Yesterday - 2 December 2023 - Security News

Agent Racoon Backdoor Targets Organizations in Middle East, Africa, and U.S.

By: Newsroom
2 December 2023 at 08:29
Organizations in the Middle East, Africa, and the U.S. have been targeted by an unknown threat actor to distribute a new backdoor called Agent Racoon. "This malware family is written using the .NET framework and leverages the domain name service (DNS) protocol to create a covert channel and provide different backdoor functionalities," Palo Alto Networks Unit 42 researcher Chema Garcia 

Russian Hacker Vladimir Dunaev Convicted for Creating TrickBot Malware

By: Newsroom
2 December 2023 at 07:52
A Russian national has been found guilty in connection with his role in developing and deploying a malware known as TrickBot, the U.S. Department of Justice (DoJ) announced. Vladimir Dunaev, 40, was arrested in South Korea in September 2021 and extradited to the U.S. a month later. "Dunaev developed browser modifications and malicious tools that aided in credential harvesting and data

Fortune-telling website WeMystic exposes 13M+ user records

2 December 2023 at 08:25

WeMystic, a website on astrology, numerology, tarot, and spiritual orientation, left an open database exposing 34GB of sensitive data about the platform’s users.

Telling the future is a tricky business, and failure to foretell your own mishaps doesn’t help. The content platform WeMystic is a good example of this, with the Cybernews research team discovering that it exposed its users’ sensitive data.

WeMystic offers its users astrology, spiritual well-being, and esotericism alongside an online shop for natural stones, chakras, tarot cards, bracelets, and other products. The platform primarily serves Brazilian, Spanish, French, and English speakers.

According to our team, WeMystic left an open and passwordless MongoDB database containing 34 gigabytes of data related to the service as part of the MongoDB infrastructure.

Businesses employ MongoDB to organize and store large swaths of document-oriented information. While WeMystic has since closed the database, researchers said that the data was accessible for at least five days.

One of the data collections in the exposed instance, named “users,” contained a whopping 13.3 million records. The exposed records include:

  • Names
  • Email addresses
  • Dates of birth
  • IP addresses
  • Gender
  • Horoscope signs
  • User system data

Our research team explains that the exposure of personal user data poses security risks for those involved since attackers may build on collected data to carry out targeted attacks, even getting creative with seemingly superstitious data.

Do you want to know the risks faced by users whose data has been exposed? Take a look at the original post at:


About the author: Vilius Petkauskas, Deputy Editor at CyberNews


Pierluigi Paganini

(SecurityAffairs – hacking, WeMystic)

Expert warns of Turtle macOS ransomware

1 December 2023 at 22:18

The popular cybersecurity researcher Patrick Wardle dissected the new macOS ransomware Turtle used to target Apple devices.

The popular cyber security researcher Patrick Wardle published a detailed analysis of the new macOS ransomware Turtle.

Wardle pointed out that since Turtle was uploaded to VirusTotal, it was labeled as malicious by 24 anti-malware solutions, suggesting it is not a sophisticated threat. However, the malicious code was generally detected as “Other:Malware-gen”, “Trojan.Generic”, or “Possible Threat”. In some cases, the anti-virus solution flagged the binary as Windows malware (“Win32.Troj.Undef”).

The experts speculate the malware was first developed for Windows, then ported to macOS.

Only one AV engine detects the malicious code as “Ransom.Turtle” due to the internal name of the malware.

“If we download the archive and unzip it, we find it contains files (prefixed with “TurtleRansom”) that appear to be compiled for common platforms, including, Windows, Linux, and yes, macOS” reads the analysis published by Wardle.

The malicious code is only ad hoc signed, so Gatekeeper should block it, explains Wardle. The binary also lacks obfuscation.

The Turtle ransomware reads files into memory, encrypts them with AES (in CTR mode), renames the files, then overwrites the original contents of the files with the encrypted data. The malware adds the extension “TURTLERANSv0” to the filenames of encrypted files.

The malware is not sophisticated; however, the discovery of a macOS version of the Turtle ransomware suggests it is becoming popular in the cybercrime underground.

Wardle discovered various strings in Chinese. Some of these strings are related to ransomware operations, such as “加密文件”, which translates to “Encrypt files”. However, the presence of these strings is not enough to attribute the malware to a specific threat actor.

“Today we dove into a new ransomware sample, internally dubbed “Turtle”. And while in its current state it does not post much of a threat to macOS users, it yet again, shows that ransomware authors continue to set their sites on macOS.” concludes the analysis.


Pierluigi Paganini

(SecurityAffairs – hacking, TurtleRansom)