The War Room


Community for various OSINT news and subject matter for open discussion or dissemination elsewhere

Hacking ATMs by exploiting flaws in ScrutisWeb ATM fleet software

Researchers found several flaws in the ScrutisWeb ATM fleet monitoring software that can expose ATMs to remote compromise. Researchers from the Synack Red Team found multiple flaws (CVE-2023-33871, CVE-2023-38257, CVE-2023-35763 and CVE-2023-35189) in the ScrutisWeb ATM fleet monitoring software that can be exploited to remotely hack ATMs. ScrutisWeb software is developed by Lagona; it allows […]

The post Hacking ATMs by exploiting flaws in ScrutisWeb ATM fleet software appeared first on Security Affairs.

QwixxRAT, a new Windows RAT appears in the threat landscape

QwixxRAT is a new Windows remote access trojan (RAT) that is offered for sale through Telegram and Discord platforms. The Uptycs Threat Research team discovered the QwixxRAT (aka Telegram RAT) in early August 2023 while it was advertised through Telegram and Discord platforms. The RAT is able to collect sensitive data and exfiltrate them by […]

The post QwixxRAT, a new Windows RAT appears in the threat landscape appeared first on Security Affairs.

Over 12,000 Computers Compromised by Info Stealers Linked to Users of Cybercrime Forums

A "staggering" 120,000 computers infected by stealer malware have credentials associated with cybercrime forums, many of them belonging to malicious actors. The findings come from Hudson Rock, which analyzed data collected from computers compromised between 2018 to 2023. "Hackers around the world infect computers opportunistically by promoting results for fake software or through YouTube

North Korean Hackers Suspected in New Wave of Malicious npm Packages

The npm package registry has emerged as the target of yet another highly targeted attack campaign that aims to entice developers into downloading malevolent modules. Software supply chain security firm Phylum told The Hacker News the activity exhibits similar behaviors to that of a previous attack wave uncovered in June, which has since been linked to North Korean threat actors. As many as nine

Catching the Catphish: Join the Expert Webinar on Combating Credential Phishing

Is your organization constantly under threat from credential phishing? Even with comprehensive security awareness training, many employees still fall victim to credential phishing scams. The result? Cybercriminals gaining immediate and unhindered access to sensitive data, email accounts, and other applications. But what if you could outsmart these criminals and protect your organization? Join

Tesla reassures Chinese users on data security amid spying concerns

The relationship between American tech giants and the Chinese government has never been an easy one. We reported previously how Apple finds itself in a predicament as it strives to conquer the colossal smartphone market in China, the world’s largest. The tech giant has to balance appeasing both Beijing and Western politicians, which tend to […]

How to Build a Simple Application Powered by ChatGPT

OpenAI’s ChatGPT API enables applications to access and integrate ChatGPT, a large language model (LLM) that generates human-like responses to input. Learn how to build a web application that utilizes ChatGPT to generate useful output.

RDPCredentialStealer: steal credentials provided by users in RDP

RDPCredentialStealer is malware that steals credentials provided by users in RDP using API hooking with Detours in C++. Code RDPCredStealerDLL: This code is an implementation of a hooking technique in C++ using the...

The post RDPCredentialStealer: steal credentials provided by users in RDP appeared first on Penetration Testing.

Discord.io Admits Data Breach: Info of 760K Users Sold Online

By Waqas

Following the data breach, Discord.io has shut down all of its operations for the foreseeable future.

This is a post from HackRead.com. Read the original post: Discord.io Admits Data Breach: Info of 760K Users Sold Online

Threat actors use beta apps to bypass mobile app store security

The FBI is warning of a new tactic used by cybercriminals where they promote malicious "beta" versions of cryptocurrency investment apps on popular mobile app stores that are then used to steal crypto.

The threat actors submit the malicious apps to the mobile app stores as "betas," meaning that they are in an early development phase and are meant to be used by tech enthusiasts or fans to test and submit feedback to developers before the software is officially released.

The benefit of this approach is that beta apps do not go through a standard, rigorous code review process but are instead superficially scrutinized for their safety.

This less thorough code review process is insufficient to uncover the hidden malicious code that activates post-installation to perform various hostile actions.

"The malicious apps enable theft of personally identifiable information (PII), financial account access, or device takeover," explains the FBI.

"The apps may appear legitimate by using names, images, or descriptions similar to popular apps."

Usually, the apps mimic cryptocurrency investment and digital asset management tools, asking the user to enter their legitimate account details, deposit money for investments, etc.

Victims are directed to these apps via social engineering using phishing or romance scams, and they look legitimate as they are hosted on reputable app stores.

Sophos first documented this problem in March 2022 in a report that warned about scammers abusing Apple's TestFlight system, a platform created to help developers distribute beta apps for testing in iOS.

A more recent Sophos report explores a malicious app campaign called 'CryptoRom', whose apps masquerade as cryptocurrency investment tools. These apps are promoted through the Apple TestFlight system, which the threat actors continue to abuse for malware distribution.

Infection process (Source: Sophos)

The threat actors initially upload what appears to be a legitimate app to the iOS App Store for use on TestFlight.

However, after the app is approved, the threat actors change the URL used by the app to point to a malicious server, introducing the malicious behavior into the app.

Fake cryptocurrency apps (Source: Sophos)

Google's Play store also supports the submission of beta testing apps; however, it is unclear if more lenient code review processes are followed there too.

The FBI advises that you always confirm whether an app's publisher is reputable by reading user reviews on the app store, and that you avoid software with very few downloads, or with high download counts combined with very few or no user reviews.

Users should also be cautious during the installation phase of a new app and examine the requested permissions for anything that appears to be unrelated to that software's core functionality.

Some common signs of malware on your device include unusually high battery drain rate, elevated internet data consumption, sudden appearance of pop-up ads, performance degradation, and overheating.

Discord.io confirms breach after hacker steals data of 760K users

The Discord.io custom invite service has temporarily shut down after suffering a data breach exposing the information of 760,000 members.

Discord.io is not an official Discord site but a third-party service allowing server owners to create custom invites to their channels. Most of the community was built around the service's Discord server, with over 14,000 members.

Yesterday, a person known as 'Akhirah' began offering the Discord.io database for sale on the new Breached hacking forums. As proof of the theft, the threat actor shared four user records from the database.

For those unfamiliar with the new Breached, it is the rebirth of a popular cybercrime forum known for the sale and leaking of data stolen in data breaches.

Forum post selling Discord.io database (Source: BleepingComputer)

According to the threat actor, the database contains the information for 760,000 Discord.io users and includes the following types of information:

"userid","icon","icon_stored","userdiscrim","auth","auth_id","admin","moderator","email","name","username","password","tokens","tokens_free","faucet_timer","faucet_streak","address","date","api","favorites","ads","active","banned","public","domain","media","splash_opt","splash","auth_key","last_payment","expiration"

The most sensitive information in the breach is a member's username, email address, billing address (small number of people), salted and hashed password (small number of people), and Discord ID.

"This information is not private and can be obtained by anyone sharing a server with you. Its inclusion in the breach does, however, mean that other people might be able to link your Discord account to a given email address," Discord.io explained about the leaking of Discord IDs.

As first reported by StackDiary, Discord.io has confirmed the authenticity of the breach in a notice to its Discord server and website and has begun temporarily shutting down its services in response.

"Discord.io has suffered a data breach. We are stopping all operations for the foreseeable future," reads a message on the service's Discord server.

"For more information, please refer to our #breah-notification channel. We'll be updating our website soon with a copy of this message."

The website for Discord.io contains a timeline explaining that the service first learned of the data breach after seeing the post on the hacking forum.

Soon after, it confirmed the authenticity of the leaked data and began shutting down its services and cancelling all paid memberships.

Discord.io says it has been contacted by the individual behind the breach, but it has not shared any information on how the breach occurred.

What should Discord.io members do?

The passwords in this breach are hashed using bcrypt, making them hardware-intensive and slow to crack.

However, email addresses can be valuable to other threat actors as they could be used for targeted phishing attacks to steal more sensitive information.

Therefore, if you are a member of Discord.io, you should be on the lookout for unusual emails with links to pages asking you to enter your password or other information.

For any updates about the breach, you should check the main website, which should contain any information about potential password resets or emails from the service.

Phishing Operators Make Ready Use Of Abandoned Websites For Bait

Abandoned sites — like WordPress — are easy to break into, offer a legitimate-looking cover, and can remain active for longer than average.

Diligere, Equity-Invest Are New Firms of U.K. Con Man

John Clifton Davies, a convicted fraudster estimated to have bilked dozens of technology startups out of more than $30 million through phony investment schemes, has a brand new pair of scam companies that are busy dashing startup dreams: A fake investment firm called Equity-Invest[.]ch, and Diligere[.]co.uk, a scam due diligence company that Equity-Invest insists all investment partners use. A native of the United Kingdom, Mr. Davies absconded from justice before being convicted on multiple counts of fraud in 2015. Prior to his conviction, Davies served 16 months in jail before being cleared on suspicion of murdering his third wife on their honeymoon in India.

What's New in the NIST Cybersecurity Framework 2.0

Update to the NIST framework adds new "govern" function for cybersecurity.

Tenable Capture the Flag 2023: And the Winners Are...

It’s time to crown the winners of this year’s Capture the Flag Event!

The Tenable Capture the Flag 2023 competition presented a series of security-related challenges in a Jeopardy-style format. Challenges ranged in difficulty and topics including Web App, Reverse Engineering, Crypto, Stego, OSINT, Forensics, Code and more.

In the face of stiff competition, the following teams captured the titles, earning first, second and third place respectively.

And now - the moment you’ve all been waiting for…

Congratulations on your superior performance in the 2023 Tenable CTF:

1st Place

Team: Th3Os

Score: 6997

2nd Place

Team: EPT*

Score: 6499

3rd Place

Team: coldboots

Score: 6499

*EPT won the tiebreaker based on the time taken to reach the score.

A HUGE thank you to all those who participated. The response from the community was fantastic and we look forward to seeing you at the 2024 Capture the Flag!

Here are the final Capture the Flag stats:

Tenable 2023 Capture the Flag competition winners

Check out the CTFtime page to view some of the community’s write ups.

That’s a wrap on the 2023 Tenable Capture the Flag event!

Thanks for making the 2023 Tenable Capture the Flag Event a SUCCESS. We hope you all had as much fun competing as we had putting it together.

Over 100K hacking forums accounts exposed by info-stealing malware

Researchers discovered 120,000 infected systems that contained credentials for cybercrime forums. Many of the computers belong to hackers, the researchers say.

Analyzing the data, threat researchers found that the passwords used for logging into hacking forums were generally stronger than those for government websites.

Hacker logins compromised

After poring through 100 cybercrime forums, researchers at threat intelligence company Hudson Rock found that some hackers had inadvertently infected their computers and had their logins stolen.

Hudson Rock says that 100,000 of the compromised computers belonged to hackers and the number of credentials for cybercrime forums was in excess of 140,000.

The researchers collected the information from publicly available leaks as well as info-stealer logs sourced directly from threat actors.

Info-stealers are a type of malware that search specific locations on the computer for login information. A common target is web browsers, because of their autofill and password storage features.

Alon Gal, chief technology officer at Hudson Rock, told BleepingComputer that “hackers around the world infect computers opportunistically by promoting results for fake software or through YouTube tutorials directing victims to download infected software.”

Among those that fell for the lure were other hackers, likely less skilled ones, so they got infected just like any other gullible user trying to take a shortcut.

Identifying the owners of those compromised computers as hackers, or at least hacker enthusiasts, was possible by looking at the data from the info-stealer logs, which also exposed the individual’s real identity:

  • Additional credentials found on the computers (additional emails, usernames)
  • Auto-fill data containing personal information (names, addresses, phone numbers)
  • System information (computer names, IP addresses)

In a previous blog post, Hudson Rock describes how a prominent threat actor called La_Citrix, known for selling Citrix/VPN/RDP access to companies, accidentally infected their computer.

Looking at the collected data, Hudson Rock determined that more than 57,000 compromised users had accounts to the Nulled[.]to community of budding cybercriminals.

Cybercrime forum accounts exposed by info-stealers (Source: Hudson Rock)

Users of the defunct BreachForums had the strongest passwords to log into the site, the researchers found, with more than 40% of the credentials being at least 10 characters long and containing four types of characters.

Users of BreachForums used stronger passwords (Source: Hudson Rock)

However, hackers also used very weak passwords like a string of consecutive numbers. This could be explained by their lack of interest in getting involved in the community.

They could be using the account just to keep up with the discussions, check what data was for sale, or just to have access to the forum whenever something more important occurred.

The researchers also discovered that the credentials for cybercrime forums were generally stronger than the logins for government websites, although the difference is not large.

Info-stealer logs had weaker passwords for government services (Source: Hudson Rock)

According to Hudson Rock, most of the infections were from just three info-stealers, which also happen to be popular choices with many hackers: RedLine, Raccoon, and Azorult.

At the moment, a large number of initial access compromises start with an info-stealer, which collects all the data a threat actor needs to impersonate a legitimate user, typically called a system fingerprint.

Colorado Health Agency Says 4 Million Impacted by MOVEit Hack

Colorado’s health programs administrator says the personal information of 4 million individuals was compromised in the recent MOVEit hack.

The post Colorado Health Agency Says 4 Million Impacted by MOVEit Hack appeared first on SecurityWeek.

Russian-African Security Gathering Exposes Kremlin's Reduced Influence

Messaging from joint summit in Saint Petersburg amounts to little more than "diplomatic subterfuge," observers note.

Fake Chrome Browser Update Installs NetSupport Manager RAT

By Waqas

Trellix Uncovers Deceptive Chrome Browser Update Campaign Leveraging NetSupport Manager RAT.

This is a post from HackRead.com. Read the original post: Fake Chrome Browser Update Installs NetSupport Manager RAT

Ongoing Xurum attacks target Magento 2 e-stores

Experts warn of ongoing attacks, dubbed Xurum, targeting e-commerce websites using Adobe’s Magento 2 CMS. Akamai researchers warn of ongoing attacks, dubbed Xurum, targeting e-commerce websites running the Magento 2 CMS. The attackers are actively exploiting a server-side template injection issue, tracked as CVE-2022-24086, (CVSS score: 9.8), in Adobe Commerce and Magento Open Source. The […]

The post Ongoing Xurum attacks target Magento 2 e-stores appeared first on Security Affairs.

Microsoft enables Windows Kernel CVE-2023-32019 fix for everyone

Microsoft has enabled a fix for a Kernel information disclosure vulnerability by default for everyone after previously disabling it out of concerns it could introduce breaking changes to Windows.

The vulnerability is tracked as CVE-2023-32019 and has a medium-severity CVSS score of 4.7/10, with Microsoft rating the flaw as 'important' severity.

The bug was discovered by Google Project Zero security researcher Mateusz Jurczyk, and it allows an authenticated attacker to access the memory of a privileged process to extract information.

While it is not believed to have been exploited in the wild, Microsoft initially released the security update with the fix disabled, warning that it could cause breaking changes in the operating system.

"The resolution described in this article introduces a potential breaking change. Therefore, we are releasing the change disabled by default with the option to enable it," explained Microsoft.

Instead, Windows users had to enable the fix manually by adding the following registry values under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides key:

  • Windows 10 20H2, 21H2, 22H2: Add a new DWORD registry value named 4103588492 with a value data of 1
  • Windows 11 21H2: Add a new DWORD registry value named 4204251788 with a value data of 1
  • Windows 11 22H2: Add a new DWORD registry value named 4237806220 with a value data of 1
  • Windows Server 2022: Add a new DWORD registry value named 4137142924 with a value data of 1
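As an added illustration (not part of the article or of Microsoft's bulletin), the following PowerShell checks whether the override value listed above is present for the host's Windows build and, when run with -Enable, adds it. The mapping from build number to Windows version is my assumption; the value names and the value data of 1 are taken from the list above.

```powershell
# Added example, not from the article: audit (and optionally set) the CVE-2023-32019
# FeatureManagement override for the Windows build this script runs on.
param([switch]$Enable)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides'

# Value names from the bulletin as quoted in the article, keyed by OS build number.
# The build-number-to-version mapping is an assumption of this example.
$OverrideByBuild = @{
    19042 = '4103588492'   # Windows 10 20H2
    19044 = '4103588492'   # Windows 10 21H2
    19045 = '4103588492'   # Windows 10 22H2
    22000 = '4204251788'   # Windows 11 21H2
    22621 = '4237806220'   # Windows 11 22H2
    20348 = '4137142924'   # Windows Server 2022
}

$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
$valueName = $OverrideByBuild[$build]
if (-not $valueName) {
    Write-Output "Build $build is not in the bulletin's list; no manual override applies."
    return
}

# Read the current override value, if the key and value exist at all.
$current = (Get-ItemProperty -Path $KeyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -eq 1) {
    Write-Output "Override $valueName is already set to 1 under $KeyPath."
    return
}

# Updates dated August 8, 2023 or later ship the fix enabled by default, so report
# the most recent installed hotfix to help decide whether the override is still needed.
$latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
Write-Output ("Override {0} is not set. Most recent hotfix: {1} ({2})." -f $valueName, $latest.HotFixID, $latest.InstalledOn)

if ($Enable) {
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "Override $valueName created with value data 1."
}
```

Run from an elevated prompt; without -Enable the script only reports state and changes nothing.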

However, Microsoft would not share what conflicts could arise from enabling the update, simply telling BleepingComputer at the time that it would be enabled by default in the future.

This uncertainty led to many Windows admins not deploying the fix out of fear it would cause problems in their Windows installations.

As first spotted by Neowin, Microsoft has now enabled the fix for CVE-2023-32019 by default in the August 2023 Patch Tuesday updates.

"The resolution described in this article has been released enabled by default. To apply the enabled by default resolution, install the Windows update that is dated on or after August 8, 2023." explains Microsoft in an update to its support bulletin.

"No further user action is required."

BleepingComputer has spoken to numerous Windows admins about this update, and none have reported issues with this change enabled.

Lux Vide Wins $1.86m Judgment Against Operator of File-Hosting Site EasyBytez

After a four-year legal process that began before the coronavirus pandemic, Italian film production company Lux Vide has emerged with a $1.86m judgment against the operator of file-hosting platform Easybytez. A Michigan district court found Sven Hansche liable for 748 violations of copyright law and was guided on damages awarded in lawsuits against IPTV providers Nitro TV and Area 51.

From: TF, for the latest news on copyright battles, piracy and more.

SecureWorks layoffs affect 15% staff

SecureWorks said Monday it will let go of 15% of its workforce, the cybersecurity company’s second round of layoffs this year. In a regulatory filing, SecureWorks said that it would incur about $14.2 million in expenses due to the layoffs, mostly related to employee termination benefits and real-estate costs. SecureWorks chief executive Wendy Thomas cited […]

FBI warns of increasing cryptocurrency recovery scams

The FBI is warning of an increase in scammers pretending to be recovery companies that can help victims of cryptocurrency investment scams recover lost assets.

The bulletin mentions that the money lost to cryptocurrency investment fraud surpassed $2.5 billion in 2022, and this only concerns cases reported to the authorities. Furthermore, many people lose cryptocurrency through information-stealing malware or phishing attacks that steal wallets, likely making this number far larger.

This situation creates an opportunity for recovery scheme scammers who tap into this vast pool of victims, taking advantage of their desperation to recover their funds while only deceiving them a second time.

"Representatives of fraudulent businesses claiming to provide cryptocurrency tracing and promising an ability to recover lost funds may contact victims directly on social media or messaging platforms," reads the FBI notice.

"Victims may also encounter advertisements for fraudulent cryptocurrency recovery services in the comment sections of online news articles and videos about cryptocurrency; among online search results for cryptocurrency; or on social media."

BleepingComputer has seen these types of scams posted to our own news stories, in other sites' comment sections, and on Medium.

Comment promoting fake crypto recovery services (Source: BleepingComputer)

While social media, especially Twitter, has been attempting to crack down on these scams, they are still plagued by cryptocurrency support and recovery scams.

Today, BleepingComputer tweeted a fake request for help recovering lost cryptocurrency and was immediately flooded with responses from bots promoting cryptocurrency support and recovery scams.

Twitter bot pushing cryptocurrency recovery scam (Source: BleepingComputer)

The FBI explains that recovery schemes aim to deceive individuals into bearing the expenses of the purported recovery, often asking for an advance fee or some form of deposit.

Once the payment is made, the scammers either cut off communication with the victims or try to solicit additional funds by presenting an incomplete tracing report, suggesting they need more resources to finalize it.

In many cases observed by the FBI, the scammers claim they're affiliated with law enforcement agencies or other legitimate organizations to instill a sense of trustworthiness in their targets.

However, as the FBI highlights, no private sector entity can issue seizure orders to recover stolen digital assets, so all claims of that kind are false, and those making them should be treated as highly suspicious.

To protect yourself against these fraudulent companies or individual scammers, do not trust cryptocurrency recovery services promoted via internet ads, comments, and social media. Furthermore, never share any personal or financial details with unknown individuals online.

Instead, fraud victims should report the incident to their country's law enforcement. In the US, this can be done through the IC3 portal.

Victims of these scams can also pursue civil litigation to recover the lost assets, so keeping all records, transaction details, and interactions with suspicious individuals is essential.

However, as many of these recovery companies are operating under fake names, it will likely not be possible to litigate this type of theft in court.
