  • Thread-Hijacking: The Escalating Threat of Pikabot Malware

    The emergence of Pikabot malware, employed by the group Water Curupira, represents a significant shift in cyber threat tactics, with its deployment closely linked to sophisticated phishing strategies like email conversation thread hijacking.

    Pikabot and Its Operational Tactics

    Pikabot operates as a loader malware with two components: a loader and a core module. This sophisticated design enables unauthorized remote access and the execution of arbitrary commands via a command-and-control server. Initially used in various campaigns for dropping backdoors such as Cobalt Strike, leading to ransomware attacks like Black Basta, Pikabot primarily infiltrates systems through spam emails containing archives or PDF attachments. These emails employ thread-hijacking techniques, making the attacks highly effective due to the established trust in ongoing email conversations.

    Phishing Campaigns and Thread-Hijacking

    Central to Pikabot’s operation is the use of phishing campaigns. These campaigns are meticulously crafted around a technique known as thread-hijacking. Email conversation thread hijacking, also called an email reply chain attack, is an advanced phishing method that leverages existing email conversations to spread malicious content. Attackers gain access to a victim’s email account, monitor ongoing threads, and then insert malicious emails, exploiting the trust between the original conversation participants. Because the trust and context are already established, recipients are far more likely to interact with malicious links or attachments that appear to be part of a legitimate ongoing conversation. Malware families such as Gozi ISFB/Ursnif, Emotet, and Valak have also adopted this technique for their phishing campaigns.

    Pikabot’s Mechanism of Action

    Once a recipient of a Pikabot phish interacts with the email attachment, the malware kicks into action. “The attached archive contains a heavily obfuscated JavaScript (JS) with a file size amounting to more than 100 KB. Once executed by the victim, the script will attempt to execute a series of commands using conditional execution,” as detailed in Trend Micro’s report. This process is essential for Pikabot to establish its foothold in the system. The malware is designed to avoid detection and activation on systems with Russian or Ukrainian language settings, which might suggest geopolitical motivations or affiliations of the threat actor.

    Impact and Significance

    Pikabot’s emergence and capabilities underscore the evolving and adaptive nature of cyber threats. Its association with the Black Basta ransomware attacks through Cobalt Strike backdoors highlights a growing trend of sophistication in cyber attacks. The malware’s ability to infiltrate systems via phishing, execute arbitrary commands, and establish unauthorized remote access presents a formidable challenge to cybersecurity defenses.

    Defending Against Sophisticated Phishing Attacks

    To combat these sophisticated attacks, a combination of advanced email filtering technologies and heightened user awareness is crucial. Traditional methods like trusting emails from known senders are no longer sufficient. Organizations must emphasize continuous education and awareness programs to help employees recognize and avoid these attacks. Incorporating regular phishing training, social engineering exercises, and robust endpoint detection solutions can significantly reduce the risk posed by such advanced phishing techniques.

    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on, providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • SMTP Smuggling: The New Technique Threatening Email Security by Exploiting Protocol Discrepancies

    SMTP smuggling, a novel cybersecurity threat, has emerged as a significant concern due to its ability to exploit vulnerabilities in the Simple Mail Transfer Protocol (SMTP). This protocol is widely used by mail servers for the transmission, reception, and relaying of emails. Discovered by Timo Longin from SEC Consult, SMTP smuggling allows malicious actors to bypass established email authentication protocols and send spoofed emails, undermining the integrity and reliability of email communications.

    Technical Overview: SMTP Smuggling

    The vulnerability central to SMTP smuggling lies in the varying interpretations of the end-of-data sequence (“<CR><LF>.<CR><LF>”) among different SMTP servers. This sequence is critical in SMTP communications as it signifies the end of the email message content. SMTP, as a protocol, uses these specific character sequences to delineate different parts of an email. In this context, “<CR><LF>” represents the carriage return and line feed characters, which are standard text delimiters used to mark the end of a line in electronic text.

    In a typical SMTP communication, when an email is sent, the end-of-data sequence signals to the server that the email body has concluded, and what follows should be treated as part of the SMTP protocol communication, rather than the email content. However, due to the inconsistent handling of this sequence across various SMTP implementations, attackers have found a way to exploit these inconsistencies to insert, or “smuggle,” additional SMTP commands into the email content.

    Here’s a breakdown of how the exploitation works:

    1. Differing Interpretations: Some SMTP servers might interpret the end-of-data sequence in a non-standard way. For example, while one server might strictly adhere to the “<CR><LF>.<CR><LF>” sequence to denote the end of the message, another might accept just “<LF>.<LF>” as a valid end-of-data marker.
    2. Manipulating the End-of-Data Sequence: An attacker can craft an email message that includes what appears to be an end-of-data sequence, followed by additional SMTP commands. Due to the inconsistent interpretations, some servers will treat these additional commands as part of the email content, while others will execute them as SMTP commands.
    3. Spoofing and Bypassing Security Checks: By exploiting these discrepancies, attackers can manipulate the SMTP conversation to insert commands that spoof the sender’s email address or perform other malicious activities. This allows them to bypass security mechanisms like SPF, which are designed to validate the origin of email messages.
    4. Resulting in Spoofed Emails: The outcome is that emails can be sent that appear to originate from legitimate sources, but are actually crafted by attackers. These emails can bypass checks that would normally prevent spoofing, making them effective for phishing and other malicious activities.

    SMTP smuggling, therefore, represents a significant security concern because it undermines the trust and reliability of email communications. The ability to bypass SPF and other email authentication mechanisms can lead to increased success in phishing attacks, where unsuspecting recipients may trust and act upon emails that appear to come from legitimate sources.
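    The breakdown above turns on one question: which byte sequences does a receiving server accept as the end of DATA? The following Python, added here as an illustration and not code from the original post or from SEC Consult, implements the check a strict receiver can apply: it walks the DATA payload, counts bare CR and bare LF characters, and reports any lone “.” line that is not framed by <CR><LF> on both sides. The sample payloads are constructed for the example.

```python
import re

# Bare line endings: an LF not preceded by CR, or a CR not followed by LF.
BARE_LF = re.compile(rb"(?<!\r)\n")
BARE_CR = re.compile(rb"\r(?!\n)")
# Any of the three terminators a lenient receiver might honour as a line break.
ANY_EOL = re.compile(rb"\r\n|\n|\r")


def scan_data(data: bytes) -> dict:
    """Inspect the bytes a client sent after DATA (before the final CRLF.CRLF).

    Returns the number of bare CR / bare LF characters and every lone "." line
    whose surrounding line endings are not both <CR><LF>. A strict receiver keeps
    such a line inside the message body; a lenient one may treat it as
    end-of-data, which is the discrepancy SMTP smuggling relies on.
    """
    findings = []
    pos = 0
    prev_eol = b"\r\n"  # the DATA command itself ended with CRLF
    for m in ANY_EOL.finditer(data):
        line = data[pos:m.start()]
        eol = m.group(0)
        if line == b"." and (prev_eol != b"\r\n" or eol != b"\r\n"):
            # Record the offset of the "." and the exact framing bytes seen.
            findings.append((pos, prev_eol + b"." + eol))
        prev_eol = eol
        pos = m.end()
    return {
        "bare_lf": len(BARE_LF.findall(data)),
        "bare_cr": len(BARE_CR.findall(data)),
        "nonstandard_eod": findings,
    }


def should_reject(data: bytes) -> bool:
    """Policy a strict receiver can apply: refuse any message with a bare CR or LF.

    Rejecting bare line endings outright (not only the dot sequences) closes the
    whole class, because every non-standard end-of-data marker contains one.
    """
    result = scan_data(data)
    return result["bare_lf"] > 0 or result["bare_cr"] > 0


# Constructed sample payloads (not captured traffic).
CLEAN = b"Subject: test\r\n\r\nbody line\r\n"
BARE_LF_DOT = b"Subject: test\r\n\r\nbody line\r\n.\nafter dot\r\n"
BARE_CR_DOT = b"Hello\r.\rWorld\r\n"

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN), ("bare LF", BARE_LF_DOT), ("bare CR", BARE_CR_DOT)]:
        print(name, scan_data(sample), "reject:", should_reject(sample))
```

    The policy in `should_reject` is the same idea behind the vendor mitigations: a server that refuses bare CR or LF in DATA never has to decide how a downstream relay would interpret them.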

    Affected Products and Services

    This vulnerability predominantly impacts products from several key vendors, including Microsoft, GMX, and Cisco. Notably, Cisco Secure Email Gateway and Cisco Secure Email Cloud Gateway are among the affected products. The vulnerability is also present in open-source mail transfer agents like Postfix (CVE-2023-51764), Sendmail (CVE-2023-51765), and Exim (CVE-2023-51766).

    Recommendations for Mitigation

    To mitigate this risk, it is advised to change the default handling of carriage returns and line feed configurations in affected systems, particularly the Cisco Secure Email Cloud Gateway and Cisco Secure Email Gateway, to “Allow” instead of “Clean”. This simple yet critical adjustment prevents the exploitation of the vulnerability, enhancing the security of email communications.

    In addition to these specific recommendations, organizations using affected SMTP servers should conduct thorough reviews of their email security protocols and configurations. Regular updates and patches provided by vendors should be applied promptly to address any emerging threats.

    Conclusion

    SMTP smuggling represents a significant challenge in the realm of email security, highlighting the ever-evolving nature of cyber threats. The ability of attackers to circumvent traditional security measures such as SPF, DKIM, and DMARC through this technique calls for a heightened level of vigilance and adaptive security measures. Organizations must stay informed about such vulnerabilities and take proactive steps to safeguard their email infrastructure against these sophisticated attack methods.


  • Angel Drainer: The Rise of ‘Scam-as-a-Service’ in Cryptocurrency Phishing

    The year 2023 marked a significant surge in phishing attacks targeting cryptocurrency wallets, highlighting the increasing sophistication of cybercriminal activities in the blockchain space. These attacks, impacting a wide range of networks including Ethereum, Binance Smart Chain, Polygon, Avalanche, and nearly 20 others, have led to substantial financial losses, totaling nearly $295 million stolen from approximately 324,000 victims.

    The Sophistication of Modern Phishing Scams

    The tactics used in these phishing scams have evolved significantly. Scammers have employed various methods to lure victims, including the creation of counterfeit websites that mimic legitimate cryptocurrency platforms. These sites often use malvertising schemes, exploiting the vulnerabilities in ad networks to spread malicious content. Unsolicited emails and social media messages are also common tools for these scams.

    In one notable instance, fake ads for cryptocurrency platforms on Google and X (formerly Twitter) redirected users to these fraudulent sites, leading to the draining of funds from their digital wallets. The scammers induced users to interact with malicious smart contracts under the guise of claiming airdrops, which stealthily increased the attacker’s allowance through functions like ‘approve’ or ‘permit,’ thereby granting them access to the victims’ funds.

    The ‘Scam-as-a-Service’ Model

    Central to this surge of phishing attacks is the emergence of the ‘Scam-as-a-Service’ model, similar to the already prevalent ‘Ransomware-as-a-Service’ model that has been plaguing the community over the past few years. Threat actor groups like Angel Drainer and Inferno Drainer, which recently announced its shutdown, have been instrumental in facilitating these scams. They provide wallet-draining scripts and other services to other cybercriminals, charging a percentage (typically 20-30%) of the stolen amount as their fee.

    Core Features of the ‘Scam-as-a-Service’ Model

    1. Tool Provisioning: At the heart of this model is the provision of tools and scripts that enable other criminals to carry out cryptocurrency wallet phishing. These tools are sophisticated and tailored to exploit vulnerabilities in various blockchain networks and digital wallet systems. They include wallet-draining scripts that can siphon funds from unsuspecting victims’ wallets.
    2. Business-Like Operations: The entities behind these services operate in a manner reminiscent of legitimate businesses. They have service offerings, pricing models (often a percentage of the stolen funds), customer support, and even marketing strategies. This business-like approach enhances their appeal and accessibility to a broader range of criminals, not just those with advanced technical skills.
    3. Revenue Model: Revenue is generated by taking a cut from the stolen funds. Groups like Angel Drainer and Inferno Drainer are known to charge around 20% to 30% of the stolen cryptocurrency. This model incentivizes the continual improvement of their tools to ensure higher success rates in theft, thus maximizing their earnings.
    4. Anonymity and Security: These services operate with a high degree of anonymity. Communication is often conducted over encrypted channels, and transactions are made using cryptocurrencies, which can be further obscured through techniques like mixing or laundering. This makes it difficult for law enforcement to track and identify the individuals behind these services.
    5. Adaptation and Evolution: The ‘Scam-as-a-Service’ model is highly adaptable, with service providers constantly evolving their tools and techniques to bypass emerging security measures and exploit new vulnerabilities. This continual adaptation means that the threat they pose is always changing, requiring constant vigilance from cybersecurity professionals.
    6. Collaboration and Community: These services foster a sense of community among cybercriminals. There is often collaboration and sharing of best practices within this community, further enhancing the effectiveness of their scams. This collaborative aspect also means that when one service shuts down, as seen with Inferno Drainer, others quickly emerge to fill the void, perpetuating the cycle of cybercrime.

    In response to these threats, the crypto community and cybersecurity experts have been advocating for enhanced security measures. They recommend the use of hardware wallets, which are considered more secure than software wallets, as they store the user’s private keys in a physical device, making it harder for hackers to access them remotely.

    Furthermore, verifying the legitimacy of smart contracts and regularly reviewing wallet allowances for any signs of suspicious activity are crucial steps in mitigating the risks posed by these scams. Platforms like Scam Sniffer have emerged, specializing in the detection and analysis of such scams, and providing crucial information for users to protect themselves.
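    Reviewing wallet allowances means folding the token’s Approval events into the allowance that is live right now and asking whether each spender deserves it. The Python below is an added example, not code from the original post or from Scam Sniffer; the events and addresses are constructed placeholders, and a real review would pull the same records from a chain RPC endpoint. It shows two details the paragraph leaves implicit: an ERC-20 `approve` (and an EIP-2612 `permit`, which also emits Approval) overwrites the previous allowance rather than adding to it, and the “unlimited” allowance that drainers request is the sentinel value 2^256 - 1.

```python
MAX_UINT256 = 2**256 - 1

# Constructed ERC-20 Approval events for one wallet; addresses are placeholders.
OWNER = "0xOWNER_WALLET"
EVENTS = [
    {"block": 100, "token": "0xTOKEN_A", "owner": OWNER,
     "spender": "0xKNOWN_DEX_ROUTER", "value": 10**18},
    {"block": 120, "token": "0xTOKEN_A", "owner": OWNER,
     "spender": "0xUNKNOWN_CONTRACT", "value": MAX_UINT256},
    {"block": 130, "token": "0xTOKEN_B", "owner": OWNER,
     "spender": "0xANOTHER_UNKNOWN", "value": 5 * 10**18},
    {"block": 140, "token": "0xTOKEN_B", "owner": OWNER,
     "spender": "0xANOTHER_UNKNOWN", "value": 0},  # already revoked
]
TRUSTED_SPENDERS = {"0xKNOWN_DEX_ROUTER"}  # assumed allowlist for this wallet


def current_allowances(events, owner):
    """Fold Approval events into the live allowance per (token, spender).

    approve()/permit() set the allowance to the new value, so only the latest
    event per pair matters; a zero-value event is a revocation and drops the pair.
    """
    latest = {}
    for ev in sorted(events, key=lambda e: e["block"]):
        if ev["owner"] != owner:
            continue
        key = (ev["token"], ev["spender"])
        if ev["value"] == 0:
            latest.pop(key, None)
        else:
            latest[key] = ev["value"]
    return latest


def review_allowances(events, owner, trusted_spenders, large_threshold=10**18):
    """Return (token, spender, reason) for allowances the owner should re-check or revoke."""
    findings = []
    for (token, spender), value in current_allowances(events, owner).items():
        if spender in trusted_spenders:
            continue
        if value == MAX_UINT256:
            reason = "unlimited allowance to untrusted spender"
        elif value > large_threshold:
            reason = "large allowance to untrusted spender"
        else:
            reason = "allowance to untrusted spender"
        findings.append((token, spender, reason))
    return findings


if __name__ == "__main__":
    for finding in review_allowances(EVENTS, OWNER, TRUSTED_SPENDERS):
        print(*finding)
```

    Anything the review flags is cleared by sending a fresh `approve` with a value of 0 for that token and spender, which is exactly the revocation the fourth constructed event represents.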

    The Implications for Cybersecurity

    The emergence of the ‘Scam-as-a-Service’ model signifies a significant shift in the cybercrime landscape. It highlights not only the increasing sophistication of cybercriminals but also their ability to organize and operate in a manner akin to legitimate businesses. This presents new challenges for cybersecurity, necessitating innovative and proactive approaches to detection, prevention, and enforcement. As this model continues to evolve and adapt, it becomes increasingly important for individuals and organizations to remain vigilant, employing advanced security measures and staying informed about the latest trends in cybercrime.


  • Netizen: December 2023 Vulnerability Review

    Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five vulnerabilities from December that should be immediately patched or addressed if present in your environment. Detailed writeups below:

    CVE-2023-36019:

    This vulnerability affects the Microsoft Power Platform Connector and is considered critical due to its spoofing nature, with a CVSS score of 9.6/10. It requires user interaction, as exploitation depends on the victim clicking a specially crafted URL. The vulnerability lies in the web server, but the malicious scripts are executed in the victim’s browser. Microsoft has addressed this issue by updating OAuth 2.0 connectors to use a per-connector redirect URI, thereby reducing the risk of spoofing attacks. Users are strongly advised to update their systems with these security improvements to mitigate this threat. The technical specifics of the attack vector and complexity, beyond the requirement for user interaction, are not extensively detailed in the available public resources. For more information, see the NIST documentation.

    CVE-2023-7024:

    CVE-2023-7024 is a high-severity vulnerability identified in Google Chrome’s WebRTC framework, characterized as a heap-based buffer overflow bug. Although the exact CVSS score is not specified, its critical nature is underscored by the fact that it has been exploited in the wild. The flaw was discovered by Google’s Threat Analysis Group and could lead to arbitrary code execution or crashes in the Chrome browser. Due to the severity of this issue, Google has promptly rolled out security updates. Given WebRTC’s open-source nature and its support by other browsers like Mozilla Firefox and Apple Safari, the broader impact of this flaw beyond Chrome and Chromium-based browsers remains a concern. Users are advised to update to the latest versions of Chrome (version 120.0.6099.129/130 for Windows and 120.0.6099.129 for macOS and Linux) to protect against potential exploits. The specific attack complexity and user interaction requirements are not fully detailed, but the urgency of the update suggests a significant risk. For more information, check out the NVD’s vulnerability documentation.

    CVE-2023-50164:

    Apache Struts, a popular open-source framework for building Java web applications, has a critical vulnerability identified as CVE-2023-50164, with a high CVSS score of 9.8/10. This vulnerability affects versions 2.5.0 to 2.5.32 and 6.0.0 to 6.3.0 of Apache Struts. It allows attackers to manipulate file upload parameters to achieve path traversal, leading to potential remote code execution. Given its widespread use in commercial and open-source projects, this vulnerability poses a significant risk. Apache has responded by releasing patches for affected versions, and users are strongly recommended to update their Apache Struts installations to the secure versions. Detailed information about the attack complexity and user interaction requirements is not provided, but the high CVSS score suggests a severe impact. Check out the NIST documentation for more information.

    CVE-2023-51385:

    CVE-2023-51385 is a critical vulnerability, with a CVSS score of 9.8/10, affecting the SSH ProxyCommand feature, which is used for proxying SSH connections. This flaw enables attackers to perform shell injection on hosts using SSH ProxyCommand. The vulnerability arises from the handling of invalid usernames or hostnames containing shell metacharacters when passed to SSH. Attackers could exploit this in scenarios like untrusted Git repositories containing submodules with shell metacharacters in a username or hostname. Patches have been issued by various vendors, including LibSSH, OpenSSH, and Debian. Users of affected SSH implementations are advised to update their systems with these patches. The exact attack complexity and user interaction requirements are not explicitly detailed in the available advisories. For more information on this vulnerability, check out the NIST documentation.
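    The scenario named above, a submodule remote whose user or host part carries shell metacharacters, is one that any tooling which feeds remotes from an untrusted `.gitmodules` into ssh can pre-screen. The Python below is an added example, not code from OpenSSH or from the advisories: it extracts the user and host from scp-like (`user@host:path`) and `ssh://` remotes and accepts only names made of letters, digits, `.`, `_` and `-` (or a bracketed IPv6 literal), refusing a leading `-` as well. The sample remotes are constructed; the exact character set is an assumption chosen to be conservative, and patching is still the fix.

```python
import re

# Names accepted in a user or host position: no shell metacharacters and no
# leading "-", which ssh could otherwise read as an option.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
SAFE_IPV6 = re.compile(r"^\[[0-9A-Fa-f:.]+\]$")

# scp-like form "user@host:path" (no scheme) and the explicit ssh:// form.
SCP_LIKE = re.compile(r"^(?:(?P<user>[^@/]+)@)?(?P<host>[^:/]+):(?P<path>.*)$")
SSH_URL = re.compile(
    r"^ssh://(?:(?P<user>[^@/]+)@)?(?P<host>\[[^\]/]*\]|[^:/]+)(?::\d+)?(?P<path>/.*)?$"
)


def is_safe_name(value: str) -> bool:
    return bool(SAFE_NAME.match(value) or SAFE_IPV6.match(value))


def split_ssh_target(url: str):
    """Return (user, host) for an ssh-style remote, or None for any other remote."""
    if "://" in url:
        m = SSH_URL.match(url)  # https://, file:// etc. fall through to None
    else:
        m = SCP_LIKE.match(url)  # local paths have no "host:" prefix and return None
    return (m.group("user"), m.group("host")) if m else None


def check_git_remote(url: str) -> tuple:
    """(ok, reason) for a remote taken from an untrusted source such as .gitmodules."""
    target = split_ssh_target(url)
    if target is None:
        return True, "not an ssh remote"
    user, host = target
    if user is not None and not is_safe_name(user):
        return False, "unsafe user name: %r" % user
    if not is_safe_name(host):
        return False, "unsafe host name: %r" % host
    return True, "ok"


# Constructed .gitmodules-style remotes for demonstration.
SAMPLES = [
    "git@github.com:example-org/repo.git",
    "ssh://deploy@[2001:db8::1]:22/srv/repo",
    "ssh://git@host;x/repo",
    "-badhost:repo",
    "https://example.com/repo.git",
    "./local/path",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_git_remote(url))
```

    A wrapper that runs `git submodule update` from untrusted input can call `check_git_remote` on every `url =` line first and refuse the checkout on the first `False`.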

    CVE-2023-49070:

    Apache OFBiz, a widely used open-source enterprise resource planning system, faced a critical authentication bypass vulnerability identified as CVE-2023-49070. This vulnerability allows unauthorized users to bypass authentication mechanisms under certain conditions, posing a significant security risk. The vulnerability was discovered in OFBiz’s XML-RPC service, where specific request parameters could be manipulated to bypass authentication checks. This flaw was particularly concerning due to its potential impact on the confidentiality and integrity of data managed by OFBiz applications. The vulnerability was addressed swiftly by the Apache OFBiz team with a patch that resolved the issue. The patch involved code changes that corrected the flawed authentication logic, ensuring that the system no longer allowed unauthorized access under the conditions exploited by the vulnerability. This vulnerability has been documented as severe, with the National Institute of Standards and Technology (NIST) assigning a high CVSS 3.x base score of 9.8, indicating its critical nature. Users and administrators of Apache OFBiz systems are strongly advised to apply the patch as soon as possible to protect against potential exploits. More information can be found in the NVD vulnerability summary here.

    Conclusion:

    In conclusion, software vulnerabilities are a common nuisance to IT and security teams everywhere. Organizations that prioritize the remediation and patching of these vulnerabilities will drastically reduce their attack surface and ensure no doors into their environment are left unlocked.


  • Overview:

    • Phish Tale of the Week
    • The Cyberattack on Ukraine’s Largest Mobile Network: Kyivstar
    • Teen Members of LAPSUS$ Gang Sentenced in UK for Hacking Spree
    • How can Netizen help?

    Phish Tale of the Week

    Oftentimes phishing campaigns created by malicious actors target users by utilizing social engineering. For example, in this text message the actors pose as LinkedIn, the social media platform, and inform you that action needs to be taken regarding your account. The message politely explains that someone else may have accessed our LinkedIn account, and that they’re notifying us so that we can take action. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there are plenty of reasons that point to this being a scam.

    Here’s how we can tell not to click on this phishing link:

    1. The first red flag in this message is the sender’s address. Always thoroughly inspect the sender’s address to ensure it’s from a trusted sender. In this case, the actors neglected to spoof their email address, and a simple look at the sender’s address makes it very apparent that the email is not from LinkedIn. In the future, review the sender’s address thoroughly to see if the email could be coming from a threat actor.
    2. The second warning sign in this email is the messaging. This message tries to create a sense of urgency by using phrases like “require you to verify” and “To prevent us from blocking.” Phishing scams commonly attempt to create a sense of urgency in their emails in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the messaging of all emails in your inbox before clicking on a link in your email.
    3. The final warning sign for this email is the lack of legitimate LinkedIn information. Fortune 500 companies and similar organizations standardize all email communications with customers. Support links, addresses, acceptable use policies, and other information is always provided at the bottom of each email, along with options to unsubscribe or change messaging preferences. While this specific email includes a small footer at the bottom, a quick investigation proves that it’s just for show. This email lacks all of the parts of a credible LinkedIn email and can be immediately detected as a phishing attempt.


    General Recommendations:

    A phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages.

    1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match one you already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    2. Verify that the sender is actually from the company sending the message.
    3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security numbers, etc.? A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many phishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    The Cyberattack on Ukraine’s Largest Mobile Network: Kyivstar

    The December cyberattack on Kyivstar, Ukraine’s largest mobile network, serving over 24 million people, marked a pivotal moment in the digital aspect of the ongoing Russia-Ukraine conflict. This event is more than a disruption of a commercial entity; it signifies the vulnerability of crucial digital infrastructures in areas of geopolitical tension. Kyivstar’s network, a crucial communication lifeline for millions, faced a complete shutdown that impacted both voice and data services nationwide, demonstrating the extensive reach and impact of modern cyber warfare.

    This attack wasn’t an isolated event but rather part of a larger strategy of digital warfare tactics used in the conflict. The comprehensive nature of the shutdown underscores the critical role and reliance on mobile communication in contemporary society. The attribution of this cyberattack to Russian groups Killnet and Solntsepek, particularly with ties to the GRU’s Sandworm group, suggests a sophisticated, state-level approach to cyber warfare. These groups are known for their disruptive cyber activities, and their involvement in this incident points to a calculated effort to weaken Ukraine’s communication capabilities. The connection with the Sandworm group, known for its role in significant cyberattacks, raises serious concerns.

    The consequences of the Kyivstar cyberattack are wide-ranging. For the Ukrainian military, which heavily depends on mobile networks for coordinating operations and intelligence, the disruption posed a severe threat to their defense capabilities. For civilians, the loss of mobile communication networks meant challenges in emergency response, information sharing, and maintaining general connectivity, adding to the hardships already faced during the conflict.

    In response to this cyberattack, Kyivstar, under CEO Oleksandr Komarov, likely took swift action to restore its services and strengthen its cyber defenses. This incident has undoubtedly triggered both national and international conversations on the necessity of securing critical digital infrastructure, especially in regions facing conflict.

    The Kyivstar cyberattack is emblematic of a significant shift in modern warfare, where digital attacks complement traditional military strategies. It underscores the imperative for nations and companies to invest in robust cybersecurity measures. As digital infrastructure becomes increasingly central to civilian life and military operations, ensuring its security is crucial for national security. This incident serves as a reminder of the evolving nature of conflict in the digital era and the need for heightened vigilance and preparedness in cybersecurity.


    Teen Members of LAPSUS$ Gang Sentenced in UK for Hacking Spree

    On December 24, 2023, two British teenagers associated with the LAPSUS$ cybercrime and extortion gang were sentenced for their involvement in a series of high-profile attacks against various companies. The first teen, Arion Kurtaj, an 18-year-old from Oxford, received an indefinite hospital order. Kurtaj was still fixated on hacking and likely to reoffend, as noted by the judge during his sentencing.

    The second member, a 17-year-old whose identity remains undisclosed due to legal protections for minors, was handed an 18-month Youth Rehabilitation Order. This includes a three-month intensive supervision and surveillance requirement. He was found guilty on multiple counts, including two counts of fraud, two under the Computer Misuse Act, and one of blackmail.

    These individuals were initially arrested in January 2022 and subsequently re-arrested in March 2022. Notably, Kurtaj continued to engage in hacking activities even after being granted bail, leading to another arrest in September.

    Their criminal activities spanned from August 2020 to September 2022, targeting notable organizations such as BT, EE, Globant, LG, Microsoft, NVIDIA, Okta, Revolut, Rockstar Games, Samsung, Ubisoft, Uber, and Vodafone. LAPSUS$, the group they were part of, includes members from the UK and Brazil, with a third member arrested in Brazil in October 2022.

    The LAPSUS$ group is known for its use of SIM-swapping attacks and exploiting vulnerabilities in victim networks. They also publicized their operations and extorted their victims through a Telegram channel. The Cyber Safety Review Board of the U.S. Department of Homeland Security highlighted the group’s tactics in a report, noting the ease with which they breached corporate security systems, raising concerns about the effectiveness of existing cybersecurity measures against such threats.

    These cases underline the growing concern over cybercrime committed by young individuals and the challenges in dealing with juvenile offenders in this sphere. The City of London Police emphasized the dangers of the online environment for young people and the serious consequences that can result from such criminal activities.



    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • SpyLoan: The Network of 18 Malicious Loan Apps Harvesting Your Data

    In a significant cybersecurity development, ESET, a leading Slovak cybersecurity firm, has unearthed a deceptive network of 18 malicious loan apps, collectively known as “SpyLoan.” These apps, designed to exploit users seeking financial services, have been downloaded over 12 million times. Primarily targeting regions in Southeast Asia, Africa, and Latin America, SpyLoan apps masquerade as legitimate loan services but engage in data theft, extortion, and blackmail.

    Background and Synopsis

    SpyLoan was first identified in 2020 and has seen a resurgence in 2023. ESET’s research revealed that these apps bypassed Google Play’s security measures by adhering to standard privacy policies and KYC norms while masking their true intent.

    To entice potential victims, SpyLoan apps offer seemingly attractive loan services with high interest rates. They exploit their users by:

    • Harvesting personal and financial information.
    • Utilizing the information for blackmail and extortion.
    • Employing harassment tactics for loan repayment.
    • Threatening to release personal photos and videos on social media.

    These apps gained traction through various channels, including scam websites, third-party app stores, and even direct downloads from Google Play.

    Exploitation of Android Permission System

    A key aspect of SpyLoan apps is their abuse of Android’s permission system. These apps request extensive permissions that are unnecessary for their stated purpose of providing financial services. The permissions include access to:

    • Contacts and Call Logs: Used to gather personal information about the user and their network, which is then exploited for blackmail and harassment.
    • SMS Messages: Enables the apps to intercept incoming messages, which can include sensitive information like one-time passwords (OTPs) or other financial data.
    • Media Files and Camera: Access to media files and camera is ostensibly for uploading documents for KYC (Know Your Customer) compliance, but is actually used to gather compromising information.

    Misleading Privacy Policies and Websites

    The SpyLoan apps are crafted to appear legitimate, with privacy policies and user agreements that mimic those of genuine financial services. However, these policies are intentionally deceptive. As ESET notes, “While these SpyLoan apps technically comply with the requirements of having a privacy policy, their practices clearly go beyond the scope of data collection necessary for providing financial services” (ESET).

    These apps often link to websites that are near-replicas of legitimate sites, complete with stolen office environment photos and stock images. This is a tactic designed to create a veneer of authenticity and legitimacy.

    Data Harvesting and Blackmail Tactics

    Once installed, these apps harvest a wide range of personal data from the device. This includes:

    • List of Accounts: Gaining access to account information can lead to identity theft and unauthorized access to other services.
    • Device Info and Installed Apps: This information can be used for targeted phishing attacks or to understand the user’s digital behavior better.
    • Calendar Events and Local Wi-Fi Network Details: Such details provide further personal information that could be used for social engineering attacks.
    • Metadata from Images: This could include location data or other sensitive information embedded in photographs.

    The collected data is then used for blackmail and harassment, pressuring victims into making payments under threats of public exposure or ridicule. Some of the SpyLoan apps employ advanced techniques like overlay attacks, where a fraudulent interface is placed over legitimate apps to steal credentials. Furthermore, methods like JsonPacker are used for code obfuscation, making it challenging to detect and analyze the malicious code.

    Mitigation Recommendations

    To mitigate the risks posed by such threats, users are advised to:

    • Scrutinize App Permissions: Be wary of apps that request excessive permissions, especially those unrelated to the app’s functionality.
    • Verify App Authenticity: Check the developer’s background and the app’s reviews before downloading.
    • Avoid Third-party App Stores: Stick to official app stores like Google Play, as they have more stringent security checks.
    • Stay Informed: Be aware of the latest cybersecurity threats and tactics used by cybercriminals.
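    The permission categories listed above are exactly what a defender can check for before an app is installed or allowed into a managed fleet. The audit below is an added example, not code from ESET, the article or any listed app: the two manifests are constructed, and the loan-app permission allowlist is an assumption chosen to mirror the abuse categories described above.

```python
"""
Audit an Android manifest for permissions that exceed what a loan app
needs, the pattern ESET describes for SpyLoan. Added example; manifests
and the allowlist policy are constructed assumptions, not ESET's data.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: a lending app needs network access and a camera for KYC
# document capture. Anything beyond that must be justified.
LOAN_APP_ALLOWLIST = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",
}

# Permissions mapped to the data-harvesting category they enable
# (the categories come from the SpyLoan description above).
HARVEST_CATEGORIES: Dict[str, str] = {
    "android.permission.READ_CONTACTS": "contacts/call logs",
    "android.permission.READ_CALL_LOG": "contacts/call logs",
    "android.permission.READ_SMS": "sms interception",
    "android.permission.RECEIVE_SMS": "sms interception",
    "android.permission.READ_EXTERNAL_STORAGE": "media files",
    "android.permission.READ_MEDIA_IMAGES": "media files",
    "android.permission.GET_ACCOUNTS": "account list",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_WIFI_STATE": "wifi network details",
}

# Constructed manifests with placeholder package names.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fairloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Fair Loan"/>
</manifest>"""

SPYLOAN_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.spyloan.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Quick Cash Now"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> List[str]:
    """Collect android:name from <uses-permission> and <uses-permission-sdk-23>."""
    root = ET.fromstring(manifest_xml)
    names: List[str] = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.append(name)
    return names


def audit_manifest(manifest_xml: str, allowlist=LOAN_APP_ALLOWLIST) -> dict:
    """Flag every permission outside the allowlist, grouped by harvest category."""
    flagged: List[Tuple[str, str]] = []
    for perm in declared_permissions(manifest_xml):
        if perm in allowlist:
            continue
        flagged.append((perm, HARVEST_CATEGORIES.get(perm, "unexpected for a loan app")))
    categories = sorted({cat for _, cat in flagged if cat in HARVEST_CATEGORIES.values()})
    if len(categories) >= 2:
        verdict = "high-risk"   # multiple harvesting channels, SpyLoan-like
    elif flagged:
        verdict = "review"
    else:
        verdict = "ok"
    return {"flagged": flagged, "harvest_categories": categories, "verdict": verdict}


if __name__ == "__main__":
    for name, manifest in (("benign", BENIGN_MANIFEST), ("spyloan-like", SPYLOAN_LIKE_MANIFEST)):
        report = audit_manifest(manifest)
        print(name, report["verdict"], report["harvest_categories"])
```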

    List of Malicious Apps

    The following are the identified SpyLoan apps, which have now been removed from the Google Play Store:

    1. AA Kredit: इंस्टेंट लोन ऐप (com.aa.kredit.android)
    2. Amor Cash: Préstamos Sin Buró (com.amorcash.credito.prestamo)
    3. Oro Préstamo – Efectivo rápido (com.app.lo.go)
    4. Cashwow (com.cashwow.cow.eg)
    5. CrediBus Préstamos de crédito (com.dinero.profin.prestamo.credito.credit.credibus.loan.efectivo.cash)
    6. ยืมด้วยความมั่นใจ – ยืมด่วน (com.flashloan.wsft)
    7. PréstamosCrédito – GuayabaCash (com.guayaba.cash.okredito.mx.tala)
    8. Préstamos De Crédito-YumiCash (com.loan.cash.credit.tala.prestmo.fast.branch.mextamo)
    9. Go Crédito – de confianza (com.mlo.xango)
    10. Instantáneo Préstamo (com.mmp.optima)
    11. Cartera grande (com.mxolp.postloan)
    12. Rápido Crédito (com.okey.prestamo)
    13. Finupp Lending (com.shuiyiwenhua.gl)
    14. 4S Cash (com.swefjjghs.weejteop)
    15. TrueNaira – Online Loan (com.truenaira.cashloan.moneycredit)
    16. EasyCash (king.credit.ng)
    17. สินเชื่อปลอดภัย – สะดวก (com.sc.safe.credit)

    Conclusion

    SpyLoan represents a sophisticated and malicious exploitation of users’ trust in online financial services. Its discovery underscores the importance of vigilance and cybersecurity awareness when engaging with online loan providers. This report serves as a crucial reminder of the risks associated with online financial transactions and the importance of cybersecurity vigilance.


  • The Massive 23andMe Data Breach: Implications and Responses

    In October, the genetic testing company 23andMe faced a significant data breach, initially believed to affect about 14,000 of its users. However, further assessments revealed that nearly half of its 14 million users, approximately 6.9 million individuals, were impacted. The specific individuals or groups responsible for the breach have not been publicly identified. The breach was carried out using a technique known as credential stuffing, in which attackers replay usernames and passwords previously stolen or leaked elsewhere to gain unauthorized access to accounts. This method suggests that the attackers may have used databases of credentials compromised in other breaches to target 23andMe accounts.
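    Credential stuffing leaves a characteristic trace in authentication logs: one source trying many distinct accounts in a short window, mostly failing but occasionally succeeding, which is different from a single user mistyping their own password. The detector below is an added example, not code from 23andMe or the article; the log format, addresses and thresholds are constructed assumptions.

```python
"""
Detect credential-stuffing activity in authentication logs.
Added example; the log format, IPs, usernames and thresholds are
constructed assumptions, not 23andMe's data or tooling.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log: "<ISO timestamp> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>"
# 198.51.100.7 cycles through twelve leaked username/password pairs (two
# of which still work); 203.0.113.5 is one user mistyping their password.
SAMPLE_LOG = "\n".join(
    [
        f"2023-10-01T12:00:{i:02d} 198.51.100.7 user{i:02d} "
        + ("LOGIN_OK" if i in (4, 9) else "LOGIN_FAIL")
        for i in range(12)
    ]
    + [
        "2023-10-01T12:01:00 203.0.113.5 alice LOGIN_FAIL",
        "2023-10-01T12:01:05 203.0.113.5 alice LOGIN_FAIL",
        "2023-10-01T12:01:20 203.0.113.5 alice LOGIN_OK",
    ]
)


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "LOGIN_OK"})
    return events


def detect_credential_stuffing(events: List[dict],
                               window: timedelta = timedelta(minutes=5),
                               min_accounts: int = 10,
                               max_success_ratio: float = 0.5) -> Dict[str, dict]:
    """Per source IP, find a sliding window in which at least `min_accounts`
    DISTINCT usernames were tried with a low success ratio. A brute force
    against one account never trips this (one distinct user), and a busy
    NAT of legitimate users has a high success ratio, so it is skipped too."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) < min_accounts:
                continue
            successes = [e["user"] for e in span if e["ok"]]
            if len(successes) / len(span) > max_success_ratio:
                continue
            prev = findings.get(ip)
            if prev is None or len(users) > prev["distinct_accounts"]:
                findings[ip] = {
                    "distinct_accounts": len(users),
                    "attempts": len(span),
                    "compromised_accounts": sorted(set(successes)),
                    "window_start": span[0]["ts"],
                    "window_end": span[-1]["ts"],
                }
    return findings


def accounts_to_reset(findings: Dict[str, dict]) -> List[str]:
    """Accounts a stuffing source actually got into: the first response is
    to invalidate their sessions and force a password reset."""
    out = set()
    for f in findings.values():
        out.update(f["compromised_accounts"])
    return sorted(out)


if __name__ == "__main__":
    found = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, f in found.items():
        print(ip, f["distinct_accounts"], "accounts,", f["attempts"], "attempts")
    print("force reset:", accounts_to_reset(found))
```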

    The Breach and Its Scope

    The 23andMe data breach, which compromised a substantial amount of Personally Identifiable Information (PII), highlights the already significant privacy concerns within the realm of genealogy testing companies. The breach allowed unauthorized access to sensitive features like “DNA Relatives” and “Family Tree,” leading to the scraping of critical data such as ancestry information, health data based on genetics, names, birth years, and familial relationships. Particularly concerning was the exposure of data related to users of Ashkenazi Jewish and Chinese descent, underscoring the potential risks of genetic discrimination. As reported by HealthITSecurity, this targeted nature of the breach “put minority groups at risk”. TechCrunch provided insight into the extent of the breach, noting that “The stolen data included the person’s name, birth year, relationship labels, the percentage of DNA shared with relatives, ancestry reports, and self-reported location”. This breach not only jeopardized individual privacy but also raised alarms about the broader implications of genetic data misuse.

    Company Response

    In response, 23andMe took steps to mitigate the breach’s impact, with a spokesperson stating, “We are working to remove this information from the public domain”, highlighting the company’s efforts to address the aftermath of the breach. The company updated its user agreement to include new terms that make it more challenging for customers to initiate class action lawsuits. These provisions include a longer initial dispute period and stronger language to prevent collective legal actions. Furthermore, 23andMe has required all users to reset their passwords and implemented mandatory two-step verification for all logins. Additionally, the company has been actively working to remove the leaked information from public domains.

    The Broader Impact

    The 23andMe incident highlights the broader implications of data breaches in the healthcare and genetic testing sectors. As companies collect more sensitive personal and genetic information, the potential consequences of data breaches become increasingly severe, especially when companies like 23andMe and Ancestry are not HIPAA compliant. It is imperative that companies like 23andMe and their users remain vigilant against such cyber threats to protect the privacy and integrity of personal genetic data. In addition, prospective customers of companies like 23andMe should be aware that while these companies hold a significant amount of your PHI (Protected Health Information), they are not HIPAA compliant.


  • Nightshade: Training Data Poisoning Attacks in Machine Learning Security

    AI training data poisoning is a cybersecurity threat that targets the integrity of machine learning models by deliberately inserting misleading or harmful data into the training set. This tactic can compromise the model’s accuracy, leading to incorrect or manipulated outputs. Nightshade, a tool developed by Ben Zhao’s team at the University of Chicago, is a prime example of how training data poisoning attacks threaten the reliability of trusted LLMs (Large Language Models). Nightshade allows artists to subtly alter the pixels in their images so that they act as “poisoned” data for AI models. When such data is used in training, it can cause the model to misinterpret concepts and generate incorrect outputs, such as confusing dogs with cats or cars with cows, as shown in the figure below.

    A table showing a grid of thumbnails of generated images of Hemlock attack-poisoned concepts from SD-XL models contrasted with images from the clean SD-XL model in increments of 50, 100, and 300 poisoned samples.

    In the graphic above, the Nightshade team’s experimentation with one of Stable Diffusion’s latest models (SD-XL) is showcased. Initially, the researchers introduced 50 poisoned images of dogs into the model. The resulting images generated by Stable Diffusion were notably distorted, featuring creatures with an excess of limbs and cartoonish facial features. Further intensifying their approach, with 300 poisoned samples, they were able to manipulate the model to such an extent that it started generating images where dogs appeared more like cats. This dramatic transformation highlights the significant impact that even a relatively small number of poisoned inputs can have on AI model outputs.

    Nightshade’s Implications on GPT Models

    The potential harm of data poisoning extends beyond image generation. Large language models like GPT-3 and GPT-4 are also susceptible. These models rely on vast datasets from diverse sources such as Common Crawl, WebText, and OpenWebText, and even books, making them vulnerable to targeted poisoning attacks. The OWASP List for LLMs highlights this vulnerability, emphasizing the risks of over-reliance on AI content, where the introduction of false or malicious documents into the training data can reflect in the model’s outputs.

    Preventing Data Poisoning

    Preventing and detecting data poisoning is critical. Security measures like input validity checking, rate limiting, regression testing, and manual moderation are essential, and must be implemented in modern LLMs in order to lessen the risk of being hit with a training data poisoning attack. Utilizing statistical techniques to detect anomalies and setting up restrictions on user inputs can also help mitigate risks. Moreover, organizations should consider running red team exercises against their models in order to identify potential vulnerabilities and craft defenses against such attacks.
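    One statistical anomaly check of the kind recommended above: a Nightshade-style poisoned sample carries a label (“dog”) whose features look like another concept (“cat”), so a robust per-class centroid exposes it. This is an added example and not the Nightshade team’s code; the 2-D feature vectors are constructed stand-ins for image embeddings, and the poisoned samples are marked in the constructed data only so the detector can be checked.

```python
"""
Flag training samples whose features disagree with their label.
Added example; the dataset is constructed (2-D stand-ins for image
embeddings) and the detector is a generic robust-centroid check, not
the Nightshade team's code or any production defense.
"""
import random
from typing import Dict, List, Set, Tuple

Sample = Tuple[str, List[float]]  # (label, feature vector)


def build_dataset(seed: int = 7) -> Tuple[List[Sample], Set[int]]:
    """Two clean clusters plus three poisoned samples that say 'dog' but
    sit in the 'cat' region, mimicking Nightshade's effect on features."""
    rng = random.Random(seed)
    data: List[Sample] = []

    def draw(label: str, centre: Tuple[float, float], n: int) -> None:
        for _ in range(n):
            data.append((label, [rng.gauss(c, 0.5) for c in centre]))

    draw("dog", (0.0, 0.0), 20)
    draw("cat", (5.0, 5.0), 20)
    poisoned_start = len(data)
    draw("dog", (5.0, 5.0), 3)  # constructed poison: label dog, features cat
    return data, set(range(poisoned_start, len(data)))


def _median(values: List[float]) -> float:
    s = sorted(values)
    mid = len(s) // 2
    return s[mid] if len(s) % 2 else (s[mid - 1] + s[mid]) / 2.0


def robust_centroids(data: List[Sample]) -> Dict[str, List[float]]:
    """Per-label, per-dimension median. A mean would be dragged toward the
    poisoned points; the median ignores them while they stay a minority
    of that label (the check breaks down past ~50% poisoning per class)."""
    by_label: Dict[str, List[List[float]]] = {}
    for label, feats in data:
        by_label.setdefault(label, []).append(feats)
    return {
        label: [_median([f[d] for f in feats]) for d in range(len(feats[0]))]
        for label, feats in by_label.items()
    }


def _dist2(a: List[float], b: List[float]) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def detect_label_inconsistent(data: List[Sample], margin: float = 1.0) -> Set[int]:
    """Flag samples closer to another label's centroid than to their own.
    `margin` > 1.0 makes the rule stricter (fewer flags, fewer false positives)."""
    centroids = robust_centroids(data)
    if len(centroids) < 2:
        return set()
    flagged: Set[int] = set()
    for i, (label, feats) in enumerate(data):
        own = _dist2(feats, centroids[label])
        other = min(_dist2(feats, c) for lab, c in centroids.items() if lab != label)
        if own > margin * other:
            flagged.add(i)
    return flagged


if __name__ == "__main__":
    samples, truth = build_dataset()
    found = detect_label_inconsistent(samples)
    print("flagged:", sorted(found), "actual poison:", sorted(truth))
```

    Flagged samples are quarantined for manual moderation rather than silently dropped, since a clean but unusual sample also lands here.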

    A Difficult Problem to Solve

    The stakes are high, as these attacks can have far-reaching implications, and poisoning attacks are not as detectable as a conventional cyberattack. Attackers using poisoning may also pursue goals other than direct system compromise: poisoned data can lead a model to generate biased opinions, spread misinformation, or even incite hate crimes. Poisoned training data is hard to identify and remove because of the sheer volume of information used in training, necessitating expensive and time-consuming fixes such as retraining the model on clean data.

    Conclusion

    In summary, AI training data poisoning represents a significant threat to the integrity and reliability of AI models. Tools like Nightshade highlight the need for increased awareness and robust security measures to protect against these sophisticated attacks. As the reliance on AI grows, so does the importance of safeguarding against data poisoning to ensure the reliability and trustworthiness of AI systems.


  • Critical WebKit Vulnerabilities Patched in Latest Apple Updates

    Two significant vulnerabilities have been identified in the WebKit web browser engine, impacting a range of Apple devices and operating systems. These vulnerabilities are critical and require immediate attention.

    1. CVE-2023-42916: This is an out-of-bounds read issue in WebKit. It presents a risk of leaking sensitive information when processing web content. Such a vulnerability can be exploited to access data that should normally be off-limits, potentially exposing personal or confidential information.
    2. CVE-2023-42917: This vulnerability is a memory corruption bug within WebKit. It is particularly concerning because it could lead to arbitrary code execution. When exploited, it allows attackers to run their own code on the affected device, leading to a range of possible attacks, including system takeover, data manipulation, or further spreading of malware.

    Apple has acknowledged these vulnerabilities and released updates for a range of devices. Users are urged to update their devices to the latest versions as soon as possible to mitigate these risks.

    • iOS 17.1.2 and iPadOS 17.1.2: This update applies to iPhone XS and later models, iPad Pro (12.9-inch, 2nd generation and later), iPad Pro (10.5-inch), iPad Pro (11-inch, 1st generation and later), iPad Air (3rd generation and later), iPad (6th generation and later), and iPad mini (5th generation and later).
    • macOS Sonoma 14.1.2: Users running macOS Sonoma on their Macs should update to this version. It contains fixes specifically targeted at these WebKit vulnerabilities.
    • Safari 17.1.2: For Mac users running macOS Monterey and macOS Ventura, updating Safari to version 17.1.2 is crucial for securing their browsing experience.

    Additional Vulnerabilities

    In 2023, Apple has been actively addressing a significant number of zero-day vulnerabilities, with CVE-2023-42916 and CVE-2023-42917 marking the 19th and 20th such issues fixed by the company.

    Google’s Threat Analysis Group (TAG) revealed CVE-2023-42824, a critical zero-day bug in the XNU kernel affecting iPhones and iPads, which could allow attackers to escalate privileges.

    Three additional zero-day vulnerabilities – CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993 – were patched following reports from Citizen Lab and Google TAG. These bugs were exploited by threat actors to deploy the Predator spyware.

    Citizen Lab also disclosed two zero-day vulnerabilities, CVE-2023-41061 and CVE-2023-41064, which Apple addressed in September. These vulnerabilities were part of a zero-click exploit chain, named BLASTPASS, used to install the notorious Pegasus spyware developed by NSO Group. For more information on BLASTPASS, check out Netizen’s report on the set of vulnerabilities.

    Additionally, eleven other zero-days have been patched by Apple in 2023, including:

    • Two in July: CVE-2023-37450 and CVE-2023-38606.
    • Three in June: CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439.
    • Three more in May: CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373.
    • Two in April: CVE-2023-28206 and CVE-2023-28205.
    • An additional WebKit zero-day, CVE-2023-23529, patched in February.


  • U.S. Sanctions Target Kimsuky: A Strategic Move in Cybersecurity Against the DPRK

    On Thursday, the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury announced sanctions against the North Korean-affiliated group Kimsuky (also known as APT43), along with eight international agents accused of helping the regime evade sanctions. These sanctions against the North Korean cyberespionage group mark a significant step in global efforts to curb the Democratic People’s Republic of Korea’s (DPRK) cyber activities. They were partly a response to North Korea’s launch of a military reconnaissance satellite in November 2023, but they also aim to impede the DPRK’s revenue generation, much of which comes from cryptocurrency theft, and its procurement of missile technology, both of which support its weapons of mass destruction (WMD) programs.

    Kimsuky’s Origins and Operations within the RGB

    Kimsuky has been active since at least 2012, operating as an element within North Korea’s primary foreign intelligence service, the Reconnaissance General Bureau (RGB). The group is known for employing sophisticated social engineering tactics, particularly against South Korean and U.S.-based government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues.

    Intensified Social Engineering Tactics in 2023

    In 2023, U.S. and South Korean intelligence agencies warned of Kimsuky’s increased use of social engineering to gather intelligence on geopolitical events, foreign policy strategies, and security developments affecting North Korea. Their methods include mimicking key figures and using credible spear-phishing campaigns to target individuals in think tanks, academia, and the news media sectors.

    Kimsuky’s Powerful OSINT Tactics

    Kimsuky’s tactics involve leveraging open-source information to identify and impersonate real individuals, crafting convincing email messages to gain trust and rapport with their targets. They use password-protected malicious documents, often attached directly or hosted on platforms like Google Drive or Microsoft OneDrive, to gain backdoor access to victims’ devices. This access enables them to stealthily auto-forward all emails from a victim’s inbox to an actor-controlled account. The group also uses fake versions of websites and applications to harvest victims’ login credentials. Notably, Kimsuky has made use of custom tools like ReconShark (an upgraded version of BabyShark) and RandomQuery for reconnaissance and information exfiltration.

    International Collaboration and Future Challenges

    The United States, in collaboration with allies like Australia, Japan, and South Korea, is employing a multi-faceted approach that combines sanctions, public awareness, and cybersecurity measures. However, the evolving nature of Kimsuky’s operations, characterized by resilience and adaptability, continues to pose a significant challenge. This necessitates ongoing vigilance and a comprehensive, collaborative approach to cybersecurity on a global scale.

    Conclusion

    The collective efforts of the United States and its allies, including targeted sanctions and increased global awareness, are crucial steps in combating the persistent and evolving cyber threat posed by North Korea. However, despite these efforts, the DPRK’s cyber capabilities remain a formidable challenge, underscoring the need for ongoing vigilance and a comprehensive approach to cybersecurity.
