QNAP Ransomware: Thousands Infected with DeadBolt

Read Time:1 Minute, 26 Second

QNAP Ransomware: Thousands Infected with DeadBolt

Thousands of QNAP users have been infected by a new ransomware variant flagged by the network-attached storage (NAS) vendor last week, according to a security vendor.

Taiwan-headquartered QNAP said last week that customers should urgently upgrade their systems to the latest version of its QTS operating systems and take steps to disconnect devices from the internet to mitigate the campaign.

Dubbed “DeadBolt,” the new ransomware variant demands a 0.03 Bitcoin ($1100) payment in return for a decryption key.

“This is not a personal attack,” reads the notice. “You have been targeted because of the inadequate security provided by your vendor (QNAP).”

Inventory firm Censys last week claimed there were around 5000 such devices impacted by the ransomware, although this is out of a total of 130,000 globally.

Interestingly, the vendor observed that the number fell sharply between January 26 and 27.

“Overnight, the number of services with the DeadBolt ransomware dropped by 1061, down to a total of 3927 infected services on the public internet,” it wrote.

“The exact reason for this drop is unknown at the moment, and we are continuing to monitor the situation. But earlier today, Malwarebytes reported that QNAP released a forced automatic update for their Linux-based operating system called QTS to address the vulnerability. This update reportedly removed the ransomware executable and reverted the web interface changes made by the ransomware.”

QNAP’s extorters had given it the opportunity to pay a flat rate of 50 BTC ($1.8m) to decrypt all customer data, but it does not appear to have acceded to these demands.

Some users have reported that decryption keys they were given following payment did not work.

Read More

Latest Proof of Concept Details How iOS Malware May Snoop on Our Devices

Read Time:6 Minute, 26 Second

Smartphones have become such an integral part of our lives that it’s hard to imagine a time when we didn’t have them. We carry so much of our lives on our devices, from our social media accounts and photos of our pets to our banking information and home addresses. Whether it be just for fun or for occupational purposes, so much of our time and attention is spent on our smartphones. 

Because our mobile devices carry so much valuable information, it’s important that we stay educated on the latest cyber schemes so we can be prepared to combat them and keep our data safe.  According to Bleeping Computer1, researchers have developed a trojan proof of concept tool that fakes a shutdown or reboot of iPhones, preventing malware from being removed and allowing hackers to secretly snoop on microphones and cameras.  

Let’s dive into the details of this technique.  

How “NoReboot” allows hackers to spy on a device 

Typically, when an iOS device is infected with malware, the solution is as simple as just restarting the device. However, with this new technique researchers are calling “NoReboot,” ridding a device of malware is not quite as simple. 

“NoReboot” blocks the shutdown and reboot process from being carried out, preventing the device from actually restarting. Without a proper shutdown and reboot, a malware infection on an iOS device can continue to exist. Because the device appears to be shut off with a dark screen, muted notifications, and a lack of response, it is easy to assume that the device has shut down properly and the problem has been solved. However, the “NoReboot” technique has only simulated a reboot, allowing a hacker to access the device and its functions, such as its camera and microphone. If a hacker has access to these functions, they could record the user without their knowledge and potentially capture private information.  

This attack is not one that Apple can fix, as it relies on human-level deception rather than exploiting flaws found on iOS. That’s why it’s important that we know how to use our devices safely and stay protected. 

How to know if your smartphone has been hacked 

As previously mentioned, smartphone usage takes up a big chunk of our time and attention. Since we are so often on these devices, it is usually fairly easy to tell when something isn’t working quite like it is supposed to. While these things could very well just be technical issues, sometimes they are much more than that, such as malware being downloaded onto your smartphone. 

Malware can eat up the system resources or conflict with other apps on your device, causing it to act oddly. 

Some possible signs that your device has been hacked include: 

Performance issues 

A slower device, webpages taking way too long to load, or a battery that never keeps a charge are all things that can be attributed to a device reaching its retirement. However, these things may also be signs that malware has compromised your phone. 

Your phone feels like it’s running hot 

Malware running in the background of a device may burn extra computing power, causing your phone to feel hot and overheated. If your device is quick to heat up, it may be due to malicious activity. 

Mysterious calls, texts, or apps appear 

If apps you haven’t downloaded suddenly appear on your screen, or if outgoing calls you don’t remember making pop up on your phone bill, that is a definite red flag and a potential sign that your device has been hacked. 

Pop-ups or changes to your screen 

Malware may also be the cause of odd or frequent pop-ups, as well as changes made to your home screen. If you are getting an influx of spammy ads or your app organization is suddenly out of order, there is a big possibility that your device has been hacked. 

Six tips to prevent your phone from being hacked 

To avoid the hassle of having a hacked phone in the first place, here are some tips that may help. 

1. Update your phone and its apps

Promptly updating your phone and apps is a primary way to keep your device safe. Updates often fix bugs and vulnerabilities that hackers rely on to download malware for their attacks. 

2. Avoid downloading from third-party app stores

Apple’s App Store and Google Play have protections in place to help ensure that apps being downloaded are safe. Third-party sites may not have those same protections or may even be purposely hosting malicious apps to scam users. Avoiding these sites altogether can prevent these apps from allowing hackers into your device. 

3. Stay safer on the go with a VPN

Hackers may use public Wi-Fi to gain access to your device and the information you have inside of it. Using a VPN to ensure that your network is private and only you can access it is a great way to stay protected on the go. 

4. Turn off your Wi-Fi and Bluetooth when not in use

Turning off your Wi-Fi and Bluetooth when you are not actively using them is a simple way to prevent skilled hackers from working their way into your devices. 

5. Avoid public charging stations

Some hackers have been known to install malware into public charging stations and hack into devices while they are being charged. Investing in your own personal portable charging packs is an easy way to avoid this type of hack.  

6. Encrypt your phone

Encrypting your phone can protect your calls, messages, and information, while also protecting you from being hacked. iPhone users can check their encryption status by going into Touch ID & Passcode, scrolling to the bottom, and seeing if data protection is enabled.  

7. Determine whether your device rebooted properly

Although researchers agree that you can never trust a device to be fully off, there are some techniques that can help you determine whether your device was rebooted correctly.2 If you do suspect that your phone was hacked or notice some suspicious activity, restart your device. To do this, press and hold the power button and either volume button until you are prompted to slide the button on the screen to power off. After the device shuts down and restarts, notice if you are prompted to enter your passcode to unlock the device. If not, this is an indicator that a fake reboot just occurred. If this happens, you can wait for the device to run out of battery, although researchers have not verified that this will completely remove the threat.  

Stay protected 

If you are worried that your device has been hacked, follow these steps: 

Install and run security software on your smartphone if you haven’t already. From there, delete any apps you didn’t download, delete risky texts, and then run your mobile security software again. 
If you still have issues, wiping and restoring your phone is an option. Provided you have your photos, contacts, and other vital info backed up in the cloud, it’s a relatively straightforward process. A quick search online can show how to wipe and restore your model of phone. 
Lastly, check your accounts and your credit to see if any unauthorized purchases have been made. If so, you can go through the process of freezing those accounts, getting new cards, and credentials issued with the help of McAfee Identity Protection Service. Further, update your passwords for your accounts with a password that is strong and unique.   

The post Latest Proof of Concept Details How iOS Malware May Snoop on Our Devices appeared first on McAfee Blog.

Read More

Fake Investor John Bernard Sinks Norwegian Green Shipping Dreams

Read Time:5 Minute, 4 Second

Several articles here have delved into the history of John Bernard, the pseudonym used by a fake billionaire technology investor who tricked dozens of start-ups into giving him tens of millions of dollars. Bernard’s latest victim — a Norwegian startup hoping to build a fleet of environmentally friendly shipping vessels — is now embroiled in a lawsuit over a deal gone bad, in which Bernard falsely claimed to have secured $100 million from six other wealthy investors, including the founder of Uber and the artist Abel Makkonen Tesfaye, better known as The Weeknd.

John Bernard is a pseudonym used by John Clifton Davies, a convicted fraudster from the United Kingdom who is currently a fugitive from justice and residing in Ukraine. Davies’ Bernard persona has fleeced dozens of technology companies out of an estimated $30 million with the promise of lucrative investments.

For several years until reinventing himself again quite recently, Bernard pretended to be a billionaire Swiss investor who made his fortunes in the dot-com boom 20 years ago and who was seeking investment opportunities. Bernard generated a stream of victims by offering extraordinarily generous finder’s fees for investment brokers who helped him secure new clients. But those brokers would eventually get stiffed as well because Bernard’s company would never consummate a deal.

In case after case, Bernard would promise to invest millions in tech startups, and then insist that companies pay tens of thousands of dollars worth of due diligence fees up front. However, the due diligence company he insisted on using — another Swiss firm called Inside Knowledge — also was secretly owned by Bernard, who would invariably pull out of the deal after receiving the due diligence money.

The scam artist John Bernard (left) in a recent Zoom call, and a photo of John Clifton Davies from 2015.

But Bernard would adopt a slightly different approach to stealing from Freidig Shipping Ltd., a Norwegian company formed in 2017 that was seeking the equivalent of USD $100 million investment to bring its green fleet of 30 new offshore service vessels to fruition.

Journalists Harald Vanvik and Harald Berglihn from the Norwegian Business Daily write that through investment advisors in London, Bernard was introduced to Nils-Odd Tønnevold, co-founder of Freidig Shipping and an investment advisor with 20 years of experience.

“Both Bernard and Inside Knowledge appeared to be professionals,” the reporters wrote in a story that’s behind a paywall. “Bernard appeared to be experienced. He knew a lot about start-ups and got into things quickly. Credible and reliable was the impression of him, said Tønnevold.”

“Bernard eventually took on the role of principal investor, claiming he had six other wealthy investors on the team, including artist Abel Makkonen Tesfaye, known as The Weeknd, Uber founder Garrett Camp and Norilsk Nickel owner Russian Vladimir Potanin,” the Norwegian journalists wrote. “These committed to contribute $99.25 million to Freidig.”

So in this case Bernard conveniently claimed he’d come up with almost all of the investment, which came $750,000 short of the goal. Another investor, a Belgian named Guy Devos, contributed the remaining $750,000.

But by the spring of 2020, it was clear that Devos and others involved in the shipping project had been tricked, and that all the money which had been paid to Bernard — an estimated NOK 15 million (~USD $1.67 million) — had been lost. By that time the two co-founders and their families had borrowed USD $1.5 million, and had transferred the funds to Inside Knowledge.

“Further investigations indicated that Bernard was in fact a convicted and wanted Briton based in the Ukrainian capital Kiev,” the Norwegian Business Daily reported. “Guy Devos has sued Nils-Odd Tønnevold with a claim of 750,000 dollars because he believes Tønnevold has a responsibility for the money being transferred to Bernard. Tønnevold rejects this.”

Bernard’s scam is genius because he never approaches investors directly; rather, investors are incentivized to put his portfolio in front of tech firms seeking financial backing. And because the best cons begin as an idea or possibility planted in the target’s mind.

What’s remarkable about Freidig Shipping’s fleecing is that we heard about it at all. In the first of this now five-part series, we heard from Jason Kane, an attorney who focuses on investment fraud. Kane said companies bilked by small-time investment schemes rarely pursue legal action, mainly because the legal fees involved can quickly surpass the losses. What’s more, most victims will likely be too ashamed to come forward.

“These are cases where you might win but you’ll never collect any money,” Kane said. “This seems like an investment twist on those fairly simple scams we all can’t believe people fall for, but as scams go this one is pretty good. Do this a few times a year and you can make a decent living and no one is really going to come after you.”

It does appear that Bernard took advantage of a stunning lack of due diligence by the Freidig co-founders. In this May 2020 post on Twitter — well after their funds had already been transferred to Bernard — Nils-Odd Tønnevold can be seen asking Uber co-founder Garrett Camp if he indeed had agreed to invest in his company:

John Clifton Davies, a.k.a. John Bernard, Jonathan Bibi, John Cavendish, is a U.K. man who absconded from justice before being convicted on multiple counts of fraud in 2015. Prior to his conviction, Davies served 16 months in jail on suspicion of murdering his third wife on their honeymoon in India. The U.K. authorities later dropped the murder charges for lack of evidence. Davies currently resides with his fourth wife in or near Kyiv, Ukraine.

If you liked this story, check out my previous reporting on John Bernard/Davies:

Due Diligence That Money Can’t Buy

Who is Tech Investor John Bernard?

Promising Infusions of Cash, Fake Investor John Bernard Walked Away With $30 Million

Investment Scammer John Davies Reinvents Himself?

Read More

FBI Issues Warning Over Iranian Cyber Company

Read Time:1 Minute, 49 Second

FBI Issues Warning Over Iranian Cyber Company

The Federal Bureau of Investigation (FBI) has issued a Private Industry Notice on protecting against malicious activity by Iranian cyber company Emennet Pasargad (formerly known as Eeleyanet Gostar).

Two Iranian nationals employed by the company were indicted on October 20 2021 by a grand jury in the US District Court for the Southern District of New York over their alleged involvement in a campaign to influence and interfere with the outcome of the 2020 US presidential election.

Seyyed Mohammad Hosein Musa Kazemi and Sajjad Kashian were accused of conspiring with others to run a sophisticated campaign that included sending threatening emails to voters, hacking into the computer networks of an American media company and impersonating a far-right organization to cast doubt over the integrity of electoral ballots.

The Department of the Treasury Office of Foreign Assets Control sanctioned Emennet, four members of the company’s management team and Kazemi and Kashian for attempting to influence the same election.

The Notice states that Emmenet also previously conducted cyber-enabled information operations that used a false flag persona to spread propaganda via text message.

“According to FBI information, in late 2018, the group masqueraded as the ‘Yemen Cyber Army’ and crafted messaging critical of Saudi Arabia,” states the Notice. 

“Emennet also demonstrated interest in leveraging bulk SMS services, likely as a means to mass-disseminate propaganda or other messaging.”

Included in the Notice was a summary of Emennet’s past tactics, techniques and procedures (TTPs), which included using virtual private network services to obfuscate the origin of their activity. 

Over the past three years, Emennet has selected potential victims by performing web searches for leading businesses in various sectors. The group would then scan the websites of the businesses that appeared in the search results for vulnerable software that could be exploited to establish persistent access.

Information gathered by the FBI indicates that Emennet also attempted to leverage cyber intrusions conducted by other actors for its own benefit. 

“This includes searching for data hacked and leaked by other actors and attempting to identify webshells that may have been placed or used by other cyber-actors,” said the FBI.

Read More

Most Ransomware Infections are Self-installed

Read Time:1 Minute, 50 Second

Most Ransomware Infections are Self-installed

New research from managed detection and response (MDR) provider Expel found that most ransomware attacks in 2021 were self-installed. 

The finding was included in the company’s inaugural annual report on cybersecurity trends and predictions, Great eXpeltations, published on Thursday. 

Researchers found eight out of ten ransomware infections occurred after victims unwittingly opened a zipped file containing malicious code. Abuse of third-party access accounted for 3% of all ransomware incidents, and 4% were caused by exploiting a software vulnerability on the perimeter.

The report was based on the analysis of data aggregated from Expel’s security operations center (SOC) concerning incidents spanning January 1 2021 to December 31 2021. 

Other key findings were that 50% of incidents were BEC (business email compromise) attempts, with SaaS apps a top target. 

More than 90% of those attacks were geared towards Microsoft O365, while assaults against Google Workspace accounted for fewer than 1% of incidents. The remaining 9% targeted Okta.

Ransomware attacks accounted for 13% of all opportunistic attacks. The five most targeted industries in descending order were legal services, communications, financial services, real estate and entertainment. 

In addition, 35% of web app compromises Expel responded to resulted in the deployment of a crypto miner.

To protect against threats in 2022, Expel recommended implementing network layer controls to detect and block network communications to crypto mining pools and confirming event data recorder (EDR) coverage across all endpoints. 

The company also advised forwarding computing resource alarms to a security information and event management (SIEM) software solution to flag overtaxed resources potentially deployed for crypto-jacking. 

Other advice included defending the self-installation attack surface on Windows, deploying MFA everywhere, especially for remote access, patching and updating regularly and deploying EDR policies in block mode. 

Users were also advised not to expose RDP (remote desktop protocol) directly to the internet. 

“We founded Expel with a goal of bringing more transparency to security,” said Dave Merkel, CEO of Expel, on Thursday. 

“Today we reach a new milestone tied to that commitment – we’re sharing the most important threats and trends our SOC identified last year and their advice on what to do about them.”

Read More

Water Utilities Get 100-Day Cybersecurity Plan

Read Time:1 Minute, 51 Second

Water Utilities Get 100-Day Cybersecurity Plan

The United States Environmental Protection Agency (EPA) has drawn up a 100-day game plan to help protect the nation’s water systems from cyber-attacks.

The Industrial Control Systems Cybersecurity Initiative – Water and Wastewater Sector Action Plan focuses on high-impact acts that can be performed within 100 days to improve cybersecurity across the water sector.

Strategies detailed in the roadmap promote and support the early detection of cyber-threats and the rapid sharing of data across the government to speed up cyber-threat analysis and action.

The plan advocates the establishment of a cybersecurity task force comprising leaders from the water sector. It also calls for the implementation of pilot projects to demonstrate and accelerate the adoption of incident monitoring.

“Cyber-attacks represent an increasing threat to water systems and thereby the safety and security of our communities,” said EPA administrator Michael S. Regan. 

“As cyber-threats become more sophisticated, we need a more coordinated and modernized approach to protecting the water systems that support access to clean and safe water in America.”

The plan was announced on Thursday by the EPA and its federal partners. It was developed by the EPA, the National Security Council (NSC), the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Water Sector Coordinating Council and Water Government Coordinating Council (WSCC/GCC).

“The action plans for the electric grid and pipelines have already resulted in over 150 electricity utilities serving over 90 million residential customers and multiple critical natural gas pipelines deploying additional cybersecurity technologies,” said deputy national security advisor for cyber and emerging technology, Anne Neuberger.  

She added: “This plan will build on this work and is another example of our focus and determination to use every tool at our disposal to modernize the nation’s cyber defenses, in partnership with private sector owners and operators of critical infrastructure.”

The EPA said it intends to “encourage, incentivize and assist” water sector stakeholders to rapidly deploy industrial control systems (ICS) cybersecurity monitoring technologies. 

“Public-private sector collaboration like this initiative is central to protecting the American public and their ability to safely access critical services,” said secretary of homeland security Alejandro Mayorkas.

Read More

News, Advisories and much more

Exit mobile version