
New Web Injection Malware Campaign Steals Bank Data of 50,000 People


A newly published finding reveals that a malware campaign first observed in March 2023 has been using JavaScript web injections to steal data from the customers of over 50 banks, affecting around 50,000 users in North America, South America, Europe, and Japan.

The malware was first discovered by IBM's security team, whose researchers noted that the threat actors had been preparing for the campaign since December 2022, when they bought the malicious domains.

The attacks use scripts loaded from the attackers' server to intercept user credentials and one-time passwords (OTPs), targeting a particular page structure that is shared by numerous institutions.

With this information in hand, the attackers can access the victim's bank account, lock the victim out by altering security settings, and carry out illicit transactions.

A Stealthy Attack Chain

The attack begins when the threat actors infect the victim's device with the malware. IBM's report did not specify the details of this stage, but it is most likely done through malvertising, phishing emails, and similar means.

Once the victim visits the attackers' malicious websites, the malware inserts a new script tag whose source ('src') attribute points to an externally hosted script.

The obfuscated malicious script is then loaded in the victim's browser, where it alters the content of web pages, harvests login credentials, and intercepts one-time passcodes (OTPs).

IBM found this extra step unusual since most malware can perform web injections directly on the web page.

It is also worth noting that the malicious script uses names like cdnjs[.]com and unpkg[.]com to mimic authentic JavaScript content delivery networks (CDNs) in an attempt to avoid detection. Moreover, the script checks for the presence of particular security products before executing.

The script also continuously adapts its behaviour to the command and control server's instructions, sending updates and receiving specific outputs that guide its activity on the victim's device.
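As an added illustration of the injection step described above (this is not code from the IBM report or from this post), the following defender-side check classifies every `<script src>` that a page-integrity monitor observes against the hosts the page is expected to load scripts from, and separately flags hosts that merely embed a trusted CDN's name. The bank host, the allowlist and the sample URLs are constructed for the example.

```javascript
// Added example: classifying script src URLs the way a page-integrity monitor
// (e.g. one fed by a MutationObserver on the document) might. The allowlist
// is site-specific and constructed here; "examplebank.test" is hypothetical.
const TRUSTED_SCRIPT_HOSTS = [
  "examplebank.test",       // hypothetical first-party host of the bank page
  "cdnjs.cloudflare.com",   // the host the cdnjs project actually serves from
];

// Bare CDN labels that lookalike hosts tend to reuse. A host that contains
// one of these but is not on the allowlist is reported as a lookalike.
const CDN_LABELS = ["cdnjs", "unpkg"];

function hostMatches(host, trusted) {
  return host === trusted || host.endsWith("." + trusted);
}

// Returns "trusted", "lookalike", "unknown" or "invalid" for one src value.
function classifyScriptSrc(src, pageOrigin) {
  let url;
  try {
    url = new URL(src, pageOrigin); // resolves relative srcs against the page
  } catch (e) {
    return "invalid";
  }
  // Scripts must come over http(s); data:/javascript: sources are rejected.
  if (url.protocol !== "https:" && url.protocol !== "http:") return "invalid";
  const host = url.hostname.toLowerCase();
  if (TRUSTED_SCRIPT_HOSTS.some((t) => hostMatches(host, t))) return "trusted";
  if (CDN_LABELS.some((label) => host.includes(label))) return "lookalike";
  return "unknown";
}

// Takes the src attributes collected from a page and returns those that a
// reviewer should look at, with the verdict attached.
function findSuspiciousScripts(srcs, pageOrigin) {
  return srcs
    .map((src) => ({ src, verdict: classifyScriptSrc(src, pageOrigin) }))
    .filter((r) => r.verdict !== "trusted");
}

// Constructed sample of script srcs as a monitor might collect them.
const SAMPLE_SRCS = [
  "/static/app.js",
  "https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js",
  "https://cdnjs.example/lib.js",          // constructed lookalike host
  "https://static.unknown-host.test/x.js", // constructed unknown host
];

console.log(findSuspiciousScripts(SAMPLE_SRCS, "https://examplebank.test/login"));
```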

A "mlink" flag set by the server controls its various operational states, which include injecting phone number or OTP token prompts, displaying error warnings, or mimicking page loading as part of its data-stealing tactic. 

IBM notes that nine "mlink" variable values can be combined to instruct the script to carry out distinct data exfiltration activities, indicating that a wide range of commands is supported.

According to IBM, this campaign is still a work in progress, and the firm has urged online users to use online banking portals and apps with increased caution.

Johnson & Johnson Reveals: IBM Data Breach Compromised Customer Data


Johnson & Johnson Health Care Systems (Janssen) recently informed its CarePath customers of a third-party data breach involving IBM that resulted in the compromise of their sensitive information.

IBM is a technology service provider for Janssen. In particular, it oversees the administration of the CarePath application and database.

CarePath is a software program created to assist patients in obtaining Janssen medications, provide discounts and cost-saving tips on prescriptions, explain insurance eligibility, and provide drug refill and administration reminders.

The pharmaceutical company learned about an undocumented technique that could provide unauthorized individuals access to the CarePath database, according to the notification on Janssen's website.

The company then reported the issue to IBM, which swiftly patched the security gap and conducted an internal investigation to determine whether the bug had been exploited by anyone.

The investigation wrapped up on August 2, 2023, and revealed that unauthorized persons had access to the following CarePath user details:

  • Full name 
  • Contact information 
  • Date of birth 
  • Health insurance information 
  • Medication information 
  • Medical condition information 

Users of CarePath who signed up for Janssen's online services before July 2nd, 2023, are affected by the exposure, which may be a sign that the breach happened on that date or that the compromised database was a backup.

Since social security numbers and financial account data were not held in the breached database, the most critical details were not exposed.

The company further revealed that the breach did not affect Janssen's Pulmonary Hypertension patients.

Given the significance of medical data, there is a strong likelihood that the leaked data will be sold for a premium on darknet markets. The compromised data could support very effective phishing, scamming, and social engineering attacks.

IBM also published an announcement regarding the incident, stating that there are no signs that the stolen data has been exploited. However, it advises Janssen CarePath users to keep a sharp eye out for any unusual activity on their account statements. The tech giant is now providing affected people with free one-year credit monitoring to help shield them against fraud.

Both announcements include toll-free phone numbers that customers and providers can use to ask questions about the incident or get assistance signing up for credit monitoring services.

IBM is one of the hundreds of companies compromised by the Clop ransomware gang earlier this year, when the notorious threat actors exploited a zero-day vulnerability in the MOVEit Transfer software used by organizations globally.

However, when asked whether the recent incident is related to the MOVEit attack, an IBM spokesperson confirmed that the two are separate incidents caused by different threat actors.

Raspberry Robin Worm Threats Uncovered by Microsoft

According to Microsoft Security Threat Intelligence analysts, threat actors have continued to target victims of the Raspberry Robin worm, indicating that the worm's creators have sold access to the infected devices to ransomware gangs.

Raspberry Robin is malware that infects Windows systems via infected USB devices. It is also known as QNAP Worm because it uses compromised QNAP storage servers for command and control.

The malware loader Bumblebee, the Truebot trojan, and the IcedID banking trojan (also known as BokBot) have all been distributed using Raspberry Robin. Microsoft analysts claim that attackers have also used it to launch the LockBit and Clop ransomware on hijacked computers.

The FakeUpdates malware, which resulted in DEV-0243 activity, was installed on Raspberry Robin-infected devices in July 2022, according to a report from Microsoft. DEV-0243 is a ransomware-focused threat actor with ties to EvilCorp that is also thought to have used the LockBit ransomware in some campaigns.

A malicious payload associated with Raspberry Robin has reportedly been the subject of at least one alert on almost 3,000 devices across 1,000 companies, according to data gathered by Microsoft's Defender for Endpoint product over the past 30 days.

When Raspberry Robin-infected devices were updated with the FakeUpdates backdoor earlier in July, Microsoft analysts discovered Evil Corp's pre-ransomware behavior on those networks. The activity was linked to the access broker monitored as DEV-0206, and it was seen during that time period.

In September, IBM's Security X-Force discovered additional linkages between Raspberry Robin and Dridex, including structural and functional parallels between a Raspberry Robin DLL and a malware loader used by Dridex.

Microsoft further speculated that the operators of the malware campaigns linked to Raspberry Robin are paying the worm's operators for payload distribution, allowing them to stop using phishing as a method of acquiring new victims. According to Microsoft, the malware is expected to develop into a severe threat.

Responding to Cyberattacks Within 72 Hours is Essential to Taming the Chaos

Cybersecurity professionals tasked with responding to attacks experience stress, burnout, and mental health issues, which are aggravated by the widespread lack of breach preparedness and adequate incident response practices in organizations.

A study sponsored by IBM Security and released this week found that two-thirds (67%) of incident responders experience stress and anxiety at least sometimes during their engagements. In the survey, conducted by Morning Consult, 44% of respondents said they had sacrificed their relationships and well-being, and 42% suffer burnout. According to the survey, 68% of incident responders have handled two or more incidents at the same time, which results in them being stressed every time they work on an incident.

John Dwyer, head of IBM Security's X-Force response team, says that organizing and practicing how to handle incidents, in the same way an organization would prepare for a fire, an explosion, or another major event, can reduce the level of stress among incident responders, employees, and executives.

Organizations are failing to establish response strategies with the responders in mind: "the response process does not have to be as stressful as it is today," he stressed. Responders often end up managing the organization itself during an incident, because organizations are not prepared for the crisis that occurs when attacks of this kind happen every single day.

The IBM Security-funded study underscores why the cybersecurity community has been focusing increasingly on the mental health of its members. About half (51%) of cybersecurity defenders suffered burnout or extreme stress in the past year, according to a VMware survey of 3,000 cybersecurity professionals released in August 2021. Security executives have also highlighted retention as an issue that affects the whole community and impacts companies' ability to attract and retain skilled workers.

The IBM survey of US-based incident responders found that 62% had sought mental health assistance as a result of doing their job, while 82% said their employers had put in place adequate programs and services to handle this situation.

"I've worked on some really big incidents in the past with clients who were very prepared, and I found that to be a very satisfying experience to do so," explains Dwyer about what he has done in the past. "During the past few years, several incidents have occurred when the incident response processes of the company lacked the readiness to deal with these situations, which caused me to have to deal with a great deal of stress during these times."

The survey found that incident response professionals have three main reasons for choosing the profession. A study by the American Management Association found that 36 percent of respondents indicated that their motivation was a sense of duty to protect. In addition, 19% said they were interested in solving problems, and another 19% said they joined because they wanted continuous learning opportunities.

Half of those surveyed cited managing the expectations of multiple stakeholders as a top-three stressor, and 48% cited their sense of responsibility toward their client or business as another. One of the survey's most striking findings is how dedicated incident responders are to their roles: almost one-third (34%) work 13 or more hours a day during the most stressful periods of an incident response.

According to Dwyer, the general public does not seem to realize how long these men and women work to ensure that people's lives and businesses are not disrupted.