company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Threatspy

Solutions

By Industry

Healthcare

Education

IT & Telecom

By Role

Government

CISO/CTO

DevSecOps

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Threat Feeds

Threat Research

White Paper

SB Blogs

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

Our Story

Our Team

Careers

Press & Media

Contact Us
loading..
loading..
loading..
Loading...

Phishing

Gambling

Security

loading..
loading..
loading..

Chinese companies’ gambling rackets

It is strongly suspected by the Indian security agencies that the Chinese firms may also have been taking the wrong advantage of the Indian customers by phishin...

20-Aug-2020
2 min read

Related Articles

loading..

Spyware

CapraRAT

YouTube

Alert: Pakistan-linked threat actor, Transparent Tribe, deploys Android spyware ...

A persistent threat known as the Transparent Tribe has evolved its tactics. This Pakistani actor has been targeting military, diplomatic personnel, and, more recently, the Indian education sector. Their weapon of choice: CapraRAT, a cunning Android framework hidden within innocent-looking applications. Since 2018, this group has been employing CapraRAT for surveillance, especially concerning the disputed region of Kashmir and human rights activists in Pakistan. ## Art of Deception Transparent Tribe's method is as crafty as it is malicious. They distribute their Android apps through self-run websites, relying on social engineering to lure unsuspecting users. One disturbing instance occurred in 2023 when they disguised CapraRAT Android apps as a dating service, secretly conducting espionage. ## Unmasking the Persona: Piya Sharma One intriguing discovery was the connection between CapraRAT and a YouTube channel owned by Piya Sharma. An APK associated with this channel borrowed Piya Sharma's name and likeness. This revelation implies that the Transparent Tribe still employs romance-based social engineering to deceive targets. ## The Power of CapraRAT CapraRAT isn't your run-of-the-mill malware. It boasts an array of features that make it a potent tool for cyber espionage: - **Recording & Surveillance**: Capable of using the microphone and cameras for recording. - **Data Harvesting**: Collects SMS, multimedia messages, and call logs. - **SMS Manipulation**: Can send and block SMS messages. - **Phone Control**: Initiates phone calls and takes screenshots. - **System Manipulation**: Overrides system settings like GPS and network. - **File Tampering**: Can modify files in the phone's filesystem. ## Under the Hood: App Analysis CapraRAT disguises itself as an Android APK, with roots loosely based on the AndroRAT source code. Detailed analysis was performed on several APKs, revealing a complex web of deceptive elements: - **YouTube Masquerade**: The malware often pretends to be YouTube, requesting various permissions. - **WebView Trickery**: When launched, it loads YouTube's website within the malicious app's window, mimicking a mobile web browser. - **Key Components**: The structure and files within CapraRAT differ between APKs, but they typically include configuration files, versions, main activities, and the heart of the malware, malicious activities. ## Configuration Secrets The configuration file of CapraRAT holds valuable information, including versioning. Interestingly, the version syntax matches Transparent Tribe's Windows tool, CrimsonRAT. However, no concrete relationship between these version numbers and C2 domains was found. ## Infiltrating Devices MainActivity is responsible for driving CapraRAT's core features. It achieves persistence through the onCreate method, utilizing Autostarter, an open-source project. The TPSClient class plays a pivotal role, creating alarms to ensure continuous operation. ## Commands at Their Fingertips TPSClient is where CapraRAT's commands are invoked. A series of switch statements map string commands to specific actions. While some commands have been documented previously, newer versions reveal tweaks, such as system compatibility checks. ## Permission Check A noteworthy addition in CapraRAT's recent versions is a method called check_permissions(). This method assesses several Android permissions and generates results, indicating whether each permission is granted or denied. ## Command and Control (C2) Infrastructure The SERVERIP variable within CapraRAT's configuration file points to the C2 server. Interestingly, the C2 servers for the YouTube-themed APKs use Windows Server infrastructure. Additionally, the domains associated with these C2 servers provide intriguing insights into Transparent Tribe's activities. ## Unmasking the Threat Transparent Tribe's persistence and habits make them relatively easy to identify. Their new tactic of disguising malware as a YouTube-like app is part of a broader trend of weaponizing Android applications for espionage. Anyone connected to diplomatic, military, or activist matters in the India and Pakistan regions should be on high alert. ## Defending Against CapraRAT Security professionals and individuals alike must take proactive measures: - **Stick to Official App Stores**: Avoid installing Android applications from unofficial sources. - **Social Media Vigilance**: Be cautious of new social media apps promoted within online communities. - **Permission Scrutiny**: Always review the permissions requested by unfamiliar apps. Are they necessary for the app's function? - **Avoid Third-party Apps**: Resist the temptation to install unofficial versions of apps already on your device. ## Indicators of Compromise (IOCs) Stay vigilant by monitoring the following indicators: **File Hashes - SHA1** - Piya Sharma APK: 14110facecceb016c694f04814b5e504dc6cde61 - CapraRAT (YouTube_052647.apk): 83412f9d757937f2719ebd7e5f509956ab43c3ce - CapraRAT (yt.apk): 8beab9e454b5283e892aeca6bca9afb608fa8718 **C2 Network Communications** - newsbizshow.net - ptzbubble.shop - shareboxs.net **IP Addresses** - 95.111.247.73 - 209.127.19.241 In the ever-evolving landscape of cybersecurity, threats like CapraRAT underscore the importance of vigilance and proactive defense. Transparent Tribe's crafty tactics demand a heightened level of awareness, especially for those in sensitive roles. As the digital battlefield evolves, so must our defenses. Stay informed, stay secure.

loading..   21-Sep-2023
loading..   4 min read
loading..

Pizza Hut

Data Leak

Over One Million Customer of Pizza Hut Australia Details Compromised in a Massiv...

In what has been a troubling year for Australian citizens concerned about their personal information, another cybersecurity incident has come to attention. This time, the victims are reportedly over a million customers of Pizza Hut Australia. The threat actors behind this data breach have identified themselves as the notorious ShinyHunters threat group. ## ShinyHunters' Intrusion via Amazon Web Services ShinyHunters, under the moniker “Shiny,” claims to have infiltrated Pizza Hut Australia's systems approximately one to two months ago. Their point of entry? [Amazon Web Services](https://www.secureblink.com/cyber-security-news/defunct-marketing-firm-reindeer-exposed-32-gb-worth-of-customer-data-via-a-faulty-amazon-s3-bucket) (AWS), which they leveraged through multiple access points. What's particularly alarming is that they assert that their presence was completely undetected during this period of unauthorized access. In 2020, the ShinyHunters gang gained infamy due to a series of cyberattacks that compromised the security of over 60 companies. Among their corporate targets were online dating platforms, a service for creating photo books known as Chatbooks, and even stock-trading services. Even tech giant Microsoft wasn't spared, as the group managed to pilfer more than 500GB of source code from Microsoft's confidential GitHub repository. Despite law enforcement efforts to apprehend suspected members of this hacking group, ShinyHunters remains an ongoing concern for businesses entrusted with the critical task of safeguarding their customers' sensitive information. ## Extent of this Data Leak The scale of this breach is staggering. ShinyHunters declares that they have successfully exfiltrated more than 30 million records. Among this treasure trove of data are customer orders and information pertaining to over one million Pizza Hut Australia customers. This includes a detailed breakdown of order history, delivery preferences, and contact details. ## Evidence of this Data Breach To substantiate their claims, ShinyHunters provided DataBreaches with two sample files. The first file contained 200,000 records of customer orders, encompassing a wide array of information, such as order IDs, customer names, contact information, payment details, and even web hook URLs. This information was startlingly comprehensive. The second sample file was in JSON format and contained the personal information of 100,000 customers. It included their names, email addresses, postal addresses, mobile phone numbers, service preferences (delivery or pickup), and credit card numbers. Although the credit card data was encrypted, it is concerning that other sensitive fields were stored in plaintext. ## Geo-Verification and Demands We conducted spot checks on customer names and discovered individuals whose details matched the geographic location provided in the data samples. This corroborates the authenticity of the stolen data. ShinyHunters has issued a ransom demand, seeking $300,000.00 in exchange for deleting all the compromised data. It's worth noting that ShinyHunters is known for selling or leaking data when their demands are not met. Thus far, Pizza Hut has not responded to their extortion attempts. ## Ransom Demands and Extortion ShinyHunters' demand for a $300,000.00 ransom underscores the financial motivations behind this data leak. Organizations must develop incident response plans that include strategies for dealing with extortion attempts. Engaging with law enforcement and cybersecurity experts is crucial in such situations. ## Franchise Data Security The presence of a "StoreID" field in the data raises questions about data management within franchise models. Security professionals should work closely with franchisees to ensure consistent cybersecurity practices and data protection measures across the entire network. ## Lack of Communication The absence of any data breach notification on Pizza Hut Australia’s website is a significant oversight. Security professionals should emphasize the importance of timely and transparent communication with affected customers, regulators, and law enforcement agencies during and after a breach. ## Pizza Hut Australia's Response to the Data Breach In the wake of the data breach affecting Pizza Hut Australia, the company has taken several steps to address the situation. Let's examine their response from a cybersecurity perspective: ### Prompt Notification Pizza Hut Australia reacted promptly by notifying affected customers via email. Timely notification is a crucial component of incident response, helping individuals take necessary precautions to protect themselves from potential threats. ### Transparency and Reassurance The company's communication emphasized no evidence of personal information misuse and that the exposed data cannot directly lead to identity theft or fraud. This transparency helps mitigate panic among affected customers and demonstrates a commitment to their security. ### Data Breach Reporting Pizza Hut Australia reported the breach to the Australian Information Commissioner. This is a legal obligation in many jurisdictions and showcases the organization's commitment to complying with data protection regulations. ### Protection of Credit Card Details Pizza Hut's assurance that credit card details remain secure due to processing by an approved payment platform is reassuring. It underscores the importance of secure payment processing mechanisms as an additional layer of defense against data breaches. ### Customer Vigilance Encouraging customers to remain vigilant regarding suspicious emails, SMS messages, and phone calls is a proactive measure. Education and awareness are critical aspects of cybersecurity, as they empower individuals to identify and report potential threats. ### Scam Reporting Pizza Hut Australia advises customers to report scams to Scamwatch. This collaborative approach to combating fraud and cybercrime is commendable. It leverages established authorities to investigate and take action against threat actors. Pizza Hut Australia data breach, attributed to the ShinyHunters threat group, leaves a persistent impact experienced by fast food restaurant chains. This incident underscores the need for a comprehensive and proactive approach to cybersecurity, including: Cloud Security: Rigorous assessment of cloud infrastructure and access controls is imperative to prevent unauthorized access via cloud platforms like AWS. Data Protection: Strong encryption and hashing practices should be employed to safeguard sensitive information, especially when stored in plaintext. Incident Response: Organizations must develop robust incident response plans that encompass strategies for handling ransom demands and engaging with law enforcement. Franchise Collaboration: For businesses with franchise models, consistent cybersecurity practices and data protection measures should be enforced across the entire network. Communication: Timely and transparent communication with affected parties, regulatory bodies, and law enforcement is critical in mitigating the fallout of a data breach. As the threat landscape continues to evolve, proactive measures and a commitment to best practices are essential for organizations to protect themselves and their customers from the ever-present threat of cyberattacks.

loading..   20-Sep-2023
loading..   6 min read
loading..

ICC

Security Breach

Russia

International Criminal Court Cyberattack Unveiled: Breach, Investigation, and De...

The International Criminal Court (ICC) disclosed a cybersecurity breach last week when anomalous activity was detected within its information systems. This [Threatfeed](https://www.secureblink.com/cyber-security-news) delves into the technical intricacies of the security breach, highlighting the investigative efforts, security measures, and the potential impact on the ICC's critical functions. ## **Immediate Response and Collaborative Investigation** The ICC swiftly responded to the breach by implementing immediate measures to contain the incident and mitigate its repercussions. It's worth noting that the ICC is collaborating closely with Dutch authorities, as the Netherlands serves as the host country for the court. This collaboration underscores the importance of international cooperation in cybersecurity incidents of such gravity. The ICC expressed its gratitude for the prompt response from the host country, highlighting the critical role of coordinated efforts in addressing cyber threats at an enterprise level. This incident emphasizes organizations' need to maintain strong ties with their host countries' security apparatus. ## **Enhancing Cybersecurity Defenses: The Role of Cloud Technology** As part of its response strategy, the ICC intended to bolster its cybersecurity defenses. One notable approach is the expedited adoption of cloud technology. This decision aligns with contemporary enterprise cybersecurity trends, where cloud platforms offer enhanced security features and rapid scalability. The move towards cloud technology is not merely a reaction to the breach but a proactive step to fortify the ICC's cyber resilience. This adaptation showcases the recognition that cybersecurity is an ever-evolving field, and organizations must continuously evolve their defensive strategies to stay ahead of threat actors. ## **Nature and Extent of the Security Breach** At this juncture, critical questions arise regarding the nature and extent of the cyberattack on the ICC's systems. Regrettably, the available information does not provide clarity on whether the attackers managed to access or exfiltrate any data or files from the network. The absence of such details underscores the complexity of cyber investigations, especially in the context of high-stakes organizations like the ICC. The ICC's statement emphasizes its commitment to analyzing and mitigating the breach's impact, primarily focusing on ensuring the continuity of its core operations. This is a testament to the organization's resilience in a cybersecurity crisis. ## **ICC's Limited Disclosure** Fadi El-Adballah, the ICC's spokesperson, informed BleepingComputer that the organization cannot divulge further details or information. This cautious approach aligns with best practices in cybersecurity incident response, as sharing sensitive information prematurely could inadvertently aid threat actors. The ICC's reluctance to disclose additional details may be attributed to several factors, including ongoing investigations, potential legal implications, and the sensitivity of the information handled by the court. This approach mirrors the principles of prudent information security management within the enterprise context. ## **The ICC's Role in International Justice** Before delving into the technical aspects of the breach, it's crucial to understand the ICC's significance in international justice. The ICC is an international tribunal responsible for investigating and prosecuting the gravest offenses that impact the global community. These offenses include war crimes, genocide, and crimes against humanity. An example of the ICC's pivotal role can be seen in its issuance of an arrest warrant for Russian President Vladimir Putin in March 2023 concerning crimes related to Russia's invasion of Ukraine. This case highlights the ICC's capacity to hold even the highest-ranking officials accountable for their actions on the international stage. ## **Technical Analysis of the Security Breach** Now, let's shift our focus to the technical aspects of the breach. While the specific details are limited, we can draw upon cybersecurity expertise to speculate on potential attack vectors and strategies employed by the threat actors. ### **Attack Vector and Entry Points** To breach the ICC's systems, threat actors likely exploited one or more vulnerabilities within the organization's network. Possible entry points could include: 1. **Phishing Attacks**: Threat actors may have targeted ICC employees or affiliated personnel with phishing emails containing malicious attachments or links. Once clicked, these could lead to malware infiltration. 2. **Zero-Day Exploits**: Using undisclosed and unpatched vulnerabilities, known as zero-day exploits, is a common tactic among advanced threat actors. These exploits provide an entry point that security measures have not yet addressed. 3. **Insider Threat**: It's also essential to consider the possibility of an insider threat, where a compromised or disgruntled employee could have facilitated the breach intentionally or unintentionally. ### **Malware Deployment and Propagation** Upon gaining access, threat actors likely deployed malware to infiltrate the ICC's systems further. Common malware types include: - **Trojans**: These stealthy programs can operate undetected, granting attackers remote access and control over compromised systems. - **Ransomware**: Ransomware is a growing concern in cyberattacks. It encrypts data, rendering it inaccessible until a ransom is paid. - **Spyware**: This malicious software is designed to monitor and exfiltrate sensitive information, which can significantly threaten an organization like the ICC. ### **Data Exfiltration and Covering Tracks** If the breach involved data exfiltration, threat actors may have employed various techniques to cover their tracks and avoid detection, such as: - **Data Compression**: Compressing stolen data before exfiltration can help threat actors minimize network traffic and reduce the likelihood of detection. - **Encryption**: Encrypting exfiltrated data makes it challenging for security systems to inspect the content of outbound traffic. - **Steganography**: Concealing data within other files or using steganographic techniques can hide the exfiltration of sensitive information. ### **Evasion and Persistence** For a successful breach, threat actors often aim to establish persistence within the victim's network. They may use tactics like: - **Backdoors**: Creating hidden entry points for future access, ensuring that even if the initial breach is discovered and mitigated, they can return. - **Privilege Escalation**: Exploiting vulnerabilities to gain higher levels of access within the network, which allows for more extensive compromise. - **Data Manipulation**: Altering or deleting logs and event records to remove traces of their activities and evade detection. ## **The Ongoing Investigation and Future Implications** The ICC's collaboration with Dutch authorities is pivotal to understanding the full scope of the breach. The ICC and other organizations need to share insights and intelligence with cybersecurity experts and law enforcement agencies to prevent future attacks. As this incident unfolds, it serves as a stark reminder to all enterprises, especially those handling sensitive and international matters, to prioritize cybersecurity. Vigilance, proactive defense measures, and continuous assessment of security postures are imperative to thwart the relentless and evolving tactics of cyber threat actors.

loading..   20-Sep-2023
loading..   6 min read