By Deeba Ahmed
FortiGuard Labs’ latest research report reveals a concerning trend: threat actors are leveraging the Python Package Index (PyPI),…
This is a post from HackRead.com Read the original post: Crypto Stealing PyPI Malware Hits Both Windows and Linux Users

FortiGuard Labs’ latest research report reveals a concerning trend: threat actors are leveraging the Python Package Index (PyPI), an open repository for Python\-developed software packages, to upload malware-infected packages. This exploitation of PyPI’s infrastructure poses significant risks to users.

FortiGuard Labs team recently identified a PyPI malware author, “WS,” uploading malicious packages to PyPI, estimating over 2000 potential victims. The identified packages, including nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111, show attack methodologies that resemble the attacks identified by Checkmarx in 2023.

These packages contain base64-encoded Python scripts, which are executed depending on the victim’s operating system. The packages deploy Whitesnake PE malware on Windows devices or a Python script to steal information from Linux devices.

What’s interesting in this scheme is that Python scripts are using a new method to transmit stolen data, using a range of IP addresses as the destination instead of a single fixed URL. This helps ensure successful data transmission even when one server fails.

Recently identified packages primarily target Windows users, whereas previous ones targeted both Linux and Windows users. The objective is to exfiltrate sensitive information from victims.

The Whitesnake PE payload is a Python-compiled executable created using the PyInstaller tool, displaying an incomplete script file ‘main.pyc’ and another file ‘addresses.py.’ This is rather suspicious. ‘Main.pyc’ is clandestine code that copies itself to the Windows startup folder for autorun, probes logical drives, and monitors the count of running instances.

It also retrieves clipboard contents and compares them against predefined cryptocurrency address patterns, prompting it to overwrite the clipboard with corresponding addresses from ‘addresses.py’, potentially deceiving victims into directing cryptocurrency transactions to an unexpected destination.

The payload, an encrypted.NET executable launches an invisible window right after its installation and adds itself to Windows Defender‘s exclusion list. It then creates a scheduled task to run every hour on the compromised device. The task connects a malicious IP to a client using “socket.io” and collects sensitive user data, including IP address and host credentials.

The payload captures wallet and browser data and sends it to a suspicious IP address via a remote server as a.zip file with multiple encryption layers, which the attacker extracts and exfiltrates. Debugging revealed strings that indicated information stolen from a wide range of devices, such as cryptocurrency services, applications, and browsers.

Timeline of the malicious PyPI packages published by “WS” (Screenshot: Fortinet Labs)

The research reveals how easily a single malware author can distribute multiple info-stealing packages into the PyPI library, highlighting the need for vigilance when using open-source packages.

“Information-stealing malware is an increasingly pertinent and pressing subject. Safeguarding against such persistent adversaries demands a strategic and forward-thinking approach to fortify your defences,” FortiGuard Labs researchers concluded.

****_RELATED ARTICLES_****

1.  **Luna Grabber Malware Hits Roblox Devs Through npm Packages**
2.  **6 official Python repositories plagued with cryptomining malware**
3.  **GitHub Abused to Spread Malicious Packages on PyPI in Image Files**
4.  **NPM Typosquatting Attack Deploys r77 Rootkit via Legitimate Package**
5.  **FortiGuard Labs Uncovers Series of Malicious NPM Packages Stealing Data**

Crypto Stealing PyPI Malware Hits Both Windows and Linux Users

By Waqas
Soap2day: From Ashes to Pixels - The Curious Case of a Streaming Phoenix.
This is a post from HackRead.com Read the original post: New Soap2day Domains Emerge Despite Legal Challenges

Soap2day permanently shut down in June 2023 – While the official site and its major mirror sites closed down, it seems like some copycats or imitators have emerged using new domains to offer similar illegal streaming services.

Soap2day, the once-infamous haven for free movie and TV show streaming, met its apparent demise in June 2023. Legal pressure and a barrage of copyright infringement takedowns seemingly snuffed out the life of this unauthorized streaming giant. But just like a phoenix rising from the ashes, Soap2day has begun to flicker back to life under new guises, leaving users and authorities alike scratching their heads.

The original Soap2day was a hydra of sorts, with countless mirror sites popping up as fast as the old ones were shut down. This online game of whack-a-mole frustrated content creators and copyright holders for years. However, a coordinated takedown effort in mid-2023 seemed to deal a decisive blow, leaving behind a digital graveyard of dormant URLs.

This was the goodbye message from Soap2day (Screenshot credit: Hackread.com)

But death, it seems, can be temporary in the ever-evolving web. New domains bearing the Soap2day name have started surfacing, offering the same illicit library of movies and TV shows.

These digital doppelgangers appear disconnected from the original operators, possibly opportunistic copycats eager to fill the void left in the streaming underworld. Some of these new domains, like **Soap2day.rs**, **Soap2day.day**, and **Soap2day.store**, are easily accessible through Google. They offer access to thousands of recently released content for free.

The screenshot shows 2 of the new Soap2day domains currently online (Screenshot credit: Hackread.com)

However, there is no such thing as a free lunch. Online streaming services are infamous for phishing users or even dropping malware through pop-up bombardment. The risks are far greater than the potential benefits, making it not worth it. Therefore, engaging with these copycat sites exposes users to a plethora of dangers, including:

*   **Privacy violations:** Dodgy data practices are often rampant on such sites, putting your online privacy at risk.
*   **Malware and phishing attacks:** Disguised software installs and fraudulent links can lurk within these illegal platforms, jeopardizing your device and personal information.
*   **Legal repercussions:** Accessing copyrighted content illegally can lead to hefty fines and legal consequences in many countries.

So, why take the risk when a plethora of legal alternatives exist? Streaming platforms like Netflix, Hulu, and Disney+ offer vast libraries of content for a reasonable price. Additionally, numerous free, legal options like Tubi TV and Crackle provide access to movies and TV shows without compromising your security or wallet.

Here is a detailed list of legal and free online streaming services for movies and TV shows. Remember, using legal platforms not only ensures a safer and more reliable experience but also supports the entertainment industry and content creators.

The Soap2day saga highlights the ephemeral nature of illegal streaming sites. Their days are numbered, yet copycats will always appear, and the risks associated with them far outweigh the fleeting satisfaction of pirated content. Choose legal and safe alternatives, and enjoy your favourite shows and movies with peace of mind.

1.  **Streaming site 123movies has been shut down**
2.  **Fake streaming sites using Star Wars as bait to spread malware**
3.  **Poker player jailed for illegal video streaming, downloading sites**
4.  **Adult streaming site CAM4 leaks 7 TB of data with 11 billion records**
5.  **Police shut down illegal video streaming app Mobdro with 100M users**
6.  **US COVID-19 relief bill to make copyrighted content streaming a felony**

New Soap2day Domains Emerge Despite Legal Challenges

Mexican financial institutions are under the radar of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT.
The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin American-based financially motivated threat actor. The campaign has been active since at least 2021.
"Lures use Mexican Social

Malware / Software Update

Mexican financial institutions are under the radar of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT.

The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin American-based financially motivated threat actor. The campaign has been active since at least 2021.

"Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process," the Canadian company said in an analysis published earlier this week.

"The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud."

The attacks appear to be designed to particularly single out large companies with gross revenues over $100 million. Targeted entities span retail, agriculture, public sector, manufacturing, transportation, commercial services, capital goods, and banking sectors.

The infection chain begins with a ZIP file that's either distributed via phishing or a drive-by compromise, which contains an MSI installer file that drops a .NET downloader responsible for confirming the Mexican geolocation of the victim and retrieving the altered AllaKore RAT, a Delphi-based RAT first observed in 2015.

"AllaKore RAT, although somewhat basic, has the potent capability to keylog, screen capture, upload/download files, and even take remote control of the victim's machine," BlackBerry said.

The new functions added to the malware by the threat actor include support for commands related to banking fraud, targeting Mexican banks and crypto trading platforms, launching a reverse shell, extracting clipboard content, and fetching and executing additional payloads.

The threat actor's links to Latin America come from the use of Mexico Starlink IPs used in the campaign, as well as the addition of Spanish-language instructions to the modified RAT payload. Furthermore, the lures employed only work for companies that are large enough to report directly to the Mexican Social Security Institute (IMSS) department.

"This threat actor has been persistently targeting Mexican entities for the purposes of financial gain," the company said. "This activity has continued for over two years, and shows no signs of stopping."

The findings come as IOActive said it identified three vulnerabilities in the Lamassu Douro bitcoin ATMs (CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177) that could allow an attacker with physical access to take full control of the devices and steal user assets.

The attacks are made possible by exploiting the ATM's software update mechanism and the device's ability to read QR codes to supply their own malicious file and trigger the execution of arbitrary code. The issues were fixed by the Swiss company in October 2023.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

AllaKore RAT Malware Targeting Mexican Firms with Financial Fraud Tricks

By Uzair Amir
While cybercriminals create their toolbox, as a user you should also keep yourself ready for unsuspecting cyberattacks and keep a safety toolbox for your defence. 
This is a post from HackRead.com Read the original post: Building Your Defense Toolbox: Tools and Tactics to Combat Cyber Threats

It is a well-known fact that cybercriminals have evolved over the years. The emergence of AI-powered malicious chatbots, such as WormGPT and FraudGPT, has enabled malicious threat actors to not only refine their skills but also consolidate all their malicious activities and tools into one, like a toolbox. Understanding these tools is the first step towards safeguarding yourself against their scams.

While cybercriminals create their toolbox, as a user you should also keep yourself ready for unsuspecting cyberattacks and keep a safety toolbox for your defence.

One major part of that toolbox should be a Virtual Private Network or VPN. Why? because this tool hides your real-time IP address and protects your online privacy from cyber criminals and state-backed threat actors. VPNs, like CyberGhost, encrypt your internet connection, shielding your online activities from prying eyes.

Additionally, employing two-factor authentication (2FA), such as Google Authenticator, Microsoft Authenticator, Okta, and Authy, adds an extra security layer, making it harder for fraudsters to gain unauthorized access to your accounts, even if they have your passwords. These tools, combined with regular updates and vigilance, are crucial in safeguarding against sophisticated scams.

Let’s dive into the tools commonly used by fraudsters, followed by the countermeasures you can employ to protect yourself.

****Common Fraud Tactics********Spoofing****

Spoofing is a deceptive practice where fraudsters falsify information to appear as a legitimate entity. This can involve altering caller IDs or email addresses to mimic those of trusted organizations or individuals. The primary goal is to gain the victim’s trust, making them more susceptible to divulging sensitive information or granting access to their accounts.

****Phishing****

Phishing is a widespread technique that involves sending fraudulent communications that appear to come from a reputable source. Typically executed through email, these messages aim to steal sensitive data such as login credentials, credit card numbers, or personal identification information. Phishers often use urgency or fear to bypass rational judgment.

****Fake Profiles****

Creating fake profiles on social media, dating websites, and other platforms is a common tool in a fraudster’s arsenal. These profiles are carefully crafted to appear genuine, often mimicking the identities of real individuals or organizations. The objective is to build trust with potential victims, eventually manipulating them into financial transactions or sharing confidential information.

****Fake Photos and Entities****

Fraudsters frequently utilize stolen or altered images to bolster the credibility of their fake profiles or websites. Additionally, they might establish counterfeit entities, such as businesses or charities, to appear legitimate. These entities are used to facilitate various scams, including fraudulent sales, charity fraud, and investment scams.

The latest and ongoing incident involving deepfake images of Taylor Swift is just one example of the nightmarish scenarios that cybercriminals can create in your life.

****Fake Claims****

Scammers use persuasive narratives and false claims to trick their victims. These may include threats of legal action, false claims of lottery winnings, or other deceptive propositions that require the victim to make payments or provide personal information.

****Misrepresentation****

Fraudsters often impersonate authority figures or institutions using fake names, credentials, and badge numbers. This tactic is designed to intimidate or convince the victim of the legitimacy of their requests, thereby facilitating the extraction of sensitive information or money.

****Computer Pop-ups****

The prevalence of unwanted pop-ups bombarding your screen is a key reason why adblockers have gained immense popularity. Pop-up warnings on computers are commonly used to spread malware or obtain personal information.

These pop-ups often carry false alerts about viruses or security breaches, prompting the user to take immediate action, which usually involves downloading harmful software or calling a fraudulent support number.

****Robocalls****

Automated calls, or robocalls, are used extensively by scammers to reach many potential victims efficiently. These calls might contain deceptive messages about unpaid taxes or lottery winnings or offer fake services, aiming to extract personal information or direct payments.

****Lead Lists****

Lead lists are databases of individuals who have previously fallen for scams. Fraudsters trade and sell these lists, knowing that individuals scammed once are more likely to be targeted and tricked again.

****Secrecy and Persuasion****

A common tactic used by scammers is to demand secrecy from their victims. By insisting that the dealings remain confidential, fraudsters aim to isolate the victim and prevent them from seeking advice or help from others. They often employ a mix of charm, flattery, and threats to manipulate and control their targets.

****Emotional Manipulation****

Emotional manipulation involves fraudsters playing on the victim’s emotions to extract money or personal information. They may pretend to be in a romantic relationship, a distressed family member, or a charity representative. The fabricated scenarios often evoke strong emotional responses, compelling the victim to act impulsively.

****Search Engine Optimization and Malicious Links****

Fraudsters often use search engine optimization techniques (SEO Poisoning) to promote their scam websites, making them appear legitimate and trustworthy in online searches. They also distribute malicious links through emails or messages, which lead to fraudulent websites or directly install malware when clicked.

****Protective Measures Against Fraud********Caller Verification****

Always verify the identity of callers, especially when they request personal information. If someone claims to be from a legitimate organization, hang up and contact the organization directly using a verified phone number to confirm their authenticity.

****Email Caution****

Exercise caution with email links and attachments, especially from unknown senders. Hover over email addresses and links to verify their authenticity. Be cautious of emails that use urgency or pressure tactics to gather personal information or payments.

****Continuous Education****

Staying informed about common scam tactics and trends is essential. Regularly educating oneself and others about the latest fraud methods can significantly reduce the risk of falling victim to these scams. In simple terms, having cybersecurity knowledge for yourself and your employees is the master key to protecting against every known cyberattack to date.

****Anti-Virus Software****

Ensure your devices are protected with reliable and updated anti-virus software. This software is capable of detecting and preventing malware attacks, which are commonly used in various scams.

****Pop-Up Blockers****

Pop-up or ad blockers can prevent malicious ads and links from appearing on your devices. These pop-ups often contain false claims or threats designed to trick users into downloading malware or revealing personal information.

If you are on Chrome browser, you can disable pop-ups from settings. > Chrome > Settings > Privacy and security > Site Settings > Pop-ups and redirects.

****Secure Network Usage****

Avoid conducting sensitive transactions over public wi-fi networks. Always use secure, private networks for online banking, shopping, and other activities that require personal information.

Businesses should employ a variety of fraud detection tools to safeguard their operations. These include:

*   **Geolocation and Proxy Piercing:** Identifying the physical location of transaction attempts can flag suspicious activities, especially if the location mismatches the user’s typical pattern.
*   **Device Fingerprinting:** This tool helps recognize devices used in previous fraudulent activities, enabling businesses to block transactions from these devices.
*   **Address Verification (AVS):** AVS checks if the billing address provided by the customer matches the address on file with the card issuer.
*   **Velocity Checks:** Monitoring the frequency and volume of transactions from a single user can help detect and prevent fraud.
*   **Biometric Verification:** Using biometrics in payment processes adds an extra layer of security.
*   **Blacklists and Whitelists:** These lists allow businesses to control traffic based on known fraudulent sources or trusted entities.
*   **Machine Learning:** AI models can detect patterns indicative of fraud, improving over time as they process more data.
*   **3-D Secure Technology:** This adds authentication steps for online credit and debit card transactions, reducing the risk of card-not-present fraud.
*   **Fraud Scoring:** Analyzing transactions based on various risk factors helps identify potentially fraudulent activities.

****Regular Updates and Vigilance****

Keeping software and fraud detection tools up to date is crucial. Regularly updating your knowledge about new fraud tactics and protective measures can help you stay ahead of scammers.

****Conclusion****

Fraudsters are always changing their tactics, which makes it crucial for individuals and businesses to stay informed and alert. Understanding the tools used by fraudsters and implementing strong protective measures can significantly reduce the risk of falling victim to these sophisticated scams. Regular updates, continuous education, and employing advanced fraud detection tools are key to safeguarding against these threats.

****_RELATED ARTICLES_****

1.  **What is an OSINT Tool – Best OSINT Tools**
2.  **McAfee’s Mockingbird AI Tool Detects Deepfake Audio**
3.  **Temporary Phone Number: An Essential Tool for Privacy Protection**
4.  **Kaspersky’s iShutdown Tool Detects Pegasus Spyware on iOS Devices**
5.  **Understanding Reverse Email Lookup: A Tool to Strengthen Cybersecurity**

Building Your Defense Toolbox: Tools and Tactics to Combat Cyber Threats

US spy agencies purchased Americans’ phone location data and internet metadata without a warrant but only admitted it after a US senator blocked the appointment of a new NSA director.

United States officials fought to conceal details of arrangements between US spy agencies and private companies tracking the whereabouts of Americans via their cell phones. Obtaining location data from US phones normally requires a warrant, but police and intelligence agencies routinely pay companies instead for the data, effectively circumventing the courts.

Ron Wyden, the US senator from Oregon, informed the nation’s intelligence chief, Avril Haines, on Thursday that the Pentagon only agreed to release details about the data purchases, which had always been unclassified, after Wyden hindered the Senate's efforts to appoint a new director of the National Security Agency. “The secrecy around data purchases was amplified,” Wyden wrote, “because intelligence agencies have sought to keep the American people in the dark."

Wyden's office says it’s been investigating sales of location data to the government for years, uncovering multiple ties between the Department of Defense and what the senator refers to as “shady companies" committing “flagrant violations” of people's privacy. The companies' practices are “not just unethical, but illegal,” he says.

Pentagon offices known to have purchased location data from these companies include the Defense Intelligence Agency and the NSA, among others. Wyden's letter, first reported by _The New York Times_, indicates that the NSA is also “buying Americans' domestic internet metadata.”

Wyden's disclosure comes amid a fight in the US House of Representatives over efforts to outlaw the purchases entirely. Last month, members of the House Judiciary Committee attached legislation doing so, known as the _Fourth Amendment Is Not For Sale Act_, to a bill reauthorizing a contentious surveillance program known as Section 702.

The bill, originally coauthored by Wyden, nearly received a vote last month during a showdown with rival legislation introduced by the House Intelligence Committee that does not seek to ban the purchases. Congressional sources tell WIRED the vote was called off at the last minute after Biden administration officials and members of the intelligence committee staged a campaign against the privacy-enhancing measures.

Intelligence officials in the House held separate meetings with members and their aides aiming to discourage support for the judiciary bill—the _Protect Liberty Act_—alleging that new warrant requirements would be overly burdensome for law enforcement, despite a slew of exemptions for cyberwarfare, terrorism, and espionage threats.

Six sources who attended the meetings told WIRED that intelligence committee members used images of Hamas militants in presentations to drive home its argument for relaxing limits on domestic surveillance. The message, Republican aides said, was, “it could happen here.” Three Democrats who attended meetings with representatives from the FBI, CIA, and NSA, among other agencies, described the presentation as a “scare tactic.”

The home surveillance debate, which has exploded in recent months, hampering the passing of routine legislation, has largely focused on Section 702, an authority under which the government monitors the calls, texts, and emails of foreign nationals. Section 702 is set to expire in under four months.

Both the _Protect Liberty Act_ and its intelligence committee rival—the _FISA Reform and Reauthorization Act_—aim to reauthorize Section 702 into the future. In how that's accomplished the bills are radically different. With access by the FBI to foreign intelligence for domestic investigations being the biggest point of contention, federal lawmakers can now effectively be divided into two factions: people who support surveillance warrants and people who don't.

The pro-warrant _Protect Liberty Ac_t could receive a vote as early as next month, with its provisions banning the government from buying data as a means of evading warrant requirements. Republicans on the Hill say they can't be sure whether House Speaker Mike Johnson will allow a vote, however, due to the intense amount of pressure he faces from the intelligence system.

“There is a lot of baloney going around about surveillance reform," Wyden says. “Probably because some surveillance supporters are worried they won’t win an honest debate.”

The Pentagon Tried to Hide That It Bought Americans’ Data Without a Warrant

Authorities in Australia, the United Kingdom and the United States this week levied financial sanctions against a Russian man accused of stealing data on nearly 10 million customers of the Australian health insurance giant Medibank. 33-year-old Aleksandr Ermakov allegedly stole and leaked the Medibank data while working with one of Russia's most destructive ransomware groups, but little more is shared about the accused. Here's a closer look at the activities of Mr. Ermakov's alleged hacker handles.

Authorities in Australia, the United Kingdom and the United States this week levied financial sanctions against a Russian man accused of stealing data on nearly 10 million customers of the Australian health insurance giant **Medibank**. 33-year-old **Aleksandr Ermakov** allegedly stole and leaked the Medibank data while working with one of Russia’s most destructive ransomware groups, but little more is shared about the accused. Here’s a closer look at the activities of Mr. Ermakov’s alleged hacker handles.

Aleksandr Ermakov, 33, of Russia. Image: Australian Department of Foreign Affairs and Trade.

The allegations against Ermakov mark the first time Australia has sanctioned a cybercriminal. The documents released by the Australian government included multiple photos of Mr. Ermakov, and it was clear they wanted to send a message that this was personal.

It’s not hard to see why. The attackers who broke into Medibank in October 2022 stole 9.7 million records on current and former Medibank customers. When the company refused to pay a $10 million ransom demand, the hackers selectively leaked highly sensitive health records, including those tied to abortions, HIV and alcohol abuse.

The U.S. government says Ermakov and the other actors behind the Medibank hack are believed to be linked to the Russia-backed cybercrime gang **REvil**.

“REvil was among the most notorious cybercrime gangs in the world until July 2021 when they disappeared. REvil is a ransomware-as-a-service (RaaS) operation and generally motivated by financial gain,” a statement from the **U.S. Department of the Treasury** reads. “REvil ransomware has been deployed on approximately 175,000 computers worldwide, with at least $200 million paid in ransom.”

The sanctions say Ermakov went by multiple aliases on Russian cybercrime forums, including **GustaveDore**, **JimJones**, and Blade Runner. A search on the handle GustaveDore at the cyber intelligence platform Intel 471 shows this user created a ransomware affiliate program in November 2021 called **Sugar** (a.k.a. Encoded01), which focused on targeting single computers and end-users instead of corporations.

An ad for the ransomware-as-a-service program Sugar posted by GustaveDore warns readers against sharing information with security researchers, law enforcement, or “friends of Krebs.”

In November 2020, Intel 471 analysts concluded that GustaveDore’s alias JimJones “was using and operating several different ransomware strains, including a private undisclosed strain and one developed by the REvil gang.”

In 2020, GustaveDore advertised on several Russian discussion forums that he was part of a Russian technology firm called Shtazi, which could be hired for computer programming, web development, and “reputation management.” Shtazi’s website remains in operation today.

A Google-translated version of Shtazi dot ru. Image: Archive.org.

The third result when one searches for **shtazi\[.\]ru** in Google is an **Instagram** post from a user named **Mikhail Borisovich Shefel**, who promotes Shtazi’s services as if it were also his business. If this name sounds familiar, it’s because in December 2023 KrebsOnSecurity identified Mr. Shefel as “Rescator,” the cybercriminal identity tied to tens of millions of payment cards that were stolen in 2013 and 2014 from big box retailers Target and Home Depot, among others.

How close was the connection between GustaveDore and Mr. Shefel? The Treasury Department’s sanctions page says Ermakov used the email address **ae.ermak@yandex.ru**. A search for this email at DomainTools.com shows it was used to register just one domain name: **millioner1\[.\]com**. DomainTools further finds that a phone number tied to Mr. Shefel (79856696666) was used to register two domains: **millioner\[.\]pw**, and **shtazi\[.\]net**.

The December 2023 story here that outed Mr. Shefel as Rescator noted that Shefel recently changed his last name to “**Lenin**,” and had launched a service called Lenin\[.\]biz that sells physical USSR-era Ruble notes that bear the image of Vladimir Lenin, the founding father of the Soviet Union. The Instagram account for Mr. Shefel includes images of stacked USSR-era Ruble notes, as well as multiple links to Shtazi.

The Instagram account of Mikhail Borisovich Shefel, aka MikeMike aka Rescator.

In a report published this week, Intel 471 said investigators connected Ermakov to REvil because the stolen Medibank data was published on a blog that had one time been controlled by REvil affiliates who carried out attacks and paid an affiliate fee to the gang.

But by the time of the Medibank hack, the REvil group had mostly scattered after a series of high-profile attacks led to the group being disrupted by law enforcement. In November 2021, **Europol** announced it arrested seven REvil affiliates who collectively made more than $230 million worth of ransom demands since 2019. At the same time, U.S. authorities unsealed two indictments against a pair of accused REvil cybercriminals.

“The posting of Medibank’s data on that blog, however, indicated a connection with that group, although the connection wasn’t clear at the time,” Intel 471 wrote. “This makes sense in retrospect, as Ermakov’s group had also been a REvil affiliate.”

It is easy to dismiss sanctions like these as ineffective, because as long as Mr. Ermakov remains in Russia he has little to fear of arrest. However, his alleged role as an apparent top member of REvil paints a target on him as someone who likely possesses large sums of cryptocurrency, said **Patrick Gray**, the Australian co-host and founder of the security news podcast **Risky Business**.

“I’ve seen a few people poo-poohing the sanctions…but the sanctions component is actually less important than the doxing component,” Gray said. “Because this guy’s life just got a lot more complicated. He’s probably going to have to pay some bribes to stay out of trouble. Every single criminal in Russia now knows he is a vulnerable 33 year old with an absolute ton of bitcoin. So this is not a happy time for him.”

Who is Alleged Medibank Hacker Aleksandr Ermakov?

It's Data Privacy Week so here are 10 tips from our VP of Consumer Privacy, Oren Arar, about how to stay private online.

**1\. **Set up two-factor authentication****

Do this for as many of your online accounts as you can, especially the major ones like your email and social media accounts. Two-factor authentication (2FA) adds an extra step of protection and makes it much harder for attackers to login as you. We recommend using authenticator apps or physical security keys, but sometimes SMS is the easiest option and that’s fine. In most services you won’t have to enter the 2FA code every time, only when using a new device.

**2\. Use a different password for every account**

If your password is breached on one site, cybercriminals can use that login information to access your other online accounts that use the same passwords. If you use a different password for each account they can’t do this. Make sure your passwords are long (15 characters or more is good) and use a mix of upper and lower case characters, numbers and symbols too.

To make it easy, you can chose a phrase or a line from a song you like (for instance: DancingInTheMoonlight1999!). You can also use a password manager built-in on your browser, or a stand-alone password manager (see below). If you’ve received a notification from Google, Malwarebytes or any other service telling you your password has been exposed make sure to not use it or any variation of it again for any of your accounts. 

**3\. Use a password manager**

Making different and complicated passwords for each and every online account you have is one thing, but **remembering** them all is a lot more difficult. That’s why we use a password manager, and why you should too. It will generate passwords for you and then remember them all. Choose a vendor you trust for it, or simply use Apple or Google.

**4\. Keep software and hardware up to date**

Make sure your computer, phone, browser, apps and other programs are always on the latest version. If someone finds a security bug, the company that makes that software or hardware will release a new version with a patch for the bug. If you’re not on the latest version, you will be vulnerable. We know it can sometime be a hassle to update the version – but it’s not only about the latest features, in many cases it’s about keeping you safe!

**5\. Double check everything**

Got an email or SMS saying your delivery has been delayed that asks you to click on a link? Double check that you are expecting a delivery from where it says it’s coming from. Got a message from a friend on Facebook that seems off? Double check via text or phone that it is really them. Is your CEO suddenly asking you to buy $5000 of gift cards on the company credit card? Double check that it really is the CEO (it probably isn’t). There’s a ton of scams out there and they are getting more and more sophisticated with time, you just have to stay vigilant and aware of it.

Does that restaurant you’re making a reservation with really need to know your actual date of birth? Does that shopping site really need to know your mother’s maiden name as a password reset question? Consider carefully where you share your data and keep in the back of your mind that the service you are using could be breached. If it is breached, what of your information would be taken? If you can use false information, we really encourage you to do that. Pro-tip: create an “avatar online identity” for yourself with a separate email, date of birth and information you remember and use this information for vendors that don’t require your real identity.

**7\. Cover your camera**

When your camera isn’t in use, make sure you cover it with a physical cover. You can get webcam covers that slide open and shut to make it easy for you to use your camera when you like, and they look a lot nicer than a sticking plaster! Hackers have been known to take over webcams and take snapshots – so sometimes a physical cover is our last line of defense!

**8\. Use an identity monitoring solution**

Identity theft is a real challenge today, including stealing your credit and even opening new lines of credit in your name. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after. Malwarebytes Identity Theft Protection can help with this.

**9\. Check what data of yours has already been exposed**

It’s very likely that your personal information has already been involved in a breach, but you might be wondering how much information can be gained about you from all the pieces of data about you that’s online—aka your digital footprint. We created a tool that will show you just that. You enter your most commonly-used email address, we’ll run a scan and then we’ll send you the results. Try the free scan now.

**10\. Use security software**

Finally, make sure you have protected your devices with security software. It doesn’t take long and it’s such a basic step we must all do. Malwarebytes Premium detects or blocks over 95 million pieces of malware a day so we definitely have you covered. We protect Windows, Mac, Chrome, Android, and iOS.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 10 things to do to improve your online privacy 

Apple Security Advisory 01-22-2024-2 - iOS 17.3 and iPadOS 17.3 addresses bypass and code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-01-22-2024-2 iOS 17.3 and iPadOS 17.3iOS 17.3 and iPadOS 17.3 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT214059.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.Apple Neural EngineAvailable for devices with Apple Neural Engine: iPhone XS and later,iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 8thgeneration and later, and iPad mini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2024-23212: Ye Zhang of Baidu SecurityCoreCryptoAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker may be able to decrypt legacy RSA PKCS#1 v1.5ciphertexts without having the private keyDescription: A timing side-channel issue was addressed with improvementsto constant-time computation in cryptographic functions.CVE-2024-23218: Clemens LangKernelAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2024-23208: fmyy(@binary_fmyy) and lime From TIANGONG Team ofLegendsec at QI-ANXIN GroupMail SearchAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2024-23207: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab), andIan de MarcellusNSSpellCheckerAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved handling offiles.CVE-2024-23223: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)Reset ServicesAvailable for: iPhone XS and laterImpact: Stolen Device Protection may be unexpectedly disabledDescription: The issue was addressed with improved authentication.CVE-2024-23219: Peter Watthey and Christian ScaleseSafariAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A user's private browsing activity may be visible in SettingsDescription: A privacy issue was addressed with improved handling ofuser preferences.CVE-2024-23211: Mark BowersShortcutsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A shortcut may be able to use sensitive data with certainactions without prompting the userDescription: The issue was addressed with additional permissions checks.CVE-2024-23203: an anonymous researcherCVE-2024-23204: Jubaer Alnazi (@h33tjubaer)ShortcutsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to bypass certain Privacy preferencesDescription: A privacy issue was addressed with improved handling oftemporary files.CVE-2024-23217: Kirin (@Pwnrin)TCCAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access user-sensitive dataDescription: An issue was addressed with improved handling of temporaryfiles.CVE-2024-23215: Zhongquan Li (@Guluisacat)Time ZoneAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to view a user's phone number in system logsDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2024-23210: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)WebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: A maliciously crafted webpage may be able to fingerprint theuserDescription: An access issue was addressed with improved accessrestrictions.WebKit Bugzilla: 262699CVE-2024-23206: an anonymous researcherWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 266619CVE-2024-23213: Wangtaiyu of Zhongfu infoWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to arbitrarycode executionDescription: Multiple memory corruption issues were addressed withimproved memory handling.WebKit Bugzilla: 265129CVE-2024-23214: Nan Wang (@eternalsakura13) of 360 VulnerabilityResearch InstituteWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to arbitrarycode execution. Apple is aware of a report that this issue may have beenexploited.Description: A type confusion issue was addressed with improved checks.WebKit Bugzilla: 267134CVE-2024-23222This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 17.3 and iPadOS 17.3".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmWvDP8ACgkQX+5d1TXaIvp1NA//Ziu4pKJd/OIbEjiPfVw8w/q2A4uPkHzOtxWWeSsuQHmUjULi9PGLtjFdOy6SGjIAXKkP5wpt2qoOXcqEwP8kQzMQZwmRSHyPbSNXLyDiThgLdFWOqV5GcO1+eM7vOvKfcf7ITJJashPS4gJet7QpqX0vM5Pop9XJlS679IdhnauCY/ocmoWafvayY7IZf6SXYXh/V6wWk76zW7ZAgdWz0qxPjoObc3UrggJagBuBGzbSbEj1aK+tw8GMKw0whSG1fMqoLWsIielGaAahHmyIrg424S3HK/JdAXU8QXKKUc3HYVyShceLIgf7Gn/RFtIFiqoAlublgbEXthPYVG+pwFMvjUiCFPZK4tQ9yDtst+6ViPT+LK8Ea21ZqwvWTYqcFzKVbc+DcA4W0sLZE9Rc3tMXm60qoy5x1T4tIOFGSotrjH0M8CthxaxSMxRusr4ejiczr5dbeq/4pjU5PevU/kZVIp0lA65WkznSqio/UxpJ9uD2Oh2C8ZKOHE/az3I3zD7Tll52RPWA201fvo9Q3bCL5JRd/ayXN+tVRuyACkLPcDgPMNB8TdjoBrzFvJ8KRg9XHn9qJSsz/h15UJ/lwVOKBHmSP3H+VWBR/ts0oKcj+UQGmNSHtWNXvreC6ZbQi16JSK2wp0MvVWbFrWnwg0Ory4e5x5hHbrBEvvw0Qwk==kOJs-----END PGP SIGNATURE-----

Apple Security Advisory 01-22-2024-2

Vinchin Backup and Recovery versions 7.2 and below suffer from a command injection vulnerability in SystemHandler.class.php.

    CVE ID: CVE-2024-22903Title: Command Injection Vulnerability in SystemHandler.class.php of Vinchin Backup & Recovery Versions 7.2 and EarlierDescription:A significant security vulnerability, CVE-2024-22903, has been identified in the `deleteUpdateAPK` function within the `SystemHandler.class.php` file of Vinchin Backup & Recovery software, affecting versions 7.2 and earlier. This function, designed to delete APK files, is prone to a command injection vulnerability due to improper handling of input parameters.Function Analysis:- The function extracts `md5` and `file_name` parameters from user input.- It includes a check for an empty `file_name`, but lacks adequate validation or sanitization for the input used in constructing system commands.- The command to delete the specified APK file, built using the `file_name` parameter, is executed via the `exec` function, leading to a security vulnerability.Exploitation Risk:Attackers can exploit this flaw by inserting malicious commands in the `file_name` parameter. When this parameter is processed by the vulnerable function, the injected commands are executed on the server, presenting a severe risk of unauthorized access or control.Current Status:As of the latest information, there is no known patch available for this vulnerability in versions 7.2 and earlier of Vinchin Backup & Recovery.Recommendation:Users are urged to be vigilant and to monitor Vinchin for any security updates. Until a patch is released, implementing additional security controls and closely monitoring system activity is crucial for mitigating the risk posed by this vulnerability.Signed,Valentin Lobstein

Vinchin Backup And Recovery 7.2 SystemHandler.class.php Command Injection

Vinchin Backup and Recovery version 7.2 has been identified as being configured with default root credentials, posing a significant security vulnerability.

CVE ID: CVE-2024-22902

Title: Default Root Credentials Vulnerability in Vinchin Backup & Recovery v7.2

Suggested Description:  
Vinchin Backup & Recovery version 7.2 has been identified as being configured with default root credentials, posing a significant security vulnerability.

Additional Information:  
There is no documentation or guidance from Vinchin on changing the root password for this version. The use of password authentication as root is possible, leading to potential unauthorized access.

Vulnerability Type:  
Incorrect Access Control

Vendor of Product:  
Vinchin

Affected Product Code Base:  
Vinchin - Version 7.2

Attack Type:  
Remote

Impact - Escalation of Privileges:  
True

Attack Vectors:  
This security flaw can be exploited through both local and remote access using the default root credentials provided in the software.

Discoverer:  
Valentin Lobstein

References:  
- http://vinchin.com

Conclusion:  
The existence of default root credentials in Vinchin Backup & Recovery v7.2 (CVE-2024-22902) is a serious security oversight. Users of this software version should be aware of the risks and stay alert for any updates or security patches from Vinchin. Immediate action should be taken to change these credentials to prevent unauthorized access.

Signed,Valentin Lobstein

Tag

#auth