By Waqas
Important to understand: Chess.com has not suffered a data breach.
This is a post from HackRead.com Read the original post: Hacker Leaks 800,000 Scraped Chess.com User Records

The scraped Chess.com data was leaked on Breach Forums on November 8th, 2023 by a threat actor operating under the alias ‘DrOne.’

A threat actor operating under the alias ‘DrOne’ has claimed responsibility for leaking the scraped database of Chess.com containing the personal data of more than 800,000 registered users.

Announcement on the Breach Forums (Screenshot credit: Hackread.com)

Chess.com is a highly popular online platform for chess enthusiasts and a social networking website. As of 2023, the platform boasts more than 150 million registered users, indicating that the leaked records account for approximately only 0.533% of the total user base.

The database was disclosed on November 8th, 2023 on Breach Forums, a well-known platform for hackers and cybercrime activities. Interestingly, this forum recently saw another threat actor leaking a **scraped database from LinkedIn** just a couple of days prior, which contained information from 25 million users.

****The Leaked Data****

After a comprehensive scan of the Chess.com database by Hackread.com, our analysis confirms the exposure of personal data from 828,327 registered users. The leaked information includes:

*   Full names
*   Usernames
*   Profile links
*   Email addresses
*   Users’ originating countries
*   Avatar URLs (containing profile pictures)
*   Universally Unique Identifier (UUID) and User IDs
*   Date of registration (with the most recent sign-up in September 2023)

If combined, the leaked information can serve as a treasure trove for cybercriminals. This data could be utilized for identity theft, phishing scams, social engineering attacks, or even to cross-reference previously leaked login credentials in order to obtain passwords.

Announcement from the leaked Chess.com data – Clicking on links would open the user profile and profile images (Screenshot credit: Hackread.com)

Fortunately, the leaked data does not include passwords. However, when Hackread.com attempted to sign up using the leaked email addresses, nearly every email address used prompted the message **_‘An account already exists with this email address.’_** This suggests that the leaked database contained valid and active email addresses associated with existing Chess.com accounts.

(Screenshot credit: Hackread.com)

****Web Scraping is Hard to Avoid/Block****

Web scraping or data scraping, is an automated process utilized by software to extract data from websites, primarily for gathering specific information from web pages. The process is almost impossible to block since Chess.com is a large website.

Large websites use a variety of measures to prevent scraping, such as rate limiting and captcha challenges. However, scrapers are constantly developing new techniques to circumvent these measures and some scrapers may collect the data for research purposes, such as to study social networks or to develop machine learning models.

****Chess.com and Cybersecurity****

This is not the first time Chess.com has made headlines for cybersecurity-related issues. **In February 2021**, a well-known ethical hacker, Sam Curry, discovered and reported a critical vulnerability within the platform. This flaw allowed the researcher to potentially access any account on the site, including the administrator account.

This new breach poses a significant threat to Chess.com users, potentially facilitating various scams such as identity theft and phishing. For Chess.com users, it is strongly recommended to change your password not only on the platform but also across any other online accounts where the same password is used.

Cybercriminals might deploy **phishing tactics**, sending emails with links leading to malicious websites mimicking Chess.com or other legitimate platforms. It is crucial to refrain from clicking on any such links. However, you can safely check the real URL by hovering over the link before clicking it.

_Hackread.com has informed Chess.com about the data leak. This article will be updated if the company responds._

****_RELATED ARTICLES_****

1.  **Hackers leak scraped data of 87,000 GETTR users**
2.  **Scraped data of 1.3 million Clubhouse users published online**
3.  **Twitter Scraping Breach: 209M Accounts Leaked on Hacker Forum**
4.  **API Misuse: Hacker Exposes 2.6M Duolingo Users’ Emails & Names**
5.  **Data scraping firm leaks 235m Instagram, TikTok, YouTube user data**

Hacker Leaks 800,000 Scraped Chess.com User Records

By Daily Contributors
By Liz Smith, Digital Marketing Consultant for Elsewhen – Digital technologies have transformed how we live, work, and…
This is a post from HackRead.com Read the original post: Opinion: The Pros and Cons of the UK’s New Digital Regulation Principles

_By Liz Smith, Digital Marketing Consultant for Elsewhen_ – Digital technologies have transformed how we live, work, and play. The UK government’s announced approach in October 2023, with its objectives and principles for digital regulation, is a commendable stride in this direction. However, like all regulatory propositions, it’s not without its merits and drawbacks.

****The Pros****

**1\. Encouraging Innovation:**  A central tenet of the UK’s approach is the promotion of innovation. By committing to minimise unnecessary regulatory burdens and considering non-regulatory measures first, the UK is sending a clear message to start-ups and scale-ups that they are a valued part of the ecosystem. This can position the UK as a hub for digital entrepreneurship.

**2\. A Holistic, Forward-Thinking Approach:**  The emphasis on achieving forward-looking and coherent outcomes acknowledges the fluid nature of digital technology. Addressing the root causes rather than merely the symptoms of digital challenges ensures that regulations remain relevant and effective as technology evolves.

**3\. Global Considerations:**  Digital technologies are borderless. By considering international commitments, regulations developed by other nations, and international interoperability, the UK is taking a step to ensure that its domestic policies align with global standards and trends.

****The Cons****

**1\. Potential for Ambiguity:**  While the vision is comprehensive, it can also be viewed as broad. Without explicit details on how certain trade-offs will be managed, businesses might find it challenging to anticipate the exact regulatory environment and make long-term decisions.

**2\. Balancing Innovation and Safety:**  The twin goals of promoting innovation and ensuring safety can sometimes be at odds. There’s a potential risk that in the bid to foster innovation, regulatory oversight might not be as stringent as needed, leading to unforeseen challenges down the line.

**3\. Risk of Overlapping Regulations:**  Though the aim is to ensure coherence and minimise overlaps, the interconnected nature of digital technologies means that there’s a risk of inadvertently creating overlapping or contradictory regulations, especially as technology continually evolves.

**In Conclusion**: The UK’s approach to digital regulation is a vital step towards shaping a future where digital technologies can thrive while ensuring the safety and security of its citizens. As with any regulation, its effectiveness will largely depend on its execution and adaptability. It’s vital for stakeholders, including businesses like ours at Elsewhen, to engage proactively with the government to refine and enhance these principles, ensuring a win-win for all.

_**Disclaime**r: The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of Elsewhen or any of its affiliates._

1.  **Top SEO Agencies in the UK: Expert Insights**
2.  **The 10 Best Cybersecurity Companies in the UK**
3.  **Navigating London’s Free Electric Car Charging Points**
4.  **The Evolution of Influencer Marketing in Manchester, UK**
5.  **SEO vs. PPC: Choosing the Right Strategy for Your Business**

Opinion: The Pros and Cons of the UK’s New Digital Regulation Principles 

By Waqas
Hive Ransomware had its infrastructure seized by the FBI and Europol back in January 2023.
This is a post from HackRead.com Read the original post: Hive Ransomware Resurfaces as Hunters International, Bitdefender Claim

Bitdefender researchers and the cybersecurity community speculate that Hunters International might be a revival or successor to the Hive Ransomware, especially in the absence of any reported arrests by the authorities.

Hive, one of the most notorious global ransomware operators, targeted over 1,300 companies and amassed $100 million in ransom payments. However, it was **dismantled** in January 2023 through a joint operation by the FBI and law enforcement agencies in the Netherlands and Germany.”

However, no arrests were made at the time due to the group’s covert, transnational operations. According to Bitdefender’s research, the group appears to have recommenced its activities under a new name, Hunters International.

Bitdefender’s **blog post** revealed that Hive’s leadership strategically ceased operations and transferred their remaining assets to Hunters International. This information was initially reported by security researcher @rivitna2 in a **post** on X (formerly Twitter) on October 20, 2023.

“#Hive is back! Now they are #Hunters International!”

Security researcher Will Thomas @BushidoToken also found startling similarities and code overlaps between both groups’ codes. Thomas **reportedly** found a 60% match between both sets.

“Ever since the takedown of Hive ransomware by the FBI, it seems the operators have been busy developing their next project: Hunters International. Multiple code overlaps and similarities link Hive and Hunters together, at least +60% match from my research 🔍 h/t @rivitna2.”

While these discoveries seem to confirm that Hunters International is a rebranded version of Hive, the group has refuted these assumptions in a surprising turn. Hunters International maintains that they are an independent entity formed after acquiring and rectifying Hive’s infrastructure and source code.

Their preference lies in data exfiltration rather than data encryption, and the dismantling of Hive provided them with the ideal opportunity to pursue this avenue.

“All of the Hive source codes were sold including the website and old Golang and C versions and we are those who purchased them,” the group stated.

Here’s what Hunters International had to say in response to claims made by researchers

This opportunistic group doesn’t focus on specific regions or industries. Primarily, they target victims in the United States, the UK, Germany, and Namibia including hospitals. The group employs a simplistic approach because it uses fewer command line parameters, has streamlined the process of encryption key storage, and their **preferred malware** is less verbose. 

The gang offer Ransomware-as-a-Service, using Rust language ransomware. Their approaches are rather unique as they don’t embed the encryption key in each file. Instead, they generate two key sets in memory for file encryption and store both as the encrypted drive’s root with a .key extension.

Their ransomware family, identified by Bitdefender’s flagship security platform GravityZone, was Trojan.Ransom.Hunters**.** Regarding their payment method, the victims have to access a chat portal using the credentials provided in the ransom note.

Ransom note from Hunters International 

Whether Hive has resurfaced as Hunters International or not, there’s no doubt that ransomware groups are constantly evolving and developing new techniques. Therefore, extended international cooperation and implementing strong cybersecurity measures are essential to mitigate the threats timely.

**_**RELATED ARTICLES**_**

1.  **FIN8 Resurfaces with New Sardonic Backdoor**
2.  **Mamba ransomware that encrypts entire hard drives resurfaces**
3.  **BBTok Malware Returns, Targeting Over 40 Banks in Brazil and Mexico**
4.  **US-Led Alliance of 40 Countries Unites to Combat Ransomware Threat**
5.  **RansomedVC Ransomware Quitting and Selling its Entire Infrastructure**

Hive Ransomware Resurfaces as Hunters International, Bitdefender Claim

By Waqas
OpenAI and ChatGPT began experiencing service outages on November 8th, and the company is actively working to restore full service.
This is a post from HackRead.com Read the original post: ChatGPT Down? OpenAI Blames Outages on DDoS Attacks

Is your ChatGPT down? Are you experiencing issues with ChatGPT, such as connectivity problems or encountering a ‘Network error on long responses’? – ChatGPT has been under a series of DDoS attacks, apparently orchestrated by Anonymous Sudan.

OpenAI’s ChatGPT, a popular AI-powered chatbot, has been experiencing outages for the past 24 hours due to distributed denial-of-service (DDoS) attacks. The company confirmed the attacks in a statement on its status website, saying that it is working to mitigate the attacks and restore full service.

> _“We are dealing with periodic outages due to an abnormal traffic pattern reflective of a DDoS attack. We are continuing to work to mitigate this.“_
> 
> OpenAI on Nov 08, 2023 – 19:49 PST

According to OpenAI CEO Sam Altman, as of this week, ChatGPT now boasts 100 million weekly active users. While this places ChatGPT as the most popular platform on the internet, it also renders it a lucrative target for cybercriminals and hacktivists.

OpenAI has not yet said when it expects the ChatGPT outages to be fully resolved. However, the company has assured users that it is working to resolve the issue as quickly as possible.

ChatGPT’s status page as of Nov 09, 2023

The ChatGPT outages have had a significant impact on users of the service. Many users have been unable to access ChatGPT at all, while others have experienced intermittent outages.

DDoS attacks are a type of cyberattack in which an attacker sends a large number of requests to a website or server in order to overwhelm it and make it unavailable to legitimate users. In the case of ChatGPT, the attackers are flooding the service with more requests than it can handle, causing it to go down.

****Anonymous Sudan Claims Responsibility****

_Hackread.com_ can confirm that the responsibility for the attacks on OpenAI’s infrastructure has been claimed by Anonymous Sudan. The group shared various screenshots on its Telegram channel, depicting examples where OpenAI’s website and ChatGPT’s dashboard experienced downtime or displayed various errors and connectivity issues.

The group further elaborated on their motives for targeting OpenAI and ChatGPT, highlighting the reasons behind their DDoS attacks on one of the most popular platforms globally. In a Telegram post, they stated that as they are specifically targeting American companies, OpenAI, being an American company, is naturally among their prime targets.

The group additionally cited another major reason for targeting OpenAI, pointing to its association with the state of Israel, its investment plans in Israel, and the recent meeting between OpenAI’s CEO, Sam Altman, and the Israeli Prime Minister, Benjamin Netanyahu. Emphasizing their support for the Palestinians, the group mentioned this as a significant rationale behind targeting OpenAI and ChatGPT.

For your information, Anonymous Sudan is a group of hacktivists who claim to be affiliated with the Anonymous collective. However, cybersecurity experts have cast doubt on these claims, suggesting that Anonymous Sudan may be a front for other Russian hacktivist groups.

Anonymous Sudan first emerged in January 2023, when they launched a series of DDoS attacks against Swedish and Danish organizations in response to the far-right activist Rasmus Paludan. In February 2023, Anonymous Sudan also **DDoSed Swedish SAS Airlines**.

The group has since claimed responsibility for a number of other DDoS attacks, including attacks against X (formerly Twitter), Microsoft, and other Western targets.

If you are a user of ChatGPT, there is not much you can do to prevent DDoS attacks. However, you can check the OpenAI status page for updates on the situation and to see if the service is available. You can also try accessing ChatGPT at different times of day, as the attacks may not be continuous.

**_RELATED ARTICLES_**

1.  **Hackers Target Israeli Rocket Alert App Users with Spyware**
2.  **10 Top DDoS Attack Protection and Mitigation Companies in 2023**
3.  **Google, Cloudflare and AWS Disclose Largest DDoS Attack in History**
4.  **Hackers Send Fake Rocket Alerts to Israelis via Hacked Red Alert App**
5.  **Researchers Leverage ChatGPT to Expose Notorious macOS Malware**
6.  **WormGPT – Malicious ChatGPT Alternative Empowering Cybercriminals**

ChatGPT Down? OpenAI Blames Outages on DDoS Attacks

By Deeba Ahmed
Palo Alto's Unit 42 Reveals Chinese APT Spying on 24 Cambodian Government Entities as Part of Long-Term Cyberespionage.
This is a post from HackRead.com Read the original post: Chinese APT Posing as Cloud Services to Spy on Cambodian Government

Cybersecurity researchers are confident that the targeted organizations are “still compromised” by “two prominent Chinese APT” groups.

Palo Alto Networks’ Unit 42 cybersecurity researchers have discovered that Chinese APT groups could be involved in a long-term espionage campaign against Cambodian government organizations using infrastructure masqueraded as cloud backup services.

According to the Unit 42 report, researchers noted network connections—specifically inbound connections—primarily originating from 24 Cambodian government organizations.

The researchers also believe that these organizations are ‘still compromised’ by ‘two prominent Chinese APT’ actors due to the infrastructure’s characteristics and the enduring persistence of these connections over several months.

It is worth noting that the certainty about the involvement of two **Chinese APT groups** stemmed from monitoring telemetry data, which established a clear link with these groups.

“We assess that these organizations are likely the targets of long-term cyberespionage activities that have leveraged this infrastructure for persistent access to government networks of interest,” said the Santa Clara, California-based cybersecurity giant.

These organizations were communicating regularly with the infrastructure between September and October 2023. Many of these organizations provided critical services to the following industries.

*   Politics
*   Commerce
*   Human rights
*   National defense
*   Election oversight
*   Natural resources
*   Telecommunications
*   National treasury and finance

The research emerged just days after **Canada banned the Chinese WeChat app** from all government devices due to spying concerns, prompting employees to promptly uninstall the application.

Researchers noted that organizations in these sectors could be targets of interest because of storing vast amounts of sensitive information, including financial data, classified government data, and PII (personally identifiable information) of citizens. They discovered at least six target-facing IP addresses used in the campaign, each hosting numerous subdomains. 

These domains were masqueraded as cloud storage services, which is the perfect alibi to create a sense of legitimacy to the unusually high traffic the server may observe during “high activity levels from the actor, such as data exfiltration from the victim network,” researchers wrote in their **blog post**.

Moreover, they had “high confidence” that these IP addresses served as the C2 infrastructure for the actor, and running the Cowrie honeypot on port 2222. Most likely, this honeypot was a cover to trick network defenders and security researchers investigating the “anomalous activity.”

In addition, they observed IP filtering on this infrastructure. It was used for blocking connections from IP ranges from known Palo Alto Networks several Big Tech and cybersecurity firms, and a number of VPS and cloud hosting providers. 

These C2 ports open only when the actor is active (between 08:30 and 17:30 UTC +08:00 (China Standard Time) on weekdays (Monday to Friday)) and remain closed otherwise. This means the actor is filtering connections to the malicious infrastructure to reduce the risk of C2 profiling by IP scanners or to evade detection.

Infrastructure overview of the Chinese APT groups (Unit42)

“This pattern might indicate the actor is attempting to avoid detection by blending into regular Cambodian business hours which are UTC +07:00.”

However, between September 29-October 8 2023, during China’s Golden Week and Special Working Days, the APT actors ceased their activity. This suggests that the attackers are based in **China** and following the country’s regular working hours, thus, validating Unit 42’s assessment regarding the attackers.

It is worth noting that Cambodia is **among** the signatories of the Chinese Belt and Road Initiative. The countries share strong economic and diplomatic relations. China has made significantly high investments to **modernize** Cambodia’s Ream Naval Base, despite that the project sparked **concerns** within the West. After completion, this base will become China’s first overseas outpost in Southeast Asia. This indicates that Cambodia is an important ally of China.

****_RELATED ARTICLES_****

1.  **Who Killed the IoT Zombie Mozi Botnet – China or India?**
2.  **Chinese Scammers Use Fake Loan Apps for Money Laundering**
3.  **Chinese Silent Skimmer Attack Hits Businesses in APAC and NALA regions**
4.  **Chinese Hackers Stole 60,000 US State Department Emails from Microsoft**
5.  **Chinese Smishing Triad Gang Hits US Users in Extensive Cybercrime Attack**
6.  **Chinese Hackers Stole Microsoft’s Signing Key to Breach Outlook Accounts**

Chinese APT Posing as Cloud Services to Spy on Cambodian Government

By Deeba Ahmed
esearchers have labeled this as the "ultimate cryptominer."
This is a post from HackRead.com Read the original post: Microsoft Azure Exploited to Create Undetectable Cryptominer

SafeBreach Labs’ researchers have successfully exploited MS Azure Automation Service to develop the first Free and Undetectable Cryptocurrency miner.

**Cryptomining** can cause harm if someone unauthorized does it on a regular person’s device. SafeBreach Labs found that researchers can use trustworthy, widely-used software to mine cryptocurrency without using many resources or incurring costs.

In a report shared with _Hackread.com_ ahead of publication on Wednesday, SafeBreach researchers demonstrated this by creating the first completely undetectable cryptominer that operates freely using Microsoft Azure’s Automation service. This service is specifically made to automate cloud-management tasks, eliminating the need for building or maintaining infrastructure. Users only need to provide the scripts for execution.

In a blog post by Ariel Gamrian, three methods for running a cryptocurrency miner on **Microsoft Azure** servers without detection or charges were discovered. SafeBreach Labs’ researchers referred to this as the ultimate cryptominer.

They found that the Azure automation service allows the uploading of custom Python packages, which are then utilized within the runbook scripts. Whenever a package is uploaded, the service silently installs it in the background to ensure successful installation and prevent runbook execution problems. The researchers from SafeBreach Labs exploited this behaviour to develop the cryptominer successfully.

“We knew that code could not be directly executed on a .whl file installation, but we could assume what command was used in the background for installation. We assumed the .whl file would be installed by the pip executable already installed in the Automation Account using the command “pip install “pip install <whl\_file>,” **explained** Gamrian.

“If our assumptions were correct, we could create a malicious package named “pip” and upload it to the Automation Account. The upload flow would replace the current pip in the Automation account.”

Once the custom pip was stored in the Automation account, the service automatically employed it whenever a package was uploaded. Leveraging this flow, the researchers managed to execute code. They ran this in a temporary sandboxed environment, obtaining an access token that represented the Automation Account’s assigned identity. This token allowed them to make requests on behalf of that identity, almost entirely obscuring any trace back to them.

Additionally, researchers found that they could achieve code execution by utilizing the Powershell module upload flow. This involved creating a Powershell module file containing the desired code for upload. While exploring the pricing, they discovered that the feature’s pricing details were not documented.

To determine the cost, they had to manually identify the code runtime and the associated flow cost. To test this, they initiated 55 import flows simultaneously, which theoretically accounted for approximately 10,000 minutes of runtime considering the three-hour import flow limitation.

A short demo about package upload shared by SafeBreach

After a month, they checked and found they were not charged anything, confirming that their developed cryptominer incurred no charges and was maintenance-free. Subsequently, they developed a tool named CloudMiner, enabling anyone to execute code for free on Azure using the same technique. Users only need to provide the Python or Powershell script they wish to execute and grant access to their Automation Account, and the tool will manage the rest.

CloudMiner in action (SafeBreach)

This research could significantly impact not only **crypto mining** but also other domains requiring code execution on Azure. Users can obtain cryptocurrency through various means, such as online exchanges, as payment, or by mining virtually.

Mining is a favoured method for earning crypto, involving a network of computers that verify and secure blockchains and digital ledgers recording crypto transactions. Miners are rewarded with new coins within this self-sustaining cycle, making it a preferred avenue for scammers.

The researchers reported their findings to the Microsoft Security Response Center, but no Common Vulnerabilities and Exposures (**CVEs**) were issued. However, the software company acknowledged the issue in their Security Researcher Acknowledgements for Microsoft Online Services. Subsequently, they addressed and resolved the Python 3.10 free runtime issue.

****_RELATED ARTICLES_****

1.  **Mirai botnet exploiting Azure OMIGOD vulnerabilities**
2.  **Sensitive source codes exposed in Microsoft Azure Blob account leak**
3.  **Researchers accessed primary keys of Azure’s Cosmos DB customers**
4.  **SolarWinds hackers accessed source code of Azure, Exchange, Intune**
5.  **240 top Microsoft Azure-hosted subdomains hacked to spread malware**
6.  **CISA’s Sparrow.ps1 tool detects malicious activity on Azure, Microsoft 365**

Microsoft Azure Exploited to Create Undetectable Cryptominer

By Waqas
BlueNoroff is a subgroup of the larger North Korean state-backed group called Lazarus.
This is a post from HackRead.com Read the original post: Lazarus-Linked BlueNoroff APT Targeting macOS with ObjCShellz Malware

The threat actor has a history of targeting cryptocurrency exchanges, venture capital firms, and banks.

Jamf Threat Labs’ security experts have discovered a new malware variant attributed to the BlueNoroff APT group. According to the company’s blog post published on 7 November 2023, this campaign, like BlueNoroff’s previous campaigns, seems to be financially motivated.

The threat actor has a history of targeting cryptocurrency exchanges, venture capital firms, and banks. BlueNoroff is a subgroup of the larger North Korean state-backed group called Lazarus.

The malware, dubbed ObjCShellz, is part of the RustBucket campaign, researchers believe. It is a later-stage malware variant of BlueNoroff’s RustBucket malware, because of their similar characteristics.

For your information, a later-stage malware is one that’s executed after the attacker has gained initial access and used for data exfiltration, lateral movement within the network, or maintaining persistence.

The malware was discovered while performing routine threat hunting. Further probing revealed that it was a Mach-O universal binary communicating with a domain (swissborgblog registered on May 31, 2023) that the company had previously classified as malicious because it was a fake version of the original domain (swissborg.com). The attackers created a **fake crypto exchange website** on this fake domain to trick users.

The malware is ad-hoc signed and can split its C2 URL into two different strings to evade detection. The IP address researchers detected (104.168.214151) was also linked to the same APT actor from their previous campaigns.

 “We have observed submissions to VirusTotal from countries such as Japan and the US in September and October” researchers noted in their **blog post**.

ObjCShellz is written in Objective-C, a programming language used for macOS applications. It is used as a macOS implant that establishes C2 communication after infiltrating the device and downloads/executes multiple payloads.

ObjCShellz is a lightweight malware featuring advanced obfuscation features. It operates as a simple remote shell and executes shell commands received from the C2 server. The malware sends a POST message to the fake URL version and gains information about the malware process before retrieving the operatingSystemVersionString to find out the macOS version.

Researchers could not determine how initial access was achieved. However, they are sure that this is a later-stage malware used in this multi-stage attack to run remote shell commands manually on Intel and Arm Macs.

The threat actor generally reaches out to victims as an investor or creates domains belonging to a legitimate crypto exchange. In this campaign too, the attacker contacts the victims as a head hunter or investor, offering them something beneficial or a partnership. Despite being simple, this malware is very functional and can allow threat actors to carry out a range of malicious objectives.

Hackread.com has observed a continuous surge in attacks against macOS devices and BlueNoroff’s **activities**. Earlier in November, Elastic Security Labs **detected** Lazarus group using a new macOS malware dubbed KandyKorn, targeting cryptocurrency users and blockchain engineers.

Back in 2021, AT&T Alien Labs researchers **discovered that** threat actors were harnessing malware-infected Macs and Windows devices as proxy exit nodes to reroute proxy requests. In December 2022, Kaspersky researchers **reported** that BlueNoroff is targeting cryptocurrency-related financial entities worldwide with new, sophisticated malware strains and 70 fake domains of venture capital firms and banks.

To protect against ObjCShellz malware, organizations must keep software and operating systems patched against new security flaws, use EDR (endpoint detection and response) solutions to monitor network activities, and employ network segmentation strategies to limit malware distribution by isolating critical systems.

Cybersecurity expert at the California-based **Menlo Security** browser security provider firm, Mr. Ngoc Bui, shared his findings on the BlueNoroff APT actor exclusively with Hackread.com. Bui noted that it has been active since 2016-2017 and its key targets are financial entities in Europe and North America. 

“BlueNoroff is a North Korean-backed advanced persistent threat (APT) group that has been active since at least 2016/2017. The group is known for targeting cryptocurrency exchanges, venture capital firms, and banks in North America and Europe,” explained Bui BlueNoroff’s attacks are typically financially motivated, and the group has been known to use a variety of malware and techniques to steal sensitive data and funds from its victims.”

About their malware RustBucket, Bui noted that this backdoor is written in rust and collects basic system details before contacting the C2. 

“RustBucket is a backdoor written in rust. The backdoor collects basic system information and communicates to the URL provided via the command line. Supported backdoor commands include file execution and exit. RustBucket is a malware campaign also attributed to BlueNoroff, first uncovered in 2021. It uses phishing emails posing as job recruiters to infect targets with backdoor malware that can steal data and remotely control infected systems,” Bui said.

Bui believes that Jamf Threat Labs’ discover holds significance because it highlights that the actor is continually improving its malware strains. 

“The discovery of the new malware strain by Jamf Threat Labs is significant because it shows that BlueNoroff is continuing to develop new and sophisticated malware. The fact that the malware was undetected by VirusTotal at the time of uploading suggests that BlueNoroff is taking steps to evade detection. For North Korea, this is a big deal if you have been following the different APTs and activities from that country.”

Bui noted that ObjCShellz is a big threat for macOS users “because it is disguised as legitimate software and can be difficult to detect. The malware can also steal sensitive data, such as cryptocurrency wallets and passwords. And a low detection rate means it may get past AV.”

Colorado-based cybersecurity advisory services provider **Coalfire**’s vice president Andrew Baratt told Hackread.com that it is hard to draw definite linkages between malware.

“It’s hard to really draw official linkages between malware that shares commonalities as many disparate threat actors borrow and steal from other malware campaigns. Copying legit sites is a fairly common tactic to evade detection on the C2 side of a malicious capability.” 

“We’ve been pointing out for some time that VirusTotal (VT) is only as good as its first observation time, and if malware authors are building up offline testing capabilities, the time it takes for detection is going to be much more significant. We also potentially have the signs of AI usage creeping into malware development,” said Baratt.

Historically, it can be seen in VT as it has been used as a test run for a piece of malware – as a cross over for detection -then multiple iterations are used until evasion is achieved. The challenge for the malware is that this creates a timeframe and VT, now owned by Google, has a window of advantage to do further analysis. If they’re using generative AI to help modify the malware, there is a real potential for new evasion techniques to be used with a reasonably high degree being under the purview of VT,” Baratt explained.

****_RELATED ARTICLES_****

1.  **MacStealer: A New Malware Targeting macOS Catalina Devices**
2.  **New macOS malware XcodeSpy found sneaking into spy on victims**
3.  **Linux, Windows and macOS Hit By New “Alchimist” Attack Framework**
4.  **Researchers Leverage ChatGPT to Expose Notorious macOS Malware**
5.  **UpdateAgent malware variant impersonates legitimate macOS software**

Lazarus-Linked BlueNoroff APT Targeting macOS with ObjCShellz Malware

By Waqas
Jamf Threat Labs’ security experts have discovered a new malware variant attributed to the BlueNoroff APT group. According…
This is a post from HackRead.com Read the original post: BlueNoroff APT Targets macOS with new RustBucket Malware Variant

Jamf Threat Labs’ security experts have discovered a new malware variant attributed to the BlueNoroff APT group. According to the company’s blog post published on 7 November 2023, this campaign, like BlueNoroff’s previous campaigns, seems to be financially motivated. The threat actor has a history of targeting cryptocurrency exchanges, venture capital firms, and banks. BlueNoroff is a subgroup of the larger North Korean state-backed group called Lazarus.

The malware, dubbed ObjCShellz, is part of the RustBucket campaign, researchers believe. It is a later-stage malware variant of BlueNoroff’s RustBucket malware, because of their similar characteristics. For your information, a later-stage malware is one that’s executed after the attacker has gained initial access and used for data exfiltration, lateral movement within the network, or maintaining persistence.

The malware was discovered while performing routine threat hunting. Further probing revealed that it was a Mach-O universal binary communicating with a domain (swissborgblog registered on May 31, 2023) that the company had previously classified as malicious because it was a fake version of the original domain (swissborg.com). The attackers created a fake crypto exchange website on this fake domain to trick users.

The malware is ad-hoc signed and can split its C2 URL into two different strings to evade detection. The IP address researchers detected (104.168.214151) was also linked to the same APT actor from their previous campaigns.

 “We have observed submissions to VirusTotal from countries such as Japan and the US in September and October” researchers noted.

ObjCShellz is written in Objective-C, a programming language used for macOS applications. It is used as a macOS implant that establishes C2 communication after infiltrating the device and downloads/executes multiple payloads. It is a lightweight malware featuring advanced obfuscation features. It operates as a simple remote shell and executes shell commands received from the C2 server. The malware sends a POST message to the fake URL version and gains information about the malware process before retrieving the operatingSystemVersionString to find out the macOS version.

Researchers could not determine how initial access was achieved. However, they are sure that this is a later-stage malware used in this multi-stage attack to run remote shell commands manually on Intel and Arm Macs.

The threat actor generally reaches out to victims as an investor or creates domains belonging to a legitimate crypto exchange. In this campaign too, the attacker contacts the victims as a head hunter.investor, offering them something beneficial or a partnership. Despite being simple, this malware is very functional and can allow threat actors to carry out a range of malicious objectives.

Hackread.com has observed a continuous surge in attacks against macOS devices and BlueNoroff’s activities. Earlier in November, Elastic Security Labs detected Lazarus group using a new macOS malware dubbed KandyKorn, targeting cryptocurrency users and blockchain engineers. Back in 2021, AT&T Alien Labs researchers discovered that threat actors were harnessing malware-infected Macs and Windows devices as proxy exit nodes to reroute proxy requests. In December 2022, Kaspersky researchers reported that BlueNoroff is targeting cryptocurrency-related financial entities worldwide with new, sophisticated malware strains and 70 fake domains of venture capital firms and banks.

To protect against ObjCShellz malware, organizations must keep software and operating systems patched against new security flaws, use EDR (endpoint detection and response) solutions to monitor network activities, and employ network segmentation strategies to limit malware distribution by isolating critical systems.

Cybersecurity expert at the California-based Menlo Security browser security provider firm, Mr. Ngoc Bui, shared his findings on the BlueNoroff APT actor exclusively with Hackread.com. Bui noted that it has been active since 2016-2017 and its key targets are financial entities in Europe and North America. 

“BlueNoroff is a North Korean-backed advanced persistent threat (APT) group that has been active since at least 2016/2017. The group is known for targeting cryptocurrency exchanges, venture capital firms, and banks in North America and Europe. BlueNoroff’s attacks are typically financially motivated, and the group has been known to use a variety of malware and techniques to steal sensitive data and funds from its victims.”

About their malware RustBucket, Bui noted that this backdoor is written in rust and collects basic system details before contacting the C2. 

“RustBucket is a backdoor written in rust. The backdoor collects basic system information and communicates to the URL provided via the command line. Supported backdoor commands include file execution and exit. RustBucket is a malware campaign also attributed to BlueNoroff, first uncovered in 2021. It uses phishing emails posing as job recruiters to infect targets with backdoor malware that can steal data and remotely control infected systems,” Bui explained.

Bui believes that Jamf Threat Labs’ discover holds significance because it highlights that the actor is continually improving its malware strains. 

“The discovery of the new malware strain by Jamf Threat Labs is significant because it shows that BlueNoroff is continuing to develop new and sophisticated malware. The fact that the malware was undetected by VirusTotal at the time of uploading suggests that BlueNoroff is taking steps to evade detection. For North Korea, this is a big deal if you have been following the different APTs and activities from that country.”

 Bui noted that ObjCShellz is a big threat for macOS users “because it is disguised as legitimate software and can be difficult to detect. The malware can also steal sensitive data, such as cryptocurrency wallets and passwords. And a low detection rate means it may get past AV.”

Colorado-based cybersecurity advisory services provider Coalfire’s vice president Andrew Baratt told Hackread.com that it is hard to draw definite linkages between malware.

“It’s hard to really draw official linkages between malware that shares commonalities as many disparate threat actors borrow and steal from other malware campaigns. Copying legit sites is a fairly common tactic to evade detection on the C2 side of a malicious capability.” 

“We’ve been pointing out for some time that VirusTotal (VT) is only as good as its first observation time, and if malware authors are building up offline testing capabilities, the time it takes for detection is going to be much more significant. We also potentially have the signs of AI usage creeping into malware development. Historically, it can be seen in VT as it has been used as a test run for a piece of malware – as a cross over for detection -then multiple iterations are used until evasion is achieved. The challenge for the malware is that this creates a timeframe and VT, now owned by Google, has a window of advantage to do further analysis. If they’re using generative AI to help modify the malware, there is a real potential for new evasion techniques to be used with a reasonably high degree being under the purview of VT,” Baratt stated.

BlueNoroff APT Targets macOS with new RustBucket Malware Variant

By Waqas
The hacker responsible for this leak is the same individual who previously leaked databases from InfraGard and Twitter.
This is a post from HackRead.com Read the original post: Hacker Leaks 35 Million Scraped LinkedIn User Records

The scraped LinkedIn database was leaked in two parts: one part contained 5 million user records, while the second part contained 35 million records.

A LinkedIn database, holding the personal information of over 35 million users, was leaked by a hacker operating under the alias USDoD. The database was leaked on the infamous cybercrime and hacker platform, **Breach Forums**.

It is important to note that USDoD is the same hacker responsible for breaching the FBI’s security platform InfraGard last year and disclosing the personal details of 87,000 of its members.

The hacker confirmed in a post on Breach Forums that the most recent LinkedIn database was obtained through **web scraping**. Web scraping is an automated process utilized by software to extract data from websites, primarily for gathering specific information from web pages.

The data was leaked in two parts (Screenshot: Hackread.com)

Regarding the contents of the data, as observed by _Hackread.com_, the database predominantly comprises publicly available information from **LinkedIn** profiles, containing full names and profile bios. Although the database contains millions of email addresses, it’s a relief to note that no passwords are included in the leaked data.

The screenshot below shows email addresses included in the breach belong to high-ranking US government officials and institutions. Additionally, email addresses from various government agencies worldwide have also been identified.

(Screenshot: Hackread.com)

****Legitimacy of LinkedIn Data: Authentic or Fraudulent?****

Troy Hunt of HaveIBeenPwned **analysed** over 5 million accounts from the database and concluded that it includes a mixture of information from various sources such as public LinkedIn profiles, fabricated email addresses, and other sources. Troy emphasizes that while some of the data might be anecdotal or partially fabricated, the people, companies, domains, and many email addresses are real.

_“_Because the conclusion is that there’s a significant component of legitimate data in this corpus, I’ve loaded it into HIBP,_“_ Hunt explained. _“_But because there are also a significant number of fabricated email addresses in there, I’ve flagged it as a spam list which means the addresses won’t impact the scale of anyone’s paid subscription if they’re monitoring domains._“_

The LinkedIn database has been identified and labelled as “scraped and fabricated data” on HIBP

This however is not the first time when LinkedIn’s scrapped database has been leaked online. In April 2021, a threat actor was selling 2 scraped LinkedIn databases with 500 million and 827 million records. In June 2021, a hacker sold a scrapped LinkedIn database containing data of 700 million users.

****_RELATED ARTICLES_****

1.  **Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack**
2.  **Twitter Scraping Breach: 209M Accounts Leaked on Hacker Forum**
3.  **API Misuse: Hacker Exposes 2.6M Duolingo Users’ Emails & Names**
4.  **Meta Fined €265 million in Facebook Data Scraping Case in the EU**
5.  **Data scraping firm leaks 235m Instagram, TikTok, YouTube user data**

Hacker Leaks 35 Million Scraped LinkedIn User Records

By Waqas
You reap what you sow!
This is a post from HackRead.com Read the original post: US Man Sentenced to Over 21 Years for Dark Web Distribution of CSAM

In April 2023, Austen Peppers from Lawton, Oklahoma, pleaded guilty to advertising and distributing child sexual abuse material (CSAM) on the dark web.

Austen Peppers, a 36-year-old resident of Lawton, Oklahoma, faced the gavel and received a sentencing of 21 years and 10 months in prison, followed by 15 years of supervised release. This judgment came after Peppers was **found guilty** in April 2023, of the advertising and distribution of child sexual abuse material (CSAM) on the dark web, as announced by U.S. Attorney Phillip A. Talbert.

The distribution of CSAM has emerged as a significant challenge for law enforcement, exacerbated by AI services capable of generating harmful images. Recently, the Internet Watch Foundation, a UK-based internet watchdog, **revealed that** cybercriminals are turning to generative AI platforms to create child sexual abuse material (CSAM).

The court documents unveiled a disturbing timeline spanning from March 2018 to August 2019, during which Peppers was involved in the sale and solicitation of images portraying minors subjected to sexual abuse. His transactions were executed in the shadows of the **dark web**, employing cryptocurrency, and utilizing platforms that he believed shielded him from law enforcement scrutiny.

Peppers also engaged in explicit conversations with individuals he believed were minors, persuading them to create sexually explicit self-images. Shockingly, Peppers accumulated an extensive library of thousands of images and videos depicting children suffering sexual abuse.

According to a **press release** from the US Department of Justice (DoJ),, Austen Peppers has been in confinement since his initial appearance in court on November 14, 2019. As part of the sentencing, Peppers was also directed to pay restitution of $57,000 to 19 victims who suffered due to his vile actions.

This case highlights the dangers posed by individuals utilizing the anonymity of the dark web for criminal activities, especially those exploiting and abusing minors. Engaging in illegal activities, particularly heinous crimes such as the distribution of CSAM, on the dark web is a serious offence that should be strictly avoided.

Hackread.com has consistently cautioned users about the dangerous nature of the illicit sections of the dark web, emphasizing the importance of refraining from engaging in unlawful actions while navigating its depths. To gain a deeper understanding of the potential risks and the activities that should be avoided on the dark web, you can explore further details **here**.

****_RELATED ARTICLES_****

1.  Dark Web’s worst pedophile sentenced to 32 years in prison
2.  NHS Psychiatrist Jailed; Dark Web Forum and 7,000 Images Seized
3.  Creators of dark web chat room arrested for facilitating child abuse
4.  210 days prison for crypto CEO who held 13k child abuse, beastiality files
5.  School Principal Gets 9 Years in Prison for Trading Nude Pictures of Students

Source

HackRead