Mexican financial institutions are under the radar of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT.
The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin American-based financially motivated threat actor. The campaign has been active since at least 2021.
"Lures use Mexican Social

Malware / Software Update

Mexican financial institutions are under the radar of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT.

The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin American-based financially motivated threat actor. The campaign has been active since at least 2021.

"Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process," the Canadian company said in an analysis published earlier this week.

"The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud."

The attacks appear to be designed to particularly single out large companies with gross revenues over $100 million. Targeted entities span retail, agriculture, public sector, manufacturing, transportation, commercial services, capital goods, and banking sectors.

The infection chain begins with a ZIP file that's either distributed via phishing or a drive-by compromise, which contains an MSI installer file that drops a .NET downloader responsible for confirming the Mexican geolocation of the victim and retrieving the altered AllaKore RAT, a Delphi-based RAT first observed in 2015.

"AllaKore RAT, although somewhat basic, has the potent capability to keylog, screen capture, upload/download files, and even take remote control of the victim's machine," BlackBerry said.

The new functions added to the malware by the threat actor include support for commands related to banking fraud, targeting Mexican banks and crypto trading platforms, launching a reverse shell, extracting clipboard content, and fetching and executing additional payloads.

The threat actor's links to Latin America come from the use of Mexico Starlink IPs used in the campaign, as well as the addition of Spanish-language instructions to the modified RAT payload. Furthermore, the lures employed only work for companies that are large enough to report directly to the Mexican Social Security Institute (IMSS) department.

"This threat actor has been persistently targeting Mexican entities for the purposes of financial gain," the company said. "This activity has continued for over two years, and shows no signs of stopping."

The findings come as IOActive said it identified three vulnerabilities in the Lamassu Douro bitcoin ATMs (CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177) that could allow an attacker with physical access to take full control of the devices and steal user assets.

The attacks are made possible by exploiting the ATM's software update mechanism and the device's ability to read QR codes to supply their own malicious file and trigger the execution of arbitrary code. The issues were fixed by the Swiss company in October 2023.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

AllaKore RAT Malware Targeting Mexican Firms with Financial Fraud Tricks

By Uzair Amir
While cybercriminals create their toolbox, as a user you should also keep yourself ready for unsuspecting cyberattacks and keep a safety toolbox for your defence. 
This is a post from HackRead.com Read the original post: Building Your Defense Toolbox: Tools and Tactics to Combat Cyber Threats

It is a well-known fact that cybercriminals have evolved over the years. The emergence of AI-powered malicious chatbots, such as WormGPT and FraudGPT, has enabled malicious threat actors to not only refine their skills but also consolidate all their malicious activities and tools into one, like a toolbox. Understanding these tools is the first step towards safeguarding yourself against their scams.

While cybercriminals create their toolbox, as a user you should also keep yourself ready for unsuspecting cyberattacks and keep a safety toolbox for your defence.

One major part of that toolbox should be a Virtual Private Network or VPN. Why? because this tool hides your real-time IP address and protects your online privacy from cyber criminals and state-backed threat actors. VPNs, like CyberGhost, encrypt your internet connection, shielding your online activities from prying eyes.

Additionally, employing two-factor authentication (2FA), such as Google Authenticator, Microsoft Authenticator, Okta, and Authy, adds an extra security layer, making it harder for fraudsters to gain unauthorized access to your accounts, even if they have your passwords. These tools, combined with regular updates and vigilance, are crucial in safeguarding against sophisticated scams.

Let’s dive into the tools commonly used by fraudsters, followed by the countermeasures you can employ to protect yourself.

****Common Fraud Tactics********Spoofing****

Spoofing is a deceptive practice where fraudsters falsify information to appear as a legitimate entity. This can involve altering caller IDs or email addresses to mimic those of trusted organizations or individuals. The primary goal is to gain the victim’s trust, making them more susceptible to divulging sensitive information or granting access to their accounts.

****Phishing****

Phishing is a widespread technique that involves sending fraudulent communications that appear to come from a reputable source. Typically executed through email, these messages aim to steal sensitive data such as login credentials, credit card numbers, or personal identification information. Phishers often use urgency or fear to bypass rational judgment.

****Fake Profiles****

Creating fake profiles on social media, dating websites, and other platforms is a common tool in a fraudster’s arsenal. These profiles are carefully crafted to appear genuine, often mimicking the identities of real individuals or organizations. The objective is to build trust with potential victims, eventually manipulating them into financial transactions or sharing confidential information.

****Fake Photos and Entities****

Fraudsters frequently utilize stolen or altered images to bolster the credibility of their fake profiles or websites. Additionally, they might establish counterfeit entities, such as businesses or charities, to appear legitimate. These entities are used to facilitate various scams, including fraudulent sales, charity fraud, and investment scams.

The latest and ongoing incident involving deepfake images of Taylor Swift is just one example of the nightmarish scenarios that cybercriminals can create in your life.

****Fake Claims****

Scammers use persuasive narratives and false claims to trick their victims. These may include threats of legal action, false claims of lottery winnings, or other deceptive propositions that require the victim to make payments or provide personal information.

****Misrepresentation****

Fraudsters often impersonate authority figures or institutions using fake names, credentials, and badge numbers. This tactic is designed to intimidate or convince the victim of the legitimacy of their requests, thereby facilitating the extraction of sensitive information or money.

****Computer Pop-ups****

The prevalence of unwanted pop-ups bombarding your screen is a key reason why adblockers have gained immense popularity. Pop-up warnings on computers are commonly used to spread malware or obtain personal information.

These pop-ups often carry false alerts about viruses or security breaches, prompting the user to take immediate action, which usually involves downloading harmful software or calling a fraudulent support number.

****Robocalls****

Automated calls, or robocalls, are used extensively by scammers to reach many potential victims efficiently. These calls might contain deceptive messages about unpaid taxes or lottery winnings or offer fake services, aiming to extract personal information or direct payments.

****Lead Lists****

Lead lists are databases of individuals who have previously fallen for scams. Fraudsters trade and sell these lists, knowing that individuals scammed once are more likely to be targeted and tricked again.

****Secrecy and Persuasion****

A common tactic used by scammers is to demand secrecy from their victims. By insisting that the dealings remain confidential, fraudsters aim to isolate the victim and prevent them from seeking advice or help from others. They often employ a mix of charm, flattery, and threats to manipulate and control their targets.

****Emotional Manipulation****

Emotional manipulation involves fraudsters playing on the victim’s emotions to extract money or personal information. They may pretend to be in a romantic relationship, a distressed family member, or a charity representative. The fabricated scenarios often evoke strong emotional responses, compelling the victim to act impulsively.

****Search Engine Optimization and Malicious Links****

Fraudsters often use search engine optimization techniques (SEO Poisoning) to promote their scam websites, making them appear legitimate and trustworthy in online searches. They also distribute malicious links through emails or messages, which lead to fraudulent websites or directly install malware when clicked.

****Protective Measures Against Fraud********Caller Verification****

Always verify the identity of callers, especially when they request personal information. If someone claims to be from a legitimate organization, hang up and contact the organization directly using a verified phone number to confirm their authenticity.

****Email Caution****

Exercise caution with email links and attachments, especially from unknown senders. Hover over email addresses and links to verify their authenticity. Be cautious of emails that use urgency or pressure tactics to gather personal information or payments.

****Continuous Education****

Staying informed about common scam tactics and trends is essential. Regularly educating oneself and others about the latest fraud methods can significantly reduce the risk of falling victim to these scams. In simple terms, having cybersecurity knowledge for yourself and your employees is the master key to protecting against every known cyberattack to date.

****Anti-Virus Software****

Ensure your devices are protected with reliable and updated anti-virus software. This software is capable of detecting and preventing malware attacks, which are commonly used in various scams.

****Pop-Up Blockers****

Pop-up or ad blockers can prevent malicious ads and links from appearing on your devices. These pop-ups often contain false claims or threats designed to trick users into downloading malware or revealing personal information.

If you are on Chrome browser, you can disable pop-ups from settings. > Chrome > Settings > Privacy and security > Site Settings > Pop-ups and redirects.

****Secure Network Usage****

Avoid conducting sensitive transactions over public wi-fi networks. Always use secure, private networks for online banking, shopping, and other activities that require personal information.

Businesses should employ a variety of fraud detection tools to safeguard their operations. These include:

*   **Geolocation and Proxy Piercing:** Identifying the physical location of transaction attempts can flag suspicious activities, especially if the location mismatches the user’s typical pattern.
*   **Device Fingerprinting:** This tool helps recognize devices used in previous fraudulent activities, enabling businesses to block transactions from these devices.
*   **Address Verification (AVS):** AVS checks if the billing address provided by the customer matches the address on file with the card issuer.
*   **Velocity Checks:** Monitoring the frequency and volume of transactions from a single user can help detect and prevent fraud.
*   **Biometric Verification:** Using biometrics in payment processes adds an extra layer of security.
*   **Blacklists and Whitelists:** These lists allow businesses to control traffic based on known fraudulent sources or trusted entities.
*   **Machine Learning:** AI models can detect patterns indicative of fraud, improving over time as they process more data.
*   **3-D Secure Technology:** This adds authentication steps for online credit and debit card transactions, reducing the risk of card-not-present fraud.
*   **Fraud Scoring:** Analyzing transactions based on various risk factors helps identify potentially fraudulent activities.

****Regular Updates and Vigilance****

Keeping software and fraud detection tools up to date is crucial. Regularly updating your knowledge about new fraud tactics and protective measures can help you stay ahead of scammers.

****Conclusion****

Fraudsters are always changing their tactics, which makes it crucial for individuals and businesses to stay informed and alert. Understanding the tools used by fraudsters and implementing strong protective measures can significantly reduce the risk of falling victim to these sophisticated scams. Regular updates, continuous education, and employing advanced fraud detection tools are key to safeguarding against these threats.

****_RELATED ARTICLES_****

1.  **What is an OSINT Tool – Best OSINT Tools**
2.  **McAfee’s Mockingbird AI Tool Detects Deepfake Audio**
3.  **Temporary Phone Number: An Essential Tool for Privacy Protection**
4.  **Kaspersky’s iShutdown Tool Detects Pegasus Spyware on iOS Devices**
5.  **Understanding Reverse Email Lookup: A Tool to Strengthen Cybersecurity**

Building Your Defense Toolbox: Tools and Tactics to Combat Cyber Threats

It's Data Privacy Week so here are 10 tips from our VP of Consumer Privacy, Oren Arar, about how to stay private online.

**1\. **Set up two-factor authentication****

Do this for as many of your online accounts as you can, especially the major ones like your email and social media accounts. Two-factor authentication (2FA) adds an extra step of protection and makes it much harder for attackers to login as you. We recommend using authenticator apps or physical security keys, but sometimes SMS is the easiest option and that’s fine. In most services you won’t have to enter the 2FA code every time, only when using a new device.

**2\. Use a different password for every account**

If your password is breached on one site, cybercriminals can use that login information to access your other online accounts that use the same passwords. If you use a different password for each account they can’t do this. Make sure your passwords are long (15 characters or more is good) and use a mix of upper and lower case characters, numbers and symbols too.

To make it easy, you can chose a phrase or a line from a song you like (for instance: DancingInTheMoonlight1999!). You can also use a password manager built-in on your browser, or a stand-alone password manager (see below). If you’ve received a notification from Google, Malwarebytes or any other service telling you your password has been exposed make sure to not use it or any variation of it again for any of your accounts. 

**3\. Use a password manager**

Making different and complicated passwords for each and every online account you have is one thing, but **remembering** them all is a lot more difficult. That’s why we use a password manager, and why you should too. It will generate passwords for you and then remember them all. Choose a vendor you trust for it, or simply use Apple or Google.

**4\. Keep software and hardware up to date**

Make sure your computer, phone, browser, apps and other programs are always on the latest version. If someone finds a security bug, the company that makes that software or hardware will release a new version with a patch for the bug. If you’re not on the latest version, you will be vulnerable. We know it can sometime be a hassle to update the version – but it’s not only about the latest features, in many cases it’s about keeping you safe!

**5\. Double check everything**

Got an email or SMS saying your delivery has been delayed that asks you to click on a link? Double check that you are expecting a delivery from where it says it’s coming from. Got a message from a friend on Facebook that seems off? Double check via text or phone that it is really them. Is your CEO suddenly asking you to buy $5000 of gift cards on the company credit card? Double check that it really is the CEO (it probably isn’t). There’s a ton of scams out there and they are getting more and more sophisticated with time, you just have to stay vigilant and aware of it.

Does that restaurant you’re making a reservation with really need to know your actual date of birth? Does that shopping site really need to know your mother’s maiden name as a password reset question? Consider carefully where you share your data and keep in the back of your mind that the service you are using could be breached. If it is breached, what of your information would be taken? If you can use false information, we really encourage you to do that. Pro-tip: create an “avatar online identity” for yourself with a separate email, date of birth and information you remember and use this information for vendors that don’t require your real identity.

**7\. Cover your camera**

When your camera isn’t in use, make sure you cover it with a physical cover. You can get webcam covers that slide open and shut to make it easy for you to use your camera when you like, and they look a lot nicer than a sticking plaster! Hackers have been known to take over webcams and take snapshots – so sometimes a physical cover is our last line of defense!

**8\. Use an identity monitoring solution**

Identity theft is a real challenge today, including stealing your credit and even opening new lines of credit in your name. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after. Malwarebytes Identity Theft Protection can help with this.

**9\. Check what data of yours has already been exposed**

It’s very likely that your personal information has already been involved in a breach, but you might be wondering how much information can be gained about you from all the pieces of data about you that’s online—aka your digital footprint. We created a tool that will show you just that. You enter your most commonly-used email address, we’ll run a scan and then we’ll send you the results. Try the free scan now.

**10\. Use security software**

Finally, make sure you have protected your devices with security software. It doesn’t take long and it’s such a basic step we must all do. Malwarebytes Premium detects or blocks over 95 million pieces of malware a day so we definitely have you covered. We protect Windows, Mac, Chrome, Android, and iOS.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 10 things to do to improve your online privacy 

Apple Security Advisory 01-22-2024-1 - Safari 17.3 addresses code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-01-22-2024-1 Safari 17.3

Safari 17.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214056.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Safari  
Available for: macOS Monterey and macOS Ventura  
Impact: A user's private browsing activity may be visible in Settings  
Description: A privacy issue was addressed with improved handling of  
user preferences.  
CVE-2024-23211: Mark Bowers

WebKit  
Available for: macOS Monterey and macOS Ventura  
Impact: A maliciously crafted webpage may be able to fingerprint the  
user  
Description: An access issue was addressed with improved access  
restrictions.  
WebKit Bugzilla: 262699  
CVE-2024-23206: an anonymous researcher

WebKit  
Available for: macOS Monterey and macOS Ventura  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 266619  
CVE-2024-23213: Wangtaiyu of Zhongfu info

WebKit  
Available for: macOS Monterey and macOS Ventura  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution. Apple is aware of a report that this issue may have been  
exploited.  
Description: A type confusion issue was addressed with improved checks.  
WebKit Bugzilla: 267134  
CVE-2024-23222

Safari 17.3 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmWvDK4ACgkQX+5d1TXa  
IvpsdQ/+LRXsqQK9ZIXoBoXhj0w15DUKVrVfQr/jauI3pgxBZcuZeYiM0SyNnROH  
SXppIL9KGUaOxDm+RqggN4rVB/PFPBTfZ7NB42odpnyxswVe7ozTir09BaYGnwoo  
o+S2I8IN6Nn7ePV5wTXjmftUjNetk6J5iGQ4KboVPTPsNOuw+3r/nohjrYt2ERgq  
YFVAsBK0gOQwY1chnNxOqFghWtZCkYKIinYCc89KcYVwZ6WpFaQlqk++E1p1vd1C  
l4teK1uJv7thLkpneq9e3alb1qQCfX5XLpHX596uNrs0HXJYESQgwZgHmMqsssJa  
LOCTahxE39Oevjy9q5z+UzaIBK2SAULgmaMdnrRLDV8641hDsjVuYyCzVs5jMNOa  
+ty80EmEUiwcR/yuzbAmOgmdvuVuowdkGWR9pdhTWM9Co7PMdTRZLUiOsi4qUUPT  
HxqJ42o53gNWzJhINTyufVRDd2VTcOH8X+C/uEbwMF/LHO4scNnI/0n1SrRsUCKg  
msV7r3VheTGylX3KV/ivZiJq8agjheh/awRDQ1/1Lyd7yGb8tZSdP0iFrCgayB9d  
RgrVR7yyXd/SCQsjI2hGRzTMoTQhARsx78dXtf2LFxONZZOFIaYnupzLxHeX58kp  
lcN/OmgEb9w0t+/M9Lwn4kdvTZ/rbfF5+1BAI9VTuuAt9N+0fyk=  
=jmbL  
-----END PGP SIGNATURE-----

Apple Security Advisory 01-22-2024-1

Chinese-speaking users have been targeted by malicious Google ads for restricted messaging apps like Telegram as part of an ongoing malvertising campaign.
"The threat actor is abusing Google advertiser accounts to create malicious ads and pointing them to pages where unsuspecting users will download Remote Administration Trojan (RATs) instead," Malwarebytes' Jérôme Segura said in a

Malvertising / Phishing-as-a-service

Chinese-speaking users have been targeted by malicious Google ads for restricted messaging apps like Telegram as part of an ongoing malvertising campaign.

"The threat actor is abusing Google advertiser accounts to create malicious ads and pointing them to pages where unsuspecting users will download Remote Administration Trojan (RATs) instead," Malwarebytes' Jérôme Segura said in a Thursday report. "Such programs give an attacker full control of a victim's machine and the ability to drop additional malware."

It's worth noting that the activity, codenamed FakeAPP, is a continuation of a prior attack wave that targeted Hong Kong users searching for messaging apps like WhatsApp and Telegram on search engines in late October 2023.

The latest iteration of the campaign also adds messaging app LINE to the list of messaging apps, redirecting users to bogus websites hosted on Google Docs or Google Sites.

The Google infrastructure is used to embed links to other sites under the threat actor's control in order to deliver the malicious installer files that ultimately deploy trojans such as PlugX and Gh0st RAT.

Malwarebytes said it traced the fraudulent ads to two advertiser accounts named Interactive Communication Team Limited and Ringier Media Nigeria Limited that are based in Nigeria.

"It also appears that the threat actor privileges quantity over quality by constantly pushing new payloads and infrastructure as command-and-control," Segura said.

The development comes as Trustwave SpiderLabs disclosed a spike in the use of a phishing-as-a-service (PhaaS) platform called Greatness to create legitimate-looking credential harvesting pages targeting Microsoft 365 users.

"The kit allows for personalizing sender names, email addresses, subjects, messages, attachments, and QR codes, enhancing relevance and engagement," the company said, adding it comes with anti-detection measures like randomizing headers, encoding, and obfuscation aim to bypass spam filters and security systems.

Greatness is offered for sale to other criminal actors for $120 per month, effectively lowering the barrier to entry and helping them conduct attacks at scale.

Attack chains entail sending phishing emails bearing malicious HTML attachments that, when opened by the recipients, direct them to a fake login page that captures the login credentials entered and exfiltrates the details to the threat actor via Telegram.

Other infection sequences have leveraged the attachments to drop malware on the victim's machine to facilitate information theft.

To increase the likelihood of success of the attack, the email messages spoof trusted sources like banks and employers and induce a false sense of urgency using subjects like "urgent invoice payments" or "urgent account verification required."

"The number of victims is unknown at this time, but Greatness is widely used and well-supported, with its own Telegram community providing information on how to operate the kit, along with additional tips and tricks," Trustwave said.

Phishing attacks have also been observed striking South Korean companies using lures that impersonate tech companies like Kakao to distribute AsyncRAT via malicious Windows shortcut (LNK) files.

"Malicious shortcut files disguised as legitimate documents are continuously being distributed," the AhnLab Security Intelligence Center (ASEC) said. "Users can mistake the shortcut file for a normal document, as the '.LNK' extension is not visible on the names of the files."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Malicious Ads on Google Target Chinese Users with Fake Messaging Apps

40-year-old Russian national Vladimir Dunaev has been sentenced to five years and four months in prison for his role in creating and distributing the TrickBot malware, the U.S. Department of Justice (DoJ) said.
The development comes nearly two months after Dunaev pleaded guilty to committing computer fraud and identity theft and conspiracy to commit wire fraud and bank fraud.
"

40-year-old Russian national **Vladimir Dunaev** has been sentenced to five years and four months in prison for his role in creating and distributing the TrickBot malware, the U.S. Department of Justice (DoJ) said.

The development comes nearly two months after Dunaev pleaded guilty to committing computer fraud and identity theft and conspiracy to commit wire fraud and bank fraud.

"Hospitals, schools, and businesses were among the millions of TrickBot victims who suffered tens of millions of dollars in losses," DoJ said. "While active, Trickbot malware, which acted as an initial intrusion vector into victim computer systems, was used to support various ransomware variants."

Originating as a banking trojan in 2016, TrickBot evolved into a Swiss Army knife capable of delivering additional payloads, including ransomware. Following efforts to take down the botnet, it was absorbed into the Conti ransomware operation in 2022.

The cybercrime crew's allegiance to Russia during the Russo-Ukrainian war led to a series of leaks dubbed ContiLeaks and TrickLeaks, which precipitated its shutdown in mid-2022, resulting in its fragmentation into numerous other ransomware and data extortion groups.

Dunaev is said to have provided specialized services and technical abilities to further the TrickBot scheme between June 2016 and June 2021, using it to deliver ransomware against hospitals, schools, and businesses.

Specifically, the defendant developed browser modifications and malicious tools that made it possible to harvest credentials and sensitive data from compromised machines as well as enable remote access. He also created programs to prevent the Trickbot malware from being detected by legitimate security software.

Another TrickBot developer, a Latvian national named Alla Witte, was sentenced to two years and eight months in prison in June 2023.

News of Dunaev's sentencing comes days after governments from Australia, the U.K., and the U.S. imposed financial sanctions on Alexander Ermakov, a Russian national and an affiliate for the REvil ransomware gang, for orchestrating the 2022 attack against health insurance provider Medibank.

Cybersecurity firm Intel 471 said Ermakov went by various online aliases such as blade\_runner, GustaveDore, JimJones, aiiis\_ermak, GistaveDore, gustavedore, GustaveDore, Gustave7Dore, ProgerCC, SHTAZI, and shtaziIT.

As JimJones, he has also been observed attempting to recruit unethical penetration testers who would supply login credentials for vulnerable organizations for follow-on ransomware attacks in exchange for $500 per access and a 5% cut of the ransom proceeds.

"These identifiers are linked to a wide range of cybercriminal activity, including network intrusions, malware development, and ransomware attacks," the company said, offering insights into his cybercrime history.

"Ermakov had a robust presence on cybercriminal forums and an active role in the cybercrime-as-a-service economy, both as a buyer and provider and also as a ransomware operator and affiliate. It also appears that Ermakov was involved with a software development company that specialized in both legitimate and criminal software development."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian TrickBot Mastermind Gets 5-Year Prison Sentence for Cybercrime Spree

By Deeba Ahmed
HP CEO Enrique Lores defended HP's practice of bricking printers when loaded with third-party ink.
This is a post from HackRead.com Read the original post: HP Claims Monopoly on Ink, Alleges 3rd-Party Cartridge Malware Risk

The company now claims that allowing third-party ink cartridges in its printers would expose them to viruses and malware.

Hewlett-Packard (HP) claims to have laptops that effectively block unwelcome snoopers, but why does the company maintain a monopoly over its ink cartridges? Well, HP is reaffirming its monopoly on refillable ink cartridges for printers following a lawsuit for blocking third-party ink with Dynamic Security updates.

The company claims that third-party cartridges can infect users’ PCs with viruses or malware, which can then reach the printer and network. In an interview with CNBC, HP CEO Enrique Lores defended HP’s practice of bricking printers when loaded with third-party ink, based on the company’s 2022 research.  It suggests ink cartridge microcontroller chips could be a cyber threat.

The company tasked Bugcrowd researchers to determine it under its bug bounty program in 2022 and learned that HP’s cartridges, which typically use a secure chip for communication with printers, could contain malicious software if sold by third parties.

HP’s chief technologist of print security, Shivaun Albright, stated back then that the hacker could inject code into the device beyond the bounds of the buffer. HP acknowledges that there is no evidence of in-the-wild exploitation of this hack, but given that the chips used in third-party ink cartridges are reprogrammable, they are indeed vulnerable.

However, Ars Technica Senior Security Editor Dan Goodin believes there are no known attacks that can infect printers using hacked ink cartridges. Goodin raised concerns about the potential use of ink cartridges as a cyber threat, but cybersecurity professionals were sceptical.

Hackread.com’s Founder and Editor, Waqas, dismisses the argument that third-party cartridges can compromise a printer with malware as weak and unconvincing. He draws a comparison, stating, “This reminds me of Kellyanne Elizabeth Conway, the Counselor to then-President Donald Trump, who quite convincingly claimed in an interview that she believes microwaves can be hacked and turned into cameras for spying purposes.”

However, Lores’ comments raise concerns about security vulnerabilities as he presented a scenario where a compromised ink cartridge could launch malware onto a connected network. HP claims its chips are secure, implying that its authentication mechanisms are reliable. Still, fearing infection from third-party cartridges may prevent some customers from purchasing ink from HP, despite HP’s claims of chip authenticity.

For your information, HP has been hit with a lawsuit over its Dynamic Security system (PDF), which stops printer operation if an ink cartridge without an HP chip or HP electronic circuitry is installed.

The lawsuit (PDF) seeks class-action certification, alleging that HP customers were not informed that firmware updates issued in late 2022 and early 2023 could result in printer features not working.

The lawsuit seeks monetary damages and an injunction to deter HP from issuing printer updates, which block ink cartridges without an HP chip as compromised ink cartridges can allow malware to invade the connected network.

Printer manufacturers like HP have faced criticism for security flaws, potentially allowing hackers to access sensitive data or control printing functions. Lores emphasized the need for stronger security measures in the printer industry.

“I think for us it is important for us to protect our IP. There is a lot of IP that we’ve built in the inks of the printers, in the printers themselves. And what we are doing is when we identify cartridges that are violating our IP, we stop the printers from work” Lores stated in an interview with CNBC.

****_RELATED ARTICLES_****

1.  HP Printer’s Hard Drive Can Be Used To Host Malicious Files
2.  Keylogger spotted – HP machines could turn into a spyware
3.  Lenovo removes backdoor in networking switches since 2004
4.  Hacker takes over thousands of Printers; sends alerts to users
5.  Researcher finds pre-installed keylogger in hundreds of HP laptops

HP Claims Monopoly on Ink, Alleges 3rd-Party Cartridge Malware Risk

Chinese speaking users looking for Telegram, or LINE are being targeted with malicious ads. Instead of downloading the legitimate application, they install malware.

An ongoing campaign of malicious ads has been targeting Chinese-speaking users with lures for popular messaging applications such as Telegram or LINE with the intent of dropping malware. Interestingly, software like Telegram is heavily restricted and was previously banned in China.

Many Google services, including Google search, are also either restricted or heavily censored in mainland China. Having said that, many users will try to circumvent those restrictions by using various tools such as VPNs.

The threat actor is abusing Google advertiser accounts to create malicious ads and pointing them to pages where unsuspecting users will download Remote Administration Trojan (RATs) instead. Such programs gives an attacker full control of a victim’s machine and the ability to drop additional malware.

It may not be a coincidence that the malvertising campaigns are primarily focused on restricted or banned applications. While we don’t know the threat actor’s true intentions, data collection and spying may be one of their motives. In this blog post, we share more information about the malicious ads and payloads we have been able to collect.

Visitors to google.cn are redirected to google.com.hk where searches are said to be uncensored. Doing a lookup for ‘telegram’ we see a sponsored search result.

The following description is associated with this ad:

> TeIegram official application – TeIegram Chinese version download docs.google.com https://docs.google.com › 2024 › Official download Latest Telegram Understand your users Androd needs and engage them with relevant personalized solutions in real time. One of the top 5 most downloaded apps in the world with over 700 million active users.

Here is an ad for ‘LINE’

Description:

> LINE is the largest communication platform that provides an end-to-end encrypted experience, allowing cross-platform communication across mobile phones, computers, tablets, etc. Simple, reliable, and free\* private messages and calls can be used around the world.

We identified two advertiser accounts behind those ads, both of them being associated with a user profile in Nigeria:

*   Interactive Communication Team Limited
*   Ringier Media Nigeria Limited

Due to the number of ads for each of these accounts (including many unrelated to these campaigns), we believe they may have been taken over by the threat actors.

**Infrastructure**

This threat actor seems to rely on Google infrastructure in the form of Google Docs or Google sites. This allows them to insert links for the download or even redirect to other sites they control.

**Malware payloads**

We collected a number of payloads from this campaign, all in MSI format. Several of those used a technique known as DLL side-loading, which consists of combining a legitimate application with a malicious DLL that gets loaded automatically.

In the example above, the DLL is signed with a now revoked certificate from _Sharp Brilliance Communication Technology Co., Ltd._ which was also recently used to sign a PlugX RAT sample. (PlugX is a RAT from China that also performs DLL side-loading).

Not all dropped malware is new, in fact some were previously used in other campaigns and are variants of Gh0st RAT.

**Active threat**

A website and forum (bbs\[.\]kafan\[.\]cn) dedicated to security frequented by Chinese users keeps up with malware from these campaigns that they refer to as FakeAPP.

It also appears that the threat actor privileges quantity over quality by constantly pushing new payloads and infrastructure as command and control.

Online ads are an effective way to reach a certain audience, and of course they can be misused as well. People (such as activists) that live in countries where encrypted communication tools are banned or restricted will attempt to bypass these measures. It appears that a threat actor is luring potential victims with such ads.

The payloads are consistent with threats observed in the South Asia region, and we see similar techniques such as DLL side-loading that is quite popular with many RATs. This type of malware is ideal to gather information about someone and silently dropping additional components if and when necessary.

We have notified Google regarding the malicious ads and have reported the supporting infrastructure to the relevant parties.

Malwarebytes detects the malicious payloads upon execution.

**Indicators of Compromise**

Fake domains

telagsmn\[.\]com  
teleglren\[.\]com  
teleglarm\[.\]com

Redirectors

5443654\[.\]site  
5443654\[.\]world

Payloads

CS-HY-A8-bei.msi
63b89ca863d22a0f88ead1e18576a7504740b2771c1c32d15e2c04141795d79a

w-p-p64.msi
a83b93ec2a5602d102803cd02aecf5ac6e7de998632afe6ed255d6808465468e

mGtgsotp\_zhx64.msi
acf6c75533ef9ed95f76bf10a48d56c75ce5bbb4d4d9262be9631c51f949c084

cgzn-tesup.msi
ec2781ae9af54881ecbbbfc82b34ea4009c0037c54ab4b8bd91f3f32ab1cf52a

tpseu-tcnz.msi
c08be9a01b3465f10299a461bbf3a2054fdff76da67e7d8ab33ad917b516ebdc

C2s

47.75.116\[.\]234:19858
216.83.56\[.\]247:36061
45.195.148\[.\]73:15628

 Malicious ads for restricted messaging applications target Chinese users 

ThreatDown has earned 37/37 awards over nine consecutive quarters.

ThreatDown Endpoint Protection (EP) achieved the highest possible score (100%) and received certifications for Level 1, Exploit, Online Banking, and Ransomware in the most recent anti-malware efficacy assessment results for the Q3 2023 evaluation performed by MRG Effitas, a world leader in independent IT research.

These results mark the ninth time in a row ThreatDown has received all certification awards, and is now officially the only vendor to win every single certification and award from Q3 2021 through Q3 2023.

MRG Effitas assesses a product’s ability to meet today’s most pressing threats in-the-wild, such as stopping zero-day malware, ransomware, and exploits—and doing so with speedy performance and low false positives.

After unveiling their new phishing assessment in Q2 2023, MRG Effitas in Q3 2023 began awarding a full-on 360° Phishing Certification to vendors who could take down phishing threats.

ThreatDown blocked 100% of phishing attempts in the In-the-Wild (ITW) Phishing Test. In other words, ThreatDown is the only vendor to consistently receive all 4 award logos and block 100% of phishing attempts.

How we were able to do it: The signature and behavior-based detection techniques and proprietary anti-exploit technology of ThreatDown EP allowed it to detect and autoblock more malware than any other competitor on the Q3 test. In addition, the Web protection layer of our EP blocks access to and from known or suspicious Internet addresses, allowing us to ace the phishing tests.

As an integral foundation layer for ThreatDown Bundles, these results prove that ThreatDown provides reliable and comprehensive protection against a wide range of threats.

Let’s dive into where we prevented more than the rest and how we were able to do it.

**100% of phishing attempts blocked **

Given the frequency and risks associated with phishing attacks today, it’s clear that modern endpoint security needs to protect against these attacks.

According to Verizon, attackers used phishing for initial access in 15% of data breaches in 2022. CISA also showed that, within the first 10 minutes of receiving a phishing email, 84% of employees took the bait. After successfully compromising a system through phishing, threat actors can further their attacks by dropping ransomware or stealing sensitive data, leading to costly financial and reputational damages.

**ThreatDown blocked 100% of phishing attempts in the ITW Phishing Test and was only one of two vendors to score 80% or above in the Phishing Simulator Test.**

How we were able to do it: ThreatDown EP, the foundation for ThreatDown Bundles, features a Web protection layer that blocks access to and from known or suspicious Internet addresses.

**100% of ransomware blocked **

Using a blend of signature and signature-less technologies, the anti-ransomware layer of ThreatDown EP constantly monitors endpoint systems and automatically kills processes associated with ransomware activity.

MRG Effitas tested security products against 65 ransomware samples. In addition, they tested four ransomware simulator samples created in-house, ensuring the security product could only rely on its behavior scanning modules. To test for false positives, a device running ThreatDown EP also ran three benign programs designed to mimic ransomware behavior.

ThreatDown blocked 100 percent of ransomware threats in the MRG Effitas assessment and did so with no false positives, allowing the three benign programs to run. For this we earned the 360° Ransomware Certification.

**100% of banking malware blocked **

In 2021, 37% of banking malware attacks targeted corporate users. 

We were one of the few vendors who earned a 360° Online Banking Certification, which means ThreatDown EP stopped 100% of threats designed to steal financial information and money from victim’s accounts. To outperform the others, our unique detection technology again came into play.

ThreatDown EP blocked 100% of the 16 financial malware samples, the Magecart credit card-skimming attack, and Botnets designed to steal credentials.

**100% of zero-day threats blocked **

One of the many strong suits of our detection is that it can detect malware that has never been seen before, also called zero-day malware. Again, we were one of the only vendors to detect and block these pernicious threats, which account for 80% of successful breaches.  

Built on machine learning (ML) and behavioral analysis techniques, our behavior-based detection enabled ThreatDown EP to detect and block 100% of all zero-day threats. For this, as well as blocking all Botnets, we earned the 360° Level 1 Certification.

**100% of exploits blocked **

The anti-exploit feature of ThreatDown EP protects organizations from one of the most advanced cyber attacks: zero-day exploits targeting browser and application vulnerabilities.  

But don’t take our word for it: MRG Effitas used 8 different exploitation techniques to try and deliver a malicious payload on a device running ThreatDown EP—but they didn’t get very far. Malwarebytes earned the 360° Exploit Certification for autoblocking 100% of Exploit/Fileless attacks, entirely protecting the system from infection.  

We were one of the few to earn the 360° Exploit Certification all thanks to our proprietary anti-exploit technology, which wraps vulnerable programs in four defensive layers that prevent an exploit from installing its payload, or even executing initial shellcode. 

**Consistency is key **

If there is one shining take away from this accomplishment, it’s that consistency is key.

You don’t want a security solution that passes rigorous tests like MRG Effitas only some of the time. You want a solution that passes them with flying colors all of the time. Clearly, ThreatDown EP, and by extension our ThreatDown Bundles, is that solution.

For organizations that are concerned their current solution may not be up-to-par, the MRG Effitas assessment has demonstrated that ThreatDown—more consistently than anybody else—has what it takes to keep your business safe from today’s most pressing cyberthreats.

 Malwarebytes wins every MRG Effitas award for 2 years in a row 

Cyber insurance premiums are expected to rise this year after leveling out in 2023.

Thursday, January 25, 2024 14:00

I just bought an electric car last week, so I’ve been shopping for new car insurance policies that could offer me a discount for ditching gas. 

We’re all familiar with the boring process of entering the same information 10 times over into 10 different companies’ websites trying to see who comes out the cheapest and offers the best bundles, discounts or deals. 

Unfortunately, with cybersecurity insurance, there are no bundles or “Personal Price Plans” to enroll in, and costs are rising. 

This is nothing to say about whether an organization should get cyber insurance. That is 100 percent their decision to make, and every case is going to be different. But for companies who are interested in getting these types of policies to be best prepared to recover from and deal with a potential security incident, it’s now more expensive than ever to get cyber insurance. 

A report last week from Dark Reading indicated that cyber insurance costs are expected to rise over the next 12 to 24 months. This would be after premiums for these plans rose 50 percent in 2022, according to Bloomberg, though they largely held steady in 2023. 

This problem isn’t isolated to just the U.S., either. A November report from business continuity service Databarracks surveyed companies in the U.K. and found that nearly a third of respondents said their cyber insurance had increased in cost over the past year, while more companies than ever said they had any type of cyber insurance policy, implying a totally new line item for their budgets. 

This rising cost could certainly be attributed to all the classic factors of why anything gets more expensive: market demand, inflation, rising costs of doing business, etc. But an increase in ransomware activity seems to be a large driver, too. 

The same Databarracks survey found that 24 percent of all IT downtime for respondents was due to a cyber incident, up 14 percent from 2018. Thirty-seven percent of all companies said they experienced a ransomware attack in 2023, and more than half experienced some sort of security incident in general. 

As we saw in our most recent Talos Incident Response Quarterly Trends Report, ransomware may rise again after a relatively quiet period from mid-2022 through the summer of 2023. Ransomware, including pre-ransomware activity, was the top observed threat in the fourth quarter of 2023, accounting for 28 percent of engagements, according to Talos IR, a 17 percent increase from the previous quarter. 

That’s not to say that it’s a lock that ransomware attacks are going to be up in 2024, but if they are, cyber insurance policies are only going to get more expensive, which means further shifting budgets for companies of all sizes.  

There is no one-size-fits-all approach for how anyone should approach getting a cybersecurity insurance policy. Still, if companies can’t steady the cost of premiums, it may send executives shopping for other, potentially less effective, methods of preparing for a cyber attack. 

**The one big thing **

Cisco Talos Incident Response (Talos IR) saw a significant increase in ransomware activity in its engagements during the fourth quarter of 2023, while education remains one of the most targeted sectors. Talos IR also observed several brand new ransomware operations for the first time in Q4, including Play, Cactus, BlackSuit and NoEscape. The latest Talos IR Quarterly Trends Report has a full breakdown of the top threats they saw in the wild and an idea of where attacker tactics might be headed in 2024. 

**Why do I care? **

This was the first time in all of 2023 that the rate of ransomware attacks rose during IR engagements. Education and manufacturing were tied for the most targeted verticals, accounting for nearly 50 percent of the total number of incident response engagements, so those industries should note Talos IR’s findings. 

**So now what? **

The lack of MFA remains one of the biggest impediments to enterprise security and led to many of the attacks Talos IR saw in Q4. All organizations should implement some form of MFA, such as Cisco Duo. 

**Top security headlines of the week **

**One of the largest password dumps ever was posted last week to an online forum, seemingly containing more than 25 million login credentials that had never been leaked before.** In all, the collection includes 71 million unique credentials for a range of websites, including the online video game “Roblox,” Yahoo, Facebook and eBay. Though many of these credentials had already been leaked in the past, the user hosting the file claims they all came through an information-stealing malware that collected the usernames and passwords in plain text. Credentials that are stolen via data breaches often contain encrypted passwords. The operator behind the website Have I Been Pwned? first discovered the trove of data earlier this month, but it’s likely been in circulation in various online forums for at least four months. Each line in the dataset, which consists of images and plain text, includes a login URL, the associated account’s name and a password. (Ars Technica, Bleeping Computer) 

**A new report indicates that each Facebook user could be sharing their personal data with thousands of other companies.** The study, conducted by the non-profit Consumer Report, followed more than 700 volunteers’ Facebook accounts and found that, on average, each participant in the study had their data sent to Facebook by 2,230 companies. Some respondents had their data shared with more than 7,000 different companies, and in all, the study captured more than 180,000 organizations that shared data with Facebook. The study was specifically meant to capture “server-to-server” tracking, in which personal data goes from a company’s servers to Meta’s, the parent company of Facebook, servers. The more “traditional” form of tracking for Meta through pixels on other companies’ websites can easily be spotted in a web browser, while server-to-server cannot. The three companies that appeared the most often connected to participants’ accounts in the study were all data brokers, who presumably turned around and sold that data to additional companies for a profit. Consumer Reports listed multiple recommendations for Facebook to improve its data protection, including improving the transparency of Facebook’s data collection tools, making it easier for users to opt out of data sharing and asking the U.S. government to pass data minimization laws. (Consumer Reports, The Markup) 

**Apple released a series of security updates this week for its devices that fixed three vulnerabilities in the WebKit browser engine** that were already being exploited in the wild. One of the vulnerabilities, CVE-2024-23222, is believed to have been exploited in more recent versions of Apple’s mobile operating system iOS. An attacker could exploit this vulnerability to execute remote code on the targeted device. Two other vulnerabilities, CVE-2023-42916 and CVE-2023-42917, were likely exploited in version of iOS dating back to before 16.7.1. The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2024-23222 to its Known Exploited Vulnerabilities (KEV) list. Apple released patches for all its devices, including the Apple TV streaming box, iPad and macOS desktop computers. (SecurityWeek, Computer Weekly) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #169: What's new with CVSS 4.0, and does it really change anything? 
*   Best Practices for Handling Incident Response During a Merger and Acquisition 
*   Cisco Tech Beat Podcast: Talking Past, Current, and Future Cyber Threats with Nick Biasini 
*   Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024 
*   Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** e340aa9f08ce8128e17a3186053bfaf2dc119d98a64f7bc4d37fb7be03365c93   
**MD5:** 5800fc229e3a5f13b32d575fe91b8512   
**Typical Filename:** client32.exe   
**Claimed Product:** NetSupport Remote Control   
**Detection Name:** W32.Riskware:Variant.27dv.1201 

**SHA 256:** 1fa0222e5ae2b891fa9c2dad1f63a9b26901d825dc6d6b9dcc6258a985f4f9ab   
**MD5:** 4c648967aeac81b18b53a3cb357120f4   
**Typical Filename:** yypnexwqivdpvdeakbmmd.exe   
**Claimed Product:** N/A    
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 581866eb9d50265b80bae4c49b04f033e2019797131e7697ca81ae267d1b4971   
**MD5:** 4c5fdfd4868ac91db8be52a9955649af   
**Typical Filename:** N/A   
**Claimed Product:** N/A   
**Detection Name:** W32.581866EB9D-100.SBX.TG 

**SHA 256:** 4c3c7be970a08dd59e87de24590b938045f14e693a43a83b81ce8531127eb440   
**MD5:** ef6ff172bf3e480f1d633a6c53f7a35e   
**Typical Filename:** iizbpyilb.bat   
**Claimed Product:** N/A    
**Detection Name:** Trojan.Agent.DDOH 

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a   
**MD5:** 200206279107f4a2bb1832e3fcd7d64c   
**Typical Filename:** lsgkozfm.bat   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

Tag

#mac