Jennifer Addie, COO and CWO of VentureScope and the MACH37 Cyber Accelerator, sits down to share her story of bringing creativity into the cyber community. Growing up, Jennifer always loved the human side of things, and discovering that she had a knack for computers helped her realize what type of field she wanted to pursue as an adult. She worked in programming, database administration, and product development, and it was in the design of those products that security emerged as a critical concern for her. She describes being a very interactive leader who likes to connect with the people she works with on a personal level, always curious about where people came from and what they are passionate about. Jennifer also believes that bringing creativity into the field is what helps her solve problems best, stating: “I absolutely agree with the idea that creativity is far more than artistic capability. It is very much centered on problem solving and in fact, the master’s degree that I received in creativity focuses on creative problem solving as a process.” We thank Jennifer for sharing her story with us.
Well, the GoldPickaxe Trojan does not literally steal your face, but it does steal an image of your face so that the criminals can pass as you.
Researchers have found a family of Trojans, attributed to a financially motivated Chinese group, which come in versions for iOS and Android.
Cybercriminals trick victims into scanning their faces along with identification documents. Victims are approached through phishing and smishing messages that claim to come from local governments or other trusted sources and ask the target to install a fake government service app.
At this stage the Android and iOS infection chains diverge. Android users are sent straight to the malicious app, while, because of the restrictions Apple imposes, iOS users are asked to install a disguised Mobile Device Management (MDM) profile. MDM lets a controller configure devices remotely by pushing profiles and commands to them. It therefore offers features such as remote wipe, device tracking, and application management, which the cybercriminals abuse to install malicious applications and obtain the information they need.
The criminals then request that the victim take a photo of an official ID and scan their face with the app. Additionally, the criminals request the target’s phone number in order to get more details about them, particularly their bank accounts.
Once the criminals have a scan of the face they can use artificial intelligence (AI) to perform face swaps, a technique for replacing the face in an image with another.
With the face swap and the photo of the ID the criminals can pass as the victim to the victim’s bank and withdraw funds from their account. Many financial organizations use facial recognition for transaction verification and login authentication. Although the researchers found no evidence that bank fraud was the goal of the cybercriminals, this conclusion was confirmed by warnings from the Thai police.
Although this group is mainly active in Asia, more precisely in Thailand, such a successful method can be expected to be copied elsewhere.
Malwarebytes and ThreatDown solutions detect the GoldPickaxe Trojan as Android/Trojan.Agent.prn1.
North Korean Hackers Targeting CyberLink Users in Supply-chain Attack
Microsoft Threat Intelligence has uncovered a supply chain attack carried out by the North Korean threat actor Diamond Sleet (ZINC).
The attack involved tampering with a legitimate CyberLink Corp. application, producing a malicious variant that carries a hidden second-stage payload.
The file, disguised as a genuine CyberLink installer, has been found on over 100 devices worldwide, in countries including Japan, Taiwan, Canada, and the United States.
The Artistry of Malicious Adaptation
Diamond Sleet went as far as producing a file signed with a valid CyberLink Corp. certificate.
This file, hosted on CyberLink’s legitimate update infrastructure, limits its execution time window in order to evade detection by security tools.
With high confidence, Microsoft attributes this activity to Diamond Sleet, a North Korean threat actor notorious for targeting sectors such as information technology, defense, and media.
In response to this supply chain compromise, Microsoft swiftly executed a strategic defense plan:
Notifying CyberLink: Microsoft promptly alerted CyberLink of the breach, enabling them to take corrective actions and protect their customers.
Alerting Affected Customers: Microsoft Defender for Endpoint customers affected by this campaign were immediately notified, allowing them to take proactive steps to mitigate the threat.
Reporting to GitHub: Upon identifying the second-stage payload on GitHub, Microsoft promptly reported the attack, leading to its removal and safeguarding the platform’s users.
Blocking the Certificate: To prevent further exploitation, Microsoft added the CyberLink Corp. certificate to its list of prohibited items, effectively blocking its use for malicious purposes.
Categorizing the Threat: Microsoft’s security solutions detect and categorize this activity as Diamond Sleet within Microsoft Defender for Endpoint, providing users with clear and actionable information about the threat.
Diamond Sleet Unveiled
Diamond Sleet, formerly known as ZINC, emerges as a sophisticated North Korean threat group with a global reach.
Specializing in espionage, data theft, financial gain, and network disruption, this group possesses an arsenal of exclusive custom malware.
Microsoft’s report sheds light on Diamond Sleet’s recent activity, which overlaps with activity tracked by other security vendors under names such as Temp.Hermit and Labyrinth Chollima.
Delving into the technical nuances, Microsoft observed the modified CyberLink installer’s suspicious activity as early as October 20, 2023.
Diamond Sleet’s playbook involves exfiltrating sensitive data, compromising software build environments, and establishing persistent access in victim environments.
LambLoad Unleashed
LambLoad, Diamond Sleet’s weaponized downloader and loader, conceals its malicious code within a legitimate CyberLink application.
The loader, bearing the SHA-256 hash 166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de7e5bfbfb5afb8be, meticulously checks execution conditions before proceeding.
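As an added defensive example (not code from the Microsoft report or from this article), the following Python sweep hashes every file under a directory and flags any whose SHA-256 matches the LambLoad hash quoted above; the scratch directory and the sample file it creates are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Set

# SHA-256 of the trojanized CyberLink installer (LambLoad) as published
# in the Microsoft report summarized above.
LAMBLOAD_SHA256: Set[str] = {
    "166d1a6ddcde4e859a89c2c825cd3c8c953a86bfa92b343de7e5bfbfb5afb8be",
}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_for_iocs(root: Path, iocs: Set[str] = LAMBLOAD_SHA256) -> Dict[str, str]:
    """Walk `root` recursively; return {path: sha256} for files matching an IoC."""
    wanted = {h.lower() for h in iocs}
    hits: Dict[str, str] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            h = sha256_file(path)
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        if h in wanted:
            hits[str(path)] = h
    return hits


def demo(sample: bytes, iocs: Set[str] = LAMBLOAD_SHA256) -> Dict[str, str]:
    """Constructed demo: write `sample` as setup.exe in a scratch dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "setup.exe").write_bytes(sample)  # constructed sample, not real malware
        return {Path(p).name: h for p, h in scan_for_iocs(root, iocs).items()}


if __name__ == "__main__":
    print("matches:", demo(b"constructed benign sample"))
```

Point `scan_for_iocs` at a download or software-cache directory on an endpoint; any hit is a reason to isolate the host and reset credentials, as the recommendations below advise.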
Microsoft issues key recommendations to protect organizations against this threat:
Employ Microsoft Defender Antivirus with cloud-delivered protection: This comprehensive solution provides real-time protection against a wide range of threats, including Diamond Sleet’s malicious code.
Activate network protection: Network protection capabilities in Microsoft Defender for Endpoint help thwart access to malicious domains, preventing the initial stage of the attack.
Enable automated investigation and remediation: Microsoft Defender for Endpoint automates the investigation and remediation process, minimizing the impact of attacks and reducing manual intervention.
Swiftly address malicious activity: Upon detection, promptly isolate affected systems and reset credentials to prevent further compromise.
Implement attack surface reduction rules: Attack surface reduction rules block untrusted executable files, preventing the execution of malicious code.
Decrypting the Code
Technical insights reveal LambLoad’s maneuvers, utilizing compromised domains for callbacks and concealing its payload within PNG files.
For independent analysis, Microsoft offers a decryption script, enabling security researchers to dissect the malware and gain deeper insights into its inner workings.
Microsoft Defender Antivirus and Microsoft Defender for Endpoint stand vigilant, detecting and categorizing threat components associated with Diamond Sleet’s arsenal.
This continuous monitoring ensures that organizations remain protected against the evolving tactics, techniques, and procedures employed by this sophisticated threat actor.
Fake FlipperZero sites promise free devices after completing offer
A site impersonating Flipper Devices promises a free Flipper Zero after completing an offer, but only leads to shady browser extensions and scam sites.