
Data Reveals Identity-Based Attacks Now Dominate Cybercrime
Cyberattacks are undergoing a significant transformation, shifting away from malware-driven methods toward identity exploitation. According to the CrowdStrike 2024 Global Threat Report, three out of four cyberattacks now leverage valid credentials instead of malicious software.

This change is fueled by the expanding cybercrime economy, where stolen identities are becoming as valuable as exploitable system vulnerabilities. A booming underground market for credentials, combined with AI-powered deception and automated phishing, is rendering traditional security measures ineffective.

“You may have really locked down environments for untrusted external threats, but as soon as you look like a legitimate user, you’ve got the keys to the kingdom,” said Elia Zaitsev, CTO at CrowdStrike. This shift presents a pressing challenge for enterprises: if attackers no longer need malware to infiltrate networks, how can they be stopped?

The CrowdStrike report also highlights the speed at which attackers escalate privileges once inside a network. The fastest recorded eCrime breakout time—the duration between initial access and lateral movement—was just 2 minutes and 7 seconds.

Traditional security models that focus on malware detection or manual threat investigation are struggling to keep up. In identity-driven attacks, there are no suspicious payloads to analyze—just adversaries impersonating authorized users. This has led to a rise in living-off-the-land techniques, where attackers use built-in system tools to evade detection. Instead of deploying custom malware, they exploit legitimate credentials and remote monitoring tools to blend seamlessly into network activity.

A key challenge outlined in the 2024 Global Threat Report is the expansion of identity attacks beyond a single environment. Cybercriminals now utilize stolen credentials to move laterally across on-premises, cloud, and SaaS environments, making detection even more difficult.

Jim Guinn, a cybersecurity leader at EY, explained this evolving strategy: “You have to get in, and you have to be able to laterally move throughout the network, which means you have some level of access. And access requires identity.”

Guinn also emphasized the growing role of nation-state actors, who infiltrate networks months or even years in advance, waiting for the right moment to launch an attack.

For companies that still treat endpoint security, cloud security, and identity protection as separate entities, this shift presents a major challenge. Attackers increasingly pivot between these environments, making detection and prevention even more complex.

“The moment that man created AI, he also created a way for bad actors to use AI against you,” Guinn noted. “They're creating a quicker way to get to a set of targets that cybercriminals can use, and they're creating code bases and ways to manipulate users' credentials faster than the human can think about it.”

With identity-based attacks outpacing traditional security defenses, organizations are rethinking their cybersecurity strategies.

One crucial change is the adoption of continuous identity verification. Historically, authentication has been a one-time process, where users log in and remain trusted indefinitely. However, as attackers increasingly impersonate legitimate users, companies are implementing real-time behavioral monitoring to detect anomalies.

Another key adaptation is just-in-time privileges, where employees are granted administrative access only when required—and revoked immediately afterward—to minimize risk.

“We're bringing all that to bear,” Zaitsev explained. “We are taking that cross-domain, multi-domain visibility approach, unifying it all, and then, of course, also focusing heavily on continuous detection, prevention, and response.”

Guinn shared a compelling example of an organization recognizing the importance of identity security. “One of their senior executives said, ‘I think the only reason we haven’t really had a breach—like a significant breach—is because we have multi-factor authentication for our user credentials.’”

The CrowdStrike 2024 Global Threat Report underscores a fundamental shift in cybersecurity: identity, not malware, is the new battleground. Attackers no longer rely on complex exploits or hidden backdoors when they can buy access credentials, phish an employee, or manipulate AI-driven authentication systems.

Simply put, without access to valid credentials, cybercriminals are powerless. This makes identity security the core of modern cybersecurity strategies.

As organizations adapt to this evolving threat landscape, one thing is clear: failing to prioritize identity security leaves businesses vulnerable to adversaries who no longer need to break in—they already have the keys.

Healthcare Sector Faces Highest Risk in Third-Party Cyber Attacks
Cybersecurity experts have identified the healthcare industry as the most frequently targeted sector for third-party breaches in 2024, with 41.2% of such incidents affecting medical institutions. This highlights a critical need for improved security measures across healthcare networks.


The Growing Threat of Unnoticed Cyber Breaches  

A recent cybersecurity study warns of the increasing risk posed by “silent breaches.” These attacks remain undetected for extended periods, allowing hackers to infiltrate systems through trusted third-party vendors. Such breaches have had severe consequences in multiple industries, demonstrating the dangers of an interconnected digital infrastructure.

Research from Black Kite’s intelligence team examined cybersecurity incidents from regulatory disclosures and public reports, revealing an alarming rise in sophisticated cyber threats. The findings emphasize the importance of strong third-party risk management to prevent security lapses.


Why Healthcare is at Greater Risk  

Several factors contribute to the vulnerability of healthcare institutions. Medical records contain highly valuable personal and financial data, making them prime targets for cybercriminals. Additionally, the healthcare sector relies heavily on external vendors for essential operations, increasing its exposure to supply chain weaknesses. Many institutions also struggle with outdated security infrastructures, further amplifying risks.

Encouragingly, the study found that 62.5% of healthcare vendors improved their security standards following a cyber incident. Regulatory requirements, such as HIPAA compliance, have played a role in compelling organizations to enhance their cybersecurity frameworks.


Major Findings from the Report

The study highlights key security challenges that organizations faced in 2024:

1. Unauthorized Access to Systems: More than half of third-party breaches involved unauthorized access, underscoring the need for stronger access control measures.

2. Ransomware Attacks on the Rise: Ransomware remained a leading method used by cybercriminals, responsible for 66.7% of reported incidents. Attackers frequently exploit vendor-related weaknesses to maximize impact.

3. Software Vulnerabilities as Entry Points: Cybercriminals took advantage of unpatched or misconfigured software, including newly discovered weaknesses, to infiltrate networks.

4. Credential Theft Increasing: About 8% of attacks involved stolen or misused credentials, highlighting the necessity of robust authentication methods, such as multi-factor authentication.

5. Targeting of Software Vendors: A major 25% of breaches were linked to software providers, reflecting an increased focus on exploiting weaknesses in the software supply chain.


With organizations becoming increasingly reliant on digital tools and cloud-based systems, cyber risks continue to escalate. A single vulnerability in a widely used platform can trigger large-scale security incidents. 

To mitigate risks, businesses must adopt proactive strategies, such as continuous monitoring, prompt software updates, and stricter access controls. Strengthening third-party security practices is essential to minimizing the likelihood of breaches and ensuring the safety of sensitive data.

The healthcare sector, given its heightened exposure, must prioritize comprehensive security measures to reduce the impact of future breaches.

Credential-Stealing Malware Surges, Now a Top MITRE ATT&CK Threat
Cybersecurity researchers have uncovered a sharp rise in credential-stealing malware, with 25% of over a million malware samples analyzed in 2024 targeting user credentials. This marks a threefold increase from 2023, propelling credential theft from password stores into the MITRE ATT&CK framework's top 10 techniques. These attacks accounted for 93% of all malicious cyber activities last year.

According to "The Red Report 2025" by Picus Security, threat actors are shifting towards multi-stage, sophisticated attacks, leveraging a new breed of malware. Researchers have labeled this emerging trend "SneakThief," emphasizing its focus on stealth, persistence, and automation. 

Cybercriminals are refining these malware strains to execute highly evasive operations, aiming to carry out "the perfect heist" with built-in capabilities to bypass defenses and extract sensitive data.

Despite growing concerns over AI-driven threats, researchers found no evidence of AI-powered malware in 2024. However, malware samples analyzed were capable of executing an average of 14 malicious actions, with data exfiltration and stealth techniques responsible for 11.3 million cyber incidents last year.

"Focusing on the Top 10 MITRE ATT&CK techniques is the most viable way to stop the kill chain of sophisticated malware strains as early as possible," said Volkan Ertürk, CTO and co-founder of Picus Security. "SneakThief malware is not an exception; enterprise security teams can stop 90% of malware by focusing on just 10 of MITRE's entire library of techniques."

New Two-Step Phishing Attack Exploits Microsoft Visio and SharePoint
A novel two-step phishing strategy is targeting Microsoft Visio files (.vsdx) and SharePoint, signaling a new trend in cyber deception, according to experts. Researchers at Perception Point have noted a significant rise in attacks leveraging these previously uncommon .vsdx files.

These files act as delivery tools, directing victims to phishing pages that replicate Microsoft 365 login portals, aiming to steal user credentials.

The two-step phishing attacks employ layered techniques to evade detection. Rather than delivering harmful content directly, these campaigns use trusted platforms like Microsoft SharePoint to host files that appear legitimate. Attackers embed URLs within Visio files, which redirect victims to malicious websites when clicked, bypassing traditional email security systems.

Microsoft Visio, a popular tool for professional diagram creation, has now become a phishing vector. Cybercriminals send emails with Visio files from compromised accounts, often mimicking urgent business communications such as proposals or purchase orders. This tactic encourages recipients to act quickly, increasing the likelihood of success.

Since the emails come from stolen accounts, they often pass authentication checks and evade recipient security filters. In some cases, attackers include .eml files within the emails, embedding additional malicious URLs linked to SharePoint-hosted files.

The Visio files typically contain a clickable button labeled "View Document." Victims are instructed to press the Ctrl key while clicking the button to access the malicious URL. This step, requiring manual interaction, bypasses automated security systems that cannot simulate such behaviors.

Perception Point advises organizations to strengthen their defenses against sophisticated phishing campaigns by adopting advanced threat detection solutions. Suggested measures include:

  • Dynamic URL analysis to identify harmful links.
  • Object detection models to flag suspicious files.
  • Enhanced authentication mechanisms to reduce the impact of compromised accounts.
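As an added example (not Perception Point's tooling), the Python script below shows the static part of the "dynamic URL analysis" such a scanner performs on a .vsdx lure: it opens the file as the OOXML zip it is, pulls every hyperlink Address cell from the page XML, and flags links whose host is outside an assumed trusted SharePoint tenant. The sample file, the tenant name `contoso.sharepoint.com` and the `.invalid` lure domain are all constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import escape

# Namespace of the page XML inside a .vsdx (Visio 2013+ OOXML package).
VISIO_NS = "http://schemas.microsoft.com/office/visio/2012/main"
NS = "{" + VISIO_NS + "}"

# Hypothetical tenant the organization actually uses; anything else is "external".
TRUSTED_HOSTS = {"contoso.sharepoint.com"}


def build_sample_vsdx(links):
    """Construct a minimal .vsdx-style zip with one page whose shapes carry hyperlinks.
    Constructed sample for the demo: only the parts the extractor reads are present."""
    shapes = []
    for i, url in enumerate(links, start=1):
        shapes.append(
            f"<Shape ID='{i}' Type='Shape'><Section N='Hyperlink'><Row N='Row_{i}'>"
            f"<Cell N='Address' V='{escape(url)}'/>"
            f"<Cell N='Description' V='View Document'/>"
            f"</Row></Section></Shape>"
        )
    page_xml = (
        f"<PageContents xmlns='{VISIO_NS}'><Shapes>{''.join(shapes)}</Shapes></PageContents>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not a full package
        zf.writestr("visio/pages/page1.xml", page_xml)
    return buf.getvalue()


def extract_hyperlinks(vsdx_bytes):
    """Return every hyperlink Address found on any page part of the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(vsdx_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not re.fullmatch(r"visio/pages/page\d+\.xml", name):
                continue
            root = ET.fromstring(zf.read(name))
            for section in root.iter(NS + "Section"):
                if section.get("N") != "Hyperlink":
                    continue
                for cell in section.iter(NS + "Cell"):
                    if cell.get("N") == "Address" and cell.get("V"):
                        found.append(cell.get("V"))
    return found


def triage(vsdx_bytes, trusted_hosts=TRUSTED_HOSTS):
    """Classify each link: trusted tenant, non-web scheme, or external (detonate/block)."""
    verdicts = []
    for url in extract_hyperlinks(vsdx_bytes):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme.lower() not in ("http", "https"):
            verdicts.append((url, "non-web scheme"))
        elif host in trusted_hosts:
            verdicts.append((url, "trusted"))
        else:
            verdicts.append((url, "external"))
    return verdicts


if __name__ == "__main__":
    sample = build_sample_vsdx([
        "https://contoso.sharepoint.com/sites/finance/PO-4471.pdf",  # constructed, benign
        "https://m365-login.example.invalid/auth",                   # constructed lure
    ])
    for url, verdict in triage(sample):
        print(f"{verdict:15} {url}")
```

Links that land on a real .vsdx are often followed by a redirector, so an "external" verdict is the point at which a mail gateway should detonate the URL rather than trust the SharePoint origin of the attachment.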

Group-IB Unveils Sophisticated Phishing Campaign Targeting Global Organizations
A recent report by Group-IB has exposed a highly advanced phishing campaign targeting employees from 30 companies across 15 jurisdictions. Using trusted domains and cutting-edge personalization techniques, attackers have bypassed Secure Email Gateways (SEGs) and exploited victims in critical sectors such as finance, government, aerospace, and energy.

Advanced Obfuscation and Multi-Layered Deception

The investigation, initiated in July 2024, uncovered the attackers' use of:

  • Over 200 phishing links hosted on legitimate platforms like Adobe’s InDesign cloud service and Google AMP.
  • Techniques to bypass detection systems that typically block suspicious or unknown domains.

“Nine out of ten cyberattacks start with a phishing email, making it the most common entry point for threat actors,” the report emphasized.

Phishing Emails That Mimic Trusted Brands

The attackers used professionally designed phishing emails that impersonated well-known brands, including:

  • DocuSign, prompting victims to sign fake contracts.
  • Adobe-hosted links, disguising fraudulent login pages as critical documents.

These emails featured professional formatting, familiar logos, and dynamically personalized elements. For example, by extracting a victim’s email domain, the attackers matched logos and page titles to the targeted organization, enhancing credibility.

“Scammers use a technique that dynamically pulls company logos from the official website to make the phishing links look legitimate,” the report noted.

Exploitation of APIs for Realistic Branding

The attackers leveraged APIs like https://logo.clearbit.com/[company domain] to integrate authentic logos into phishing sites. This seamless branding approach increased user trust and made phishing attempts harder to detect.

Concealing Operations with URL Redirection and Encoding

To evade detection, attackers used:

  • URL redirections via Google AMP to create complex trails.
  • Encoded parameters to obscure the attack path.

Victims were redirected to phishing pages that appeared legitimate, with pre-filled email addresses further enhancing the illusion of authenticity. Once users entered their credentials, the stolen data was sent to Command-and-Control (C2) servers or Telegram bots via API endpoints.

Advanced Data Exfiltration Techniques

The phishing sites contained JavaScript snippets that transmitted stolen credentials using Base64 encoding, effectively hiding the data during analysis. Group-IB analysts observed: “The JSON response from Telegram’s API confirms that the stolen credentials were successfully sent to a private chat controlled by the attacker.”

Ongoing Evolution in Phishing Tactics

Group-IB warns that these techniques signify a continuous evolution in phishing methodologies: “Threat actors are quickly adapting, constantly refining and improving their techniques to bypass security measures and exploit vulnerabilities.”

Conclusion: A Growing Need for Vigilance

This campaign serves as a stark reminder of the ever-evolving nature of cyber threats. Organizations must strengthen their defenses and educate employees to identify and respond to increasingly sophisticated phishing attempts.

Black Basta Ransomware: New Tactics and Growing Threats
The Black Basta ransomware group, an offshoot of the now-defunct Conti group, has adapted its attack strategies by integrating sophisticated social engineering techniques. Recent trends include email bombing, malicious QR codes, and credential theft, showcasing the group’s commitment to exploiting vulnerabilities in organizational defenses. 

The group begins its operations with email bombing—flooding a target's inbox with subscription-based messages from various mailing lists. This overload often leads victims to seek assistance, creating an opportunity for attackers to impersonate IT staff or support teams. Since August 2024, impersonation tactics have extended to platforms like Microsoft Teams, where attackers persuade victims to install legitimate remote access tools such as AnyDesk, TeamViewer, or Microsoft’s Quick Assist. Microsoft has identified the misuse of Quick Assist by threat actors labeled "Storm-1811."

Malicious QR codes are another tool in the group’s arsenal. Victims are sent codes via chats, claiming to link trusted mobile devices. These QR codes redirect users to malicious websites, enabling attackers to harvest credentials. Cybersecurity experts have noted that attackers sometimes use OpenSSH clients to open reverse shells, providing deeper system access.

Malware Delivery and Payload Objectives

After gaining initial access, Black Basta deploys malicious payloads designed to escalate the attack. Key malware tools include:

  • Zbot (ZLoader): Credential-harvesting malware.
  • DarkGate: Multi-purpose malware for executing subsequent attacks.

These tools allow attackers to steal sensitive information, such as user credentials and VPN configurations, which they use to bypass multi-factor authentication (MFA) and infiltrate organizational systems. Black Basta’s proprietary tools further enhance its effectiveness:

  • KNOTWRAP: Executes payloads directly in memory, bypassing traditional detection methods.
  • KNOTROCK: Specialized utility for deploying ransomware.
  • PORTYARD: Facilitates secure connections with command-and-control servers.

Emerging Ransomware Trends

Black Basta’s innovations align with broader trends in ransomware development. New groups, like Akira and Rhysida, are also leveraging advanced techniques. Akira, developed in Rust, uses pre-built libraries to enhance efficiency, while Rhysida employs tactics like fake software websites and SEO poisoning to spread malware. These trends highlight the growing sophistication of ransomware operations.

Defensive Measures for Organizations

The Black Basta group exemplifies the evolution of cybercrime, combining email bombing, impersonation, and advanced malware tools in hybrid attack models. To counter these threats, organizations must:

  • Regularly update security systems to address vulnerabilities.
  • Implement robust training programs to help employees identify social engineering tactics.
  • Strengthen multi-factor authentication and endpoint protection measures.

As cybercriminals continue to adapt, proactive defense and vigilance remain essential to safeguarding organizational systems from these evolving threats.

UIUC Researchers Expose Security Risks in OpenAI's Voice-Enabled ChatGPT-4o API, Revealing Potential for Financial Scams
Researchers recently revealed that OpenAI’s ChatGPT-4o voice API could be exploited by cybercriminals for financial scams, showing some success despite moderate limitations. This discovery has raised concerns about the misuse potential of this advanced language model.

ChatGPT-4o, OpenAI’s latest AI model, offers new capabilities, combining text, voice, and vision processing. These updates are supported by security features aimed at detecting and blocking malicious activity, including unauthorized voice replication.

Voice-based scams have become a significant threat, further exacerbated by deepfake technology and advanced text-to-speech tools. Despite OpenAI’s security measures, researchers from the University of Illinois Urbana-Champaign (UIUC) demonstrated how these protections could still be circumvented, highlighting risks of abuse by cybercriminals.

Researchers Richard Fang, Dylan Bowman, and Daniel Kang emphasized that current AI tools may lack sufficient restrictions to prevent misuse. They pointed out the risk of large-scale scams using automated voice generation, which reduces the need for human effort and keeps operational costs low.

Their study examined a variety of scams, including unauthorized bank transfers, gift card fraud, cryptocurrency theft, and social media credential theft. Using ChatGPT-4o’s voice capabilities, the researchers automated key actions like navigation, data input, two-factor authentication, and following specific scam instructions.

To bypass ChatGPT-4o’s data protection filters, the team used prompt “jailbreaking” techniques, allowing the AI to handle sensitive information. They simulated interactions with ChatGPT-4o by acting as gullible victims, testing the feasibility of different scams on real websites.

By manually verifying each transaction, such as those on Bank of America’s site, they found varying success rates. For example, Gmail credential theft was successful 60% of the time, while crypto-related scams succeeded in about 40% of attempts.

Cost analysis showed that carrying out these scams was relatively inexpensive, with successful cases averaging $0.75. More complex scams, like unauthorized bank transfers, cost around $2.51—still low compared to the potential profits such scams might yield.

OpenAI responded by emphasizing that their upcoming model, o1-preview, includes advanced safeguards to prevent this type of misuse. OpenAI claims that this model significantly outperforms GPT-4o in resisting unsafe content generation and handling adversarial prompts.

OpenAI also highlighted the importance of studies like UIUC’s for enhancing ChatGPT’s defenses. They noted that GPT-4o already restricts voice replication to pre-approved voices and that newer models are undergoing stringent evaluations to increase robustness against malicious use.

Rising Threat of Stolen Credentials and Initial Access Breaches
Weak or reused passwords continue to pose significant risks for organizations, as criminals increasingly exploit stolen credentials to access user accounts. This trend has fueled a thriving market for stolen credentials and the initial access they provide. The ENISA Threat Landscape 2023 report highlights a year-over-year growth in the Initial Access Broker (IAB) market, with credentials being the primary commodity for sale.

Stealer malware frequently infiltrates victim machines through social engineering tactics, primarily phishing, and sometimes through paid distribution schemes using the Emotet and Qakbot botnets. Other campaigns entice users to download seemingly legitimate software via malvertising.

ENISA anticipates that future social engineering campaigns will adapt to new defensive measures aimed at protecting credentials from abuse.

Increasing Challenges with Stolen Credentials

Organizations face growing challenges with stolen credentials. The Verizon 2024 Data Breach Investigations Report (DBIR) reveals a 180% increase in attacks exploiting vulnerabilities to initiate breaches compared to the previous year. Stolen credentials were the leading initial action in breaches, accounting for 24%, just ahead of ransomware at 23%.

Fraudsters employ various methods to steal credentials, including malware that steals passwords and sells them on the dark web. Popular tools for this purpose include Redline, Vidar, and Raccoon Stealer. The FBI has warned of cybercriminals using search engine advertisements to impersonate brands and direct users to malicious sites that host ransomware or harvest login credentials.

Credentials can also be compromised through brute force attacks, where cybercriminals use tools to test password combinations until the correct one is found. These methods range from simple trial and error to more sophisticated dictionary attacks, exploiting common password choices.

Potential for Major Breaches

The SolarWinds attack, described by Microsoft Corp President Brad Smith as "the largest and most sophisticated attack the world has ever seen," exemplifies the potential danger of stolen credentials. A compromised SolarWinds password was discovered on a private GitHub repository, where an intern had set the password "solarwinds123" on an account with access to the company's update server.

Other notable examples include the Dropbox breach, which impacted millions of users. A Dropbox employee reused a password from a LinkedIn breach, where millions of passwords were accessed by thieves.

ENISA notes that while abusing valid accounts for initial access is not a new technique, it remains effective for cybercriminals. Misconfigured accounts and those with weak passwords are particularly vulnerable. Although multi-factor authentication (MFA) can prevent many attacks, it is not foolproof, with actors intercepting MFA codes and harassing users with push notifications.

ENISA expects credentials to remain a focal point for cybercrime actors despite technical protective measures, as these actors continually find ways around them.

Cybersecurity experts recognize the danger of stolen credentials and the necessity of strong security measures. However, complacency is not an option. The threat posed by stolen credentials is constantly evolving, necessitating ongoing adaptation.

Organizations must enforce the creation of strong passwords resistant to brute force attacks and other forms of exploitation. Specops Password Policy can help build robust password policies by:

  • Generating personalized dictionary lists to prevent the use of commonly used words within the company.
  • Providing immediate and interactive updates to users when changing passwords.
  • Restricting the use of usernames, display names, certain words, consecutive characters, incremental passwords, and repeating parts of previous passwords.
  • Applying these features to any GPO level, computer, individual user, or group within the organization.
  • Continuously scanning for and blocking over 4 billion compromised passwords, ensuring that breached passwords are found daily.

Increasing overall password security, enforcing good password hygiene, and eliminating weak passwords enhance the security of Active Directory environments and privileged accounts. Organizations must prepare their defenses by scanning for password vulnerabilities in Active Directory to detect weak and compromised passwords.
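As an added illustration (not Specops' code), the Python checker below implements the kinds of rules listed above against a candidate password: a company dictionary, username and display-name fragments, repeated or sequential characters, incremental variants and reused parts of previous passwords, and a breached-password lookup. The company words and the tiny breached set (kept as SHA-1 digests) are constructed sample data; a real deployment would check billions of hashes through a k-anonymity range query instead.

```python
import hashlib
import re

# Constructed sample data, not Specops' lists: company words and a tiny breached set
# stored as SHA-1 digests (a real deployment would query a k-anonymity range API).
COMPANY_WORDS = {"contoso", "fabrikam", "widgetco"}
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("password1", "welcome123", "Summer2024!")
}
MIN_LENGTH = 12


def has_consecutive_run(pw, run=3):
    """True for `run` identical characters ('aaa') or an ascending/descending
    character-code run ('abc', '321') anywhere in the password."""
    for i in range(len(pw) - run + 1):
        codes = [ord(c) for c in pw[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def is_incremental(old, new):
    """'Winter2023!' -> 'Winter2024!': same stem and suffix, only the number changed."""
    pattern = r"(.*?)(\d+)(\W*)"
    m_old, m_new = re.fullmatch(pattern, old), re.fullmatch(pattern, new)
    if not (m_old and m_new):
        return False
    return (m_old.group(1).lower() == m_new.group(1).lower()
            and m_old.group(3) == m_new.group(3)
            and m_old.group(2) != m_new.group(2))


def shares_substring(old, new, n=4):
    """True if any n-character slice of the old password reappears in the new one."""
    old_l, new_l = old.lower(), new.lower()
    return any(old_l[i:i + n] in new_l for i in range(len(old_l) - n + 1))


def check_password(candidate, username="", display_name="", previous=()):
    """Return the list of policy violations; an empty list means the password is accepted."""
    violations = []
    low = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    for word in sorted(COMPANY_WORDS):
        if word in low:
            violations.append(f"contains company dictionary word '{word}'")
    for label, ident in (("username", username), ("display name", display_name)):
        for part in re.split(r"[\s._@-]+", ident.lower()):
            if len(part) >= 3 and part in low:
                violations.append(f"contains {label} fragment '{part}'")
    if has_consecutive_run(candidate):
        violations.append("contains repeated or sequential characters")
    for old in previous:
        if is_incremental(old, candidate):
            violations.append("is an incremental variant of a previous password")
        elif shares_substring(old, candidate):
            violations.append("reuses part of a previous password")
    if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
        violations.append("appears in the breached-password list")
    return violations


if __name__ == "__main__":
    for pw in ("Summer2024!", "Contoso-Admin-2024", "correct horse battery staple"):
        print(pw, "->", check_password(pw, username="j.doe", display_name="Jane Doe",
                                       previous=["Summer2023!"]))
```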