What makes Rokarolla particularly dangerous is its scale. Researchers observed the malware targeting 217 banking and cryptocurrency applications while providing operators with 137 remote commands, significantly expanding its capabilities beyond many previously documented Android banking trojans.

Threat Overview

Malware Name

Rokarolla

Malware Type

• Android Banking Trojan
• Malware-as-a-Service (MaaS)
• Credential Stealer
• Remote Access Trojan (RAT)

Primary Targets

• Mobile banking users
• Cryptocurrency investors
• Android smartphone users
• Financial institutions

How Rokarolla Infects Devices

The malware is typically distributed through malicious APK files disguised as legitimate applications. Victims are tricked into installing fake apps through phishing pages, malicious advertisements, fraudulent updates, or third-party application stores.

Once installed, Rokarolla aggressively requests permissions that allow it to interact with the Android Accessibility Service. This permission becomes the foundation for most of the malware’s malicious activities.

Accessibility Service Abuse

Android Accessibility Services were designed to assist users with disabilities. However, threat actors frequently abuse these permissions because they allow applications to:

• Read screen content
• Simulate user interactions
• Click buttons automatically
• Capture text entered by users

Rokarolla leverages these capabilities to monitor activity across banking and cryptocurrency applications while bypassing many traditional security mechanisms.

Google Play Protect Bypass

One of Rokarolla’s most concerning features is its ability to disable or interfere with Google Play Protect.

Why This Is Dangerous

Google Play Protect serves as Android’s primary built-in malware detection system. Once disabled:

• Malicious applications face fewer detection checks
• Additional malware can be installed
• Security warnings can be bypassed
• Users lose a critical layer of protection

Remote Device Control Capabilities

Researchers identified 137 attacker commands supported by Rokarolla.

These commands allow threat actors to remotely interact with infected devices and perform a wide range of malicious actions.

• Read SMS messages
• Send SMS messages
• Collect contacts
• Launch applications
• Execute commands

SMS and Two-Factor Authentication Interception

Many financial institutions rely on SMS-based two-factor authentication (2FA).

Rokarolla specifically targets these messages to bypass security controls.

Targeted Data

• One-Time Passwords (OTPs)
• Verification codes
• Authentication links
• Banking notifications

Cryptocurrency Theft Mechanism

Researchers discovered clipboard manipulation functionality within Rokarolla.

How It Works

1. User copies a cryptocurrency wallet address.
2. Malware monitors clipboard activity.
3. Original wallet address is replaced.
4. Funds are transferred to an attacker-controlled wallet.

Victims often remain unaware until the transaction has been completed because the replacement occurs silently in the background.

Indicators of Compromise (IOCs)

Security Recommendations

• Enable Google Play Protect
• Avoid Sideloading Applications
• Review Accessibility Permissions
• Keep Devices Updated

Rokarolla represents a new generation of Android banking malware that combines accessibility abuse, credential theft, SMS interception, clipboard hijacking, and Google Play Protect bypass techniques to achieve near-total control over infected devices. With support for 137 remote commands and targeting hundreds of financial applications, it demonstrates the increasing sophistication of mobile threats facing both consumers and enterprises.

The post Rokarolla Android Malware Disables Google Play Protect to Gain Full Device Control appeared first on First Hackers News.

The vulnerability carries a maximum severity rating and impacts organizations running vulnerable versions of the LiteSpeed User-End cPanel Plugin. Because cPanel is widely used across hosting environments, a successful attack could affect multiple websites, customer accounts, databases, and server resources hosted on the same infrastructure.

Vulnerability Details

CVE Information

The vulnerability stems from an incorrect privilege assignment issue within the plugin, enabling authenticated cPanel users or compromised accounts to execute scripts with elevated privileges.

Technical Analysis of the Exploit

Researchers found that attackers can abuse the plugin’s lsws.redisAble functionality to execute arbitrary commands as the root user. In a shared hosting environment, this effectively breaks the isolation between users and grants attackers complete control over the server.

Because many hosting providers rely on LiteSpeed and cPanel for website management, exploitation could allow attackers to:

• Execute arbitrary scripts
• Modify server configurations
• Access customer data
• Create backdoors Deploy malware
• Pivot to other hosted accounts

Unlike many privilege escalation flaws that require complex attack chains, this vulnerability can be abused by any authenticated cPanel user account, including accounts already compromised through phishing, credential theft, or web application attacks.

Potential Attack Chain

• Initial Access
• Vulnerability Exploitation
• Root Access
• Post-Exploitation Activities

Indicator of Compromise (IOC) Detection

LiteSpeed provided a log analysis command that administrators can use to identify potential exploitation attempts.

Detection Command

grep -rE 'cpanel_jsonapi_func=(generateEcCert|packageUserSize)|cert_action_entry .*geneccert' /usr/local/cpanel/logs/ /var/cpanel/logs/ 2>/dev/null

What This Command Does

The command searches:

• /usr/local/cpanel/logs/
• /var/cpanel/logs/

for suspicious API requests and activity patterns associated with exploitation attempts.

If the command returns no results, there may be no evidence of exploitation within the available logs.

Why This Vulnerability Matters

Shared hosting environments depend heavily on privilege separation between users. Once an attacker obtains root access, they can potentially compromise every website and account hosted on the affected server.

The widespread adoption of LiteSpeed across hosting providers significantly increases the potential impact of this vulnerability. A single successful exploitation could expose customer data, website files, SSL certificates, configuration settings, and administrative credentials.

Security Recommendations

Update Immediately

Upgrade to:

• LiteSpeed cPanel Plugin 2.4.7 or later
• LiteSpeed WHM Plugin 5.3.1.0 or later

Review Logs

Run the IOC detection command and investigate any suspicious results.

Audit User Accounts

• cPanel users
• Administrative accounts
• Recently created users
• Failed login attempts

Restrict Access

• Multi-Factor Authentication (MFA)
• IP restrictions
• Least privilege access controls

The active exploitation of CVE-2026-48172 highlights the risks posed by privilege escalation vulnerabilities in widely deployed hosting software. Since the flaw can allow attackers to obtain root-level access from a standard cPanel account, organizations and hosting providers should prioritize patching, review logs for indicators of compromise, and continuously monitor their environments for signs of malicious activity.

The post Critical LiteSpeed cPanel Plugin Vulnerability Enables Root Privilege Escalation Attacks appeared first on First Hackers News.

Hackers Exploit SVG Image Files for GUloader Malware

GuLoader is notorious for its stealth capabilities and capacity to circumvent conventional security measures by employing polymorphic code and encryption.

These features enable it to constantly alter its structure, posing challenges for antivirus software and intrusion detection systems in detecting its presence. SpiderLabs’ observations indicate a significant surge in the utilization of GuLoader.

McAfee Labs has recently detected a campaign involving the distribution of GUloader through malicious SVG files delivered via email.

SVG stands for Scalable Vector Graphics. Furthermore, it is a widely used file format for vector graphics that describes two-dimensional graphics in XML format. Moreover, SVG files are used for various purposes, including web design, icons, logos, illustrations, and interactive graphics.

One of the main advantages of SVG files is that they can be scaled to any size without losing quality, making them ideal for responsive web design and high-resolution displays. Additionally, SVG files can be edited with text editors or graphic design software. Moreover, they support features like animations and interactivity through JavaScript.

The infection process initiates when a user opens an SVG file attached to an email. This action prompts the browser to download a ZIP file that contains a Windows Script File (WSF).

The WSF file then executes, utilizing wscript to invoke a PowerShell command that establishes a connection to a malicious domain. Consequently, it executes hosted content, including shellcode injected into the MSBuild application.

More details

The attack begins with a spam email containing an SVG file named “dhgle-Skljdf.svg”. Embedded JavaScript within the SVG file triggers the creation of a malicious ZIP archive upon opening.

Once extracted, the ZIP file reveals an obfuscated WSF script, thereby complicating analysis.

This script employs PowerShell to establish a connection to a malicious domain and execute the retrieved content. Additionally, this content includes base64-encoded shellcode and a PowerShell script.

The PowerShell script endeavors to inject the shellcode into the legitimate MSBuild process through the Process Hollowing technique.

Following injection, the shellcode conducts an anti-analysis check and alters the Registry run key to establish persistence.

In the last stage, the process entails downloading and executing the final malicious executable, GUloader, or its variants.

The utilization of SVG files to distribute malware such as GUloader represents a worrisome advancement in the cybersecurity realm.

It’s imperative for organizations and individuals to exercise caution when encountering unexpected email attachments, particularly those containing SVG files.

Additionally, security professionals should prioritize updating their detection systems to effectively mitigate this evolving threat.

IOCs

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Hackers Exploit SVG Image Files for GUloader Malware Distribution appeared first on First Hackers News.

FAKE CHATGPT SITES

The buzz surrounding the public release of ChatGPT garnered significant attention, although not everyone could immediately access it. People from various countries eagerly sought access to this cutting-edge technology, providing an opportunity for scammers to exploit the eager audience. This led to the emergence of malicious fake ChatGPT apps, which have since evolved into more sophisticated and diverse scams.

Let’s discuss the typical profile of such a scam. The webpage involved in the scam typically features a suspicious URL containing the terms “ChatGPT” or “OpenAI,” often registered on a cheap top-level domain (TLD) such as .online or .xyz. The website itself is usually designed in a minimalist fashion, with minimal details and only a few clickable buttons. The main activities on the website usually revolve around two things: downloading a file or paying a certain sum of money that will never be refunded.

In some instances, fraudsters choose to distribute mobile malware disguised as a legitimate app from OpenAI. This was particularly lucrative before the official release, but such scams persist today. In the best-case scenario, they simply charge a fee for a basic shell over the GPT-3.5 API, which is freely available. Worse scenarios involve apps with no functionality, charging users without providing any service, or containing spyware/infostealer capabilities.

Chat-gpt-pc[.]online

One of the earliest malicious fake ChatGPT sites was detected around early February 2023. The site, designed fairly well, offered a desktop client for the chat bot. For those unaware that the original Chat is only available on OpenAI’s website, this seemed like a legitimate offer. However, those who downloaded and installed the client were infected with RedLine stealer. These instances were often promoted through Facebook ads and groups, and sometimes via SEO poisoning.

Openai-pc-pro[.]online

Another malicious website, mirroring the design of the original OpenAI page, effectively mirrors the first one on our list. Besides sharing the same design, it also offered a download for the “desktop client” for the chatbot. Predictably, the downloaded file contained malware, specifically Redline Stealer. Given that both were promoted from the same Facebook group with ChatGPT-related naming, it’s likely they belong to the same malware-spreading campaign.

Chatgpt-go[.]online

A malicious website mimicked the design of the original OpenAI page, featuring a ChatGPT dialogue box without the usual input prompt. Instead, a button labeled “TRY CHATGPT” led to malware downloading. Various interactive elements across the site also triggered malware downloads. Payloads from this site included Lumma Stealer and several clipper malware samples. Malicious Google Ads were the primary method of promotion.

Pay[.]chatgptftw[.]com

A fake ChatGPT differs from the previous examples by attempting to collect users’ payment information instead of spreading malware. It mimics a billing page that supposedly charges for access to the technology, allowing fraudsters to gather banking information, including usernames and email addresses. These scams were promoted through the same channels: Facebook groups and ads.

SuperGPT (Meterpreter inside)

The example involves malware disguised as a SuperGPT Android app, masquerading as a legitimate AI assistant derived from the original GPT model. With poor app moderation on Google Play, it was inevitable that scammers would take advantage of this situation. The app appeared identical to the original one on the surface, but it actually contained Meterpreter malware – a RAT/backdoor designed specifically for Android.

HOW TO DETECT AND AVOID MALICIOUS FAKE CHATGPT APPS?

To detect and avoid malicious fake ChatGPT apps, follow these guidelines:

1. Verify the Source: Only download ChatGPT apps from official sources, such as the OpenAI website or reputable app stores like Google Play Store or Apple App Store.
2. Check the URL: Be cautious of websites with suspicious URLs, especially those containing misspellings or unusual domain extensions. Official sources typically have well-established domains.
3. Review App Permissions: Before downloading any app, review the permissions it requests. Malicious apps may ask for unnecessary permissions, such as access to sensitive data or device functions.
4. Read User Reviews: Check user reviews and ratings for the app. If many users report issues or suspicious behavior, it’s best to avoid downloading it.
5. Research the Developer: Look up information about the app developer or company behind the app. Reputable developers will have a track record of producing trustworthy apps.
6. Avoid Third-Party Stores: Avoid downloading apps from third-party app stores or unknown sources, as they may host malicious or counterfeit apps.
7. Use Security Software: Install reputable antivirus or security software on your device to detect and block malicious apps before they can cause harm.
8. Stay Informed: Stay updated on the latest cybersecurity threats and scams involving fake apps. Awareness of common tactics used by scammers can help you avoid falling victim to their schemes.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Beware of Malicious Fake ChatGPT Apps appeared first on First Hackers News.

AZORULT MALWARE

Azorult malware is a type of information-stealing malware that first emerged in 2016. Known for its capabilities to pilfer sensitive data, Azorult specializes in collecting information such as browsing history, cookies, and login credentials. Originally active in campaigns associated with the STOP/Djvu ransomware, its activity declined from early 2020, with a flat curve observed in late 2021. In its recent resurgence, Azorult has exhibited more sophisticated and stealthy methods, making it challenging to detect. The malware employs new infection chains, utilizes RAM for payload deployment, and is distributed through classic methods like email phishing.

Recent research in the cyber threat landscape has revealed troubling news about the Azorult malware. Initially identified in 2016, this malware gained notoriety, particularly for its association with the STOP/Djvu ransomware in prominent campaigns. However, its activity has been on the decline since early 2020, with the activity curve flattening out in late 2021.

As a stealer malware originating from the mid-2010s, Azorult was originally designed with functionality relevant to its time. The malware specializes in pilfering sensitive information, encompassing browsing history, cookies, and login credentials. Notably absent from its target list are crypto wallets, sessions, and 2FA tokens, as these were not as valuable during its inception.

The notable aspects of the re-emerged version include enhanced sophistication and stealthy methods that significantly increase the difficulty of detection. Introducing a new infection chain, it leverages RAM as a launchpad for deploying and executing the entire payload. Researchers discovered shortcut files disguised as PDF files, ultimately facilitating Azorult’s infiltration of the device. In terms of distribution, experts indicate the utilization of classic methods such as email phishing.

In its latest form, Azorult employs process injection and “Living Off the Land” (LotL) techniques to avoid detection by security tools. It is predominantly sold on Russian underground hacker forums, and the data it steals is auctioned on Russian Dark Web marketplaces. Apart from traditional information theft, the malware gathers data for a service selling ready-made virtual identities, encompassing detailed information about users’ online behavior, including website visits, operating system details, browser information, and installed plugins.

RECOMMENDATIONS

1. Unsolicited Emails:
   • Exercise skepticism and caution regarding emails from unknown sources, particularly those requesting personal information or urging you to click on a link.
2. Verify Email Sources:
   • Before responding or clicking any links, verify the sender’s email address to ensure legitimacy. Avoid clicking on links in emails, especially if they appear suspicious or too good to be true.
3. Educate Yourself:
   • Stay informed about phishing methods and various scam techniques based on phishing. Regularly educate yourself to recognize and avoid falling victim to phishing attacks.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post AzorUlt Stealer Resurfaces, Employing Email Phishing Tactics appeared first on First Hackers News.

WHAT IS A ZERO-DAY ATTACK?

A zero-day attack is a type of cyber threat that takes advantage of a software vulnerability unknown to the developer or vendor. Attackers exploit this undisclosed weakness before a fix or patch is available, making it challenging for security measures to detect or prevent such attacks. Zero-day attacks can target various applications, posing a significant challenge for cybersecurity professionals.

Cyber attackers exploit undisclosed vulnerabilities in programs or operating systems to execute their code more effectively. The frequently utilized exploits include those enabling remote code execution and privilege escalation, granting attackers extensive control within the compromised environment. These sophisticated attacks are typically directed at corporations, given their possession of more valuable data.

Exploiting a breach without raising alarms or attracting attention is made simple when the only individual aware of it is the criminal who discovered it. Even advanced EDR solutions may err by overlooking actions from trusted programs without recognizing their potential malicious intent. Hence, opting for an endpoint protection application capable of preventing zero-day attacks is a prudent choice.

IDENTIFYING AND ADDRESSING ZERO-DAY EXPLOITS AND ATTACKS

Identifying and addressing zero-day exploits and attacks involves several key steps:

1. Continuous Monitoring: Implement robust monitoring systems to detect unusual patterns or behaviors within your network and systems. Real-time monitoring can help identify potential zero-day exploits early on.
2. Anomaly Detection: Utilize anomaly detection tools and machine learning algorithms to identify deviations from normal system behavior. Unusual network traffic, unexpected file modifications, or abnormal user activities can be indicators of zero-day exploits.
3. Threat Intelligence Feeds: Subscribe to threat intelligence feeds to stay informed about emerging threats and vulnerabilities. These feeds provide up-to-date information on potential zero-day exploits, enabling proactive measures.
4. Behavioral Analysis: Employ behavioral analysis tools that can identify malicious activities based on behavior rather than known signatures. This approach is effective against previously unseen threats.
5. Patch Management: Regularly update and patch software and systems to address known vulnerabilities. While this doesn’t directly identify zero-day exploits, it reduces the attack surface and makes it harder for attackers to find and exploit vulnerabilities.
6. User Training and Awareness: Educate users about phishing attacks and social engineering tactics, as these are common entry points for zero-day exploits. Users should be cautious about clicking on suspicious links or downloading attachments from unknown sources.
7. Network Segmentation: Implement network segmentation to limit the impact of potential exploits. Isolating critical systems and data can prevent lateral movement within the network.
8. Incident Response Plan: Develop and regularly update an incident response plan that includes procedures for addressing zero-day exploits. This ensures a coordinated and efficient response when an attack is detected.
9. Endpoint Protection: Utilize advanced endpoint protection solutions that employ heuristics, behavioral analysis, and other advanced techniques to identify and block zero-day exploits.
10. Collaboration: Engage with cybersecurity communities, share threat intelligence, and collaborate with industry peers to stay informed about evolving threats and effective mitigation strategies.

Organizations have faced persistent challenges in patch management, partly due to the sheer volume of patches requiring attention. In 2021 alone, more than 20,000 vulnerabilities were addressed, adding to the complexity of staying abreast of all the necessary updates.

Ignoring timely updates, many users believe they can postpone software updates for days or weeks without consequences. This practice poses significant risks, often underestimated by users. Additionally, patch management receives minimal emphasis in security awareness training, despite the Department of Homeland Security advising the application of critical patches within 15 days of release.

Identifying critical patches can pose a dilemma for security teams. They adhere to internal testing procedures to verify the reliability of patches before deployment, considering potential bugs or ineffectiveness that could cause harm. Additionally, IT teams have established processes to monitor and track patch deployments, ensuring comprehensive coverage to prevent any device or system from being left unpatched.

HOW TO PROTECT AGAINST ZERO-DAYS?

Protecting against zero-days involves implementing a multi-faceted approach:

1. Up-to-Date Security Measures:
   • Ensure all security software, including antivirus and intrusion detection systems, is updated regularly.
2. Network Segmentation:
   • Implement network segmentation to limit the impact of potential zero-day exploits, isolating critical systems.
3. User Training:
   • Educate users on recognizing phishing attempts and suspicious activities to minimize the risk of falling victim to zero-day attacks.
4. Behavioral Analysis:
   • Use behavioral analysis tools to identify anomalous activities and behaviors that may indicate a zero-day attack.
5. Threat Intelligence Feeds:
   • Subscribe to threat intelligence feeds to stay informed about emerging threats and vulnerabilities, including potential zero-days.
6. Patch Management:
   • Regularly update and patch software to reduce the attack surface and address known vulnerabilities, minimizing the risk of exploitation.
7. Zero-Day Threat Detection Tools:
   • Utilize advanced threat detection tools designed to identify patterns associated with zero-day attacks.
8. Endpoint Protection:
   • Employ robust endpoint protection solutions with heuristic and behavioral analysis capabilities to detect and prevent zero-day exploits.
9. Incident Response Plan:
   • Develop a comprehensive incident response plan that includes procedures specific to handling zero-day attacks, ensuring a swift and effective response.
10. Collaboration:
    • Engage with cybersecurity communities, share threat intelligence, and collaborate with industry peers to enhance awareness and preparedness against zero-day threats.
11. Continuous Monitoring:
    • Implement continuous monitoring of network traffic, user activities, and system behaviors to detect unusual patterns indicative of potential zero-day exploits.
12. Security Updates and Best Practices:
    • Stay informed about security updates, industry best practices, and recommended security configurations to strengthen overall defense against zero-day vulnerabilities.

The post Can Patches Prevent Zero-Day Attacks? appeared first on First Hackers News.

FBot hacking tool hijacking cloud and payment services

The tool, named FBot, possesses the capability for credential harvesting in spamming attacks, AWS account hijacking, and facilitates assaults against PayPal and various SaaS accounts.

As per documentation from the company’s SentinelLabs research unit, FBot is distinguished by a smaller footprint compared to similar tools, suggesting potential private development and a more targeted distribution approach.

SentinelLabs researcher Alex Delamotte analyzed the internals of the attack tool and identified functionalities geared towards targeting web servers, cloud services, and Software-as-a-Service (SaaS) technologies, including Aws, Office365, PayPal, Sendgrid, and Twilio.

While its primary purpose is to enable actors to hijack cloud, SaaS, and web services, Delamotte uncovered a secondary focus on acquiring accounts for the purpose of conducting spamming attacks.

“The tool incorporates various utilities, including an IP address generator and port scanner. Additionally, it features an email validator function that utilizes an Indonesian technology service provider for validating email addresses,” mentioned the SentinelLabs researcher.

The anti-malware company identified various features aimed at targeting payment services, such as a PayPal Validator feature, a SendGrid API key generator, and functionalities for harvesting key secrets.

Delamotte suggests that organizations implement multi-factor authentication (MFA) for AWS services with programmatic access and establish systems to notify security operations teams when a new AWS user account is added to the organization.

The researcher recommends configuring alerts for the addition of new identities or significant configuration changes to SaaS bulk mailing applications.

Indicators of Compromise

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Researchers identify FBot hacking tool hijacking cloud and payment services. appeared first on First Hackers News.

WHAT IS SMTP SMUGGLING?

SMTP (Simple Mail Transfer Protocol) Smuggling is a technique used by attackers to manipulate the behavior of mail servers during the email transmission process. It involves exploiting inconsistencies or variations in the way different servers interpret and implement the SMTP protocol.

In a typical SMTP transaction, there are two phases: the client’s request to the server (DATA phase) and the server’s response. SMTP Smuggling takes advantage of discrepancies in how proxy servers and mail servers interpret the length of the message content during these phases.

By carefully crafting the headers and body of an email, attackers can deceive the servers into misinterpreting the message length, leading to discrepancies between the front-end proxy server and the back-end mail server. This can result in various security issues, such as bypassing security filters, evading detection, and enabling malicious activities like spoofing or injecting arbitrary content into emails.

SMTP Smuggling attacks are a type of protocol-level manipulation, exploiting the intricacies of communication between different components in the email delivery process. Defending against SMTP Smuggling often involves implementing secure and consistent configurations across all involved mail servers and proxies to prevent the exploitation of these protocol variations.

SMTP smuggling centers around inconsistencies in how distinct servers process the end-of-data sequence (<CR><LF>.<CR><LF>). Through exploiting these variations, attackers can escape the standard message data, introducing unauthorized commands.

This method relies on the inbound server’s ability to accept multiple SMTP commands in a batch, a functionality widely supported by most servers today.

Thorough investigation into this vulnerability has uncovered that SMTP servers belonging to major email providers such as Microsoft, GMX, and Cisco are susceptible to this exploit. Although Microsoft and GMX have taken steps to address these issues, Cisco has categorized the findings as a feature rather than a vulnerability and has opted not to modify the default configuration.

WHAT IS THE DANGER OF SMTP VULNERABILITY?

SMTP smuggling poses alarming implications as attackers can send deceptive emails from seemingly credible sources, evading authentication checks like DKIM, DMARC, and SPF.

In essence, employing this technique could allow fraudsters to infiltrate corporate emails previously immune to spam. While companies implementing this security method are likely cognizant of the risks and employ additional protective measures, the exposure itself increases the overall vulnerability to potential cyberattacks.

MITIGATING THE EFFECTS OF VULNERABILITY

To mitigate the effects of SMTP vulnerability:

1. Implement Security Updates: Regularly update and patch SMTP servers to address known vulnerabilities and ensure they are equipped with the latest security measures.
2. Enable Encryption: Utilize encryption mechanisms, such as STARTTLS, to secure the communication channels between SMTP servers and prevent eavesdropping or unauthorized access.
3. Protocol Compliance: Ensure that SMTP servers adhere to standardized protocols and follow best practices to minimize the risk of exploitation through protocol-level vulnerabilities.
4. Network Monitoring: Implement robust network monitoring tools to detect unusual SMTP traffic patterns, which may indicate potential exploitation or malicious activities.
5. Authentication Mechanisms: Strengthen authentication mechanisms, including enforcing strong passwords and implementing multi-factor authentication, to prevent unauthorized access to SMTP servers.
6. Implement Access Controls: Configure access controls to restrict access to SMTP servers only to authorized personnel, reducing the risk of unauthorized manipulation or exploitation.
7. Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address potential weaknesses in the SMTP infrastructure.
8. User Awareness Training: Educate users about phishing attacks and social engineering tactics that may exploit SMTP vulnerabilities, emphasizing vigilance in email interactions.
9. Intrusion Detection and Prevention: Deploy intrusion detection and prevention systems to monitor and block suspicious activities or unauthorized access attempts targeting SMTP servers.
10. Collaborate with Vendors: Stay informed about vendor advisories, security updates, and patches related to SMTP vulnerabilities, and promptly apply recommended mitigations.
11. Incident Response Plan: Develop and maintain an incident response plan specific to SMTP vulnerabilities, outlining procedures for detecting, responding to, and recovering from potential security incidents.
12. Backup and Recovery: Regularly back up critical email data and ensure the availability of efficient recovery mechanisms to minimize data loss in the event of a security breach.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post SMTP Smuggling Emerges as a Fresh Email Security Concern appeared first on First Hackers News.

VULNERABILITY IN TWITTER IN-POST LINKS

The exploit entails manipulating the account name in a tweet’s URL to impersonate high-profile accounts, enticing users into accessing fraudulent content. This method has witnessed a surge in usage in recent weeks, with scammers specifically targeting well-known crypto-related Twitter accounts boasting substantial followings, including Binance (11 million followers), the Ethereum Foundation (3 million), zkSync (1.3 million), and Chainlink (1 million).

Clicking on these altered URLs redirects users to posts that promote crypto scams instead of the anticipated legitimate content. These scams encompass fraudulent crypto giveaways and deceptive websites crafted to empty cryptocurrency wallets.

The fraudulent tweets frequently present themselves as authentic, especially on mobile devices where the Twitter app lacks an address bar, concealing the URL discrepancy. This limited visibility poses a challenge for users in verifying the authenticity of the tweet, particularly when scammers craft accounts with names resembling those of legitimate organizations.

WHAT ARE CRYPTOCURRENCY SCAMS?

Cryptocurrency scams encompass deceptive schemes involving digital currencies such as Bitcoin or Ether. These scams take advantage of the intricate and novel nature of cryptocurrencies to mislead users. Tactics employed include fraudulent giveaways, impersonation of legitimate accounts, and the promotion of fictitious investment opportunities promising unrealistic returns.

Fraudsters frequently employ social media, phishing emails, and counterfeit websites to entice victims. They make promises of high returns, leverage celebrity endorsements, or present exclusive investment opportunities, all with the intention of unlawfully obtaining funds or personal information.

TWITTER CRYPTOSCAMS – HOW TO PROTECT?

To counter these scams, users should activate Twitter’s Quality Filter, although it may unintentionally filter genuine content. Additionally, scrutinizing the URL and account name is crucial to determining the authenticity of a tweet.

To steer clear of falling prey to crypto scams, adhere to these guidelines:

1. Verify the URL and domain name of any website you visit. Fake websites frequently imitate legitimate ones but may feature slight variations in the URL. You can assess the site’s credibility by scanning it with the GridinSoft Web Scanner.
2. Exercise caution with unsolicited offers and promises that seem too good to be true, particularly on social media. Scammers often employ high-pressure tactics, creating a false sense of urgency and making unrealistic profit claims.

The post Cryptocurrency Scams on Twitter Exploit Post Features appeared first on First Hackers News.

Microsoft Issues Warning on COLDRIVER

The Microsoft Threat Intelligence team is monitoring a threat known as Star Blizzard (formerly SEABORGIUM), also referred to as Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternatively spelled Callisto), and TA446.

The adversary, tied to Russia’s Federal Security Service (FSB), persistently targets individuals and organizations in international affairs, defense, logistics support to Ukraine, academia, information security companies, and entities aligned with Russian state interests, according to Redmond.

Star Blizzard, active since at least 2017, utilizes lookalike domains to impersonate login pages of targeted companies.

In August 2023, Recorded Future revealed 94 new domains that are part of the threat actor’s attack infrastructure, most of which feature keywords related to information technology and cryptocurrency.

Microsoft noted that since April 2023, the adversary has shifted tactics, employing server-side scripts to thwart automated scanning of the actor-controlled infrastructure. This involves a transition from hCaptcha for target determination to redirecting the browsing session to the Evilginx server.

The server-side JavaScript code is created to verify the presence of installed browser plugins, identify access through automation tools such as Selenium or PhantomJS, and relay the results to the server through an HTTP POST request.

“Upon receipt of the POST request, the redirector server evaluates the data gathered from the browser and determines whether to permit ongoing browser redirection,” according to Microsoft.

“When a positive decision is made, the browser receives a response from the redirection server, leading to the next phase of the chain. This could involve presenting an hCaptcha for the user to solve or directing the user straight to the Evilginx server.”

Star Blizzard has recently incorporated email marketing services such as HubSpot and MailerLite to orchestrate campaigns, serving as the initial step in the redirection chain that ultimately leads to the Evilginx server hosting the credential harvesting page.

Furthermore, the threat actor employs a domain name service (DNS) provider to resolve actor-registered domains. They send password-protected PDF lures containing embedded links to bypass email security processes and host files on Proton Drive.

Additionally, the actor upgraded its domain generation algorithm (DGA) to include a more randomized list of words, indicating awareness of public reporting on its tactics and techniques.

Despite the adjustments, Microsoft notes that “Star Blizzard continues to prioritize email credential theft, with a primary focus on cloud-based email providers hosting organizational and personal email accounts.”

The threat group consistently employs pairs of dedicated VPSs for hosting actor-controlled infrastructure, comprising redirector and Evilginx servers, particularly for spear-phishing activities. Each server typically hosts a distinct actor-registered domain.

Indicators of compromise

centralitdef[.]com
rootgatewayshome[.]com
directstoragepro[.]com
infocryptoweb[.]com
cloudwebstorage[.]com
cryptdatahub[.]com
datainfosecure[.]com
servershieldme[.]com
scandefinform[.]com
guardittech[.]com
storageinfohub[.]com
docsinfohub[.]com

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!

The post Microsoft Issues Warning on COLDRIVER: Ongoing Evolution in Evasion and Credential Theft Strategies appeared first on First Hackers News.