Tag Archive for: mysterious

A Mysterious Leak Exposed Chinese Hacking Secrets


While the documents have now been removed from GitHub, where they were first posted, the identity and motivations of the person, or people, who leaked them remain a mystery. However, Chang says the documents appear to be real, a fact confirmed by two employees working for i-Soon, according to the Associated Press, which reported that the company and police in China are investigating the leak.

“There are around eight categories of the leaked files. We can see how i-Soon engaged with China’s national security authorities, the details of i-Soon’s products and financial problems,” Chang says. “More importantly, we spotted documents detailing how i-Soon supported the development of the notorious remote access Trojan (RAT), ShadowPad,” Chang adds. The ShadowPad malware has been used by Chinese hacking groups since at least 2017.

Since the files were first published, security researchers have been poring over their contents and analyzing the documentation. Included were references to software to run disinformation campaigns on X, details of efforts to access communications data across Asia, and targets within governments in the United Kingdom, India, and elsewhere, according to reports by the New York Times and The Washington Post. The documents also reveal how i-Soon worked for China’s Ministry of State Security and the People’s Liberation Army.

According to researchers at SentinelOne, the files also include pictures of “custom hardware snooping devices,” such as a power bank that could help steal data, and the company’s marketing materials. “In a bid to get work in Xinjiang–where China subjects millions of Uyghurs to what the UN Human Rights Council has called genocide–the company bragged about past counterterrorism work,” the researchers write. “The company listed other terrorism-related targets the company had hacked previously as evidence of their ability to perform these tasks, including targeting counterterrorism centers in Pakistan and Afghanistan.”

The Federal Trade Commission has fined antivirus firm Avast $16.5 for collecting and selling people’s web browsing data through its browser extensions and security software. This included the details…


8Base ransomware gang activity explodes, but they remain mysterious


The 8Base ransomware group has been detected since March 2022, but has suddenly become much more active in the past month than before. The hacker collective uses known cybercrime methods, but is suddenly operating at lightning speed with victims in many industries. VMware warns in a blog of the danger the group presents.

8Base describes itself as a group of “simple pen-testers”, short for “penetration testers.” This can in principle be a legitimate service. With this group it is patently not, since it demands a ransom after hacking its supposed ‘customers’. Like other cybercriminals, 8Base maintains a “leak site,” where victims’ data is published if they are unwilling to pay a ransom.

Interestingly, security experts have not yet figured out the malicious actors’ exact methodology, motivation and identity. What is clear, however, is that the group operates quickly and efficiently.

What VMware discovered

VMware’s analysis shows that 8Base’s communication style is strikingly similar to that of RansomHouse, another criminal organization. That group came into the crosshairs of cyber experts earlier this year, when it was revealed to have carried out a giant hack on AMD in which 450GB of financial and research data was taken. However, it is not entirely clear whether this collective can be called a proper ransomware gang, as VMware describes it as buying stolen data and extorting companies on that basis.

The statistics regarding 8Base activity are pretty clear: in June, the ransomware gang went from having the fewest detections in more than a year to the most by far.

Source: VMware

The targets vary widely, from business-oriented service providers to financial services, manufacturing, IT and healthcare. For that reason, VMware characterizes the choice of victims as “opportunistic.”

Unlike more brutal organizations such as RagnarLocker, 8Base tries to maintain a tinge of authenticity. Under the guise of the aforementioned “pen tester” excuse, it claims to serve affected companies. On top of that, it has a full-fledged FAQ and Terms of Service, and offers assurances about what happens after payment.

Unclear…


Nearly 40,000 Macs infected by mysterious malware, researchers say


The malware, dubbed Silver Sparrow, has not yet engaged in malicious activity.

Mysterious malware — that has not yet engaged in malicious activity — has infected nearly 40,000 Mac devices, according to the cybersecurity firm Red Canary, which first detected the threat.

The malware, dubbed by Red Canary as “Silver Sparrow,” is baffling researchers because of its elusive motives.

“Most malware has an ultimate goal,” Brian Donohue, an intelligence analyst at Red Canary, told ABC News via email. “It might be to steal sensitive information, cause damage to devices or servers, or block access to data. In this case, we don’t actually know what that ultimate goal is, because we haven’t observed Silver Sparrow engaging in malicious activity.”

Donohue noted, however, that most malware operations consist of multiple supporting functions that occur prior to the execution of malicious activity, such as gaining initial access or moving between devices on a network.

“In the case of Silver Sparrow, while we haven’t observed the final payload, we have seen other parts of the malware operation,” he added. “For example, we’ve observed it using built-in functions of macOS to install itself on victim machines and to maintain persistence across reboots.”

Donohue said a member of Red Canary’s cyber incident response team first detected the malware — which includes code that runs on Apple’s new M1 chip — based on suspicious behavior from a customer’s device. They have not identified its origins.

“As of today, we can confirm that the threat has infected nearly 40,000 macOS devices,” he told ABC News, citing published data from antivirus firm Malwarebytes, though he said this is likely an “underestimation of the total scope of the threat.”

He added that the malware has been dubbed mysterious for two reasons. The first is that it lacks an ultimate payload, so researchers cannot determine the purpose of the threat.

“The second relates to a file that, if present on an infected machine, causes Silver Sparrow to uninstall itself,” Donohue said. “We do not know why this file is present on certain systems or why its…


Mysterious malware discovered on 30,000 new Macs – and researchers have no idea what it was designed to do


Security researchers have discovered a piece of malware called Silver Sparrow on 30,000 Mac computers, including those with Apple’s latest M1 chips.

Spread across 153 countries, the malware is designed to deliver a payload that the researchers have not yet discovered.

It also has a mechanism in place to self-destruct, completely hiding its existence.

As Ars Technica reports, infected computers check a server every hour to see if there are any new commands from malicious individuals to execute.

Stranger still, the malware uses the macOS Installer JavaScript API to execute commands, which makes the contents of the package hard to analyse.

When the malware is executed, all that the researchers found were two messages: for computers using Intel chips, the malware displays the words “Hello World!”, while for M1 Macs it says “You did it!”

The researchers hypothesise that these are simply placeholders for a later execution.

“We’ve found that many macOS threats are distributed through malicious advertisements as single, self-contained installers in PKG or DMG form, masquerading as a legitimate application—such as Adobe Flash Player—or as updates”, the researchers describe.

Apple has already revoked the binaries that could lead users to accidentally install the malware. The malware does not seem to have delivered any malicious payload, and the company emphasises that its own Mac App Store is the safest place to get software for its Mac computers.

For programs downloaded outside the store, Apple uses technical mechanisms, including the Apple notary service, to detect and block malware.

“To me, the most notable [thing] is that it was found on almost 30K macOS endpoints… and these are only endpoints that Malwarebytes can see, so the number is likely way higher,” says Patrick Wardle, a macOS security expert, according to Ars Technica.

“That’s pretty widespread… and yet again shows the macOS malware is becoming ever more pervasive and commonplace,…
