Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label CloudSEK. Show all posts

Fortinet Cybersecurity Breach Exposes Sensitive Customer Data

 

Fortinet experienced a significant cybersecurity breach involving a third-party cloud drive, where 440 GB of data was leaked by a hacker named “Fortibitch” after the company refused to pay the ransom. The breach affected about 0.3% of Fortinet’s customers, roughly 1,500 corporate users, and included sensitive information such as financial documents, HR data, customer details, and more. Experts highlight that the breach underscores the critical need for implementing rigorous cybersecurity measures like multi-factor authentication (MFA) and robust identity access management (IAM) systems. 

Multi-factor authentication is particularly emphasized as a vital layer of defense against unauthorized access, significantly reducing the risk of data exposure when combined with strong identity access management. Organizations need to ensure that they enforce MFA and other identity management protocols consistently, especially for accessing essential systems like SharePoint and cloud storage services. Jim Routh, Chief Trust Officer at Saviynt, pointed out the growing concern over cloud security, given its increased adoption in software development and data storage. He stressed that without proper safeguards, such as MFA and secure access controls, sensitive data is at risk of exposure. 

Cybersecurity analyst Koushik Pal from CloudSEK echoed this sentiment, advocating for stricter IAM policies and urging organizations to regularly monitor repositories for potential misconfigurations, exposed credentials, or sensitive data leaks. This kind of vigilance is necessary for all teams to adhere to security best practices and minimize vulnerabilities. Relying on third-party vendors for data storage, as Fortinet did, is not inherently dangerous but introduces additional risks if strict security protocols are not enforced. The breach serves as a reminder that even established cybersecurity companies can fall victim to attacks, highlighting the need for ongoing vigilance. 

According to Routh, it’s crucial for system administrators to manage accounts meticulously, ensuring that identity access management protocols are properly configured and that privileged access is monitored effectively. The breach exemplifies how cybercriminals exploit security weaknesses to gain unauthorized access to sensitive data. As cloud technologies continue to be integrated into businesses, the responsibility to protect data becomes increasingly important. Cybersecurity experts emphasize that organizations must invest in proper training, regularly update security measures, and remain vigilant to adapt to evolving cyber threats. 

Ensuring that MFA, identity management systems, and monitoring practices are in place can go a long way in protecting against similar breaches in the future. This Fortinet incident serves as a wake-up call, showing that no organization is entirely immune to cyber threats, regardless of its expertise in cybersecurity.

Vietnamese Hackers Target Indian Users with Fake WhatsApp E-Challan Messages

 

A highly technical Android malware campaign orchestrated by Vietnamese hackers is currently targeting Indian users via fake traffic e-challan messages on WhatsApp. Researchers from CloudSEK, a cybersecurity firm, have identified this malware as part of the Wromba family. So far, it has infected over 4,400 devices, resulting in fraudulent transactions amounting to more than ₹16 lakh by just one scam operator. 

Vikas Kundu, a threat researcher at CloudSEK, reported that these scammers send messages impersonating Parivahan Sewa or Karnataka Police, tricking recipients into downloading a malicious app. Once the link in the WhatsApp message is clicked, it leads to the download of a harmful APK disguised as a legitimate application. This malware then requests excessive permissions, including access to contacts, phone calls, SMS messages, and even the ability to become the default messaging app. By intercepting OTPs and other sensitive messages, the attackers can log into victims’ e-commerce accounts, purchase gift cards, and redeem them undetected. 

Kundu explained that once the app is installed, it extracts all contacts from the infected device, enabling the scam to propagate further. Additionally, all SMS messages are forwarded to the attackers, allowing them access to various e-commerce and financial apps. The attackers cleverly use proxy IPs to avoid detection and maintain a low transaction profile. The report indicates that the attackers have accessed 271 unique gift cards, conducting transactions worth ₹16,31,000. 

Gujarat has been identified as the most affected region, followed by Karnataka. To guard against such malware threats, CloudSEK advises users to stay vigilant and adopt security best practices. These include installing apps only from trusted sources like the Google Play Store, regularly reviewing and limiting app permissions, maintaining updated systems, and enabling alerts for banking and sensitive services. This campaign underscores the growing sophistication of cyber threats and the importance of robust cybersecurity measures. 

As cybercriminals continue to develop new methods to exploit vulnerabilities, it is crucial for users to remain cautious and proactive in protecting their personal and financial information. Collaboration between cybersecurity firms and users is essential to effectively combat these evolving threats and safeguard against future incidents. By staying informed and adopting best practices, users can significantly reduce their risk of falling victim to such malicious campaigns.

Hackers Find a Way to Gain Password-Free Access to Google Accounts


Cybercriminals find new ways to access Google accounts

Cybersecurity researchers have found a way for hackers to access the Google accounts of victims without using the victims' passwords.

According to a research, hackers are already actively testing a potentially harmful type of malware that exploits third-party cookies to obtain unauthorized access to people's personal information.

When a hacker shared information about the attack in a Telegram channel, it was first made public in October 2023.

The cookie exploit

The post explained how cookies, which websites and browsers employ to follow users and improve their efficiency and usability, could be vulnerable and lead to account compromise.

Users can access their accounts without continuously entering their login credentials thanks to Google authentication cookies, but the hackers discovered a way of restoring these cookies to evade two-factor authentication.

What has Google said?

With a market share of over 60% last year, Google Chrome is the most popular web browser in the world. Currently, the browser is taking aggressive measures to block third-party cookies.

Google said “We routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.” “Users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.”

What's next?

Cybersecurity experts who first found the threat said it “underscores the complexity and stealth” of modern cyber attacks.”

The security flaw was described by intelligence researcher Pavan Karthick M. titled "Compromising Google accounts: Malware exploiting undocumented OAuth2 functionality for session hijacking."

Karthick M further stated that in order to keep ahead of new cyber threats, technical vulnerabilities and human intelligence sources must be continuously monitored. 

“This analysis underscores the complexity and stealth of modern cyber threats. It highlights the necessity for continuous monitoring of both technical vulnerabilities and human intelligence sources to stay ahead of emerging cyber threats. The collaboration of technical and human intelligence is crucial in uncovering and understanding sophisticated exploits like the one analyzed in this report,” says the blog post. 



Diwali Shopper Beware: Cyber Experts Uncover Fake Flipkart, Amazon Sites Exploiting Festive Fervor

 


CloudSEK's threat research team has discovered a rise in malicious activities targeted at festive shoppers during the Diwali celebrations, which is a reminder of how vulnerable shoppers are to malicious activity. Cyber experts have noticed that phishing scams and fraud schemes have increased as a result of the festival season and are targeting consumers with a variety of fraudulent schemes and scams designed to take advantage of the occasion. 

Amidst the festive season of Diwali, there's a dark side lurking about the internet that needs to be addressed. A hacker team at CloudSEK has revealed that the holiday season is leading to the emergence of numerous sneaky online scams. Diwali shoppers are being hit hard by these shady schemes, especially on popular platforms to get the best deals in time for the special day. 

A series of phishing campaigns have been discovered by CloudSEK’s cyber intelligence team which is targeting the recharge and e-commerce industries to disrupt their operation. As a result of these malicious actors, prominent brands' reputations are being tarnished, causing them to cease their operations during the festive season so that they can intensify their activities using tactics such as crypto redirects and betting schemes. 

CloudSEK has recently detected 828 suspicious domains linked to phishing activities, in which the culprits attempt to deceive individuals into divulging their personal information by falsely presenting themselves as an official Facebook page. It has been reported that the head of cloud surveillance platform CloudSEK, Rishika Desai, has shed light on the spike in fake shopping websites during the Diwali celebrations this year. 

There have been reports that these scams have gone beyond mere disruption of online shopping for a customer to full-blown financial fraud that involves hackers posing as customer service representatives and swindling unknowing consumers out of their money. 

In the case of Diwali, when cybercriminals exploit the festive mood, exploiting potential lapses in vigilance among celebrants, early detection of these tactics must be explored to avoid potential repercussions. During the holiday season, many new websites have emerged with the name 'Diwali' in them, pretending to be huge Indian e-commerce sites, posing as big Indian e-commerce players. They even used tricky tricks like typosquatting to make their fake sites appear genuine. 

They changed 'shop.com' into 'shoop. Xyz - the same look, same content, just out to fool you into thinking they had done it. Newly registered Diwali domains closely mimic the brands of leading Indian e-commerce vendors, exploiting the massive demand from e-commerce consumers. 

Phishing campaigns are exploiting this demand. In particular, typosquatting techniques can create a sense of legitimacy in a less technologically advanced audience by giving these domains a sense of legitimacy. There is an interesting aspect to the fraud discovered by CloudSEK that most of these fraudulent websites featured admin panels. 

Upon receiving the report, these pages were promptly removed and reported as brand abuse. However, an error message appeared on the backend of most of these sites. The researchers at CloudSEK, along with many of their colleagues, were able to identify instances of betting redirects, including domains with keywords like 'Diwali' and 'Pooja', hosted by Megalayer in Hong Kong. 

It was discovered that fraudsters exploited the increased internet traffic during to Diwali period to redirect users to various Chinese betting sites. Cybercriminals exploit the increase in internet traffic to build malicious sites that mimic actual gambling sites to target traffic. The redirection of cryptocurrency websites was also found on social media channels, where genuine users were misled into registering with unreliable cryptocurrency websites through the use of cryptocurrency redirects.

It is common for cybercriminals to lure users to questionable crypto platforms by offering them freebies, resulting in potential financial losses. "Hackers often employ cunning tactics such as giving users freebies or bribes to lure them into creating accounts," said Rishika Desai, urging users to exercise caution, stay vigilant, and report any suspicious activity to prevent becoming victims of such frauds. 

As the festive season approaches, users are strongly advised to exercise caution, remain vigilant, and report any suspicious activities to prevent falling victim to these frauds. Once hooked, victims are gradually encouraged to deposit funds, often leading to substantial financial losses." 

There has been an e-commerce website selling jewellery identified as promoting a Trojan application and encouraging customers to download it. The domain name included the word 'Diwali', which leads to the application containing Android Trojan malware. 

Here Are Some Tips to Stay Safe This Diwali


  1. It is recommended not to open emails or messages that seem suspicious. 
  2. Clicking on links or attachments from individuals you do not know is a bad idea. 
  3. When sharing links on social media from sources users are not familiar with, they should proceed with caution. 
  4. Gift cards should be purchased from a reputable source. 
  5. It is also important to be aware of job ads that promise high salaries for minimal work. 

These might be scams and should be avoided. Send a report to the moderator so that the post can be investigated. Several digital tricksters are working in full force during Diwali, so Diwali shoppers are advised to remain vigilant. 

To keep from being victimized by online scams, it is recommended to take a little extra precaution when purchasing gifts online. As part of ensuring that a safe and joyful Diwali celebration takes place for all, it is crucial to report any suspicious activity.

Globally, Over 4 Million Shopify Users Are at Risk

 


In a report published on Friday by CloudSEK's BeVigil, a security search engine for mobile apps, it has been found that over four million users of e-commerce apps around the world are exposed to the risk of hardcoded Shopify tokens.   

As an e-commerce platform, Shopify allows anyone to create a store that enables them to sell their products online and allows businesses to do the same. Shopify is expected to be used by more than 4.4 million websites by the end of 2023 and is located in more than 175 countries. 
 
Researchers are claiming that there is a risk that crooks will gain access to sensitive data belonging to millions of Android users with e-commerce apps. 

It was recently revealed in a CloudSEK BeVigil report that researchers discovered 21 e-commerce apps that had 22 hardcoded Shopify API keys and that these keys/tokens could potentially expose the personally identifiable information (PII) of roughly four million users to the possibility of identity theft. 

A hardcoded API key becomes visible to anyone with access to the code, including attackers and unauthorized users, as soon as the key is hardcoded in the code. An attacker can access sensitive data and perform actions on behalf of the program if they can access the hardcoded key. They can then use it to access sensitive data. The company said in a press release that even if they do not have the authorization to do so, they could still do it of their own volition. 

Information About Credit Cards

It is estimated that at least 18 of the 22 hardcoded keys allow attackers to use them to view sensitive data that belongs to customers. The researchers explained that this is based on their findings further in their report. A second report provided by the researchers states that seven API keys enable users to view and modify gift cards. In addition, six API keys allow a threat actor to steal information about payment accounts.  

As part of the sensitive data, collect name, email address, website address, country, address complete, phone number, and other information related to the shop owner is collected. The site also enables customers to access information regarding their past orders and their preferences for receiving emails.  

Regarding information on payment accounts, threat actors may be able to access details about banking transactions, like credit or debit cards used by customers to make purchases. These can be obtained by obtaining the BIN numbers of credit cards, the ending numbers of the cards, the name of the company that issued the cards, the IP addresses of browsers, the names on the cards, expiration dates, and other sensitive information. 

According to the researchers, one of the exposed API keys used by the shop provided shop details on authentication, hoping to show their point. 

Researchers have also pointed out that this is not a Shopify employee error but rather a widespread issue with app developers leaking API keys and tokens to third parties.   

An e-commerce platform such as Shopify enables businesses of all sizes to easily create an online store and, in turn, sell their products online. It is estimated that there are more than four million websites with Shopify integration today, enabling both physical and digital purchases from their online shoppers.   

CloudSEK notified Shopify about their findings however, no response has yet been received from Shopify in response.   

Missile Supplier MBDA Breach Disclosed by CloudSEK

In July, a threat actor operating by the online alias Adrastea claimed to have breached MBDA. The threat actor describes itself as a team of independent cybersecurity experts and researchers.

According to Adrastea, they have taken 60 GB of sensitive data and discovered significant flaws in the organization's infrastructure. As per attackers, the stolen material includes details about the remaining workforce participating in military programs, business ventures, contract agreements, and correspondence with other businesses.

A new advisory about the suspected hacking campaign against MBDA has been published by security researchers at CloudSEK. The blog site, posted on Sunday, claimed that CloudSEK's researchers were successful in locating and decrypting the password-protected ZIP file holding the evidence for the data breach. 

The hackers uploaded a post in which the password to unlock the file was mentioned. Two folders with the names 'MBDA' and 'NATO Diefsa' were included in the ZIP file.

The folder, according to the security professionals, contained files outlining the private personally identifiable information (PII) of MBDA's employees as well as numerous standard operating procedures (SOPs) supporting the need for NATO's Counter Intelligence to prevent threats related to terrorism, espionage, sabotage, and subversion (TESS).

The SOPs define NATO collection and plan functions, roles, and practices utilized in support of NATO operations and exercises. According to CloudSEK, "the SOPs also contain all IRM & CM (Intelligence Requirement Management and Collection Management) process activities that result in the successful and efficient execution of the intelligence cycle." 

Internal drawings of missile system wiring diagrams, electrical schematic diagrams, and records of actions connecting the MBDA to the European Union's Ministry of Defence were also apparently included in the retrieved papers. 

The cybersecurity firm made it clear that Adrastea's reputation as a threat actor is currently poor due to the numerous objections and concerns noted in the dark web forums where hackers purportedly posted the MBDA material. 

Furthermore, as this is the group's first known activity, it is challenging to determine whether the material posted is accurate. 


How Leaked Twitter API Keys Can be Used to Build a Bot Army

CloudSEK’s Attack Surface Monitoring Platform recently found a list of 3,207 mobile apps that are exposing Twitter API keys in the clear, some of the keys are being utilized to gain illegal commands on Twitter handles associated with them. 

CloudSEK reported that the takeover is made possible because of the leak of legitimate Consumer Key and Consumer Secret information Singapore-based cybersecurity firm.  

Additionally, cloudsek Attack Surface Monitoring Platform discovered that 3207 apps were leaking valid Consumer Key and Consumer Secret. 230 apps, some of which are unicorns, were leaking all 4 Auth Creds and can be used to fully take over their Twitter Accounts to perform critical/sensitive actions such as: 

• Read Direct Messages 
• Retweet 
• Like 
• Delete 
• Remove followers 
• Follow any account 
• Get account settings 
• Change display picture 

"Out of 3,207, 230 apps are leaking all four authentication credentials and can be used to fully take over their Twitter Accounts and can perform any critical/sensitive actions," the researchers said. 

To get access to the Twitter API, hackers have to generate secret keys and access tokens, which act as the usernames and passwords for the apps as well as the users on whose behalf the API requests will be made. Further, the researchers said, this can range from reading direct messages to carrying out arbitrary actions including retweeting, liking, and deleting tweets, removing followers, following any account, accessing account settings, and even changing the account profile picture. 

With access to this information, malicious actors can create a Twitter bot army that could compromise to spread misinformation on the social media platform. 

“The Twitter bot army that we will try to create can fight any war for you. But perhaps the most dangerous one is the misinformation war, on the internet, powered by bots. Time Berners-Lee, the founding father of the internet said that it is too easy for misinformation to propagate because most people get their news from a small set of social media sites and search engines that make money from people clicking on links. These sites’ algorithms often prioritize content based on what people are likely to engage with, which means fake news can “spread like wildfire”, CloudSEK reported.