A Chinese cyber espionage group is using a fake news site to infect government and energy industry targets in Australia, Malaysia and Europe with malware, according to a blog posted online on Tuesday by Proofpoint and PwC Threat Intelligence.

The group is known by several names, including APT40, Leviathan, TA423 and Red Ladon. Four of its members were indicted by the US Department of Justice in 2021 for hacking several companies, universities and governments in the United States and around the world between 2011 and 2018.

The United States Department of Justice indicted APT40 members in 2021 / Image Credit: FBI


The group is using its fake Australian news site to infect visitors with the Scanbox exploit framework. “Scanbox is a reconnaissance and exploitation framework deployed by an attacker to collect a variety of information, such as the target’s public-facing IP address, the type of web browser used, and its configuration,” explained Sherrod DeGrippo, Proofpoint’s vice president for threat research and detection.

“It serves as a setup for the information gathering steps that follow and potential follow-up exploits or compromises, where malware is deployed to gain persistence on the victim’s system and allow the attacker to carry out espionage activities,” she told TechNewsWorld.

“It creates a perception of the victim’s network that the actors then study and determine the best path forward for further compromise,” she said.

“Watering hole” attacks that use Scanbox appeal to hackers because the point of compromise is not within the victim’s organization, added John Bambenek, a principal threat hunter at Netenrich, a San Jose, California-based IT and digital security operations company.

“Therefore, it is difficult to detect that information is being stolen,” he told TechNewsWorld.

Modular Attack

According to the Proofpoint/PwC blog, the TA423 campaign primarily targeted local and federal Australian government agencies, Australian news media companies and global heavy industry manufacturers that maintain a fleet of wind turbines in the South China Sea.

It noted that the phishing emails for the campaign were sent from Gmail and Outlook email addresses, which Proofpoint assesses with “moderate confidence” were created by the attackers.

Subject lines in phishing emails included “sick leave,” “user research,” and “request collaboration.”

Threat actors often pose as employees of the fictional media publication “Australian Morning News,” the blog explained, and provide a URL to their malicious domain, asking targets to view their website or share research material that the website is publishing.

If a target clicks on the URL, they are redirected to the fake news site and, without their knowledge, the Scanbox malware is delivered. To give credibility to their fake website, the adversaries posted content from legitimate news sites such as the BBC and Sky News.
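The lure traits the report describes (a free Gmail or Outlook sender address, a display name claiming to be “Australian Morning News,” one of the listed subject lines, and a link to a domain unrelated to the sender) can be turned into a mail-triage check. The following is an added example written for this article, not code from Proofpoint or PwC; the function name, the two sample messages, the placeholder domains (`.invalid` and `.example` are reserved names) and the free-mail domains beyond Gmail and Outlook are all constructed assumptions for the demo.

```python
# Added example (not from the Proofpoint/PwC report): flag the lure traits the
# article describes in a single RFC 5322 message and return them as indicators.
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Gmail and Outlook are named in the report; the other two are assumed additions.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Subject lines quoted in the report.
LURE_SUBJECTS = {"sick leave", "user research", "request collaboration"}
# Fictional publication the campaign impersonated, per the report.
IMPERSONATED_PUBLICATIONS = {"australian morning news"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def triage_message(raw: str) -> list[str]:
    """Return human-readable indicators found in one plain-text message."""
    msg = email.message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    subject = (msg.get("Subject") or "").strip().lower()
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if isinstance(payload, bytes) else ""
    text = f"{display_name} {body}".lower()

    indicators = []
    if sender_domain in FREEMAIL_DOMAINS:
        indicators.append(f"free-mail sender domain: {sender_domain}")
    if subject in LURE_SUBJECTS:
        indicators.append(f"known lure subject: {subject!r}")
    for publication in IMPERSONATED_PUBLICATIONS:
        # A real newsroom writes from its own domain, not from a free-mail account.
        if publication in text and sender_domain in FREEMAIL_DOMAINS:
            indicators.append(f"claims to be {publication!r} but sends from free-mail")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        # A link whose host is neither the sender's domain nor a subdomain of it.
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            indicators.append(f"link to third-party domain: {host}")
    return indicators


# Constructed sample messages; every address and domain below is a placeholder.
LURE_MESSAGE = """\
From: "Australian Morning News" <editor.amn.desk@gmail.com>
To: analyst@agency.example
Subject: request collaboration

Hello, we are writing a piece on regional energy projects and would value
your input. Our recent articles are at https://www.news-site.invalid/energy
"""

BENIGN_MESSAGE = """\
From: "Payroll" <payroll@agency.example>
To: analyst@agency.example
Subject: Payslip for August

Your payslip is available on the intranet: https://intranet.agency.example/pay
"""

if __name__ == "__main__":
    for label, message in (("lure", LURE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, triage_message(message) or ["no indicators"])
```

None of these indicators is proof on its own (plenty of legitimate mail comes from Gmail), which is why the function returns the full list rather than a verdict; a mail gateway would weigh the combination, and the claimed-publication-plus-free-mail pairing is the strongest single signal here.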

Scanbox can distribute its code in one of two ways: in a single block, which gives an attacker instant access to the full functionality of the malware, or as a plug-in, modular architecture. The TA423 crew chose the plug-in method.

According to PwC, the modular route can help avoid accidents and errors that would alert a target that their system is under attack. It is also a way to reduce the visibility of the attack to researchers.

Phishing Boom

As such campaigns show, phishing remains the tip of the spear used to break into many organizations and steal their data. “Phishing sites will see an unexpected increase in 2022,” said Monia Deng, director of product marketing at Bolster, a provider of automated digital risk protection in Los Altos, Calif.

“Research has shown that this problem will increase tenfold in 2022 because this method is easy, effective and a perfect storm to deploy in the post-work digital age,” she told TechNewsWorld.

DeGrippo said phishing campaigns continue to work as threat actors adapt. “They use current affairs and holistic social engineering techniques, at times hunting down target fear and a sense of urgency or importance,” she said.

A recent trend among threat actors, she continued, is attempting to increase the effectiveness of their campaigns by building trust with intended victims through extended interactions with individuals or through existing interactions between coworkers.

Roger Grimes, a defense evangelist with KnowBe4, a security awareness training provider in Clearwater, Fla., stressed that social-engineering attacks are particularly resistant to technical security.

“Try as much as you can, there is no great technical defense so far that prevents all social engineering attacks,” he told TechNewsWorld. “This is especially difficult because social engineering attacks can come across email, phone, text messages and social media.”

Even though social engineering is involved in 70% to 90% of all successful malicious cyber attacks, it is the rare organization that spends more than 5% of its resources to mitigate it, he continued.

“It’s the number one problem, and we treat it like a small part of the problem,” he said. “It’s the fundamental disconnect that allows attackers and malware to be so successful. Until we see this as the number one problem, it will continue to be the primary way attackers attack us. It’s just math.”

Two Things to Remember

While TA423 used email in its phishing campaign, Grimes notes that adversaries are moving away from that approach.

“Attackers are using other methods, such as social media, SMS text messages, and voice calls to do their social engineering more often,” he explained. “This is because many organizations focus almost exclusively on email-based social engineering and the training and tools to combat social engineering on other types of media channels are not at the same level of sophistication in most organizations.”

“That’s why it’s important that every organization builds an individual and organizational culture of healthy skepticism,” he added, “where everyone is taught how to recognize the signs of a social engineering attack, no matter how it arrives – web, social media, SMS messages or phone calls – and no matter who it appears to be sent by.”

He explained that most social engineering attacks have two things in common. First, they arrive unexpectedly; the user was not expecting them. Second, they ask the user to do something that the sender – whoever they are pretending to be – has never asked the user to do before.

“This may be a valid request,” he continued, “but all users should be taught that any message with those two traits is at very high risk of being a social engineering attack, and should be verified using a reliable method, such as calling that person directly on a known good phone number.”

“If more organizations taught two things to remember,” he said, “the online world would be a much safer place to compute.”

Navigating the Internet can be a troublesome journey. Bad actors constantly hide behind emails, websites and social media invitations with the intention of exploiting uninformed users. Even your Wi-Fi router and the now-ubiquitous QR code are danger points. Add to that the never-ending virus and malware threats.

Computer and mobile device users are often unaware of the danger zone. However, using the Internet does not have to be a continuous journey through the Badlands. To stay safe online, it’s important to know what to avoid and how to protect yourself.

Here are five things you have under your control to help keep your digital activity safe.

1. QR Codes, Easy But Potentially Harmful

A secure QR code for TechNewsWorld.com

These postage-sized image links can be convenient for websites. Simply point your smartphone’s camera at it and instantly visit a website, tech support location, discount offer on purchases, or restaurant menu.

However, QR codes can also take you to a nefarious place where malware or worse is waiting. A QR code can be programmed to link to anything, putting your privacy and security at great risk.

Think before scanning a QR code. If the code is displayed on a website or printed document that you trust, it is probably safe. If not, or if you’re unsure, check it out first.

You can download reputable QR reader apps that perform security checks on the QR code’s destination. One such security tool I use is the Trend Micro QR Scanner app, which is available for Android and iOS.

2. Avoid ‘Unsubscribe’ Email Scams

This is a popular ongoing scam that has a high success rate for hackers. Potential victims receive an email with a product offer or other business invitation. The opt-out option is enticing, looks familiar, and feels appropriate. “Don’t want to receive our emails? Click here to unsubscribe,” it prompts.

Sometimes you receive annoying, repetitive emails asking whether you want to unsubscribe from future emails. Some even provide a link for you to unsubscribe.

Do not select either option. Clicking the link or replying confirms that your address is active.

Never enter your email address in the “Unsubscribe me” field. More senders will follow.

A better way to remove unwanted email, especially from an unknown sender, is to mark it as spam. This moves it to the spam folder. You can add that sender to your email program’s block list, or set a filter to automatically remove it before it reaches your inbox.

Finally, check out the free service Unroll.me. There you can unsubscribe from unwanted emails, keep others, or receive the rest in the Daily Digest.

3. Lock Out Facebook Hackers

Other villains try to take over Facebook accounts. Hackers can change your password, email address and phone number, and even add a security code to lock you out of a hijacked account. Before trouble strikes, be proactive to prevent these situations. Facebook provides the following security settings that you should enable.

Enable two-factor authentication (2FA) to require your login approval on a different device.

To do so, log in to your Facebook account on a desktop computer and navigate to Settings & Privacy. Next, select Security and Login. Then scroll down and edit the Two-Factor Authentication option.

Facebook Two-Factor Authentication Settings

You will need to enter your Facebook password to complete this step.


Activate these two additional features to block Facebook hackers:

  • Enable the code generator feature in the Facebook mobile app
  • Set up login alerts in your email

First, open the Facebook mobile app and tap the magnifying glass, enter the words “code generator” and tap the search icon. Tap the Code Generator result to navigate to the next screen, then tap the “Turn on Code Generator” button to receive a 6-digit code that changes every 30 seconds. You will need to enter this code within that short window to log in to your account on another device.

Next, set an alert about unfamiliar logins. You can do this from a computer or mobile device.

  • Computer: Go to Settings & Privacy > Settings > Security & Login > Receive alerts about unrecognized logins (see screenshot above).
  • Mobile app: Tap Menu > Settings & Privacy gear icon > Settings. Then tap Password & Security. Next, scroll down to Set up additional security > Receive alerts about unfamiliar logins, and tap to select your preferred notification methods.

If you’re having trouble logging in, visit facebook.com/login/identify to have the problem fixed. If you are unable to log in there, go to this Facebook help page instead and fill out the request form for Facebook to review your account. You will need to answer a few security questions to prove your identity. This may include providing proof of ID, like a picture of a driver’s license.

4. Secure Your Wi-Fi Router

The influx of people working remotely since Covid has put home Wi-Fi routers among the target sites of hackers. As a result, malware attacks on home Wi-Fi networks are on the rise because residential setups often lack the level of security and protection found on enterprise networks.

One nasty attack tool, called ZuoRAT, is a remote access Trojan designed to hack into small office/home office routers. It can affect macOS, Windows, and Linux computers.

With it, hackers can collect your data and hijack any site you visit on your network. One of the worst aspects of ZuoRAT is that once your router is infected, it can infect other routers to spread the hackers’ reach.

Follow these steps to better secure your home/office Wi-Fi network:

  • Be sure to enable WPA2 or WPA3 encryption on your router. The default factory setting is often the old WEP (Wired Equivalent Privacy) security protocol, or is set to none. See the user manual or the router manufacturer’s website for instructions.
  • Change your router’s SSID (Service Set Identifier) ​​and password. It is critical. Typically, the factory setting shows the make or model of the router and has a universal password such as 0000 or 1234. Change the name of the SSID to not identify you easily. Avoid names that include all or part of your name or address. Make sure the password is very strong.
  • For added security, change the router’s password regularly. Yes, this is a major inconvenience as you will also have to update the password on all your devices that use that Wi-Fi network. But considering that it will keep hackers away, it is well worth the trouble.
  • Keep the router’s firmware up to date. Refer to the user manual and/or the manufacturer’s website for steps on how to download the latest update.

General Question
How do I create a password that is hard to hack?

The strongest passwords have all these characteristics:

  • Long – the more characters, the better
  • Mix of upper-case and lower-case letters, numbers, and special characters
  • No dictionary words or anything related to personal information

Pro Tip: When using a password generator, always replace at least a few characters from the random result to create your final credential.
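The three traits above can be checked mechanically, and the same character classes drive a generator. The block below is an added example written for this article, not code from any password manager: `password_problems` reports which traits a candidate misses against a constructed word list and a caller-supplied tuple of personal details, `estimated_entropy_bits` gives a rough size-of-search-space figure, and `generate_password` draws from the operating system’s CSPRNG via `secrets`. The 14-character minimum, the word list and the function names are assumptions for the demo.

```python
# Added example (not from the article): check a password against the three
# traits listed above and generate one that satisfies them.
import math
import secrets
import string

# Constructed list standing in for a dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "admin", "letmein", "qwerty", "summer", "football"}

CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def password_problems(password: str, personal_info: tuple = (), min_length: int = 14) -> list:
    """Return the ways `password` falls short: too short, missing character
    classes, contains a common word, or contains a piece of personal info.
    An empty list means all three traits are satisfied. min_length is assumed."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = [name for name, chars in CHARACTER_CLASSES.items()
               if not any(c in chars for c in password)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains common word {word!r}")
    for item in personal_info:
        item = item.lower()
        # Ignore very short fragments; a name or street of 3+ chars is a real leak.
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal information {item!r}")
    return problems


def estimated_entropy_bits(password: str) -> float:
    """Upper bound on guessing work: length * log2(size of the classes actually used).
    Real passwords are guessed by pattern, so treat this as optimistic."""
    pool = sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def generate_password(length: int = 20) -> str:
    """Draw from all four classes with the OS CSPRNG and reject candidates that
    happen to miss a class or spell a common word."""
    alphabet = "".join(CHARACTER_CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    # Constructed personal details a real checker would take from the account profile.
    personal = ("Jordan", "Elm Street")
    for pw in ("Summer2023!", "Jordan-Elm-Street-2023", generate_password()):
        print(f"{pw!r}: {estimated_entropy_bits(pw):.1f} bits, problems: {password_problems(pw, personal)}")
```

The generator only ever rejects and redraws; it never edits a candidate by hand, because each character it emits is already uniformly random and the reject loop keeps that property while still guaranteeing all four classes appear.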

5. Beware of the phony tech support plans

Some fraudsters call you on the phone claiming to be from a tech support department at a well-known computer or software company. The caller claims to have detected a virus on your device, or to be calling in response to a malware alert from your computer. The scammer offers to fix it if you just provide your credit card number.

Hang up. Your computer is not infected.

A variant of this tech support scam is a text or email making the same claims. Do not respond. Just delete the message and move on.

You may also be browsing the web when a pop-up message lands on your screen. I have received ones with loud audio alerts warning me that my computer is in danger and should not be turned off without responding for help.

In all these cases, scammers want to scare you into following their instructions. The action they ask you to take to fix the alleged problem will drain your bank account and possibly let them deliver an actual infection.

Follow these best practices to protect yourself from tech support fraud:

  • Never allow a scammer to trick you into visiting a website or clicking on a link.
  • Never agree to a remote connection from a so-called technical support agent who initiated contact with you.
  • Never provide payment information for technical support you did not initiate. Legitimate tech companies will not call you and ask for payment to fix a problem detected on your device.

If you suspect that your computer has a virus or malware problem, contact a repair center yourself. You probably already have a support plan or active warranty from where you bought the computer. If you did not contact a technical support company, the call or message you received is illegitimate.