Tag Archive for: Remote

Hackers Update Vultur Banking Malware With Remote Controls

/in


Cybercrime
,
Fraud Management & Cybercrime
,
Governance & Risk Management

Attackers Can Now Download, Alter and Delete Files – Plus Click, Scroll and Swipe

Prajeet Nair (@prajeetspeaks) •
April 2, 2024    

Hackers Update Vultur Banking Malware With Remote Controls
Image: Shutterstock

Threat actors are tricking banking customers with SMS texts into downloading new and improved banking malware named Vultur that interacts with infected devices and alters files.

See Also: Combating Cyber Fraud: Best Practices for Increasing Visibility and Automating Threat Response

First documented in March 2021 by Threat Fabric, Vultur garnered attention for its misuse of legitimate applications such as AlphaVNC and ngrok, enabling remote access to the VNC server on targeted devices. Vultur also automated screen recording and keylogging for harvesting credentials.

The latest iteration of this Android banking malware boasts a broader range of capabilities and enables attackers to assume control of infected devices, hinder application execution, display customized notifications, circumvent lock-screen protections and conduct various file-related operations such as downloading, uploading, installing, searching and deleting.

The new functionalities primarily focus on remote interaction with compromised devices, although Vultur still relies on AlphaVNC and ngrok for remote access, said NCC Group security researchers in a report on Thursday.

Vultur’s creators also…

Source…

A Wake-Up Call for Securing Remote Employees’ Hardware

/in


Update: Multiple U.S. and international government agencies released an advisory Feb. 7 detailing the Volt Typhoon attacks. The threat actors targeted and compromised the IT environments of U.S. communications, energy, transportation and water infrastructure in the continental U.S. as well as non-continental areas and territories, such as Guam.

Original article: State-sponsored hackers affiliated with China have targeted small office/home office routers in the U.S. in a wide-ranging botnet attack, Federal Bureau of Investigation Director Christopher Wray announced on Wednesday, Jan. 31. Most of the affected routers were manufactured by Cisco and NetGear and had reached end-of-life status.

Department of Justice investigators said on Jan. 31, 2024, that the malware has been deleted from affected routers. The investigators also cut the routers off from other devices used in the botnet.

IT teams need to know how to reduce cybersecurity risks that could stem from remote workers using outdated technology.

What is the Volt Typhoon botnet attack?

The cybersecurity threat in this case is a botnet created by Volt Typhoon, a group of attackers sponsored by the Chinese government.

Starting in May 2023, the FBI looked into a cyberattack campaign against critical infrastructure organizations. On Jan. 31, 2024, the FBI revealed that an investigation into the same group of threat actors in December 2023 showed attackers sponsored by the government of China had created a botnet using hundreds of privately-owned routers across the U.S.

The attack was an attempt to create inroads into “communications, energy, transportation, and water sectors” in order to disrupt critical U.S. functions in the event of conflict between the countries, said Wray in the press release.

SEE: Multiple security companies and U.S. agencies have their eyes on Androxgh0st, a botnet targeting cloud credentials. (TechRepublic) 

The attackers used a “living off the land” technique to blend in with the normal operation of the affected devices.

The FBI is contacting anyone whose equipment was affected by this specific attack. It hasn’t been confirmed whether…

Source…

Remote access giant AnyDesk resets passwords and revokes certificates after hack

/in


Remote desktop software provider AnyDesk confirmed late Friday that a cyberattack allowed hackers to gain access to the company’s production systems, putting the company in lockdown for almost a week.

AnyDesk’s software is used by millions of IT professionals to quickly and remotely connect to their clients’ devices, often to help with technical issues. On its website, AnyDesk claims to have more than 170,000 customers, including Comcast, LG, Samsung and Thales.

The software is also a popular tool among threat actors and ransomware gangs, which have long used the software for gaining and maintaining access to a victim’s computer and data. U.S. cybersecurity agency CISA said in January that hackers had compromised federal agencies using legitimate remote desktop software, including AnyDesk.

News of the suspected breach began to spread last Monday when AnyDesk announced it had swapped its code-signing certificates, which companies use to prevent hackers from tampering with their code. Following a days-long outage, AnyDesk confirmed in a statement late on Friday that the company had “found evidence of compromised production systems.”

AnyDesk said that as part of its incident response, the company had revoked all security-related certificates, remediated or replaced systems where necessary and invalidated all passwords to AnyDesk’s customer web portal.

“We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one,” the company added Friday.

AnyDesk said the incident is not related to ransomware but did not disclose the specific nature of the cyberattack.

AnyDesk spokesperson Matthew Caldwell did not respond to an email from TechCrunch. CrowdStrike, which is working with AnyDesk to remediate the cyberattack, declined to answer TechCrunch’s questions when reached Monday.

AnyDesk did not respond to questions asking if any customer data was accessed, though the company said in its statement that there is “no evidence that any end-user systems have been affected.”

“We can confirm that the situation is under control and it is safe to use AnyDesk,” AnyDesk said. “Please ensure that you are using the…

Source…

TeamViewer Exploited to Obtain Remote Access, Deploy Ransomware

/in


The cybersecurity researchers at Huntress have issued a warning about a recent surge in cyber attacks, highlighting a new strategy employed by cybercriminals who are exploiting TeamViewer to deploy LockBit ransomware.

TeamViewer has a history of being exploited in large-scale cyber attacks. Recently, once again, cybersecurity experts have observed a surprising surge in cybercriminals’ attempts to exploit TeamViewer, a trusted remote access tool, to deploy LockBit ransomware, potentially exposing users to data encryption and extortion demands.

Researchers claim attackers exploit vulnerabilities in TeamViewer to gain initial access to victim devices and then deploy the aggressive LockBit ransomware, which encrypts critical files and demands substantial ransom payments for decryption.

Although infections were either contained or averted, no ransomware operation has been officially associated with the intrusions. The payload resembled LockBit ransomware encryptors. It is worth noting that in 2022, the ransomware builder for LockBit 3.0 was leaked, allowing the Bl00dy and Buhti gangs to launch their campaigns.

For your information, TeamViewer is a popular remote access tool in the enterprise world. Unfortunately, it has been exploited by scammers and ransomware actors to access remote desktops and execute malicious files for years. In March 2016, numerous victims reported their devices being breached via TeamViewer and attempts made to encrypt files with the Surprise ransomware.

Back then, TeamViewer’s unauthorized access was attributed to credential stuffing, where attackers used users’ leaked credentials instead of exploiting a zero-day vulnerability.

The software vendor explained that online criminals often log on with compromised accounts to find corresponding accounts with the same credentials, potentially allowing them to access all assigned devices for malware or ransomware installation.

The latest analysis from Huntress SOC analysts reveals that cybercriminals continue to use old techniques, abusing TeamViewer to take over devices and deploy ransomware. In one of the instances, as observed by Huntress, a single threat actor used TeamViewer to…

Source…