Archive for June 30, 2020

Golang: A Cryptomining Malware that Maybe Targetting Your PC


Cybersecurity experts at Barracuda Networks have discovered a unique kind of crypto mining malware called "Golang." The malware can attack Windows as well as Linux systems, according to the experts. This latest malware is targeting Monero cryptocurrency with the help of Xmrig, a popular miner. The number of attacks related to the malware may be relatively low, but the cybersecurity experts have discovered 7 IP addresses associated with this malware, all originating from China.


The experts also observed that the Golang malware's primary targets are non-HTTP features like MSSQL and Redis, app servers, web apps frameworks, whereas easy to attack targets like end-users are safe. If we look back into the issue, we will find that the earlier versions of Golang only affected the Linux systems; however, the present version targets Windows and the former. The attacks are carried out using various exploits such as IoT devices, Hadoop, Drupal, ElasticSearch, and Oracle Weblogic. For instance, in a recent malware attack in China, the malware used exploits that targeted ThinkPHP app frameworks widely used in the country.

According to the experts, the Golang malware is capable of evolving every day and using more exploits as each day passes by. Golang malware works by infiltrating the system, and once it does, it uses required files to complete the task. These may include downloaded update scripts, configuration files, scanner, and a miner. It all depends on the type of platform. Whereas, when attacking Windows, the hackers can use backdoors too. In recent times, more and more hackers have shifted towards using Golang as it can't be identified by anti-virus software.

The malware is infamous for targeting vulnerable servers, making it accessible among cybercriminals looking for vulnerabilities to exploit. The only way to be safe from this malware is to keep track of the CPU usage activity (when it goes unusually high) and observe any suspicious activity at the endpoints. Any threat, similar to the likes of Golang, can be avoided by vigilante inspections and immediate responses. Awareness about crypto mining threats is also a must.

IM Platforms Increasingly Used by Threat Actors in Place of Dark Web Marketplaces


Researchers at IntSight have discovered that IM platforms such as WhatsApp, Telegram, Discord, IRC, and Jabber are being used by cybercriminals for advertising and putting their goods and services on sale. One of the major reason as to why cybercriminals are switching to these IM platforms from the conventional ones is 'law enforcement practices'; law enforcement operations have been targeting online darknet markets one after another. Earlier in 2017, the world's largest dark web market, AlphaBay was taken offline, sending darknet users into chaos. Immediately after, the cyberspace witnesses the shut down of Hansa, another major darknet market. As more and more major dark web markets went offline due to the law enforcement penetrations, cybercriminals are wisely migrating to new platforms.

Although threat actors are loving IM platforms, the regular cybercrime sources such as dark web markets, credit card shops, and forums are still witnessing their web usual traffic. These platforms have more advantages such as chatbots, fewer rules, and automated replies due to their core nature, unlike IM platforms that are majorly meant for communication.

While giving insights, Etay Maor, IntSights CSO, said, "Telegram appears to be experiencing the most growth, with more than 56,800 Telegram invite links shared across cybercrime forums and over 223,000 general mentions of the application across forums. Telegram is also the platform most often discussed in foreign language forums."

"Financial threat actors and fraudsters exchange stolen carding information, selling or trading all kinds of credit card dumps, and publishing methods or techniques relevant for the fraud community. In addition, there is also a trade of physical items stolen or counterfeited from organizations in the retail industry.” He added.

“While the data itself is fully encrypted and law enforcement needs sophisticated algorithms in order to decrypt it, some countries have authorized law enforcement agencies to access the private information of their citizens if sanctioned by courts or other judicial authorities – including information that lives in IM platforms. Threat actors are worried about the cooperation between technology companies and law enforcement agencies, especially in the United States.” Maor further explained.

Russian Medvedev pleaded guilty to cybercrime in a US court


The US Department of Justice considers Sergei Medvedev one of the founders of the transnational organization Infraud, which sold stolen personal, banking and financial data, as well as information from credit and debit cards

Russian Sergei Medvedev, accused in the United States of cybercrime and causing damage of $568 million, pleaded guilty, said the US Justice Department on June 26.

"Sergey Medvedev, also known as Stells, segmed, serjbear, aged 33, from the Russian Federation, pleaded guilty to US District Court judge James Mahan in Nevada," said the Department in a statement.
According to the Ministry of Justice, Infraud engaged in large-scale acquisition, sale and distribution of stolen identification data, information from compromised debit and credit cards, personal information, banking and financial data, and malicious computer programs.

The prosecution believes that Infraud was created in October 2010 by a native of Ukraine Svyatoslav Bondarenko, also known as Obnon, Rector, Helkern. In the United States, Medvedev is also considered one of the creators of the platform. The organization's slogan is "In Fraud We Trust". By March 2017, the organization had almost 11,000 registered members (according to the US Department of Justice). The loss from Infraud's operations amounted to more than $568 million.

Recall that on February 8, 2018, the Agency reported that 36 people were accused of involvement in the activities of Infraud. At the same time, the Ministry of Justice reported on the arrest of 13 people who were members of the organization. They were citizens of the United States, Australia, Britain, France, Italy, Kosovo and Serbia.

The next day, it became known about the detention of Sergei Medvedev in Thailand. The operation to detain the Russian was conducted by local police at the request of the FBI. The Bangkok Post then reported that Medvedev was engaged in illegal online trading for bitcoins. More than 100 thousand bitcoins were found on the Russian's accounts.

Earlier on Friday, it was reported that a court in the United States found Russian Alexey Burkov guilty of cybercrime and sentenced him to nine years in prison.

Apple catches TikTok spying on million of iPhone users globally


Apple announced its latest OS iOS14 at this year's WWDC and during the beta testing for the same, the tech giant caught TikTok recording user's cut-paste data and whatever the user was typing on their keyboard.


The new alert on iOS14 lets the user know if any app is pasting from the clipboard and if they are reading from the cut-paste data. This alert leads to TikTok's reveal. This alert was added based on the research by German software engineer Tommy Mysk in February; he discovered that every app installed on an iPhone or iPad can access clipboard data. And thus Apple added this new banner alert in its latest OS.

Soon after the update, many users started complaining about the issue, “Hey @tiktok_us, why do you paste from my clipboard every time I type a LETTER in your comment box?” wrote @MaxelAmador actor and podcast host on Twitter. “Shout out to iOS 14 for shining a light on this HUGE invasion of privacy.” Though many other apps like Accu Weather, Call of Duty Mobile, and even Google News can read clipboard data it seems strange as to why TikTok would need to do so.

After finding this glitch, Apple released a patch and fixing the issue, even TikTok said in March that it would stop the practice but it seems like they are still snooping on user's data.

In response, the social media app stated, “For TikTok, this was triggered by a feature designed to identify repetitive, spammy behavior. We have already submitted an updated version of the app to the App Store removing the anti-spam feature to eliminate any potential confusion”. 

The clipboard tool in iOS helps the user to copy text and images and paste them on another app, the glitch leads to apps access this data, making it quite worrisome. And all this data could be accessed without the user's consent. Apple should be appalled for this expose but another pressing question remains- should the Android community be worried about the same?

Hackers Leak Tons of Personal Data as IndiaBulls Fails to Meet the First Ransomware Deadline


Hackers demanding ransom released data, as the IndiaBull failed to meet the first ransom deadline. It happened after a 24-hour ransomware warning was issued, and when the party was unable to make ends meet, the hackers dumped the data. According to Cyble, a Singapore based cybersecurity agency, the hackers have threatened to dump more data after the second deadline ends. The hackers are using ransomware, which the experts have identified as "CLOP."


The hackers stole the data from IndiaBulls and released around 5 Gb of personal data containing confidential files and customer information, banking details, and employee data. It came as a warning from the hackers, in an attempt to threaten the other party, says a private cybersecurity agency.

About the data leak-
The dumped data resulted in exposing confidential client KYC details like Adhaar card, passport details, Pan card details, and voting card details. The leak also revealed personal employee information like official ID, contact details, passwords, and codes that granted access permission to the company's online banking service. The IndiaBulls' spokesman said that the company was informed about the compromise of its systems on Monday; however, the data leaked is not sensitive. When asked about the data leak incident that happened on Wednesday, he said that the company had nothing to say.

The cybersecurity agency, however, tells a different story. It says that the spokesperson's information is incorrect as the attack did not happen on Monday. It also says that it requires some time to carry out such an attack, in other words, the transition phase from initial attack to extortion. The company may have been confused or misguided, say the cybersecurity experts. In a ransomware attack, the hacker makes it impossible for the user to access the files by encrypting them. Most of the time, the motive behind the ransomware threat is money, which is quite the opposite of state-sponsored hackers, whose aim is to affect the systems. In the IndiaBulls' incident, hackers encrypted the files using CLOP ransomware. It is yet to confirm how the hackers pulled this off, but according to Cyble, it was mainly due to vulnerabilities in the company's VPN.