Cloud data breach Archives | Vednam (https://vednam.com/tag/cloud-data-breach/) Latest News on Cyber Security, Hacking and Tech

Ransomware target Windows and Linux again.
https://vednam.com/ransomware-target-windows-and-linux-again/ (Sat, 06 Jun 2020 05:17:54 +0000)

Another targeted campaign is being run by cyber attackers against Windows and Linux systems. It again uses the ransomware methodology, but this time in a unique style.

This ransomware, named Tycoon after a reference found in its code, has been active since December 2019 according to researchers, and this time the cybercriminals are highly selective about which users they plan to victimize. Its distinguishing technique is an uncommon deployment method that helps it stay inside the machine and the compromised network.

They appear to be targeting educational and software organizations.

Tycoon is smarter than most malware because of its unusual form: it is written in Java, deployed as a trojanized Java Runtime Environment, and compiled in the form of a Java image (JImage) file to hide the intention of the malware.

Two main methods make up this 'unique' style. First, the malware is written in Java, which requires a Java Runtime Environment to execute the code. Second, they used image files (JImage), which are rarely used by attackers.

The researchers said that this is another form of attack that uses an uncommon programming language and an obscure data format.

The initial intrusion in Tycoon attacks is not uncommon at all: it comes through insecure internet-facing RDP servers. This is a common entry point for malware campaigns, and it often exploits servers with weak or compromised passwords.

Once inside the network, the attackers maintain persistence using Image File Execution Options (IFEO) injection settings, which more often provide developers with the ability to debug software. The attackers also use their privileges to disable anti-malware software using Process Hacker, in order to stop the removal of their tools.

Once executed, the ransomware encrypts files across the network, giving them extensions including .redrum, .grinch, and .thanos, and the attackers demand a ransom in exchange for the decryption key. They ask for payment in Bitcoin and claim the price depends on how quickly the victim gets in touch by email.

The campaign is still going on, which suggests that those behind it are finding success extorting payments from victims. Tycoon could potentially be linked to another form of ransomware.

Organizations should make sure that the accounts that do need access to this portal are not using default or weak passwords, because such passwords can easily be guessed to break system security.

Remote worker are targeted by cyber criminals
https://vednam.com/remote-worker-are-targeted-by-the-cyber-criminals/ (Wed, 03 Jun 2020 13:44:09 +0000)

Cybercriminals are using trusted brand names to trick remote workers into giving up their login credentials. A few days back, the team observed that attackers are using web services to target audiences who use Microsoft Outlook and Google Docs, harvesting their data for fraud or possibly for planning bigger campaigns.

What's new

According to the report, from January 1 to April 30, 2020, Google services like file sharing and storage websites and other brand names accounted for around 65% (100,000) of form-based attacks, which make up 4% of all spear-phishing attacks in the first four months of 2020.

  1. Microsoft brands are also used for impersonation, accounting for a total of 13% of attacks: 6% for onedrive.live.com, 4% for sway.office.com, and 3% for forms.office.com.
  2. Google services are also used to victimize users; the services involved are storage.googleapis.com at around 25%, docs.google.com at around 13%, and drive.google.com at around 4%.
  3. Other sites popular for specific services are also used for impersonation attacks: sendgrid.net at around 10%, mailchimp.com at around 4%, and formcrafts.com at around 2%.

Some other brands

Meanwhile, hackers are using a variety of phishing campaigns that take advantage of COVID-19 to infect users with malware, steal credentials, scam remote workers, and steal money from organizations. Up to May 2020, attackers launched different phishing campaigns, and many users were victimized through brand impersonation.

  1. Attackers also targeted LogMeIn users by sending fake emails that directed them to a phishing site to compromise their LogMeIn login credentials.
  2. Attackers also used fake Azure AD and Microsoft 365 sign-in pages to launch phishing attacks, with tactics that were a lot more convincing.
  3. Magellan Health employees were also attacked, and client data including credentials and user IDs was stolen through malware.
  4. Zoom phishing campaigns are the latest, mimicking meeting notifications from Zoom to steal Microsoft credentials.
  5. Microsoft Teams notifications were also impersonated, with attackers sending automated notifications to steal the credentials of the relevant accounts.

How to be safe online

After all these findings, one thing to always remember: never visit an insecure website, and check the URL for basic protection. Don't respond to any mail immediately, and don't click a mail link you are not familiar with.

Million of Data leaked from Indian Payment App
https://vednam.com/million-of-data-leaked-from-indian-payment-app/ (Tue, 02 Jun 2020 04:54:10 +0000)

According to the source, a data breach has hit the mobile payment app Bharat Interface for Money (BHIM), with millions of records leaked.

This happened because BHIM failed to secure the stored data collected from users and businesses during a sign-up campaign.

On April 23, the research team at vpnMentor discovered that the data related to the campaign was publicly accessible, stored in a misconfigured Amazon Web Services S3 bucket.

This is a serious concern, because a large amount of data has been exposed, affecting millions of people all over India. The exposed data may be used for potentially devastating fraud, theft, and attacks by hackers and cybercriminals.

All the exposed data is confidential material that the BHIM app uses to open an account, such as Aadhaar cards (India's national ID card), caste certificates, professional and educational certificates, photos used as proof of residence, PAN (Permanent Account Number) cards, which are associated with income tax services, and screenshots of financial and banking apps as proof of fund transfers.

The private personal user data contained within these documents includes names, dates of birth, gender, home addresses, caste status, religion, biometric details, ID photos, fingerprint scans, and social security services.

In February 2019, around 7 million records from a dating app were exposed, and every record belonged to users under the age of 18.

After investigating further, vpnMentor's team found around 409 GB of data stored insecurely by BHIM, which operates via the website www.cscbhim.in. The bucket was traced back to BHIM because it was labeled "csc-bhim".

As the researchers mentioned, "many weeks later, we contacted CERT-In a second time". After that, the breach was closed.

This app was launched in 2016 to facilitate instant e-payments and money transfers between bank accounts via a user's smartphone. It has been downloaded around 136 million times, according to the non-profit business consortium.

Kaspersky Lab: NSA contractor Victimizes the PC
https://vednam.com/kaspersky-lab-nsa-contractor-victimizes-the-pc/ (Sat, 30 May 2020 10:59:02 +0000)

Later on, a report came from Kaspersky Lab about the suspected theft of NSA hacking tools by Russian spies from an NSA contractor's laptop, a story that was condemned by the US media.

The Moscow-headquartered vendor has been under pressure for the past few months. Reports from the Washington Post and the Wall Street Journal basically claimed that the product may be used by Russian intelligence to harvest data, potentially from PC firms.

The New York Times ran another story in the past month claiming that the Kaspersky Lab software was compromised by Kremlin hackers and used as a tool. After that, the federal bureau banned all of the company's products.

Kaspersky Lab denied the media's point and released a statement: "The media is circulating the older incidents that happened in 2015".

Now the question arises about the NSA team member who took all the classified data, and first of all how they were able to disable the Kaspersky Lab software when it detected new versions of APT malware associated with the US spy agency.

Let's go deep

The story does not end here. Before the malware was detected, the user downloaded and installed pirated software on his machine, even though this is illegal under cyber law. Pirated software carries a keygen to crack the activation, but the keygen also opens a backdoor for cyber attackers to enter the machine.

Kaspersky claims: "If malware or a keygen runs on a system with Kaspersky security enabled, it is not possible that the software will not detect it. If you want to run the keygen, you first need to disable Kaspersky security. The third-party access makes the user's machine open a backdoor, and the attacker gets an open path."


When the same user re-enabled the Kaspersky Lab software, it detected the new malicious code, which was sent to the vendor's servers for analysis. When the analyst found the suspected malicious source code, the archive was deleted from the systems and was not shared with any third party.

The company also claimed that no further detections were received from the user in 2015 and that no more incidents happened after that date, except "Duqu 2.0".

The Kaspersky Lab software never created any detection method for non-malicious documents based on keywords like "top secret" and "classified".

The main point is still in doubt: Kaspersky claimed that the incident happened in 2014, while most other reports claimed it happened in 2015.

After all this, Kaspersky Lab has put in effort to prove it is clean. The company decided to launch the Global Transparency Initiative, under which it plans to offer its source code for independent third-party review.

Google Sees High surges Hacking related to corona-virus
https://vednam.com/google-sees-high-surges-related-to-coronavirus/ (Thu, 28 May 2020 13:34:29 +0000)

According to Google's official notification, Google sent more than 1,700 warnings in April to user accounts targeted by government-backed cyber attackers, and it also warned of an increase in hacking and phishing attempts.

The cyber attackers impersonated the World Health Organization (WHO), and all of it was related to the coronavirus.

The state-backed campaigns basically target financial services, consulting, and healthcare in the UK and other countries.

Google's statement: "The cyber attackers encourage individuals or users to sign up for direct notifications from the WHO about COVID-19 related announcements, and the link the attacker hosts on the website looks similar to the real official website of the WHO."

The website typically features a fake login page that prompts potential victims to give their Google account credentials, and occasionally encourages the victim to give other personal information, mainly cell phone numbers.

The WHO and other organizations at the center of the global effort to contain the coronavirus have come under digital bombardment by cyber attackers seeking information.

[Image: Google Sees High surges related to coronavirus. Credit: Alphabet]

According to the Google blog: "Since March, we've removed more than a thousand YouTube channels that we believe to be part of a large campaign and that were behaving in a coordinated manner".

In April, GCHQ warned that cybercriminals are taking advantage of anxiety about the coronavirus outbreak.

The intelligence and security agency said that cyber attackers are using fake emails purporting to be from popular video conferencing services like Microsoft Teams and Zoom.

The main intention of the cyber attackers is to learn the victim's activities, exploit the number of people who are working from home, and probe for vulnerabilities in remote working software. The exploitation is done under the cover of health organizations.

Google warns people to be aware of such emails and to stop taking quick action without knowing the website. Please verify before sharing details.

8 billion Thai internet records leaked!
https://vednam.com/8-billion-thai-internet-records-leaked/ (Tue, 26 May 2020 06:04:55 +0000)

From the source: it started on 7 May, and it took until May 22 to secure the database. Cyber experts discovered an exposed Elasticsearch database while browsing BinaryEdge and Shodan. The leaked database appeared to be under the control of a Thailand-based mobile network operator, mainly known as Advanced Info Service (AIS).

Digging deeper, AIS is Thailand's largest GSM mobile network, with almost "40.23 million customers" as of 2018. The database is maintained and controlled by the subsidiary Advanced Wireless Network (AWN). It holds a combination of DNS query logs and NetFlow logs that appear to belong to AWN customers. With all this data, it is easy to build a track of a user's internet surfing. After this information came out, Thailand's national CERT team (ThaiCERT) took action, contacted AIS, and secured the database.

 

What is AWN?

According to the source, AWN is a provider of wired as well as wireless network services and a telecommunication network provider. The company started in 2005, according to its website. AWN is a subsidiary of Advanced Info Service (AIS).

AWN's network connects directly with AIS, which is its only upstream peer. When ThaiCERT contacted AIS about the exposed database, the database went offline.

 

[Image: 8 billion Thai internet records leaked!]

When did that data leak start?

Based on the source story, the data was first seen on May 1 and then again after May 7, 2020. A single server was left exposed on the internet without any authentication. AIS has been notified about the exposed database.

How Much Data Leaked?

Overall, it amounts to 8.3 billion documents, around 4.7 terabytes of data. On May 21, 2020, 8,336,189,132 documents were stored in the database, containing NetFlow data and DNS query logs. When they found it, it had logged for only roughly 8 days, but why?

 

Why they stopped logging after 8 days is still an open question. The team's perception is that they got more data than they intended to capture. Forensics says they logged roughly 2,538 DNS queries per second for that period of time.

What do they get from data?

A lot of information can come out if someone really follows the documents and data. They basically know every query you generated on the internet, and from that they are also able to learn your personal information.

Based on the DNS queries, it may be possible to identify a person's whole profile, because DNS captures information about the machine and its queries. For example:

  • They know if you use an Android TV connected to the internet.
  • They know if you use Apple devices connected to the internet.
  • They know if you use Windows devices, and which software you use with cloud connectivity.
  • They know which antivirus you use.
  • They even know which social media accounts you use.
  • They can even read your Google Chrome or other browser saved information and history.

 
