Tag Archive for: Website

eFile tax website served malware to visitors for weeks


Just in time for tax season, the IRS-authorized eFile website prompted users to install a Windows botnet trojan through April 1.

eFile.com was serving malware

Windows users that used eFile.com may have been exposed to a malicious JavaScript file prompting users to install a second-stage payload. While users would have needed to interact with this and install the .exe file, it is still recommended to run a virus scan.

According to a report from Bleeping Computer, Reddit users pointed out that the malware had been served since at least mid-March. It has been independently verified that eFile is no longer serving the malware as of April 4.

This affected the eFile website directly. Users that interacted with the service on a Windows PC will need to ensure their system is secure. Neither macOS nor iOS was affected, but we’re discussing the issue to bring awareness, given that the IRS has yet to make a formal statement about the issue, and millions of Americans could be affected.

A JavaScript file called popper.js was being loaded by nearly every page of eFile.com until at least April, the report confirmed. An additional file named update.js associated with the attack would prompt users to download the next stage of the payload, a Windows executable that changed based on which browser was in use — Chrome or Firefox.

This malicious software was being served from a Tokyo-based IP address hosted with Alibaba. If installed, the trojan would act as a simple backdoor and turn the Windows machine into a botnet member.

The malware would connect to a remote command and control center every ten seconds to receive a task. And despite being a simple backdoor, it had full access to a device.

Antivirus products have reportedly already started flagging the executables as trojans. Again, we urge any Windows user that visited eFile.com in recent weeks to run a scan of their device.

Source…

Health ministry approaches CERT-In over hacking attempt of its website


The Union health ministry has asked the Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology to look into the reported attempt to hack its website, allegedly by a Russian hacker group.

Cyber security experts from CloudSEK have claimed that Russian hacker group ‘Phoenix’ targeted the website and managed to get access to the ministry’s Health Management Information System portal and has details of all the hospitals of India, along with employees’ and physicians’ data. “We have sought details and asked the CERT-In to look into the alleged hacking of the health ministry’s website. They will submit a report,” an official source told PTI. CERT-In is the national nodal agency for responding to computer security incidents and provides prevention and response services to government departments and private bodies.

According to a report by CloudSEK, the group mentioned that the attack is “a consequence of India’s agreement over the oil price cap and sanctions of G20 over the Russia-Ukraine war”.

“The motive behind this target was the sanctions imposed against the Russian Federation where Indian authorities decided not to violate the sanctions as well as comply with the price ceiling for Russian oil approved by G7 countries,” CloudSEK said.

“This decision resulted in multiple polls on the telegram channel of the Russian Hacktivist Phoenix asking the followers for their votes,” it stated. CloudSEK stated that Phoenix has been active since January 2022, is known for phishing scams, and has a history of targeting hospitals based in Japan and the UK, a US-based healthcare organisation serving the US military, and the website of the Spanish foreign ministry with a DDoS attack, among others.

(This story has not been edited by Devdiscourse staff and is auto-generated from a syndicated feed.)

Source…

Russian hackers hit Indian Health Ministry’s website: Cyber-security firm


Cyber-security researchers from CloudSEK have claimed that a Russian hacker group targeted the Indian Health Ministry website and infiltrated its Health Management Information System (HMIS).

The pro-Russian hacker group called Phoenix allegedly compromised the HMIS Portal and had access to the data of employees and chief physicians of all the hospitals in the country, claimed the AI-driven cybersecurity company.

According to CloudSEK’s contextual AI digital risk platform XVigil, “the motive behind this target was the sanctions imposed against the Russian Federation where Indian authorities decided not to violate the sanctions as well as comply with the price ceiling for Russian oil approved by G7 countries”.

“This decision resulted in multiple polls on the telegram channel of the Russian Hacktivist Phoenix asking the followers for their votes,” it added.

According to security researchers, the Russian threat actors may sell exfiltrated license documents and personally identifiable information (PII) on cybercrime forums and conduct document fraud using the PII and license documents.

Active since January 2022, the Russian hacktivist group Phoenix was observed using social engineering techniques to lure victims into a phishing scam, then stealing their passwords and gaining access to the victims’ bank or e-payment accounts.

“The group has conducted a series of DDoS attacks against multiple entities in the past,” said the report.

Phoenix has also engaged in hardware hacking, unlocking lost or stolen iPhones and reselling them in Kiev and Kharkiv through a network of controlled outlets.

The Russian hacktivist group has earlier attacked hospitals based in Japan and the UK, along with a US-based healthcare organisation serving the US military, said the report.

Late last year, the All India Institute of Medical Sciences (AIIMS) in Delhi became the victim of a massive ransomware attack where Chinese involvement was suspected.

Sensitive data of at least 40 million patients, including political leaders and other VIPs, were potentially compromised in the hacking.

The attack was analysed by the Indian Computer Emergency Response Team…

Source…

International Law Enforcement Takes Down Website Selling NetWire Malware


International law enforcement has seized an internet domain that cyberattackers were using to sell malware on the dark web capable of stealing credentials from a victim’s computer.

The site, worldwiredlabs.com, was selling the Netwire remote access trojan (RAT), which targets a system’s operating system and creates a backdoor that allows it to spy on and gain control of the computer to execute malicious commands.

Croatian National Arrested

In this action, authorities in Croatia on Tuesday arrested a Croatian national who allegedly was the administrator of the website. This defendant will be prosecuted by Croatian authorities. Additionally, law enforcement in Switzerland have seized the computer server hosting the NetWire RAT infrastructure, said U.S. District Attorney’s Office for the Central District of California officials.

The Federal Bureau of Investigation (FBI) in Los Angeles has been investigating the website since 2020. It was the only known distributor of NetWire. In the sting, FBI undercover investigators created an account on the website, paid for a subscription plan, and “constructed a customized instance of the NetWire RAT using the product’s builder tool,” according to the affidavit in support of the seizure warrant, the D.A.’s office said.

NetWire Probe Yields Results

The website marketed NetWire as a legitimate business tool to maintain computer infrastructure and the software was advertised on hacking forums. NetWire is well known to cybersecurity providers and federal law enforcement for its use in cybercrimes.

Commenting on the investigation, Donald Alway, the Assistant Director in Charge of the FBI’s Los Angeles field office, said:

“By removing the Netwire RAT, the FBI has impacted the criminal cyber ecosystem. The global partnership that led to the arrest in Croatia also removed a popular tool used to hijack computers in order to perpetuate global fraud, data breaches and network intrusions by threat groups and cybercriminals.”

International operations to combat cybercrime have become a necessary tactic to slow the propagation of malicious software. Indeed, President Biden’s recently released…

Source…