• SpyLoan: The Network of 18 Malicious Loan Apps Harvesting Your Data

    In a significant cybersecurity development, ESET, a leading Slovak cybersecurity firm, has unearthed a deceptive network of 18 malicious loan apps, collectively known as “SpyLoan.” These apps, designed to exploit users seeking financial services, have been downloaded over 12 million times. Primarily targeting regions in Southeast Asia, Africa, and Latin America, SpyLoan apps masquerade as legitimate loan services but engage in data theft, extortion, and blackmail.

    Background and Synopsis

    SpyLoan was first identified in 2020 and has seen a resurgence in 2023. ESET’s research revealed that these apps bypassed Google Play’s security measures by adhering to standard privacy policies and KYC norms while masking their true intent.

    In order to entice potential victims, SpyLoan apps offer seemingly attractive loan services with high-interest rates. They exploit their users by:

    • Harvesting personal and financial information.
    • Utilizing the information for blackmail and extortion.
    • Employing harassment tactics for loan repayment.
    • Threatening to release personal photos and videos on social media.

    These apps gained traction through various channels, including scam websites, third-party app stores, and even direct downloads from Google Play.

    Exploitation of Android Permission System

    A key aspect of SpyLoan apps is their abuse of Android’s permission system. These apps request extensive permissions that are unnecessary for their stated purpose of providing financial services. The permissions include access to:

    • Contacts and Call Logs: Used to gather personal information about the user and their network, which is then exploited for blackmail and harassment.
    • SMS Messages: Enables the apps to intercept incoming messages, which can include sensitive information like one-time passwords (OTPs) or other financial data.
    • Media Files and Camera: Access to media files and camera is ostensibly for uploading documents for KYC (Know Your Customer) compliance, but is actually used to gather compromising information.

    Misleading Privacy Policies and Websites

    The SpyLoan apps are crafted to appear legitimate, with privacy policies and user agreements that mimic those of genuine financial services. However, these policies are intentionally deceptive. As ESET notes, “While these SpyLoan apps technically comply with the requirements of having a privacy policy, their practices clearly go beyond the scope of data collection necessary for providing financial services” (ESET).

    These apps often link to websites that are near-replicas of legitimate sites, complete with stolen office environment photos and stock images. This is a tactic designed to create a veneer of authenticity and legitimacy.

    Data Harvesting and Blackmail Tactics

    Once installed, these apps harvest a wide range of personal data from the device. This includes:

    • List of Accounts: Gaining access to account information can lead to identity theft and unauthorized access to other services.
    • Device Info and Installed Apps: This information can be used for targeted phishing attacks or to understand the user’s digital behavior better.
    • Calendar Events and Local Wi-Fi Network Details: Such details provide further personal information that could be used for social engineering attacks.
    • Metadata from Images: This could include location data or other sensitive information embedded in photographs.

    The collected data is then used for blackmail and harassment, pressuring victims into making payments under threats of public exposure or ridicule. Some of the SpyLoan apps employ advanced techniques like overlay attacks, where a fraudulent interface is placed over legitimate apps to steal credentials. Furthermore, methods like JsonPacker are used for code obfuscation, making it challenging to detect and analyze the malicious code.

    Mitigation Recommendations

    To mitigate the risks posed by such threats, users are advised to:

    • Scrutinize App Permissions: Be wary of apps that request excessive permissions, especially those unrelated to the app’s functionality.
    • Verify App Authenticity: Check the developer’s background and the app’s reviews before downloading.
    • Avoid Third-party App Stores: Stick to official app stores like Google Play, as they have more stringent security checks.
    • Stay Informed: Be aware of the latest cybersecurity threats and tactics used by cybercriminals.
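The permission abuse described under "Exploitation of Android Permission System" and the first mitigation above ("Scrutinize App Permissions") can be checked mechanically before an app is allowed onto a managed device. The script below is an added example (not ESET's or Netizen's code): it reads the `<uses-permission>` entries of an `AndroidManifest.xml`, compares them with a small table of what a consumer loan app can plausibly justify, and flags the permissions that unlock the data categories the article says SpyLoan harvests (contacts, call logs, SMS, media, accounts, calendar, Wi-Fi details) plus the overlay permission behind the overlay attacks mentioned later. The sample manifest is constructed, and both permission tables are assumptions derived from the article's list, not an official Google or ESET classification.

```python
"""Audit the permissions an Android app requests against what its stated purpose needs.

Added example, not ESET's or Netizen's code. The manifest below is constructed
for illustration, and the two permission tables are assumptions derived from
the data categories the article names.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: what a consumer loan app can plausibly justify.
EXPECTED_FOR_LOAN_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",  # photographing ID documents for KYC
}

# Permissions that unlock the data categories SpyLoan harvests (assumption:
# mapping built from the article's list of abused data).
HIGH_RISK = {
    "android.permission.READ_CONTACTS": "contact list, used to harass the victim's network",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "stored SMS, including one-time passwords",
    "android.permission.RECEIVE_SMS": "interception of incoming SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "media files and their metadata",
    "android.permission.READ_MEDIA_IMAGES": "photos, including embedded location data",
    "android.permission.GET_ACCOUNTS": "list of accounts on the device",
    "android.permission.READ_CALENDAR": "calendar events",
    "android.permission.ACCESS_WIFI_STATE": "local Wi-Fi network details",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows drawn over other apps",
}

# Constructed manifest in the shape of a SpyLoan-style request set.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.loanapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Example Loan"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def audit_permissions(manifest_xml: str) -> dict:
    """Classify each requested permission as expected, high-risk, or unexplained."""
    root = ET.fromstring(manifest_xml)
    flagged, unexplained = [], []
    for perm in requested_permissions(manifest_xml):
        if perm in EXPECTED_FOR_LOAN_APP:
            continue
        if perm in HIGH_RISK:
            flagged.append((perm, HIGH_RISK[perm]))
        else:
            unexplained.append(perm)
    if flagged:
        verdict = "high"        # requests data a loan app has no business reading
    elif unexplained:
        verdict = "review"      # on neither table; needs a human look
    else:
        verdict = "ok"
    return {
        "package": root.get("package"),
        "flagged": flagged,
        "unexplained": unexplained,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = audit_permissions(SAMPLE_MANIFEST)
    print(f"{report['package']}: {report['verdict'].upper()}")
    for perm, why in report["flagged"]:
        print(f"  HIGH  {perm}: {why}")
    for perm in report["unexplained"]:
        print(f"  CHECK {perm}")
```

The "expected" table is the important design choice: it is deliberately tied to the app's stated purpose, so the same manifest would be judged differently for a messaging app. A permission that is dangerous in the abstract is not the signal; a permission that the app's function cannot explain is.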

    List of Malicious Apps

    The following are the identified SpyLoan apps, which have now been removed from the Google Play Store:

    1. AA Kredit: इंस्टेंट लोन ऐप (com.aa.kredit.android)
    2. Amor Cash: Préstamos Sin Buró (com.amorcash.credito.prestamo)
    3. Oro Préstamo – Efectivo rápido (com.app.lo.go)
    4. Cashwow (com.cashwow.cow.eg)
    5. CrediBus Préstamos de crédito (com.dinero.profin.prestamo.credito.credit.credibus.loan.efectivo.cash)
    6. ยืมด้วยความมั่นใจ – ยืมด่วน (com.flashloan.wsft)
    7. PréstamosCrédito – GuayabaCash (com.guayaba.cash.okredito.mx.tala)
    8. Préstamos De Crédito-YumiCash (com.loan.cash.credit.tala.prestmo.fast.branch.mextamo)
    9. Go Crédito – de confianza (com.mlo.xango)
    10. Instantáneo Préstamo (com.mmp.optima)
    11. Cartera grande (com.mxolp.postloan)
    12. Rápido Crédito (com.okey.prestamo)
    13. Finupp Lending (com.shuiyiwenhua.gl)
    14. 4S Cash (com.swefjjghs.weejteop)
    15. TrueNaira – Online Loan (com.truenaira.cashloan.moneycredit)
    16. EasyCash (king.credit.ng)
    17. สินเชื่อปลอดภัย – สะดวก (com.sc.safe.credit)

    Conclusion

    SpyLoan represents a sophisticated and malicious exploitation of users’ trust in online financial services. Its discovery underscores the importance of vigilance and cybersecurity awareness when engaging with online loan providers. This report serves as a crucial reminder of the risks associated with online financial transactions and the importance of cybersecurity vigilance.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time – 

    https://www.netizen.net/contact

  • The Massive 23andMe Data Breach: Implications and Responses

    In October, the genetic testing company 23andMe faced a significant data breach, initially believed to affect about 14,000 of its users. However, further assessments revealed that nearly half of its 14 million users, approximately 6.9 million individuals, were impacted. The specific individuals or groups responsible for the 23andMe data breach have not been publicly identified in the information available. The breach was carried out using a technique known as credential stuffing, where attackers use previously stolen or leaked usernames and passwords to gain unauthorized access to accounts. This method suggests that the attackers may have utilized databases of compromised credentials from other breaches to target 23andMe accounts.
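Credential stuffing, as described above, leaves a recognisable trace in authentication logs: one source cycling through many different usernames in a short time, with a low success rate, as opposed to one person failing against their own account. The script below is an added example (not 23andMe's or Netizen's code) of that detection logic run over a few constructed log lines; the log format, the ten-minute window and the five-account threshold are assumptions a defender would tune to their own traffic.

```python
"""Spot credential-stuffing patterns in authentication logs.

Added example, not 23andMe's or Netizen's code. The log lines are constructed;
the log format, thresholds and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed: one source cycling through many accounts with a single success,
# one user mistyping their own password, and one harmless pair of logins.
SAMPLE_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-10-01T12:00:02Z ip=198.51.100.7 user=hank result=FAIL
2023-10-01T12:00:03Z ip=203.0.113.5 user=carol result=FAIL
2023-10-01T12:00:04Z ip=203.0.113.5 user=dave result=FAIL
2023-10-01T12:00:05Z ip=203.0.113.5 user=erin result=OK
2023-10-01T12:00:06Z ip=203.0.113.5 user=frank result=FAIL
2023-10-01T12:00:20Z ip=198.51.100.7 user=hank result=FAIL
2023-10-01T12:00:40Z ip=198.51.100.7 user=hank result=OK
2023-10-01T12:05:00Z ip=192.0.2.9 user=ivy result=OK
2023-10-01T12:06:00Z ip=192.0.2.9 user=jon result=OK
""".splitlines()


def parse_log(lines):
    """Return (timestamp, ip, user, success) tuples, skipping lines that do not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_credential_stuffing(lines, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs that try at least `min_accounts` distinct usernames within `window`.

    Many *different* accounts from one source is the stuffing signature; one
    account failing repeatedly is usually a person mistyping a password.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse_log(lines):
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        for i in range(len(events)):
            # Sliding window anchored at event i.
            in_window = [e for e in events[i:] if e[0] - events[i][0] <= window]
            accounts = {user for _, user, _ in in_window}
            if len(accounts) >= min_accounts:
                findings[ip] = {
                    "attempts": len(in_window),
                    "distinct_accounts": len(accounts),
                    # Successes from a stuffing source are the accounts to force-reset.
                    "compromised": sorted({u for _, u, ok in in_window if ok}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_accounts']} accounts in {info['attempts']} attempts; "
              f"reset: {', '.join(info['compromised']) or 'none'}")
```

The `compromised` list is what makes the finding actionable: those are the accounts whose reused passwords worked, and they are the ones a forced password reset and mandatory two-step verification, the measures 23andMe adopted, are meant to close off.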

    The Breach and Its Scope

    The 23andMe data breach, which compromised a substantial amount of Personally Identifiable Information (PII), highlights the already significant privacy concerns within the realm of genealogy testing companies. The breach allowed unauthorized access to sensitive features like “DNA Relatives” and “Family Tree,” leading to the scraping of critical data such as ancestry information, health data based on genetics, names, birth years, and familial relationships. Particularly concerning was the exposure of data related to users of Ashkenazi Jewish and Chinese descent, underscoring the potential risks of genetic discrimination. As reported by HealthITSecurity, this targeted nature of the breach “put minority groups at risk”​​. TechCrunch provided insight into the extent of the breach, noting that “The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location”​​. This breach not only jeopardized individual privacy but also raised alarms about the broader implications of genetic data misuse.

    Company Response

    In response, 23andMe took steps to mitigate the breach’s impact, with a spokesperson stating, “We are working to remove this information from the public domain”​​, highlighting the company’s efforts to address the aftermath of the breach. The company updated its user agreement to include new terms that make it more challenging for customers to initiate class action lawsuits. These provisions include a longer initial dispute period and stronger language to prevent collective legal actions. Furthermore, 23andMe has required all users to reset their passwords and implemented mandatory two-step verification for all logins. Additionally, the company has been actively working to remove the leaked information from public domains​​​​.

    The Broader Impact

    The 23andMe incident highlights the broader implications of data breaches in the healthcare and genetic testing sectors. As companies collect more sensitive personal and genetic information, the potential consequences of data breaches become increasingly severe, especially when companies like 23andMe and Ancestry are not HIPAA compliant. It is imperative that companies like 23andMe and their users remain vigilant against such cyber threats to protect the privacy and integrity of personal genetic data. Prospective customers of companies like 23andMe should also be aware that, while these companies hold a significant amount of your PHI (Personal Healthcare Information), they are not HIPAA compliant.


  • Nightshade: Training Data Poisoning Attacks in Machine Learning Security

    AI training data poisoning is a form of cybersecurity threat that targets the integrity of machine learning models by deliberately inserting misleading or harmful data into the training set. This tactic can compromise the model’s accuracy, leading to incorrect or manipulated outputs. Nightshade, a tool developed by Ben Zhao’s team at the University of Chicago, is a prime example of why training data poisoning attacks threaten the reliability of trusted LLMs (Large Language Models). Nightshade allows artists to subtly alter the pixels in their images, rendering them as “poisoned” data for AI models. When such data is used in training, it can cause the model to misinterpret and generate incorrect outputs, like confusing dogs with cats or cars with cows as shown in the figure below.

    A table showing a grid of thumbnails of generated images of Hemlock attack-poisoned concepts from SD-XL models contrasted with images from the clean SD-XL model in increments of 50, 100, and 300 poisoned samples.

    In the graphic above, the Nightshade team’s experimentation with one of Stable Diffusion’s latest models (SD-XL) is showcased. Initially, the researchers introduced 50 poisoned images of dogs into the model. The resulting images generated by Stable Diffusion were notably distorted, featuring creatures with an excess of limbs and cartoonish facial features. Further intensifying their approach, with 300 poisoned samples, they were able to manipulate the model to such an extent that it started generating images where dogs appeared more like cats. This dramatic transformation highlights the significant impact that even a relatively small number of poisoned inputs can have on AI model outputs.

    Nightshade’s Implications on GPT Models

    The potential harm of data poisoning extends beyond image generation. Large language models like GPT-3 and GPT-4 are also susceptible. These models rely on vast datasets from diverse sources such as Common Crawl, WebText, and OpenWebText, and even books, making them vulnerable to targeted poisoning attacks. The OWASP List for LLMs highlights this vulnerability, emphasizing the risks of over-reliance on AI content, where the introduction of false or malicious documents into the training data can reflect in the model’s outputs.

    Preventing Data Poisoning

    Preventing and detecting data poisoning is critical. Security measures like input validity checking, rate limiting, regression testing, and manual moderation are essential, and must be implemented in modern LLMs in order to lessen the risk of being hit with a training data poisoning attack. Utilizing statistical techniques to detect anomalies and setting up restrictions on user inputs can also help mitigate risks. Moreover, organizations should consider running red team exercises against their models in order to identify potential vulnerabilities and craft defenses against such attacks.

    A Difficult Problem to Solve

    The stakes are high, as these attacks can have far-reaching implications; poisoning attacks are not as detectable as a common cyberattack, and attackers who use them may have a different goal in mind. For instance, poisoned data can lead to the generation of biased opinions, spread misinformation, or even incite hate crimes. Attacks using this poisoned data are hard to identify and remove, due to the sheer amount of information used in training, necessitating expensive and time-consuming fixes like retraining the model with clean data.

    Conclusion

    In summary, AI training data poisoning represents a significant threat to the integrity and reliability of AI models. Tools like Nightshade highlight the need for increased awareness and robust security measures to protect against these sophisticated attacks. As the reliance on AI grows, so does the importance of safeguarding against data poisoning to ensure the reliability and trustworthiness of AI systems.


  • Critical WebKit Vulnerabilities Patched in Latest Apple Updates

    Two significant vulnerabilities have been identified in the WebKit web browser engine, impacting a range of Apple devices and operating systems. These vulnerabilities are critical and require immediate attention.

    1. CVE-2023-42916: This is an out-of-bounds read issue in WebKit. It presents a risk of leaking sensitive information when processing web content. Such a vulnerability can be exploited to access data that should normally be off-limits, potentially exposing personal or confidential information.
    2. CVE-2023-42917: This vulnerability is a memory corruption bug within WebKit. It is particularly concerning because it could lead to arbitrary code execution. When exploited, it allows attackers to run their own code on the affected device, leading to a range of possible attacks, including system takeover, data manipulation, or further spreading of malware.

    Apple has acknowledged these vulnerabilities and released updates for a range of devices. Users are urged to update their devices to the latest versions as soon as possible to mitigate these risks.

    • iOS 17.1.2 and iPadOS 17.1.2: This update applies to iPhone XS and later models, iPad Pro (12.9-inch, 2nd generation and later), iPad Pro (10.5-inch), iPad Pro (11-inch, 1st generation and later), iPad Air (3rd generation and later), iPad (6th generation and later), and iPad mini (5th generation and later).
    • macOS Sonoma 14.1.2: Users running macOS Sonoma on their Macs should update to this version. It contains fixes specifically targeted at these WebKit vulnerabilities.
    • Safari 17.1.2: For Mac users running macOS Monterey and macOS Ventura, updating Safari to version 17.1.2 is crucial for securing their browsing experience.

    Additional Vulnerabilities

    In 2023, Apple has been actively addressing a significant number of zero-day vulnerabilities, with CVE-2023-42916 and CVE-2023-42917 marking the 19th and 20th such issues fixed by the company.

    Google’s Threat Analysis Group (TAG) revealed CVE-2023-42824, a critical zero-day bug in the XNU kernel affecting iPhones and iPads, which could allow attackers to escalate privileges.

    Three additional zero-day vulnerabilities – CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993 – were patched following reports from Citizen Lab and Google TAG. These bugs were exploited by threat actors to deploy the Predator spyware.

    Citizen Lab also disclosed two zero-day vulnerabilities, CVE-2023-41061 and CVE-2023-41064, which Apple addressed in September. These vulnerabilities were part of a zero-click exploit chain, named BLASTPASS, used to install the notorious Pegasus spyware developed by NSO Group. For more information on BLASTPASS, check out Netizen’s report on the set of vulnerabilities.

    Additionally, eleven other zero-days have been patched by Apple in 2023, including:

    • Two in July: CVE-2023-37450 and CVE-2023-38606.
    • Three in June: CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439.
    • Three more in May: CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373.
    • Two in April: CVE-2023-28206 and CVE-2023-28205.
    • An additional WebKit zero-day, CVE-2023-23529, patched in February.


  • U.S. Sanctions Target Kimsuky: A Strategic Move in Cybersecurity Against the DPRK

    On Thursday, the Office of Foreign Assets Control (OFAC) under the U.S. Department of the Treasury announced sanctions against the North Korean-affiliated group Kimsuky, along with eight international agents accused of helping North Korea evade sanctions. These sanctions, imposed against the North Korean cyberespionage group (also known as APT43), mark a significant step in global efforts to curb the Democratic People’s Republic of Korea’s (DPRK) cyber activities. They were partly a response to North Korea’s launch of a military reconnaissance satellite in November 2023, but they also aim to impede the DPRK’s revenue generation, which is built on cryptocurrency theft, and its procurement of missile technology, both of which support its weapons of mass destruction (WMD) programs.

    Kimsuky’s Origins and Operations within the RGB

    Kimsuky has been active since at least 2012, operating as an element within North Korea’s primary foreign intelligence service, the Reconnaissance General Bureau (RGB). The group is known for employing sophisticated social engineering tactics, particularly against South Korean and U.S.-based government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues​​.

    Intensified Social Engineering Tactics in 2023

    In 2023, U.S. and South Korean intelligence agencies warned of Kimsuky’s increased use of social engineering to gather intelligence on geopolitical events, foreign policy strategies, and security developments affecting North Korea. Their methods include mimicking key figures and using credible spear-phishing campaigns to target individuals in think tanks, academia, and the news media sectors​​.

    Kimsuky’s Powerful OSINT Tactics

    Kimsuky’s tactics involve leveraging open-source information to identify and impersonate real individuals, crafting convincing email messages to gain trust and rapport with their targets. They use password-protected malicious documents, often attached directly or hosted on platforms like Google Drive or Microsoft OneDrive, to gain backdoor access to victims’ devices. This access enables them to stealthily auto-forward all emails from a victim’s inbox to an actor-controlled account. The group also uses fake versions of websites and applications to harvest victims’ login credentials. Notably, Kimsuky has made use of custom tools like ReconShark (an upgraded version of BabyShark) and RandomQuery for reconnaissance and information exfiltration.

    International Collaboration and Future Challenges

    The United States, in collaboration with allies like Australia, Japan, and South Korea, is employing a multi-faceted approach that combines sanctions, public awareness, and cybersecurity measures. However, the evolving nature of Kimsuky’s operations, characterized by resilience and adaptability, continues to pose a significant challenge. This necessitates ongoing vigilance and a comprehensive, collaborative approach to cybersecurity on a global scale.

    Conclusion

    The collective efforts of the United States and its allies, including targeted sanctions and increased global awareness, are crucial steps in combating the persistent and evolving cyber threat posed by North Korea. However, despite these efforts, the DPRK’s cyber capabilities remain a formidable challenge, underscoring the need for ongoing vigilance and a comprehensive approach to cybersecurity.


  • Overview:

    • Phish Tale of the Week
    • Ransomware Attack Hits Ardent Health Services, Disrupts Hospital Operations
    • Ukrainian Authorities Arrest Key Ransomware Operator in International Crackdown
    • How can Netizen help?

    Phish Tale of the Week

    Oftentimes, phishing campaigns created by malicious actors target users through social engineering. For example, in this text message, the actors pose as Royal Mail, a courier service, and inform you that action needs to be taken regarding your package’s delivery. The message politely explains that “RoyalMail” is holding our parcel at the nearest PO Depot, and that we just need to rearrange a delivery in order to receive it. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there are plenty of reasons that point to this being a scam.

    Here’s how we can tell not to click on this smishing link:

    1. The first warning sign for this SMS is the fact that it includes a URL in the message. Typically, companies will send notifications like this through SMS, but they’ll end with a call to action within an already trusted environment, for example the statement “check your tracking details for more information.” Always be sure to think twice and check “urgent” statuses like this one through a trusted environment, and never click on links sent through an SMS from an unknown number.
    2. The second warning sign in this text is the messaging. This message tries to create a sense of urgency and get you to take action by using language such as “is being held” and “Please visit.” Phishing scams commonly attempt to create a sense of urgency in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link sent through SMS.
    3. The final warning sign for this message is the style of the link. After a quick look at the address, one can quickly deduce that we’ve been sent a phishing link. Trusted companies like Royal Mail typically will use a simple, standardized domain as their website. For example, Royal Mail’s official website is simply “royalmail.com.” Threat actors typically will utilize message-related words in the links they send you. After taking one quick look at the URL, “post.office-costs.com,” it’s very obvious that this message is a smishing attempt.


    General Recommendations:

    A smishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages.

    1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does the order number match one you already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    2. Verify that the sender is actually from the company sending the message.
    3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security numbers, etc.? A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many smishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any SMS requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.
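The link check in the third warning sign above (is “post.office-costs.com” really Royal Mail?) and recommendation 5 (verify the URL is the company's own and uses HTTPS) can be turned into a small triage function. The code below is an added example, not part of Netizen's newsletter: it extracts the hostname from a link, reduces it to the registrable domain, compares that against an allowlist of the brand's real domains, and reports why a link looks wrong (brand name used as a subdomain of someone else's domain, delivery-themed words in the hostname, a `user@host` disguise, or plain HTTP). The allowlist, the lure-word list and the tiny stand-in for the Public Suffix List are assumptions; a production version would use the real Public Suffix List.

```python
"""Triage a link from an SMS against the brand it claims to come from.

Added example, not Netizen's code. The allowlist, lure words and the
multi-part suffix table are assumptions; real code should use the
Public Suffix List for the registrable-domain step.
"""
from urllib.parse import urlsplit

# Assumption: an allowlist, maintained by the defender, of the real
# registrable domains each brand sends from.
TRUSTED_DOMAINS = {"royalmail": {"royalmail.com"}}

# Delivery-themed words smishing hostnames borrow (the article's "post"
# plus a few common ones; assumption).
LURE_WORDS = ("post", "parcel", "deliver", "track", "customs", "fee")

# Tiny stand-in for the Public Suffix List (assumption).
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.nz"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname its owner actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str, brand: str) -> dict:
    """Return a verdict ("trusted", "review" or "suspicious") with the reasons behind it."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if not host:
        return {"verdict": "suspicious", "domain": "", "reasons": ["no hostname in URL"]}

    domain = registrable_domain(host)
    reasons = []
    if domain in TRUSTED_DOMAINS.get(brand, set()):
        # Right owner; only the transport is left to check (recommendation 5).
        if parts.scheme != "https":
            reasons.append("brand domain but not HTTPS")
        return {"verdict": "review" if reasons else "trusted", "domain": domain, "reasons": reasons}

    reasons.append(f"registrable domain {domain!r} does not belong to {brand}")
    if brand in host.replace("-", ""):
        reasons.append("brand name used as a subdomain or lookalike on someone else's domain")
    if parts.username:
        # https://brand.com@evil.example/ shows "brand.com" first but connects to evil.example
        reasons.append(f"userinfo {parts.username!r} precedes the real host")
    lures = [w for w in LURE_WORDS if w in host]
    if lures:
        reasons.append("delivery-themed words in hostname: " + ", ".join(lures))
    if parts.scheme != "https":
        reasons.append("not HTTPS")
    return {"verdict": "suspicious", "domain": domain, "reasons": reasons}


if __name__ == "__main__":
    # Constructed links: the article's example plus common disguises.
    for link in ("https://post.office-costs.com/redelivery?id=123",
                 "https://www.royalmail.com/track-your-item",
                 "http://royalmail.com.secure-login.net/",
                 "https://royalmail.com@evil.example/"):
        result = classify_link(link, "royalmail")
        print(f"{result['verdict']:10} {link}")
        for reason in result["reasons"]:
            print(f"           - {reason}")
```

The registrable-domain step is what defeats the "royalmail.com.secure-login.net" trick: the eye reads the brand at the front, but the owner of the link is whoever registered the last two labels.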

    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    Ransomware Attack Hits Ardent Health Services, Disrupts Hospital Operations

    On November 27, 2023, Ardent Health Services, a healthcare provider operating 30 hospitals in states like Texas, New Mexico, Oklahoma, and New Jersey, was hit by a devastating ransomware attack. The attack occurred on Thanksgiving Day, a time typically marked by reduced staffing, which likely exacerbated the situation. The ransomware not only disrupted Ardent’s IT systems but also forced the shutdown of their critical electronic healthcare records system. This led to the diversion of some emergency room patients to other hospitals, highlighting the direct impact on patient care and safety.

    The consequences of the attack were far-reaching. The inability to access electronic health records is a significant setback in any healthcare setting, as it can delay critical patient care processes. The incident also put additional strain on nearby healthcare facilities that had to accommodate diverted patients. It vividly illustrated how cybersecurity breaches can have immediate and tangible effects on people’s lives, especially in sectors as sensitive as healthcare.

    Ardent Health Services responded by shutting down numerous IT systems to contain the breach. The main objective was to restore critical services and ensure the safety of patients amidst the chaos. However, the attack raised significant concerns about the preparedness of healthcare institutions to handle such sophisticated cyber threats. It highlighted the necessity for robust cybersecurity infrastructure and rigorous emergency response protocols to minimize the impact of such attacks on healthcare delivery.

    The Ardent Health Services ransomware attack serves as a critical reminder of the growing cybersecurity threats facing the healthcare sector. Hospitals and healthcare providers are lucrative targets for cybercriminals due to the sensitive nature of the data they handle and their crucial role in public health. This incident underscores the importance of implementing strong cybersecurity measures, including proactive defense strategies, regular data backups, and comprehensive emergency plans, to protect against such disruptive and potentially dangerous cyberattacks.


    Ukrainian Authorities Arrest Key Ransomware Operator in International Crackdown

    In a significant operation against cybercrime, Ukrainian authorities, in cooperation with international law enforcement agencies, arrested an individual on November 28, 2023. This person is believed to be a key figure behind a ransomware group that has targeted organizations in 71 countries. The arrest was part of a broader crackdown that also saw four other individuals detained, signifying a substantial effort in the global fight against ransomware.

    The arrested individual’s group was known for deploying four different strains of ransomware, demonstrating the diversification and sophistication of modern cybercriminal operations. Their tactics included brute force attacks, SQL injection attacks, and the distribution of emails with infected attachments. These methods underscore the evolving nature of cyber threats and the challenges organizations face in protecting their data and systems.

    The operation’s success was largely due to the collaboration between various international law enforcement agencies, including Europol. This global cooperation highlights the necessity of a unified approach in tackling cybercrime, particularly ransomware, which often transcends borders. The arrest sends a strong message to cybercriminals worldwide about the increasing effectiveness and reach of international law enforcement in combating cyber threats.

    This crackdown on a ransomware gang is a critical development in the cybersecurity landscape. It demonstrates a concerted effort by global authorities to pursue and apprehend individuals responsible for significant cyber threats. However, it also brings into focus the continuous need for enhanced cybersecurity measures at the organizational and national levels. As ransomware gangs become more sophisticated, so must the strategies to counter them.

    The arrest in Ukraine is a positive step toward a more secure digital environment, emphasizing the importance of international cooperation in cybercrime investigations. It reinforces the commitment of law enforcement agencies to track down and prosecute individuals behind these disruptive cyberattacks. This event is a crucial reminder of the ongoing battle against ransomware and the need for continued vigilance and robust cybersecurity defenses in all sectors.


    Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Telekopye: Decoding Online Marketplace Scams

    Telekopye is a Telegram bot-based toolkit that streamlines the execution of advanced phishing operations against online marketplaces. It enables its operators, referred to as ‘Neanderthals’, to deploy a range of tactics, including spear-phishing through crafted HTML pages, domain spoofing, and social engineering via SMS and email phishing campaigns. The toolkit marks a significant escalation in how easily and effectively marketplace fraud can be carried out, combining deceptive domain strategies with features such as image manipulation and automated tracking of financial transactions. Understanding how Telekopye is structured and operates is essential for cybersecurity professionals devising defenses against such agile and adaptive threats.

    An Overview of Telekopye’s Operations

    1. Phishing Web Page Generation: At the heart of Telekopye lies its ability to create convincing phishing web pages. These pages, cloned from pre-built HTML templates, are skillfully crafted to imitate legitimate marketplace payment interfaces. Customizable to the smallest details, they lure victims into entering sensitive data under the guise of routine transactions.

    2. Deceptive Domain Strategy: A critical aspect of Telekopye’s modus operandi is its cunning use of domain names. By registering domains and subdomains that mimic established marketplace URLs, it becomes challenging for users to discern the fake from the real. This subtlety in duplicating legitimate URLs significantly enhances the scam’s success rate.

    3. Email and SMS Phishing: Furthering its reach, Telekopye equips scammers with the tools to dispatch authentic-looking phishing emails and SMS messages. These communications, embedded with malicious links, direct victims to the crafted phishing sites. The toolkit’s sophistication extends to spoofing email headers, adding an extra layer of legitimacy.

    4. Image Manipulation Capabilities: Beyond text, Telekopye manipulates images to avoid detection by search engines. This feature, coupled with the ‘Render bot’ component for generating fake screenshots, creates a more convincing scam facade, thereby increasing the likelihood of deceiving vigilant users.

    5. Financial Backend and Payouts: Beyond orchestrating scams, Telekopye meticulously manages the financial aftermath. It keeps track of each scammer’s contributions and streamlines the payout process, predominantly in cryptocurrencies, through an intricate system that calculates and records the financial transactions involved in each scam.

    More Advanced Features

    • Experimental QR Code Generation: A notable addition to Telekopye’s arsenal is the QR code generation feature, hinting at the potential for new scamming methods, such as direct mobile payment frauds.
    • Multi-Language SMS Support: To cast a wider net, Telekopye includes SMS templates in various languages, broadening its target demographic.
    • Online SMS Service Integration: The toolkit enhances its operational scope by leveraging online services like smscab.ru for mass SMS distribution, further amplifying its reach.
    • Decentralized Operations: Telekopye’s user base, labeled as ‘Neanderthals,’ operates within a structured hierarchy ranging from administrators with extensive access to blocked users with no privileges. Each level within this hierarchy plays a distinct role in the scamming ecosystem, shaping the operational dynamics of the group.

    Mitigation and Prevention

    • User Awareness and Education: Understanding the common tactics and appearances of phishing attempts is a critical defense strategy.
    • Robust Security Measures: Online marketplaces must adopt advanced security protocols to detect and preemptively block these sophisticated phishing attempts.
    • Vigilance in Communication: Users should remain alert to inconsistencies in language and be skeptical of offers that seem unusually advantageous.
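    The deceptive domain strategy in item 2 above (brand names embedded in subdomains of unrelated domains, near-identical spellings) is something a marketplace can check for mechanically, which is the kind of detection the “Robust Security Measures” bullet calls for. The following is an added example, not code from the article or from Telekopye itself; the allowlisted marketplace domains are constructed, and the two-label registrable-domain heuristic stands in for a real public-suffix list.

```python
"""Flag URLs whose hostnames imitate a known marketplace domain.

Added example (not from the original article or the Telekopye toolkit).
LEGITIMATE_DOMAINS is a constructed allowlist; a real deployment would load
a curated list and use a public-suffix list instead of the two-label heuristic.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed allowlist of legitimate marketplace domains (assumption).
LEGITIMATE_DOMAINS = {"example-market.com", "shopdemo.net"}

# Single-character substitutions commonly seen in lookalike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "9": "g"})


@dataclass(frozen=True)
class Verdict:
    hostname: str
    suspicious: bool
    reason: str


def registrable_domain(hostname: str) -> str:
    """Return the last two labels (heuristic; no public-suffix list)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> Verdict:
    """Decide whether a URL's hostname resembles an allowlisted marketplace."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return Verdict(host, True, "no hostname in URL")
    reg = registrable_domain(host)
    if reg in LEGITIMATE_DOMAINS:
        # Any subdomain of the real marketplace is under the marketplace's control.
        return Verdict(host, False, "registrable domain is on the allowlist")
    reg_label = reg.split(".")[0]
    for legit in LEGITIMATE_DOMAINS:
        brand = legit.split(".")[0]
        # Brand string placed in a subdomain (or label) of an unrelated domain,
        # e.g. example-market.com.pay-confirm.net
        if brand in host:
            return Verdict(host, True, f"brand '{brand}' embedded under unrelated domain {reg}")
        # Digit-for-letter swaps that read like the brand at a glance.
        if reg_label != brand and reg_label.translate(HOMOGLYPHS) == brand:
            return Verdict(host, True, f"homoglyph variant of '{brand}'")
        # One dropped, added or swapped character.
        if edit_distance(reg_label, brand) <= 1:
            return Verdict(host, True, f"typosquat within one edit of '{brand}'")
    return Verdict(host, False, "no resemblance to allowlisted marketplaces")


if __name__ == "__main__":
    for sample in ("https://pay.example-market.com/checkout",
                   "https://example-market.com.pay-confirm.net/checkout",
                   "https://examp1e-market.com/", "https://exampl-market.com/"):
        print(classify_url(sample))
```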


  • Netizen: November 2023 Vulnerability Review

    Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities is critical to reducing the external attack surface. Netizen’s Security Operations Center (SOC) has compiled five vulnerabilities from November that should be immediately patched or addressed if present in your environment. Detailed writeups are below:

    CVE-2023-43902

    CVE-2023-43902 is a critical privilege escalation vulnerability with a severity rating of 9.8 out of 10 according to the NIST CVSSv3 criteria. The flaw is present in EMSigner version 2.8.7, a widely used software for digital signature and document management. The core issue lies in the software’s handling of password reset tokens: insufficient validation of those tokens allows unauthenticated attackers to gain access to the accounts of all registered users, including those with administrator privileges. In practice this means an attacker can craft a token that passes the reset mechanism’s checks, bypassing the standard authentication process and gaining unauthorized access to any user account. This is particularly concerning because it does not require any form of user interaction, which makes the vulnerability easier to exploit. For more technical details or proof of concept, refer to the SecPro documentation and the NVD entry.
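    The flaw described above is a missing validation step, so as an added example (not EMSigner’s code, and not a description of its internals) here is a hypothetical reset-token handler showing the checks a reset flow needs: an unpredictable token generated from the OS CSPRNG, storage of only its hash, an expiry, binding to the account that requested the reset, constant-time comparison, and single use. The `ResetTokenStore` class and its in-memory storage are assumptions made for the demonstration.

```python
"""Password-reset tokens that cannot be forged, replayed, reused or redeemed
against a different account.

Added example, not EMSigner's code: a hypothetical in-memory token store that
shows the validation a reset flow needs.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # short lifetime bounds how long a leaked token is useful


@dataclass
class _Record:
    user_id: str        # the account that requested the reset; the token is bound to it
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """Stores only SHA-256 hashes of issued tokens, keyed by that hash."""

    def __init__(self) -> None:
        self._records: dict[bytes, _Record] = {}

    @staticmethod
    def _hash(token: str) -> bytes:
        # A database leak exposes hashes only; they cannot be turned back into tokens.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user_id: str, now: float) -> str:
        # Revoke any earlier token for this account so only the newest one is live.
        self._records = {h: r for h, r in self._records.items() if r.user_id != user_id}
        # 256 random bits from the OS CSPRNG: not derived from the user, the time or a
        # counter, so an attacker cannot predict or construct a valid token.
        token = secrets.token_urlsafe(32)
        self._records[self._hash(token)] = _Record(user_id, now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user_id: str, token: str, now: float) -> bool:
        """Return True exactly once, for a live token presented for its own account."""
        rec = self._records.get(self._hash(token))
        if rec is None or rec.used or now > rec.expires_at:
            return False
        # A valid token for one user must not reset another user's password;
        # compare the binding in constant time.
        if not hmac.compare_digest(rec.user_id.encode("utf-8"), user_id.encode("utf-8")):
            return False
        rec.used = True  # single use: presenting the same token again fails
        return True


if __name__ == "__main__":
    store = ResetTokenStore()
    tok = store.issue("alice", now=0.0)
    print("first redeem:", store.redeem("alice", tok, now=60.0))    # True
    print("replayed token:", store.redeem("alice", tok, now=61.0))  # False
```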

    CVE-2023-47246

    In SysAid On-Premise before version 23.3.36, a path traversal vulnerability, CVE-2023-47246, exists that could lead to code execution. This vulnerability was exploited in the wild in November 2023. The severity of this issue is classified as CRITICAL, with a NIST CVSSv3 base score of 9.8/10. The affected systems are those running SysAid On-Premise versions before 23.3.36. The vulnerability allows attackers to execute arbitrary code by performing a path traversal attack, accomplished by writing a malicious file to the Tomcat webroot. The attack complexity is low, and it does not require user interaction. To mitigate this risk, it is recommended to follow the vendor’s instructions for applying mitigations or, if mitigations are unavailable, to consider discontinuing use of the product. For more technical details or proof of concept, refer to the provided documentation links, and be aware that this CVE is listed in CISA’s Known Exploited Vulnerabilities Catalog, so additional guidance and requirements may apply. For more information, refer to the vendor advisory and the NVD entry.

    CVE-2023-6074

    A critical vulnerability, documented as CVE-2023-6074, has been discovered in PHPGurukul Restaurant Table Booking System version 1.0. This vulnerability is associated with the file check-status.php within the Booking Reservation Handler component. The issue allows SQL injection and has been rated as critical in severity. The vulnerability arises from improper handling of user input in check-status.php, which could be exploited to inject malicious SQL queries into the system. The attack can be initiated remotely, meaning that an attacker does not need physical access to the system. The affected version is 1.0 of the PHPGurukul Restaurant Table Booking System; the status of other versions is currently unknown. Users and administrators of this software are strongly advised to take immediate action to address this critical vulnerability, including updating to a patched version, implementing relevant security measures, or temporarily discontinuing use until a fix is available. For more information, refer to the VulDB entry and the NVD entry on the vulnerability.

    CVE-2023-48020

    A Cross-Site Request Forgery (CSRF) issue, documented as CVE-2023-48020, in Dreamer CMS v4.1.3, could lead to unauthorized actions being performed on behalf of authenticated users. This vulnerability has a NIST CVSSv3 base score rating of 8.8/10 and affects Dreamer CMS version 4.1.3 specifically through the endpoint /admin/task/changeStatus. The vulnerability allows attackers to trick authenticated users into submitting a request to the vulnerable endpoint, which can result in unauthorized actions being performed without the user’s knowledge. The attack complexity is low, and it requires some user interaction, typically through social engineering or other deceptive practices. Users of Dreamer CMS v4.1.3 are advised to update to a version where this vulnerability has been addressed or to implement CSRF protection mechanisms if not already present. Technical details and potential exploits have been published, as referenced in the GitHub advisory and NVD entry.

    CVE-2023-28134

    A local privilege escalation issue in Check Point Harmony Endpoint/ZoneAlarm Extreme Security, given the identifier CVE-2023-28134, could allow a local attacker to escalate privileges on affected installations. This vulnerability has a NIST CVSSv3 base score of 7.8/10 and affects Check Point Endpoint Security versions E84, E85, and E86. An attacker who has already obtained the ability to execute low-privileged code on the target system can exploit this vulnerability to gain higher privileges. The attack complexity is low, and it does not require user interaction. The vulnerability results from incorrect permission assignment for critical resources. Users of affected versions are advised to follow the vendor’s recommendations for mitigation. For more information on this vulnerability, see the NVD entry. Check Point has also provided a vendor advisory with mitigation measures.

    Conclusion:

    Software vulnerabilities are a common nuisance to IT and security teams everywhere. Organizations that prioritize the remediation and patching of these vulnerabilities will drastically reduce their attack surface and ensure no doors into their environment are left unlocked. Keeping informed about critical vulnerabilities that could potentially affect your network environment is essential to maintaining your organization’s cybersecurity.


  • NETIZEN TO ATTEND 2023 CDCA EASTERN DEFENSE SUMMIT


    Allentown, PA: Netizen Corporation, an ISO 27001:2013, ISO 9001:2015, and CMMI Level 3 certified Veteran Owned provider of cybersecurity products and solutions, will be sponsoring a booth at the 2023 CDCA Eastern Defense Summit on December 6th and 7th. The event will take place in Charleston, South Carolina at the Charleston Area Convention Center.

    With two weeks until the event, the whole Netizen team is excited to once again return to the CDCA and mingle with some of the brightest minds in the defense and cybersecurity spaces, while also exhibiting some of Netizen’s capabilities.

    This year, Netizen will be showing off some of the new custom-tailored solutions that we provide to both the commercial and federal markets, with members of our team also attending industry-focused workshops throughout the event. Come find us at booth 821 and meet the whole Netizen team!

    Additional details and photographs from the event will be posted directly to the Netizen website at https://www.Netizen.net and to all of Netizen’s social media accounts.

    About Netizen Corporation:

    America’s fastest-growing cybersecurity company, 2nd fastest-growing Veteran-owned company, and 47th fastest-growing private company overall in the nation according to the 2019 Inc. 5000 list of the nation’s most successful businesses, Netizen is a highly specialized cybersecurity solutions provider. They also develop innovative software products that include the award-winning AutoSTIG and Overwatch Governance Suite.

    The company, a certified Service Disabled Veteran Owned Business (SDVOSB), is headquartered in Allentown, PA, with additional locations in Virginia (DC Metro), South Carolina (Charleston), and Florida (Orlando). In addition to being one of the fastest-growing businesses in the US, Netizen has also been named as one of the nation’s “Best Workplaces” by Inc. Magazine and is a US Department of Labor HIRE Vets Platinum Medallion awardee for veteran hiring and support for two years in a row. Learn more at Netizen.net.

    POINT OF CONTACT:

    Akhil Handa

    Chief Operating Officer (COO)

    Phone: 1-800-450-1773

    Email: press@Netizen.net


  • CISA Launches New Pilot Program to Bolster Cybersecurity in Critical Infrastructure Sectors

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken a significant step towards enhancing the cybersecurity posture of the nation’s critical infrastructure sectors. The agency has announced the launch of an innovative pilot program, aimed at extending cutting-edge cybersecurity shared services to critical infrastructure entities, especially those most in need of such support. This move marks a pivotal development in CISA’s ongoing efforts to fortify national cyber defenses against an increasingly complex and evolving threat landscape.

    Boosting Cybersecurity in Critical Infrastructure

    Central to this initiative is CISA’s focus on identifying and collaborating with critical infrastructure entities that could benefit from leveraging commercial shared services provided by the agency. This approach is tailored to evaluate and stress-test CISA’s service delivery mechanisms. More importantly, it showcases CISA’s capability to acquire, deploy, and operate cybersecurity services on a large scale, ensuring robustness and efficiency in its cybersecurity efforts. The program is set to demonstrate CISA’s readiness and adaptability in managing cyber threats across diverse infrastructure sectors.

    The pilot program’s inception is a direct response to the escalating volume and sophistication of cyber threats targeting the United States’ critical infrastructure. Events such as the ransomware attack on Colonial Pipeline and the activities of advanced threat actors have brought to light the urgent need for enhanced cybersecurity measures. By extending its services beyond federal agencies, CISA aims to provide a safety net for infrastructure entities that are rich in targets but poor in resources, especially in sectors that are vital yet vulnerable to cyber attacks.

    Target Rich, Resource Poor

    In its initial phase, the pilot program will focus on three specific sectors that CISA Director Jen Easterly has identified as “Target Rich, Resource Poor.” These sectors include healthcare, water, and K-12 education, all of which play crucial roles in the daily lives of Americans and are increasingly reliant on potentially vulnerable digital infrastructure. The program seeks to establish a common baseline of cyber protection across these sectors, ultimately reducing the frequency and impact of damaging cyberattacks.

    CISA Deploys Protective DNS Resolver

    One of the key components of the pilot program is the deployment of CISA’s Protective Domain Name System (DNS) Resolver. Until now, this tool was exclusively available to federal civilian agencies. The Protective DNS Resolver is a proven and cost-effective solution that employs U.S. government and commercial threat intelligence. It functions by preventing systems from connecting to known or suspected malicious domains, thereby mitigating common cyber risks such as ransomware, phishing, and malicious redirects.

    Conclusion

    By offering these services, CISA is not only expanding its reach but also demonstrating its commitment to a more inclusive and comprehensive approach to national cybersecurity. The pilot program, therefore, represents a strategic expansion of CISA’s role as a provider of cybersecurity services, transitioning from a federal focus to encompassing a wider spectrum of critical infrastructure entities across the nation.

    This initiative by CISA aligns with the broader national objective of strengthening cybersecurity defenses. As the threat landscape evolves, so does the need for innovative and scalable solutions that can effectively address the complex challenges faced by critical infrastructure sectors. Through this pilot program, CISA is poised to play a pivotal role in shaping the future of cybersecurity in the United States, ensuring the resilience and security of essential services that underpin American society.
