By Waqas
It's crucial to note that this sale of compromised AnyDesk accounts isn't connected to the security breach incident disclosed by the company on February 2, 2024.
This is a post from HackRead.com Read the original post: Thousands of Stolen AnyDesk Login Credentials Sold on Dark Web

Cybersecurity researchers have identified multiple threat actors on a Russian language dark web forum actively selling AnyDesk accounts, ranging from 18,000 to 30,000 accounts.

On February 2, 2024, AnyDesk, a popular remote desktop application, disclosed a security breach incident involving unauthorized access to its production systems by unknown hackers.

Now, in its latest blog post published on Sunday, February 4, 2024, cybersecurity researchers at Resecurity disclosed alarming findings: multiple threat actors are selling compromised AnyDesk login credentials on both the clear web and the dark web.

It’s crucial to note that the sale of AnyDesk credentials on the dark web is separate from the recent security breach. According to Resecurity, the stolen login credentials being sold are a result of infostealing malware infecting PCs to harvest sensitive information.

This parallels a similar incident in June 2023, where hackers were found selling 100,000 ChatGPT login accounts. These accounts were obtained through devices infected with Raccoon, Vidar, and Redline malware worldwide.

According to Resecurity’s blog post, researchers have identified a threat actor operating under the alias “Jobaaaaa,” who has been observed selling 18,317 compromised AnyDesk accounts. These accounts are being offered for sale for $15,000 worth of Bitcoin (BTC) or Monero (XMR) cryptocurrency, with transactions facilitated through escrow services.

AnyDesk accounts being sold – Screenshot translated from Russian to English by Hackread.com using Yandex AI translator (Credit: Resecurity)

However, Alon Gal of Hudson Rock has countered Resecurity’s findings, stating that the threat actor is actually selling over 30,000 AnyDesk accounts. Despite this difference, the use of Escrow—a trusted third-party payment service—by the hacker adds a level of credibility to the offer.

These compromised AnyDesk accounts are being marketed on Exploitin, a cybercrime and hacker forum accessible on both the clear and dark web and primarily operating in Russian. This forum has gained notoriety for facilitating various cybercrimes, including exploiting vulnerabilities, selling databases, and leaking sensitive information.

Interestingly, it’s the same platform where administrators of the Genesis cybercrime market acknowledged the seizure of their clear web domain in April 2023.

****Timestamp Disaster****

Resecurity’s latest revelation centers on the timestamps related to the sale of compromised accounts. The timestamps visible on the shared screenshots illustrate instances of successful unauthorized access on February 3, 2024, after the disclosure of the security incident.

Furthermore, researchers have verified that the compromised accounts include those of both individual users and enterprises. This highlights the potential for a significant disaster for organizations and unsuspecting users if these accounts fall into the wrong hands. As a precautionary measure, it is crucial for all AnyDesk users, irrespective of their location, to promptly change their passwords.

The screenshot shared by the threat actor with Resecurity displays recent successful login sessions from the AnyDesk accounts currently being sold on the dark web forum.

****The potential impact****

The potential impact, whether on an individual or enterprise, would be devastating. Here’s what could happen if a functioning AnyDesk account for either an individual or an enterprise falls into the hands of a malicious threat actor:

****For Individual****

*   **Financial Loss:** Hackers could use stolen credentials to make fraudulent transactions, steal money from linked accounts, or commit financial extortion.
*   **Data Theft:** Personal data like documents, photos, and browsing history could be stolen and sold or used for identity theft.
*   **Identity Theft:** Hackers could impersonate the individual online or over the phone to steal their identity or commit other crimes.
*   **Reputational Damage:** Stolen accounts could be used to spread misinformation or engage in other harmful activities, damaging the individual’s reputation.
*   **Operational Disruption:** Individuals might lose access to important accounts or data if hackers change passwords or lock them out.

****For enterprises:****

*   **Financial Losses:** Businesses could suffer financial losses due to fraud, data breaches, and ransomware attacks.
*   **Data Theft:** Sensitive business data, trade secrets, and customer information could be stolen and sold or used for competitive advantage.
*   **Employee Impersonation:** Hackers could impersonate employees to gain access to sensitive systems or data.
*   **Reputational Damage:** Data breaches and other security incidents can damage a company’s brand image and customer trust.
*   **Operational Disruption:** Stolen credentials could be used to disrupt business operations, causing productivity loss and downtime.
*   **Ransomware Attacks:** Hackers could encrypt data and demand a ransom payment to decrypt it.

**What Should Victims Do?**

Here are some steps that individuals and enterprises can take to protect themselves:

*   **Change passwords immediately:** If you think your AnyDesk credentials might be compromised, change your password immediately and enable two-factor authentication if available.
*   **Be cautious of phishing emails:** Don’t click on links or open attachments in suspicious emails, even if they appear to be from AnyDesk.
*   **Report suspicious activity:** If you see any suspicious activity on your AnyDesk account, report it to AnyDesk immediately.
*   **Use strong passwords:** Use strong, unique passwords for all your online accounts, and avoid using the same password for multiple accounts.
*   **Enable two-factor authentication:** Two-factor authentication adds an extra layer of security by requiring a second factor, such as a code from your phone, to log in.
*   **Stay informed:** Keep yourself informed about the latest security threats and best practices.

Nevertheless, regardless of your location or whether you recently changed your AnyDesk account password, it’s critical to change the password once again immediately. The timestamps of login sessions from these accounts authenticate their legitimacy.

1.  **New Windows Infostealer ‘ExelaStealer’ Sold on Dark Web**
2.  **Thousands of Dark Web Posts Expose ChatGPT Abuse Plans**
3.  **360m WhatsApp Records Shared on Telegram and Dark Web**
4.  **Cloudflare Hacked After State Actors Leverages Okta Breach**
5.  **TeamViewer Used to Obtain Remote Access, Deploy Ransomware**

Thousands of Stolen AnyDesk Login Credentials Sold on Dark Web

By Deeba Ahmed
Another day, another security breach.
This is a post from HackRead.com Read the original post: AnyDesk Urges Password Change Amid Security Breach

AnyDesk users faced days-long login issues as the company investigated the problem in collaboration with cybersecurity firm CrowdStrike.

AnyDesk, a remote desktop software maker, has reportedly become a victim of a cyberattack that compromised its production systems, allegedly allowing hackers to access source code and private code signing keys.

It is worth noting that the company experienced a four-day outage from January 29th to February 1st 2024, affecting the users’ ability to log in to the AnyDesk client.

In its official advisory, Germany-based AnyDesk revealed discovering the attack after detecting signs of intrusion on its product servers. After a security audit, they activated a response plan in collaboration with CrowdStrike.

Media reports suggest that the attackers stole source code and code signing certificates; however, AnyDesk has not confirmed it yet. It has only confirmed that the incident was not a ransomware attack. 

AnyDesk responded to the incident by revoking all security-related certificates and systems replacing or remediating its systems. It also plans to revoke the previous code signing certificate for binaries with a new one.

Moreover, the company has revoked all passwords for its web portal (my.anydeskcom) too, as a precautionary measure. Relevant authorities have been notified of the breach as well.

Although AnyDesk states there is no evidence of any end-user systems affected it did not share the details on how the production system hacking occurred or regarding stealing of information and session hijacking. The company noted that it never stores private keys, security tokens, or passwords so end-users should not feel threatened by the breach.

“Our systems are designed not to store private keys, security tokens or passwords that could be exploited to connect to end-user devices. As a precaution, we are revoking all passwords to our web portal, my.anydesk.com, and we recommend that users change their passwords if the same credentials are used elsewhere,” AnyDesk’s advisory read.

Nevertheless, AnyDesk is urging users to change their passwords if reused on other online services and download the latest version AnyDesk 8.0.8, which has a new code signing certificate. It is still surprising because certificates are invalidated only when they have been compromised.

AnyDesk is a popular remote access solution for enterprise users, with over 170,000 customers including high-profile firms like Amedes, AutoForm Engineering, LG Electronics, Comcast, NVIDIA, 7-Eleven, Siemens, MIT, Samsung Electronics, Spidercam, Thales, and the United Nations.

Unfortunately, its wide reach and remote accessibility make it a popular tool among threat actors for gaining persistent access to breached devices and networks. In July 2021, Hackread reported seizing a fake call centre that had been scamming US citizens for seven months with employees posing as Amazon’s technical support team. The employees extorted Amazon users by claiming their Amazon IDs were hacked and tricked them into paying for fake ID repairs via the AnyDesk app.

1.  **Zoom Vulnerability Allowed Hackers to Take Over Meetings**
2.  **Cloudflare Hacked After State Actor Leverages Okta Breach**
3.  **TeamViewer Used to Obtain Remote Access, Deploy Ransomware**
4.  **Adobe Reset User Passwords as Precaution Against Data Breach Risk**
5.  **Microsoft Teams External Access Abuses to Spread DarkGate Malware**

AnyDesk Urges Password Change Amid Security Breach

By Waqas
The new variant of Mispadu Stealer was discovered by Palo Alto's Unit 42 researchers while investigating the Windows Defender SmartScreen vulnerability.
This is a post from HackRead.com Read the original post: Mispadu Stealer’s New Variant Targets Browser Data of Mexican Users

Originally, since 2019, Mispadu Stealer targeted Spanish- and Portuguese-speaking victims, but the new variant aims at URLs associated with Mexican citizens.

In a recent development reported by Unit 42 researchers, a new variant of the infamous Mispadu Stealer has emerged, targeting users primarily in Mexico with stealthy information-stealing techniques. The discovery shows the persistent evolution of this malware, showcasing its adaptability and the challenges it poses to cybersecurity efforts.

Initially identified in 2019, Mispadu Stealer has been a persistent threat, known for its stealthy operations primarily targeting Spanish- and Portuguese-speaking victims. The latest variant, however, demonstrates a high level of sophistication, specifically targeting regions and URLs associated with Mexican citizens.

The discovery of this new variant came as part of Unit 42’s Managed Threat Hunting initiative, while researchers were investigating the Windows Defender SmartScreen CVE-2023-36025 vulnerability.

This vulnerability, categorized as a security feature bypass within the Windows SmartScreen function, allows attackers to circumvent warnings and execute malicious payloads. Exploiting this vulnerability, the Mispadu Stealer variant was found to employ a crafty technique involving the creation of internet shortcut files (.url) or hyperlinks pointing to malicious files, effectively bypassing SmartScreen’s warnings.

One of the key findings in this investigation is the malware’s use of a parameter referencing a network share, which, when embedded in a .url file, directs victims to a threat actor’s network share to retrieve and execute the malicious payload without triggering SmartScreen warnings. This technique, while not limited to Mispadu Stealer, showcases the malware’s ability to adapt and evolve its tactics.

Further analysis of the new variant reveals a sophisticated operation that selectively targets victims based on their geographic location and system configurations. By querying the bias between the local time zone and UTC and performing checks based on the victim’s location, the malware ensures its execution primarily within specific regions, such as the Americas and certain parts of Western Europe.

Statistics of infected countries (Unit 42)

Once executed, the malware proceeds to interact with the victim’s browser history, extracting URLs and checking them against a targeted list. Notably, the malware employs encryption algorithms and techniques to evade detection, highlighting the evolving sophistication of its information-stealing capabilities.

The attribution of this new variant to previous Mispadu campaigns highlights the challenges in combating evolving cybersecurity threats. While similarities in tactics and infrastructure provide insights into the malware’s origins, the ever-changing nature of such threats demands a comprehensive approach to cybersecurity.

As Mispadu continues to evolve and target unsuspecting users, cybersecurity experts emphasize the importance of staying informed on the latest threat intelligence, deploying strong endpoint protection measures, and advocating a culture of cybersecurity awareness among employees and users. By adopting proactive measures and leveraging collective intelligence, organizations can better defend against emerging threats like the new variant of Mispadu Stealer.

1.  **Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks**
2.  **IBM X-Force Discovers Gootloader Malware Variant- GootBot**
3.  **Fake TeamViewer download ads distributing new ZLoader variant**
4.  **New Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs**
5.  **MidgeDropper Variant Hits Work-from-Home Employees on Windows**

Mispadu Stealer’s New Variant Targets Browser Data of Mexican Users

By Deeba Ahmed
CloudFlare Servers Were Hacked on Thanksgiving Day Using Auth Tokens Stolen in Okta Breach.
This is a post from HackRead.com Read the original post: Cloudflare Hacked After State Actor Leverages Okta Breach

The aftermath of the 2023 Okta breach continues to unfold, with Cloudflare disclosing the details of its security compromise.

Cloudflare, a globally renowned cloud services provider, experienced a security incident on Thanksgiving Day, 23 November 2023, allowing unauthorized access to their internal Atlassian server. The company confirmed no customer data or systems were affected by the intrusion, which was effectively blocked within 24 hours.

The investigation was concluded recently. According to the company’s blog post published on 2 February 2024, Cloudflare detected the breach on 24 November 2023 and the investigation was launched on 27th November in cooperation with CrowdStrike, called Project Code Red. 

Cloudflare’s systems were accessed by attackers using an access token and three service account credentials were stolen during a previous Okta breach in October 2023. The threat actor gained access to its Atlassian environment using stolen credentials, reportedly seeking information about Cloudflare’s global network’s architecture, security, and management. It is worth noting that Cloudflare’s Atlassian system is responsible for managing internal collaboration tools like Confluence and Jira. 

> _“The threat actor accessed Jira tickets about vulnerability management, secret rotation, MFA bypass, network access, and even our response to the Okta incident itself. The wiki searches and pages accessed suggest the threat actor was very interested in all aspects of access to our systems: password resets, remote access, configuration, our use of Salt, but they did not target customer data or customer configurations.”_
> 
> Cloudflare

Cloudflare discovered that a ‘nation-state attacker’ could be responsible for their server’s breach. However, the company did not share further details on the possible perpetrator. The attacker accessed its Confluence wiki, Jira bug database, and Bitbucket source code management system on 14 November 2023.

Cloudflare CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas stated that on November 22, hackers gained persistent access to their Atlassian server, source code management system, and console server.

They also unsuccessfully attempted to gain access to a data center in São Paulo, Brazil, which was not yet put into production by Cloudflare. As a precautionary measure, every piece of equipment at its Brazil data center was returned to manufacturers to ensure the facility was safe.

As for prevention, response measures from Cloudflare’s staff included rotating all 5,000 unique production credentials, physically segmenting test and staging systems, performing forensic triage on around 4,983 systems, and re-imaging and rebooting global network systems.

According to Cloudflare, this includes all Atlassian servers, including Bitbucket, Jira, and Confluence. Although all remediation efforts were completed by 5th January, Cloudflare is still actively focusing on software hardening, and credential and vulnerability management.

For your information, Okta, an identity and access management services provider, reported a data breach on 23 October 2023, allowing unauthorized access to files, including session tokens, which could be used for hijacking attacks.

The attacker compromised a stolen account between September 28 and October 17, 2023, to view, update, and extract sensitive data by accessing Okta’s support case management system. 

Okta’s chief security officer, David Bradbury, revealed that at least 134 customers were impacted by the breach and some files were HAR files containing session tokens, which could be used for session hijacking attacks.

Many firms have reportedly been targeted with stolen Okta credentials, Cloudflare being one of them. Previously, 1Password, one of Okta’s customers, reportedly was targeted. On September 29, 2023, 1Password detected suspicious activity where a threat actor used a stolen session token to access its Okta administrative portal.

1.  **10 Top DDoS Attack Protection and Mitigation Companies**
2.  **Whitehat hacker bypasses SQL injection filter for Cloudflare**
3.  **LAPSUS$ Hackers Hack Microsoft and Okta, Leak Trove of Data**
4.  **Google, Cloudflare, AWS Disclose Largest DDoS Attack in History**
5.  **Cloudflare Launches Android and iOS version of 1.1.1.1 DNS Service**

Cloudflare Hacked After State Actor Leverages Okta Breach

By Waqas
Anonymous Sudan alleges that the cyber attack they conducted has crippled the reservation system and other online assets of the targeted entity.
This is a post from HackRead.com Read the original post: Anonymous Sudan Claims DDOS Attacks on UAE’s Flydubai Airline

Anonymous Sudan claims responsibility for the cyber attack, citing their belief that the UAE is providing support to the Rapid Support Forces (RSF) in Sudan as their motive.

Anonymous Sudan, the pro-Palestinian and Russian hacktivist group, has taken credit for a series of Distributed Denial of Service Attacks (DDoS attacks) on Flydubai, an Emirati government-owned airline in Dubai, United Arab Emirates.

The group’s latest claim closely follows their January 16th, 2024 announcement of targeting Thuraya Mobile Satellite Communications Company, an international mobile-satellite service (MSS) provider based in Dubai, United Arab Emirates (UAE).

It is worth noting that in both cyber attacks, the motives revealed by Anonymous Sudan were the UAE’s apparent support to the Rapid Support Forces (RSF) for communication. Notably, RSF is a paramilitary force formerly operated by the Government of Sudan, accused by the hacktivists of committing war crimes against the Sudanese people.

The alleged cyber attack was announced on February 1, 2024, by the group through its official Telegram channel. Anonymous Sudan typically announces its attacks via Telegram, with no known website utilized by the group thus far.

> _“We have conducted a significant cyber attack on the digital infrastructure of FlyDubai. We have hit the most critical parts of FlyDubai’s digital infrastructure in one. We have confirmed that the network of Flydubai is completely disrupted. Attacks against the UAE will continue as they continue to support the genocidal Rapid Support Forces in Sudan. We therefore claim any damage to the overall health of FlyDubai systems and any collateral damage.”_
> 
> Anonymous Sudan

Despite Flydubai’s official website remaining online, Anonymous Sudan claimed in a subsequent message a few hours later that Flydubai’s infrastructure, including the reservation system, had been severely affected, leaving the airline’s website as the only functional asset.

However, Hackread.com’s attempt to book a ticket on Flydubai’s website proved successful. Here’s what Anonymous Sudan had to say on Telegram:

Anonymous Sudan on Telegram (Screenshot: Hackread.com)

Hackread.com has reached out to Flydubai for a comment, and should the company respond, we will update this article accordingly. Nevertheless, DDoS attacks have emerged as a significant concern for businesses of all scales. According to Kaspersky’s report, the DDoS economy is flourishing on the dark web, with an increasing number of cybercriminals setting their sights on critical infrastructure.

While there are DDoS attack-mitigating companies out there, the first line of defence is to secure your IoT devices from becoming a zombie for botnets utilized in such attacks. Therefore, whether you are an unsuspecting user at home or administering a large corporation, make sure your cybersecurity defences are as strong as possible.

****RELATED ARTICLES****

1.  **ChatGPT Down? OpenAI Blames Outages on DDoS Attacks**
2.  **Google, Cloudflare, and AWS Disclose Largest DDoS Attack**
3.  **Popular Swing VPN Android App Turned Out to be DDoS Botnet**
4.  **DDoS Attacks Soar by 168% on Govt Services, StormWall Warns**
5.  **IoT Botnet DDoS Attacks Threaten Global Telecom Sector, Nokia**

Anonymous Sudan Claims DDOS Attacks on UAE’s Flydubai Airline

By Waqas
The KV Botnet, a Chinese state-sponsored threat actor group gained widespread attention for compromising hundreds of U.S.-based small office/home office (SOHO) routers.
This is a post from HackRead.com Read the original post: FBI Disrupts Chinese State-Backed Volt Typhoon’s KV Botnet

Volt Typhoon, initially identified by both Microsoft and U.S. authorities, infiltrated a diverse range of critical infrastructure organizations within the country.

In a recent court-authorized operation conducted in December 2023, significant disruption was made to a botnet comprised of hundreds of U.S.-based small office/home office (SOHO) routers. These routers had been hijacked by state-sponsored hackers affiliated with the People’s Republic of China (PRC), a group known in private sectors as “Volt Typhoon.”

The operation targeted routers infected with the “KV Botnet” malware, which the hackers used to conceal the origin of their hacking activities directed against U.S. and other foreign targets.

Volt Typhoon attack diagram (Microsoft)

Identified by both Microsoft and U.S. authorities, Volt Typhoon, infiltrated a wide array of critical infrastructure organizations in the United States, including communications, manufacturing, utilities, transportation, construction, maritime, government, IT, and education.

The sophistication and dangers posed by the threat actors were also highlighted in a May 2023 advisory from the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and foreign partners.

The botnet primarily comprised Cisco and NetGear routers that had reached “end of life” status, meaning they were no longer supported by security patches or updates from their manufacturers. The operation aimed to remove the KV Botnet malware from these routers and sever their connection to the botnet, thereby preventing further exploitation.

In a press release, FBI Director Christopher Wray condemned the actions of the Volt Typhoon, noting the potential real-world threat their activities posed to the safety of American citizens and critical infrastructure. He underscored the FBI’s determination to thwart such malicious activities and work with partners to protect against cyber threats.

For additional insights, we reached out to Toby Lewis, Global Head of Threat Analysis at Darktrace, a leading provider of global cyber security artificial intelligence. Toby cautioned that while the botnet may be a thing of the past, the group behind it still exists and could potentially resurface with a fresh botnet.

“The actions by the US government have likely significantly disrupted Volt Typhoon’s infrastructure, but the attackers themselves remain free. Targeting infrastructure and dismantling attacker capabilities usually leads to a period of quiet from the actors where they rebuild and retool, which we’re probably going to see now,” said Toby.

“The government’s ambitious approach to mimic the attacker’s own command network is a win in the short term, but there is no way to guarantee that this has a lasting impact on the threat landscape,” Toby explained. “Organizations need intelligent systems which can detect subtle, emerging, and novel threats and take targeted action without relying on knowledge of the attacker’s specific systems,” he warned.

Nevertheless, the FBI provided notice of the operation to owners or operators of infected SOHO routers and encouraged them to replace end-of-life routers to prevent future exploitation. The investigation into the Volt Typhoon’s activities continues, with efforts ongoing to mitigate further cyber threats posed by the group.

****RELATED ARTICLES****

1.  **Chinese APT Posing as Cloud Services to Spy on Cambodia**
2.  **Chinese Hackers Stole 60K US State Dept Emails from Microsoft**
3.  **Chinese Smishing Triad Gang Hits US Users in Cybercrime Attack**
4.  **Chinese Scammers Exploit Cloned Websites in Gambling Network**
5.  **How Chinese Hackers Stole Signing Key to Breach Outlook Accounts**

FBI Disrupts Chinese State-Backed Volt Typhoon’s KV Botnet

By Deeba Ahmed
In this instance, the hackers were white hat; otherwise, things could have gone awry.
This is a post from HackRead.com Read the original post: Hackers Uncover Airbus EFB App Vulnerability, Risking Aircraft Data

Whitehat hackers from Pen Test Partners identified a critical issue in Airbus’ Flysmart+ Manager suite, which was remediated 19 months after the initial disclosure.

Cybersecurity researchers at penetration testing firm Pen Test Partners have been testing the security of various electronic flight bag (EFB), IoT and vehicle applications **for several years**. Due to their extensive research, a crucial issue was identified in the Flysmart+ Manager suite from Airbus and remediated 19 months after initial disclosure. 

**NAVBLUE**, an Airbus-owned IT services company, developed the Flysmart+ Manager app for iPad, which synchronizes and installs airline data into other apps, including EFBs. According to a report from Pentestpartners, this app has a disabled security control, allowing it to communicate with servers using insecure methods, potentially allowing an attacker to modify aircraft performance data or adjust airport information. 

For your information, Flysmart+ is a suite of apps for pilot EFBs. EFBs are crucial for storing critical flight data and information, but they can be exploited to disrupt operations or compromise aircraft systems. Airline EFBs can be exposed to untrusted networks due to known pilot layover hotels, and standard operating procedures may not detect tampering.

Research published on February 1, 2024, **reveals** that one of the suite’s iOS apps has intentionally got the App Transport Security (ATS) feature disabled. This issue exposes it to Wi-Fi interception attacks, potentially tampering with engine performance calculations, leading to tailstrike or runway excursion.

The app, Flysmart+, was previously disabled due to a lack of ATS protection, which prevents unencrypted communications. This vulnerability allows attackers to intercept and decrypt sensitive information in transit. Due to disabled ATS, insecure communication occurs, making the app susceptible to interception. An entry in the info.plist file allows insecure HTTP loads to any domain.

Airlines often use the same hotel for layover pilots, allowing attackers to modify aircraft performance data through targeted Wi-Fi networks. That’s because pilots in layover hotels can be easily identified, along with the airline and the suite of EFB apps they will likely use.

This helped Pen Test Partners to access data from NAVBLUE Servers, including SQLite databases containing aircraft information and take-off performance data (PERF), with specific table names.

Researchers downloading the data from data the NAVBLUE Servers (Screenshot: Pen Test Partners)

It is worth noting that database tables are crucial for aircraft performance, including the Minimum Equipment List (MEL) and Standard Instrument Departure (SID). Misunderstandings in MEL and SID can lead to safety issues, such as fuel starvation in the Gimli Glider. Confusion between units like US gallons, imperial gallons, litres, kilograms, and pounds can also cause safety problems.

> _“We’ve now worked on disclosures with Boeing, Lufthansa, and Airbus We’re really pleased that the vulnerability was successfully closed which is a win for aviation safety and security.”_
> 
> Antonio Cassidy – Pen Test Partners

The researchers shared the vulnerability report with Airbus on 28 June 2022 and the next day Airbus confirmed the issue. By 25th July 2022, the company had replicated the issue and promised a fix for the next version of Flysmart+ by the end of 2022.

On 22 February 2023, the Airbus VDP team confirmed fixing the issue in the latest version of Flysmart+, and the mitigation measure was communicated to customers on 26th May 2023. The findings were presented at DEF CON 31 in Las Vegas in 2023, as well as at the Aerospace Village and Aviation ISAC in Dublin.

1.  **Reporter Gets His Email Hacked on The Plane**
2.  **Warning as small planes found vulnerable to hacking**
3.  **Smart alarm flaw let hackers track and turn off car engine**
4.  **Smartwatch flaw lets hackers overdose dementia patients**
5.  **Critical Flaws Found in Devices That Provide WiFi on Airplanes**

Hackers Uncover Airbus EFB App Vulnerability, Risking Aircraft Data

By Deeba Ahmed
Ripple’s co-founder Chris Larsen has acknowledged that his personal XRP wallet was hacked.
This is a post from HackRead.com Read the original post: Ripple Co-Founder’s Personal XRP Wallet Breached in $112 Million Hack

Ripple CEO Brad Garlinghouse has also confirmed that the XRP wallet belonging to Ripple’s co-founder, Chris Larsen, was indeed hacked emphasizing that this incident was isolated and did not constitute a breach of Ripple as a cryptocurrency asset.

Another day, another shock for the cryptocurrency industry. Unknown hackers have successfully managed to steal $112 million worth of **XRP**, Ripple’s native token, in a recent hacking incident.

As a result of speculations surrounding the hacking, **Ripple’s XRP token** fell over 4% to $0.50. However, reports suggest the funds were stolen from Ripple co-founder Chris Larsen’s personal wallet and not from cryptocurrency firm Ripple itself.

According to Ripple’s co-founder Chris Larsen’s **post** on X (Twitter), on Tuesday (30th January 2024) unauthorized access to some of his “personal XRP accounts (not Ripple)” occurred. He categorically denied attackers targeting any of Ripple network’s accounts.

Ripple CEO Brad Garlinghouse clarified that the incident was an individual security breach and should not be considered a Ripple security breach.

“Given some irresponsible speculation and reporting, I want to reiterate that NO Ripple-managed wallets were compromised. Full stop,” Garlinghouse **noted**.

Larsen confirmed that most affected funds were converted out of XRP and that nearly all funds were frozen. He has taken the law enforcement agencies on board to pursue the remaining funds aggressively.

Larsen posted this confirmation after crypto sleuth and blockchain analyst ZachXBT **announced** on X that Ripple was hacked for approximately 213 million XRP. ZachXBT, who broke the news first on social media, reported that stolen XRP funds have been laundered through various crypto exchanges and platforms, including MEXC, Gate, Binance, Kraken, OKX, HTX, and HitBTC.

The exact method of hacking is still being probed, however, experts believe that Larsen’s private keys may have been compromised. XRPScan’s on-chain data analysis **revealed** that the hacked wallet, called Ripple (50), was activated by another wallet called “FundingWallet1” on 5th November 2018. This second wallet was previously activated by Larsen on 6th February 2013, a month after creating his account,”~chrislarsen.”

Binance is aware of the incident and is supporting the investigation, as per its spokesperson Simon Matthews, while Kraken’s representative Megan Thorpe claims they have engaged their incident response team to prevent such incidents.

For your information, Ripple, formerly called RippleNet, is a real-time gross settlement system, currency exchange, and remittance network established in 2012. The network recently launched the enhanced Ripple Payments solution and promotes itself as a reliable payments and enterprise infrastructure provider boasting a market capitalization of $27.4 billion.

Lately, cryptocurrency wallets have been a preferred target among cyber criminals. Mark Cuban, a renowned TV personality, investor, and billionaire, was earlier **targeted** in a hack attack, resulting in the draining of all funds (around $900,000 worth of crypto) from his inactive wallet “mcuban” on OpenSea.

The cryptocurrency community is concerned about individual wallet security and potential targeted attacks, underscoring the need for responsible digital asset management and vigilance against evolving cyber threats.

Leading blockchain cybersecurity firm, Immunefi’s November 2023 report **revealed** startling figures with cryptocurrency losses exceeding $1.75 billion due to hacks and rug pull attacks. The company reported 296 incidents, resulting in $1,753,707,812 in losses year-to-date.

****_RELATED ARTICLES_****

1.  **Trezor Data Breach Exposes Email and Names of 66,000 Users**
2.  **YouTube Crypto Con: Scammers Rake in $600K with Deepfakes**
3.  **Inferno Drainer Phishing Nets Scammers $80M from Crypto Wallets**
4.  **Hackers Stole $59 Million of Crypto Via Malicious Google and X Ads**
5.  **SEC Twitter Account Hacked, Spreads Fake News About Bitcoin ETFs**

Ripple Co-Founder’s Personal XRP Wallet Breached in $112 Million Hack

By Deeba Ahmed
The Ivanti VPN vulnerabilities have plunged into a black hole.
This is a post from HackRead.com Read the original post: Ivanti VPN Flaws Exploited to Spread KrustyLoader Malware

Hackers exploit zero-day vulnerabilities in Ivanti VPN, deploying malware and cryptocurrency miners, with targets including Fortune 500 firms, gov’t agencies, and defence contractors.

Cybersecurity concerns are rising as hackers try to exploit zero-day vulnerabilities in Ivanti VPN devices to deploy malware and cryptocurrency miners. The vulnerabilities, identified as CVE-2023-46805 and CVE-2024-21887 were discovered in Ivanti Connect Secure (ICS) and Ivanti Policy Secure Gateway appliances, allowing attackers to execute arbitrary commands remotely on targeted hosts to load a Rust-based malware named KrustyLoader.

“Vulnerabilities have been discovered in Ivanti Connect Secure (ICS), formerly known as Pulse Connect Secure and Ivanti Policy Secure gateways. These vulnerabilities impact all supported versions – Version 9.x and 22.x,” Ivanti confirmed in a recent advisory.

CVE-2023-46805 is an Authentication Bypass flaw with a CVSS score of 8.2. It allows a remote attacker to bypass control checks in the web component of Ivanti ICS 9.x, 22.x, and Ivanti Policy Secure.

CVE-2024-21887, is a command injection vulnerability, with a CVSS score of 9.1. It is discovered in Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure web components, and allows an authenticated administrator to exploit Ivanti appliances by sending crafted requests and executing arbitrary commands.

Targets include global small to large businesses, including Fortune 500 companies, government departments, telecommunications, defence contractors, technology firms, banking, finance, accounting institutions, consulting services, and aerospace entities.

The issues were first reported by Volexity, according to which these vulnerabilities have been exploited as zero-days as early as 3 December 2023. They identified a Chinese threat actor named UTA0178 (tracked by Mandiant as UNC5221) to be responsible for this exploitation. Volexity was alerted after discovering an attacker executing webshells on multiple internal and external-facing web servers.

The company launched an investigation and discovered over 2,100 compromised Ivanti Connect Secure VPN devices using the GIFTEDVISITOR webshell in December 2023. A new scan in January 2024 revealed 368 more compromised devices.

Researchers inspected a compromised Connect Secure VPN appliance and found that UTA0178 made modifications to the in-built Integrity Checker Tool, causing the tool to report no new or mismatched files.

Synacktiv researcher Théo Letailleur conducted an extensive probe and discovered that threat actors are exploiting Ivanti zero-days to install an XMRig cryptocurrency miner and execute a Golang-based Sliver backdoor from a remote server.

KrustyLoader served as a loader to download/execute Sliver on compromised hosts. Since it is based on Rust language, it is challenging to fully comprehend the malware’s behaviour.

Bishop Fox’s Sliver is a post-exploitation toolkit designed for cybercriminals to maintain control over compromised systems. It gained popularity among cybercriminals in 2023 after law enforcement attempted to shut down ‘cracked’ versions of Cobalt Strike.

The backdoor offers extensive functionalities, including network spying, command execution, loading reflective DLLs, and spawning sessions. Synacktiv reports that all samples download Sliver from different URLs, and establish a connection with the C2 using HTTP/HTTPS communication.

Ivanti’s advisory suggests that if CVE-2024-21887 and CVE-2023-46805 are used together, an attacker can send malicious requests to unpatched systems without authentication, allowing arbitrary command execution.

Ivanti and Mandiant are working to address over 2100 system compromises, and a patch was scheduled for January 30. However, no patch is currently available.

****_RELATED ARTICLES_****

1.  **Critical Flaws Found in GNU C Library, Major Linux Distros at Risk**
2.  **Excessive Expansion Flaws Leave Jenkins Servers Open to Attacks**
3.  **Critical “PixieFail” Flaws Expose Millions of Devices to Cyberattacks**
4.  **TeamViewer Exploited to Obtain Remote Access, Deploy Ransomware**
5.  **Windows Defender SmartScreen Flaw Exploited with Phemedrone Stealer**

Ivanti VPN Flaws Exploited to Spread KrustyLoader Malware

By Waqas
Imagine you’re on a boat, navigating through the ever-changing waters of the tech world. SaaS applications are like…
This is a post from HackRead.com Read the original post: Securing Your SaaS Landscape: Closer Look at Disaster Recovery, Posture Management

Imagine you’re on a boat, navigating through the ever-changing waters of the tech world. SaaS applications are like the currents – powerful and essential, but if you lose control, you’re steering towards a disaster. That’s where understanding the importance of ITDR comes into the picture.

As we delve deeper into the age of digital transformation, our reliance on Software as a Service (SaaS) applications skyrockets, making the traditional disaster recovery plans somewhat obsolete. We find **ITDR** sitting snugly in the middle of the equation, as it evolves into something more dynamic that can sustain the pace of SaaS expansion.

****The Challenge of Security Configurations Amid SaaS Diversity****

Every **SaaS application** comes with its own set of rules, and when you’re juggling multiple, it’s like trying to understand different dialects of the same language. It can be overwhelming. The problem here isn’t just the number of security settings but ensuring they sing the same tune.

Imagine one app demands a strong password that changes monthly, while another seems perfectly content with ‘password123’ forever. This jarring inconsistency can make the entire IT infrastructure susceptible to cyber threats, much like a fortress with one unguarded gate.

To further decode the dialects of SaaS applications, companies need to establish a centralized security configuration protocol. This strategy needs to be broad enough to accommodate various SaaS applications yet specific enough to maintain stringent security standards.

It’s akin to developing a universal translator that can seamlessly interpret and secure the flow of data and user access across different platforms. Such centralized command ensures a uniform security posture that is both agile and robust, mitigating risks proactively.

****Adapting Security Measures for Enhanced SaaS Management****

Staying ahead of the game is not just about having a good defence but also about being nimble and preemptive. The key lies in developing an **adaptive security strategy** that evolves with both the changing threat landscape and advancements in SaaS offerings.

An organization practising proactive **SaaS security** posture management can be likened to a chess player, anticipating moves and strategizing in advance. They’re not just reacting to threats; they’re preventing them from materializing, thus safeguarding their virtual ‘kingdom’ from potential breaches and data loss incidents.

****Boosting Cloud Defence Through SaaS Security Reinforcements****

Did you know that SaaS applications often come equipped with an arsenal of security features? That’s right, like hidden treasures waiting to be discovered and utilized. To fully harness these protective measures, regular audits and updates are essential.

It’s a matter of tailoring these features to fit your organization’s unique needs and bolstering your overall cloud security posture. It’s like fortifying a castle – you want to make sure every tower is manned, every gate reinforced and every drawbridge functional, to withstand the **sieges of cyber threats**.

****Staying Secure in the Fast Lane of SaaS Adoption****

As your organization speeds along the SaaS highway, with applications being added to your convoy regularly, how do you maintain oversight without slowing down? The answer is twofold: one part policy, one part flexibility. Consider every new SaaS addition as a new member of your fleet.

They need to understand the convoy rules (security policies) but there has to be room for manoeuvre (flexibility), enabling them to adapt to the changing traffic conditions (business needs) without causing a pile-up (**security breach**). Striking this balance is crucial for a seamless and secure journey.

So, while navigating this vast sea of SaaS applications might seem daunting with security risks lurking below the surface, realizing the importance of ITDR and a solid SaaS security posture management strategy can keep your organizational ship afloat and cruising confidently toward its goals.

****_RELATED ARTICLES_****

1.  **Advertising Strategies For PaaS Services**
2.  **SaaS Security Best Practices: Safeguard Consumer Data**
3.  **SaaS Security Guide: How to Protect Your SaaS Business**
4.  **The Role of Software Escrow in Mitigating Business Risks**
5.  **15 Best SaaS SEO Experts That Will Help You Dominate Online**

Source

HackRead