MIT Researchers Discover New Flaw in Apple M1 CPUs That Can’t Be Patched

source: thehackernews.com  |  image: pexels.com

A novel hardware attack dubbed PACMAN has been demonstrated against Apple’s M1 processor chipsets, potentially arming a malicious actor with the capability to gain arbitrary code execution on macOS systems.

It leverages “speculative execution attacks to bypass an important memory protection mechanism, ARM Pointer Authentication, a security feature that is used to enforce pointer integrity,” MIT researchers Joseph Ravichandran, Weon Taek Na, Jay Lang, and Mengjia Yan said in a new paper.

What’s more concerning is that “while the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be,” the researchers added.

The vulnerability is rooted in pointer authentication codes (PACs), a defense introduced in ARMv8.3-A and adopted by Apple’s arm64e ABI that aims to detect and guard against unexpected changes to pointers, the values that reference an address in memory.

PACs aim to mitigate a common class of software security problems, memory corruption vulnerabilities, which are often exploited by overwriting control data in memory (i.e., pointers) to redirect code execution to an arbitrary location controlled by the attacker.
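To make concrete what “pointer integrity” means here, the following added example (not code from the MIT paper, from Apple, or from this article) models pointer authentication in Python: a keyed MAC over the address and a context value is stored in the otherwise unused upper bits of the pointer, and authentication strips it only if it still matches. The 48-bit address width, the use of HMAC-SHA256 in place of the QARMA block cipher the hardware uses, and every address and key value are assumptions made for illustration.

```python
import hashlib
import hmac

# Added model of ARM Pointer Authentication. Assumptions: 48-bit virtual
# addresses (so the PAC occupies the upper 16 bits) and HMAC-SHA256 standing
# in for the QARMA cipher. Real PAC width and layout depend on the
# address-size configuration of the system.
VA_BITS = 48
PAC_BITS = 64 - VA_BITS
VA_MASK = (1 << VA_BITS) - 1
PAC_MASK = ((1 << PAC_BITS) - 1) << VA_BITS


class PacError(Exception):
    """Authentication failed. Hardware does not raise; it returns a pointer
    with poisoned upper bits so that the next dereference faults."""


def compute_pac(key: bytes, ptr: int, modifier: int) -> int:
    """Keyed MAC over (address, modifier), truncated to PAC_BITS."""
    msg = (ptr & VA_MASK).to_bytes(8, "little") + (
        modifier & (2**64 - 1)
    ).to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "little") & ((1 << PAC_BITS) - 1)


def pac_sign(key: bytes, ptr: int, modifier: int) -> int:
    """Model of PACIA/PACDA: embed the PAC in the pointer's upper bits.
    The modifier is a context such as the stack pointer; it binds the PAC
    to the frame (or object) in which the pointer is stored."""
    if ptr & PAC_MASK:
        raise ValueError("pointer already has upper bits set")
    return ptr | (compute_pac(key, ptr, modifier) << VA_BITS)


def pac_auth(key: bytes, signed: int, modifier: int) -> int:
    """Model of AUTIA/AUTDA: strip the PAC if it verifies, else fail."""
    ptr = signed & VA_MASK
    if (signed & PAC_MASK) >> VA_BITS != compute_pac(key, ptr, modifier):
        raise PacError(f"PAC mismatch for {ptr:#x}")
    return ptr


def verifies(key: bytes, signed: int, modifier: int) -> bool:
    """True if the signed pointer authenticates under this modifier."""
    try:
        pac_auth(key, signed, modifier)
        return True
    except PacError:
        return False


def demo(key: bytes) -> dict:
    """Sign a return address for one stack frame, then attempt the two things
    a memory-corruption exploit would do: overwrite the address in place
    (keeping the old PAC) and replay a pointer signed for another frame."""
    frame = 0x16FD_FF00          # constructed: stack pointer used as modifier
    ret = 0x1000_2000            # constructed: legitimate return address
    signed = pac_sign(key, ret, frame)

    # 1. Overwrite: attacker replaces the low 48 bits, PAC left untouched.
    overwritten = (signed & PAC_MASK) | 0xDEAD_0000
    # 2. Replay: a pointer legitimately signed for a different frame.
    other_frame = 0x16FD_FE00
    replayed = pac_sign(key, ret, other_frame)

    return {
        "benign": pac_auth(key, signed, frame) == ret,
        "overwrite_rejected": not verifies(key, overwritten, frame),
        "replay_rejected": not verifies(key, replayed, frame),
        "guess_space": 1 << PAC_BITS,   # number of possible PAC values
    }


if __name__ == "__main__":
    for name, value in demo(bytes(range(16))).items():
        print(f"{name}: {value}")
```

The modifier is what makes a signed pointer usable only where it was created: a value harvested from one frame does not authenticate in another. The guess_space figure shows the flip side of the design. With a PAC this narrow there are only 65,536 candidate values, so the protection rests on every wrong guess being fatal to the process; an attacker who can test a guess without crashing, which is what a speculative-execution side channel offers, is no longer limited by that.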


Authorities Shut Down Russian RSOCKS Botnet That Hacked Millions of Devices

source: thehackernews.com  |  image: pexels.com

The U.S. Department of Justice (DoJ) on Thursday disclosed that it took down the infrastructure associated with a Russian botnet known as RSOCKS in collaboration with law enforcement partners in Germany, the Netherlands, and the U.K.

The botnet, operated by a sophisticated cybercrime organization, is believed to have ensnared millions of internet-connected devices, including Internet of Things (IoT) devices, Android phones, and computers for use as a proxy service.

Botnets, a constantly evolving threat, are networks of hijacked computer devices that are under the control of a single attacking party and are used to facilitate a variety of large-scale cyber intrusions such as distributed denial-of-service (DDoS) attacks, email spam, and cryptojacking.


New ‘GoodWill’ Ransomware Forces Victims to Donate Money and Clothes to the Poor

source: thehackernews.com  |  image: Pixabay.com

Cybersecurity researchers have disclosed a new ransomware strain called GoodWill that compels victims to donate to social causes and provide financial assistance to people in need.

“The ransomware group propagates very unusual demands in exchange for the decryption key,” researchers from CloudSEK said in a report published last week. “The Robin Hood-like group claims to be interested in helping the less fortunate, rather than extorting victims for financial motivations.”

Written in .NET, the ransomware was first identified by the India-based cybersecurity firm in March 2022, with the infections blocking access to sensitive files by making use of the AES encryption algorithm. The malware is also notable for sleeping for 722.45 seconds to interfere with dynamic analysis.

The encryption process is followed by the display of a multi-page ransom note that requires the victims to carry out three socially driven activities in order to obtain the decryption kit.

This includes donating new clothes and blankets to the homeless, taking any five underprivileged children to Domino’s Pizza, Pizza Hut, or KFC for a treat, and offering financial support to patients who need urgent medical attention but don’t have the financial means to do so.

Additionally, the victims are asked to record the activities in the form of screenshots and selfies and post them as evidence on their social media accounts.

“Once all three activities are completed, the victims should also write a note on social media (Facebook or Instagram) on ‘How you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill,'” the researchers said.

No GoodWill victims are known, and the exact tactics, techniques, and procedures (TTPs) used to carry out the attacks remain unclear.

The identity of the threat actor is also unknown, although an analysis of the email address and network artifacts suggests that the operators are from India and speak Hindi.

Further investigation into the ransomware sample has also revealed significant overlaps with another Windows-based strain called HiddenTear, the first ransomware to have been open-sourced as a proof-of-concept (PoC) back in 2015 by a Turkish programmer.

“GoodWill operators may have gained access to this allowing them to create a new ransomware with necessary modifications,” the researchers said.


Don’t accidentally hire a North Korean hacker, FBI warns

source: theguardian.com  |  image: pexels.com

Employing remote IT workers who are secretly working for Kim Jong-un’s regime poses risks and may breach sanctions, say US agencies


US officials have warned businesses against inadvertently hiring IT staff from North Korea, saying that rogue freelancers were taking advantage of remote work opportunities to hide their true identities and earn money for Pyongyang.

An advisory issued by the state and treasury departments and the FBI said the effort was intended to circumvent US and UN sanctions, and bring in money for North Korea’s nuclear weapons and ballistic missile programs. The officials said companies who hired and paid such workers may be exposing themselves to legal consequences for sanctions violations.


FBI, CISA, and NSA warn of hackers increasingly targeting MSPs

source: bleepingcomputer.com, contributed by FAN Steve Page  |  image: pixabay.com


Members of the Five Eyes (FVEY) intelligence alliance today warned managed service providers (MSPs) and their customers that they’re increasingly targeted by supply chain attacks.

Multiple cybersecurity and law enforcement agencies from FVEY countries (NCSC-UK, ACSC, CCCS, NCSC-NZ, CISA, NSA, and the FBI) shared guidance for MSPs to secure networks and sensitive data against these rising cyber threats.

“The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships,” the joint advisory reads.


Anatomy of a Phishing Scam As Told Through Scamming the Scammer


source: blog.avast.com  |  image: pixabay.com


Here’s a “scam the scammer” SMS conversation to highlight some of the red flags to look out for the next time your “boss” messages you.

Sometimes it feels like scammers are coming at you from every direction these days. They’re on the phone. They’re on SMS. They’re on social media. Sorting the real from the nonsense can feel like a full time job but, for some people, that “job” turns into fun.

That’s what happened recently when a professional woman in New York City decided to play around a little bit with her “boss,” (spoiler: not her boss) who was making odd requests via text. And while “scam the scammer” situations like this one are often hilarious, they’re also a great way to learn about the methodology that scammers use to trick people into giving them money. 

So let’s take a look at the following “scam the scammer” SMS conversation to highlight some of the red flags to look out for the next time your “boss” messages you. 

1. They set up a situation where you can’t talk to them on the phone.

“Josh” makes it clear up front that he can’t talk on the phone. Obviously there are some situations where this is legitimate — like if he was actually Josh and was actually at a conference — but “Cris,” as an employee, would likely know if her boss was out of office. The scammer is hoping that Cris doesn’t know her boss’ schedule.


North Korean hackers targeting journalists with novel malware

source: bleepingcomputer.com  |  image: pixabay.com


North Korean state-sponsored hackers known as APT37 have been discovered targeting journalists specializing in the DPRK with a novel malware strain.

The malware is distributed through a phishing attack first discovered by NK News, an American news site dedicated to covering news and providing research and analysis about North Korea, using intelligence from within the country.

The APT37 hacking group, aka Ricochet Chollima, is believed to be sponsored by the North Korean government, which sees news reporting as a hostile operation, and attempted to use this attack to access highly-sensitive information and potentially identify journalists’ sources.

After NK News discovered the attack, they contacted the malware experts at Stairwell for further assistance, who took over the technical analysis.


Russian hackers targeted NATO, eastern European militaries: Google

source: indianexpress.com  |  image: pexels.com

Russia, which is now under heavy Western economic sanctions following its decision to invade Ukraine on Feb. 24, regularly denies accusations of mounting cyber attacks on Western targets.


Russian hackers have recently attempted to penetrate the networks of NATO and the militaries of some eastern European countries, Google’s Threat Analysis Group said in a report published on Wednesday.

The report did not say which militaries had been targeted in what Google described as “credential phishing campaigns” launched by a Russian-based group called Coldriver, or Callisto.

“These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown,” the report said.

NATO was not immediately available for comment on the report.


In 2019, Finnish cybersecurity firm F-Secure Labs described Callisto as an unidentified and advanced threat actor “interested in intelligence gathering related to foreign and security policy” in Europe.

The group also targeted a NATO Centre of Excellence, Wednesday’s Google report said, without elaborating.

In a statement, the centre did not directly address Google’s report but said: “We see malicious cyber activity on a daily basis.”


Microsoft App Store Sizzling with New ‘Electron Bot’ Malware

source: threatpost.com  |  image: pexels.com


The SEO poisoning bot, capable of full system takeover, is actively taking over social media accounts, masquerading as popular games like Temple Run.

A backdoor malware that can take over social-media accounts – including Facebook, Google and Soundcloud – has infiltrated Microsoft’s official store by cloning popular games such as Temple Run or Subway Surfer.

The backdoor, dubbed Electron Bot, gives attackers complete control over compromised machines. Among the multiple evil deeds it can execute remotely, it enables its operators to register new accounts, log in, and comment on and like other social media posts – all in real time.

In a Thursday report, Check Point Research (CPR) said that the malware has claimed more than 5,000 victims in 20 countries – most from Bermuda, Bulgaria, Russia, Spain and Sweden – in its actively ongoing onslaught.


TrickBot Ravages Customers of Amazon, PayPal and Other Top Brands

source: threatpost.com  |  image: pixabay.com


The resurgent trojan has targeted 60 top companies to harvest credentials for a wide range of applications, with an eye to virulent follow-on attacks.

Cyberattackers are targeting 60 different high-profile companies, many of them in the U.S., with the TrickBot malware, researchers have warned. According to Check Point Research (CPR), the goal is to attack those companies’ customers, who are being cherry-picked for victimization.

According to a Wednesday CPR writeup, TrickBot is targeting well-known brands that include Amazon, American Express, JPMorgan Chase, Microsoft, Navy Federal Credit Union, PayPal, RBC, Yahoo and others.

“Trickbot attacks high-profile victims to steal the credentials and provide its operators access to the portals with sensitive data where they can cause greater damage,” researchers noted in their report.

On the technical front, the variant that’s being used in the campaign has also added three interesting modules, and new de-obfuscation and anti-analysis approaches, researchers added.

TrickBot’s Back with a New Bag

The TrickBot malware was originally a banking trojan, but it has evolved well beyond those humble beginnings to become a wide-ranging credential-stealer and initial-access threat, often responsible for fetching second-stage binaries such as ransomware.
