admin, Author at Cyber Training Group International (CTGI)

Hackers Using Sitting Ducks Attack To Hijack Domains, 1 Million Domains Vulnerable

Over 1 million registered domains could be vulnerable to a cyberattack method known as “Sitting Ducks,” as recently unveiled in a new report from Infoblox Threat Intel. This relatively unknown attack vector allows malicious actors to hijack legitimate domains by exploiting misconfigurations in DNS settings.

The Sitting Ducks attack, which has been active since 2018, enables threat actors to gain full control of a domain by taking over its DNS configurations. Infoblox’s monitoring initiative identified approximately 800,000 vulnerable domains, with about 70,000 of those already hijacked.

Threat Groups

Several threat actor groups have been exploiting this attack vector:

The attack is particularly dangerous due to its stealthy nature. Hijacked domains often retain their positive reputation which allows them to evade detection by security tools. This makes it challenging for security teams to identify and mitigate the threat.

The impact of Sitting Ducks attacks is far-reaching, affecting organizations, individuals, and security teams. Businesses face reputational damage, while individuals risk malware infections, credential theft, and fraud. Security teams struggle to defend against these attacks due to the use of trusted domains in malicious infrastructure.

To protect against Sitting Ducks attacks, domain holders, registrars, and DNS providers must ensure correct configurations and implement proper ownership verification processes. Increased awareness and vigilance within the cybersecurity community are crucial to addressing this growing threat.

Credit: Cybersecurity News

New LightSpy Spyware Version Targets iPhones with Increased Surveillance Tactics

Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its functionality, but also incorporates destructive capabilities to prevent the compromised device from booting up.

“While the iOS implant delivery method closely mirrors that of the macOS version, the post-exploitation and privilege escalation stages differ significantly due to platform differences,” ThreatFabric said in an analysis published this week.

LightSpy, first documented in 2020 as targeting users in Hong Kong, is a modular implant that employs a plugin-based architecture to augment its capabilities and allow it to capture a wide range of sensitive information from an infected device.

Attack chains distributing the malware leverage known security flaws in Apple iOS and macOS to trigger a WebKit exploit that drops a file with the extension “.PNG,” but is actually a Mach-O binary responsible for retrieving next-stage payloads from a remote server by abusing a memory corruption flaw tracked as CVE-2020-3837.

This includes a component dubbed FrameworkLoader that, in turn, downloads LightSpy’s Core module and its assorted plugins, which have gone up significantly from 12 to 28 in the latest version (7.9.0).

“After the Core starts up, it will perform an Internet connectivity check using Baidu.com domain, and then it will check the arguments that were passed from FrameworkLoader as the [command-and-control] data and working directory,” the Dutch security company said. “Using the working directory path /var/containers/Bundle/AppleAppLit/, the Core will create subfolders for logs, database, and exfiltrated data.”

The plugins can capture a wide range of data, including Wi-Fi network information, screenshots, location, iCloud Keychain, sound recordings, photos, browser history, contacts, call history, and SMS messages, as well as gather information from apps like Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp.

Some of the newly added plugins also boast destructive features that can delete media files, SMS messages, Wi-Fi network configuration profiles, contacts, and browser history, and even freeze the device and prevent it from starting again. Furthermore, LightSpy plugins can generate fake push notifications containing a specific URL.

The exact distribution vehicle for the spyware is unclear, although it’s believed to be orchestrated via watering hole attacks. The campaigns have not been attributed to a known threat actor or group to date.

Credit: The Hacker News

Microsoft Reveals macOS Vulnerability that Bypasses Privacy Controls in Safari Browser

Microsoft has disclosed details about a now-patched security flaw in Apple’s Transparency, Consent, and Control (TCC) framework in macOS that has likely come under exploitation to get around a user’s privacy preferences and access data.

The shortcoming, codenamed HM Surf by the tech giant, is tracked as CVE-2024-44133 (CVSS score: 5.5). It was addressed by Apple as part of macOS Sequoia 15 by removing the vulnerable code.

HM Surf “involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent,” Jonathan Bar Or of the Microsoft Threat Intelligence team said.

Microsoft said the new protections are limited to Apple’s Safari browser, and that it’s working with other major browser vendors to further explore the benefits of hardening local configuration files.

HM Surf follows Microsoft’s discovery of Apple macOS flaws like Shrootless, powerdir, Achilles, and Migraine that could enable malicious actors to sidestep security enforcements.

While TCC is a security framework that prevents apps from accessing users’ personal information without their consent, the newly discovered bug could enable attackers to bypass this requirement and gain access to location services, address book, camera, microphone, downloads directory, and others in an unauthorized manner.

The access is governed by a set of entitlements, with Apple’s own apps like Safari having the ability to completely sidestep TCC using the “com.apple.private.tcc.allow” entitlement. While this allows Safari to freely access sensitive permissions, it also incorporates a new security mechanism called Hardened Runtime that makes it challenging to execute arbitrary code in the context of the web browser.

That said, when users visit a website that requests location or camera access for the first time, Safari prompts for access via a TCC-like popup. These entitlements are stored on a per-website basis within various files located in the “~/Library/Safari” directory.

The HM Surf exploit devised by Microsoft hinges on performing the following steps –

The attack could be extended further to save an entire camera stream or stealthily capture audio through the Mac’s microphone, Microsoft said. Third-party web browsers don’t suffer from this problem as they do not have the same private entitlements as Apple applications.

Microsoft noted it observed suspicious activity associated with a known macOS adware threat named AdLoad likely exploiting the vulnerability, making it imperative that users take steps to apply the latest updates.

“Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the AdLoad campaign is exploiting the HM surf vulnerability itself,” Bar Or said. “Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique.”

Credit: The Hacker News

AI girlfriend site breached, user fantasies stolen

A hacker has stolen a massive database of users’ interactions with their sexual partner chatbots, according to 404 Media. The breached service, Muah.ai, describes itself as a platform that lets people engage in AI-powered companion NSFW chat, exchange photos, and even have voice chats.

As you can imagine, data like this is very sensitive, so the site assures customers that communications are encrypted and says it doesn’t sell any data to third parties. The stolen data, however, tells a different story. It includes chatbot prompts that reveal users’ sexual fantasies. These prompts are in turn linked to email addresses, many of which appear to be personal accounts with users’ real names.

Muah.ai says it believes in freedom of speech and to uphold that right, it says: “AI technology should be for everyone, and its use case to be decided by each mature, individual adult. So that means we don’t actively censor or filter AI. So any topic can be discussed without running into a wall.”

Unfortunately, that means that filth is created to satisfy the needs of some sick users, and some of the data contains horrifying explicit references to children. Presumably those users in particular don’t want their fantasies to be discovered, which is exactly what might happen if they are connected to your email address.

The hacker describes the platform as “a handful of open-source projects duct-taped together.” Apparently, it was no trouble at all to find a vulnerability that provided access to the platform’s database. The administrator of Muah.ai says the hack was noticed a week ago and claims that it must be sponsored by the competitors in the “uncensored AI industry.” Which, who knew, seems to be the next big thing.

The administrator also said that Muah.ai employs a team of moderation staff that suspend and delete ALL child-related chatbots on its card gallery (where users share their creations), Discord, Reddit, etc. But in reality, when two people posted about a reportedly underage AI character on the site’s Discord server, 404 Media claims a moderator told the users to not “post that shit” here, but to go “DM each other or something.”

Muah.ai is just one example of a new breed of uncensored AI apps that offer hundreds of role-play scenarios with chatbots, and others designed to behave like a long-term romantic companion. 404 Media says it tried to contact dozens of people included in the data, including users who wrote prompts that discuss having underage sex. Not surprisingly, none of those people responded to a request for comment.

Update October 11

There are reports that this information is in use for active extortion attempts. Whether these are based on actual activities on the platform or solely based on leaked email addresses is not yet known.

Innovation before security

Emerging platforms like these are often rushed into existence because there is money to be made. Unfortunately, that usually happens at the expense of security and privacy, so here are some things to bear in mind:

Credit: Malwarebytes

LockBit Ransomware and Evil Corp Members Arrested and Sanctioned in Joint Global Effort

A new wave of international law enforcement actions has led to four arrests and the takedown of nine servers linked to the LockBit (aka Bitwise Spider) ransomware operation, marking the latest salvo against what was once a prolific financially motivated group.

This includes the arrest of a suspected LockBit developer in France while on holiday outside of Russia, two individuals in the U.K. who allegedly supported an affiliate, and an administrator of a bulletproof hosting service in Spain used by the ransomware group, Europol said in a statement.

In conjunction, authorities outed a Russian national named Aleksandr Ryzhenkov (aka Beverley, Corbyn_Dallas, G, Guester, and Kotosel) as one of the high-ranking members of the Evil Corp cybercrime group, while simultaneously painting him as a LockBit affiliate. Sanctions have also been announced against seven individuals and two entities linked to the e-crime gang.

“The United States, in close coordination with our allies and partners, including through the Counter Ransomware Initiative, will continue to expose and disrupt the criminal networks that seek personal profit from the pain and suffering of their victims,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence, Bradley T. Smith.

The development, part of a collaborative exercise dubbed Operation Cronos, comes nearly eight months after LockBit’s online infrastructure was seized. It also follows sanctions levied against Dmitry Yuryevich Khoroshev, who was revealed to be the administrator and individual behind the “LockBitSupp” persona.

A total of 16 individuals who were part of Evil Corp have been sanctioned by the U.K. Also tracked as Gold Drake and Indrik Spider, the infamous hacking crew has been active since 2014, targeting banks and financial institutions with the ultimate goal of stealing users’ credentials and financial information in order to facilitate unauthorized fund transfers.

The group, responsible for the development and distribution of the Dridex (aka Bugat) malware, has been previously observed deploying LockBit and other ransomware strains in 2022 in order to get around sanctions imposed against the group in December 2019, including key members Maksim Yakubets and Igor Turashev.

Ryzhenkov has been described by the U.K. National Crime Agency (NCA) as Yakubets’ right-hand man, with the U.S. Department of Justice (DoJ) accusing him of deploying BitPaymer ransomware to target victims across the country since at least June 2017.

“Ryzhenkov used the affiliate name Beverley, made over 60 LockBit ransomware builds and sought to extort at least $100 million from victims in ransom demands,” officials said. “Ryzhenkov additionally has been linked to the alias mx1r and associated with UNC2165 (an evolution of Evil Corp affiliated actors).”

Additionally, Ryzhenkov’s brother Sergey Ryzhenkov, who is believed to use the online alias Epoch, has been linked to BitPaymer, per cybersecurity firm Crowdstrike, which assisted the NCA in the effort.

“Throughout 2024, Indrik Spider gained initial access to multiple entities through the Fake Browser Update (FBU) malware-distribution service,” it noted. “The adversary was last seen deploying LockBit during an incident that occurred during Q2 2024.”

Notable among the individuals subjected to sanctions are Yakubets’ father, Viktor Yakubets, and his father-in-law, Eduard Benderskiy, a former high-ranking FSB official, underscoring the deep connection between Russian cybercrime groups and the Kremlin.

“The group were in a privileged position, with some members having close links to the Russian state,” the NCA said. “Benderskiy was a key enabler of their relationship with the Russian Intelligence Services who, prior to 2019, tasked Evil Corp to conduct cyber attacks and espionage operations against NATO allies.”

“After the U.S. sanctions and indictments in December 2019, Benderskiy used his extensive influence with the Russian state to protect the group, both by providing senior members with security and by ensuring they were not pursued by Russian internal authorities.”

Credit: The Hacker News

INTERPOL Arrests 8 in Major Phishing and Romance Fraud Crackdown in West Africa

INTERPOL has announced the arrest of eight individuals in Côte d’Ivoire and Nigeria as part of a crackdown on phishing scams and romance cyber fraud. Dubbed Operation Contender 2.0, the initiative is designed to tackle cyber-enabled crimes in West Africa, the agency said.

One such threat involved a large-scale phishing scam targeting Swiss citizens that resulted in financial losses to the tune of more than $1.4 million. The cybercriminals posed as buyers on small advertising websites and used QR codes to direct victims to fraudulent websites that mimicked a legitimate payment platform. This allowed victims to inadvertently enter personal information such as their credentials or card numbers. The perpetrators also impersonated the unnamed platform’s customer service agents over the phone to further deceive them.

As many as 260 scam reports are said to have been received by Swiss authorities between August 2023 and April 2024, prompting a collaborative investigation that traced the roots of the campaign to Côte d’Ivoire. The main suspect behind the attacks confessed to the scheme and making illicit financial gains of over $1.9 million. Five other individuals conducting cybercriminal activities at the same location have also been arrested.

In a separate case, authorities said they apprehended a suspect and their accomplice in Nigeria on April 27, 2024, in connection with a romance scam after Finnish authorities alerted the Nigerian Police Force via INTERPOL that a victim was scammed out of a “substantial amount of money.” Such financial grooming crimes entail scammers creating fake online identities on dating apps and social media platforms to develop romantic or close relationships with prospective victims, only to steal money from them.

“Leveraging the increased reliance on technology in every aspect of our daily lives, cybercriminals are employing a range of techniques to steal data and execute fraudulent activities,” Neal Jetton, Director of the Cybercrime Directorate, said. “These recent successful collaborations, under the umbrella of Operation Contender 2.0, demonstrate the importance of continued international cooperation in combating cybercrime and bringing perpetrators to justice.”

The development comes as the U.S. Department of Justice (DoJ) said a 45-year-old dual citizen of Nigeria and the United Kingdom, Oludayo Kolawole John Adeagbo, has been sentenced to seven years in prison for his role in a multimillion-dollar business email compromise (BEC) scheme.

Adeagbo “conspired with others to participate in multiple cyber-enabled BEC schemes that defrauded a North Carolina university of more than $1.9 million, and attempted to steal more than $3 million from victim entities in Texas, including local government entities, construction companies, and a Houston-area college,” the DoJ said.

It also follows an announcement from Meta that it’s teaming up with U.K. banks to combat scams on its platforms as part of an information-sharing partnership program dubbed Fraud Intelligence Reciprocal Exchange (FIRE).

Credit: The Hacker News

Data Breaches Slim Down Your Wallet

Data breaches are becoming an expensive predicament for all of us, even if your data isn’t directly stolen in a breach. The latest IBM 2024 Cost of a Data Breach Report, released in July, reveals that when companies suffer these breaches, they often pass the hefty costs onto their customers. And data breaches are becoming extremely pricey, especially for small and medium sized businesses.

The cost of data breaches

According to the report, the global average cost of a data breach in 2024 has skyrocketed to $4.88 million! That’s a staggering 10% jump from the previous year! This study was carried out by the Ponemon Institute and sponsored and analyzed by IBM. It took a deep dive into data breaches at 604 organizations worldwide. They talked to over 3,500 security and business leaders who lived through these breaches to get the inside scoop.

Why are data breaches so expensive?

Lost business, including downtime and customers going elsewhere, is a huge factor driving the increase. So is the cost of responding to the breach, including staffing up customer service help desks and regulatory fines for failing to protect data.

Who pays the price? You do.

Here’s where it gets personal: more than half of the organizations hit by data breaches pass those costs directly to consumers by charging more for goods and services. That’s right, when a company gets hacked, most will raise their prices to cover the damages. This year, 63% of businesses said they’re upping prices because of data breaches, compared to 57% last year. While many factors contribute to products becoming more expensive, data breaches are part of the equation in many cases now.

The human factor

One big reason these breaches are so costly is that cybersecurity teams are often understaffed. Over half of the companies surveyed said they’re struggling with severe staffing shortages in their security departments. And as companies rush to adopt new AI technologies, the pressure on these already overwhelmed teams is only increasing.

What are hackers stealing?

The report found that nearly half (46%) of all data breaches involve customer personal information like Social Security numbers, emails, phone numbers, and home addresses. Intellectual property, like trade secrets, was stolen in 43% of breaches.

The financial fallout

The costs associated with data breaches aren’t just about fixing the security hole. Businesses hemorrhage money due to system downtime, losing customers, and damaging their reputation. They also spend big on setting up call centers, providing credit monitoring services, and paying regulatory fines. This year, these lost business and response costs totaled a whopping $2.8 million per breach, the highest in the last six years.

What helps and what hurts

The report also examined what factors can make these costs go up or down.

What saved money?

What increased costs?

What can we do?

Understanding the dynamics of data breaches and increased customer prices is crucial. Businesses need to invest in strong cybersecurity measures and train their employees well. Making security systems easier for everyone to understand and addressing the cybersecurity skills gap can also help reduce the impact of breaches. The 2024 report is a stark reminder of how interconnected our economy is and why robust cybersecurity is more important than ever.

Credit: Stay Safe Online

2.9 billion records, including Social Security numbers, stolen in data hack: What to know

An enormous amount of sensitive information including Social Security numbers for millions of people could be in the hands of a hacking group after a data breach and may have been released on an online marketplace, The Los Angeles Times reported this week.

The hacking group USDoD claimed it had allegedly stolen personal records of 2.9 billion people from National Public Data, according to a class-action lawsuit filed in U.S. District Court in Fort Lauderdale, Florida, reported by Bloomberg Law. The breach was believed to have happened in or around April, according to the lawsuit.

Here’s what to know about the alleged data breach.

What information is included in the data breach?

The class-action law firm Schubert, Jonckheer & Kolbe said in a news release that the stolen file includes 277.1 gigabytes of data, and includes names, address histories, relatives and Social Security numbers dating back at least three decades.

According to a post from a cybersecurity expert on X, formerly Twitter, USDoD claims to be selling the 2.9 billion records for citizens of the U.S., U.K. and Canada on the dark web for $3.5 million.

Since the information was posted for sale in April, others have released different copies of the data, according to the cybersecurity and technology news site Bleeping Computer. A hacker known as “Fenice” leaked the most complete version of the data for free on a forum in August, Bleeping Computer reported.

What is National Public Data?

National Public Data is a Florida-based background check company operated by Jerico Pictures, Inc. USA TODAY has reached out to National Public Data for comment. The company has not publicly confirmed a data breach, but The Los Angeles Times reported that it has been telling people who contacted via email that “we are aware of certain third-party claims about consumer data and are investigating these issues.”

What to do if you suspect your information has been stolen

If you believe your information has been stolen or has appeared on the dark web, there are a few steps you can take to prevent fraud or identity theft. We recommend taking the following steps:

Credit: USA Today

Our vision is to create and deliver Cyber Security Awareness training to the NGOs, Small Medium Businesses, and Enterprises to help them reduce exposure to cyber security attacks.

Copyright © 2024 Cyber Training Group International | All Rights Reserved