By Deeba Ahmed
The exposed server, which belonged to the global online retailer VEVOR, was exposed twice between April and July 2022.
This is a post from HackRead.com Read the original post: Online Retailer Giant Exposed User Data and Over 1B Records

The cyber security researchers at Website Planet published a report on discovering an **unprotected database** containing a trove of data. The exposed server, which belonged to a global online retailer, was identified twice between April to July 2022.

**Research Findings**

According to Website Planet and security researcher Jeremiah Fowler, the first time the server was found was in April 2022. What’s worse, even after several responsible disclosure attempts, they didn’t receive any response from the company, and the unprotected database remained open to public access for several days post-discovery.

In July 2022, they discovered the same database hosted on a different IP address. Again, they didn’t receive any response from the owner, but the **exposed AWS server** was secured quickly.

However, a probe revealed the database was exposed due to a misconfiguration caused by the server’s owner or the company responsible for managing IT infrastructure, not Amazon Web Services’ fault.

During the first exposure in April, the database contained 706,206,770 documents (406.79GB size), and the second time in July, it contained 1,166,293,742 documents (601.84GB).

**Who Owns the Database?**

According to Fowler, the database had several references to Vevor, an online retailer based in California. However, Crunchbase claims that although the company is registered in the US, its website suggests it is based in **China**, boasting more than ten million customers across 200 countries/regions.

The brand deals in tools and equipment and offers DIYers and professionals advanced tools and equipment at low rates.

**Contents of the Database**

The content of the database was marked as Production. It contained PII and other sensitive data related to the company’s online operations. For instance, the data contained customer details, including first and last names, transaction IDs, partial credit card numbers, refund info, etc.

The checkout and payment records were also part of the database. This included names, currency, home addresses, email IDs, etc. It is worth noting that the data was stored both in hashed and plain text formats.

The email addresses were part of around seven folders named email-API. There were, in total, 8.1 million records (approx. 31.64GB). A limited sample of 10,000 records was evaluated, and 2,559 email IDs were declared unique.

Emails in the email-API folder (Image: Website Planet)

Conversely, 12.9 million records were contained in folders titled Members. Researchers found that all records didn’t have customer names in plain text. There were records with various Localized Domains, including .com, .ca, .de, .it, .uk, .es, .fr, and .au.

Also, part of the database were error messages in Chinese and internal images and documents hosted on amazonaws.com.cn. Furthermore, there were internal Vevor account admin names and plaintext passwords, active password reset links, credit card numbers (partial), and references to tax and passport numbers.

“IP addresses, Ports, Pathways, middleware, and storage info that cybercriminals could exploit to access systems or services. Overall, the exposure provided a complete look at Vevor’s operating structure, logging, monitoring and error records, and more. Configuration information that could be used to penetrate deeper in the network,” Website Planet’s **blog post** revealed.

At the time of writing, the server was either secured or taken down. Nevertheless, the good news is that it is not available for public access.

**Dangers of a misconfigured server**

Databases are a crucial part of modern technology, used to store and manage important data. However, if these databases are not properly configured, they can become a massive security flaw that can leave your personal or business information vulnerable to attack.

A misconfigured database can open the door for hackers and other malicious outsiders to access confidential information without authorization. The risks associated with an improperly configured or misconfigured database are numerous and should be taken seriously.

By leaving key ports open on your server or failing to update software regularly, hackers could gain unauthorized access to sensitive information such as usernames, passwords, credit card numbers, social security numbers, and more.

Additionally, they could manipulate stored data or even delete valuable records entirely – making it vital that proper measures are taken to ensure a secure system environment.

1.  **Misconfigured baby monitors expose video stream online**
2.  **Anonymous hacked 90% of Russian misconfigured databases**
3.  **US and China Exposed Most Servers Among 308k Found in 2021**
4.  **Misconfigured Servers Exposed 579 GB of Users’ Website Activity**
5.  **Exposed Server Revealed US Military’s Social Media Spying Campaign**

Online Retailer Giant Exposed User Data and Over 1B Records

By Owais Sultan
Before selling or trading in your laptop, it is important to prepare the device for its new owner as this will help ensure all of your personal data remains safe.
This is a post from HackRead.com Read the original post: Don’t Sell Your Laptop Without Following These Steps

In an age when every day, a new version of a laptop with better features, sleek design, and improved performance hits the market, it is no wonder that you also wish to buy a new laptop to achieve excellence in performance and enjoy new features.

You have money, you can buy a new laptop, great! But what about your previous laptop? If you are thinking of selling it, then…stop.

If you think selling a laptop is all about saving your data, finding a seller, and selling it, then you need to think again. It goes beyond this! It is not all about getting a fair price, but also saving your personal information and private data from reaching a stranger – that might cost you a lot if that stranger is fraudulent or malicious.

Before selling or trading in your laptop, it is important to prepare the device for its new owner. This can be done by taking several simple precautions that will help ensure all of your personal data remains safe.

**1 Save Your Important Data**

It goes without saying that your first step should be keeping a **backup of your essential data**, including personal and work-related files and folders, containing documents, presentations, emails, plans, strategies, or anything else that you have prepared with so much hard work.

If you don’t want to see your data slipping from your fingers, then this should be your number one step.

You can save your data on a data drive or upload it to a reliable **cloud service**. Or send them to your own email address (well, this is my favorite way of saving my data!). Do whatever suits you, but saving data is a must before selling your laptop.

However, this can only work if you have a few GB of data. In case you have terabytes of data then owning a workstation from companies like **Western Digital (WD)** is a good way to go.

**2 Delete Passwords Permanently**

Nobody wants the passwords of important accounts to get leaked. Full stop! But have you ever thought about how to save your passwords before giving your laptop? What — did you just say you can do it by signing off from all your accounts and deleting history and cookies? Ah, I wish it was really that easy, but it is not. 

Where technology has brought so much **ease into our lives**, there it has also become a trouble in many ways — like this one. Unfortunately, some software can extract passwords even if you log out from your accounts.

That is where you should act smartly if you don’t want someone to sneak into your Facebook and start sending weird messages through your accounts to your friends. It could trigger so many controversies – eh. So, cut iron with iron.

You can also use apps such as password generators. One such example is the **IPVanish** password generator which lets users delete passwords permanently from their browsers. If you wish to do that manually, follow these easy steps:

**For Chrome browser:** First, open Chrome and click on the three-dot menu icon located in the top right corner. Then select “Settings” and click on “Passwords” under Autofill. Here you will find a list of all the websites that have saved credentials, along with their usernames and passwords.

Select an entry to see the details, then click on the three-dot menu icon next to it and select “Remove.” You’ll be asked to confirm by clicking “remove” again; once confirmed all login information for that website will be deleted from your computer. (_Read more on_ **Google**.)

**For Firefox:** First, launch the Firefox browser on your device. Then, click the ‘Menu’ icon (three lines in the upper right corner) and select ‘Options’ or ‘Preferences’. In this menu, you will see a section for ‘Logins & Passwords. You can then scroll through all of your saved logins and passwords until you find the one that needs to be deleted.

**For Safari Browser:** To begin, open up the Safari browser on your computer and click the ‘Safari’ menu at the top left corner. In that menu option, select ‘Preferences’ and then navigate to the ‘Passwords’ tab. (Read more on **Mozilla**.)

Here you will see a list of all of your stored passwords that have been saved by Safari. To delete one or more of these passwords, simply check off each box next to each entry that you wish to remove and hit delete in the bottom right corner. (Read more on **Apple**.)

**3 Format the Drive**

Have you saved your important data? Great! Now, what about data that is still on your laptop? Obviously, you can’t leave it like this for others to see your private information and confidential data. No, just deleting data files and clearing Recycle Bin or Shift + Delete might not work. It can still keep the issue of data leakage and privacy breaches there. 

In this condition, most people go for drive formatting that cleans up your laptop and makes it data free. However, this method works if your files are overwritten and you are using a solid-state drive (SSD) with TRIM enabled.

With HDD or TRIM disabled, you would have to overwrite the hard drive if you don’t want cheap software to recover your data – yes, even after formatting. It is very easy to recover a permanently deleted file through even cheap software. So, be safe than sorry!

**4 Prepare Your Laptop for Selling**

Once you are done saving your information, next, it is time to prepare your laptop for sale at a good price. The price of your gadget also depends on its model, functionalities, current market price, and a lot more. However, improving the outer condition, and speed, upgrading Windows, and enhancing the memory storage can enhance the price of your laptop. 

So, work on the following things to get good bucks:

*   First, install the latest Windows to make your buyer happy. You can vow anyone with the latest functionalities already installed on the laptop, so that person wouldn’t have to go through all the trouble. It is a good chance to impress a buyer.

*   Second, work on the speed of the laptop. Half of the work is already done when you delete files and data. So, reset the laptop to speed it up.

*   Clean up your laptop, please. Don’t take your laptop to a buyer with all the lint or dust trapped between keys and scratches on the screen. You can remove lint or dust with a brush and change the screen cover. This simple work can make a lot of difference.

*   Lastly, visit a laptop expert and ask for a thorough inspection so that you can rectify if there are any internal faulty parts.

1.  **World’s most dangerous laptop has been sold for $1.3 million**
2.  **BusKill USB cable switches off your laptop in the event of theft**
3.  **German army’s sensitive data found on laptop bought from eBay**
4.  **World’s most dangerous laptop ‘Persistence of Chaos’ up for auction**

Don’t Sell Your Laptop Without Following These Steps

By Habiba Rashid
From December 7th, 2022, their Mastodon instance, Vivaldi Social, will be integrated into the sidebar of the desktop browser, creating an inbuilt Mastodon client for users.
This is a post from HackRead.com Read the original post: Vivaldi Integrates Mastodon Into its Web Browser

Riding the **Mastodon hype**, Vivaldi recently became the first browser to not only have its own Mastodon instance, Vivaldi Social but to also integrate Mastodon into its newest browser version, Vivaldi 5.6. available on Windows, macOS, and Linux.

In the recent update where the company announced its newest functionality, it also explained how **Mastodon** matched its values to give its users an algorithm-free experience with no surveillance capitalism or data profiling. 

According to the company’s **press release**, From December 7th, 2022, their Mastodon instance, Vivaldi Social, will be integrated into the sidebar of the desktop browser, creating an inbuilt Mastodon client for users. However, users will have the option to add any Mastodon server of their choice to the sidebar.

The new feature does not demand implementation and can be ignored if it is not up your alley. Moreover, the app does not run in the background which means that system resources or valuable bandwidth will not be used unless you open the panel.

Vivaldi Social has expanded to around 11,000 people ever since it went live in mid-November.  Vivaldi’s founder **Jon Stephenson von Tetzchner** explained that they “support the idea of a decentralized federated social media network like Mastodon.” 

Along with the creation of its own Mastodon instance, comes the responsibility of dealing with content moderation but the company remains confident that it has the expertise necessary to tackle the thorny issue. 

1.  **Trust Wallet Launches Browser Extension Wallet for Desktop**
2.  **8 Online Best Dark Web Search Engines for Tor Browser (2022)**
3.  **Improving privacy: Alternative browsers and chrome extensions**
4.  **Meet Plexus, An AI-based Browser Security Solution from LayerX**
5.  **Guardio: Can This Browser Extension Protect You From Cybercrime?**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Vivaldi Integrates Mastodon Into its Web Browser

By Habiba Rashid
The bank confirmed that it had "experienced an unprecedented cyber attack from abroad."
This is a post from HackRead.com Read the original post: IT Army of Ukraine Hit Russian Banking Giant with Crippling DDoS Attack

Russia’s second-largest bank experienced the largest cyber attack (**DDoS attack**) in its history. The government-controlled St Petersburg-based VTB financial institution announced on Tuesday that it was experiencing an “unprecedented cyber attack from abroad.”

The bank warned customers of temporary difficulties in accessing its mobile app and website due to the ongoing DDoS attack (distributed denial of service attack) but assured them that their data remained safe. VTB stores its customer data in the internal perimeter of its infrastructure which the attackers did not breach.

According to the bank’s internal analysis and as **reported** by local Russian media, this DDoS attack was pre-planned and orchestrated to cause hindrance in the bank’s functionalities and to inconvenience its customers. Despite the bank’s online portals being inaccessible, all other core banking services are operating as usual.  

VTB stated that they identified most of the malicious DDoS requests from “foreign segments of the internet,” but some network-flooding traffic also originated from Russian IP addresses which the bank noted was “of particular concern.” 

Either foreign actors used local proxies for some of the attacks or they managed to recruit local dissidents in their **DDoS campaign**. The bank stated that it will hand over all the information regarding the Russian IP addresses to law enforcement for criminal investigation. 

What makes this DDoS attack particularly interesting in light of the recent political events is that VTB is 61% state-owned, implying that the attackers made an indirect blow at the Russian government. 

On Dec 6, 2022, in a **tweet**, the pro-Ukraine hacktivist group, going by the name ‘IT Army of Ukraine,’ claimed responsibility for the DDoS attacks against VTB, announcing the campaign on Telegram and Twitter.

According to the IT Army of Ukraine, over 900 Russian entities, including stores selling military equipment and drones, the Central Bank of Russia, the National Center for the Development of Artificial Intelligence, and Alfa Bank, have been targeted by the group since they started being more active in November. 

It is worth noting that the IT Army of Ukraine along with the hacktivist group Anonymous also took responsibility for **September 2022’s social engineering attack** in which the Russian Yandex taxi app was hacked to cause a massive traffic jam in Moscow.

On the other hand, Microsoft **warns** Europe to be on alert for cyber attacks from Russia because this attack follows a series of cyber campaigns launched against Russian organizations. 

Last week, **reports of data-wiping trojan** deployed against Russian mayors’ and courts’ computers surfaced. The media reported that the wiper poses as ransomware and demands half a million rubles and deletes files regardless of whether the organization pays the amount or not. 

With the latest round of wiper and DDoS attacks, GM of Microsoft’s Digital Threat Analysis Centre Clint Watts warns Europe that Russia is likely to expand its “hybrid-war” efforts beyond Ukraine. He further stated that the Kremlin might use such state-sponsored attacks to disrupt foreign supply chains. 

European nations and the US should also brace for more Kremlin-backed influence operations – preying on citizens’ concerns about rising energy prices and inflation, and pushing pro-Russian narratives, Watts wrote. 

1.  **Anonymous Hacktivists Leak 1TB of Top Russian Law Firm Data**
2.  **Ukraine Busts Pro-Russia Hackers Who Stole 30M EU Citizens’ data**
3.  **OldGremlin Gang Known for Targeting Russia Launches Linux Malware**
4.  **Russian Ministry Website Hacked to Display “Glory To Ukraine” Message**
5.  **Ukraine Thwart Russian Industroyer 2 Malware Attack on Energy Provider**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

IT Army of Ukraine Hit Russian Banking Giant with Crippling DDoS Attack

By Habiba Rashid
Spanish Police confirmed that the SIM Swapping gang also used dark web forums to illegally obtain ID and credit card numbers through cryptocurrency purchases.
This is a post from HackRead.com Read the original post: Police Dismantle SIM Swapping Gang in Spain

The Spanish National Police successfully arrested a **SIM swapping** gang known as the “Black Panthers”, making 55 arrests in Barcelona. 

Their operation included committing bank scams through SIM swapping attacks and other methods such as social engineering techniques, and voice phishing (aka **vishing**, **phishing**, and **call forwarding**.

The group managed to accumulate a total amount of €250,000 by draining the bank accounts of a hundred victims by gaining access to their personal details after tricking the phone companies. 

The police stated that vishing was the technique majorly used to obtain **duplicate SIM cards**. “They did it directly to well-known telephone and telecommunications companies in our country, posing as customers – whose data they already had after having carried out phishing attacks on the employees of the telephone operators themselves,” said the police

By cleverly posing as technical support workers, the gang members gained straightforward access to databases containing the user credentials of phone company employees. This enabled them to acquire customers’ personal details and make duplicate SIM cards.

In its **press release**, Spanish Police added that the cybercriminals also used dark web forums to illegally obtain ID and credit card numbers through cryptocurrency purchases.

The items purchased using the cloned cards were usually luxury products that were collected at the delivery points by displaying the physical IG cards stolen or bought on black markets to make it difficult for the purchase to be traced back to them. During the bust, 45 SIM cards, 11 mobile phones, and four laptops were seized. 

The group consisted of a network of four differentiated but interconnected cells that used different methods to carry out scams. The group had an interesting collaborative dynamic that allowed them to work without a central leader, instead relying on highly specialized individuals to succeed in their separate criminal endeavors. 

1.  **Europol nabs SIM hacking network from across Europe**
2.  **10 SIM-swapping hackers nabbed for targeting US celebrities**
3.  **Turkish PoliceArrests Sim Swapping Crypto Stealing Hackers**
4.  **Sim swapping hackers charged with stealing $2.5m in crypto**
5.  **Europol nabs 106 criminals for SIM swapping, money laundering**

“Those investigated took control of mobile phone numbers of victims by making a duplicate of their SIM cards,” said police. “To do this, they used phishing, vishing, and call-forwarding techniques. Once they impersonated the identity of the users, they took control of victims’ electronic banking and made fraudulent transfers to a network of mules spread throughout the Levantine coast.”

By doing so, the criminals drained their victims’ accounts with approximately €2,500 stolen from each one.

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Police Dismantle SIM Swapping Gang in Spain

By Deeba Ahmed
A new dark web marketplace called InTheBox has surfaced online, serving smartphone malware developers and operators.
This is a post from HackRead.com Read the original post: Largest Dark Web Webinjects Marketplace “In The Box” Discovered

The California-based cybersecurity firm Resecurity has discovered a brand-new **Dark Web marketplace** that serves mobile malware developers and operators. Presented below is an overview of the firm’s findings.

**What is “In The Box”?**

According to Resecurity’s cybersecurity researchers, the new marketplace, called “In The Box” has been available for scammers and cybercriminals on the **TOR network** since at least early May 2020.

Since then, the marketplace has evolved into a full-fledged cybercrime services facilitator and has become the **Dark Web’s largest marketplace**, given the many unique tools and WEB-injects up for sale. Cybercriminals can use these tools for online banking and financial fraud, including theft.

**Why Web-Injects Are in Demand?**

Web-injects are similar to the **Man in the Browser attacks**. The difference is that these attacks previously worked on PCs using malware like SpyEye, Zeus, and Gozi, whereas threat actors have now learned to apply the same approach to mobile devices.

Web-injects successfully extract sensitive financial data because digital payments are interconnected with mobile apps. Web-injects can be integrated into mobile malware for intercepting banking credentials, social media login details, payment systems, email credentials, etc.

That’s not all. These tools can also collect sensitive data such as credit card info, phone number, personally identifiable information, and address.

**How Dangerous is this Marketplace?**

Currently, this marketplace has more than 1,849 malicious tools for sale, specifically designed to target major e-commerce and financial institutions, payment systems, social media firms, and online retailers in at least 45 countries.

This includes the UK, USA, Brazil, Canada, Colombia, Saudi Arabia, Mexico, Bahrain, Singapore, and Turkey. Cybercriminals have already targeted high-profile organizations like Citi, Amazon, Bank of America, PayPal, DBS Bank, Wells Fargo, etc. An update was made in 144 injects in November 2022 to improve their efficacy and visuals.

> There is no doubt, “In The Box” may be called the largest and probably the only one in its marketplace category providing high-quality webinjects for popular types of mobile malware.
> 
> Resecurity

As shown in the screenshot below, the team behind In The Box are offering Web-injects for $100 per month and as an “Unlim” tier that lets the buyer generate an unlimited number of injects for $2,475 and $5,888, depending on the trojans it supports.

(1) Login page of the In the Box market place (2) Prices list for each attack (3) Types of Web-injects (4) Already developed Web-injects being offered on In the Box Marketplace (Screesnhots: Resecurity)

**Who Runs “In The Box”?**

The marketplace operators are connected closely to developers of major mobile malware families, such as Ermac, Cerberus, Octopus aka Octo, Hydra, MetaDroid, and Alien, among others. The actors operating “In The Box” have Web-injects categorized by geography and can be bought by bad actors to launch attacks.

“The automation allows other bad actors to create orders to receive the most up-to-date web injects for further implementation into mobile malware,” Resecurity researchers wrote in their **blog post**.

1.  **Authorities seize world’s biggest dark web child abuse site**
2.  **What Are Dark Web Search Engines and How to Find Them?**
3.  **360m WhatsApp Records Shared on Telegram and Dark Web**

Largest Dark Web Webinjects Marketplace “In The Box” Discovered

By Deeba Ahmed
According to Tenable research, NETGEAR had to release last-minute patches for their devices that were a part of the Pwn2Own event. 
This is a post from HackRead.com Read the original post: NETGEAR Router Vulnerability Allowed Access to Restricted Services

A new report from Tenable, a Columbia, Maryland-based cybersecurity firm, outlined an emerging threat related to NETGEAR and TP-Link routers.

According to Tenable research, both TP-Link and NETGEAR had to release last-minute patches for their devices that were a part of the **Pwn2Own event**. For your information, Pwn2Own is a computer hacking competition held yearly at the CanSecWest security conference since 2007.

Last Minute Patch Issued by TP-Link

According to researchers, the NETGEAR Nighthawk WiFi6 Router (RAX30 AX2400 series) was to be included in the **bug-finding contest at Pwn2Own**. Just one day before the deadline for registering for the contest, the company identified a flaw that invalidated their submission and had to issue a patch urgently.

**What was the Issue?**

According to a **blog post** published by cybersecurity experts at Tenable, network misconfiguration was identified in NETGEAR Nighthawk router versions released before 1.0.9.90. These devices, by default, feature IPv6 for the WAN interface.

The problem is that firewall restrictions in place to determine IPv4 traffic’s access restrictions don’t work on the IPv6 WAN interface. That’s why anyone gaining random access to a service running on the device can listen to IPv6 inadvertently.

For instance, by default, Telnet servers and SSH spawned on Ports 22 and 2. An adversary can exploit this misconfiguration to interact with services accessible only by local network clients.

**Threat Mitigation Response**

Tenable discovered the patch for a flaw pending disclosure on 1st December 2022, and the next day it reached out to the vendor for its CVE identifier.

Those using the affected NETGEAR Nighthawk routers should apply the recently released patch, which can be found **here**.

It must be noted that the auto-update and Check for Updates features of the affected router don’t detect this patch at the moment, so you have to apply it manually.

1.  **415,000 routers infected by cryptomining malware**
2.  **How To Keep Your Router And WiFi Safe From Hackers**
3.  **D-Link home routers plagued with critical vulnerabilities**
4.  **Security flaws turn Netgear Routers into army of botnets**
5.  **Netgear Gaming Router Offers Protection Against DDoS Attacks**

NETGEAR Router Vulnerability Allowed Access to Restricted Services

By Deeba Ahmed
The infamous North Korean state-backed Lazarus hacking group is using AppleJeus malware to steal crypto funds from Windows users.
This is a post from HackRead.com Read the original post: Fake Windows Crypto Apps Spreading AppleJeus Malware

The cybersecurity researchers at Volexity have detected a new wave of attacks in which AppleJeus malware is distributed through fake cryptocurrency apps. Researchers claim that the North Korean APT group **Lazarus** is behind this new campaign.

It is worth noting that, as **reported** by Hackread.com in August 2018, the Lazarus hacker group was found using AppleJeus malware against macOS in its attack against multiple cryptocurrency exchanges.

**Campaign Analysis**

According to researchers, the notorious **Lazarus hacking group** uses a fake trading website and DLL Side-loading to distribute the malware. The primary targets of this campaign are cryptocurrency users and organizations.

In their recent attack, the group is using a variant of AppleJeus malware distributed via **malicious Microsoft Office documents**. This campaign started in June 2022 and is still active.

“The Lazarus Group continues its effort to target cryptocurrency users, despite ongoing attention to their campaigns and tactics. Perhaps in an attempt to allude to detection, they have decided to use chained DLL side-loading to load their payload. Despite these changes, their targets remain the same, with the cryptocurrency industry being a focus as a means for the DPRK to bolster their finances,” researchers wrote in their **blog post**.

Volexity’s findings should not come as a surprise; as of January 2022, Lazarus hackers have **stolen $1.7 billion** from cryptocurrency exchanges. In fact, in April 2022, it was **reported** that the group has been using another malware called TraderTraitor to target Blockchain organizations.

**How Did the Scheme Work?**

The scheme reportedly involves a live crypto-themed site featuring content stolen from a legit website. AppleJeus malware was deployed with a new variant of DLL Side-loading, which hasn’t been documented in the wild.

Further probe revealed that in June 2022, the threat actors registered a domain name (bloxholdercom _which was live at the time of writing_) and configured it for hosting a website related to automated cryptocurrency trading.

This site was a fake version of the genuine cryptocurrency trading platform HaasOnline (haasonlinecom). All references to this website were modified to be BloxHolder, along with a few tweaks.

Legit website (left) – Fake website (right) – Screenshot credit: Volexity

The fake website distributes a **malicious Windows MSI installer** disguised as the BloxHolder app. This app helped in the installation of AppleJeus malware and the QTBitcoinTrader app.

**Detailed Analysis**

Volexity researchers noted that the Lazarus hacker group was installing AppleJeus malware through malicious MS Office documents titled OKX Binance & Huobi VIP fee comparision.xls in the place of an MSI installer. This development was observed in October 2022.

The malicious document contained a **macro** split into two parts. The first one decoded a base64 blob containing a second OLE object, which contained a second macro.

Moreover, the first document also stored various variables, encoded with base 64 to allow defining where the malware would be deployed in the affected system. Additionally, the hackers also used OpenDrive to deploy the last stage payload.

However, researchers couldn’t retrieve the final payload deployed since October. They noted similarities in the DLL Side-loading mechanism as it was similar to the attacks involving the **MSI installer**.

Fake Windows Crypto Apps Spreading AppleJeus Malware

By Owais Sultan
SBOM or Software Bill of Materials implies a comprehensive inventory of all the constituent elements or components of the software.
This is a post from HackRead.com Read the original post: The Best Ways to Automate SBOM Creation

For the DevOps and software engineer, there’s nothing more important than having a safe and secure product. With **cybersecurity hacks** becoming more than a passing trend today, it has become imperative to take extreme steps to protect the software supply chain and its many components.

**Why is software cybersecurity important?**

The Software Development Life Cycle (**SDLC**) is a lengthy process. Given how fast-paced the world of software development is, it is common to have engineers use several other third-party sources and components to aid them rather than build everything from scratch.

This method is rather important for quick product and update delivery. However, the truth is that it exposes software to several corruptions and vulnerabilities, which, when exploited by hackers, become gaping security weaknesses that can compromise the entire project.

These vulnerabilities often exist for considerable dwell periods, such as in the case of the **SolarWinds hack**, before discovery. In the latter’s case, the vulnerabilities lay undiscovered for several months.

The respective hackers (**suspected Russians**) were only too glad to take advantage of the illegal backdoor to the software, stealing dollars worth of private and government data, including state secrets.

Upon discovery, the phenomenon shook the entire software industry, highlighting the importance of maintaining top-notch security practices throughout the development pipeline.

Since then, many standardized approaches have emerged. One essential way to protect your supply chain’s integrity is to assess the **SBOM**.

In this article, we’ll comprehensively examine the concept of SBOM and go on to explain the best ways to automate its creation.

Read on.

**What is SBOM?**

SBOM is an acronym for Software Bill of Materials. **Software Bill of Materials definition** implies a comprehensive inventory of all the constituent elements or components of the software.

In a non-software context, an SBOM can be likened to the ingredients that make up a canned good, including its source. Here, it would include the manufacturers of the can m, the farm where the raw ingredients were sourced, and so on.

An SBOM includes all third-party components used in software development, including code libraries, packages, patch status, dependencies, component version, license type, etc.

**What formats does the SBOM take?**

So vital is the data contained with SBOMs, particularly to mitigating the risk involved in cyberattacks, that the **US government has strict regulations** regarding it.

By law, software companies working with the government are required to provide a comprehensive SBOM in any one of three standardized formats.

These formats are identified by the NTIA (National Telecommunications and Information Administration) as methods for generating a comprehensive SBOM inventory list inclusive of software entities and related metadata.

Here are the three formats:

*   ●       OWASP Cyclone DX
*   ●       SPDX (Software Package Data Exchange)
*   ●       SWID (Standard for Software Identification)

The SPDX is an open standard for SBOM generation containing security references, copyrights, and software components.

On the other hand, the OWASP CycloneDX standard is used in generating inventories of third-party and proprietary software constituents for risk analysis. This makes it ideal for documenting information like firmware, libraries, containers, operating systems, frameworks, etc.

SWID is an ISO (International Organisation for Standardization) definition that consists of an XML file containing software components inventory such as patch statuses, licenses, and installation bundles.

> A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management.
> 
> CISA

**Why is it important to automate SBOM generation?**

SBOM formats are designed to be machine-readable. As they comprise so much data, the manual analysis, curation, and processing of this data is time-consuming.

Even the smallest software is often composed of several components. Culling an inventory of these constituents is a near-impossible task per manual execution.

As such, automating the process the crucial to generating SBOMs. This way, there will be better consistency in the change implementation after release. Additionally, it facilitates the digital cryptographic verification and signing of components by vendors. Besides, it ensures continuous scanning to generate SBOMs, inherently making them valuable to the Continuous Integration/Continuous Delivery pipeline.

Also, SBOM automation offers machine speeds, thus saving valuable time. Instead of devoting crucial hours to curating the inventory, your software organization can focus on effective deployment. Additionally, it becomes easy to flag and isolate the faulty component and run update scans for **risk mitigation if vulnerabilities are detected**.

**Methods for automating SBOM creation**

There are three common methods of automating SBOM creation:

**SCA tools**

SCA stands for **software composition analysis**. These tools automate SBOM creation by comprehensively analyzing third-party code integrity, license compliance, and software security.

The process is highly efficient, guarantees code integrity boosts productivity, and does not compromise security.

Some of the components that SCA tools investigate include the following:

*   ●       Binary files
*   ●       Manifest files
*   ●       Source code
*   ●       Container images.

SCA tools provide security and reliability by analyzing tons of data points. Today, they’re highly useful in the cloud niche.

**Use plugins**

Another way to generate SBOMs is to use plugins within the **CI/CD pipeline**. This involves creating and auditing SBOMs in the DevOps pipeline.

A common plugin is the CycloneDX maven plugin which generates comprehensive SBOMs based on various project dependencies.

To begin with, the pox.xml file will have to be configured, with the culmination of the process being a generation of a bom.json file.

Next, the inventory is audited by a Dependency-Check SCA tool, after which the SBOM is finally generated.

**Use Scribe**

Scribe is an all-in-one software supply chain tool that helps developers generate comprehensive SBOMs.

The tool provides end-to-end security as far as your **software supply chain** is concerned, with a steady assurance of quality and code integrity throughout the SDLC.

The generated SBOMs can be shared with your team and your vendors, granting unhindered insight into code tampering and vulnerabilities in your software project.

With Scribe, you get comprehensive visibility, actionable insights, evidence-based compliance, and code integrity validation.

**Conclusion**

SBOMs are indispensable as far as the software supply chain is concerned. They’re the link between software developers and their respective project dependencies.

Without the comprehensive outlines they provide, optimizing cybersecurity practices within the development pipeline will be impossible.

As such, it’s important to generate a standardized SBOM in the course of a project’s development. It’s more than just essential- it is a necessity.

1.  **Importance of Automation for Businesses**
2.  **Importance of Tax Automation in Digital Business**
3.  **How Automation Affects The Interpreting Services**
4.  **Software Tech – Amp Up Your Onboarding Experience**
5.  **Cybersecurity Automation: How Businesses Benefit From It**

The Best Ways to Automate SBOM Creation

By Habiba Rashid
The Andre-Mignot Hospital in Versailles, near Paris, had to cancel operations and transfer patients after being hit by a cyber attack.
This is a post from HackRead.com Read the original post: French Hospital Suspends Operations After Crippling Cyber Attack

Over the weekend, the Andre-Mignot Hospital in Versailles, near Paris, had to cancel operations and transfer patients after being hit by a cyber attack, France’s health ministry said on Sunday.

By Saturday evening, six patients had been transferred – three belonged to intensive care while the other three were from the neonatal unit – said the minister, Francois Braun, after visiting the hospital. He added that more might follow. 

The hospital experienced a complete “reorganization” due to the cyber attack, according to Braun. The regional health agency (ARS) said the hospital had canceled operations but was doing its best to keep walk-in services and consultations running. 

Extra staff was also called into the intensive care. Although the machines were still functioning, more people were needed to watch the screens since they were no longer working as part of a network. 

The Paris prosecutor’s office has opened a preliminary investigation into attempted extortion, as well as the access and maintenance of the state digital system after the hospital filed a formal complaint on Sunday. 

This cyber attack is not a standalone event since many hospitals and health systems in France have been targeted by threat actors for several months now. Braun stated that “the health system suffers daily attacks” in France but the “vast majority of these attempts are prevented”. 

**In August**, the Corbeil-Essonnes hospital on the outskirts of Paris – which provides healthcare for nearly 700,000 residents – was targeted.

Its operations were severely disrupted for several weeks before returning to normal in mid-October. On that occasion, the cyber attack was followed by a demand for $10 million, subsequently lowered to one or two million.

The hackers had set a September 23 deadline for the hospital to pay the ransom, after which they posted confidential data on patients and staff to the “**dark web**.”

1.  **Ransomware attack on hospital causes patient’s death**
2.  **Authorities bust ransomware gang planning to hit hospitals**
3.  **CISA warns of disruptive ransomware attacks on US hospitals**
4.  **Hacker demands ransom in BTC after taking over hospital servers**
5.  **Doctor says his laptop was hacked and led to Aleppo hospital airstrike**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.