By Owais Sultan
This article will highlight some of the most significant Microsoft innovations that could make an impact in 2023 and beyond.
This is a post from HackRead.com Read the original post: Microsoft Innovations for 2023: What to Look Out for This Year

Over the past several decades, **Microsoft** has continually been a leader in computer and technological innovations. As we enter into 2023, Microsoft continues to innovate by introducing new products and services that are reshaping our lives. This article will highlight some of the most significant Microsoft innovations that could make an impact in 2023 and beyond.

**Windows 11 Updates**

Microsoft Windows 11 is the latest operating system available for PCs. With **Windows 11 version** 22H2 Microsoft has launched a new system called “Moments.” The purpose is to provide continuous innovations to Windows users.

So, instead of waiting for annual updates to the Windows system, users can experience new features every few months. The next Windows update, which is **Moments 2**, is expected to be released in February and March of 2023.

If you’re a Windows 11 user, you can expect new features like:

*   Table mode taskbar
*   System tray updates
*   More search bar options
*   Full-screen widgets panel
*   Voice access enhancements

Alongside a major user interface redesign, one other big update found inside Windows 11 is Cortana – Microsoft’s voice-activated digital assistant originally designed for mobile phones.

Users can use Cortana to quickly locate files stored or their **email client** anywhere on their machines, as well as ask questions about anything related to information found online.

Furthermore, Microsoft is planning a Moment 3 release during late spring or early summer. However, it’s too early to say what the innovations will include for this launch. On the other hand, there are rumours that the brand is considering significant improvements for laptops. There may also be some improvements to apps and the launch of the **Outlook web app**. 

One of the key advantages of upgrading to Windows 11 is its improved performance over earlier versions of the OS. This includes faster boot times, quicker app loading times, and better overall responsiveness from your PC or laptop when switching between tasks and running multiple programs simultaneously.

**Microsoft Teams for Education**

**Microsoft Teams** for Education is a digital social hub that brings apps, conversations, and content together on a streamlined platform. With this platform, educators can create collaborative classrooms and even communicate with school staff.

2023 has kicked off to a good start for the platform as Microsoft has introduced new features to make it easier for educators to organize their work.

**Jupyter Notebook Integration**

The first notable integration is that Python script files and **Python Jupyter Notebooks** can now be rendered in Teams Assignments.

Students and teachers can now distribute, edit and execute Python code on the platform. This means users don’t have to set up a separate coding environment. Help or feedback can be given under Python Notebooks to assist team members.

**Team Meetings**

Microsoft Teams has made it easier for the deaf community to communicate with team members. In Meetings, there is now a **Sign Language View option**. Hosts are able to prioritize two other videos, so they are always visible during the meeting.

When Sign Language View is activated, the video streams automatically on the right-hand side of the viewer’s screen. Sign Language View is personal to you, so it won’t affect what other team members see in the meeting.

**Quizzes or Polls**

Some teachers use quizzes or questionnaires to test their student’s knowledge of the work they’ve learned. Educators can now expand these check-ins by creating multiple questions under one poll.

Additionally, teachers can add images to polls to help students process questions. Students can select these images to enlarge them in a new browser for better visibility.

**Parent Meetings**

Some parents can’t travel to meet teachers regularly. So to save time, there is a parent meetings scheduler that allows for improved communication between educators and parents. Educators can create individual profiles for each student’s parent or guardian. The teacher can then schedule meetings at times that are convenient for all parties involved.

**Microsoft Forms**

Microsoft has made several improvements to Forms. Most notably, there is a change in cover page designs and more ways to distribute your forms. So if you want to design a survey or a registration form, you now have more options to design your cover pages.

With regards to form distributions, you can now send your forms through multiple channels **like Facebook**, Twitter, Teams, or through QR codes.

Users can also add images as an answer in **Microsoft Forms**. This feature is available to all Business and Education accounts. You can also create multi-question polls to collect valuable data from your audience. Create multiple polls and then schedule them at different times during your meetings.

**Final Thoughts**

Microsoft is constantly creating new and innovative ways to improve technology for users. This makes it easier for people to run businesses or collaborate on large projects. It’s going to be an exciting year for Microsoft users, especially for those who use Teams regularly.

Those who use Windows 11 operating systems can expect regular updates and added features throughout the year. These updates can improve device performance and boost productivity. Keep an eye out for more Microsoft innovations to come in 2023.

1.  Will Microsoft add Android support to Windows 10?
2.  Microsoft patent reveals chatbot to talk to dead people
3.  Microsoft Windows PCs protection with Pluton security chip

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Microsoft Innovations for 2023: What to Look Out for This Year

By Deeba Ahmed
According to T-Mobile, the data breach occurred in November of 2022, but the company only discovered the incident in January of 2023.
This is a post from HackRead.com Read the original post: T-Mobile Hacked Again: 37 Million Accounts Compromised

The compromised T-Mobile customers’ data includes names, dates of birth, email addresses, billing addresses, and more.

The telecom giant **T-Mobile** has been hacked again. On Thursday, T-Mobile published a regulatory filing stating that a threat actor managed to access the data of millions of its current customers.

The data breach occurred in November 2022. According to T-Mobile Inc., the breach was discovered on January 5th, 2023 after which law enforcement officials were informed. The company also contacted cybersecurity consultants.

This should not come as a surprise, since T-Mobile has a history of suffering large-scale data breaches. **In April 2022**, Lapsus$ hackers stole and sold T-Mobile’s source code along with its system’s data. **In December 2021**, T-Mobile suffered a data breach that exposed its customers to SIM-SWAPPING attacks.

**In August 2021**, a hacker sold 200 million T-Mobile customers’ account info on the dark web. Then, **in January 2021**, T-Mobile announced yet another security breach in which the company exposed user call records and phone numbers. _**The list of T-Mobile data breaches goes on and on…**_

As for the latest breach, T-Mobile claims the hacker had gained access to the data by November 25th, 2022, after which the company initiated efforts to halt the malicious activity.

T-Mobile says it hired an external **cybersecurity team** to probe the incident, and eventually, they discovered the source of the breach one day after discovering the attack. The breach impacted 37 million of its customers, while the accessed data includes the following:

1.  Names
2.  Dates of birth
3.  Email addresses
4.  Billing addresses
5.  T-Mobile account numbers
6.  Details on service subscription.

The data that wasn’t accessed includes Social Security numbers, government ID numbers, credit card information, passwords, PINs, and financial data.

However, cybersecurity experts believe this information is relatively easy to obtain, given that hackers can use the available data to launch scams and steal the impacted customers’ identities or funds.

T-Mobile didn’t mention what it would do to address the situation. The company noted that the breach would significantly affect it financially.

According to the **filing**, T-Mobile has begun notifying its customers whose information has been disclosed in this breach. It stated that the investigation is still underway, but they believe the threat has been mitigated, and its systems and network weren’t hacked.

 “Protecting our customers’ data remains a top priority. We will continue to make substantial investments to strengthen our cybersecurity program,” T-Mobile stated in its filing.

1.  Hackers Breach TPG Telecoms’ Email Host to Steal Data
2.  Spanish telecom MasMovil hit by Revil ransomware gang
3.  Onyx Fms: Monitor & Prevent Telecom Fraud In Real-time
4.  Croatian Police arrests minor over A1 Telecom data breach
5.  Australia’s 2nd-largest telecom firm suffered massive breach
6.  Telecom firm behind routing SMS discloses 5-year-long breach

T-Mobile Hacked Again: 37 Million Accounts Compromised

By Waqas
The researchers managed to create the Polymorphic malware by bypassing the content filters in ChatGPT by using an authoritative tone. 
This is a post from HackRead.com Read the original post: OpenAI’s ChatGPT Can Create Polymorphic Malware

Polymorphic malware typically works by altering its appearance with each iteration, making it difficult for antivirus software to recognize.

CyberArk’s cybersecurity researchers have shared details on how the **ChatGPT** AI chatbot can create a new strand of polymorphic malware.

According to a technical blog authored by Eran Shimony And Omer Tsarfati, the **malware created by ChatGPT** can evade security products and complicate mitigation efforts with minimal effort or investment from the attacker.

In addition, the bot can create highly advanced malware that doesn’t contain any malicious code at all, which would make it hard to detect and mitigate. This can be troubling, as hackers are already **eager to use ChatGPT** for malicious purposes.

**What is Polymorphic Malware?**

Polymorphic malware is a type of malicious software that has the ability to change its code in order to **evade detection by antivirus programs**. It is a particularly powerful threat as it can quickly adapt and spread before security measures are able to detect it.

Polymorphic malware typically works by altering its appearance with each iteration, making it difficult for antivirus software to recognize.

Polymorphic malware functions in two ways: first, the code mutates or alters itself slightly during each replication so that it becomes unrecognizable; second, the malicious code may have encrypted components which make the virus harder for antivirus programs to analyze and detect.

This makes it difficult for traditional signature-based detection engines—which scan for known patterns associated with malicious software—to identify and stop polymorphic threats from spreading.

**ChatGPT and Polymorphic Malware**

Explaining how the malware could be created, Shimony and Tsarfati wrote that the first step is bypassing the content filters that prevent the chatbot from creating malicious software. This is achieved by using an authoritative tone.

The researchers asked the bot to perform the task using multiple constraints and to obey, after which they received a functional code.

They further noted that the system didn’t use its content filter when they used the API version of ChatGPT instead of the web version. Researchers couldn’t understand why this happened. However, it made their task easier since the web version couldn’t process complex requests.

Image credit: CyberArk

Shimony and Tsarfati used the bot to mutate the original code and successfully created its multiple unique variations.

“In other words, we can mutate the output on a whim, making it unique every time. Moreover, adding constraints like changing the use of a specific API call makes security products’ lives more difficult,” researchers **wrote**.

They could create a polymorphic program by continuous creation and mutation of injectors. This program was highly evasive and hard to detect. Researchers claim that by using ChatGPT’s capability of generating different persistence techniques, malicious payloads, and anti-VM modules, attackers can develop a vast range of **malware**.

They didn’t determine how it would communicate with the C2 server, but they were sure this could be done secretly. CyberArk researchers plan to release some malware source code for developers to learn.

The malware, ChatGPT, and the C&C (Image credit: CyberArk)

“As we have seen, the use of ChatGPT’s API within malware can present significant challenges for security professionals. It’s important to remember, this is not just a hypothetical scenario but a very real concern.”

1.  AI-based Model to Predict Extreme Wildfire Danger
2.  Website uses AI to create utterly realistic human faces
3.  Microsoft patent reveals chatbot to talk to dead people
4.  This AI Can Generate Unique and Free Bored Ape NFTs
5.  AI-Powered Smart Glasses Give Deafs Power of Speech

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

OpenAI’s ChatGPT Can Create Polymorphic Malware

By Habiba Rashid
According to PayPal, hackers managed to access the personal information of 34,942 users; however, no transactions were performed from the breached accounts.
This is a post from HackRead.com Read the original post: PayPal Notifies 35,000 Users of Data Breach

PayPal claims that this was not a result of a breach in its systems, since no evidence suggests that the user credentials were obtained directly from them.

On Thursday, January 19th, 2023, **PayPal** began contacting nearly 35,000 users with a data breach notification, explaining that their accounts had been hacked between December 6th and 8th, 2022.

The company was able to detect and mitigate the attack as soon as it occurred, but the conclusive investigation was not finished until December 20th, 2022. At this point, they confirmed that the hackers had gained unauthorized access to the accounts using valid credentials.

PayPal claims that this was not a result of a breach in its systems, since no evidence suggests that the user credentials were obtained directly from them.

The hackers were able to access the accounts by using credential stuffing, whereby pairs of usernames and passwords sourced from data leaks are tried on various websites. With the help of bots, lists of credentials are inserted into login portals for various services. Users who employ the same password for multiple online accounts, known as password recycling, are most prone to credential-stuffing attacks.

According to the data breach notification by PayPal, 34,942 users have been affected by the incident. While unauthorized third parties had access to the accounts, they could view the following information about the account holders:

*   Full names
*   Dates of birth
*   Postal addresses
*   Social security numbers
*   Individual tax identification

According to Bleeping Computer’s **report**, transaction histories, connected credit or debit card details, and PayPal invoicing data are all accessible through the accounts, as well.

Screenshot: Bleeping Computer

PayPal claims to have taken quick action to limit the hackers’ access to the platform by resetting the passwords of all the affected accounts. Impacted users will receive a free, two-year identity monitoring service from **Equifax**.

PayPal further confirmed that the attackers did not attempt or manage to perform any transactions from the breached accounts.

> “We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account.”
> 
> PayPal

In a conversation with Hackread.com, Jasson Casey, CTO at Beyond Identity said that “It’s no wonder the Verizon Data Breach Report 2022 found credentials were the most likely form of data to be compromised in both the US (66%) and EMEA (67%).

“If a threat actor can access legitimate credentials – even if they’re dumped in a dark web repository – they are only a few short, and in most cases, automated steps away from a successful intrusion,” Jasson added.

The CTO praised PayPal for its quick response and for mitigating the attack, but questioned whether merely changing passwords is the solution. “In this incident, the company is doing the best it can for its customers – strongly recommending they change their passwords. But passwords – whether unique or complex – are fundamentally flawed. More than 80% of data breaches are the direct result of passwords, with threat actors deploying compromised credentials in the first phase of their attack,” Jasson said.

**How to secure your PayPal account**

PayPal accounts are a great way to shop online and make payments, but this incident highlights the fact that they can also be **vulnerable to hackers**. It is important that PayPal users take steps to protect their accounts and personal information from potential theft.

To prevent unauthorized access, it is essential that PayPal users create a strong password with at least 8 characters and include a mix of numbers, symbols, upper-case letters, and lower-case letters.

It’s also recommended that users change the password periodically. Additionally, two-factor authentication **(2FA)** should be enabled on the account so that any suspicious activity will have an extra layer of security before it can be completed. Finally, users should check their accounts regularly for unusual activity or unauthorized transactions.

Using these tips can help ensure your PayPal account remains secure against potential threats or breaches.

1.  PayPal rejects account takeover vulnerability report
2.  Microsoft, PayPal & Facebook most phished brands
3.  Ransomware sends PayPal phishing link in ransom note
4.  Android malware found stealing its victims’ PayPal funds
5.  PayPal’s TIO Networks breach affects millions of customers

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

PayPal Notifies 35,000 Users of Data Breach

By Waqas
The ad fraud was discovered while the researchers were investigating an iOS application that had been heavily impacted by an app spoofing attack.
This is a post from HackRead.com Read the original post: Massive Ad Fraud Scheme Shut Down: 11 Million Phones Targeted

Dubbed VASTFLUX, the ad fraud had 1,700 apps spoofed, targeting 120 publishers on 11 million devices with 12 billion ad requests per day.

The cybersecurity researchers at HUMAN Security Inc. have announced the takedown of a sophisticated, organized, and large-scale ad fraud operation dubbed VASTFLUX.

HUMAN Security is among the world’s leading firms offering advanced defences against digital attacks. Previously, the company reported large-scale scams involving iOS and Android devices, such as **Scylla**, **PARETO**, **Methbot,** and **3ve**.

VASTFLUX is a combination of two terms that reflect its functionality. VAST represents the Digital Video Ad Serving Template exploited in this operation. The name Flux is inspired by the Fast Flux concept, which is an evasion tactic used by cybercriminals.

Team Satori from HUMAN discovered the operation when investigating an iOS application, which was heavily impacted by an **app spoofing attack**.

The researchers found it a highly sophisticated scheme in which cybercriminals exploited the limited signal available to the verification partners in their targeted environment, including in-app advertising mainly on iOS.

The ad fraud later evolved into spoofing bids on a particular platform to make them appear on another platform. This made cross-platform attacks impossible to deter. HUMAN worked with its partners in the HUMAN Collective to obtain further information into the fraud’s traffic volumes and verification tags used on their ads.

The team deployed three mitigation methods within two weeks to protect users from VASTFLUX before taking it down.

**Targeted Entities**

According to a **blog post** shared by HUMAN with Hackread.com, the fraudulent operation accounted for over 12 billion fake ad requests per day and affected around 11 million devices by running ads within apps. For this purpose, the perpetrators spoofed 1,700 apps targeting around 10 publishers.

This is HUMAN’s Satori Threat Intelligence and Research Team’s highest per day volume of an operation uncovered by this team. It even eclipsed Human’s previously discovered peak volumes in high-profile disruptions. This includes PARETO, Methbot, and 3ve.

**How Did the Attack Work?**

The attackers injected malicious **JavaScript code into digital ads**, which let fraudsters stack dozens of video ads upon each other and register views for ads that the user couldn’t see. HUMAN shut down this operation via a private takedown effort and protected the programming advertising ecosystem. However, the company is still monitoring its operations.

Malicious JS code (Credit: Satori Threat Intelligence and Research Team)

The company’s CISO, Gavin Reid, stated that VASTFLUX was a “technically impressive and incredibly concerning” operation because the fraudsters hijacked impressions of authentic apps, making it difficult for users to feel suspicious.

“Orchestrating a private takedown of this magnitude and severity is no small feat, and I want to take a moment to thank all involved, including the HUMAN Satori Threat Intelligence and Research Team, the team at clean.io and the industry leaders who make up The HUMAN Collective who are dedicated to making the programmatic ecosystem safe and HUMAN,” Reid said.

1.  Shazam flaw exposed location of Android, iOS users
2.  SolarWinds hackers exploited 0-day to hack iPhones
3.  European Spyware Vendor selling iOS Device Exploits
4.  Malicious SDK spying, defrauding users with iOS apps
5.  Facebook removes accounts for spreading iOS malware

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Massive Ad Fraud Scheme Shut Down: 11 Million Phones Targeted

By Habiba Rashid
Anatoly Legkodymov, a Russian national and the owner of Bitzlato Ltd., was arrested in Miami Tuesday night.
This is a post from HackRead.com Read the original post: Founder of Bitzlato Exchange Arrested for ransomware, $700 mln Fraud

According to the DoJ, Bitzlato failed to meet U.S. regulatory safeguards, including anti-money laundering requirements, and enabled criminals to profit from their wrongdoing, including ransomware and drug trafficking.

Anatoly Legkodymov, the owner of Bitzlato Ltd., was arrested in Miami on Tuesday night for his alleged operation of helping to process over $700 million in illicit funds, according to the indictment unsealed on Wednesday. 

The Department of Justice stated that Bitzlato failed to meet U.S. regulatory safeguards, including anti-money laundering requirements, and enabled criminals to profit from their wrongdoing, including ransomware and drug trafficking,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division.

The 40-years-old Russian National, a resident of Shenzhen, People’s Republic of China, oversaw the exchange in Hong Kong, Bitzlato. He was expected to be arraigned Wednesday afternoon in the U.S. District Court for the Southern District of Florida. 

Bitzlato’s business flourished in its absence of required identification from users. Customers did not have to submit any proof of identity such as selfies or passports and in the few cases where it did direct users to submit identifying information, they were able to get away by providing information belonging to “straw man” registrants. 

The company often conducted business with its counterpart, the $5.2 billion Hydra Market, world’s largest and longest running dark web marketplace. **Hydra was seized and shut down in April 2022** for sale of drugs, stolen financial information, fraudulent identification documents, and money laundering services.

“Today’s actions send the clear message: whether you break our laws from China or Europe – or abuse our financial system from a tropical island – you can expect to answer for your crimes inside a United States courtroom,” Deputy Attorney General Lisa Monaco said in a **press release**.

The arrest was a result of a joint effort by the federal law enforcement agencies and European partners to push back against international cryptocurrency schemes and illegal transactions. They are determined to crack down specifically on the activities of Chinese- and Russian-based companies and people operating in the unregulated corners of cyberspace.

Legkodymov could face charges of up to five years in prison if convicted; however, it is not yet known whether he has retained a lawyer.

Five other Russian and Ukrainian nationals were also arrested in Spain, Portugal and Cyprus in connection with the investigation which revealed that in the encrypted internal company communications, Legkodymov and other executives were aware the exchange was trafficking in “dirty money,” including deposits made by drug dealers. 

1.  Nabbed: 106 involved in SIM swapping, money laundering
2.  SEC charges dark web user of insider trading, money laundering
3.  DeepDotWeb admin pleads guilty to money laundering, kickbacks
4.  BTC-e exchange’ owner arrested over money laundering accusation
5.  Crypto tumbler BestMixer.io seized for large-scale money laundering

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Founder of Bitzlato Exchange Arrested for ransomware, $700 mln Fraud

By Deeba Ahmed
These packages were uploaded between the 7th and 12th of January 2023 with the names "colorslib," "httpslib," and "libhttps."
This is a post from HackRead.com Read the original post: Malicious PyPI Packages Drop Malware in New Supply Chain Attack

The malicious packages were uploaded by a threat actor using the alias “Lolip0p,” who dropped info-stealing malware on targeted devices.

Fortinet FortiGuard Labs’ researchers have discovered three **malicious PyPI repositories**. According to their analysis, these packages are designed to infect compromised devices with malware.

For your information, PyPI (Python Package Index) is the world’s most widely used repository for Python packages used by software developers building projects. Threat actors often use malicious packages against Python developers. **Just a couple of months ago**, malicious packages were found swapping out the crypto addresses of Python developers.

Further probe revealed that the packages were uploaded by a threat actor using the alias Lolip0p. The rogue packages contain code that **drops info-stealing malware** on the developer’s device.

**According to** researchers, these packages were uploaded between 7th and 12th January 2023 with the names’ colorslib’ versions 4.6.11 and 4.6.12, ‘httpslib’ versions 4.6.9 and 4.6.11, and ‘libhttps’ version 4.6.12.

However, all malicious packages were removed from the PyPI on January 17th, 2023 after Fortinet tipped them. However, by that time, the packages had been downloaded more than 550 times. Pepy.tech, a PyPI package stat counting service, broke down the download count of these packages by the time these were removed.

*   Colorslib – 248 downloads
*   httpslib – 233 downloads
*   libhttps – 68 downloads

Moreover, the threat actors can reupload them later if they want to. Hence, the threat isn’t over yet. These modules contain similar setup scripts created to invoke PowerShell and execute a malicious binary titled Oxzy.exe, which is also distributed as a free Discord Nitro generator. This file is hosted on **Dropbox**. When this executable is launched, another binary titled update.exe is retrieved, which runs the Windows temporary folder stored at (“%USER%\\AppData\\Local\\Temp\\”).

This second file contains an information stealer that can also drop additional binaries. Microsoft reports that one of these binaries is Wacatac. The trojan can perform numerous actions, such as launching ransomware and different payloads.

The creator of these packages has made them appear legitimate and harmless by including a “convincing project description,” stated Fortinet researcher Jin Lee. But these packages actually download and run the malicious binary executable.

Users must exercise caution when downloading/running packages from unreliable sources to evade **supply chain attacks**.

1.  Gentoo Linux on Github hacked; repositories modified
2.  GitHub fixes critical flaw that exposed repositories to attackers
3.  Thousands of GitHub Repositories Cloned in Supply Chain Attack
4.  6 official Python repositories plagued with cryptomining malware
5.  Typosquatting used in trojanizing 700 libraries in Ruby Repository

Malicious PyPI Packages Drop Malware in New Supply Chain Attack

By Deeba Ahmed
Using this decryptor, BianLian victims can retrieve their encrypted data for free and avoid paying the ransom to the attackers.
This is a post from HackRead.com Read the original post: Avast Releases Free Decryptor for BianLian Ransomware

The BianLian Ransomware group targets organizations around the world, with a prime focus on Australia, the United States, and the United Kingdom.

Cybersecurity firm Avast’s analysts have released a decryptor for the dangerous BianLian ransomware, which first surfaced in August 2022. Using this decryptor, BianLian victims can retrieve their encrypted data for free and avoid paying the ransom to the attackers.

Most of the victims of BianLian ransomware belonged to industries, including healthcare, energy, media, and manufacturing. Organizations worldwide were targeted with ransomware, mainly in the UK, the USA, and Australia.

**Malware Analysis**

According to Avast’s analysis, the malware operators used the Go programming language to improve its operational capabilities and make it difficult to detect. One of the unique features of BianLian ransomware is the concurrency that allows it to encrypt the data quickly.

Furthermore, it can self-delete itself when the encryption is complete. This is where Avast’s decryptor faces a big challenge. The problem is that the decryptor can restore files that the ransomware’s known variant has encrypted.

“For new victims, it may be necessary to find the ransomware binary on the hard drive; however, because the ransomware deletes itself after encryption, it may be difficult to do so,” Avast cybersecurity analysts wrote in their **report**.

The BianLian executable is around 2MB in size. It primarily targets Windows systems and uses a novel encryption technique that divides the files into chunks to encrypt them at a higher speed and prevent detection before the encryption is complete. 

**How BianLian Attack Works?**

Initial access is gained via the **ProxyShell vulnerability chain**, after which the operators deploy a webshell or a lightweight remote access tool. The ransomware may also **exploit SonicWall VPN devices**.

After the ransomware is executed, it searches for disk drives and all files. Then, the ransomware starts encrypting the files with extensions that match the 1,013 extensions hardcoded into its binary and attaches the extension .bianlian to the files. It is worth noting that the malware encrypts data only in the file’s middle, not the beginning or the ending.

When the process is complete, the malware drops a ransom note titled “Look at this instruction.txt” in every folder on the system, informing the victim they have been hit with ransomware and should contact the attacker to restore their data. They can contact the attacker via email or an encrypted messaging app. The attacker also warns them to publish the stolen data if they don’t pay the ransom within ten days.

The BianLian attackers also warn victims of double extortion, claiming that they’ve stolen data and will publish it if they don’t receive a ransom payment within ten days.

Ransomware note of the BianLian Ransomware gang

It is yet known who’s operating the BianLian campaign, but Avast researchers believe the operators are a skilled, aggressive group but a novice in the ransomware domain. Moreover, they suspect the operators aren’t from a **defunct group like Conti**. So far, its leak sites feature 23 victims.

1.  Free Decryptor to LockerGoga Ransomware Victims
2.  Victim releases decryption keys for Mushtik ransomware
3.  Decryptor key for Sodinokibi, REvil ransomware released
4.  Free decryptor for Hakbit and Jigsaw ransomware released
5.  Decryptor for the Ransomware to Exploit Telegram Released

Avast Releases Free Decryptor for BianLian Ransomware

By Deeba Ahmed
The campaign is active, and currently, threat actors are targeting victims with NjRAT (also known as Bladabindi) in the Middle East and North Africa.
This is a post from HackRead.com Read the original post: Threat Actors Spreading NjRAT in New “Earth Bogle” Campaign

Threat actors may be using platforms such as Discord, Facebook, OneDrive, and others to spread the NjRAT, believe Trend Micro researchers.

Trend Micro researchers have discovered a currently active campaign dubbed Earth Bogle, in which threat actors are distributing **NjRAT (aka Bladabindi)**. Their targets are victims in the Middle East and North Africa.

**Findings Details**

According to Trend Micro’s research, the attackers are luring users through geopolitical-themed scams to deliver the notorious NjRAT or Bladabindi malware. The victims of this campaign are mainly located in the Middle East and Africa.

According to Trend Micro researchers Peter Girnus and Aliakbar Zahravi, the attackers use public cloud storage services like files.fm and failiem.lv for **hosting malware** distributed through compromised web servers. Reportedly, the campaign has been active since mid-2022.

(Image: Trend Micro)

**How Does the Attack Work?**

The threat actors use a malicious document hidden inside the Microsoft CAB (Cabinet) archive is masqueraded as a sensitive audio file. The title of this file is created cunningly to represent some geopolitical theme so that the targets feel compelled to open it. For instance, one of the files had this title: “A voice call between Omar, the reviewer of the command of Tariq bin Ziyad’s force, with an Emirati officer.cab.”

The malicious file is distributed on social media platforms like Discord and Facebook or sharing platforms such as OneDrive. It is also delivered via **phishing emails**.

The CAB file has an obfuscated Virtual Basic Script (VBS) dropper that executes the attack’s next step. After the CAB file is downloaded, the VBS script fetches the malware from a compromised or spoofed host and retrieves a PowerShell script that injects NRAT into the victim’s device.

(Image: Trend Micro)

In their **blog post**, researchers noted that the lure files used in the Earth Bogle campaign’s detection rates on Virus Total were surprisingly low, which allowed the attackers to stay undetected and the campaign to stay active. The dropper maintains persistence on the compromised system by the addition of a specific directory to the startup key.

**What is NjRAT?**

NjRAT is a remote access trojan malware that was first detected in 2013. The malware was used to gain unauthorized control/access to infected computers. So far, it has been used in **cyberattacks targeting Middle Eastern users and organizations**.

To prevent infection, cloud infrastructure users and operators must augment their systems’ security.

“Users should be wary of opening suspicious archive files such as CAB files, especially from public sources where the risks of compromise are high. Security teams should be aware of the dynamic nature of conflict zones when considering a security posture,” researchers noted.

1.  Fake ransomware attack infects PCs with StrRAT
2.  ToxicEye RAT hits Telegram app to spy, steal data
3.  Hacker Arrested for Selling Imminent Monitor RAT
4.  Konni RAT variant hits Russia in new attack campaign
5.  Fake WHO COVID-19 Safety Emails Drop Nerbian RAT

Threat Actors Spreading NjRAT in New “Earth Bogle” Campaign

By Habiba Rashid
In total, 18,000 customers of Nissan North America, Inc. had their personal information exposed to the public by a third-party developer.
This is a post from HackRead.com Read the original post: Third-Party Firm Exposes Personal Info for Nissan Customers

The incident took place in June 2022, but the full impact of it was only uncovered on September 26, 2022.

Nissan North America, Inc. experienced a data breach affecting roughly 18,000 customers on June 21, 2022, but the incident was not fully uncovered until September 26, 2022. This was revealed in a breach notification published by the Office of the Maine Attorney General.

This incident should not come as a surprise since **in January 2021**, Nissan exposed 20 GB worth of data assets belonging to Nissan North America. What’s worse, the automotive giant used “admin” as the username and password for the exposed repository.

**In December 2017**, Nissan’s operations in Canada were hit by a cyber attack in which personal data of 1.13 million Nissan Canada Finance were compromised.

As for the recent data exposure, the incident took place because personal information belonging to thousands of Nissan customers was provided to a third-party developer for software testing.

However, they ended up temporarily storing the data in a cloud-based public repository. On 21st June, **Nissan** was informed that this data had been inadvertently exposed by the services provider. 

“During our investigation, on 26th September 2022, we determined that this incident likely resulted in unauthorized access or acquisition of our data, including some personal information belonging to Nissan customers. Specifically, the data embedded within the code during software testing was unintentionally and temporarily stored in a cloud-based public repository.”

The exposed data included personal information such as names, birth dates, and NMAC account numbers related to vehicle financing. Nissan confirmed that the breach did not include Social Security numbers or credit card information. 

“Upon learning of this issue, we immediately ensured that the third-party provider contained the threat by disabling all unauthorized access to the data, and we commenced a prompt and thorough investigation,” Nissan says.

“We worked with the third-party service provider to assure that it takes steps to prevent events like this in the future. As part of our investigation, we worked very closely with external cybersecurity professionals experienced in handling these types of complex security incidents.”

Despite no evidence of the exposed data being misused, the possibility of it being shared online on hacker forums cannot be ruled out. Large amounts of personal information allow hackers to target customers with convincing phishing messages and elicit more information.

1.  How Hackers Can Remotely Unlock/Start Honda Cars
2.  100,300 CityBee users’ login credentials leaked online
3.  Automotive Industry Exposed to Major API Vulnerabilities
4.  Nissan Leaf Maybe At Threat Because of Vulnerable APIs
5.  App Flaw Allowed Nissan Cars Hack by Knowing VIN number

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Source

HackRead