#cyberattack

tresronours@parlote.facil.services

Hackers Claiming Breach of Five Eyes Intelligence Group (FVEY) Documents

A group of hackers has announced the release of sensitive documents purportedly belonging to the Five Eyes Intelligence Group (FVEY), a prominent intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States.

The United States Department of State has launched an investigation into a possible cyber attack after confidential documents, which were reportedly obtained by a malicious actor, were leaked from a government contractor.

Breach Announcement on BreachForums

The announcement was made on a forum known as BreachForums, where a user with the handle “IntelBroker” posted a message to the community.


The post, dated April 2, 2024, claims that the data was obtained by infiltrating Acuity Inc, a company alleged to work closely with the US government and its allies.

According to a recent tweet by HackManac, the alleged security breach at Acuity Inc has resulted in the exposure of highly sensitive intelligence documents belonging to the Five Eyes Intelligence Group (FVEY).

“#DataBreach Alert ⚠️ 🇺🇸 #USA: Alleged Acuity Inc breach leads to leak of sensitive Five Eyes Intelligence Group (FVEY) documents. The threat actor group consisting of IntelBroker, Sanggiero, and EnergyWeaponUser claims to have breached Acuity Inc, a federal tech consulting firm,… pic.twitter.com/qGV8IUmkT7”

— HackManac (@H4ckManac), April 3, 2024, https://twitter.com/H4ckManac/status/1775402497768628236

The hackers assert that the breach resulted in acquiring full names, emails, office numbers, personal cell numbers, and government, military, and Pentagon email addresses.

“⚠️ #BREAKING ⚠️ Allegedly, notorious threat actor IntelBroker has released National Security Documents and data. Per IntelBroker below.. #Clearnet #DarkWebInformer #Cyberattack #Cybercrime #Infosec #CTI #NSA Documents belonging to the Five Eyes Intelligence.. Compromised Data:… pic.twitter.com/I5n41utQN9”

— Dark Web Informer (@DarkWebInformer), April 2, 2024, https://twitter.com/DarkWebInformer/status/1775295354910466200

The hackers further claim that the data includes classified information and communications between the Five Eyes countries and their allies; like the rest of their claims, this had not been independently verified at the time of writing.

Implications of the Leak

If confirmed, the leak could have significant implications for national security and the operational integrity of the intelligence-sharing network.

The Five Eyes alliance is known for its collaborative intelligence gathering and analysis efforts, playing a pivotal role in global security operations.

At the time of reporting, there has been no official statement from any of the Five Eyes member countries or Acuity Inc. regarding the authenticity of the leaked documents or the extent of the breach.

The silence from official channels has led to speculation and concern among cybersecurity experts and government officials alike.

Cybersecurity agencies are likely to conduct thorough investigations to ascertain the validity of the claims made by the hackers.

The incident underscores the persistent threat cybercriminals pose to national and international security.


The post Hackers Claiming Breach of Five Eyes Intelligence Group (FVEY) Documents appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
posted by pod_feeder

tresronours@parlote.facil.services

Nemesis Market: Leading Darknet Market Seized

The infamous Nemesis Market, a leading figure in the darknet marketplace ecosystem, has been successfully seized.

This operation dismantles a major hub of illegal online trade, ranging from narcotics to stolen data, affecting thousands of users worldwide.

The Rise of Nemesis Market

Nemesis Market emerged as a dominant player in the darknet space, filling the void left by previous marketplaces that were taken down by law enforcement.


It quickly gained notoriety for its sophisticated security measures, a wide array of illicit goods, and its ability to evade the authorities.

The platform was known for trading in drugs, weapons, stolen identity data, and other illegal goods and services.

The seizure of Nemesis Market was the culmination of Operation Dark Hunt, a coordinated effort by law enforcement agencies in several countries.

The operation involved months of meticulous planning, surveillance, and collaboration between various international cybersecurity units.

Details of the operation remain classified, but sources indicate that combining cutting-edge digital forensics and traditional detective work was vital to infiltrating the market’s defenses.

The breakthrough came when investigators traced transactions to the market’s administrators, leading to their identification and arrest.

According to a recent tweet by Dark Web Informer, the Nemesis Market, one of the top five online marketplaces on the dark web, has been taken down.

“🚨BREAKING🚨 Nemesis Market, a top 5 darknet market, has been seized. #Nemesis #DarkWebInformer #DarkWeb #Cybersecurity #Cyberattack #Cybercrime #Infosec #CTI #Darknet pic.twitter.com/P22VDSo79v”

— Dark Web Informer (@DarkWebInformer), March 21, 2024, https://twitter.com/DarkWebInformer/status/1770787868975210700

The Impact on the Darknet Landscape

The takedown of Nemesis Market sends a powerful message to the darknet community: no entity is beyond the reach of the law.

This operation has significantly disrupted the supply chains of various illegal goods and services, temporarily decreasing their availability on the dark web.

However, experts warn that the void left by Nemesis Market is likely to be filled by other emerging platforms.

The dynamic nature of the darknet means that as one market falls, others rise to take its place.

Law enforcement agencies know this cycle and continuously develop new strategies to combat illegal online trade.

The Future of Cyber Law Enforcement

The successful seizure of Nemesis Market highlights the growing sophistication and international cooperation of cyber law enforcement.

Agencies are increasingly relying on advanced technology and cross-border collaborations to tackle the challenges posed by the darknet.

As the digital landscape evolves, so do the strategies of those operating within it.

The battle against illegal online marketplaces is ongoing, with both sides continuously adapting to the ever-changing environment.

The seizure of Nemesis Market is a significant milestone in the fight against darknet marketplaces.

It demonstrates the effectiveness of international law enforcement cooperation and the importance of staying ahead in the technological arms race against cybercriminals.

While challenges remain, the takedown of Nemesis Market is a testament to the global commitment to combating cybercrime and protecting citizens from the dangers of the dark web.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

The post Nemesis Market: Leading Darknet Market Seized appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
posted by pod_feeder


tresronours@parlote.facil.services

Multistage RA World Ransomware Exploits Group Policy Infrastructure

The RA World ransomware, previously known as the RA Group, has been a significant threat to organizations worldwide since its emergence in April 2023.

Focusing on the healthcare and financial sectors, the group has predominantly targeted entities in the United States while also affecting organizations in Germany, India, and Taiwan.

Industries affected by RA World ransomware based on the group’s leak site

Countries affected by RA World ransomware based on the group’s leak site

Initial Access: The Entry Point

RA World operators begin by compromising a domain controller and staging their components in the SYSVOL share path of a machine Group Policy Object (GPO). Because every host within that GPO’s scope applies machine policy at boot and on refresh, this single write point gives the attackers a built-in distribution channel across the organization’s network.

The RA World attack chain

A PowerShell script launched through Group Policy executes Stage1.exe, which implies the attackers modified the GPO’s settings to permit that action.

Placing the payload inside the Group Policy infrastructure is deliberate: it is executed on many machines during Group Policy processing without the attackers having to touch each host individually.

Lateral Movement: Spreading Across the Network

Stage1.exe first identifies and validates domain controllers, checks for the presence of specific files before continuing, and then deploys Stage2.exe across the network.

Stage1.exe checks if the conditions are met before proceeding

These conditions point to a targeted attack rather than opportunistic spread, with Group Policy as the mechanism for distributing the ransomware.

A recent analysis by the Trend Micro threat hunting team has unveiled a sophisticated multistage attack targeting healthcare organizations in Latin America. The attack showcases the group’s methodical approach to maximizing the impact of its operations.

Cyber researcher Ensar Seker also flagged the group’s expanding activity in a recent tweet.

“🚨 Cyber Alert: RA World Ransomware Expands Global Assault 🚨 1️⃣ Rapid Evolution: RA World, once known as RA Group, escalates its attack strategy, targeting healthcare sectors in Latin America with sophisticated, multistage cyberattacks. 🌎💻 #GlobalThreat #CyberAttack pic.twitter.com/DHwBUwxzMs”

— Ensar Seker (@cyberguideme), March 7, 2024, https://twitter.com/cyberguideme/status/1765707056663675164

Persistence and Defense Evasion Techniques

The attackers establish persistence by creating a new service and modifying the Boot Configuration Data (BCD) so the machine boots into Safe Mode with Networking, where only a minimal set of drivers and services start and many endpoint security agents do not load.

These actions, together with registry modifications, show how the ransomware persists and evades detection.

Once deployed, Stage3.exe encrypts data and drops a ransom note that lists recent victims who did not pay, adding public pressure to the extortion.

This stage underscores the ransomware’s ultimate goal: To coerce payment from its victims.

Anti-AV Measures and System Manipulation

RA World operators deploy scripts to disable antivirus measures and manipulate system settings, including wiping specific directories and removing Safe Mode options. This culminates in a forced system reboot.

These actions demonstrate the ransomware’s comprehensive approach to evading detection and ensuring its payload’s effectiveness.
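
The behaviours described above (a payload staged under a machine GPO in SYSVOL, Stage1.exe launched by a Group Policy PowerShell script, a new service, bcdedit changes that enable and later remove Safe Mode with Networking, and a forced reboot) all surface in process-creation telemetry. The following is an added example, not Trend Micro’s or GBHackers’ code, of detection logic run over constructed sample events; the command lines, host names and GPO GUID are assumptions about how such activity would appear, since the article quotes none.

```python
"""Detection logic for the RA World GPO abuse chain described above.

Added example, not Trend Micro's or GBHackers' code. Events are constructed
to resemble normalised process-creation telemetry (Sysmon event 1 / Security
4688); the command lines, hosts and GPO GUID are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    user: str
    parent: str   # parent image name
    image: str    # image name of the created process
    cmdline: str


# Each rule names a behaviour from the article and a command-line pattern
# assumed to represent it.
RULES = {
    # payload or script pulled from the Machine half of a domain GPO in SYSVOL
    "gpo_sysvol_machine_path": re.compile(
        r"\\\\[^\\]+\\SYSVOL\\[^\\]+\\Policies\\\{[0-9A-Fa-f-]+\}\\Machine\\", re.I),
    # boot into Safe Mode with Networking so security agents do not start
    "bcd_safeboot_network_set": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{(default|current)\}\s+safeboot\s+network", re.I),
    # clean-up step that removes the Safe Mode option again
    "bcd_safeboot_removed": re.compile(
        r"bcdedit(\.exe)?\s+/deletevalue\s+\{(default|current)\}\s+safeboot", re.I),
    # new service created for persistence
    "service_created": re.compile(r"\bsc(\.exe)?\s+create\s+\S+.*binPath=", re.I),
    # forced reboot at the end of the chain
    "forced_reboot": re.compile(r"shutdown(\.exe)?\s+.*(/r|-r)\b", re.I),
}
GP_SCRIPT_ENGINE = "gpscript.exe"          # runs GPO startup/shutdown scripts
CONTEXT = "launched_by_gp_script_engine"   # reported as context, not counted


def match_rules(event: Event) -> list[str]:
    """Names of every rule the event triggers, in RULES order, plus the
    Group Policy launch context when the parent is gpscript.exe."""
    hits = [name for name, rx in RULES.items() if rx.search(event.cmdline)]
    if event.parent.lower() == GP_SCRIPT_ENGINE:
        hits.append(CONTEXT)
    return hits


def triage(events: list[Event]) -> dict[str, tuple[str, list[str]]]:
    """Per host: verdict plus the distinct behaviours seen. A single behaviour
    (an admin's legitimate SYSVOL startup script, a bcdedit /enum) is noise;
    two or more distinct rule hits on one host escalate."""
    seen: dict[str, set[str]] = {}
    for ev in events:
        for name in match_rules(ev):
            seen.setdefault(ev.host, set()).add(name)
    verdicts = {}
    for host, names in seen.items():
        behaviours = names - {CONTEXT}
        verdict = "ransomware_staging_suspected" if len(behaviours) >= 2 else "review"
        verdicts[host] = (verdict, sorted(names))
    return verdicts


# Constructed sample events (not real telemetry); GUID and hosts are invented.
GPO = r"\\corp.local\SYSVOL\corp.local\Policies\{8F3C1E2A-0000-4000-8000-000000000001}\Machine"
SAMPLE_EVENTS = [
    Event("DC01", "NT AUTHORITY\\SYSTEM", "gpscript.exe", "powershell.exe",
          rf"powershell.exe -ExecutionPolicy Bypass -File {GPO}\Scripts\Startup\run.ps1"),
    Event("WS042", "NT AUTHORITY\\SYSTEM", "powershell.exe", "Stage1.exe",
          rf"{GPO}\Stage1.exe"),
    Event("WS042", "NT AUTHORITY\\SYSTEM", "Stage2.exe", "sc.exe",
          r'sc create MSExchangeServ binPath= "C:\Windows\Temp\Stage2.exe" start= auto'),
    Event("WS042", "NT AUTHORITY\\SYSTEM", "Stage2.exe", "bcdedit.exe",
          r"bcdedit /set {default} safeboot network"),
    Event("WS042", "NT AUTHORITY\\SYSTEM", "Stage3.exe", "bcdedit.exe",
          r"bcdedit /deletevalue {default} safeboot"),
    Event("WS042", "NT AUTHORITY\\SYSTEM", "Stage2.exe", "shutdown.exe",
          r"shutdown /r /f /t 0"),
    # benign activity that must not escalate
    Event("WS017", "CORP\\jdoe", "cmd.exe", "bcdedit.exe", r"bcdedit /enum"),
    Event("WS017", "CORP\\jdoe", "explorer.exe", "powershell.exe",
          r"powershell.exe -File C:\Scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for host, (verdict, names) in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict} {names}")
```

The domain controller only reaches "review": a GPO script launched by gpscript.exe from SYSVOL is exactly what legitimate startup scripts look like, so the Group Policy launch is kept as context and the escalation rests on the workstation combining a SYSVOL-sourced binary with service creation, the safeboot change and the reboot.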

The RA World ransom note

The leakage of Babuk ransomware’s source code has facilitated the emergence of new threat actors, including RA World.

This incident highlights the ongoing challenges in the cybersecurity landscape, where source code leaks enable less technically skilled criminals to launch sophisticated ransomware attacks.

Recommendations and Solutions for Organizations

To mitigate the risk of ransomware attacks, organizations are advised to employ best practices such as limiting administrative rights, updating security products, conducting regular backups, and educating users on potential threats.

A multi-layered security approach, including solutions like Trend Vision One™ and Trend Micro Apex One™, can significantly enhance an organization’s defense against such threats.



The post Multistage RA World Ransomware Exploits Group Policy Infrastructure appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
posted by pod_feeder

tresronours@parlote.facil.services

PetSmart warns of Active Password Cracking Attacks

PetSmart, Inc. is a renowned retail chain operating in the United States, Canada, and Puerto Rico.

It offers a comprehensive range of pet products and services such as pet supplies, grooming, training, and in-store adoptions.

PetSmart prides itself on being a trusted partner to pet parents and a dedicated advocate for pets’ well-being.

PetSmart has issued a warning regarding an uptick in password-guessing attempts on their website.

The pet retail giant reassures that there has been no breach of their systems, but the increased activity has prompted them to take precautionary measures.

Security Measures in Place

PetSmart’s vigilant security tools detected the unusual activity, which led to the company’s decision to deactivate the passwords of potentially affected accounts.


Customers will need to reset their passwords the next time they attempt to log in to petsmart.com.

The company has provided straightforward instructions for password reset:

users can click the “forgot password” link on the login page or directly navigate to www.petsmart.com/account/ to initiate the process.

A Call for Stronger Password Hygiene

The PetSmart Data Security Team emphasizes the importance of robust password practices in the face of persistent threats from online fraudsters.

These fraudsters obtain username and password pairs, typically from breaches of other services, and replay them against many unrelated sites in the hope that customers reused the same credentials, a technique known as credential stuffing. This is also why the activity does not indicate a compromise of PetSmart’s own systems.
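
The pattern just described, stolen credential pairs replayed across many accounts, has a recognisable shape in login telemetry: many distinct usernames from one source, each with only one or two failures, as opposed to a brute-force run that hammers a single account. The following added example (not PetSmart’s code) classifies constructed login records by that distinction and derives the list of accounts whose passwords should be invalidated and reset at next login, mirroring PetSmart’s response; the log format, the addresses and the thresholds are assumptions.

```python
"""Credential stuffing versus brute force in login telemetry.

Added example, not PetSmart's code. Log lines are constructed; the format
(timestamp, source IP, username, outcome) and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(line: str):
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, FMT), ip, user, outcome


def classify_sources(log_lines, window=timedelta(minutes=5), threshold=10):
    """Per source IP, look at failures inside a sliding time window.
    - one account, many failures         -> brute_force
    - many accounts, ~1-2 failures each  -> credential_stuffing (a password
      spray has the same shape; the distinguishing fact, that the pairs came
      from a third-party breach, is not visible in the log)
    - anything else over the threshold   -> mixed
    Returns {ip: (verdict, every username that ip touched)}."""
    failures = defaultdict(list)
    touched = defaultdict(set)
    for line in log_lines:
        ts, ip, user, outcome = parse(line)
        touched[ip].add(user)
        if outcome == "FAIL":
            failures[ip].append((ts, user))

    verdicts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            if len(chunk) < threshold:
                continue
            users = {u for _, u in chunk}
            if len(users) == 1:
                verdict = "brute_force"
            elif len(chunk) / len(users) <= 2:
                verdict = "credential_stuffing"
            else:
                verdict = "mixed"
            verdicts[ip] = (verdict, touched[ip])
    return verdicts


def accounts_to_reset(verdicts) -> list[str]:
    """Every account a flagged source touched, successes included: a SUCCESS
    from a stuffing source is an account takeover, so the password is
    invalidated and the customer resets it at next login."""
    return sorted({u for _, users in verdicts.values() for u in users})


def build_sample_log() -> list[str]:
    """Constructed sample, not real PetSmart telemetry. Addresses come from
    the RFC 5737 documentation ranges."""
    base = datetime(2024, 3, 5, 10, 0, 0)

    def stamp(seconds: int) -> str:
        return (base + timedelta(seconds=seconds)).strftime(FMT)

    lines = []
    # 203.0.113.7 replays 25 leaked pairs, one try each; one pair still works
    for i in range(25):
        outcome = "SUCCESS" if i == 13 else "FAIL"
        lines.append(f"{stamp(i)} 203.0.113.7 user{i:02d}@example.com {outcome}")
    # 198.51.100.9 hammers a single account
    for i in range(15):
        lines.append(f"{stamp(30 + i)} 198.51.100.9 admin@example.com FAIL")
    # a real customer mistypes twice, then gets in
    for i, outcome in enumerate(["FAIL", "FAIL", "SUCCESS"]):
        lines.append(f"{stamp(60 + i)} 192.0.2.44 carol@example.com {outcome}")
    return lines


if __name__ == "__main__":
    verdicts = classify_sources(build_sample_log())
    for ip, (verdict, users) in verdicts.items():
        print(f"{ip}: {verdict} ({len(users)} accounts)")
    print("reset:", accounts_to_reset(verdicts))
```

Per-account lockout thresholds, the classic brute-force control, never fire on the stuffing source because each account sees a single attempt; the per-source view is what catches it, and the one successful login from that source is the account that matters most.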

According to a recent tweet by Dark Web Informer, PetSmart notified its customers about the password-guessing activity via email.

“@PetSmart sent out the following email. #Ransomware #DarkWebInformer #Cybersecurity #Cyberattack #Cybercrime #PetSmart pic.twitter.com/Rib9SHtcaD”

— Dark Web Informer (@DarkWebInformer), March 6, 2024, https://twitter.com/DarkWebInformer/status/1765476096760262942

To combat this, the retailer advises customers to create strong, unique passwords for their accounts and to update them several times a year.

The use of different passwords for separate important accounts is also strongly recommended.

Understanding the inconvenience this may cause to their patrons, PetSmart extends its customer service support for any questions or concerns arising from this issue.

Customers can reach out via email at customercare@petsmart.com.

Maintaining Vigilance

PetSmart’s prompt response to the detected password-guessing attempts is part of its ongoing commitment to customer data security.

The company’s efforts to communicate with its customers about the potential risks and the steps being taken to mitigate them reflect an industry-wide push towards greater transparency and proactive security measures in the digital age.


The post PetSmart warns of Active Password Cracking Attacks appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
posted by pod_feeder

tresronours@parlote.facil.services

Heavily Obfuscated PIKABOT Evades EDR Protection

PIKABOT is a polymorphic malware family that repeatedly changes its own code, which makes it hard to recognize and lets it slip past Endpoint Detection and Response (EDR) systems.

Obfuscation, encryption, and anti-analysis techniques help the malware evade these traditional controls.

By continually restructuring itself, PIKABOT defeats signature-based detection, and EDR solutions struggle to keep pace with its changing behaviour.

Cybersecurity researchers at Elastic Security Labs recently discovered new and upgraded PIKABOT campaigns launched on February 8th.

PIKABOT is a loader widely used by threat actors to deliver additional payloads.

Technical Analysis

Elastic Security Labs identified a fresh PIKABOT sample with an updated loader, a new unpacking method, heavy obfuscation of the string-decryption routine, and other obfuscation changes.

The update suggests a new code base has been laid down for future improvements.

These changes are expected to break existing signatures and analysis tooling written for earlier versions.

PIKABOT execution flow (Source – Elastic)

PIKABOT has been quiet during the New Year but resurfaced in February, with a campaign launched on Feb 8.

ZIP archives in emails contained hyperlinks to download obfuscated Javascript.

The attackers trojanized grepWinNP3.exe, a legitimate tool, so that the loader appears benign.

Call-stack analysis in Elastic’s Detonate sandbox, using Elastic Defend’s call-stack capture, traced the point at which malicious code takes over: execution begins before offset 0x81aa7 and jumps to a memory-allocation routine at offset 0x25d84.

There were no normal process-creation calls; instead, the loader issued system calls from unbacked memory via shellcode, evading EDR products by bypassing the user-mode hooks they place on WOW64 modules.

Researchers found the PIKABOT loader’s entry at the hard-coded offset 0x81aa7. The code is heavily obfuscated, with a JMP instruction after almost every assembly line to make analysis difficult.

The loader recovers its payload from the .text section with a custom decryption routine built from bitwise operations.

The decrypted PE file is never written to disk; it is executed in memory.

This reduces the footprint on the host and improves stealth.

The stage 2 loader then initializes the PIKABOT core, which uses code and string obfuscation, NTDLL Zw APIs, and advanced anti-debugging.

The core also makes direct system calls, allowing it to bypass EDR user-land hooking and debugging.

In addition, it uses ZwQuerySystemInformation, ZwQueryInformationProcess, PEB inspection, GetThreadContext, and many other checks to detect debuggers and forensic tools.

The current version of PIKABOT core functions similarly with its previous releases.

However, there are some differences, such as a new obfuscation style, different string decryption processes, use of plain text configuration, and network communication changes (RC4 instead of AES).

This binary is somewhat less obfuscated but remains recognizable. The in-line RC4 routines that remain use legitimate-looking strings as keys.

Obfuscation is done through junk-code insertion to confuse analysts, while command execution, discovery, and process injection remain part of the core functionality.
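
The RC4 detail above (in-line RC4 routines keyed with legitimate-looking strings, and RC4 in place of AES for network traffic) is what an analyst exploits to recover strings and configuration: harvest the plain-text strings from the binary, try each as the key, and keep the one that yields printable output. The following is an added example, not Elastic’s tooling or PIKABOT’s code; the encrypted blob, the key string, the candidate list and the config layout are all constructed here.

```python
"""RC4 string/config recovery of the kind described for PIKABOT.

Added example, not Elastic's tooling or PIKABOT's code. The encrypted blob,
the key string and the candidate keys are constructed; the config layout is
invented and the addresses come from the RFC 5737 documentation ranges.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: KSA followed by PRGA XORed over data. Encryption and
    decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_text(blob: bytes, min_ratio: float = 0.95) -> bool:
    """Heuristic: a wrong RC4 key yields bytes that are printable only about
    a third of the time, so a mostly printable result marks the right key."""
    if not blob:
        return False
    printable = sum(1 for b in blob if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(blob) >= min_ratio


def recover_key(blob: bytes, candidates: list[bytes]):
    """Try each harvested string as the RC4 key; return (key, plaintext) for
    the first that decrypts to text, or None if none does."""
    for key in candidates:
        if not key:
            continue
        plaintext = rc4(key, blob)
        if looks_like_text(plaintext):
            return key, plaintext
    return None


# Constructed: a plaintext "config" encrypted under a benign-looking string,
# plus decoys of the sort an analyst would pull from the binary's string table.
KEY = b"Enhanced Key Usage Extension"
CONFIG = b"c2=203.0.113.55:8443;c2=198.51.100.12:2222;campaign=0208;sleep=60"
BLOB = rc4(KEY, CONFIG)
CANDIDATES = [b"Microsoft Visual C++ Runtime", b"CreateFileW", KEY, b"kernel32.dll"]

if __name__ == "__main__":
    found = recover_key(BLOB, CANDIDATES)
    print(found)
```

The same loop is what you would run against the sample's extracted .rdata strings; when the config format is known, replace the printable-ratio heuristic with a check for an expected prefix (here the `c2=` field) to avoid the rare false positive on short blobs.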

The Twitter user reecDeep, who specializes in malware analysis, noticed that Pikabot malware is being distributed by TA577 through HTML files.

“⚠️TA577 starts spreading #Pikabot #malware
eml>.zip>.html(link)
html files with 0 detections on Virustotal and decoy latin words
🔥staging ip:
204.44.125.68
103.124.104.76
103.124.104.22
66.63.188.19
104.129.20.167
#infosecurity #CyberAttack pic.twitter.com/0VXEGlqCjA”

— reecDeep (@reecdeep), February 26, 2024, https://twitter.com/reecdeep/status/1762081212124827948

At the time of the tweet, none of the antivirus engines on VirusTotal flagged these HTML files.


The post Heavily Obfuscated PIKABOT Evades EDR Protection appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
posted by pod_feeder

anonymiss@despora.de

Hundreds more flights cancelled in fallout from #UK air #traffic #control #failure

source: https://www.theguardian.com/world/2023/aug/29/air-passengers-face-further-delays-after-uk-air-traffic-control-failure

“Our systems, both primary and the backups, responded by suspending automatic processing to ensure that no incorrect safety-related information could be presented to an air traffic controller or impact the rest of the air traffic #system. There are no indications that this was a cyber-attack.”

So just crappy #software that was cheaply cobbled together without #security.

#technology #flight #problem #fail #economy #news #cyberattack #bug #backup

faab64@diasp.org

In another news, the headquarter and training camp oc the MKO of Iran in Albenia was raided by the police in an unusual and brutal way that led to the death of one of the senior members of the group and injury of many more with 7 in critical condition.

The head of MKO posted this tweet blaming the western governments for trying to please Iran by attacking the "protected" camp of the organization, which was built under Obama in Albania after he made an agreement with the group, Iraqi and Kurdish authorities to close "Camp Ashraf 2" in Iraqi Kurdistan.

In the last 2 years of Camp Ashraf 2 in Iraq, the group came under constant attacks by Shia militia and other Iraqis who saw them as a security risk, and some people even blame the group for helping ISIS in the early days of its movement with weapons and money to attack Iran-backed groups and interests.

The Albanian site has been a source of controversy, as many parents of young girls and boys kept in the "camp" claimed that their children were lured into the camp and have no right to move freely or leave the organization once they joined.

Several members of the group who managed to "flee" the camp mention systematic Pol Pot-like indoctrination, total separation of female and male members, including those married, and strong rules against sexual relationships and having children among the mostly middle-aged members, but also some in their 20s and 30s.

The reports from #Albania claim that they went in to "free some hostages" and put an end to ongoing cyber attacks and troll factories driven systematically by the group on social media, where some members reportedly have over 30 fake accounts on #Facebook, #Reddit, #Twitter and #Instagram.

Other sources say that it comes after mounting pressure from the Iranian government on the Albanians to close the camp and deport the #MKO members from the country.

#CampAshraf3 #Mujahedin #Rajavi #Iran #IRI #Europe #Terrorism #CyberAttack #TrollFactory #IranianOpposition #Iranpolitics #Police #EU #Obama #Iraq #Kurdistan

anonymiss@despora.de

A flock of chickens, held for #ransom — Growing #cyberattacks on #Canada's #food system threaten #disaster

Source: https://ca.finance.yahoo.com/news/safety-net-flock-chickens-held-110035438.html

Farms are now complex technical operations that use networks of remote monitors that measure soil moisture, or robotic milkers that can detect an infection in a single teat, or environmental control systems that maintain the precise indoor temperature and air filtration needs of a poultry barn. All that, theoretically, could be commandeered and held for ransom in a #cyberattack. For example, a hacker could gain control of a thermostat and threaten to turn up the heat and kill an entire flock of chickens.

#news #technology #security #agriculture #farm #problem #cybercrime #software #hacker #hack

faab64@diasp.org

Albania cuts ties with Iran

Back in July, the government websites of #Albania were knocked offline. Last month, security company Mandiant researchers revealed that Iranian hackers, working on behalf of #Tehran, were **likely** to be behind the attacks, which took out public services for hours. “These are disruptive attacks, which affect the lives of everyday Albanians who live within the #NATO alliance,” John Hultquist, Mandiant’s vice president of intelligence, told #WIRED when it published its findings.

This week, the government of Albania took the unprecedented step of cutting diplomatic ties with #Iran, accusing it of launching the #cyberattack. The country also ordered Iranian embassy staff to leave the country. “The deep investigation put at our disposal undeniable evidence that the cyberattack against our country was orchestrated and sponsored by the Islamic Republic of Iran which had involved four groups for the attack on Albania,” prime minister Edi Rama said in a statement. (Microsoft conducted the investigation for the Albanian government.)

While Iran denies the attack, the US National Security Council also said it concluded Iran was behind the attack. In a further response, the #US Department of the Treasury’s Office of Foreign Assets Control sanctioned Iran’s Ministry of Intelligence and Security and minister for intelligence. “Iran’s cyberattack against Albania disregards norms of responsible peacetime State behavior in cyberspace, which includes a norm on refraining from damaging critical infrastructure that provides services to the public,” said Brian Nelson, the undersecretary of the Treasury for #Terrorism and Financial Intelligence.

https://www.wired.com/story/la-school-district-ransomware-albania-iran-security-roundup

opensciencedaily@diasp.org

Sunrise brief: The value of net-metered solar is up for a vote in California

Also on the rise: Solar in Kentucky set to employ displaced coal workers, steps to take to mitigate cyberattack risks, net-metered solar up for a vote in nation’s largest rooftop solar market, and details emerge on what the Build Back Better program means for solar
https://pv-magazine-usa.com/2021/12/14/sunrise-brief-the-value-of-net-metered-solar-is-up-for-a-vote-in-california/
#back, #build, #cyberattack, #business, #better, #markets, #jobs, #policy