Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Email Attacks. Show all posts
USA
cyber attack Email Attacks email spam Fake Emails FBI USA

FBI Investigates Thousands of Fake Emails Warning of Cyber Threat You Must Do 1 Thing

 

Over the weekend, an alarming incident unfolded as thousands of fake emails flooded in, purportedly from the US Department of Homeland Security. The messages, titled "Urgent: Threat actor in systems," raised concerns about a cyber threat allegedly posed by a group called the Dark Overlord. According to reports, recipients were warned of a sophisticated chain attack targeting them, adding to the sense of urgency and anxiety. 

What made matters worse was the apparent authenticity of these emails, originating from FBI infrastructure. The scale of the operation was staggering, with over 100,000 of these deceptive emails sent out, causing widespread disruption and confusion among recipients. 

Additionally, it was discovered that the North Korean military intelligence agency, along with a hacking group called APT43 or Kimsuky, carried out a sophisticated cyber attack. They tricked people into giving away important information by pretending to be journalists, researchers, or academics through fake emails. To protect against this, experts suggest updating email security settings, like DMARC, which can help prevent such attacks. 

Let’s Understand Everything About DMARC

DMARC, DKIM, and SPF are like a triple defense system for emails. They work together to stop bad guys from pretending to send emails from places they should not. It is like having three guards at the gate, making sure only the right people get through. Picture your email as a package you are sending out into the world. DKIM and SPF are like seals of approval on the package, showing it is genuine and not tampered with. 

Now, DMARC is your extra security measure. It is like a set of instructions you attach to your package, telling the delivery person what to do if something seems fishy. "If the seal is broken, handle with care!" If you do not have DKIM, SPF, and DMARC set up properly, it is like sending out your package without those stamps and instructions. It might get lost, or worse, someone might try to copy your package and send out fake ones. 

So, by having these protections in place, you ensure your emails are delivered safely and are not mistaken for spam. This warning is a way to stop APT43 from stealing more data and giving it to North Korea. It is important for everyone to act fast and secure their email systems. These steps are crucial because cyber threats like this are always changing and can be really damaging. So, it is essential to stay alert and protect yourself from these kinds of attacks. 

Despite the gravity of the situation, the FBI has remained tight-lipped about further details, leaving many questions unanswered. As investigations unfold, concerns persist about the potential ramifications of such a large-scale deception. The incident serves as a stark reminder of the ever-present threat of cyber attacks and the importance of remaining vigilant in the face of such challenges. Stay tuned for updates as the investigation progresses.
Read more »
SVG
Cyber Campaigns Cyber Fraud Cyberattacks CyberCrime Cybersecurity CyberThreat Email Attacks Malware Campaigns Phising SVG

Cybercriminals Employ Obfuscation in Invoice Phishing Malware Campaigns

 


An array of cunning cyberattack campaigns utilizing seemingly innocuous invoices to deliver malware attacks have been uncovered by cybersecurity researchers. In this deceptive campaign, malicious Scalable Vector Graphics (SVG) file attachments are embedded in phishing emails that have been crafted to pose as malicious content. 

There is a risk that an intricate infection sequence will unfold once the victim opens the attachment, potentially releasing the victim's computer with various types of malware strains. Using this invoice-themed phishing scheme, FortiGuard Labs at Fortinet, a leading cybersecurity research team, identified a variety of malware. 

The malicious payloads included RATs such as Venom RAT, Remcos RAT, NanoCore RAT, and XWorm, as well as other Remote Access Trojans (RATs) that are known to have been exploited by hackers. Furthermore, the attack arsenal has incorporated a cryptocurrency wallet stealer that allows attackers to steal digital currencies from users without their knowledge of it. 

In a technical report published by Fortinet FortiGuard Labs, a technical report said that the emails include Scalable Vector Graphics files (SVG) that activate infection sequences when clicked. It is of particular note that the modus operandi uses BatCloak's malware obfuscation engine and ScrubCrypt to deliver malware as obfuscated batch scripts via the BatCloak malware obfuscation engine. 

A tool known as BatCloak, which was offered for sale to other threat actors in late 2022, has its roots in Jlaive, a tool that was developed by the organization. Essentially, it serves to load a next-stage payload by circumventing traditional detection mechanisms by loading it in a layered manner. The complexity of the attack lies in its multilayered approach. 

It is the SVG attachments that serve as triggers, initiating the infection process once the target opens them up. The BatCloak malware obfuscation engine is also extensively used to perform obfuscation techniques. In late 2022, cybercriminals were able to purchase a tool called Jlaive, a descendant of another obfuscation tool known as Jlaive, which has been available since then. 

In addition to masking the subsequent stages of malware, BatCloak's main function is to make it difficult for security software to detect the subsequent stages of malware. This variant of the Quasar RAT gives attackers the ability to seize control of compromised systems, collect sensitive data, and execute commands from command and control (C2) servers once they have taken control of a compromised system. 

In addition, it allows a multitude of plugins to be deployed for different kinds of malicious activities, including Remcos RAT, which is distributed via obfuscated VBS scripts, ScrubCrypt, and Guloader PowerShell scripts. The plugin system also allows a stealer module to be deployed to collect information from crypto wallets and applications like Atomic Wallet, Electrum, Ethereum, and others and send that stolen information to a remote server via the plugin system. 

In addition to obfuscating the malware, ScrubCrypt is one more layer that adds to this elaborate attack. It encrypts the malicious code, making it even more difficult to detect and prevent infection from security systems. A malware payload typically arrives in the form of encoded batch scripts as soon as the layers are peeled back. Once the scripts have been downloaded and executed onto the compromised system, the malware payload will be able to be detected. 

According to the cybersecurity firm that analyzed the latest campaign, the SVG file served as a conduit for dropping a ZIP archive which contained a batch script that probably was created using BatCloak. After the ScrubCrypt batch file has been unpacked, the Venom RAT is eventually executed, but not before establishing persistence on the host, bypassing ETW and AMSI protections, and setting up persistence on the host. 

The evolution of the tactics employed by cybercriminals has demonstrated the importance of the evolving threat landscape. A very important aspect of the sophistication of these online threats is the fact that attackers are strategically using readily available obfuscation tools, alongside malware that targets cryptocurrency. 

Researchers have stressed to users the importance of remaining vigilant, especially when it comes to unsolicited email attachments, even when they seem to be invoices or other documents that seem to come from a legitimate source. Several security measures should also be implemented by businesses, including comprehensive email filtering systems in addition to employee training programs targeted at recognizing warning signs of phishing attempts, which are recommended as part of these measures.
Read more »
Weak Password
Cyber Security Data Encryption Data Theft Email Attacks Multi-Factor Authentication (MFA) NSA and CISA Phishing Attacks VPNS Weak Password

Top 10 Cybersecurity Misconfigurations by NSA and CISA

Protecting your organization's data is more important than ever in an era where digital dangers are pervasive and cyberattacks are increasing in frequency and sophistication. Recognizing the pressing need for heightened cybersecurity, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have joined forces to release a comprehensive list of the 'Top 10 Cybersecurity Misconfigurations.' As identified by the two agencies, these misconfigurations represent common vulnerabilities that malicious actors often exploit to infiltrate systems, steal data, or disrupt operations.

  • Weak Passwords: Passwords serve as the first line of defense against unauthorized access. Weak or easily guessable passwords are a major vulnerability.
  • Inadequate Access Controls: Failing to implement proper access controls can lead to unauthorized individuals gaining access to sensitive information.
  • Outdated Software and Patch Management: Neglecting software updates and patches can leave known vulnerabilities unaddressed, making systems susceptible to exploitation.
  • Misconfigured Cloud Storage: In the age of cloud computing, misconfigured cloud storage solutions can inadvertently expose sensitive data to the public internet.
  • Improperly Configured VPNs: Virtual Private Networks are vital for secure remote access. Misconfigurations can lead to unauthorized access or data leaks.
  • Lack of Multi-Factor Authentication (MFA): Relying solely on passwords is no longer sufficient. Implementing MFA adds an extra layer of security.
  • Neglecting Security Event Monitoring: Without proper monitoring, suspicious activities may go unnoticed, allowing potential threats to escalate.
  • Inadequate Email Security: Email remains a common vector for cyber attacks. Misconfigurations in email security settings can lead to phishing attacks and malware infections.
  • Insufficient Data Backups: Failing to regularly backup critical data can result in significant data loss during a cyber incident.
  • Unencrypted Data Transmission: Failing to encrypt data in transit can expose it to interception by malicious actors.
Organizations should take a proactive approach to cybersecurity in order to reduce these risks. This entails carrying out frequent security audits, putting in place strict access controls, and keeping up with the most recent cybersecurity risks and best practices.

Programs for employee awareness and training are also essential. An organization's overall security posture can be significantly improved by training personnel on the value of using strong passwords, spotting phishing attempts, and reporting suspicious activity.

Misconfigured cybersecurity poses a serious risk in today's digital environment. Organizations may strengthen their defenses against cyber threats and protect their digital assets by resolving the top 10 misconfigurations identified by the NSA and CISA. Keep in mind that the best kind of defense in the world of cybersecurity is frequently prevention.

Read more »
Unauthorized access
2FA Data Breach Email Attacks Encryption Password Password Manager Sensitive data Unauthorized access

Freecycle Data Breach: Urgent Password Update Required

Freecycle, a well-known website for recycling and giving away unwanted stuff, recently announced a huge data breach that has affected millions of its users. This news has shocked the internet world. Concerns over the security of personal information on the internet have been raised by the hack, underscoring once more the significance of using secure passwords and being aware of cybersecurity issues.

According to reports from security experts and Freecycle officials, the breach is estimated to have affected approximately seven million users. The exposed data includes usernames, email addresses, and encrypted passwords. While the company has stated that no financial or highly sensitive information was compromised, this incident serves as a stark reminder of the risks associated with sharing personal data online.

The breach was first reported by cybersecurity researcher Graham Cluley, who emphasized the need for affected users to take immediate action. Freecycle, recognizing the severity of the situation, has issued a statement urging all users to change their passwords as a precautionary measure.

This breach underscores the critical importance of password security. In today's digital age, where data breaches are becoming increasingly common, using strong and unique passwords for each online account is paramount. Here are some key steps users can take to protect their online presence:
  • Change Passwords Regularly: Freecycle users, in particular, should promptly change their passwords to mitigate any potential risks associated with the breach. Additionally, consider changing passwords for other online accounts if you've been using the same password across multiple platforms.
  • Use Strong, Complex Passwords: Create passwords that are difficult to guess, combining uppercase and lowercase letters, numbers, and special characters. Avoid easily guessable information like birthdays or common words.
  • Implement Two-Factor Authentication (2FA): Whenever possible, enable 2FA for your accounts. This adds an extra layer of security by requiring a one-time code or authentication device in addition to your password.
  • Password Manager: Consider using a reputable password manager to generate and store complex passwords securely. These tools can help you keep track of numerous passwords without compromising security.
  • Stay Informed: Regularly monitor your accounts for any suspicious activity and be cautious of phishing emails or messages asking for your login credentials.

Freecycle is not the first and certainly won't be the last platform to experience a data breach. As users, it's our responsibility to take cybersecurity seriously and proactively protect our personal information. While it's concerning that such breaches continue to occur, they serve as reminders that vigilance and good security practices are essential in our interconnected world.
Read more »
Phishing Attacks
Cyber Security Email Attacks Email Breach email security Firefox Malicious actor Phishing Attacks

Firefox Browser Enhances Email Security with New Built-in Tools

Mozilla Firefox, a well-known web browser, has significantly improved the protection of users' email addresses in an age where internet privacy and security have elevated worries. The addition of additional built-in technologies has made Firefox even more capable of protecting your online identity.

The latest feature, known as 'Email Masks,' is designed to keep your email address safe from prying eyes and potential phishing attacks. This innovation has been widely welcomed by the online community and security experts alike.

Email Masks work by allowing users to generate a unique and temporary email address, often referred to as an alias or a mask. Instead of using your primary email address for online services, you can create a disposable one within Firefox. This means that even if a website you've registered with gets hacked or sells your data, your actual email address remains hidden and secure.

To use this feature, simply right-click on the email field when signing up for a new service or website, and Firefox will offer the option to generate an Email Mask. You can then choose an alias that suits the purpose, and all emails sent to this alias will be forwarded to your primary inbox.

What makes Email Masks even more impressive is their flexibility. You can easily disable or delete a mask if you no longer wish to receive emails from a particular source. This ensures that you have complete control over your digital identity and who can reach your primary email address.

Furthermore, Firefox has integrated its popular Relay service into the browser. Firefox Relay helps you manage these Email Masks efficiently and provides an additional layer of security by forwarding only the legitimate emails while filtering out spam and potential threats.

This move aligns with Mozilla's commitment to prioritizing user privacy and security. By offering these tools natively within the browser, Firefox makes it more convenient for users to protect themselves against phishing attempts and data breaches.

The strategies used by cybercriminals change as the internet does. These new features highlight Mozilla's pro-active approach to user protection and show their commitment to staying ahead of these dangers.

Read more »
Yahoo
Cryptography Cyber Crime Email Attacks Encryption Gmail Outlook Protonmail User Privacy Yahoo

Is Data Safeguarded by an Encrypted Email Service?

Email is the primary form of communication in both our personal and professional lives. Users might be surprised to hear that email was never intended to be secure due to our dependency on it. Email communication carries some risks, but you may still take precautions to protect your inbox. 

What is encryption in email?

One of the most important applications for practically any organization nowadays is email. Additionally, it's among the primary methods for malware to infect businesses.

Email encryption is the process of encrypting email communications to prevent recipients other than the intended ones from seeing the content. Authentication may be included in email encryption.

Email is vulnerable to data exposure since it is usually sent in clear text rather than encryption. Users beyond the intended receivers can read the email's contents using tools like public-key cryptography. Users can issue a public key that others can use to encrypt emails sent to them, while still holding a private key that they can use to decrypt those emails or to electronically encrypt and verify messages they send.

Impacts of an Encrypted Email Service

1. Safeguards Private Data 

It is crucial to ensure that only intended recipients view the material sent via email as it frequently contains sensitive data and business secrets. It is also vital that cyber criminals are unable to decrypt the data being transmitted between people. 

Services for encrypted email are created in a way that protects user privacy rather than invading it. Not simply because they are run by very small teams, but also because their platforms were created with security in mind, encrypted email services are intrinsically more secure. To begin with, the majority employ zero-access encryption, which ensures that only the user has access to confidential data.

2. Cost-effective 

It is not necessary to buy additional hardware whenever the server which hosts the email service currently includes encryption. Many firms have invested in their own servers although it might not be essential.  A reliable third-party service is substantially less expensive.

3. Barrier Against Government Monitoring 

One can learn everything you need to know about Gmail and Yahoo from the fact that no major whistleblower, activist, dissident, or investigative reporter trusts them to transmit sensitive information, at least in terms of government surveillance. Google, for instance, makes it very plain on its official website that it reserves the right to accede to requests from the government and provide useful information.ProtonMail is founded in Switzerland, a country with some of the world's strongest privacy rules.

4. Prevents Spam

Spam attachments frequently contain malware, ensuring that hackers gain access. When you or another person uses encrypted email to deliver attachments, the email includes a digital signature to verify its authenticity. No individual will accept spoofed emails this way. 

Establish strong digital practices to prevent exposing oneself vulnerable. Update your hardware and software. We must improve internet security measures as our reliance on technology increases. Services for secure, encrypted email provide everything that caters to your privacy needs. 

Read more »
Spam
Cyber Security Email Email Attacks Fraud Mails Phishing and Spam Phishing Attacks Spam

Snowshoeing: How the Tactic can Spam Through Your E-mails

 

Cybercriminals employ a wide array of fraudulent techniques to entice users into falling for their email traps. One such infamous technique that draws attention while we speak of various scamming methods, is ‘Spam Emails’. 
 
Spam emails are one of the various pitfalls for netizens. These emails come with a multitude of capacities and can have numerous impacts on a user, even leading to severe scams. One of the spamming tactics used by spammers is 'Snowshoeing', which we will be discussing today. What is Snowshoeing? Snowshoeing is essentially spamming on a very large scale. In a snowshoeing campaign, the spammer may use multiple IP addresses in order to spread spam emails over various internet domains.  
 
Snowshoeing technique derives its name from how 'snow shoes' spread across a large surface area. If you use a regular shoe on snow, it will most likely result in you sinking or slipping on the ice. With snow shoes, a person's weight spreads out more evenly, they are designed to have that effect.  
 
Similarly, in Snowshoeing spamming, the attacker makes use of multiple IP addresses, rather than one, in order to consequently spread the spam load across various domains. This way, Snowshoeing spam could comparatively be very dangerous to its targets than many other spamming tactics. 
 

What Does Snowshoe Spamming Mean? 


Snowshoe spamming is a strategy in which spam is propagated over several domains and IP addresses to weaken reputation metrics and avoid filters. The increasing number of IP addresses makes recognizing and capturing spam difficult, which means that a certain amount of spam reaches their destination email inboxes. Specialized spam trapping organizations are often hard-pressed to identify and trap snowshoe spamming via conventional spam filters.  
 
The strategy of snowshoe spamming is similar to actual snowshoes that distribute the weight of an individual over a wide area to avoid sinking into the snow. Likewise, snowshoe spamming delivers its weight over a wide area to steer clear of filters, expertly navigating them.  

 
How does Snowshoeing work? 

 
Snowshoeing differs from other solicited bulk mail and criminal spams, as in Snowshoeing, the attacker leverages several fraudulent business names and fake identities than just one, changing voice-mails and postal drops on a regular basis.  
 
While a reputable mailer put a good effort to garner trust from an audience, and to develop a brand reputation by using legitimate business addresses, identified domains, and small, static, and easily identifiable selection of IPs, in order to present the audience with a legitimate identity. On the other hand, Snowshoe spammers make use of anonymous and unidentified "whois" records. 
 
To further spread the spam load, snowshoe spammers frequently utilise domain assortments, which may be connected to many providers and servers.   
 
Snowshoe spammers use anonymous domains, which makes it nearly impossible to track down the owner and report the spam. 
 

How to tackle Snowshoeing spam? 

 
In order to mitigate Snowshoe spamming, administrators may follow certain steps, such as applying policies hierarchically at the organization, group, or mailbox level. One may as well rewrite addresses. For complex, multi-domain environments, one may rewrite both inbound and outgoing addresses. 
 
Read more »
User Privacy
airline industry America Credentials Hack Data Breach Email Attacks Phishing Attacks User Privacy

Email Phishing Attack Revealed by American Airlines

Several passengers of American Airlines are being warned that their personal information might have been compromised as a result of threat actors getting access to employee email accounts. 

The airline said that a phishing attempt led to hackers gaining access to the mailboxes of a limited number of employees. The stolen email accounts held some consumers' personal data. The airline noted in notice letters distributed on Friday, September 16th, that there is no proof that the disclosed data was misused.

The hack was detected on July 5th by American Airlines, which then swiftly protected the affected email accounts and recruited a cybersecurity forensics company to look into the security incident.

American Airlines had hired a cybersecurity forensics company to look into the incident. The inquiry revealed that unauthorized actors had obtained the personal information of both customers and workers. Although they did not say how many consumers were impacted, they did say that names, dates of birth, addresses, emails, phone numbers, passport numbers, and even certain medical information could have been exposed.

American Airlines issued the following statement to BleepingComputer by the Manager for Corporate Communications. "American Airlines is aware of a phishing campaign that resulted in a small number of team members' mailboxes being improperly accessed."

A very small amount of customers' and workers' personal information was found in those email accounts, according to American Airlines, which also provided a two-year membership to Experian's IdentityWorks.

With regard to the incident, the company stated "data security is of the utmost importance and we provided customers and team members with precautionary support. We also are actively developing additional technical safeguards to avoid a similar incident from happening in the future, even though we have no proof that any personal information has been misused."

In March 2021, the Passenger Service System (PSS), which is used by many airlines worldwide, including American Airlines, was infiltrated. SITA, a leading provider of air information technology, revealed that hackers broke into its systems.

To help employees recognize targeted phishing attacks, firms must ensure that staff receives adequate security training. Organizations' IT and security departments should explain to staff how communications will be handled. It is crucial to always inform people about how to recognize phishing emails. 












Read more »
Supply Chain Attack
Cyber Attacks Email Attacks Microsoft 365 Phishing Attacks Supply Chain Attack

Email Threat Report for 2022 via Abnormal Security

The premier AI-based cloud-native email security platform, Abnormal Security, today published its H2 2022 Email Threat Report. The study examines the state of the email threat landscape. It provides data on the most recent events in email attack methods, such as the emergence of brand impersonation in credential phishing and the expansion of business email compromise.

According to the report, email attacks have increased by 48% in the last six months, and 68.5% of them have links that steal credentials. In 15% of phishing emails, fraudsters impersonated well-known companies in addition to internal staff and executives, relying on the familiarity and goodwill of the brands to persuade employees to divulge their login information. Microsoft items and social networks were the two 265 brands that were most frequently impersonated in these attacks.

"Most cybercrime nowadays is successful because it preys on the individuals using the computer. By compromising individuals rather than networks, attackers may more easily get beyond standard security precautions" stated Crane Hassold, head of threat intelligence at Abnormal Security.

LinkedIn was perhaps the most frequently impersonated brand, although 20% of all attacks also included Outlook, OneDrive, and Microsoft 365. Since employee email accounts are frequently hacked through phishing emails, these attacks are hazardous. By gaining Microsoft login information, fraudsters can gain access to the entire range of linked goods, access sensitive information, and use the account to launch business email compromise attacks. 

Findings from the report entail:
  • The target of more than a third of brand-impersonation-based credential phishing attacks was a school or a place of worship.
  • BEC attacks rose by 150% year over year, proving the growing risk of these truly severe threats to financial stability. 
  • BEC attacks target every area, but advertising and marketing organizations continue to be the most vulnerable, with an 83% weekly chance of being the target.
  • Nearly every level of business is being targeted by financial supply chain hacks, with 89% of major enterprises experiencing at least one vendor assault each week.
"We generally understand that email attacks target businesses of all sizes and in all sectors, but these findings just serve to confirm our suspicions. Since the most sophisticated attacks are very difficult to distinguish from a genuine email from that brand, brand impersonation is particularly concerning for cybersecurity leaders," according to Mike Britton, a chief information security officer at Abnormal Security.

Abnormal Security has also introduced Abnormal Intelligence, a research and data hub devoted to offering insight into emerging new threats across the threat landscape, in support of its objective to shield enterprises from cybercrime. 

This portal, which showcases some of the most inventive assaults targeting Abnormal consumers, is made to assist firms in staying informed of new trends and attacks. The website offers threat intelligence content in the form of blog entries, downloadable materials, and webinars in addition to the daily feed of actual attacks. 
Read more »
User Privacy
Cyber Attacks Email Attacks German Cyber Security IT Systems Russian Hackers User Privacy

14 Account's Email System Targeted the Green Party of Germany

 

The foreign minister Annalena Baerbock and the economy minister Robert Habeck's email accounts were both compromised last month, according to the German Green party, which is a member of the coalition government of the nation. 

The party acknowledged a revelation published on Saturday by the German magazine Der Spiegel, but claimed that the two had stopped using official party accounts since January.

According to a report on a German magazine Der Spiegel on Thursday, the Green Party said that a total of 14 accounts, including the party's co-leaders' Omid Nouripour and Ricarda Lang, were also hacked and that certain messages were sent to other servers. The article further read that the attack also had an impact on the party's "Grüne Netz" intranet IT system, where private information is exchanged.

The party declined to acknowledge Der Spiegel's claim that an electronic trace suggested the cyberattack may have originated in Russia because of the current investigation by German authorities.

"More than these email accounts are affected," the party official claimed. The topic concerns emails using the domain "@gruene.de." The representative stated that it was yet unknown who had hacked in. The first indication of the attack came on May 30 and since June 13, when specialists determined that there had been a breach, access to the system has been restricted. 

Authorities blamed the unauthorized access on Russian state-sponsored hackers. Baerbock has consistently taken a harsh approach in response to Russia's abuse of human rights and aggression against Ukraine. Since taking office in December, Habeck has been in charge of Germany's initiatives to wean itself off of Russian energy sources.

Network logs, according to the Greens, did not reflect any signs of the increased traffic levels that would indicate the theft of a significant amount of data.
Read more »
Zimbra
Chinese Actors CVE Cyber Security Email Attacks IMAP Microsoft Exchange SQL XSS Flaw Zimbra

Zimbra Memcached Injection Bug Patched

According to SonarSource, an open-source alternative to email servers and collaboration platforms such as Microsoft Exchange. Since May 10, 2022, a patch has been released in Zimbra versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1. Zimbra is utilized by organizations, governments, and financial institutions throughout the world. 

Unauthenticated attackers might contaminate an unwary victim's cache, according to Simon Scannell, a vulnerability researcher at Swiss security firm Sonar. The vulnerability has been assigned the number CVE-2022-27924 (CVSS: 7.5), and it has been described as a case of "Memcached poisoning with unauthorized access," which might allow an attacker to inject malicious commands and steal sensitive data. 

Since newline characters (\r\n) in untrusted user input were not escaped, attackers were able to inject arbitrary Memcached instructions into a targeted instance, causing cached entries to be overwritten. Memcached servers keep track of key/value pairs that may be created and retrieved using a simple text-based protocol and analyze data line by line. A malicious actor might alter the IMAP route entries for a known username by sending a specially crafted HTTP request to the susceptible Zimbra server, according to the researchers. When the genuine user logs in, the Nginx Proxy in Zimbra will send all IMAP communication, including the credentials in plain text, to the attacker. 

Knowing the victim's email address, and utilizing an IMAP client makes it easier for the attacker to abuse the vulnerability. A second attack technique allows users to circumvent the aforesaid constraints and steal credentials for any user with no involvement or knowledge of the Zimbra instance. This is accomplished through "Response Smuggling," a different approach that makes use of a web-based Zimbra client. Cross-site scripting (XSS) and SQL injection issues caused by a lack of input escaping "are well known and documented for decades," as per Scannell, but "other injection vulnerabilities can occur that are less well known and can have a catastrophic consequence." 

As a result Scannell, advises programmers to "be cautious of special characters that should be escaped when coping with technology where there is less documentation and research regarding potential vulnerabilities." The bug was discovered four months after Zimbra provided a hotfix for an XSS flaw that was exploited in a series of sophisticated spear-phishing efforts attributed to an undisclosed Chinese threat group.
Read more »
User Security
Calendar app Cyber Attacks Email Attacks Phishing Attacks User Security

Threat Actors Abuse Calendly App to Steal Account Credentials

 

Cyber criminals have unearthed a new vector of assault to utilize during phishing campaigns. Calendly, a free scheduling app, permits malicious actors to use email to lure the victim to a meeting with the title and link they choose. This increases the authenticity of the phishing email as it seems to come from a legitimate firm. 

Earlier this year in February, security analysts at INKY, an email monitoring firm, discovered specific instances where the phishing actors titled the meeting "You have received a new fax document" with an embedded link to "preview" the document. The link instead brought victims to a webpage that looked like a Microsoft site but actually was set up to steal Microsoft account credentials. 

The webpage also contained a common methodology employed by attacker in newer phishing campaigns to ensure credentials are free of typos, in which the victim is lured to enter their credentials twice, due to the credentials being "invalid.” 

The victim is then sent to the domain of their email address to minimize the likelihood of realizing the compromise and reporting it as phishing. According to INKY, majority of the methodologies employed in this campaign are standard, the use of Calendly has not been previously spotted. 

“The app is committed to protecting users against phishing attacks with built-in security tools such as a next-gen web application firewall, anomalous traffic pattern alerts as well as fraudulent IP tracking capabilities,” the Calendly spokesperson stated. 

“In this instance, a malicious link was inserted into a customized booking page. Phishing attacks violate our Terms of Service and accounts are immediately terminated when found or reported. We have a dedicated team that constantly enhances our security techniques, and we will continue to refine and stay vigilant to protect our users and combat such attacks.”

Calendly has also detailed a couple of steps that should help users improve their security. The company advises reviewing the sender’s email address and display name. In the attack described by INKY, the email claimed to be sent by Microsoft but came from a non-Microsoft domain. Another red flag would be prompting a user for credentials to copy and send back to their command-and-control (C2) infrastructure. 

To protect against credential harvesting, another option is to use a password manager. The use of password manager is a simple method to avoid entering credentials into malicious phishing websites, due to the phishing domain not being the same as the impersonated websites. A password manager will not autofill the password, and will alert the users that the website they're on is not authentic.
Read more »
UK
Cyber Attacks Data hack Email Attacks Email Hacking ICO Phishing emails Privacy Security Spam Emails UK

ICO Struck by 2650% Rise in Email Attacks in 2021

 

The UK's Information Commissioner's Office (ICO) reported a whopping 2650% spike in email attacks in 2021, as per official numbers acquired by the Parliament Street think tank following a Freedom of Information request, 

Email attacks on the UK's privacy and data protection regulator increased from 150,317 in January to 4,135,075 in December, according to the findings. For each month last year, the data refers to the volume of phishing emails discovered, malware detected and prevented, and spam detected and blocked by the ICO. 

The majority of the attacks were caused by spam emails, which increased by 2775 % from January to December. During this time, the number of phishing emails climbed by 20%, while malware increased by 423 percent. 

In December, the statistics revealed a significant increase in email attacks, with 4,125,992 spam messages, 7886 phishing emails, and 1197 malware cases. This increase is likely to be linked to the Omicron variant's rapid spread in the UK at the end of the year, with threat actors able to use issues like testing and immunizations as bait. This is in addition to the Christmas scams that proliferate in the build-up to the holidays. 

Edward Blake, area vice president EMEA of Absolute Software, commented: “Cyber-attacks are targeting organizations across the globe at an alarming rate, once again reminding businesses of the need to re-evaluate and revamp their security protection if it is not up to scratch. Cybersecurity is not just about protecting endpoints via anti-malware or email cybersecurity solutions. While these are important, there are now a variety of access points for cyber-criminals to capitalize on that IT leaders need to be aware of. These include vulnerable unpatched applications and network vulnerabilities, stolen or illegally purchased log-in credentials or even by hacking unprotected smart devices.” 

Barracuda Networks' manager, Steven Peake, expressed similar concerns, saying: “The pandemic continues to be a catalyst for opportunistic cyber-criminals to try and prey on unsuspecting, vulnerable people. Our recent research showed a 521% surge in COVID-19 test-related phishing attacks, so it is hardly surprising to see major organizations, such as the ICO, hit by such a high volume of threats as they represent lucrative targets. Phishing emails, malware, and spam, in particular, account for a large proportion of the threats these organizations face, so they need to implement measures to protect themselves. These cyber-attackers aren’t going anywhere anytime soon.” 

As part of its plans to reform the country's data sector, the UK government announced plans to revamp the ICO's structure last year.
Read more »
Subscribe to: Posts (Atom)