Cloud9 Botnet Hijacking Web Browsers and Compromising Windows Operating System
  • Advisory
  • November 14, 2022

Cloud9 is a botnet, a network of compromised computers controlled by a group of hackers, that allows them to remotely access any infected computer, including all of its data, and use it for any purpose. Instead of installing a Trojan on victims' computers, the operators use a malicious web browser extension distributed via web stores such as the Chrome store. The extension presents itself in the browser as a Flash plugin, purporting to let the browser load that type of content. Once installed, the plugin joins the botnet and waits for orders from the hackers. The hackers can then steal online accounts, record all keystrokes, and inject ads and malicious JavaScript code without raising the user's suspicion. Infected computers are also used to launch distributed denial of service (DDoS) attacks. Even if the Windows malware component is not present, the Cloud9 extension can steal cookies from the compromised browser and use them to hijack legitimate user sessions and take over accounts.

The malicious browser extension is not available through any official web store; instead, it is distributed through malicious websites and, in one case, as a free Adobe Flash Player download. It is composed of three JavaScript files, each in charge of a malicious compromise that, depending on the browser, will also load exploits for the aforementioned CVEs. The malware within these extensions is also capable of leveraging various vulnerabilities to escape the browser and infect the Windows operating system.

Cybercriminals Targeting Federal Government Agencies Through Log4j Vulnerability
  • Advisory
  • November 28, 2022

Apache Log4j is a popular open-source logging library that is found in almost every environment where a Java application is used. Enterprise applications, cloud services, web applications, email services, and open-source software are all examples of this. This library is used to record information about security and performance. Recently, CISA discovered traffic between the network of an unnamed US government organization and a hostile IP address known for exploiting the Log4j vulnerability. Furthermore, they discovered that the actor had exploited the vulnerability months before its discovery and had gained network persistence. In addition, the actor had installed XMRig crypto mining software and compromised the domain controller, gaining access to user credentials and inserting Ngrok proxies. However, the threat actors' attempt to disable the Local Security Authority Subsystem Service (LSASS) process was foiled by the organization's anti-malware solution.

For more details on the Log4j remote code execution vulnerability, check the link on the ngCERT advisory below.

TikTok Challenge Used To Circulate Information-Stealing Malware
  • Advisory
  • December 1, 2022

The Invisible Challenge involves wrapping a somewhat transparent body contouring filter around a presumed naked individual. Attackers are uploading videos to TikTok with a link to software that they claim can reverse the filter's effects. Those who click on the link and attempt to download the software, known as "unfilter," are infected with the WASP stealer. The accounts that originally posted the videos with the link, since suspended, had amassed over a million views. Following the link leads to the "Space Unfilter" Discord server, which had 32,000 members at its peak but has since been removed by its creators.

Security Advisory on Most Commonly Used Passwords in Nigeria
  • Advisory
  • December 9, 2022

Nordpass and independent researchers who specialize in cybersecurity incidents combed through a 3TB database to compile the list of passwords. The researchers had to divide the data into several verticals in order to conduct a statistical analysis focused on countries and gender. The top three most commonly used passwords in Nigeria are 123456, 1982 and 12345678, all of which will take a moderately skilled hacker less than a second to compromise. The table below shows the top 10 most commonly used passwords in Nigeria and across all 30 countries whose data was available.

S/N   Nigeria     All Countries
1.    123456      password
2.    1982        123456
3.    12345678    123456789
4.    12345       guest
5.    1234567     qwerty
6.    123456789   12345678
7.    1234        111111
8.    36874399    12345
9.    000000      col123456
10.   Abdul44@    123123

For the complete list and the period it will take to crack them, check the link below.

Multiple Vulnerabilities in EDRs and Anti-Virus Software Exploited To Turn Them into Data Wipers
  • Advisory
  • December 19, 2022

Anti-virus software scans a device, and EDR solutions continuously monitor it, for suspect or malicious files with the intent of quarantining or deleting them. This exploit deceives the vulnerable solutions into deleting non-malicious files instead, by substituting customized paths via what is known as a junction point.

A junction point is a type of reparse point that contains a link to a directory and serves as an alias for that directory. During the brief window between an EDR or anti-virus product detecting a malicious file and attempting to delete it, the threat actor can use a junction point to redirect the solution to a path (directory) of their choice.

To wipe a directory completely, the threat actor can use a tool such as the Aikido wiper to trigger a privileged delete: a malicious file is planted in a decoy directory and stripped of all permissions, so that the EDR or anti-virus product postpones deletion until the next restart. The actor then deletes the decoy directory containing the planted file, replaces it with a junction point to the directory they wish to wipe, and restarts the system, at which point the deferred deletion wipes the target directory.
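As a defender-side illustration of the redirection just described (code added here, not from the advisory or from any of the affected products), the check below refuses to act on a path when any component below the expected root is a link or reparse point, or when the resolved location leaves that root. The demo builds a constructed quarantine directory and uses a Linux symlink as the stand-in for a Windows junction; on Windows the same function also honours the reparse-point attribute.

```python
import os
import stat
import tempfile

def is_link_or_reparse_point(path: str) -> bool:
    """True if this path component is a symlink, or on Windows carries a
    reparse point attribute (which covers junctions)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))

def safe_delete_target(path: str, allowed_root: str):
    """Return (ok, detail). ok is True only when the resolved path stays
    inside allowed_root and no component below the root is a link or
    reparse point, so a deferred delete cannot be redirected elsewhere."""
    root = os.path.realpath(allowed_root)
    resolved = os.path.realpath(path)
    if os.path.commonpath([root, resolved]) != root:
        return False, "resolves outside root: " + resolved
    cur = os.path.abspath(allowed_root)
    for part in os.path.relpath(os.path.abspath(path), cur).split(os.sep):
        cur = os.path.join(cur, part)
        if os.path.lexists(cur) and is_link_or_reparse_point(cur):
            return False, "link or reparse point in path: " + cur
    return True, resolved

def demo():
    """Constructed scenario (hypothetical paths): a quarantine root holding a
    planted file, then the planted directory swapped for a link to a directory
    outside the root, mirroring the redirection described in the advisory."""
    base = tempfile.mkdtemp()
    quarantine = os.path.join(base, "quarantine")
    victim = os.path.join(base, "victim")
    os.makedirs(os.path.join(quarantine, "planted"))
    os.makedirs(victim)
    open(os.path.join(victim, "important.txt"), "w").close()
    planted = os.path.join(quarantine, "planted", "bad.bin")
    open(planted, "w").close()
    before_ok, _ = safe_delete_target(planted, quarantine)
    # the decoy directory is removed and a link put in its place before the deferred delete runs
    os.remove(planted)
    os.rmdir(os.path.join(quarantine, "planted"))
    os.symlink(victim, os.path.join(quarantine, "planted"))
    after_ok, _ = safe_delete_target(os.path.join(quarantine, "planted", "important.txt"), quarantine)
    return before_ok, after_ok
```

The first check passes because every component is a real directory under the root; the second fails because the swapped-in link both sits in the path and resolves outside the root.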

The affected solutions are:

  1. Microsoft Defender
  2. Microsoft Defender for Endpoint
  3. SentinelOne EDR
  4. TrendMicro Apex One
  5. Avast Antivirus
  6. AVG Antivirus

Legacy Windows Operating Systems to No Longer Get Support from January 2023
  • Advisory
  • January 9, 2023

Windows 7 was released in 2009 and reached its end date in January 2015. Its end date was extended to January 2020, and for those customers that needed particularly important applications past this end date, the ESU programme was initiated, which gives them critical security updates for a maximum of three years after the extended end date.

Windows 8.1, on the other hand, was released in November 2013 and reached its end date in January 2018. Its extended end date will elapse on January 10, 2023.
