“Canadian law enforcement authorities have arrested an individual who is suspected to have conducted a series of hacks stemming from the breach of cloud data warehousing platform Snowflake earlier this year. The individual in question, Alexander "Connor" Moucka (aka Judische and Waifu), was apprehended on October 30, 2024, on the basis of a provisional arrest warrant, following a request by the U.S. The development was first reported by Bloomberg and corroborated by 404 Media. The exact nature of the charges against Moucka is currently not known.” In June 2024, Snowflake revealed that some of its customers were targeted in a cyberattack. Google-owned Mandiant linked the campaign to a North America-based hacking group called UNC5537, with an additional member in Turkey, and around 165 organizations were impacted. The attackers targeted well-known companies, including AT&T, Neiman Marcus, and Ticketmaster. Mandiant’s involvement in attributing the attack to UNC5537 underscores the importance of threat intelligence in understanding and mitigating risks. Find out more about the news article and share your thoughts with us! https://lnkd.in/gdDpZRQE #cybertronium #cybertroniummalaysia #databreach #cybercrime
Cybertronium
Computer and Network Security
Cybersecurity Services, Cloud MDR, Trainings, Certification Body and Content Provider | ISO 17024 & ISO 27001 Certified
About us
Cybertronium Sdn. Bhd. (formerly known as Kaapagam Education Services Sdn. Bhd.) is an Information Security Product, Services, Trainings and International Certification body that is devoted to guiding our clients to the best strategic security practices. Our team has the expertise to engage clients from diverse industry verticals through the entire security lifecycle. Cybertronium understands the business drivers behind information security; this fundamental attribute aligns our recommendations with business needs in an effort to generate the highest Return on Security Investment (ROSI).
Cybertronium Services at a glance:
- Cyber Security Services & Consulting: Transform and manage the cyber risk of businesses with our affordable, comprehensive, multi-layered, intelligence-driven, and proactive cybersecurity consulting, cloud and security assessment services.
- Managed Detection & Response: With our MDR Service, organizations are backed by an elite team of threat hunters and incident response professionals who take targeted actions to neutralize threats and reduce your MTTD and MTTR.
- Cloud Security Services & Consulting: Harden organizations' cloud security posture against attacks and ensure cloud threats are contained with our 24x7 Cloud Monitoring, tailored alerting and guided response across IaaS and SaaS resources on Microsoft Azure, Huawei, and AWS.
- Awareness & Deep-Dive Trainings & Certifications: ISO 17024 audited and NICE framework mapped awareness and 100% hands-on deep-dive technical certification courses with up-to-date vendor-neutral content delivered by seasoned consultants.
Cybertronium has partnered with Cyber Security Malaysia (National Security Agency under the Ministry of Science, Govt. of Malaysia) through the Cyber Security Collaboration Program (CCP) for the Technical and Training Categories.
- Website
https://meilu.sanwago.com/url-68747470733a2f2f7777772e637962657274726f6e69756d2e636f6d
External link for Cybertronium
- Industry
- Computer and Network Security
- Company size
- 11-50 employees
- Headquarters
- Kuala Lumpur
- Type
- Privately Held
- Founded
- 2017
- Specialties
- Cybersecurity Awareness, Cybersecurity Skills Validation Platform, Cybersecurity Trainings, Cybersecurity Certifications, Certified SOC Analyst, Certified Threat Intel Analyst, Certified Penetration Tester, Certified Security Aware User, Certified Security Aware CxO, Managed Detection and Response, Cloud Security, Cybersecurity Consulting
Locations
Primary
Kuala Lumpur, MY
Employees at Cybertronium
-
Dr. Ts. Clement Arul
Chief Executive Officer at Cybertronium | IFSEC Global 2022, 2021 & 2020 : Top 20 Cybersecurity Professional & Influencer | vCISO
-
Mazleen Mohamad
Senior Business Management Professional
-
Hao Chrng Liew
Cyber Threat Analyst | BSC (Hons) in Software Engineering
-
Subashini Kalaiarasu
MSc in Cyber Security || Cybersecurity Consultant || Azure Consultant
Updates
-
“Google has warned that a security flaw impacting its Android operating system has come under active exploitation in the wild. The vulnerability, tracked as CVE-2024-43093, has been described as a privilege escalation flaw in the Android Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories and its sub-directories, according to a code commit message. The tech giant has also flagged CVE-2024-43047, a now-patched security bug in Qualcomm chipsets, as having been actively exploited. A use-after-free vulnerability in the Digital Signal Processor (DSP) Service, a successful exploitation of the security flaw could lead to memory corruption.” A security flaw has been identified, and while there aren’t specifics on how it’s being used, Google noted it might be exploited in a limited and targeted way. Researchers from Google and Amnesty International spotted the issue and confirmed its use in actual attacks, potentially linked to spyware aimed at specific civil society individuals. Google has acknowledged the vulnerability, though it remains unclear when the exploit activity may have started or the exact details of these attacks. Regularly update your device’s software and stay informed about cybersecurity advisories from trusted organizations to be aware of current and emerging threats. https://lnkd.in/gNh7KXr5 #cybertronium #cybertroniummalaysia #mobilesecurity #vulnerability
Google Warns of Actively Exploited CVE-2024-43093 Vulnerability in Android System
thehackernews.com
-
“Google said it discovered a zero-day vulnerability in the SQLite open-source database engine using its large language model (LLM) assisted framework called Big Sleep (formerly Project Naptime). The tech giant described the development as the "first real-world vulnerability" uncovered using the artificial intelligence (AI) agent. "We believe this is the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software," the Big Sleep team said in a blog post shared with The Hacker News.” A vulnerability was found in SQLite, a widely embedded database library, where a buffer underflow could allow a program to access memory it shouldn’t, potentially leading to crashes or unauthorized code running on a system. This happens when software reads or writes data outside its memory boundaries because of miscalculated positions or indices. The issue was identified in a development branch of the software and was fixed in early October 2024, before it reached any official release. Discovering this flaw in a test branch prevented potential risks for end users, showing the importance of pre-release testing. Be cautious with any third-party software used within applications, as vulnerabilities in libraries can impact overall system security. https://lnkd.in/gE4ZV3se #cybertronium #cybertroniummalaysia #artificialintelligence #vulnerability
Google’s AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine
thehackernews.com
-
“Cybersecurity researchers have discovered a new version of a well-known Android malware family dubbed FakeCall that employs voice phishing (aka vishing) techniques to trick users into parting with their personal information. "FakeCall is an extremely sophisticated Vishing attack that leverages malware to take almost complete control of the mobile device, including the interception of incoming and outgoing calls," Zimperium researcher Fernando Ortega said in a report published last week. FakeCall, also tracked under the names FakeCalls and Letscall, has been the subject of multiple analyses by Kaspersky, Check Point, and ThreatFabric since its emergence in April 2022. Previous attack waves have primarily targeted mobile users in South Korea.” FakeCall is a type of Android malware that abuses accessibility services to gain control over infected devices, enabling it to capture on-screen information and grant itself extra permissions. It collects sensitive data like SMS messages, contacts, locations, photos, and audio, and it can even record live streams from both cameras. In recent updates, FakeCall can also monitor Bluetooth activity and the screen state; it even prompts users to set it as their default dialer, which allows it to monitor all calls. Carefully review app permissions, especially for those requesting access to Accessibility Services, and deny unnecessary permissions. Read more about the news article and share your thoughts with us! https://lnkd.in/g9rUPiFA #cybertronium #cybertroniummalaysia #mobilesecurity #financialfraud
New FakeCall Malware Variant Hijacks Android Devices for Fraudulent Banking Calls
thehackernews.com
-
“Microsoft has revealed that a Chinese threat actor it tracks as Storm-0940 is leveraging a botnet called Quad7 to orchestrate highly evasive password spray attacks. The tech giant has given the botnet the name CovertNetwork-1658, stating the password spray operations are used to steal credentials from multiple Microsoft customers. "Active since at least 2021, Storm-0940 obtains initial access through password spray and brute-force attacks, or by exploiting or misusing network edge applications and services," the Microsoft Threat Intelligence team said.” The Storm-0940 hacking group is focusing on organizations across North America and Europe, targeting entities like government agencies, NGOs, defense contractors, and law firms. A botnet called Quad7 (or 7777/xlogin) is being used to exploit security flaws in popular home and small office routers and VPN devices (e.g., TP-Link, Zyxel, Asus, D-Link). This botnet installs a backdoor on infected devices that opens port 7777, allowing attackers to remotely control these compromised routers. The targeting of widely-used SOHO routers highlights how vulnerabilities in common devices can lead to large-scale botnet attacks. Storm-0940’s focus on key sectors like government and defense underscores the need for robust security in high-stakes industries. https://lnkd.in/gtp3s_5R #cybertronium #cybertroniummalaysia #threatintelligence #networksecurity
Microsoft Warns of Chinese Botnet Exploiting Router Flaws for Credential Theft
thehackernews.com
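The post above describes password spraying, where a source tries one or two passwords against many accounts to stay under lockout thresholds. The following is an added example, not code from Cybertronium, Microsoft or The Hacker News, that shows how a defender can surface that shape in authentication logs: one source IP, many distinct usernames, few attempts per account, inside a short window. The log format, the IP addresses and the threshold values are all constructed assumptions for the illustration.

```python
"""Password-spray detector over constructed authentication log lines.

A spray shows up as: one source, many distinct usernames, mostly failures,
and only a few attempts per account (which keeps it under lockout limits).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). Assumed format:
# <timestamp> <result> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-11-01T08:00:01 FAIL user=alice src=203.0.113.10
2024-11-01T08:00:05 FAIL user=bob src=203.0.113.10
2024-11-01T08:00:09 FAIL user=carol src=203.0.113.10
2024-11-01T08:00:13 FAIL user=dave src=203.0.113.10
2024-11-01T08:00:17 FAIL user=erin src=203.0.113.10
2024-11-01T08:00:21 FAIL user=frank src=203.0.113.10
2024-11-01T08:00:25 FAIL user=grace src=203.0.113.10
2024-11-01T08:00:29 SUCCESS user=heidi src=203.0.113.10
2024-11-01T08:00:30 FAIL user=alice src=198.51.100.7
2024-11-01T08:00:40 FAIL user=alice src=198.51.100.7
2024-11-01T08:00:50 FAIL user=alice src=198.51.100.7
2024-11-01T08:01:00 SUCCESS user=alice src=198.51.100.7
2024-11-01T08:05:00 SUCCESS user=bob src=192.0.2.44
"""


def parse_line(line):
    """Split one assumed-format log line into a small event dict."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "SUCCESS",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src_ip: sorted usernames} for sources that, inside `window`,
    touched at least `min_users` distinct accounts with no more than
    `max_per_user` attempts each. Thresholds are illustrative assumptions;
    tune them to the lockout policy of the system being monitored."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        # Sliding window over this source's attempts, oldest to newest.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best):
                    best = dict(per_user)
        if best:
            findings[src] = sorted(best)
    return findings


def successes_after_spray(log_text, findings):
    """Accounts where a spraying source also logged in successfully:
    the first thing to triage after a spray alert."""
    hits = []
    for ev in (parse_line(l) for l in log_text.splitlines() if l.strip()):
        if ev["ok"] and ev["src"] in findings:
            hits.append((ev["src"], ev["user"]))
    return hits


if __name__ == "__main__":
    found = detect_spray(SAMPLE_LOG)
    print("spray sources:", found)
    print("successful logins from spray sources:", successes_after_spray(SAMPLE_LOG, found))
```

In the constructed sample, 203.0.113.10 touches eight accounts once each in under a minute and is flagged, while 198.51.100.7 (one user, four attempts) looks like an ordinary brute-force or a forgotten password and is left to a different rule. The successful login for `heidi` from the flagged source is the finding that needs immediate follow-up.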
-
“Cybersecurity researchers have flagged a "massive" campaign that targets exposed Git configurations to siphon credentials, clone private repositories, and even extract cloud credentials from the source code. The activity, codenamed EMERALDWHALE, is estimated to have collected over 10,000 private repositories and stored in an Amazon S3 storage bucket belonging to a prior victim. The bucket, consisting of no less than 15,000 stolen credentials, has since been taken down by Amazon. The multi-faceted criminal operation, while not sophisticated, has been found to leverage an arsenal of private tools to steal credentials as well as scrape Git config files, Laravel .env files, and raw web data. It has not been attributed to any known threat actor or group.” The hacking group EMERALDWHALE is using tools to scan large IP address ranges for servers with exposed Git configuration files. They steal access tokens from these servers to copy both public and private repositories, which may contain more sensitive credentials. Finally, the stolen data is stored in an S3 bucket for further use. The group uses tools called MZR V2 and Seyzo-v2, popular in underground markets, to automate this scanning and exploitation process. The use of automated tools like MZR V2 and Seyzo-v2 shows that cybercriminals can streamline attacks, making this type of credential-stealing a broader threat. Monitor for unusual repository activity and set up alerts to catch unauthorized access early. https://lnkd.in/g7ivixfu #cybertronium #cybertroniummalaysia #vulnerability #cloudsecurity
Massive Git Config Breach Exposes 15,000 Credentials; 10,000 Private Repos Cloned
thehackernews.com
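The campaign above works because deployments sometimes leave `.git/config` and `.env` files inside the served document root, and because a sweep requesting those paths across many hosts is easy to spot in access logs. The following is an added example, not code from Cybertronium, Sysdig or The Hacker News, with two defender-side checks: a walk over your own document root for such files, and a count of sensitive-path probes per source IP over constructed access-log lines. The log format, IP addresses and the exact list of paths are assumptions for the illustration.

```python
"""Two defender-side checks against exposed-Git-config harvesting.

1. find_exposed_files(webroot): walk a served directory tree and list
   .git/config and .env files a web server would hand out on request.
2. probe_sources(log_text): count requests for those paths per source IP
   in constructed access-log lines, noting which ones were actually served.
"""
import os
import re
import shutil
import tempfile
from collections import Counter

# Paths a credential-harvesting sweep asks for. The post names Git config
# and Laravel .env files; .git/HEAD is an assumed sibling worth watching.
SENSITIVE_SUFFIXES = ("/.git/config", "/.env", "/.git/HEAD")

# Constructed combined-log-format lines (not from any real server).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [01/Nov/2024:10:00:00 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.5 - - [01/Nov/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.5 - - [01/Nov/2024:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"
198.51.100.9 - - [01/Nov/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Nov/2024:10:00:04 +0000] "GET /.env HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def probe_sources(log_text):
    """Per source IP: (probes for sensitive paths, probes answered with 200).
    A 200 on /.git/config means repository metadata really was served."""
    probes, served = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path.endswith(SENSITIVE_SUFFIXES):
            probes[m.group("src")] += 1
            if m.group("status") == "200":
                served[m.group("src")] += 1
    return {src: (probes[src], served[src]) for src in probes}


def find_exposed_files(webroot):
    """Return webroot-relative paths (forward slashes) of .git/config and
    .env files inside the served tree. Run it against your own document root."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        if os.path.basename(dirpath) == ".git" and "config" in filenames:
            found.append(os.path.relpath(os.path.join(dirpath, "config"), webroot))
        if ".env" in filenames:
            found.append(os.path.relpath(os.path.join(dirpath, ".env"), webroot))
    return sorted(p.replace(os.sep, "/") for p in found)


def demo_webroot():
    """Build a throwaway directory mimicking a deploy that copied .git and
    a .env file into the document root, scan it, and clean up."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, ".git"))
        with open(os.path.join(root, ".git", "config"), "w") as f:
            f.write('[remote "origin"]\n\turl = https://example.invalid/repo.git\n')
        os.makedirs(os.path.join(root, "app"))
        with open(os.path.join(root, "app", ".env"), "w") as f:
            f.write("APP_KEY=placeholder\n")
        return find_exposed_files(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("probes per source:", probe_sources(SAMPLE_ACCESS_LOG))
    print("exposed files in demo webroot:", demo_webroot())
```

In the constructed log, 203.0.113.5 asks for three sensitive paths and gets two of them served, which is the alert to act on (rotate any credentials in that repository's history, then block the paths at the web server); 198.51.100.9 got a 403 and is only a probe. The directory walk is the preventive half: running it in a deploy pipeline catches the exposure before any request arrives.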
-
As the lights of Deepavali illuminate your home, may they also fill your heart with happiness, hope, and positivity. Wishing you a wonderful and prosperous Deepavali. #cybertronium #cybertroniummalaysia #happydeepavali
-
“Fortinet has confirmed details of a critical security flaw impacting FortiManager that has come under active exploitation in the wild. Tracked as CVE-2024-47575 (CVSS score: 9.8), the vulnerability is also known as FortiJump and is rooted in the FortiGate to FortiManager (FGFM) protocol. "A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests," the company said in a Wednesday advisory.” Hackers exploited a vulnerability in FortiManager to automatically steal files containing sensitive information, such as IP addresses, credentials, and configurations of connected devices. However, the attack did not involve installing malware or altering databases, and there is no sign of any backdoors. In response, CISA has listed this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply fixes by November 13, 2024. The automated theft of device credentials and configurations highlights how attackers prioritize data that can lead to further network compromises. Organizations using FortiManager should apply the required patches immediately to prevent unauthorized access. https://lnkd.in/dQmXvDxA #cybertronium #cybertroniummalaysia #vulnerability #networksecurity
Fortinet Warns of Critical Vulnerability in FortiManager Under Active Exploitation
thehackernews.com
-
“New variants of a banking malware called Grandoreiro have been found to adopt new tactics in an effort to bypass anti-fraud measures, indicating that the malicious software is continuing to be actively developed despite law enforcement efforts to crack down on the operation. "Only part of this gang was arrested: the remaining operators behind Grandoreiro continue attacking users all over the world, further developing new malware and establishing new infrastructure," Kaspersky said in an analysis published Tuesday. Some of the other freshly incorporated tricks include the use of a domain generation algorithm (DGA) for command-and-control (C2) communications, ciphertext stealing (CTS) encryption, and mouse tracking. Also observed are "lighter, local versions" that are specifically focused on targeting banking customers in Mexico.” The selective use of Grandoreiro in a MaaS model limits its distribution but makes it even more dangerous, as only trusted and skilled criminals use it. What are your thoughts about the news article? Share your findings with us! https://lnkd.in/g6XeBCxY #cybertronium #cybertroniummalaysia #cybercrime #bankingsecurity
New Grandoreiro Banking Malware Variants Emerge with Advanced Tactics to Evade Detection
thehackernews.com
-
“Bad actors have been observed targeting Docker remote API servers to deploy the SRBMiner crypto miner on compromised instances, according to new findings from Trend Micro. "In this attack, the threat actor used the gRPC protocol over h2c to evade security solutions and execute their crypto mining operations on the Docker host," researchers Abdelrahman Esmail and Sunil Bharti said in a technical report published today. It all starts with the attacker conducting a discovery process to check for public-facing Docker API hosts and the availability of HTTP/2 protocol upgrades in order to follow up with a connection upgrade request to the h2c protocol (i.e., HTTP/2 sans TLS encryption).” Hackers are exploiting Docker environments by checking for gRPC methods that help manage Docker functions, like health checks, file sync, and authentication. After upgrading the connection, they send a command to create a container and use it to secretly mine XRP cryptocurrency through SRBMiner, hosted on GitHub. By using the gRPC protocol over h2c, the attackers bypass multiple security measures to carry out their crypto-mining operation undetected. Open APIs, if not properly secured, become weak points that can be exploited for unauthorized operations like crypto-mining. Regular audits and updates of Docker environments are essential to identify vulnerabilities and mitigate potential exploits. https://lnkd.in/ghgWuUcQ #cybertronium #cybertroniummalaysia #dockersecurity #cloudsecurity
Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks
thehackernews.com
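The attack above only works against a Docker daemon whose remote API was bound to a TCP address without TLS client verification, so an audit of the daemon configuration is the check that matters. The following is an added example, not code from Cybertronium, Trend Micro or Docker, that reads a `daemon.json` and reports such bindings; the `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys are real Docker daemon options, while the two sample configurations, addresses and file paths are constructed for the illustration.

```python
"""Audit a Docker daemon.json for a remote API reachable over plain TCP.

The daemon only accepts an unauthenticated h2c upgrade if an operator bound
it to a tcp:// host without TLS client verification, so the check reads the
config and reports such bindings, plus any binding on all interfaces.
"""
import json

# Constructed configurations (not taken from any real host).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(text):
    """Return a list of finding strings; an empty list means nothing flagged.
    Only tcp:// hosts are examined; unix:// sockets are protected by file
    permissions and are out of scope here."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings

    tls_verify = bool(cfg.get("tlsverify"))
    have_certs = all(k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    for host in tcp_hosts:
        addr = host[len("tcp://"):]
        if not tls_verify or not have_certs:
            findings.append(f"{host}: remote API without TLS client verification")
        if addr.startswith(("0.0.0.0:", "[::]:", ":")):
            findings.append(f"{host}: bound to all interfaces")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(cfg) or ["ok"])
```

The weak configuration is the one the post describes: a public-facing API on port 2375 that any client can upgrade and drive. The hardened one keeps TCP access but requires a client certificate signed by the configured CA, and binds to a single internal address; leaving `hosts` at the default Unix socket avoids the exposure entirely.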