By Waqas
Amid the data breach, Discord.io has shut down all of its operations indefinitely in the foreseeable future.
This is a post from HackRead.com Read the original post: Discord.io Admits Data Breach: Info of 760K Users Sold Online

*   **Massive Discord.io Data Breach Unveiled:** Hacker “Akhirah” exposes a vast data breach on Discord.io, an unofficial service that provides redirect and invite links to Discord servers.

*   **Over 760,000 Users Impacted:** The breach, occurring on August 14, 2023, has jeopardized the personal information of more than 760,000 users.

*   **Discord.io Halts Operations:** In response to the breach, Discord.io has taken the unprecedented step of shutting down its operations indefinitely.

*   **Hacker Talks to Hackread.com:** Akhirah wants Discord.io to remove malicious content from the site in order to put an end to the database sale.

*   **Exposed Data Includes Sensitive Details:** Stolen information from the breach includes usernames, Discord IDs, email addresses, and salted and hashed passwords.

*   **Urgent Call to Action:** Discord.io urges users to update their passwords to mitigate the impact of the breach, while financial information remains reportedly untouched. Hackread.com is actively seeking more details from the hacker to provide comprehensive insights into the incident.

A hacker using the pseudonym “Akhirah” has unleashed a massive data breach against Discord.io, a non-official service known for providing redirect and invite links to Discord servers. The data breach, which occurred on Monday, August 14, 2023, has put the personal information of approximately 760,000 users at grave risk.

Currently, the database is being sold on the **new version of Breach Forums** that surfaced recently under the leadership of the infamous ShinyHunter hackers.

Discord.io database on Breach Forums (Screenshot: Hackread.com)

Initial glimpses into the database are troubling, as usernames, Discord IDs, email addresses, and salted and hashed passwords have all fallen prey to this data breach. Although the hashed nature of passwords may offer a thin silver lining, the potential for decryption looms large, underscoring the urgent need for users to fortify their defences which is why Discord.io has urged users to reset and update their passwords.

Additionally, Discord.io maintains that no financial data has been infiltrated or exposed in this breach. However, while the extent of this breach is still unfolding, Discord.io has taken a drastic step in response. The service, which was already skating on thin ice, has decided to cease all operations indefinitely in the “foreseeable future.”

Visitors to Discord.io are now greeted with a message detailing the severity of the breach. The company, in an act of transparency, has laid out the compromised data fields. This initiative aims to provide clarity to affected users about what information is now exposed and what remains untouched in the cataclysmic wake of this incident.

> “We have cancelled existing premium subscriptions and we’ll be reaching out as soon as possible on an individual basis. As of this message, we have not yet been contacted by the people responsible for this breach nor have we reached out to them. As far as we currently know, the database itself has not yet been shared publicly.”
> 
> Discord.io

Here is a screenshot from Discord.io admitting the data breach and providing in-depth details about what data was stolen and which information remained untouched.

Homepage of Discord.io right now (Screenshot: Hackread.com)

**Interview with the hacker Akhirah**

Akhirah responded to Hackread.com, and we managed to ask him a couple of questions about the breach. Akhirah claims he is least interested in selling data; however, he wants Discord.io to remove malicious content from their site and get in touch with him to resolve the issue – no retribution or bounty required.

Hackread.com: Discord.io has shut down its operations. Would you share your thoughts on that? and share some details of how did you manage to breach them, and if you have access to their payment section as well?

Akhirah: First I have to say I hate Discord and its audience, I think most of them are paedophiles, I put the data on the market to sell but I’m not sure about it, and I haven’t sold it to anyone yet, but there are so many demands, I want to talk to the management of discord.io and agree on some issues. Plus, I don’t have access to payment-related data, just stuff I’ve shared an example of

Hackread.com: By talking to them do you mean resolving the issue and discarding the data or asking them for some sort of retribution?

Akhirah: I want to talk to him about sissy, femboy etc content and blacklisting of paedophile talks from now on.

Hackread.com: So if they remove the malicious content and people you would agree to safely discard the data and that would be the end of it?

Akhirah: Yes, that can be said. Too many children want to buy this data, it’s true that I sell data, but I’m not sure I want to sell this data. I just want to talk and agree with the admin about the sensitive issues I mentioned.

Hackread.com: Have you contacted Discord.io?

Akhirah: No, they are the victims right now and they didn’t try to talk to me, I invite them to talk, I would appreciate it if you could share this on your site.

Discord.io becomes the latest platform to shut down due to data breaches. Just a week ago, LetMeSpy Android Spyware Service also **announced its permanent closure** following a hacker’s successful breach and access to user data.

**RELATED ARTICLES**

1.  Teen “Hackers” on Discord Selling Malware for Quick Cash
2.  Roblox Data Breach: PII of Thousands of Developers Stolen
3.  Pink Drainer Posed as Journalists, Stole $3M from Discord Users
4.  Data Breach at New BreachForums: 4,000 members’ data leaked
5.  Original BreachForums Breached, PII Data of 210K Users Sold Online

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Discord.io Admits Data Breach: Info of 760K Users Sold Online

By Waqas
Trellix Uncovers Deceptive Chrome Browser Update Campaign Leveraging NetSupport Manager RAT.
This is a post from HackRead.com Read the original post: Fake Chrome Browser Update Installs NetSupport Manager RAT

*   **Fake Chrome Browser Update Scam:** Trellix exposes a scheme using fake Chrome browser updates to sneak NetSupport Manager onto victim computers, granting cybercriminals control and data access.

*   **Possible SocGholish Link:** While resembling SocGholish, differences in tools raise doubt about a direct connection, highlighting evolving tactics.

*   **Compromised Sites as Launchpads:** Compromised websites act as launchpads for the attack, affecting diverse sectors, including government and finance.

*   **Deceptive Path to RAT:** Victims fall for the fake update, unknowingly downloading a malicious JavaScript file, “Browser\_portable.js,” which activates NetSupport Manager.

*   **Urgent Need for Vigilance:** Trellix’s discovery underscores the critical importance of global threat intelligence and advanced security solutions in countering evolving cyber threats.

Cybersecurity firm Trellix has identified a new cyber campaign exploiting unsuspecting victims by disguising itself as a legitimate Chrome browser update. The deceptive scheme employs a malicious remote administration tool (RAT) known as NetSupport Manager RAT, allowing threat actors to gain unauthorized access to victims’ computers and seize control.

Moreover, the Trellix Advanced Research Center uncovered striking similarities to a previously reported SocGholish campaign, although a definitive connection remains elusive. Yet, concrete links between the two campaigns remain scarce.

The campaign, which came to light in late June 2023, exploits compromised websites as a platform for delivering the fraudulent Chrome update. Victims are lured into downloading and installing the fake update, unwittingly inviting the NetSupport Manager RAT onto their systems. The malware allows cybercriminals to pilfer sensitive information and manipulate victim computers to their advantage.

The modus operandi of the campaign involves injecting compromised websites with a carefully crafted HTML script tag that retrieves JavaScript content from the attackers’ command and control server.

This technique, seemingly automated, hinges on the unsuspecting victims falling for the fake browser update ruse. The success of the scheme relies heavily on the prevalence of compromised websites.

Trellix researchers found evidence of this campaign infiltrating a Chamber of Commerce website, with traffic from governmental entities, financial institutions, and consulting services. Although the site has since been cleansed of the injected script, it suffered compromise for at least one day.

The deceptive journey commences when victims encounter the injected script on a compromised website, leading them to a fake browser update page. This manipulation, which directs users to unwittingly install the NetSupport RAT, isn’t novel; similar tactics have been documented in past instances like the SocGholish campaign.

Fake Chrome Browser Update page (Screenshot: Trellix)

However, it’s the tools employed in the present campaign that stand apart from SocGholish. SocGholish exploited PowerShell with WMI capabilities to facilitate RAT download and installation. In contrast, the current campaign utilizes batch files (.BAT), VB scripts, and the Curl tool to carry out its malevolent operations. The use of these distinct tools underscores the evolving strategies of cybercriminals.

Should a victim succumb to the allure of the fake browser update and click on the “Update Chrome” link, a ZIP archive named “UpdateInstall.zip” containing a malevolent JavaScript file, “Browser\_portable.js,” is initiated for download. This script serves as a downloader for the ensuing stage of the attack.

Upon extraction of the NetSupport Manager RAT via the downloaded 7-zip utility, execution transpires via a scheduled task, orchestrated by the “2.bat” batch file. Furthermore, this batch file also engenders persistence for the RAT, ensuring automatic execution upon system startup.

The malevolent configuration file (“client32.ini”) for the RAT reveals a gateway address set to 5.252.178.48. At this juncture, with the RAT firmly entrenched within the victim’s system, threat actors possess substantial control, enabling them to execute further malware deployment, data exfiltration, network reconnaissance, and lateral movement.

The infection chain (Screenshot: Trellix)

In conclusion, this campaign serves as a reminder that threat actors consistently exploit successful techniques to advance their malicious agendas. The deployment of familiar lures, such as the phony browser update, underscores the persistent nature of these attacks.

The proliferation of RATs, while not always updated, showcases their enduring utility for cybercriminals. As attackers adopt increasingly sophisticated tactics, the challenge of detection intensifies. The utilization of native Windows scripting languages, like VBScript and Batch script, combined with tools like Curl, exemplifies their adaptability and innovation.

Joseph Tal, Senior Vice President of Trellix’s Advanced Research Center, cautioned that the prevalence of these NetSupport RAT attacks underscores the need for comprehensive global threat intelligence and innovative security solutions.

Commenting on this, Dr Klaus Schenk, senior vice president, Security and Threat Research at Verimatrix told Hackread.com that _“_The reports of threat actors exploiting fake Chrome browser updates to spread the NetSupport Manager Remote Access Trojan are concerning. While the attack vector of abusing browser updates is common, this particular campaign stands out for its sophistication and targeting. The attribution to the SocGholish group, known for cyber espionage aligned with Russian state interests, makes this a high-priority threat._“_

_“_While the details connecting this attack to SocGholish are inconclusive, the examination by Trellix seems reliable. The threat actors clearly spent time crafting a credible lure using Chrome’s market dominance. I recommend to wait a bit to see if this attacks manifests — but it would be a good idea to prioritise incident response and user education to detect and mitigate this threat,” Tal added.

_“_Even though users must still click a malicious link, the sophistication of this attack makes it likely to evade defenses. We should continue monitoring for new developments, but organisations should act swiftly to harden systems, update browsers, and inform personnel about this threat,” Tal recommend.

Nevertheless, the continually evolving threat landscape necessitates a proactive and holistic approach to cybersecurity, particularly as more enterprises rely on Chromium-based browsers for their web applications.

**RELATED ARTICLES**

1.  New malware in pirated games disables Windows Updates
2.  Fake ROBLOX &Nintendo game cracks drop ChromeLoader malware
3.  Fake Chrome & Firefox browser update lead users to malware infection
4.  Over 20 million Chrome users have installed fake malicious Ad Blockers
5.  Big Head Ransomware Found in Malvertising and Fake Windows Updates

Fake Chrome Browser Update Installs NetSupport Manager RAT

By Habiba Rashid
Renowned Mac security researcher Patrick Wardle recently unveiled potential weaknesses within Apple’s macOS Ventura, shedding light on vulnerabilities…
This is a post from HackRead.com Read the original post: macOS Ventura Background Task Flaws Can Be Exploited for Malware

*   **Background Task Weaknesses:** macOS Ventura’s Background Task Management has vulnerabilities that allow hackers to evade detection and install malware.

*   **Researcher’s Revelation:** Patrick Wardle, a respected Mac security researcher, unveiled these vulnerabilities at the Defcon hacker conference.

*   **Monitoring Tool’s Purpose:** Background Task Management is intended to detect and alert users to software persistence, ensuring data retention after restarts.

*   **Sophisticated Exploitation:** Despite alerts and notifications, Wardle’s research shows that advanced malware can bypass the monitoring system, even without root access.

*   **Apple’s Response Awaited:** Apple has yet to respond to these findings, raising concerns about the efficacy of macOS Ventura’s security enhancements.

Renowned Mac security researcher Patrick Wardle recently **unveiled** potential weaknesses within Apple’s macOS Ventura, shedding light on vulnerabilities in the Background Task Management mechanism. This revelation calls into question the efficacy of Apple’s latest monitoring tool designed to detect and mitigate malware.

Image: Patrick Wardle

During his **presentation** at the Defcon hacker conference held in Las Vegas, Wardle shared insights into how malicious actors can exploit macOS Ventura’s Background Task Management to bypass monitoring and potentially compromise user devices.

The Background Task Management tool, introduced with **macOS Ventura**, aims to detect instances of software “persistence,” which is when malicious software establishes itself on a device and remains active even after restarts. Such persistence is crucial for legitimate applications, ensuring users’ apps, data, and preferences are retained across device reboots.

However, Wardle’s findings suggest that the implementation of this monitoring tool is not foolproof. Apple **added** Background Task Management to send notifications to users and third-party security tools if a “persistence event” occurs, alerting users to unexpected or potentially malicious persistence. Despite this enhancement, Wardle’s **research** demonstrates that sophisticated malware can easily evade the monitoring mechanism.

Wardle’s research focused on pinpointing vulnerabilities within the Background Task Management’s structure. He highlighted that some bypass techniques require root access, effectively granting attackers full control over a compromised device, allowing them to manipulate persistence notifications and install malware without user awareness.

More concerning are two other bypass methods that don’t necessitate root access, exploiting flaws in how the alerting system communicates with the operating system’s core (the kernel) and leveraging the capability to put processes to sleep.

The security researcher’s findings reflect broader concerns about the efficacy of macOS Ventura’s security enhancements. Wardle emphasized that the rushed implementation of monitoring tools can give users a false sense of security, potentially overlooking critical security risks.

Apple has not yet responded to requests for comment regarding Wardle’s findings. Despite the vulnerabilities exposed, Wardle remains hopeful that these revelations will encourage Apple to refine its security measures further, ensuring a safer environment for Mac users. 

**More Findings from Patrick Wardle**

1.  Hackers Targeting Apple’s M1 Chip with Mac Malware
2.  Apple approved malware camouflaged as Adobe Flash Player
3.  How easily macOS user warnings can be bypassed by malware
4.  LockBit Ransomware Expands Attack Spectrum to Mac Devices
5.  Cryptocurrency users on Discord & Slack hit by MacOS malware
6.  Researcher creates app to notify users of evil maid attack on MacBook

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

macOS Ventura Background Task Flaws Can Be Exploited for Malware

By Owais Sultan
JasmyCoin operates on blockchain technology as a decentralized digital currency, ensuring secure and transparent transactions. 
This is a post from HackRead.com Read the original post: Investing in Ethereum Blockchain-based JasmyCoin: Guide

This article will explore the Ethereum Blockchain-based JasmyCoin market, its advantages, how to get started with JasmyCoin investment, the related risks, and how it relates to other cryptocurrencies. Whether you are a seasoned investor or new to cryptocurrencies, this guide will provide valuable insights to make informed investment decisions.

**The Benefits of Investing in JasmyCoin**

Investing in JasmyCoin offers several benefits:

1.  It provides an opportunity for diversification in your investment portfolio.
2.  Given its increasing value and market demand, JasmyCoin has the potential for high returns.
3.  Investing in JasmyCoin allows for easy and quick transactions, eliminating the need for intermediaries and reducing transaction costs. Get to know the latest JasmyCoin Price and get started. 

**Understanding the JasmyCoin Market: Trends and Insights**

The JasmyCoin market has experienced significant growth and popularity in recent years. JasmyCoin operates on blockchain technology as a decentralized digital currency, ensuring secure and transparent transactions. The market trends and insights indicate a promising future for JasmyCoin, with increasing adoption and acceptance by businesses and individuals worldwide.

**How to Get Started with JasmyCoin Investment**

To get started with JasmyCoin investment, you need to follow a few simple steps. Firstly, choose a reliable cryptocurrency exchange platform that supports JasmyCoin. Create an account and complete the necessary verification process. Once your account is set up, deposit funds into your account and start trading JasmyCoin. It is essential to conduct thorough research, stay updated with market trends and consider consulting with financial advisors before making investment decisions.

**Analyzing the Risks Associated with JasmyCoin Investment**

While JasmyCoin investment offers potential rewards, it is crucial to analyze the associated risks. The cryptocurrency market is highly volatile, and the value of JasmyCoin can fluctuate significantly. Also, there is a risk of security breaches and hacking attempts, which can result in financial losses. Investing only what you can afford to lose and implementing proper security measures to protect your investments is advisable.

**JasmyCoin vs. Other Cryptocurrencies: A Comparative Analysis**

When comparing JasmyCoin to other cryptocurrencies, it is essential to consider factors such as market capitalization, technology, adoption rate and use cases. While Bitcoin remains the most popular and widely accepted cryptocurrency, JasmyCoin offers unique features and advantages. Its focus on privacy, security and scalability sets it apart from other cryptocurrencies, making it an attractive investment option.

In conclusion, investing in JasmyCoin can be a lucrative opportunity for investors. However, it is crucial to understand the market trends, benefits, risks and how it compares to other cryptocurrencies. By following the steps outlined in this guide and staying informed, you can make informed investment decisions and potentially reap the rewards. 

**RELATED ARTICLES**

1.  How To Use ChatGPT To Trade Cryptocurrency
2.  What Makes Bitcoin NFTs Different from Other NFTs?
3.  Tracing the Path: Unraveling the Full History of Toncoin
4.  The Rise of Blockchain Gaming and Secure Marketplaces
5.  Shiba Inu: The Meme Coin Fueling an Open-Source Ecosystem

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Investing in Ethereum Blockchain-based JasmyCoin: Guide

By Owais Sultan
Powered by Oracle Cloud, Stellar Cyber Open XDR offers best-in-class cyberattack detection and response capabilities to Oracle Cloud Infrastructure users.
This is a post from HackRead.com Read the original post: Stellar Cyber and Oracle Cloud Partner for Enhanced Cybersecurity

*   Stellar Cyber partners with Oracle Cloud to enhance cybersecurity capabilities.

*   Stellar Cyber’s Open XDR platform now available on Oracle Cloud Infrastructure (OCI).

*   Joint customers can reduce cyber risk and improve security operations efficiency.

*   Stellar Cyber’s AI-driven platform streamlines threat monitoring and response across diverse environments.

*   OCI customers can access Stellar Cyber solutions through the Oracle Cloud Marketplace.

SAN JOSE – August 14, 2023 – Stellar Cyber, the innovator of Open XDR technology, announced that the Stellar Cyber Open XDR platform is available on Oracle Cloud Infrastructure (OCI) to help users manage their security operations. Joint customers of Oracle and Stellar Cyber can expect to reduce cyber risk and improve security analyst efficiency and effectiveness. 

“We find that OCI is a user-friendly platform, which correlates directly to our commitment to making security operations simpler,” said Andrew Homer, VP of Strategic Alliances for Stellar Cyber. “We are excited to work with OCI to deliver the security solutions our shared customers require and trust.”

With integrations and support for all enterprise data sources, field-vetted AI/ML-driven correlation, and purpose-built intelligent automation, the Stellar Cyber Open XDR platform eliminates manually-intensive security tasks while enabling security teams to quickly monitor, identify, and respond to threats in their cloud, on-premises, OT and hybrid environments. By running on OCI, the Stellar Cyber platform offers its best-in-class security outcomes to OCI users. 

“Stellar Cyber is committed to providing the critical capabilities security teams need to deliver consistent security outcomes—all for a single license and price on a single platform,” said Jim O’Hara, Chief Revenue Officer at Stellar Cyber. “This simple yet comprehensive model makes it easy for customers to measure how our Open XDR platform dramatically impacts their security ROI.” 

“We designed OCI with a security-first mindset, which is one of the many reasons why enterprises continue to trust Oracle with their data,” said David Hicks, Group Vice President, of Worldwide ISV Cloud Business Development, Oracle. “Stellar Cyber on OCI provides our joint customers with an industry-leading Open XDR solution to manage their cloud security posture and help protect their data.”

Stellar Cyber is a member of Oracle PartnerNetwork (OPN). OCI customers now can purchase Stellar Cyber via the Oracle Cloud Marketplace, applying Oracle Universal Credits (OUCs) toward the purchase price. 

**About Stellar Cyber**

The Stellar Cyber Open XDR platform delivers comprehensive, unified security without complexity, empowering lean security teams of any skill to secure their environments successfully.

With Stellar Cyber, organizations reduce risk with early and precise identiﬁcation and remediation of threats while slashing costs, retaining investments in existing tools, and improving analyst productivity, delivering an 8X improvement in MTTD and a 20X improvement in MTTR. The company is based in Silicon Valley. For more information, contact Stellarcyber.ai.

**About Oracle PartnerNetwork**

Oracle PartnerNetwork (OPN) is Oracle’s partner program designed to enable partners to accelerate the transition to the cloud and drive superior customer business outcomes.

The OPN program allows partners to engage with Oracle through track(s) aligned to how they go to market: Cloud Build for partners that provide products or services built on or integrated with Oracle Cloud; Cloud Sell for partners that resell Oracle Cloud technology; Cloud Service for partners that implement, deploy and manage Oracle Cloud Services; and License & Hardware for partners that build, service or sell Oracle software licenses or hardware products.

Customers can expedite their business objectives with OPN partners who have achieved Expertise in a product family or cloud service.  To learn more visit Oracle.

Charlie Rubin  
Story PR  
charlie@storypr.com  
510-908-3356

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Stellar Cyber and Oracle Cloud Partner for Enhanced Cybersecurity

By Waqas
Trellix's researchers uncovered a series of vulnerabilities in two prominent data center equipment vendors: CyberPower and Dataprobe.
This is a post from HackRead.com Read the original post: Data center flaws spurred disruptions, espionage and malware attacks

*   **Critical vulnerabilities unveiled in popular data center management platforms, posing serious security risks.**

*   **CyberPower’s PowerPanel Enterprise and Dataprobe’s iBoot PDU were found to have multiple vulnerabilities.**

*   **Potential exploitation could lead to power disruption, malware deployment, and digital espionage.**

*   **Urgent fixes released by vendors, urging affected customers to patch their systems immediately.**

*   **Emphasis on network isolation, remote access management, password updates, and regular software updates to mitigate risks.**

Trellix’s Advanced Research Center has unveiled a series of critical vulnerabilities in **data center** management platforms, shedding light on potential security risks that could cripple the foundation of our interconnected world.

**The Vulnerabilities Unveiled**

In an ongoing research effort to bolster cybersecurity and resilience in the digital realm, Trellix’s Advanced Research Center turned its attention to critical vulnerabilities within data center management platforms.

This initiative aligns seamlessly with the recently announced **2023 National Cybersecurity Strategy**, underscoring the importance of securing national critical infrastructures and enhancing overall digital ecosystem security.

The team’s initial focus was on power management and supply technologies, key components of data center infrastructure. Through detailed investigation, Trellix’s researchers uncovered a series of vulnerabilities in two prominent data center equipment vendors: CyberPower and Dataprobe.

**CyberPower’s PowerPanel Enterprise Vulnerabilities**

Trellix’s research identified four vulnerabilities in CyberPower’s PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform:

1.  **CVE-2023-3264:** Use of Hard-coded Credentials
2.  **CVE-2023-3267:** OS Command Injection (Authenticated RCE)
3.  **CVE-2023-3266:** Improperly Implemented Security Check for Standard (Auth Bypass)
4.  **CVE-2023-3265:** Improper Neutralization of Escape, Meta, or Control Sequences (Auth Bypass)

These vulnerabilities, if exploited in tandem, could grant attackers full access to these systems. Such access could lead to substantial damage and potentially pave the way for broader network compromise.

**Dataprobe’s iBoot PDU Vulnerabilities**

Dataprobe’s iBoot Power Distribution Unit (PDU) also exhibited five critical vulnerabilities:

1.  **CVE-2023-3261:** Buffer Overflow (DOS)
2.  **CVE-2023-3262:** Use of Hard-coded Credentials
3.  **CVE-2023-3260:** OS Command Injection (Authenticated RCE)
4.  **CVE-2023-3259:** Deserialization of Untrusted Data (Auth Bypass)
5.  **CVE-2023-3263:** Authentication Bypass by Alternate Name (Auth Bypass)

The potential impact of these vulnerabilities is profound, encompassing scenarios such as power disruption, widespread malware deployment, and **digital espionage**.

**The Implications of Vulnerabilities**

The implications of these vulnerabilities are far-reaching. With data centers forming the backbone of critical services, the risks extend to both consumers and enterprises. The exploitation of such vulnerabilities could lead to the following outcomes:

*   **Power Off:** Attackers could disrupt operations across multiple data centers by cutting power to connected devices, causing extensive outages and financial losses.
*   **Malware at Scale:** Compromised data center equipment could serve as a launchpad for massive ransomware, DDoS, or wiper attacks, potentially surpassing infamous incidents like StuxNet and WannaCry.
*   **Digital Espionage:** Nation-state actors and advanced persistent threats (APTs) could exploit these vulnerabilities for cyberespionage, potentially exposing sensitive information to foreign governments.

It is worth noting that Trellix researchers presented their **findings** on August 12th at the Black Hat security conference in Las Vegas, United States.

Fortunately, these vulnerabilities were discovered before they could be exploited by threat actors, minimizing the risk of malicious exploitation. Nonetheless, data centers remain attractive targets for cybercriminals due to their extensive attack surface and potential for widespread impact.

**Strategies for Mitigation and Future Preparedness**

To address these vulnerabilities, both CyberPower and Dataprobe have promptly released fixes for their affected products. Trellix strongly advises affected customers to implement these patches immediately and adopt additional precautions:

1.  **Network Isolation:** Ensure that data center management platforms are reachable only within secure intranets, shielding them from wider internet exposure.
2.  **Remote Access Management:** Disable remote access to devices and platforms when not needed, reducing potential attack vectors.
3.  **Password Management:** Update passwords for user accounts associated with vulnerable systems and revoke any compromised credentials.
4.  **Regular Updates:** Stay vigilant by applying the latest software and firmware updates promptly to reduce exposure to future vulnerabilities.

**Conclusion**

Trellix’s Advanced Research Center’s findings underscore the critical role played by data centers in modern operations and the urgent need to fortify their defences. By collaborating with vendors, promptly addressing vulnerabilities, and embracing best practices, the digital ecosystem can continue to evolve securely, resiliently, and without compromise.

**RELATED ARTICLES**

1.  China attack National Data Center with watering hole attack
2.  Login Details of Tech Giants Leaked in Two Data Center Hacks
3.  Top sites affected after OVH data center catches disastrous fire
4.  NATO bunker’s dark web data center seized for hosting child porn
5.  BlackCat (ALPHV) Claims Ransomware Attack on NCR Data Center

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Data center flaws spurred disruptions, espionage and malware attacks

By Deeba Ahmed
Cybersecurity researchers at Securelist have discovered a cyberattack against a power-generating firm in South Africa. Reportedly, the firm…
This is a post from HackRead.com Read the original post: South African Power Supplier Hit by DroxiDat Malware

*   **Cybersecurity researchers uncover cyberattack targeting South African power-generating firm.**

*   **Attackers deploy new variant of SystemBC malware, named DroxiDot, with CobaltStrike beacons.**

*   **Speculation that attack could be an initial stage of a ransomware attack, occurring in March 2023.**

*   **DroxiDot variant is a compact 8kb payload, serves as a system profiler, and sets up SOCKS5 proxies on target computers.**

*   **Attacker’s C2 infrastructure linked to energy-oriented domain potentially tied to Russian ransomware group FIN12.**

Cybersecurity researchers at Securelist have discovered a cyberattack against a power-generating firm in South Africa. Reportedly, the firm was targeted with a new variant of the SystemBC malware and a yet unidentified hacking group carried out the attack.

It is worth noting that a variant of SystemBC was also identified in the 2021 cyber attack against Colonial Pipeline, a major American oil pipeline system. In the recent attack, however, attackers deployed the proxy-capable backdoor with CobaltStrike beacons.

According to Securelist, the new SystemBC malware variant is dubbed DroxiDat. Attackers used these tools to compromise systems and remotely access the electricity generator. However, researchers speculated that it could be the “initiate stage of a ransomware attack” that took place in the third or fourth week of March 2023.

For your information, SystemBC payload is a “changing, malicious” malware-as-a-service backdoor available on darknet forums since 2018. It is a C/C++-based commodity malware first observed in 2019.

“This platform is made up of three separate parts: on the server side, a C2 web server with admin panel and a C2 proxy listener; on the target side is a backdoor payload,” Securelist’s report revealed.

Compared to previously detected SystemBC variants that were around 15-30kb+, DroxiDot is a compact, 8kb variant that serves as a system profiler, and its main job is to set up SOCKS5 proxies on target computers so that attackers can tunnel malicious traffic.

The malware can also retrieve usernames, IP addresses, and machine names from an active device, encrypts the data, and transfers it to the attacker’s C2 server. This variant doesn’t feature many of SystemBC’s functionalities and acts as a system profiler to exfiltrate information to a remote server.

However, it doesn’t feature download or executing capabilities and can only connect with “remote listeners, pass data back and forth, and modify the system registry.”

This variant, however, allows attackers to simultaneously target multiple devices through automating tasks. If the credentials are legit, they can even deploy ransomware using built-in Windows tools without manually controlling the process.

 The attacker’s C2 infrastructure involved an energy-oriented domain “powersupportplancom,” which resolved to a suspicious IP host. Researchers believe this host was previously used in an APT activity to improve the attack’s potential.

Furthermore, researchers discovered that DroxiDot was used in another healthcare-related incident during the same time when it delivered Nokoyawa ransomware.

Regarding the attackers, researchers claim that evidence suggests the involvement of a Russian ransomware group, probably FIN12 (also known as Pistachio Tempest). This group is known for deploying SystemBC with Cobalt Strike Beacons to launch ransomware attacks against healthcare facilities in 2022.

**RELATED ARTICLES**

1.  Fake Tor Browser Installers Distributing Clipper Malware
2.  Big Head Ransomware Found in Fake Windows Updates
3.  SmugX: Chinese Hackers Targeting Embassies in Europe
4.  Hackers targeting embassies with trojanized TeamViewer
5.  Cyber-Partisans hit Belarus railroad system with ransomware
6.  New malware hides behind free VPN, pirated security software

South African Power Supplier Hit by DroxiDat Malware

By Waqas
The victim of the data breach is the Roberto Polizzi Plastic Surgery Clinic based in Belo Horizonte, Brazil.
This is a post from HackRead.com Read the original post: Hackers Leak PII Data and Photos of Brazilian Plastic Surgery Patients

*   **Thesnake02 hacker group exposes sensitive data from Brazilian Plastic Surgery Clinic.**

*   **Breach occurred in July 2023, leaking 1.25 GB of private patient data, including surgery-related images and financial documents.**

*   **Trend of healthcare cyberattacks continues; Roberto Polizzi Plastic Surgery Clinic joins the list of victims.**

*   **Detailed analysis reveals trove of confidential patient info, nude images, and PII, but no passwords or credit/debit card data.**

*   **While primarily in Portuguese, leaked nude images pose significant risks; potential for exploitation by cybercriminals.**

*   **Previous cybercrime groups like REvil, The Dark Overlord, and Tsar Team targeted plastic surgery clinics, extorting ransom payments and leaking data.**

*   **Breach underscores urgent need for improved healthcare cybersecurity to protect patient confidentiality and data.**

A group of hackers operating under the alias Thesnake02 have leaked a trove of sensitive data belonging to the Roberto Polizzi Plastic Surgery Clinic based in Belo Horizonte, Brazil.

The breach, which occurred on July 26th, 2023, has resulted in the leak of approximately 1.25 GB of highly sensitive and private data, including surgery-related images, financial documents, and personal information of patients.

The clinic, managed by Dr. Roberto Polizzi, has become the latest victim of a growing trend of cyberattacks targeting healthcare and medical institutions. The leaked data, initially made public on the latest version of Breach Forums, has been closely examined by Hackread.com.

Post of the Breach Forums (Screenshot: Hackread.com)

Detailed analysis of the compromised data reveals a vast trove of confidential patient information, including nude images related to surgical procedures, WhatsApp messages, audio notes, receipts, CVs, invoices, internal clinic documents, and contact details.

The breach also exposed a wealth of personally identifiable information (PII), such as driver’s licenses, CPF IDs (Brazil’s equivalent of social security numbers), Covid certificates, and more. Importantly, no credit card or debit card information was among the leaked data.

The leaked data has been blurred over privacy concerns. (Screenshot: Hackread.com)

While the leaked records are primarily in Portuguese, we warn that the exposure of surgery-related nude images carries substantial potential risks. Cybercriminals could exploit this sensitive content in various harmful ways, including extortion and blackmail.

In the past, several notorious cybercrime syndicates, including REvil hackers (also known as the Sodinokibi group), The Dark Overlord, and Tsar Team, were involved in cyberattacks targeting plastic surgery clinics. These groups would extort ransom payments from their victims and, when these demands went unmet, proceeded to expose sensitive data online.

In December 2020, The Hospital Group, situated in Manchester, England, fell victim to REvil’s cyber attack. The plastic surgery clinic London Bridge Plastic Surgery (LBPS) was targeted by The Dark Overlord in October 2017, while Tsar Team successfully hacked and subsequently leaked data from Grozio Chirurgija, a cosmetic surgery clinic located in Kaunas, Lithuania back in May 2017.

As for the Roberto Polizzi Plastic Surgery Clinic, given the language barrier, the immediate impact of this breach might be somewhat limited. However, the incident underscores the critical need for enhanced cybersecurity measures within the healthcare sector, where patient confidentiality and data protection are of paramount importance.

**RELATED ARTICLES**

1.  Hacked Finnish psychotherapy clinic files for bankruptcy
2.  Dental clinic alerted to ransomware attack via hacker phone call
3.  Plastic surgery tech firm leaks images of 100,000s of customers
4.  Breast Cancer Charity Exposed Sensitive Images of U.S. Patients
5.  Medical software firm leaked personal data of 3.1 million patients

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Hackers Leak PII Data and Photos of Brazilian Plastic Surgery Patients

By Deeba Ahmed
MoustachedBouncer is a Belarusian government-backed hacking group that has been active since 2014.
This is a post from HackRead.com Read the original post: MoustachedBouncer Hackers Caught Spying on Embassies

*   **Belarusian MoustachedBouncer hacking group exposed for state-sponsored espionage on foreign embassies.**

*   **ESET Research reveals a years-long campaign targeting diplomats in South Asia, Africa, and Europe.**

*   **Hackers employ diverse techniques, including C++ backdoors and ISP-level attacks.**

*   **MoustachedBouncer tampered with victims’ internet access, tricking Windows with fake captive portals.**

*   **Researchers recommend encrypted VPNs for enhanced security against this sophisticated spying.**

According to ESET Research’s cybersecurity researchers, the Belarusian government had been spying upon foreign diplomats in the country for years through the MoustachedBouncer hacking group.

The research has confirmed that at least one embassy from South Asia, one from Africa, and two from Europe have been the targets of a state-sponsored espionage campaign, active since 2014.

The hackers utilized a wide range of attack techniques, including C++ modular backdoors, adversary-in-the-middle attacks, and email-based C&C protocols and performed attacks at the ISP level from within the country for spying.

“To compromise their targets, MoustachedBouncer operators tamper with their victims’ internet access, probably at the ISP level, to make Windows believe it’s behind a captive portal,” ESET’s report read.

For your information, adversary-in-the-middle attacks rely on ‘lawful interception’ espionage infrastructure e.g. SORM. In Russia and many other countries, it is deployed by security services on ISP premises.

****Campaign Active Since 2014****

The espionage activity started in 2014, which is surprising considering that this is the first time it has been disclosed. Since 2014, the group has used numerous malware families to achieve network intervention.

Initially, MoustachedBouncer used email protocols (SMTP and MAP) based malware frameworks and later switched to droppers that could steal files, take screenshots, and record conversations.

****Hackers Backed by the State** **

Researchers suspect that MoustachedBouncer had full backing from the Belarusian government and probably ties with other hacking groups. This view is strengthened by the fact that MoustachedBouncer has a close affiliation with another highly active hacking group, Winter Vivern.

The Winter Vivern group was discovered in 2021 and is known for targeting European diplomats. Their attack techniques resonate with two different threat actors called StrongPity and Turla. Both trojanized software installers at the ISP level.

****Attack Tactic Analysis****

Per ESET’s report, authored by malware researcher Matthieu Faou, the hackers fiddled with their target’s traffic to display genuine-looking but fake Windows Update URLs. This page promised them critical system security updates they needed to install urgently.

Fake Windows update website and fake Windows update on the Microsoft Edge browser are both part of the MoustachedBouncer attack. (Screenshot: ESET)

Per ESET telemetry this page delivered a fake update file containing the malicious executable, and two local ISP networks contributed to this campaign, including Beltelecom and Unitary Enterprise A1.

“We strongly recommend that foreign organizations in Belarus use an end-to-end encrypted VPN tunnel, ideally out-of-band (i.e., not from the endpoint), providing internet connectivity from a trusted network,” Faou wrote.

There is evidence that since June 2017, diplomats from four countries were targeted by MoustachedBouncer, two from Europe, one from Northeast Africa and one from South Asia. One of the two European diplomats was targeted twice between Nov 2020 and July 2022.

Timeline of MoustachedBouncer’s malicious activities (Screenshot: ESET)

****About MoustachedBouncer****

This previously undocumented cyberespionage group only targets foreign embassies in Belarus and has most likely been performing ISP-level adversary-in-the-middle attacks since 2020. This hacking group prefers using NightClub and Disco toolsets and used them in this campaign as well. 

Researchers have documented MoustachedBouncer as an independent group, but believe it works in collaboration with Winter Vivern. It was discovered in 2021. Proofpoint reported that the group used the Zimbra mail portal’s XSS vulnerability to steal the webmail credentials of diplomats from European countries.

**RELATED ARTICLES**

1.  Fake Tor Browser Installers Distributing Clipper Malware
2.  Big Head Ransomware Found in Fake Windows Updates
3.  SmugX: Chinese Hackers Targeting Embassies in Europe
4.  Hackers targeting embassies with trojanized TeamViewer
5.  Cyber-Partisans hit Belarus railroad system with ransomware

MoustachedBouncer Hackers Caught Spying on Embassies

By Habiba Rashid
The new attack has been dubbed Phishing 3.0.
This is a post from HackRead.com Read the original post: Phishing 3.0: Crooks Leverage AWS in Deceptive Email Campaigns

*   Cybercriminals are adopting advanced phishing tactics, using legitimate services like Amazon Web Services (AWS) to launch convincing attacks that bypass traditional security measures.

*   The Check Point report highlights the emergence of Business Email Compromise 3.0 (BEC 3.0), where attackers host phishing sites on AWS S3 Buckets to send seemingly genuine emails with phishing links.

*   Hackers manipulate users with social engineering and credential harvesting, often posing as password reset requests, leading victims to click on AWS S3 Bucket URLs that redirect to fake login pages.

*   Phishing attempts rely on exploiting human behaviour and urgency associated with password resets, making it crucial for users to scrutinize email URLs and remain cautious.

*   To counter this threat, cybersecurity experts recommend implementing multi-indicator phishing detection systems, and comprehensive security measures including document scanning, and URL protection mechanisms.

Cybercriminals are now leveraging legitimate services to launch highly convincing phishing attacks that evade traditional security measures. A recent report from cybersecurity firm Check Point’s subsidiary Avanan has revealed that hackers are now utilizing Amazon Web Services (AWS) as a platform for sending out phishing links, adding a new layer of sophistication to their deceptive campaigns.

Phishing attacks have long been a menace in the digital landscape, but the latest trend involves hackers exploiting reputable services to slip through the cracks of cybersecurity defences. This tactic has been previously witnessed with services such as Google, QuickBooks, and PayPal, where attackers create accounts and send out seemingly genuine emails directly from these platforms, making them difficult to identify and block.

The Check Point Harmony Email researchers shed light on how hackers are now using AWS to facilitate their phishing endeavours. In this novel attack variant, cybercriminals are hosting phishing sites on AWS S3 Buckets, which are legitimate storage containers within AWS. This approach allows the attackers to send emails containing phishing links that appear convincingly genuine, as they originate from AWS S3 Buckets.

The attack method, known as Business Email Compromise 3.0 (BEC 3.0), relies heavily on social engineering and credential harvesting techniques to manipulate users into divulging their sensitive information.

The phishing email typically mimics a password reset request, a familiar scenario that prompts users to take action. While some users might be cautious and recognize the email as suspicious due to sender address discrepancies, the attackers cunningly employ AWS S3 Bucket URLs to redirect victims to seemingly legitimate login pages.

Upon clicking the link, victims are led to a webpage that bears the hallmarks of a Microsoft login page, complete with pre-populated email addresses and password fields. While this technique requires a slightly more advanced skill set from the attackers, it remains accessible enough for the average cybercriminal to execute.

The phishing email and phishing login page aim at the login credentials of Microsoft users. (Screenshot: Avanan)

The ultimate goal is to obtain victims’ login credentials, granting the attackers unauthorized access to sensitive accounts and potentially confidential information. According to a blog post published by Jeremy Fuchs of Avanan, users can protect themselves against these increasingly sophisticated attacks by paying close attention to the URLs presented in the emails.

However, the attackers’ well-crafted scenarios and the common urgency associated with password resets can often lead users to disregard this caution. This reliance on human behaviour is precisely what the hackers are banking on, as it offers them a higher chance of success.

In response to this emerging threat, Check Point researchers promptly alerted Amazon about the campaign on July 25th. To mitigate the risks associated with such attacks, cybersecurity professionals are advised to adopt multi-indicator phishing detection systems, implement comprehensive security measures that extend to document scanning and incorporate URL protection mechanisms.

**RELATED ARTICLES**

1.  Google Drive accounted for 50% of malicious Office Docs downloads
2.  LinkedIn Phishing Scam Steals Gmail Credentials Through Google Docs
3.  Google Docs Phishing Scam Cost Minnesota State Thousands of Dollars
4.  Royal Ransomware: New Threat Uses Google Ads and Cracked Software
5.  Research sector targeted in new spear phishing attack using Google Drive

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.