
HDFC Life Responds to Data Leak, Engages Cybersecurity Experts

 


HDFC Life Insurance has reported a cyberattack in which confidential customer data was stolen. Cybercriminals allegedly accessed sensitive policyholder information and attempted to extort the insurer, which then filed a complaint with the South Region Cyber Police. According to the complaint, the security breach at the company took place between November 19 and November 21, 2024.

The cybercriminals, operating under the alias bsdqwasdg@gmail.com and using a WhatsApp account to send unencrypted communications, managed to steal the personal data of HDFC Life's clients. In a news release on Monday, HDFC Life Insurance Company, the country's second-largest private insurer by premiums, reported that customer information had been stolen from its systems.

This is the second major data breach in the insurance sector in recent months, following the leak of a large volume of personal information from Star Health & Allied Insurance a few months ago. Star Health had disclosed that cyberattack and commissioned a forensic investigation of the incident by independent cybersecurity experts.

The breach of Star Health's servers reportedly resulted in an estimated 7.24 terabytes of sensitive information on 31 million customers being offered for sale on the messaging network Telegram. In a statement, the Insurance Regulatory and Development Authority of India (IRDAI), which regulates the insurance industry in India, indicated that, although it did not name the insurers, it takes security breaches very seriously and is committed to continuing its engagement with the companies to ensure that the interests of policyholders are fully protected.

A large amount of personal information was leaked, including names, addresses, phone numbers, tax details, and in some cases even the medical records of policyholders. It was reported that Star Health's chief information security officer (CISO), Amarjeet Khanuja, had sold the company's data for $150,000, after a hacker allegedly accessed the data through the company's network. There was a separate incident involving the loss of data at Tata AIG as well.

A few days after the presidential election, HDFC Life Insurance received several emails from an anonymous sender who claimed to have stolen the sensitive information of its customers. The hacker attached data to the email that included the names, policy numbers, addresses, and phone numbers of 99 customers.

The email stated that unless negotiations were conducted, the company's data would be leaked or sold to third parties. According to the hacker, the company had two days to respond to the threat, and its reputation could be jeopardized. Over the weekend of November 20 and 21, the extortionist sent a series of messages warning the company that if it failed to negotiate, a massive leak would occur. One of the messages stated that the company would suffer losses of "hundreds of billions of rupees" if the data were sold, along with a damaged reputation and regulatory pressure from the government.

The hacker demanded payment in exchange for not exposing the information. A security expert examined the breach and verified its authenticity with the help of HDFC Life Insurance, which then decided to involve the police and inform the appropriate authorities of the breach.

As a result, the company has given its customers the assurance that it is taking all possible measures to ensure their information is protected and that the impact of the data theft is minimized. It was decided to file a case under sections 308(3) (extortion) as well as 351(4) (criminal intimidation) of the Bharatiya Nyaya Sanhita, 2023 along with the relevant provisions of the Information Technology Act, 2000, for the commission of the offence. 

There was a statement from HDFC Life that stated the company is committed to safeguarding the interest of its customers and will take swift action to resolve this matter. In recent months, other insurers, including Star Health Insurance and Tata AIG, have also admitted to data breaches as a result of intrusions into their systems. 

It is because of these incidents that IRDAI is constantly monitoring insurers' data security frameworks and ensuring that the necessary corrective actions are being taken as soon as possible. A growing number of cyber threats are posing serious risks to the privacy of customers and the accountability of organizations in the insurance sector. 

HDFC Life's proactive measures reflect the industry's recent push to continuously strengthen cybersecurity so that the risk of such breaches in the future is reduced. The IRDAI has put a number of cybersecurity measures in place to ensure that data protection is robust and that millions of policies are protected.

Fastest Supercomputer Advances Manhattan Project Simulations

 


For decades, the cryptocurrency industry has feared the day when computers will be capable of cracking blockchains and taking down networks like Bitcoin and Ethereum. That day may be closer than many think, but even at the speed of today's supercomputers, only quantum computers could plausibly possess such a capability.

Scientists from Lawrence Livermore National Laboratory have announced that their latest supercomputer, El Capitan, can complete 2.79 quadrillion calculations in one second, making it the fastest supercomputer in the world. That is 2.79 followed by 15 zeroes. To put El Capitan's performance into perspective, more than a million iPhones or iPads would need to be working simultaneously on one calculation to equal what El Capitan does in a second, according to Jeremy Thomas of the Lawrence Livermore National Laboratory.

"That stack of phones is over five miles high. That is an enormous amount of phones." The announcement was made on Monday during the annual SC Conference in Atlanta, Georgia, a conference that focuses on high-performance computing and the latest developments in the field. El Capitan has been named in the Top 500 Project's bi-annual list of the 500 most powerful supercomputers in the world, placing among the top 100.

Lawrence Livermore National Laboratory, located in Livermore, California, developed El Capitan in collaboration with Hewlett Packard Enterprise, AMD and the Department of Energy, among other partners. As the name implies, supercomputers are built to run complex tasks such as simulations, artificial intelligence development, and research and development at speeds far beyond those of an average computer.

A computer such as El Capitan, for example, is capable of performing 2.7 quadrillion operations per second, up to 5.4 million times faster than the average home computer, which performs only a few operations a second. Thomas compared the computational power of El Capitan to a staggering human effort, estimating that it would take over 8 billion people working simultaneously for eight years to achieve what El Capitan accomplishes in a single second.

The extraordinary capabilities of El Capitan have sparked discussions about its potential implications for industries reliant on robust cryptographic systems, particularly blockchain technology. The blockchain ecosystem, which depends heavily on secure encryption methods, has raised concerns about whether such a powerful machine could undermine its foundational security principles. 

Despite these apprehensions, experts in blockchain encryption say the fears are largely unfounded. Yannik Schrade, CEO and co-founder of Arcium, explained to Decrypt that overcoming the security of blockchain systems would require an overwhelming computational feat. "An attacker would need to brute-force every possible private key," Schrade noted.

To put it into perspective, with a private key length of 256 bits, an attacker attempting to compromise transactions would need to exhaustively test all 256-bit key combinations. This level of computation, even with the power of El Capitan, remains practically unachievable within a reasonable timeframe, reaffirming the resilience of blockchain cryptographic systems against potential threats from even the most advanced technologies. 
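The arithmetic behind Schrade's point, as an added worked example that is not part of the original article: it takes the article's own figure of 2.79 quadrillion operations per second and assumes, generously to the attacker, that one operation tests one candidate key. The function is general over key length and machine count, so it also shows why adding more hardware does not change the conclusion.

```python
import math

# Throughput figure quoted in the article for El Capitan (operations per second).
EL_CAPITAN_OPS_PER_SEC = 2.79e15
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_trials(key_bits: int) -> int:
    """Average number of keys tested before a brute-force search hits the right one.

    A uniformly random key is found, on average, halfway through the keyspace,
    so the expected work is 2^(n-1) rather than the full 2^n.
    """
    return 2 ** (key_bits - 1)


def brute_force_years(key_bits: int,
                      ops_per_sec: float = EL_CAPITAN_OPS_PER_SEC,
                      machines: int = 1) -> float:
    """Expected years to brute-force one key of `key_bits` bits.

    Assumption (labelled): one operation per key test, which overstates what any
    real machine could do, since checking a candidate private key costs far more
    than a single floating-point operation.
    """
    seconds = expected_trials(key_bits) / (ops_per_sec * machines)
    return seconds / SECONDS_PER_YEAR


def bits_exhaustible(years: float,
                     ops_per_sec: float = EL_CAPITAN_OPS_PER_SEC,
                     machines: int = 1) -> float:
    """Largest key length (in bits) whose full keyspace the given compute budget
    could enumerate in `years`: log2(total operations available)."""
    total_ops = ops_per_sec * machines * years * SECONDS_PER_YEAR
    return math.log2(total_ops)


if __name__ == "__main__":
    for bits in (128, 256):
        print(f"{bits}-bit key, one El Capitan: {brute_force_years(bits):.2e} years")
    # Even a billion El Capitans running for a billion years only reach ~136 bits.
    print(f"bits exhaustible by 1e9 machines in 1e9 years: "
          f"{bits_exhaustible(1e9, machines=10**9):.1f}")
```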

These insights emphasize the sophistication and continued reliability of cryptographic standards in safeguarding blockchain security, even as computational technologies advance to unprecedented levels.

Data Privacy Issue Emerges on Popular Military Dating App

 


During his research, cybersecurity researcher Jeremiah Fowler discovered that an online database belonging to Forces Penpals, a platform that caters to armed forces personnel from the US and UK, was accessible to the general public. He reported the unsecured database to vpnMentor. It exposed over 1.1 million sensitive records, such as images of users and proof-of-service documents, raising privacy and security concerns for military members and their supporters alike.

An independent cybersecurity researcher has discovered a publicly exposed database belonging to a popular dating app that contained user data that was neither encrypted nor password-protected, making it a potential threat to service members today. According to Jeremiah Fowler of vpnMentor, nearly 1.2 million U.S. and UK military personnel using Forces Penpals, a social networking site and dating service, had their personal information exposed.

The concern goes beyond the number of people affected. No date range is available for how long the database was exposed, nor is it known whether any unauthorized individuals accessed the information. Fowler notified Forces Penpals, which has since restricted public access. The platform, launched in 2002 as a letter-writing service for the British military, has since grown to be used by service members from the U.S. and UK.

The platform therefore holds sensitive information about individual service members, including their personal details and addresses. Fowler found that the data he encountered during his research included images of users and copies of sensitive proof-of-service documents containing names, addresses, Social Security numbers, and, for UK individuals, National Insurance numbers.

The publicly available database had neither password protection nor encryption. It contained 1,187,296 documents in total. Based on a limited sampling, the vast majority of the documents appear to be images uploaded by users, while some are potentially sensitive proofs of service. These documents contained full names (first, middle, and last names), postal addresses, Social Security Numbers (US), National Insurance Numbers and Service Numbers (UK), as well as personal details such as addresses and telephone numbers.

The documents also held other sensitive data, such as ranks, branches of service, dates, locations, and other details that should never have been accessible to the general public. Further investigation showed that the records were associated with Forces Penpals, a dating service and social networking community for military service members and their family members. Public access to the database was restricted two days after the responsible disclosure.

It is possible that the United States or the United Kingdom could introduce a member verification system in the future. Fowler's report notes that most of the documents were images of individuals, but a portion were highly sensitive records related to military service. "From a technical standpoint, there is no way of filtering through and searching text in images to determine the exact number," Fowler added.

Following Fowler's discovery, Forces Penpals was promptly sent a responsible disclosure notice, and public access to the database was restricted the same day. Forces Penpals acknowledged the issue and explained that it was caused by a coding error that misrouted documents to an insecure storage directory. The photos being public is not in itself a problem, since they are already public; the exposure of the documents, however, is.

The extent of the exposure, its duration, and whether unauthorized parties accessed the information all remain unclear. A forensic audit would be required to determine the scope of the breach and identify any suspicious activity that took place in the background. This incident makes clear that inadequate cybersecurity measures pose a serious risk, especially when platforms of this kind handle sensitive information.

There has been an exponential increase in cyberattacks targeted at military personnel and allied organizations over the past few years, illustrating that the threat landscape is rapidly changing. According to the FBI, in October 2024, a hacking group that was linked to Russian intelligence tried to infiltrate systems including those belonging to Western think tanks, journalists, and former military officials, which illustrated the real-world dangers of data exposure and potential exploits in the future. 

Even though no evidence has been found that Forces Penpals users were specifically targeted as a result of the breach, the incident is an important lesson for organizations that handle personal and sensitive data. Fowler stresses the importance of establishing robust measures to keep such information safe and secure.

It is highly recommended to implement enhanced access controls and multi-factor authentication, separate sensitive data by segmenting it, conduct regular security audits and penetration testing, and develop comprehensive incident response plans that will help address breaches as quickly as possible.

North Korea Implicated in $50M Upbit Cyber Heist

 


According to South Korean investigators, the 2019 Upbit cryptocurrency heist, in which $50 million worth of Ethereum was stolen, was carried out by the North Korean hacker groups Lazarus and Andariel, both tied to the Reconnaissance General Bureau, the DPRK's leading intelligence organization. The finding comes three months before the fifth anniversary of the attack on Upbit, one of South Korea's leading crypto exchanges.

An amount of 342,000 Ethereum, valued at approximately $147 per ether, was stolen from the exchange's hot wallet during the incident. Taking into account the current exchange rate, the stolen stash would have been worth around 1.47 trillion won today, or about $1.04 billion. A hot wallet, which is constantly connected to the internet as part of its operational function, is more at risk of cyberattacks than cold wallets because of this connection. 

To evade detection, hackers frequently spread stolen assets across multiple blockchain wallets, a common method of obscuring the trail of stolen funds. The exchange immediately suspended withdrawals and deposits, secured its remaining funds, and assured users that they would receive full compensation for their losses.

A recent Upbit hack has highlighted the important role that international collaboration plays in reducing state-sponsored cybercrime in the cryptocurrency sector and addressing the issue at hand. The government, industry leaders, and cybersecurity firms need to get together and establish a global framework for the protection of digital assets and the pursuit of those who seek to harm them. 

In the summer of 2018, hackers succeeded in infiltrating Upbit's hot wallet and transferred approximately 342,000 ETH (at the time worth 8.5 billion won, or around USD 7 million) to a wallet under their control. In the wake of this breach, the security of centralized exchanges and the protocols they use to protect their users' digital assets was immediately raised as a concern. Despite their convenience for instant transactions, hot wallets are more vulnerable to cyberattacks because they are connected to the Internet.

The incident at Upbit made apparent how dangerous these storage solutions can be in the long run. Upbit responded swiftly on discovering the hack, moving the remaining user funds to cold wallets, offline storage solutions that are considerably more difficult to breach. This proactive action prevented further losses and demonstrated that the exchange was prepared for situations like this.

Upbit has taken steps to protect its users from further loss as soon as the breach was detected, providing a detailed account of the extent of the loss and the steps being taken to resolve the matter. Users' trust needed to be maintained during the crisis by maintaining transparency. Several investigative agencies, including the National Intelligence Service (NIS) of South Korea and other intelligence agencies, have confirmed that North Korea has been involved in the attack after an extensive investigation. 

It appears that the hackers infiltrated Upbit's systems using sophisticated phishing tactics, social engineering, and advanced malware techniques to compromise its sensitive data. The Lazarus Group, also known as LG Group, is one of the most infamous cybercrime groups linked to North Korea. With at least ten years of cyber experience, the group has gained notoriety for a wide array of activities, including hacking, data theft, and espionage. 

To circumvent international sanctions, it is believed that this group is financing North Korea's nuclear and weapons programs through the activities it performs. There is a strong suspicion that the breach was caused by North Korea's Lazarus Group, which is notorious for its cyber espionage and financial theft operations. One of the most high-profile attacks in recent months has been the WannaCry ransomware attack in 2017 and the Bangladesh Bank heist in 2016. 

The group has been linked to several high-profile hacking attacks. 57% of the stolen Ethereum was sold at a 2.5% discount on three exchanges run by the North Korean government, with the remainder laundered through 51 overseas exchanges. Some of the stolen Ethereum was stored as Bitcoin on cryptocurrency exchanges in Switzerland; South Korean authorities recovered 4.8 Bitcoin, valued at nearly 600 million won, after four years of legal proceedings.

The Bitcoins were returned to Upbit in October 2024 after a four-year legal procedure. A copycat crime may be prevented by police withholding details of the North Korean hacking operation's techniques because of the risk of copycats, but police emphasize that the operation was unprecedented in scope and sophistication. At the same time, the Financial Intelligence Unit (FIU) of the Republic of Korea is investigating Upbit's operations in light of issues related to possible non-compliance with KYC regulations.

Reports suggest that there were 500,000 to 600,000 cases in which the exchange failed to verify customer identity because of problems with identification documents and incomplete information provided by customers. If regulators confirm these lapses, they may take action against the company. Through years of experience and ongoing research, the Lazarus Group and similar outfits have refined their methods for targeting prominent crypto platforms across the globe.

An instance of the group's involvement was linked to the hacking of the Indian exchange WazirX, in which $230 million had been stolen. Even though international sanctions have been placed on the North Korean government and efforts have been made to shut down the country's operations, there is a persistent effort to exploit crypto vulnerabilities through various techniques. 

These groups are estimated to have stolen over $7 billion in crypto over the past seven years, a great deal of which was used to fund North Korea's nuclear weapons program. Andariel is another group of cybercriminals operating under the aegis of North Korea's Reconnaissance General Bureau; it operates as a subdivision of the notorious Lazarus Group and is known for its high level of sophistication. Beyond financial cyberattacks, Andariel is also known for hacking banks, ATMs, cryptocurrency platforms, and other online platforms.

The group's operations in North Korea are considered a major part of the country’s illicit revenue generation efforts, with most of the activities focused on circumventing international sanctions. Using advanced malware and hacking techniques, the group has penetrated networks and stolen financial assets. In contrast to the Lazarus Group, which is recognized for its large-scale cyber campaigns often tied to political agendas, Andariel follows a more precise and profit-driven approach. 

Rather than pursuing widespread disruption or ideological objectives, Andariel focuses on carefully selected targets to maximize financial rewards. Their operations are characterized by calculated tactics designed to exploit specific weaknesses for economic gain. This differentiation underscores the varied methodologies employed by cyber actors, even within the same network, each aligning their activities to distinct priorities and outcomes.

T-Mobile System Intrusion Tied to Chinese Cyber Threat

 


T-Mobile has confirmed that it was a victim of the long-running cyber-espionage campaign launched against telecom companies. It is the latest telecommunications company to report being affected by a large-scale cyber-espionage campaign waged by state-sponsored hackers in China.

There has been some confusion as to whether the breach involves customer data or critical systems. However, T-Mobile has maintained that there has been no significant impact on its customers' data and critical systems. This breach is part of a larger attack on major telecom providers, raising questions regarding the security of critical communications infrastructure around the world. 

It has been reported that the FBI and CISA are pursuing investigations into a massive cyber-espionage campaign perpetrated by Chinese-linked threat actors that targeted U.S. telecommunications, stealing call records and accessing private communications of government officials and political figures by compromising networks. 

U.S. intelligence agencies confirmed that Chinese threat actors had penetrated the private communications of a "limited number" of government officials after several U.S. broadband providers were compromised.

The intruders stole personal information belonging to the targeted individuals and, according to court orders, information that the United States government had gathered under search warrants. Separately, ESET's APT Activity Report for the period between April and September 2024 describes an intrusion team that used the World Expo scheduled to take place in Osaka, Japan in 2025 as a lure.

MirrorFace continues to focus on Japanese targets and events despite this new geographical target, demonstrating its dedication to Japan and related events. MirrorFace, also known as Earth Kasha, is one of the clusters categorized under an umbrella group called APT10, which also includes the clusters tracked as Earth Tengshe and Bronze Starlight.

The group has targeted Japanese organizations since at least 2018, and a new campaign observed in early 2023 expanded its operations to Taiwan and India, although it remains focused on Japan. Over its history, the crew's toolset has evolved from a few backdoors, namely ANEL (a.k.a. Uppercut), LODEINFO, and NOOPDOOR (also known as HiddenFace), into an arsenal that now includes both backdoors and credential stealers such as MirrorStealer and ANEL.

It is worth noting that T-Mobile's cybersecurity practice has recently come under heavy criticism, as the company has experienced a number of data breaches in recent years. It reached a $31.5 million settlement with the FCC over previous breaches, half of which was earmarked for improving its security infrastructure. The repeated data breaches at T-Mobile, which is owned by Deutsche Telekom, have been one of the most challenging aspects of the company's recent history.

According to the company, the August 2021 data breach affected 49 million T-Mobile account holders, although the hackers claimed to have stolen data on 100 million users of the network. T-Mobile says it is actively monitoring the current situation and working closely with government officials to investigate the breach and prevent further issues. The firm maintains that there is currently no evidence that the intrusion has harmed the privacy, security, or functionality of its customers' services.

"The company is paying close attention to this industry-wide attack that is affecting the entire industry. Quite to the contrary, due to the security controls in our network structure, and the diligent monitoring and response of our systems, T-Mobile has not witnessed any significant impact on its data or systems. As far as we are aware, no evidence has been found that the company's customer or other sensitive information has been accessed or exfiltrated as other companies may have done.

The situation will be closely monitored by industry peers as well as the relevant authorities, and we will work with them to resolve it." The incident comes at a time when T-Mobile is expanding its cybersecurity practices to combat these threats. In February of this year, the company settled with the Federal Communications Commission for $31.5 million, more than half of which was devoted to improving security infrastructure following its prior breaches.

The T-Mobile Security breach is a prime example of the unique challenges that face the telecommunications sector, which is classified as critical infrastructure under federal law because of its importance to the nation. As an upstream provider of information and communications, telecommunications companies play a vital role in healthcare, government, and the private sector, allowing everything from emergency services to business transactions to personal connectivity to take place. 

These networks are therefore prime targets for state-sponsored cyber campaigns that seek to exploit their role in carrying sensitive communications. The way cyber-espionage tactics have been used over the past few years has shifted in a disturbing direction. Attackers like Salt Typhoon take advantage of wiretap systems and sensitive communication channels to steal data and compromise the integrity of systems and networks vital to national security.

In a new analysis published on November 19, 2024, Trend Micro found that the MirrorFace actor exploited vulnerabilities in public-facing enterprise products, namely Array AG (CVE-2023-45727), Proself (CVE-2023-45727) and FortiOS/FortiProxy (CVE-2023-45727), for initial access. After gaining access, the attackers installed several backdoors within the victim's network to achieve persistence, said security researcher Hara Hiroaki. Among these were Cobalt Strike and LODEINFO, as well as NOOPDOOR, which was discovered last year.

NOOPDOOR is a sophisticated implant that is decrypted and launched by a shellcode loader named NOOPLDR. Alongside its built-in functions, it has modules for uploading and downloading files, running additional programs, and communicating with an attacker-controlled server in either an active or a passive mode. Hiroaki noted that the active and passive modes largely use different encryption algorithms and different backdoor commands, so the two channels are completely independent of one another.

Wi-Fi Exploit Enables Russian Hackers to Breach US Business

 


A sophisticated cyberattack was carried out by a Russian state-sponsored group, believed to be APT28 (Fancy Bear), which remotely exploited a large U.S. enterprise's Wi-Fi network. The breach was first detected by cybersecurity firm Volexity on February 4, 2022; it targeted a Washington, DC-based organization that was working on projects related to Ukraine.

A group of Russian hackers, reportedly linked to Russia's GRU military intelligence, managed to gain access to the wireless network through a password-spraying attack on another service, which allowed them to obtain the credentials needed to connect. The Russian state-sponsored hackers known as "APT28" have exploited a novel attack technique called 'nearest neighbour attack' to penetrate a U.S. company's enterprise WiFi network to spy on employees' activity. 

Although the hackers were thousands of miles away, they were able to compromise a nearby organization within Wi-Fi range of the target, giving them a pivot from which to reach their destination. Security firm Volexity detected the attack on February 4, 2022, having monitored the hackers, codenamed 'GruesomeLarch', for several weeks beforehand.

APT28, which is associated with the General Staff's Main Intelligence Directorate (GRU) and is part of Russian military unit 26165, has been conducting cyber operations since at least 2004. Using a hijacked device in a neighbouring building across the street, the Russian state-sponsored hackers were able to log into a Wi-Fi network in the United States without ever leaving their own country.

Volexity, a security vendor, documented a rare hacking technique that it calls the "Nearest Neighbor Attack." The company discovered the incident in January 2022, when an unnamed customer, referred to as Organization A, suffered a system compromise. Initially, the attackers, whom Volexity tracks as GruesomeLarch, obtained credentials for the target's enterprise Wi-Fi network through a password-spraying attack against the victim's public-facing services.

Nonetheless, one-time password (OTP) protection meant that the credentials could not be used to access the public web-based services. Connecting to the enterprise's Wi-Fi network did not require MFA, but being "thousands of miles away from the victim and behind an ocean" posed a significant obstacle. This led the attackers to look at nearby buildings for a device that could serve as a pivot onto the target's wireless network.

APT28 compromised multiple organizations as part of this attack and daisy-chained its connection between them using legitimate access credentials. At the end of the investigation, Volexity found a device that was within range of three wireless access points near the windows of the victim's conference room, which the attackers used to reach the target network and retrieve data. 

Using an unprivileged account over Remote Desktop Protocol (RDP), the threat actor moved laterally through the target network, searching for systems of interest and exfiltrating sensitive information from them. The hackers dumped three Windows registry hives, SAM, Security, and System, compressed them into a ZIP archive, and exfiltrated the archive using a script named 'servtask.bat'. 

To minimize their footprint, the attackers collected data mostly with native Windows tools. Volexity's analysis also identified that GruesomeLarch was targeting Organization A to collect data from individuals with expertise in, and projects active in, Ukraine. Although Volexity was initially unable to tie the attacker to any known threat actor, a subsequent Microsoft report listed indicators of compromise (IoCs) that matched what Volexity had observed, indicating that the Russian group was responsible. 

Microsoft's cybersecurity report indicates that APT28 very likely escalated privileges before launching its critical payloads in the victim's network by exploiting CVE-2022-38028, a vulnerability in the Windows Print Spooler service which was a zero-day vulnerability in Windows. 

With the nearest neighbour technique, APT28 demonstrated that close-access operations, which are usually performed at close range, can be executed from a distance, eliminating the risk of its operators being identified or physically caught near the target. Even though internet-facing devices have benefited from increasing security over the past year, thanks to multi-factor authentication and other added protections, corporate WiFi networks have largely remained unprotected over the same period.
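The intrusion described above began with a password-spraying attack against public-facing services, which is the point where an authentication log gives a defender the first chance to notice it. The following is an added example (not Volexity's code or anything from the original post) of the detection logic run over a few constructed log lines; the log format, field names and thresholds are assumptions made for this example.

```python
"""Password-spray detection over authentication logs.

A spray is many distinct accounts tried from one source in a short window
with only a few failures per account, which keeps it under per-account
lockout thresholds. This example flags that pattern and also reports any
sprayed account that the same source later logged into successfully.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed line format:
#   <ISO-8601 timestamp> <FAIL|OK> user=<account> src=<ip>
# 203.0.113.7 sprays one guess across seven accounts and lands one (grace).
# 198.51.100.9 hammers a single account: brute force, not a spray.
SAMPLE_LOG = """\
2022-01-15T02:00:01 FAIL user=alice src=203.0.113.7
2022-01-15T02:00:04 FAIL user=bob src=203.0.113.7
2022-01-15T02:00:09 FAIL user=carol src=203.0.113.7
2022-01-15T02:00:13 FAIL user=dave src=203.0.113.7
2022-01-15T02:00:18 FAIL user=erin src=203.0.113.7
2022-01-15T02:00:22 FAIL user=frank src=203.0.113.7
2022-01-15T02:00:27 FAIL user=grace src=203.0.113.7
2022-01-15T02:00:31 OK user=grace src=203.0.113.7
2022-01-15T02:03:10 FAIL user=alice src=198.51.100.9
2022-01-15T02:03:15 FAIL user=alice src=198.51.100.9
2022-01-15T02:03:19 FAIL user=alice src=198.51.100.9
2022-01-15T02:03:24 FAIL user=alice src=198.51.100.9
2022-01-15T02:03:28 FAIL user=alice src=198.51.100.9
2022-01-15T02:03:33 FAIL user=alice src=198.51.100.9
2022-01-15T09:15:00 OK user=bob src=192.0.2.44
"""


def parse_line(line):
    """Parse one log line into a dict; raises ValueError on a malformed line."""
    ts_str, result, user_kv, src_kv = line.split()
    if result not in ("FAIL", "OK"):
        raise ValueError("unexpected result field: %r" % result)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_password_spray(lines, window=timedelta(minutes=10),
                          min_distinct_users=5, max_fails_per_user=3):
    """Return one finding per source IP whose failures fit the spray pattern.

    Within some span no longer than `window`, the source must have failed
    against at least `min_distinct_users` accounts while failing no more than
    `max_fails_per_user` times against any one of them. Each finding lists
    the sprayed accounts and those the source later logged into (OK) after
    the spray started, i.e. credentials the attacker has now obtained.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        best = None
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward so it spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_fails_per_user):
                # Keep the widest spray seen for this source.
                if best is None or len(per_user) > len(best["users"]):
                    best = {"src": src, "users": set(per_user),
                            "first": fails[start]["ts"],
                            "last": fails[end]["ts"]}
        if best is None:
            continue
        best["compromised_accounts"] = sorted({
            e["user"] for e in evs
            if e["result"] == "OK" and e["user"] in best["users"]
            and e["ts"] >= best["first"]})
        best["users"] = sorted(best["users"])
        findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_LOG.splitlines()):
        print("spray from %s: %d accounts between %s and %s; obtained: %s" % (
            f["src"], len(f["users"]), f["first"], f["last"],
            ", ".join(f["compromised_accounts"]) or "none"))
```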

Tamil Nadu Police, DoT Target SIM Card Fraud in SE Asia with AI Tools

 

The Cyber Crime Wing of Tamil Nadu Police, in collaboration with the Department of Telecommunications (DoT), is intensifying efforts to combat online fraud by targeting thousands of pre-activated SIM cards used in South-East Asian countries, particularly Laos, Cambodia, and Thailand. These SIM cards have been linked to numerous cybercrimes involving fraudulent calls and scams targeting individuals in Tamil Nadu. 

According to police sources, investigators employed Artificial Intelligence (AI) tools to identify pre-activated SIM cards registered with fake documents in Tamil Nadu but active in international locations. These cards were commonly used by scammers to commit fraud by making calls to unsuspecting victims in the State. The scams ranged from fake online trading opportunities to fraudulent credit or debit card upgrades. A senior official in the Cyber Crime Wing explained that a significant discrepancy was observed between the number of subscribers who officially activated international roaming services and the actual number of SIM cards being used abroad. 

The department is now working closely with central agencies to detect and block suspicious SIM cards.  The use of AI has proven instrumental in identifying mobile numbers involved in a disproportionately high volume of calls into Tamil Nadu. Numbers flagged by AI analysis undergo further investigation, and if credible evidence links them to cybercrimes, the SIM cards are promptly deactivated. The crackdown follows a series of high-profile scams that have defrauded individuals of significant amounts of money. 

For example, in Madurai, an advocate lost ₹96.57 lakh in June after responding to a WhatsApp advertisement promoting international share market trading with high returns. In another case, a government doctor was defrauded of ₹76.5 lakh through a similar investment scam. Special investigation teams formed by the Cyber Crime Wing have been successful in arresting several individuals linked to these fraudulent activities. Recently, a team probing ₹38.28 lakh frozen in various bank accounts apprehended six suspects. 

Following their interrogation, two additional suspects, Abdul Rahman from Melur and Sulthan Abdul Kadar from Madurai, were arrested. Authorities are also collaborating with police in North Indian states to apprehend more suspects tied to accounts through which the defrauded money was transacted. Investigations are ongoing in multiple cases, and the police aim to dismantle the network of fraudsters operating both within India and abroad. 

These efforts underscore the importance of using advanced technology like AI to counter increasingly sophisticated cybercrime tactics. By addressing vulnerabilities such as fraudulent SIM cards, Tamil Nadu’s Cyber Crime Wing is taking significant steps to protect citizens and mitigate financial losses.

Amazon and Audible Face Scrutiny Amid Questionable Content Surge

 


Amazon's online book and podcast services, Amazon Music and Audible, have been inundated with bogus listings that try to trick customers into clicking dubious "forex trading" sites, Telegram channels, and suspicious links claiming to offer pirated software. It is becoming increasingly common to abuse Spotify playlists and podcasts in the same way, to promote pirated software, cheat codes for video games, spam links, and "warez" websites. 

To get Spotify web player pages into the results of search engines such as Google, threat actors inject targeted keywords and links into the titles and descriptions of playlists and podcasts, boosting the SEO of their dubious online properties. The listings consist of playlist names, podcast description titles, and bogus "episodes" that encourage listeners to visit external links, which lead to places that could cause a security breach. 

A significant number of threat actors exploit Google's Looker Studio (formerly Google Data Studio) to boost the search engine ranking of illicit websites that promote spam, torrents, and pirated content. According to BleepingComputer, one SEO poisoning method abuses Google's datastudio.google.com subdomain, which appears to lend credibility to the malicious website. 

Aside from mass email spam campaigns, spammers are also using Audible podcasts as another means to spread the word about their illicit activities. Spam can be sent to any digital platform that is open to the public, and no platform is immune to it. What is interesting in the Spotify and Amazon cases is that one would instinctively assume the overhead of podcasting and digital music distribution would deter spammers, who would otherwise turn to low-hanging fruit like spammy social media posts or YouTube videos with misleading descriptions. 

The most recent instance of this was a Spotify playlist entitled "Sony Vegas Pro 13 Crack...", which seemed to drive traffic to several "free" software sites listed in the title and description of the playlist. Karol Paciorek, a cybersecurity enthusiast who spotted the playlist, said, "Cybercriminals exploit Spotify for malware distribution because Spotify has become a prominent tool for distributing malware. Why? Because Spotify's tracks and pages are easily indexed by search engines, making it a popular location for creating malicious links." 

Looker Studio (formerly Google Data Studio), Google's newest business intelligence tool, is a web-based application for turning data into customizable reports and dashboards that let users visualize and analyze it. Data Studio has, for example, been used to track and visualize the download counts of open source packages over a period such as four weeks. There are many legitimate business uses for Looker Studio, but like any other web service it can be misused by malicious actors to host questionable content on illegal domains or to manipulate search engine results for illicit URLs. 

Recent SEO poisoning campaigns have been seen targeting keywords related to the U.S. midterm election, as well as pushing malicious Zoom, TeamViewer, and Visual Studio installers to targeted sites. In advance of this article's publication, BleepingComputer reached out to Google to better understand the strategy Google plans to implement in the future.

Firstory, a service launched in 2019, enables podcasters to distribute their shows around the globe and connect with audiences. Firstory publishes podcasts on Spotify, but it acknowledges that spam is an ongoing issue that it is increasingly working to curtail. 

Spam accounts and misleading content remain persistent challenges for digital platforms, according to Stanley Yu, co-founder of Firstory, in a statement provided to BleepingComputer. Yu emphasized that addressing these issues is an ongoing priority for the company. To tackle the growing threat of unauthorized and spammy content, Firstory has implemented a multifaceted approach. This includes active collaboration with major streaming platforms to detect and remove infringing material swiftly. 

The company has also developed and employed advanced technologies to scan podcast titles and show notes for specific keywords associated with spam, ensuring early identification and mitigation of potential violations. Furthermore, Firstory proactively monitors and blocks suspicious email addresses commonly used by malicious actors to infiltrate and disrupt digital ecosystems. By integrating technology-driven solutions with strategic partnerships, Firstory aims to set a higher standard for content integrity across platforms. 

The company’s commitment reflects a broader industry imperative to protect users and maintain trust in an ever-expanding digital landscape. As digital platforms evolve, sustained vigilance and innovation will be essential to counter emerging threats and foster a safer, more reliable online environment.

The Hidden Dangers of Compromised Wi-Fi Routers

 


Cybercriminals who attack routers are swift and precise, spending countless hours studying network vulnerabilities and then taking advantage of them to compromise the router and the sensitive data behind it. The term "router hacking" refers to a cybercriminal taking control of a user's router without their consent.

The Wi-Fi hacker, like other types of hackers, relies on weaknesses in the security measures a user has put in place, often the router's administrator password or an unpatched vulnerability in the system. A hacker has a variety of tricks available for breaking into a router. 

If the user has not set a strong password, a hacker may be able to gain access to the router in minutes. Once in, the hacker can take control of the router, change its settings, or install malicious software on it. These are all signature signs that a user has been hit by a black-hat hacker, as opposed to their more altruistic white-hat cousins. 

Approximately one in 16 internet-connected home Wi-Fi routers can be remotely accessed by attackers using the manufacturer's default admin password. Getting continually kicked off a home network is extremely annoying, but that is exactly what some hackers do. A hacker may use a de-authentication attack to target network devices. To do so, the hacker does not even need administrative access to the router; they only need to identify the router and the device the user is connecting with, which can be done with a tool such as Aircrack-ng. They then craft a command that uses the router's authentication protocol to deauthenticate the user, kicking them off the network. 

A Forbes study found that 86% of users never change their default credentials. Because default credentials are easily found online, all a hacker must do is a perfunctory Google search to find what they need to log into the router. Once in, they can change settings such as the password and the SSID. Changing the password kicks users off their network, and changing the SSID changes the network name. They could also hide the network entirely after kicking users off and renaming it, making it difficult to get back online. Scammers employ various methods to hack into Wi-Fi networks, exploiting vulnerabilities and poor security practices.

One common technique is brute-forcing Wi-Fi passwords, where hackers systematically attempt numerous password combinations to gain access. Once successful, they can lock users out by changing the password and taking control of the router. Another method involves using the router’s default credentials, often left unchanged by users. Cybercriminals can exploit these factory-set admin passwords to alter router settings, emphasizing the importance of creating a unique password and SSID (wireless network name) for enhanced security. 

Unpatched firmware vulnerabilities also present significant risks. Attackers can exploit outdated software to infiltrate a router's internal systems. For instance, in June 2023, Asus issued critical firmware updates to protect against remote code execution attacks. One of the most severe vulnerabilities, CVE-2018-1160, dating back to 2018, carried a high severity rating of 9.8 on the Common Vulnerability Scoring System (CVSS). 

Furthermore, cybercriminals can execute Domain Name Server (DNS) hijacking by altering a router’s DNS settings and redirecting users to malicious phishing websites. These examples underscore the importance of updating router firmware regularly, using strong passwords, and proactively securing Wi-Fi networks. Understanding the signs of a hacked router is essential for safeguarding users' networks. Altered DNS settings are a major indicator of a breach, as hackers may manipulate these settings to redirect users' internet traffic without their knowledge, potentially launching devastating pharming attacks. 

Users can check their router’s DNS settings in the admin menu to ensure they have not been tampered with. Another red flag is an inability to access the router using the user's admin password. If the credentials no longer work, it could mean a hacker has changed them. In such cases, perform a factory reset immediately and create a new, strong password. Unexpectedly slow internet can also hint at a router hack, especially when accompanied by other suspicious activities. Hackers may exploit users' bandwidth, causing noticeable performance drops. Additionally, strange software or malware on users' devices can result from a router breach, as hackers often use this method to infiltrate connected devices. While malware can spread through various means, its presence alongside other signs of hacking is a cause for concern. 

Monitoring users' networks for unrecognized devices is another critical security measure. Tools like AVG AntiVirus FREE can detect when unfamiliar devices join users' Wi-Fi, issuing alerts that prompt further investigation. While unauthorized devices don’t always indicate a router hack, their presence could lead to one, emphasizing the need for continuous network monitoring. Using reliable security software is vital to protecting users' devices and networks. AVG AntiVirus FREE offers comprehensive cybersecurity features, including real-time malware detection, phishing defence, ransomware protection, and tools to secure users' Wi-Fi networks from potential router hackers. Staying vigilant and equipped with robust security measures ensures a safe online experience.

Hackers can easily carry out a de-authentication attack even without administrative access to the user's router; they only need to identify the router and the device the user is connecting with, which the freely available Aircrack-ng tool can do. They then craft a command that uses the router's authentication protocol to deauthenticate the user, kicking them off the network once more. The Forbes study found that 86% of users do not change their default credentials despite being notified about it. 

Default router credentials can readily be found online, so a quick Google search is all it takes for hackers to find the credentials they need to access a target's router. Once in, they can change things such as the password and the network's SSID: changing the password kicks the user off the network, and changing the SSID renames it. They could also hide the network entirely after kicking the user off and renaming it, making it difficult for the user to get back on. Scammers hack into Wi-Fi networks using a variety of methods that exploit existing vulnerabilities and poor security practices. 

The most common method of cracking Wi-Fi passwords today is the brute-force attack, in which many different password combinations are tried until the right one is found. Once in control of the router, the attacker can lock users out by changing the password. A second method uses the router's default credentials, which users often leave unchanged when setting up the router. These factory-provided admin passwords are easy for cybercriminals to abuse, which is why a unique password and SSID (wireless network name) should be set when configuring a router. 

Firmware vulnerabilities that remain unpatched also carry significant risks, since attackers can exploit outdated software to compromise a router's internal systems. In June 2023, Asus released critical firmware updates to block remote code execution attacks against its devices. One of the vulnerabilities, CVE-2018-1160, dating back to 2018, carried a severity rating of 9.8 on the Common Vulnerability Scoring System (CVSS), which rates vulnerabilities by their exploitability and impact. Another method, Domain Name Server (DNS) hijacking, alters a router's DNS settings to redirect users to malicious phishing sites. 

These examples show why router firmware must be updated regularly, strong passwords used, and Wi-Fi networks proactively secured. Recognizing the signs of a hacked router is crucial for protecting users' networks. Altered DNS settings often indicate a breach, as hackers can manipulate these to redirect users' internet traffic and launch phishing or pharming attacks. Regularly reviewing the router's DNS settings in the admin menu can help catch such tampering. Similarly, being unable to access the router with the admin password may mean hackers have taken control. In such cases, a factory reset followed by setting a strong new password is essential. 

A sudden drop in internet speed, especially when combined with other suspicious activity, could point to unauthorized bandwidth usage by hackers. Additionally, unexpected malware or unfamiliar software on users' devices might result from a router breach. Monitoring for unrecognized devices on users' networks is equally important, as these can indicate unauthorized access and potential hacking attempts. 

Investing in robust security tools is a key step in safeguarding users' digital environments. Comprehensive solutions like AVG AntiVirus FREE provide 24/7 protection against malware, phishing, ransomware, and other threats while keeping users' networks secure from unauthorized access. Staying proactive with these measures is the best defense for ensuring their online safety.
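Two of the indicators this post lists, in both its descriptions of the signs of a hacked router, are DNS settings that differ from what the owner configured and devices on the network that the owner does not recognise. The following is an added example (not AVG's code or anything from the original post) that checks a snapshot of a router's settings for both; the snapshot layout, the trusted-resolver list and the device inventory are constructed assumptions, and in practice the snapshot would be filled from the router's admin page.

```python
"""Audit a home router snapshot for DNS hijacking and unknown devices.

Two checks, matching two signs of compromise from the post above:
  1. DNS servers the owner did not configure (possible DNS hijacking).
  2. DHCP clients whose MAC address is not in the owner's inventory.
"""
from ipaddress import ip_address, ip_network

# Constructed router snapshot (not from a real device). Assumed shape:
# a list of DNS server strings and a list of DHCP lease dicts.
ROUTER_SNAPSHOT = {
    "dns_servers": ["203.0.113.53", "9.9.9.9"],
    "dhcp_clients": [
        {"mac": "AA:BB:CC:00:00:01", "hostname": "family-laptop", "ip": "192.168.1.10"},
        {"mac": "aa:bb:cc:00:00:02", "hostname": "phone", "ip": "192.168.1.11"},
        {"mac": "DE:AD:BE:EF:00:03", "hostname": "", "ip": "192.168.1.42"},
    ],
}

# Resolvers the owner configured (Quad9 here) plus the router itself, which
# many routers advertise to LAN clients as their DNS server.
TRUSTED_DNS = {"9.9.9.9", "149.112.112.112", "192.168.1.1"}

# Owner's inventory of known devices, keyed by lower-case MAC (constructed).
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "family-laptop",
    "aa:bb:cc:00:00:02": "phone",
}

# RFC 1918 ranges: a resolver inside one of these is at least on the LAN.
LAN_NETWORKS = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalise_mac(mac):
    """Return a MAC as lower-case colon-separated hex, or None if malformed."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_lan_address(server):
    """True if `server` is an RFC 1918 address; raises ValueError if not an IP."""
    addr = ip_address(server)
    return any(addr in net for net in LAN_NETWORKS)


def check_dns(dns_servers, trusted):
    """Return DNS servers the owner did not configure, with a severity.

    A resolver outside the LAN that the owner never set up is the classic
    sign that traffic is being redirected, so it is rated high; an unexpected
    LAN address is rated medium (it may be a legitimate local change).
    """
    findings = []
    for server in dns_servers:
        if server in trusted:
            continue
        try:
            on_lan = is_lan_address(server)
        except ValueError:
            findings.append({"server": server, "severity": "high",
                             "reason": "not a valid IP address"})
            continue
        findings.append({"server": server,
                         "severity": "medium" if on_lan else "high",
                         "reason": "resolver not configured by owner"})
    return findings


def check_devices(dhcp_clients, known):
    """Return DHCP clients whose MAC is not in the owner's inventory."""
    unknown = []
    for client in dhcp_clients:
        mac = normalise_mac(client.get("mac", ""))
        if mac is None or mac not in known:
            unknown.append({"mac": mac or client.get("mac"),
                            "ip": client.get("ip"),
                            "hostname": client.get("hostname") or "(none)"})
    return unknown


def audit_router(snapshot, trusted_dns=TRUSTED_DNS, known_devices=KNOWN_DEVICES):
    """Run both checks; empty lists in the result mean no indicator was found."""
    return {
        "dns": check_dns(snapshot.get("dns_servers", []), trusted_dns),
        "unknown_devices": check_devices(snapshot.get("dhcp_clients", []),
                                         known_devices),
    }


if __name__ == "__main__":
    report = audit_router(ROUTER_SNAPSHOT)
    for f in report["dns"]:
        print("DNS [%s]: %s (%s)" % (f["severity"], f["server"], f["reason"]))
    for d in report["unknown_devices"]:
        print("unknown device: %s at %s, hostname %s" % (d["mac"], d["ip"], d["hostname"]))
    if not report["dns"] and not report["unknown_devices"]:
        print("no indicators found")
```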

Improving GPS Technology with Insights from Android Phones

 


Navigation apps drifting off course may be caused by the ionosphere, a region of the Earth's atmosphere 50-200 miles overhead. This layer contains varying concentrations of free electrons which, under certain conditions, can become extremely dense, slowing GPS signals as they travel between satellites and devices. 

That delay, much like being held up on a crowded city street and arriving late for work, is a major contributor to navigation system errors. As reported in Nature this week, a team of Google researchers demonstrated that GPS signal measurements collected from millions of anonymous Android mobile devices can be used to map the ionosphere. 

A single mobile device's signal cannot tell researchers much about the ionosphere on its own, but this limitation shrinks when there are many other devices to compare it with. In the end, the researchers were able to use the vast network of Android phones to map the ionosphere very precisely, matching or exceeding the accuracy of monitoring stations. In areas like India and Central Africa, the Android technique was far more accurate than listening stations alone. 

Ionospheric "traffic" is quantified as total electron content (TEC), a measure of the number of electrons along a signal's path through the ionosphere. Satellites and ground stations are used to measure it. These detection tools are effective, but they are also relatively expensive and difficult to build and maintain, which means they are not as common in developing regions of the world. 

Unequal access to monitoring stations leads to disparities in the accuracy of global ionospheric maps. Google's researchers got around this issue by using something that more than half of the world's population already possesses: mobile phones. In an interview with Popular Science, Google researcher Brian Williams discussed how changes in the ionosphere had been hindering GPS capabilities while he was working on Android products.

If the ionosphere changes, this may undermine GPS capabilities. Aside from contributing to scientific advances, he sees the project as an opportunity to improve accuracy and provide a more useful service to mobile device users. "Rather than considering ionosphere interference with GPS positioning as an obstacle, the right thing to do is to flip the idea and imagine that the GPS receiver is an instrument to measure the ionosphere, not as an obstacle," Williams commented.

"The ionosphere can be seen in a completely different light by combining the measurements made by millions of phones, as compared to what would otherwise be possible." Thousands of Android phones working together form what is known as a 'distributed sensor network'. GPS receivers integrated into most smartphones measure radio signals beamed from satellites orbiting approximately 1,200 miles above us in medium Earth orbit (MEO).

A receiver determines your location by calculating the distance between itself and the satellite and using that distance to locate you, with an accuracy of approximately 15 feet. The ionosphere acts as a barrier that keeps these signals from travelling normally until they reach the Earth. Many factors contribute to GPS measurement error, including the season, the time of day, and the distance from the equator. 

Most phone receivers have a correctional model built in that reduces the estimated error by around half. Google's researchers wanted to see if measurements taken from the receivers built into Android smartphones could, when combined, replicate the ionosphere mapping done by more advanced monitoring stations. 

There is no doubt that monitoring stations have a clear advantage over mobile phones, pound for pound. Monitoring stations have much larger antennas, and they sit under clear open skies, whereas phones are often obscured by urban buildings or the pockets of the user's jeans.

In addition, every phone has its own measurement bias that can be off by several microseconds. Even so, the sheer number of phones makes up for what they lack individually. Beyond these immediate benefits, the Android ionosphere maps also provide some less immediate ones. According to the researchers, analyzing Android receiver measurements revealed a signal of electromagnetic activity that matched a pair of powerful solar storms earlier this year. 

According to the researchers, one storm occurred in North America between May 10 and 11, 2024. During the time of the peak activity, the ionosphere of that area was measured by smartphones and it showed a clear spike in activity followed by a quick depletion once again. The study highlights that while monitoring stations detected the storm, phone-based measurements of the ionosphere in regions lacking such stations could provide critical insights into solar storms and geomagnetic activity that might otherwise go unnoticed. This additional data offers a valuable opportunity for scientists to enhance their understanding of these atmospheric phenomena and improve preparation and response strategies for potentially hazardous events.

According to Williams, the ionosphere maps generated using phone-based measurements reveal dynamics in certain locations with a level of detail previously unattainable. This advanced perspective could significantly aid scientific efforts to understand the impact of geomagnetic storms on the ionosphere. By integrating data from mobile devices, researchers can bridge gaps left by traditional monitoring methods, offering a more comprehensive understanding of the ionosphere’s behaviour. This approach not only paves the way for advancements in atmospheric science but also strengthens humanity’s ability to anticipate and mitigate the effects of geomagnetic disturbances, fostering greater resilience against these natural occurrences.

CISA Issues Alert on Ongoing Exploitation of Palo Alto Networks Bugs

 


A report released by the Cybersecurity and Infrastructure Security Agency, a nonprofit organization that monitors and analyzes threats to the nation's infrastructure, found that Palo Alto Networks' firewall management software was actively exploited in the wild on Thursday. These attacks followed last week's attacks that exploited flaws in similar software. Attackers can exploit the unauthenticated command injection vulnerability (CVE-2024-9463) and the SQL injection vulnerability (CVE-2024-9465) to gain access to unpatched systems running the company's Expedition migration tool. 

This tool allows users to migrate configurations from Checkpoint, Cisco, and other supported vendors to new systems. CVE-2024-9463 allows attackers to run arbitrary commands as root on a PAN-OS firewall system, revealing usernames, cleartext passwords, device configurations, and device API keys. The second vulnerability can be exploited to read Expedition database contents (including password hashes, usernames, device configurations, and device API keys) and to create or read arbitrary files on vulnerable systems. 

CVE-2024-9474 could also lend itself to a chained attack scenario, potentially resulting in a serious breach. Palo Alto Networks has publicly acknowledged the CVE but has not yet provided detailed technical information on the vulnerability's mechanics, which leaves room for speculation about its root cause.

A spokesperson for Palo Alto Networks (PAN) confirmed that patches were available to address these security vulnerabilities, and stated that the company is "monitoring a limited set of exploit activities" and is working with external researchers, business partners, and customers to share information in a timely fashion. CISA added CVE-2024-5910 to the KEV catalog on Nov. 7, although the software vendor had originally disclosed the bug back in July. 

The vulnerability is a missing-authentication flaw in the firewall deployment and management software: without authenticating, an attacker with access to the network can take over an administrator account. The vulnerability has a CVSS score of 9.3 and is also tracked by Palo Alto Networks as PAN-SA-2024-0015. "Palo Alto Networks has continuously monitored and worked with customers to identify and minimize the very few PAN-OS devices that have management web interfaces that are exposed to the Internet or other untrusted networks," the company stated in a separate report describing indicators of compromise for attacks targeting the vulnerability. 

Although the company claims these zero-days are only impacting a "very small number" of firewalls, threat monitoring platform Shadowserver reported on Friday that it monitors more than 8,700 outside management interfaces for the PAN-OS operating system. A Palo Alto Networks security advisory from early October states, "Several vulnerabilities have been identified in Palo Alto Networks Expedition that allow unauthorized access to the Expedition database and the arbitrary files on the system, as well as the ability to write arbitrary files to temporary storage locations." 

The advisory also stated that the firewall, Panorama, Prisma Access, and Cloud NGFW products are not affected by these vulnerabilities. With the two vulnerabilities added to CISA's Known Exploited Vulnerabilities Catalog, binding operational directive BOD 22-01 compels federal agencies to patch Palo Alto Networks Expedition servers on their networks within three weeks, by December 5. 

Earlier this week, CISA issued a warning about yet another Expedition security hole, one that allows threat actors to reset the credentials of application administrators. The security flaw (CVE-2024-5910) was patched in July and has been actively exploited in attacks. In a proof-of-concept exploit released last month, Horizon3.ai researcher Zach Hanley demonstrated that CVE-2024-5910 can be chained with an additional command injection vulnerability (CVE-2024-9464), patched in October, to execute arbitrary commands on vulnerable Expedition servers exposed to the Internet. 

CVE-2024-9464 is also linked to other Expedition vulnerabilities addressed last month; together they may allow an attacker to take over firewall admin accounts and, through them, PAN-OS firewalls that have not yet been patched. A fix is available: users concerned about exploitation should upgrade Expedition to version 1.2.96 or later. 

Palo Alto Networks recommends that users who cannot install the Expedition patch immediately restrict network access to Expedition to approved hosts and networks. It is crucial to note that when a vulnerability is added to KEV, it not only signals that attacks exploiting that vulnerability are possible but also starts a deadline by which federal agencies must patch it or stop using the flawed product entirely. 

That deadline is usually 21 days from the time the bug is added to the catalog. CVE-2024-5910, a bug described as exploitable by crooks who have access to the network, was recently added to KEV. Expedition is a Palo Alto Networks tool designed to simplify and automate the complexity of using Palo Alto Networks' next-generation firewalls by optimizing the security policies that apply to them. It also eases migration from legacy firewall configurations to Palo Alto Networks' security platforms while reducing errors and manual effort. 
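The KEV deadline logic described above is easy to turn into a defender's triage routine. The following is an added example written for this page, not code from CISA, Palo Alto Networks or the article: it parses a feed laid out like CISA's public KEV JSON (the `vulnerabilities` array with `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate`), matches entries against a constructed asset inventory, and reports how many days remain before the BOD 22-01 due date. CVE-2024-5910 and the Expedition product name come from the text; the dates, the second catalog entry and the inventory are placeholders made up for the example.

```python
import json
from datetime import date

# Constructed sample feed in the shape of CISA's public KEV JSON. The dates,
# the second entry and the asset names are illustrative placeholders, not the
# catalog's real values.
SAMPLE_KEV_FEED = json.dumps({
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-2024-5910", "vendorProject": "Palo Alto Networks",
         "product": "Expedition", "dateAdded": "2024-11-07",
         "dueDate": "2024-11-28", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "Other Vendor",
         "product": "Other Product", "dateAdded": "2024-11-01",
         "dueDate": "2024-11-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def parse_kev(feed_text):
    """Parse the feed and convert the two date fields to date objects."""
    entries = []
    for v in json.loads(feed_text)["vulnerabilities"]:
        entries.append({
            "cve": v["cveID"],
            "vendor": v["vendorProject"],
            "product": v["product"],
            "added": date.fromisoformat(v["dateAdded"]),
            "due": date.fromisoformat(v["dueDate"]),
        })
    return entries


def remediation_window_days(entry):
    """Days CISA allowed between catalog addition and the due date."""
    return (entry["due"] - entry["added"]).days


def triage(feed_text, inventory, today):
    """Match KEV entries against an asset inventory and report the deadline.

    inventory maps (vendor, product) -> list of asset names running it.
    Returns one row per affected asset, earliest deadline first; a negative
    days_left means the BOD 22-01 due date has already passed.
    """
    rows = []
    for e in parse_kev(feed_text):
        for asset in inventory.get((e["vendor"], e["product"]), []):
            rows.append({
                "cve": e["cve"],
                "asset": asset,
                "days_left": (e["due"] - today).days,
                "overdue": today > e["due"],
            })
    return sorted(rows, key=lambda r: r["days_left"])


if __name__ == "__main__":
    # Constructed inventory: one Expedition server in this environment.
    inv = {("Palo Alto Networks", "Expedition"): ["expedition-01"]}
    for row in triage(SAMPLE_KEV_FEED, inv, date(2024, 11, 20)):
        print(row)
```

Pointing `parse_kev` at the real feed and `triage` at a real inventory gives a per-asset list ordered by urgency, which is what a patch-management team needs when a directive deadline, rather than a CVSS score, sets the order of work.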

The Palo Alto Networks (PAN) management interface has recently been redesigned to provide a more secure experience for users. A report claiming an unverified remote code execution vulnerability via the PAN-OS management interface prompted the company to release an information bulletin. Those who want to know more about hardening network devices are urged to review PCA's recommendations on the subject, as well as PCA's instructions for obtaining scan results for their organization's internet-facing management interfaces.

Data Leak Reported Due to Power Pages Misconfiguration



Microsoft's Power Pages platform offers an easy-to-use, low-code environment for building data-driven websites with little programming knowledge or experience. Organizations large and small, in both the public and private sectors, rely on it to collect and analyze data from customers or citizens who come to them seeking information or help with a problem. 

If these sites are not configured properly, however, they can leak sensitive information belonging to the organizations that run them. According to cybersecurity researchers, a newly discovered vulnerability in Microsoft Power Pages stems from misconfigured access controls within websites built on the platform, which can expose sensitive data. 

Where such a misconfiguration results in millions of sensitive business records being exposed to unauthorized users, it poses a serious security risk for the affected organizations. Power Pages is an application service built on the Power Platform; it gives developers a low-code platform for building externally facing websites on top of Microsoft's infrastructure without a lot of coding. 

Power Pages takes a layered approach to access control for a custom website: a site's permissions can be configured at the table level and at the column level. Misconfiguring these settings, however, can unintentionally expose sensitive data to the public internet. Organizations can also expose more columns to the Web API than are necessary, increasing the attack surface of their applications. 

According to Aaron Costello, AppOmni's chief of SaaS security research, Power Pages users have to pay closer attention to the software's security settings to keep their information protected, especially given the product's popularity: Microsoft said earlier this year that websites created with Power Pages serve over 250 million users every month. Several AppOmni and Microsoft 365 customers now use AppOmni Insights to detect these kinds of exposures and to receive remediation guidance when they are found. 

To understand how these vulnerabilities arise, it helps to first understand the platform's RBAC model and how Power Pages sites are constructed. Compared with traditional custom web development, Power Pages offers three main advantages: out-of-the-box (OOB) role-based access control (RBAC), the option to use Microsoft's Dataverse as the database automatically, and a drag-and-drop interface built on prebuilt components, which greatly reduces the need for custom code in the design of the site. 

Granting too many permissions to roles such as "Anonymous Users" (non-authenticated visitors) and "Authenticated Users" (logged-in visitors) may expose an organization to data leaks it never anticipated. Microsoft's customers can easily deploy these data-driven web applications, but if the applications are mismanaged from a security perspective, the cost can be heavy. The data at stake consists primarily of internal organization files as well as sensitive personal information about both users inside the organization and external users who register on the website. 


In most cases the exposed PII consisted of full names, email addresses, phone numbers and home addresses. In one instance, the information of over 1.1 million NHS employees, including email addresses, telephone numbers and even home addresses, was leaked by a large shared business service provider to the NHS, without the employees' knowledge. 

In this particular case, the findings were responsibly disclosed and have since been resolved. A lack of understanding of the access controls in Power Pages, along with insecure custom code implementations, are the main causes of these data leaks. When unauthenticated users are given excessive permissions, anyone can extract records from the database through the Power Pages APIs, which are readily available on the web. 

A Power Pages site also lets visitors register accounts and then authenticate through its APIs. Users from outside the company can likewise be granted global read access on the system. Researchers identified that the absence of column-level security in Microsoft Power Pages could enable unauthorized individuals to access sensitive data without restriction. They also noted that users often fail to replace sensitive information with masked strings, further compounding the exposure. 
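The table-level and column-level permission layers, the "Anonymous Users" and "Authenticated Users" roles, and the global read access discussed in the paragraphs above can be modelled in a few dozen lines. The block below is an added example written for this page; it is a simplified model and not Microsoft's implementation or API. The role names and the "Global" and "Self" access scopes mirror the concepts in the text, the contact table, its rows and the column names are constructed sample data, and `web_api_read` and `audit` are hypothetical helpers. It contrasts a weak configuration (anonymous global read with no column restriction) with a hardened one, and shows an audit check that flags the weak case.

```python
from dataclasses import dataclass

# Simplified model of Power Pages table permissions, constructed for this
# example. Not Microsoft's implementation; names mirror the concepts above.
ANON = "Anonymous Users"
AUTH = "Authenticated Users"

# Constructed Dataverse-style schema and rows for a contact table.
SCHEMA = {"contact": ["contactid", "fullname", "jobtitle",
                      "emailaddress1", "telephone1", "address1_line1"]}
CONTACT_ROWS = [
    {"contactid": "c-1", "fullname": "Alice Example", "jobtitle": "Nurse",
     "emailaddress1": "alice@example.org", "telephone1": "+44 20 0000 0001",
     "address1_line1": "1 Sample Street"},
    {"contactid": "c-2", "fullname": "Bob Example", "jobtitle": "Porter",
     "emailaddress1": "bob@example.org", "telephone1": "+44 20 0000 0002",
     "address1_line1": "2 Sample Street"},
]
PII_COLUMNS = frozenset({"emailaddress1", "telephone1", "address1_line1"})


@dataclass(frozen=True)
class TablePermission:
    table: str
    role: str
    privileges: frozenset       # e.g. {"read"} or {"read", "write"}
    scope: str                  # "Global" (every row) or "Self" (own row only)
    columns: frozenset = None   # None = every column, the risky default


def web_api_read(perms, table, rows, role, user_id=None):
    """Model of a Web API GET on a table: rows the role may read, each
    projected onto the union of columns its matching permissions allow."""
    grants = [p for p in perms
              if p.table == table and p.role == role and "read" in p.privileges]
    if not grants:
        raise PermissionError(f"{role} has no read permission on {table}")
    result = []
    for row in rows:
        cols = set()
        for g in grants:
            own_row = g.scope == "Self" and row["contactid"] == user_id
            if g.scope == "Global" or own_row:
                cols |= set(SCHEMA[table]) if g.columns is None else set(g.columns)
        if cols:
            result.append({c: row[c] for c in SCHEMA[table] if c in cols})
    return result


def audit(perms, pii_columns=PII_COLUMNS):
    """Flag permissions that let anonymous visitors read PII columns of every
    row: the misconfiguration behind the leaks described above."""
    findings = []
    for p in perms:
        if p.role != ANON or "read" not in p.privileges or p.scope != "Global":
            continue
        exposed = set(SCHEMA[p.table]) if p.columns is None else set(p.columns)
        leaked = sorted(exposed & pii_columns)
        if leaked:
            findings.append((p.table, leaked))
    return findings


# Weak configuration: anonymous global read with no column restriction.
WEAK = [TablePermission("contact", ANON, frozenset({"read"}), "Global")]

# Hardened configuration: anonymous visitors see only a public directory
# (name and title); logged-in users read the full row, but only their own.
HARDENED = [
    TablePermission("contact", ANON, frozenset({"read"}), "Global",
                    frozenset({"fullname", "jobtitle"})),
    TablePermission("contact", AUTH, frozenset({"read"}), "Self"),
]

if __name__ == "__main__":
    print("weak, anonymous:", web_api_read(WEAK, "contact", CONTACT_ROWS, ANON))
    print("hardened, anonymous:", web_api_read(HARDENED, "contact", CONTACT_ROWS, ANON))
    print("audit findings:", audit(WEAK), audit(HARDENED))
```

The point of the model is that the leak needs no bug: under `WEAK`, an unauthenticated call returns every PII column of every row, exactly as a public site visitor would receive it from the Web API. The `audit` check is the kind of rule an administrator can run over exported permission settings before the site goes live.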

In response, Microsoft has implemented multiple safeguards within the backend of Power Pages and Power Platform Apps. These measures include warning banners across all Power Platform admin console pages, as well as prominent alerts and warning icons on the table permissions configuration page of Power Pages. These updates aim to help administrators identify and address potentially risky configurations. This incident underscores the importance of proactive security practices in safeguarding sensitive data. Organizations utilizing Power Pages are encouraged to review and strengthen their configurations to mitigate risks and enhance overall security.

Consumer Protection in Focus Amid Black Friday in South Africa



November 29 is the date when Black Friday offers become available, marking the start of the Christmas shopping season for many consumers. Scammers are widely expected to step up their game in the coming days, which is all the more reason to know the signs of a phoney text. As the critical Black Friday and festive season periods approach, the retail industry in South Africa is showing signs of resilience, according to the latest State of the Retail Nation report produced by NIQ South Africa. 

The report examines the industry's expectations over the upcoming period. A recent warning from Standard Bank alerted South Africans to the fact that scams are on the rise as Black Friday approaches, with criminals increasingly using persuasive tactics to attract people's attention.  Even though there have been no studies on how Black Friday will affect the local economy, it appears to have the potential to generate R88 billion of economic activity in South Africa in 2024.  

Based on Capital Connect's findings, South Africa's wholesale, retail, and fuel sectors will contribute a total of R88 billion in additional economic value to the economy in November 2024. The Bureau of Market Research has conducted a study that shows that the Black Friday sales in South Africa will spur R22 billion in increased direct sales this year, with a further R28 billion in indirect economic impact on the country. 

Growing customer interest in Black Friday sales is expected to add over R88 billion in economic value to South Africa's wholesale, retail and fuel sectors in November 2024, according to a research report published by the Bureau of Market Research on behalf of the fintech Capital Connect. 

Retailers in South Africa are likely to generate R22 billion in additional direct revenue from Black Friday this holiday shopping season, plus R28 billion in indirect economic impact. The wholesale industry is expected to gain additional sales of R32.1 billion, while fuel sales are expected to increase by R6.2 billion. 

According to the study, consumers are more interested in Black Friday in 2024 than in the previous three years (2021-2023). This is expected to push retail sales in November 2024 to approximately R136 billion, up 17.3% in nominal terms from the R116.1 billion recorded in November 2023. 

"The positive outlook for Black Friday 2024 suggests that the tide is turning for South African retailers after a long period of economic stagnation and retail stagnation," said Steven Heilbron, CEO of Capital Connect, which is part of Lesaka Technologies, a Nasdaq- and JSE-listed company. "Several factors have contributed to a better economic outlook, including a marked reduction in load-shedding, the introduction of the Two-Pot Retirement System, a reduction in interest rates, and a decrease in inflation. 

There is a rising trend in consumer confidence that will give an advantage to innovative retailers with the right product mix and promotions." Black Friday sales will provide a welcome boost to retailers who have struggled in this year's challenging retail climate. The formal retail sector, however, is predicted to show real growth of only 1.4% in 2024 with an increase of just 0.6%. A study conducted by Standard Bank revealed that scams are most widespread in Gauteng, where 38% of cases were reported; KwaZulu-Natal accounted for 18% and the Western Cape for 15%. 

In his statement, Rathogwa noted that the bank has begun noticing some concerning trends around Black Friday, including an increase in social media fraud that has been particularly persuasive. Deceptive emails purporting to come from legitimate companies such as retailers, streaming services and banks remain a significant threat. Many of these emails contain links to fake websites designed to collect sensitive information such as login details and passwords. 

Scammers also use lures to entice recipients into clicking malicious links, for example by offering rewards to the first few buyers. Alongside this tactic, more and more fraudsters are using social media accounts to promote heavily discounted, and sometimes even free, offers. This type of scam is increasingly common: a scam artist creates a page on Facebook, builds a fan base, and posts false reviews to entice the public to buy.

Once an interested buyer engages, the conversation switches to WhatsApp to discuss details such as the buyer's bank account and courier service. Once the victim makes the payment and sends proof of it, the scammer's social media pages and phone numbers disappear from the Internet. Whenever a deal seems too good to be true, it most likely is, and users should be careful if someone pressures them to make a quick payment to secure a deal. Rathogwa also warned customers to watch out for fake websites that "often look exactly like legitimate retailers," he added. 

To protect against Black Friday scams, experts advise consumers to take several precautions while shopping online or in-store. Shoppers should confirm the authenticity of a purchase before proceeding by buying only from trusted and verified sources. Carefully reviewing transaction details and ensuring that any One-Time Pin (OTP) generated corresponds to the specific transaction is critical. Verifying beneficiary account details before making electronic transfers is also recommended, with tools such as Standard Bank’s Account Verification Service offering an added layer of security. 

It is equally important for individuals to manage the security of their devices. Any unused, sold, lost, or stolen devices should be delinked from online banking profiles immediately, and banks should be notified without delay if a device is misplaced. Furthermore, shoppers are encouraged to report any suspicious activity to their financial institutions. 

Rathogwa emphasizes the importance of scrutinizing web addresses for typos or subtle alterations, as scammers frequently create fraudulent websites that mimic legitimate retailers. Such vigilance can help safeguard personal and financial information during the shopping season.
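The advice above to scrutinize web addresses for typos or subtle alterations can be automated on the defender's side, for example in a mail gateway or a browser extension. The following is an added example written for this page, not code from Standard Bank or the article: given a list of trusted domains, it reduces a URL to its registrable domain, folds common homoglyphs and confusable characters into a "skeleton", and labels the URL as trusted, a lookalike, or unknown. The trusted list is an assumption (standardbank.co.za is the bank named in the text; example-retailer.co.za is made up), the homoglyph and confusable tables are a small constructed subset, and the `.za` second-level handling is a deliberately simple heuristic rather than a full public-suffix list.

```python
import unicodedata
from urllib.parse import urlsplit

# Trusted domains an organisation would maintain for its shoppers (constructed
# list; standardbank.co.za is the bank named above, the other is made up).
TRUSTED_DOMAINS = ["standardbank.co.za", "example-retailer.co.za"]

# A few visual confusions scammers rely on: Cyrillic letters that look Latin,
# and digits or letter pairs that mimic other letters. Not exhaustive.
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l",
               "3": "e", "5": "s"}
# Second-level labels used under .za (co.za, org.za, ...); constructed subset.
SECOND_LEVEL_ZA = {"co", "org", "ac", "gov", "net", "web"}


def hostname(url):
    """Lower-cased host part of a URL; a bare domain is accepted too."""
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()


def registrable_domain(host):
    """Reduce a host to its registrable domain, e.g.
    'www.standardbank.co.za' -> 'standardbank.co.za'."""
    labels = host.strip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "za" and labels[-2] in SECOND_LEVEL_ZA:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(domain):
    """Normalise a domain so visually similar spellings compare equal."""
    s = "".join(HOMOGLYPHS.get(ch, ch) for ch in domain)
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    for pair, repl in CONFUSABLES.items():
        s = s.replace(pair, repl)
    return s


def levenshtein(a, b):
    """Edit distance; a small value between skeletons signals a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """'trusted' for a known domain, 'lookalike' when a trusted name is
    embedded in or a near-miss of the domain, otherwise 'unknown'."""
    host = hostname(url)
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    for t in trusted:
        brand = t.split(".")[0].replace("-", "")
        if t in host or brand in host.replace("-", ""):
            return "lookalike"   # trusted name used as a subdomain or prefix
        if levenshtein(skeleton(domain), skeleton(t)) <= max_distance:
            return "lookalike"   # transposed letters, digit-for-letter swaps
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links of the kind a shopper might receive.
    for link in ["https://www.standardbank.co.za/personal",
                 "https://standardbank.co.za.verify-account.example/login",
                 "https://standardbnak.co.za/", "https://example.com/deals"]:
        print(classify_url(link), link)
```

An "unknown" result is not a verdict that a site is safe, only that it is not one of the trusted domains and not an obvious imitation of one; the check is meant to surface the subtle alterations a person skims past, such as a Cyrillic letter in the brand name or the real domain appearing as a subdomain of something else.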