Hacking News Archives | Vednam
https://vednam.com/category/hacking-news/
Latest News on Cyber Security, Hacking and Tech

Donot APT delivers Android malware via messaging apps
Mon, 24 Apr 2023 15:36:56 +0000

The Donot APT (Advanced Persistent Threat) group has been active since at least 2019 and has been known to target government agencies in the Middle East. Recently, researchers at Lookout discovered that the group has developed new malware that targets Android devices through messaging apps.

The malware, named “Mandrake,” is designed to steal sensitive information from victims, including messages, call logs, contacts, and more. The malware is spread through WhatsApp and Telegram, two popular messaging apps used by millions of people worldwide.

According to Lookout’s researchers, Mandrake works by posing as an innocuous file that is shared through a messaging app. When a victim clicks on the file, Mandrake silently installs itself on the victim’s device, without the victim’s knowledge. The malware then begins to collect data from the victim’s device and sends it back to the attacker’s command-and-control (C&C) server.

What makes Mandrake particularly dangerous is its ability to evade detection by most antivirus programs. The malware is designed to remain dormant until it detects that it is being analyzed by an antivirus program. Once it detects this, it will delete itself from the victim’s device, leaving no trace behind.

The Donot APT group has been known to use sophisticated techniques to evade detection and infiltrate their targets. Mandrake is just the latest example of their capabilities. The group has also been known to use social engineering tactics, such as posing as job recruiters or creating fake social media profiles, to gain access to their targets.

To protect yourself from Mandrake and other malware like it, it is important to take some basic security measures. First, be cautious when clicking on links or downloading files from unknown sources, especially through messaging apps. Second, keep your antivirus software up-to-date and perform regular scans of your device. Third, avoid sharing sensitive information, such as passwords or financial information, through messaging apps or other unsecured channels.

In conclusion, the Donot APT group’s development of Mandrake is a reminder that even seemingly harmless messaging apps can be used to spread dangerous malware. It is important to remain vigilant and take necessary precautions to protect your device and sensitive information from cyber threats.

Hacker stole early Grand Theft Auto VI footage, Rockstar Games confirms
Sun, 19 Mar 2023 05:30:26 +0000

Rockstar Games confirmed on Monday that a hacker stole early Grand Theft Auto VI footage, describing a “network intrusion” that allowed a third party to illegally download early footage of Grand Theft Auto VI.

The leaked data consists of 90 video clips from the game, posted over the weekend on GTA forums by a user with the alias “Teapotuberhacker,” a name hinting that the same party was responsible for the recent Uber breach.

“At this time, we do not anticipate any disruption to our live game services nor any long-term effect on the development of our ongoing projects,” the company said in a notice shared on its social media handles.

The company also said the third party accessed confidential information from its systems, although it is not immediately clear whether any data beyond the game footage was involved.

The Uber hacker, known by the name “TeaPot,” is believed to be an 18-year-old; no further information has been found yet.

Teapotuberhacker said in one of the forum messages that “these videos were downloaded from Slack.” This likely means the threat actor resorted to the same MFA bombing methods to get past extra account security layers.

The leaker also posted a negotiation offer to the company, saying “I will leak more if Rockstar/Take2 doesn’t pay me,” according to conversations reported in the media.

U.S. Marshals Service Hacked!
Sun, 19 Mar 2023 05:26:45 +0000

The U.S. Marshals Service (USMS) has confirmed a compromise of sensitive data and is tracking the culprit behind the act.

The United States Marshals Service (USMS) is a bureau of the Department of Justice and part of the federal justice system. The federal law enforcement agency has confirmed that the recently stolen data contains personally identifiable information of its employees. The agency has alerted all employees whose data was compromised and asked them to be extra vigilant with their personal information.

According to an NBC report, the agency confirmed that the recently stolen data includes personally identifiable information of its employees, and senior officials have told staff to be very attentive to their personal information.

The USMS has issued a notice and opened an investigation into the culprits behind the incident. It has also taken all affected systems offline to stop the attacker from taking further action.

What Was Really Hacked?

The affected data spans personal, professional, government, public and financial information, including:

  • Returns from legal process
  • PII related to USMS investigations
  • PII related to third parties
  • PII related to USMS employees
  • Administrative information

The USMS Witness Security File Information System was not accessed by the attackers, meaning they were unable to establish any access to that system.

The breach therefore did not endanger anyone in the witness protection program.

The compromised data is a serious concern, since the documents involved are essential and must not be disclosed publicly for safety reasons.

The U.S. Marshals Service takes this data compromise seriously and is taking all necessary steps to prevent another breach and protect its sensitive information.

The agency has put alternative working arrangements in place until the system is recovered. The service will be back online and operational once all data has been restored and verified as safe.

Exposing 185M+ Indian Personal Information: You Could Be Next
Sun, 19 Mar 2023 05:24:29 +0000

Bad news for all Indian driving licence holders: their data was exposed from an official government website due to several serious vulnerabilities. After the news highlighted this issue, I found a blog post which clearly explains how it happened.

On Feb 20, student and cybersecurity researcher Robin Justin posted a blog detailing vulnerabilities affecting Sarathi Parivahan (the website where Indian citizens apply for driving licences and other RTO services), which operates under India’s Ministry of Road Transport and Highways.

The portal allows citizens to apply for a learner’s driving licence. When the researcher ran into problems with his own application, he went to the RTO, which told him there were some issues that would be resolved soon.

What was the Issue?

The researcher found that authenticating to any application requires the application number and date of birth. However, an endpoint intended to check application status was flawed: an attacker could supply an arbitrary application number and learn the associated applicant’s date of birth, address, name and driving licence number, and even pull the individual’s photo.

Exploring further, Justin found a second vulnerability that required only a phone number and the applicant’s date of birth to obtain the applicant’s application number.

The third vulnerability was a feature on the public domain that should have been restricted to administrators. It allowed the researcher to access documents uploaded by any applicant.

He concluded: “This may impact the personal information of any individual who ever applied for or was issued a licence from Sarathi Parivahan. The application number can be retrieved by entering a mobile number and date of birth; with the application number and date of birth you can then access the data the applicant uploaded on https://parivahan.gov.in/parivahan/, including personal data such as name, Aadhaar number, and all the documents uploaded.”

This Is Not the End of the Problem

The whole scenario was reported to CERT-In (Computer Emergency Response Team, India), with no response. The researcher then reached the main issue: a poorly secured one-time password (OTP) system for a sysadmin account.

He managed to log in to the portal with the administrator account, which granted him access to view applicants and their documents. The researcher also had the option to process applications without any in-person verification checks, approve requests to change licence information, and access the PII of government staff working in regional transport offices.

The main issue is that anyone with this level of knowledge could obtain the Aadhaar card and passport information of the 185 million+ applicants who hold an Indian driving licence, and could generate as many driving licences as they wanted without anyone knowing.

What Happened After Reporting

Justin first emailed CERT-In in Nov 2022 but never received a response; on Dec 5, 2022 he wrote to the officials again about the issue.

Finally, on Jan 25, 2023, he received the welcome email confirming the vulnerabilities had been resolved.

Lucifer Malware: Windows Vulnerabilities for Cryptomining
Tue, 30 Jun 2020 12:04:33 +0000

In the news: the Lucifer malware leverages Windows vulnerabilities for cryptomining and DDoS attacks by the threat actor.

As cryptomining has grown in popularity as a source of revenue, various threat actors have attempted illegitimate mining on their victims’ infrastructure, alongside several other parallel malicious activities. Recently, a single piece of malware was used to target victims for both cryptomining and DDoS attacks.

The Whole Campaign

Palo Alto Networks’ Unit 42 team said it has identified two versions of the Lucifer malware, which take advantage of known vulnerabilities to infiltrate target systems and perform malicious activities.

  • The self-propagating hybrid malware variant, dubbed Lucifer, leverages known vulnerabilities to spread and perform malicious activities such as cryptojacking and distributed denial-of-service (DDoS) attacks.
  • Lucifer targets Rejetto HTTP File Server (CVE-2017-6287), Microsoft Windows (CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464), Oracle WebLogic (CVE-2017-10271), Apache Struts (CVE-2017-9791), ThinkPHP RCE (CVE-2018-20062) and Laravel Framework (CVE-2019-9081).
  • After brute-forcing credentials, the malware drops the XMRig miner to cryptojack Monero, and it uses the EternalBlue, EternalRomance and DoublePulsar backdoor exploits against vulnerable targets for internet infections.

Cryptojacking Campaigns

Cryptojacking is on the rise, and hackers are frequently compromising computer resources for cryptomining.

  • In May 2020, a Monero-mining campaign called Blue Mockingbird exploited a deserialization vulnerability (CVE-2019-18935) in unpatched versions of Telerik UI for ASP.NET. It deployed the XMRig Monero-mining payload as a dynamic-link library on Windows systems.
  • The VictoryGate botnet used USB drives as its propagation mechanism and deployed auto and XMRig on infected machines for cryptomining.

What We Need to Do

Apply updates and patches for all deployed software, firmware and operating systems as soon as possible. Users should also use browser extensions that block cryptominers across the web, together with a trusted ad-blocker that detects and blocks malicious cryptomining code embedded in online ads.

Thousands of Printers Exposed Online leaking WiFi SSIDs
Mon, 29 Jun 2020 09:30:39 +0000

According to the news, thousands of printers exposed online are leaking their WiFi SSIDs and other data. Tens of thousands of printers are exposed online, opening the door for attackers to steal sensitive information, disrupt service and, in some cases, execute commands remotely.

The Shadowserver Foundation, a non-profit security organization, analyzes malicious Internet activity, particularly involving IoT.

It is also part of a project called VARIoT (Vulnerability and Attack Repository for IoT), whose ultimate goal is to provide actionable security-related information about the Internet of Things (IoT).

Exposed Online

The organization, which monitors these kinds of issues, scans for online printers over TCP port 631. It started regular scanning of the roughly 4 billion routable IPv4 addresses on the 5th of June 2020 and added open IPP reporting to its daily public-benefit network reports on the 8th of June 2020.

The scan indicates that an average of 80,000 printers are exposed online via IPP (Internet Printing Protocol) on a daily basis; they were able to query those printers with the IPP Get-Printer-Attributes request.

[Image: printer exposed]

IPP (Internet Printing Protocol) is a service that listens on port 631/TCP. If an attacker can connect to the device, it may disclose information, allow manipulation of print jobs and, in some cases, enable remote code execution.

Some printers sit behind a firewall while others are directly exposed to the internet; the Shadowserver Foundation provides a country-wise breakdown.

The top affected countries are South Korea (36.3k), United States (7.9k), Taiwan (6.7k), France (2.8k) and others.

[Image: printer exposed 2]

On the 7th of June 2020, 79,174 devices were exposed, of which %8,091 devices were running CUPS, the open-source printing system developed by Apple Inc., which runs on macOS and other UNIX-like operating systems.

“Out of roughly 80,000 exposed services, a large percentage returned additional printer information attributes such as printer names, locations, models, firmware versions, organizational units, and even printer WiFi SSIDs.”

Overall, exposing a printer online without any firewall invites serious attacks, since it can be used as a gateway to propagate further into the network.

WikiLeaks owner charged for involvement in conspiracy
Sun, 28 Jun 2020 13:51:53 +0000

According to reports in various media, the United States government has filed a superseding indictment against WikiLeaks founder Julian Assange, accusing him of conspiring with computer hackers, including those affiliated with the infamous LulzSec and “Anonymous” hacking groups.

The new superseding indictment does not contain any additional charges beyond the prior 18-count indictment filed against Assange in May 2019, but it does “broaden the scope of the conspiracy surrounding alleged computer intrusions with which Assange was previously charged,” the DoJ said.

In May 2019, Assange was charged with 18 counts under the U.S. Espionage Act for unlawfully publishing classified and diplomatic documents on his WikiLeaks website in 2010, documents obtained from former Army intelligence analyst Chelsea Manning.

Assange is alleged to have obtained the classified documents by conspiring with Manning to crack a password hash for a classified U.S. Department of Defense computer.

According to the new superseding indictment unsealed Wednesday [PDF], Assange and others at WikiLeaks also recruited hackers at conferences in Europe and Asia and conspired with them to commit computer intrusions to benefit WikiLeaks.

In the early days of WikiLeaks, Assange spoke at conferences about his own past activities as a “famous teenage hacker in Australia” and encouraged others to hack and obtain information for WikiLeaks.

In 2009, for instance, Assange told the Hacking at Random conference that WikiLeaks had obtained nonpublic documents from the Congressional Research Service by exploiting “a small vulnerability” inside the document distribution system of the United States Congress, and then asserted that “this is what any one of you would find if you were actually looking.”

The indictment also accuses Assange of gaining unauthorized access to a government computer system of a NATO country (NATO has 30 member states from North America and Europe) in 2010.

Assange also communicated directly with the leader of the hacking group LulzSec (who was by then cooperating with the FBI), in exchanges where a list of targets to hack was requested.

“With respect to one target, Assange asked the LulzSec leader to look for databases, documents, PDFs and mail that WikiLeaks could publish. In another communication, Assange also told the LulzSec chief that the materials it most wanted released and exposed would be from the CIA, NSA or the New York Times,” the DoJ said.

According to the threat actor, Assange indirectly asked him to spam the victim company again. Assange also obtained and published on WikiLeaks the emails from a data breach committed against a U.S. intelligence consulting company by hackers associated with “Anonymous” and LulzSec.

Assange was arrested in April 2019 in London after Ecuador withdrew his asylum, and was later sentenced to 50 weeks in a U.K. prison for breaching bail conditions in 2012.

The 48-year-old is currently in prison in the U.K. and still awaiting possible extradition to the United States.

If convicted on all counts, Assange could face a total maximum sentence of 175 years in U.S. prison for his alleged role in one of the largest compromises of classified information in the history of the United States.

Russian Hacker Evil Corp Group targets US workers at home
Sat, 27 Jun 2020 19:54:17 +0000

Let’s talk about the Russian hacker group launching ransomware attacks against a number of US companies, targeting employees who are working from home during the pandemic.

Ransomware attacks are on the rise these days, and the threat actors work with such dedication that everyone needs to be aware; next time it could be you.

The Russian hacker group Evil Corp has accessed the networks of at least 31 organizations in order to cripple systems and demand millions of dollars in ransom.

The US Justice Department indicted its two alleged leaders in December 2019.

As the BBC reported, last year US authorities filed charges against Evil Corp’s alleged leaders Maksim Yakubets and Igor Turashev, who are accused of using malware to steal millions of dollars from over 40 organizations, including schools and religious organizations.

The authorities pursuing them also announced a $5m reward for information leading to their arrest, the largest amount ever offered for a cyber-criminal.

[Image: Russian hacker]

According to a Gallup poll, around 62% of Americans were working from home during the pandemic while continuing to support their companies or families.

With the US election just a month away, federal and local officials have been putting strict measures in place to protect voter records and manage safe voting practices amid the pandemic.

Attack Analysis

Symantec Corporation, which monitors corporate and government networks, released a threat warning on Thursday night after identifying the attacks.

Symantec described the attacks as using a relatively new type of ransomware called WastedLocker, which it attributed to Evil Corp.

Ransomware is malware that threatens victims that their files will be deleted if they don’t pay. WastedLocker demands ransoms of around $500,000 to $1m before it will unlock the files it has seized.

Symantec also said the “vast majority of targets are major corporations, including many household names,” and that the main targets are Fortune 500 companies.

Almost all the companies attacked are US-based, with the exception of one that is foreign-owned.

According to Symantec, the Russian hackers had breached these companies’ networks and were “laying the groundwork” for future ransomware attacks that would let them block access to data and demand millions of dollars.

The New York Times also reported that “the Russian hackers are taking advantage of employees now using virtual private networks (VPNs) to access work systems.”

The hackers use VPN connections to identify which company a user works for, and infect the user’s computer when they visit a public or commercial site. Once the user then connects to the corporate network, the Russian hackers can attack.

New Ransomware Attacks: Android Devices are under threat
Sat, 27 Jun 2020 06:42:10 +0000

A new ransomware attack on Android devices encrypts photos and videos while posing as a COVID-19 tracing application.

The new ransomware has hit Android users, particularly in Canada, by posing as an official COVID-19 tracing app from Health Canada.

The CryCryptor ransomware used in this campaign is based on open-source ransomware published in June 2020.

The campaign started after the Canadian government announced its official tracing app. According to the source, the app is still in the testing phase and is expected to go live next month.

Malicious Ransomware

Security researchers from ESET observed that the malicious COVID-19 tracing app is distributed through two third-party websites and not through Google Play.

Once the malicious app launches on the device, it requests access to the device’s files; once permission is granted, it encrypts files with certain extensions.

The extensions include txt, jpg, bmp, png, pdf, docx, ppt, pptx, avi, xls, vcf and db files.

The ransomware encrypts files but does not lock the device; it leaves a “readme” file in every directory containing encrypted files, with the threat actor’s email address.

ESET researchers also shared the good news that a decryption tool is available: a bug in the malicious app allowed them to create it.

 

 

Found this article informative? Follow Vednam on Facebook, Twitter, Mix, Tumbler, and Linkedin to know more exclusive content we post.


Botnet Satori creator arrested, imprisoned for 13 months https://vednam.com/botnet-satori-creator-arrested/ https://vednam.com/botnet-satori-creator-arrested/#respond Fri, 26 Jun 2020 18:38:27 +0000 https://vednam.com/?p=1037 The creator of the Satori botnet has been sentenced to prison for compromising thousands of devices. A young man of around 22 years has been caught and sentenced to more than a year in prison for developing Mirai botnet variants that compromised thousands of devices all over the world. The man named […]

The post Botnet Satori creator arrested, imprisoned for 13 months appeared first on Vednam.

The creator of the Satori botnet has been sentenced to prison for compromising thousands of devices.

A young man of around 22 years has been caught and sentenced to more than a year in prison for developing Mirai botnet variants that compromised thousands of devices all over the world.

The man, named “Kenneth Curran Schuchman”, from Vancouver, was sentenced to 13 months in prison after pleading guilty to creating and operating the Satori, Masuta, and Tsunami botnets. The botnets are considered “successors” to Mirai, as they reuse the source code of that infamous botnet.

Schuchman added features to the botnets over time, so that they grew even more “complex and effective,” according to the Department of Justice (DoJ) on Thursday.

He used the botnets to facilitate DDoS attacks, which, as the DoJ described, occur when multiple computers acting in unison flood a target with traffic to prevent it from being able to access the internet.

Two of Schuchman’s criminal associates have also been charged for their involvement in developing and operating these botnets, which were used to conduct distributed denial-of-service (DDoS) attacks, according to the DoJ.

The associates are Aaron Sterritt, a U.K. national, and Logan Shwydiuk, a Canadian national.

Schuchman was engaged in criminal botnet activity from at least August 2017, during which time he both rented out the internet-of-things (IoT) botnets and operated them himself. Following his arrest in August 2018, he continued to engage in criminal botnet activity, violating several other conditions of his pretrial release, the DoJ said.

Satori was first identified by Check Point researchers in November 201. In December 2017, researchers at Qihoo 360 Netlab said Satori had infected more than 280,000 IP addresses in just 12 hours and had gained control over 500,000 to 700,000 IoT devices.

In December 2017, the research team identified a vulnerability in a Huawei home router model that was being exploited to spread Satori Ikiru.

In 2018, the researchers linked the hacker behind the Satori botnet to another botnet family.

In 2016, the DDoS attack that targeted DNS providers caused widespread damage to many websites; Twitter, Spotify, and Netflix were affected for an hour.

Mirai variants continue to affect DNS providers, the financial sector, and enterprise companies.

Botnet activity continues as IoT devices hit the market and DDoS attacks grow. On June 21, Akamai said it had mitigated the largest packets-per-second (PPS) DDoS attack ever recorded. The attack generated 809 million packets per second (Mpps) and targeted a large number of banks in Europe.


