Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Information Security. Show all posts
Malware attacks
AI generated Deepfake AI tools Cyber Attacks data security Data Theft Fake Apps Information Security Malware attacks

Meeten Malware Targets Web3 Workers with Crypto-Stealing Tactics

 


Cybercriminals have launched an advanced campaign targeting Web3 professionals by distributing fake video conferencing software. The malware, known as Meeten, infects both Windows and macOS systems, stealing sensitive data, including cryptocurrency, banking details, browser-stored information, and Keychain credentials. Active since September 2024, Meeten masquerades as legitimate software while compromising users' systems. 
 
The campaign, uncovered by Cado Security Labs, represents an evolving strategy among threat actors. Frequently rebranded to appear authentic, fake meeting platforms have been renamed as Clusee, Cuesee, and Meetone. These platforms are supported by highly convincing websites and AI-generated social media profiles. 
 
How Victims Are Targeted:
  • Phishing schemes and social engineering tactics are the primary methods.
  • Attackers impersonate trusted contacts on platforms like Telegram.
  • Victims are directed to download the fraudulent Meeten app, often accompanied by fake company-specific presentations.

Key behaviors include:
  • Escalates privileges by prompting users for their system password via legitimate macOS tools.
  • Displays a decoy error message while stealing sensitive data in the background.
  • Collects and exfiltrates data such as Telegram credentials, banking details, Keychain data, and browser-stored information.
The stolen data is compressed and sent to remote servers, giving attackers access to victims’ sensitive information. 
 
Technical Details: Malware Behavior on Windows 

On Windows, the malware is delivered as an NSIS file named MeetenApp.exe, featuring a stolen digital certificate for added legitimacy. Key behaviors include:
  • Employs an Electron app to connect to remote servers and download additional malware payloads.
  • Steals system information, browser data, and cryptocurrency wallet credentials, targeting hardware wallets like Ledger and Trezor.
  • Achieves persistence by modifying the Windows registry.
Impact on Web3 Professionals 
 
Web3 professionals are particularly vulnerable as the malware leverages social engineering tactics to exploit trust. By targeting those engaged in cryptocurrency and blockchain technologies, attackers aim to gain access to valuable digital assets. Protective Measures:
  1. Verify Software Legitimacy: Always confirm the authenticity of downloaded software.
  2. Use Malware Scanning Tools: Scan files with services like VirusTotal before installation.
  3. Avoid Untrusted Sources: Download software only from verified sources.
  4. Stay Vigilant: Be cautious of unsolicited meeting invitations or unexpected file-sharing requests.
As social engineering tactics grow increasingly sophisticated, vigilance and proactive security measures are critical in safeguarding sensitive data and cryptocurrency assets. The Meeten campaign underscores the importance of staying informed and adopting robust cybersecurity practices in the Web3 landscape.
Read more »
Ransomwares
ALPHV ALPHV Blackcat Ransomware Change Healthcare Cyber Attacks cybersecurity in healthcare Information Security Ransomware attack Ransomwares

Change Healthcare Restores Clearinghouse Services After Nine-Month Recovery From Ransomware Attack

 

Change Healthcare has announced the restoration of its clearinghouse services, marking a significant milestone in its recovery from a debilitating ransomware attack by the ALPHV/Blackcat group in February. 

The attack caused unprecedented disruption to one of the U.S.’s most critical healthcare transaction systems, which processes over 15 billion transactions annually and supports payments and communications for hospitals, healthcare providers, and patients. The breach led to widespread financial and operational issues, with the American Hospital Association (AHA) reporting that 94% of U.S. hospitals relying on Change Healthcare were affected. Many hospitals experienced severe cash flow challenges, with nearly 60% reporting daily revenue losses of $1 million or more. These difficulties persisted for months as Change Healthcare scrambled to restore its services and mitigate the attack’s impact. 

In response to the financial strain on healthcare providers, UnitedHealth-owned Optum launched a Temporary Funding Assistance Program in March. This initiative provided over $6 billion in interest-free loans to healthcare providers to address cash flow shortages. As of October, $3.2 billion of the funds had been repaid, reflecting progress in stabilizing the industry. However, some services, such as Clinical Exchange, MedRX, and the Payer Print Communication System, are still undergoing restoration, leaving providers to navigate ongoing challenges. 

The breach also exposed sensitive information of approximately 100 million individuals, making it one of the most significant healthcare data breaches in history. Victims’ full names, email addresses, banking details, and medical claims records were among the data compromised. Change Healthcare’s parent company, UnitedHealth, confirmed that the attackers gained access through stolen credentials used to log into a Citrix portal that lacked multi-factor authentication (MFA). UnitedHealth CEO Andrew Witty testified before Congress, admitting to authorizing a $22 million ransom payment to the attackers. He described the decision as one of the hardest he had ever made, emphasizing the urgent need to minimize further harm to the healthcare system. 

Cybersecurity experts have criticized Change Healthcare for failing to implement basic security protocols, including MFA and robust network segmentation, prior to the attack. The attack’s aftermath has been costly, with remediation expenses exceeding $2 billion as of the most recent UnitedHealth earnings report. Critics have described the company’s lack of preventive measures as “egregious negligence.” Tom Kellermann, SVP of cyber strategy at Contrast Security, highlighted that the company failed to conduct adequate threat hunting or prepare for potential vulnerabilities, despite its critical role in the healthcare ecosystem. 

Beyond the immediate financial impact, the incident has raised broader concerns about the resilience of U.S. healthcare infrastructure to cyberattacks. Experts warn that the sector must adopt stronger cybersecurity measures, including advanced threat detection and incident response planning, to prevent similar disruptions in the future. The restoration of Change Healthcare’s clearinghouse services represents a major step forward, but it also serves as a reminder of the severe consequences of insufficient cybersecurity measures in an increasingly digital healthcare landscape. 

The attack has underscored the urgent need for organizations to prioritize data security, invest in robust safeguards, and build resilience against evolving cyber threats.
Read more »
Security Issues
CISO CVE vulnerability CVEs Cyber Security Hacking News Information Security IT Security Security Issues

Cisco Fixes Critical CVE-2024-20418 Vulnerability in Industrial Wireless Access Points

 

Cisco recently disclosed a critical security vulnerability, tracked as CVE-2024-20418, that affects specific Ultra-Reliable Wireless Backhaul (URWB) access points used in industrial settings. These URWB access points are essential for maintaining robust wireless networks in environments like manufacturing plants, transportation systems, and other infrastructure-intensive industries. The vulnerability allows remote, unauthenticated attackers to perform command injection attacks with root privileges by exploiting the device’s web-based management interface. 

This vulnerability results from inadequate validation of input data within Cisco’s Unified Industrial Wireless Software, specifically affecting the web management interface of URWB access points. By sending specially crafted HTTP requests, attackers could exploit this flaw to execute arbitrary commands with root-level access, potentially leading to unauthorized control over the device. This level of access could compromise critical network infrastructure, posing serious risks to businesses relying on URWB technology for uninterrupted connectivity. The vulnerability specifically impacts Cisco Catalyst models IW9165D, IW9165E, and IW9167E when URWB mode is enabled. 

For users concerned about their device’s security, Cisco advises checking vulnerability status by using the “show mpls-config” command in the command-line interface (CLI). If the command confirms URWB mode is active, the device may be vulnerable to potential attacks. Cisco’s Product Security Incident Response Team (PSIRT) has stated that it is not aware of any instances of this vulnerability being actively exploited in real-world scenarios. However, given the nature of this vulnerability, Cisco urges users to update their devices promptly to mitigate the risk. Currently, Cisco has not issued workarounds for this issue. 

As a result, companies relying on these models are advised to stay alert for firmware updates or patches that Cisco may release to resolve the vulnerability. The lack of a temporary fix underlines the importance of applying any future updates immediately, especially as remote exploitation could have significant consequences for the affected systems. For organizations using these Cisco models, securing network access and strengthening device-level defenses can be critical in mitigating potential risks. Limiting access to the web-based management interface, monitoring device activity, and conducting frequent security audits are some proactive steps administrators can take. These actions may help limit exposure while waiting for Cisco’s permanent fix. This incident serves as a reminder of the evolving threat landscape in industrial and operational technology environments. 

As organizations adopt more wireless technologies to improve operational efficiencies, the need for robust cybersecurity practices is crucial. Regularly updating network devices and addressing vulnerabilities promptly are fundamental to protecting systems from cyber threats. Cisco’s disclosure of CVE-2024-20418 underscores the vulnerabilities that even the most reliable industrial-grade devices can exhibit. It also highlights the critical importance of proactive device management and security measures in preventing unauthorized access. Industrial environments should consider this a timely reminder to prioritize cybersecurity protocols across all network-connected devices.
Read more »
SMB
BlueKeep Botnet Botnet attack CVSS 4.0 Cyber Security Information Security RDP SMB

Prometei Botnet: The Persistent Threat Targeting Global Systems

 

The Prometei botnet, active since at least 2016, continues to pose a persistent threat worldwide by exploiting unpatched software vulnerabilities. First identified in 2020, Prometei has since infected over 10,000 systems across diverse regions, including Brazil, Indonesia, Turkey, and Germany. Its resilience stems from its focus on widely used software gaps, particularly in systems with weak configurations, unmonitored security measures, or outdated patches. The Federal Office for Information Security in Germany has labeled it a medium-impact threat, given its extensive reach and ability to bypass security protocols. Prometei operates by exploiting vulnerabilities in widely used software, spreading particularly through unpatched or poorly configured Exchange servers. 

Critical Start’s Callie Guenther highlights Prometei’s strategy of leveraging regions with inadequate cybersecurity, making it highly effective in targeting various systems regardless of location. One notable aspect is its ability to spread through legacy vulnerabilities, such as the BlueKeep flaw in Remote Desktop Protocol (RDP), which has a critical CVSS score of 9.8. By targeting these known issues, Prometei can quickly access poorly maintained systems that remain unprotected. A Prometei attack often starts with a series of network login attempts, typically originating from locations associated with known botnet infrastructure. Once access is secured, the malware tests various system weaknesses, particularly outdated vulnerabilities like BlueKeep and EternalBlue. If successful, it can propagate through Server Message Block (SMB) systems or use ProxyLogon flaws to exploit Windows environments further. 

Prometei’s use of outdated exploits could be seen as less sophisticated; however, its approach is strategic, focusing on identifying vulnerable, under-maintained systems rather than tackling those with robust security protocols. Once established in a target system, Prometei employs several techniques to maintain control and evade detection. For example, it uses a domain generation algorithm (DGA) to enhance its command-and-control (C2) system, allowing continuous operation even if some domains are blocked. It further manipulates firewall settings to ensure its traffic is not obstructed, enabling it to persist even after system reboots. Among its advanced methods is the use of the WDigest protocol, which stores plaintext passwords in memory. 

Prometei forces systems to store passwords in plaintext, then exfiltrates them while bypassing detection by configuring Windows Defender to ignore specific files. The primary goal of Prometei appears to be cryptojacking, as it harnesses infected systems to mine the Monero cryptocurrency without the owners’ knowledge. Additionally, it installs an Apache web server as a web shell, creating a backdoor for attackers to upload more malicious files or execute commands. Prometei’s presence, according to Trend Micro’s Stephen Hilt, often signals deeper security concerns, as it can coexist with other malicious software, highlighting vulnerabilities that attackers may leverage for various purposes. Interestingly, Prometei avoids certain regions, specifically targeting systems outside former Soviet countries. Its command-and-control servers bypass exit nodes within these nations, avoiding accounts tagged as “Guest” or “Other user” in Russian.

Older versions of Prometei also included Russian-language settings, hinting at a potential connection to Russian-speaking developers. The botnet’s name, “Prometei,” references the Greek titan Prometheus, symbolizing a persistence that echoes the botnet’s own sustained presence in global cyber threats. Prometei exemplifies the persistent and evolving nature of modern botnets. Its success in exploiting well-known but unpatched vulnerabilities underscores the importance of maintaining updated security systems. For organizations worldwide, especially those with legacy systems or lax monitoring, Prometei serves as a critical reminder to reinforce defenses against cyber threats, as outdated security leaves systems vulnerable to malicious actors seeking to exploit any gap available.
Read more »
unauthorized software
ChatGPT risks Cybersecurity Data Leaks Data protection Digital Assets Information Security privacy laws server vulnerabilities Shadow IT Technology unauthorized software

Mitigating the Risks of Shadow IT: Safeguarding Information Security in the Age of Technology

 

In today’s world, technology is integral to the operations of every organization, making the adoption of innovative tools essential for growth and staying competitive. However, with this reliance on technology comes a significant threat—Shadow IT.  

Shadow IT refers to the unauthorized use of software, tools, or cloud services by employees without the knowledge or approval of the IT department. Essentially, it occurs when employees seek quick solutions to problems without fully understanding the potential risks to the organization’s security and compliance.

Once a rare occurrence, Shadow IT now poses serious security challenges, particularly in terms of data leaks and breaches. A recent amendment to Israel’s Privacy Protection Act, passed by the Knesset, introduces tougher regulations. Among the changes, the law expands the definition of private information, aligning it with European standards and imposing heavy penalties on companies that violate data privacy and security guidelines.

The rise of Shadow IT, coupled with these stricter regulations, underscores the need for organizations to prioritize the control and management of their information systems. Failure to do so could result in costly legal and financial consequences.

One technology that has gained widespread usage within organizations is ChatGPT, which enables employees to perform tasks like coding or content creation without seeking formal approval. While the use of ChatGPT itself isn’t inherently risky, the lack of oversight by IT departments can expose the organization to significant security vulnerabilities.

Another example of Shadow IT includes “dormant” servers—systems connected to the network but not actively maintained. These neglected servers create weak spots that cybercriminals can exploit, opening doors for attacks.

Additionally, when employees install software without the IT department’s consent, it can cause disruptions, invite cyberattacks, or compromise sensitive information. The core risks in these scenarios are data leaks and compromised information security. For instance, when employees use ChatGPT for coding or data analysis, they might unknowingly input sensitive data, such as customer details or financial information. If these tools lack sufficient protection, the data becomes vulnerable to unauthorized access and leaks.

A common issue is the use of ChatGPT for writing SQL queries or scanning databases. If these queries pass through unprotected external services, they can result in severe data leaks and all the accompanying consequences.

Rather than banning the use of new technologies outright, the solution lies in crafting a flexible policy that permits employees to use advanced tools within a secure, controlled environment.

Organizations should ensure employees are educated about the risks of using external tools without approval and emphasize the importance of maintaining information security. Proactive monitoring of IT systems, combined with advanced technological solutions, is essential to safeguarding against Shadow IT.

A critical step in this process is implementing technologies that enable automated mapping and monitoring of all systems and servers within the organization, including those not directly managed by IT. These tools offer a comprehensive view of the organization’s digital assets, helping to quickly identify unauthorized services and address potential security threats in real time.

By using advanced mapping and monitoring technologies, organizations can ensure that sensitive information is handled in compliance with security policies and regulations. This approach provides full transparency on external tool usage, effectively reducing the risks posed by Shadow IT.
Read more »
USDoD
Data Breach Data Leak DOD Hackers Information Security Sensitive data Social Security Number USA USDoD

Massive Data Breach Exposes Social Security Numbers of 2.9 Billion People

 


A significant data breach has reportedly compromised the personal information of 2.9 billion people, potentially affecting the majority of Americans. A hacking group known as USDoD claims to have stolen this data, which includes highly sensitive information such as Social Security numbers, full names, addresses, dates of birth, and phone numbers. This development has raised alarm due to the vast scope of the breach and the critical nature of the information involved. The breach was first reported by the Los Angeles Times, which revealed that the hacker group is offering the stolen data for sale. 

The breach allegedly stems from National Public Data, a company that collects and stores personal information to facilitate background checks. The company has not formally confirmed the breach but did acknowledge purging its entire database. According to National Public Data, they have deleted all non-public information, although they stopped short of admitting that the data had been compromised. In April, the hacking group USDoD claimed responsibility for the breach, stating that it had obtained the personal information of billions of people. This led to a class-action lawsuit against National Public Data, as victims sought redress for the potential misuse of their sensitive information. 

The lawsuit has intensified scrutiny on the company’s data security practices, particularly given the critical nature of the information it manages. The potential consequences of this breach are severe. The stolen data, which includes Social Security numbers, could be used for a variety of malicious activities, including identity theft, fraud, and other forms of cybercrime. The scale of the breach also highlights the ongoing challenges in safeguarding personal information, particularly when it is collected and stored by third-party companies. As investigations continue, the breach underscores the urgent need for stronger data protection measures. 

Companies that handle sensitive information must ensure that they have robust security protocols in place to prevent such incidents. The breach also raises questions about the transparency and responsibility of organizations when dealing with personal data. In the meantime, consumers and businesses are on high alert, awaiting further developments and the potential fallout from one of the largest data breaches in history. The incident serves as a stark reminder of the risks associated with data storage and the critical importance of cybersecurity.
Read more »
SSNs
Banking Information customer data compromise Data Breach Data Leak IMS Information Security LockBit LockBit ransomware Ransomware attack SSNs

LockBit Ransomware Attack on Infosys McCamish Systems Exposes Sensitive Data of Over Six Million Individuals

 

Infosys McCamish Systems (IMS) recently disclosed that a LockBit ransomware attack earlier this year compromised sensitive information of more than six million individuals. IMS, a multinational corporation specializing in business consulting, IT, and outsourcing services, primarily serves the insurance and financial services industries. The company has a significant presence in the U.S., catering to large financial institutions such as the Bank of America and seven out of the top ten insurers in the country. 

In February 2024, IMS informed the public about the ransomware attack that occurred in November 2023. Initially, the company reported that the personal data of around 57,000 Bank of America customers had been compromised. LockBit, the group responsible for the attack, claimed to have encrypted 2,000 computers within the IMS network. A recent notification to U.S. authorities revealed that the total number of affected individuals now exceeds six million. The notification outlined the steps taken by IMS, including the involvement of third-party eDiscovery experts, to conduct a thorough review of the compromised data. 

This review aimed to identify the personal information accessed and determine the individuals impacted. The compromised data includes a wide range of sensitive information, such as Social Security Numbers (SSNs), dates of birth, medical records, biometric data, email addresses and passwords, usernames and passwords, driver’s license or state ID numbers, financial account information, payment card details, passport numbers, tribal ID numbers, and U.S. military ID numbers. To mitigate the risks associated with this data exposure, IMS is offering affected individuals a free two-year identity protection and credit monitoring service through Kroll. 

The notification letters provided instructions on how to access these services. IMS has not disclosed the full list of impacted clients, but the notification mentioned Oceanview Life and Annuity Company (OLAC), an Arizona-based provider of fixed and fixed-indexed annuities, as one of the affected organizations. The list of impacted data owners may be updated as more customers request to be named in the filing. 

This breach highlights the critical importance of robust cybersecurity measures and the significant impact such attacks can have on both individuals and large financial institutions. The LockBit ransomware attack on IMS serves as a stark reminder of the vulnerabilities within the digital infrastructure of major corporations and the far-reaching consequences of data breaches.
Read more »
Information Security
Businesses Customer Information Cyber Threats Data Breach Data Storage Information Security

The Role of Immutable Data Storage in Strengthening Cybersecurity


 

In today’s rapidly advancing digital world, how organisations store their data is crucial to their cybersecurity strategies. Whether protecting sensitive customer information, securing intellectual property, or ensuring smooth business operations, effective data storage methods can prominently impact an organisation's defence against cyber threats.

Modern businesses are experiencing a massive increase in data generation. This surge is driven by technological innovation, growing customer interactions, and expanding business operations. As data continues to grow at an exponential rate, organisations must find ways to fully utilise this data while also ensuring its security and availability.

Cyberattacks are becoming more frequent and sophisticated, making data protection a top priority for businesses. Ransomware attacks, in particular, are a major concern. These attacks involve cybercriminals encrypting an organisation’s data and demanding a ransom for its release. According to the Verizon 2023 Data Breach Investigations report, ransomware is involved in over 62% of incidents linked to organised crime and 59% of financially motivated incidents. The consequences of such attacks are severe, with businesses taking an average of 9.9 days to return to normal operations after a ransomware incident. Additionally, 1 in 31 companies worldwide faces weekly ransomware attacks, underscoring the urgent need for robust data protection measures.

Immutable data storage has become a key strategy in bolstering cybersecurity defences. Unlike traditional storage methods, which allow data to be modified or deleted, immutable storage ensures that once data is written, it cannot be altered or erased. This feature is crucial for maintaining data integrity and protecting critical information from tampering and unauthorised changes.

By adopting immutable storage solutions, organisations can significantly reduce the risks associated with cyberattacks, particularly ransomware. Even if attackers manage to penetrate the network, the immutable data remains unchanged and intact, rendering ransom demands ineffective. This approach not only protects sensitive information but also helps maintain business continuity during and after an attack.

As businesses continue to face the growing threat of cybercrime, adopting advanced data storage solutions like immutable storage is essential. By ensuring that data cannot be altered or deleted, organisations can better protect themselves from the devastating impacts of cyberattacks, safeguard critical information, and maintain operations without interruption. In an age where data is both a valuable asset and a prime target, robust storage strategies are indispensable to a comprehensive cybersecurity strategy.



Read more »
Subscribe to: Posts (Atom)