Common Methods of Hacking Android Devices
Malware and Trojans:
Hackers create malicious apps that look legitimate but steal data once installed.
Phishing Attacks:
Fake websites or messages trick users into sharing sensitive information.
Exploiting Vulnerabilities:
Hackers exploit flaws in the OS or apps to gain control.
Man-in-the-Middle (MitM) Attacks:
Hackers intercept data between the device and services, often using fake Wi-Fi hotspots.
Rooting Exploits:
Exploits are used to gain root access, bypassing security.
Social Engineering:
Manipulating users into performing actions or sharing information.
Real-Time Attack Scenario: Man-in-the-Middle via Rogue Wi-Fi
Setup:
Hacker creates a fake Wi-Fi hotspot named “Free_Public_WiFi.”
Baiting:
Users connect to the free Wi-Fi. The hacker uses tools to intercept traffic.
Data Interception:
Hacker captures unencrypted data, including login credentials.
Code Injection:
Hacker injects malicious scripts into websites visited by the user.
Exploitation:
Captured data is used to access accounts, or malware is installed on the device.
Covering Tracks:
Hacker disconnects from the network, leaving minimal trace.
Preventive Measures
Update Regularly: Keep the OS and apps updated.
Strong Passwords: Use unique passwords and a password manager.
Enable 2FA: Adds extra security.
Be Cautious with Public Wi-Fi: Use VPNs if necessary.
Trusted Sources: Install apps only from reputable sources.
User Education: Awareness about phishing and social engineering.
By following these measures, users can significantly reduce the risk of their Android devices being compromised.
DarkGate, also known as MehCrypter, emerged in the cybersecurity scene in 2018.
Since then, it has become a popular choice among cybercriminals due to its versatile feature set, including HVNC (Hidden VNC), keylogging, information theft, and the ability to download and execute additional payloads.
This malware variant has been involved in multiple campaigns in the past few months, making it a persistent and evolving threat.
https://lnkd.in/dcn8FSga
Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks.
Microsoft on Thursday said it's once again disabling the ms-appinstaller protocol handler by default following its abuse by multiple threat actors to distribute malware.
"The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution," the Microsoft Threat Intelligence team said.
It further noted that several cybercriminals are offering a malware kit for sale as a service that leverages the MSIX file format and ms-appinstaller protocol handler. The changes have gone into effect in App Installer version 1.21.3421.0 or higher.
The attacks take the form of signed malicious MSIX application packages that are distributed via Microsoft Teams or malicious advertisements for legitimate popular software on search engines like Google.
At least four different financially motivated hacking groups have been observed taking advantage of the App Installer service since mid-November 2023, using it as an entry point for follow-on human-operated ransomware activity.
Microsoft says criminals are misusing OAuth apps to launch scam attacks
#Microsoft says its Threat Intelligence team has been observing financially motivated attacks and scams using OAuth apps as automation tools.
In a new post, the team explained how threat actors have #compromised user accounts to create, modify, and grant high privileges to OAuth apps to hide malicious activity.
Fortunately, the scale of the attacks has been measured by means of account protection – #attackers have been targeting user accounts without strong #authentication mechanisms – which at least gives users and admins some hope to apply further #protection against the scams.
https://lnkd.in/edP-FCpU#cybernews#cybersecurity#OAuth
Lvl 1 SOC should know this :
I’d like to use MRT tools provided by Microsoft, its a built-in Malicious Removal Tools which is Prevalent Malicious file Removal tools locally, but not strictly use APT scanning tools to consistently scan every endpoint filesystem. By using python script to interact with Powershell via RMM.
In case the threat are inspected after escalating to the next level SOC.
In case it cannot be deleted through OS Level, i certainly try to post-remove it next system restart via Eraser by Heidi Project which is Opensource project tools to ensure the file is unable to recovered. Sometimes Internal Threat with sufficient knowledge can reverse the file via recovering/undeleted the malicious files with any recover tools technology, such as Recuva or Hiren’s Boot.
Those deletion by using Eraser can be done before the OS Started to get inside the Desktop Environment. And its provide irrecoverable
#cybersecurity#itsupport
Azure registered application is common backdoor for Illicit attacks.
The attack may consist of an adversary creating an Azure registered application which requests access to customer data (contact information, email, documents, etc.), and then tricking an end user into granting that application consent to access their data through a phishing attack, or by injecting illicit code into a trusted website. Once the illicit application has been granted consent, it functionally has account-level access to data but without needing an actual account in the organization.
The good news is that this attack pattern is detectable and can be remediated in the Office 365 ecosystem.
IT Administrators are the first line of defence and they should count their Eggs (Apps ) to check if there is a dinosaurs eggs(Illicit Apps) hatched in their eggs by running Automated script to assess their enterprise registered apps and attach weekly scheduled Power flow to assess the new apps.
Note: The same process for app inventory script can be done separately by each service like Power Plat form, teams services etc.
Reference: https://lnkd.in/gVh5hCfJ
