CySecurity News - Latest Information Security and Hacking Incidents: Credential Theft

AI Security bank transfer fraud ChatGPT-4o Credential Theft cybercriminals Deepfake financial scams OpenAI Technology text-to-speech tools voice API

UIUC Researchers Expose Security Risks in OpenAI's Voice-Enabled ChatGPT-4o API, Revealing Potential for Financial Scams

Researchers recently revealed that OpenAI’s ChatGPT-4o voice API could be exploited by cybercriminals for financial scams, showing some success despite moderate limitations. This discovery has raised concerns about the misuse potential of this advanced language model.

ChatGPT-4o, OpenAI’s latest AI model, offers new capabilities, combining text, voice, and vision processing. These updates are supported by security features aimed at detecting and blocking malicious activity, including unauthorized voice replication.

Voice-based scams have become a significant threat, further exacerbated by deepfake technology and advanced text-to-speech tools. Despite OpenAI’s security measures, researchers from the University of Illinois Urbana-Champaign (UIUC) demonstrated how these protections could still be circumvented, highlighting risks of abuse by cybercriminals.

Researchers Richard Fang, Dylan Bowman, and Daniel Kang emphasized that current AI tools may lack sufficient restrictions to prevent misuse. They pointed out the risk of large-scale scams using automated voice generation, which reduces the need for human effort and keeps operational costs low.

Their study examined a variety of scams, including unauthorized bank transfers, gift card fraud, cryptocurrency theft, and social media credential theft. Using ChatGPT-4o’s voice capabilities, the researchers automated key actions like navigation, data input, two-factor authentication, and following specific scam instructions.

To bypass ChatGPT-4o’s data protection filters, the team used prompt “jailbreaking” techniques, allowing the AI to handle sensitive information. They simulated interactions with ChatGPT-4o by acting as gullible victims, testing the feasibility of different scams on real websites.

By manually verifying each transaction, such as those on Bank of America’s site, they found varying success rates. For example, Gmail credential theft was successful 60% of the time, while crypto-related scams succeeded in about 40% of attempts.

Cost analysis showed that carrying out these scams was relatively inexpensive, with successful cases averaging $0.75. More complex scams, like unauthorized bank transfers, cost around $2.51—still low compared to the potential profits such scams might yield.

OpenAI responded by emphasizing that their upcoming model, o1-preview, includes advanced safeguards to prevent this type of misuse. OpenAI claims that this model significantly outperforms GPT-4o in resisting unsafe content generation and handling adversarial prompts.

OpenAI also highlighted the importance of studies like UIUC’s for enhancing ChatGPT’s defenses. They noted that GPT-4o already restricts voice replication to pre-approved voices and that newer models are undergoing stringent evaluations to increase robustness against malicious use.

Rising Threat of Stolen Credentials and Initial Access Breaches



 

Stolen Credentials

Credential Theft Cyber Security Cyber Threats initial access breaches Malware attacks Password Security Stolen Credentials

Rising Threat of Stolen Credentials and Initial Access Breaches

Weak or reused passwords continue to pose significant risks for organizations, as criminals increasingly exploit stolen credentials to access user accounts. This trend has fueled a thriving market for stolen credentials and the initial access they provide. The ENISA Threat Landscape 2023 report highlights a year-over-year growth in the Initial Access Broker (IAB) market, with credentials being the primary commodity for sale.

Stealer malware frequently infiltrates victim machines through social engineering tactics, primarily phishing, and sometimes through paid distribution schemes using the Emotet and Qakbot botnets. Other campaigns entice users to download seemingly legitimate software via malvertising.

ENISA anticipates that future social engineering campaigns will adapt to new defensive measures aimed at protecting credentials from abuse.

Increasing Challenges with Stolen Credentials

Organizations face growing challenges with stolen credentials. The Verizon 2024 Data Breach Investigation Report (DBIR) reveals a 180% increase in attacks exploiting vulnerabilities to initiate breaches compared to the previous year. Stolen credentials were the leading initial action in breaches, accounting for 24%, just ahead of ransomware at 23%.

Fraudsters employ various methods to steal credentials, including malware that steals passwords and sells them on the dark web. Popular tools for this purpose include Redline, Vidar, and Raccoon Stealer. The FBI has warned of cybercriminals using search engine advertisements to impersonate brands and direct users to malicious sites that host ransomware to steal login credentials.

Credentials can also be compromised through brute force attacks, where cybercriminals use tools to test password combinations until the correct one is found. These methods range from simple trial and error to more sophisticated dictionary attacks, exploiting common password choices.

Potential for Major Breaches

The Solarwinds attack, described by Microsoft Corp President Brad Smith as "the largest and most sophisticated attack the world has ever seen," exemplifies the potential danger of stolen credentials. A compromised SolarWinds password was discovered on a private Github repository, where an intern had set the password "solarwinds123" on an account with access to the company's update server.

Other notable examples include the Dropbox breach, which impacted millions of users. A Dropbox employee reused a password from a LinkedIn breach, where millions of passwords were accessed by thieves.

ENISA notes that while abusing valid accounts for initial access is not a new technique, it remains effective for cybercriminals. Misconfigured accounts and those with weak passwords are particularly vulnerable. Although multi-factor authentication (MFA) can prevent many attacks, it is not foolproof, with actors intercepting MFA codes and harassing users with push notifications.

ENISA expects credentials to remain a focal point for cybercrime actors despite technical protective measures, as these actors continually find ways around them.

Cybersecurity experts recognize the danger of stolen credentials and the necessity of strong security measures. However, complacency is not an option. The threat posed by stolen credentials is constantly evolving, necessitating ongoing adaptation.

Organizations must enforce the creation of strong passwords resistant to brute force attacks and other forms of exploitation. Specops Password Policy can help build robust password policies by:

Generating personalized dictionary lists to prevent the use of commonly used words within the company.
Providing immediate and interactive updates to users when changing passwords.
Restricting the use of usernames, display names, certain words, consecutive characters, incremental passwords, and repeating parts of previous passwords.
Applying these features to any GPO level, computer, individual user, or group within the organization.
Continuously scanning for and blocking over 4 billion compromised passwords, ensuring that breached passwords are found daily.

Increasing overall password security, enforcing good password hygiene, and eliminating weak passwords enhance the security of Active Directory environments and privileged accounts. Organizations must prepare their defenses by scanning for password vulnerabilities in Active Directory to detect weak and compromised passwords.

Hackers Reveal Their Strategy of Stealing Snowflake's Ticketmaster Data



 

Malicious Campaign

CISA Credential Theft Data Breach Data Leak Malicious Campaign

Hackers Reveal Their Strategy of Stealing Snowflake's Ticketmaster Data

Ticketmaster and other organisations' Snowflake accounts were said to have been accessed by a ShinyHunters hacker via a breach of software engineering firm EPAM Systems, validating a Mandiant report attributing some of the intrusions to third-party contractor hacks, Wired reported.

According to the hacker, information-stealing malware and a remote access trojan deployed against one of EPAM Systems' Ukraine-based employees allowed ShinyHunters to gain access to unencrypted credentials used by the employee to access the firm's customers' Snowflake accounts, which were then used to infiltrate the Snowflake accounts, including the one owned by Ticketmaster.

EPAM ruled out the ShinyHunters hacker's claims, but independent security researcher "Reddington" discovered an infostealer-harvested data repository online, including the internal EPAM URL to Ticketmaster's Snowflake account and the credentials employed by the EPAM worker to access Ticketmaster's account.

"This means that anyone that knew the correct URL to [Ticketmaster’s] Snowflake could have simply looked up the password, logged in, and stolen the data" noted Reddington.

In the hacking campaign targeting Snowflake's clients, nearly 165 customer accounts were potentially compromised, but only a few of these have been identified thus far. In addition to Ticketmaster, the banking corporation Santander has recognised that their data was stolen but has neglected to name the account from which it was taken.

However, a local media outlet has confirmed that it was a Snowflake account; the stolen data included bank account information for 30 million customers, including 6 million account numbers and balances, 28 million credit card numbers, and human resources information about employees, according to a post published by the hackers. Lending Tree and Advance Auto Parts have also confirmed that they could possibly be victims of this campaign.

In a notice published earlier this week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged that organisations follow Snowflake's recommendations to look for signals of odd behaviour and take precautions to prevent unauthorised access. A similar advice issued by the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) warned of "successful compromises of several companies using Snowflake environments.”

Notorious Cyber Gang UNC3944 Shifts Focus to SaaS Apps vSphere and Azure



 

Threat Landscape

Credential Theft Cyber Crime Cyber Extortion Cyber Gang SaaS Apps Threat Landscape

Notorious Cyber Gang UNC3944 Shifts Focus to SaaS Apps vSphere and Azure

The notorious cyber gang UNC3944, which is suspected of involvement in the recent attacks on Snowflake and MGM Entertainment, among other things, has modified its methods and is now targeting SaaS apps.

According to Google Cloud's Mandiant threat intelligence team, UNC3944's operations coincide significantly with those of the assault groups known as "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider." The group's operations began with credential harvesting and SIM swapping attacks, progressed to ransomware and data theft extortion, and has now transitioned to "primarily data theft extortion, without the use of ransomware.”

Mandiant claimed to have heard recordings of UNC3944's calls to corporate help desks, in which it attempted social engineering attacks.

"The threat actors spoke with clear English and targeted accounts with high privilege potential,” Mandiant's researchers noted last week. In some cases, callers already possessed victims' personally identifiable information – allowing the attackers to bypass identity verification checks.

Scammers posing as callers from UNC3944 would frequently say they were getting a new phone, requiring an MFA reset. Help desk employees would enable the attackers to reset passwords and get around MFA protections if they allowed such reset.

"UNC3944 has occasionally resorted to fearmongering tactics to gain access to victim credentials," Mandiant added. "These tactics include threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material.”

When the hackers infiltrated an organization's infrastructure, they would immediately hunt for information on tools such as VPNs, virtual desktops, and remote telework programmes that would provide persistent access. Access to Okta was another target; tampering with the vendor's single sign-on tools (SSO) allowed attackers to create accounts that could be used to log into other systems.

VMware's vSphere hybrid cloud management tool was one of the targets of attacks resulting from compromised SSO tools. Microsoft Azure was another option. Both were intended to allow UC3944 operatives to design virtual machines within an organisation and use them for malicious purposes. This makes sense because most of an organization's resources will use IP addresses within a safe range.

STR RAT: A Persistent Remote Access Trojan



 

STR RAT

Credential Theft cybersecurity threat Java Malware keylogging Malicious Payloads malware Phishing Campaigns Remote Access Trojan STR RAT

STR RAT: A Persistent Remote Access Trojan

The STR RAT is a remote access trojan (RAT) written in Java, first detected in 2020. Like other RATs, it allows threat actors full control of an infected machine. STR RAT is capable of keylogging, credential theft, and deploying additional malicious payloads.

The malware is updated annually, aligning with its renewed use by threat actors. Cofense's analysis from January 2023 to April 2024 reveals that 60% of STR RAT samples are delivered directly via email rather than embedded links.

History of STR RAT

STR RAT resembles a seasonal flu, with yearly updates making it more prominent for short periods. Initially discovered on an antivirus forum in 2020, version 1.2 already featured keylogging, password theft, and backdoor access, along with a fake “.crimson” ransomware module that only renamed files. In 2021, Microsoft Threat Intelligence highlighted STR RAT in phishing campaigns. By 2022, it spoofed the Maersk shipping brand and employed a polyglot file technique, allowing execution as an MSI or Java file. In 2023, version 1.6 used Zelix KlassMaster and Allatori for code obfuscation. In 2024, STR RAT was uploaded to legitimate services like GitHub and AWS, making it harder to detect.

STR RAT steals passwords from Chrome, Firefox, Internet Explorer, and email clients like Outlook, Thunderbird, and Foxmail. Key commands include o-keylogger for logging keystrokes, down-n-exec for file execution, remote-screen for commandeering the computer, and power-shell for PowerShell access.

Current Usage and Impact

Though not as prevalent as other RATs like Remcos, STR RAT showed sustained activity from March to August 2023, likely due to the new version and polyglot file technique. In March 2024, significant activity was noted again, attributed to the use of legitimate services like GitHub and AWS for hosting and delivering the malware. STR RAT is typically delivered via email as an archive containing a .jar file, requiring a Java Runtime Environment (JRE) to execute. These archives may also contain necessary JRE binaries or download them from Maven and GitHub repositories.

Delivery Mechanisms

STR RAT's second most common delivery mechanism is loaders, which reach out to a payload location to download and run the malware. Jar Downloaders, CVE-2017-11882 exploits in Microsoft Office, and Windows Registry File downloaders are commonly used loaders. Additionally, embedded URLs in emails or attached PDFs often lead to the malware hosted on legitimate services like AWS, GitHub, and Discord’s CDN.

Unlike loaders, droppers contain the malware to be deployed. STR RAT's most common dropper is the JavaScript Dropper (JS Dropper), a .js file that executes natively on Windows. JS Droppers are usually attached to emails and contain both the dropper and STR RAT.

Behavior and Capabilities

Upon execution, STR RAT places files, creates persistence, and installs dependencies. It uses geolocator services to geo-fingerprint infected computers and sends system information to its command-and-control (C2) server. The malware also uses legitimate Java libraries for keylogging and database connectivity.

Detection and Hunting

Different versions of STR RAT leave various indicators of compromise (IOCs). After execution, STR RAT copies itself to multiple locations, creates a \lib\ folder with legitimate files, and generates a XXXXlock.file in the user's local home profile. The configuration can be observed through memory analysis, revealing the C2 server, port, and domain.

Persistence

STR RAT can create persistence through Registry Run Keys, Startup Folder entries, or Scheduled Tasks, ensuring the malware runs every time the user logs in. Endpoint detection and response software can monitor specific locations for signs of STR RAT persistence.

Network Traffic

STR RAT communicates with C2 servers using subdomains of free dynamic DNS services and legitimate services like GitHub and Maven. HTTP is used for C2 communications, though the port is not the standard tcp/80.

Legitimate Services

STR RAT reaches out to legitimate services for hosting tools and malware. Indicators of suspicious activity include access to GitHub and Maven repositories in conjunction with other malicious behaviors.

By understanding STR RAT's history, capabilities, and delivery mechanisms, cybersecurity professionals can better detect and defend against this persistent threat.



 

Networks

Active Directory Cloud Computing Credential Theft cyber attack Cyber Attacks Networks

Why Active Directory Is A Big Deal?

In a cutting-edge study by XM Cyber and the Cyentia Institute, a comprehensive analysis has unveiled a startling reality: a staggering 80% of cybersecurity vulnerabilities within organisations stem from issues related to Active Directory. This might sound like tech jargon, but basically, it's a crucial part of how computers in a company talk to each other.

Active Directory functions as the central nervous system of an organisation's digital environment. Its vulnerabilities, often stemming from misconfigurations and attempts to compromise user credentials, pose significant risks. Tools like Mimikatz further exacerbate these vulnerabilities, enabling malicious actors to exploit weaknesses and gain unauthorised access.

Cloud Computing: New Risks, Same Problems

Even though we talk a lot about keeping things safe in the cloud, it turns out that's not always the case. More than half of the problems affecting important assets in companies come from cloud services. This means attackers can jump between regular computer networks and the cloud, making it harder to keep things safe.

Different Industries, Different Worries

When it comes to who's facing the most trouble, it depends on the industry. Some, like energy and manufacturing, have more issues with things being exposed on the internet. Others, like healthcare, deal with way more problems overall, which makes sense since they have a lot of sensitive data. Tailored strategies are essential, emphasising the importance of proactive measures to mitigate risks effectively.

What We Need to Do

Zur Ulianitzky, Vice President of Security Research at XM Cyber, emphasises the need for a holistic approach to exposure management. With a mere 2% of vulnerabilities residing in critical 'choke points,' organisations must broaden their focus beyond traditional vulnerability patching. Prioritising identity management, Active Directory security, and cloud hygiene is vital in making sure our cloud services are safe.

We need to be smarter about how we protect our computer systems. We can't just focus on fixing things after they've gone wrong. We need to be proactive and think about all the ways someone could try to break in. By doing this, we can make sure our businesses stay safe from cyber threats. Only through concerted efforts and strategic investments in cybersecurity can organisations stay ahead of the curve and protect against the ever-present spectre of cyber threats.

More than 800 False "Temu" Domains Trick Customers Into Losing Their Credentials



 

Temu

Credential Theft Fake Domains Phishing scam Privacy Temu

More than 800 False "Temu" Domains Trick Customers Into Losing Their Credentials

Cybersecurity experts caution against falling for Temu phishing scams since they use phony freebies to obtain passwords. In the last three months, more than 800 new "Temu" domains have been registered.

The most recent company that con artists have used for their phishing schemes is Temu. With over 800 new domains registered as "Temu" in the last three months, cybersecurity researcher Jeremy Fuchs of Checkpoint's Harmony Email has observed that hackers are taking advantage of Temu's giveaway offers to persuade users to divulge their passwords.

Just so you know, Temu is an international e-commerce site with 40% of its users residing in the United States. It provides customers with direct shipping of discounted goods. Launched in 2022, Temu is accessible in 48 nations, encompassing Australia, Southeast Asia, Europe, and the Middle East.

It ranks second in the Apple App Store and first in the Google Play Store for shopping apps as of February 7, 2024. The majority of app users are older folks, aged 59 and up.

The Scam

According to analysts, Temu Rewards is the source of the example phishing email. On closer inspection, though, you'll see that it was received from an unconnected onmicrosoft.com email account. The email has a link to a page that harvests credentials and a blank image. By telling recipients they have won, the threat actors hope to draw in receivers.

Phishing and Brand Names

Threat actors have previously used popular brands and current trends to their advantage to obtain sensitive data, including credentials, from unsuspecting consumers.

Cyjax researchers uncovered a sophisticated phishing campaign that was aimed at over 400 firms in a variety of industries. To spread malware and get money from advertisements, the con artists—who most likely have Chinese ties—used 42,000 domains, and at least 24,000 survey and landing pages to advertise the scheme.

Bloster AI cybersecurity experts have uncovered a USPS Delivery phishing campaign that employs sophisticated tactics to target victims in the United States. CheckPhish from Bolster found more than 3,000 phishing domains that imitated Walmart. Customers were misled by the advertising into believing they had failed delivery and unpaid bills. Threat actors have refined their attack strategies, moving from misleading messaging to enticing victims to download apps that steal banking or financial data.

In January 2024, it was found that business owners of Meta Platforms, Inc. were the target of a phishing scam that attempted to obtain their email addresses and passwords to gain control of their Facebook page, profile, and financial information. The hoax created a sense of urgency and authenticity by leveraging Meta Platforms' authority.

Cybersecurity and Temu

Temu has experienced several cybersecurity-related problems, including claims that it was gathering data from users and devices, including SMS messages and bank account details.

A class-action lawsuit was launched in November 2023 in the United States, claiming that the corporation had obtained its customers' data illegally. Moreover, an additional revelation emerged that implicated Temu in the unapproved release of customer information, specifically concerning data that allegedly surfaced for sale on the dark web following transactions made by users of the app.

Infostealer Malware Exposes Over 100K Accounts From Hacking Forums



 

malware

Credential Theft Data Leak Hacker Forum Infostealer malware

Infostealer Malware Exposes Over 100K Accounts From Hacking Forums

Security experts identified over 140,000 compromised passwords linked to accounts on hacker forums after their owners were infected with data-stealing malware.

Hudson Rock searched its cybercrime intelligence database for infected computers with credentials connected with the top 100 cybercrime sites. It discovered 120,000 identical computers, claiming that many of them belonged to hackers.

When a machine is infected with information-stealing malware, a "substantial" amount of data, including emails and account usernames, auto-fill data containing personal information such as addresses and phone numbers, and system information such as IP addresses, can be retrieved, security firm explained.

“Info-stealer infections as a cybercrime trend surged by an incredible 6000% since 2018, positioning them as the primary initial attack vector used by threat actors to infiltrate organisations and execute cyber-attacks, including ransomware, data breaches, account overtakes, and corporate espionage,” the company added.

Redline, Raccoon, and Azorult accounted for the majority of the info-stealer malware that was discovered throughout the research. The analysis found that the majority of those exposed were from Tunisia, then Malaysia, Belgium, the Netherlands, and Israel.

The cybercrime forum "Nulled.to," which was followed by "Cracked.io" and "Hackforums.net," had the most users who had been exposed to malware.

It's interesting that the research team discovered that a large portion of the credentials used on hacking sites were more robust than those employed on government and military websites.

“By analyzing passwords of users from the various forums, Hudson Rock determined that the forum with the strongest user passwords is Breached.to, while the one with the weakest user passwords is the Russian site Rf-cheats.ru,” the vendor concluded.

The cybercrime underground frequently sees a high number of usernames and passwords in circulation. SpyCloud detected billions more pieces of personal information (PII) and almost 1.5 billion compromised log-in combinations online in 2021.

SpyCloud discovered that 60% of credentials for users who had multiple passwords exposed were shared across accounts, and that number rose to 87% for US.gov emails, leaving them vulnerable to brute force attacks and credential stuffing.

Prevention tips

Having strong, dependable antivirus software installed on your device and keeping it updated on a regular basis is the best preventative measure you can take.

You should also use antivirus software that has dark web monitoring technologies so that you'll be immediately informed if your information is compromised. You can either do this by changing your login details or by warning your friends and family to be on the lookout for scammers impersonating as you.

Data of 4,000 Patients at VCU Health Exposed



 

User Privacy

Credential Theft Data Leak Healthcare Privacy User Privacy

Data of 4,000 Patients at VCU Health Exposed

A recent incident compromising the privacy of user-protected health information has been reported by Virginia Commonwealth University Health System.

The institution revealed the confidential health information of almost 4,000 individuals for 16 years. According to VCU Health's research, the information was available to donors, and recipients as early as January 4, 2006.

There is no proof, according to VCU Health, that any information has been exploited. There were 4,441 donors and beneficiaries in total for this incidence.

On February 7, 2022, a data leak was discovered. On March 29 and May 27, 2022, additional details about the categories of data involved, were disclosed. The information which could be seen in the medical records of other transplant patients or donors included names, Social Security numbers, lab results, medical record numbers, and dates of service.

Customers who are notified have been reminded to keep an eye out for any fraudulent behavior by regularly monitoring their financial account statements. Individuals who may have had their Social Security data exposed have been provided free credit monitoring.

''Many health care systems are built in a way that sensitive data, such as SSNs, DOBs, or other PII/PHI, is either not shared at all, is at least hidden on the screen by default, and reading them requires additional step-up verification.'' The Synopsys Software Integrity Group's Ashutosh Rana, a senior security consultant, stated.

84% of US Businesses Experienced Identity-Related Breaches



 

User Privacy

Credential Theft Cyber Attacks MFA Phishing Attacks Security Breach User Privacy

84% of US Businesses Experienced Identity-Related Breaches

According to new information from the non-profit Id Outlined Safety Alliance, the range of security breaches resulting from phishing or exploiting identities has reached epidemic proportions (IDSA). For its 2022 Developments in Securing Digital Identities report, the IDSA surveyed 500 US identity and security experts.

In the past year, 84 % of respondents reported having suffered an identity-related hack, with the clear majority (78 %) stating that it had a direct effect on the firm. Increased identity fraud in the corporate sector daily contributes to the issue.

When leaders prioritize identity security, risky behavior is reduced. 71 % of companies have executives who publicly address staff members about password security. In the light of that, risky security behaviors were acknowledged by 60% of IT/security stakeholders.

Having focused on the fundamentals and investments in security outcomes 97% will invest in identity-focused security results. MFA is a major area of interest, especially for employees and privileged users.

The report suggested a few basic steps businesses may take to enhance security outcomes of unauthorized access. When executives discuss corporate credentials, for instance, the survey found that 72% of respondents are more cautious with their work passwords than with using personal passwords.

However, it seems that businesses are making sense. Almost all respondents (97%) stated they intended to invest in "identification-focused security outcomes," and 94 % reported that identity investments are a part of strategic efforts, such as cloud adoption (62 %), the deployment of Zero Trust (51 %), and digital transformation activities (42% ).

According to the Anti-Phishing Working Group(APWG), phishing reached an all-time high in the first quarter of 2022.

Microsoft Accounts Attacked by Russian-Themed Credential Theft



 

Ukraine

Credential Theft Credentials Harvesting Cyber Attacks Data Hacking Email Fraud Microsoft Spam Mails Ukraine

Microsoft Accounts Attacked by Russian-Themed Credential Theft

The Ukrainian conflict is being capitalized by malicious emails notifying Microsoft users of "unusual sign-in activity" from Russia. While there are valid concerns that the Russian-Ukrainian conflict would launch a global cyber warfare conflagration, small-time cybercriminals are stepping up their efforts amid the crisis.

According to Malwarebytes, which discovered a slew of spam emails referencing Russian hacking activities. Phishing emails to Microsoft users have begun to circulate, warning of Moscow-led account hacking and attempting to steal credentials and other personal information. The messages' subject line reads, "Microsoft account unusual sign-in activity." The text in the body is as follows:

“Unusual sign-in activity

We detected something unusual about a recent sign-in to the Microsoft account

Sign-in details

Country/region: Russia/Moscow

IP address:

Date: Sat, 26 Feb 2022 02:31:23 +0100

Platform: Kali Linux

Browser: Firefox

A user from Russia/Moscow just logged into your account from a new device, If this wasn’t you, please report the user. If this was you, we’ll trust similar activity in the future.

Report the user

Thanks,

The Microsoft account team”

According to Malwarebytes' Tuesday research, the emails then include a button to "report the user" as well as an unsubscribe option. When you click the button, a new message is created with the short subject line "Report the user." Microsoft account protection is referenced in the recipient's email address. Using email to answer could expose users to a variety of threats.

The researchers explained, “People sending a reply will almost certainly receive a request for login details, and possibly payment information, most likely via a bogus phishing page. It’s also entirely possible the scammers will keep everything exclusively to communication via email. Either way, people are at risk of losing control of their accounts to the phishers. The best thing to do is not reply, and delete the email.”

As usual, the spam contains red flags in the form of grammatical problems, such as misspellings like "acount." To put it another way, it's not a highly sophisticated attempt, but it's clever. Climbing curiosity (or terror) is a catnip for social engineers, as it is with any significant world event.

“Given current world events, seeing ‘unusual sign-in activity from Russia’ is going to make most people do a double, and it’s perfect spam bait material for that very reason. [The emails] (deliberately or not) could get people thinking about the current international crisis. Being on your guard will pay dividends over the coming days and weeks, as more of the below is sure to follow,” stated researchers.

The email is targeted just at Microsoft account holders, but the good news is that Outlook is sending it directly to spam.. However, the firm pointed out that, “depending on personal circumstance and/or what’s happening in the world at any given moment, one person’s ‘big deal’ is another one’s ‘oh no, my stuff.’ That’s all it may take for some folks to lose their login, and this mail is perhaps more salient than most for the time being.”

Threat actors are Looking for Ways to Bypass MFA with Evolving Phishing Kits



 

phishing kit

Credential Theft Cyber Security Multi-factor authentication phishing kit

Threat actors are Looking for Ways to Bypass MFA with Evolving Phishing Kits

People have been concerned about information security since the first password was included in the Compatible Time-Sharing System at MIT in 1961. While multi-factor authentication (MFA) did not arrive on the scene until years later, in 1986, with the first RSA tokens, it has recently achieved broad consumer acceptance. According to the annual State of the Auth Report from MFA digital authenticator firm Duo, 78% of respondents have used two/multi-factor authentication (2FA/MFA) in 2021, up from 28% in 2017.

While several organisations, including Duo and RSA, have contributed to making MFA more widespread and user-friendly, threat actors have not been sitting on their laurels, preferring to attack MFA as well as seeking for ways to circumvent MFA with changing phishing kits.

Phishing kits are software created to assist threat actors acquire credentials and swiftly capitalise on them. Many of these kits, which are either installed on a dedicated server owned by the threat actor or secretly put on a hacked server owned by an unlucky user, may be purchased for less than a cup of coffee.

Proofpoint threat researchers have seen a wide range of MFA phishing kits, from simple open-source kits with human-readable code and no-frills functionality to sophisticated kits with multiple layers of obfuscation and built-in modules that allow for the theft of usernames, passwords, MFA tokens, social security numbers, and credit card numbers. These kits, at their heart, use the same mechanisms for credential harvesting as conventional kits that steal only usernames and passwords.

Proofpoint researchers have witnessed the introduction of a new sort of kit in recent years that does not rely on duplicating a target website. Instead, these kits use a transparent reverse proxy to provide the victim with the actual website. A reverse proxy is a computer network application that sits in front of back-end applications and forwards client (e.g., browser) requests to those apps. Scalability, performance, resilience, and security are all improved by using reverse proxies.

Modern web pages are dynamic and constantly change. As a result, providing the actual site rather than a copy considerably improves the perception that an individual is logging in safely. Another advantage of using a reverse proxy is that it allows a threat actor to man-in-the-middle (MitM) a session and capture not only the usernames and passwords, but also the session cookie in real-time.

In a recent publication, researchers from Stony Brook University and Palo Alto Networks investigated MitM phishing kits and uncovered an industry blind spot. The researchers created Phoca, a machine learning tool, to scan suspected phishing pages and identify if they were utilising a transparent reverse proxy to access MitM credentials. They discovered over 1200 MitM phishing sites.

Hackers Exploit Glitch Platform to Host Malicious URLs



 

Phishing Campaign

Credential Theft Middle East Mobile Security Phishing Campaign

Hackers Exploit Glitch Platform to Host Malicious URLs

Threat actors are actively abusing the Glitch platform with the aim of hosting free credential-harvesting SharePoint phishing pages on this platform that perform credential theft. The campaign is targeting employees of major firms from the Middle East.

The phishing campaign started in July 2021, and is, unfortunately, still active, stated security researcher Chad Anderson from DomainTools. The spear-phishing campaign included suspicious PDFs that do not contain any malicious content.

Instead, these PDFs contain a link that leads the user to a malicious website hosted at Glitch, which would display a landing page that includes obfuscated JavaScript for stealing credentials. Glitch is a cloud-based hosting solution with a built-in code editor for operating and hosting software projects ranging from simple websites to large applications.

Exploiting Glitch

According to Bleeping Computer, Glitch is vulnerable to phishing assaults because they provide a free version through which users can design an app or a page and keep it running on the internet for five minutes. After that, the user has to enable it again manually.

“For example, one document directed the recipient to hammerhead-resilient-birch. glitch[.]me where the malicious content was stored. Once the five minutes is up, the account behind the page has to click to serve their page again,” Anderson explained.

“Spaces, where code can run and be hosted for free, are a gold mine for attackers, especially considering many of the base domains are implicitly trusted by the blocklists corporations ingest,” he added. “This delegation of trust allows for attackers to utilize a seemingly innocuous PDF with only a link to a trusted base domain to maneuver past defenses and lure in user trust.”

The perfect combination for attackers is the platform’s credibility and the free version, which is the path for attackers to host malicious URLs for a short period of time, favorably treating Glitch’s domain with security tools. A team of experts went further with their research and discovered the Glitch website linked with a service of commercial malware sandbox. This included a screenshot of the Microsoft SharePoint phishing login page.

The discovery of the PDF through which the researchers were directed to that website led to the identification of various HTML documents linked to that sample after it was submitted to Virus Total. The chunks of obfuscated JavaScript could be spotted after the pages were pulled. These code chunks passed through these malicious WordPress sites and then were used for the purpose of leaking credentials. Researchers attempted to speak to Glitch regarding the exploit of the platform, but the company is yet to respond.

Threat Actors Use Marvel's Black Widow Movie To Spread Malware



 

Marvel Movie

Black Widow Credential Theft Cyber Criminals malware Marvel Movie

Threat Actors Use Marvel's Black Widow Movie To Spread Malware

Marvel's Black Widow film has finally been released in theatres and online streaming platforms after being delayed for over a year due to the COVID-19 epidemic. Unfortunately, Marvel Universe fans aren't the only ones who are enthusiastic, as the launch of the Black Widow film has sparked the interest of several fraudsters and hackers.

According to research conducted by cybersecurity firm Kaspersky, threat actors have been unlawfully monetizing interest in the upcoming film for months.

Kaspersky warns of Black Widow movie-themed malware: The film was released on July 9th in the United Kingdom, however, it's yet to be aired in many other countries. Researchers have discovered malware downloads posing as the new Black Widow film that is already spreading on the internet.

Several Black Widow-themed phishing sites are running, according to the company, with the motives of obtaining user credentials. One of the websites examined by researchers promised viewers an early screening of the film in exchange for registering on the site. Users were requested to provide their banking card information during the registration procedure to validate their residency region. However, they later discovered that money had been deducted from their account and they still didn’t get access to the movie.

According to Kaspersky experts, there has been an increase in attempts to infect users who are keenly awaiting the new film's release. They first saw the rise in infection attempts following the film's formal announcement in May 2020, then again around its original November 2020 release date, and finally in May 2021.

Since the movie's release date was pushed back to July 2021, hackers have tried to take advantage of the misunderstanding by infecting 13 percent of streaming services and even launching the movie's downloadable files.

Kaspersky security expert Anton V. Ivanov wrote, “Right now, we have observed intensified scamming activities around Black Widow, the release of which, fans all over the world have been eagerly anticipating for a long time. In their excitement to watch the long-awaited movie, viewers have become inattentive to the sources they use, and this is exactly what fraudsters benefit from.”

Precautionary Measures:

Scammers are not only utilizing phishing websites to deceive innocent users, but they are also redirecting executable files disguised as movie downloads. To remain safe, avoid files that have a . EXE or .MSI extension, because movie files generally have .MP4, .AVI, .MOV, .WMV, or .M4P extensions.

Furthermore, pay special attention to the website URL you visit in order to see or download the film. Scammers frequently make minor modifications to the domain or movie name, so double-check the address to rule out any bad activity.

Finally, use anti-malware software that has a phishing site detection capability.

Email Bug Permits Message Snooping, Credential Theft



 

Vulnerabilities and Exploits

Credential Theft Email Bug Message Snooping Patch Fix Vulnerabilities and Exploits

Email Bug Permits Message Snooping, Credential Theft

Researchers warned that hackers may snoop on email communications by attacking a flaw in the underlying technology used by most of the email servers that run the Internet Message Access Protocol or known as IMAP.

The flaw was initially reported in August 2020 and was fixed on 21st June 2021. According to the Open Email Survey, it is linked to the email server software Dovecot, which is used by nearly three-quarters of IMAP servers.

According to a paper by researchers Fabian Ising and Damian Poddebniak of Münster University of Applied Sciences in Germany, the vulnerability allows for a meddle-in-the-middle (MITM) attack.

In accordance with research linked to a bug bounty page, dated August 2020, “the vulnerability allows a MITM attacker between a mail client and Dovecot to inject unencrypted commands into the encrypted TLS context, redirecting user credentials and mails to the attacker.”

Dovecot version v2.3.14.1, a patch for the vulnerability is rated -severity by the vendor and critical by the third-party security firm Tenable, is available for download. According to a technical analysis provided by Anubisnetworks, the flaw revolves around the execution of the START-TLS email instruction, which is a command issued between an email program and a server that is used to protect the delivery of email messages.

“We found that Dovecot is affected by a command injection issue in START-TLS. This bug allows [an attacker] to bypass security features of SMTP such as the blocking of plaintext logins. Furthermore, it allows [an attacker] to mount a session fixation attack, which possibly results in stealing of credentials such as the SMTP username and password,” researchers stated.

According to an OWASP description, a session fixation attack permits an adversary to take over a client-server connection once the user logs in. As per researchers, due to a START-TLS implementation issue in Dovecot, the intruder can log in to the session and transfer the entire TSL traffic from the targeted victim's SMTP server as part of its own session.

“The attacker obtains the full credentials from its own inbox. At no point was TLS broken or certificates compromised,” the researchers wrote.

For Dovecot operating on Ubuntu, a Linux version based on Debian, a fix for the issue, dubbed CVE-2021-33515, is now available. Ising and Poddebniak have provided workaround fixes for the vulnerability. Disabling START-TLS and configuring Dovecot to accept only “pure TLS connections” on port 993/465/995 is one solution.

The researchers stated, “Note that it is not sufficient to reconfigure a mail client to not use START-TLS. The attack must be mitigated on the server, as any TLS connection is equally affected.”

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

Report Abuse

About Me

Showing result(s) for