لرن سرا

دسته: هسته اصلی سیستم‌عامل

  • Digital Personal Data Protection act Guide for Healthcare Leaders

    Digital Personal Data Protection act Guide for Healthcare Leaders


    The digital transformation of India’s healthcare sector has revolutionized patient care, diagnostics, and operational efficiency. However, this growing reliance on digital platforms has also led to an exponential increase in the collection and processing of sensitive personal data. The Digital Personal Data Protection (DPDP) Act 2023 is a critical regulatory milestone, shaping how healthcare organizations manage patient data.

    This blog explores the significance of the DPDP Act for hospitals, clinics, pharmaceutical companies, and other healthcare entities operating in India.

    Building an Ethical and Trustworthy Healthcare Environment

    Trust is the cornerstone of patient-provider relationships. The DPDP Act 2023 reinforces this trust by granting Data Principals (patients) fundamental rights over their digital health data, including access, correction, and erasure requests.

    By complying with these regulations, healthcare organizations can demonstrate a commitment to patient privacy, strengthening relationships, and enhancing healthcare outcomes.

    Strengthening Data Security in a High-Risk Sector

    The healthcare industry is a prime target for cyberattacks due to the sensitivity and value of patient data, including medical history, treatment details, and financial records. The DPDP Act mandates that healthcare providers (Data Fiduciaries) implement comprehensive security measures to protect patient information from unauthorized access, disclosure, and breaches. This includes adopting technical and organizational safeguards to ensure data confidentiality, integrity, and availability.

    Ensuring Regulatory Compliance and Avoiding Penalties

    With strict compliance requirements, the Digital Personal Data Protection Act provides a robust legal framework for data protection in healthcare. Failure to comply can result in financial penalties of up to ₹250 crore for serious violations. By aligning data processing practices with regulatory requirements, healthcare entities can avoid legal risks, safeguard their reputation, and uphold ethical standards.

    Promoting Patient Empowerment and Data Control

    The DPDP Act empowers patients with greater control over their health data. Healthcare providers must establish transparent mechanisms for data collection and obtain explicit, informed, and unambiguous patient consent. Patients also have the right to know how their data is used, who has access, and for what purposes, reinforcing trust and accountability within the healthcare ecosystem.

    Facilitating Innovation and Research with Safeguards

    While prioritizing data privacy, the Digital Personal Data Protection Act also enables responsible data utilization for medical research, public health initiatives, and technological advancements. The Act provides pathways for the ethical use of anonymized or pseudonymized data, ensuring continued innovation while protecting patient rights. Healthcare organizations can leverage data analytics to improve treatment protocols and patient outcomes, provided they adhere to principles of data minimization and purpose limitation.

    Key Obligations for Healthcare Providers under the DPDP Act

    Healthcare organizations must comply with several critical obligations under the DPDP Act 2023:

    • Obtaining Valid Consent: Secure explicit patient consent for collecting and processing personal data for specified purposes.
    • Implementing Security Safeguards: To prevent breaches, deploy advanced security measures, such as encryption, access controls, and regular security audits.
    • Data Breach Notification: Promptly report data breaches to the Data Protection Board of India and affected patients.
    • Data Retention Limitations: Retain patient data only as long as necessary and ensure secure disposal once the purpose is fulfilled.
    • Addressing Patient Rights: Establish mechanisms for patients to access, correct, and erase their personal data while addressing privacy-related concerns.
    • Potential Appointment of a Data Protection Officer (DPO): Organizations processing large volumes of sensitive data may be required to appoint a DPO to oversee compliance efforts.

    Navigating the Path to DPDP Compliance in Healthcare

    A strategic approach is essential for healthcare providers to implement the DPDP Act effectively. This includes:

    • Conducting a comprehensive data mapping exercise to understand how patient data is collected, stored, and shared.
    • Updating privacy policies and internal procedures to align with the Act’s compliance requirements.
    • Training employees on data protection best practices to ensure organization-wide compliance.
    • Investing in advanced data security technologies and establishing robust consent management and incident response mechanisms.

    A Commitment to Data Privacy in Healthcare

    The Digital Personal Data Protection Act 2023 is a transformative regulation for the healthcare industry in India. By embracing its principles, healthcare organizations can ensure compliance, strengthen patient trust, and build a secure, ethical, and innovation-driven ecosystem.

    Seqrite offers cutting-edge security solutions to help healthcare providers protect patient data and seamlessly comply with the DPDP Act.

     



    Source link

  • How To Convert A List To A String In Python (With Examples)



    How To Convert A List To A String In Python (With Examples)



    Source link

  • 6 Automotive Technologies That Have Hit the Scene Recently


    Automotive technology has come a long way since the first concept car was built in the 1700s. New innovations have been exploding onto the scene at a rapid pace since then. Cars are becoming more capable of assisting drivers in all aspects of their driving experiences as well. These are some of the technologies that have hit the scene recently.

    1. Adaptive Cruise Control

    Adaptive cruise control came about over the past few years and is an excellent upgrade to standard cruise control. Adaptive cruise control has a feature that enables the vehicle to slow down swiftly and speed up according to a pre-determined following distance. This technology has done wonders to protect drivers from getting into accidents. Millions of people sustain injuries on the highway yearly, and every little attempt to make the roadways safer is a huge plus.

    2. Lane Departure Warning

    Lane departure warning is a god-send for exhausted drivers worldwide. It also helps people who have to take long trips. The feature alerts the driver with a loud sound, light, or vibration when the vehicle swerves in the lane. The driver then regains alertness and corrects the issue.

    3. Lane-Keeping Assistance

    Lane-keeping assistance usually works with the lane departure warning system. It goes the extra mile and helps the driver get back into the lane from which he or she strayed. You might be interested in this feature if you have long rides to work or travel a lot by yourself. It can help you avoid having to deal with a lawsuit, too. The statute of limitations for driving incidents in Texas in two years. Thus, you might have to worry for two whole years if you get into an accident in the state. Having these features can help you avoid all such incidents.

    4. Automatic Emergency Braking

    Automatic Emergency Braking is exactly what it sounds like. The vehicle has a set of sensors that can pick up objects and people in the way. If the system senses a near accident, the braking system will stop the vehicle. It’s like mechanical assistance for emergencies and can be a real lifesaver if anything happens. It can be useful if someone ever lacks the reaction time to stop the vehicle quickly enough.

    5. Cameras

    More vehicles are being crafted with cameras that give a view of the entire road as well as the vehicle’s surroundings. These cameras cut down on accidents and leave lots of evidence for theft and vandalism incidents. Even the police are starting to use cruiser vehicles with cameras. In 2000, only 11% of police used cars with cameras. That figure has since blown up to a whopping 72%. If the police force uses them, that should be a cue for you to consider purchasing a car with the feature.

    6. Autonomy

    Some cars are now capable of driving on their own. The feature still requires drivers to stay alert and keep their hands near the wheels. However, the most intricate of the newer vehicles have an autonomy feature that can help when a driver wants to relax. This option is available mostly in all-electric high-end vehicles.

    You can add it to your package for additional pay, which might add up to several thousand dollars. However, you’ll be one of the first people to try out this exciting new feature. Consider inquiring about it the next time you want to purchase a vehicle.

    This list is not at all exhaustive. Many more features exist in cars today. It’s up to you to find the best fit for you and your family. Ask your sales rep to explain your vehicle’s features and benefits.



    Source link

  • JavaScript Location.reload() Explained (With Examples)

    JavaScript Location.reload() Explained (With Examples)


    In modern web development, there are times when a page needs to refresh itself without the user pressing a button. Whether you are responding to updated content, clearing form inputs, or forcing a session reset, JavaScript provides a simple method for this task: location.reload().

    This built-in method belongs to the window.location object and allows developers to programmatically reload the current web page. It is a concise and effective way to refresh a page under controlled conditions, without relying on user interaction.

    What Is JavaScript location.reload()?

    The location.reload() method refreshes the page it is called on. In essence, it behaves the same way a user would if they clicked the browser’s reload button. However, because it is called with JavaScript, the action can be triggered automatically or in response to specific events. 

    Here is the most basic usage:

    location.reload();

    This line of code tells the browser to reload the current page. It does not require any parameters by default and typically loads the page from the browser’s cache. Note that you can use our free resources (namely, online code editors) to follow along with this discussion.

    Forcing a Hard Reload

    Sometimes a regular reload is not enough, especially when you want to ensure that the browser fetches the latest version of the file from the server instead of using the cached copy. You can force a hard reload by passing true as a parameter:

    location.reload(true);

    However, it is important to note that modern browsers have deprecated this parameter in many cases. Instead, they treat all reloads the same. If you need to fully bypass the cache, server-side headers or a versioned URL might be a more reliable approach.

    And let’s talk syntax:

    So what about the false parameter? That reloads the page using the web browser cache. Note that false is also the default parameter. So if you run reload() without a parameter, you’re actually running object.reload(false). This is covered in the Mozilla developer docs.

    So when do you use Location.reload(true)? One common situation is when the page has outdated information. A hard reload can also bypass caching issues on the client side.

    Common Use Cases

    The location.reload() method is used across a wide range of situations. Here are a few specific scenarios where it’s especially useful:

    1. Reload after a form submission:

    document.getElementById("myForm").onsubmit = function() {
    setTimeout(function() {
        location.reload();
    }, 1000);
};

    This use case helps clear form inputs or reset the page state after the form has been processed. You can test this in the online Javascript editor. No download required. Just enter the code and click run to immediately see how it looks.

    2. Refresh after receiving new data:

    In web applications that rely on live data, such as dashboards or status monitors, developers might use location.reload() to ensure the page displays the most current information after an update.

    3. Making a manual refresh button:

    <button onclick="location.reload();">Refresh Page</button>

    This is a simple way to give users control over when to reload, particularly in apps that fetch new content periodically.

    4. Reload a Page Without Keeping the Current Page in Session History

    This is another common use. It looks like this.

    window.location.replace(window.location.href);

    Basically, if a user presses the back button after they hit reload, they might be taken back to a page that no longer reflects the current application logic. The widow.location.replace() method navigates to a new URL, often the same one, and replaces the current page in the session history.

    This effectively reloads the page without leaving a trace in the user’s history stack. It is particularly useful for login redirects, post-submission screens, or any scenario where you want to reset the page without allowing users to revisit the previous state using the back button.

    Limitations and Best Practices

    While location.reload() is useful; it should be used thoughtfully. Frequent or automatic reloads can frustrate users, especially if they disrupt input or navigation. In modern development, reloading an entire page is sometimes considered a heavy-handed approach.

    For dynamic updates, using JavaScript to update only part of the page, through DOM manipulation or asynchronous fetch requests, is often more efficient and user-friendly.

    Also, keep in mind that reloading clears unsaved user input and resets page state. It can also cause data to be resubmitted if the page was loaded through a form POST, which may trigger browser warnings or duplicate actions. If you’re looking for a job, make sure to brush up on this and any other common JavaScript interview questions.

    Smarter Alternatives to Reloading the Page

    While location.reload() is simple and effective, it is often more efficient to update only part of a page rather than reloading the entire thing. Reloading can interrupt the user experience, clear form inputs, and lead to unnecessary data usage. In many cases, developers turn to asynchronous techniques that allow content to be refreshed behind the scenes.

    AJAX, which stands for Asynchronous JavaScript and XML, was one of the earliest ways to perform background data transfers without refreshing the page. It allows a web page to send or receive data from a server and update only the necessary parts of the interface. Although the term AJAX often brings to mind older syntax and XML data formats, the concept remains vital and is now commonly used with JSON and modern JavaScript methods.

    One of the most popular modern approaches is the Fetch API. Introduced as a cleaner and more flexible alternative to XMLHttpRequest, the Fetch API uses promises to handle asynchronous requests. It allows developers to retrieve or send data from a server and then apply those updates directly to the page using the Document Object Model, or DOM.

    Here is a simple example:

    fetch('/api/data')
  .then(response => response.json())
  .then(data => {
    document.getElementById('content').textContent = data.message;
  });

    This example retrieves data from the server and updates only a single element on the page. It is fast, efficient, and keeps the user interface responsive.

    By using AJAX or the Fetch API, developers can create a more fluid and interactive experience. These tools allow for partial updates, background syncing, and real-time features without forcing users to wait for an entire page to reload. In a world where performance and responsiveness matter more than ever, these alternatives offer a more refined approach to managing content updates on the web.

    Conclusion

    The location.reload() method in JavaScript is a straightforward way to refresh the current web page. Whether used for resetting the interface or updating content, it offers a quick and accessible solution for common front-end challenges. But like all tools in web development, it should be used with an understanding of its impact on user experience.

    Before reaching for a full page reload, consider whether updating the page’s content directly might serve your users better. When applied appropriately, location.reload() can be a useful addition to your JavaScript toolkit.

    Want to put this into action? Add it to a JavaScript project and test it out.

     





    Source link

  • Russian R&D Networks Targeted via Decoy PDFs

    Russian R&D Networks Targeted via Decoy PDFs


    Contents

    • Introduction
    • Key Targets
      • Industries Affected
      • Geographical Focus
    • Infection Chain
    • Initial Findings
      • Looking into the decoy-document
    • Technical Analysis
      • Stage 1 – Malicious RAR File
      • Stage 2 – Malicious .NET malware-dropper
      • Stage 3 – Malicious Golang Shellcode loader
      • Stage 4 – Shellcode Overview
    • Hunting and Infrastructure
    • Conclusion
    • Seqrite Protection
    • IOCs
    • MITRE ATT&CK
    • Authors

    Introduction

    SEQRITE Labs APT-Team has been tracking and has uncovered a campaign targeting the Baltic State Technical University, a well-known institution for various defense, aerospace, and advanced engineering programs that contribute to Russia’s military-industrial complex. Tracked as Operation HollowQuill, the campaign leverages weaponized decoy documents masquerading as official research invitations to infiltrate academic, governmental, and defense-related networks. The threat entity delivers a malicious RAR file which contains a .NET malware dropper, which further drops other Golang based shellcode loader along with legitimate OneDrive application and a decoy-based PDF with a final Cobalt Strike payload.

    Key Targets

    Industries Affected

    • Academic & Research Institutions
    • Military & Defense Industry.
    • Aerospace & Missile Technology
    • Government oriented research entities.

    Geographical Focus

    Infection Chain.

     

    Initial Findings.

    In the early months of 2025, our team found a malicious RAR archive file named as Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова.rar , which translates to Outgoing 3548 on the formation of state assignments for conducting fundamental and exploratory research at BSTU ‘VOENMEKH’ named after D.F. Ustinov.rar surfaced on Virus Total. Upon investigation, we determined that this RAR has been used as a preliminary source of infection, containing a malicious .NET dropper which contains multiple other payloads along with a PDF based decoy.

    The RAR archive contains a malicious .NET executable functioning as a dropper, named “Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова” which also translates to Outgoing No. 3548 regarding the formation of state assignments for conducting fundamental and exploratory research at BSTU ‘VOENMEKH’ named after D.F. Ustinov. This dropper is responsible for deploying a legitimate OneDrive executable alongside a malicious shellcode loader written in Golang. Upon execution, the .NET executable performs several operations: one of them it deploys the Golang loader containing shellcode, injects the shellcode into the legitimate OneDrive process, and spawns a decoy document. Before delving into the technical details, let’s first examine the decoy document.

    Looking into the decoy-document.

    Upon looking into the decoy document, it turns out that this lure is a document related to the Ministry of Science and Higher Education of Russia, specifically concerning Baltic State Technical University “VOENMEKH” named after D.F. Ustinov. The document appears to be an official communication addressed to multiple organizations, potentially discussing state-assigned research projects or defense-related academic collaborations.

    The above is a translated version of the initial sections of the decoy.

    The contents and the entire decoy confirm that this PDF serves as a comprehensive guideline for the allocation of state-assigned research tasks, outlining the process for organizations to submit proposals for fundamental and applied research projects under the 2026-2028 budget cycle. It provides instructions for institutions, particularly those engaged in advanced scientific and technological research, on how to register their technological requests within the Unified State Information System for Scientific Research and Technological Projects (ЕГИСУ НИОКТР) before the specified deadline.

    Now, looking into the later part of the decoy it can be seen that the decoy document provides additional information on the submission process for state-assigned research tasks, emphasizing that financial support for these projects will come from budgetary allocations through the Ministry of Science and Higher Education of Russia. Also, the document mentions contact details for inquiries of Bogdan Evgenyevich Melnikov, a senior researcher in the Department of Fundamental and Exploratory Research, with an email address for communication.

    Well, at the end of this decoy, it can be seen that it has been signed by A.E. Shashurin, who is identified as a Doctor of Technical Sciences (д.т.н.), professor, and acting rector (и.о. ректора) of the institution. Overall, this lure document serves as an official communication from the Ministry of Science and Higher Education of Russia, providing guidelines for organizations regarding state-funded research initiatives.

    Technical Analysis

    We will divide our analysis into four main sections. First, we will examine the malicious RAR archive. Second, we will delve into the malicious .NET dropper. Third, we will focus on analyzing the working of the malicious Golang based shellcode injector and at the end, we will look into the malicious Cobalt Strike payload. This detailed exploration will shed light on the methodologies employed and provide insights into the threat actor’s tactics within this particular campaign.

    Stage 1 – Malicious RAR File.

    Upon examining the malicious RAR file, it contains another malicious executable named Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова. After initial analysis of the file’s artefacts it was revealed it is a 32-bit .NET-based executable. In the next section, we will explore the functionality of this.NET executable.

    Stage 2 – Malicious .NET malware-dropper.

    Now, let us look into the workings of the .NET file which was compressed inside the RAR archive. As in the previous section we found that the binary is basically a 32-bit.NET executable, it is also renamed as SystemUpdaters.exe while we loaded it into analysis tools.

    Upon looking inside, the sample, we found three interesting methods. Now let us dive deep into them.

    Looking into the first method we can see that the Main function, we can see that it calls another method MyCustomApplicationContext . Let us analyze the method.

    Next, looking into the method, we found that the code initially checks whether the decoy PDF is present inside the C:\Users\Appdata\Roaming\Documents location, in case the PDF file is not present, it goes ahead and copies the decoy, which is stored under the resources section, and writes it into the location.

    Next, looking into the code further, we found that it checks if the file OneDrive.exe which is basically the legitimate OneDrive application exists, in case it does not find it on the desired location, it goes ahead and copies the legitimate application stored under the resource section, and writes it into the location.

    Looking into the later part of code, we found that it checks for a file named as OneDrives_v2_1.exe under the location C:\Users\Appdata\Roaming\Driver , in case it did not find the file, just like similar files, it copies the executable from the resources section and writes it to the location.

    Then looking into one of the most intriguing aspects of this dropper is its use of a shortcut (.lnk) file named X2yL.lnk as a persistence mechanism by placing it in the Windows Startup folder to ensure execution upon system boot. Upon analyzing the H3kT7fXw method, we observed that it is responsible for creating this shortcut file. The method utilizes WshShell to generate the .lnk file and assigns it a Microsoft Office-based icon, making it less suspicious. Additionally, the target path of the shortcut is set to the location where the malicious payload I.e., OneDrives_v2_1.exe is stored, ensuring its execution whenever the shortcut is triggered upon booting.

    At the end, it goes ahead and spawns the decoy PDF into the screen. As, we conclude the analysis of the malicious .NET dropper, in the next sections, we will analyze the malicious executable dropped by this dropper.

    Stage 3 – Malicious Golang Shellcode loader.

    Initially, upon looking into the sample inside analysis tools. we can confirm that this executable is programmed using Golang. Next, we will look into the working of the shellcode loader and its injection mechanism.

    Looking into the very first part of this shellcode loader, we found that the binary executes time_now function to initially capture the current system time, then it calls time_sleep which is also a Golang function with a hardcoded value, then again it calls the time_now function, which checks for the timestamp after the sleep. Then, it calls time_Time_Sub which checks the difference between the timestamp captured by the function and goes ahead and checks if the total sleep time is less then 6 seconds, in case the sleep duration is shorter, the program exits, this acts as a little anti-analysis technique.

    Next, moving ahead and checking the code, we found that the legitimate OneDrive executable, which was dropped by the.NET dropper, that similar process is being created using the CreateProcess API in Golang, and the process is being created in a suspended mode.

    Then, the shellcode which is already embedded in this loader binary is being read by using Golang function embed_FS_ReadFile which returns the shellcode.

    Next, the shellcode which was returned by the previous function in a base64 encoded format is being decoded using Golang native function base64.StdEncoding.DecodeString and returned.

    Then, the code basically uses a hardcoded 13-byte sized key, which is basically used to decode the entire shellcode.

    Then finally, the code performs APC Injection technique to inject the shellcode inside the memory, by first starting with the process in a suspended state, followed by decoding and decrypting the shellcode, followed by allocating memory on the suspended OneDrive.exe process, then once the memory is allocated, it goes ahead and writes the shellcode inside the memory using WriteProcessMemory , then it uses QueueUserAPC API to queue a function call inside the main thread of the suspended OneDrive.exe process. Finally using ResumeThread which causes the queued APC function (containing the shellcode) to execute, effectively running the injected malicious code within the context of OneDrive.exe. Now, let us analyze some key artifacts of the shellcode.

    Stage 4 -Shellcode overview.

    Upon looking inside, the malicious shellcode and analyzing it we found that the shellcode is actually a loader, which works by initially loading a Windows wwanmm.dll library.

    Once, the DLL is loaded it zeroes out the .text section of the DLL. It uses a windows API DllCanUnloadNow which helps to prepare the beacon in memory. Thus, further facilitating the working of the shellcode which is a Cobalt Strike beacon.


    Further analyzing it becomes quite evident that the beacon is connecting to the C2-server, hosted by the attacker using certain user-agent. As, this tool is quite commonly used, therefore, we will not delve in-depth on the workings of the malicious beacon. The configuration of the beacon can be extracted as follows.

    Extracted Configuration:

    Method : GETHost[Command & Control] : phpsympfony.comUser-Agent : “Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko”

    Hunting and Infrastructure.

    Upon analysis of the shellcode injector programmed in Golang, we found little OPSEC related mistakes from the threat actor such as leaving Go-build ID along with the injector, which helped us to hunt for similar payloads, used by the same threat actor. The Go-build ID is as follows:

    -_APqjT14Rci2qCv58VO/QN6emhFauHgKzaZvDVYE/3lVOVKh9ePO_EDoV_lSN/NL58izAdTGRId20sd3CJ

    Now, looking into the infrastructural artefacts, the malicious command-and-control server which has been hosted at the domain phpsymfony[.]com , has been rotating the domain across multiples ASN services. Also, there has been a unique HTTP-Title which has also been rotated multiple times across the C2-server.

    Looking into the response across the history we can see that the title Coming Soon – pariaturzzphy.makebelievercorp[.]com has been set up multiple times.

    Upon further searching for the same HTTP-Title, we found that a lot of hosts are serving the same title, out of which some of them are serving malicious binaries such as ASyncRAT and much more.

    Looking into the ASNs, the C2 server has been rotating since the date of activation. The list is as follows.

    ASN Geolocation Owner
    AS13335 United States Cloudflare Net
    AS35916 United States MULTA-ASN1
    AS135377 Hong Kong UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED
    AS174 United States COGENT-174
    AS47846 Germany SEDO-AS
    AS8560 🌍 Unknown IONOS-AS

    Conclusion

    We have found that a threat actor is targeting the Baltic Technical University using research themed lure where they have been using a.NET dropper to shellcode loader finally delivering a Cobalt Strike in-memory implant. Analyzing the overall campaign and TTPs employed by the threat actor, we can conclude that the threat actor has started targeting few months back since December 2024.

    SEQRITE Protection.

    • Trojan.Ghanarava.1738100518c73fdb
    • Trojan.Ghanarava.1735165667615275

    IOCs.

    MD5 Filename
    ab310ddf9267ed5d613bcc0e52c71a08 Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова.rar
    fad1ddfb40a8786c1dd2b50dc9615275 SystemsUpdaters.exe
    cac4db5c6ecfffe984d5d1df1bc73fdb OneDrives_v2_1.exe

    C2

    phpsymfony[.]com
    hxxps://phpsymfony[.]com/css3/index2.shtml

    MITRE ATT&CK.

    Tactic Technique ID Name
    Initial Access T1566.001 Phishing: Spear phishing Attachment

     

     
    Execution T1204.002

    T1053.005

    		 User Execution: Malicious File

    Scheduled Task.
    Persistence T1547.001 Registry Run Keys / Startup Folder
    Defense Evasion T1036
    T1027.009
    T1055.004
    T1497.003    		 Masquerading
    Embedded Payloads.
    Asynchronous Procedure Call
    Time Based Evasion
    Command and Control T1132.001 Data Encoding: Standard Encoding

    Authors

    • Subhajeet Singha
    • Sathwik Ram Prakki



    Source link

  • HTML Editor Online with Instant Preview and Zero Setup



    HTML Editor Online with Instant Preview and Zero Setup



    Source link

  • Write and Test Code Instantly With an Online Python Editor



    Write and Test Code Instantly With an Online Python Editor



    Source link

  • How to Market Your Business Internationally


    It’s every business owner’s dream that their business will scale up, even reaching an international status if possible. That said, it may seem like an impossible task to take your business to the international level. The truth is that it’s doable, with a few tips that may take resources to put in place. Here are a few of the ways in which you can market your business internationally and scale up beyond your wildest imagination.

    Understand the Different Laws and Cultures

    The first thing that you need to do is to understand the laws and social norms of the various regions that you hope to expand to. By doing this, you can avoid doing things that are likely to backfire on you and make it even harder to scale up down the road. In addition to learning the social norms, you should also be aware of the legalities in the market that you want to appeal to. Remember to also make considerations for the issues that people generally face in the market in question.

    For the best outcome, you may want to work with a lawyer. This should be easy to do because you can find legal assistance for practically any issue that you may face, including family affairs. On this note, keep in mind that anyone of the 43% of people in Tennessee working through a difficult custody battle, going through a difficult divorce, or even making modifications to a parenting plan, it’s crucial to enlist the assistance of an experienced family law attorney who can advocate for your legal rights and needs.

    Do Thorough Research

    Next, you need to do thorough research on the best ways to make your products or services beneficial and appealing to the markets in question. To this end, look at what other businesses in your niche are doing. Borrow from what works and make fixes to whatever doesn’t so that you can end up with an efficient plan. This research may need to be extensive to the point of helping you learn that Belize has a coral reef system that’s as long as 185 miles, according to NASA, especially if your business has anything to do with coastal areas and such.

    Choose the Right Channels

    Keep in mind that there are many different channels that you can use to market your business. The ones that you focus on can make or break your business, so make sure to find the right ones. These should be those that are the most likely to have a large segment of your target market, which will be influenced by factors such as age. That said, some channels are a safe bet because they have a massive selection of a mixed demographic. One of these is Facebook, on which an estimated 86% of marketers advertise, according to Oberlo.

    Make Your Payment Methods Seamless

    Last but not least, do your best to ensure that clients don’t have a hard time when trying to give you their money. Find the best way to make sure that your payment methods are both safe and seamless. This will have the effect of building trust in your business among the people who interact with it. As a result, they’re quite likely to market your business to others by word of mouth, which is one of the most effective methods of marketing that any business owner could ever hope for. If there aren’t issues like information leaks and hacks in your business systems, it will be easy for you to scale up.

    These are some of the best ways in which you can market your business internationally. If you put in the time and work that’s required, you can improve your chances of getting a great outcome. Keep an open mind and learn from any mistakes that you make so that you move from one level to the next as seamlessly as possible.



    Source link

  • Importance of Digital Personal Data Protection for Retail Sector

    Importance of Digital Personal Data Protection for Retail Sector


    India’s retail sector is undergoing a significant digital transformation, with e-commerce, loyalty programs, and personalized marketing becoming the norm. This evolution means retailers are collecting and processing vast amounts of customer data, making compliance with the Digital Personal Data Protection (DPDP) Act 2023 a business necessity.

    This blog explores why the DPDP Act is critical for the Indian retail ecosystem, highlighting its role in strengthening customer trust, enhancing data security, and ensuring responsible data management. By aligning with this legislation, retailers can meet regulatory requirements and differentiate themselves through stronger data governance and transparency.

    • Building Stronger Customer Relationships Through Trust

    Customer trust is a critical business asset in today’s competitive retail landscape. The DPDP Act grants consumers (Data Principals) key rights over their data, including access, correction, and erasure under specific conditions. By aligning with the DPDP Act’s compliance framework, retailers can reinforce their commitment to data privacy and transparency, strengthening customer relationships.

    These principles enhance brand credibility and foster long-term customer loyalty, positioning retailers as responsible data stewards in an evolving digital marketplace.

    • Ensuring Data Security in a Digital Marketplace

    The retail sector faces growing cybersecurity risks, with data breaches potentially exposing sensitive customer information such as payment details and contact data. Under the DPDP Act, as Data Fiduciaries, retailers must implement robust security measures to prevent breaches and promptly notify the Data Protection Board of India and affected customers in case of an incident.

    By prioritizing compliance-driven data security, retailers can mitigate cyber risks, protect customer information, and safeguard brand reputation, ensuring long-term business resilience in an increasingly digital landscape.

      • Promoting Fair and Transparent Data Practices

    The DPDP Act enforces key principles like purpose limitation and data minimization. It requires retailers to collect only necessary data for defined purposes—such as processing transactions or personalizing offers—and retain it only as long as needed.

    By adopting transparent data practices, retailers can ensure ethical data usage, reduce compliance risks, and enhance customer confidence. The Act also mandates clear customer notifications on data collection and usage, reinforcing trust and regulatory accountability in an increasingly data-driven retail landscape.

    • Ensuring Regulatory Compliance in a Growing Sector

    The DPDP Act establishes a comprehensive legal framework for data protection, which is crucial for India’s rapidly expanding retail industry. Compliance ensures that retailers meet regulatory standards for processing digital personal data, mitigating risks of penalties and legal liabilities.

    By aligning with the Act’s requirements, retailers can reinforce their commitment to ethical data practices, enhance customer trust, and operate with greater transparency and accountability in the evolving digital marketplace.

    • Empowering Consumers with Control Over their Data

    The DPDP Act grants consumers the right to access, correct, and request the erasure of their digital personal data held by retailers. To ensure compliance, businesses must implement efficient mechanisms for handling these requests within the legal framework.

    By prioritizing consumer data rights, retailers can enhance transparency, strengthen accountability, and foster trust, allowing customers to make informed decisions about the data they share—ultimately improving brand credibility and customer engagement.

    • Key Compliance Obligations for Retailers under the DPDP Act

    Retailers must align with several critical obligations under the DPDP Act 2023 to ensure compliance and data protection:

    • Obtaining Informed Consent: Customer consent is required to process personal data, including marketing and loyalty programs.
    • Implementing Security Measures: Strong technical and organizational controls must safeguard customer data, such as secure access to corporate resources and endpoint protection.
    • Data Breach Notification: Any data breaches must be promptly reported to the Data Protection Board and affected customers.
    • Data Retention Policies: Clear policies must ensure customer data is retained only as long as necessary for its intended purpose.
    • Handling Data Principal Rights Requests: Efficient processes should be in place to manage customer requests for data access, correction, and erasure.
    • Potential Appointment of a Data Protection Officer (DPO): Large retailers classified as Significant Data Fiduciaries may be required to appoint a DPO for compliance oversight.

     

    • Navigating the Path to DPDP Compliance in Retail

    Retailers must take a proactive approach to ensure compliance with the DPDP Act. This includes conducting a comprehensive assessment of current data processing practices and updating privacy policies to align with regulatory requirements.

    Staff training on data privacy protocols and investing in data privacy management systems are essential. Additionally, retailers must establish clear procedures for obtaining and managing customer consent, ensuring compliance, transparency, and enhanced customer trust in the digital marketplace.

    Building a Privacy-First Retail Ecosystem

    The Digital Personal Data Protection Act 2023 is pivotal in strengthening data security and trust in India’s retail sector. The Act enhances customer relationships and industry integrity by enforcing responsible data handling, empowering consumers, and prioritizing privacy compliance.

    Retailers who proactively adopt DPDP Act compliance fulfill legal requirements and gain a competitive edge by showcasing their commitment to customer data protection. Seqrite offers comprehensive data protection solutions to help retailers navigate compliance complexities and implement robust security frameworks. Contact us or visit our website for information.

     



    Source link

  • Kimsuky APT Targets South Korea with Deceptive PDF Lures

    Kimsuky APT Targets South Korea with Deceptive PDF Lures


    Kimsuky: A Continuous Threat to South Korea with Deceptive Tactics

    Contents

    • Introduction
    • Infection Chain
    • Initial Findings
    • Campaign 1
      • Looking into PDF document.
    • Campaign 2
      • Looking into PDF document.
    • Technical Analysis
    • Conclusion
    • Seqrite Protection
    • MITRE ATT&CK
    • IOCs

    Introduction:

    Security researchers at Seqrite Labs have recently uncovered two distinct campaigns carried out by the APT group “Kimsuky,” also known as “Black Banshee.” This group has been actively targeting South Korea using evolving tactics. In these campaigns, the threat actors delivered two South Korean government-themed documents as lures, specifically targeting government entities within South Korea.

    In this blog, we will delve into the technical details of the campaigns uncovered during our analysis. We will examine the various stages of infection, starting with a phishing email containing an LNK (shortcut) file attachment. The LNK file was designed to drop an obfuscated VBA (Visual Basic for Applications) script, After de-obfuscating the script, we found that it was responsible for dropping two additional files: One Pdf file and One ZIP file The ZIP file contained four malicious files: two log files (1.log and 2.log), one VBA script (1.vba), and one PowerShell script (1.ps1). Both campaigns involved the same set of malicious files.

    Infection Chain:

    Fig .1 infection chain

    Initial Findings:

    Campaign-1:

    In the first campaign, we identified a document related to tax reduction and tax payment related to revenue, which contained the same malicious LNK attachment. This attachment subsequently deployed a malicious VBScript, facilitating further compromise.

     

    Fig .2 Revanue.pdf file

     

    Based on our initial findings, we discovered that the adversary utilized a different document containing the same LNK file content.

    Campaign-2:

    In campaign-2, it has come to our attention that South Korea has enacted a new policy aimed at preventing recidivism among sex offenders. The initiative involves circulating a detailed document outlining the regulations, which was shared with households, daycare centers, kindergartens, and various local administrative offices, including township and village authorities, as well as neighbourhood community centres. However, hackers, including cyber-criminals, are exploiting this dissemination process by sending deceptive emails containing harmful attachments. These emails are targeting residential recipients and key personnel at local offices.

     

    Fig .3 Sex Offender Personal Information Notification.pdf

     

    The adversaries have exploited the distribution of this information and document by circulating it via email, disguised under the filename 성범죄자 신상정보 고지.pdf.lnk (Sex Offender Personal Information Notification.pdf.lnk). This attachment contains a malicious LNK file, which poses a cybersecurity threat to the recipients.

     

    Technical Analysis and Methodology:

    Campaign 1 & 2:

    We have downloaded the file named 28f2fcece68822c38e72310c911ef007f8bd8fd711f2080844f666b7f371e9e1.lnk from campaign-1 and “성범죄자 신상정보 고지.pdf.lnk” from campaign-2 (Sex Offender Personal Information Notification.pdf.lnk) that was shared via email. During the analysis of this LNK file, it appears to be fetching additional files from an external C2 server, as shown in the snapshot below.

    Fig.4 Downloading VBScript from C2 (Campaign –1)

     

    Fig .5 Downloading VBScript From C2 (Campaign -2)

    The file was downloaded from the URL provided above and saved into the Temp folder, as indicated below.

    Fig .6 downloaded into Temp Folder (Campaign-1)

     

    Fig .7 downloaded into Temp Folder (Campaign-2)

    The file downloaded from the C2 server appears to be an obfuscated VBScript. Upon DE obfuscating the script, we discovered two additional files: one PDF and one ZIP file.

    Fig .8 Obfuscated VB Script

    The first section of the file is encoded in Base64 strings.

    Fig .9 Base64 Encoded PDF

    After Decoding we have found one PDF file.

     

    Fig .10 PDF after Decoding

     

    The second part of the VBScript is also encoded in Base64. After decoding it, we discovered a ZIP file.

    Fig .11 Zip File

     

    Fig. 12 Detect It Easy

    Zip files contain the below numbers of files in it.

    Fig .13 Inside Zip File

    Within the ZIP archive, four files were identified: a VBScript, a PowerShell script, and two Base64-encoded text files. These encoded text files house obfuscated data, which, upon further dissection, may yield critical intelligence regarding the malware’s functionality and objectives. The following figures illustrate the encoded content of the two text files, which will be subsequently decoded and analysed to elucidate the next phase in the attack chain.

    Fig. 14- 1 Log.txt file with Base64 encoding

     

    Fig.15 – 2 Log .txt file with Base64 encoding

    The 1.vbs file employs advanced obfuscation techniques, utilizing the chr() and CLng() functions to dynamically construct characters and invoke commands at runtime. This strategy effectively circumvents signature-based detection mechanisms, allowing the script to evade detection during execution.

    Upon script termination, the concatenated characters form a complete command, which is subsequently executed. This command is likely designed to invoke the 1.ps1 PowerShell script, passing 1.log as an argument for further processing.

    Fig .16 – 1.vbs

    Upon attempting to DE-obfuscate the VBScript, we uncovered the following command-line execution, which subsequently triggers the PowerShell script for further processing.

    Fig .17  De-Obfuscated VB Script

    Upon executing the 1.vbs file, it triggered the invocation of the 1.ps1 file, as illustrated in the snapshot below.

    Fig .18 Executing 1.VBS

    The 1.ps1 script includes a function designed to decode Base64-encoded data from the 1.log file and execute the resulting script.

    Fig.19 – 1.ps1 file

     

    Fig.20 – 1 Log.txt after decoding

    The 1.ps1 script retrieves the BIOS serial number, a unique system identifier, from the compromised host. This serial number is subsequently used to create a dedicated directory within the system’s temporary folder, ensuring that attack-related files are stored in a location specific to the compromised machine, as shown in above snapshot.

    As a VM-aware sample, the script checks if it is executing within a virtual machine environment. If it detects a virtual machine, it will delete all four files associated with the attack (1.vbs, 1.ps1, 1.log, and any payload files stored in the directory named after the serial number), effectively halting its execution, as illustrated.

    The script encompasses 11 functions that define the subsequent phases of the malware’s operation, which include data exfiltration, cryptocurrency wallet information theft, and the establishment of Command-and-Control (C2) communications. These functions are integral to the attack’s execution, facilitating the malware’s objectives and ensuring persistent communication with the threat actor.

    List of malicious function retrieved from 1 log file:

    1. UploadFile ():

    The upload function exfiltrates data by transmitting it to the server in 1MB chunks, allowing it to handle large file sizes efficiently. The script awaits a response from the server, and if it receives an HTTP status code of “200,” it proceeds with further execution. If the response differs, the script terminates its operation. Each chunk is sent via an HTTP POST request, with the function verifying the success of each upload iteration before continuing.

    Fig .21 UploadFile()

     

    1. GetExWFile ():

    The GetExWFile function iterates through a set of predefined hash tables containing cryptocurrency wallet extensions. When a match is found, it identifies the associated”.ldb” and ”.log” files linked to those extensions for exfiltration. These files are subsequently transferred to the specified destination folder, as indicated by the $Storepath variable.

    Fig.22 GetExWFile ()
    1. GetBrowserData ():

    The script checks whether any of the following browsers—Edge, Firefox, Chrome, or Naver Whale—are actively running, to extract user profile data, including cookies, login credentials, bookmarks, and web data. Prior to collecting this information, the script terminates the browser processes to ensure uninterrupted access. It then proceeds to retrieve data on installed extensions and cache files, such as webcacheV01.dat, for each identified browser. For certain browsers, it also performs decryption operations to unlock encrypted keys, allowing it to extract sensitive information, which is then stored alongside the decrypted master encryption key.

    Fig.23 BrowserData ()
    1. Download file () :

    The download file function downloads any file based on the C2 command.

    Fig.24 Download File ()
    1. RegisterTask () :

    It creates persistence for the files “1.log” and “1.vbs”.

    Fig.25 RegisterTask()
    1. Send ():

    The send () function uploads all the collected information to the server after compressing the data into a ZIP file named “init.zip”. It then renames the ZIP file to “init.dat” and deletes all backup files from the system after uploading.

    Fig.26 Send ()

    The execution flow of the functions follows a sequence where several actions are carried out within the attack. Among these functions, one triggers another PowerShell command that calls the 2.log file, which is responsible for performing keylogging activities.

     

    Fig. 27 Flow of execution of functions and command to execute “2.log”.
    Fig.28 Executing 2 log file

     

    Fig.29 Inside 2 log file

     

    The decoded content of the 2.log file is shown above. It contains a script that imports essential Windows API functions for detecting key presses, retrieving window titles, and managing keyboard states. The script executes actions such as clipboard monitoring, keystroke logging, and recording window titles.

    Fig. 30.2 Code for clipboard monitoring.

    Conclusion

    As observed, threat actors are utilizing time-consuming, multi-component techniques that are interlinked to enhance their evasiveness. Unlike other stealers, this one primarily focuses on network-related information, which could be leveraged for active reconnaissance. Given that the stealer targets sensitive user data, it is crucial to protect yourself with a reputable security solution such as Seqrite Antivirus in today’s digital landscape. At Seqrite Lab, we provide detection capabilities for such stealers at various stages of infection, along with protection against the latest threats.

    Seqrite Protection:

    • Trojan.49424.SL
    • Trojan.49422.C

     

    MITRE ATT&CK:

    Initial Access T1566.001 Phishing: Spearphishing Attachment
    Execution T1059.001

     

    T1059.005

    		 Command and Scripting Interpreter: PowerShell

    Command and Scripting Interpreter: Visual Basic
    Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    Defense Evasion T1140 Deobfuscate/Decode Files or Information
    Credential Access T1555.003 Credentials from Password Stores: Credentials from Web Browsers
    Discovery T1082 System Information Discovery
    Collection T1056.001 Input Capture: Keylogging
    Command and Control T1071.001 Application Layer Protocol: Web Protocols
    Exfiltration T1041 Exfiltration Over C2 Channel

    IoCs:

    MD5  File Name
    1119A977A925CA17B554DCED2CBABD8  *.lnk
    64677CAE14A2EC4D393A81548417B61B  1.log
    F0F63808E17994E91FD397E3A54A80CB  2.log
    A3353EA094F45915408065D03AE157C4  prevenue.hta
    CE4549607E46E656D8E019624D5036C1  1.vbs
    1B90EFF0B4F54DA72B19195489C3AF6C  *.lnk
    1D64508B384E928046887DD9CB32C2AC 성범죄자 신상정보 고지.pdf.lnk

    C2

    • hxxps[:]//cdn[.]glitch[.]global/
    • hxxp[:]//srvdown[.]ddns.net

     

    Authors

    Dixit Panchal

    Kartik Jivani

    Soumen Burma

     

     



    Source link