The US Federal Bureau of Investigation says criminals are hijacking weakly-secured smart devices in order to live-stream or record swatting incidents.

"Recently, offenders have been using victims' smart devices, including video and audio capable home surveillance devices, to carry out swatting attacks," the FBI said in a public service announcement published today.

Officials say suspects are taking over devices on which owners created accounts but reused credentials that previously leaked online during data breaches at other companies.

These individuals then place calls to law enforcement and report a fake crime at the victims' residence.

"As law enforcement responds to the residence, the offender watches the live stream footage and engages with the responding police through the camera and speakers," the FBI said.

"In some cases, the offender also live streams the incident on shared online community platforms."

These types of incidents, called swatting, have increased across the US in recent years and have even resulted in people's deaths through accidental shootings.

The first known cases of a swatting incident being live-streamed online date back to the mid-2010s. The difference between what the FBI is reporting now and those initial incidents is that devices weren't being hacked.

Pranksters would identify social events that were being streamed online and would arrange the event to be swatted, such as weddings, church meetings, and more.

Many of these swatting calls are being placed through online services that provide anonymous calling capabilities -- such as Discord bots and dark web services.

To counteract with this new rising hack&swat cases, bureau officials said they are now working with device vendors to advise customers on how they could select better passwords for their devices.

Furthermore, the FBI said it's also working to alert law enforcement first responders about this new swatting variation, so they may respond accordingly.

As for device owners, the same advice remains valid: Use complex and unique passwords for each of your online accounts. Use two-factor authentication where available.

The Lazarus group has tweaked its loader obfuscation techniques by abusing image files in a recent phishing campaign.

Lazarus is a state-sponsored advanced persistent threat (APT) group from North Korea.

Known as one of the most prolific and sophisticated APTs out there, Lazarus has been in operation for over a decade and is considered responsible for worldwide attacks including the WannaCry ransomware outbreak, bank thefts, and assaults against cryptocurrency exchanges.

South Korean organizations are consistent targets for Lazarus, although the APT has also been traced back to cyberattacks in the US and, more recently, South Africa.

In a campaign documented by Malwarebytes on April 13, a phishing document attributed to Lazarus revealed the use of an interesting technique designed to obfuscate payloads in image files.

The attack chain begins with a phishing Microsoft Office document (???????.doc) and a lure in the Korean language. Intended victims are asked to enable macros in order to view the file's content, which, in turn, triggers a malicious payload.

The macro brings up a pop-up message which claims to be an old version of Office, but instead, calls an executable HTA file compressed as a zlib file within an overall PNG image file.

During decompression, the PNG is converted to the BMP format, and once triggered, the HTA drops a loader for a Remote Access Trojan (RAT), stored as "AppStore.exe" on the target machine.

"This is a clever method used by the actor to bypass security mechanisms that can detect embedded objects within images," the researchers say. "The reason is because the document contains a PNG image that has a compressed zlib malicious object and since it's compressed it can not be detected by static detections. Then the threat actor just used a simple conversion mechanism to decompress the malicious content."

The RAT is able to link up to a command-and-control (C2) server, receive commands, and drop shellcode. Communication between the malware and C2 is base64 encoded and encrypted using a custom encryption algorithm that has previously been linked to Lazarus' Bistromath RAT.

In related news, Google's Threat Analysis Group (TAG) warned earlier this month that North Korean threat actors are targeting security researchers across social media. First spotted in January, the scheme now includes a web of sham profiles, browser exploits, and a fake offensive security company.

The attack chain begins with a phishing Microsoft Office document ... Intended victims are asked to enable macros in order to view the file's content ...

HIPB, run by Australian security research Troy Hunt, is a widely trusted breach alert service that underpins Mozilla's Firefox own breach-alert notifications.

The FBI collected the email addresses from Emotet's servers, following a takedown in January. The Emotet malware botnet was taken down by law enforcement in the US, Canada and Europe, disrupting what Europol said was the world's most dangerous botnet that had been plaguing the internet since 2014.

Emotet was responsible for distributing ransomware, banking trojans and other threats through phishing and malware-laden spam.

In January, law enforcement in the Netherlands took control of Emotet's key domains and servers, while Germany's Bundeskriminalamt (BKA) federal police agency pushed an update to about 1.6 million computers infected with Emotet malware that this week activated a kill switch to uninstall that malware.   

Hunt says in a blogpost that the FBI handed him "email credentials stored by Emotet for sending spam via victims' mail providers" as well as "web credentials harvested from browsers that stored them to expedite subsequent logins".

The email addresses and credentials have been loaded in to HIPB as a single "breach", even though it's not the typical data breach for which the site collects credentials and email addresses.

A VPN is a more secure or private way of connecting to a remote server.

...in both cases the objective is a secure encrypted connection