Android Banking Trojan Relies on Screen Recording and Keylogging Instead of HTML

According to security experts at ThreatFabric, a newly found Android banking Trojan captures login credentials via screen recording and keylogging rather than HTML overlays.

The malware, dubbed Vultur and originally discovered in March 2021, uses AlphaVNC’s VNC (Virtual Network Computing) implementation to get full visibility into the victim system. Remote access to the device’s VNC server is provided by ngrok, which uses secure tunnels to expose endpoints behind NATs and firewalls to the Internet.

According to ThreatFabric, the mobile malware uses Accessibility Services to identify the programme running in the foreground and begins screen recording if the app is in the target list. Vultur is projecting the screen while masquerading as a programme called Protection Guard, an operation visible in the notification panel.

While Android banking Trojans are known to abuse the Accessibility Services to carry out criminal operations, they typically rely on HTML overlays to trick users into exposing their login details. Vultur uses an overlay only to obtain the permissions it needs to run unimpeded on the infected device.

The malware also makes use of the Accessibility Services to log every key the user taps on the screen and to prevent the victim from manually uninstalling it. When the user opens the app’s information screen in Settings, the malware auto-clicks the back button to return the user to the home screen.
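Because Vultur’s screen recording, keylogging and anti-uninstall tricks all depend on an enabled accessibility service, one quick triage step on a suspect device is to list the enabled services and flag any that are not expected. The helper below is an added example, not ThreatFabric’s or anyone else’s tooling; it parses the raw output of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` entries, or `null`), and the sample output and the `com.example.protectionguard` package name are constructed for the example, not real indicators.

```python
# Added triage helper (not ThreatFabric's tooling): list the accessibility
# services enabled on an Android device and flag any that are not on an
# allowlist. Vultur and similar Trojans depend on an enabled accessibility
# service, so an unexpected entry here is worth investigating.
#
# Input is the raw output of:
#   adb shell settings get secure enabled_accessibility_services
# Android stores this as a colon-separated list of "<package>/<ServiceClass>"
# entries, or the literal string "null" when nothing is enabled.

ALLOWLIST = frozenset({
    # TalkBack, Android's screen reader; extend with whatever your fleet expects.
    "com.google.android.marvin.talkback",
})


def parse_enabled_services(raw):
    """Return [(package, fully qualified service class), ...]."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, _, service = entry.partition("/")
        # A leading dot is shorthand for a class inside the package itself.
        if service.startswith("."):
            service = package + service
        services.append((package, service))
    return services


def suspicious_services(raw, allowlist=ALLOWLIST):
    """Enabled services whose package is not on the allowlist."""
    return [(pkg, svc) for pkg, svc in parse_enabled_services(raw)
            if pkg not in allowlist]


# Constructed sample: TalkBack plus a second, unexpected service. The
# "com.example.protectionguard" package is a placeholder for the example,
# not a real Vultur indicator.
SAMPLE_OUTPUT = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.protectionguard/.MainAccessibilityService"
)

if __name__ == "__main__":
    for pkg, svc in suspicious_services(SAMPLE_OUTPUT):
        print(f"unexpected accessibility service: {pkg} ({svc})")
```

An allowlist keyed on package name is deliberately coarse: a malicious app can name its service class anything it likes, but it cannot hide the package that owns it, and that package is what you then pull for analysis.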

Vultur is a banking Trojan that primarily targets consumers in Australia, Italy, and Spain. Some victims were also seen in the Netherlands and the United Kingdom, but to a considerably smaller extent. The malware is also highly interested in stealing crypto-wallet credentials and keeps a close eye on social networking apps.

Vultur looks to be tied to Brunhilda, a privately managed dropper that previously transmitted Alien, a variant of the Cerberus banking malware that was discovered in Google Play several months ago, according to ThreatFabric.

The Brunhilda sample connected with Vultur (it has the same icon, package name, and command and control server as a Vultur sample) has over 5,000 installs; in total, Brunhilda droppers are estimated to have had more than 30,000 installs through Google Play and unofficial stores.

The post Android Banking Trojan Relies on Screen Recording and Keylogging Instead of HTML appeared first on Cybers Guards.
PlatoAi. Web3 Reimagined. Data Intelligence Amplified.

Source: https://cybersguards.com/android-banking-trojan-relies-on-screen-recording-and-keylogging-instead-of-html/

The FBI’s Decision to Withhold the Decryption Keys for the Kaseya Ransomware has Sparked Discussion

Many security professionals backed the FBI’s decision to leave Kaseya victims infected for weeks with ransomware.

The FBI had the decryption keys for victims of the massive Kaseya ransomware attack in July, according to the Washington Post, but did not disclose them for three weeks.

The Kaseya attack impacted hundreds of organisations, including dozens of hospitals, schools, businesses, and even a Swedish supermarket chain.

The FBI obtained the decryption keys after gaining access to the servers of REvil, the Russia-based criminal organisation that was behind the enormous attack, according to Washington Post reporters Ellen Nakashima and Rachel Lerman.

Before going dark and shutting down large parts of its infrastructure shortly after the attack, REvil demanded a $70 million ransom from Kaseya and thousands of dollars from individual victims. Although the gang has since resurfaced, many organisations are still reeling from the July 4th attack.

Despite the vast number of people who were affected by the attack, the FBI chose to keep the decryption keys to themselves as they prepared to attack REvil’s infrastructure. The FBI did not want to give the decryption keys to REvil operators, according to The Washington Post.

According to The Washington Post, the FBI also indicated that “the impact was not as severe as initially anticipated.”

Officials told the newspaper that the FBI operation against REvil was never carried out because REvil disappeared. On July 21, weeks after the incident, the FBI finally handed over the decryption keys to Kaseya. Several victims spoke to The Washington Post about the millions of dollars that were lost and the massive harm that the attacks caused.

Bitdefender, which received the decryption keys from another law enforcement source, published a universal decryptor earlier this month for all victims affected before July 13, 2021. According to a Bitdefender spokesman, the decryptor has been used by more than 265 REvil victims.

During his appearance before Congress on Tuesday, FBI Director Christopher Wray blamed the delay on other law enforcement agencies and allies who allegedly requested that the keys not be released. He stated that he was constrained in what he could say about the matter because the incident is still being investigated.

“We make the decisions as a group, not unilaterally. These are complex…decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world. There’s a lot of engineering that’s required to develop a tool,” Wray told Congress. 

The news sparked heated debate among security professionals, with many defending the FBI’s decision to leave victims battling for weeks to recover from the attack.

Critical Insight CISO Mike Hamilton, who dealt with a particularly tricky case in which a Kaseya victim was left in the dark after paying a ransom just before REvil vanished, said that being cautious about divulging procedures is standard practice in law enforcement and intelligence.

“There is a ‘tell’ though, that we’ve confirmed ourselves. The FBI is quoted as saying that the damage wasn’t as bad as they thought and that provided some time to work with. This is because the event wasn’t a typical stealth infiltration, followed by pivoting through the network to find the key resources and backups. From all indications the only servers that were encrypted by the ransomware were the ones with the Kaseya agent installed; this was a smash-and-grab attack,” Hamilton said.

“If you had it deployed on a single server used to display the cafeteria menu, you could rebuild quickly and forget the whole thing happened. The fact that the world wasn’t really on fire, again, created time to dig further into the organization, likely for the ultimate purpose of identifying individual criminals. Those organizations that WERE hit hard had the agent deployed on on-premises domain controllers, Exchange servers, customer billing systems, etc.”

The FBI may have seen the need to prevent or shut down REvil’s operations as outweighing the need to save a smaller group of companies struggling in a single attack, according to Sean Nikkel, senior threat intel analyst at Digital Shadows.

Because of REvil’s growing scale of attacks and extortion demands, a rapidly evolving situation requiring an equally rapid response likely preempted a more measured response to the Kaseya victims, according to Nikkel, who added that while it is easy to judge the decision now that we have more information, it must have been a difficult decision at the time.

“Quietly reaching out directly to victims may have been a prudent step, but attackers seeing victims decrypting files or dropping out of negotiations en masse may have revealed the FBI’s ploy for countermeasures,” Nikkel told ZDNet. “Attackers then may have taken down infrastructure or otherwise changed tactics. There’s also the problem of the anonymous soundbite about decryption making its way into public media, which could also tip off attackers. Criminal groups pay attention to security news as much as researchers do, often with their own social media presence.”

Open backchannel communications with incident response organisations involved, Nikkel indicated, would have been a preferable strategy to better coordinate resources and response, but he added that the FBI may have already done so.

The incident, according to BreachQuest CTO Jake Williams, is a textbook case of an intelligence gain/loss evaluation.

It’s easy, he continued, echoing Nikkel, for individuals to play “Monday morning quarterback” and criticise the FBI after the fact for not disclosing the keys.

Williams did point out, however, that the direct financial impact was almost definitely greater than the FBI thought when it withheld the key to protect its operation.

“On the other hand, releasing the key solves an immediate need without addressing the larger issue of disrupting future ransomware operations. On balance, I do think the FBI made the wrong decision in withholding the key,” Williams said. “However, I also have the convenience of saying this now, after the situation played itself out. Given a similar situation again, I believe the FBI will release the keys unless a disruption operation is imminent (hours to days away). Because organizations aren’t required to report ransomware attacks, the FBI lacked the full context required to make the best decision in this case. I expect this will be used as a case study to justify reporting requirements.”

Critics must remember, according to John Bambenek, chief threat hunter at Netenrich, that the FBI is first and foremost a law enforcement institution that will always act in a way that optimises law enforcement outcomes.

Source: https://cybersguards.com/the-fbis-decision-to-withhold-the-decryption-keys-for-the-kaseya-ransomware-has-sparked-discussion/

Affordable Internet Service Provider

Today the internet has become more or less like oxygen, because it is essential to a decent human existence. That might sound like an exaggeration, but it is true: when the pandemic hit and people started losing jobs, the internet helped them survive, economically and emotionally. As people were not allowed to interact physically, they could stay connected with loved ones through social media.

In these challenging times people face economic hardship, and not everyone can afford to pay $100 each month for a moderate internet speed. Here we look at two affordable internet service providers, Spectrum Internet and WOW! Internet, which offer a range of packages. With either of them you can get high-speed internet at very affordable prices.

Spectrum Affordable Package and Benefits

Spectrum is a very well-known telecommunication company that offers internet, home phone and cable TV service. With millions of users in more than 41 states all around the United States, Spectrum has been successful in making a strong customer base.

More than 50% of users prefer to use the regular internet plan that is offered by Spectrum internet. An average user who uses the internet for browsing, watching Netflix or Youtube and for socializing needs an average speed of 15 Mbps. If a user needs an internet connection for work, gaming, online classes and wants to connect up to 3 or 4 devices with Wi-Fi, he can get the regular internet speed of 100 Mbps.

Spectrum offers a speed of 100 Mbps for only $49.99 a month. This is an ideal package that offers a high speed that supports all kinds of internet usage. Spectrum offers unlimited internet data which sets you free from data restrictions. Spectrum has also ended the hassle of contracts and they require no contracts from any user.

Spectrum offers free access to hotspots that you can benefit from when you are away from your home. The ease that you get with Spectrum App is amazing because it allows you to monitor your equipment along with your account. You can also pay monthly bills through your App, which means no hassle of bill payment. These perks and benefits make Spectrum a wise choice.

WOW! Affordable Package and Benefits

Wide Open West or WOW! is a regional provider that is operating in 9 states, mainly around the Westside. They offer internet, cable TV and home phone services. WOW! offers three different internet plans with high internet speed.

The regular internet plan offered by WOW! provides 200 Mbps, which supports heavy internet usage. You can easily connect up to 6 devices to the Wi-Fi without speed lag. You can work, watch as much Netflix as you want, play games, and take online classes.

Another way to assess an internet service provider is to look at the features and benefits that come with it. WOW! is one of the few providers that offer next-day installation, so you can get your internet service up and running as soon as possible. Data is unlimited, with no data restrictions.

WOW! Internet also offers a 30-day money-back guarantee, which gives you time to assess the quality of the ISP and decide whether you are satisfied with the speed. WOW! has also won an award for customer service; it offers 24/7 customer support and a free helpline to reach out to whenever a user faces an issue.

Wrapping Up

The internet is a necessity, but not everyone can afford large bills each month. It is always better to choose an internet service provider that offers promotional discounted packages and high internet speeds.

Source: https://cybersguards.com/affordable-internet-service-provider/

SonicWall has Patched a critical Flaw impacting Several Secure Mobile Access (SMA)

SonicWall fixes critical bug allowing SMA 100 device takeover

SonicWall has fixed a critical security flaw that affects several Secure Mobile Access (SMA) 100 series products and allows unauthenticated attackers to gain admin access on vulnerable devices remotely.

SMA 200, 210, 400, 410, and 500v appliances are vulnerable to attacks targeting the incorrect access control vulnerability listed as CVE-2021-20034.

There are no temporary mitigations to remove the attack vector, and SonicWall strongly advises impacted customers to install security updates as soon as possible to resolve the problem.

No exploitation in the wild

Attackers who successfully exploit this flaw can delete arbitrary files from unpatched SMA 100 secure access gateways, reboot the device to factory default settings, and potentially acquire administrator access.

“The vulnerability is due to an improper limitation of a file path to a restricted directory potentially leading to arbitrary file deletion as nobody,” the company said.

SonicWall advised enterprises who use SMA 100 series appliances to immediately log in to MySonicWall.com and update the appliances to the patched firmware versions shown in the table below.

There is currently no evidence that this serious pre-auth vulnerability is being exploited in the wild, according to the business.

Product          Platform                              Impacted version            Fixed version
SMA 100 Series   SMA 200, SMA 210, SMA 400, SMA 410,   10.2.1.0-17sv and earlier   10.2.1.1-19sv and higher
                 SMA 500v (ESX, KVM, AWS, Azure)       10.2.0.7-34sv and earlier   10.2.0.8-37sv and higher
                                                       9.0.0.10-28sv and earlier   9.0.0.11-31sv and higher
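The table has a subtlety that trips up naive patch audits: there are three parallel release branches, each with its own fix, so a build must be compared against the fix for its own branch, and the version strings must be compared numerically rather than as text (lexically, `9.0.0.10-28sv` sorts before `9.0.0.9-28sv`). The script below is an added example, not SonicWall’s tooling; it encodes the fixed versions from the advisory table and checks a constructed inventory of appliances against them. The hostnames and the `11.0.0.0-1sv` version are made up for the example.

```python
import re

# Fixed firmware versions from the advisory table above, keyed by release
# branch (the first three numeric components). A firmware build is patched
# only if it is at or above the fix for ITS OWN branch; comparing against a
# single "latest" version would misclassify 10.2.0.8-37sv as vulnerable.
FIXED_VERSIONS = {
    (10, 2, 1): "10.2.1.1-19sv",
    (10, 2, 0): "10.2.0.8-37sv",
    (9, 0, 0): "9.0.0.11-31sv",
}

# SMA 100 firmware strings look like "10.2.1.0-17sv": four dotted numbers,
# a dash, a build number and the "sv" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text):
    """Turn '10.2.1.0-17sv' into (10, 2, 1, 0, 17) so comparisons are numeric.

    Plain string comparison is wrong here: '9.0.0.10-28sv' sorts *before*
    '9.0.0.9-28sv' lexically, which would hide a vulnerable build.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not an SMA 100 firmware version string: {text!r}")
    return tuple(int(group) for group in match.groups())


def assess(version_text):
    """Classify one firmware string for CVE-2021-20034.

    Returns 'patched', 'vulnerable', or 'unknown-branch' for a release
    branch the advisory does not list (treat that as needing manual review
    rather than silently calling it safe).
    """
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:3])
    if fixed is None:
        return "unknown-branch"
    return "patched" if version >= parse_version(fixed) else "vulnerable"


def triage_inventory(inventory):
    """Map {hostname: firmware} to a sorted list of (hostname, status) for
    every appliance that is not confirmed patched."""
    findings = []
    for host, firmware in inventory.items():
        try:
            status = assess(firmware)
        except ValueError:
            status = "unparseable"
        if status != "patched":
            findings.append((host, status))
    return sorted(findings)


# Constructed sample inventory (hostnames and the 11.x version are made up
# for the example; in practice they come from your asset register).
SAMPLE_INVENTORY = {
    "sma-410-hq": "10.2.1.0-17sv",      # vulnerable: below the 10.2.1 fix
    "sma-500v-aws": "10.2.1.1-19sv",    # patched
    "sma-200-branch": "10.2.0.8-37sv",  # patched on the 10.2.0 branch
    "sma-210-legacy": "9.0.0.10-28sv",  # vulnerable: below the 9.0.0 fix
    "sma-400-lab": "11.0.0.0-1sv",      # branch not in the advisory
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:16} {SAMPLE_INVENTORY[host]:14} {status}")
```

Anything that does not parse or sits on a branch the advisory does not mention is reported rather than dropped; a patch audit that only prints confirmed-vulnerable hosts quietly hides exactly the appliances nobody has looked at.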

Targeted ransomware

Since the beginning of 2021, ransomware gangs have targeted SonicWall SMA 100 series appliances on several occasions, with the objective of moving laterally into the target organization’s network.

For example, a threat group tracked as UNC2447 used the CVE-2021-20016 zero-day flaw in SonicWall SMA 100 appliances to deploy the FiveHands ransomware strain (a DeathRansom variant, like HelloKitty).

Before security patches were issued in late February 2021, their attacks targeted a number of North American and European enterprises. In January, the same issue was utilised in attacks against SonicWall’s internal systems, and it was afterwards used indiscriminately in the wild.

SonicWall warned two months ago, in July, that unpatched end-of-life (EoL) SMA 100 series and Secure Remote Access (SRA) systems were at risk of ransomware attacks.

Security researchers from CrowdStrike and Coveware added to SonicWall’s warning, stating that the ransomware campaign was still active. Three days later, CISA validated the researchers’ findings, warning that threat actors were targeting a SonicWall vulnerability that had already been patched.

HelloKitty ransomware had been exploiting the weakness (recorded as CVE-2019-7481) for a few weeks before SonicWall’s ‘urgent security notification’ was issued, according to BleepingComputer.

SonicWall recently announced that its products are used by over 500,000 businesses in 215 countries and territories across the world. Many of them may be found on the networks of the world’s top companies, organisations, and government institutions.

Source: https://cybersguards.com/sonicwall-has-patched-a-critical-flaw-impacting-several-secure-mobile-access-sma/

Apple bans Epic Games from App Store

Apple bans Epic Games from App Store until all litigation is finalized

Epic Games CEO Tim Sweeney announced the indefinite ban with a series of tweets.

According to a series of emails published on Twitter and a blog post by Epic CEO Tim Sweeney, Apple has blocked Epic Games from returning to the App Store ecosystem indefinitely, despite the games developer claiming it would stop its own payments system.

Epic’s iOS developer account was blocked in August of last year after the company introduced a new payment method designed to bypass Apple’s payment systems and 30 percent commission fees. Epic filed cases against Apple in response to the prohibition, with the US litigation resulting in a mixed court verdict a fortnight ago.

Apple was justified in cancelling Epic’s iOS developer account because it breached App Store criteria, according to the mixed court verdict.

Epic has subsequently challenged the ruling, and the court is currently deciding whether or not to hear the case.

The games developer’s apps, such as its flagship game Fortnite, would not be permitted to return to the App Store until the US case was resolved, according to one of the disclosed emails reportedly received by Apple’s legal representatives on September 21.

“Apple has exercised its discretion not to reinstate Epic’s developer program account at this time. Furthermore, Apple will not consider any further requests for reinstatement until the district court’s judgment becomes final and non-appealable,” the email reads.

The letter alluded to the mixed court judgement, which stated that Apple was within its rights to remove any Epic-related accounts from the App Store and that Epic’s developer account could not be reinstated.

Sweeney accused Apple of breaking its promise to enable Epic Games to return to the App Store if it agreed to “play by the same standards” in his tweets.

This was in response to an Apple spokesperson’s emailed remark from a week ago:

“As we’ve said all along, we would welcome Epic’s return to the App Store if they agree to play by the same rules as everyone else. Epic has admitted to breach of contract and as of now, there’s no legitimate basis for the reinstatement of their developer account.”

“Apple lied,” Sweeney tweeted.

“Apple spent a year telling the world, the court, and the press they’d ‘welcome Epic’s return to the App Store if they agree to play by the same rules as everyone else.’ Epic agreed, and now Apple has reneged in another abuse of its monopoly power over a billion users.”

Other repercussions of the US court judgement include Epic’s attempt to reintroduce Fortnite to the South Korean iOS App Store, which is now in jeopardy because the company has no iOS developer account. This remains the case even though South Korea recently passed legislation requiring app stores such as the App Store to accept alternative payment methods.

Epic Games’ other pending lawsuits around the world, such as two in Australia that accuse Apple and Google of acting anti-competitively through their app store practices, would also be influenced by the court verdict.

Source: https://cybersguards.com/apple-bans-epic-games-from-app-store/
