
Credentials of Major Cybersecurity Vendors Found on Dark Web for $10

Recent findings from dark web marketplaces show that account credentials from many major security vendors are being sold. According to Cyble, the rise of information stealers is largely responsible for this alarming situation, as the credentials of vendors and their clients are compromised. This poses a substantial risk to both vendors and their clients and makes the need for enhanced cybersecurity measures more urgent than ever before. 

These credentials, which can be purchased on cybercrime markets for a mere $10, can grant access to internal accounts, customer systems, and cloud-based environments. This is alarming because the exposure includes internal enterprise accounts and internal development accounts of security companies, posing a severe security threat. 

The best solution would have been to protect these accounts by implementing multifactor authentication (MFA). This would have made it much harder for unauthorized individuals to gain access to these accounts in the first place. It is evident from this incident that there are critical vulnerabilities in access management practices when these protections are not in place or fail, further emphasizing the necessity of robust dark web monitoring as a proactive security measure. 

It is important to detect credential leaks early so that organizations can minimize the risk of such exposures escalating into large-scale cyberattacks, which protects both operational integrity and stakeholder trust. It is important to remember that even the most well-defended organizations face persistent threats and that continuous vigilance is essential to preventing those threats from materializing. This is a very timely report, as Cyble's data focuses on leaks from the current year, highlighting a more urgent threat than old breaches. 

As these accounts are often associated with sensitive management and development interfaces, attackers may be able to use them to conduct reconnaissance, locate sensitive data, and exploit system vulnerabilities. Even multi-factor authentication (MFA) systems are at risk of misuse because of the stolen credentials, which include company email addresses. 

It has been reported that cybersecurity vendors' credentials are becoming increasingly accessible on dark web marketplaces for as little as $10. According to the findings from Cyble, these credentials were likely harvested from information stealer logs and sold in bulk, which indicates that cybercrime targeting sensitive access data has increased significantly in recent years. In a study aimed at examining leaks occurring in 2025, all 14 vendors that were examined had exposed their customers' and internal credentials.

Among these vendors are those that mainly offer enterprise security solutions and cloud security services, as well as consumer security solutions, but Cyble did not reveal the names of the affected vendors because it wanted to protect their identities and emphasize that such a situation poses a serious risk to the integrity of the company as well as client trust. Based on the findings in this study, it is obvious that drastic security measures, as well as comprehensive monitoring, are required to prevent credential theft from occurring in the cybersecurity sector, as the threat of credential theft continues to grow. 

The researchers at Cyble did not attempt to determine whether any credentials were valid. Many of the exposed credentials were associated with easily accessible web console interfaces, single sign-on (SSO) logins, and other web-based account access points. The researchers concluded that these leaks likely affected potentially critical internal systems, such as password managers, authentication systems, and device management platforms, as well as common internet services, such as Okta, GitHub, Amazon Web Services, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle, and Zoom. 

There was an incident in which sensitive internal company accounts, including email addresses, developer interfaces, and product accounts of a large vendor, were exposed, posing significant risks depending on the extent of access granted to these accounts. Even if all the exposed accounts were protected by other means, as ideally they should have been, this leak is concerning for another reason. The leaked accounts can assist threat actors in reconnaissance by providing insight into how a target's systems operate, including the locations of sensitive data and potential vulnerabilities they can exploit.

Leaked credentials can also reveal URLs of management interfaces that are not publicly known, giving attackers further reconnaissance information. Monitoring leaked credentials for essential systems like security tools is necessary to prevent breaches and to hinder hackers from obtaining valuable information about an organization's systems and how to access them. The company stated that, in addition to the direct threats associated with unauthorized access, the exposed credentials could serve as a valuable reconnaissance asset for threat actors. 

Such access can provide attackers with valuable insights into the systems a potential target relies on, including the location of sensitive data and exploitable vulnerabilities, among other things. Infostealers can also uncover critical information that is not publicly disclosed, thus enhancing an attacker's ability to exploit the target's systems. 

As Cyble highlighted in its analysis, these findings have a broader impact on any organization, since even the largest cybersecurity vendors are susceptible to hacking, making any company vulnerable. Several security measures have been identified in the report, including multi-factor authentication (MFA), zero-trust architecture, effective vulnerability management, and network segmentation, as essential to ensuring the security of an organization. 

Several practices can be implemented to reduce the risk of data breaches, ransomware incidents, or other cyberattacks. This report serves as a stark reminder of the pervasive and ever-evolving nature of cyber threats, making it increasingly imperative to take proactive measures to safeguard both organizational integrity and sensitive data in the future. Finally, dark web monitoring has the potential to play a critical role in the fight against cyber threats. 

It enables the detection of credential leaks that often result in significant incidents, such as breaches of sensitive data and ransomware attacks, before they fully materialize. Monitoring compromised credentials associated with critical security tools and systems is crucial in preventing unauthorized access and thwarting threat actors from acquiring critical insights into an organization's infrastructure. Such reconnaissance capabilities have been shown to greatly enhance attackers' effectiveness in exploiting vulnerabilities. This study emphasizes that even the largest cybersecurity vendors are vulnerable to infostealer attacks, demonstrating that no organization can be completely protected from cyberattacks. 
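The monitoring the report calls for, detecting leaked credentials early and prioritizing the ones that matter, is easier to reason about with a concrete triage step. The script below is an added example written for this page, not Cyble's tooling or any vendor's product. It assumes a constructed record layout (`url|username|password|captured_on`, the shape infostealer logs are commonly sold in), a constructed list of high-value hosts drawn from the services named above, and fake sample rows for a fictional `example-vendor.com`. It keeps only the organization's own accounts, ranks SSO and admin consoles without enforced MFA as critical, prefers current-year leaks over stale ones, and never retains the leaked secret itself, only a short hash for deduplication.

```python
"""Triage infostealer-log style credential records against an organization's own
accounts. Constructed example for this page, not Cyble's tooling: the record
layout, the high-value host list and all sample rows are assumptions."""
from dataclasses import dataclass
from urllib.parse import urlparse
import hashlib

# Constructed sample in "url|username|password|captured_on" form; passwords are fake.
SAMPLE_LOG = """\
https://example-vendor.okta.com/login|alice@example-vendor.com|Hunter2!|2025-03-02
https://github.com/login|bob@example-vendor.com|ghp-placeholder|2025-01-14
https://login.microsoftonline.com/|carol@example-vendor.com|Winter2024|2023-11-30
https://shop.unrelated.example/account|dave@gmail.com|pw123|2025-02-01
https://console.aws.amazon.com/|ops@example-vendor.com|Aws!Root|2025-04-09
"""

# Services the page lists as commonly exposed access points (assumed host names).
HIGH_VALUE_HOSTS = {
    "github.com",
    "login.microsoftonline.com",
    "console.aws.amazon.com",
    "login.salesforce.com",
}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    user: str
    host: str
    captured_on: str
    severity: str
    reason: str
    password_ref: str  # truncated hash so analysts can dedupe without seeing the secret


def password_ref(password: str) -> str:
    """Never store or display the leaked secret; a short hash is enough to dedupe."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def parse_records(text: str):
    for line in text.strip().splitlines():
        url, user, pw, captured = line.split("|")
        yield url, user, pw, captured


def triage(log_text: str, org_domains: set, sso_suffix: str,
           mfa_enforced_hosts: set, current_year: int) -> list:
    """Rank leaked records: org accounts only, consoles first, current-year leaks
    ahead of stale ones, and consoles without enforced MFA as critical."""
    findings = []
    for url, user, pw, captured in parse_records(log_text):
        host = (urlparse(url).hostname or "").lower()
        user_domain = user.rsplit("@", 1)[-1].lower()
        if user_domain not in org_domains:
            continue  # someone else's account; not this org's exposure
        high_value = host.endswith(sso_suffix) or host in HIGH_VALUE_HOSTS
        recent = captured.startswith(str(current_year))
        if high_value and host not in mfa_enforced_hosts:
            severity, reason = "critical", "admin/SSO console without enforced MFA"
        elif high_value:
            severity, reason = "high", "admin/SSO console; MFA enforced, verify no bypass occurred"
        elif recent:
            severity, reason = "medium", "current-year leak of an org account"
        else:
            severity, reason = "low", "older leak; confirm the password was rotated"
        findings.append(Finding(user, host, captured, severity, reason, password_ref(pw)))
    # Most severe first; within a tier, oldest exposure first so it is closed soonest.
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.captured_on))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, {"example-vendor.com"}, ".okta.com",
                    {"login.microsoftonline.com"}, 2025):
        print(f.severity.upper(), f.user, f.host, f.captured_on, "-", f.reason)
```

The design choice worth noting is that validity is never tested against the live service (Cyble did not do so either); the ranking is driven purely by which system the credential unlocks and whether a second factor stands in front of it, which is the same reasoning the report uses to call the no-MFA cases the most serious.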

To combat these risks, foundational cybersecurity measures, including multi-factor authentication (MFA), zero-trust architecture, vulnerability management, and network segmentation, are imperative to prevent cyber threats from materializing. Such strategies play a pivotal role in minimizing the risk of cyberattacks while effectively mitigating their potential consequences. This highlights the critical need for organizations to adopt a proactive, multi-layered cybersecurity approach. By doing so, they can bolster their resilience and safeguard their assets against the ever-evolving challenges of today's complex threat environment.

Cyber Threat Alert for South Korea from North Korean Hackers

In a recent cyber-espionage campaign targeted at the United States, North Korean state-linked hacker ScarCruft recently exploited a zero-day vulnerability in Internet Explorer to distribute RokRAT malware to targets nationwide. APT37, or RedEyes as it is sometimes called, is one of the most notorious North Korean state-sponsored hacking groups, and its activities are thought to be aimed at cyber espionage. 

The group typically focuses on South Korean human rights activists, defectors from the country, and political entities in Europe. Separately, an unknown threat actor with ties to North Korea has been observed delivering a previously undocumented backdoor and remote access Trojan (RAT) called VeilShell as part of a campaign targeted at Cambodia and potentially other Southeast Asian countries, including Indonesia, Malaysia, and Thailand. 

Known to Securonix as SHROUDED#SLEEP, the activity is believed to have been carried out by APT37, which is also known as InkySquid, Reaper, RedEyes, Ricochet Chollima, Ruby Sleet, and ScarCruft as well as several other names. ScarCruft, also known as APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, and Ricochet Chollima, is a state-sponsored cyber-espionage threat group that almost entirely targets South Korean individuals and organizations. 

It delivers customized tools via spear phishing, watering holes, and Internet Explorer zero-days. AhnLab has reported that APT37 compromised one of the servers of a domestic advertising agency in order to push specially crafted 'Toast ads' through an unidentified free software product that is widely used by South Koreans. These advertisements were rendered by Internet Explorer's JavaScript9.dll (Chakra) engine, and the CVE-2024-38178 flaw in that file allowed a JavaScript file named 'ad_toast' to trigger remote code execution.

There is a deep correlation between the malware dropped in this attack and RokRAT, which ScarCruft has been using for years. In essence, RokRAT's primary function is to exfiltrate, every 30 minutes, files matching 20 extension types (including .doc, .mdb, .xls, .ppt, .txt, and .amr) to Yandex cloud instances. It also logs keystrokes, monitors the clipboard for changes, and captures screenshots every three minutes. 
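The collection behaviour just described (one process reading many document types, then uploading to a consumer cloud host on a fixed 30-minute cadence) is a pattern a host sensor can flag without any signature. The script below is an added example for this page, not AhnLab's, Check Point's, or any vendor's detection logic. It assumes a constructed telemetry format (`timestamp|pid|kind|detail`), an assumed list of cloud-storage hosts, and constructed sample events in which one process shows the RokRAT-like pattern, one is a backup job that posts irregularly, and one is a single ad-hoc upload.

```python
"""Behavioural detection sketch for the RokRAT collection pattern the page
describes. Added example, not vendor detection content: the event format,
cloud host list, thresholds and sample telemetry are all constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Extensions the page names as part of RokRAT's target set (a subset of the 20).
WATCHED_EXT = {".doc", ".mdb", ".xls", ".ppt", ".txt", ".amr"}
# Hosts treated as consumer cloud storage. Assumed list; extend for the environment.
CLOUD_HOSTS = {"cloud-api.yandex.net", "api.dropboxapi.com"}

# Constructed telemetry: "timestamp|pid|kind|detail"; kind is file_read or net_post.
EVENTS = """\
2024-05-01T08:58:10|4120|file_read|C:/Users/kim/Documents/budget.xls
2024-05-01T08:58:11|4120|file_read|C:/Users/kim/Documents/minutes.doc
2024-05-01T08:58:12|4120|file_read|C:/Users/kim/Documents/notes.txt
2024-05-01T08:58:13|4120|file_read|C:/Users/kim/Documents/brief.ppt
2024-05-01T09:00:00|4120|net_post|cloud-api.yandex.net
2024-05-01T09:30:05|4120|net_post|cloud-api.yandex.net
2024-05-01T10:00:02|4120|net_post|cloud-api.yandex.net
2024-05-01T10:31:00|4120|net_post|cloud-api.yandex.net
2024-05-01T09:01:00|880|file_read|C:/backup/log1.txt
2024-05-01T09:02:00|880|file_read|C:/backup/log2.txt
2024-05-01T09:05:00|880|net_post|cloud-api.yandex.net
2024-05-01T09:12:00|880|net_post|cloud-api.yandex.net
2024-05-01T09:50:00|880|net_post|cloud-api.yandex.net
2024-05-01T09:20:00|2200|file_read|C:/Users/kim/Desktop/todo.txt
2024-05-01T09:21:00|2200|net_post|api.dropboxapi.com
"""


def parse(text):
    for line in text.strip().splitlines():
        ts, pid, kind, detail = line.split("|")
        yield datetime.fromisoformat(ts), int(pid), kind, detail


def detect(text, min_ext_kinds=3, period_minutes=30, tolerance_minutes=2, min_posts=3):
    """Flag a pid that touched several watched document types AND posted to a cloud
    host at a near-constant interval close to period_minutes."""
    exts = defaultdict(set)      # pid -> set of watched extensions read
    posts = defaultdict(list)    # pid -> timestamps of cloud uploads
    for ts, pid, kind, detail in parse(text):
        if kind == "file_read":
            ext = "." + detail.rsplit(".", 1)[-1].lower() if "." in detail else ""
            if ext in WATCHED_EXT:
                exts[pid].add(ext)
        elif kind == "net_post" and detail in CLOUD_HOSTS:
            posts[pid].append(ts)

    hits = []
    for pid, times in posts.items():
        if len(times) < min_posts or len(exts[pid]) < min_ext_kinds:
            continue  # too little breadth or too few uploads to call it collection
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        if all(abs(g - period_minutes) <= tolerance_minutes for g in gaps):
            hits.append({
                "pid": pid,
                "ext_kinds": sorted(exts[pid]),
                "posts": len(times),
                "mean_gap_min": round(mean(gaps), 1),
            })
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print("periodic document exfiltration pattern:", hit)
```

The two conditions are deliberately combined: a backup agent also uploads on a schedule, and a user also opens many document types, but a single process doing both, with the cadence the page reports, is worth an analyst's attention. The 30-minute period and the two-minute tolerance are parameters, so the same routine can be pointed at the three-minute screenshot cadence by passing a different `period_minutes`.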

In July 2022, ScarCruft, a North Korean threat actor, began experimenting with oversized LNK files as a delivery route for RokRAT malware, just a couple of months after Microsoft began blocking macros by default across several Office document types. Check Point has released a new report on its technical analysis of RokRAT that concludes that the malware has not changed significantly over the years, but the deployment method has evolved. RokRAT now uses archives that contain LNK files, resulting in infection chains that move through multiple stages. 

This round of activity is another indication of a major trend in the threat landscape, in which both APTs and cybercriminals try to overcome the restriction on macros coming from untrusted sources. Having made the news in the past few days, a new campaign with the intriguing name "Code on Toast" has raised serious concerns about the vulnerability of software still embedded in widely used systems, even after the retirement of Internet Explorer. According to a joint report by the National Cyber Security Center (NCSC) of South Korea and AhnLab (ASEC), the incident occurred earlier this year. 

The campaign was delivered in a unique way: malware infections were spread through toast pop-up ads, the small notifications that appear when antivirus software or free utilities are running. After ScarCruft compromised the server of a domestic ad agency in South Korea, a malicious "toast ad" made by ScarCruft was sent to many South Korean users through a popular, yet unnamed, free piece of software. 

ScarCruft's attack relied on exploiting a zero-day Internet Explorer vulnerability, CVE-2024-38178, with a severity rating of 7.5. The flaw is a memory corruption bug in the Scripting Engine that can result in remote code execution for Edge users browsing in Internet Explorer mode. Microsoft patched this vulnerability in its August 2024 Patch Tuesday update. 

By using toast notifications, typically harmless pop-up ads from anti-virus software or utility programs, the group silently delivered malware through a zero-click infection method. Ordinarily, successful exploitation of such a vulnerability would require an attacker to convince a user to click on a specially crafted URL in order to initiate the execution of malicious code. 

ScarCruft's use of such advanced techniques clearly emphasizes the need for South Korea's digital landscape to remain protected from such threats in the future. It is unfortunate that, no matter how much effort is put into phasing out outdated systems, vulnerabilities in legacy components like Internet Explorer continue to cause problems. Although Microsoft announced it would retire Internet Explorer at the end of 2022, many of the browser's components remain in Windows or are used by third-party products, allowing threat actors to find new vulnerabilities and exploit them for their purposes. This campaign reminds organizations of the importance of prioritizing security updates and maintaining robust defences against increasingly sophisticated, government-backed cyber threats.

T-Mobile System Intrusion Tied to Chinese Cyber Threat

T-Mobile Corporation has confirmed that it has been a victim of cyber-espionage campaigns launched against telecom companies for a long time. T-Mobile is the latest telecommunications company to report being affected by a large-scale cyber-espionage campaign waged by state-sponsored hackers in China. 

There has been some confusion as to whether the breach involves customer data or critical systems. However, T-Mobile has maintained that there has been no significant impact on its customers' data and critical systems. This breach is part of a larger attack on major telecom providers, raising questions regarding the security of critical communications infrastructure around the world. 

It has been reported that the FBI and CISA are pursuing investigations into a massive cyber-espionage campaign perpetrated by Chinese-linked threat actors that targeted U.S. telecommunications, stealing call records and accessing private communications of government officials and political figures by compromising networks. 

U.S. intelligence agencies confirmed that Chinese threat actors had penetrated the private communications of a "limited number" of government officials after several U.S. broadband providers had been compromised. 

The cyber spies also stole personal information belonging to the targeted individuals, including information gathered under court orders and search warrants issued to the United States government. In a separate report, ESET's APT Activity Report for the period between April and September 2024 describes an intrusion team that used the World Expo scheduled to take place in Osaka, Japan in 2025 as a lure.

Despite this new geographical target, MirrorFace continues to focus on Japanese people and events, proving its dedication to Japan and its related events. MirrorFace, along with Earth Kasha, is among the clusters categorized under an umbrella group called APT10, which also includes the clusters classified as Earth Tengshe and Bronze Starlight. 

The group has been targeting Japanese organizations since at least 2018, and a new campaign observed in early 2023 expanded its operations to Taiwan and India, though it remains focused on the Japanese market. Over its history, the hacking crew has evolved from a few backdoor programs, namely ANEL (a.k.a. Uppercut), LODEINFO, and NOOPDOOR (also known as HiddenFace), to an arsenal that now consists of backdoors and credential stealers such as MirrorStealer and ANEL. 

Having said that, it is important to note that T-Mobile's cybersecurity practice has recently been subjected to massive criticism, since the company has experienced a number of data breaches in recent years. As part of its $31.5 million settlement with the FCC over previous breaches, half of the sum was earmarked for improving its security infrastructure. The repeated data breaches at T-Mobile, which is owned by Deutsche Telekom, have been one of the most challenging aspects of the company's recent history. 

According to the company, the August 2021 data breach affected 49 million T-Mobile account holders, although the hackers claimed to have stolen data from 100 million users on the network. T-Mobile says it is actively monitoring the situation and working closely with government officials to investigate the breach and prevent any further issues. Currently, there is no evidence that the privacy, security, or functionality of its customers' services has been harmed, and the firm maintains that no harm has been caused. 

The company says it is paying close attention to this industry-wide attack. "Due to the security controls in our network structure, and the diligent monitoring and response of our systems, T-Mobile has not witnessed any significant impact on its data or systems. As far as we are aware, no evidence has been found that the company's customer or other sensitive information has been accessed or exfiltrated, as may have occurred at other companies. 

The situation will be closely monitored by industry peers as well as the relevant authorities, and we will work with them to resolve it.” A recent incident at T-Mobile has come at a time when the company is expanding its cyber-security practices to combat these threats. In February of this year, the company settled a $31.5 million lawsuit with the Federal Communications Commission, more than half of which was devoted to improving security infrastructure as a result of its prior breaches. 

The T-Mobile Security breach is a prime example of the unique challenges that face the telecommunications sector, which is classified as critical infrastructure under federal law because of its importance to the nation. As an upstream provider of information and communications, telecommunications companies play a vital role in healthcare, government, and the private sector, allowing everything from emergency services to business transactions to personal connectivity to take place. 

Therefore, these networks are prime targets for state-sponsored cyber campaigns that seek to exploit their role in facilitating sensitive communications. There has been a disturbing shift in cyber-espionage tactics over the past few years. Attackers like Salt Typhoon take advantage of wiretap systems and sensitive communication channels to steal data and compromise the integrity of systems and networks vital to national security efforts. 

In a new analysis published on November 19, 2024, Trend Micro found that the MirrorFace actor was exploiting vulnerabilities in public-facing enterprise products, namely Array AG (CVE-2023-45727), Proself (CVE-2023-45727), and FortiOS/FortiProxy (CVE-2023-45727), for initial access. "After gaining access, they installed several backdoors within the victim's network to achieve persistence," said security researcher Hara Hiroaki. Among these are Cobalt Strike and LODEINFO, as well as NOOPDOOR, which was discovered last year. 

NOOPDOOR is a sophisticated and complex implant that is decrypted and launched by a shellcode loader named NOOPLDR. It includes built-in functions, in addition to modules, for uploading and downloading files, running additional programs, and communicating with an attacker-controlled server either actively or passively. Hiroaki noted that the active and passive modes use different encryption algorithms and different backdoor commands, so the two channels are completely independent of one another.

Wi-Fi Exploit Enables Russian Hackers to Breach US Business

A sophisticated cyberattack was carried out by a Russian state-sponsored group, believed to be APT28 (Fancy Bear), which remotely exploited a large U.S. enterprise's Wi-Fi network. The breach was first detected by cybersecurity firm Volexity on February 4, 2022, and targeted a Washington, DC-based organization working on projects related to Ukraine. 

A group of Russian hackers, reportedly linked to Russia's GRU military intelligence, managed to gain access to the wireless network through a password-spraying attack on another service, which allowed them to obtain the credentials needed to connect. The Russian state-sponsored hackers known as "APT28" have exploited a novel attack technique called 'nearest neighbour attack' to penetrate a U.S. company's enterprise WiFi network to spy on employees' activity. 

Although the hackers were thousands of miles away, they could compromise an organization nearby, within Wi-Fi range of the target, and use it as a pivot to reach their destination. Security firm Volexity detected the attacks on February 4, 2022, having monitored the hackers, codenamed 'GruesomeLarch', for many weeks beforehand. 

APT28, which is associated with the General Staff's Main Intelligence Directorate (GRU) and is part of the Russian military's Unit 26165, has been conducting cyber operations since at least 2004. Using a hijacked device in a neighbouring building across the street, the Russian state-sponsored hackers were able to log into a Wi-Fi network in the United States without ever leaving their country of residence. 

Volexity, a security vendor, documented a rare hacking technique that it calls the "Nearest Neighbor Attack." The company discovered the incident in January 2022, when an unnamed customer, referred to as Organization A, suffered a system hack. Initially, the attackers, whom Volexity tracks as GruesomeLarch, obtained valid credentials for the target's enterprise Wi-Fi network through a password-spraying attack against the victim's public-facing services. 

Nonetheless, the presence of one-time password (OTP) protection meant that the credentials could not be used to access the public web-based services. Connecting to the enterprise's Wi-Fi network did not require MFA; however, being "thousands of miles away from the victim and behind an ocean" posed a significant obstacle. This prompted the attackers to look for nearby buildings that could serve as pivots to the target wireless network. 

APT28 compromised multiple organizations as part of this attack and daisy-chained its connection between them using legitimate access credentials. At the end of this effort, they found a device within range of three wireless access points located near the windows of the victim's conference room. 

An unprivileged account used over a remote desktop connection (RDP) allowed the threat actor to move around the target network from one point to another, searching for systems of interest and exfiltrating sensitive information from them. The hackers dumped three Windows registry hives: SAM, Security, and System. These hives were compressed into a ZIP archive and then exfiltrated using a script named 'servtask.bat'. 

They most often collected data with native Windows tools, which minimized their footprint. Volexity's analysis also identified that GruesomeLarch was actively targeting Organization A in order to collect data from individuals and projects active in Ukraine. Although Volexity was initially unable to confirm an association between the attacker and any known threat actor, a subsequent report by Microsoft pointed to indicators of compromise (IoCs) that matched what Volexity had observed, indicating that the Russian threat group was responsible. 

Microsoft's cybersecurity report indicates that it is highly likely that APT28 was able to escalate privileges before launching critical payloads within a victim's network by exploiting the CVE-2022-38028 vulnerability in the Windows Print Spooler service within the victim's network. This is a zero-day vulnerability in Windows. 

With the nearest neighbour technique, APT28 demonstrated that close-access operations, which are usually performed at close range, can be executed from a distance, eliminating the risk of the operators being identified or physically apprehended. Even though internet-facing devices have benefited from increasing security over the past year, thanks to multi-factor authentication and other added protections, corporate Wi-Fi networks have largely remained unprotected over the same period.

Overly Complex Passwords Could Weaken Security Measures

The creation and use of passwords is one of the areas where websites and mobile apps lay down rules for making them as safe as possible. However, a federal agency thinks some of the requirements do more harm than good to the industry. 

A new proposal from the National Institute of Standards and Technology (NIST) sets out guidelines to protect people's digital identities from fraud. One of them is dropping certain password requirements that cybersecurity experts have long considered obsolete. Services would no longer need to require special characters, like "%" and "$," in passwords, nor ask users security questions such as the name of their first pet.

First and foremost, it is important to understand why changing a password every six months is not only ineffective but can make it more difficult to secure users' accounts. When people are forced to change their passwords every few months, they tend to choose the path of least resistance by simply changing a couple of characters within their existing password rather than picking a genuinely new one. This makes the new password easier to remember, but it also means that hackers who have already accessed a user's system, or who have run into a password the user used before, can easily guess the new one. 

The rules that passwords must combine different character types and must be changed regularly are no longer best practices for password management. This is based on new guidelines released by the United States National Institute of Standards and Technology (NIST), which is charged with developing guidelines that assist organizations in keeping their data safe. The second public draft of NIST's Digital Identity Guidelines (SP 800-63-4), which appeared in September 2024, is the latest version that has been published.

For security purposes, it is much better to use strong, unique passwords for each account than to rotate them. Such passwords can use any mix of letters and numbers, rather than dictionary words that an automated attack program can pick up. Furthermore, users should make sure they don't use variations on a theme in the passwords they create (such as "password1" followed by "password2"). 

Users who are serious about their security should always use passphrases instead of traditional passwords, since passphrases are much harder for attackers to guess. For those who don't want to remember all of their strong, unique passwords, it is recommended to use a password manager like NordPass. 

Under the new guidance, a password's length, rather than its complexity, is the more straightforward measure of whether it is effective. Many online services require users to create passwords that mix character types; however, several analyses of breached password databases have found that such rules have less effect than initially thought. Given the vast number of online accounts a user manages, maintaining a unique password for every single one can still be a daunting task, even when the passwords are kept short and memorable. 
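The NIST position summarized in the preceding paragraphs (length over composition rules, a blocklist of known-bad passwords, and no trivial variations on the previous password) fits in a small acceptance check. The code below is an added example for this page, not NIST's reference implementation or any product's policy engine. The numeric thresholds (minimum 8 characters, 15 recommended, at least 64 accepted) are my reading of the SP 800-63-4 draft and should be confirmed against the published text; the blocklist and the context-specific words are constructed samples.

```python
"""Password acceptance check in the spirit of the NIST SP 800-63-4 draft the
page describes. Added example, not NIST's code: the length thresholds are my
reading of the draft (assumed), the blocklist is a constructed sample."""
import re
import unicodedata
from typing import Optional

MIN_LEN = 8          # assumed: draft minimum
RECOMMENDED_LEN = 15 # assumed: draft recommendation
MAX_LEN = 64         # assumed: verifiers must accept at least this many characters

# Constructed blocklist: breached/common passwords plus organization-specific words.
BLOCKLIST = {"password", "password1", "qwerty", "letmein", "welcome", "123456", "examplecorp"}


def normalize(pw: str) -> str:
    """NFKC so visually identical Unicode forms compare equal; spaces are allowed."""
    return unicodedata.normalize("NFKC", pw)


def _stem(pw: str) -> str:
    """Drop trailing digits/symbols and lowercase: 'Password2!' -> 'password'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_variation(new: str, old: Optional[str]) -> bool:
    """True for the 'password1 -> password2' pattern: same stem with a different
    trailing number/symbol, or same length with at most two characters swapped."""
    if not old:
        return False
    new_l, old_l = new.lower(), old.lower()
    if _stem(new_l) == _stem(old_l):
        return True
    if len(new_l) == len(old_l):
        return sum(a != b for a, b in zip(new_l, old_l)) <= 2
    return False


def check_password(candidate: str, previous: Optional[str] = None,
                   context_words=()) -> dict:
    """Accept on length and blocklist only. Deliberately no composition rule:
    no required digits, symbols or mixed case, per the guidance above."""
    pw = normalize(candidate)
    low = pw.lower()
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if low in BLOCKLIST or _stem(low) in BLOCKLIST:
        problems.append("on blocklist (breached or common)")
    for word in context_words:
        if word.lower() in low:
            problems.append(f"contains context-specific word '{word}'")
    if previous and is_variation(pw, normalize(previous)):
        problems.append("trivial variation of previous password")
    return {
        "accepted": not problems,
        "problems": problems,
        "meets_recommended_length": len(pw) >= RECOMMENDED_LEN,
    }


if __name__ == "__main__":
    print(check_password("correct horse battery staple"))
    print(check_password("Password2!", previous="Password1!"))
```

Note what the check does not do: it never demands a digit or symbol, and it never expires a password on a schedule. The variation test only has something to compare against when the user is changing a password, which is exactly the situation in which the page says people reach for "a couple of characters" changes. In a real deployment the blocklist would be a large breached-password corpus rather than a seven-entry set.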

Password managers can play a very important role in preventing this from happening. In addition to this, this type of tool also achieves the goal of archiving all passwords in an encrypted vault that users can access securely, so they don't need to worry about forgetting all their passwords for every account. When a password manager is installed, the user only needs to remember one strong password to access their vault, thus streamlining their online security as well as reducing the risk associated with reusing passwords. 

The password manager is also capable of creating secure, long passwords for the user on their behalf, thereby further enhancing their level of security. It is of course vital to have robust passwords, but they are merely one of the layers of security that must be considered. There are several reasons why two-factor authentication (2FA) may be a viable authentication method. One of these is the fact that it requires a second verification method, such as a code sent to the mobile phone of the user or an authentication app, before giving the user access to their account. 

Even if a hacker has managed to obtain a user's password, 2FA prevents them from gaining access to the account with the password alone. This makes it much more difficult for hackers to breach users' accounts even when some passwords are compromised. One of the biggest mistakes people make when creating passwords is selecting easy-to-guess personal information. 

Such information could be a name, a birth date, or the name of a favourite sports club. These details are often available through social media platforms or public records, which makes them a convenient starting point for cybercriminals attempting to get into accounts. To minimize this risk, it is strongly recommended that personal details be avoided altogether when creating passwords. 

Instead, users should create complex and unpredictable passwords that are significantly harder for attackers to guess, thereby providing a higher level of security. Another critical mistake is storing passwords in plain text on personal devices. Some individuals may resort to saving passwords in unprotected documents for the sake of convenience, without considering the significant security risks involved. If the device is compromised, these plain text files can be easily accessed, leaving sensitive information vulnerable to unauthorized users. 

A safer alternative is to use password management software, which securely stores passwords while also encrypting them. This adds an essential layer of security and ensures that even if the device is breached, the stored passwords remain protected. It is also crucial for users to pay attention to security notifications issued by websites and online services. These alerts are often triggered by unusual or suspicious activity and serve as an early warning system for potential security breaches. Unfortunately, such warnings are frequently ignored or overlooked, which can leave accounts exposed to further exploitation.

By promptly addressing these notifications, individuals can take immediate action, such as changing passwords or enabling additional security measures, to mitigate the threat before it escalates. Lastly, neglecting to regularly update software and applications can lead to unnecessary security vulnerabilities. Software updates frequently contain critical security patches designed to address newly discovered threats.

By failing to install these updates promptly, individuals leave themselves susceptible to attacks that could have been prevented. Maintaining up-to-date software is an essential practice for ensuring the latest security features are in place, reducing the chances of a successful cyberattack.

Urgent Call for EPA Cyber Strategy to Safeguard Water Infrastructure

A new watchdog report published by the US government's Environmental Protection Agency says the EPA must develop a comprehensive plan of action to counter the increasing number and sophistication of cybersecurity threats facing water utilities. In the last few years there have been many cyberattacks against water treatment plants, sewage plants and other infrastructure across the globe. 

A report by the Government Accountability Office indicates that the water industry as a whole has struggled to deal with the problem through voluntary security initiatives and has pushed back against new mandates issued by the Environmental Protection Agency. The EPA and other government agencies are called upon to do more to assess and identify the full extent of the cyber risks facing the water and wastewater sectors, including developing a national strategy and conducting a cyber risk assessment. 

Several high-profile hacking incidents over the past few years have raised concerns about the ability of the country's drinking water and wastewater treatment industries to maintain their security, and the Biden administration has prioritized those industries as a result. In March, the White House and the Environmental Protection Agency urged state officials to provide information on how well prepared water utilities were to deal with increasingly prevalent cyber risks. 

Concerns remain, expressed by EPA officials, that the data will not be integrated into a comprehensive strategy that would make the information effective. When Harry Coker Jr., the National Cyber Director, delivered a speech in Washington, D.C., in May, he said that he planned for the EPA to increase technical assistance for public water systems and for the Department of Agriculture to invest in programs for rural water utilities as part of the water safety reforms. 

The GAO report, released last week, stated that the EPA was working on plans to strengthen federal assistance to the water industry based on the report's findings. An auditing program for water utilities launched by the Environmental Protection Agency (EPA) in 2023 to increase their cyber resilience has since been revoked after a state challenge was filed. 

"The Environmental Protection Agency remains committed to providing cybersecurity technical assistance to the water sector, and we will continue to work together with our federal partners to find all the ways we can to better protect the nation's drinking water and wastewater systems," the agency said in a press release.

Security Nightmare with Hackers Releasing 1,000 Crore Passwords in Major Breach

Cyber-security breaches are becoming more and more prevalent, and this is causing a great deal of public concern. A report by Semafor claims that a file containing nearly 10 billion (1,000 crore) passwords has been leaked on an online hacking forum. The incident, which took place on July 4th, is regarded as one of the largest cyber-security breaches ever recorded. The report highlighted that the massive leak could be used to carry out credential stuffing attacks. 

Credential stuffing is a type of cyberattack in which hackers take usernames and passwords stolen in several data breaches and use them to gain access to other accounts owned by the same individuals. A significant increase in cyberattacks and malicious attempts to steal data over the past five years has turned the probability of financial harm into a worldwide problem, not only for individual citizens but also for governments and financial institutions around the globe. 

Cybersecurity reports state that around 10 billion passwords belonging to various people, whether for social media accounts or for email accounts, have been made public on global forums. There is no doubt that this was one of the biggest data breaches in history. 

The Semafor news website reports that the file of around 10 billion (1,000 crore) passwords, compiled by an anonymous hacker, was leaked via online hacking forums. The compilation, which combines several old and new password breaches, was uploaded to the internet on July 4 and is one of the largest leaks seen to date. According to the Semafor report, this massive leak has increased the risk of credential-stuffing attacks. 

Because the leak takes the form of a single searchable file, hackers will have an easier time discovering user data. Credential stuffing occurs when hackers use a compromised password to access multiple accounts belonging to the same user as soon as that password is exposed. For example, it may be possible to break into user A's bank account using the same password they use for their email. 
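From the defender's side, the pattern credential stuffing leaves in an authentication log is distinctive: one source address tries many different usernames in a short time, most attempts fail, and the occasional success is the account that was reused. The following detector is an added example, not code from the original post or from Semafor; the log format and the sample events (documentation-range IP addresses, made-up usernames) are constructed for the example. It deliberately does not flag a single account failing repeatedly, which is password guessing rather than stuffing and needs a different response:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of authentication events. Source 203.0.113.7 cycles through eight
# accounts in seconds and lands one success (the stuffing pattern); 198.51.100.5 is a
# user mistyping their own password; 198.51.100.9 hammers one account (guessing, not stuffing).
SAMPLE_LOG = """
2024-07-05T10:00:01+00:00 ip=203.0.113.7 user=alice result=fail
2024-07-05T10:00:02+00:00 ip=203.0.113.7 user=bob result=fail
2024-07-05T10:00:02+00:00 ip=203.0.113.7 user=carol result=fail
2024-07-05T10:00:03+00:00 ip=203.0.113.7 user=dave result=fail
2024-07-05T10:00:04+00:00 ip=203.0.113.7 user=erin result=fail
2024-07-05T10:00:05+00:00 ip=203.0.113.7 user=frank result=fail
2024-07-05T10:00:06+00:00 ip=203.0.113.7 user=grace result=ok
2024-07-05T10:00:07+00:00 ip=203.0.113.7 user=heidi result=fail
2024-07-05T10:03:10+00:00 ip=198.51.100.5 user=bob result=fail
2024-07-05T10:03:25+00:00 ip=198.51.100.5 user=bob result=fail
2024-07-05T10:03:40+00:00 ip=198.51.100.5 user=bob result=ok
2024-07-05T10:05:00+00:00 ip=198.51.100.9 user=dave result=fail
2024-07-05T10:05:01+00:00 ip=198.51.100.9 user=dave result=fail
2024-07-05T10:05:02+00:00 ip=198.51.100.9 user=dave result=fail
2024-07-05T10:05:03+00:00 ip=198.51.100.9 user=dave result=fail
2024-07-05T10:05:04+00:00 ip=198.51.100.9 user=dave result=fail
2024-07-05T10:05:05+00:00 ip=198.51.100.9 user=dave result=fail
""".strip().splitlines()

# Assumed line format: "<iso timestamp> ip=<addr> user=<name> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed event, or None so malformed lines are skipped, not crashed on."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "ok",
    }


def detect_credential_stuffing(lines, min_users: int = 5, min_fail_rate: float = 0.5,
                               window_seconds: int = 600) -> dict:
    """Flag source IPs that touch >= min_users distinct accounts within window_seconds
    with a failure rate >= min_fail_rate. Returns a per-IP summary, including which
    accounts the source actually got into (those need forced password resets)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        users = {r["user"] for r in recs}
        fails = sum(1 for r in recs if not r["ok"])
        fail_rate = fails / len(recs)
        if len(users) >= min_users and fail_rate >= min_fail_rate and span <= window_seconds:
            findings[ip] = {
                "attempts": len(recs),
                "distinct_users": len(users),
                "fail_rate": round(fail_rate, 2),
                "compromised": sorted(r["user"] for r in recs if r["ok"]),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The thresholds are starting points to tune against a real login volume; the key design choice is counting distinct usernames per source rather than raw failures, which is what separates a stuffing run from a forgetful user or a single-account guessing attempt.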

Cyber-news reports that credential stuffing attacks have compromised users across various platforms, including AT&T, Santander Bank, Ticketmaster, 23andMe and several other companies. The report also noted, citing a report by the International Monetary Fund (IMF) and a study published in The Lancet, that the number of malicious cyberattacks has doubled globally since 2020, with the financial industry (20,000 cyberattacks since 2020) and the health sector being hit hardest. 

The size of the leak has, however, provided some relief for worried netizens: some analysts have suggested that, because of its sheer size, the file may not be usable in practice. The report notes that the likelihood of cyberattacks is not heightened simply because more passwords have been leaked, but the leak does of course highlight the "glaring holes" in the security systems in place.

China-Linked Hackers Breach East Asian Firm for 3 Years via F5 Devices

A suspected China-based cyber espionage actor has been attributed a prolonged campaign, lasting approximately three years, against an unnamed organization based in East Asia. The adversary allegedly established persistence using legacy F5 BIG-IP appliances, which served as its command-and-control infrastructure and helped it evade defences. Cybersecurity company Sygnia, which responded to the intrusion in late 2023, tracks the activity as Velvet Ant. 

Based on their observations, Velvet Ant is characterized by its ability to pivot and adapt its tactics to counter repeated eradication attempts. Sygnia researchers explained in a blog post on June 17 that F5 BIG-IP load balancer appliances are often placed at the perimeter of a network or between its segments, where they are generally trusted. 

To gain access to sensitive data, Velvet Ant was seen using a range of tools and techniques, including the PlugX remote access trojan (RAT), deployed as a dormant persistence mechanism on unmonitored systems. The threat actor is believed to have installed PlugX using DLL search order hijacking, DLL sideloading and phantom DLL loading, and to have tampered with the installed security software. The group showed a high level of operational security (OPSEC) awareness by not installing the malware on a workstation that had been configured to disable security software. 

Velvet Ant also made use of the open-source Impacket suite for remote code execution and lateral tool transfer on compromised machines, and created firewall rules to allow access to the command-and-control (C&C) server. After Sygnia believed it had eliminated the threat actor from the victim's network, the actor was observed infecting new machines with PlugX samples reconfigured to use an internal server as their command-and-control server, channelling the malware's external communication through that internal server. 

Researchers said attackers can gain considerable control over network traffic if they manage to compromise a device of this kind without raising suspicions. The researchers said Velvet Ant used a variety of tools and techniques typically associated with Chinese state-sponsored threat actors. Characteristics of the attacks included a clear understanding of the target, a focus on network devices, exploitation of vulnerabilities, and a toolkit that included rootkits, PlugX and the ShadowPad family of malware. 

They also included the use of DLL side-loading methods. Researchers have suggested that Velvet Ant is able to reach sensitive data as a result of its cleverness and slippery nature. The threat actor quickly pivoted from one foothold to another after each was discovered and remediated, demonstrating agility and adaptability in evading detection. It also demonstrated a detailed understanding of the victim's network infrastructure, exploiting various entry points across it and showing comprehensive knowledge of the target. 

During their investigation Sygnia uncovered a modified version of PlugX in which malicious traffic was blended with legitimate network activity to avoid detection. Alongside it, another variant with an external command-and-control server for exfiltration was deployed; this version targeted only endpoints with direct internet access. For other endpoints that had network access but lacked direct web connectivity, the second variant exploited vulnerabilities in outdated F5 BIG-IP devices and used a reverse SSH tunnel to maintain communication with an external server. 

A forensic examination of the compromised F5 devices revealed a variety of tools, including PMCD, which communicated periodically with the threat actor's command-and-control server, network packet capture tools, and a SOCKS tunnelling tool called EarthWorm, which has in the past been associated with espionage groups such as Gelsemium and Lucky Mouse. It remains unclear how the attacker initially gained access to the restricted system, whether through spear-phishing or by exploiting security vulnerabilities in internet-exposed devices. 

This incident follows the growth of several China-linked espionage operations, such as Unfading Sea Haze, Operation Diplomatic Specter and Operation Crimson Palace, all focused on sensitive intelligence across Asia, and so comes as no surprise. The compromised F5 BIG-IP appliances, which the victim organization used for firewall, web application firewall (WAF), load balancing and local traffic management services, were directly exposed to the internet and were likely hacked through the exploitation of known vulnerabilities. On one of the compromised appliances the threat actor deployed several tools: VelvetSting (for receiving commands from the command-and-control server), VelvetTap (to capture network packets), Samrid (the open-source SOCKS proxy tunneller EarthWorm) and Esrde (with capabilities similar to VelvetSting). Given the targeted organization, the deployment of ShadowPad and PlugX malware, and the use of DLL sideloading techniques, Sygnia assesses that Velvet Ant is a state-sponsored threat actor operating out of China.
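Two of the behaviours described in this report translate directly into network-level checks a defender can run over flow records: a perimeter appliance that should only accept connections instead opening its own session to an external address (the reverse SSH tunnel from the F5), and many internal hosts converging on one internal peer that is not a known service (the PlugX samples relaying through an internal server). The script below is an added example written for this post, not Sygnia's tooling or anything from the F5 product; the appliance inventory, allowlists, address ranges and flow records are all constructed for the example, and a real deployment would feed it NetFlow, Zeek conn logs or firewall logs instead:

```python
import ipaddress
from collections import defaultdict

# Constructed inventory. A real deployment pulls these from a CMDB / asset list.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]           # the organization's own ranges
PERIMETER_APPLIANCES = {"10.0.0.5"}                             # load balancer / WAF management address
ALLOWED_APPLIANCE_EGRESS = {("198.51.100.200", 443)}            # e.g. the vendor update host
KNOWN_INTERNAL_SERVICES = {("10.0.0.20", 445), ("10.0.0.20", 389), ("10.0.0.21", 53)}

# Constructed flow records: (initiating host, destination host, destination port).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.44", 22),       # appliance opens SSH to the internet: tunnel indicator
    ("10.0.0.5", "198.51.100.200", 443),    # appliance reaches its allowlisted update host
    ("10.0.1.11", "10.0.0.20", 445),        # workstations using the file server, normal
    ("10.0.1.12", "10.0.0.20", 445),
    ("10.0.1.11", "10.0.1.50", 8443),       # four workstations all talk to one peer on an odd port
    ("10.0.1.12", "10.0.1.50", 8443),
    ("10.0.1.13", "10.0.1.50", 8443),
    ("10.0.1.14", "10.0.1.50", 8443),
    ("10.0.1.11", "198.51.100.30", 443),    # ordinary outbound HTTPS from a workstation
    ("10.0.1.12", "10.0.0.21", 53),
]


def is_internal(ip: str) -> bool:
    """Membership in the organization's own ranges; do not rely on ipaddress.is_private,
    which also covers documentation ranges such as 203.0.113.0/24."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def appliance_initiated_egress(flows):
    """Perimeter appliances accept connections; a session they *initiate* to an external
    address that is not on the allowlist is worth an analyst's attention (reverse tunnel,
    beacon, or tool download)."""
    return [
        (src, dst, port) for src, dst, port in flows
        if src in PERIMETER_APPLIANCES
        and not is_internal(dst)
        and (dst, port) not in ALLOWED_APPLIANCE_EGRESS
    ]


def internal_fan_in(flows, min_clients: int = 3):
    """Internal destinations that many distinct internal hosts connect to on a port that is
    not a known service: the shape an internal C&C relay leaves in flow data."""
    clients = defaultdict(set)
    for src, dst, port in flows:
        if not (is_internal(src) and is_internal(dst)):
            continue
        if (dst, port) in KNOWN_INTERNAL_SERVICES:
            continue
        clients[(dst, port)].add(src)
    return {key: sorted(srcs) for key, srcs in clients.items() if len(srcs) >= min_clients}


if __name__ == "__main__":
    print("appliance egress to review:", appliance_initiated_egress(SAMPLE_FLOWS))
    print("internal fan-in to review:", internal_fan_in(SAMPLE_FLOWS))
```

Neither check proves compromise on its own; their value is that both conditions are rare in a well-inventoried network, so the review queue stays short and an appliance-initiated SSH session or an unexplained internal hub stands out instead of disappearing into routine traffic.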