<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" >

<channel><title><![CDATA[myVDH - Blog]]></title><link><![CDATA[http://www.myvdh.com/blog]]></link><description><![CDATA[Blog]]></description><pubDate>Thu, 29 Jan 2026 18:33:42 +0800</pubDate><generator>Weebly</generator><item><title><![CDATA[Celsius email system breach leads to phishing attack on customers]]></title><link><![CDATA[http://www.myvdh.com/blog/celsius-email-system-breach-leads-to-phishing-attack-on-customers]]></link><comments><![CDATA[http://www.myvdh.com/blog/celsius-email-system-breach-leads-to-phishing-attack-on-customers#comments]]></comments><pubDate>Wed, 14 Apr 2021 16:00:00 GMT</pubDate><category><![CDATA[Security]]></category><guid isPermaLink="false">http://www.myvdh.com/blog/celsius-email-system-breach-leads-to-phishing-attack-on-customers</guid><description><![CDATA[Cryptocurrency rewards platform Celsius Network has disclosed a security breach exposing customer information that led to a phishing attack.Today, Celsius CEO Alex Mashinsky&nbsp;stated that Celsius' third-party marketing server was compromised, and threat actors gained access to a partial Celsius customer list."An unauthorized party managed to gain access to a back-up third-party email distribution system which had connections to a partial customer email list. Once inside the system, this unaut [...] ]]></description><content:encoded><![CDATA[<div class="paragraph">Cryptocurrency rewards platform Celsius Network has disclosed a security breach exposing customer information that led to a phishing attack.<br /><span></span>Today, Celsius CEO Alex Mashinsky&nbsp;stated that Celsius' third-party marketing server was compromised, and threat actors gained access to a partial Celsius customer list.<br /><br /><span style="color:rgb(7, 7, 7)">"An unauthorized party managed to gain access to a back-up third-party email distribution system which had connections to a partial customer email list. 
Once inside the system, this unauthorized party sent a fraudulent email announcement, of which we know some of the recipients to be Celsius customers."<br /><br /></span>"The intent was to make the recipients believe the fraudulent email came from Celsius, that the fraudulent site was a true Celsius site, and to take ownership of recipients&rsquo; cryptocurrency assets from their personal (non-Celsius) wallet by prompting the user to provide the seed phrase to their personal wallet address," disclosed a Celsius&nbsp;advisory.<br /><br />After gaining access to the customer list, the threat actors impersonated Celsius Network in phishing texts and emails that promoted a new Celsius Web Wallet. As an incentive to visit the site, the text stated that Celsius was offering $500 in the CEL cryptocurrency to anyone who created a wallet and entered a special promo code.<br /><br /><span style="font-weight:700">Celsius phishing text message</span><br /><br />Clicking on the link led recipients to the phishing site celsiuswallet[.]network (since taken down), which asked visitors to create a Celsius Web Wallet.<br /><br />When a visitor tried to create this fake wallet, the site asked them to link their other online wallets and enter those wallets' seed phrases.<br /><br />
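Because the messages went out through a real email distribution system, sender authentication was of little help to recipients; what a person or a mail filter can still check is where a link actually goes. The following is an added example, not code from the original article or from Celsius: it pulls the links out of a message, undoes common defanging, and flags any host that trades on the brand name without being one of the brand's own domains. The allowlist (celsius.network), the sample message and the function names are assumptions made for this example.

```python
# Added example (not from the original article or from Celsius): flag links
# whose host name trades on a brand without being one of its own domains,
# the pattern behind celsiuswallet[.]network.
import re
from urllib.parse import urlparse

# Assumption for this example: the brand's only legitimate domain. In
# practice, take the list from the brand's published security guidance.
LEGIT_DOMAINS = {"celsius.network"}
BRAND_KEYWORDS = ("celsius",)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def refang(text: str) -> str:
    """Undo common defanging (hxxp, [.]) so a shared IOC parses as a URL."""
    return (text.replace("[.]", ".").replace("(.)", ".")
                .replace("hxxps://", "https://").replace("hxxp://", "http://"))

def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .network/.com; a real
    deployment should use the Public Suffix List (co.uk and friends)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_url(url: str) -> str:
    """'legit' if the registrable domain is on the allowlist, 'lookalike'
    if the brand appears anywhere else in the host (celsiuswallet.network,
    celsius.network.evil.example), otherwise 'unrelated'."""
    host = urlparse(url).hostname or ""
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    if any(kw in host.lower() for kw in BRAND_KEYWORDS):
        return "lookalike"
    return "unrelated"

def flag_links(message: str) -> list:
    """Return (url, verdict) for every link found in the message."""
    urls = [u.rstrip(".,);") for u in URL_RE.findall(refang(message))]
    return [(u, classify_url(u)) for u in urls]

# Constructed sample in the style of the phishing text described above.
SAMPLE_MESSAGE = (
    "Celsius is giving $500 in CEL to everyone who opens a Web Wallet! "
    "Claim yours at hxxps://celsiuswallet[.]network/promo?code=CEL500 "
    "(terms: https://celsius.network/terms) or sign in via "
    "https://celsius.network.login-check.example/auth"
)

if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE_MESSAGE):
        print(f"{verdict:10} {url}")
```

The third sample link shows the subdomain trick: the brand's real domain appears as a prefix, but the registrable domain is someone else's, so the check has to look at the last labels of the host rather than at whether the brand name appears at all.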
Once the seed phrase is handed over, the threat actors can import the wallet on their own device and drain any cryptocurrency in it. A seed phrase is the master secret from which every key in a wallet is derived; no legitimate service needs it to "link" an external wallet, so any prompt for it is a theft attempt.<br /><br /><span style="font-weight:700">Celsius phishing site</span><br /><br />VirusTotal&nbsp;shows that the celsiuswallet[.]network phishing domain initially had a DNS SOA record pointing at Njalla. (An SOA record names the zone's primary nameserver and responsible contact rather than the registrar of record, but Njalla provides both services, so here it identifies the provider.)<br /><br /><span style="font-weight:700">Njalla SOA</span><br /><br />Njalla is a registrar located in Sweden that is a favorite of certain threat actors, such as the Fancy Bear and Cozy Bear Russian hacking groups.<br /><br />A recent scam site using Njalla, called 'Solar Leaks', was set up to allegedly sell data stolen during the SolarWinds attacks.</div>]]></content:encoded></item><item><title><![CDATA[100% A.I Data DISASTER RECOVERY when files get ransomware attacked]]></title><link><![CDATA[http://www.myvdh.com/blog/100-ai-data-disaster-recovery-when-files-get-ransomware-attacked]]></link><comments><![CDATA[http://www.myvdh.com/blog/100-ai-data-disaster-recovery-when-files-get-ransomware-attacked#comments]]></comments><pubDate>Tue, 13 Apr 2021 16:00:00 GMT</pubDate><category><![CDATA[Uncategorized]]></category><guid isPermaLink="false">http://www.myvdh.com/blog/100-ai-data-disaster-recovery-when-files-get-ransomware-attacked</guid><description><![CDATA[You cannot guarantee your management that the following disasters won&rsquo;t happen.&nbsp;Antivirus failed to protect&nbsp;Hard-disks failure&nbsp;On-premise file backups infected&nbsp;Online file backups infected&nbsp;Office fire destroys file data&nbsp;Traditional data recovery services cannot work&#8203;Traditional antivirus, online / backups can only do so much&hellip; there is still margin of failure.&nbsp;Companies and IT departments know that these are real problems waiting to happen.&nb [...] 
]]></description><content:encoded><![CDATA[<div class="paragraph"><br />You cannot guarantee your management that the following disasters won&rsquo;t happen.<ul><li>Antivirus fails to protect</li><li>Hard-disk failure</li><li>On-premise file backups infected</li><li>Online file backups infected</li><li>Office fire destroys file data</li><li>Traditional data recovery services cannot recover the files</li></ul><br />Traditional antivirus and on-premise or online backups can only do so much&hellip; there is still a margin of failure.<ul><li>Companies and IT departments know that these are real problems waiting to happen.</li><li>They cannot predict when these &ldquo;ticking IT time bombs&rdquo; will go off.</li></ul><br />With a.i. Data Disaster Recovery (ai-DDR) technology implemented, these major issues can be overcome.<ul><li>ai-DDR is a proprietary encrypted artificial intelligence system that operates in the datacentre background, analyzing real-time data streams.</li><li>When the client notifies our datacentre of a disaster, the ai-DDR then helps reconstruct the corrupted files.</li></ul> The a.i. 
Data Disaster Recovery (ai-DDR) system has been operating since 2010 with a 100% track record.</div>]]></content:encoded></item><item><title><![CDATA[Joker malware infects over 500,000 Huawei Android devices]]></title><link><![CDATA[http://www.myvdh.com/blog/joker-malware-infects-over-500000-huawei-android-devices]]></link><comments><![CDATA[http://www.myvdh.com/blog/joker-malware-infects-over-500000-huawei-android-devices#comments]]></comments><pubDate>Fri, 09 Apr 2021 16:00:00 GMT</pubDate><category><![CDATA[Security]]></category><guid isPermaLink="false">http://www.myvdh.com/blog/joker-malware-infects-over-500000-huawei-android-devices</guid><description><![CDATA[More than 500,000 Huawei users have downloaded from the company&rsquo;s official Android store applications infected with Joker malware that subscribes to premium mobile services.Researchers found ten seemingly harmless apps in AppGallery that contained code for connecting to malicious command and control server to receive configurations and additional components.Masked by functional appsA report from antivirus maker Doctor Web notes that the malicious apps retained their advertised functionalit [...] 
]]></description><content:encoded><![CDATA[<div class="paragraph">More than 500,000 Huawei users have downloaded, from the company&rsquo;s official Android store, applications infected with Joker malware that subscribes victims to premium mobile services.<br />Researchers found ten seemingly harmless apps in AppGallery that contained code for connecting to a malicious command-and-control server to receive configurations and additional components.<br /><br /><strong>Masked by functional apps</strong><br /><br />A report from antivirus maker Doctor Web notes that the malicious apps retained their advertised functionality but downloaded components that subscribed users to premium mobile services.<br /><br />To keep users in the dark, the infected apps requested access to notifications, which let them intercept the confirmation codes the subscription service delivered over SMS.<br />According to the researchers, the malware could subscribe a user to a maximum of five services, although the threat actor could change this limit at any time.<br />The list of malicious applications included virtual keyboards, a camera app, a launcher, an online messenger, a sticker collection, coloring programs, and a game.<br /><br />Most of them came from one developer (Shanxi Kuailaipai Network Technology Co., Ltd.) and two from a different one. These ten apps were downloaded by more than 538,000 Huawei users, Doctor Web says.<br /><br />Doctor Web informed Huawei of these apps and the company removed them from AppGallery. Removal from the store does not uninstall the apps: new users can no longer download them, but anyone who already has them on a device needs to remove them manually. 
The table below lists each application's name and package name:<br /></div>  <div id="472914536245679441"><div><style type="text/css">	#element-c88585a2-facb-4b4a-9af8-74830c7e62e9 .simple-table-wrapper {  padding: 20px 0;}#element-c88585a2-facb-4b4a-9af8-74830c7e62e9 .simple-table {  width: 100%;  border: 1px solid #C9CDCF;  border-spacing: 0;}#element-c88585a2-facb-4b4a-9af8-74830c7e62e9 .simple-table td.cell {  border-right: 1px solid #C9CDCF;  border-bottom: 1px solid #C9CDCF;  word-break: break-word;  background-color: #FFFFFF;  width: 50%;}#element-c88585a2-facb-4b4a-9af8-74830c7e62e9 .simple-table td.cell .paragraph {  width: 90%;  margin: 0 5%;  padding-bottom: 10px;  padding-top: 10px;  text-align: center;}#element-c88585a2-facb-4b4a-9af8-74830c7e62e9 .simple-table.style-top tr:first-child td,#element-c88585a2-facb-4b4a-9af8-74830c7e62e9 .simple-table.style-side td:first-of-type {  background-color: #F8F8F8;}#element-c88585a2-facb-4b4a-9af8-74830c7e62e9 .simple-table.style-top tr:first-child td .paragraph,#element-c88585a2-facb-4b4a-9af8-74830c7e62e9 .simple-table.style-side td:first-of-type .paragraph {  font-weight: 700;}#element-c88585a2-facb-4b4a-9af8-74830c7e62e9 .simple-table tr:last-child td {  border-bottom: none;}#element-c88585a2-facb-4b4a-9af8-74830c7e62e9 .simple-table td:last-of-type {  border-right: none;}#element-c88585a2-facb-4b4a-9af8-74830c7e62e9 .simple-table .empty-content-area-element {  padding-left: 0px !important;}</style><div id="element-c88585a2-facb-4b4a-9af8-74830c7e62e9" data-platform-element-id="702688850553606843-1.4.3" class="platform-element-contents">	<div class="simple-table-wrapper">  <table class="simple-table style-top">      <tr>          <td class="cell"><div class="paragraph">Application Name</div></td>          <td class="cell"><div class="paragraph">Package name</div></td>      </tr>      <tr>          <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">Super Keyboard</span></div></td> 
         <td class="cell"><div class="paragraph">&#8203;<span style="color:rgb(7, 7, 7)">com.nova.superkeyboard</span></div></td>      </tr>      <tr>          <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">Happy Colour</span></div></td>          <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">com.colour.syuhgbvcff</span></div></td>      </tr>      <tr>          <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">Fun Color</span></div></td>          <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">com.funcolor.toucheffects</span></div></td>      </tr>      <tr>          <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">New 2021 Keyboard</span></div></td>          <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">com.newyear.onekeyboard</span></div></td>      </tr>      <tr>          <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">Camera MX - Photo Video Camera</span></div></td>          <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">com.sdkfj.uhbnji.dsfeff</span></div></td>      </tr>      <tr>          <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">BeautyPlus Camera</span></div></td>          <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">com.beautyplus.excetwa.camera</span></div></td>      </tr>      <tr>          <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">Color RollingIcon</span></div></td>          <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">com.hwcolor.jinbao.rollingicon</span></div></td>      </tr>      <tr>          <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">Funney Meme Emoji</span></div></td>          <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">com.meme.rouijhhkl</span></div></td>      </tr>      <tr> 
         <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">Happy Tapping</span></div></td>          <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">com.tap.tap.duedd</span></div></td>      </tr>      <tr>          <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">All-in-One Messenger</span></div></td>          <td class="cell"><div class="paragraph"><span style="color:rgb(7, 7, 7)">com.messenger.sjdoifo</span></div></td>      </tr>  </table></div></div><div style="clear:both;"></div></div></div>  <div class="paragraph">The researchers say that the same modules downloaded by the infected apps in AppGallery were also present in other apps on Google Play, used by other versions of Joker malware. The full list of indicators of compromise is available&nbsp;<a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Android.Joker/README.adoc">here</a>.<br /><br />Once active, the malware contacts its remote server to fetch a configuration file that contains a list of tasks, the premium-service websites to sign up for, and JavaScript that mimics user interaction on those sites.<br /><br />Joker&rsquo;s history goes back as far as 2017, and it has repeatedly found its way into apps distributed through the Google Play store. In October 2019,&nbsp;<a href="https://twitter.com/sh1shk0va">Tatyana Shishkova</a>, Android malware analyst at Kaspersky, tweeted about more than 70 compromised apps that had made it into the official store.<br /><br />And the reports about the malware in Google Play kept coming.<br /><br />
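Removal from AppGallery does nothing for devices that already have the apps installed, so the check a responder actually runs is against the device. The following is an added example, not from the original article or from Doctor Web: it takes the output of `adb shell pm list packages` (with or without the `-f` flag that adds APK paths), intersects it with the ten package names from the table above, and prints the removal commands. The sample `pm` output and the function names are constructed for this example.

```python
# Added example (not from the original article or Doctor Web): compare the
# packages installed on a device with the Joker package names listed above.
# Run `adb shell pm list packages -f > pkgs.txt` against the device, then
# feed the file's contents to find_installed_iocs().

# The ten package names from the table above.
JOKER_PACKAGES = frozenset({
    "com.nova.superkeyboard", "com.colour.syuhgbvcff",
    "com.funcolor.toucheffects", "com.newyear.onekeyboard",
    "com.sdkfj.uhbnji.dsfeff", "com.beautyplus.excetwa.camera",
    "com.hwcolor.jinbao.rollingicon", "com.meme.rouijhhkl",
    "com.tap.tap.duedd", "com.messenger.sjdoifo",
})

def parse_pm_list(pm_output: str) -> dict:
    """Map package name -> APK path (None when the path was not printed).

    `pm list packages` prints `package:<name>`; with `-f` it prints
    `package:<apk path>=<name>`. Both forms are handled here.
    """
    installed = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue                      # warnings or blank lines
        rest = line[len("package:"):]
        if "=" in rest:
            path, name = rest.rsplit("=", 1)
        else:
            path, name = None, rest
        installed[name] = path
    return installed

def find_installed_iocs(pm_output: str, iocs=JOKER_PACKAGES) -> list:
    """Sorted list of IOC package names present on the device."""
    return sorted(set(parse_pm_list(pm_output)) & set(iocs))

def removal_commands(packages) -> list:
    """`pm uninstall --user 0` removes the app for the primary user and
    needs no root; it is what an operator runs over adb."""
    return [f"adb shell pm uninstall --user 0 {p}" for p in packages]

# Constructed sample output of `pm list packages -f`.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.nova.superkeyboard-1/base.apk=com.nova.superkeyboard
package:/data/app/com.huawei.appmarket-2/base.apk=com.huawei.appmarket
package:/data/app/com.tap.tap.duedd-1/base.apk=com.tap.tap.duedd
"""

if __name__ == "__main__":
    hits = find_installed_iocs(SAMPLE_PM_OUTPUT)
    print("Joker packages present:", hits or "none")
    for cmd in removal_commands(hits):
        print(cmd)
```

Package names are cheap for an operator to change, so a match here is a confirmed hit but a miss is not a clean bill of health; the Doctor Web IOC list linked above also carries file hashes, which survive a rename.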
In early 2020,&nbsp;<a href="https://www.bleepingcomputer.com/news/security/google-removed-over-17k-joker-malware-infected-apps-from-play-store/">Google announced</a>&nbsp;that since 2017, it had removed about 1,700 apps infected with Joker.<br /><br />Last February, Joker was still&nbsp;<a href="https://www.bleepingcomputer.com/news/security/android-malware-joker-still-fools-googles-defense-new-clicker-found/">present in the store</a>&nbsp;and it&nbsp;<a href="https://www.bleepingcomputer.com/news/security/joker-android-malware-keeps-evading-google-play-store-defenses/">continued to slip</a>&nbsp;past Google&rsquo;s defenses even in July last year.</div>]]></content:encoded></item><item><title><![CDATA[Fortinet FortiOS VPN Likely Exploited by Hackers, Feds Say]]></title><link><![CDATA[http://www.myvdh.com/blog/fortinet-fortios-vpn-likely-exploited-by-hackers-feds-say]]></link><comments><![CDATA[http://www.myvdh.com/blog/fortinet-fortios-vpn-likely-exploited-by-hackers-feds-say#comments]]></comments><pubDate>Sun, 04 Apr 2021 16:00:00 GMT</pubDate><category><![CDATA[Security]]></category><guid isPermaLink="false">http://www.myvdh.com/blog/fortinet-fortios-vpn-likely-exploited-by-hackers-feds-say</guid><description><![CDATA[Threat actors have been targeting VPNs even more this last year.Two federal agencies say advanced persistent threat (APT) groups are likely exploiting vulnerabilities in the&nbsp;Fortinet&nbsp;FortiOS VPN.The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued the&nbsp;advisory. They said APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection atta [...] 
]]></description><content:encoded><![CDATA[<div class="paragraph"><span><strong>Threat actors have been targeting VPNs even more this last year.</strong></span><br /><br />Two federal agencies say advanced persistent threat (APT) groups are likely exploiting vulnerabilities in the&nbsp;<a href="https://www.fortinet.com/partners/partner-program/become-a-fortinet-partner" target="_blank">Fortinet</a>&nbsp;FortiOS VPN.<br /><br />The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued the joint&nbsp;advisory. They said APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks,&nbsp;spear phishing&nbsp;campaigns, website defacements and disinformation campaigns.<br /><br />The APT actors are exploiting multiple FortiOS vulnerabilities, tracked as CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812 (the three Fortinet addresses in its statement below), to gain access to multiple government, commercial and technology services networks.<br /><br />These malicious hackers may use other CVEs to gain access to critical infrastructure networks to prepare for follow-on attacks.<br /><br /><strong>Customers Urged to Upgrade&nbsp;</strong><br /><br />Fortinet&nbsp;sent us the following statement:<br /><br />&ldquo;The security of our customers is our first priority. CVE-2018-13379 is an old vulnerability resolved in May 2019. Fortinet immediately issued a product security incident response team (PSIRT) advisory and communicated directly with customers and via corporate blog posts on multiple occasions in August 2019 and July 2020 strongly recommending an upgrade. Upon resolution we have consistently communicated with customers, as recently as late 2020. CVE-2019-5591 was resolved in July 2019 and CVE-2020-12812 was resolved in July 2020. 
If customers have not done so, we urge them to immediately implement the upgrade and mitigations.&rdquo;<br /><br />Upgrading closes the hole but does not recover credentials already taken through it; an appliance that was exposed while vulnerable also calls for a password reset and a review of its VPN logins.<br /><br />Zach Hanley is senior red team engineer at&nbsp;<a href="https://www.horizon3.ai/" target="_blank">Horizon3.AI</a>.<br /><br />&ldquo;Attackers are increasingly targeting critical external applications,&rdquo; he said. &ldquo;VPNs have been targeted even more this last year. These three vulnerabilities targeting the Fortinet VPN allow an attacker to obtain valid credentials, bypass multifactor authentication (MFA), and man-in-the-middle (MITM) authentication traffic to intercept credentials. The common theme here is once they are successful, they will look just like your normal users.&rdquo;<br /><br /><strong>Taking Advantage of Sensitive Vulnerabilities</strong><br /><br />Yaniv Bar-Dayan is&nbsp;Vulcan Cyber&rsquo;s CEO and co-founder.<br /><br />&ldquo;Last year saw a multitude of damaging consequences from ransomware, breaches and targeted attacks against sensitive data,&rdquo; he said. 
&ldquo;From breaches of COVID-19 research data, to attacks on critical infrastructure and government agencies, cybercriminals have taken advantage of the most sensitive vulnerabilities at the expense of the organizations that have the most to lose.&rdquo;<br /><br />The past year should have been a wake-up call to security teams that have been resistant to change, Bar-Dayan said.<br /><br />&ldquo;As&nbsp;remote working&nbsp;continues to be the norm, even after this pandemic subsides, an agile security team and agile infrastructure will be critical,&rdquo; he said.<br /><br />Security teams must carefully orchestrate and manage remediation activities, Bar-Dayan said.<br /><br />Furthermore, organizations must continue looking for new ways to be ready for the ever-evolving threat landscape.<br /><br />Dirk Schrader is global vice president of security research at New Net Technologies (<a href="https://www.newnettechnologies.com/" target="_blank">NNT</a>).<br /><br />&ldquo;Exploiting vulnerabilities in key infrastructure devices like firewalls is a critical path for attackers as it allows [them] to establish [a] foothold behind them,&rdquo; he said. 
&ldquo;For any organization, monitoring these devices, patching them [and] controlling any configuration changes on them is a priority job for the security teams.&rdquo;</div>]]></content:encoded></item><item><title><![CDATA[The Often-Overlooked Element of a Hack: Endpoints]]></title><link><![CDATA[http://www.myvdh.com/blog/the-often-overlooked-element-of-a-hack-endpoints]]></link><comments><![CDATA[http://www.myvdh.com/blog/the-often-overlooked-element-of-a-hack-endpoints#comments]]></comments><pubDate>Tue, 30 Mar 2021 16:00:00 GMT</pubDate><category><![CDATA[Security]]></category><guid isPermaLink="false">http://www.myvdh.com/blog/the-often-overlooked-element-of-a-hack-endpoints</guid><description><![CDATA[It is Vital to Maintain Granular Visibility and Control Over Access Points to Establish Resilience&nbsp;The number of data breaches has skyrocketed during the ongoing health crisis, as hackers have taken full advantage of these uncertain times. According to the&nbsp;FBI&rsquo;s 2020 Internet Crime Report, complaints soared by 69.4% in the last year. Unfortunately, media coverage of mega breaches (e.g.,&nbsp;SolarWinds,&nbsp;Capital One) often puts a spotlight on the tail end of the cyber-attack  [...] ]]></description><content:encoded><![CDATA[<div class="paragraph"><span><span><strong>It is Vital to Maintain Granular Visibility and Control Over Access Points to Establish Resilience</strong></span></span><br /><br /><span><span>The number of data breaches has skyrocketed during the ongoing health crisis, as hackers have taken full advantage of these uncertain times. According to the&nbsp;FBI&rsquo;s 2020 Internet Crime Report, complaints soared by 69.4% in the last year. Unfortunately, media coverage of mega breaches (e.g.,&nbsp;SolarWinds,&nbsp;Capital One) often puts a spotlight on the tail end of the cyber-attack life cycle, focusing on the exfiltration points rather than how the threat actor got there. 
Implementing an effective enterprise security strategy requires an understanding of hackers&rsquo; tactics, techniques, and procedures (TTPs). In this context, it is vital for security practitioners to review the entire cyber-attack lifecycle to gain a full grasp of the areas that need to be addressed as part of a defense-in-depth approach.</span></span><br /><br /><span><span>Post-mortem analysis has repeatedly found that the most common source of a hack is compromised credentials, subsequently used to establish a beachhead on an end-user endpoint (e.g., desktop, laptop, or mobile device). This tactic, however, is often &ldquo;overlooked&rdquo; in anatomy-of-a-hack discussions. That is surprising, considering that endpoints serve as the main points of access to an enterprise network and can be exploited by malicious actors. In fact, a recent Ponemon Institute survey revealed that 68 percent of organizations suffered a successful endpoint attack within the last 12 months.</span></span><br /><br /><strong><span><span>Today&rsquo;s Cyber-Attack Lifecycle</span></span></strong><br /><br /><span><span>Most of today&rsquo;s cyber-attacks are front-ended by credential harvesting campaigns that use social engineering techniques, password sniffers, phishing campaigns, digital scanners, malware attacks, or any combination of these. Cyber criminals also take advantage of millions of stolen credentials being sold on the Dark Web.&nbsp;</span></span><br /><br /><span><span>Once in possession of stolen, weak, or&nbsp;<strong>compromised credentials</strong>,&nbsp;attackers leverage brute force (many passwords against one account), credential stuffing (leaked username/password pairs replayed against other services), or password spraying (one or two common passwords tried across many accounts, slowly enough to stay under lockout thresholds) to gain access to their target environment. Increasingly, cyber adversaries take advantage of the fact that organizations and their workforce rely on mobile devices, home computers, and laptops to connect to company networks to conduct business.<br /><br />
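Of the three credential attacks just described, password spraying is the one that ordinary per-account lockout misses, because each account sees only one or two failures. The detection signal runs the other way: one source producing failures across many distinct accounts within a short window, and a success from that same source afterwards marks the account the attacker now uses like a normal user. The following is an added example, not from the original article or from Forrester; the syslog-like line format, the sample lines, the thresholds and the function names are all assumptions constructed for it.

```python
# Added example (not from the original article): detect password spraying in
# authentication logs. Brute force is many failures on one account; spraying
# is one source failing across many accounts, which per-account lockout
# never sees. The line format below is an assumption made for the example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+ (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_auth_log(text: str) -> list:
    """(timestamp, source, user, success) tuples, time-ordered.
    Lines that do not match are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["outcome"] == "Accepted"))
    return sorted(events)

def detect_spray(text: str, window=timedelta(minutes=5), min_users=5) -> dict:
    """Sources that failed against >= min_users distinct accounts inside
    `window`, with any accounts they later logged into successfully."""
    by_src = defaultdict(list)
    for ev in parse_auth_log(text):
        by_src[ev[1]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        fails = [(t, u) for t, _, u, ok in evs if not ok]
        for i, (t0, _) in enumerate(fails):
            # Distinct accounts this source failed on within `window` of t0.
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                # A success from the same source after the spray started is
                # the account the attacker now "looks like a normal user" on.
                landed = sorted({u for t, _, u, ok in evs if ok and t >= t0})
                alerts[src] = {"users": sorted(users), "landed": landed}
                break
    return alerts

# Constructed sample: 203.0.113.7 sprays five accounts and lands on frank;
# 198.51.100.2 hammers one account (brute force, not spraying).
SAMPLE_LOG = """\
2021-03-30T09:00:01Z host1 sshd: Failed password for alice from 203.0.113.7
2021-03-30T09:00:03Z host1 sshd: Failed password for bob from 203.0.113.7
2021-03-30T09:00:05Z host1 sshd: Failed password for carol from 203.0.113.7
2021-03-30T09:00:07Z host1 sshd: Failed password for dave from 203.0.113.7
2021-03-30T09:00:09Z host1 sshd: Failed password for erin from 203.0.113.7
2021-03-30T09:00:11Z host1 sshd: Accepted password for frank from 203.0.113.7
2021-03-30T09:01:00Z host1 sshd: Failed password for alice from 198.51.100.2
2021-03-30T09:01:05Z host1 sshd: Failed password for alice from 198.51.100.2
2021-03-30T09:01:09Z host1 sshd: Failed password for alice from 198.51.100.2
2021-03-30T09:01:15Z host1 sshd: Failed password for alice from 198.51.100.2
"""

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: sprayed {len(info['users'])} accounts, "
              f"landed on {info['landed'] or 'nothing yet'}")
```

Keying on the source address is the simplest form; a patient attacker spreads the spray across many addresses and a longer window, so the same logic is worth running keyed on the user-agent or on the whole tenant with a higher threshold.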
These endpoint devices thus become the natural point of entry for many attacks.&nbsp;</span></span><br /><br /><span><span>Once they have compromised an end-user device, hackers detect and disable endpoint security measures (e.g., data loss prevention; disk and endpoint encryption; endpoint detection and response; anti-virus or anti-malware) to avoid detection, which is why tamper protection on those agents, and an alert when an agent stops reporting, matter. Next, they move laterally to perform reconnaissance: identifying IT schedules, additional security controls, and network traffic flows, and scanning the entire IT environment to gain an accurate picture of its resources, privileged accounts, and services. Domain controllers, Active Directory, and servers are prime reconnaissance targets in the hunt for additional privileged credentials and privileged access.&nbsp;</span></span><br /><br /><span><span>Once an attacker has identified where valuable data resides, they typically look for ways to elevate access privileges to exfiltrate the data, and conceal their activity to avoid detection.&nbsp;</span></span><br /><br /><strong><span><span>Boosting Endpoint Visibility and Control</span></span></strong><br /><br /><span><span>When establishing visibility and security controls across endpoints, security professionals need to understand that each endpoint bears some or all of the responsibility for its own security. This differs from the traditional network security approach, in which established security measures apply to the entire network rather than to individual devices and servers. Thus, making each&nbsp;<a href="https://www.securityweek.com/different-flavors-cyber-resilience">endpoint resilient</a>&nbsp;is paramount to implementing a successful defense strategy.</span></span><br /><br /><span><span>At a minimum, organizations therefore should deploy simple forms of endpoint security like anti-virus or anti-malware software across their entire fleet of devices. 
Many organizations are going beyond these simple measures and nowadays leverage modern endpoint security technology that encompasses encryption, intrusion detection, and behavior-blocking elements to identify and block threats and risky behavior, either by end users or intruders.</span></span><br /><br /><span><span>To counteract human error, malicious actions, and decayed, insecure software, Forrester Research recommends taking a pro-active approach to endpoint security and establishing endpoint resilience by:</span></span><ul><li><span><span>Maintaining a trusted connection with endpoints to detect unsafe behaviors or conditions that could put sensitive data at risk. This includes maintaining granular visibility and control over endpoint hardware, operating systems, applications, and data gathered on the device; and self-healing capabilities for the device, mission-critical security controls, and productivity applications.</span></span></li><li><span><span>Ensuring that endpoint misconfigurations are automatically repaired when possible, as organizations cannot assume that the health of their IT controls or security tools installed on their employees&rsquo; endpoints will remain stable over time.</span></span></li><li><span><span>Focusing on the return on investment of the security tools being used. Organizations often use a variety of endpoint security and management tools. Yet, each new tool introduced can serve as both a potential risk and an operational burden. Maintaining continuous endpoint visibility ensures that controls are always working as intended. By doing so, IT security professionals will ensure the ROI of their security investments &mdash; both from risk reduction and operational perspectives.&nbsp;</span></span></li><li><span><span>Understanding not just the tail end of the cyber-attack kill chain, but also focusing on initial attack vectors like endpoints provides a roadmap for aligning preventive measures with today&rsquo;s threats. 
It is vital to maintain granular visibility and control over access points to prevent and remediate vulnerabilities that can and often will surface on them.&nbsp;</span></span></li></ul></div>]]></content:encoded></item></channel></rss>