
Massive Email Address Exposure: SOCRadar.io Data Scraping Incident


A significant security concern has arisen following the exposure of an estimated 332 million email addresses online, allegedly scraped from the security intelligence platform SOCRadar.io. The massive data dump was reportedly posted on a cybercrime forum by a threat actor known as Dominatrix. According to Hackread, the data was initially scraped by another actor, “USDoD,” who has a history of involvement in previous data breaches. The leaked data was extracted from what are described as “stealer logs and combolists,” suggesting that malware infections played a crucial role in the initial data collection. 

This indicates a broader issue involving malware distribution and the exploitation of compromised systems. The data scraping incident reportedly took place in July 2024. Hackread notes that an announcement on the underground hacker forum Breach Forums revealed that a 14GB CSV file containing only email addresses, aggregated from various data breaches, was obtained. The forum user known as USDoD initially attempted to sell the scraped data for $7,000 on July 28, 2024. 

However, Dominatrix, who is alleged to have purchased the data, made it public on August 3, 2024, stating, “Hello BreachForums Community, Today I have uploaded a SocRadar database for you to download, thanks for reading and enjoy! In July 2024, @USDoD scraped socradar.io extracting 332 million emails parsed from stealer logs and combolists. I have purchased the data to share with you all today.” 

Although the incident does not involve passwords, the exposure of email addresses poses several risks. Cybercriminals could use the email list to conduct large-scale phishing campaigns, attempt unauthorized access through brute-force attacks, or perform credential stuffing by comparing the emails with previously leaked data containing passwords. SOCRadar’s Chief Security Officer, Ensar Seker, has disputed the claims that the data was sourced from their platform. According to Seker, there is no evidence proving that the data was collected from SOCRadar. 

Instead, he suggests that the data was likely harvested from Telegram channels and misrepresented as being from SOCRadar. Seker emphasizes that threat actors had impersonated legitimate companies to gather the information. SOCRadar is pursuing legal avenues and cooperating with law enforcement agencies to address the issue. This incident underscores the critical need for strong cybersecurity practices. 

Users are advised to employ unique passwords for different accounts, enable multi-factor authentication (MFA) to add an extra layer of security, and remain vigilant against unsolicited emails, avoiding suspicious links and attachments to mitigate potential threats.

FIA Confirms Cyberattack Compromising Email Accounts


The Fédération Internationale de l’Automobile (FIA), the governing body overseeing Formula 1 and other major motorsports worldwide, recently disclosed a significant cyberattack. This breach resulted from phishing attacks that compromised personal data within two FIA email accounts, exposing vulnerabilities in the organization’s cybersecurity measures. 

In a brief statement, the FIA confirmed the incidents, detailing that swift action was taken to cut off unauthorized access and mitigate the issue. The organization promptly reported the breach to the French and Swiss data protection regulators, the Commission Nationale de l’Informatique et des Libertés (CNIL) and the Préposé Fédéral à la Protection des Données et à la Transparence, respectively. 

However, the FIA did not disclose specific details regarding the nature of the stolen data, the number of affected individuals, or the identity of the attackers. It also remains unclear whether the hackers demanded any ransom for the compromised data. The FIA, when approached for further information, clarified that these incidents were part of a broader phishing campaign targeting the motorsport sector, rather than a direct and targeted attack on the FIA’s systems. Founded in 1904 in Paris, France, the FIA plays a crucial role in governing numerous prestigious auto racing events, including Formula One, the World Rally Championship, the World Endurance Championship, and Formula E. 

In addition to its sports governance role, the FIA is also an advocate for road safety and sustainable mobility through various programs and campaigns. The organization boasts 242 member organizations across 147 countries, emphasizing its global influence and reach. This incident underscores the persistent cybersecurity threats that organizations face globally. Phishing attacks, in particular, remain a significant threat, as they exploit human vulnerabilities to gain unauthorized access to sensitive information. The FIA’s prompt response to this breach demonstrates its commitment to protecting personal data and maintaining the integrity of its operations. 

However, the incident also highlights the need for ongoing vigilance and robust cybersecurity measures. Cybersecurity experts emphasize the importance of comprehensive security protocols, including regular employee training to recognize and respond to phishing attempts. Organizations must also implement advanced security technologies, such as multi-factor authentication and encryption, to safeguard their digital assets. The evolving nature of cyber threats necessitates a proactive approach to cybersecurity, ensuring that organizations remain resilient against potential attacks. As cyber threats continue to evolve, the FIA and other organizations must remain vigilant and proactive in their cybersecurity efforts. 

The lessons learned from this incident will undoubtedly inform future strategies to protect sensitive information and maintain the trust of stakeholders. The FIA’s experience serves as a reminder of the critical importance of cybersecurity in today’s interconnected digital landscape.

Typo Delivers Millions of US Military Emails to Russia's Ally Mali


Due to a small typing error, millions of emails intended for the US military were unintentionally sent to Mali, a Russian ally. For years, emails meant for the US military's ".mil" domain have been transmitted to the West African nation, whose country-code domain is ".ml".

According to reports, some of the emails contained private information including passwords, medical information, and high officers' travel schedules. The Pentagon claimed to have taken action to resolve the situation.

The Financial Times, which broke the story, claims that Dutch internet entrepreneur Johannes Zuurbier discovered the issue more than ten years ago. He has held a contract to handle Mali's national domain since 2013 and has apparently collected tens of thousands of misdirected emails in recent months. 

None were tagged as classified, but they included medical data, maps of US military bases, financial records, and planning documents for official trips, as well as some diplomatic letters, according to the newspaper. 

This month, Mr Zuurbier issued a letter to US officials to raise the alarm. He stated that his contract with the Mali government was about to expire, implying that "the risk is real and could be exploited by US adversaries." On Monday, Mali's military administration was set to take control of the domain.

According to current and former US officials, "classified" and "top secret" US military communications are routed through separate IT networks, making it unlikely that they will be accidentally compromised. 

However, Steven Stransky, a lawyer who previously served as senior counsel to the Department of Homeland Security's Intelligence Law Division, believes that even seemingly innocuous material could be beneficial to US adversaries, especially if it includes specifics on individual employees. 

"Those sorts of communications would mean that a foreign actor can start building dossiers on our own military personnel, for espionage purposes, or could try to get them to disclose information in exchange for financial benefit," Mr Stransky explained. "It's certainly information that a foreign government can use." 

Lee McKnight, a Syracuse University professor of information studies, believes the US military was lucky that the issue was brought to its attention and that the emails were directed to a domain used by Mali's government rather than cyber criminals.

He went on to say that "typo-squatting" - a sort of cybercrime that targets individuals who misspell an internet domain - is rampant. "They're hoping that a person will make a mistake, and that they can lure you in and make you do stupid things," he noted. 

Both Mr. McKnight and Mr. Stransky believe that human error is a major concern for IT professionals working in government and the private sector alike.
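As an added illustration (not from the article), a small outbound-mail screening check in Python that holds a message whose recipient domain is one edit away from a protected domain, which is exactly the ".mil" versus ".ml" near miss described above. The protected-domain list and the recipient addresses are constructed for the example.

```python
# Constructed for this example: the domains an organisation treats as sensitive
# destinations. A recipient domain one typo away from any of these is held for review.
PROTECTED_DOMAINS = ("army.mil", "navy.mil", "defense.gov")

# Constructed sample recipients; army.ml and navy.mi are the ".mil" -> ".ml"
# class of typo discussed above.
SAMPLE_RECIPIENTS = [
    "john.doe@army.mil",
    "jane.doe@army.ml",
    "ops@navy.mi",
    "vendor@example.com",
]


def levenshtein(a, b):
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_recipient(address, protected=PROTECTED_DOMAINS, max_distance=1):
    """Return ("ok", None), or ("hold", <protected domain the recipient nearly matches>)."""
    _, _, domain = address.rpartition("@")
    domain = domain.strip().lower()
    if not domain or domain in protected:
        return ("ok", None)
    nearest = min(protected, key=lambda p: levenshtein(domain, p))
    if levenshtein(domain, nearest) <= max_distance:
        return ("hold", nearest)
    return ("ok", None)


def screen_recipients(addresses):
    """Map each recipient to its verdict; a message is held if any recipient is held."""
    return {addr: classify_recipient(addr) for addr in addresses}


if __name__ == "__main__":
    for addr, (verdict, near) in screen_recipients(SAMPLE_RECIPIENTS).items():
        note = f" (looks like {near})" if near else ""
        print(f"{verdict:4}  {addr}{note}")
```

A distance of 1 catches a dropped or mistyped character; raising `max_distance` widens the net at the cost of more false holds on legitimately similar partner domains.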

Data of 2.5 Lakh Customers Sent to Personal Account by CFPB Employee


The Wall Street Journal reported that a Consumer Financial Protection Bureau (CFPB) employee sent records containing private information to a personal email address. The records included confidential supervisory information from 45 other financial institutions as well as personal information on roughly 256,000 customers at one financial institution.

The agency, which was already under siege from Republican lawmakers, presented the breach to Congress as a catastrophic incident. 

The emails contained customer information from seven businesses, although the majority of the personal data was linked to customers at one unnamed institution, a CFPB spokeswoman told the Journal. 

The incident was discovered by the agency for the first time in February, and it was revealed to lawmakers on March 21, according to the Journal. The reason the employee, who was later fired, forwarded the emails to a personal account was not disclosed by the CFPB. 

According to the CFPB, the personal information consists of two spreadsheets with names and transaction-specific account numbers that were used internally by the financial institution; the agency has downplayed the severity of the data theft.

According to the representative, the spreadsheets do not contain the customers' bank account details and cannot be utilised to access a customer's account. As of Wednesday, the former CFPB employee had not complied with a request to erase the emails. Republican lawmakers seized on the data leak and demanded additional information from Director Rohit Chopra in statements they released. 

The CFPB has expanded enforcement efforts against the mortgage industry under Chopra, which has increased compliance expenses.

In October, Mortgage Bankers Association President and CEO Bob Broeksmit described the agency as a "judge, jury, and executioner all rolled into one." 

He urged the government to "establish clear and consistent standards, providing notice and comment when enacting rules. Unfortunately, the Bureau does not often follow this reasonable procedure, announcing new legal responsibilities without formal process or deliberation, enforcing novel and untested legal theories, and making it extremely difficult for businesses to grasp their legal obligations."

Additionally, the agency is battling constitutional challenges on several fronts. The agency's funding structure—by which it is funded by the Fed as opposed to appropriations legislation enacted through Congress—will be decided by the Supreme Court in a pending case. The agency's funding source was ruled to be unconstitutional in 2022 by a panel of Trump appointees on the Fifth Circuit U.S. Court of Appeals.

The funding provisions for the CFPB were found to be constitutional in March by the Second Circuit U.S. Court of Appeals, which includes the districts of Connecticut, New York, and Vermont.

How Would You Deal with the Inevitable Breaches of 2023?

Large-scale breaches are inevitable in 2023 as a result of cyber criminals speeding up their attacks against businesses today. In the past two months, T-Mobile, LastPass, and the Virginia Commonwealth University Health System have all faced a number of severe breaches. 

In the T-Mobile data breach, around 37 million of the company's customer records were compromised before the intrusion was discovered by the US-based wireless carrier on January 19. Password management platform LastPass has suffered a series of attacks that resulted in the identities of 25 million users being compromised.

VCU, on the other hand, announced a breach earlier this month wherein information on over 4,000 organ donors and recipients was exposed for more than 16 years. 

Even After Investing in Robust Cybersecurity, Breaches may only Increase in 2023 

Company CEOs and board members tend to invest in advanced cybersecurity systems in order to gain better risk control and a stronger management strategy. According to Ivanti's State of Security Preparedness 2023 report, 71% of CISOs and security experts believe their budgets will rise this year by an average of 11%.

They added further that a record $261.48 billion will be spent on information and security risk management globally in 2026, up from $167.86 billion in 2021. The unsettling paradox is that despite these constantly rising cyber security and zero-trust budgets, ransomware and other sophisticated assaults continue to be successful. 

Apparently, the power dynamic is in favor of cyber criminals, cybercrime organizations, and advanced persistent threat (APT) attack groups. Cyberattacks are becoming more sophisticated and severe, with attackers often studying a business for months prior to attacking it with "low and slow" strategies to escape discovery. The Ivanti report predicts this year will be difficult for CISOs and their teams due to the growth in ransomware, phishing, software vulnerabilities, and DDoS attacks.

Steps Organizations can Work on to Tackle Breaches 

John Kindervag, an authority in his field and the creator of Zero Trust, says: “Start with a single security surface because this will allow you to segment cyber security into manageable pieces. The best thing about doing this is that it is non-disruptive.”

We are listing below more such steps that would further aid in tackling breaches:

1. Audit all Access Privileges, Remove Irrelevant Accounts, and Scale Back Administrator Rights

Cyber attackers tend to pool business email breaches, social engineering, phishing, fraudulent multifactor authentication (MFA) sessions, and more in order to lure victims into giving them their passwords. Around 80% of breaches take place following the compromise of such privileged credentials.

Contractors, sales partners, service providers, and support partners from previous years frequently still retain access to portals, internal websites, and applications. Access credentials for invalid accounts and partners must be cleared. 

Without MFA, valid accounts are only slightly protected. MFA needs to be enabled right away on all legitimate accounts. It should come as no surprise that in 2022 it took an average of 277 days, or almost nine months, to identify and contain a breach.

2. Monitor Multifactor Authentication from the User’s Perspective

Protecting every legitimate identity with MFA is standard practice. Making it as unobtrusive and secure as feasible, however, is a challenge. Techniques for contextual, risk-based analysis have the potential to enhance the user experience. Despite its adoption issues, CIOs and CISOs tell VentureBeat that MFA is one of their favorite quick wins because of how quantifiably it adds an extra layer of security to an organization's defense against data breaches.

According to Andrew Hewitt, senior analyst at Forrester, the best place to secure one’s identity is “always implementing multi-factor authentication. This can go a long way toward ensuring that enterprise data is secure. From there, it is enrolling devices and maintaining a solid compliance standard with Unified Endpoint Management (UEM) tools.”

Furthermore, Forrester advises enterprises to consider what-you-are (biometric), what-you-do (behavioral biometric), or what-you-have (token) factors for better results in MFA implementation. Hewitt also recommends that organizations consider adding PIN codes or implementing single-factor authentication.

3. Keep Cloud-based Email Security Programs Updated to the Latest Version

Apparently, CISOs are pressuring the providers of email security to improve their anti-phishing tools and implement zero-trust-based controls for URLs that might be harmful and attachment screening. Computer vision is used by the top suppliers in this space to find URLs that need to be quarantined or removed.

Cyber security teams are switching to cloud-based email security suites with integrated email sanitization features. Organizations have also been advised to consider email-centric security orchestration, automation and response (SOAR) tools, such as M-SOAR, or Extended Detection and Response (XDR) platforms that include email security, to safeguard against email-borne attacks.

Moreover, one of the most effective approaches an organization can take is to accept that a breach is inevitable and to invest in a well-formulated strategy rather than ignoring the risk. In order to withstand a breach attempt, developing a culture of cyber-resilience is one of the best actions a company can work on.

UNC1151 Targets Ukrainian Armed Forces Personnel with Spear Phishing Campaign


The Ukrainian Computer Emergency Response Team (CERT-UA) has issued a warning about an ongoing spear-phishing campaign targeting private email accounts belonging to Ukrainian military personnel. The Ukrainian agency attributes the campaign to the UNC1151 cyber espionage gang, which is linked to Belarus. In mid-January, the Kyiv administration blamed Belarusian APT group UNC1151 for the defacement of tens of Ukrainian government websites. 

“We believe preliminarily that the group UNC1151 may be involved in this attack,” Serhiy Demedyuk, deputy secretary of the national security and defence council, told Reuters. “This is a cyber-espionage group affiliated with the special services of the Republic of Belarus. The defacement of the sites was just a cover for more destructive actions that were taking place behind the scenes and the consequences of which we will feel in the near future.”

The following message was shown on defaced websites in Russian, Ukrainian, and Polish. “Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab public, fairy tale and wait for the worst. It is for you for your past, the future, and the future. For Volhynia, OUN UPA, Galicia, Poland, and historical areas.” read a translation of the message. 

Mandiant Threat Intelligence researchers attributed the Ghostwriter disinformation campaign (aka UNC1151) to the government of Belarus in November 2021. FireEye security analysts discovered a misinformation campaign aimed at discrediting NATO in August 2020 by circulating fake news articles on compromised news websites. According to FireEye, the GhostWriter campaign has been running since at least March 2017 and is aligned with Russian security interests. 

GhostWriter, unlike other disinformation campaigns, did not propagate via social media; instead, the threat actors behind this campaign used compromised content management systems (CMS) of news websites or forged email accounts to disseminate bogus news. The attackers spread false content, such as forged news articles, quotations, correspondence, and other documents purporting to be from military authorities and political figures in the targeted countries. According to researchers, the campaign particularly targeted people in specific NATO member states such as Lithuania, Latvia, and Poland.

The phishing messages employed a typical social engineering method to deceive victims into submitting their information in order to prevent having their email accounts permanently suspended. According to Ukraine's State Service of Special Communications and Information Protection (SSSCIP), phishing assaults are also targeting Ukrainian citizens.

IKEA Suffers Phishing Cyberattack, Employees Mail Compromised


Once mail servers are compromised, attackers use them to reply to the organization's employee emails in so-called reply-chain attacks. Because the message is sent from within the company, the attacker is less likely to get caught. Attackers also use compromised internal email accounts to target business partners. IKEA warned its employees of an ongoing reply-chain phishing attack on internal mailboxes. The compromised emails are also being sent from other IKEA organizations and firm partners. The cyberattack targets Inter IKEA mailboxes, and other IKEA companies, business partners and suppliers were affected by the same attack.

"The emails originate from the same internal network, appear to be a continuation of a previous discussion between two employees. The attacker did not use tools for lateral movement or execute malware on the Exchange servers to avoid detection. The emails use weaponized Office documents or include a link to them. Upon enabling the content, malicious macros are executing to download and install the malware, such as Qbot, Cobalt Strike, and SquirrelWaffle," reports SecurityAffairs. 

The attack also sends these malicious emails to users in other IKEA organizations, meaning a phishing email might come from a co-worker, an external company, or a reply in an already ongoing conversation. IKEA's warning to employees notes that fraudulent messages are difficult to spot because they come from within the organization. The phishing messages contain download links ending in seven digits, and the organization asked employees to report anything suspicious.

IKEA also disabled the option for employees to release emails from quarantine, to prevent users from assuming that the messages had been flagged by email filters in error. Security Affairs reports, "recently Trend Micro spotted a malware campaign aimed at Microsoft Exchange servers that exploits ProxyShell and ProxyLogon issues and use stolen internal reply-chain emails to avoid detection."

Threat Actors Use Tiny Font Size to Bypass Email Filters in BEC Phishing Campaign


A new Business Email Compromise (BEC) campaign targeting Microsoft 365 users employs an array of innovative sophisticated tactics in phishing emails to avoid security protections. 

Researchers at email security firm Avanan first discovered the campaign in September. It can fool natural language processing filters by hiding text in a one-point font size within emails. Attackers also conceal links within Cascading Style Sheets (CSS) in their phishing emails, one more tactic that serves to confuse natural-language filters such as Microsoft’s Natural Language Processing (NLP), the researchers stated in a report.

According to cybersecurity expert Jeremy Fuchs, the One Font campaign also includes messages with links coded within the <font> tag, which defeats email filters that rely on natural language analysis.

“This breaks semantic analysis, which leads many solutions to treat it as a marketing email, as opposed to phishing. Natural language filters see random text; human readers see what the attackers want them to see,” Fuchs explained.

In 2018, researchers uncovered an identical campaign called ZeroFont, which employed similar strategies to move past Microsoft NLP in its Office 365 security protections. That campaign inserted concealed text with the font dimension of zero inside messages to fool email scanners that rely on natural language processing in order to spot malicious e-mails. 

According to Avanan analysts, just like ZeroFont, One Font also targets Office 365 enterprises, an action that can lead to BEC, and finally compromise the firm’s network if the emails aren’t flagged and users are duped into handing over their credentials. 

Once it reaches mailboxes and makes users believe that it is an authentic message, the One Font campaign employs standard phishing social-engineering techniques to capture their attention. The threat actors then present what appears to be a password-expiration notification, using urgent messaging to entice the target to click on a malicious link.

The fraudulent link carries victims to a phishing page where they appear to be entering their credentials in order to update their passwords. Instead, threat actors steal their credentials to use them for malicious purposes. 
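As an added example (not from the article or from Avanan), a Python scanner that separates the text a human reader would see from text rendered in a font too small to read, which is the trick the One Font campaign is described as using. The sample message, the 2pt threshold and the flagging rule are constructed assumptions for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a password-expiry lure whose filler text sits in 1pt / size-1 /
# 0.5pt elements, the pattern attributed to the One Font campaign above. Not a real message.
SAMPLE_HTML = """
<html><body>
<p style="font-size:12pt">Your Microsoft 365 password expires today.</p>
<span style="font-size:1pt">quarterly newsletter team update agenda minutes</span>
<p>Keep your current password by clicking <a href="https://example.invalid/keep">here</a>.</p>
<font size="1">sales report regional kickoff lunch schedule</font>
<span style="font-size: 0.5pt;">conference travel reimbursement policy</span>
</body></html>
"""

FONT_SIZE_RE = re.compile(r"font-size\s*:\s*([0-9.]+)\s*(pt|px|em)?", re.I)
TINY_PT = 2.0   # assumed threshold: text at or below this is unreadable on screen
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}   # never pushed on the stack


def _style_size_pt(style):
    """Font size in points from an inline style attribute, or None if not set."""
    m = FONT_SIZE_RE.search(style or "")
    if not m:
        return None
    value, unit = float(m.group(1)), (m.group(2) or "pt").lower()
    if unit == "px":
        return value * 0.75      # 96 dpi: 1px = 0.75pt
    if unit == "em":
        return value * 12.0      # assume a 12pt base font
    return value


class TinyFontScanner(HTMLParser):
    """Splits the body into text a human reads and text only a filter reads."""

    def __init__(self):
        super().__init__()
        self.stack = []          # per open element: True if its text is unreadable
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        size_pt = _style_size_pt(a.get("style"))
        tiny = size_pt is not None and size_pt <= TINY_PT
        # Legacy <font size="..."> with the smallest sizes is the same trick.
        if tag == "font" and (a.get("size") or "").strip() in ("0", "1", "-2", "-3"):
            tiny = True
        inherited = self.stack[-1] if self.stack else False
        self.stack.append(tiny or inherited)   # children inherit an unreadable size

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if text:
            bucket = self.hidden if (self.stack and self.stack[-1]) else self.visible
            bucket.append(text)


def scan_email_html(html):
    """Return what the reader sees, what the filter sees, and a verdict."""
    p = TinyFontScanner()
    p.feed(html)
    p.close()
    visible_words = sum(len(t.split()) for t in p.visible)
    hidden_words = sum(len(t.split()) for t in p.hidden)
    total = visible_words + hidden_words
    ratio = hidden_words / total if total else 0.0
    return {
        "visible_text": " ".join(p.visible),
        "hidden_text": " ".join(p.hidden),
        "hidden_word_ratio": round(ratio, 2),
        # Flag when a meaningful share of the words is invisible to the human reader.
        "suspicious": hidden_words >= 5 and ratio >= 0.3,
    }
```

Only inline styles and the legacy <font> tag are examined here; text or links hidden through a <style> block or external stylesheet would need the CSS resolved first.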

How to minimize threats? 

According to Jeremy Fuchs, organizations should opt for a multi-tiered security solution that integrates highly developed artificial intelligence and machine learning, as well as static layers like domain and sender reputation. 

Implementing a security architecture that weighs multiple factors before restricting an email, and requiring corporate users to verify with the IT department before interacting with any email that requests a password update, can also help in mitigating these risks.