By Deeba Ahmed
Cyberwar against critical Iranian infrastructure continues.
This is a post from HackRead.com Read the original post: Disruptions at 70% of Iran’s Gas Stations Blamed on Cyberattack

The responsibility for the attack has been claimed by Gonjeshke Darande,” (which means Predatory Sparrow in Persian), a hacker group with pro-Israeli sentiments.

A hacking group linked to Israel has claimed responsibility for a cyberattack that reportedly disrupted most gas stations in Iran, leading to long lines and angry crowds. The group, known as “**Gonjeshke Darande**,” (which means Predatory Sparrow in Persian) cited that the attack was in response to the Islamic Republic’s aggression.

In a series of **Tweets** on X (formerly Twitter) in both English and Persian languages, the group explained the reason behind the attack:

“We, Gonjeshke Darande, carried out another cyberattack today, taking out a majority of the gas pumps throughout Iran. This cyberattack comes in response to the aggression of the Islamic Republic and its proxies in the region.”

Addressing Iran’s leader Ayatollah Ali Khamenei, the group said he is playing with fire and will pay the price.

“Khamenei, playing with fire has a price.”

In a statement given to Iran’s state TV, the country’s Oil Minister Javed Owji, said that the attack was caused by external interference and led to service disruption on 70% of Iran’s gas stations. At least 30% of Iran’s gas stations are operational, with the rest gradually resolving service disruptions.

Some petrol stations, particularly in the capital, have experienced software issues with their fuel systems, and experts are working to fix the issue. The possibility of a cyberattack is also being considered.

Gonjeshke Darande revealed that the attack was conducted in a controlled manner, limiting potential damage to emergency services and ensuring a portion of gas stations were left unharmed. The group also emphasized the precautions taken to avoid harm to civilians, claiming that these companies are subject to international sanctions and continue their operations despite restrictions.

Screenshot from the Telegram channel of the Gonjeshke Darande group (Credit: Hackread.com)

“We delivered warnings to emergency services across the country before the operation began, and ensured a portion of the gas stations across the country were left unharmed for the same reason, despite our access and capability to completely disrupt their operation,” the attackers noted.

This isn’t the first time Gonjeshke Darande has targeted Iranian infrastructure. It claimed responsibility for a cyberattack on Iran’s major steel companies **in June 2022**. The attack started a fire in a steel factory, releasing top secret documents proving the companies’ affiliation with Iran’s Revolutionary Guard Corps. The plant’s CEO confirmed no harm

The country’s civil defence agency is currently investigating the Monday attack on Iran’s gas stations, and Israeli media has covered the alleged attack. It is worth noting that there has been no statement from the Israeli government about the cyberattack.

****_RELATED ARTICLES_****

1.  **Iranian Gas Stations Crippled After Suffering Cyberattack**
2.  **Watch as hackers disrupt Iran’s prison computers; leak live footage**
3.  **Anonymous Hits Iranian State Sites, Hacks Over 300 CCTV Cameras**
4.  **Iran State-Run TV’s Live Transmission Hacked by Edalate Ali Hackers**
5.  **Iranian State TV Hacked During President’s Speech on Revolution Day**
6.  **Iran’s Fars News Agency website hacked as part of anti-govt protests**
7.  **Black Reward Hackers Steal Emails from Iran’s Atomic Energy Agency**

Disruptions at 70% of Iran’s Gas Stations Blamed on Cyberattack

By Waqas
MongoDB updated its status alert page with new details about the incident on December 17, 2023, at 9:00 PM EST.
This is a post from HackRead.com Read the original post: MongoDB Breach Update: Names, Emails Exposed, Atlas Secured

Stay informed about MongoDB’s response to unauthorized access in certain corporate systems, involving exposure of customer data like names, phone numbers, and email addresses.

In a recent update regarding the security incident at **MongoDB**, the company has released information that as of 9:00 PM EST on December 17, 2023, there is no evidence of unauthorized access to MongoDB Atlas clusters.

MongoDB’s Chief Information Security Officer (CISO), Lena Smart, assured users that no security vulnerabilities have been identified in any MongoDB product as a result of the incident.

The security breach, initially detected on December 13, 2023, and **exclusively reported by Hackread.com**, involved unauthorized access to certain MongoDB corporate systems, leading to the exposure of customer account metadata and contact information. However, MongoDB now confirms that their investigation has found no indication that the authentication system for MongoDB Atlas clusters has been compromised.

The MongoDB Atlas cluster access is authenticated through a separate system from MongoDB corporate systems. This segregation of systems ensures an additional layer of security for customer data stored in MongoDB Atlas, and the company emphasizes that no evidence of compromise has been identified in this crucial authentication process.

“To be clear, we have not identified any security vulnerability in any MongoDB product as a result of this incident,” the company restated.

The accessed corporate systems contained customer names, phone numbers, email addresses, and other customer account metadata. MongoDB has taken steps to notify the affected customers promptly. Notably, the company has identified system logs access for one customer, but no evidence suggests that the system logs of any other customers were compromised.

The investigation into the security incident is ongoing, and MongoDB is actively collaborating with relevant authorities and forensic firms to gather further insights. The company has committed to keeping its users informed by updating the **alert page** with additional information as the investigation progresses.

MongoDB encourages users to remain vigilant for potential social engineering and phishing attacks, especially given the accessed customer account metadata and contact information. As a precautionary measure, MongoDB advises all customers, if not already implemented, to activate phishing-resistant multi-factor authentication (**MFA**) and regularly rotate passwords.

MongoDB users are urged to be watchful for **phishing emails** that may falsely claim to originate from the company, claiming to provide new updates. However, the actual motive could be to exploit the situation and attempt to steal user data.

****_RELATED ARTICLES_****

1.  **47% of online MongoDB databases hacked demanding ransom**
2.  **11 million personal unprotected MongoDB records leaked online**
3.  **Ride-hailing app leaks data of millions of Iranians from MongoDB**
4.  **Unprotected MongoDB leaks resume of 202M Chinese job seekers**
5.  **Hackers leave ransom note after wiping out MongoDB in 13 seconds**

MongoDB Breach Update: Names, Emails Exposed, Atlas Secured

By Waqas
The latest cybersecurity incident to impact a large-scale and highly popular company is the MongoDB Data Breach.
This is a post from HackRead.com Read the original post: Hackers Access Customer Info, Corporate Systems in MongoDB Data Breach

In an email, Lena Smart, MongoDB’s Chief Information Security Officer (CISO), confirmed the latest MongoDB Data Breach, revealing that while investigations are underway, it has been verified that hackers accessed customer metadata and contact information.

**MongoDB**, a leading database management company, has fallen victim to a security incident resulting in unauthorized access to certain corporate systems. The breach, detected on the evening of December 13th, 2023, US Eastern Standard Time, has prompted an immediate and comprehensive investigation by the company.

The breach includes the exposure of customer account metadata and contact information, heightening concerns about the potential misuse of sensitive data. MongoDB activated its incident response process upon the discovery of suspicious activities, but it is believed that the unauthorized access may have been ongoing for some time before being detected.

****Lena Smart****, MongoDB’s Chief Information Security Officer (CISO), sent an email communication to MongoDB customers, outlining the details of the breach and urging caution in the wake of potential social engineering and phishing threats. The company assures customers that, as of now, there is no indication of exposure to the data stored in MongoDB Atlas, a cloud-based database service.

Despite the incident, MongoDB is actively managing the situation, with ongoing updates promised on their alert page (**mongodb.com/alerts**) as the investigation progresses. Relevant authorities have also been notified, underlining the seriousness of the security breach.

In a subsequent update at 5:25 PM EST on December 16, 2023, MongoDB reported a spike in login attempts, causing issues for customers attempting to access the MongoDB Atlas and Support Portal. However, MongoDB clarified that this was unrelated to the security incident and advised affected users to try again in a few minutes.

Lena Smart, in her email to customers, emphasized proactive steps to mitigate potential risks. MongoDB recommends customers be vigilant for **social engineering and phishing attacks** and take immediate action, such as activating phishing-resistant multi-factor authentication (MFA) and regularly rotating MongoDB Atlas passwords.

Hi,

MongoDB is investigating a security incident involving
unauthorized access to certain MongoDB corporate
systems. This includes exposure of customer account
metadata and contact information. At this time, we
are NOT aware of any exposure to the data that
customers store in MongoDB Atlas.

We detected suspicious activity on Wednesday (Dec.
13th, 2023) evening US Eastern Standard Time and
immediately activated our incident response process.
We are still conducting an active investigation and
believe that this unauthorized access has been going
on for some period of time before discovery. We have
also started notifying relevant authorities.

What should you do next?

Since we are aware that some customer
account metadata and contact information was
accessed, please be vigilant for social
engineering and phishing attacks.

If not already implemented, we encourage all
customers to activate phishing-resistant multi-
factor authentication (MFA) and regularly rotate
passwords.

MongoDB will continue to update mongodb.com/alerts
with additional information as we continue to
investigate the matter.

Sincerely,
Lena Smart
MongoDB CISO

Email sent by the company’s CISO reveals the latest MongoDB data breach (Screenshot credit: Hackread.com)

As the investigation unfolds, MongoDB customers are anxiously awaiting further updates on the situation. The incident serves as a stark reminder of the constant and evolving threats faced by companies in the digital age, underscoring the importance of robust cybersecurity measures and the need for continuous vigilance in safeguarding sensitive customer information.

****_RELATED ARTICLES_****

1.  **47% of online MongoDB databases hacked demanding ransom**
2.  **11 million personal unprotected MongoDB records leaked online**
3.  **Ride-hailing app leaks data of millions of Iranians from MongoDB**
4.  **Unprotected MongoDB leaks resume of 202M Chinese job seekers**
5.  **Hackers leave ransom note after wiping out MongoDB in 13 seconds**

Hackers Access Customer Info, Corporate Systems in MongoDB Data Breach

By Waqas
Ethical hacking deserves celebration, not criticism or legal threats.
This is a post from HackRead.com Read the original post: Hackers Fix Polish Train Glitch, Face Legal Pushback by the Manufacturer

Whitehat hackers are vital for companies, large to small, but what if some businesses fail to grasp the significance of ethical hacking?

In a recent cybersecurity incident, three Polish hackers achieved success in repairing the malfunctioning software of a train, initially serviced by independent repair shops for a regional rail operator.

However, the narrative took a twist when accusations arose against the manufacturer, Newag, alleging that they remotely rendered inoperable trains serviced by the Polish train repair company, SPS. That’s not all, reportedly, **Newag** is threatening the hackers with a lawsuit.

The practice of remotely disabling or “bricking” products serviced by third-party entities is not unfamiliar, as major tech companies, **such as Apple**, adopt similar measures to safeguard revenue streams.

While we don’t want to get overly religious or emotional, it’s an undeniable fact that Whitehat hackers, also known as ethical hackers or cybersecurity researchers, are nothing short of a blessing. **Numerous cases exist** where ethical hackers have saved companies from devastating hacks.

Further, take, for instance, **this whitehat hacker** who went the extra mile to unlock a car for a family that lost their keys. And let’s not forget the notorious WannaCry ransomware attack, which was successfully **thwarted by a whitehat hacker,** while cybersecurity and technology giants remained clueless. However, Newag’s response to the event highlights a notable lack of understanding of cybersecurity on their part.

The issues surrounding Newag’s Impuls series of trains, which are operated by independent entities, have been ongoing since the summer, adversely affecting customer service. These trains exhibited mysterious failures, refusing to restart after routine maintenance. To unravel the mystery behind these disruptions, SPS enlisted the expertise of Dragon Sector, a group of **ethical hackers**.

Insights from **Dragon Sector** reveal a concerning aspect of Newag trains’ software programming in Poland. According to the ethical hacking group, Newag’s trains were equipped with a unique feature that triggered a software lockdown if they remained stationary for more than 10 days.

Regardless, the complexities of Newag’s software go beyond mere inactivity, extending to a sophisticated mechanism that activates when a train parks at specific GPS locations.

Remarkably, these preset GPS locations align strategically with independent repair shops spread across Poland. This means that the software lockdown could be initiated not only based on the duration of inactivity but also when a train is parked at designated locations, which happen to coincide with indie repair shops.

A noteworthy revelation is that at least one of these predetermined GPS locations included a repair shop still in the construction phase at the time when the programming details came to light. This raises questions about the intention and scope of Newag’s software lockdown strategy, as it appears to extend beyond the straightforward goal of preventing prolonged inactivity.

One of Dragon Sector’s hackers, **Michał Kowalczyk,** stated that this issue seems deliberate from Newag. “Today we are sure that it was a deliberate action on Newag’s part. We discovered the manufacturer’s interference in the software, which led to forced failures and to the fact that the trains did not start,” Michał claimed.

Zaufana Trzecia Strona, a Polish language IT security news website also **reports** that repair countermeasures would activate if parts were replaced without a hidden unlock sequence in the train’s computer. Additionally, codes would shut the train down after one million kilometres, and hardware could allow remote interaction with Newag trains.

Newag, Poland’s oldest railway company, denies accusations and blames SPS for initiating a conspiracy theory. The company now **demands** the repaired trains be removed from service immediately, claiming they had been “hacked” and might be unsafe. 

Newag claims the story is slander from competitors and threatens to sue Dragon Sector. The company believes it to be an attack on independent repair, which has become a controversial issue pitting consumers and companies like Apple, **John Deere**, and many across the car industry against each other. Right-to-repair is combated through proprietary software and encryption that the company can only read.

Lower Silesian Railways, a rail operator, has been in a **dispute** with Newag, which produces its Impuls 45WE hybrid multiple units. In June 2022, the railroad experienced multiple no-start failures with these trainsets, resulting in fewer trains running than scheduled and impacting passenger service.

Nevertheless, this should come as no surprise, as companies and businesses frequently don’t appreciate the efforts of whitehat hackers who are doing good. Cybersecurity researchers like **Rob Dyke** and **Wesley Wineberg** are prime examples of what can occur when companies fail to grasp the importance of responsible disclosures.

****_RELATED ARTICLES_****

1.  **Whitehat hacker bypasses SQL injection filter for Cloudflare**
2.  **“Good hackers” took over billboard to send security warning**
3.  **White hat hackers infect Canon DSLR camera with ransomware**
4.  **Whitehat hackers accessed primary keys of Azure’s Cosmos DB Users**
5.  **Whitehat hacker shows how to detect hidden cameras in Airbnb, hotels**

Hackers Fix Polish Train Glitch, Face Legal Pushback by the Manufacturer

By Deeba Ahmed
The malware, dubbed NKAbuse, uses New Kind of Network (NKN) technology, a blockchain-powered peer-to-peer network protocol to spread its infection.
This is a post from HackRead.com Read the original post: New ‘NKAbuse’ Linux Malware Uses Blockchain Technology to Spread

Cybersecurity researchers from Kaspersky’s Global Emergency Response Team (GERT) have identified that the NKAbuse malware is actively targeting devices in Colombia, Mexico, and Vietnam.

Kaspersky’s Global Emergency Response Team (GERT) has discovered a new multiplatform malware threat that uses innovative tactics to hijack victims. The malware, dubbed NKAbuse, uses New Kind of Network (NKN) technology, a blockchain-powered peer-to-peer network protocol to spread its infection.

NKAbuse is a Go-based backdoor used as a botnet to target Linux desktops and potentially IoT devices. The malware allows attackers to launch Distributed Denial of Service (DDoS) attacks or fling remote access trojans (RATs).

It is worth noting that the backdoor relies on NKN for anonymous yet reliable data exchange. For your information, NKN is an open-source protocol that allows peer-to-peer data exchange over a public blockchain with over 60,000 active nodes. It aims to provide a decentralized alternative to client-to-server methods while preserving speed and privacy.

The botnet can carry out flooding attacks using the 60,000 official nodes and links back to its C2 (command & control) servers. It features an extensive arsenal of DDoS attacks and multiple features to turn into a powerful backdoor or RAT.

The malware implant creates a structure called “Heartbeat” that communicates with the bot master regularly. It stores information about the infected host, including the victim’s PID, IP address, free memory, and current configuration.

Kaspersky researchers uncovered NKAbuse while investigating an incident targeting one of its customers in the finance sector. Further examination revealed that NKAbuse exploits an old Apache Struts 2 vulnerability (tracked as CVE-2017-5638).

The vulnerability, as reported by Hackread.com in December 2017, allows attackers to execute commands on the server using a “shell” header and Bash and then execute a command to download the initial script.

NKAbuse leverages the NKN protocol to communicate with the bot master and send/receive information. It creates a new account and multiclient to simultaneously send/receive data from multiple clients.

The NKN account is initialized with a 64-character string representing the public key and remote address. Once the client is set up, the malware establishes a handler to accept incoming messages, which contains 42 cases, each performing different actions based on the sent code.

NKN data routing diagram (Image: Kaspersky’s GERT)

Researchers observed that attackers exploited the Struts 2 flaw using a publicly available proof of concept exploit. They executed a remote shell script, determining the victim’s operating system and installing a second-stage payload. Using NKAbuse’s amd64 version, the attack achieved persistence through cron jobs.

> _“This particular implant appears to have been meticulously crafted for integration into a botnet, yet it can adapt to functioning as a backdoor in a specific host and its use of blockchain technology ensures both reliability and anonymity, which indicates the potential for this botnet to expand steadily over time, seemingly devoid of an identifiable central controller.”_
> 
> Kaspersky’s Global Emergency Response Team (GERT)

NKAbuse has no self-propagation functionality and can target at least eight different architectures, although Linux is the priority. Successful implantation can lead to data compromise, theft, remote administration, persistence, and DDoS attacks.

For now, its operators are focusing on infecting devices in Colombia, Mexico, and Vietnam. However, researchers suspect its potential for expansion over time.

****_RELATED ARTICLES_****

1.  **Free Download Manager Site Pushed Linux Password Stealer**
2.  **New XorDdos-Linked Linux RAT Krasue Targeting Telecom Firms**
3.  **Hamas Hackers Targeting Israelis with New BiBi-Linux Wiper Malware**
4.  **Kinsing Crypto Malware Hits Linux Systems via Apache ActiveMQ Flaw**
5.  **Looney Tunables Linux Vulnerability Exposes Millions of Systems to Attack**

New ‘NKAbuse’ Linux Malware Uses Blockchain Technology to Spread

By Waqas
Since its emergence in May 2023, the MOVEit vulnerability has been exploited by the Russian-linked Cl0p ransomware gang,…
This is a post from HackRead.com Read the original post: Delta Dental Hit with 7 Million User Data Breach in MOVEit-Linked Attack

Since its emergence in May 2023, the MOVEit vulnerability has been exploited by the Russian-linked Cl0p ransomware gang, revealing their involvement in the breach.

According to a data breach notification, the Oak Brook, Illinois, United States-based dental insurance provider Delta Dental has fallen prey to a sophisticated cyberattack orchestrated through the exploitation of a **zero-day flaw in MOVEit Transfer**.

The notorious Russian-linked ransomware syndicate, known as **Cl0p**, is behind the breach, compromising the private information of nearly seven million customers. Hackread.com can confirm that the Cl0p ransomware gang has indeed released the entire dataset on its dark web domain, making it available for public download through a torrent.

Screenshot of the Torrent link (Credit: Hackread.com)

Delta Dental’s internal investigation concluded on July 6, has shed light on the severity of the incident. The cybercriminals successfully infiltrated and exfiltrated sensitive data belonging to Delta Dental of California and its affiliated entities on the MOVEit platform during the window between May 27 and May 30.

The severity of the situation prompted the company to promptly file a **breach notification** (PDF) with the Maine Attorney General, officially documenting the security incident on December 14, 2023.

The exposed information encompasses a trove of personal and highly sensitive details, presenting a significant risk to the affected individuals. Among the compromised data are names coupled with a combination of addresses, Social Security numbers, driver’s license numbers, or other state identification numbers, passport details, financial account information, tax identification numbers, individual health insurance policy numbers, and various health-related information.

This breach not only poses a threat to the privacy and security of Delta Dental’s customers but also raises concerns about the potential misuse of the stolen data. With the involvement of the Cl0p ransomware syndicate, known for its aggressive tactics, the aftermath of this breach could extend beyond typical data exposure scenarios.

Delta Dental is now faced with the daunting task of mitigating the fallout from this significant security incident. As the affected customers grapple with the potential ramifications of identity theft and financial fraud, cybersecurity experts emphasize the urgency of implementing robust measures to safeguard sensitive information.

In a comment to Hackread.com, **Claude Mandy**, Chief Evangelist of Data Security at Symmetry Systems, expressed empathy for the victims and cautioned them about potential phishing attacks that they may encounter.

“My thoughts are with the impacted patients from the incident, who are slowly finding out what information has been exposed. While the majority of the information is fungible and easily replaced with little impact, it still requires continual vigilance from the impacted parties to avoid further impact, whether monitoring financial accounts, and credit scores or being extra vigilant for phishing,” said Claude.

The recent data breach is concerning for Delta Dental and its customers. It underscores the importance for companies to promptly apply patches and secure their infrastructure. This breach highlights the exploitation of vulnerabilities in Ipswitch INC’s managed file transfer software, MOVEit Transfer, by groups like Cl0p.

So far, numerous organizations, spanning government agencies, airlines, educational and financial institutions, as well as healthcare providers, have fallen victim to the MOVEit-linked data breach. The compromised data includes sensitive information such as credit card numbers, Personally Identifiable Information (PII), and Social Security Numbers (SSNs).

****_RELATED ARTICLES_****

1.  **900 U.S. Schools Hit by MOVEit Hack, Exposing Student Data**
2.  **Massive MOVEit Hack: 630K+ US Defense Officials’ Emails Breached**
3.  **UK’s Ofcom confirms cyber attack as PoC exploit for MOVEit is released**
4.  **Sony Data Breach via MOVEit Vulnerability Affects Thousands in the US**
5.  **Okta Breach Linked to Employee’s Google Account, Affects 134 Customers**

Delta Dental Hit with 7 Million User Data Breach in MOVEit-Linked Attack

By Deeba Ahmed
Cybersecurity firm Zerocopter has launched the first-ever Cybersecurity Marketplace led by white-hat hackers. With cybercrime projected to cost…
This is a post from HackRead.com Read the original post: Zerocopter Debuts First Hacker-Led Cybersecurity Marketplace

Cybersecurity firm Zerocopter has launched the first-ever Cybersecurity Marketplace led by white-hat hackers.

With cybercrime projected to cost $8 trillion in 2023 and businesses, **particularly smaller ones**, often lacking the resources and expertise to keep up, the digital sector is fast becoming the most vulnerable one. This calls for redefining cybersecurity solutions, and a cybersecurity firm, Zerocopter, has come up with an innovative and perhaps game-changing solution to this problem.

Zerocopter has launched a hacker-led marketplace for security solutions. The platform is designed to be accessible, flexible, and supported by a hundreds-strong hacker network. The platform offers a tailored security suite powered by ethical hackers, providing precision and agility impossible with traditional tools. 

For your information, Zerocopter is a global cybersecurity firm with a network of world-class hackers ready to provide continuous online security to organizations. Founded in 2015, the company offers affordable, scaleable **cybersecurity solutions** across various sectors, including finance, aviation, international education, and law.

The marketplace is created to offer a tailored solution for businesses, ensuring they can protect their assets and operations. **Erik Ploegmakers**, CEO of **Zerocopter**, stated in the company’s press release that it will devise solutions to curb the growing threat landscape. 

“To fully appreciate the extent of the digital attack surface and level of potential threats, companies need to go beyond the tick-box cybersecurity approach,” Ploegmakers said in a press release shared with Hackread.com.

So, what makes this marketplace different? According to Ploegmakers, Zerocopter’s “custom-made marketplace” will be operated by hackers, and their primary task will be to find flaws and security breaches, mainly focusing on flaws that generic tools cannot detect.

“Whatever the customer requirements are, we carefully match them with one of our world-class, vetted hackers with the appropriate skill set for that particular case,” he added.

The marketplace offers scaled safety by leveraging the collective intelligence of the world’s best hackers to provide top-of-the-line threat protection at a fraction of the cost of other solutions.

The CEO also highlighted that every hacker undergoes a rigorous vetting process to ensure they comply with a strict code of conduct and are the best at their job. Zerocopter also assesses and validates vulnerability reports, allowing organizations to focus on fixing security issues quickly.

Furthermore, it provides **bug bounty**, incentivizing hackers based on the threat level allowing continuous surveillance. Its Dedicated Hacker Time, a micro-consulting solution with a global hacker force, will match companies with hackers with the skillsets and knowledge needed for specific tasks. 

Moreover, Zerocopter ensures compliance with evolving regulations like the EU’s NIS2 Directive through its expertise in CVD (Coordinated Vulnerability Disclosure). This allows companies to manage the flood of reports associated with CVD easily and affordably.

The launch of the marketplace led by ethical hackers is good news for a sector where threats keep evolving and looming. The company has delivered a powerful message that cybersecurity doesn’t have to be expensive, complex, or inaccessible.

****_RELATED ARTICLES_****

1.  **Understanding the E-Commerce Marketplaces in Europe**
2.  **The Rise of Blockchain Gaming and Secure Marketplaces**
3.  **New Dark Web Market Styx: Focuses on Money Laundering**
4.  **Dark Web Domain of Genesis Market and Infrastructure Sold**
5.  **Russian Dark Net Markets Dominate the Global Illicit Drug Trade**

Zerocopter Debuts First Hacker-Led Cybersecurity Marketplace

By Waqas
Polish authorities and FortiGuard Labs have issued a warning to customers about a new wave of cyberattacks associated with TeamCity.
This is a post from HackRead.com Read the original post: Russian APT29 Hacked US Biomedical Giant in TeamCity-Linked Breach

According to cybersecurity researchers at FortiGuard Labs, the Russian intelligence-linked APT29 group exploited a critical TeamCity vulnerability, which had initially been patched in September 2023.

Polish Military Counterintelligence Service (SKW) has released an advisory revealing that Russian Foreign Intelligence Service (SVR) affiliated threat actors are utilizing JetBrains CVE in global targeting. 

Here, it is worth noting that TeamCity and JetBrains are closely linked, with TeamCity being a continuous integration (CI) server developed and maintained by JetBrains.

As **reported by Hackread**.com, the vulnerability, which scored 9.8 by CVSS, was patched in September 2023. However, authorities particularly identified the notorious advanced persistent threat group called APT29, aka the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, to be exploiting CVE-2023-42793.

The threat actor used Scheduled Tasks to execute GraphicalProton payloads, using rundll32 proxy execution as a defence evasion method. They also used legitimate third-party binaries vulnerable to search order hijacking.

“If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes—access a malicious actor could further use to conduct supply chain operations” the **advisory** read.

SKW’s findings are supported by the FortiGuard Labs team of researchers. In their latest **blog post**, FortiGuard reports that APT29 has targeted a US-based biomedical manufacturing organization (_the name of which has not been shared with the media or public_) and revealed the threat actor’s TTPs. The report discusses the intrusion of this vulnerability found in TeamCity, a Windows server, by **APT29**.

Researchers noted that on 6 September 2023, Sonar’s cybersecurity experts discovered a critical TeamCity On-Premises vulnerability (tracked as **CVE-2023-42793**). This vulnerability was assigned a CVSS score of 9.8 due to its ability to be deployed without authentication. CISA added it to its ‘Known Exploited Vulnerabilities Catalog’ on October 4, 2023.

The FortiGuard Incident Response team reports that in October 2023, a US-based biomedical manufacturing organization was compromised due to this vulnerability exploited by APT29. The attack was initially exploited using a custom-built Python script, matching the GraphicalProton malware used by APT29. 

Analysis of application and system logs revealed evidence of successful exploitation, but some threat actors were unsuccessful at running **Linux system** commands on the victim Windows Server. APT29 likely employed Nuclei to identify potential victims and began executing additional discovery commands to gather system and privilege information.

The US-based tertiary education organization was targeted by APT29 with a C2 IP address discovered by the FortiGuard IR team. They discovered the organization’s infrastructure was compromised and identified an exploitation of their vulnerable TeamCity server. 

The threat actor used the TeamCity exploit to install an SSH certificate, which they used to maintain access to another victim’s environment. The actor downloaded a DLL file, ‘AclNumsInvertHost.dll,’ on the TeamCity host and used the TeamCity RCE vulnerability to create a Windows-scheduled task referencing the DLL file for persistence.

The screenshot shows the attack timeline of TeamCity intrusion (Credit: Fortinet Labs)

Despite a patch, the attacker persisted on the compromised host, leveraging their GraphicalProton implant. FortiGuard believes this attack was part of a **new APT29 campaign**. Significant OPSEC considerations included compromised infrastructure, search order hijacking with legitimate DLLs added, quality of masquerading, and single-use infrastructure components.

Researchers recommend containment and eradication actions, including blocking IP addresses, removing TeamCity software accounts, removing Windows accounts, removing backdoors, and removing malicious files dropped by threat actors to stay protected against threats like GraphicalProton.

****_RELATED ARTICLES_****

1.  **Russian Midnight Blizzard Hackers Hit MS Teams in Precision Attack**
2.  **Russian Hackers Employ Telekopye Toolkit in Broad Phishing Attacks**
3.  **Microsoft warns of rising NOBELIUM credential attacks on defence sector**
4.  **Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group**
5.  **Russia Hackers Abusing BRc4 Red Team Penetration Tool in Recent Attacks**

Russian APT29 Hacked US Biomedical Giant in TeamCity-Linked Breach

By Waqas
Yet another day, yet another threat actor posing a danger to the cybersecurity of companies globally.
This is a post from HackRead.com Read the original post: New Hacker Group GambleForce Hacks Targets with Open Source Tools

Cybersecurity researchers at Singapore-based Group-IB have unmasked EagleStrike, a subgroup of the GambleForce hacker group. They are opportunistic hackers exploiting simple vulnerabilities.

In September 2023, Group-IB’s Threat Intelligence unit discovered a command and control server hosting publicly available open-source **pentesting tools**, none being custom-made, designed for SQL injections.

The attacker was identified as “GambleForce,” who had targeted 24 organizations in government, gambling, retail, travel, and job-seeking sectors across 8 countries between September and December 2023, successfully compromising 6 websites in Australia, Indonesia, the Philippines, and South Korea. The group has also targeted websites in China, India, and Thailand.

The group uses basic yet effective techniques like SQL injections. It exploits vulnerable website content management systems (CMS) to extract user databases containing logins, hashed passwords, and tables from accessible databases.

GambleForce is not selective in its targets but collects hashed and plain text credentials. This suggests a broader motive beyond targeted attacks, possibly amassing data for future exploits or selling on the **dark web**.

The threat actors aim to exfiltrate any available information within targeted databases, such as hashed and plain text user credentials. The group’s actions with the stolen data remain unknown.

In an attack targeting Brazil, GambleForce exploited **CVE-2023-23752**, a vulnerability in the Joomla CMS, and snatched data directly from contact form submissions, showcasing their adaptability and willingness to improvise.

Further probing revealed that GambleForce uses open-source tools like dirsearch, redis-rogue-getshell, and **Tinyproxy** for directory brute-forcing, web traffic intercepting, and SQL injections to exploit vulnerabilities in database servers. Their preferred tool is sqlmap, a pentesting tool that exploits SQL injection vulnerabilities. 

Researchers also found **Cobalt Strike**, a popular pen-testing framework, on their server, showcasing commands in Chinese. It is worth noting that recently Chinese scammers have wreaked havoc by creating cloned versions of legitimate websites and redirecting visitors to gambling sites. 

In November 2023, **Hackread.com reported** about the activities of Chinese hackers in which MindaNews, a Philippine newspaper, discovered a Chinese clone of its website (mmart-inn.com) that has been illegally replicating the newspaper’s content for two years, with the most recent translation being from February 2023.

In its **blog post**, Group-IB’s Threat Intelligence wrote that its researchers shared the recent findings with its 24/7 Computer Emergency Response Team (CERT-GIB), which took down the cybercriminals’ C2 server. GambleForce is likely to regroup/rebuild its infrastructure before launching new attacks.

Nevertheless, the case goes on to show that even the most basic security gaps can have significant consequences, underscoring the need for a layered defence strategy that prioritizes patching known vulnerabilities and implementing vital security controls.

****_RELATED ARTICLES_****

1.  **Domain Squatting and Brand Hijacking: A Silent Threat**
2.  **Chinese APT Posing as Cloud Services to Spy on Cambodia**
3.  **Chinese APT spying on Vietnam military with FoundCore RAT**
4.  **Hackers attack Casino’s fish tank thermometer to obtain data**
5.  **ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store**

New Hacker Group GambleForce Hacks Targets with Open Source Tools

By Deeba Ahmed
The internet's underbelly is thriving on stolen identities and fake accounts, fueling mass phishing campaigns, identity theft rings, and DDoS attacks.
This is a post from HackRead.com Read the original post: Microsoft Busts Black Market for 100s of Millions of Fraudulent Accounts

Microsoft Threat Intelligence, partnered with cybersecurity firm Arkose’s ACTIR, conducted a large-scale operation against online fraudulent login markets, successfully taking down Hotmailbox.me.

Microsoft has successfully dismantled a black market for fraudulent login credentials. This action followed an investigation aimed at disrupting the fake Microsoft account network known as Storm-1152, extensively utilized by cybercriminals.

The seizure notice (Screengrab: Microsoft)

Researchers believe that cracking down on fraudulent accounts is crucial because cybercrime relies on fraudulent accounts as these act as digital keys for mass phishing, spam campaigns, and ransomware attacks.

The use of fraudulent and stolen login credentials by cybercriminals for large-scale data breaches is an undeniable reality. The recent attack on OAuth app users, **as revealed by Microsoft just yesterday**, serves as a small example amidst more significant incidents.

For your information, Storm-1152 is the world’s leading seller and creator of fraudulent Microsoft accounts. The platform has been exposed through a collaborative effort between Microsoft Threat Intelligence and cybersecurity firm Arkose’s Cyber Threat Intelligence Research unit (ACTIR). 

According to Microsoft’s **report**, Storm-1152 operates a network of illicit websites and social media pages, selling fake Microsoft accounts and identity verification bypass tools. So far, the operators have generated around 750 million fraudulent accounts, leaving a trail of destruction.

Storm-1152, a notorious group in the cybercrime-as-a-service (**CaaS**) industry, specializes in producing and selling millions of fraudulent Microsoft accounts. The group is impactful because it lowers the barrier to entry, enabling a wider range of actors to engage in cybercrime. This efficiency boosts the scope and frequency of cyberattacks, impacting countless individuals and businesses.

Microsoft aims to dismantle Storm-1152’s infrastructure and disrupt the entire ecosystem that enables their activities, aiming to create a safer online environment for everyone. Microsoft has obtained a court order from the Southern District of New York to **seize** U.S.-based infrastructure and offline websites used by Storm-1152 to harm Microsoft customers.

The case focuses on fraudulent Microsoft accounts and services sold to bypass security measures on other technology platforms. Microsoft’s Digital Crimes Unit disrupted Hotmailbox.me, 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, which facilitate **CAPTCHA** solve service sales and identity verification bypass tools for other platforms.

The malicious marketplace Hotmailbox.me (Screengrab: Microsoft)

Researchers have also uncovered links between Storm-1152’s network and various cybercrime groups, including Octo Tempest, Storm-0252, and Storm-0455.

Nevertheless, this was a multi-phased operation launched to expose the people operating the malicious servers. Researchers used various investigative techniques, including network traffic analysis, telemetry data, and reverse engineering, to identify the source of the storm.

They identified three individuals, Duong Dinh Tu, Linh Van Nguyễn, and Tai Van Nguyen, as the masterminds behind the Storm-1152 machine. They hosted illegitimate platforms, authored the code, published tutorials, and offered live chat support.

Screengrab: Microsoft

Exposing the individuals behind Storm-1152 was crucial in dismantling this criminal network and holding accountable those who actively enabled online crime. Additionally, this coordinated takedown sends a clear message to Storm-1152 and others following their path: they are being watched and soon will be caught.

****_RELATED ARTICLES_****

1.  **Storm-1283 Sent 927K Phishing Emails with Malicious OAuth Apps**
2.  **Chinese Group Storm-0558 Hacked European Govt Emails, Microsoft**
3.  **Storm-0324 Exploits MS Teams Chats to Facilitate Ransomware Attacks**
4.  **Microsoft and Fortra to Take Down Malicious Cobalt Strike Infrastructure**
5.  **EvilProxy Phishing Kit Targets Microsoft Users via Indeed.com Vulnerability**
6.  **Scammers Use Fake Ledger App on Microsoft Store to Steal $800K in Crypto**