Call of Duty: Warzone cheat programs were disguised by remote-access trojan (RAT) malware, according to a warning issued by Activision.
Threat actors are targeting popular cheating sites to circulate the masqueraded cheats across the users. While this "newbie-friendly" strategy that explicitly shows how to circulate this malware through convincing it to be a video game cheat to the users of Call of Duty: Warzone was posted in a hacking forum back in March for the first time, as per the **[Activision](https://research.activision.com/publications/2021/03/cheating-cheaters-malware-delivered-as-call-of-duty-cheats)** warning.



***“It is common practice when configuring a cheat program to run it with the highest system privileges, ”*** Activision reported. 

***“Guides for cheats will typically ask users to disable or uninstall antivirus software and host firewalls, disable kernel code-signing, etc.”***

Now for those who are not familiar with the team, 'cheats' are a program that creates interference with the in-game activities or players' interactions that leads to additional advantages that may seem to be unfair to their opponents. However, they are often banned from being utilized by the official creators of the game. 


![COD-fake-cheat-ad](https://sb-cms.s3.ap-south-1.amazonaws.com/COD-fake-cheat-ad_d80cd8fa0d/COD-fake-cheat-ad_COD-fake-cheat-ad_d80cd8fa0d.png)





###  **IDENTIFIED AS DROPPER**





“COD-Dropper v0.1.” is the name of the malware that the researchers eventually identified.


***“Instead of malicious actors putting in hours of work creating complicated mitigation bypasses or leveraging existing exploits – they can instead work to create convincing cheat advertisements, which is priced competitively, could potentially get some attention,"*** Activision’s report added. 


***“In December 2020, the dropper was also included in a ‘black hat’ tutorial aimed at ‘noobies’ looking to make some easy money.”***

Moreover, the Activision report also pinpoints that cheat forums filter out any malicious activities, which means the threat actors might have maintained a low profile to keep from getting booted.


***“This advertisement did not appear to be particularly clever or take much effort, but still had people replying, asking if anyone had tried it before being removed a day later, ”*** the report said.


Additionally, the threat actor behind injecting this malware posted the entire malware file to set up the attack, which gained over 10,000 views and 260 replies. Besides, it was later followed up by further instruction in the post's comment along with a video tutorial link that redirects to a YouTube video that has over 5,000 views. 



***“In likely a further attempt to scam people, the description also offered a private version of the cheat for a $10 BTC payment, ”*** the report added.


![COD-youtube-](https://sb-cms.s3.ap-south-1.amazonaws.com/COD-youtube-_937b7931bb/COD-youtube-_COD-youtube-_937b7931bb.png)


Here these comments indicate that the members of the hacking forum did try out and download the tool.

Following YouTube video pushing, the same malware showed up last August, with a direct link to infect the user, which had received 376 views, Activision added.

Activision also illustrated that manipulating the game players into downloading the software wasn't a heavy lift.

***“While this method is rather simplistic, it is ultimately a social-engineering technique that leverages the willingness of its target (players that want to cheat) to voluntarily lower their security protections and ignore warnings about running potentially malicious software, ”*** Activision added.








##CALL OF DUTY UNDER ATTACK BY MALICIOUS 







While it is a RAT that allows the threat actors to gain full access to the victim's device but it is also a dropper that can be customizable in installing other malicious code on the victim's device, as the observed dropper in this attack is a .NET app that implores the target to agree in allowing the bug admin privilege post successful downloading.

***“Once the payload has been saved to disk, the application creates a VBScript named ‘CheatEngine.VBS,'”*** according to the report. 


***“It then starts the ‘CheatEngine.exe’ process and deletes the ‘CheatEngine.exe’ executable. The creator/generator is a .NET executable that contains the dropper .NET executable as a resource object.”***

If the victim clicks on **“:: Build::, the application inspects the ‘COD_bin’ object with the ‘dnlib’ .NET assembly library, it replaces the URL placeholder named ‘[[URL]]’ with the provided URL and saves the ‘COD_bin’ resource under a new filename, ”** according to the analysis.



**“The video gaming industry is a popular target for various threat actors, ”**
Activision said.
***“Players, as well as studios and publishers themselves, are at risk for both opportunistic and targeted cyberattacks – tactics range from leveraging fake APKs of popular mobile games to compromising accounts for resale. Even [advanced persistent threat] actors have been known to target the video-gaming industry.”***


The Call of Duty: Warzone incident surfaced on the same day that the Talos security team of Cisco **[published](https://blog.talosintelligence.com/2021/03/cheating-cheater-how-adversaries-are.html?m=1)** a new malware campaign targeting gamers who use cheats.


These malicious cheats were previously utilized by unknown cryptor tools that deterred antivirus programs from detecting the payload. Talos didn’t identify the game titles that were targeted.






Call of Duty cheats turned out to be RAT malware and dropper, threat actor posted in a hacking forum

Call of Duty cheats revealed as RAT malware & Dropper

While talking about online safety Cyber Attack pops in many people's minds being the most common intimidation across the internet. And why it shouldn't be, as it often remains to be inevitable, leaving the netizens at stake. The ever-evolving threat landscape has grown to be even more sophisticated. So do the attack vectors that cybercriminals leverage to gain unauthorized access to any system or network, making it way more challenging to implement targeted cybersecurity solutions without quickly becoming obsolete. 
 
This translates to staying ahead of any threat actors; enterprises and individuals also need to have a comprehensive awareness of prevalent cyber-attacks. And without that, preventive policies targeting the attacks won't be effective enough any longer, resulting in ballooning the cost of tackling cybercrime and its associated repercussions. As much as 50% of all cyberattacks target small businesses, costing over $200,000, which is fairly enough to jeopardize less-established companies out of business.

 

The significance of threat identification has never been easily exposed from a cybersecurity perspective in finding out the fundamental nature of posing a critical risk to an organization or personal life, making it circumstantially prone to formulating the ultimate enterprise-grade cybersecurity strategy in safeguarding against any abnormalities. 
This will ensure the effectiveness of the preventive measures and the allowance for better cybersecurity management on purpose. But it is also equally important to educate about the same in helping to develop substantial compatibility with the cybersecurity strategies and resources adopted by enterprises or individuals.

 

Understanding the cyber attacks and the different techniques cyber criminals employ to execute them can go a long way in establishing appropriate security frameworks. While there are several different ways to infiltrate an IT system, most cyber-attacks rely on similar techniques.

 

This proactive approach to internalizing application security is essential in defending enterprises from underlying threats & vulnerabilities of cyberattacks and maintaining business revenue with unwavering user loyalty.

 

#### **Cyber Attack**

 

A conscious attempt to maliciously exploit anyone through leveraging the underlying loopholes laid across in their interconnected IT system or network to a various extent depending upon the technology with the involvement of sophisticated resources and skills resulting in a compromised system or network, data breach, the infected system can be considered as a scenario of Cyber Attack.

 

#### **Categorical Explanation Of Cyber Attacker**

 

Cyberattack is mostly executed for malicious purpose, as the attackers may use several tools and techniques to perpetuate the cyberattack. Depending on their intent and the end objective, cyber attackers can be roughly grouped into:

 

**Cyber-Criminals**

 

This is classified based on individuals who primarily target organization information, customer data, or other critical data and monetize it on the dark web. They make use of sophisticated tools and techniques, use computer/mobile devices as a medium to perpetrate intelligent, hard-to-discover malicious cyberattacks.

 

**Hacktivists**

 

This is often classified as a prolific group having a non-financial agenda to propagate. They may perform an attack to reinforce their belief system, which could be political agenda, religious ideology, or a cause they want to be made known through their digital malfeasance. Depending on the political beliefs, they can be described as progressive, ethical, or plain disruptions, among other categories.

 

**State-Sponsored Attackers**

 

This is classified as cyberattacks targeted at a particular country to destabilize its social, economic, or military administration through the support of the country of their origin. They could perpetrate lone wolf attacks as well, showing allegiance to a particular state.

 

**Insider Threats**

 

Originate from employees, contractors, third-party affiliates of an organization and are hard to detect and prevent because of the trust factor involved. These attacks could be either malicious, accidental, or carried out due to pure negligence.

 

Although there are a plethora of ways to execute Cyber Attacks, However, here is some notable compilation of salient techniques that pretty much every user should be familiar with to remain vigilant against any cyber threats:

 

#### **Social Engineering**

 

![Social-Engineering](https://sb-cms.s3.ap-south-1.amazonaws.com/Social-Engineering_c79980af5d/Social-Engineering_Social-Engineering_c79980af5d.png)

 

Social engineering is an umbrella term for a wide spectrum of disruptive practices in cybersecurity. To convince or manipulate people into doing such acts or obtain valuable information, cybercriminals use social engineering. In order to hijack accounts, impersonate characters, make fake payments, and more, they carry out these kinds of assaults.

 

The multiple types of attacks involving social engineering include:

 

**Phishing**: It is one of the most exploited social engineering attacks, where attackers send clickable links to malicious emails, enticing WhatsApp forwards, social media messages, and text messages.

 

**Spear Phishing**: Spear phishing is an email attack focused on customized ed, much like phishing.

 

**Vishing**: Often referred to as voice phishing, it includes scammers sending phone calls or leaving voice messages to mislead citizens into sharing confidential details.

 

**Baiting**: The intruder baits a person into doing the desired action in exchange for something, as the name implies.

 

**Quid Pro Quo**: Also known as a "something for something" attack where, in return for sensitive knowledge or resources, hackers provide free assistance or service.

 

**Pretexting**: To establish trust with end-users, the attacker impersonates a co-worker. The scammer appears to be highly influential and sends an email demanding tend-users to reveal vital business details.

 

**Tailgating**: The perpetrator secretly follows an approved person without knowing that person is breaching a protected area.

 

#### **Salami Slicing Attack**

 

![Salami-Slicing-Attack](https://sb-cms.s3.ap-south-1.amazonaws.com/Salami-Slicing-Attack_0e3edd63aa/Salami-Slicing-Attack_Salami-Slicing-Attack_0e3edd63aa.png)

 

A “salami-slicing attack” or “salami fraud” is a technique leveraged by threat actors to extort financial assets or bit-sized resources at a time, avoiding any noticeable difference in the overall size. The threat actors manage to get away with these little pieces from many resources and thus accumulate a considerable amount over a while. The essence of this method is the failure to detect misappropriation. The most classic approach is the “collect-the-roundoff” technique. Most calculations are carried out in a particular currency and are rounded off up to the nearest number about half the time and down the rest of the time. If a programmer decides to collect these excess fractions of rupees to a separate account, no net loss to the system seems apparent. This is done by carefully transferring the funds into the perpetrator’s account. Attackers insert a program into the system to automatically carry out the task. Logic bombs may also be employed by unsatisfied greedy employees who exploit their network's know-how and privileged access to the system. In this technique, the criminal programs the arithmetic calculators to automatically modify data, such as interest calculations. Stealing money electronically is the most common use of the salami-slicing technique, but it’s not restricted to money laundering.

 

The salami technique can also be applied to gather little information to deduce an organization's overall picture.

 

This act of distributed information gathering may be against an individual or an organization. Data can be collected from websites, advertisements, documents collected from trash cans, and the like, gradually building up a whole database of actual intelligence about the target. Since misappropriation is just below the threshold of perception, we need to be more vigilant. Careful examination of our assets, transactions, and every other dealing, including sharing confidential information with others, might help reduce the chances of an attack by this method.

 

#### **Data Diddling**

 

![Data-Diddling](https://sb-cms.s3.ap-south-1.amazonaws.com/Data-Diddling_4ceea37b8b/Data-Diddling_Data-Diddling_4ceea37b8b.png)

 

The unauthorized data alteration before or during entry into a computer system and then changing it back after processing is called Data Diddling. While using this technique, the threat actor may modify the expected output and is challenging to track. In translated terms, the original information to be entered is changed, either by a person typing in the data, a virus that's programmed to change the data, the programmer of the database or application, or anyone else involved in the process of creating, recording, encoding, examining, checking, converting or transmitting data.

 

This is one of the simplest methods of committing a cyber-related crime because even a computer amateur can do it. Despite this being an effortless task, it can have detrimental effects. For example, a person responsible for accounting may change data about themselves or a friend or relative showing that they're paid in full. By altering or failing to enter the information, they're able to steal from the enterprise. Other examples include forging or counterfeiting documents and exchanging valid computer tapes or cards with prepared replacements. Electricity boards in India have been victims of data diddling by computer criminals when private parties computerized their systems.

 

#### **Web Jacking**

 

![Web-Jacking](https://sb-cms.s3.ap-south-1.amazonaws.com/Web-Jacking_406e564510/Web-Jacking_Web-Jacking_406e564510.png)

 

Web jacking derives its name from "hijacking." Here, the hacker takes control of a website fraudulently. He may change the original site's content and redirect the user to another fake similar-looking page controlled by him. The website owner retains it, and the attacker may use the website for his selfish intentions. Cases have been reported where the attacker has asked for a ransom and even published obscene material on the site.

 

The web jacking method attack may be used to create a website clone and present the victim with the new link saying that it has moved. Unlike usual phishing methods, when you hover your cursor over the link provided, the URL presented will be the original one and not the attacker's site. But when you click on the new link, it opens and is quickly replaced with the malicious web server. The address bar's name will be slightly different from the original website that can trick the user into thinking it's a legitimate site. For example, "Gmail” may direct you to "gmai1". Notice the one in place of 'Ľ. It can be easily overlooked.

 

#### **DNS Tunneling**

 

![DNS-Tunneling](https://sb-cms.s3.ap-south-1.amazonaws.com/DNS-Tunneling_4dcb5ccd5d/DNS-Tunneling_DNS-Tunneling_4dcb5ccd5d.png)

 

DNS tunneling is a sophisticated attack vector designed to provide attackers with continued access to a given target. Since many organizations fail to monitor DNS traffic for malicious activity, attackers can insert or “tunnel” malware into DNS queries (DNS requests sent from the client to the server). The malware is used to create a persistent communication channel that most firewalls are unable to detect. For malicious use, DNS requests are manipulated to exfiltrate data from a compromised system to the threat actor's infrastructure. It can also be used for command and control callbacks from the threat actor's infrastructure to a compromised system.

 

#### **Watering Hole Attacks**

 

![Watering-Hole- Attacks](https://sb-cms.s3.ap-south-1.amazonaws.com/Watering-Hole-_Attacks_b7f8b1a7ac/Watering-Hole-Attacks_Watering-Hole-_Attacks_b7f8b1a7ac.png)

 

A watering hole attack occurs when an attacker injects malicious code onto a public website to steal personal information. Threat actors will monitor the web activity logs of upper-level executives to identify the sites they visit most often. From there, an exploit code is written and uploaded. This form of attack is often coupled with Zero-day exploits, making it very hard to protect against. The success rate of watering hole attacks made it a go-to attack method for cybercriminals in 2019, and this trend is expected to continue in 2020.

 

#### **Injection Attacks**

 

![Injection-Attacks](https://sb-cms.s3.ap-south-1.amazonaws.com/Injection-Attacks_07827d7f7a/Injection-Attacks_Injection-Attacks_07827d7f7a.png)

 

Injection attacks refer to a broad class of attack vectors mainly targeting the underlying vulnerabilities of web architecture. In an injection attack, a threat actor supplies untrusted input to a program. This input gets processed by an interpreter as part of a command or query. In turn, this alters the execution of that program

 

Injections are amongst the oldest and most dangerous attacks aimed at web applications.

 

They can lead to data theft, data loss, data integrity loss, denial of service, and complete system compromise. The primary reason for injection vulnerabilities is usually a lack of sufficient user input validation. This attack type is considered a significant problem in web security. It is listed as the number one web application security risk in the OWASP Top 10 – and for a good reason. Injection attacks, particularly SQL Injections (SQLi attacks) and Cross-site Scripting (XSS) are hazardous and widespread, especially in legacy applications.

 

Cyberattacks are pacing at an alarming extent; especially the techniques used behind some of them seem to be quite unprecedented in this world, aided by rapid technological transitions at every turn. While it may be intimidating to identify and eradicate the underlying threats and vulnerabilities in the entire system, which often tends to be dormant and stealthily exploit the resources, however, without complying with the standard security protocol even makes the system more prone to becoming a victim of the next big attack. Besides, it also becomes equally essential to have the accessibility of a management platform that offers visibility of the entire system application, real-time surveillance, automated detection, and response against any abnormalities identified in the radar, ensuring that the whole application possesses a robust strategy to endure any future attacks and minimize it's pertaining consequences.

 

![Threat-Spy](https://sb-cms.s3.ap-south-1.amazonaws.com/Threat-Spy_dbd9970841/Threat-Spy_Threat-Spy_dbd9970841.png)

 

SecureBlink's **[ThreatSpy](https://www.secureblink.com/threat-spy)** actually takes care of all the points mentioned above, along with some other parks, to streamline the process of threat management. It is an automated application security management platform with AI-graded capabilities that primarily focuses on critical Threats & Vulnerabilities while targeting enterprises' application security at the code level. Though it identifies and rolls out patches depending upon the threat landscape of the application, however, its future threat predictability comes with a complete accuracy rate based on the instant scores of the application, including a detailed report that offers red alerts to critical vulnerabilities while ensuring an effective threat incident response with compliance to ZERO-TRUST strategies to keep all the malicious intents at bay.

Here is some notable compilation of salient techniques that pretty much every user should be familiar with to remain vigilant against any cyber threats

Critical Techniques of Cyberattack commonly adopted by Hackers

Cyber Attacks can be grievously detrimental to any extent, not only for an entire enterprise but as an individual; it is not less than a nightmare. However, ironically, behind 90% Of Cyber Attacks Successfully Across The World, Human Errors Are Considered To Be The Prime Reason Of Their **[Origination](https://www.secureblink.com/blog/upgrade-your-organisations-cybersecurity-with-six-key-points)** 

 

![HUMAN_ERRORS_IN_CYBERSECURITY](https://sb-cms.s3.ap-south-1.amazonaws.com/HUMAN_ERRORS_IN_CYBERSECURITY_88c0b17503/HUMAN_ERRORS_IN_CYBERSECURITY_HUMAN_ERRORS_IN_CYBERSECURITY_88c0b17503.png)

 

And yet, one of the most significant impacts of a successful cyber attack is the exposure of information, loss of intellectual property, and the infection of malware. A report by **[Vormetric](https://cpl.thalesgroup.com/encryption/vormetric-data-security-platform)** found that 59% of respondents agree that most information technology security threats that directly result from insiders are the result of honest and straightforward mistakes rather than the abuse of privileges.

 

There’s not a single person alive who never makes mistakes. Making mistakes is a core part of the human experience - it is how we grow and learn. Yet, in cybersecurity, human mistakes are far too often overlooked. In other words, if human error was somehow eliminated, 19 out of 20 cyber breaches may not have taken place at all!

 

So, why does human error cause so many breaches, and why have existing solutions failed to address it? Let’s take a look at the story behind human error - and what you can do to improve employee cyber behavior in your organization.

 

###**What are human errors in cybersecurity security?**

 

![Humanerror-Cyberattack](https://sb-cms.s3.ap-south-1.amazonaws.com/Humanerror-Cyberattack_c085a2fbe8/Humanerror-Cyberattack_Humanerror-Cyberattack_c085a2fbe8.png)

 

When discussing human error in cybersecurity, what is meant by the term is slightly different from its use in more general terms. In a cybersecurity context, human error means unintentional actions - or lack of movement - by employees and users that cause, spread, or allow a security breach to take place.

 

This comprises a wide range of activities, from downloading a malware-infected attachment to failing to **[use a strong password](https://www.secureblink.com/blog/the-worst-passwords-of-all-time-that-may-become-a-matter-of-concern-for-anyone)** - which is part of the reason why it can be so challenging to address.

 

With our ever more advanced and complicated work environments, we have an increasing number of tools and services that we use - and we have usernames and passwords and other things to remember for each of them. This all adds up, and when not provided alternative, secure solutions, employees start taking shortcuts to make life easier for themselves.

 

As if this wasn’t enough for end-users to struggle to make the right actions, they also have to deal with the constant threat of cybercriminals affecting their decision-making. Social engineering has an increasing role in all types of security breaches. It is used to exploit employees' capability to hand over data or credentials right into the hands of bad actors without them having to write a single line of a malware program or software exploit.

 

###**Types of human error**

 

While human error opportunities are almost infinite, they can broadly be categorized into two different types: skill-based and decision-based errors. The difference between these two essentially comes down to whether or not the person had the required knowledge to perform the correct action.

 

 **•Skill-based errors**

 

The skill-based human error consists of slips and lapses: small mistakes occur when performing familiar tasks and activities. In these scenarios, the end-user knows what the correct course of action is but fails to do so due to a temporary lapse, mistake, or negligence. This might happen because the employee is tired, not paying attention, is distracted, or otherwise has a brief lapse of memory.

 

**•Decision-based errors**

 

Decision-based errors are when a user makes a wrong decision. There can be many different factors that play into this: often, it includes the user not having the necessary level of knowledge, not having enough information about the specific circumstance, or not even realizing that they are deciding on their inaction.

 

###**Underlying Threat Posed By Human Errors**

 

![Human-Error-Cyber-Security](https://sb-cms.s3.ap-south-1.amazonaws.com/Human-Error-Cyber-Security_43e4fac723/Human-Error-Cyber-Security_Human-Error-Cyber-Security_43e4fac723.png)

 

The most widespread mistake employees encounter while sending sensitive documents to unintended recipients. This is relatively easy to solve when deploying security controls to monitor sensitive information being leaked out of the organization. These controls were once considered complex to deploy but have now been made considerably more comfortable to implement by vendors in recent years. This has dramatically reduced the level of user involvement required and increased the use of such controls.

 

These tools can also preclude users from engaging in inappropriate behavior. Sending documents home via email or placing them on file-sharing sites or removable media such as USB sticks can all be avoided. The thriving culture of bring-your-own-device **(BYOD)** exposes more crucial concerns, especially with the risk of lost or stolen mobile devices. Again, technology is available to help companies control what happens to data stored on such devices, even allowing sensitive data to be remotely wiped so that it doesn’t fall into the wrong hands.

 

Even the most trusted and highly skilled employees run significant risks of human error. System and influential network administrators are commonly guilty of system misconfigurations, poor patch management practices, and the use of default names and passwords. There are numerous security controls that organizations can explore to guard against these types of threats.

 

 **•Misdelivery**

 

While sending something to the wrong recipient is a common threat to corporate data security, however, according to Verizon's 2018 breach report. Misdelivery was the fifth most common cause of all cybersecurity breaches. With many people relying on features such as auto-suggestion in their email clients, it is easy for any user to accidentally send confidential information to the wrong person if they aren't careful.

 

One of the most severe data breaches caused by human error was when an NHS practice revealed the email ids (and thus names) of over 800 patients who had visited HIV clinics? How did the error happen? 
The emp employee sending out an email notification to HIV patients accidentally entered their email addresses to the to'' field, rather than the "bcc'' field, exposing their details to each other. This is a classic example of a skill-based error, as the employee knew the correct course of action but didn't take enough care to ensure that they were doing what they intended to be.

 

 **•Patching**

 

Cybercriminals are always on the lookout for new explanations in software. When exploits are discovered, the software developers race to fix the vulnerability and send out the patch to all users before cybercriminals can compromise more users. This is why users must install security updates on their computers as soon as they are available. Unfortunately, more often than not, end-users delay the installation of updates - and with dire results

 

The 2017 **[WannaCry ransomware attack](https://www.secureblink.com/cyber-security-news/north-korean-hackers)** affected hundreds of thousands of computers worldwide, costing companies and organizations millions of dollars in damages. The exploit used by the attack dubbed EternalBlue was patched by Microsoft months before the attacks took place. If the affected computers had just had the security update downloaded and installed, they would never have been compromised.

 

 **•Password Problems**

 

Humans and passwords don't get along. The facts from the **[National Centre for Cyber Security's 2019 report](https://www.ncsc.gov.uk/news/annual-review-2019)** cast a lousy image that 123456 remains the most popular password globally, and 45% of people reuse the password of their primary email account on other services. In addition to not creating strong, unique, passwords untrained users commit many different passwords, mistakes including writing down passwords on post-it notes on their monitors or sharing them with colleagues.

 

 **•Physical security errors**

 

While data breaches are most often attributed to cyberattacks, businesses are also liable to physical threats. Confidential information and credentials can be stolen or viewed by unauthorized persons to gain access to secure premises. Physical security errors come in many different forms, but one of the most common is leaving sensitive documents unattended on desks, meeting rooms, or even printer output trays. Anyone gaining access to the enterprise premises can then just pick up the paper without letting anyone know about it's missing.

 

Another widespread physical security error allowing tailgating is when an unauthorized person follows someone through a secure door or barrier, usually by merely walking close behind them. Many employees will feel it rude to contest anyone following behind them through a door, ensuring a high success rate on tailgating attempts.

 

###**Human Errors Mitigation With Practical Cybersecurity Awareness**

 

![cyber-security-cyber-attack](https://sb-cms.s3.ap-south-1.amazonaws.com/cyber-security-cyber-attack_2c260aaad9/cyber-security-cyber-attack_cyber-security-cyber-attack_2c260aaad9.png)

 

The avoidance of Human Errors can be considered as the best strategy for keeping their data secure. The absence of immediate damage to your organization isn’t a reason to leave your cybersecurity policy as is.

 

The only way to mitigate human mistakes in cybersecurity is to use a complex holistic strategy for preventing insider threats and enhancing your cybersecurity.

 

Here are the most common ways to adopt the following practices and solutions, which can effectively protect an enterprise from any future possible human errors leading to a cyber attack:

 

**•Corporate Security Policy Scrutiny & Updation:**

 

Your security policy should clearly outline how to handle critical data and passwords, who can access them, which security and monitoring software to use, etc. Revise your security rules and check whether all current best practices are reflected in the document.

 

**•Bring Awareness Among Humans:**

 

Make sure every employee is aware of potential threats and explain how dangerous and expensive the consequences of their mistakes can be. It will help educate your employees about the risks such errors pose to the organization’s security. Make sure everyone is familiar with the corporate security policy and is motivated to follow the rules.

 

**•Use the principle of least privilege:**

 

The easiest and reliable way to secure data access is to deny all access by default. Allow privileged access only when needed on a case-by-case basis. If users can only access data required for their work, you can prevent accidental data leaks and data deletion caused by employees who aren’t supposed to work with specific sensitive data in the first place while keeping an additional backup.

 

**•Monitor your employees:**

 

User activity behavior monitoring tools must detect malicious activity meticulously and secure the system from future data leaks and malicious attacks. The most reliable way to ensure accurate detection and prevention of unwanted anomalies is by integrating an automated application security management platform such as **[ThreatSpy](https://www.secureblink.com/threat-spy)**.

 

**•Communicative Practices:**

 

Several workspace errors involving humans can be traced to a lack of communication. Every employee on your team should feel comfortable communicating with each other and with superiors. Without open lines of communication at all levels, dangerous accidents are inevitable.

 

###**Conclusions: Humans Errors; The Most Vulnerable Link To Exploit**

 

![Cyber-Security-Human-Error](https://sb-cms.s3.ap-south-1.amazonaws.com/Cyber-Security-Human-Error_6ae88cfa58/Cyber-Security-Human-Error_Cyber-Security-Human-Error_6ae88cfa58.png)

 

An attempt to articulate the most significant facts and figures that often remain undermined from everyone's attention tells an entirely different story with a frightening statistic about how many cyberattacks are caused by human error; however, the same perspective can be changed at that statistic If 95% of the breaches are caused by human error, taking even the smallest steps towards reducing human error can create huge gains in security. The mitigation of human error has to come from two angles: reducing opportunity and effectively educating as many users as possible. The fewer chances there will be for error, the fewer users will be tested for their knowledge. The more experience your users have, the less likely they are to make a mistake even when they come across an opportunity to do so.

 

Although the issues caused by human errors are comparatively less expensive, unlike any data beaches due to malware, nonetheless, they still manage to pose a critical threat to the security and the availability of your sensitive data and business-critical resources.

 

This approach should be adapted most often by promoting to encourage you to see the human risk from a different light. Although untrained end-users may often be the weakest link of an organization's security, the right tools and training allow the same to be empowered as the first line of defense against any cyber attack, espionage, or a breach, safeguarding the entire business in the long term.

90% Of Cyber Attacks Successfully  Across The World, Human Errors Are Considered To Be The Prime Reason Of Their Origination.

Human Errors: A Fare Share Of Reasons Behind Many Gruesome Cyber Attacks

Malware

Cyberattack

Healthcare 

Vulnerability

APT Group

Phishing

Data Breach 

DeFi

Blockchain

OpenSource

Ransomware

Government 

Finance

Privacy 

Zola, a popular wedding registry, recently confirmed that hackers attempted to exfiltrate fraudulent cashouts after managing access to its users accounts but has denied a system breach. Many of its users took to social media to report about the suspicious incident that their accounts had been compromised, bringing the matter to the spotlight. While others began to complain that thousands of dollars had been unknowingly debited to their credit cards, moreover others also filed complaints that their Zola accounts had been exhausted.





 






Emily Forrest, a spokesperson for Zola, said in a statement to [TechCrunch](https://techcrunch.com/2022/05/23/zola-accounts-hacked/) that accounts had been compromised due to a credential stuffing attack, in which existing sets of exposed or compromised usernames and passwords were used to access accounts on different sites that share the same set of credentials.



 



_"While this attack did not vastly affect Zola couples, we extend our sincerest apologies to anyone who experienced any skeptical activity in their account,''_ stated Forrest. _"Our staff acted as swiftly as possible to protect our community of couples and guests, and we were able to prevent all fraudulent transfer attempts."_




 



Telegram channel messages boasting about users discussing and spreading screenshots of unauthorized access to user accounts via the Zola app. The partially redacted screenshots depict hackers ordering gift cards from a user's account, including using the credit card on file with Zola. The gift cards are then delivered to the hackers' email address placing the order. Fraudsters frequently utilize gift cards due to their infamously difficult traceability.



 



Zola acknowledged the gift card orders and stated that the company is _"immediately working"_ to rectify the errors. The great majority of orders for gift cards have already been returned, according to Forrest. Any step a couple failed to take will be rectified.
Zola stated that it briefly halted its iOS and Android apps during the incident and reset all user passwords out of _"an excess of caution."_



 



Less than 0.1% of accounts were compromised, according to Zola, although the company would not specify how many users were affected. The wedding register also declined to respond to any additional inquiries regarding the lack of two-factor authentication (2FA) currently provided to users.
_"Our support team is working feverishly to reply to every affected customer, and we really appreciate their patience,"_ Forrest added. 




 




We guarantee that all unresolved customer concerns will be answered and addressed.
In a tweet, the business asked consumers who had had funds stolen or fraudulent transactions to email its support team. Forrest informed TechCrunch that _"all monies, credit cards, and bank information remain secure"_ and _" all cash funds have been recovered."_

Hackers infiltrated Zola to initiate fraudulent cash transfers by accessing users accounts, however, the wedding registry denied any attempt of data breach...

Zola accounts hacked after confirming fraudulent transactions

Researchers publish new findings about the Chaos ransomware developer, revealing a tangled family tree that connects it to both the Onyx and Yashma ransomware strains.

The BlackBerry research and intelligence team stated in a blog post that clues to the Chaos malware's links to Onyx and Yashma emerged via a conversation between a recent victim and the threat group behind Onyx ransomware. The conversation happened on the threat actor's leak site.

According to the researchers, a person claiming to be the creator of the Chaos ransomware builder's kit entered the discussion and revealed that Onyx was built using the author's own Chaos v4.0 Ransomware Builder. The author then promoted the most recent version of the Chaos ransomware family, now known as Yashma.

This was not the first time the link between Chaos and Onyx had been revealed. Onyx's wares were also found to be built on the Chaos ransomware creator, according to SC Media on April 29.

Chaos-adaptability Yashma's and widespread availability, according to BlackBerry researchers, make it worrisome in the future. Because the malware is initially marketed and distributed as a malware builder, any threat actor who acquires it can mimic the actions of the threat group behind Onyx, generating their ransomware strains and targeting specific victims.

"Our research delves into the mindset of these threat actors by showing an online exchange from someone claiming to be the very same Chaos ransomware builder author, in addition to the technical deep-dive provided on the Chaos malware family tree," said Ismael Valenzuela Espejo, BlackBerry's vice president of threat research and intelligence.

"It's interesting to observe how, aside from the obvious money motivation, there's a sense of pride in their creations, even if this malware has been labeled as a 'proof of concept' and 'unsophisticated wiper' by several researchers in the last year," Espejo continued. "It's also fascinating to observe how this comes from someone who, approximately a year earlier, tried to steal the thunder from an existing threat group (Ryuk), but was enraged when their creation (Chaos/Yashma) was also stolen and utilized as the foundation of a new threat (Onyx)."

According to John Hammond, senior security researcher at Huntress, the BlackBerry research provides a great historical perspective of the Chaos ransomware's roots and development leading up to its sixth iteration and new branding name, Yashma. According to Hammond, the newest crypter incorporates new features and functionalities to detect if the ransomware is being operated in a prohibited country, disable antivirus, and terminate services for other preventive measures.

"It's a little frightening to see the rapid evolution of ransomware tooling becoming something so configurable and advanced," Hammons added. "A cybercriminal group, like a software firm, provides new features and upgrades to their product, making it faster, more versatile, and more accessible to their customers...but this time, with malicious purpose." The announcement of a new and improved Chaos ransomware variant isn't reason to raise the alarms and turn on the sirens, but it is another wind of warning: the adversaries are just getting stronger. A good security posture that includes monitoring, redundancy, and strong detection efforts remains the greatest basis for combating a threat actor's end-goal of ransomware."

According to Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, the Maze ransomware gang changed everything in 2019 by introducing double-extortion, and now the majority of ransomware attacks result in data breaches. According to Hoffman, Chaos ransomware variants can erase files larger than about 2 gigabytes, resulting in a highly damaging attack for many enterprises.

"It would be sad if destructive ransomware becomes a new industry trend, with more amateur crooks entering the picture," Hoffman said. "In any case, security teams should stay ahead of the threat by following the 3-2-1 back-up rule, which means three copies of the data, two media types used for back-ups, and one offsite backup." This is not a new rule, but it is more important than ever in combating destructive ransomware attacks."


BlackBerry researchers linked Onyx and Yashma ransomware with the Chaos ransomware builder. Pictured: A team from the U.S... 

Researchers linked Chaos ransomware with Onyx & Yashma variants

Regional Eye Associates in West Virginia has issued a [data breach alert](https://www.readocs.com/medical-record-breach-2021/) informing 194,035 patients that their personally identifiable information was unauthenticated accessed and erased from a third-party vendor's system in December 2021, before of a ransomware attack.


 



Although Eye Care Leaders is not explicitly mentioned in the letter, it is similar to several other provider notices related to a ransomware attack on the cloud-based electronic medical record company. In addition to the December event, ECL has been embroiled in provider-based litigation following a year of purported disruptions connected to various ransomware attacks and claims of an insider incident.



 



ECL notified Regional Eye on 1st March about the occurrence and its potential consequences. The warning, like the EvergreenHealth and Summit Eye Associates releases, was issued a month after the 60-day deadline mandated by The Health Insurance Portability and Accountability Act.



 



According to the Regional Eye notification, an attack gained access to ECL's system on December 4 and _"removed many databases between the hours of 7:18 p.m. and 10:13 p.m. before being found and locked out of the system."_



 



So far, no evidence has been found that any health information was stolen before being destroyed. The probe, however, remains ongoing. As a result, Regional Eye advises patients to post fraud warnings on their credit reports to protect themselves against identity theft.



 




Notably, Regional Eye is still using ECL for its services and is collaborating with the vendor on the forensic inquiry. _"To prevent future attacks, ECL has installed technical, administrative, and physical precautions."_ Access restrictions, permissions, and data storage security protocols must be reviewed and updated.

More than 194,000 patients were notified by Regional Eye Associates that their data had been accessed and destroyed by Eye Care Leaders, a cloud-based...

194,000 patients of Regional Eye hit by databreach after a cyberattack

Killnet, a pro-Russia group, recently infiltrated multiple European institutions, while Anonymous hackers have already claimed to have leaked the organization's personal information via a database dump.



 



Following that, the infamous hacktivist group has reportedly declared full-fledged cyberattacks against the pro-Russia hacking group Killnet. The hacktivist group [tweeted](https://twitter.com/YourAnonOne/status/1528048043647434752) about this recent development via their @YourAnonOne account.



 



Soon after releasing the tweet, Anonymous disclosed that Killnet's official website (Killnet.ru) had been taken offline. Later, Anonymous posted that Killnet's user database had also been [compromised](https://twitter.com/AnonOpsSE/status/1528631617023102976). The compromised database consists of 146 email addresses and their passwords in plaintext.





 


![Anonymous announced a cyberattack against Killnet.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Anonymous_announced_a_cyberattack_against_Killnet_4f5a8286b0.jpg)



 





## Anonymous Hacktivist After Killnet





 




This move could be in retaliation to the warning made by cybersecurity officials in the United Kingdom, the United States, Canada, New Zealand, & Australia that pro-Russian hackers may soon target businesses outside the borders of Ukraine.




 




Yesterday, the FVEY (Five Eyes Alliance) released a [threat assessment report](https://www.cisa.gov/uscert/ncas/alerts/aa22-110a), which is noteworthy. Numerous Russian government-sponsored and independent hacker groups have sworn assistance to Russia, according to the organization.




 




According to the same research, these groups may target important national infrastructure organizations in the West. DDoS attackers [Killnet](https://bit.ly/39hLAIQ), CoomingProject, Salty Spider of Sality botnet fame, and Mummy, operators of [Emotet](https://bit.ly/3Duptcx), were among the identified cybercrime organizations. Anonymous desires to impair Killnet's offensive capabilities, which have recently intensified in Europe.




 





Killnet shared their perspective on current events in an interview with the Russian news network RT. The group claimed in a Russian-language interview that it consists of _"regular individuals from around Russia who stepped up to defend their nation."_




 




***"We've always been despised. First the "awful" empire, then the "bad" Soviet Union, and now "evil" Russia. DDoS is our project's public face. Behind the scenes, a substantial amount of work is performed on an invisible front. This entails calculating the positions of the Ukrainian Armed Forces, hacking adversary systems, monitoring and gathering intelligence, and seizing control systems.***






 



![Killnet under the radar of Anonymous.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Killnet_under_the_radar_of_Anonymous_7c532a8add.jpg)





 






Killnet, which specializes in DDoS attacks, has recently targeted the websites of a number of Italian government ministries and institutions, including the customs agency, foreign affairs department, culture and heritage ministry, education ministry, and the supreme council of the court.





 






Killnet attacked the Italian upper chamber of parliament, the Automobile Club of Italy, and the [National Health Institute](https://www.yahoo.com/now/italian-police-prevents-pro-russian-070642047.html) on the 16th of May. In April, Killnet launched DoS attacks from Russia on websites belonging to the Romanian government, notably the Ministry of Defense.






 





The pro-Russian group has also attacked the websites of the governments of the United States, the Czech Republic, Estonia, Poland, and other NATO allies.

Killnet is under the radar of the infamous hacktivist group Anonymous for a possible incoming cyberattack as they are already claiming to have leaked vitalities of the group...

Anonymous broke out a cyberattack against Pro-Russian group Killnet

According to [Check Point Research](https://research.checkpoint.com/2022/twisted-panda-chinese-apt-espionage-operation-against-russians-state-owned-defense-institutes/) (CPR) researchers a targeted APT campaign by China-linked threat actors leveraged sanctions-related lure to breach Russian state-owned defense institutes.


 



The campaign, nicknamed Twisted Panda, is part of a larger Chinese espionage effort that has been ongoing for some months, according to the report's authors.


 



The probe follows past reports of Beijing's attempts to hack into Russian networks. Mustang Panda, a threat actor linked to China, sent malicious emails to Russian agencies concerning political developments in Eastern Europe, for example.



 




Researchers in Russia have also discovered a new cyber gang targeting Russia's space technology business with previously undiscovered malware.




 




According to CPR's researchers, malicious actors have targeted at least two Russian research organizations, working on building high-tech military solutions.




 




Another target of the campaign was most likely Belarus, whose president, Alexander Lukashenko, is a close ally of Russian President Vladimir Putin.



 




Both of the Russian institutions attacked by the hackers are owned by Rostec, a Russian state-owned defense corporation. According to the researchers, the targeted companies develop and manufacture electronic warfare systems and other military communications equipment.




 




Twisted Panda, according to Check Point Research, is part of a long-running campaign against Russia that began in June and is still active. Stone Panda and Mustang Panda, two China-linked state-sponsored entities, are thought to be behind the operation, according to researchers.




 




Before the Kremlin's forces rushed into Ukraine on February 24, Russia boasted about the 'really unparalleled nature' of Russo-Chinese relations.



 



Threat actors sent several emails to employees of Russia's defense research organizations, according to the study, with the subject hinting that the contents of the email would reveal the names of persons sanctioned by the US over Russia's invasion of Ukraine.




 




'US Spread of Deadly Pathogens in Belarus' was aimed at a Belarusian institute. Emails were sent to organizations in Russia and Belarus that looked like they came from Russia's Ministry of Health.




 




SPINNER, a previously unknown backdoor, was found in documents linked to the emails.




 




_"The backdoor and operation are expected to collect information from targets inside Russia's high-tech defense industry to boost China's technological growth,"_ the study states.

Twisted Panda, a sophisticatedly emerged Chinese APT espionage operation against Russian state-owned defense institutes baiting the Russo-Ukrainian war…

Russian defense targeted by Chinese APT espionage operation baiting war

A newly emerged malware distribution campaign leveraging PDF attachments to transport infected Word documents for targeting users with malware has been discovered by threat researchers.




 




Most phishing emails currently include DOCX or XLS attachments containing malware-loading macro code; therefore, the use of PDFs is rare.




 





As users grow more aware of the dangers of opening fraudulent Microsoft Office attachments, however, threat actors resort to different techniques to distribute harmful macros and avoid detection.





 





In a recent analysis from [HP Wolf Security](https://threatresearch.ext.hp.com/pdf-malware-is-not-yet-dead/#), researchers demonstrate how PDFs are being leveraged as a delivery mechanism for documents containing malicious macros that download and install information-stealing malware on victims' computers.





 





## Clasping Word Documents into PDFs





 





In a campaign seen by HP Wolf Security, the PDF attachment coming through email is titled _"Remittance Invoice,"_ and the email body likely provides ambiguous assurances of payment.



 




Adobe Reader invites the user to open a DOCX file when the PDF is accessed, which is already odd and may confuse the victim.




 




Because the threat actors titled the embedded document _" has been validated,"_ the Open File question displays _"The file has been confirmed."_ This message may mislead readers into assuming that Adobe has authenticated the file and that it is safe to open.




 



![Keylogger.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Keylogger_bbe2d76470.jpg)
 ***PDF document prompting the user to open another document***




 






Malware experts can investigate embedded PDF files using parsers and scripts, but average users who receive these deceptive emails would not go that far or even know where to begin.




 





As a result, many individuals may open the DOCX file in Microsoft Word, and if macros are allowed, they will download and open an RTF (rich text format) file from a remote location.





 



![Keylogger Malware.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Keylogger_Malware_d10c65a5d0.jpg)
 ***HTTP GET request returning RTF file***





 






The payload is hosted at the URL _"vtaurl[.]com/IHytw"_, which is hardcoded into the Word document. The RTF file is downloaded as a consequence of the following command, which is inserted in the Word document with the URL _"vtaurl[.]com/IHytw"_.






 





![Malware String.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Malware_String_c59d3dd6ad.jpg)
 ***List of URLs in the Word document***








 





## Exploiting Undisclosed RCE






 






The _"f_document_shp.doc"_ RTF document contains malformed OLE objects that are likely to circumvent detection. HP's experts discovered that it tries to exploit an outdated Microsoft Equation Editor vulnerability to launch arbitrary code after doing some targeted rebuilding.







 




![Malware Snake Keylogger.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Malware_Snake_Keylogger_9b5b8938b3.jpg)
 ***Decrypted shellcode presenting the payload (HP)***




 






The shellcode attacks [CVE-2017-11882](https://nvd.nist.gov/vuln/detail/CVE-2017-11882), a remote code execution vulnerability in Equation Editor patched in November 2017 but is still exploitable in the wild.




 




As a result of the sluggish patching that followed the disclosure of this vulnerability, it became one of the most abused flaws of 2018.




 




Through exploitation of CVE-2017-11882, the shellcode in the RTF downloads and executes Snake Keylogger, a modular information thief with potent persistence, defense evasion, credential access, data harvesting, and data exfiltration capabilities.

PDF attachments used in circulating Snake Keylogger malware to infect users through malicious word documents laced with malware-loading macro code to evade detection...

Snake Keylogger malware deployed using malicious word doc via PDF

Google's Threat Analysis Group (TAG) reports that state-sponsored threat actors exploited five zero-day vulnerabilities to install Cytrox's Predator spyware.



 




In these operations, which were part of three campaigns launched between August and October 2021, the attackers utilized zero-day flaws against Chrome and the Android OS to install Predator spyware implants on Android devices with the most recent software updates. [Google TAG](https://twitter.com/ShaneHuntley/status/1527322415293865986) members Clement Lecigne and Christian Resell stated, _"We have high confidence that these vulnerabilities were packaged by a single commercial surveillance outfit, Cytrox, and sold to various government-backed actors who utilized them in at least three campaigns."_




 



While investigation identifies Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia as the countries of origin for the malicious actors that acquired and utilized these exploits to infect Android devices with spyware.



 




These findings are consistent with a report on Cytrox mercenary spyware [published by Citizen Lab](https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/) in December 2021. Its researchers identified the malicious application on the mobile phone of exiled Egyptian politician Ayman Nour.




 




According to CitizenLab's analysis, Nour's phone was also infected with NSO Group's [Pegasus spyware](https://www.secureblink.com/cyber-security-news/pegasus:-the-rise-of-a-sophisticated-spyware-behind-mass-surveillance), with the two programs being managed by two distinct government clients.



 



### Zero-Day Vulnerabilities Exploited In Three Android-centric Malicious Campaigns



 



Five unknown zero-day vulnerabilities exploited in these campaigns includes:



 



- [CVE-2021-37973](https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html), [CVE-2021-37976](https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html), [CVE-2021-38000](https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html), [CVE-2021-38003](https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html) in Chrome
- [CVE-2021-1048](https://source.android.com/security/bulletin/2021-11-01#kernel-components_1) in Android



 




The threat actors deployed exploits targeting these zero-days in three separate campaigns:




 




- Campaign #1 - redirecting to SBrowser from Chrome (CVE-2021-38000)
- Campaign #2 - Chrome sandbox escape (CVE-2021-37973, CVE-2021-37976) 
- Campaign #3 - Full Android 0-day exploit chain (CVE-2021-38003, CVE-2021-1048)




 





_"All three campaigns sent targeted Android users one-time links imitating URL shortening providers through email. The campaigns were minimal; in each instance, we estimate that the number of users targeted was in the tens"_ [mentioned](https://blog.google/threat-analysis-group/protecting-android-users-from-0-day-attacks/) by the experts at Google TAG. _"Once the link was clicked, the target was transferred to an attacker-controlled domain that provided the exploits before redirecting the browser to a genuine website. The visitor was forwarded to a valid website if the link was inactive."_




 




This malicious tactic was also leveraged against journalists and other Google users who were informed they were the subject of [intrusion backed by the government](https://support.google.com/a/answer/9007870).




 




### Android Banking Trojan Involved In Deploying Spyware





 




In these campaigns, the attackers first installed the [Android Alien banking trojan](https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien) with RAT features in order to load the Predator Android implant, which permits audio recording, the addition of CA certificates, and the concealment of applications.




 




This paper is a follow-up to an investigation of four more 0-day vulnerabilities identified in Chrome, Internet Explorer, and WebKit in July 2021. (Safari).






 




According to Google TAG researchers, Russian-backed government hackers affiliated with the Russian Foreign Intelligence Service (SVR) used the zero-day vulnerability in Safari to target iOS devices belonging to western European government officials.





 




Google TAG stated on Thursday that "TAG is currently tracking more than 30 vendors with varied levels of expertise and public exposure that offer vulnerabilities or surveillance capabilities to government-backed entities."

Google TAG hunts down 9 zero-day vulnerabilities exploited in-the-wild to deploy Predator spyware across Chrome, Android, Apple and Microsoft, leading to patches to protect users from these attacks...

Multiple zero-day vulnerabilities exploited to deploy Predator Spyware

The Chicago Public Schools experienced a massive data breach exposing the personal information of almost 500,000 students & 60,000 employees following their vendor, Battelle for Kids, who was hit by a ransomware attack in December.






 






Ohio-based Battelle for Kids is a non-profit corporation that analyzes student data supplied by public school systems in order to build instructional models and evaluate teacher effectiveness.





 




According to [Battelle for Kid](https://static.battelleforkids.org/Documents/BFK/BFK-Annual-Report-2021.pdf), its initiatives have touched over 2.8 million students in 267 school districts.




 




## Chicago Public Schools Becomes A Cyberattack Victim





 




The Chicago Public School (CPS) administration said yesterday that a ransomware attack on Battelle for Kids on December 1st compromised the data of 495,448 kids and 56,138 workers in the district.




 




Battelle for Kids is a partner of Chicago Public Schools in the upload of student course and assessment data for teacher evaluations.




 





The data held on Battelle for Kids' servers, according to Chicago Public School, was for school years 2015 through 2019 and exposed children's personal information and assessment scores.




 




The Chicago Public School student [data breach letter notes](https://www.cps.edu/globalassets/cps-pages/about-cps/policies/student-online-personal-protection-act/battelle-for-kids-data-breach-english.pdf), _" Specifically, an unauthorized party acquired access to your child's name, date of birth, gender, grade level, school, Chicago Public Schools student ID number, State Kid ID number, information about the courses your student completed, and scores from performance tasks used in teacher evaluations for school years 2015-2016, 2016-2017, 2017-2018, and/or 2018-2019."_





 





During the school years 2015-2016, 2016-2017, 2017-2018, and/or 2018-2019, threat actors may have gained access to staff members' names, schools, employee identification numbers, Chicago Public School email addresses, and Battelle for Kids usernames.





 






Chicago Public School reports that no Social Security Numbers, home addresses, health data, or financial data were compromised in the attack.





 





Any impacted students or staff members are eligible for free credit monitoring and identity theft protection via Chicago Public School. On the [Chicago Public Schools data breach page](https://www.cps.edu/about/policies/student-online-personal-protection-act/breach-notifications), which was developed by the school system, there are instructions for obtaining this free credit report.






 






## Four Months Old Data Breach Discloses Now





 





In April, Ohio school districts began delivering [data breach notifications](https://lakotaonline.com/about_us/what_s_new/battelle_for_kids_data_breach), informing kids and employees that their personal information was compromised during the ransomware attack on Battelle for Kids.





 





Even though Chicago Public School's contract with Battelle for Kids demands timely disclosure of a data breach, the school only learned about the compromise on April 26, 2022, four months after the contract said that notice was required.





 





On the 11th of May, however, they realized for the first time that students and employees had their information compromised.







 







On their data breach page, Chicago Public School explains, _"Our vendor, Battelle for Kids, informed us that the delay in notifying Chicago Public School was due to the time it took Battelle to verify the authenticity of the breach through an independent forensic analysis and for law enforcement to investigate the matter."_








 




![Chicago Public School Ransom Note.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Chicago_Public_School_Ransom_Note_815dd24faa.jpg)
###### _Ransom Note_






 





Although it is uncertain which ransomware gang is responsible for this attack, all groups send ransom notes on encrypted devices that contain email addresses or links to ransom negotiation sites.





 





As part of the extortion process, ransomware groups frequently give evidence that they stole data by providing a list of all the stolen folders and, on occasion, individual files.




 






When a victim refuses to pay a ransom, threat actors reveal publicly that they attacked them and begin exposing their stolen data.






 





There has been no public revelation by a [ransomware group declaring](https://www.ny1.com/nyc/all-boroughs/education/2022/03/26/data-of-820-000-students-compromised-in-hack-of-online-grading-system--doe) that they infiltrated Battelle for Kids, perhaps implying that Battelle for Kids complied with a ransom demand.







 






In March, the New York City Department of Education announced a similar but separate data breach involving the hacking of a vendor that exposed the personal information of 820,000 children.

Chicago Public Schools suffered a data breach exposing details of over 500,000 students that got recently disclosed after its vendor Battelle for Kids became a...

500K students data of Chicago Public Schools exposed in a cyberattack

It has been reportedly discovered that the PyPI registry has yet another malicious Python package carrying out supply chain attacks to install Cobalt Strike beacons and backdoors on devices running macOS, Linux, and Windows.


 




PyPI is a repository of open-source packages that allow developers to contribute their work or profit from the efforts of others by obtaining the necessary functional libraries for their projects.



 



Threat actors published a malicious package to PyPI with the name 'pymafka' The name is quite similar to PyKafka, a popular Apache Kafka client with over four million downloads from the PyPI registry.




 





The typo-squatted package only received 325 downloads before being deleted. As it provides initial access to the developer's network, however, it might still inflict substantial harm to anyone impacted.




 




## PyMafka Infection Process




 




Sonatype identified pymafka and reported it to the PyPI, who recently deleted it. However, developers who downloaded it must immediately replace it and inspect their computers for Cobalt Strike beacons and Linux backdoors.



 



According to security researchers, the infection occurs when the 'setup.py' script in the package is executed.




 





This script identifies the host operating system and, depending on whether it is Windows, Linux, or Darwin (macOS), retrieves and executes a compatible malicious payload.



![script.png](https://sb-cms.s3.ap-south-1.amazonaws.com/script_04e43aa0fc.png)

 




On Linux machines, the Python script connects to a remote URL at 39.107.154.72 and redirects the output to the bash shell. Unfortunately, this host is down at the time of writing, so it is unknown which commands are run; nonetheless, it is thought that a reverse shell is opened.





 



The payload for Windows and macOS is a Cobalt Strike beacon that grants remote access to the infected device.



 




Cobalt Strike is a frequently exploited penetration testing package with sophisticated capabilities like command execution, keylogging, file actions, SOCKS proxying, privilege escalation, credential theft, and port scanning, among others.




 




Its "beacons" are file-less shellcode agents that are difficult to detect, granting remote actors stable and reliable access to infiltrated computers for espionage, lateral movement, and the deployment of second-stage payloads such as ransomware.




 




Sonatype's [report](https://blog.sonatype.com/new-pymafka-malicious-package-drops-cobalt-strike-on-macos-windows-linux) states, "On Windows PCs, the Python script attempts to drop the Cobalt Strike beacon at 'C:\Users\Public\iexplorer.exe',"




 




Note that this typo stands out since the proper Microsoft Internet Explorer process is generally named "iexplore.exe" (no 'r' at the end) and is not present in the C:UsersPublic directory.




 




The executables downloaded correspond to the OS they target, notably 'win.exe' and macOS,' and, once started, attempt to contact a Chinese IP address.





 




In terms of detection rates, VirusTotal scans get a score of 20 out of 61, so while the payloads are not precisely stealthy, their evasion percentage is decent.




 

![vt-scan.png](https://sb-cms.s3.ap-south-1.amazonaws.com/vt_scan_9d2cf813fb.png)


 





This assault is meant to offer initial access to the developer's network, allowing the attackers to expand laterally throughout the network in order to steal data, install more malware, or execute ransomware attacks.



 




## Available Best Practices To Stay Safe





 





From the standpoint of a software developer, a number of errors are made when an untrustworthy package is used, but the most prevalent and apparently simple error is misspelling package names during construction.






 







When something seems unusual, software engineers should analyze package names and specifics and double-check their selection of building pieces.




 


![PyPi Package.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Py_Pi_Package_f8dfbb620f.jpg)




 




In this scenario, the package attempts to impersonate a well-known project, despite lacking a PyPI page description, a homepage link, a very little release history, and unusually recent release date.




 




These are all significant indications that something is amiss, but none of them will be visible from the terminal; thus, it is crucial to validate the package selections.

Python package has been spotted in the PyPI registry performing supply chain attacks to drop Cobalt Strike beacons and backdoors on Windows, Linux, and macOS systems...


PyPI packages dropping CS beacons & backdoors by supply chain attacks

Sberbank, Russian financial services and banking institution, became a victim of an unprecedented wave of distributed denial-of-service (DDoS) attacks that was repelled by the bank earlier this month.



 




Sergei Lebed, vice president and director of cybersecurity at Sberbank, told the Positive Hack Days conference audience that thousands of internet users had attacked the company during the previous several months.

With assets over $570 billion, Sberbank is the largest financial institution in Russia and the third-largest in Europe.



 




As a result of being one of the first entities to be sanctioned following the Russian invasion of Ukraine, the entity's operations on the European continent have been severely constrained.

Since the conflict's inception in February, hackers allied with Ukraine have had Sberbank in their sights. This activity has not subsided, per the bank.




 




On May 6, 2022, Sberbank said it had successfully defeated the 450GB/sec DDoS attack, its largest ever.

DDoS are resource-depletion attacks that try to render online services inaccessible to clients, resulting in business interruption and monetary losses.





 




The malicious traffic that enabled the attack on the main website of Sberbank was generated by a botnet of 27,000 infected devices located in the United States, the United Kingdom, Japan, and Taiwan.



 



According to Lebed, the hackers utilized various methods to execute this onslaught, such as code injections into advertising scripts, malicious Chrome extensions, and [Docker containers](https://bit.ly/3vB1i9A) equipped with DDoS tools.





 






Lebed reports that over one hundred thousand Internet users have attacked them in the previous several months, while in March, they recorded 46 simultaneous DDoS attacks on various Sberbank services.




 




Many of these attacks leveraged traffic on online streaming and movie theater websites, similar to the strategy adopted by pro-Russian threat groups against important Ukrainian websites.



 



The web browsers of users to these hijacked websites execute specially constructed code contained in injected scripts that produce many requests to certain URLs, in this case under the Sberbank domain.




 



_"The bank is currently subject to constant cyberattacks. The Security Operation Center of Sberbank monitors and responds swiftly to cyber threats around-the-clock."_ Sergei Lebed

_"However, when it comes to businesses in other industries, the vast majority of them have never faced anything like this before and may incur losses,"_ said the vice president of Sberbank.



 




As long as global tensions continue to produce a polarized climate, DDoS attacks of this magnitude are likely to continue. As [Sberbank's announcement](https://www.sberbank.ru/en/press_center/all/article?newsID=2d7a96e6-3f8a-416e-aadb-d0ffc828bf97&blockID=1539%C2%AEionID=77&lang=en&type=NEWS) comes to a close, they may decrease in number but increase strength.



 



This is consistent with what [Radware](https://blog.radware.com/security/2022/05/radware-mitigates-1-1tbps-ddos-attack/) disclosed yesterday, a DDoS intrusion of 1.1 terabits per second (Tbps) that lasted for 36 hours, indicating that threat actors are significantly more capable than they were a year ago.

Over $570 billion assets of Russia's largest financial institute reportedly remains at critical amid the unprecedented wave of DDoS attacks...

Sberbank targeted by a staggering wave of DDoS attacks that was earlier mitigated

FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat actor tracked under the moniker APT34, citing resemblances

Saitama Backdoor: Jordan's Foreign Ministry Targeted by Spear Phishing 

Black Basta, a newly emerged name around the ransomware families, is getting popular across the masses, indicating an attempt to rebrand the previously dissolved ransomware family...



Black Basta: a new ransomware group or rebranded ransomware operation

Microsoft Researchers located previously undiscovered vulnerabilities in Linux systems tracked as Nimbuspwn, if chained together, may provide elevated root access...

Nimbuspwn: Linux Endpoint Vulnerabilities allowing Root Privilege Escalation

MetaStealer, a newly emerged infostealer malware actively circulated via a malspam campaign to steal user credentials & cryptocurrency wallet details…

MetaStealer malware: An improved version of RedLine actively distributed via malspam campaign

SunCrypt has failed to grow more significant than a small private RaaS of a closed circle of affiliates.

Suncrypt RaaS regained prominence

Aberebot, Android banking trojan resurrected with a new name as Escobar Trojan with updated features while offering a homage to Colombian Drug Lord...

Escobar Malware: An emerging threat to stealing credentials from your Phone

SharkBot an android Trojan was first spotted in October 2021 on google play, it has successfully evaded Google security checks. Security Researcher at NCC and Cleafy found it and marked it one of a kind...

Banking Trojan SharkBot Discovered in anti-virus app on google play

TeaBot resurrected with evolved malware distribution tactics active across Google Play Store, primarily circulating through OR Code Apps…


TeaBot: revamped banking trojan resurrected to steal SMS & other credentials of android users

Threat researchers observed a recent spike in infections of Snake information-stealing malware that is now being sold as low as $25 on hacking forums...


Snake Malware, an infamous information stealer active through phishing attempts 

Apache releases a patch for the recently discovered zero-day vulnerability Log4Shell that results in remote code execution by logging in a certain string...

Log4Shell Comprehensive Threat Research On New Zero-Day Vulnerability Jeopardizes Apache Frameworks

Cuba ransomware operators emerge to obtain $43.9 Million following executing multiple cyberattacks against 49 critical infrastructure organizations in the US...

Cuba ransomware operators run down $43.9 Million compromising 49 firms in the U.S

Threat actors conduct targeted attacks against U.S corporations using the recently discovered Yanluowang ransomware; they are further suspected of having links to the Canthriod (Fivehands) group...


Yanluowang ransomware linked to Thieflock operators

The research team of ESET has unveiled an undocumented loader for Windows. Its target victims are mainly from Central Europe, North America, and the Middle East...


Wslink: undocumented malware loader that runs as a server

TangleBot, a newly discovered malware distributed only through android devices, strategically lures users by legitimately appearing SMS Updates regarding COVID19...


TangleBot: The Obscure Android Malware

FontOnLake, a new malware discovered by ESET researchers that leverages custom modules in targeting Linux systems; their advanced design indicates that they might be used for targeted attacks...

FontOnLake Malware: Undocumented Malware Family Activity Targeting Linux Machines

Modified Mozi P2P Botnet implemented new capabilities to target its victim's web traffic via MITM and DNS Spoofing attacks...


Mozi P2P Botnet evolved, executed new capabilities to target its victims traffic

Qlocker, an infamous ransomware rise in prominence after victimizing the QNAP NAS storage, uses 7-zip to move files into password-protected archives...

QLocker Ransomware

Qakbot creates a specialized phishing e-mail that incorporates an Office document in the mail content...

Qakbot:  An infamous Banking Trojan Family

Western Government operatives found to be actively conducting a counterterrorism operation for the past nine months discovered by Google as a hacking attack

Google took down the hacking attack as a counterterrorism operation in disguise

SHAREit the infamous peer-to-peer file transfer app, mostly familiar for leaking its user data and maliciously spying on them, was recently identified to be occupied with numerous patched vulnerabilities

SHAREIt: Unpatched Vulnerability Targeting To Remote Code Execution

Winnti' a cyberespionage group from the Chinese origins primarily identified for targeting software companies and political organisations worldwide, gained traction over a series of cyberattacks

Winnti or Higaisa resurrected from APT41 Backdoor

Solarwinds, a SaaS-based firm known for their IT & Network management solutions, was spotted under the radar of a manual supply chain attack.

Solarwinds Hack: Why it is not like any other cyberattack

Zerologon is the name that has been given to a vulnerability identified in CVE-2020-1472. It’s called zerologon due to the flaw in the logon process where the initialisation vector (IV) is set to all zeros all the time while an Initialisation Vector (IV) should always be a random number

Zerologon vulnerability

DHS CISA agency published a Malware Analysis Report (MAR) on October 1, 2020 released information about a malware family called SlothfulMedia

IAmTheKing and the SlothfulMedia malware family

Dragos Platform regularly detects and responds to Major ransomware outbreaks within industrial environments and maintains a report related to the attack...

EKANS Ransomware

A malware analysis report published on Monday about the composition of a virus named Taidoor.

Taidoor Malware

CLOP is a malware threat that spreads via fake software updates, trojans, cracks, unauthorized software download sources and spam emails.

CLOP Ransomware

Evil Corp, a Russian hacker group is suspected to be responsible for WastedLocker Ransomware.

WastedLocker and Evil Corp

 The Iron Liberty group
a hacker group allegedly working with the Russian government, targeting energy sectors

The Iron Liberty group

 Cerberus banking trojan, the most recent malware warning sign amid the coronavirus
pandemic and rising concerns over cybersecurity

Cereberus Banking Virus

User Datagram Protocol attack, a type of DDoS attack used by exploiters to render a target incompetent.

User Datagram Protocol

Zloader malware resurfaces amidst the pandemic and has become more evasive

Zloader malware

Dorkbot, a member of the infectious malware family that used to conduct Denial of Service (DoS) attacks

Dorkbot Malware

Amidst the Pandemic, NetWalker Ransomeware has become one of the major cyberspace threat

Our Product

Resource Library

Subscribe to Our Weekly Threat Digest

Contact Us

PRODUCT

threatspy

threatspy

SOLUTIONS

By Industry

Health Care

Health Care

Education

Education

IT & Telecom

IT & Telecom

By Role

Government

Government

CISO/CTO

CISO/CTO

DevSecops

DevSecops

RESOURCES

Threat Feed

Threat Feed

Threat Research

Threat Research

White Paper

White Paper

SB Blogs

SB Blogs

COMPANY

Our Story

Our Story

Our Team

Our Team

Career

Career

Press And Media

Press And Media

Contact Us

Contact Us

Topics

Hackers infiltrated Zola to initiate fraudulent cash transfers by accessing user...

BlackBerry researchers linked Onyx and Yashma ransomware with the Chaos ransomwa...

More than 194,000 patients were notified by Regional Eye Associates that their d...

No articles

ThreatSpy

Reinventing cyber security

Trending Tags

Cyberattack

Malware

Cryptocurrency

Healthcare

Data Breach

DeFi

Ransomware

Threat Research

FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat actor tracked under the moniker APT34, citing resemblances

Black Basta, a newly emerged name around the ransomware families, is getting popular across the masses, indicating an attempt to rebrand the previously dissolved ransomware family...

Microsoft Researchers located previously undiscovered vulnerabilities in Linux systems tracked as Nimbuspwn, if chained together, may provide elevated root access...

Popular Blogs

Call of Duty cheats turned out to be RAT malware and dropper, threat actor posted in a hacking forum

Here is some notable compilation of salient techniques that pretty much every user should be familiar with to remain vigilant against any cyber threats

90% Of Cyber Attacks Successfully Across The World, Human Errors Are Considered To Be The Prime Reason Of Their Origination.

Stay Cyber-Updated

Product

Solutions

Resources

Company

Find Us Online

[email protected]

@ Copyright 2022 Secure Blink. All rights reserved.

4th Floor, Plot No- 7-10 Sector 126, Noida, UP -201303