Posts

TrickMo Android Trojan Exploits Accessibility Services for On-Device Banking Fraud

Image
Cybersecurity researchers have uncovered a new variant of an Android banking trojan called TrickMo that comes packed with new capabilities to evade analysis and display fake login screens to capture victims' banking credentials. "The mechanisms include using malformed ZIP files in combination with JSONPacker," Cleafy security researchers Michele Roviello and Alessandro Strino  said . "In addition, the application is installed through a dropper app that shares the same anti-analysis mechanisms." "These features are designed to evade detection and hinder cybersecurity professionals' efforts to analyze and mitigate the malware." TrickMo, first caught in the wild by CERT-Bund in September 2019, has a  history  of targeting Android devices, particularly targeting users in Germany to siphon one-time passwords (OTPs) and other two-factor authentication (2FA) codes to facilitate financial fraud. The mobile-focused malware is assessed to be the work of the ...

Malware locks browser in kiosk mode to steal Google credentials

Image
  A malware campaign uses the unusual method of locking users in their browser's kiosk mode to annoy them into entering their Google credentials, which are then stolen by information-stealing malware. Specifically, the malware "locks" the user's browser on Google's login page with no obvious way to close the window, as the malware also blocks the "ESC" and "F11" keyboard keys. The goal is to frustrate the user enough that they enter and save their Google credentials in the browser to "unlock" the computer. Once credentials are saved, the StealC information-stealing malware steals them from the credential store and sends them back to the attacker. Kiosk mode theft According to  OALABS researchers  who uncovered this peculiar attack method, it has been used in the wild since at least August 22, 2024, mainly by  Amadey , a malware loader, info-stealer, and system reconnaissance tool first deployed by hackers in 2018. When launched, Amade...

17-Year-Old Arrested in Connection with Cyber Attack Affecting Transport for London

Image
  British authorities on Thursday announced the arrest of a 17-year-old male in connection with a cyber attack affecting Transport for London (TfL). "The 17-year-old male was detained on suspicion of Computer Misuse Act offenses in relation to the attack, which was launched on TfL on 1 September," the U.K. National Crime Agency (NCA)  said . The teenager, who's from Walsall, is said to have been arrested on September 5, 2024, following an investigation that was launched in the incident's aftermath. The law enforcement agency said the unnamed individual was questioned and subsequently let go on bail. "Attacks on public infrastructure such as this can be hugely disruptive and lead to severe consequences for local communities and national systems," Deputy Director Paul Foster, head of the NCA's National Cyber Crime Unit, said. "The swift response by TfL following the incident has enabled us to act quickly, and we are grateful for their continued cooper...

Apple Vision Pro Vulnerability Exposed Virtual Keyboard Inputs to Attackers

Image
  Details have emerged about a now-patched security flaw impacting Apple's Vision Pro mixed reality headset that, if successfully exploited, could allow malicious attackers to infer data entered on the device's virtual keyboard. The attack, dubbed  GAZEploit , has been assigned the CVE identifier CVE-2024-40865. "A novel attack that can infer eye-related biometrics from the avatar image to reconstruct text entered via gaze-controlled typing," a group of academics from the University of Florida  said . "The GAZEploit attack leverages the vulnerability inherent in gaze-controlled text entry when users share a virtual avatar." Following responsible disclosure, Apple addressed the issue in visionOS 1.3 released on July 29, 2024. It described the vulnerability as impacting a component called Presence. "Inputs to the virtual keyboard may be inferred from Persona," it  said  in a security advisory, adding it resolved the problem by "suspending Person...

New Linux malware Hadooken targets Oracle WebLogic servers

Image
  Hackers are targeting Oracle WebLogic servers to infect them with a new Linux malware named "Hadooken," which launches a cryptominer and a tool for distributed denial-of-service (DDoS) attacks. The access obtained may also be used to execute ransomware attacks on Windows systems. Researchers at container security solution company Aqua Security observed such an attack on a honeypot, which the threat actor breached due to weak credentials.  Oracle WebLogic Server is an enterprise-level Java EE application server used for building, deploying, and managing large-scale, distributed applications. The product is commonly used in banking and financial services, e-commerce, telecommunications, government organizations, and public services. Attackers target WebLogic due to its popularity in business-critical environments that typically enjoy rich processing resources, making them ideal for cryptomining and DDoS attacks. Hadooken hitting hard Once the attackers breach an environme...

Fortinet confirms data breach after hacker claims to steal 440GB of files

Image
  Cybersecurity giant Fortinet has confirmed it suffered a data breach after a threat actor claimed to steal 440GB of files from the company's Microsoft Sharepoint server. Fortinet is one of the largest cybersecurity companies in the world, selling secure networking products like firewalls, routers, and VPN devices. The company also offers SIEM, network management, and EDR/XDR solutions, as well as consulting services. Early this morning, a threat actor posted to a hacking forum that they had stolen 440GB of data from Fortinet's Azure Sharepoint instance. The threat actor then shared credentials to an alleged S3 bucket where the stolen data is stored for other threat actors to download. BleepingComputer has not accessed this storage bucket to confirm if it contains Fortinet's stolen files. The threat actor, known as "Fortibitch," claims to have tried to extort Fortinet into paying a ransom, likely to prevent the publishing of data, but the company refused to pay. ...

RansomHub claims Kawasaki cyberattack, threatens to leak stolen data

Image
  Kawasaki Motors Europe has announced that it's recovering from a cyberattack that caused service disruptions as the RansomHub ransomware gang threatens to leak stolen data. The company says the attack targeted its EU headquarters, and it is currently analyzing and cleaning any "suspicious material," such as malware, that may still be lurking on systems. "At the start of September, Kawasaki Motors Europe (KME) was the subject of a cyber-attack which, although not successful, resulted in the company's servers being temporarily isolated until a strategic recovery plan was initiated later on the same day,"  reads the announcement . "KME and its country Branches operate a large number of servers and, as a precaution, it was decided to isolate each one and put a cleansing process in place whereby all data was checked and any suspicious material identified and dealt with." Kawasaki Motors Europe is a subsidiary of Kawasaki Heavy Industries, Ltd., a glob...