Massive Email Address Exposure: SOCRadar.io Data Scraping Incident

A significant security concern has arisen following the exposure of an estimated 332 million email addresses online, allegedly scraped from the security intelligence platform SOCRadar.io. The massive data dump was reportedly posted on a cybercrime forum by a threat actor known as Dominatrix. According to Hackread, the data was initially scraped by another actor, “USDoD,” who has a history of involvement in previous data breaches. The leaked data was extracted from what are described as “stealer logs and combolists,” suggesting that malware infections played a crucial role in the initial data collection. 

This indicates a broader issue involving malware distribution and the exploitation of compromised systems. The data scraping incident reportedly took place in July 2024. Hackread notes that an announcement on the underground hacker forum Breach Forums revealed that a 14GB CSV file containing only email addresses, aggregated from various data breaches, was obtained. The forum user known as USDoD initially attempted to sell the scraped data for $7,000 on July 28, 2024. 

However, Dominatrix, who is alleged to have purchased the data, made it public on August 3, 2024, stating, “Hello BreachForums Community, Today I have uploaded a SocRadar database for you to download, thanks for reading and enjoy! In July 2024, @USDoD scraped socradar.io extracting 332 million emails parsed from stealer logs and combolists. I have purchased the data to share with you all today.” 

Although the incident does not involve passwords, the exposure of email addresses poses several risks. Cybercriminals could use the email list to conduct large-scale phishing campaigns, attempt unauthorized access through brute-force attacks, or perform credential stuffing by comparing the emails with previously leaked data containing passwords. SOCRadar’s Chief Security Officer, Ensar Seker, has disputed the claims that the data was sourced from their platform. According to Seker, there is no evidence proving that the data was collected from SOCRadar. 

Instead, he suggests that the data was likely harvested from Telegram channels and misrepresented as being from SOCRadar. Seker emphasizes that threat actors had impersonated legitimate companies to gather the information. SOCRadar is pursuing legal avenues and cooperating with law enforcement agencies to address the issue. This incident underscores the critical need for strong cybersecurity practices. 

Users are advised to employ unique passwords for different accounts, enable multi-factor authentication (MFA) to add an extra layer of security, and remain vigilant against unsolicited emails, avoiding suspicious links and attachments to mitigate potential threats.

FIA Confirms Cyberattack Compromising Email Accounts

The Fédération Internationale de l’Automobile (FIA), the governing body overseeing Formula 1 and other major motorsports worldwide, recently disclosed a significant cyberattack. This breach resulted from phishing attacks that compromised personal data within two FIA email accounts, exposing vulnerabilities in the organization’s cybersecurity measures. 

In a brief statement, the FIA confirmed the incidents, detailing that swift action was taken to cut off unauthorized access and mitigate the issue. The organization promptly reported the breach to the French and Swiss data protection regulators, the Commission Nationale de l’Informatique et des Libertés (CNIL) and the Préposé Fédéral à la Protection des Données et à la Transparence, respectively. 

However, the FIA did not disclose specific details regarding the nature of the stolen data, the number of affected individuals, or the identity of the attackers. It also remains unclear whether the hackers demanded any ransom for the compromised data. The FIA, when approached for further information, clarified that these incidents were part of a broader phishing campaign targeting the motorsport sector, rather than a direct and targeted attack on the FIA’s systems. Founded in 1904 in Paris, France, the FIA plays a crucial role in governing numerous prestigious auto racing events, including Formula One, the World Rally Championship, the World Endurance Championship, and Formula E. 

In addition to its sports governance role, the FIA is also an advocate for road safety and sustainable mobility through various programs and campaigns. The organization boasts 242 member organizations across 147 countries, emphasizing its global influence and reach. This incident underscores the persistent cybersecurity threats that organizations face globally. Phishing attacks, in particular, remain a significant threat, as they exploit human vulnerabilities to gain unauthorized access to sensitive information. The FIA’s prompt response to this breach demonstrates its commitment to protecting personal data and maintaining the integrity of its operations. 

However, the incident also highlights the need for ongoing vigilance and robust cybersecurity measures. Cybersecurity experts emphasize the importance of comprehensive security protocols, including regular employee training to recognize and respond to phishing attempts. Organizations must also implement advanced security technologies, such as multi-factor authentication and encryption, to safeguard their digital assets. The evolving nature of cyber threats necessitates a proactive approach to cybersecurity, ensuring that organizations remain resilient against potential attacks. As cyber threats continue to evolve, the FIA and other organizations must remain vigilant and proactive in their cybersecurity efforts. 

The lessons learned from this incident will undoubtedly inform future strategies to protect sensitive information and maintain the trust of stakeholders. The FIA’s experience serves as a reminder of the critical importance of cybersecurity in today’s interconnected digital landscape.

Typo Delivers Millions of US Military Emails to Russia's Ally Mali

Due to a small typing error, millions of emails from the US military were unintentionally forwarded to Mali, a Russian ally. For years, emails meant for the US military's ".mil" domain have been transmitted to the West African nation, whose country-code domain is ".ml".

According to reports, some of the emails contained private information including passwords, medical information, and high officers' travel schedules. The Pentagon claimed to have taken action to resolve the situation.

The Financial Times, which broke the story, claims that Dutch internet entrepreneur Johannes Zuurbier discovered the issue more than ten years ago. He has held a contract to handle Mali's national domain since 2013 and has apparently collected tens of thousands of misdirected emails in recent months. 

None were tagged as classified, but they included medical data, maps of US military bases, financial records, and planning documents for official trips, as well as some diplomatic letters, according to the newspaper. 

This month, Mr Zuurbier issued a letter to US officials to raise the alarm. He stated that his contract with the Mali government was about to expire, implying that "the risk is real and could be exploited by US adversaries." On Monday, Mali's military administration was set to take control of the domain.

According to current and former US officials, "classified" and "top secret" US military communications are routed through separate IT networks, making it unlikely that they will be accidentally compromised. 

However, Steven Stransky, a lawyer who previously served as senior counsel to the Department of Homeland Security's Intelligence Law Division, believes that even seemingly innocuous material could be beneficial to US adversaries, especially if it includes specifics on individual employees. 

"Those sorts of communications would mean that a foreign actor can start building dossiers on our own military personnel, for espionage purposes, or could try to get them to disclose information in exchange for financial benefit," Mr Stransky explained. "It's certainly information that a foreign government can use." 

Lee McKnight, a Syracuse University professor of information studies, believes the US military was lucky that the issue was brought to its attention and that the emails were directed to a domain used by Mali's government rather than cyber criminals.


He went on to say that "typo-squatting" - a sort of cybercrime that targets individuals who misspell an internet domain - is rampant. "They're hoping that a person will make a mistake, and that they can lure you in and make you do stupid things," he noted. 

Both Mr. McKnight and Mr. Stransky believe that human error is a major concern for IT professionals working in government and the private sector alike.
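The misdirection described above is a typo that changes only the top-level domain, so an outbound-mail check can catch it before the message leaves. The following is an added example, not code from the article or from any government mail system: it flags recipients whose TLD is one edit away from a protected TLD. The protected list and the addresses are constructed for illustration.

```python
# Added example: hold outbound mail whose recipient TLD is a one-character
# slip away from a protected TLD (".mil" typed as ".ml"). Assumptions:
# PROTECTED_TLDS is a constructed policy list, not a real organisation's config.


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution and
    transposition of two adjacent characters each cost 1.
    "ml" vs "mil" is a single deletion, so it scores 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


# Constructed policy: mail intended for these TLDs must not leak to lookalikes.
PROTECTED_TLDS = ("mil", "gov")


def classify_recipient(addr: str, protected=PROTECTED_TLDS):
    """Return (verdict, protected_tld) where verdict is one of
    'protected', 'lookalike', 'external' or 'invalid'."""
    local, at, domain = addr.strip().lower().rpartition("@")
    if not at or not local or "." not in domain:
        return "invalid", None
    tld = domain.rsplit(".", 1)[1]
    if tld in protected:
        return "protected", tld
    for p in protected:
        if osa_distance(tld, p) == 1:
            return "lookalike", p       # e.g. army.ml when army.mil was meant
    return "external", None


def screen_outbound(recipients):
    """Return (address, intended_tld) pairs that should be held for review."""
    held = []
    for r in recipients:
        verdict, tld = classify_recipient(r)
        if verdict == "lookalike":
            held.append((r, tld))
    return held


if __name__ == "__main__":
    # Constructed sample recipient list for a single outbound message.
    for item in screen_outbound(["officer@army.mil", "officer@army.ml", "vendor@supplier.com"]):
        print("HOLD:", item)
```

An exact-TLD allowlist would also block legitimate external mail; the edit-distance check only holds addresses that look like slips of a protected TLD.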

Data of 2.5 Lakh Customers Sent to Personal Account by CFPB Employee

The Wall Street Journal reported that a Consumer Financial Protection Bureau (CFPB) employee sent records containing private information to a personal email address. The records included confidential supervisory information from 45 other financial institutions as well as personal information on roughly 256,000 customers at one financial institution.

The agency, which was already under siege from Republican lawmakers, presented the breach to Congress as a catastrophic incident. 

The emails contained customer information from seven businesses, although the majority of the personal data was linked to customers at one unnamed institution, a CFPB spokeswoman told the Journal. 

The incident was discovered by the agency for the first time in February, and it was revealed to lawmakers on March 21, according to the Journal. The reason the employee, who was later fired, forwarded the emails to a personal account was not disclosed by the CFPB. 

The CFPB, downplaying the severity of the data theft, said the personal information consists of two spreadsheets with names and transaction-specific account numbers that were used internally by the financial institution.

According to the representative, the spreadsheets do not contain the customers' bank account details and cannot be utilised to access a customer's account. As of Wednesday, the former CFPB employee had not complied with a request to erase the emails. Republican lawmakers seized on the data leak and demanded additional information from Director Rohit Chopra in statements they released. 

The CFPB has expanded enforcement efforts against the mortgage industry under Chopra, which has increased compliance expenses.

In October, Mortgage Bankers Association President and CEO Bob Broeksmit described the agency as a "judge, jury, and executioner all rolled into one." 

He urged the government to "establish clear and consistent standards, providing notice and comment when enacting rules. Unfortunately, the Bureau does not often follow this reasonable procedure, announcing new legal responsibilities without formal process or deliberation, enforcing novel and untested legal theories, and making it extremely difficult for businesses to grasp their legal obligations."

Additionally, the agency is battling constitutional issues on various fronts. The agency's funding structure—by which it is funded by the Fed as opposed to appropriations legislation enacted through Congress—will be decided by the Supreme Court in a case that will be heard there. The agency's financing source was ruled to be illegal in 2022 by a panel of Trump appointees on the Fifth Circuit U.S. Court of Appeals. 

The funding provisions for the CFPB were found to be constitutional in March by the Second Circuit U.S. Court of Appeals, which includes the districts of Connecticut, New York, and Vermont.

How Would You Deal with the Inevitable Breaches of 2023?


Large-scale breaches are inevitable in 2023 as a result of cyber criminals speeding up their attacks against businesses today. In the past two months, T-Mobile, LastPass, and the Virginia Commonwealth University Health System have all faced a number of severe breaches. 

In the T-Mobile data breach, around 37 million of the company's customer records were compromised before the US-based wireless carrier discovered the intrusion on January 19. LastPass, the password management platform, has suffered a series of attacks that compromised the identities of 25 million users.

VCU, on the other hand, announced a breach earlier this month wherein information on over 4,000 organ donors and recipients was exposed for more than 16 years. 

Even After Investing in Robust Cybersecurity, Breaches may only Increase in 2023 

Company CEOs and board members tend to invest in advanced cybersecurity systems in order to acquire better risk control and management strategies. According to Ivanti's State of Security Preparedness 2023 report, 71% of CISOs and security experts believe their budgets will rise this year by an average of 11%.

They added further that a record $261.48 billion will be spent on information and security risk management globally in 2026, up from $167.86 billion in 2021. The unsettling paradox is that despite these constantly rising cyber security and zero-trust budgets, ransomware and other sophisticated assaults continue to be successful. 

Apparently, the power dynamic is in favor of cyber criminals, cybercrime organizations, and advanced persistent threat (APT) attack groups. Cyberattacks are becoming more sophisticated and severe, with attackers often studying a business for months prior to attacking it and using "low and slow" strategies to escape discovery. The Ivanti report predicts this year will be difficult for CISOs and their teams due to the growth in ransomware, phishing, software vulnerabilities, and DDoS attacks.

Steps Organizations can Work on to Tackle Breaches 

John Kindervag, an authority in his field and creator of Zero Trust, says: “Start with a single security surface because this will allow you to segment cyber security into manageable pieces. The best thing about doing this is that it is non-disruptive.”

We are listing below more such steps that would further aid in tackling breaches:

1. Audit All Access Privileges, Remove Irrelevant Accounts, and Scale Back Administrator Rights

Cyber attackers tend to combine business email compromise, social engineering, phishing, fraudulent multifactor authentication (MFA) sessions, and more in order to lure victims into giving up their passwords. Around 80% of breaches take place following the compromise of such privileged credentials.

Contractors, sales partners, service providers, and support partners from previous years frequently still retain access to portals, internal websites, and applications. Access credentials for invalid accounts and partners must be cleared. 

Without MFA, valid accounts are only slightly protected. MFA needs to be enabled right away on all legitimate accounts. It should come as no surprise that in 2022 it took an average of 277 days, or almost nine months, to find and fix a breach.

2. Monitor Multifactor Authentication from the User’s Perspective

Protecting every legitimate identity with MFA is standard practice. However, making it as unobtrusive and secure as feasible is a challenge. Techniques for contextual risk-based analysis have the potential to enhance the user experience. Despite its adoption issues, CIOs and CISOs tell VentureBeat that MFA is one of their favorite quick wins because of how quantifiably it adds an extra layer of security to an organization's defense against data breaches.

According to Andrew Hewitt, senior analyst at Forrester, the best place to secure one’s identity is “always implementing multi-factor authentication. This can go a long way toward ensuring that enterprise data is secure. From there, it is enrolling devices and maintaining a solid compliance standard with Unified Endpoint Management (UEM) tools.”

Furthermore, Forrester advises enterprises to consider what-you-are (biometric), what-you-do (behavioral biometric), or what-you-have (token) factors for better results in MFA implementation. Hewitt recommends that organizations consider adding PIN codes or implementing single-factor authentication.

3. Keep Cloud-based Email Security Programs Updated to the Latest Version

Apparently, CISOs are pressuring the providers of email security to improve their anti-phishing tools and implement zero-trust-based controls for URLs that might be harmful and attachment screening. Computer vision is used by the top suppliers in this space to find URLs that need to be quarantined or removed.

Cyber security teams are switching to cloud-based email security suites with integrated email sanitization features. Organizations have also been advised to consider email-centric security orchestration, automation and response (SOAR) tools such as M-SOAR, or Extended Detection and Response (XDR) platforms that include email security, to safeguard against email-borne attacks.

Moreover, one of the most effective approaches an organization can take is to accept that a breach is inevitable and to invest in a well-formulated strategy rather than hoping to avoid the risk. Developing a culture of cyber-resilience is one of the best things a company can do to withstand a breach attempt.

UNC1151 Targets Ukrainian Armed Forces Personnel with Spear Phishing Campaign

The Ukrainian Computer Emergency Response Team (CERT-UA) has issued a warning about an ongoing spear-phishing campaign targeting private email accounts belonging to Ukrainian military personnel. The Ukrainian agency attributes the campaign to the UNC1151 cyber espionage gang, which is linked to Belarus. In mid-January, the Kyiv administration blamed Belarusian APT group UNC1151 for the defacement of tens of Ukrainian government websites. 

“We believe preliminarily that the group UNC1151 may be involved in this attack,” Serhiy Demedyuk, deputy secretary of the national security and defence council, told Reuters. “This is a cyber-espionage group affiliated with the special services of the Republic of Belarus. The defacement of the sites was just a cover for more destructive actions that were taking place behind the scenes and the consequences of which we will feel in the near future.”

The following message was shown on defaced websites in Russian, Ukrainian, and Polish. “Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab public, fairy tale and wait for the worst. It is for you for your past, the future, and the future. For Volhynia, OUN UPA, Galicia, Poland, and historical areas.” read a translation of the message. 

Mandiant Threat Intelligence researchers attributed the Ghostwriter disinformation campaign (aka UNC1151) to the government of Belarus in November 2021. FireEye security analysts discovered a misinformation campaign aimed at discrediting NATO in August 2020 by circulating fake news articles on compromised news websites. According to FireEye, the GhostWriter campaign has been running since at least March 2017 and is aligned with Russian security interests. 

GhostWriter, unlike other disinformation campaigns, did not propagate via social media; instead, threat actors behind this campaign employed compromised content management systems (CMS) of news websites or forged email accounts to disseminate bogus news. The attackers were disseminating false content, such as forged news articles, quotations, correspondence, and other documents purporting to be from military authorities and political people in some targeted countries. According to researchers, the campaign particularly targeted people in specific alliance member states such as Lithuania, Latvia, and Poland. 

The phishing messages employed a typical social engineering method to deceive victims into submitting their information in order to prevent having their email accounts permanently suspended. According to Ukraine's State Service of Special Communications and Information Protection (SSSCIP), phishing assaults are also targeting Ukrainian citizens.

IKEA Suffers Phishing Cyberattack, Employees Mail Compromised

Once mail servers are compromised, attackers use them to reply to the organization's existing employee email threads in what are known as reply-chain attacks. Because the message is sent from within the company, it is far less likely to be caught. Attackers also use compromised internal email access to target business partners. IKEA warned its employees of an ongoing reply-chain phishing attack on internal mailboxes. The malicious emails are also being sent from other IKEA organizations and company partners: the attack targets Inter IKEA mailboxes as well as other IKEA companies, business partners, and suppliers affected by the same campaign.

"The emails originate from the same internal network, appear to be a continuation of a previous discussion between two employees. The attacker did not use tools for lateral movement or execute malware on the Exchange servers to avoid detection. The emails use weaponized Office documents or include a link to them. Upon enabling the content, malicious macros are executing to download and install the malware, such as Qbot, Cobalt Strike, and SquirrelWaffle," reports SecurityAffairs. 

The attack is also sending these malicious emails to employees across IKEA organizations, which means a malicious message may come from a co-worker, an external company, or a reply in an ongoing conversation. IKEA's warning to employees notes that the fraudulent messages are difficult to spot precisely because they come from within the organization. The phishing messages contain download links that end in seven digits, and the organization asked employees to report anything suspicious.

IKEA also disabled employees' ability to release emails from quarantine, to prevent messages that the email filters had correctly quarantined from being released on the assumption that they were false positives. Security Affairs reports, "recently Trend Micro spotted a malware campaign aimed at Microsoft Exchange servers that exploits ProxyShell and ProxyLogon issues and use stolen internal reply-chain emails to avoid detection."

Threat Actors Use Tiny Font Size to Bypass Email Filters in BEC Phishing Campaign

A new Business Email Compromise (BEC) campaign targeting Microsoft 365 users employs an array of innovative sophisticated tactics in phishing emails to avoid security protections. 

Researchers at email security firm Avanan first discovered the campaign in September. It fools natural language processing filters by hiding text in a one-point font size within the messages. Attackers are also concealing links within the Cascading Style Sheets (CSS) of their phishing emails, a further tactic that confuses natural language filters such as Microsoft’s Natural Language Processing (NLP), researchers stated in a report.

According to cybersecurity expert Jeremy Fuchs, the One Font campaign also includes messages with links coded within the <font> tag, which destroys the effectiveness of email filters that rely on natural language analysis.

“This breaks semantic analysis, which leads many solutions to treat it as a marketing email, as opposed to phishing. Natural language filters see random text; human readers see what the attackers want them to see,” Fuchs explained.

In 2018, researchers uncovered an identical campaign called ZeroFont, which employed similar strategies to move past Microsoft NLP in its Office 365 security protections. That campaign inserted concealed text with the font dimension of zero inside messages to fool email scanners that rely on natural language processing in order to spot malicious e-mails. 

According to Avanan analysts, just like ZeroFont, One Font also targets Office 365 enterprises, an action that can lead to BEC, and finally compromise the firm’s network if the emails aren’t flagged and users are duped into handing over their credentials. 

Once it reaches a mailbox and convinces the user that it is an authentic message, the One Font campaign employs standard phishing social-engineering techniques to capture the user's attention. The threat actors then present what appears to be a password-expiration notification, using urgent messaging to entice the target to click on a malicious link.

The fraudulent link carries victims to a phishing page where they appear to be entering their credentials in order to update their passwords. Instead, threat actors steal their credentials to use them for malicious purposes. 
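The One Font and ZeroFont tricks work because a text-based filter reads everything in the HTML while the recipient only sees what is rendered. A defensive check can therefore compare the two views. The scanner below is an added example, not Avanan's or Microsoft's code: it walks an HTML body with the standard library parser, separates text hidden by tiny font sizes or hiding styles from text a human would see, counts links inside hidden content and url() references tucked into <style> blocks, and flags messages where the two views diverge. The sample emails are constructed.

```python
# Added example: detect "tiny font" / CSS-hidden content in an HTML email body.
# Assumptions: the thresholds and the two sample messages are constructed;
# this is not the detection logic of any product named in the article.
import re
from html.parser import HTMLParser

TINY_FONT_PX = 2.0   # text rendered smaller than this is effectively invisible
_VOID = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "embed", "source"}


def _font_size_px(style: str):
    """Return the font-size declared in an inline style in CSS pixels, or None."""
    m = re.search(r"font-size\s*:\s*([\d.]+)\s*(px|pt|em)?", style, re.I)
    if not m:
        return None
    value, unit = float(m.group(1)), (m.group(2) or "px").lower()
    return value * {"px": 1.0, "pt": 4 / 3, "em": 16.0}[unit]


def _hides_content(style: str) -> bool:
    """True when an element's own styling makes its text invisible to a reader."""
    size = _font_size_px(style)
    if size is not None and size < TINY_FONT_PX:
        return True
    return bool(re.search(r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])",
                          style, re.I))


class _HiddenTextScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self._stack = []            # (tag, hidden) for each open element
        self._in_style = False
        self.visible, self.hidden = [], []
        self.hidden_links = 0       # <a> elements placed inside invisible content
        self.css_urls = 0           # url(...) references inside <style> blocks

    def _currently_hidden(self) -> bool:
        return bool(self._stack) and self._stack[-1][1]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        hidden = self._currently_hidden() or _hides_content(attrs.get("style", ""))
        if tag == "a" and hidden:
            self.hidden_links += 1
        if tag not in _VOID:
            self._stack.append((tag, hidden))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        for i in range(len(self._stack) - 1, -1, -1):   # pop back to the matching open tag
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

    def handle_data(self, data):
        if self._in_style:
            self.css_urls += len(re.findall(r"url\s*\(", data, re.I))
            return
        words = data.split()
        if words:
            (self.hidden if self._currently_hidden() else self.visible).extend(words)


def analyze_email_html(html: str) -> dict:
    """Split an HTML body into what the recipient sees and what only a filter sees."""
    p = _HiddenTextScanner()
    p.feed(html)
    p.close()
    total = len(p.visible) + len(p.hidden)
    return {
        "visible_text": " ".join(p.visible),
        "hidden_text": " ".join(p.hidden),
        "hidden_ratio": round(len(p.hidden) / total, 3) if total else 0.0,
        "hidden_links": p.hidden_links,
        "css_urls": p.css_urls,
    }


def is_suspicious(report: dict, max_hidden_ratio: float = 0.2) -> bool:
    """Flag mail whose machine-readable text differs materially from its rendered text.
    css_urls is reported as a weaker signal for triage rather than used on its own."""
    return report["hidden_ratio"] > max_hidden_ratio or report["hidden_links"] > 0


# Constructed sample: a password-expiry lure padded with 1pt filler text.
SAMPLE_PHISH = """<html><body>
<p>Your mailbox password expires today.
<a href="https://login.example.invalid/reset">Keep current password</a></p>
<span style="font-size:1pt">monthly newsletter preferences community roundup thanks for reading team</span>
<div style="display:none"><a href="https://hidden.example.invalid/">tracking</a></div>
<style>.banner { background: url(https://cdn.example.invalid/b.png); }</style>
</body></html>"""

# Constructed sample: an ordinary internal note with nothing hidden.
SAMPLE_BENIGN = "<html><body><p>Hi team, the Thursday meeting moves to 3pm. Thanks, Dana</p></body></html>"

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        r = analyze_email_html(body)
        print(name, "suspicious" if is_suspicious(r) else "clean", r)
```

Run the analysis on the text the filter actually classifies: if the NLP model only sees `visible_text`, the filler no longer dilutes the password-reset wording.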

How to minimize threats? 

According to Jeremy Fuchs, organizations should opt for a multi-tiered security solution that integrates highly developed artificial intelligence and machine learning, as well as static layers like domain and sender reputation. 

Implementing a security architecture that focuses on multiple factors to restrict an email and needing corporate users to verify with an IT department before interacting with any email that requests a password update can also help in mitigating risks.

Virginia Defense Force Email Accounts Hit by a Cyber Attack

In July, a hacker gained access to email accounts of the Virginia Department of Military Affairs and the Virginia Defense Force, a representative from the Virginia National Guard said.

The attack "impacted" email accounts of the Virginia Department of Military Affairs and the Virginia Defense Force, but no evidence of a breach of internal systems has been identified. These findings came from a joint investigation with state and federal cybersecurity and law enforcement officials.

The Virginia National Guard's Chief of Public Affairs, A. A. Puryear, stated that the organization was alerted in July of potential cyber threats to the Virginia Defense Force and started investigating instantly in synchronization with state and federal cyber security officials and law enforcement to ascertain what all was affected by the severe cyber-attack. 

The Virginia National Guard comprises the Virginia Army National Guard and the Virginia Air National Guard. It is a component of the Virginia state government, although it is largely funded by the federal government. The National Guard is the only military organization authorized by the United States to operate at the state level. The Virginia Defense Force is the Virginia National Guard's all-volunteer reserve and "serves as a force multiplier" in all domestic activities of the National Guard.

"The investigation determined the threat impacted VDF and Virginia Department of Military Affairs email accounts maintained by a contracted third party, and there are no indications either VDF or DMA internal IT infrastructure or data servers were breached or had data taken," Puryear said. 

"There are no impacts on the Virginia Army National Guard or Virginia Air National Guard IT infrastructure. The investigation is ongoing with continued coordination with state and federal partners to determine the full impact of the threat and what appropriate follow-up actions should be taken." 

However, on August 20, a trove of data obtained from the Virginia military department was published on Marketo, a marketplace for stolen information. The sellers claimed to have 1GB of data available for sale.

Findings suggest that although Marketo's administrators are not themselves the sellers, some of the data advertised on the site is believed to have been collected during ransomware attacks and advertised to pressure victims into paying a ransom.

Marketo was earlier in the headlines for selling data belonging to the Japanese tech firm Fujitsu. In July, Digital Shadows published an article about the group, which was established in April 2021 and frequently publicizes its stolen information via a Twitter account. The organization has often argued that it is an "informational marketplace" and not a ransomware group.

"They have taken the same route that Babuk did and are all 'data leaks.' To the best of our knowledge, they don't claim to steal the data themselves and instead, they offer a public outlet to groups who do, whether they are ransomware or not," Allan Liska, member of the computer security incident response team at Recorded Future said. 

Brett Callow, threat analyst and ransomware specialist at Emsisoft, stated that it is still not clear exactly how Marketo obtains the data it sells, nor whether the group carries out the hacking itself or simply acts as a commission-based broker. He said that certain victims on Marketo's leak site have recently been hit by ransomware attacks, such as the Maze ransomware attack on X-Fab in July 2020 and the Nefilim ransomware attack on Luxottica in September.

"That said, at least some of the data the gang has attempted to sell may be linked to ransomware attacks, some of which date back to last year. Leaked emails can represent a real security risk, not only to the organization from which they were stolen but also to its customers and business partners," Callow said. 

Recently, the group has identified hundreds of institutions, including the US Defense Department, and normally leaks a new one weekly and mostly sells data from companies in the US and Europe.

Credential Phishing and Brute Force Attacks Continue to Surge



Organizations across the globe are taking severe financial and reputational hits from an unprecedented escalation in advanced email attacks, according to a recent report by Abnormal Security. These schemes are designed to land malicious emails directly in victims' inboxes by evading security mechanisms, and unsuspecting victims fall prey to them.

As threat actors continue to refine their phishing techniques, credential phishing and brute-force attacks remain effective attack vectors. Advanced email threats such as Business Email Compromise (BEC) attacks are designed to bypass secure email gateways and other conventional security infrastructure, allowing their operators to steal billions each year.

After gaining access to email accounts, attackers can leverage these accounts to target other associated employees including business partners, vendors, and co-workers. Consequently, it allows them to infiltrate other parts of the compromised organization. Cybercriminals use these credential phishing and brute force attacks to obtain sensitive information such as usernames, passwords, and passphrases. 

Among its key findings, the report states that 5% of all organizations fell prey to brute-force attacks in early June 2021, while 73% of all sophisticated threats were credential phishing attacks.

Since Q4 2020, business email compromise attacks underwent a rise by 22% whereas 61% of companies witnessed a vendor email compromise attack this quarter. Alongside, the experts also made a prediction that there is a 60% probability of an account takeover attack being successful each week for firms having over 50,000 employees. 

While commenting on the matter, Evan Reiser, CEO, Abnormal Security, said, “Socially-engineered attacks are dramatically rising within enterprises worldwide, creating unprecedented financial and reputational risks. These never-before-seen attacks are becoming more sophisticated with every passing day. They don’t contain indicators of compromise, such as links, attachments, and reputational risks, so they evade secure email gateways and other traditional email infrastructure, landing in inboxes where unsuspecting employees fall victim to their schemes, which include ransomware. To effectively protect against these attacks, we can no longer rely only upon established threat intelligence. To baseline good behavior, we need to look further to comprehensively understand employee and vendor identities and their relationships, all with deep context, including content and tone. Any subtle deviations from this baseline expose the possibility of a threat or attack.” 

Furthermore, the report highlights the rise of impersonation and how cybercriminals employ it to trick users into submitting sensitive data. Experts note that impersonation of internal systems, namely IT Support and IT Help Desk, has risen 46% in the last two quarters.

Socially engineered credential phishing and account takeover attacks are surfacing as a major concern for enterprises worldwide, because these attacks can provide the access required to carry out further ransomware and malware-based attacks.

EU Banking Regulator Suffers Cyberattack in a Microsoft Email Breach

A major EU financial regulator, the EU Banking Authority, said that it suffered a cyberattack in which its Microsoft email systems were hacked. Microsoft, the US company, is blaming a Chinese threat actor. Microsoft recently said that a Chinese state-sponsored hacking group was exploiting previously unknown security vulnerabilities in Microsoft Exchange email servers to hijack government and user data. Victims may number in the tens of thousands. Earlier this week Microsoft said that "Hafnium attacks were in no way connected to the separate SolarWinds-related attacks."

Microsoft describes the threat actor "Hafnium" as highly skilled and sophisticated. Hafnium has previously attacked US-based organizations including cybersecurity firms, law firms, defense contractors, think tanks, defense agencies, NGOs, and universities. The EBA (EU Banking Authority) said in a statement that its inquiries have not revealed any data theft so far. The statement says the EBA e-mail infrastructure is now secure and the investigation has found no data breach.

There is no evidence to suggest that the breach affected anything more than email servers. The regulator says the investigation is still in progress and that security measures have been put in place to restore e-mail functionality. In a statement issued on Sunday, the EBA said it had shut down its systems as a precaution, noting that the hackers may have gained access to personal data in the emails. Microsoft has issued updates to fix the security issues. It is very likely that the hackers will try to take advantage of unpatched systems, says Microsoft executive Tom Burt.

In this regard, Security Week reported, "Beijing typically rejects US hacking charges out of hand and last year berated Washington following allegations that Chinese hackers were attempting to steal coronavirus research. In January, the US said Russia was probably behind the massive SolarWinds hack that hit large swathes of the government and private sectors, and which experts say may constitute an ongoing threat."  

Remote Working Susceptible to Data Risks, 83% of Organizations Suffer Email Breaches

According to a report by Egress, 95% of cybersecurity experts believe company and client data in e-mail is at risk. Moreover, 83% of firms have suffered data breaches through email in the last twelve months. Human error is the primary cause of almost a quarter of these incidents, with around 24% caused by an employee who shared data by mistake, for instance by forwarding an email containing sensitive information to the wrong recipient or attaching the wrong file. The report surveyed 500 IT leaders and 3,000 remote workers in the US and UK across various vertical sectors including financial services, legal, and healthcare.

The downside of remote working 

Remote working has left employees highly dependent on email, especially for sharing sensitive data. Since the start of the Covid-19 pandemic, 85% of the workforce has confirmed sending more emails, which has exposed users to more risk of outbound email data breaches. The report also revealed that around 60% of employees work in an environment that is usually full of distractions and noise, typically communal spaces and shared home offices.

Beyond the confidentiality problems, the distractions employees face in these environments increase the risk of a data breach. The risk is intensified by stress and fatigue: the report shows that around 73% of employees said they feel low due to the pandemic. The blending of home and work life has left many employees working long hours in an overwhelming environment, and both factors increase the chances of a data breach.

Tony Pepper, CEO of Egress, said, "It's clear to see that legacy DLP tools are no longer fit for purpose; they're difficult to use and because they can't take people's behavior into consideration, they're limited in their ability to mitigate the rising tide of email data breaches in this new world of remote working." He further said, "Employees continue to work in challenging environments, and the lines between work and home life have been blurred. All of this contributes to the likelihood that a costly mistake might be made."

Yandex Suffers Data Breach, Exposes Email Accounts

Russian internet and search company Yandex announced on Friday that one of its system administrators had enabled unauthorized access to a large number of customer mailboxes. The company discovered the breach internally during a routine check by its security team. The investigation found that the employee's actions led to the compromise of almost 5,000 Yandex email inboxes. The employee was one of three system administrators with the access privileges needed to provide technical support for mailboxes, Yandex said.

“A thorough internal investigation of the incident is under way, and Yandex will be making changes to administrative access procedures,” said Yandex’s Friday security advisory. “This will help minimize the potential for individuals to compromise the security of user data in future. The company has also contacted law enforcement.” 

According to Verizon's 2020 Data Breach Investigations Report (DBIR), internal actors were behind 30% of breaches (with the majority, 70%, coming from external actors). An insider threat can leave organizations reeling from financial or brand damage, and additionally from a loss of customer trust. In a case from January, for example, a former ADT employee was found to have added his own email address to the accounts of attractive women so that he could have around-the-clock access to their most private moments. In December, a former Cisco Systems employee was sentenced to two years in prison after hacking into the networking company's cloud infrastructure and deleting 16,000 Webex Teams accounts in 2018. Furthermore, in October, Amazon fired an employee who shared customers' names and email addresses with a third party.

“Yandex’s security team has already blocked unauthorized access to the compromised mailboxes,” the company says, adding that the owners have been notified of the breach and need to change their account passwords. As a result of the incident, Yandex will change its administrative access procedures to strengthen the security of customer data. According to the company, payment details have not been affected. While this data breach deserves serious scrutiny, Yandex faced a graver threat in the past, when Western intelligence agencies compromised its systems with Regin malware.

That attack occurred between October and November 2018 and targeted technical information about user account authentication, Reuters reported at the time. Yandex acknowledged the attack and said that it was detected and neutralized before it caused any harm.

Aeronautical agency’s email account hacked

The official email account of the Aeronautical Development Agency (ADA) was recently hacked and data manipulated, allegedly by a private aerospace engineering company.

The hackers breached the TAN login, changed the mobile number linked to the account, and made unauthorised online corrections to manipulate the tax returns of a private aerospace engineering company in Bengaluru.

Rangarajan S (58), a senior executive with the ADA, filed a complaint with the cybercrime police of the Criminal Investigation Department (CID) on June 4, seeking legal action against unknown hackers. Based on the complaint, the police registered a case under various sections of the Information Technology Act and are investigating.

In his complaint, Rangarajan said the hackers not only accessed details of financial transactions, but also made changes to the TDS for 2017-18. In addition, the hackers allegedly changed the password, email ID and mobile IDs, and updated the PAN details to those of the company they belonged to. The police said the fraud might have occurred between March and May this year and came to light recently during verification of the official accounts.

“On March 31, an amount of Re 1 has been remitted to ADA’s TAN number. Also, some unknown person has filed 27EQ return of 4th quarter FY 2018-19 offline on May 7 (possibly at TIN-FC centre). ADA’s TDS Reconciliation and Correction Enabling Systems user ID and login password have been accessed unauthorisedly on May 14.”

Confirming the account’s hacking, senior ADA officials said that though there has been a breach in the account, there is no security concern. “This is not a serious issue as the account was in the open domain. No data pertaining to the agency has been compromised,” an officer said.

The cybercrime police are trying to ascertain the motive behind the hacking.

Hacker stole $1.75 million from church

Hackers stole $1.75 million from Saint Ambrose Catholic Parish through a Business Email Compromise (BEC) attack, in which attackers trick email users into sending money to the wrong bank accounts. The attack was discovered on April 17 after the contractor on the Vision 2020 project asked the church why it had not received its monthly installment.

BEC, also known as Email Account Compromise (EAC), is very common among attackers because it requires little technical skill; it relies on tricking people into wiring money to what they believe is a trusted bank account, while the account is actually controlled by the attackers.

The Parish’s website posted, “With 16,000 members made up of 5,00 families, Saint Ambrose is the second largest church in the Diocese of Cleveland and the largest church in Brunswick, Ohio."

Pastor Father Bob Stec sent a letter to the Parish saying “On Wednesday, Marous Brothers called inquiring as to why we had not paid our monthly payment on the project for the past two months totaling approximately $1,750,000. This was shocking news to us, as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to Marous were executed/confirmed.”

An FBI investigation found that the hackers had gained access to the parish's email system through a phishing attack and were able to trick staff into believing that the contractor had changed its bank account, so that staff transferred the money to the fraudulent account.
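The pattern described above, a phished or impersonated vendor identity followed by a request to redirect payments, is what a finance-mailbox triage check should catch before any wire goes out. The following Python script is an added example, not code from the original post, the parish or the FBI; the vendor name "Example Construction", its domains and the three sample messages are constructed. It checks whether a message that asks to change payment details comes from a domain the vendor is known to use (including a lookalike check), whether Reply-To points elsewhere, and whether it carries urgency language, and returns a verdict that separates "verify out-of-band" from "quarantine and escalate".

```python
"""BEC triage: flag vendor mail that asks to change payment details.

Added example, not code from the original post, the parish or the FBI. The
vendor directory and the three messages below are constructed sample data.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor directory: display name -> domains the vendor really uses.
KNOWN_VENDORS = {"Example Construction": {"example-construction.com"}}

# Phrases typical of a payment-redirection request.
PAYMENT_CHANGE_RE = re.compile(
    r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|wire|routing|iban|payment)\b",
    re.I | re.S,
)
URGENCY_RE = re.compile(r"\b(urgent(ly)?|immediately|today|asap)\b", re.I)

# Constructed: lookalike domain (digit 1 for letter l) plus an urgent bank change.
SUSPICIOUS = """\
From: Example Construction <billing@examp1e-construction.com>
To: finance@parish.example
Subject: Updated payment instructions

Please note that our bank account has changed. Wire this month's
installment to the new account below immediately.
"""
# Constructed: genuine domain, ordinary invoice, no change of details.
BENIGN = """\
From: Example Construction <billing@example-construction.com>
To: finance@parish.example
Subject: Invoice 1043

Attached is our invoice for April. Payment terms are unchanged.
"""
# Constructed: genuine domain but a change request, as sent from a compromised mailbox.
REAL_DOMAIN_CHANGE = """\
From: Example Construction <billing@example-construction.com>
To: finance@parish.example
Subject: Banking update

We have moved to a new bank; please use the updated account details
attached from next month.
"""


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze(raw_message):
    """Return a verdict and the reasons behind it for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if msg.is_multipart():
        body = "".join(p.get_payload() for p in msg.walk()
                       if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()

    reasons = []
    known = KNOWN_VENDORS.get(name)
    if known is not None and from_domain not in known:
        lookalike = any(0 < levenshtein(from_domain, k) <= 2 for k in known)
        tag = "a lookalike of" if lookalike else "not among"
        reasons.append(f"From domain {from_domain} is {tag} the known domains for {name}")
    if reply_addr and domain_of(reply_addr) != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    payment_change = PAYMENT_CHANGE_RE.search(body) is not None
    if payment_change:
        reasons.append("asks to change payment details")
    if URGENCY_RE.search(body):
        reasons.append("urgency language")

    identity_anomaly = any(r.startswith(("From domain", "Reply-To")) for r in reasons)
    if payment_change and identity_anomaly:
        verdict = "quarantine and escalate"
    elif payment_change:
        verdict = "verify out-of-band"  # call the vendor on a number already on file
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for label, raw in [("suspicious", SUSPICIOUS), ("benign", BENIGN),
                       ("real-domain change", REAL_DOMAIN_CHANGE)]:
        print(label, analyze(raw))
```

A payment-detail change from a genuine vendor address still gets "verify out-of-band" rather than "deliver", because the vendor's own mailbox may be the one that was compromised; only a phone call to a number already on file, never one taken from the email, confirms the change.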

According to the investigation, only the parish's email system was hacked; its database is "stored in a secure cloud-based system. This allows for many layers of security/protection of our parish database information."

According to cleveland.com, Father Stec's letter also states: “We are now working closely with the Diocese, legal counsel, the insurance program, and the FBI to investigate the situation further and file the appropriate insurance claims. At the same time, we brought in information technology consultants to review the security and stability of our system, change all passwords, and verify the integrity of our databases and other pertinent information. They have determined the breach was limited to only two email accounts.”

The parish has submitted an insurance claim so that it can pay the contractor on time for the Vision 2020 project.