Sunday, March 3, 2024

News

Malicious meeting invite fix targets Mac users

Cybercriminals are targeting Mac users interested in cryptocurrency opportunities with fake calendar invites. During the attacks the criminals will send a link supposedly to add a meeting to the target’s calendar. In reality the link runs a script to install Mac malware on the target’s machine.

Cybersecurity expert Brian Krebs investigated and flagged the issue.

Scammers, impersonating cryptocurrency investors, are active on Telegram channels to get interested people to attend a meeting about a future partnership.

One of those investors, Signum Capital, posted a warning on X in January that one of its team members was being impersonated on Telegram, with the impostor sending out invites by direct message (DM).

Heads up! A fake account pretending to be one of our team members is going around DM-ing people on Telegram.

The screenshots below are from the scammer; please take note and be alert. pic.twitter.com/6hFcUsaGtZ

— Signum Capital (@Signum_Capital) January 22, 2024

The criminals reach out to targets by DM on Telegram and ask if they have an interest in hearing more about the opportunity in a call or meeting. If they show interest they will be sent a fabricated invitation for a meeting. When the time comes to join the meeting, the invitation link doesn’t work. The scammers tell the victim it’s a known issue, caused by a regional access restriction, which can be solved by running a script.

We asked Malwarebytes Director of Core Technology and resident Apple expert Thomas Reed to look at this method. This isn’t the first time criminals have used scripts to compromise users, he told us.

“AppleScript has been used against Mac users with moderate frequency by malware creators over the years. It has the advantage of being very easy to write, and if compiled, is also extremely difficult to reverse engineer.”

According to Reed, AppleScripts can be provided in a few different forms. One is a simple .scpt file that opens in Apple’s Script Editor app. This has a few drawbacks for criminals: a victim would need to click something within Script Editor to run the script, and they would be able to see the code, which might be a problem because AppleScript tends to be more human readable than most other scripts. However, there are ways to obfuscate what the code is doing, and many users won’t bother to read it anyway.

Another option is an AppleScript applet. This is something that acts like a normal Mac app. It contains a basic AppleScript executable and the script to be run. In this form, the script can be code signed, notarized, given an icon, and otherwise made to appear more trustworthy. The code could be pretty bland, and unlikely to trigger any kind of detection from Apple’s notarization process, but could download and execute something less trustworthy.

Scripts have another advantage for criminals, Reed warned.

“AppleScripts also have the advantage of being able to very easily get administrator permissions.”

A script that attempts to run a command with administrator privileges will ask users to authenticate, triggering a password dialog.

If the user enters their password, the script doesn’t actually get to see it, but everything else the script attempts to do “with administrator privileges” will successfully run as root without further authentication. This makes it very easy for the script to show a standard authentication request dialog and trick the user into giving root permissions.

“So, in summary, AppleScript can be quite effective for writing malware. In fact, some malware has been written exclusively – or almost exclusively – in AppleScript, such as OSX.DubRobber or OSX.OSAMiner.”

In this case, the script was a simple AppleScript that downloaded and executed a macOS-oriented Trojan. The nature of the Trojan is unknown, but it certainly won’t surprise anyone if it turns out it was a banking Trojan that specializes in stealing cryptocurrencies.

Recognizing the scam

To avoid falling victim to these scammers, it’s good to know a few of their tactics.

Targets are approached by DM on Telegram.

Topics are cryptocurrency investment opportunities.

The scammers have a preference for the Calendly scheduling platform.

A fake “regional access restriction” creates a sense of last minute urgency.

The script had the .scpt (AppleScript) extension.

The script was hosted on a domain that pretended to be a meeting support site.

The presence of Mac malware is unfortunately still underestimated, but Malwarebytes for Mac offers protection, and ThreatDown solutions protect Mac endpoints in your environment.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Malwarebytes 

Someone is hacking 3D printers to warn owners of a security flaw

Do you have an Anycubic Kobra 2 Pro/Plus/Max 3D printer? Did you know it has a security vulnerability?

If you answered “yes” to both those questions, then chances are that I can guess just how you found out your 3D printer was vulnerable to hackers.

Read more in my article on the Hot for Security blog.

Graham Cluley 

The US is Bracing for Complex, Fast-Moving Threats to Elections This Year, FBI Director Warns

FBI Director Christopher Wray says advances in generative AI make election interference and meddling easier than before.

The post The US is Bracing for Complex, Fast-Moving Threats to Elections This Year, FBI Director Warns appeared first on SecurityWeek.

SecurityWeek RSS Feed 

Hacker Group Publicly Announced That They Are Recruiting Pentesters

Hacker groups recruit pentesters because they possess valuable skills in identifying and exploiting vulnerabilities. This aligns with the offensive capabilities that are needed for cyber attacks. 

Pentesters’ expertise in finding security flaws also enhances a group’s ability to compromise systems and networks for malicious purposes.

Daily Dark Web recently discovered and reported that a hacker group, 62IX, officially announced they are actively recruiting pentesters and DDoSers.

Hackers Recruiting Pentesters

62IX is believed to be a pro-Russian hacker group. It has been suspected of attacking several key targets, such as telecommunications firms in Australia and Hong Kong.

The group is believed to have used a range of tactics, including malware and social engineering, to infiltrate sensitive systems.

It has also been claimed that 62IX has engaged in espionage against the United States. However, the group’s motives remain unclear.

International law enforcement agencies are currently carrying out investigations directed at this group. 

Here’s what the operators of the 62IX hacker group stated:

“In order to join our team, you need to fill out a short questionnaire, according to which we will judge whether to recruit you or not.

“When filling out the questionnaire, be as honest as possible and express your thoughts correctly, as well as the information you fill out.”

Below is the announcement spotted by Daily Dark Web.

62IX group has officially announced that they are recruiting DDoSers and pentesters

The group will decide whether to recruit or not based on the questionnaire filled out by the candidates.#DarkWeb #DDoS #pentest pic.twitter.com/mbQavOjqMQ

— Daily Dark Web (@DailyDarkWeb) March 1, 2024

The pattern of hacker groups recruiting pentesters has shifted quickly over the past few years as cyber threats have become more sophisticated.

These groups have increasingly sought pentesters to strengthen their offensive capabilities as they recognize the strategic advantage of having people with real security knowledge.

Precautionary Measures

The recommended precautionary measures are listed below:

Thorough Background Checks

Strict Code of Ethics

Regular Monitoring

Non-Disclosure Agreements (NDAs)

Education and Training

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

The post Hacker Group Publicly Announced That They Are Recruiting Pentesters appeared first on Cyber Security News.

Cyber Security News 

New Bifrost Malware Attacking Linux Servers Evades Security Systems

A new Linux variant of Bifrost, dubbed Bifrose, has been observed using creative ways to avoid detection, such as a deceptive domain that imitates an official VMware domain.

Bifrost is a remote access Trojan (RAT) that was first discovered in 2004. It is usually distributed by attackers using phishing websites or email attachments.

After being installed on the victim’s computer, Bifrost allows the attacker access to confidential information such as the victim’s IP address and hostname.

Bifrost’s most recent version attempts to bypass security measures and infiltrate target systems.

The cybersecurity industry is concerned about the recent spike in Linux variants of Bifrost, which may indicate an increase in attacks against Linux-based systems.

Bifrost sample detections from October through January 2024

Novel User-Deception Method Used By Bifrost

“The latest version of Bifrost reaches out to a command and control (C2) domain with a deceptive name, download.vmfare[.]com, which appears similar to a legitimate VMware domain. This is a practice known as typosquatting,” Palo Alto Networks shared with Cyber Security News.

Researchers have identified the most recent Bifrost sample on a server.

The sample binary is x86-compiled and appears to be stripped. A stripped binary has both symbol tables and debugging information removed. Attackers typically employ this tactic to hinder analysis.

The malware first calls a setSocket function to create the socket it uses to communicate; it then gathers user data and transmits it to the attacker’s server.

Code flow of the malware as seen in a disassembler

Once the socket has been created, the malware gathers user information to transmit it to the attacker’s server.

Collects victim data

The most recent sample encrypts the gathered victim data with RC4. The malware then attempts to connect to a public DNS resolver located in Taiwan.

The malware uses the public DNS resolver to start a DNS query to resolve the domain download.vmfare[.]com. This step is essential to make sure the malware can connect to its target location.

Malware initiating a DNS query to resolve the domain download.vmfare[.]com

To avoid detection, the malware uses misleading domain names for its C2 server rather than IP addresses.
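The typosquatting point above lends itself to a simple detection check on DNS query logs. The following is an added example, not code from the article or from Palo Alto Networks: it flags queries whose registrable domain is within a small edit distance of a watch-listed brand domain, run over a constructed dnsmasq-style log (the log format, watch-list and client addresses are assumptions; download.vmfare[.]com is the domain the article names).

```python
import re

# Legitimate domains worth protecting; a query whose registrable domain is
# within a small edit distance of one of these is flagged as a lookalike.
WATCHLIST = {"vmware.com", "microsoft.com", "apple.com"}

# Constructed dnsmasq-style query log (format assumed, for illustration).
# The vmfare.com entry is the C2 domain the article reports, refanged.
SAMPLE_LOG = """\
Mar  1 10:02:11 dnsmasq[412]: query[A] updates.vmware.com from 10.0.0.5
Mar  1 10:02:14 dnsmasq[412]: query[A] download.vmfare.com from 10.0.0.7
Mar  1 10:02:20 dnsmasq[412]: query[A] example.org from 10.0.0.5
Mar  1 10:02:31 dnsmasq[412]: query[A] mail.micros0ft.com from 10.0.0.9
"""
QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (plain dynamic-programming table)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(host: str, max_distance: int = 2):
    """Return the watch-listed domain that `host` imitates, or None. Compares the
    last two labels (download.vmfare.com -> vmfare.com), accepts defanged input
    such as vmfare[.]com, and treats an exact match as legitimate."""
    labels = host.lower().replace("[.]", ".").rstrip(".").split(".")
    base = ".".join(labels[-2:])
    if base in WATCHLIST:
        return None
    return next((g for g in WATCHLIST if levenshtein(base, g) <= max_distance), None)

def scan_log(text: str) -> list:
    """Return (client, queried host, imitated domain) for every suspicious query."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            host, client = m.groups()
            target = lookalike(host)
            if target:
                hits.append((client, host, target))
    return hits

if __name__ == "__main__":
    for client, host, target in scan_log(SAMPLE_LOG):
        print(f"{client} queried {host}, which resembles {target}")
```

A real deployment would use a public-suffix list for the registrable domain and a much larger watch-list; the edit-distance threshold is the knob that trades false positives for coverage.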

Researchers discovered that a malicious IP address also hosts an ARM version of Bifrost. The existence of this version suggests that the attacker is trying to broaden the range of systems the malware can target.

Therefore, it is essential to detect and eliminate malware such as Bifrost to protect sensitive information and maintain the integrity of computer systems.

This lessens the possibility of unauthorized entry and the damage that could follow.

The post New Bifrost Malware Attacking Linux Servers Evades Security Systems appeared first on Cyber Security News.

Cyber Security News 
