TrickMo Android Trojan Exploits Accessibility Services for On-Device Banking Fraud

-
Image
Cybersecurity researchers have uncovered a new variant of an Android banking trojan called TrickMo that comes packed with new capabilities to evade analysis and display fake login screens to capture victims' banking credentials. "The mechanisms include using malformed ZIP files in combination with JSONPacker," Cleafy security researchers Michele Roviello and Alessandro Strino  said . "In addition, the application is installed through a dropper app that shares the same anti-analysis mechanisms." "These features are designed to evade detection and hinder cybersecurity professionals' efforts to analyze and mitigate the malware." TrickMo, first caught in the wild by CERT-Bund in September 2019, has a  history  of targeting Android devices, particularly targeting users in Germany to siphon one-time passwords (OTPs) and other two-factor authentication (2FA) codes to facilitate financial fraud. The mobile-focused malware is assessed to be the work of the ...
Post a Comment

RansomHub claims Kawasaki cyberattack, threatens to leak stolen data

-

 

Kawasaki Motors Europe has announced that it's recovering from a cyberattack that caused service disruptions as the RansomHub ransomware gang threatens to leak stolen data.

The company says the attack targeted its EU headquarters, and it is currently analyzing and cleaning any "suspicious material," such as malware, that may still be lurking on systems.

"At the start of September, Kawasaki Motors Europe (KME) was the subject of a cyber-attack which, although not successful, resulted in the company's servers being temporarily isolated until a strategic recovery plan was initiated later on the same day," reads the announcement.

"KME and its country Branches operate a large number of servers and, as a precaution, it was decided to isolate each one and put a cleansing process in place whereby all data was checked and any suspicious material identified and dealt with."

Kawasaki Motors Europe is a subsidiary of Kawasaki Heavy Industries, Ltd., a global Japanese company known for manufacturing motorcycles, all-terrain vehicles (ATVs), Jet Skis, utility vehicles, and other motorized products.

KME is responsible for the distribution, sales, and marketing of Kawasaki's motorcycle products in the European market, operating an extensive network of authorized dealerships and customer service centers across the continent.

The company says that its IT staff collaborated with external cybersecurity experts following the attack, checking servers one by one before they connected them back into the corporate network.

KME estimates that by the start of next week, 90% of its server infrastructure will have been restored.

Everything that concerns business operations, including dealerships, third-party suppliers, and logistics operations, is not impacted.

RansomHub claims the attack

Kawasaki's announcement comes as the RansomHub ransomware gang claimed responsibility for the attack on the company.

The threat group added the company to its extortion portal on the dark web on September 5, 2024, claiming the theft of 487 GB of data from Kawasaki's networks.

The timer is set to expire tomorrow, and if the threat actors' demands aren't satisfied, they threaten to publish all stolen data by that point.

It is unclear if RansomHub holds customer data in the stolen files, but this scenario cannot be ruled out at this point.

BleepingComputer contacted Kawasaki both when RansomHub announced them as victims and again today, but both our requests for a comment have gone unanswered.

RansomHub has become prolific since the BlackCat/ALPHV ransomware operation shut down, with many of its affiliates moving to the newer ransomware-as-a-service program.

With the influx of skilled affiliates, RansomHub has seen a surge in successful attacks, including those against a division of Rite AidFrontierPlanned ParenthoodHalliburtonChristie's

Last month, a joint advisory between the FBI, CISA, and the Department of Health and Human Services (HHS) reported that RansomHub breached 210 victims from a wide range of critical U.S. infrastructure sectors since it launched in February.

Comments

Post a Comment

Popular posts from this blog

TrickMo Android Trojan Exploits Accessibility Services for On-Device Banking Fraud

-
Image
Cybersecurity researchers have uncovered a new variant of an Android banking trojan called TrickMo that comes packed with new capabilities to evade analysis and display fake login screens to capture victims' banking credentials. "The mechanisms include using malformed ZIP files in combination with JSONPacker," Cleafy security researchers Michele Roviello and Alessandro Strino  said . "In addition, the application is installed through a dropper app that shares the same anti-analysis mechanisms." "These features are designed to evade detection and hinder cybersecurity professionals' efforts to analyze and mitigate the malware." TrickMo, first caught in the wild by CERT-Bund in September 2019, has a  history  of targeting Android devices, particularly targeting users in Germany to siphon one-time passwords (OTPs) and other two-factor authentication (2FA) codes to facilitate financial fraud. The mobile-focused malware is assessed to be the work of the ...
Read more

Payment gateway data breach affects 1.7 million credit card owners

-
Image
  Payment gateway provider Slim CD has disclosed a data breach that compromised credit card and personal data belonging to almost 1.7 million individuals. In the notification sent to impacted clients, the company says that hackers had access to its network for nearly a year, between August 2023 and June 2024. Slim CD is a provider of payment processing solutions that enables businesses to access electronic and card payments via web-based terminals, mobile, or desktop apps. The firm first detected suspicious activity on its systems this year on June 15. During the investigation, the company discovered that hackers had gained access to its network since August 17, 2023.  “The investigation identified unauthorized system access between August 17, 2023, and June 15, 2024,” reads the  notification  to impacted individuals. However, Slim CD says that the threat actor viewed or obtained access to credit card information this year for two days, between June 14th an...
Read more

Meta fixes easily bypassed WhatsApp ‘View Once’ privacy feature

-
Image
  A privacy flaw in WhatsApp, an instant messenger with over 2 billion users worldwide, is being exploited by attackers to bypass the app's "View once" feature and view messages again. Meta says that WhatsApp's "View once" feature (introduced  three years ago ) enables users to share photos, videos, and voice messages privately, seeing that the recipient shouldn't be able to forward, share, copy, or screenshot their messages because they will automatically disappear from chats after being opened once. "Once you send a view once photo, video, or voice message, you won’t be able to view it again," the company  explains  on its support website. "Any photos or videos you send won’t be saved to the recipient’s Photos or Gallery. The recipient also can’t take a screenshot of anything you send using view once." However, "View once" will only block WhatsApp users from screenshotting what is being sent on mobile devices because deskt...
Read more