
New Report Reveals Rising Attacks on macOS Systems


A new report published by Intel 471 finds that macOS is increasingly being targeted: threat actors are either developing malware specific to the operating system or writing their tooling in cross-platform languages so that it runs on Macs as well as on Windows and Linux. Vulnerability statistics point the same way, and both malware and exploits are being used to commit cybercrime and to spy on individuals and businesses.

The Software Vulnerability Ratings Report 2024 from the patch-management vendor Action1 reports that the number of exploited macOS vulnerabilities rose by more than 30% in 2023 compared to 2022. The same report highlights that Microsoft Office products are becoming easier to exploit and that attackers are increasingly going after load balancers such as NGINX and Citrix.

Action1's analysts drew five insights about the 2022 and 2023 threat landscape from data in the National Vulnerability Database (NVD) and CVEdetails.com. One caveat applies to that data: since February 2024 the NVD has suffered a significant slowdown in its enrichment of new entries, leaving a large backlog of software and hardware flaws awaiting analysis at the National Institute of Standards and Technology (NIST). Vulnerability counts for 2024 are therefore likely to be understated.

NIST attributed the slowdown to the fact that "the amount of software has increased and, therefore, so has the number of vulnerabilities, and interagency support has changed." Independently of those vulnerability counts, Intel 471 observed that between January 2023 and July 2024 more than 40 threat actors targeted macOS systems with a variety of malware types, most commonly infostealers and trojans.

Information-stealing malware (infostealers) has become increasingly widespread across all operating systems in recent years, and macOS is no exception. The cloud security company Uptycs reported that infostealer incidents doubled in the first quarter of 2023 compared with the same period a year earlier, and the cyber-security firm Group-IB reported that underground sales of macOS infostealers increased fivefold.

Infostealers harvest login credentials, session cookies (which let an attacker authenticate as the victim without knowing the password), and more sensitive data such as credit card details and cryptocurrency wallet information. Some criminal groups run infostealers purely to harvest legitimate credentials, which they then sell on to other criminals. Atomic Stealer, also known as Atomic macOS Stealer or AMOS, has been one of the most popular macOS infostealers since 2023.

AMOS is not an exploit of a vulnerability but a piece of malware that targets macOS browsers and applications to steal credentials and cryptocurrency wallet data. Several other macOS infostealers are being operated or advertised by cybercriminals. A threat actor using the handle Code Hex advertised a macOS stealer called ShadowVault, which can steal data from multiple Chromium-based browsers, files stored on the compromised machine, and Bitcoin wallets by extracting their data storage.

While some spyware vendors have sold their tooling to state-sponsored actors, several of those actors also develop their own macOS malware and tools. The North Korean threat actor BlueNoroff, for example, built a malware loader known as RustBucket specifically for macOS, aimed at financial institutions involved in cryptocurrency-related activities.

Russian threat actors have also used macOS malware: APT28, attributed to the Main Directorate of the General Staff of the Russian Armed Forces, and APT29, attributed to Russia's Foreign Intelligence Service. APT29 used the Empire cross-platform remote administration and post-exploitation framework, which is no longer supported but included macOS among its targets. The Vietnam-based threat actor APT32 likewise deployed a macOS backdoor against a range of organizations.

The relatively small volume of macOS-specific malware compared to Windows reinforces the perception that the platform is inherently safe, which in turn can make its users an easier target. Among the threat actors identified in the report, more than 40 are actively targeting macOS, and more than 20 are actively seeking malware crafted specifically for the platform, either by buying pre-existing malware or by commissioning new development.

The focus on infostealers, which steal sensitive data such as login credentials, session cookies and credit card numbers, highlights an immediate threat to consumers and businesses alike. Independent research confirms the trend: the security researcher Patrick Wardle observed a doubling of new macOS malware in 2023 compared to the previous year, and Group-IB reported a fivefold increase in underground sales of macOS infostealers. In the short term, infostealers and remote access trojans (RATs) are expected to remain the most prevalent threats to macOS users; the growing presence of ransomware and other malware families, however, suggests that threats are becoming more sophisticated and more diverse.

Coupled with the growing number of threat actors targeting macOS, this trend calls for heightened vigilance and proactive security measures. The report closes with a stark warning: despite the perceived security of Apple products, macOS users should not assume they are safe. The increasing sophistication of the malware and the number of actors looking to exploit the macOS ecosystem underscore the need for basic hygiene: keep macOS and third-party software fully patched so that known vulnerabilities cannot be exploited, run reputable endpoint security software, and use strong, unique passwords.

Endpoint security software should be deployed to detect malware and suspicious activity, and e-mail security controls matter just as much, since many initial compromises start with a phishing e-mail. Finally, employees need to be trained to recognize the social engineering techniques used in e-mail and instant messaging.

Email Phishing Attack Revealed by American Airlines

American Airlines is warning a number of passengers that their personal information may have been compromised after threat actors gained access to employee e-mail accounts.

The airline said a phishing attack gave the attackers access to the mailboxes of a limited number of employees, and that those mailboxes contained some customers' personal data. In notification letters sent on Friday, September 16th, the airline said there is no evidence that the exposed data has been misused.

American Airlines detected the intrusion on July 5th, promptly secured the affected e-mail accounts and engaged a cyber-security forensics firm to investigate. The investigation found that the unauthorized party had obtained personal information belonging to both customers and employees. The airline did not say how many customers were affected, but the exposed data may include names, dates of birth, addresses, e-mail addresses, phone numbers, passport numbers and, for some individuals, certain medical information.

In a statement to BleepingComputer, the airline's manager for corporate communications said: "American Airlines is aware of a phishing campaign that resulted in a small number of team members' mailboxes being improperly accessed."

According to the airline, those mailboxes contained a very limited amount of customers' and employees' personal information. Affected individuals were offered a two-year membership to Experian's IdentityWorks identity-protection service.

The company added: "Data security is of the utmost importance and we provided customers and team members with precautionary support. We also are actively developing additional technical safeguards to avoid a similar incident from happening in the future, even though we have no proof that any personal information has been misused."

This is not the first time the airline's data has been exposed through a third party. In March 2021, SITA, a leading provider of IT services to the air transport industry, disclosed that attackers had breached its Passenger Service System (PSS), which is used by many airlines worldwide, including American Airlines.

Because phishing remains a common entry point, organizations must give staff adequate security training to recognize targeted phishing attacks. IT and security teams should also make clear how legitimate internal communications will be handled, so that messages outside that pattern stand out, and should regularly remind people how to recognize phishing e-mails.

North Orange County Community College District Suffered Ransomware Attack

According to an official filing by the District, on Monday, January 10, 2022, the North Orange County Community College District (NOCCCD, or the District) noticed malicious activity on servers at both of its colleges, Cypress College and Fullerton College.

In response, the District launched an investigation with the help of outside computer forensic specialists to understand the attack and determine whether any employee or student data had been compromised. The notices posted on the component campus sites describe the incident as a ransomware attack.

On March 25, 2022, NOCCCD reportedly notified more than 19,000 people of the data security incident and began sending data breach notification letters to all employees and students whose information was affected. The District added that it will send further letters if it finds that other parties were impacted.

The investigation confirmed that files containing sensitive personal data of employees and students may have been accessed or removed from the District's network. A copy of the notice was also posted on the Fullerton College page for international students.

The notice lists the types of data that may have been compromised: "name, and passport number or other unique identification number issued on a government document (such as Social Security number or driver's license number); financial account information; and/or medical information."

The District said it is working with the colleges to review and strengthen its data protection policies. It has implemented multi-factor authentication along with an advanced threat protection and monitoring tool to better safeguard data, and is rolling out new cyber-security training for employees across the District.

Threat Actors are Using Leaked Stolen Nvidia Certificates to Hide Malware

Malicious actors are using stolen NVIDIA code-signing certificates to sign malware, letting them gain remote access to unsuspecting Windows machines and deploy malicious drivers and executables that appear to come from NVIDIA.

Earlier this week, NVIDIA, the American chip maker, suffered a cyberattack in which hackers stole the credentials of more than 71,000 employees along with proprietary data.

The hacking group behind it, Lapsus$, claimed to have stolen 1 TB of data and began leaking sensitive information online after NVIDIA rejected its ransom demand.

The leaked data includes two code-signing certificates that NVIDIA developers used to sign drivers and executables before releasing them to the public. A valid signature lets Windows and end users verify who published a file and that it has not been modified since it was signed. Microsoft also requires kernel-mode drivers to be signed; otherwise Windows refuses to load them.

Soon after Lapsus$ leaked the certificates, security researchers found that they were being used to sign malware and other tools used by threat actors.

Malware samples signed with the NVIDIA certificates were discovered on VirusTotal, the malware scanning service. The uploads show the certificates being used to sign hacking tools and malware including Cobalt Strike Beacon, Mimikatz, backdoors and remote access trojans.
 
Security researchers Kevin Beaumont and Will Dormann noted that the stolen certificates carry the following serial numbers:
 
43BB437D609866286DD839E1D00309F5 
14781bc862e8dc503a559346f5dcc518  
 
Both certificates have already expired, but Windows still accepts drivers signed with them under its kernel-mode driver-signing policy. Signing with the stolen certificates therefore lets attackers make their programs look like legitimate NVIDIA software and, more importantly, get malicious kernel drivers loaded by Windows. Defenders should treat any binary whose signer certificate carries one of these serials as suspect rather than trusting the NVIDIA name in the signature.
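To turn that advice into a concrete check, here is an added example (not code from the original article or from the researchers quoted in it) that reads the Authenticode certificate table out of a Windows PE file and searches it for the two leaked serial numbers in their DER encoding (INTEGER tag 0x02, length, big-endian value). The PE header offsets and the WIN_CERTIFICATE layout are the documented Windows formats; the sample file is constructed in memory, and its "signature" is a fake byte string that only mimics the DER fragment around a serial number, not a real PKCS#7 structure.

```python
import struct

# Serial numbers of the two NVIDIA code-signing certificates leaked by Lapsus$
# (as published by Kevin Beaumont and Will Dormann). Hex, case-insensitive.
LEAKED_NVIDIA_SERIALS = (
    "43BB437D609866286DD839E1D00309F5",
    "14781bc862e8dc503a559346f5dcc518",
)

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData


def der_serial_patterns(serials):
    """Encode each serial as a DER INTEGER (tag 0x02, length, value).

    X.509 serials are positive, so DER prepends 0x00 when the high bit of the
    first value byte is set; neither leaked serial needs the padding byte.
    """
    patterns = []
    for serial in serials:
        raw = bytes.fromhex(serial)
        if raw[0] & 0x80:
            raw = b"\x00" + raw
        patterns.append((serial.lower(), bytes([0x02, len(raw)]) + raw))
    return patterns


def extract_certificate_table(pe):
    """Return [(wCertificateType, bCertificate), ...] from IMAGE_DIRECTORY_ENTRY_SECURITY.

    Unlike other data directories, the security directory's VirtualAddress is a
    raw file offset, and WIN_CERTIFICATE entries are padded to 8-byte alignment.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    opt = e_lfanew + 4 + 20                              # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dirs = opt + (112 if magic == 0x20B else 96)    # PE32+ vs PE32
    num_dirs = struct.unpack_from("<I", pe, data_dirs - 4)[0]
    if num_dirs <= 4:
        return []                                        # no security directory at all
    sec_off, sec_size = struct.unpack_from("<II", pe, data_dirs + 4 * 8)
    entries = []
    cur, end = sec_off, sec_off + sec_size
    while cur + 8 <= end:
        length, _revision, cert_type = struct.unpack_from("<IHH", pe, cur)
        if length < 8 or cur + length > end:
            break                                        # truncated or malformed table: stop, don't guess
        entries.append((cert_type, pe[cur + 8:cur + length]))
        cur += (length + 7) & ~7
    return entries


def find_leaked_serials(pe):
    """Return the leaked serials (lower-case hex) present in the file's Authenticode blobs."""
    hits = set()
    for cert_type, blob in extract_certificate_table(pe):
        if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            continue
        for serial, pattern in der_serial_patterns(LEAKED_NVIDIA_SERIALS):
            if pattern in blob:
                hits.add(serial)
    return sorted(hits)


def build_sample_pe(cert_blob):
    """Constructed minimal PE32+ image with a security directory; headers only, no sections."""
    opt_size = 240
    sec_off = (0x40 + 4 + 20 + opt_size + 7) & ~7
    win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
    buf = bytearray(sec_off)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                       # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = 0x44 + 20
    struct.pack_into("<H", buf, opt, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", buf, opt + 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 112 + 4 * 8, sec_off, len(win_cert))
    return bytes(buf) + win_cert


# Constructed stand-in for a PKCS#7 blob: just enough DER around the serial to exercise the scan.
FAKE_SIGNED_BLOB = (
    b"\x30\x82\x06\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"    # SEQUENCE, OID signedData
    + b"\x02\x10" + bytes.fromhex(LEAKED_NVIDIA_SERIALS[0])            # INTEGER serialNumber
    + b"\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00"  # AlgorithmIdentifier sha256WithRSA
)

if __name__ == "__main__":
    print("leaked serials found:", find_leaked_serials(build_sample_pe(FAKE_SIGNED_BLOB)))
    print("clean file:", find_leaked_serials(build_sample_pe(b"\x30\x03\x02\x01\x01")))
```

On a real file, `find_leaked_serials(open(path, "rb").read())` returns the matching serials; a hit is a strong indicator but not proof (the serial could appear in an unrelated certificate in the chain), so confirm it with a full signature parse before acting on it, and bear in mind that a clean result says nothing about unsigned malware.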
 
“Signing certificates are the keys computers use to verify trust in software,” Casey Bisson, head of product and developer relations at code-security product provider BluBracket, stated. “Validating code signatures is a critical step in securing the global code supply chain, and it protects everybody from average consumers running Windows Updates (where signatures are validated automatically) to developers using software components in larger projects (where signatures are hopefully checked as part of the CI process).”  
 
To stop vulnerable or malicious NVIDIA-signed drivers from loading, David Weston, director of enterprise and OS security at Microsoft, tweeted that administrators can configure Windows Defender Application Control (WDAC) policies to control which specific NVIDIA drivers may be loaded, rather than trusting everything signed with the NVIDIA certificates.

VirusTotal Hacking: Hackers can Access Trove of Stolen Credentials on VirusTotal

Security researchers have shown that searching VirusTotal, the online service that analyses suspicious files and URLs, can be used to harvest large volumes of stolen user credentials.

The SafeBreach research team used the technique to collect more than a million credentials with a €600 (about $679) VirusTotal licence and a handful of tools. The goal was to find out what a criminal could obtain with a paid licence for VirusTotal, the Google-owned service that lets anyone submit suspicious files and links to be checked by multiple antivirus engines for free.

A licensed VirusTotal user can combine query modifiers to search the service's dataset by file type, file name, submission date, country, file content and more. Many infostealers collect credentials from forums, mail clients, browsers and other sources, write them to a hard-coded file name such as "all credentials.txt", and then exfiltrate that file from the victim's machine to the attacker's command-and-control server. When such a file is later submitted to VirusTotal, a query on that file name surfaces it.

Using VirusTotal's search, VirusTotal Graph and Retrohunt tools and APIs, the researchers located files containing stolen data in exactly this way.

Tomer Bar, director of security research at SafeBreach, stated: "It is quite a straightforward technique, which doesn't require a strong understanding of malware. All you need is to choose one of the most common info stealers and read about it online."

To collect the data, the researchers focused on well-known malware families, namely RedLine Stealer, Azorult, Raccoon Stealer and Hawkeye, as well as known forums such as DrDark and Snatch Cloud. They found that the approach worked at scale.

RedLine Stealer is sold on underground forums either as a one-off purchase or as a subscription. It collects saved credentials, autocomplete data and credit card information from browsers. Once installed on a target machine, it builds a system inventory that includes usernames, location data, hardware configuration and installed security software, and it can upload and download files as well as run commands.

The researchers started by using VirusTotal Query to search for binaries that at least one antivirus engine classified as RedLine, which returned 800 matches. They also searched for files named DomainDetects.txt, one of the file names the malware uses, and found hundreds of exfiltrated files.

They then turned to VirusTotal Graph, a visual exploration tool for licensed VirusTotal customers. Among the results was a RAR archive containing data exfiltrated from 500 victims, including 22,715 passwords for a variety of websites; other results contained even larger files with more passwords.

Several of the URLs belonged to government-related websites. Of the many infostealer families in circulation, the researchers picked five of the most popular because they were the most likely to be represented in the VirusTotal dataset.

Researchers wrote in their blog post, "A criminal who uses this method can gather an almost unlimited number of credentials and other user-sensitive data with very little effort in a short period of time using an infection-free approach. We called it the perfect cybercrime, not just due to the fact that there is no risk and the effort is very low, but also due to the inability of victims to protect themselves from this type of activity." 

The researchers reported their findings to Google and asked VirusTotal to remove the files containing personal data. They also recommended that VirusTotal periodically scan for and delete files containing sensitive user data, and that it block the API keys used to upload such files.
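The hard-coded output names described earlier in the post and the screening the researchers recommend here both come down to the same classifier: does an uploaded file look like an infostealer's credential dump? Below is an added example (not code from the original article or from SafeBreach) of such a screen. It matches on the two file names the article mentions and on the content, grouping consecutive URL/USER/PASS lines into complete records; the keyword aliases, the generic record layout and the threshold of three records are assumptions for the example, since every stealer family writes its own exact format, and the sample dump is constructed with fake accounts.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# File names the article reports stealers hard-coding; matched case-insensitively on the bare name.
STEALER_OUTPUT_NAMES = {"all credentials.txt", "domaindetects.txt"}

# Generic "URL / USER / PASS" record layout. The keyword aliases are an assumption for this
# example; real families each have their own exact format and would each need a variant.
URL_RE = re.compile(r"^\s*(?:url|host|hostname)\s*:\s*(\S+)", re.I)
USER_RE = re.compile(r"^\s*(?:user|username|login)\s*:\s*(.+?)\s*$", re.I)
PASS_RE = re.compile(r"^\s*(?:pass|password)\s*:\s*(.+?)\s*$", re.I)
FIELDS = (("url", URL_RE), ("user", USER_RE), ("pass", PASS_RE))


@dataclass
class Verdict:
    records: int                                  # complete credential records found
    domains: list = field(default_factory=list)   # distinct hostnames the credentials belong to
    gov_domains: list = field(default_factory=list)
    by_name: bool = False                         # matched a known stealer output file name
    flagged: bool = False                         # overall decision


def parse_credential_records(text):
    """Group consecutive URL/USER/PASS lines into complete records; stray lines are ignored."""
    records, current = [], {}
    for line in text.splitlines():
        for key, rx in FIELDS:
            m = rx.match(line)
            if m:
                if key in current:                # a field repeats before the record completed: start over
                    current = {}
                current[key] = m.group(1)
                break
        if len(current) == 3:
            records.append(current)
            current = {}
    return records


def classify_upload(filename, text, min_records=3):
    """Flag a file as a probable credential dump on either signal: a known stealer output
    file name, or at least min_records complete credential records in the content."""
    recs = parse_credential_records(text)
    domains = sorted({(urlsplit(r["url"]).hostname or r["url"]).lower() for r in recs})
    by_name = filename.strip().lower() in STEALER_OUTPUT_NAMES
    return Verdict(
        records=len(recs),
        domains=domains,
        gov_domains=[d for d in domains if d.endswith(".gov")],
        by_name=by_name,
        flagged=by_name or len(recs) >= min_records,
    )


# Constructed sample: what an exfiltrated stealer file might look like (fake accounts, fake hosts).
SAMPLE_DUMP = """\
URL: https://mail.example.com/login
USER: alice@example.com
PASS: Winter2023!
URL: https://portal.agency.example.gov/
USER: j.doe
PASS: hunter2
some unrelated line the stealer also wrote
URL: https://shop.example.net/account
USER: alice@example.com
PASS: Winter2023!
"""

if __name__ == "__main__":
    print(classify_upload("all credentials.txt", SAMPLE_DUMP))
    print(classify_upload("notes.txt", "URL: https://example.com\nmeeting at 10"))
```

Run against a submission queue, a `flagged` verdict is the trigger to quarantine the file from public search and to revoke or rate-limit the submitting API key, as the researchers suggested; the `gov_domains` list is there because government logins were among the findings and usually deserve a separate notification path. The content check alone (`by_name` false, three or more records) is what catches dumps that a stealer has renamed.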