
Time to Guard: Protect Your Google Account from Advanced Malware


In the ever-changing world of cybersecurity, a new type of threat has emerged and is causing serious concern among experts. Advanced malware such as Lumma Stealer is now capable of something particularly alarming: manipulating authentication tokens, the credentials that keep a signed-in session to your Google account valid. What makes this threat scarier still is that it can keep accessing your Google account even after you have changed your password. In this blog post, we'll explore the details of this evolving danger and shine a light on how it manipulates OAuth 2.0, an important security protocol widely used for secure access to Google-connected accounts.

Of particular concern is its manipulation of OAuth 2.0, which leverages an undocumented aspect of the protocol through a technique known as blackboxing. This makes Lumma Stealer the first malware-as-a-service to employ such a method, and highlights the escalating complexity of cyber threats.

Lumma Stealer's manipulation of OAuth 2.0 is not only a technical challenge but also jeopardises the security of Google-related accounts. Despite requests for clarification, Google has yet to comment on this emerging threat, which gives Lumma Stealer a distinct advantage in the illicit market.

In a concerning trend, several other malware families, including Rhadamanthys, RisePro, Meduza, Steal Stealer and the evolving Eternity Stealer, swiftly adopted Lumma Stealer's exploit. This underscores the urgency for users to update their security practices and stay vigilant against the continuously changing tactics of malicious actors.

The vulnerability traces back to an attacker operating under the pseudonym PRISMA, who unveiled a zero-day exploit in late October. Exploiting the flaw gives an attacker "session persistence": sustained access to the account even after the password has been changed. This emphasises the broad reach of the vulnerability across many cyber threats and the need for urgent user awareness and robust cybersecurity measures.

Exploitation of this vulnerability extends beyond compromising the Google account itself: it lets threat actors manipulate any service connected through OAuth. Pavan Karthick M, a threat researcher at CloudSEK, stresses the serious impact on both individual users and organisations. Once an account is compromised, threat actors can control critical services such as Drive and email login, which emphasises the urgent need to fortify defences against the ever-evolving cybersecurity landscape.

As Lumma Stealer and its counterparts exploit such vulnerabilities, users must adopt proactive security measures. Regularly updating passwords, enabling two-factor authentication and staying informed about emerging threats are essential steps in mitigating the risk. In the face of advancing cyber threats, vigilance and proactive steps remain imperative to safeguard our online presence.
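The "session persistence" described in this post is what you get when a session token is not tied to the credential it was issued under. The following is an added example, written for this page and not taken from the post or from Google's implementation: a minimal token store in which every token records the account's "credential generation", and a password change increments that generation so that every token issued before it stops validating. All function names, the in-memory stores and the sample user and passphrases are constructed for illustration; the PBKDF2 constructor used needs .NET Framework 4.7.2 or later under Windows PowerShell 5.1.

```powershell
# Added example, not from the post and not Google's code: a session-token store
# that binds each token to the account's credential generation. Function names
# and sample values are hypothetical.

$script:Accounts = @{}   # user -> @{ Salt; Hash; Generation }
$script:Tokens   = @{}   # opaque token id -> @{ User; Generation; Expires }

function New-RandomBytes([int]$Count) {
    $buf = New-Object byte[] $Count
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buf) } finally { $rng.Dispose() }
    return $buf
}

function Get-PasswordHash([string]$Password, [byte[]]$Salt) {
    # PBKDF2-HMAC-SHA256; the iteration count is illustrative, not a recommendation.
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $Password, $Salt, 100000, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try { return $kdf.GetBytes(32) } finally { $kdf.Dispose() }
}

function Register-Account([string]$User, [string]$Password) {
    $salt = New-RandomBytes 16
    $script:Accounts[$User] = @{
        Salt = $salt; Hash = (Get-PasswordHash $Password $salt); Generation = 1
    }
}

function Test-AccountPassword([string]$User, [string]$Password) {
    $acct = $script:Accounts[$User]
    if (-not $acct) { return $false }
    $candidate = Get-PasswordHash $Password $acct.Salt
    # Constant-time comparison so the check does not leak how many bytes matched.
    $diff = 0
    for ($i = 0; $i -lt $candidate.Length; $i++) {
        $diff = $diff -bor ($candidate[$i] -bxor $acct.Hash[$i])
    }
    return ($diff -eq 0)
}

function New-SessionToken([string]$User, [string]$Password, [int]$LifetimeMinutes = 60) {
    if (-not (Test-AccountPassword $User $Password)) { throw "bad credentials for $User" }
    $id = [System.Convert]::ToBase64String((New-RandomBytes 32))
    $script:Tokens[$id] = @{
        User       = $User
        Generation = $script:Accounts[$User].Generation   # bound to the generation at issue time
        Expires    = (Get-Date).AddMinutes($LifetimeMinutes)
    }
    return $id
}

function Test-SessionToken([string]$TokenId) {
    $t = $script:Tokens[$TokenId]
    if (-not $t) { return $false }
    if ((Get-Date) -gt $t.Expires) { return $false }
    # The decisive check: without this line a token outlives a password change.
    return ($t.Generation -eq $script:Accounts[$t.User].Generation)
}

function Set-AccountPassword([string]$User, [string]$OldPassword, [string]$NewPassword) {
    if (-not (Test-AccountPassword $User $OldPassword)) { throw "bad credentials for $User" }
    $acct = $script:Accounts[$User]
    $acct.Salt = New-RandomBytes 16
    $acct.Hash = Get-PasswordHash $NewPassword $acct.Salt
    $acct.Generation = $acct.Generation + 1   # revokes every token issued so far
}

# Walk-through with constructed sample values: the token validates before the
# password change and is rejected afterwards.
Register-Account 'alice' 'correct horse battery staple'
$token = New-SessionToken 'alice' 'correct horse battery staple'
"token valid before password change: $(Test-SessionToken $token)"
Set-AccountPassword 'alice' 'correct horse battery staple' 'new-passphrase-for-alice'
"token valid after password change:  $(Test-SessionToken $token)"
```

The generation counter is the whole point: revocation does not require enumerating and deleting tokens, only comparing the generation the token was issued under with the account's current one, and the same counter can be bumped on any other credential event (second-factor reset, explicit "sign out everywhere") that should end existing sessions.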

File-less Malware Is Wreaking Havoc Via PowerShell.

Advanced Volatile Threats (AVTs), also known as file-less malware, are a class of threat that runs directly from memory. PowerShell is the main vehicle cybercriminals use to carry out the attack.

The malware first plants malicious code on the target's system. While the system is running, the code begins collecting the credentials stored on it.

In the case of one victimised company, the malicious code began gathering employees' credentials, including accounts with administrator permissions.

Its next step was to hunt for the organisation's most valuable assets and go straight for them.

The code was designed too cleverly to be spotted by the company's security systems, and the organisation was never alerted.

After doing so much damage to the company and its credibility, the code disappeared without a trace.

These AVTs surfaced around a year ago; what sets them apart is that they operate in memory rather than on the hard drive.

Traditional, old-fashioned threat detection systems have next to no chance of sensing that something is wrong.

PowerShell is the basic medium used to carry out a file-less malware attack.

PowerShell lets system administrators fully automate tasks on servers and workstations.

This means that if cybercriminals take control of a server or workstation, they can easily obtain as many permissions as they wish.

PowerShell is not limited to the Windows operating system itself; Microsoft Exchange, IIS and SQL servers are administered through it as well.

What file-less malware does is force PowerShell to load its malicious code into the console and into RAM.

Once the code executes it becomes a "lateral" attack, meaning it propagates outward from the central server.

Because the malware leaves no traces behind once the dirty work is done, traditional security solutions are never able to determine what was behind the attack.

Only heuristic monitoring systems, if run continuously, could help trace the culprit behind the attack.

Precautionary Measures Against File-less Malware

  • Disable PowerShell (if it is not required to administer systems).
  • If it cannot be disabled, make sure you are running the latest version (PowerShell 5 has better security measures on Windows).
  • Enable only the specific PowerShell features you need, via "Constrained Language" mode.
  • Enable automatic transcription of commands, which helps the system flag suspicious file-less activity.
  • Employ advanced security measures such as always-on anti-malware services.
  • Continuously investigate unknown processes running on the system, as they may be file-less malware.
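As an added example that is not part of the post, the script below audits a single Windows host against the precautions in the list above: it reports the PowerShell version and whether the old v2 engine is still installed, the language mode of the current session, and whether script block logging, module logging and transcription are enabled by policy; with the -Remediate switch it turns those three logging policies on and removes the v2 engine. Disabling PowerShell altogether and enforcing Constrained Language mode are decisions made in AppLocker or WDAC policy, so they are only reported, not changed. Run it from an elevated PowerShell 5.1 session. The transcript directory, the event-count window and the marker list used to triage script block events are assumptions chosen for the example.

```powershell
# Added example, not from the post: audit (and optionally remediate) a host's
# PowerShell logging posture. The transcript path and marker list are assumed values.
[CmdletBinding()]
param([switch]$Remediate)

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # assumption: in practice use a write-only, centrally collected share

function Get-PolicyDword([string]$Key, [string]$Name) {
    try { return (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { return $null }
}

function Set-PolicyValue([string]$Key, [string]$Name, $Value, [string]$Type) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Version. The post recommends PowerShell 5; the legacy v2 engine, if still
#    installed, does not produce 5's script block logs, so check for it as well.
"PowerShell version  : $($PSVersionTable.PSVersion)"
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
if ($v2) {
    "PowerShell v2 engine: $($v2.State)"
    if ($Remediate -and $v2.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    }
}

# 2. Language mode of this session. FullLanguage means Constrained Language is
#    not being enforced for this user; that is set through AppLocker/WDAC policy.
"Language mode       : $($ExecutionContext.SessionState.LanguageMode)"

# 3. Logging and transcription policies that make in-memory activity visible.
$checks = @(
    @{ Label = 'Script block logging'; Key = "$PolicyRoot\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging' },
    @{ Label = 'Module logging';       Key = "$PolicyRoot\ModuleLogging";      Name = 'EnableModuleLogging' },
    @{ Label = 'Transcription';        Key = "$PolicyRoot\Transcription";      Name = 'EnableTranscripting' }
)
foreach ($c in $checks) {
    $on = (Get-PolicyDword $c.Key $c.Name) -eq 1
    "{0,-20}: {1}" -f $c.Label, $(if ($on) { 'enabled' } else { 'NOT enabled' })
    if ($Remediate -and -not $on) { Set-PolicyValue $c.Key $c.Name 1 'DWord' }
}
if ($Remediate) {
    Set-PolicyValue "$PolicyRoot\ModuleLogging\ModuleNames" '*' '*' 'String'   # log every module
    Set-PolicyValue "$PolicyRoot\Transcription" 'OutputDirectory' $TranscriptDir 'String'
    Set-PolicyValue "$PolicyRoot\Transcription" 'EnableInvocationHeader' 1 'DWord'
}

# 4. Recent script block events (ID 4104). Blocks carrying markers typical of
#    in-memory loaders are listed for triage; they are noisy and need a human look.
$markers = 'FromBase64String', 'Invoke-Expression', 'DownloadString', 'Reflection\.Assembly'
$pattern = $markers -join '|'
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-1)
} -MaxEvents 500 -ErrorAction SilentlyContinue
$hits = @($events | Where-Object { $_.Message -match $pattern })
"Suspicious 4104 events (last 24h): $($hits.Count)"
$hits | Select-Object -First 10 TimeCreated, @{ n = 'Snippet'; e = {
    $m = $_.Message -replace '\s+', ' '
    $m.Substring(0, [Math]::Min(120, $m.Length))
} } | Format-Table -AutoSize
```

Step 4 only has something to show once step 3's script block logging has been on for a while, which is the practical reason the post's "enable transcription" advice comes before any hunting for unknown processes: the in-memory code the post describes leaves nothing on disk, so the event log and the transcripts are the record you will have.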