Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label IT Service. Show all posts
Visual Studio Code
CyberCrime cybercriminals Cyberespionage Operation Cyberhackers CyberThreat Data Breach IT Service Operation Digital Eyes Visual Studio Code

Operation Digital Eye Reveals Cybersecurity Breach

 


It has been recently reported that a Chinese group of Advanced Persistent Threats (APTs) has carried out a sophisticated cyberespionage operation dubbed "Operation Digital Eye" against the United States.  Between the end of June and the middle of July 2030, a campaign targeting large business-to-business (B2B) IT service providers in southern Europe between late June and mid-July 2024 was reported by Aleksandar Milenkoski, Senior Threat Researcher at SentinelLabs, and Luigi Martire, Senior Malware Analyst at Tinexta Cyber. 

Several threats are targeting business-to-business IT service providers in southern Europe, according to Tinexta Cyber and SentinelLabs, both of which have been tracking these activities. As a result of assessing the malware, infrastructure, techniques used, victimology, and timing of the activities, it has been concluded that there is a high likelihood that a cyberespionage actor of the China nexus conducted these attacks. 

A group of Chinese hackers has been observed utilizing Visual Studio Code (VSCode) tunnels to maintain persistent remote access to compromised systems at large IT service providers in Southern Europe. There is no information regarding which hacker group aligned with China is behind the attacks at this time, which is complicated by the fact that many of those aligned with the East Asian nation share a multitude of toolsets and infrastructure. 

VS Code is the latest version of Microsoft's code editor that is optimized for building and debugging modern web and cloud applications that utilize modern web technologies. VS Code is a lightweight but feature-rich source code editor that runs on your desktop and is available for Windows, Mac OS X, and Linux clients. It is available on most major platforms. In addition to these built-in support technologies, it also comes with a rich ecosystem of extensions that can be used with other languages and runtimes, including JavaScript, TypeScript, and Node.js. According to companies, most breaching chains that firms observe entail using SQL injections as a first point of access for breaching systems connected to the internet, such as web applications and databases. 

To inject code into the target computer, a legitimate penetration testing tool called SQLmap was used. This tool made it possible to detect and exploit SQL injection flaws automatically. Following gaining access to the system, PHPsert was deployed, which was a PHP-based web shell that would allow them to execute commands remotely or to introduce additional payloads once they fully established access. To move laterally, the attackers used RDP and pass-the-hash attacks to migrate from one target to another, specifically using a custom version of Mimikatz ('bK2o.exe') in addition to RDP. 

Using the 'WINSW' tool, the hackers installed a portable, legitimate version of Visual Studio Code on the compromised computers ('code.exe') and set it up as a persistent Windows service to make sure it would run on every device. VSCode was configured with the tunnel parameter, enabling remote development access on the machine, and then the tunnel parameter was configured to be enabled by default. Visual Studio Code tunnels are a feature of Microsoft's Remote Development feature. 

This feature allows VSCode developers to select files on remote systems for editing and working via Visual Studio Code's remote servers. As a powerful development tool, RemoteDeveloper allows developers to run commands and access the file systems of remote devices, which makes it a viable option for developers. With the use of Microsoft Azure infrastructure for the tunnel creation and the signing of executables, trustworthy access to the network can be assured. 

"Operation Digital Eye" illustrates the concept of lateral movement using techniques linked to a single vendor or a "digital quartermaster" operating within the Chinese APT ecosystem in the form of lateral movement. During the study, the researchers discovered that the attackers used Visual Studio Code and Microsoft Azure for command-and-control (C2) to evade detection, which they considered to be a matter of good judgment. 

There has never been an observation of a suspected Chinese APT group using Visual Studio Code for C2 operations before, signalling a significant change in what China is doing about APTs. According to recent research conducted by Unit 42, it has been discovered that Stately Taurus has been abusing popular web development software Visual Studio Code in its espionage operations targeting government organizations in Southeast Asia. Defending the Chinese government from attacks by Stately Taurus, a group of advanced persistent threats (APTs) involved in cyber espionage. It seems that this threat actor relied on Microsoft's Visual Studio Code embedded reverse shell feature to gain an entry point into the target network. 

An expert in the field of security discovered this technique as recently as 2023, which is relatively new. Even though European countries and China have complex ties, there is also a great deal of cooperation, competition, and undercurrent tension in areas like trade, investment, and technology, due to the complex relationships between them. China-linked cyber espionage groups target public and private organizations across Europe sporadically to gather strategic intelligence, gain competitive advantages, as well as advance the geopolitical, economic, and technological interests of China. 

In the summer of 2024, a coordinated attack campaign dubbed Operation Digital Eye was carried out by Russian intelligence services, lasting approximately three weeks from late June to mid-July 2024. As a result of the targeted organizations' capabilities to manage data, infrastructure, and cybersecurity for a wide range of clients across various industries, they are prime targets for cyberespionage activities.

As part of Operation Digital Eye, researchers highlight how Chinese cyberespionage groups continue to pose an ongoing threat to European entities, with these actors continuing to use high-value targets as targets of espionage. Even though the campaign emphasizes the strategic nature of this threat, it is important to realize that when attackers breach organizations that provide data, infrastructure, and cybersecurity services to other industries, they gain access to the digital supply chain, allowing them to extend their influence to downstream companies. 

This exploit relies on SSH and Visual Studio Code Remote Tunnels, which were used by the attackers to execute remote commands on their compromised endpoints by using their GitHub accounts as authentication credentials and connections. By using the browser-based version of Visual Studio Code ("vscode[.]dev"), they were able to access the compromised endpoints. Despite this, it remains unclear whether the threat actors used freshly created GitHub accounts to authenticate their access to the tunnels or if they had already compromised GitHub accounts. 

In addition to mimicking, several other aspects point to a Chinese presence, including the presence of simplified Chinese comments within PHPsert, the fact that M247 provides the infrastructure for this server, and the fact that Visual Studio Code is being used as a backdoor, the last of which has been attributed to the actor who portrayed Mustang Panda. The investigation uncovered that the threat actors associated with Operation Digital Eye demonstrated a notable pattern of activity within the networks of targeted organizations. 

Their operations were predominantly aligned with conventional working hours in China, spanning from 9 a.m. to 9 p.m. CST. This consistent timing hints at a structured and deliberate approach, likely coordinated with broader operational schedules. One of the standout features of this campaign was the observed lateral movement within compromised environments. This capability was traced back to custom modifications of Mimikatz, a tool that has been leveraged in earlier cyberespionage activities. 

These tailored adjustments suggest the potential involvement of centralized entities, often referred to as digital quartermasters or shared vendors, within the ecosystem of Chinese Advanced Persistent Threats (APTs). These centralized facilitators play a pivotal role in sustaining and enhancing the effectiveness of cyberespionage campaigns. 

By providing a steady stream of updated tools and refined tactics, they ensure threat actors remain adaptable and ready to exploit vulnerabilities in new targets. Their involvement underscores the strategic sophistication and collaborative infrastructure underlying such operations, highlighting the continuous evolution of capabilities aimed at achieving espionage objectives.
Read more »
UK Government
Data Breach Data Privacy Electoral Commission ICO IT Service Software UK Government

Hackers Exploit Security Flaws to Access Millions of UK Voters' Details

 


The UK's data privacy watchdog has found that the personal details of millions of UK voters were left exposed to hackers due to poor security practices at the Electoral Commission. The breach occurred because passwords were not changed regularly and software updates were not applied.

The cyber-attack began in August 2021 when hackers gained access to the Electoral Registers, containing details of millions of voters, including those not publicly available. The Information Commissioner's Office (ICO) has formally reprimanded the Electoral Commission for this security lapse. The Electoral Commission expressed regret over the insufficient protections and stated that they have since improved their security systems and processes.

No Evidence of Data Misuse

Although the investigation did not find any evidence of personal data misuse or direct harm caused by the attack, the ICO revealed that hackers had access to the Electoral Commission's systems for over a year. The breach was discovered only after an employee reported spam emails being sent from the commission's email server, and the hackers were eventually removed in 2022.

Accusations and Denials

The UK government has accused China of being behind the attack on the Electoral Commission. However, the Chinese embassy has dismissed these claims as "malicious slander."

Basic Security Failures

The ICO’s investigation surfaced that the Electoral Commission failed to implement adequate security measures to protect the personal information it held. Hackers exploited known security weaknesses in the commission's software, which had not been updated despite patches being available for months. Additionally, the commission did not have a policy to ensure employees used secure passwords, with 178 active email accounts still using default or easily guessable passwords set by the IT service desk.

Preventable Breach

ICO deputy commissioner Stephen Bonner emphasised that the data breach could likely have been prevented if the Electoral Commission had taken basic security steps. By not promptly installing the latest security updates, the commission's systems were left vulnerable to hackers.

This incident serves as a striking reminder of the importance of regular software updates and strong password policies to protect sensitive data from cyber-attacks.


Read more »
Social Media
cyber threat Cyberattacks CyberCrime Cybersecurity Data Theft data threat IAK IT Service Social Media

Guarding the Gate: How to Thwart Initial Access Brokers' Intrusions

 


The term "Access-as-a-service" (AaaS) refers to a new business model in the underground world of cybercrime in which threat actors sell one-time methods to gain access to networks to infiltrate networks for as little as one dollar. 

One group of criminals, which are known as access brokers, initial access brokers, and initial access traders (IABs), are stealing credentials of enterprise users and selling them to other groups of attackers. There are also encryption tools that can be used by these buyers to secretly exfiltrate your personal information from the target organization using malware-as-a-service (MaaS) or ransomware-as-a-service (RaaS). 

Cybercrime-as-a-service (CaaS) is a growing trend that is increasingly being used as a platform for committing crimes. A significant portion of the evolution of ransomware attacks over the last decade has taken place at both the technological level and organizational level as threat actors have attempted to expand the scope and profitability of their operations. 

A pivotal factor behind the widespread increase in the frequency and complexity of ransomware attacks can be attributed to the provision of ransomware as a service (RaaS). RaaS, which operates much like SaaS, and involves the creation of ransomware capabilities and selling or leasing them to buyers, has lowered the barrier to entry for the extortion business and provided a simpler and more accessible model. 

There are now a number of operators working together in unison to orchestrate the attacks in order to achieve the goal, including Users, Affiliates, and Initial Access Brokers, who act as a cohesive team. According to the recent report, "Rise of Initial Access Brokers", these intermediaries, which are the first to get access to cyberattack victims, are playing a key role at the top of the kill-chain funnel of cyberattacks. 

An independent analysis bureau (IAB) can be defined as a de facto intermediary whose business model is exactly what their name suggests: they breach the networks of as many companies as they are able to. Upon accessing victims, they then sell to the highest bidders at the highest prices. There is a tendency for ransomware groups to buy the ransomware from the buyers. 

A growing number of independent advisory boards have been formed recently mainly as a result of the pandemic and the ensuing migration to work from home. As a result of workers log in remotely and connecting to untrustworthy Wi-Fi networks, untrustworthy Wi-Fi networks can be exploited to allow attackers to gain access to systems.

There is a growing trend among cybercriminals of scanning at scale for vulnerabilities that will allow them to access remote systems, such as virtual private networks (VPNs) and selling this access to their victims. Once the details of a vulnerability are made public, the Information Assurance Business deploys info stealers to gather keystrokes, session cookies, credentials, screenshots and video recordings, local information, browser history, bookmarks, and clipboard material from the compromised device as soon as the details are made public. 

As soon as an information stealer is installed in an organization or system, a remote access Trojan (RAT) will begin to collect raw log files to log information. As a result, these logs are manually reviewed to identify usernames and passwords that may be used to sell or monetize identities on the Dark Web. This means that IABs are seeking login credentials to access virtual private networks (VPNs), remote desktop protocols (RDPs), Web applications, and email servers that will aid in the recruitment of spear phishing scammers and potential business email compromise schemes. Occasionally, some brokers have direct contact with system administrators or end users who may be willing to sell access to their systems directly through them. 

Threat groups have been advertising (on the Dark Web) in recent months for administrators and end users who are willing to share their credentials with them in exchange for large amounts of cryptocurrency in exchange for sharing credentials for a few minutes. 

Threat groups have contacted employees from specific organizations to obtain access to their systems in exchange for larger payments. It is safe to say that initial access brokers have taken the spotlight in the past year because they have demonstrated a significant ability to facilitate network intrusions by ransomware affiliates and operators, and they have been very successful at it. As the cybercrime underground ecosystem becomes more active and popular, these initial access brokers ("IABs") will continue to gain popularity as the cybercrime underground ecosystem grows. 

A Guide to Defending Against Access Brokers 


Users should identify their attack surface and develop a plan to address it, to close security gaps, security teams must gain an outside-in perspective on their entire enterprise attack surface. Empower user security teams to map their assets, visualize attack paths, and define plans to address them so that they can close the gaps.  

Identity protection should be considered a priority, today, plenty of malware-free attacks, social engineering, and similar attempts have been made to steal and use credentials, making it crucial that strong identity protection is implemented. Employees need to be taught about social media, not just how to use it. 

Avoid announcing department closures or IT service changes on social media, and remind them to refrain from sharing private information on social media. Users should train their staff not to share credentials over support calls, emails, or support tickets. 

Finally, users should avoid publishing executive or IT contact information on their company's website — it might facilitate impersonation attempts on their behalf. 

To protect the cloud, a strong cloud protection strategy is required. There have been increasing attacks on cloud infrastructure and attackers have been employing a variety of tactics, techniques, and procedures to compromise cloud-based data and applications that are critical to businesses. 

The role of IABs in the realm of RaaS (Ransomware-as-a-Service) is continuously evolving. By understanding and keeping up with their shifting tactics, methods, and trends, organizations can better prepare themselves to effectively mitigate the risk and impact of ransomware attacks. As IABs continually remodel and refine their strategies, it becomes increasingly crucial for organizations to adopt and implement robust security measures. 

Strengthening the security of the supply chain, implementing multi-factor authentication across all systems and platforms, deploying advanced threat-hunting solutions to proactively detect and prevent attacks, and conducting regular and comprehensive training sessions for employees are key steps that organizations should take to effectively mitigate the growing threat posed by IABs.
Read more »
Zero Day Attack
CVE vulnerability Data Breach IT Service Ransomware attack Software Zero Day Attack

SysAid Ransomware: Unveiling the Zero-Day Menace

A zero-day ransomware attack has recently been reported on, affecting SysAid, a well-known provider of IT service management and help desk services. The cybersecurity community has been shaken by the occurrence, which has prompted swift response and a careful examination of the scope and nature of the intrusion.

The attack, orchestrated by the infamous hacking group known as 'Lace Tempest,' leveraged a zero-day vulnerability in SysAid's on-premise software. This vulnerability allowed the attackers to exploit weaknesses in the system, gaining unauthorized access and compromising sensitive information. The severity of the situation has been highlighted by cybersecurity experts, as SysAid plays a crucial role in managing IT services for numerous organizations.

The zero-day ransomware attack was first brought to light by cybersecurity researchers who discovered the breach and reported it on various platforms, including Dark Reading. According to the information provided, the attackers targeted SysAid's software, exposing a vulnerability that was promptly exploited for unauthorized access and data compromise.

SysAid has acknowledged the security breach and has released a notification regarding the on-premise software security vulnerability on its official blog. The company is actively working to address the issue and has urged its users to take immediate action by applying patches and updates to mitigate the risk of exploitation. The urgency is further emphasized by the fact that the vulnerability has already been exploited by Lace Tempest, as reported by cybersecurity firm Profero.

The CVE-2023-47246 SysAid zero-day vulnerability is being keenly watched by security researchers, and Rapid7 has published a thorough blog post breaking down the details. The article highlights how crucial it is for businesses to continue being watchful and proactive in protecting their IT infrastructure while also shedding light on the technical underpinnings of the attack.

Organizations that depend on SysAid's services are urged to keep up with the latest developments during the investigation and to swiftly put recommended security measures into place. The SysAid security incident highlights the necessity of ongoing awareness and strong cybersecurity procedures in today's digital environment by serving as a sobering reminder of the sophisticated and ever-evolving nature of cyber threats.

Read more »
Security Risk
Cyber Attacks Cybersecurity Agencies IT Service Security Alert Security Risk

Five Eyes Agencies Warn Managed Service Providers of Cyber Attacks

 

The Five Eyes alliance of cybersecurity authorities from the United States, the United Kingdom, Australia, New Zealand, and Canada last week published a joint advisory warning of threats targeting managed service providers (MSPs) and their customers. 

The advisory recommends customers of MSPs in the member nations on how to guard sensitive details and reassess security posture and contractual agreements with their service providers based on individual risk tolerance. MSPs are a prime target for cybercriminals and nation-state actors–because attacking an MSP can lead to additional downstream victims (as we witnessed with Kaseya and the SolarWinds assaults.)

"As this advisory makes clear, malicious cyber actors continue to target managed service providers, which is why it's critical that MSPs and their customers take recommended actions to protect their networks," Jen Easterly, director of US's Cybersecurity and Infrastructure Security Agency (CISA) stated. 

"We know that MSPs that are vulnerable to exploitation significantly increase downstream risks to the businesses and organizations they support. Securing MSPs are critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain," she added. 

The alert is the result of a collaborative effort among the Cybersecurity and Infrastructure Security Agency, the National Security Agency, and the Federal Bureau of Investigation in the U.S.; the National Cyber Security Centers in the United Kingdom and New Zealand; the Australian Cyber Security Center; and the Canadian Center for Cyber Security. 

Mitigation tips 

In the advisory issued on the second day of the NCSC's Cyber UK conference, where several senior figures from the cybersecurity agencies have met to discuss the issue of global cyber threats, the authorities recommend that MSP customers ensure that their MSPs implement the following measures and controls: 

• To counter initial assault, enhance the security of vulnerable devices, protect internet-facing services and defend against brute-force and phishing attacks. 
• Improve monitoring and logging processes for the delivery infrastructure activities used to provide services to the customer. 
• Enable multifactor authentication across all customer services and products. 
• Periodically erase obsolete accounts and infrastructure and apply updates to the infrastructure whenever available and necessary. 
• Develop incident response and recovery plans. 
• Understand and proactively manage supply chain risk. 
• Adopt transparent processes and, at the same time, manage account authentication and authorization.
Read more »
Subscribe to: Posts (Atom)