LinkedIn Archives – Gridinsoft Blog. Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

North Korean Hackers Attack Cybersecurity Specialists by Offering Them Jobs via LinkedIn
https://gridinsoft.com/blogs/north-korean-hackers/
Published Wed, 15 Mar 2023 15:30:27 +0000

Mandiant researchers have noticed that North Korean hackers are focusing their attention and attacks on information security specialists. The attackers try to infect researchers with malware in the hope of infiltrating the networks of the companies the targets work for.

Let me remind you that we also wrote that Nearly 50% of Cybersecurity Leaders Will Change Jobs by 2025, and also that Microsoft accused Russia and North Korea of attacks on pharmaceutical companies.

The media also wrote that FBI Links North Korean Lazarus Hackers to Harmony Hack and $100 Million Theft.

Mandiant says it first identified the campaign in June 2022 while tracking a phishing operation aimed at a US technology client. At that time the hackers tried to infect the target with three new malware families: TOUCHMOVE, SIDESHOW and TOUCHSHIFT.

Shortly afterwards came a wave of attacks on US and European media organisations by the group Mandiant tracks as UNC2970 and links to North Korea. In those attacks UNC2970 used spear-phishing emails disguised as job offers to lure targets into installing the malware.

Researchers say UNC2970 has recently changed tactics, switching from phishing emails to fake LinkedIn accounts posing as recruiters. These accounts carefully imitate the identities of real people to deceive the victims and improve the odds of a successful attack.

After contacting the target and making an “interesting job offer”, the attackers try to move the conversation to WhatsApp and then deliver, either through the messenger itself or by email, a backdoor Mandiant calls PLANKWALK, along with other malware families.

PLANKWALK and the group's other malware are delivered mainly through macros in Microsoft Word documents. Once the document is opened and macros are enabled, the target machine downloads and executes the payload from the attackers' servers (mostly compromised WordPress sites). The result is a ZIP archive on the target machine that contains, among other things, a trojanized build of the TightVNC remote desktop application, which Mandiant tracks as LIDSHIFT.

[Image: one of the lure documents used in the attacks, in which the hackers impersonate the New York Times]

The victim is instructed to launch the TightVNC application; its file name, like those of the other files in the archive, is tailored to the company whose “skills assessment” the victim believes they are taking.

Besides working as a legitimate remote desktop tool, LIDSHIFT carries hidden functionality. First, as soon as the user runs it, the malware sends a beacon to its hard-coded C&C server; launching the program is the only user action required. The beacon contains the victim's username and hostname.

Second, LIDSHIFT injects an encrypted DLL into memory. The DLL is a trojanized Notepad++ plugin that acts as a loader and is tracked as LIDSHOT. The injection happens as soon as the victim opens a drop-down menu in the TightVNC Viewer application.

“LIDSHOT performs two main functions: enumeration, as well as downloading and executing shellcode from the management server,” says the Mandiant report.

PLANKWALK thus paves the way for additional tools on the target machine, including:

  1. TOUCHSHIFT – a dropper that deploys further malware, from keyloggers and screenshot utilities to full-featured backdoors;
  2. TOUCHSHOT – takes a screenshot every three seconds;
  3. TOUCHKEY – a keylogger that captures keystrokes and clipboard contents;
  4. HOOKSHOT – a tunneling tool that connects over TCP to communicate with the command and control server;
  5. TOUCHMOVE – a loader that decrypts and executes a payload;
  6. SIDESHOW – a C/C++ backdoor that runs arbitrary commands and communicates with its command and control server via HTTP POST requests.
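To make the chain above concrete from the defender's side, here is an added example (written for this post, not Mandiant's code) that hunts for the LIDSHIFT behaviour in endpoint telemetry: a VNC binary started from a user-writable path such as an extracted archive, followed within seconds by an outbound connection to an external address. The event schema, the sample events and the indicator lists (REMOTE_TOOLS, USER_WRITABLE, the 30-second window) are all constructed assumptions; real telemetry would come from Sysmon or an EDR, and the documentation-range IPs stand in for attacker infrastructure.

```python
"""Hunt for the LIDSHIFT-style pattern in endpoint telemetry: a VNC/remote-desktop
binary started from a user-writable path (an extracted "skills test" archive,
Downloads, Temp) that connects to an external address within seconds of launch,
i.e. a beacon rather than a session to an internal host.

Added example for this post, not Mandiant's tooling. The event schema and all
sample events below are constructed for illustration."""
import ipaddress
import ntpath
from datetime import datetime, timedelta

# Constructed telemetry in a Sysmon-like shape (process creation + network
# connection, joined on pid). Documentation-range IPs stand in for the
# attacker's public infrastructure.
SAMPLE_EVENTS = [
    {"ts": "2023-03-01T09:00:01", "type": "process", "pid": 4120, "user": "alice",
     "host": "WS-0042", "image": r"C:\Users\alice\Downloads\NYT_assessment\tvnviewer.exe"},
    {"ts": "2023-03-01T09:00:03", "type": "network", "pid": 4120,
     "dst": "203.0.113.45", "dport": 443, "direction": "outbound"},
    # Legitimate use: installed copy, VNC port, internal peer.
    {"ts": "2023-03-01T09:05:00", "type": "process", "pid": 5000, "user": "bob",
     "host": "WS-0043", "image": r"C:\Program Files\TightVNC\tvnviewer.exe"},
    {"ts": "2023-03-01T09:05:02", "type": "network", "pid": 5000,
     "dst": "10.0.5.20", "dport": 5900, "direction": "outbound"},
    # Suspicious path, but the outbound connection only comes minutes later.
    {"ts": "2023-03-01T09:10:00", "type": "process", "pid": 6000, "user": "carol",
     "host": "WS-0044", "image": r"C:\Users\carol\AppData\Local\Temp\zip\tvnviewer.exe"},
    {"ts": "2023-03-01T09:15:00", "type": "network", "pid": 6000,
     "dst": "198.51.100.7", "dport": 443, "direction": "outbound"},
]

# Assumed indicator lists; tune to the environment.
REMOTE_TOOLS = {"tvnviewer.exe", "tvnserver.exe", "vncviewer.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
BEACON_WINDOW = timedelta(seconds=30)


def is_user_writable(path):
    """True if the image path lives under a directory a normal user can write to."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def is_internal(ip):
    """True for RFC 1918, loopback and link-local destinations (normal VNC peers)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious_launches(events, window=BEACON_WINDOW):
    """Return one finding per remote-tool launch from a user-writable path that
    is followed, within `window`, by an outbound connection to an external host."""
    net_by_pid = {}
    for ev in events:
        if ev["type"] == "network":
            net_by_pid.setdefault(ev["pid"], []).append(ev)
    findings = []
    for ev in events:
        if ev["type"] != "process":
            continue
        if ntpath.basename(ev["image"]).lower() not in REMOTE_TOOLS:
            continue
        if not is_user_writable(ev["image"]):
            continue
        started = datetime.fromisoformat(ev["ts"])
        for net in net_by_pid.get(ev["pid"], []):
            delta = datetime.fromisoformat(net["ts"]) - started
            if (net["direction"] == "outbound" and timedelta(0) <= delta <= window
                    and not is_internal(net["dst"])):
                findings.append({
                    "pid": ev["pid"], "user": ev["user"], "host": ev["host"],
                    "image": ev["image"], "dst": f'{net["dst"]}:{net["dport"]}',
                    "seconds_after_start": int(delta.total_seconds()),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_launches(SAMPLE_EVENTS):
        print("ALERT", finding)
```

The finding carries the user and host, which are exactly the fields the post says the LIDSHIFT beacon leaks. A legitimately installed TightVNC talking to an internal host on port 5900 does not match, and a launch from a bad path with no prompt beacon is deliberately left for a lower-severity rule rather than alerted on here.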

Mandiant also reports that UNC2970 used Microsoft Intune, a legitimate endpoint-management service, to push a PowerShell script to managed endpoints; the script carried the payload, a backdoor written in C that Mandiant calls CLOUDBURST. The researchers assume the group abuses this legitimate tool to bypass endpoint protection.

“Although the group has previously targeted the defense, media and technology industries, the targeting of security researchers suggests a change in strategy or an expansion of UNC2970's activities,” the experts conclude.

Hackers majorly use Microsoft and DHL brands in phishing attacks
https://gridinsoft.com/blogs/hackers-majorly-use-microsoft-and-dhl-brands-in-phishing-attacks/
Published Mon, 18 Jan 2021 16:41:55 +0000

Microsoft and DHL are the brands most often impersonated in phishing attacks. In Q4 2020, cybercriminals most frequently imitated brands from the tech industry, followed by shipping and retail businesses.

Researchers from Check Point Software report that Microsoft is the phishers' favourite brand: 43% of all brand-phishing attempts imitated it, as attackers went after people working remotely during the second wave of the pandemic.

Top brands most frequently used in phishing attacks:

  1. Microsoft (43% of all brand-phishing attempts worldwide)
  2. DHL (18%)
  3. LinkedIn (6%)
  4. Amazon (5%)
  5. Rakuten (4%)
  6. IKEA (3%)
  7. Google (2%)
  8. Paypal (2%)
  9. Chase (2%)
  10. Yahoo (1%)

How a brand-based phishing attack works

In a phishing attack that is using brands, criminals try to imitate the official website of a well-known company using a domain name, URL and design similar to the original website.

Victims can receive a link to the fake page via email or SMS. They can also be redirected to a phishing site while browsing the web or from a malicious mobile application. Fake sites often contain a form designed to steal credentials, billing information or other personal information.

“In Q4 2020, cybercriminals stepped up their attempts to steal people's personal data, posing as well-known brands. Our data shows how they change their attack tactics to achieve maximum results. As always, we urge users to be extremely careful when entering sensitive data into business applications. Think twice before opening email attachments and following links. Be especially careful if you see emails that claim to be from Microsoft or Google. With a high degree of probability, these emails may also be from cybercriminals,” says a Check Point Software Technologies representative.

Examples of phishing attacks using brands:

A phishing email allegedly from DHL – an example of password theft

In November, Check Point researchers spotted a phishing email abusing the DHL brand to steal user passwords. It was sent from the spoofed address Parcel.docs@dhl.com with the subject line “RE: Your DHL Parcel (available to receive) – []”. The criminals tried to get the victim to click a malicious link leading to a fake login page, where the password the user entered would be sent to the attackers' site.

[Image: the DHL-themed phishing email]

Phishing email allegedly from Microsoft – an example of credential theft.

In December, Check Point researchers found a phishing email that tried to steal Microsoft Office 365 credentials. Its subject line read “Daily Document Delivery # – ” and the body mimicked an eFax notification. Clicking the link led to a document that in turn redirected the user to a fake Microsoft login page.

[Image: the Microsoft/eFax-themed phishing email]
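The mechanics described under “How a brand-based phishing attack works” and in the two examples above (a sender address spoofing a brand's domain, a link whose host merely resembles the brand's real domain) can be checked mechanically. The following script is an added example written for this post, not Check Point's tooling. The email it parses is constructed; its Authentication-Results header stands in for the verdict a receiving mail server would add after its own SPF/DKIM checks (the script does no DNS lookups); and the BRANDS table, the two-label registrable-domain rule and the edit-distance budget are simplifying assumptions.

```python
"""Triage one email for brand-phishing traits: a sender that claims a well-known
brand's domain but fails email authentication, and links whose hosts resemble
the brand's real domain without being it.

Added example, not Check Point's tooling. The email below is constructed; the
Authentication-Results header stands in for what a receiving mail server adds
after its own SPF/DKIM checks (this script does no DNS lookups)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed brand table: real registrable domain -> short brand token.
BRANDS = {"dhl.com": "dhl", "microsoft.com": "microsoft", "linkedin.com": "linkedin"}

# Constructed sample message modelled on the DHL lure described in the post.
SAMPLE_EMAIL = """\
From: "DHL Express" <Parcel.docs@dhl.com>
To: victim@example.net
Subject: RE: Your DHL Parcel (available to receive)
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=dhl.com; dkim=none
Content-Type: text/plain

Your parcel is waiting. Confirm your password here:
http://dhl-parcel-secure.com/login
Official tracking remains at https://www.dhl.com/track
"""

URL_RE = re.compile(r"https?://([^/\s]+)")


def registrable_domain(host):
    """Assumption: the registrable domain is the last two labels. Production code
    should use the Public Suffix List so that e.g. dhl.co.uk is handled."""
    labels = host.lower().split(":")[0].split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Classic edit distance, used to catch typosquats such as rnicrosoft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(host):
    """Return the real brand domain a host imitates, or None if the host is the
    genuine domain or unrelated. Hyphenated labels are checked piece by piece."""
    reg = registrable_domain(host)
    if reg in BRANDS:
        return None
    pieces = reg.split(".")[0].split("-")
    for real, token in BRANDS.items():
        real_label = real.split(".")[0]
        budget = max(1, len(real_label) // 4)  # fewer edits allowed for short brands
        for piece in pieces:
            if token in piece or levenshtein(piece, real_label) <= budget:
                return real
    return None


def parse_auth_results(value):
    """Pull spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value or ""))


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = parseaddr(str(msg["From"]))[1]
    sender_dom = registrable_domain(sender.rsplit("@", 1)[-1])
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))
    if sender_dom in BRANDS and auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        findings.append(f"sender claims {sender_dom} but fails authentication: {auth}")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for host in URL_RE.findall(body):
        target = lookalike_brand(host)
        if target:
            findings.append(f"link host {host} imitates {target}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL):
        print("SUSPICIOUS:", line)
```

The two checks are independent on purpose: an attacker who registers a lookalike domain will often pass SPF for that domain, so the link check must not rely on authentication failing, and a spoofed From on a genuine brand domain shows up only in the authentication verdict.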

Let me remind you that I talked about cybercriminals that started using Google services more often in phishing campaigns.

Linus Torvalds approved exclusion of the terms slave, blacklist and others from the Linux kernel code
https://gridinsoft.com/blogs/linus-torvalds-approved-exclusion-of-the-terms-slave-blacklist-and-others-from-the-linux-kernel-code/
Published Tue, 14 Jul 2020 16:33:06 +0000

We recently reported that the IT community has returned to discussing inappropriate and offensive terminology under the influence of the Black Lives Matter protests that swept across the United States (and beyond). Linus Torvalds did not stand aside and approved excluding the terms slave, blacklist and others from the Linux kernel code.

Many developers are trying to remove such terms from their source code, applications, and online services.

“Such changes usually include abandoning the terms master and slave and substituting alternatives such as central, default, primary and, respectively, secondary. Likewise, the established terms whitelist and blacklist are replaced by the neutral allow/pass list and deny/exclusion list,” explain IT community activists.

For example, the developers of Android, the Go programming language, the PHPUnit library and the Curl utility have recently announced their intention to find alternatives for whitelist/blacklist. In turn, the authors of the OpenZFS project are already working on replacing the terms master/slave, used to describe the relationships between storage environments.

Although many projects do not use these terms directly in their source code or user interfaces, they have turned their attention to their source repositories: most of them manage code with Git or GitHub, and both use master as the name of the default branch.

[Image: Linus Torvalds]

The developers of GitHub and Git say they are already “working on the problem”, and a number of open source projects have voiced support for Black Lives Matter and renamed their default branch from master to various alternatives (main, default, primary, root, etc.). These include OpenSSL, Ansible, PowerShell, the p5.js JavaScript library and many others.

In early July, developers at Microsoft, LinkedIn, Google and Twitter announced similar changes, promising to revise the technical language of their products and infrastructure and eliminate terms such as master, slave, blacklist and whitelist.

Linux developers did not stand aside either; a discussion of more inclusive terminology had been going on there for quite a long time.

As recently reported, the issue has now been settled: Linus Torvalds merged the corresponding commit and approved the new coding-style policy for the Linux 5.8 kernel branch (although the change was initially proposed for 5.9).

“The third edition of the text was approved by 21 well-known kernel developers, including members of the Linux Foundation. As a result, it was decided to abandon the use of concepts such as master/slave and blacklist/whitelist, and also not to use the word slave on its own,” said The Linux Foundation in a statement.

The new rules are expected to apply to new code; no revision of the existing code base is planned, although the developers do not rule out that the renaming will eventually reach a considerable part of it. The old terms remain permitted only where strictly necessary, such as maintaining an existing userspace ABI/API or matching a hardware or protocol specification that mandates them.

The terms master/slave are now recommended to be replaced with the following analogues:

  • primary, main/secondary, replica, subordinate;
  • initiator, requester/target, responder;
  • controller, host/device, worker, proxy;
  • leader/follower;
  • director/performer.

The terms blacklist/whitelist are to be replaced with more neutral alternatives:

  • denylist/allowlist
  • blocklist/passlist.

Let me remind you also that Google vice president says “black hat” is not a neutral term.
