By Deeba Ahmed
Blank Image, Fake Link: Unraveling the Temu Phishing Scam Targeting Senior Shoppers!
This is a post from HackRead.com Read the original post: Over 800 Phony “Temu” Domains Lure Shoppers into Credential Theft

Stay alert against Temu phishing scams: Cybersecurity experts warn of scammers using fake giveaways to steal credentials. Over 800 new ‘Temu’ domains registered in the past 3 months.

Temu is the latest brand chosen by scammers for their phishing scams. Checkpoint’s Harmony Email’s cybersecurity researcher Jeremy Fuchs, has noted that hackers are using Temu’s giveaway rewards to entice users to give away their credentials, with over 800 new domains registered as “Temu” in the last three months.

For your information, Temu is an international e-commerce store having 40% of its user base in the USA. It offers discounted goods shipped directly to consumers. Temu was launched in 2022 and is available in 48 countries, including Europe, the Middle East, Southeast Asia, and Australia.

As of February 7, 2024, it is the number one shopping app on Google Play Store and second on the Apple App Store. The app’s most frequent shoppers are senior citizens, mostly 59 and above.

The sample phishing email identified by researchers claims to be from Temu Rewards. However, if you look closely, it is sent by an unrelated email address- onmicrosoft.com. The email contains a blank image and a link to a credential harvesting page. The threat actors try to attract recipients by informing them that they have won.

According to Checkpoint’s blog post, the email has Temu’s name as the sender. However, if the user realizes the sender address isn’t related to Temu or the links don’t lead to a Temu page, they’ll stay away from this scam. The email should raise suspicion as it is sent from a generic address on onmicrosoft (.) com, and the image does not load.

One of the phishing emails used in the scam (Check Point)

****Brand Names and Phishing****

This isn’t the first time threat actors have exploited brand names and the latest trends to steal credentials or other sensitive information from innocent users.

In November 2022, Hackread reported that Cyjax researchers discovered a sophisticated phishing campaign targeting over 400 brands across various sectors. The scammers, likely having Chinese affiliations, used 42,000 domains to distribute malware and generate ad revenue with at least 24,000 survey/landing domains used to promote the scam.

Cybersecurity researchers at Bloster AI recently discovered a USPS Delivery phishing campaign utilizing advanced techniques to target victims in the US. Bolster’s CheckPhish detected over 3,000 phishing domains mimicking Walmart. The campaign tricked consumers into thinking they had failed deliveries and late payments. Threat actors have improved their attack tactics, transitioning from deceptive messages to luring victims into downloading financial or banking data-stealing apps.

A phishing scam targeting Meta Platforms, Inc. business owners to steal their email addresses and passwords, leading to the takeover of their Facebook page, profile, and financial information was discovered in January 2024. The scam used Meta Platforms’ authority to create urgency and legitimacy.

****Temu and Cybersecurity****

Temu itself has faced several cybersecurity-related issues, including allegations of collecting user and device data such as text messages and banking information.

In November 2023, a class-action lawsuit was filed in the United States, alleging that the company had unlawfully collected its customers’ data. Furthermore, another report surfaced, implicating Temu in the unauthorized disclosure of customer data, particularly in connection with data purportedly appearing for sale on the dark web after customers make purchases through the app.

Nevertheless, it’s crucial to emphasize basic security measures with users and ensure that all threats can be stopped, both simple and sophisticated, especially scams like these, which exploit users’ trust in big brands.

Additionally, to protect against phishing attacks, security professionals must implement AI-based security, robust URL protection, and full-suite security to scan documents and files.

****RELATED ARTICLES****

1.  **Fake LastPass Password Manager App Lurks on iOS App Store**
2.  **Google Suspends Chinese Shopping App Pinduoduo Over Malware**
3.  **Google Removes Swing VPN Android App Exposed as DDoS Botnet**
4.  **Check Point Research: Microsoft the Most Phished Brand in Q2 2023**
5.  **Domain Squatting and Brand Hijacking: A Threat to Digital Enterprises**

Over 800 Phony “Temu” Domains Lure Shoppers into Credential Theft

By Waqas
Remember, it is LastPass Password Manager, not LassPass Password Manager!
This is a post from HackRead.com Read the original post: Fake LastPass Password Manager App Lurks on iOS App Store

The popular LastPass Password Manager application has warned iOS users about a fraudulent app exploiting the app’s name circulating on the official Apple App Store.

Attention, LastPass users! A cunning imposter has infiltrated the iOS App Store, posing as the legitimate **LastPass Password Manager** app. This fake app, aptly named “LassPass Password Manager,” seeks to deceive users and potentially steal their sensitive login credentials.

Despite slight alterations to the logo and name, the fake LastPass app operates seamlessly to scam unsuspecting users into downloading it, as its colour scheme and font closely mimic those of the original LastPass app.

It all began on February 7, 2024, when LastPass published a **blog post** warning unsuspecting users to remain vigilant and avoid downloading a fraudulent application. Despite LastPass’s report, the app remains available on the App Store and is developed by an individual using the name Parvati Patel. Interestingly, the developer also has another app on their account, a community service app for India, hinting at their location.

Just to clarify, the LastPass password manager app is owned by GoTo, formerly known as LogMeIn Inc. Therefore, the official app lists LogMeIn Inc., as its developer on the Apple App Store.

Fake LastPass Password Manager app called LassPass Password Manager App (left) – Authentic LastPass Password Manager app (right) (Screenshots: Hackread.com)

****IN SUMMARY****

*   **The fake app:** The app is called “LassPass Password Manager” and is listed under the developer name Parvati Patel.
*   **Mimicking tactics:** The app closely copies LastPass’ branding and user interface, even using similar screenshots, to potentially mislead users into downloading it.
*   **Potential dangers:** If downloaded, the fake app could steal your login credentials and other sensitive information.
*   **Action taken:** LastPass is actively working to get the app removed from the App Store and is urging users to be cautious.

The fake app can be seen **here**, while the authentic one can be downloaded from **here**.

Nevertheless, this isn’t the first instance of a fake app mimicking a popular developer making its way onto the Apple App Store. **In July 2023**, Apple approved a fake THREADS app, which later surged to number 1 on the Apple Store in Europe. Interestingly, the original THREADS app had been launched by META just a few days prior to the incident and was not yet available in Europe when the fake one appeared in the store.

****RELATED ARTICLES****

1.  **Google Deletes Fake BatteryBot Pro Malware App**
2.  **Scylla Ad Fraud Attack on iOS Users Halted by Apple**
3.  **Apple removes Clearview AI iPhone app from App Store**
4.  **Apple removes anti-virus apps from store for “stealing data”**
5.  **Google removes ClearURLs Chrome extension from app store**
6.  **Google Removes Swing VPN Android App Exposed as DDoS Botnet**

Fake LastPass Password Manager App Lurks on iOS App Store

Your essential guide to toothbrush security.

February 7, 2024 - We look at a scam campaign on Facebook that continues to do the rounds, and how you can recover your compromised account.

February 6, 2024 - The State of Malware 2024 report covers some topics that are of special interest to home users: privacy, passwords, malvertising, banking Trojans, and Mac malware.

February 6, 2024 - Big Game ransomware is just one of six threats resource-constrained IT teams need to pay attention to in 2024.

February 6, 2024 - Safer Internet Day is all about raising awareness about a safer and better internet for all, and especially for children and young people.

February 5, 2024 - Clorox has reported losses of $49 million following a cyberattack in mid-2023.

 How to tell if your toothbrush is being used in a DDoS attack 

Plus: Russia was likely behind widespread GPS outages, Vault 7 leaker was sentenced, police claim to trace Monero cryptocurrency, and more.

An indictment from the US Department of Justice may have solved the mystery of how disgraced cryptocurrency exchange FTX lost over $400 million in crypto. The indictment, filed last week, alleges that three individuals used a SIM-swapping attack to steal hundreds of millions in virtual currency from an unnamed company. The timing and the amount stolen coincides with FTX's theft. Meanwhile, in a letter obtained by WIRED this week, seven lawmakers have demanded the DOJ stop funding biased and inaccurate predictive policing tools until the agency has a way to ensure law enforcement won’t use them in a way that has a “discriminatory impact.”

In Florida, prosecutors say a 17-year-old named Alan Winston Filion is responsible for hundreds of swatting attacks around the United States. The news of his arrest was first reported by WIRED days before law enforcement made it public. It was the culmination of a multi-agency manhunt to piece together a trail of digital breadcrumbs left by the teenager. In Ukraine, unmanned aerial vehicles have been powerful tools since the Russian invasion began in February 2022. But as the war rages on, another kind of unmanned robot has increasingly appeared on the front-lines: the unmanned ground vehicle, or UGV.

For months lawyers affiliated with an India based hacker-for-hire firm called Appin Technology have used legal threats to censor reporting about the company’s alleged cyber mercenary past. The EFF, Techdirt, MuckRock, and DDoSecrets are now pushing back, publicly sharing details for the first time about the firm's efforts to remove content from the web. It’s a dangerous world out there, so we’ve also got a list of some major patches issued in January that you can use to update your devices to keep them secure.

And there’s more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

For years Western security officials have warned about the threat of China collecting data about millions of people and the country’s hackers infiltrating sensitive systems. This week, Federal Bureau of Investigation director Christopher Wray said hackers affiliated with the Chinese Communist Party are constantly targeting US critical infrastructure, such as water treatment plants, the electrical grid, and oil and gas pipelines. Wray’s testimony, at a House subcommittee on China, came as the FBI also revealed it removed malware from hundreds of routers in people’s homes and offices that had been planted by the Chinese hacking group Volt Typhoon.

“China’s hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities,” Wray said in the public appearance. “Low blows against civilians are part of China’s plan.” The FBI director added that China has a bigger hacking operation than “every other major nation combined,” and claimed that if all of the FBI’s cyber-focused agents were assigned to work on issues related to China, they would still be outnumbered “by at least 50 to 1.”

While concerns about the scale of China’s espionage and cyber operations aren’t new, the US intelligence community has been increasingly vocal and worried about critical infrastructure being targeted by Volt Typhoon and other groups. “The threat is extremely sophisticated and pervasive,” NSA officials warned in November. In May 2023, Microsoft revealed it had been tracking Volt Typhoon intrusions at communications and transportation infrastructure, among other critical infrastructure, in US states and Guam.

The FBI and DOJ, also revealed this week that they remotely removed the KV Botnet malware from hundreds of routers infected by Volt Typhoon. The impacted routers, from Cisco and Netgear, were mostly at the end of their life, but were being used as part of wider operations. “​​The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors,” Wray said. It isn’t the first time US officials have obtained a court order to remotely wipe devices infected by hackers, but the move is still rare.

Since the first cryptocurrencies emerged more than a decade ago, there has been the assumption that the blockchain-based digital currencies are anonymous and untraceable. They are, in fact, very traceable. Researchers have shown how people can be linked to the transactions they make and law enforcement have used the techniques to help bust illicit dark web markets and catch pedophiles. There are, however, still some privacy-focused cryptocurrencies that appear to be less traceable than Bitcoin. This includes Monero, which is increasingly being adopted by sellers of child sexual abuse materials.

This week investigators in Finland said Moreno-tracing helped reveal the identity of a hacker who allegedly attacked psychotherapy company Vastaamo in 2020, stealing thousands of patient records and threatening to leak them unless people paid a ransom. Investigators from the Finnish National Bureau of Investigation claim they used heuristic analysis to infer where funds were moved to. The investigators did not reveal the full methods of how they allegedly traced the Monero payments, however, they add to the growing body of evidence that cryptocurrency tracing firms and investigators may be able to track the currency.

Planes flying over Europe have faced a spike in accuracy issues with GPS systems used for navigation in recent months. The head of Estonia’s Defense Forces has claimed that Russia is likely the source of this interference, according to an interview with Bloomberg. “Someone is causing it, and we think it’s Russia,” Martin Herem told the publication, adding that Russia may be testing its electronic warfare capabilities and “learning” the most effective tactics. Across Europe, and particularly the Baltics region, there has been a reported increase in GPS jamming, with Finland reporting large interferences in December and pilots repeatedly reporting issues with their navigation systems.

In 2017, the Vault 7 leaks exposed some of the CIA’s most sophisticated hacking tools, including how the agency could compromise routers, phones, PC, and TVs. Joshua Schulte, a former CIA engineer in the agency’s Operations Support Branch who prosecutors identified as being behind the data breach and responsible for leaking the materials to Wikileaks, was convicted in numerous trials in recent years. Schulte, who denied the allegations, has been sentenced to 40 years in prison for the espionage and also for possessing thousands of child abuse images. Judge Jesse Furman, sentencing Schulte, said he had caused “untold damage to national security.” In June 2022, _The New Yorker_ published this comprehensive investigation into the data breach and Schulte’s troubled history working at the agency.

China’s Hackers Keep Targeting US Water and Electricity Supplies

By Waqas
The new variant of Mispadu Stealer was discovered by Palo Alto's Unit 42 researchers while investigating the Windows Defender SmartScreen vulnerability.
This is a post from HackRead.com Read the original post: Mispadu Stealer’s New Variant Targets Browser Data of Mexican Users

Originally, since 2019, Mispadu Stealer targeted Spanish- and Portuguese-speaking victims, but the new variant aims at URLs associated with Mexican citizens.

In a recent development reported by Unit 42 researchers, a new variant of the infamous Mispadu Stealer has emerged, targeting users primarily in Mexico with stealthy information-stealing techniques. The discovery shows the persistent evolution of this malware, showcasing its adaptability and the challenges it poses to cybersecurity efforts.

Initially identified in 2019, Mispadu Stealer has been a persistent threat, known for its stealthy operations primarily targeting Spanish- and Portuguese-speaking victims. The latest variant, however, demonstrates a high level of sophistication, specifically targeting regions and URLs associated with Mexican citizens.

The discovery of this new variant came as part of Unit 42’s Managed Threat Hunting initiative, while researchers were investigating the Windows Defender SmartScreen CVE-2023-36025 vulnerability.

This vulnerability, categorized as a security feature bypass within the Windows SmartScreen function, allows attackers to circumvent warnings and execute malicious payloads. Exploiting this vulnerability, the Mispadu Stealer variant was found to employ a crafty technique involving the creation of internet shortcut files (.url) or hyperlinks pointing to malicious files, effectively bypassing SmartScreen’s warnings.

One of the key findings in this investigation is the malware’s use of a parameter referencing a network share, which, when embedded in a .url file, directs victims to a threat actor’s network share to retrieve and execute the malicious payload without triggering SmartScreen warnings. This technique, while not limited to Mispadu Stealer, showcases the malware’s ability to adapt and evolve its tactics.

Further analysis of the new variant reveals a sophisticated operation that selectively targets victims based on their geographic location and system configurations. By querying the bias between the local time zone and UTC and performing checks based on the victim’s location, the malware ensures its execution primarily within specific regions, such as the Americas and certain parts of Western Europe.

Statistics of infected countries (Unit 42)

Once executed, the malware proceeds to interact with the victim’s browser history, extracting URLs and checking them against a targeted list. Notably, the malware employs encryption algorithms and techniques to evade detection, highlighting the evolving sophistication of its information-stealing capabilities.

The attribution of this new variant to previous Mispadu campaigns highlights the challenges in combating evolving cybersecurity threats. While similarities in tactics and infrastructure provide insights into the malware’s origins, the ever-changing nature of such threats demands a comprehensive approach to cybersecurity.

As Mispadu continues to evolve and target unsuspecting users, cybersecurity experts emphasize the importance of staying informed on the latest threat intelligence, deploying strong endpoint protection measures, and advocating a culture of cybersecurity awareness among employees and users. By adopting proactive measures and leveraging collective intelligence, organizations can better defend against emerging threats like the new variant of Mispadu Stealer.

1.  **Mirai Variant V3G4 Exploiting IoT Devices for DDoS Attacks**
2.  **IBM X-Force Discovers Gootloader Malware Variant- GootBot**
3.  **Fake TeamViewer download ads distributing new ZLoader variant**
4.  **New Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs**
5.  **MidgeDropper Variant Hits Work-from-Home Employees on Windows**

Mispadu Stealer’s New Variant Targets Browser Data of Mexican Users

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned that more than 2,000 computers in the country have been infected by a strain of malware called DirtyMoe.
The agency attributed the campaign to a threat actor it calls UAC-0027.
DirtyMoe, active since at least 2016, is capable of carrying out cryptojacking and distributed denial-of-service (DDoS) attacks. In March

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned that more than 2,000 computers in the country have been infected by a strain of malware called DirtyMoe.

The agency attributed the campaign to a threat actor it calls **UAC-0027**.

DirtyMoe, active since at least 2016, is capable of carrying out cryptojacking and distributed denial-of-service (DDoS) attacks. In March 2022, cybersecurity firm Avast revealed the malware's ability to propagate in a worm-like fashion by taking advantage of known security flaws.

The DDoS botnet is known to be delivered by means of another malware referred to as Purple Fox or via bogus MSI installer packages for popular software such as Telegram. Purple Fox is also equipped with a rootkit that allows the threat actors to hide the malware on the machine and make it difficult to detect and remove.

The exact initial access vector used in the campaign targeting Ukraine is currently unknown. CERT-UA is recommending that organizations keep their systems up-to-date, enforce network segmentation, and monitor network traffic for any anomalous activity.

The disclosure comes as Securonix detailed an ongoing phishing campaign known as STEADY#URSA targeting Ukrainian military personnel with the goal of delivering a bespoke PowerShell backdoor dubbed SUBTLE-PAWS.

"The exploitation chain is relatively simple: it involves the target executing a malicious shortcut (.lnk) file which loads and executes a new PowerShell backdoor payload code (found inside another file contained within the same archive)," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said.

The attack is said to be related to a threat actor known as Shuckworm, which is also known as Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, and Winterflounder. Active since at least 2013, it's assessed to be part of Russia's Federal Security Service (FSB).

SUBTLE-PAWS, in addition to setting up persistence on the host, uses Telegram's blogging platform called Telegraph to retrieve the command-and-control (C2) information, a technique previously identified as associated with the adversary since early 2023, and can propagate through removable attached drives.

Gamaredon's ability to spread via USB drives was also documented by Check Point in November 2023, which named the PowerShell-based USB worm LitterDrifter.

"The SUBTLE-PAWS backdoor uses advanced techniques to execute malicious payloads dynamically," the researchers said.

"They store and retrieve executable PowerShell code from the Windows Registry which can assist in evading traditional file-based detection methods. This approach also aids in maintaining persistence on the infected system, as the malware can initiate itself again after reboots or other interruptions."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

DirtyMoe Malware Infects 2,000+ Ukrainian Computers for DDoS and Cryptojacking

By Deeba Ahmed
CloudFlare Servers Were Hacked on Thanksgiving Day Using Auth Tokens Stolen in Okta Breach.
This is a post from HackRead.com Read the original post: Cloudflare Hacked After State Actor Leverages Okta Breach

The aftermath of the 2023 Okta breach continues to unfold, with Cloudflare disclosing the details of its security compromise.

Cloudflare, a globally renowned cloud services provider, experienced a security incident on Thanksgiving Day, 23 November 2023, allowing unauthorized access to their internal Atlassian server. The company confirmed no customer data or systems were affected by the intrusion, which was effectively blocked within 24 hours.

The investigation was concluded recently. According to the company’s blog post published on 2 February 2024, Cloudflare detected the breach on 24 November 2023 and the investigation was launched on 27th November in cooperation with CrowdStrike, called Project Code Red. 

Cloudflare’s systems were accessed by attackers using an access token and three service account credentials were stolen during a previous Okta breach in October 2023. The threat actor gained access to its Atlassian environment using stolen credentials, reportedly seeking information about Cloudflare’s global network’s architecture, security, and management. It is worth noting that Cloudflare’s Atlassian system is responsible for managing internal collaboration tools like Confluence and Jira. 

> _“The threat actor accessed Jira tickets about vulnerability management, secret rotation, MFA bypass, network access, and even our response to the Okta incident itself. The wiki searches and pages accessed suggest the threat actor was very interested in all aspects of access to our systems: password resets, remote access, configuration, our use of Salt, but they did not target customer data or customer configurations.”_
> 
> Cloudflare

Cloudflare discovered that a ‘nation-state attacker’ could be responsible for their server’s breach. However, the company did not share further details on the possible perpetrator. The attacker accessed its Confluence wiki, Jira bug database, and Bitbucket source code management system on 14 November 2023.

Cloudflare CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas stated that on November 22, hackers gained persistent access to their Atlassian server, source code management system, and console server.

They also unsuccessfully attempted to gain access to a data center in São Paulo, Brazil, which was not yet put into production by Cloudflare. As a precautionary measure, every piece of equipment at its Brazil data center was returned to manufacturers to ensure the facility was safe.

As for prevention, response measures from Cloudflare’s staff included rotating all 5,000 unique production credentials, physically segmenting test and staging systems, performing forensic triage on around 4,983 systems, and re-imaging and rebooting global network systems.

According to Cloudflare, this includes all Atlassian servers, including Bitbucket, Jira, and Confluence. Although all remediation efforts were completed by 5th January, Cloudflare is still actively focusing on software hardening, and credential and vulnerability management.

For your information, Okta, an identity and access management services provider, reported a data breach on 23 October 2023, allowing unauthorized access to files, including session tokens, which could be used for hijacking attacks.

The attacker compromised a stolen account between September 28 and October 17, 2023, to view, update, and extract sensitive data by accessing Okta’s support case management system. 

Okta’s chief security officer, David Bradbury, revealed that at least 134 customers were impacted by the breach and some files were HAR files containing session tokens, which could be used for session hijacking attacks.

Many firms have reportedly been targeted with stolen Okta credentials, Cloudflare being one of them. Previously, 1Password, one of Okta’s customers, reportedly was targeted. On September 29, 2023, 1Password detected suspicious activity where a threat actor used a stolen session token to access its Okta administrative portal.

1.  **10 Top DDoS Attack Protection and Mitigation Companies**
2.  **Whitehat hacker bypasses SQL injection filter for Cloudflare**
3.  **LAPSUS$ Hackers Hack Microsoft and Okta, Leak Trove of Data**
4.  **Google, Cloudflare, AWS Disclose Largest DDoS Attack in History**
5.  **Cloudflare Launches Android and iOS version of 1.1.1.1 DNS Service**

Cloudflare Hacked After State Actor Leverages Okta Breach

By Waqas
Anonymous Sudan alleges that the cyber attack they conducted has crippled the reservation system and other online assets of the targeted entity.
This is a post from HackRead.com Read the original post: Anonymous Sudan Claims DDOS Attacks on UAE’s Flydubai Airline

Anonymous Sudan claims responsibility for the cyber attack, citing their belief that the UAE is providing support to the Rapid Support Forces (RSF) in Sudan as their motive.

Anonymous Sudan, the pro-Palestinian and Russian hacktivist group, has taken credit for a series of Distributed Denial of Service Attacks (DDoS attacks) on Flydubai, an Emirati government-owned airline in Dubai, United Arab Emirates.

The group’s latest claim closely follows their January 16th, 2024 announcement of targeting Thuraya Mobile Satellite Communications Company, an international mobile-satellite service (MSS) provider based in Dubai, United Arab Emirates (UAE).

It is worth noting that in both cyber attacks, the motives revealed by Anonymous Sudan were the UAE’s apparent support to the Rapid Support Forces (RSF) for communication. Notably, RSF is a paramilitary force formerly operated by the Government of Sudan, accused by the hacktivists of committing war crimes against the Sudanese people.

The alleged cyber attack was announced on February 1, 2024, by the group through its official Telegram channel. Anonymous Sudan typically announces its attacks via Telegram, with no known website utilized by the group thus far.

> _“We have conducted a significant cyber attack on the digital infrastructure of FlyDubai. We have hit the most critical parts of FlyDubai’s digital infrastructure in one. We have confirmed that the network of Flydubai is completely disrupted. Attacks against the UAE will continue as they continue to support the genocidal Rapid Support Forces in Sudan. We therefore claim any damage to the overall health of FlyDubai systems and any collateral damage.”_
> 
> Anonymous Sudan

Despite Flydubai’s official website remaining online, Anonymous Sudan claimed in a subsequent message a few hours later that Flydubai’s infrastructure, including the reservation system, had been severely affected, leaving the airline’s website as the only functional asset.

However, Hackread.com’s attempt to book a ticket on Flydubai’s website proved successful. Here’s what Anonymous Sudan had to say on Telegram:

Anonymous Sudan on Telegram (Screenshot: Hackread.com)

Hackread.com has reached out to Flydubai for a comment, and should the company respond, we will update this article accordingly. Nevertheless, DDoS attacks have emerged as a significant concern for businesses of all scales. According to Kaspersky’s report, the DDoS economy is flourishing on the dark web, with an increasing number of cybercriminals setting their sights on critical infrastructure.

While there are DDoS attack-mitigating companies out there, the first line of defence is to secure your IoT devices from becoming a zombie for botnets utilized in such attacks. Therefore, whether you are an unsuspecting user at home or administering a large corporation, make sure your cybersecurity defences are as strong as possible.

****RELATED ARTICLES****

1.  **ChatGPT Down? OpenAI Blames Outages on DDoS Attacks**
2.  **Google, Cloudflare, and AWS Disclose Largest DDoS Attack**
3.  **Popular Swing VPN Android App Turned Out to be DDoS Botnet**
4.  **DDoS Attacks Soar by 168% on Govt Services, StormWall Warns**
5.  **IoT Botnet DDoS Attacks Threaten Global Telecom Sector, Nokia**

Anonymous Sudan Claims DDOS Attacks on UAE’s Flydubai Airline

A loose coalition of anti-censorship voices is working to highlight reports of one Indian company’s hacker-for-hire past—and the legal threats aimed at making them disappear.

Hacker-for-hire firms like NSO Group and Hacking Team have become notorious for enabling their customers to spy on vulnerable members of civil society. But as far back as a decade ago in India, a startup called Appin Technology and its subsidiaries allegedly played a similar cyber-mercenary role while attracting far less attention. Over the past two years, a collection of people with direct and indirect links to that company have been working to keep it that way, using a campaign of legal threats to silence publishers and anyone else reporting on Appin Technology’s alleged hacking past. Now, a loose coalition of anti-censorship voices is working to make that strategy backfire.

For months, lawyers and executives with ties to Appin Technology and to a newer organization that shares part of its name, called the Association of Appin Training Centers, have used lawsuits and legal threats to carry out an aggressive censorship campaign across the globe. These efforts have demanded that more than a dozen publications amend or fully remove references to the original Appin Technology’s alleged illegal hacking or, in some cases, mentions of that company’s cofounder, Rajat Khare. Most prominently, a lawsuit against Reuters brought by the Association of Appin Training Centers resulted in a stunning order from a Delhi court: It demanded that Reuters take down its article based on a blockbuster investigation into Appin Technology that had detailed its alleged targeting and spying on opposition leaders, corporate competitors, lawyers, and wealthy individuals on behalf of customers worldwide. Reuters “temporarily” removed its article in compliance with that injunction and is fighting the order in Indian court.

As Appin Training Centers has sought to enforce that same order against a slew of other news outlets, however, resistance is building. Earlier this week, the digital rights group the Electronic Frontier Foundation (EFF) sent a response—published here—pushing back against Appin Training Centers’ legal threats on behalf of media organizations caught in this crossfire, including the tech blog Techdirt and the investigative news nonprofit MuckRock.

No media outlet has claimed that Appin Training Centers—a group that describes itself as an educational firm run in part by former franchisees of the original Appin Technology, which reportedly ceased its alleged hacking operations more than a decade ago—has been involved in any illegal hacking. In December, however, Appin Training Centers sent emails to Techdirt and MuckRock demanding they too take down all content related to allegations that Appin Technology previously engaged in widespread cyberspying operations, citing the court order against Reuters.

Techdirt, Appin Training Centers argued, fell under that injunction by writing about Reuters' story and the takedown order targeting it. So had MuckRock, the plaintiffs claimed, which hosted some of the documents that Reuters had cited in its story and uploaded to MuckRock's DocumentCloud service. In the response sent on their behalf, the EFF states that the two media organizations are refusing to comply, arguing that the Indian court's injunction “is in no way the global takedown order your correspondence represents it to be.” It also cites an American law called the SPEECH Act that deems any foreign court’s libel ruling that violates the First Amendment unenforceable in the US.

“It's not a good state for a free press when one company can, around the world, disappear news articles,” Michael Morisy, the CEO and cofounder of MuckRock, tells WIRED. “That's something that fundamentally we need to push back against.”

Techdirt founder Mike Masnick says that, beyond defeating the censorship of the Appin Technology story, he hopes their public response to that censorship effort will ultimately bring even more attention to the group’s past. In fact, 19 years ago, Masnick coined the term “the Streisand effect” to describe a situation in which someone's attempt to hide information results in its broader exposure—exactly the situation he hopes to help create in this case. “The suppression of accurate reporting is problematic,” says Masnick. “When it happens, it deserves to be called out, and there should be more attention paid to those trying to silence it.”

The anti-secrecy nonprofit Distributed Denial of Secrets (DDoSecrets) has also joined the effort to spark that Streisand Effect, “uncensoring” Reuters' story on the original Appin Technology as part of a new initiative it calls the Greenhouse Project. DDoSecrets cofounder Emma Best says the name comes from its intention to foster a “warming effect”—the opposite of the “chilling effect” used to describe the self-censorship created by legal threats. “It sends a signal to would-be censors, telling them that their success may be fleeting and limited,” Best says. “And it assures other journalists that their work can survive.”

Neither Appin Training Centers nor Rajat Khare responded to WIRED's request for comment, nor did Reuters.

The fight to expose the original Appin Technology’s alleged hacking history began to reach a head in November of 2022, when the Association for Appin Training Centers sued Reuters based only on its reporters’ unsolicited messages to Appin Training Centers’ employees and students. The company’s legal complaint, filed in India’s judicial system, accused Reuters not only of defamation, but “mental harassment, stalking, sexual misconduct and trauma.”

Nearly a full year later, Reuters nonetheless published its article, “How an Indian Startup Hacked the World.” The judge in the case initially sided with Appin Training Centers, writing that the article could have a “devastating effect on the general students population of India.” He quickly ordered an injunction stating that Appin Training Centers can demand Reuters take down their claims about Appin Technology.

That ruling has preceded any legal arguments over the truth of Reuters’ reporting, which the news agency has promised to bring up in an appeal. In fact, Reuters wrote that it based its story on interviews with dozens of Appin Technology's former staff and hundreds of alleged targets, as well as thousands of its internal documents. Those files include Appin Technology's marketing pitch documents that remain publicly available on DocumentCloud thanks to MuckRock, and appear to show the company explicitly offering to hack targets on behalf of clients via “phishing,” “social engineering,” “trojan” infections, and even discussing specific cases when clients hired them for hacking operations.

Appin Training Centers, for its part, argues that it’s merely a collection of educational institutions whose brand has been tarnished by Reuters’ reporting. Reuters has responded in a legal filing arguing that Appin Training Centers was created “solely for purposes of this lawsuit, with ulterior motive,” and pointed out, through an exhibit attached to a court filing, that it was incorporated only months _after_ it named itself as the plaintiff suing Reuters.

Even so, a little more than two weeks after publishing its investigation into Appin Technology, on December 5, Reuters complied with the Indian court's injunction, removing its story. Soon, in a kind of domino effect of censorship, others began to take down their own reports about Appin Technology after receiving legal threats based on the same injunction. SentinelOne, the cybersecurity firm that had helped Reuters in its investigation, removed its research on an Appin Technology subsidiary’s alleged hacking from its website. The Internet Archive deleted its copy of the Reuters article. The legal news site Lawfare and cybersecurity news podcast Risky Biz both published analyses based on the article; Risky Biz took its podcast episode down, and Lawfare overwrote every part of its piece that referred to Appin Technology with Xs. WIRED, too, removed a summary of Reuters' article in a news roundup after receiving Appin Training Centers' threat.

Aside from the injunction that Appin Training Centers has used to demand publishers censor their stories, Appin cofounder Rajat Khare has separately sent legal threats to another collection of news outlets based on a court order he obtained in Switzerland. Two Swiss publications have publicly noted that they responded to court orders by removing Khare’s name from stories about alleged hacking. Others have removed Khare’s name or removed the articles altogether without a public explanation, including the Bureau of Investigative Journalism, the UK’s _Sunday Times_, several Swiss and French news outlets, and eight Indian ones.

“This is an organization throwing everything against the wall, trying to make as many allegations in as many venues as possible in the hopes that something, somewhere sticks,” says one person at a media outlet that has received multiple legal threats from people connected to Appin Technology, who declined to be named due to the legal risks of speaking out. “Sometimes it works, sometimes it doesn’t. Unfortunately, in India, it’s worked.”

Even before the EFF, Techdirt, MuckRock, and DDoSecrets began to push back against that censorship, some had immediately resisted it. _The New Yorker_, for instance, had mentioned a subsidiary of Appin Technology and Rajat Khare in a feature about India's hacker-for-hire industry in June of last year. It was sued by Appin Training Centers, but has kept its piece online while the lawsuit proceeds. (_The New Yorker_ and WIRED are both published by Condé Nast.) Ronald Deibert, a well-known security researcher and founder of the University of Toronto's Citizen Lab, a group that focuses on exposing hackers who target members of civil society, had also mentioned Appin Technology in a blog post. Deibert received and refused Appin Training Centers' takedown threat, posting a screenshot of its email to his X feed in December along with his response: seven middle-finger emojis.

As the backlash to the censorship of reporting on Appin Technology's alleged hacking snowballs, however, it may now be going beyond a few cases where Appin Training Centers’ and Rajat Khare’s censorship attempts have failed, says Seth Stern, director of advocacy for the Freedom of the Press Foundation, who has written about the censorship campaign. Instead, it may be backfiring, he says, particularly for Appin Technology cofounder Rajat Khare. “It does seem like a sort of dubious strategy to be stirring this up now, and I do wonder if he is starting to regret that given the coverage it's getting,” says Stern. “You could easily see that it'll do more reputational harm than good for Khare and for Appin.”

MuckRock's Morisy says that attention is exactly the intention of his move, along with Techdirt and the EFF, to put a spotlight on the legal threats they've received. “It’s leveraging the Streisand effect to an extent. But also just finding ways to push back,” says Morisy. “There needs to be a cost for groups that are trying to silence journalists.”

A Startup Allegedly ‘Hacked the World.’ Then Came the Censorship—and Now the Backlash

The threat actor behind a peer-to-peer (P2P) botnet known as FritzFrog has made a return with a new variant that leverages the Log4Shell vulnerability to propagate internally within an already compromised network.
"The vulnerability is exploited in a brute-force manner that attempts to target as many vulnerable Java applications as possible," web infrastructure and security

The threat actor behind a peer-to-peer (P2P) botnet known as **FritzFrog** has made a return with a new variant that leverages the Log4Shell vulnerability to propagate internally within an already compromised network.

"The vulnerability is exploited in a brute-force manner that attempts to target as many vulnerable Java applications as possible," web infrastructure and security company Akamai said in a report shared with The Hacker News.

FritzFrog, first documented by Guardicore (now part of Akamai) in August 2020, is a Golang-based malware that primarily targets internet-facing servers with weak SSH credentials. It's known to be active since January 2020.

It has since evolved to strike healthcare, education, and government sectors as well as improved its capabilities to ultimately deploy cryptocurrency miners on infected hosts.

What's novel about the latest version is the use of the Log4Shell vulnerability as a secondary infection vector to specifically single out internal hosts rather than targeting vulnerable publicly-accessible assets.

"When the vulnerability was first discovered, internet-facing applications were prioritized for patching because of their significant risk of compromise," security researcher Ori David said.

"Contrastly, internal machines, which were less likely to be exploited, were often neglected and remained unpatched — a circumstance that FritzFrog takes advantage of."

This means that even if the internet-facing applications have been patched, a breach of any other endpoint can expose unpatched internal systems to exploitation and propagate the malware.

The SSH brute-force component of FritzFrog has also received a facelift of its own to identify specific SSH targets by enumerating several system logs on each of its victims.

Another notable change in the malware is use of the PwnKit flaw tracked as CVE-2021-4034 to achieve local privilege escalation.

"FritzFrog continues to employ tactics to remain hidden and avoid detection," David said. "In particular, it takes special care to avoid dropping files to disk when possible."

This is accomplished by means of the shared memory location /dev/shm, which has also been put to use by other Linux-based malware such as BPFDoor and Commando Cat, and memfd\_create to execute memory-resident payloads.

The disclosure comes as Akamai revealed that the InfectedSlurs botnet is actively exploiting now-patched security flaws (from CVE-2024-22768 through CVE-2024-22772, and CVE-2024-23842) impacting multiple DVR device models from Hitron Systems to launch distributed denial-of-service (DDoS) attacks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#ddos