Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Credentials. Show all posts
Privacy
API AT&T Credentials Google Cloud Privacy

Weak Cloud Credentials Behind Most Cyber Attacks: Google Cloud Report

 



A recent Google Cloud report has found a very troubling trend: nearly half of all cloud-related attacks in late 2024 were caused by weak or missing account credentials. This is seriously endangering businesses and giving attackers easy access to sensitive systems.


What the Report Found

The Threat Horizons Report, which was produced by Google's security experts, looked into cyberattacks on cloud accounts. The study found that the primary method of access was poor credential management, such as weak passwords or lack of multi-factor authentication (MFA). These weak spots comprised nearly 50% of all incidents Google Cloud analyzed.

Another factor was screwed up cloud services, which constituted more than a third of all attacks. The report further noted a frightening trend of attacks on the application programming interfaces (APIs) and even user interfaces, which were around 20% of the incidents. There is a need to point out several areas where cloud security seems to be left wanting.


How Weak Credentials Cause Big Problems

Weak credentials do not just unlock the doors for the attackers; it lets them bring widespread destruction. For instance, in April 2024, over 160 Snowflake accounts were breached due to the poor practices regarding passwords. Some of the high-profile companies impacted included AT&T, Advance Auto Parts, and Pure Storage and involved some massive data leakages.

Attackers are also finding accounts with lots of permissions — overprivileged service accounts. These simply make it even easier for hackers to step further into a network, bringing harm to often multiple systems within an organization's network. Google concluded that more than 60 percent of all later attacker actions, once inside, involve attempts to step laterally within systems.

The report warns that a single stolen password can trigger a chain reaction. Hackers can use it to take control of apps, access critical data, and even bypass security systems like MFA. This allows them to establish trust and carry out more sophisticated attacks, such as tricking employees with fake messages.


How Businesses Can Stay Safe

To prevent such attacks, organizations should focus on proper security practices. Google Cloud suggests using multi-factor authentication, limiting excessive permissions, and fixing misconfigurations in cloud systems. These steps will limit the damage caused by stolen credentials and prevent attackers from digging deeper.

This report is a reminder that weak passwords and poor security habits are not just small mistakes; they can lead to serious consequences for businesses everywhere.


Read more »
Security Vendors
Credentials Cyber Hackers Cyberattacks CyberCrime Cybersecurity CyberThreat Darkweb Data Breach Security Vendors

Credentials of Major Cybersecurity Vendors Found on Dark Web for $10

 


As a result of recent findings on dark web marketplaces, it has been found that many account credentials from major security vendors are being sold. According to Cyble, the rise of information stealers has been largely responsible for this alarming situation, since the credentials of vendors and their clients are compromised. This poses a substantial risk to both vendors and their clients, which makes the need for enhanced cybersecurity measures more urgent than ever before. 

As a result of these credentials, which can be purchased on cybercrime markets for a mere $10, access to internal accounts, customer systems, and cloud-based environments can be acquired. This is alarming because it encompasses internal enterprise accounts of security companies as well as internal development accounts, thereby posing a severe security threat. 

The best solution would have been to protect these accounts by implementing multifactor authentication (MFA). This would have made it much harder for unauthorized individuals to gain access to these accounts in the first place. It is evident from this incident that there are critical vulnerabilities in access management practices when these protections are not in place or fail, further emphasizing the necessity of robust dark web monitoring as a proactive security measure. 

It is important to detect credential leaks early on so that organizations can minimize the risk of such exposures escalating into large-scale cyberattacks. This will prevent operational integrity from being compromised as well as stakeholder trust from being compromised. It is important to remember that even the most well-defended organizations face persistent threats and that continuous vigilance is essential to preventing those threats from happening. This is a very timely report, as Cyble's data focuses on leaks from the current year, highlighting a more urgent threat than old breaches. 

As these accounts are often associated with sensitive management and development interfaces, attackers may be able to use them to conduct reconnaissance, locate sensitive data, and exploit system vulnerabilities, thereby being able to exploit sensitive data. Even multi-factor authentication (MFA) systems are at risk of misuse because of the stolen credentials, which include company email addresses. 

It has been reported that cybersecurity vendors' credentials are becoming increasingly accessible on dark web marketplaces for as little as $10. According to the findings from Cyble, these credentials were likely harvested from information stealer logs and sold in bulk, which indicates that cybercrime targeting sensitive access data has increased significantly in recent years. In a study aimed at examining leaks occurring in 2025, all 14 vendors that were examined had exposed their customers' and internal credentials.

Among these vendors are those that mainly offer enterprise security solutions and cloud security services, as well as consumer security solutions, but Cyble did not reveal the names of the affected vendors because it wanted to protect their identities and emphasize that such a situation poses a serious risk to the integrity of the company as well as client trust. Based on the findings in this study, it is obvious that drastic security measures, as well as comprehensive monitoring, are required to prevent credential theft from occurring in the cybersecurity sector, as the threat of credential theft continues to grow. 

The researchers at Cyble did not attempt to determine whether any credentials were valid. Many of these vulnerabilities were associated with easily accessible web console interfaces, single-sign-on (SSO) logins, and other web-based account access points. The researchers concluded that vulnerabilities likely caused these leaks in potentially critical internal systems, such as password managers, authentication systems, device management platforms, or common internet services, such as Okta, GitHub, Amazon Web Services, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle, and Zoom. 

There was an incident in which sensitive internal company accounts, including email addresses, developer interfaces, and product accounts of a large vendor, were exposed, posing significant risks depending on the extent of access granted to these accounts. Even if all the exposed accounts were protected by other means, as ideally they should have been, this leak is concerning for another reason. By providing threat actors with insight into how a target's systems operate, including the locations of sensitive data and potential vulnerabilities they can exploit, they can assist in conducting reconnaissance.

Hackers can also expose sensitive information by revealing URLs of management interfaces that are not publicly known, offering attackers further reconnaissance information. Monitoring leaked credentials for essential systems like security tools is necessary to prevent breaches and to hinder hackers from obtaining valuable information about an organization's systems and how to access them. The company stated that, in addition to the direct threats associated with unauthorized access, the exposed credentials could serve as a valuable asset for threat actors as a means of reconnaissance. 

Such access can provide attackers with valuable insights into the systems a potential target relies on, including the location of sensitive data and exploitable vulnerabilities, among other things. Infostealers can also uncover critical information that is not publicly disclosed, thus enhancing an attacker's ability to exploit the target's systems. 

As Cyble highlighted in its analysis, these findings have a broader impact on any organization, since even the largest cybersecurity vendors are susceptible to hacking, making any company vulnerable. Several security measures have been identified in the report, including multi-factor authentication (MFA), zero-trust architecture, effective vulnerability management, and network segmentation, as essential to ensuring the security of an organization. 

Several practices can be implemented to reduce the risk of data breaches, ransomware incidents, or other cyberattacks. This report serves as a stark reminder of the pervasive and ever-evolving nature of cyber threats, making it increasingly imperative to take proactive measures to safeguard both organizational integrity and sensitive data in the future. Finally, dark web monitoring has the potential to play a critical role in the fight against cyber threats. 

It enables the detection of credential leaks that often result in significant incidents, such as breaches of sensitive data and ransomware attacks before they fully materialize Monitoring compromised credentials associated with critical security tools and systems is crucial in preventing unauthorized access and thwarting threat actors from acquiring critical insights into an organization's infrastructure. Such reconnaissance capabilities have been shown to greatly enhance attackers' effectiveness in exploiting vulnerabilities. This study emphasizes that even the largest cybersecurity vendors are vulnerable to infostealer attacks, demonstrating that no organization can be completely protected from cyberattacks. 

To combat these risks, foundational cybersecurity measures are imperative—including multi-factor authentication (MFA), zero-trust architecture, vulnerability management, and network segmentation—to prevent cyber threats from occurring. Such strategies play a pivotal role in minimizing the risk of cyberattacks while effectively mitigating their potential consequences. This highlights the critical need for organizations to adopt a proactive, multi-layered cybersecurity approach. By doing so, they can bolster their resilience and safeguard their assets against the ever-evolving challenges of today’s complex threat environment.
Read more »
Windows
Bugs Credentials cyber threat malware RAT Windows

QWIXXRAT: A Fresh Windows RAT Emerges in the Threat Landscape

 

In early August 2023, the Uptycs Threat Research team uncovered the presence of a newly identified threat, the QwixxRAT, also referred to as the Telegram RAT. This malicious software was being promoted and distributed via platforms such as Telegram and Discord.

The QwixxRAT operates as a remote access trojan, capable of surreptitiously gathering sensitive information from targeted systems.

This ill-gotten data is then surreptitiously transmitted to the attacker's Telegram bot, granting them unauthorized access to the compromised user's confidential details. The process is facilitated by the threat actors who can manipulate and oversee the RAT's activities through the same Telegram bot.

“Once installed on the victim’s Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attacker’s Telegram bot, providing them with unauthorized access to the victim’s sensitive information.”reads a new report published by security firm Uptycs.

“To avoid detection by antivirus software, the RAT employs command and control functionality through a Telegram bot. This allows the attacker to remotely control the RAT and manage its operations.” 

Experts have identified the QwixxRAT as a meticulously engineered threat, specifically crafted to extract a wide spectrum of sensitive data. Its repertoire includes the theft of browser histories, credit card particulars, screenshots, keystrokes, FTP credentials, messenger conversations, and data linked to the Steam platform.

Uptycs, the cybersecurity company behind the discovery, underscored that the QwixxRAT is available for purchase on the criminal market. Interested parties can acquire a weekly subscription for 150 rubles or opt for a lifetime subscription priced at 500 rubles. Additionally, a limited free version has been noted by the researchers.

Technically, the QwixxRAT is coded in C# and takes the form of a compiled binary, functioning as a 32-bit executable tailored for CPU operations. With a total of 19 distinct functions, the malware exhibits a diverse set of capabilities.

In order to evade scrutiny, the malware incorporates various anti-analysis features and evasion tactics. Notably, the RAT employs a sleep function to introduce delays, serving as a mechanism to detect potential debugging activities. Furthermore, the malicious code performs checks to ascertain if it is running within a sandbox or virtual environment.

The QwixxRAT establishes persistence by creating a scheduled task tied to a concealed file located at "C:\Users\Chrome\rat.exe". Additionally, the malware possesses a self-destruct mechanism that can be triggered for the C# program's termination.

A unique characteristic of the QwixxRAT is its incorporation of a clipper code, enabling the capture of data copied to the clipboard. This technique is adeptly employed to extract cryptocurrency wallet information pertaining to Monero, Ethereum, and Bitcoin.

The researchers have taken a proactive step by publishing a YARA detection rule tailored to identify this particular threat.
Read more »
ToolKit
Credentials Cyber Security Safety Security ToolKit

This New AlienFox Toolkit Steals Credentials for 18 Cloud Services

 

Threat actors can use a new modular toolkit called 'AlienFox' to scan for misconfigured servers and steal authentication secrets and credentials for cloud-based email services. The toolkit is sold to cybercriminals through a private Telegram channel, which has become a common transaction channel for malware authors and hackers. 

According to SentinelLabs researchers who examined AlienFox, the toolset targets common misconfigurations in popular services such as online hosting frameworks such as Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress. Analysts discovered three versions of AlienFox, indicating that the toolkit's author is actively developing and improving the malicious tool.

AlienFox is after your secrets

AlienFox is a modular toolset made up of a variety of custom tools and modified open-source utilities created by various authors. It is used by threat actors to collect lists of misconfigured cloud endpoints from security scanning platforms such as LeakIX and SecurityTrails.

Then, AlienFox searches the misconfigured servers for sensitive configuration files commonly used to store secrets, such as API keys, account credentials, and authentication tokens, using data-extraction scripts.

1and1, AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Nexmo, Office365, OneSignal, Plivo, Sendgrid, Sendinblue, Sparkpostmail, Tokbox, Twilio, Zimbra, and Zoho are among the cloud-based email platforms targeted. Separate scripts are also included in the toolkit to establish persistence and escalate privileges on vulnerable servers.

According to SentinelLabs, the first version discovered in the wild is AlienFox v2, which focuses on web server configuration and environment file extraction. The malware then parses the files for credentials and attempts to SSH using the Paramiko Python library on the targeted server.

AlienFox v2 also includes a script (awses.py) that automates the sending and receiving of messages on AWS SES (Simple Email Services) as well as the application of elevated privilege persistence to the threat actor's AWS account. Finally, AlienFox 2.0 includes an exploit for CVE-2022-31279, a deserialization vulnerability in the Laravel PHP Framework.

AlienFox v3 added automated key and secret extraction from Laravel environments, and stolen data now included tags indicating the harvesting method. The third version of the kit, in particular, improved performance by including initialization variables, Python classes with modular functions, and process threading.

AlienFox v4 is the most recent version, which includes improved code and script organisation as well as targeting scope expansion. The fourth version of the malware, in particular, includes WordPress, Joomla, Drupal, Prestashop, Magento, and Opencart targeting, an Amazon.com retail site account checker, and an automated cryptocurrency wallet seed cracker for Bitcoin and Ethereum.

The new "wallet cracking" scripts indicate that AlienFox's developer wishes to broaden the toolset's clientele or enhance its capabilities in order to secure subscription renewals from existing customers.

Administrators must ensure that their server configuration is set with the proper access controls, file permissions, and the removal of unnecessary services to protect against this evolving threat.Furthermore, implementing MFA (multi-factor authentication) and monitoring for any unusual or suspicious activity on accounts can aid in the early detection of intrusions.



Read more »
Theft
Credentials Cyber Fraud Fraud Safety Scammers Scams Security Theft

How to Prevent Corporate Login Credential Theft?

 

Expenditure on enterprise cybersecurity is growing rapidly. According to the most recent estimates, the average figure for 2021 will be more than $5 million. Despite this, US organizations reported a record number of data breaches in the same year. 

So, what's the problem? Static passwords, user errors, and phishing attacks continue to undermine security efforts. Threat actors benefit greatly from easy access to credentials. And user training alone will not be enough to restore the balance. A strong credential management strategy is also required, with multiple layers of protection to ensure credentials do not fall into the wrong hands.

During the first half of this year, nearly half of all reported breaches involved stolen credentials. Once obtained, these credentials allow threat actors to disguise themselves as legitimate users in order to deploy malware or ransomware or move laterally through corporate networks. Extortion, data theft, intelligence gathering, and business email compromise (BEC) can all be carried out by attackers, with potentially huge financial and reputational consequences. Breaches caused by stolen or compromised credentials cost an average of $4.5 million in 2021, and they are more difficult to detect and contain (327 days).

It may come as no surprise that the cybercrime underground is rife with stolen credentials. In fact, 24 billion were in circulation in 2021, a 65% increase over 2020. Poor password management is one factor.  Since password reuse is common, these credential hauls can be fed into automated software to unlock additional accounts across the web, a technique known as credential stuffing. They are quickly put to use once they are in the hands of hackers. 

As per one study, cybercriminals gained access to almost a quarter (23%) of accounts immediately after the compromise, most likely through automated tools designed to quickly validate the credibility of the stolen credential.

Phishing is a particularly serious enterprise threat that is becoming more sophisticated. Unlike the error-ridden spam of yesteryear, some efforts appear so genuine that even a seasoned pro would have difficulty detecting them. Corporate logos and typefaces are accurately reproduced. Domains may use typosquatting to appear identical to legitimate domains at first glance.

They may even use internationalized domain names (IDNs) to imitate legitimate domains by replacing Roman alphabet letters with lookalikes from non-Latin alphabets. This enables fraudsters to register phishing domains that look exactly like the original.

The same holds true for the phishing pages that cybercriminals direct employees to. These pages are intended to be convincing. URLs will frequently use the same tactics mentioned above, such as letter substitution. They also intend to imitate logos and fonts. These techniques make pages appear to be the "real deal." To trick users, some login pages display fake URL bars that display the real website address. This is why you can't expect employees to know which sites are legitimate and which are attempting to dupe them.

This means that user awareness programs must be updated on a regular basis to account for specific hybrid-working risks as well as constantly changing phishing tactics. Short, bite-sized lessons with real-world simulation exercises are required. Creating a culture in which reporting attempted scams is encouraged is also important.

But be aware that there is no silver bullet, and user education alone will not reliably prevent credential theft. Bad actors only need to be fortunate once. And there are numerous ways for them to contact their victims, including email, social media, and messaging apps. It is unrealistic to expect every user to detect and report these attempts. Education must use technology and solid processes.

Credential management should be approached in layers by organizations. The goal is to reduce the number of sites where users must enter passwords. Single sign-on (SSO) should be implemented by organizations for all reputable necessary work applications and websites. SSO should be supported by all SaaS providers.

In the meantime, a password manager would be useful if there are logins that require different credentials. This also allows employees to determine whether a login page can be trusted, as the password manager will not provide credentials for a site it does not recognize. To secure logins, organizations should also enable multi-factor authentication (MFA).

FIDO2 is also gaining popularity. It will provide a more robust solution than traditional authenticator apps, though those apps will still be superior to text-message codes. Not everything is foolproof, and risky login pages may slip through the cracks. Employees should only be flagged for risky login pages as a last resort. 

This can be accomplished by analyzing threat intelligence metrics, webpage similarities, domain age, and how users arrived at a log in page in real-time. This rating can then be used to either block high-risk login pages or warn users to check again for less-risky ones. Importantly, because this technology only intervenes at the last second, security appears transparent to the user and does not make them feel watched.

A layered approach to credential management, when combined with an architectural approach to security across the entire stack, can help reduce the attack surface and mitigate risk from an entire class of threat.
Read more »
Vidar Stealer
attackers CopperStealer Credentials malware Password Software Vidar Stealer

This Malware is Spreading Via Fake Cracks

 

An updated sample of the CopperStealer malware has been detected, infecting devices via websites providing fraudulent cracks for applications and other software.

Cyber attackers employ these bogus apps to perform a range of assaults. The hackers in this assault operation took advantage of the desire for cracks by releasing a phoney cracked programme that actually contained malware. 

The infection starts with a website or Telegram channel offering/presenting false cracks for downloading and installing the needed cracks. The downloaded archive files include a password-protected text file and another encrypted archive. 

The decrypted archive displays the executable files when the password specified in the text file is typed. There are two files in this sample: CopperStealer and VidarStealer. 

What are the impacts of Copper Stealer and Vidar Stealer on the systems? 

CopperStealer and Vidar stealer can cause many system infections, major privacy problems, financial losses, and identity theft. 
  • CopperStealer: The primary function of CopperStealer is to steal stored login information - usernames and passwords - as well as internet cookies from certain browsers. Mostly focuses on the login details for business-oriented Facebook and Instagram accounts. CopperStealer variants also seek login credentials for platforms and services such as Twitter, Tumblr, Apple, Amazon, Bing, and Apple. The malware can steal Facebook-related credentials from browsers such as Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, and Yandex.
  • Vidar stealer: The most common ways for this malware to propagate are through pirated software and targeted phishing efforts. Vidar stealer is capable of stealing credit cards, usernames, passwords, data, and screenshots of the user's desktop. The malware steals data from a range of browsers and other system apps. It can also steal cryptocurrency wallets such as Bitcoin and Ethereum. 
Safety first

Attackers can utilise data stealers like CopperStealer to steal sensitive information for more illegal reasons. Users can stay secure by taking the following precautions: 
  • Downloading cracks from third-party websites should be avoided. 
  • Keep the systems up to date with the newest patches. 
  • It is highly advised that security detection and prevention technologies be enabled to safeguard systems from attacks.
Read more »
Personal Data
attacks Christmas Credential Stuffing Attacks Credentials Cyber Attacks data security Financial Data Personal Data

Watch out for Christmas 2021 Credential Stuffing Attacks!

 

As per Arkose Labs' research, there were over two billion credential stuffing attacks (2,831,028,247) in the last 12 months, with the number increasing exponentially between October 2020 to September 2021. 

This form of online fraud has increased by 98 percent over the previous year, and it is projected to spike during the Christmas shopping season. Credential stuffing attacks in 2021 accounted for 5% of all web traffic in the first half of 2021. 

Credential stuffing is the most recent cyber-attack technique used by online criminals to obtain unauthorized access to users' financial and personal accounts. Cybercriminals take control of real user accounts and monetize them in a variety of ways. These include draining money from compromised accounts, collecting and reselling personal information, selling databases of the known verified username and password combinations, and exploiting compromised accounts to launder money obtained from other illegal sources. People who reuse the same username/password combination across various sites are frequently targeted by cybercriminals. 

The anti-fraud community has highlighted credential stuffing as an increasing problem in recent years. However, due to the jump in internet activity in the pandemic and the growth of online purchasing, it has risen in recent months. Credential stuffing increased 56 percent during the Christmas and New Year shopping season last year, according to research analysts, with forecasts that the same period in 2021 will witness up to eight million attacks on consumers every day. 

The Arkose Labs network detected and blocked 285 million credential stuffing assaults in the first half of 2021, with spikes of up to 80 million in a single week. In just one week, one intensively targeted social media organization experienced 1.5 million credential stuffing attacks. 

Kevin Gosschalk, CEO at Arkose Labs stated, “The global e-commerce landscape is more connected than ever before and personal information has become the currency of fraudsters. Credential stuffing is prolific. It’s become an enormous concern to online businesses and is fast overtaking other well-known attack tactics, such as ransomware, as THE cyber attack to watch out for.” 

“Fraudsters are compelled to this type of cybercrime as the low barrier to entry makes it easy to deploy and online criminals can generate profits with just one successful compromised account. Their volumetric approach can come on abruptly, quickly overloading businesses’ servers and putting customers at risk.” 

Other key information 

According to the research team's newest findings, 
  • The top attacked industries by sector include gaming, digital and social media, and financial services. 
  • Credential stuffing assaults accounted for over half of all attacks aimed at the gaming industry. 
  • The United Kingdom was also named as one of the top three regions that carried out the most credential stuffing attacks against the rest of the world. 
  • Alongside, Asia and North America, both demonstrated massive amounts of fraudulent activity emanating from their respective regions.
  • During the first half of 2021, mobile-based attacks accounted for approximately one-quarter of all attacks.
Read more »
Subscribe to: Posts (Atom)