
BBC, British Airways Among High Profile Victims in Global Supply-Chain Hack


A rising number of organisations, including the BBC, British Airways, Boots, and Aer Lingus, are being impacted by a widespread attack.

Staff members have received warnings that personal information, including social security numbers and, in some circumstances, bank information, may have been stolen.

The hackers used a well-known piece of software as a gateway to access numerous businesses simultaneously. There are no reports of money being taken or requests for ransom.

One of the impacted businesses in the UK is the payroll services provider Zellis, which reported that data from eight of its customer organisations had been stolen. 

The affected organisations are notifying their own employees; Zellis would not name them. The BBC informed staff by email that the stolen data included staff ID numbers, dates of birth, home addresses, and national insurance numbers.

British Airways employees have been told that some of their bank details may have been stolen. The UK's National Cyber Security Centre said it was monitoring the situation and recommended that businesses using the affected software apply the security updates.

The attack first became public last week when US company Progress Software said that hackers had found a way to access its MOVEit Transfer application. Most of MOVEit's users are in the US, but the software is widely used around the world for securely transferring sensitive files.

According to Progress Software, once the vulnerability was discovered it immediately informed its customers and made a security update available for download.

A company spokeswoman stated that the company is collaborating with the police to "combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products".

On Thursday the US Cybersecurity and Infrastructure Security Agency advised businesses using MOVEit to download the security patch to prevent further breaches.

However, security researcher Kevin Beaumont said that internet scans showed thousands of company datasets might still be exposed because many affected companies had not yet installed the patch.

Experts expected the cybercriminals to try to extort businesses rather than individuals. Although no public ransom demands have been made yet, it is anticipated that the attackers will start emailing affected firms to demand payment, probably threatening to publish the data online for other criminals to browse.

Victim organisations are warning staff to be alert for suspicious communications that could lead to further attacks. Microsoft said it believed the perpetrators were connected to the notorious Cl0p ransomware group, which is thought to be based in Russia, although no official attribution has been made.

In a blog post the US tech giant attributed the attacks to Lace Tempest, a ransomware operator that runs the Cl0p extortion site where victim data is published. According to Microsoft, the group behind the attack has previously used similar methods to steal data and extort victims.

"This latest round of attacks is another reminder of the importance of supply chain security," stated John Shier, from cyber security company Sophos. "While Cl0p has been linked to this active exploitation it is probable that other threat groups are prepared to use this vulnerability as well."

'Greatness' Phishing Tool Abuses Microsoft 365 Credentials


The 'Greatness' phishing-as-a-service (PhaaS) platform has experienced an increase in activity as it targets organisations using Microsoft 365 in the United States, Canada, the United Kingdom, Australia, and South Africa. 

The Microsoft 365 cloud-based productivity tool is used by many organisations globally, making it a lucrative target for cybercriminals looking to steal data or credentials for use in network breaches.

Researchers at Cisco Talos describe how the Greatness phishing platform started operating in the middle of 2022, with a surge in activity in December 2022 and then again in March 2023. 

Most victims are based in the United States, and many of them are employed in industries like manufacturing, healthcare, technology, education, real estate, construction, finance, and business services.

Modus operandi 

The Greatness phishing-as-a-service platform includes everything a would-be phishing actor needs to run a campaign. To launch one, the affiliate logs into the 'Greatness' admin panel with their API key and supplies a list of target email addresses.

The PhaaS platform then provisions the required infrastructure, such as the server that will host the phishing website and generate the HTML attachment. The affiliate writes the email content, provides any additional information, and adjusts the preset settings as needed.

The victims then receive an email from the service containing a phishing attachment in HTML. When this attachment is opened, the browser runs obfuscated JavaScript code to establish a connection with the 'Greatness' server and retrieve the phishing page that will be shown to the user. 

Because Greatness pre-fills the victim's email address to make the page look legitimate, the victim only has to enter their password on the convincing phishing page. To obtain a valid session cookie for the target account, the platform then proxies the authentication flow between the victim's browser and the genuine Microsoft 365 login page.

If the account is protected by two-factor authentication, Greatness prompts the victim for the one-time code while simultaneously triggering a request on the genuine Microsoft service so that the code is sent to the target's device.

Once the MFA code is entered, Greatness logs in as the victim on the genuine Microsoft platform and delivers the authenticated session cookie to the affiliate via a Telegram channel or the service's web panel.

"Authenticated sessions usually time out after a while, which is possibly one of the reasons the telegram bot is used - it informs the attacker about valid cookies as soon as possible to ensure they can reach quickly if the target is interesting," stated Cisco.

With this session cookie the attackers can access the victim's email, files, and data across Microsoft 365 services. The stolen credentials are also frequently used to break into corporate networks, leading to more damaging activity such as ransomware deployment.
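A stolen session cookie delivered to the affiliate as described above is replayed from infrastructure the victim never used, so a defender's first signal is a non-interactive sign-in that reuses a freshly MFA-validated session from a different IP and country than the interactive login. The following detection logic is an added example, not code from Cisco Talos or Microsoft; the pipe-separated record format and the sample events are constructed for illustration and are simpler than real Microsoft 365 sign-in logs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, simplified sign-in records (not real Microsoft 365 logs):
# timestamp|user|source_ip|country|sign_in_type|mfa_detail
SAMPLE_LOG = """\
2023-05-10T09:01:00|alice@example.com|203.0.113.5|GB|interactive|mfa_satisfied
2023-05-10T09:03:30|alice@example.com|198.51.100.77|NL|noninteractive|mfa_from_session
2023-05-10T09:05:00|bob@example.com|203.0.113.9|GB|interactive|mfa_satisfied
2023-05-10T09:20:00|bob@example.com|203.0.113.9|GB|noninteractive|mfa_from_session
2023-05-10T11:00:00|alice@example.com|203.0.113.5|GB|noninteractive|mfa_from_session
"""


@dataclass
class SignIn:
    ts: datetime
    user: str
    ip: str
    country: str
    interactive: bool
    mfa_satisfied: bool


def parse_line(line: str) -> SignIn:
    """Parse one pipe-separated record into a SignIn event."""
    ts, user, ip, country, kind, mfa = line.split("|")
    return SignIn(datetime.fromisoformat(ts), user, ip, country,
                  kind == "interactive", mfa == "mfa_satisfied")


def find_session_replays(log_text: str, window_minutes: int = 30) -> list:
    """Flag non-interactive sign-ins that reuse a session shortly after the
    user completed MFA, but from a different IP *and* country.

    A relayed session cookie is replayed by the attacker's infrastructure, so
    the token shows up far from where the user just logged in.
    """
    last_interactive: dict = {}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.interactive and ev.mfa_satisfied:
            last_interactive[ev.user] = ev  # remember the legitimate login
            continue
        prior = last_interactive.get(ev.user)
        if prior is None or ev.ts - prior.ts > timedelta(minutes=window_minutes):
            continue
        if ev.ip != prior.ip and ev.country != prior.country:
            alerts.append((ev.user, prior.ip, ev.ip, ev.ts.isoformat()))
    return alerts
```

On the sample data only alice's session is flagged: bob's follow-up use comes from the same IP, and alice's later use falls outside the window. Requiring both IP and country to differ keeps mobile-to-Wi-Fi changes from firing; tune the window to the session lifetime your tenant enforces.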