELATED ARTICLES****

1.  **Google Deletes Fake BatteryBot Pro Malware App**
2.  **Scylla Ad Fraud Attack on iOS Users Halted by Apple**
3.  **Apple removes Clearview AI iPhone app from App Store**
4.  **Apple removes anti-virus apps from store for “stealing data”**
5.  **Google removes ClearURLs Chrome extension from app store**
6.  **Google Removes Swing VPN Android App Exposed as DDoS Botnet**

Fake LastPass Password Manager App Lurks on iOS App Store

Your essential guide to toothbrush security.

February 7, 2024 - We look at a scam campaign on Facebook that continues to do the rounds, and how you can recover your compromised account.

February 6, 2024 - The State of Malware 2024 report covers some topics that are of special interest to home users: privacy, passwords, malvertising, banking Trojans, and Mac malware.

February 6, 2024 - Big Game ransomware is just one of six threats resource-constrained IT teams need to pay attention to in 2024.

February 6, 2024 - Safer Internet Day is all about raising awareness about a safer and better internet for all, and especially for children and young people.

February 5, 2024 - Clorox has reported losses of $49 million following a cyberattack in mid-2023.

 How to tell if your toothbrush is being used in a DDoS attack 

Plus: Russia was likely behind widespread GPS outages, Vault 7 leaker was sentenced, police claim to trace Monero cryptocurrency, and more.

An indictment from the US Department of Justice may have solved the mystery of how disgraced cryptocurrency exchange FTX lost over $400 million in crypto. The indictment, filed last week, alleges that three individuals used a SIM-swapping attack to steal hundreds of millions in virtual currency from an unnamed company. The timing and the amount stolen coincides with FTX's theft. Meanwhile, in a letter obtained by WIRED this week, seven lawmakers have demanded the DOJ stop funding biased and inaccurate predictive policing tools until the agency has a way to ensure law enforcement won’t use them in a way that has a “discriminatory impact.”

In Florida, prosecutors say a 17-year-old named Alan Winston Filion is responsible for hundreds of swatting attacks around the United States. The news of his arrest was first reported by WIRED days before law enforcement made it public. It was the culmination of a multi-agency manhunt to piece together a trail of digital breadcrumbs left by the teenager. In Ukraine, unmanned aerial vehicles have been powerful tools since the Russian invasion began in February 2022. But as the war rages on, another kind of unmanned robot has increasingly appeared on the front-lines: the unmanned ground vehicle, or UGV.

For months lawyers affiliated with an India based hacker-for-hire firm called Appin Technology have used legal threats to censor reporting about the company’s alleged cyber mercenary past. The EFF, Techdirt, MuckRock, and DDoSecrets are now pushing back, publicly sharing details for the first time about the firm's efforts to remove content from the web. It’s a dangerous world out there, so we’ve also got a list of some major patches issued in January that you can use to update your devices to keep them secure.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

For years Western security officials have warned about the threat of China collecting data about millions of people and the country’s hackers infiltrating sensitive systems. This week, Federal Bureau of Investigation director Christopher Wray said hackers affiliated with the Chinese Communist Party are constantly targeting US critical infrastructure, such as water treatment plants, the electrical grid, and oil and gas pipelines. Wray’s testimony, at a House subcommittee on China, came as the FBI also revealed it removed malware from hundreds of routers in people’s homes and offices that had been planted by the Chinese hacking group Volt Typhoon.

“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities,” Wray said in the public appearance. “Low blows against civilians are part of China’s plan.” The FBI director added that China has a bigger hacking operation than “every other major nation combined,” and claimed that if all of the FBI’s cyber-focused agents were assigned to work on issues related to China, they would still be outnumbered “by at least 50 to 1.”

While concerns about the scale of China’s espionage and cyber operations aren’t new, the US intelligence community has been increasingly vocal and worried about critical infrastructure being targeted by Volt Typhoon and other groups. “The threat is extremely sophisticated and pervasive,” NSA officials warned in November. In May 2023, Microsoft revealed it had been tracking Volt Typhoon intrusions at communications and transportation infrastructure, among other critical infrastructure, in US states and Guam.

The FBI and DOJ, also revealed this week that they remotely removed the KV Botnet malware from hundreds of routers infected by Volt Typhoon. The impacted routers, from Cisco and Netgear, were mostly at the end of their life, but were being used as part of wider operations. “​​The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors,” Wray said. It isn’t the first time US officials have obtained a court order to remotely wipe devices infected by hackers, but the move is still rare.

Since the first cryptocurrencies emerged more than a decade ago, there has been the assumption that the blockchain-based digital currencies are anonymous and untraceable. They are, in fact, very traceable. Researchers have shown how people can be linked to the transactions they make and law enforcement have used the techniques to help bust illicit dark web markets and catch pedophiles. There are, however, still some privacy-focused cryptocurrencies that appear to be less traceable than Bitcoin. This includes Monero, which is increasingly being adopted by sellers of child sexual abuse materials.

This week investigators in Finland said Moreno-tracing helped reveal the identity of a hacker who allegedly attacked psychotherapy company Vastaamo in 2020, stealing thousands of patient records and threatening to leak them unless people paid a ransom. Investigators from the Finnish National Bureau of Investigation claim they used heuristic analysis to infer where funds were moved to. The investigators did not reveal the full methods of how they allegedly traced the Monero payments, however, they add to the growing body of evidence that cryptocurrency tracing firms and investigators may be able to track the currency.

Planes flying over Europe have faced a spike in accuracy issues with GPS systems used for navigation in recent months. The head of Estonia’s Defense Forces has claimed that Russia is likely the source of this interference, according to an interview with Bloomberg. “Someone is causing it, and we think it’s Russia,” Martin Herem told the publication, adding that Russia may be testing its electronic warfare capabilities and “learning” the most effective tactics. Across Europe, and particularly the Baltics region, there has been a reported increase in GPS jamming, with Finland reporting large interferences in December and pilots repeatedly reporting issues with their navigation systems.

In 2017, the Vault 7 leaks exposed some of the CIA’s most sophisticated hacking tools, including how the agency could compromise routers, phones, PC, and TVs. Joshua Schulte, a former CIA engineer in the agency’s Operations Support Branch who prosecutors identified as being behind the data breach and responsible for leaking the materials to Wikileaks, was convicted in numerous trials in recent years. Schulte, who denied the allegations, has been sentenced to 40 years in prison for the espionage and also for possessing thousands of child abuse images. Judge Jesse Furman, sentencing Schulte, said he had caused “untold damage to national security.” In June 2022, _The New Yorker_ published this comprehensive investigation into the data breach and Schulte’s troubled history working at the agency.

China’s Hackers Keep Targeting US Water and Electricity Supplies

By Waqas
The new variant of Mispadu Stealer was discovered by Palo Alto's Unit 42 researchers while investigating the Windows Defender SmartScreen vulnerability.
This is a post from HackRead.com Read the original post: Mispadu Stealer’s New Variant Targets Browser Data of Mexican Users

Originally, since 2019, Mispadu Stealer targeted Spanish- and Portuguese-speaking victims, but the new variant aims at URLs associated with Mexican citizens.

In a recent development reported by Unit 42 researchers, a new variant of the infamous Mispadu Stealer has emerged, targeting users primarily in Mexico with stealthy information-stealing techniques. The discovery shows the persistent evolution of this malware, showcasing its adaptability and the challenges it poses to cybersecurity efforts.

Initially identified in 2019, Mispadu Stealer has been a persistent threat, known for its stealthy operations primarily targeting Spanish- and Portuguese-speaking victims. The latest variant, however, demonstrates a high level of sophistication, specifically targeting regions and URLs associated with Mexican citizens.

The discovery of this new variant came as part of Unit 42’s Managed Threat Hunting initiative, while researchers were investigating the Windows Defender SmartScreen CVE-2023-36025 vulnerability.

This vulnerability, categorized as a security feature bypass within the Windows SmartScreen function, allows attackers to circumvent warnings and execute malicious payloads. Exploiting this vulnerability, the Mispadu Stealer variant was found to employ a crafty technique involving the creation of internet shortcut files (.url) or hyperlinks pointing to malicious files, effectively bypassing SmartScreen’s warnings.

One of the key findings in this investigation is the malware’s use of a parameter referencing a network share, which, when embedded in a .url file, directs victims to a threat actor’s network share to retrieve and execute the malicious payload without triggering SmartScreen warnings. This technique, while not limited to Mispadu Stealer, showcases the malware’s ability to adapt and evolve its tactics.

Further analysis of the new variant reveals a sophisticated operation that selectively targets victims based on their geographic location and system configurations. By querying the bias between the local time zone and UTC and performing checks based on the victim’s location, the malware ensures its execution primarily within specific regions, such as the Americas and certain parts of Western Europe.

Statistics of infected countries (Unit 42)

Once executed, the malware proceeds to interact with the victim’s browser history, extracting URLs and checking them against a targeted list. Notably, the malware employs encryption algorithms and techniques to evade detection, highlighting the evolving sophistication of its information-stealing capabilities.

The attribution of this new variant to previous Mispadu campaigns highlights the challenges in combating evolving cybersecurity threats. While similarities in tactics and infrastructure provide insights into the malware’s origins, the ever-changing nature of such threats demands a comprehensive approach to cybersecurity.

As Mispadu continues to evolve and target unsuspecting users, cybersecurity experts emphasize the importance of staying informed on the latest threat intelligence, deploying strong endpoint protection measures, and advocating a culture of cybersecurity awareness among employees and users. By adopting proactive measures and leveraging collective intelligence, organizations can better defend against emerging threats like the new variant of Mispadu Stealer.

1.  **Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks**
2.  **IBM X-Force Discovers Gootloader Malware Variant- GootBot**
3.  **Fake TeamViewer download ads distributing new ZLoader variant**
4.  **New Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs**
5.  **MidgeDropper Variant Hits Work-from-Home Employees on Windows**

Tag

#ddos