Tag Archive for: Steals

LockBit ransomware gang steals data related to security of UK military bases, due to unpatched Windows 7 PC • Graham Cluley


An attack by the notorious LockBit ransomware gang stole 10 GB of data from a company that provides high-security fencing for military bases.

Zaun says that on 5-6 August a “sophisticated cyber attack” saw hackers exploit an obsolete Windows 7 PC to gain access to the company’s servers, and exfiltrate data which has since been published on the dark web.

According to the firm, classified documents are not believed to have been included in the haul:

“LockBit will have potentially gained access to some historic emails, orders, drawings and project files; we do not believe that any classified documents were stored on the system or have been compromised. We are in contact with relevant agencies and will keep these updated as more information becomes available. This is an ongoing investigation and as such subject to further updates.”

In what appears to be an attempt to reduce concern about the security breach, Zaun says that its perimeter fencing is hardly top secret:

“Zaun is a manufacturer of fencing systems and not a Government approved security contractor. As a manufacturer of perimeter fencing, any member of the public can walk up to our fencing that has been installed at these sites and look at it.”

Well, maybe that’s the case. But I would still be alarmed if there was sensitive information contained in the emails and other documents that were stolen. For instance, the contact details of personnel at military sites, or the specifics of the physical security arrangements at a particularly sensitive site.

I get the feeling that Zaun may know what it is doing when it comes to physical security, but may be lagging a little behind when it comes to digital security. Mainstream support for Windows 7 ended back in 2015.

Even if your organisation had signed up for Windows 7 Extended Security Updates, the last of those was delivered in January 2023. Anything still running Windows 7 today is receiving no security fixes at all.

Zaun says it has contacted the National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) about the data breach.




Newly Uncovered ThirdEye Windows-Based Malware Steals Sensitive Data


Jun 29, 2023, Ravie Lakshmanan, Cyber Threat / Hacking


A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with capabilities to harvest sensitive data from infected hosts.

Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name “CMK Правила оформления больничных листов.pdf.exe,” which translates to “CMK Rules for issuing sick leaves.pdf.exe.”

The arrival vector for the malware is presently unknown, although the nature of the lure (a document-named executable) points to it being used in a phishing campaign. The very first ThirdEye sample was uploaded to VirusTotal on April 4, 2023, with fewer features than the later builds.

The evolving stealer, like other malware families of its kind, is equipped to gather system metadata, including BIOS release date and vendor, total/free disk space on the C: drive, currently running processes, registered usernames, and volume information. The amassed details are then transmitted to a command-and-control (C2) server.


A notable trait of the malware is that it uses the string “3rd_eye” to beacon its presence to the C2 server.

There are no signs yet that ThirdEye has been used in actual attacks. That said, given that a majority of the stealer artifacts were uploaded to VirusTotal from Russia, it’s likely that the malicious activity is aimed at Russian-speaking organizations.

“While this malware is not considered sophisticated, it’s designed to steal various information from compromised machines that can be used as stepping-stones for future attacks,” Fortinet researchers said, adding the collected data is “valuable for understanding and narrowing down potential targets.”

The development comes as trojanized installers for the popular Super Mario Bros video game franchise hosted on sketchy torrent sites are being used to propagate cryptocurrency miners and an open-source stealer written in C# called Umbral that exfiltrates data of interest using Discord Webhooks.
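Two of the indicators described above lend themselves to a quick triage check over egress logs: the “3rd_eye” string that ThirdEye sends to its C2 server, and the Discord webhook POSTs that Umbral uses for exfiltration. The double-extension lure (“….pdf.exe”) is a third. The script below is an added example written for this page, not code from Fortinet, The Hacker News, or either malware family. It assumes (this is not stated above) that the “3rd_eye” marker is visible in the URL of a plaintext HTTP request, that Discord webhook exfiltration appears as a POST to `https://discord.com/api/webhooks/<id>/<token>`, and it uses a made-up proxy log layout of `timestamp src method url status bytes`; the sample lines are constructed.

```python
"""
Added example: triage constructed proxy log lines for two stealer indicators
named on this page (ThirdEye's "3rd_eye" C2 marker, Umbral-style Discord
webhook exfiltration) and flag document-looking double-extension executables.

Assumptions not stated on the page:
  * "3rd_eye" is visible in the URL of a plaintext HTTP request;
  * webhook exfil shows up as POST https://discord.com/api/webhooks/<id>/<token>;
  * the log layout "timestamp src method url status bytes" is made up here.
"""
import re
from dataclasses import dataclass
from typing import List

# Extensions that look like harmless documents or images to a user...
DOC_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# ...and extensions Windows will actually execute.
EXECUTABLE = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "pif", "msi"}

BEACON_MARKER = "3rd_eye"
# Matches the Discord webhook endpoint (assumed exfil channel), any subdomain.
DISCORD_WEBHOOK = re.compile(
    r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I
)


def is_double_extension_lure(filename: str) -> bool:
    """True for names like 'report.pdf.exe': a document-looking extension
    immediately followed by an executable one."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return inner in DOC_LIKE and outer in EXECUTABLE


@dataclass
class Finding:
    line_no: int
    src: str
    reason: str


def scan_log(text: str) -> List[Finding]:
    """Walk constructed log lines and return one Finding per indicator hit."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 6:
            continue  # not in the assumed layout; skip rather than guess
        _ts, src, method, url, _status, _nbytes = fields[:6]
        if BEACON_MARKER in url:
            findings.append(Finding(n, src, "ThirdEye beacon marker in URL"))
        if method.upper() == "POST" and DISCORD_WEBHOOK.search(url):
            findings.append(
                Finding(n, src, "POST to Discord webhook (possible Umbral-style exfil)")
            )
    return findings


# Constructed sample lines (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = """\
2023-06-29T10:00:01Z 10.0.0.5 GET http://example.org/index.html 200 512
2023-06-29T10:00:07Z 10.0.0.5 POST http://203.0.113.10/3rd_eye?u=DESKTOP-1 200 1440
2023-06-29T10:01:12Z 10.0.0.9 POST https://discord.com/api/webhooks/1234567890/AbCdEf-GhIjKl 204 90112
2023-06-29T10:02:30Z 10.0.0.5 GET https://discord.com/channels/@me 200 2048
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} from {f.src}: {f.reason}")
    lure = "CMK Правила оформления больничных листов.pdf.exe"
    print(f"{lure!r} is a double-extension lure: {is_double_extension_lure(lure)}")
```

Ordinary browsing of discord.com is not flagged; only the webhook endpoint is, because that is the path a webhook-based stealer must use. In a real deployment the marker check would run on TLS-inspected or endpoint-captured requests, since plaintext C2 is an assumption made here for the example.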

“The combination of mining and stealing activities leads to financial losses, a substantial decline in the victim’s system performance, and…


GravityRAT Android Malware Variant Steals WhatsApp Backups


Heads up, Android users! The latest GravityRAT malware variant now targets Android devices and steals WhatsApp chat backups. The malware reaches devices by posing as a chat app. Once again, this highlights the importance of installing only known apps from trusted sources.

GravityRAT Android Malware Steals WhatsApp Backups

According to a recent report from ESET, a new GravityRAT malware variant has been actively targeting Android devices.

GravityRAT is spyware known since 2015, a capable remote access trojan that has targeted Windows, macOS, and Android systems. It has been used in numerous malicious campaigns, with each new iteration adding more advanced capabilities.

The recent GravityRAT variant targets Android devices and steals various files, including WhatsApp backups. To achieve this, the threat actors rolled out “BingeChat,” a supposed chat app. The app advertises numerous attractive features, including end-to-end encryption, voice chats, file sharing, an easy user interface, and free availability, to lure users.

To further stoke curiosity and add a sense of legitimacy, the threat actors restricted the app download to an “invite-only” mode with a registration requirement. This seemingly shields the app from analysis by researchers and keeps the victim base targeted.

The app functions normally because the threat actors built it on the open-source Android messenger OMEMO IM, which is how the trojanized app avoids alerting users to the embedded GravityRAT malware.

After being downloaded and installed, the app requests risky permissions, which a legitimate messaging app might also request, so they do not look out of place. These include access to SMS messages, contact lists, call logs, location, and device details. Once obtained, the app transmits all of this information to the attackers’ C&C server.

Alongside these capabilities, the new GravityRAT malware hidden inside the BingeChat app also receives commands regarding file deletion, call log deletion, and contact list deletion. Moreover, it steals files with various extensions, including crypt14, crypt12, crypt13, and crypt18 extensions that often represent WhatsApp chat


Google disrupts malware that steals sensitive data from Chrome users



Google has disrupted infrastructure linked to the notorious CryptBot malware, which the company claims has stolen data from hundreds of thousands of browser users in the past year alone.

CryptBot is information-stealing malware first discovered in 2019. It is typically distributed via spoofed websites masquerading as legitimate software sites that offer free downloads. Once installed, the malware steals sensitive information from infected computers, such as passwords, cookies, cryptocurrency wallets and credit card information.

In a blog post, Google said it observed the malware spreading by way of maliciously modified apps, including Google Chrome and Google Earth Pro. In the last 12 months, Google says the malware compromised about 670,000 computers in order to steal sensitive information that’s “eventually sold to bad actors to use in data breach campaigns.”

Google said it tracked recent CryptBot versions impersonating its browser and mapping software, worked to identify the malware’s Pakistan-based distributors, and took action.

After filing a legal complaint against several of CryptBot’s major distributors, the tech giant confirmed Wednesday that it had secured a temporary court order to hamper the distributors’ ability to spread the infostealer malware.

The order, granted by a federal judge in the Southern District of New York, allows Google to take down current and future domains that are linked to the distribution of the CryptBot malware.

“This will slow new infections from occurring and decelerate the growth of CryptBot,” the technology giant said in a blog post. “Lawsuits have the effect of establishing both legal precedent and putting those profiting, and others who are in the same criminal ecosystem, under scrutiny. This litigation is another step forward in holding cybercriminals accountable, by not just targeting those that operate botnets, but also those that profit from malware distribution.”

Google’s disruption of CryptBot comes after the company took legal action in 2021 against the two alleged operators of the Russia-based Glupteba botnet, which the…
