Cybersecurity Weekly: Trojans, Hacks, and Emerging Threats


We have compiled the key cybersecurity news from the past week.

In a recent update, Google Play services introduced a feature for Android devices that automatically restarts them. This enhancement complicates data extraction with contemporary forensic tools.

When a phone is powered on, it is in the Before First Unlock (BFU) state, in which most user data is still encrypted. Once the owner unlocks it for the first time, it moves to the After First Unlock (AFU) state, in which that data becomes accessible for extraction.

With the new feature, the device restarts automatically after 72 hours of inactivity, which returns it to the BFU state.

Researchers from Dr.Web reported finding pre-installed trojanized applications on budget Android smartphones marketed as versions of premium Samsung and Huawei models. The modified apps include popular messengers such as WhatsApp and Telegram, QR code scanners, and others.

The Shibai malware hooks into the app update process, scans messages for Ethereum or Tron wallet addresses, and replaces them with attacker-controlled ones. It also scans stored images for seed phrases.

Attackers operate around 30 domains to distribute their malicious software and use more than 60 command servers.

Over the last two years, the wallets involved in this scheme have accumulated over $1.6 million.

Coinspect researchers uncovered critical vulnerabilities in the Stellar Freighter, Frontier Wallet, and Coin98 browser wallets that could allow stealthy asset theft.

When connecting to decentralized applications (dapps), these wallets inject code into every tab the user opens, establishing a communication channel. This allows the application to recognize the wallet and request access to essential features such as balance viewing or initiating transaction approval requests.

Messages are passed to a Background Script that holds the private key; the final confirmation happens in the wallet's own interface. Unlike long-lived connections, which give each part of the extension its own channel, this messaging method provides no such separation.

An attacker could exploit this confusion by sending a message addressed to a privileged API through the same Background Script listener. Because such malicious requests can mimic legitimate ones from the wallet's own interface, they could trigger the seed-phrase export intended for backups and leak the phrase.

Experts have communicated details about these vulnerabilities to the developers of each wallet. As of now, all have implemented the necessary fixes.
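To make the fix concrete, here is an added example of the kind of sender-based authorization a Background Script listener needs so that privileged operations are reachable only from the extension's own UI pages, while requests relayed by a content script on behalf of a dapp are confined to a small allow-list. This is not code from Stellar Freighter, Frontier Wallet or Coin98; the extension id, the method names, and the Chromium `chrome-extension://` scheme are assumptions, and the sender objects at the bottom are constructed so the block runs without a browser.

```javascript
// Added example (not code from any of the wallets named above): a
// background-script message authorizer. Trust only the `sender` fields the
// browser fills in, never an origin claimed inside the message body.
// EXTENSION_ID and the method names are hypothetical placeholders.
const EXTENSION_ID = "aaaabbbbccccddddeeeeffffgggghhhh"; // placeholder id

// Methods a dapp page may request through the content-script channel.
const DAPP_METHODS = new Set(["getPublicKey", "requestTransactionApproval"]);
// Methods reserved for the wallet's own popup/options pages.
const PRIVILEGED_METHODS = new Set(["exportSeedPhrase", "signTransaction"]);

// Work out where a runtime message came from using only browser-set fields.
function classifySender(sender) {
  if (!sender || sender.id !== EXTENSION_ID || typeof sender.url !== "string") {
    return { kind: "foreign" };
  }
  let url;
  try { url = new URL(sender.url); } catch { return { kind: "foreign" }; }
  // Pages bundled with the extension load from chrome-extension://<id>/...
  // (Chromium scheme assumed; Firefox uses moz-extension:).
  if (url.protocol === "chrome-extension:" && url.hostname === EXTENSION_ID) {
    return { kind: "extension-ui" };
  }
  // A content script injected into a web page reports that page's URL and
  // carries a `tab` reference; the dapp origin is derived here, not read
  // from the message.
  if (sender.tab && (url.protocol === "https:" || url.protocol === "http:")) {
    return { kind: "content-script", dappOrigin: url.origin };
  }
  return { kind: "foreign" };
}

// Decide whether `message` may reach the method it names. Returns an object
// so the caller can log the reason for every denial.
function authorize(message, sender) {
  if (!message || typeof message.method !== "string") {
    return { allowed: false, reason: "malformed message" };
  }
  const src = classifySender(sender);
  const method = message.method;
  if (src.kind === "extension-ui") {
    if (PRIVILEGED_METHODS.has(method) || DAPP_METHODS.has(method)) {
      return { allowed: true, reason: "extension ui", source: src.kind };
    }
    return { allowed: false, reason: "unknown method" };
  }
  if (src.kind === "content-script") {
    if (PRIVILEGED_METHODS.has(method)) {
      // The confusion described above: a request shaped exactly like the
      // UI's own must still be refused when it arrives from a web context.
      return { allowed: false, reason: "privileged method from web page" };
    }
    if (DAPP_METHODS.has(method)) {
      return { allowed: true, reason: "dapp request", source: src.kind, dappOrigin: src.dappOrigin };
    }
    return { allowed: false, reason: "unknown method" };
  }
  return { allowed: false, reason: "unrecognised sender" };
}

// Constructed senders for a stand-alone run (no browser APIs needed).
const UI_SENDER = { id: EXTENSION_ID, url: `chrome-extension://${EXTENSION_ID}/popup.html` };
const PAGE_SENDER = { id: EXTENSION_ID, url: "https://dapp.example/swap", tab: { id: 7 } };

// Three representative decisions: UI export, dapp key lookup, and a page
// request that claims the popup's origin in its body but is still denied.
function demo() {
  return [
    authorize({ method: "exportSeedPhrase" }, UI_SENDER),
    authorize({ method: "getPublicKey" }, PAGE_SENDER),
    authorize({ method: "exportSeedPhrase", origin: UI_SENDER.url }, PAGE_SENDER),
  ];
}
```

In a real extension the same `authorize` call would sit at the top of the `chrome.runtime.onMessage` handler and run before any dispatch; the third case in `demo()` is the one that matters, since the message body is attacker-controlled and the only trustworthy signal is the `sender` the browser attaches.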

On April 14, the online forum 4chan experienced a significant attack and temporarily suspended its operations. Responsibility for the incident was claimed by members of the imageboard Soyjak.party.

Screenshots of administrator and staff panels, as well as a list of emails allegedly belonging to the platform’s leaders and moderators, were leaked online.

According to Bleeping Computer, compromise of the maintenance tools would give the attackers access to any user's location and IP address and let them restart any 4chan board and manage databases.

Later that same day, the forum’s source code surfaced on Kiwi Farms.

The suspected hackers did not disclose the attack vector. The community speculates that an outdated version of PHP from 2016 used by the platform could be the cause.

To minimize damage, administrators likely disabled the servers. As of this writing, the site is unavailable.

Swiss cybersecurity firm Prodaft announced a campaign to purchase accounts from dark web forums, specifically targeting accounts on XSS, Exploit, RAMP4U, Verified, and BreachForums that were registered before December 2022.

Account holders are assured payment in cryptocurrency, with higher amounts offered for moderator or administrator accounts. However, the accounts must not be on any law enforcement’s wanted list. Additionally, through this initiative, users can anonymously report cybercrimes committed by others.

The transactions take place anonymously through secure communication channels. The data obtained will later be forwarded to law enforcement agencies for use in human intelligence operations and infiltration of closed cybercriminal groups.

In the latter half of 2024, the American platform Reddit received 122 requests from government entities and law enforcement agencies from various countries for content removal. Notably, Russia submitted 15 unique requests, of which the social network complied with only four (26%).

According to the report, less than a third of the requested content (27%) violated the platform’s guidelines. No cases involved the use of geoblocking.

The highest number of requests (24) came from authorities in the UAE. Additionally, a total of 27 legal requests were found to be fraudulent, which Reddit alerted law enforcement about.

We are analyzing manipulative practices in the DeFi sector and the methods for countering them.