Author Archives: Sandhya Chauhan

Hackers Delivering New Muncy Malware Worldwide through DHL Phishing Campaign

Attackers are reported to be distributing a new malware, dubbed Muncy, as an EXE file through DHL-themed phishing campaigns targeting users across the globe.

Delivered through malspam emails, DHL phishing is among the most far-reaching campaigns and has distributed several sophisticated malware families. The attackers make the emails appear legitimate by exploiting poorly configured SMTP servers and by employing email spoofing techniques.

DHL is a company of global repute which specializes in express mail services, international couriers and parcels. Cybercriminals have dented the well-established company's reputation by abusing it to distribute malware.

They did so by crafting the malicious emails to appear to be coming from DHL Express. The email contained an infected attachment in PDF format.

How is the malware executed?

As soon as the targeted user opens the PDF attachment, the Muncy Trojan file sneaks into the system. The packed malware is then unpacked, and once unpacked it scans the whole C:\ drive for files containing sensitive data.

Expert takes

Commenting on the matter, Pedro Tavares, Founder and Pentester at CSIRT.UBI, told GBHackers, “The phishing campaign is trying to impersonate DHL shipment notification and the malware is attached in the email.”

“This malware is on the rise and is affecting users in the wild while stealing sensitive information from their devices.”

Attacks on US Companies by Chinese and Iranian Hackers Renewed

Following Trump's withdrawal of the U.S. from the Iran nuclear deal last year and the trade disputes between the U.S. and China, Iranian and Chinese hackers have heavily attacked corporations and government agencies in the United States. Security experts are of the opinion that these hackers have been fuelled by these past conflicts.

According to a briefing by seven people with knowledge of the incidents, the recent attacks, which targeted multiple US corporations, government agencies, American banks and various businesses, were more brutal than those carried out in the past. These people were not permitted to publicly discuss the details.

Analysts and security researchers at the National Security Agency attributed the attacks to Iran. Meanwhile, an emergency order was issued through the Department of Homeland Security during last month's government shutdown, instigated by FireEye, a privately owned security firm.

Reportedly, these Iranian attacks coincided with a renewed Chinese offensive aimed at stealing sensitive military and trade data from U.S. tech companies and military contractors.

Commenting on the matter, Joel Brenner, a former leader of United States counterintelligence under the director of national intelligence, said, “Cyber is one of the ways adversaries can attack us and retaliate in effective and nasty ways that are well below the threshold of an armed attack or laws of war.”

Centre to Seek Counsel on the Removal of UID Data of Children Opting Out of Aadhaar

The government has sought legal counsel on the deletion of the biometric data of children who decide to withdraw their Aadhaar details on turning 18.

The Union Cabinet has approved amendments to the Aadhaar Act, including a provision which grants children the option to opt out of Aadhaar on turning 18 years of age.

This binds the Unique Identification Authority of India to delete all the information, along with the biometrics, of these people from its servers.

Referencing the statements given by UIDAI CEO and Revenue Secretary Ajay Bhushan Pandey: “A child when he or she turns the age of 18 can exercise an option to opt out, and in that particular case, their Aadhaar number will be canceled.”

“Regarding the biometric data, that is something we will have to take a legal opinion on, because if you delete the biometric data, then suppose that person comes again and does enrolment, then how will that operate.”

“Maybe that data could be kept somewhere separate, but how that will function, we will have to take legal opinions,” he further added.

The Aadhaar Act amendment will need to be reintroduced in the next session, with a new government at the helm, as it was not passed during the recent Budget session of the Lower House.

However, those who wish to file income tax returns will derive no benefit from this amendment, which gives children attaining the age of 18 the power to quit Aadhaar, because the court has made it mandatory to have Aadhaar linked with PAN cards when filing taxes.

Popular Android App Tampered With by Hackers to Disseminate Malware

In an attempt to disseminate the Triout Android malware, attackers tampered with a widely used Android app from Google Play.

The new (tampered) version of the app, which delivers the malware, was discovered by security researchers at Bitdefender. Reportedly, the app package “com.psiphon3”, which is known for giving uncensored access to content on the internet, was abused by cybercriminals, who repackaged it with the spyware framework.

The threat actors distributed the tampered version of the app via third-party app stores rather than through the Google Play store, and to generate revenue they bundled the app with Google Ads, MoPub Ads, InMobi Ads and various other adware components.

While hiding its presence on the device, the Triout Android malware is programmed to collect phone calls, record videos, take pictures, and access text messages and GPS data. It transfers the gathered information to the hackers’ command and control server.

According to the researchers at Bitdefender, the original and the tainted app share the same UI, which means the criminals only inserted the Triout spyware component while tampering with the app. They tampered with v91 of the app, which is currently at v241.

Referencing the researchers’ findings: “The original legitimate application is advertised as a privacy tool that enables access to the open internet; when bundled with the Triout spyware framework it serves the exact opposite purpose.”

“While the Triout Android spyware framework itself does not seem to have undergone changes in terms of code or capabilities, the fact that new samples are emerging and that threat actors are using extremely popular apps to bundle the malware,”

iOS 12.1.4 Released for the iPhone, iPad and iPod Touch

An unusual bug in Apple’s Group FaceTime which allowed eavesdropping on the person being called has been fixed in the latest update released by the company.

Reportedly, the flaw was identified by an Arizona-based teenager, Grant Thompson. The teenager and his mother, Michele Thompson, attempted to inform Apple of the bug by sending a video of the flaw, which put the privacy of millions of iOS users at risk, but unfortunately got no response from the company.

Afterwards, when a different developer brought the issue to Apple’s attention, the company hurried to take action, keeping the Group FaceTime feature disabled in the meantime.

While the duration for which the flaw was exploited remains unclear, the update patches it and the Group FaceTime service has been restored.

In the context of the delayed response and the ignored reports from Thompson and his mother, Apple said it would improve the manner in which it deals with bug reports and warnings.

Expressing regret, Apple said in a statement given to, “We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process.”

“We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible. We take the security of our products extremely seriously and we are committed to continuing to earn the trust Apple customers place in us.”

Putting the urgency Apple later showed into perspective, the company said that as soon as its engineers became aware of the details required to resolve the issue, they immediately disabled the Group FaceTime feature and started working on the patch.

However, the delayed response to repeated calls, emails and letters did raise a few eyebrows and put into question the company’s commitment to user privacy, and the recent billboard hung by Apple in Las Vegas stating “What happens on your iPhone, stays on your iPhone” further inflamed the questions about that commitment.

Therefore, in an attempt to rebuild the shaken trust, Apple went on to thank the Thompson family for reporting the bug.

Though the bug has been resolved, Apple has been sued by a Houston lawyer alleging that a private deposition with his client was recorded through his phone. The suit was filed by attorney Larry Williams in Texas.

IoT Botnet Service Offered by Hackers as “TheMoon”

Originally identified in 2014, the TheMoon botnet is configured to look for flaws in routers made by vendors such as ASUS, D-Link, Linksys and MikroTik. The proxy botnet has been employed by its operators for a number of purposes: video advertisement fraud, general traffic obfuscation and brute forcing, to name a few.

With the intention of further expanding the botnet, the operators are expected to constantly scan for exploitable services running on IoT devices.

TheMoon botnet attacks IoT applications listening on port 8080; on detecting a vulnerable device, the botnet drops a shell script which, once executed, downloads the initial stages of the payload.

Security researchers at CenturyLink found that the recent module differs from the previous one in that it converts the targeted device into a SOCKS5 proxy, allowing the botnet operator to offer its proxy network as a service to others.

The researchers further discovered that anyone connecting to TCP port 8002 automatically receives a stream of log messages associated with advertisement fraud.

Referenced from the findings of the CenturyLink report,

“One six-hour time period from a single server resulted in requests to 19,000 unique URLs on 2,700 unique domains. After browsing some of the URLs, it was apparent they all had embedded YouTube videos.”

“The always-on nature of IoT devices and the ability to masquerade as normal home users make broadband networks prime targets for these types of attacks,”

Ransomware, RDP Logins and Credit Card Details being sold on the Dark Web

Various hacking tools which can be employed to assist and propel cybercrime are offered at various rates on dark web markets; these tools are traded illicitly in the form of cybercrime as a service.

Empire Market, DreamPoint, Wall Street Market and Berlusconi Market are some of the dark web markets known to have hosted such hacking tools.

According to the findings of ESET, an array of ransomware packages has been put up for sale, with the hackers providing updates, technical assistance and access to C&C servers.

RaaS (ransomware-as-a-service) is a service which lets hackers host their product on the dark web, allowing individuals to avail themselves of the service with their own customization and requirements.

Besides RaaS, RDP logins are traded on dark web markets to provide access to RDP servers across the world. Notably, they are priced between US $8 and $15 per server depending on country and operating system.

The third variant is DDoS attacks: attackers have placed botnets for sale in order to launch DDoS attacks or send spam emails, and the price depends upon the duration for which one rents the botnet service.

Though some hackers display the tools they employed while carrying out malicious activities, the majority hide behind tools that shield them with anonymity as they continue to build a profitable cybercrime industry, an amalgamation of marketing, advertising, updates, customer care and user manuals.

Apple’s Delayed Response on FaceTime Flaw Puts Its Commitment to Security into Question

On 19 January, an Arizona-based teenager, Grant Thompson, while using Apple’s FaceTime discovered an unusual bug which allows eavesdropping on the person being called. Thompson noticed it when he was able to eavesdrop on the friend he called before the call was even answered.

Immediately after, Grant’s mother, Michele Thompson, attempted to inform Apple of the bug by sending a video of the flaw, which put the privacy of millions of iOS users at risk. When her warning fetched no response from the company, she resorted to other channels of communication such as emailing, faxing and tweeting. She even tried to reach Apple’s security department via Facebook.

It was on Friday that Ms. Thompson’s warning was entertained, and she was encouraged by Apple's product security team to create a developer account and then file a formal bug report.

On Monday, acknowledging the flaw, Apple said it had “identified a fix that will be released in a software update later this week.” However, the company left unaddressed the question of how the flaw passed through quality assurance and why it took so long to respond to Ms. Thompson’s warnings.

Group FaceTime was disabled by Apple, which said a fix was in progress; notably, though, the company hurried to take action only after a different developer brought the issue to its attention and the flaw was covered in an article which went viral.

As Apple is known for its reputedly unassailable security and continuously advertises its bug reward program, the delay in responding and in taking preventive measures has put its commitment to safety and security into question.

Insisting on the company's commitment to safety, chief executive Tim Cook tweeted, “we all must insist on action and reform for vital privacy protections.”

How does the flaw work?

It is a highly rare security flaw which allows such remote access and is so simple to execute. After adding a second individual to a Group FaceTime call, one can access the audio and video of the person initially called without requiring them to answer the call.

Referencing the statements given by Patrick Wardle, co-founder of Digita Security: “If these kinds of bugs are slipping through, you have to wonder if there are other problematic bugs that other hackers are exploiting that should have been caught.”

Microsoft 365 Underwent Two-Day Outage, Outlook and Exchange Down

Within the last two days, the Microsoft 365 online productivity suite suffered several outages. Reportedly, users lost access to their mailboxes, and sending and receiving emails was delayed by more than 3 hours.

Furthermore, emails went missing and users were exchanging multiple repeated emails at a time without their consent.

Microsoft Office 365, also known as Microsoft 365 or Office 365, is a line of subscription offerings by Microsoft which includes Windows 10 and EMS (Enterprise Mobility + Security, which in turn includes Intune device management, analytics and some Azure Active Directory capabilities). Microsoft's overall idea is to give customers an easy and safe way of managing an online productivity platform.

It is a disadvantage of an online platform that issues affecting one of the services provided as a cloud product will be faced by all users.

Referencing tweets posted by the official Microsoft account on 24 January: “We're investigating an issue where users can't access their mailboxes through multiple protocols. More details are published in the admin center under EX172491, available to your Microsoft 365 admin.”

“We’ve determined that a subset of Domain Controller infrastructure is unresponsive, resulting in user connection timeouts. We’re applying steps to mitigate the issue. More details can be found in the admin center published under EX172491.”

In response to the outages, Microsoft stated, "We've determined that there is higher than expected queuing within the authentication infrastructure, which may be the cause of impact. We're working to identify the cause of these queues and determine steps to remediate impact."

Two days later, users confirmed that the EX172491 issue had been removed altogether from Microsoft’s admin center.

100,000 Malware Distribution Websites Taken Down by Researchers Across the Globe

At the end of March 2018, a non-profit cybersecurity organization initiated a project called ‘URLhaus’ which brought researchers across the globe together with the intent of sharing URLs employed in malicious campaigns.

The project averaged 300 submissions from more than 250 security researchers, who took down around 100,000 websites involved in the distribution of malware.

It required the cooperation of the various organizations hosting the offending websites on their infrastructure, and in the process it was noticed that some of these companies did not take immediate remedial measures, which left the compromised websites active for prolonged periods.

Reportedly, remedial measures were delayed the most by Chinese hosting providers, who took a significant amount of time to respond to abuse reports and complaints about websites’ participation in malicious activity.

"The three top Chinese malware hosting networks have an average abuse desk reaction time of more than a month!" reads the report.

URLhaus witnesses an average of 4,000 to 5,000 active malware distribution sites on a day-to-day basis.

Notably, a total of 500 malware URLs were reported to ChinaNet, China Unicom and Alibaba; however, none of them took immediate remedial action, which left the compromised websites active for prolonged periods. Dissecting the durations: ChinaNet, one month and ~10 days; China Unicom, one month and 23 days; Alibaba, one month and 2 days.

On the contrary, Critical Case in Italy is reported to be the fastest of all to take appropriate measures in response to URLhaus reports; it took down 151 malicious URLs in just 22 hours. Another was Unified Layer from the U.S., which is reported to have taken down 127 malicious URLs in a short period of two and a half days. The time taken to respond varied from organization to organization, and in certain cases it extended up to three months.

West African Financial Institutions Attacked by Hackers via Living off the Land Tactics

Employing ‘living off the land’ tactics and generic malware, an unidentified hacker group is reported to have attacked financial institutions in West Africa. ‘Living off the land’ tactics make use of legitimate network administration tools or operating system features to gain unauthorized access to targets’ networks.

The hackers attacked organizations based in Equatorial Guinea, Cameroon, Ivory Coast, Congo (DR) and Ghana. Notably, the attacks date back to 2017, and the latest is reported to have occurred in December 2018.

A total of four different attack campaigns which compromised the networks of various West African financial institutions have been observed by security researchers at Symantec.

Four Variants of Attack

In the first attack campaign, hackers made use of infected Word documents which belonged to a West African bank. The victims were infected with the NanoCore malware, which was executed on victims’ devices through the Microsoft Sysinternals tool PsExec.

The second attack campaign made use of the hacking tool Mimikatz, the Cobalt Strike malware and a remote administration tool named UltraVNC.

According to the report by Symantec, the hackers employed PowerShell scripts to compromise networks in attacks probably executed in late 2017; they used Mimikatz for credential theft and UltraVNC for remote administration. Cobalt Strike was employed as a backdoor and to establish a connection with the C&C server in order to download additional payloads.

The third variant of attack involved the Remote Manipulator System RAT, the hacking tool Mimikatz and RDP (Remote Desktop Protocol). This variant targeted organizations based in Ivory Coast; the hackers stole credentials through the Remote Manipulator System RAT and Mimikatz, which allowed them to establish remote desktop connections.

The fourth variant of attack employed the Imminent Monitor RAT, a stealer which dealt with stealing information from compromised computers and downloading additional malware. It is reported to have originated in December last year.
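Living-off-the-land activity leaves traces in the ordinary Windows event logs rather than in antivirus alerts. The following is an added example (not code from Symantec or from the report) of the kind of log triage a defender would run for the PsExec and PowerShell tradecraft described above: it flags the PSEXESVC service install that PsExec leaves on a target (EventID 7045), processes spawned by that service, and PowerShell launched with an encoded or hidden-window command line (EventID 4688), decoding the encoded script for the analyst. The event records are constructed samples in a simplified dict form with invented hostnames and paths.

```python
"""Flag living-off-the-land indicators in Windows event-log records."""
import base64
import re
from typing import List, Optional, Tuple

# Constructed sample events (invented values, not telemetry from the report).
# Field names follow the Windows System/Security logs: EventID 7045 is
# "a service was installed", EventID 4688 is "a new process has been created".
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "FIN-WS-07", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4688, "Computer": "FIN-WS-07",
     "ParentProcessName": r"C:\Windows\PSEXESVC.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + base64.b64encode("Get-ChildItem C:\\Users".encode("utf-16le")).decode()},
    {"EventID": 4688, "Computer": "FIN-WS-07",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    {"EventID": 4688, "Computer": "FIN-SRV-01",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

# powershell.exe accepts abbreviations of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc\w*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (computer, rule, detail)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_lotl_indicators(events) -> List[Finding]:
    """Apply three simple rules to the events and return the matches in log order."""
    findings: List[Finding] = []
    for ev in events:
        host = ev.get("Computer", "?")
        if ev.get("EventID") == 7045:
            # PsExec installs a temporary service called PSEXESVC on the target.
            name = ev.get("ServiceName", "").upper()
            path = ev.get("ImagePath", "").upper()
            if "PSEXESVC" in name or "PSEXESVC" in path:
                findings.append((host, "psexec_service_install", ev.get("ImagePath", "")))
        elif ev.get("EventID") == 4688:
            proc = ev.get("NewProcessName", "").lower()
            parent = ev.get("ParentProcessName", "").lower()
            cmd = ev.get("CommandLine", "")
            # Anything spawned by the PsExec service was started by a remote operator.
            if parent.endswith("psexesvc.exe"):
                findings.append((host, "child_of_psexec", proc))
            if proc.endswith("powershell.exe"):
                decoded = decode_encoded_command(cmd)
                if decoded is not None:
                    # Surface the decoded script so an analyst can read it at a glance.
                    findings.append((host, "encoded_powershell", decoded))
                elif HIDDEN_FLAG.search(cmd):
                    findings.append((host, "hidden_window_powershell", cmd))
    return findings


if __name__ == "__main__":
    for host, rule, detail in find_lotl_indicators(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```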

India was the Biggest Victim in 2018’s Data Breaches – WEF’s Report

The government ID database, Aadhaar, fell victim to multiple data breaches which are reported to have compromised the records of the 1.1 billion registered citizens of the country.

In 2018, cybercrime, more threatening than ever, led to back-to-back data breaches across the world which endangered the personal records of millions of people, and India is reported to be the largest victim of those breaches.

The findings of the World Economic Forum's Global Risks Report 2019, its 14th edition, also stated the risks posed by environmental degradation; of the top five most impactful global problems this year, four are related to climate.

In 2019, geo-economic and geopolitical tensions are the most vital concerns, and 90 percent of experts anticipate further conflict among the major powers.

In January, criminals were reported to be selling access to the personal records of citizens at a cost of Rs 500 for a period of 10 minutes, while in March a leak allowed the names and ID numbers of registered citizens to be downloaded by anyone.

Other recent instances of data breaches include millions of users of Facebook and MyFitnessPal having their personal data compromised.

The World Economic Forum report outlined deteriorating international relations, which pose serious challenges, and highlighted the world's reduced ability to battle urgent crises.

Other aspects put forth by the Global Risks Report include the rapid worsening of trade disputes, deteriorating economic and geopolitical conditions and weakening international cooperation. Furthermore, the report's findings indicated further challenges to multilateral trading rules and agreements.

According to eighty-five percent of the participants in the 2019 survey, heightened risks of "political confrontations between major powers" are expected as the year progresses. Beyond the short term, environmental dangers have dominated the concerns of survey participants for over 10 years.

Referencing the statements given by Borge Brende, President, World Economic Forum: "With global trade and economic growth at risk in 2019, there is a more urgent need than ever to renew the architecture of international cooperation. What we need now is coordinated, concerted action to sustain growth and to tackle the grave threats facing our world today."

Unauthorized Sharing of Login Credentials at Halt; AI at Work

Netflix subscribers who share passwords with their family and friends will no longer be able to do so.

A UK company, Synamedia, which exhibited at the Consumer Electronics Show in Las Vegas, has developed a solution based on artificial intelligence; it is designed to help service providers, particularly content streamers, detect unlawful sharing of passwords and other information which grants illegal access to a streaming platform.

How does the solution work?

Once a streaming platform or operator grants it access to the subscriber information, the software examines the data of all customers. It takes various factors into consideration before concluding that illegal sharing of login credentials is taking place. The software is configured to discover informal sharing of login credentials among friends and family; furthermore, it can identify the more organized and criminal buying and selling of login credentials.

Other signals the software considers include the location from which the account is logged into, changes in location, the timing and duration of platform use, concurrent logins, the device on which the platform is accessed, and the type and genre of content being watched. All the aforementioned factors feed into a probability score, which indicates the likelihood of illegal credential sharing and violation of the service's terms and conditions, raising flags accordingly.

According to the reports, the company stated that severe cases of passwords being bought and sold over the internet would result in the deletion of such accounts. However, in the majority of cases, users will be advised to upgrade to a multi-user subscription, which is notably costlier than the standard one.
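The article lists the signals (location, concurrent logins, devices) but not how they combine into a probability score. The following is an added example, not Synamedia's code, of one way such a score can be built from per-account session records: overlapping sessions too far apart to be one viewer are the strongest signal (the CTO's East Coast / West Coast pattern), with smaller weights for unusual numbers of devices and locations. The weights, the 500 km threshold and the session data are constructed assumptions.

```python
"""Score streaming-account sessions for signs of credential sharing."""
from dataclasses import dataclass
from datetime import datetime
from itertools import combinations
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Session:
    account: str
    start: datetime
    end: datetime
    lat: float
    lon: float
    device: str


# Assumed thresholds and weights (tuning knobs, not values from the article).
FAR_KM = 500.0          # overlapping sessions farther apart than this cannot be one viewer
W_CONCURRENT_FAR = 0.6  # strongest signal: simultaneous viewing in distant places
W_EXTRA_DEVICE = 0.1    # per device beyond two
W_EXTRA_PLACE = 0.1     # per distinct location beyond two


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres (Earth radius 6371 km)."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def overlaps(a: Session, b: Session) -> bool:
    """True when the two sessions were active at the same moment."""
    return a.start < b.end and b.start < a.end


def sharing_score(sessions: List[Session]) -> Tuple[float, List[str]]:
    """Return (score in [0, 1], flags) for the sessions of a single account."""
    flags: List[str] = []
    far_pairs = 0
    for a, b in combinations(sessions, 2):
        if overlaps(a, b) and haversine_km(a.lat, a.lon, b.lat, b.lon) > FAR_KM:
            far_pairs += 1
    if far_pairs:
        flags.append("concurrent_distant_logins")
    devices = {s.device for s in sessions}
    # Round coordinates so that nearby logins from one household count as one place.
    places = {(round(s.lat, 1), round(s.lon, 1)) for s in sessions}
    if len(devices) > 2:
        flags.append("many_devices")
    if len(places) > 2:
        flags.append("many_locations")
    score = (W_CONCURRENT_FAR * min(far_pairs, 1)
             + W_EXTRA_DEVICE * max(0, len(devices) - 2)
             + W_EXTRA_PLACE * max(0, len(places) - 2))
    return min(1.0, round(score, 2)), flags


def score_accounts(sessions: List[Session]) -> Dict[str, Tuple[float, List[str]]]:
    """Group sessions by account and score each account separately."""
    by_account: Dict[str, List[Session]] = {}
    for s in sessions:
        by_account.setdefault(s.account, []).append(s)
    return {acct: sharing_score(ss) for acct, ss in by_account.items()}


# Constructed sample: "alice" is watched from New York and Los Angeles at the same
# time; "bob" is one household with a TV and a phone; "carol" rotates through four
# devices in three French cities on different evenings.
T = datetime
SAMPLE_SESSIONS = [
    Session("alice", T(2019, 1, 10, 20, 0), T(2019, 1, 10, 22, 0), 40.71, -74.01, "tv-1"),
    Session("alice", T(2019, 1, 10, 21, 0), T(2019, 1, 10, 23, 0), 34.05, -118.24, "phone-2"),
    Session("bob", T(2019, 1, 10, 19, 0), T(2019, 1, 10, 21, 0), 51.51, -0.13, "tv-9"),
    Session("bob", T(2019, 1, 10, 20, 0), T(2019, 1, 10, 20, 30), 51.51, -0.13, "phone-9"),
    Session("carol", T(2019, 1, 9, 18, 0), T(2019, 1, 9, 19, 0), 48.86, 2.35, "tv-3"),
    Session("carol", T(2019, 1, 10, 18, 0), T(2019, 1, 10, 19, 0), 45.76, 4.84, "phone-3"),
    Session("carol", T(2019, 1, 11, 18, 0), T(2019, 1, 11, 19, 0), 43.30, 5.37, "tablet-3"),
    Session("carol", T(2019, 1, 12, 18, 0), T(2019, 1, 12, 19, 0), 48.86, 2.35, "laptop-3"),
]

if __name__ == "__main__":
    for acct, (score, flags) in score_accounts(SAMPLE_SESSIONS).items():
        print(f"{acct}: score={score} flags={flags}")
```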

Expert’s take

Referencing the statements given by Synamedia CTO Jean-Marc Racine: “A typical pattern would be you have a subscriber that is simultaneously watching content on the East Coast and West Coast of the US.”

“That’s unlikely to be the same person.”

Weighing the financial aspects, he added, “Casual credentials’ sharing is becoming too expensive to ignore. Our new solution gives operators the ability to take action. Many casual users will be happy to pay an additional fee for a premium, shared service with a greater number of concurrent users. It’s a great way to keep honest people honest while benefiting from an incremental revenue stream.”

Chinese Hackers Pulled a Theft of $18.6 Million

The Indian subsidiary of Tecnimont SpA, headquartered in Milan, fell prey to a fraud in which $18.6 million (INR 130 crore) was stolen by a group of Chinese hackers.

Tecnimont SpA is involved in a wide array of businesses such as energy, chemicals and engineering; it operates as part of the publicly traded blue-chip Italian group Maire Tecnimont, which categorized the heist as a fraud rather than a cyber attack and refused to comment further.

According to the police complaints, the hackers sent emails to the head of Tecnimont Pvt Ltd from an email address that resembled that of CEO Pierroberto Folgiero, and manipulated local managers into believing that the money was required for an acquisition.

How did the hackers execute the theft?

Sources in Mumbai Police’s cybercrime unit indicated that the con gang from China organized a series of conference calls, ostensibly to exchange views on a secretive and highly confidential acquisition in China.

During these phone conversations, various people are reported to have played various roles, from the group CEO and top lawyer to senior executives of the company.

In doing so, the hackers convinced the Indian head that the money could not be sent from Italy because of regulatory issues. Once convinced, he transferred the money in three transactions during one week in November: $5.6 million, $9.4 million and $3.6 million.

These are the three tranches in which the money was transferred from India to Hong Kong, and it was withdrawn within a few minutes of each transfer. Immediately after, the hackers attempted a fourth transaction, but fortunately the fraud had been identified by then; it was finally unveiled during company chairman Franco Ghiringhelli’s visit to India in December. The accounts into which the money was sent had been opened using fake documents.

According to ET, the matter is being investigated by a Mumbai-based law firm and the Manhattan-based security firm Kroll. Meanwhile, MZM, a white-collar crime and dispute resolution law firm in India, is assisting the efforts.

Expert’s take

Referencing the remarks made by Zulfiquar Memon, managing partner of MZM Legal: “This is a very serious case of electronic fraud by a very highly skilled group of international criminals working with high-end technology.”

“We are working with the Mumbai Cyber Cell to investigate the matter and get to the bottom of this.”

Sourced from the statements given by Dhruv Phophalia, managing director, Alvarez & Marsal India: “In addition to masking email addresses, hackers in the past have used malware to penetrate and monitor email communications.”

“This enables them to gather information, learn writing styles and language used by a user in email communications and replicate them in the spoofed emails.”
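The lookalike CEO address in the police complaint and the "masking email addresses" that Phophalia describes are both visible in mail headers before any money moves. The following is an added example (not code from Tecnimont, Kroll, MZM or Alvarez & Marsal) of a mail-gateway check that flags three such signs: a sender domain that is a homoglyph or near-typo of the corporate domain, a display name that matches a known executive while the mailbox does not, and a Reply-To that diverts replies elsewhere. The corporate domain, executive directory and sample headers are constructed placeholders; the two-edit threshold is an assumption.

```python
"""Flag inbound mail whose sender impersonates a known executive."""
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

CORPORATE_DOMAIN = "example.com"   # assumed corporate domain (placeholder)
EXECUTIVES: Dict[str, str] = {     # constructed directory: display name -> real mailbox
    "jane doe": "jane.doe@example.com",
}
# Character substitutions that make a lookalike domain read like the real one.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
MAX_EDITS = 2   # assumed: a domain within two edits of ours counts as a lookalike


def normalise(domain: str) -> str:
    """Lower-case the domain and undo common homoglyph substitutions."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str) -> bool:
    """True for domains that imitate the corporate domain but are not it."""
    d = domain.lower()
    if d == CORPORATE_DOMAIN:
        return False
    if normalise(d) == normalise(CORPORATE_DOMAIN):
        return True
    return levenshtein(d, CORPORATE_DOMAIN) <= MAX_EDITS


def check_sender(from_header: str, reply_to: Optional[str] = None) -> List[str]:
    """Return the impersonation flags raised by a From: header (and optional Reply-To:)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    flags: List[str] = []
    if domain and is_lookalike_domain(domain):
        flags.append("lookalike_domain")
    # Display name belongs to an executive but the mailbox is not theirs.
    real_addr = EXECUTIVES.get(name.strip().lower())
    if real_addr is not None and addr != real_addr:
        flags.append("display_name_impersonation")
    # Replies silently redirected to a mailbox other than the visible sender.
    if reply_to:
        _, rt = parseaddr(reply_to)
        if rt and rt.lower() != addr:
            flags.append("reply_to_mismatch")
    return flags


# Constructed sample headers as (From, Reply-To) pairs; none are from the actual case.
SAMPLE_MESSAGES: List[Tuple[str, Optional[str]]] = [
    ('"Jane Doe" <jane.doe@example.com>', None),          # genuine
    ('"Jane Doe" <jane.doe@exarnple.com>', None),         # "rn" reads as "m"
    ('"Jane Doe" <janedoe@webmail.example.net>', None),   # executive's name, outside mailbox
    ('Accounts Payable <ap@example.com>', '<ap@examp1e.com>'),  # diverted Reply-To
]


def triage(messages: List[Tuple[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Map each From: header to the flags it raises."""
    return {frm: check_sender(frm, rt) for frm, rt in messages}


if __name__ == "__main__":
    for frm, flags in triage(SAMPLE_MESSAGES).items():
        print(f"{frm}: {flags or 'clean'}")
```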

Cloned Apps Configured to Steal Users’ Data Detected on Play Store

Security researchers at Trend Micro discovered spyware called ‘ANDROIDOS_MOBSTSPY’ which is configured to steal users’ data from their smartphones. Reportedly, people from around 200 countries fell prey to it, the majority of them Indian natives.

Before being flagged on the Google Play store, the spyware had been downloaded at least 100,000 times by Android users after it infiltrated the store via six apps. The data which the spyware can potentially compromise includes users' WhatsApp data.

Modus operandi: how do these apps steal data?

The spyware disguised itself as games and other applications available on the store and enticed users into downloading and installing the cloned apps. Once an infected app was installed and launched, it was used to steal user information. The spyware looked for an active internet connection, and as soon as it detected one, it established a connection with its command server.

After securing a connection, it transferred key device information such as manufacturer, language and registered country. It then registered the device with its server, which allowed the criminals to control the device and steal information from it remotely. The data at risk included call logs, media, personal texts and contact details stored on the device.

Besides this, users' data linked to various social media platforms such as Snapchat, Facebook and WhatsApp was also jeopardized. The researchers drew this conclusion after a scrupulous examination.

A faulty clone of Flappy Bird named ‘Flappy Birr Dog’, HZPermis Pro Arabe, Win7imulator, Win7Launcher and FlashLight are some of the applications under suspicion. Notably, Google has taken down all six malicious apps, but there is no certainty that data was not stolen, as the apps had already been downloaded over 100,000 times.