By Waqas
The ad fraud was discovered while the researchers were investigating an iOS application that had been heavily impacted by an app spoofing attack.
This is a post from HackRead.com Read the original post: Massive Ad Fraud Scheme Shut Down: 11 Million Phones Targeted

Dubbed VASTFLUX, the ad fraud had 1,700 apps spoofed, targeting 120 publishers on 11 million devices with 12 billion ad requests per day.

The cybersecurity researchers at HUMAN Security Inc. have announced the takedown of a sophisticated, organized, and large-scale ad fraud operation dubbed VASTFLUX.

HUMAN Security is among the world’s leading firms offering advanced defences against digital attacks. Previously, the company reported large-scale scams involving iOS and Android devices, such as **Scylla**, **PARETO**, **Methbot,** and **3ve**.

VASTFLUX is a combination of two terms that reflect its functionality. VAST represents the Digital Video Ad Serving Template exploited in this operation. The name Flux is inspired by the Fast Flux concept, which is an evasion tactic used by cybercriminals.

Team Satori from HUMAN discovered the operation when investigating an iOS application, which was heavily impacted by an **app spoofing attack**.

The researchers found it a highly sophisticated scheme in which cybercriminals exploited the limited signal available to the verification partners in their targeted environment, including in-app advertising mainly on iOS.

The ad fraud later evolved into spoofing bids on a particular platform to make them appear on another platform. This made cross-platform attacks impossible to deter. HUMAN worked with its partners in the HUMAN Collective to obtain further information into the fraud’s traffic volumes and verification tags used on their ads.

The team deployed three mitigation methods within two weeks to protect users from VASTFLUX before taking it down.

**Targeted Entities**

According to a **blog post** shared by HUMAN with Hackread.com, the fraudulent operation accounted for over 12 billion fake ad requests per day and affected around 11 million devices by running ads within apps. For this purpose, the perpetrators spoofed 1,700 apps targeting around 10 publishers.

This is HUMAN’s Satori Threat Intelligence and Research Team’s highest per day volume of an operation uncovered by this team. It even eclipsed Human’s previously discovered peak volumes in high-profile disruptions. This includes PARETO, Methbot, and 3ve.

**How Did the Attack Work?**

The attackers injected malicious **JavaScript code into digital ads**, which let fraudsters stack dozens of video ads upon each other and register views for ads that the user couldn’t see. HUMAN shut down this operation via a private takedown effort and protected the programming advertising ecosystem. However, the company is still monitoring its operations.

Malicious JS code (Credit: Satori Threat Intelligence and Research Team)

The company’s CISO, Gavin Reid, stated that VASTFLUX was a “technically impressive and incredibly concerning” operation because the fraudsters hijacked impressions of authentic apps, making it difficult for users to feel suspicious.

“Orchestrating a private takedown of this magnitude and severity is no small feat, and I want to take a moment to thank all involved, including the HUMAN Satori Threat Intelligence and Research Team, the team at clean.io and the industry leaders who make up The HUMAN Collective who are dedicated to making the programmatic ecosystem safe and HUMAN,” Reid said.

1.  Shazam flaw exposed location of Android, iOS users
2.  SolarWinds hackers exploited 0-day to hack iPhones
3.  European Spyware Vendor selling iOS Device Exploits
4.  Malicious SDK spying, defrauding users with iOS apps
5.  Facebook removes accounts for spreading iOS malware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Massive Ad Fraud Scheme Shut Down: 11 Million Phones Targeted

By Habiba Rashid
Anatoly Legkodymov, a Russian national and the owner of Bitzlato Ltd., was arrested in Miami Tuesday night.
This is a post from HackRead.com Read the original post: Founder of Bitzlato Exchange Arrested for ransomware, $700 mln Fraud

According to the DoJ, Bitzlato failed to meet U.S. regulatory safeguards, including anti-money laundering requirements, and enabled criminals to profit from their wrongdoing, including ransomware and drug trafficking.

Anatoly Legkodymov, the owner of Bitzlato Ltd., was arrested in Miami on Tuesday night for his alleged operation of helping to process over $700 million in illicit funds, according to the indictment unsealed on Wednesday. 

The Department of Justice stated that Bitzlato failed to meet U.S. regulatory safeguards, including anti-money laundering requirements, and enabled criminals to profit from their wrongdoing, including ransomware and drug trafficking,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division.

The 40-years-old Russian National, a resident of Shenzhen, People’s Republic of China, oversaw the exchange in Hong Kong, Bitzlato. He was expected to be arraigned Wednesday afternoon in the U.S. District Court for the Southern District of Florida. 

Bitzlato’s business flourished in its absence of required identification from users. Customers did not have to submit any proof of identity such as selfies or passports and in the few cases where it did direct users to submit identifying information, they were able to get away by providing information belonging to “straw man” registrants. 

The company often conducted business with its counterpart, the $5.2 billion Hydra Market, world’s largest and longest running dark web marketplace. **Hydra was seized and shut down in April 2022** for sale of drugs, stolen financial information, fraudulent identification documents, and money laundering services.

“Today’s actions send the clear message: whether you break our laws from China or Europe – or abuse our financial system from a tropical island – you can expect to answer for your crimes inside a United States courtroom,” Deputy Attorney General Lisa Monaco said in a **press release**.

The arrest was a result of a joint effort by the federal law enforcement agencies and European partners to push back against international cryptocurrency schemes and illegal transactions. They are determined to crack down specifically on the activities of Chinese- and Russian-based companies and people operating in the unregulated corners of cyberspace.

Legkodymov could face charges of up to five years in prison if convicted; however, it is not yet known whether he has retained a lawyer.

Five other Russian and Ukrainian nationals were also arrested in Spain, Portugal and Cyprus in connection with the investigation which revealed that in the encrypted internal company communications, Legkodymov and other executives were aware the exchange was trafficking in “dirty money,” including deposits made by drug dealers. 

1.  Nabbed: 106 involved in SIM swapping, money laundering
2.  SEC charges dark web user of insider trading, money laundering
3.  DeepDotWeb admin pleads guilty to money laundering, kickbacks
4.  BTC-e exchange’ owner arrested over money laundering accusation
5.  Crypto tumbler BestMixer.io seized for large-scale money laundering

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Founder of Bitzlato Exchange Arrested for ransomware, $700 mln Fraud

By Deeba Ahmed
These packages were uploaded between the 7th and 12th of January 2023 with the names "colorslib," "httpslib," and "libhttps."
This is a post from HackRead.com Read the original post: Malicious PyPI Packages Drop Malware in New Supply Chain Attack

The malicious packages were uploaded by a threat actor using the alias “Lolip0p,” who dropped info-stealing malware on targeted devices.

Fortinet FortiGuard Labs’ researchers have discovered three **malicious PyPI repositories**. According to their analysis, these packages are designed to infect compromised devices with malware.

For your information, PyPI (Python Package Index) is the world’s most widely used repository for Python packages used by software developers building projects. Threat actors often use malicious packages against Python developers. **Just a couple of months ago**, malicious packages were found swapping out the crypto addresses of Python developers.

Further probe revealed that the packages were uploaded by a threat actor using the alias Lolip0p. The rogue packages contain code that **drops info-stealing malware** on the developer’s device.

**According to** researchers, these packages were uploaded between 7th and 12th January 2023 with the names’ colorslib’ versions 4.6.11 and 4.6.12, ‘httpslib’ versions 4.6.9 and 4.6.11, and ‘libhttps’ version 4.6.12.

However, all malicious packages were removed from the PyPI on January 17th, 2023 after Fortinet tipped them. However, by that time, the packages had been downloaded more than 550 times. Pepy.tech, a PyPI package stat counting service, broke down the download count of these packages by the time these were removed.

*   Colorslib – 248 downloads
*   httpslib – 233 downloads
*   libhttps – 68 downloads

Moreover, the threat actors can reupload them later if they want to. Hence, the threat isn’t over yet. These modules contain similar setup scripts created to invoke PowerShell and execute a malicious binary titled Oxzy.exe, which is also distributed as a free Discord Nitro generator. This file is hosted on **Dropbox**. When this executable is launched, another binary titled update.exe is retrieved, which runs the Windows temporary folder stored at (“%USER%\\AppData\\Local\\Temp\\”).

This second file contains an information stealer that can also drop additional binaries. Microsoft reports that one of these binaries is Wacatac. The trojan can perform numerous actions, such as launching ransomware and different payloads.

The creator of these packages has made them appear legitimate and harmless by including a “convincing project description,” stated Fortinet researcher Jin Lee. But these packages actually download and run the malicious binary executable.

Users must exercise caution when downloading/running packages from unreliable sources to evade **supply chain attacks**.

1.  Gentoo Linux on Github hacked; repositories modified
2.  GitHub fixes critical flaw that exposed repositories to attackers
3.  Thousands of GitHub Repositories Cloned in Supply Chain Attack
4.  6 official Python repositories plagued with cryptomining malware
5.  Typosquatting used in trojanizing 700 libraries in Ruby Repository

Malicious PyPI Packages Drop Malware in New Supply Chain Attack

By Deeba Ahmed
Using this decryptor, BianLian victims can retrieve their encrypted data for free and avoid paying the ransom to the attackers.
This is a post from HackRead.com Read the original post: Avast Releases Free Decryptor for BianLian Ransomware

The BianLian Ransomware group targets organizations around the world, with a prime focus on Australia, the United States, and the United Kingdom.

Cybersecurity firm Avast’s analysts have released a decryptor for the dangerous BianLian ransomware, which first surfaced in August 2022. Using this decryptor, BianLian victims can retrieve their encrypted data for free and avoid paying the ransom to the attackers.

Most of the victims of BianLian ransomware belonged to industries, including healthcare, energy, media, and manufacturing. Organizations worldwide were targeted with ransomware, mainly in the UK, the USA, and Australia.

**Malware Analysis**

According to Avast’s analysis, the malware operators used the Go programming language to improve its operational capabilities and make it difficult to detect. One of the unique features of BianLian ransomware is the concurrency that allows it to encrypt the data quickly.

Furthermore, it can self-delete itself when the encryption is complete. This is where Avast’s decryptor faces a big challenge. The problem is that the decryptor can restore files that the ransomware’s known variant has encrypted.

“For new victims, it may be necessary to find the ransomware binary on the hard drive; however, because the ransomware deletes itself after encryption, it may be difficult to do so,” Avast cybersecurity analysts wrote in their **report**.

The BianLian executable is around 2MB in size. It primarily targets Windows systems and uses a novel encryption technique that divides the files into chunks to encrypt them at a higher speed and prevent detection before the encryption is complete. 

**How BianLian Attack Works?**

Initial access is gained via the **ProxyShell vulnerability chain**, after which the operators deploy a webshell or a lightweight remote access tool. The ransomware may also **exploit SonicWall VPN devices**.

After the ransomware is executed, it searches for disk drives and all files. Then, the ransomware starts encrypting the files with extensions that match the 1,013 extensions hardcoded into its binary and attaches the extension .bianlian to the files. It is worth noting that the malware encrypts data only in the file’s middle, not the beginning or the ending.

When the process is complete, the malware drops a ransom note titled “Look at this instruction.txt” in every folder on the system, informing the victim they have been hit with ransomware and should contact the attacker to restore their data. They can contact the attacker via email or an encrypted messaging app. The attacker also warns them to publish the stolen data if they don’t pay the ransom within ten days.

The BianLian attackers also warn victims of double extortion, claiming that they’ve stolen data and will publish it if they don’t receive a ransom payment within ten days.

Ransomware note of the BianLian Ransomware gang

It is yet known who’s operating the BianLian campaign, but Avast researchers believe the operators are a skilled, aggressive group but a novice in the ransomware domain. Moreover, they suspect the operators aren’t from a **defunct group like Conti**. So far, its leak sites feature 23 victims.

1.  Free Decryptor to LockerGoga Ransomware Victims
2.  Victim releases decryption keys for Mushtik ransomware
3.  Decryptor key for Sodinokibi, REvil ransomware released
4.  Free decryptor for Hakbit and Jigsaw ransomware released
5.  Decryptor for the Ransomware to Exploit Telegram Released

Avast Releases Free Decryptor for BianLian Ransomware

By Deeba Ahmed
The campaign is active, and currently, threat actors are targeting victims with NjRAT (also known as Bladabindi) in the Middle East and North Africa.
This is a post from HackRead.com Read the original post: Threat Actors Spreading NjRAT in New “Earth Bogle” Campaign

Threat actors may be using platforms such as Discord, Facebook, OneDrive, and others to spread the NjRAT, believe Trend Micro researchers.

Trend Micro researchers have discovered a currently active campaign dubbed Earth Bogle, in which threat actors are distributing **NjRAT (aka Bladabindi)**. Their targets are victims in the Middle East and North Africa.

**Findings Details**

According to Trend Micro’s research, the attackers are luring users through geopolitical-themed scams to deliver the notorious NjRAT or Bladabindi malware. The victims of this campaign are mainly located in the Middle East and Africa.

According to Trend Micro researchers Peter Girnus and Aliakbar Zahravi, the attackers use public cloud storage services like files.fm and failiem.lv for **hosting malware** distributed through compromised web servers. Reportedly, the campaign has been active since mid-2022.

(Image: Trend Micro)

**How Does the Attack Work?**

The threat actors use a malicious document hidden inside the Microsoft CAB (Cabinet) archive is masqueraded as a sensitive audio file. The title of this file is created cunningly to represent some geopolitical theme so that the targets feel compelled to open it. For instance, one of the files had this title: “A voice call between Omar, the reviewer of the command of Tariq bin Ziyad’s force, with an Emirati officer.cab.”

The malicious file is distributed on social media platforms like Discord and Facebook or sharing platforms such as OneDrive. It is also delivered via **phishing emails**.

The CAB file has an obfuscated Virtual Basic Script (VBS) dropper that executes the attack’s next step. After the CAB file is downloaded, the VBS script fetches the malware from a compromised or spoofed host and retrieves a PowerShell script that injects NRAT into the victim’s device.

(Image: Trend Micro)

In their **blog post**, researchers noted that the lure files used in the Earth Bogle campaign’s detection rates on Virus Total were surprisingly low, which allowed the attackers to stay undetected and the campaign to stay active. The dropper maintains persistence on the compromised system by the addition of a specific directory to the startup key.

**What is NjRAT?**

NjRAT is a remote access trojan malware that was first detected in 2013. The malware was used to gain unauthorized control/access to infected computers. So far, it has been used in **cyberattacks targeting Middle Eastern users and organizations**.

To prevent infection, cloud infrastructure users and operators must augment their systems’ security.

“Users should be wary of opening suspicious archive files such as CAB files, especially from public sources where the risks of compromise are high. Security teams should be aware of the dynamic nature of conflict zones when considering a security posture,” researchers noted.

1.  Fake ransomware attack infects PCs with StrRAT
2.  ToxicEye RAT hits Telegram app to spy, steal data
3.  Hacker Arrested for Selling Imminent Monitor RAT
4.  Konni RAT variant hits Russia in new attack campaign
5.  Fake WHO COVID-19 Safety Emails Drop Nerbian RAT

Threat Actors Spreading NjRAT in New “Earth Bogle” Campaign

By Habiba Rashid
In total, 18,000 customers of Nissan North America, Inc. had their personal information exposed to the public by a third-party developer.
This is a post from HackRead.com Read the original post: Third-Party Firm Exposes Personal Info for Nissan Customers

The incident took place in June 2022, but the full impact of it was only uncovered on September 26, 2022.

Nissan North America, Inc. experienced a data breach affecting roughly 18,000 customers on June 21, 2022, but the incident was not fully uncovered until September 26, 2022. This was revealed in a breach notification published by the Office of the Maine Attorney General.

This incident should not come as a surprise since **in January 2021**, Nissan exposed 20 GB worth of data assets belonging to Nissan North America. What’s worse, the automotive giant used “admin” as the username and password for the exposed repository.

**In December 2017**, Nissan’s operations in Canada were hit by a cyber attack in which personal data of 1.13 million Nissan Canada Finance were compromised.

As for the recent data exposure, the incident took place because personal information belonging to thousands of Nissan customers was provided to a third-party developer for software testing.

However, they ended up temporarily storing the data in a cloud-based public repository. On 21st June, **Nissan** was informed that this data had been inadvertently exposed by the services provider. 

“During our investigation, on 26th September 2022, we determined that this incident likely resulted in unauthorized access or acquisition of our data, including some personal information belonging to Nissan customers. Specifically, the data embedded within the code during software testing was unintentionally and temporarily stored in a cloud-based public repository.”

The exposed data included personal information such as names, birth dates, and NMAC account numbers related to vehicle financing. Nissan confirmed that the breach did not include Social Security numbers or credit card information. 

“Upon learning of this issue, we immediately ensured that the third-party provider contained the threat by disabling all unauthorized access to the data, and we commenced a prompt and thorough investigation,” Nissan says.

“We worked with the third-party service provider to assure that it takes steps to prevent events like this in the future. As part of our investigation, we worked very closely with external cybersecurity professionals experienced in handling these types of complex security incidents.”

Despite no evidence of the exposed data being misused, the possibility of it being shared online on hacker forums cannot be ruled out. Large amounts of personal information allow hackers to target customers with convincing phishing messages and elicit more information.

1.  How Hackers Can Remotely Unlock/Start Honda Cars
2.  100,300 CityBee users’ login credentials leaked online
3.  Automotive Industry Exposed to Major API Vulnerabilities
4.  Nissan Leaf Maybe At Threat Because of Vulnerable APIs
5.  App Flaw Allowed Nissan Cars Hack by Knowing VIN number

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Third-Party Firm Exposes Personal Info for Nissan Customers

By Habiba Rashid
The US military seeks public help in securing its critical cyber infrastructure with "Hack the Pentagon 3.0" bug bounty program.
This is a post from HackRead.com Read the original post: Hack the Pentagon 3.0: Groundbreaking Bug Bounty Program Is Back

Can you hack the Pentagon for good? Then it is your chance to participate in the third chapter of Hack the Pentagon 3.0, backed by the government of the United States.

The U.S. Department of Defense (DOD) has announced the third iteration of its “Hack the Pentagon” bug bounty program, which was **first launched in 2016**.

The initiative allows cybersecurity researchers to find vulnerabilities in the government’s Facility Related Controls System (FRCS) network which is used to monitor and control equipment and systems related to real property facilities. These include heating, ventilation, and air conditioning (HVAC), utility, physical security systems, and fire and safety systems.

The performance work statement (PWS) of the Hack the Pentagon 3.0 program on the **Sam.Gov website** states, “The overall objective is to obtain support from a pool of innovative information security researchers via crowdsourcing for vulnerability discovery, coordination and disclosure activities and to assess the current cybersecurity posture of the FRCS network, identify weaknesses and vulnerabilities, and provide recommendations to improve and strengthen the overall security posture.”

The Department of Defense is searching for skilled and trusted researchers from private organizations that have a diverse skill set and will be able to perform source code analysis, reverse engineering, and network and system analysis exploitation.

“The contractor shall provide all labour, material, equipment, hardware, software and training required to assess the current cybersecurity posture of the FRCS Network, identify weaknesses and vulnerabilities, and provide recommendations to improve and strengthen the overall security posture,” reads the draft.

However, it is also clarified that the 72-hour in-person critical bounty program will be limited to the “unclassified Information Systems and operational technology continued within the Pentagon FRCS Network.”

*   A 17-years-old kid hacks the US air force for the good
*   Bug bounty: Hack Tesla Model 3 to win your own Model 3
*   Hack the US Army with ‘Hack The Army’ bug bounty program
*   Homeland Security Offering $5,000 Bug Bounty to Hack DHS
*   Google Starts Bug Bounty Program for Open-Source Software

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Hack the Pentagon 3.0: Groundbreaking Bug Bounty Program Is Back

By Habiba Rashid
The company targeted in the ransomware attack is DNV, a prominent and widely-recognized provider of digital ship management solutions.
This is a post from HackRead.com Read the original post: Disruption on High Seas:  Shipping Software  Hit by Ransomware Attack

The company has confirmed that approximately 1,000 vessels had been affected and that they were in close contact with the 70 affected customers.

On January 7th, DNV, a digital ship management solutions provider, was targeted in a **ransomware attack,** causing it to take its ShipManager software offline. Users can still use the onboard, offline functionalities of the software, which allow for the construction and operation of ships.

The program is normally used for digitally enhanced management of vessels for daily tasks, such as crew oversight, shipping data analytics, dry-docking, and hull integrity inspection.

In the **announcement** on its website, the company stated, “There are no indications that any other software or data by DNV is affected. The server outage does not impact any other DNV services.”

On January 12th, they issued an update confirming that approximately 1,000 vessels had been affected and that they were in close contact with the 70 affected customers.

They further added that they were in contact with the Norwegian police to resolve the incident. 

To implement a recovery plan and investigate the threat actor behind the attack, DNV is also working with cybersecurity providers and is trying to get ShipManager back online “as soon as possible.”

As of yet, the effect of the cyberattack is felt by onshore systems rather than onboard ships. But industry experts caution that this is likely to change as bandwidth improvements enable a stronger interdependence between onshore systems and navigation and other onboard systems. 

1.  Nuclear warship data sold in a peanut butter sandwich
2.  Hackers stole 614GB of US Navy’s anti-ship missile data
3.  Ships could be hacked by exploiting VSAT comm system
4.  Ships vulnerable to hacking due to maritime platform flaw
5.  Data from US shipping management software firm exposed

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Disruption on High Seas:  Shipping Software  Hit by Ransomware Attack

By Habiba Rashid
NFT influencer @NFT_GOD downloaded malware through Google Ads while attempting to download OBS, an open-source video streaming software.
This is a post from HackRead.com Read the original post: Google Ads Malware Wipes NFT Influencer’s Crypto Wallet

Blockchain data confirms that the NFT influencer lost at least 19 Ether, worth nearly $27,000 at the time, a Mutant Ape Yacht Club (MAYC) NFT with a current floor price of 16 ETH ($25,000), and multiple other NFTs.

An NFT influencer with the Twitter handle @NFT\_GOD claims to have lost thousands of dollars worth of non-fungible tokens (NFTs) and crypto in a Google Ads-delivered malware attack.

On 14th January, NFT God, also known as Alex, shared on Twitter how his “entire livelihood was violated.” In the thread, he explained how his online accounts, including Twitter, Substack, Gmail, and Discord, were hacked into and his crypto wallet compromised after he accidentally downloaded **malicious software from Google Ad**. 

This should not come as a surprise since malicious hackers have a history of exploiting Google Ads to spread malware through the Google search engine. **In February 2018**, hackers managed to steal over $50 million in Bitcoin after using Google Ads to buy the top result slot on the Google search engine.

**More Google Ads and Malware News**

1.  Royal Ransomware Uses Google Ads and Cracked Software
2.  Nitrokod Crypto Miner Hiding in Fake Google Translate Apps
3.  Google AdSense Abused to Drop Malware on Android Devices
4.  Fake Brave browser site dropped malware, thanks to Google Ads
5.  Google Drive accounted for 50% of malicious Office docs downloads

The pseudonymous influencer has more than 80,000 followers on Twitter and thousands of followers and subscribers on Substack.

Alex said he used the Google search engine to download OBS, an open-source video streaming software. But instead of downloading the software by clicking on the official website, he used the sponsored ad for what he believed was the same thing. 

After being informed of the series of phishing tweets posted from his two Twitter accounts, Alex realized that he had downloaded malware with the software he had installed.

Blockchain data **confirms** that he lost at least 19 Ether, worth nearly $27,000 at the time, a Mutant Ape Yacht Club (MAYC) NFT with a current floor price of 16 ETH ($25,000), and multiple other NFTs.

On the other hand, the attacker moved most of the ETH through multiple wallets before sending it to the decentralized exchange (DEX) FixedFloat, where it was swapped for unknown cryptocurrencies.

Alex believes that the hackers were able to gain access to his **crypto and NFTs** because of a “critical mistake” where he set up his hardware wallet as a hot wallet by entering its seed phrase “in a way that no longer kept it cold,” or offline.

Alongside his crypto wallet, the hackers also breached his Substack account and sent phishing emails to the 16,000 subscribers on his account, compromising the trust he had built with his community. At the same time, Google’s lack of security and scrutiny is also questionable.

1.  Ad-blocker extension injected ads in Google searches
2.  This malware replaces address to steal cryptocurrency
3.  Fake Windows 11 Downloads Distributing Vidar Malware
4.  Fake TeamViewer download ads spread ZLoader variant
5.  Facebook ads dropped malware posing as Clubhouse app

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Google Ads Malware Wipes NFT Influencer’s Crypto Wallet

By Waqas
The data is now available for download on DDoSecrets and the official website Enlace Hacktivista.
This is a post from HackRead.com Read the original post: Hacktivists Leak 1.7TB of Cellebrite, 103GB of MSAB Data

According to the Enlace Hacktivista group, the Cellebrite and MSAB data (both are smartphone forensic firms) was provided to them by an “anonymous whistleblower.”

The Israeli mobile forensics firm, **Cellebrite**, has apparently suffered yet another data breach in which hackers managed to steal 1.7 TB of data. The hackers are also claiming to have stolen 103 GB of data from MSAB, a Sweden-based forensics firm.

In both cases, the trove of information is available for download on DDoSecrets and the official website **Enlace Hacktivista**. It is worth noting that, according to Enlace Hacktivista, the Cellebrite and MSAB data was provided to them by an “anonymous whistleblower.”

**Cellebrite Data Leak Details**

The Petah Tikva, Israel-based Cellebrite is **frequently criticized** for aiding governments with its tools and spyware to monitor the activities of human rights activists, officials, dissidents, and journalists.

Cellebrite UFED (Universal Forensics Extraction Device) is among its most famous services availed by intelligence agencies and law enforcement authorities globally to access data from mobile devices seized during investigations.

This time, however, the company has become a target of the data breach. The data was later posted online by Enlace Hacktivista and DDoSecrets. Further analysis revealed that 103 GB of data from MSAB, a Sweden-based forensics firm, was also leaked. The firm is **criticised for** providing services to repressive regimes including Myanmar’s security forces.

Both databases are currently being offered for downloading through torrents and direct downloads from **DDoSecrets** and **Enlance Hacktivista**.

Here, it is worth mentioning that Cellebrite is known for breaking into passcode-secured smartphones, including Android and iOS devices, and extracting their data. In fact, **in 2019, the company claimed** its new tool could unlock “almost any iOS and Android device.

Reportedly, Cellebrite also played a major role in unlocking the iPhone device of San Bernardino back in 2016. Nevertheless, the apparent hack should not come as surprise since Cellebrite has a history of data breaches.

**Previous Cellebrite Data Breaches**

1.  Cellebrite Hacked; 900 GB data stolen
2.  Anonymous Source Leaks 4TB of Cellebrite Data
3.  Signal CEO hacks Cellebrite cellphone hacking tool
4.  iPhone hacking tool Cellebrite is being sold on eBay
5.  Hacker Dumps Hacking Tools Stolen from Cellebrite

**Who Stole the Data?**

Enlance Hactivista’s homepage revealed that they received the data from an anonymous whistleblower. They received it on January 13th, 2023. However, DDoSecrets and Enlance Hacktivista hadn’t made any claims about the source of data, its validity, and the sender’s identity.

**What Data is Leaked?**

An analysis of the 1.7TB archive indicated that it contained the full suite of Cellebrite programs. This includes its flagship software UFED, the Physical Analyser, Physical Analyser Ultra, license tools, and the Cellebrite Reader.

Moreover, there were technical guides and files used to localize the software. Customer documents were also part of the archive, dated from November 19th to December 3rd, 2022.

It is reported that sensitive data wasn’t leaked, and Cellebrite’s systems or customer information wasn’t impacted. Most of the leaked files are world maps and translation packs.

1.  Clearview AI firm with photos of billions of HACKED
2.  US govt gets its hand on $15,000 iPhone cracking device
3.  Textalyzer Tells Police Everything Users Do on Smartphone
4.  Securus firm that lets US Cops track cellphone users is hacked
5.  Leaked info confirms in-house hacking capabilities of Cellebrite

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism