By Deeba Ahmed
In June 2023, Xplain, a Swiss IT services provider, fell victim to a cyberattack claimed by the Play ransomware group.
This is a post from HackRead.com Read the original post: Xplain Hack Aftermath: Play Ransomware Leaks Sensitive Swiss Government Data

The Play ransomware group leaked around 65,000 documents belonging to the federal government, including classified documents and login credentials, which were published on its dark web leak site on 14 June 2023.

Following the cyberattack on Swiss IT service provider, Xplain, details of the leaked data have been disclosed in a press release from the Swiss National Center for Cybersecurity (NCSC) – The Federal Office for Cybersecurity (BACS) has also taken part in the investigation.

The department analyzed the data leaked stolen by the Play ransomware group from Xplain, which is a “major provider of IT services to national and cantonal authorities,” the department confirmed.

****Background****

Back in May 2023, hackers exploited a vulnerability to target Xplain servers hosting applications for cantonal services, blocking access until a key or unblocking tool is sent in exchange for ransom. The attack, carried out by the Play ransomware group, had far-reaching consequences, impacting the Federal Office of Police, the Federal Office of Customs and Border Protection, Swiss Federal Railways and Aargau cantonal authorities.

In June 2023, Swiss federal government websites and the Swiss Federal Railways’ online portal were targeted in DDoS attacks, causing several websites to be unavailable. The finance ministry reported on 12 June 2023 that a pro-Russian group, “NoName,” claimed responsibility for the attack on its Telegram channel and that no data was lost in the attack. This group was also involved in the attack on the Swiss parliament website earlier in June 2023.

The Play ransomware group leaked around 65,000 documents belonging to the federal government, including classified documents and login credentials, which were published on its dark web leak site on 14 June 2023.

As per NCSC’s press release published earlier today, the BACS then took over the coordination of incident response within the federal administration and analysis of leaked data. A policy strategy crisis team was formed on 28 June and an administrative investigation was launched officially on 23 August to find out details of data leak at Xplain.

Official dark web leak site on the Play ransomware group (Screenshot: Hackread.com)

****Report Details****

The BACS emphasized that the report focuses on data types and analysis challenges, not the content of leaked data. Around 70% (around 47,413) of files belong to Xplain and 14% (9,040) to the Federal Administration.  Hackers have leaked 95% of the 9040 files belonging to the Swiss federal government, mainly from the Federal Department of Justice and Police, Federal Office of Justice, Federal Office of Police, State Secretariat for Migration, and ISC-FDJP. 

Around half of the Federal Administration’s files contain sensitive content like personal data, technical information, classified information, and passwords, with 4,779 files containing personal data, and 278 files containing technical information. 121 objects were dubbed classified under the Information Protection Ordinance with 4 of them containing readable passwords.

The department aims to collaborate with authorities and Xplain to address potential consequences. This investigation is expected to be completed in March 2024.

****About Play Ransomware Group****

The Play ransomware group is believed to be based in Russia and is responsible for around 300 successful attacks on businesses and critical infrastructure in North America, South America, and Europe from June 2022 to October 2023. The group uses a double extortion model, ranging from unauthorized access to external services like RDP and VPN.

1.  Ransomware Attack Disrupts Services in 18 Romanian Hospitals
2.  LockBit Ransomware Gang Returns, Taunts FBI, Vows Data Leaks
3.  LoanDepot Ransomware Attack Leads to Data Breach; 17M Impacted
4.  Schneider Electric Energy Giant Confirms Cactus Ransomware Attack
5.  TeamViewer Exploited to Obtain Remote Access, Deploy Ransomware

Xplain Hack Aftermath: Play Ransomware Leaks Sensitive Swiss Government Data

By Deeba Ahmed
Another day, another Linux malware!
This is a post from HackRead.com Read the original post: New Linux Malware Alert: ‘Spinning YARN’ Hits Docker, Other Key Apps

Linux Users Beware: “Spinning YARN” Malware Campaign Targets Misconfigured Servers Running on Apache Hadoop YARN, Docker, Confluence and Redis.

Cado Security Labs has discovered an emerging Linux malware campaign dubbed Spinning Yarn targeting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, and Redis web-facing services. 

The emergence of the new Linux malware shouldn’t come as a surprise, given the recent surge in threats targeting Linux devices and servers. Just a couple of days ago, an old Linux malware known as Bifrost RAT resurfaced with a new variant that mimics VMware domains.

According to Cado Security’s research research shared with Hackread.com ahead of publication on Wednesday, Spinning Yarn is a malicious campaign that exploits weaknesses in popular Linux software used by businesses across various sectors. 

These services are crucial components in organizations’ IT infrastructure. Docker is critical for developing, deploying, and managing containerized applications. Apache Hadoop allows distributed processing of large datasets. Redis, a widely used in-memory data store, helps in caching real-time applications, and Confluence allows collaboration and knowledge management.

By compromising these applications, attackers can gain unauthorized access to systems, steal sensitive data, disrupt operations, or deploy ransomware, posing a significant threat to servers and critical infrastructure.

In Spinning Yarn, threat actors have used several unique payloads, including four Golang binaries that automate the discovery and infection of hosts and let them exploit code. They use Confluence to exploit common misconfigurations and vulnerabilities, launching Remote Code Execution (RCE) attacks and infecting new hosts.

The attackers exploit CVE-2022-26134, an n-day vulnerability in Confluence, and deploy a container for the Docker compromise. The vulnerability has been exploited since 2022, including by Mirai malware variant V3G4 against IoT devices for DDoS attacks

Further probing revealed a series of shell scripts and standard Linux attack techniques used to deliver a cryptocurrency miner, spawn a reverse shell, and enable persistent access to compromised hosts. They also deploy an instance of the Platypus open-source reverse shell utility to maintain access.

In an attempt to evade detection, multiple user-mode rootkits are deployed. Researchers observed that the shell script payloads employed in this campaign share similarities with those used in previous cloud attacks.

In their blog post, Cado Security Labs detailed initial access activity on a docker Engine API honeypot on this IP address: 47966971. The attacker spawned a new container using Alpine Linux and created a bind mount for the underlying server’s root directory. This technique is common in Docker attacks, allowing attackers to write files to the host and execute a job for the Cron scheduler eventually achieving RCE.

In this campaign, the attacker wrote an executable and registered a Cron job to execute base64-encoded shell commands. Such extensive attack on Linux applications demonstrates attackers’ growing sophistication in targeting web-facing services in cloud environments, keeping abreast of vulnerabilities.

To mitigate the risks from campaigns like Spinning Yarn, regularly update software, enable strong passwords, educate employees on cybersecurity best practices, segment your network to limit potential damage, and deploy security solutions like endpoint security solutions and firewalls to detect and prevent malware infections. This will help protect against known vulnerabilities and ensure a secure environment.

1.  New Linux Malware “Migo” Exploits Redis for Cryptojacking
2.  Free Download Manager Site Pushed Linux Password Stealer
3.  Malicious Ads Infiltrate Bing AI Chatbot in Malvertising Attack
4.  Hamas Hackers Hit Israelis with New BiBi-Linux Wiper Malware
5.  Mirai-based NoaBot Botnet Hits Linux Systems with Cryptominer

New Linux Malware Alert: ‘Spinning YARN’ Hits Docker, Other Key Apps

By Waqas
Logged out of your Meta Platform services?
This is a post from HackRead.com Read the original post: Meta Platforms Face Outage: Facebook, Instagram, Messenger, Threads Down

You are not alone, Facebook, Instagram, Messenger and Threads are down worldwide.

Users of Meta Platforms’ services, including Facebook, Instagram, Messenger, and Threads, are currently experiencing difficulties accessing their accounts. Reports indicate a widespread outage impacting individuals globally.

Starting around 4:30 PM GMT, a surge in user reports on Downdetector, a platform tracking online outages, signaled login issues across all four platforms. Users attempting to log in have encountered error messages, with some being logged out unexpectedly. The problem appears to be affecting users on both desktop and mobile applications.

Instagram error (screenshot: Hackread.com)

Meta Platforms has yet to acknowledge the outage on its official communication channels officially, but it’s expected that the company is actively investigating the cause of the issue.

The full extent of the outage remains unclear, but it’s evident that it’s not limited to just Facebook. Downdetector is currently swamped with user reports for all four affected platforms, suggesting a significant disruption to Meta’s services.

Here’s what we know so far:

*   **The outage began around 4:30 PM GMT.**
*   **Both desktop and mobile platforms seem to be affected.**
*   **Meta Platforms has not yet officially acknowledged the issue.**
*   **Users across the globe are facing problems accessing Facebook, Instagram, Messenger, and Threads.**

This is a developing story, and we will update this article as more information becomes available. We advise users to monitor Meta’s official channels for further updates and avoid attempting repeated logins to prevent potential account security issues.

1.  Video Chat Website Omegle Permanently Shuts Down
2.  ChatGPT Down? Anonymous Sudan Claims Responsibility
3.  ChatGPT Down? OpenAI Blames Outages on DDoS Attacks

Meta Platforms Face Outage: Facebook, Instagram, Messenger, Threads Down

Red Hat Security Advisory 2024-0269-03 - An update for run-once-duration-override-container, run-once-duration-override-operator-bundle-container, and run-once-duration-override-operator-container is now available for RODOO-1.1-RHEL-9. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0269.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Run Once Duration Override Operator for Red Hat OpenShift 1.1.0 for RHEL 9  
Advisory ID:        RHSA-2024:0269-03  
Product:            Run Once Duration Override Operator  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0269  
Issue date:         2024-02-28  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

An update for run-once-duration-override-container, run-once-duration-override-operator-bundle-container, and run-once-duration-override-operator-container is now available for RODOO-1.1-RHEL-9.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Run Once Duration Override Operator for Red Hat OpenShift is an optional  
operator that makes it possible to override activeDeadlineSecondsOverride  
field during pod admission.

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)

* golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges. (CVE-2023-45287)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://bugzilla.redhat.com/show_bug.cgi?id=2253193  
https://bugzilla.redhat.com/show_bug.cgi?id=2253330  
https://issues.redhat.com/browse/OCPBUGS-25123  
https://issues.redhat.com/browse/WRKLDS-897

Red Hat Security Advisory 2024-0269-03

By Waqas
LoanDepot identified the ransomware attack on January 4, 2024
This is a post from HackRead.com Read the original post: LoanDepot Ransomware Attack Leads to Data Breach; 17 Million Impacted

LoanDepot suffered a ransomware attack exposing the sensitive data of nearly 17 million individuals including PII data – Now, the company is offering credit monitoring and working to mitigate potential damage.

A major ransomware attack leading to a massive data breach at LoanDepot, a leading mortgage lender, has exposed the personal information of nearly 17 million individuals. In a **data breach notification** to Maine’s attorney general’s office, the company confirmed that the breach took place on January 3, 2024, and was discovered a day later on January 4.

****The Breach:****

Details surrounding the attack remain limited, but LoanDepot acknowledges unauthorized access to their systems, potentially compromising sensitive customer data. While the specific types of information exposed haven’t been confirmed, the letter sent to the **victims of the data breach** suggests it could include their full name, address, email address, financial account numbers, social security number, phone number, and date of birth.

****Impact on Individuals:****

LoanDepot estimates that approximately 16.9 million (16,924,071) individuals have been affected. This includes current and former customers, as well as individuals who inquired about loan products but ultimately did not pursue them.

The company has begun notifying affected parties through letters and emails, outlining the potential scope of the breach and offering resources to help them protect themselves.

****LoanDepot’s Response:****

LoanDepot took immediate action to contain the attack and secure their systems. They launched an investigation in collaboration with cybersecurity experts and notified law enforcement authorities. Additionally, the company has offered one year of complimentary credit monitoring and identity theft protection services to all impacted individuals.

****Uncertainties and Concerns:****

The full extent of the damage caused by this attack remains unclear. The potential for **identity theft** and financial fraud is a significant concern for millions of individuals.

LoanDepot is urging affected individuals to remain alert and take proactive steps to safeguard their personal information, including being cautious of suspicious emails or phone calls, monitoring credit reports for unauthorized activity, and considering placing a freeze on their credit files.

****Regulatory and Legal Ramifications:****

The LoanDepot data breach is likely to attract scrutiny from regulators and may lead to legal repercussions. The Federal Trade Commission (**FTC**) is responsible for enforcing data privacy regulations, and they may investigate the incident to determine if LoanDepot followed appropriate data security practices. Further, affected individuals may have legal recourse against LoanDepot for failing to protect their personal information.

For insights into the LoanDepot data breach, we reached out to **Javvad Malik**, Lead Security Awareness Advocate at KnowBe4 who stated “This breach at LoanDepot is a reminder of the far-reaching consequences of ransomware attacks and it’s concerning to see the scale and sensitivity of the data involved, particularly the inclusion of Social Security numbers, which opens up Pandora’s box of identity theft and financial fraud possibilities.”

Javvad emphasised the importance of employee training within the organisations especially those responsible for data handling. “This incident highlights the critical need for organizations, especially those handling vast amounts of personal information, to invest in strong cybersecurity measures, including threat detection, response strategies, and most importantly, providing employees with timely and relevant security awareness and training.”

****Ransomware Gangs****

While the LoanDepot data breach was confirmed in January 2024, the specific ransomware group responsible for the attack hasn’t been officially disclosed by the company or law enforcement agencies as of today, February 26, 2024.

Nevertheless, ransomware is one of the most prevalent threats to organizations of all sizes. While the United States has **vowed** to take strict measures against ransomware groups, with LockBit ransomware’s recent **demise** and **resurrection**, it is obvious that these groups are here to stay and plan to cause long-term damage.

****Moving Forward:****

While the immediate aftermath of the LoanDepot data breach is concerning, the company’s commitment to transparency and its efforts to mitigate the damage are positive steps. Individuals must remain informed, take appropriate precautions, and actively monitor their financial information to minimize the potential impact of this incident.

1.  **5 Biggest Ransomware Attacks of All Time**
2.  **Kaspersky Reveals Alarming IoT Threats, Dark Web DDoS Boom**
3.  **Ransomware Attack Disrupts Services in 18 Romanian Hospitals**
4.  **Schneider Electric Energy Giant Confirms Cactus Ransomware Attack**
5.  **Hackers Leak 2.5M Private Plane Owners’ Data in LA Intl. Airport Breach**

LoanDepot Ransomware Attack Leads to Data Breach; 17 Million Impacted

By Waqas
You are not alone, an AT&T outage is happening across the United States, and the company is working…
This is a post from HackRead.com Read the original post: AT&T Outage Disrupts Service for Millions of Users Across US

You are not alone, an AT&T outage is happening across the United States, and the company is working to bring back service to normal.

Millions of AT&T customers across the United States woke up to widespread service disruptions on Thursday, February 22nd, 2024. The outage, which began early in the morning, has impacted mobile phone service, leaving users unable to make and receive calls, text messages, and access data.

Reports from users and outage tracking websites like Downdetector indicate the issue is nationwide, affecting major cities like New York, Los Angeles, Chicago, Dallas, and Atlanta. Social media is flooded with complaints from frustrated customers, many unable to connect with loved ones or conduct essential business activities.

The cause of the outage remains unclear. AT&T has yet to officially comment on the issue, leaving users in the dark about the root cause and expected resolution timeframe. This lack of communication is further adding to the frustration of affected customers.

**Cyber Attack?**

The cause behind the widespread outage affecting AT&T services across the United States remains uncertain, with conflicting reports suggesting it could be either a cyber attack or technical issues. Users across various regions have reported difficulties accessing wireless services, prompting concerns about the extent and nature of the disruption.

****AT&T is Aware!****

Although some users are reporting on social media that their service has been restored, on X (formerly Twitter), AT&T stated, “Some of our customers are experiencing wireless service interruptions. We are working urgently to restore service to all who are impacted.” It is worth noting that the company also provided a link to visit and keep an eye on updates.

Ironically, that link was also down and showing an error message to visitors. However, according to a live outage map from Down Detector, a platform that monitors internet outages, AT&T is still facing service issues across the United States.

The potential impact of this outage is significant. Disruptions to mobile phone service can hinder communication, impact emergency services for some, and cause inconvenience for countless individuals and businesses relying on their mobile devices for daily activities.

While AT&T is working to restore service, no estimated time for resolution has been announced. In the meantime, users are advised to:

*   **Use Wi-Fi calling:** If available, utilize Wi-Fi calling to make and receive calls over a Wi-Fi network.
*   **Stay informed:** Check the AT&T website and social media for updates on the outage.
*   **Consider alternative communication methods:** Explore options like text messaging apps or social media to connect with others if unable to use your phone.

This latest outage highlights the critical role of reliable mobile phone service in today’s interconnected world. It also underscores the importance of clear and timely communication from service providers during such disruptions to minimize inconvenience and ensure user safety.

As the situation unfolds, we will continue to monitor developments and provide updates on this evolving story.

1.  **ChatGPT Down? OpenAI Blames Outages on DDoS Attacks**
2.  **Amazon Web Services suffer outage taking popular sites down**
3.  **Facebook down with Messenger, Instagram, WhatsApp disruption**

AT&T Outage Disrupts Service for Millions of Users Across US

By Deeba Ahmed
Migo Malware Campaign: User-Mode Rootkit Hides Cryptojacking on Linux Systems.
This is a post from HackRead.com Read the original post: New Linux Malware “Migo” Exploits Redis for Cryptojacking, Disables Security

New “Migo” malware targets Linux servers, exploiting Redis for cryptojacking. Using a user-mode rootkit, hides its activity, making detection difficult. Secure your Redis servers and stay alert!

A sophisticated Linux malware campaign has been discovered **targeting Redis**, a popular data store system, to gain initial access using “System Weakening Commands,” revealed Cado Security Labs.

Cado researchers disclosed that the malware, dubbed Migo, exploits Redis for **cryptojacking**. The attackers execute commands on their target’s Redis servers to disable configuration options and make them vulnerable before deploying the payload.

The primary payload, Migo, is a Golang ELF binary that retrieves an **XMRig installer** from GitHub. Redis system weakening commands are used to disable configuration options, such as protected mode and replica-read-only, using CLI commands to execute malicious payloads from external sources like **Pastebin** to mine cryptocurrency in the background.

For your information, Protected mode is a Redis server operating mode introduced in version 3.2.0 to mitigate potential network exposure. It only accepts connections from the loopback interface and is likely disabled at initial access to allow attackers to send additional commands.

Conversely, the replica-read-only feature in Redis prevents accidental writes to replicas that may result in out-of-sync. Cado researchers report exploitation of this feature for malicious payload delivery, with Migo attackers likely disabling it for future Redis server exploitation.

Migo uses compile-time obfuscation and a user-mode rootkit ‘libprocesshider,’ to hide processes and artefacts, making it difficult for security analysts to detect and mitigate the threat. Once the miner is installed, Migo sets XMRig’s configuration to query system information, including logged-in users and resource limits.

“It also sets the number of Huge Pages available on the system to 128, using the vm.nr\_hugepages parameter. These actions are fairly typical for cryptojacking malware,” Matt Muir, Cado Security’s security researcher noted in a **blog post**.

It executes shell commands to copy the binary, disable SELinux, identify uninstallation scripts, execute the miner, kill competing processes, register persistence, and prevent outbound traffic to specific IP addresses and domains.

Moreover, Migo relies on systemd service and timer for persistence and the developers have obfuscated symbols and strings in the pclntab structure to complicate the malware analysis process. The involvement of a user-mode rootkit also complicates post-incident forensics of compromised hosts, and libprocesshider hides on-disk artefacts.

Migo’s emergence shows that cloud-focused attackers are continually refining their techniques and focused on exploiting web-facing services. They used Redis system weakening commands to disable security features, a move not previously reported in campaigns exploiting Redis for initial access, researchers concluded.

****RELATED ARTICLES****

1.  **Hackers behind Mirai botnet & DYN DDoS attacks plead guilty**
2.  **Hackers behind Mirai botnet to avoid jail for working with the FBI**
3.  **Tiny Mantis Botnet Can Launch Powerful DDoS Attacks Than Mirai**
4.  **Reaper malware outshines Mirai; hits millions of IoT devices worldwide**
5.  **Mirai Variant ‘OMG’ Turns IoT Devices into Proxy Servers for Cryptomining**

New Linux Malware “Migo” Exploits Redis for Cryptojacking, Disables Security

Debian Linux Security Advisory 5626-1 - It was discovered that malformed DNSSEC records within a DNS zone could result in denial of service against PDNS Recursor, a resolving name server.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5626-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffFebruary 18, 2024                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : pdns-recursorCVE ID         : CVE-2023-50387 CVE-2023-50868It was discovered that malformed DNSSEC records within a DNS zone couldresult in denial of service against PDNS Recursor, a resolvingname server.For the stable distribution (bookworm), these problems have been fixed inversion 4.8.6-1.We recommend that you upgrade your pdns-recursor packages.For the detailed security status of pdns-recursor please refer toits security tracker page at:https://security-tracker.debian.org/tracker/pdns-recursorFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXSMZcACgkQEMKTtsN8TjaCXA//RzokD4ns3XxUhHK3Q3i2KDp1Y1c2sbZzSRXw0Lw7K8xrCqZDksURciCkThiKqF+F3sKHaRt2Agj99DwWJ7fC+BuHJ0s73yRsrKX7HL6At/z1XE+Cw4UU775c3pydDoS+hTfLGbSLgnpdKg7do/u9uZ29tMpTWv6QpNl5mF0irsKnbYdz9XEe9SaJnlj5tpBYhptZP4AlmDXbWr4tIjx01X3JWOqKbsT8/08JYqd0AcKlihsqs4Wv1ggBmRBo4/1YjPD3ONgqrswikehbd9dMtzyFIJy6Yjo/HxVe1RnQH39rx4PzdkezP9MX4Ug6a2vzcqy3E3kGBgetQ6e7FETnV+94XFN2UfUtmBWjiTmU84k3+isgb8Xe+liFFVx86OZbUlkQ+tRgsNHw3uSsJf+5J3kr9Bacs4xdvZXxMSz5JrG484/YUd1wHVb3S/bv0vC7/BLhletXBhoz3MBa0m7qntNFexJyYoe2AYD1WLTfl10IuiZwpO6lnolj2XIIulORIhi72TdC4L7ZE6/fZr3XilMA4Y06ODlAQw3hpwf66YcOjuTC2lgrqoX09zyGrO3j729rW/O5JASnSR5jFv6eXV9a+YEqN7f6vgTjiE0GABpAdQ8CSp95WVLis51UtQ37FZdPp27/2lCFAd4UMnrJmDnVpsPTVFyNjQoBuKYdf8Y==rNYz-----END PGP SIGNATURE-----

Debian Security Advisory 5626-1

By Waqas
One in five children aged 10-16 in the UK have engaged in online activities that violate the Computer Misuse Act, NCA has revealed.
This is a post from HackRead.com Read the original post: 1 in 5 Youth Engage in Cybercrime, NCA Finds

A recent report by the National Crime Agency (NCA) has revealed a disturbing trend: one in five children aged 10-16 in the UK have engaged in online activities that violate the Computer Misuse Act. This raises serious concerns about the increasing prevalence of cybercrime among young people and stresses the urgent need for greater awareness and education.

The report, based on a comprehensive survey, highlights several concerning online behaviours, including:

*   **Unauthorized access to computer systems or data:** This encompasses hacking into someone else’s account, downloading illegal software, or accessing restricted information.
*   **Cyberbullying and harassment:** Online harassment and bullying can have severe consequences for both the victim and the perpetrator, inflicting emotional distress and potentially leading to real-world harm.
*   **Copyright infringement:** Downloading or sharing copyrighted material without permission, such as music, movies, or software, is illegal and can have legal repercussions.
*   **Online gaming offenses:** This encompasses activities like making in-game purchases without permission, using cheats or hacks to gain an unfair advantage, or engaging in distributed denial-of-service (DDoS) attacks that disrupt online services.

The NCA emphasizes that many children may unknowingly engage in these activities, unaware of the legal implications and potential consequences. This underlines the critical need for open communication between parents, educators, and children about online safety and responsible behaviour.

The report also stresses the importance of proactive education and awareness campaigns targeted at both children and adults. Educating young people about cybercrime, its various forms, and the legal ramifications associated with it can significantly deter them from engaging in risky online behaviour.

Furthermore, the NCA advocates for promoting positive alternatives to encourage children to engage in safe and productive online activities. This can involve fostering their interest in educational resources, creative pursuits, and responsible online communities.

While the report paints a concerning picture, it is crucial to remember that not all online activity by children is illegal. It is essential to distinguish between harmless exploration and deliberate malicious intent based on the specific details and context surrounding each case.

> _“Many young people are getting involved in cybercrime without realising that they are breaking the law. Our message to these teenagers is simple – don’t play games with your future. Whether you engage in this behaviour knowingly or without realising, you are committing an offence – and could face serious consequences for your actions.”_
> 
> _“We’d encourage any concerned parents and teachers to speak to young people with an interest in tech, help them understand the dangers, and highlight the many rewarding and varied careers available to them. Our Cyber Choices team are here to help children, teachers and parents with advice and guidance.”_
> 
> Paul Foster – NCA Deputy Director and Head of the National Cyber Crime Unit

The NCA’s report should be a wake-up call, urging parents, educators, and policymakers to work collaboratively to address the growing issue of cybercrime among young people. By fostering open communication, promoting education and awareness, and encouraging responsible online behaviour, we can create a safer and more positive digital environment for future generations.

_**Editor’s Note:** We must have open and honest conversations with young people about their online activities. We need to educate them about the potential risks and consequences of their actions and equip them with the knowledge and skills to navigate the online world safely and responsibly._

1.  **Kids breach and bypass Linux Mint screensaver lock**
2.  **Snapchat Safety for Parents: How to Safeguard Your Child**
3.  **13-year-old student arrested for hacking school computers**
4.  **Utilizing Programmatic Advertising to Locate Abducted Children**
5.  **Gender Diversity in Cybercrime Forums: Women Users on the Rise**

1 in 5 Youth Engage in Cybercrime, NCA Finds

There was about a 24-hour period where many news outlets reported on a reported DDoS attack that involved a botnet made up of thousands of internet-connected toothbrushes.

Thursday, February 15, 2024 14:00

I’ll be the first to admit that, like many people on the internet last week, I got caught up in the toothbrush distributed denial-of-service attack that wasn’t.  

I had a whole section on it written up in last week’s newsletter, and then I came across Graham Cluley’s blog post debunking the whole thing, and I had to delete it about an hour before the newsletter went live.  

There was about a 24-hour period where many news outlets reported on a reported DDoS attack that involved a botnet made up of thousands of internet-connected toothbrushes, it all started with one international newspaper report, and then was aggregated to death and spread quickly on social media.  

This attack was only a _hypothetical_ that a security researcher posed in an interview but was reported or translated as an attack that happened. 

To me, I think we can all learn from a few major takeaways from this entire saga — myself included.  

It’s easy to see why this was a ready-made story to go viral: It involved a silly device that probably doesn’t need to be connected to the internet anyway, it involved a large number that would grab headlines and it was a DDoS attack, which have suddenly come back in vogue over the past year. 

But, I’ll admit, the aggregated stories seemed a little fishy to me at first, because all the reports didn’t include any specifics about which company was targeted, how long the attack lasted, or the name of the device that was reportedly compromised. 

That last part should be a red flag going forward for any of us wanting to share a meme about something the next time a cybersecurity story goes viral — in my opinion, responsible disclosure of an attack or compromise should always include information about whatever vulnerability it was that was exploited. In this hypothetical scenario, I don’t think an adversary would have been able to compromise an internet-connected toothbrush without first exploiting some sort of vulnerability, which if it’s being reported on in public, should at least include information on patches or mitigations. 

I also think we all need to be asking the fundamental question: Why? In this case, I should have asked myself why an attacker would want to go through the trouble of compromising smart toothbrushes. And what would be the end goal of targeting a private company with a DDoS attack? Likely, it would be to demand a ransom in exchange for the attacker stopping the attack, but without knowing what sector the targeted company was in, it’s tough to guess how profitable that might even be. (For example, a health care agency may be looking to do anything to get back to operating asap, as lives could literally be at stake.) 

And once the attacker compromised a toothbrush, what information can they glean from the user besides their dental hygiene habits? Usually, they’d be looking to steal some sort of personal information, login credentials or financial data that they could then turn around and sell on the dark web. 

Needless to say, there were multiple red flags we all ignored when this story started to spread. And I’m not here to blame anyone in this case; it was all honest mistakes that, all things considered, ended up not being that serious. But the toothbrush botnet that wasn’t does serve as a reminder to all of us to be a bit more mindful before clicking share or posting a story on social media.  

**The one big thing **

Cisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation. Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems. 

**Why do I care? **

Turla has been widely known to target entities across the world using a huge set of offensive tools in geographies including the U.S., European Union, Ukraine and Asia. They’ve previously used malware families such as CAPIBAR and KAZUAR to target Ukrainian defense forces. After Crutch and TinyTurla, Turla has now expanded their arsenal to include the TinyTurla-NG and TurlaPower-NG malware families, while also widening its net of targets to NGOs. 

**So now what? **

Talos has released new ClamAV signatures and Snort rules to protect against TinyTurla and the actors’ actions. We don’t know what the initial access vector is, so it’s tough to give targeted advice on how to avoid this malware, but having any endpoint detection in place will block this “last chance” backdoor.  

**Top security headlines of the week **

**Chinese state-sponsored actor Volt Typhoon may have silently sat on U.S. critical infrastructure networks for more than five years,** according to a new report from American intelligence agencies. According to the advisory, the infamous hacking group has been exploiting vulnerabilities in routers, firewalls and VPNs to target water, transportation, energy and communications systems across the country. Volt Typhoon has been able to control some victims’ surveillance camera systems, and the access could have allowed them to disrupt critical energy and water controls. The actor is known for using living-off-the-land binaries (LoLBins) to remain undetected once they gain an initial foothold. Authorities in Canada, Australia and New Zealand also contributed to last week’s advisory, citing their concern for similar activity in their countries. The FBI’s director recently said in testimony to U.S. Congress that authorities had dismantled a bot network of hundreds of compromised devices that was connected to VoltTyphoon. (Axios, The Guardian) 

**A new spyware network called TheTruthSpy may have compromised hundreds of Android devices using silent tracking apps that users download thinking they’re legitimate.** Security researchers uncovered the information of thousands of devices that have already been compromised, including their IMEI numbers and advertising IDs. TheTruthSpy appears to actively spy on large clusters of victims across Europe, India, Indonesia, the U.S. and U.K. The operators behind TheTruthSpy also did not address a security vulnerability in the software, identified as CVE-2022-0732, which left the victim data they stole potentially vulnerable to other bad actors. These types of stalkerware tools are often used by family members, spouses or peers of victims who want to track their physical locations and spy on messages and phone calls. The spyware is downloaded via an app, which doesn’t appear on the victim’s home screen and operates quietly in the background. (TechCrunch, maia blog) 

**Apple removed a fake LastPass app called “LassPass” after the popular password management service reported it.** The phony LassPass used a similar logo to that of the legitimate LastPass and was up on the App Store for an unknown amount of time. Apple also said it was removing the creator of the app from its Developer Program. This is a very rare case for the Apple App Store, as it has a strict review policy. LastPass released a warning to all users last week of the fake app’s existence, including a link to the legitimate LastPass app. LassPass only had one review on the store, and multiple reviews warning it was fake. However, it’s safe to assume that the app was likely set up as some sort of phishing scam meant to get users to enter their legitimate LastPass login information to be stolen by the fake app’s creator. (Ars Technica, Bleeping Computer) 

**Can’t get enough Talos? **

*   Beers with Talos Ep. #143: The Reddit security diaries 
*   The Need to Know: How are attackers using QR codes in phishing emails and lure documents? 
*   First Microsoft Patch Tuesday zero-day of 2024 disclosed as part of group of 75 vulnerabilities 

**Upcoming events where you can find Talos **

**S4x24** **(March 4 - 27)** 

Miami Beach, Florida 

_To protect themselves during Russian aggression, the Ukrainian military utilizes electronic warfare to blanket critical infrastructure to defeat radar and GPS-guided smart munitions. This has the unintended consequence of disrupting GPS synchrophasor clock measurements and creating service outages on an already beleaguered and damaged transmission electric grid. Joe Marshall from Talos’ Strategic Communications team will tell an incredible story of how a group of engineers and security professionals from a diverse coalition of organizations came together to solve this electronic warfare GPS problem in an unconventional technical way, and helped stabilize parts of the transmission grid of Ukraine._ 

**RSA** **(May 6 - 9)** 

_San Francisco, California_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1      
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515      
**Typical Filename:** IMG001.exe      
**Claimed Product:** N/A      
**Detection Name:** Win.Dropper.Coinminer::1201 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa     
**MD5:** df11b3105df8d7c70e7b501e210e3cc3     
**Typical Filename:** DOC001.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** tmp000c3787   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg

Tag

#ddos