
37% of Third-party Applications have High-risk Permissions

Recent data analysis reveals a significant increase in the integration of third-party apps with email platforms. This trend underscores the rapid expansion of a new avenue of vulnerability that cybercriminals are exploiting, demonstrating their ongoing evolution in attack strategies. 

The presence of software-as-a-service (SaaS) applications is continuously growing within enterprises worldwide. Staff members are providing permissions to external apps, allowing them to access fundamental SaaS platforms such as Microsoft 365 (M365) and Google Workspace. 

This trend introduces security vulnerabilities. Simultaneously, security personnel and organizations are struggling to monitor the number of interconnected applications or assess the extent of the security threats stemming from these apps. Throughout the initial six months of 2023 (spanning January to June), there was a steady upward trajectory in the integration of third-party applications. 

Concurrently, Abnormal noted a consistent escalation in instances of business email compromise (BEC) and vendor email compromise (VEC) attacks. This pattern of growth has remained consistent over the preceding five years. Abnormal's findings revealed that, on average, organizations now incorporate 379 third-party applications with their email systems. This reflects a substantial surge of 128% since the year 2020. 

In the case of sizable corporations employing over 30,000 individuals, the integration of third-party apps rises dramatically to an average of 3,973. These apps encompass a broad spectrum of functionalities, spanning collaboration, productivity, development, social networking, security, and various other domains. 

Among the third-party applications that have been integrated, approximately 37% come with permissions that pose high risks. These permissions include the capability to generate and erase emails or users, and even to reset user passwords. 
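One way to put this figure on your own tenant's footing is to triage each integrated app by the capabilities its granted scopes confer. The following is an added example, not code from the original post or from Abnormal's report; the inventory is constructed, while the scope strings are real Microsoft Graph and Google Workspace permission names, mapped to the three capabilities the post singles out (creating or deleting mail, creating or changing users, resetting passwords).

```python
from dataclasses import dataclass

# Scopes that confer the high-risk capabilities named in the post.
# Real Microsoft Graph / Google Workspace permission names; the
# capability labels on the right are this example's own wording.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite": "create/delete mail",
    "Mail.Send": "send mail as user",
    "User.ReadWrite.All": "create/update users",
    "Directory.ReadWrite.All": "manage directory objects",
    "UserAuthenticationMethod.ReadWrite.All": "reset passwords",
    "https://mail.google.com/": "create/delete mail",
    "https://www.googleapis.com/auth/gmail.modify": "modify mail",
    "https://www.googleapis.com/auth/admin.directory.user": "manage users/passwords",
}


@dataclass
class AppGrant:
    name: str
    platform: str      # "M365" or "Workspace"
    scopes: tuple      # permission strings the user consented to
    granted_by: str    # account that approved the integration


def high_risk_capabilities(grant):
    """Return the sorted high-risk capabilities an app's scopes confer."""
    return sorted({HIGH_RISK_SCOPES[s] for s in grant.scopes if s in HIGH_RISK_SCOPES})


def triage(grants):
    """Split an inventory into (grant, capabilities) pairs that are high risk,
    and return the share of the inventory they represent as a percentage."""
    high = [(g, caps) for g in grants if (caps := high_risk_capabilities(g))]
    share = round(100 * len(high) / len(grants), 1) if grants else 0.0
    return high, share


# Constructed inventory standing in for an export of consented apps.
INVENTORY = [
    AppGrant("TeamChat", "M365", ("User.Read", "Calendars.Read"), "alice"),
    AppGrant("MailMerge Pro", "M365", ("Mail.ReadWrite", "Mail.Send"), "bob"),
    AppGrant("HR Sync", "M365", ("User.ReadWrite.All",
                                 "UserAuthenticationMethod.ReadWrite.All"), "carol"),
    AppGrant("Doc Viewer", "M365", ("Files.Read",), "alice"),
    AppGrant("Inbox Cleaner", "Workspace", ("https://mail.google.com/",), "dave"),
    AppGrant("Cal Sync", "Workspace",
             ("https://www.googleapis.com/auth/calendar.readonly",), "erin"),
    AppGrant("Signature Tool", "Workspace",
             ("https://www.googleapis.com/auth/gmail.readonly",), "bob"),
    AppGrant("Notes", "M365", ("User.Read",), "frank"),
]

if __name__ == "__main__":
    flagged, pct = triage(INVENTORY)
    print(f"{pct}% of apps hold high-risk permissions")
    for grant, caps in flagged:
        print(f"  {grant.name} ({grant.platform}, consented by {grant.granted_by}): {', '.join(caps)}")
```

The same triage can be run over a real export of consented apps by replacing the constructed inventory; the consenting account is kept so that each high-risk grant can be traced back to whoever approved it.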

Vendor Email Compromise (VEC) falls under the category of Business Email Compromise (BEC), a significant subset of cyber assaults. These attacks entail the falsification or imitation of a corporate email address, with the intention of deceiving the organization, its staff, clients, or associates for fraudulent purposes. 

Business Email Compromise attacks manifest in diverse manners, with Vendor Email Compromise representing a particularly advanced variant within this spectrum. The report also indicated an upswing in BEC and VEC attacks during the initial half of 2023. 

BEC attacks demonstrated a rise of 55% over the preceding six months, with 48% of all entities experiencing at least one VEC attack within the same period. Further insights gleaned from the initial half of the year highlight a 34% surge in VEC attacks when contrasted with the previous two halves. 

Notably, there was a shift in the attack landscape, with BEC attacks surpassing malware instances, a departure from the trends seen in the preceding half. Larger organizations are particularly vulnerable: those with over 5,000 mailboxes face a probability exceeding 90% of experiencing at least one BEC attack weekly, alongside a 76% likelihood of encountering a VEC attack. 

Among targeted sectors, the technology industry attracts the highest concentration of BEC attacks, while advertising/marketing is the primary focus for VEC attacks. Other sectors frequently subjected to BEC attacks include construction, finance, transportation, and media/entertainment.

Mysterious Threats of ‘Dark Data’ in Organizations

 

Data security is becoming costlier for organizations worldwide, and the threat of cyber attacks has added pressure from customers on organizations to protect their sensitive information. As a result, several organizations have already invested in new processes to safeguard their 'data.' 

However, we should not overlook the dark part of databases that lingers beneath the surface and might come back to haunt organizations. 

Along with structured data, a huge amount of unstructured data, known as dark data, also occupies the storage of every organization, often as a result of users' daily digital interactions. This could include data of previous employees, customer information, financial transactions, confidential emails, messages and video call transcripts, and other sensitive information. 

Companies store a vast amount of unstructured or semi-structured data in log files or data archives for future use. The obscure nature of dark data makes it hard to protect and also creates a sense of insecurity: what if threat actors gain access to this data? 

Because of the availability of online services, data is being produced at a very rapid pace, and it becomes very difficult for organizations to quantify their dark data. As per a recent survey, more than half of an organization's data is unavailable for analysis. 

It is nevertheless shocking that unstructured data is rising at a rate of 55-65% per annum (1.7 MB of data is created for each of the 7.3 billion people every minute of a day). This means that by 2025 organizations will hold more than 163 trillion gigabytes of data worldwide, 80% of which will be unstructured data, and 90% of that will never be analyzed or used in regular business activities. 

Now the question is what organizations can do to protect this data. The first and most important step is to process and discover which data is sensitive and exposed. To accomplish this, security teams should know where dark data resides and who has access to it. 

Furthermore, organizations should engage independent data experts who can review the data environment and conduct in-depth reviews of unstructured data. Once an organization has reviewed its dark data, it can identify which data has business value and protect that data accordingly. However, this cannot assure companies of full protection from bad actors, and a record 35% of all consumers do not trust any industry to protect their data adequately.
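The discovery step described above (find where sensitive unstructured data resides and who can read it) can be bootstrapped with a first-pass scanner. This is an added example, not code from the original post: it writes a constructed set of log and archive files into a temporary directory, then reports every file holding an email address or a Luhn-valid card number together with its owner and whether it is world-readable on the host.

```python
import os
import re
import stat
import tempfile

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
# 13-16 digits, optionally separated by spaces or dashes; validated with Luhn below
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_file(path):
    """Return the set of sensitive data types found in one text file."""
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    found = set()
    if EMAIL_RE.search(text):
        found.add("email")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.add("card_number")
            break
    return found


def discover(root):
    """Walk root and list files with sensitive content plus their exposure."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            types = scan_file(path)
            if not types:
                continue
            st = os.stat(path)
            findings.append({"path": os.path.relpath(path, root).replace(os.sep, "/"),
                             "types": sorted(types), "owner_uid": st.st_uid,
                             "world_readable": bool(st.st_mode & stat.S_IROTH)})
    return sorted(findings, key=lambda f: f["path"])


def run_demo():
    """Build constructed sample files (stand-ins for logs/archives) and scan them."""
    root = tempfile.mkdtemp()
    samples = {"logs/app.log": "2023-05-01 INFO login ok user=jane.doe@example.com\n",
               "archive/orders.csv": "id,card\n17,4111 1111 1111 1111\n",
               "archive/transcript.txt": "call transcript: nothing sensitive here\n"}
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    os.chmod(os.path.join(root, "archive", "orders.csv"), 0o644)  # readable by everyone
    os.chmod(os.path.join(root, "logs", "app.log"), 0o600)        # owner only
    return discover(root)
```

Running `run_demo()` flags the orders archive (card number, world-readable) and the application log (email address, owner-only), which is exactly the inventory of location and access the review step needs before deciding what has business value.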

Another Singtel Subsidiary Faces Cyber Attack, Weeks after Optus Data Breach

 

Weeks after the data breach at the Australian telecom giant Optus, Singapore Telecommunications Ltd (Singtel) confirmed that its unit Dialog has suffered a cyber-attack. The attack has reportedly affected 1,000 of the company's current and former employees and about 20 clients. 
 
The data breach at Optus, the Australian subsidiary of Singtel, took place late this September. It reportedly compromised the personal data of up to 10 million customers, including present and former employees. 
 
Days after the breach, the threat actors withdrew a ransom demand of $1 million from the telecom company, saying there were "too many eyes" on the hacked data. The hackers nonetheless went ahead and leaked the records of more than 10,000 customers to prove that they actually had access to the data. 
 
“On Saturday 10 September 2022, we detected unauthorized access on our servers, which were then shut down as a preventive measure. Within two business days, our servers were restored and fully operational. We contracted a leading cyber security specialist to work within our IT Team to undertake a deep forensic investigation and continuous monitoring of the Dark Web. Our ongoing investigation showed no evidence of unauthorized downloading of the data[…]On Friday 7 October 2022 we became aware that a very small sample of Dialog’s data, including some employees’ personal information, was published on the Dark Web.” states Dialog regarding the data breach. 
 
Dialog said that its systems are completely independent of Optus and of the IT unit NCS, and that there is no evidence of any link between the data breaches at Dialog and Optus.  
 
"With this being the third large breach impacting the company in the last few years, it sounds like it is time to review the company's cybersecurity program because something is clearly not working," states O'Toole. 
 
"Everyone knows employees are the number one target for criminals looking to steal and compromise an organization's data, so addressing this risk must be the priority," she added. 
 
According to the CEO, one prominent way to tackle the risk is to deploy encrypted network access and segmentation tools, which encrypt employee credentials and other information so they cannot be hacked or stolen. "This closes doors on attackers, and it will significantly improve Singtel's security defenses against data breaches in the future," she added.

Chinese Hackers Target Energy Firms Across The Globe

Threat intelligence researchers have discovered a new cyber-espionage campaign targeting energy and manufacturing organizations around the world. The US-based cybersecurity firm Proofpoint and PwC Threat Intelligence report that the Chinese APT known as TA423, Red Ladon, APT40, and Leviathan is behind the campaign. 

The operators of this campaign are primarily targeting firms across Australia, Malaysia, and Europe as well as the entities that operate in the South China Sea including organizations involved in an offshore wind farm in the Taiwan Strait. 

The Australian targets included the federal government, military academic institutions, and the defense and public health sectors. The Malaysian targets included global marketing and finance companies, offshore drilling firms, and deep-water energy exploration firms. The campaign has been observed operating in three phases, the latest from April 2022 to mid-June 2022. 

The group has been active since 2013 and has previously targeted defense contractors, universities, manufacturers, government agencies, foreign companies involved with Australasian policy or South China Sea operations, and legal firms involved in diplomatic disputes. 

"TA423/Red Ladon is a China-based, espionage-motivated threat actor that has been active since 2013, targeting a variety of organizations in response to political events in the Asia-Pacific region, with a focus on the South China Sea," the company said in a blog post. 

According to the report by Proofpoint, written in collaboration with PwC, the group's latest campaign used malicious emails impersonating Australian media organizations, including the fake "Australian Morning News", to lure victims and deliver ScanBox, a reconnaissance and exploitation framework. ScanBox was initially discovered by AlienVault in 2014. 

Further, the researchers also uncovered the phishing campaign targeting media companies, governmental agencies, South China Sea wind turbine operators, and a European manufacturer supplying equipment for the Yunlin Offshore Windfarm in the Taiwan Strait. 

Overall, the Chinese state-backed group "continues pursuing its intelligence-gathering and espionage mission primarily targeting countries in the South China Sea, as well as further intrusions in Australia, Europe, and the United States," the blog post reads.

Hackers Using 'Brute Ratel C4' Red-Teaming Tool to Evade Detection

 

Palo Alto Networks' Unit 42 security researchers have uncovered that Russian state-sponsored hackers are abusing Brute Ratel C4 (BRc4), a recent red-teaming and adversary simulation/penetration testing tool, in active attacks in an attempt to stay under the radar and evade detection.

Unit 42 reported that a malware sample was uploaded to the VirusTotal database on May 19, 2022, in which they found a payload associated with Brute Ratel C4, a relatively new advanced toolkit designed to evade endpoint detection and response (EDR) and antivirus (AV) capabilities. 

"The sample contained a malicious payload associated with Brute Ratel C4 (BRc4), the newest red-teaming and adversarial attack simulation tool to hit the market. While this capability has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated. Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal," Unit 42 wrote in its blog post. 

Unit 42 believes the malicious actors are targeting entities worldwide, with their primary targets in North and South America. 

The researchers issued a warning in which they urged the cybersecurity fraternity to investigate the attack and look in-depth for any sign of malware, including the BRc4 tool. 

Researchers have found that the malicious payloads indicate the involvement of Advanced Persistent Threat group 29 (APT29), also known as The Dukes or Cozy Bear, because the tactics employed were similar to that group's. Cozy Bear is a Russian state-sponsored group that was previously involved in the devastating SolarWinds attacks in 2020.

This commercial software was released in 2020 and has since gained over 480 licenses across 350 customers. BRc4 is equipped with a wide variety of features: process injection, screenshot capture, automation of adversary TTPs, file upload and download, support for multiple command-and-control channels, and the ability to keep memory artifacts concealed from anti-malware engines.

NASA Director Parimal Kopardekar Twitter Handle hacked

 

The Powerful Greek Army group has compromised the Twitter handle of NASA Director Parimal Kopardekar. A spokesperson from the organization said that they reached out to the group that hacked the handle to ask why they targeted the NASA director; the attackers denied any political motivation behind the attack, saying that the security incident was merely for 'fun'. As per the attackers, Kopardekar was chosen on the basis of his 'professional association' with NASA. 

The director asked the group how they hacked the handle, and the group explained that they had found an exploit that allows them to take over Twitter accounts. They further said that they are hacking for fun to demonstrate "that nobody is safe online." 

After getting in touch with the hacker group, Paganini reported that the group had no intention of doing anything malicious with the NASA director’s handle and it could be concluded that it was merely an experiment to test security flaws.

In April 2020, the Powerful Greek Army group breached the Twitter handle of the vice-speaker of the Greek Parliament and KINAL MP, Odysseas Konstantinopoulos. 

“Government we have warned you. Do not lie to your own people again” states one of the messages published by the compromised account, while in another message he posted, he said: “To clarify something. We do NOT have an issue with this one, with the one with whom we have a big issue is the government and its moves. Friendship”. 

The list of victims who have been attacked includes the Nigerian Ministry of Foreign Affairs and Ministry of Finance, Bank of Nigeria, Ministry of Defence Of Azerbaijan, and The National Bank of North Macedonia.

Parimal Kopardekar holds a senior position at NASA in Air Transportation Systems and is the principal investigator for the Unmanned Aircraft Systems Traffic Management project at the NASA Ames Research Center. 

Experts Detail Logging Tool of DanderSpritz Framework Used by Equation Group Hackers

 

Researchers have provided a detailed look at a component called DoubleFeature, which is dedicated to logging the various stages of post-exploitation resulting from the Equation Group's deployment of DanderSpritz, a full-featured malware framework. 

DanderSpritz came to light on April 14, 2017, when a hacker group known as the Shadow Brokers published a release titled "Lost in Translation" that included this tool among others. EternalBlue, an exploit created by the US National Security Agency (NSA) that allowed threat actors to carry out the NotPetya ransomware attack on unpatched Windows PCs, was also included in the leak. 

The tool is a modular, covert, and fully functioning framework for post-exploitation activities on Windows and Linux that depends on dozens of plugins. One of them is DoubleFeature, which serves as a "diagnostic tool for victim machines carrying DanderSpritz," according to Check Point researchers in a new paper released Monday. 

The Israeli cybersecurity firm added, "DoubleFeature could be used as a sort of Rosetta Stone for better understanding DanderSpritz modules, and systems compromised by them. It's an incident response team's pipe dream." 

DoubleFeature is a Python-based dashboard that doubles as a reporting utility to exfiltrate logging information from an infected system to an attacker-controlled server. It's designed to keep track of the types of tools that could be deployed on a target machine. A specific executable named "DoubleFeatureReader.exe" is used to interpret the output. 


Some of the plugins monitored by DoubleFeature include remote access tools called UnitedRake (aka EquationDrug) and PeddleCheap, a stealthy data exfiltration backdoor dubbed StraitBizarre, an espionage platform called KillSuit (aka GrayFish), a persistence toolset named DiveBar, a covert network access driver called FlewAvenue, and a validator implant named MistyVeal that verifies if the compromised system is indeed an authentic victim machine and not a research environment. 

The researchers stated, "Sometimes, the world of high-tier APT tools and the world of ordinary malware can seem like two parallel universes." 

"Nation-state actors tend to [maintain] clandestine, gigantic codebases, sporting a huge gamut of features that have been cultivated over decades due to practical need. It turns out we too are still slowly chewing on the 4-year-old leak that revealed DanderSpritz to us, and gaining new insights."