
PowerSchool Data Breach Exposes Millions



An American education technology company, PowerSchool, is the latest major company to fall victim to a hacking incident and data breach, one that likely compromised millions of student and teacher records across North America. As one of the leading providers of school records management software, PowerSchool serves 18,000 schools that manage data on more than 60 million students.


How the breach happened

The compromise was discovered on December 28 and was traced to a subcontractor's account. A newer report indicates, however, that a separate intrusion, the compromise of a PowerSchool software engineer's access, may have played a role in the breach. Malware infected the engineer's computer and exfiltrated login credentials for internal systems such as Slack, AWS, and other tools.

According to logs retrieved by researchers, the infostealing malware known as LummaC2 was used to steal the engineer's passwords. The malware extracted saved passwords and browsing histories from the engineer's web browsers and uploaded them to a server run by cybercriminals. The stolen credentials were then shared in cybercrime groups, which further exposed PowerSchool's systems.


What Data Was Stolen?

The hackers accessed a range of sensitive personal information, including:

  • Social Security numbers
  • Student grades and demographics
  • Medical information
  • Parental access details, such as restraining orders
  • Records of students' medication schedules

School districts impacted by the breach reported that the attackers stole all historical data stored in PowerSchool’s systems.  

The lack of multi-factor authentication (MFA) on the compromised maintenance account was one key vulnerability. PowerSchool has since implemented MFA and reset passwords across its customer support portal. Many of the employee credentials discovered were weak and had already been exposed in other breaches.

The breach has underlined the threat posed by infostealing malware in hybrid work setups, where employees access company systems from personal devices, and much is now expected of PowerSchool in response.


Response and Investigation

PowerSchool is reportedly working with the cybersecurity firm CrowdStrike to investigate the incident. According to the company, no signs of malware or of system-layer access have been found, but the stolen data is still being analyzed.


Effects on Schools

Many school districts are operating independently to gauge the scope of the breach, relying on collective knowledge from other administrators. As the investigation continues, there are questions about PowerSchool's security measures and how it managed this extensive breach. 

Schools, parents, and educators are urged to be vigilant and ensure additional layers of security are put in place to prevent future incidents.


Are YouTube Game Cracks Hiding Malware?


Recently, cybersecurity researchers have uncovered a disturbing trend: threat actors are exploiting YouTube to distribute malware disguised as video game cracks. This tactic poses a significant risk to unsuspecting users, especially those seeking free software downloads.

According to findings by Proofpoint Emerging Threats, cybercriminals are leveraging popular video-sharing platforms to target home users, who often lack the robust defences of corporate networks. The scheme involves creating deceptive videos offering free access to software and video game enhancements, but the links provided lead to malicious content.

The malware, including variants such as Vidar, StealC, and Lumma Stealer, is camouflaged within seemingly innocuous downloads, enticing users with promises of game cheats or software upgrades. What's particularly troubling is the deliberate targeting of younger audiences, with malicious content masquerading as enhancements for games popular among children.

The investigation uncovered several compromised YouTube accounts, with previously dormant channels suddenly flooded with English-language videos promoting cracked software. These videos, uploaded within a short timeframe, contained links to malware-infected files hosted on platforms like MediaFire and Discord.

One example highlighted by researchers featured a video claiming to enhance a popular game, accompanied by a MediaFire link leading to a password-protected file harbouring Vidar Stealer malware. Similarly, other videos promised clean files but included instructions on disabling antivirus software, further endangering unsuspecting users.

Moreover, cybercriminals exploited the identity of "Empress," a well-known entity within software piracy communities, to disseminate malware disguised as cracked game content. Visual cues provided within the videos streamlined the process of installing Vidar Stealer malware, presenting it as authentic game modifications.

Analysis of the malware revealed a common tactic of bloating file sizes to evade detection, with payloads expanding to approximately 800 MB. Furthermore, the malware utilised social media platforms like Telegram and Discord for command and control (C2) activities, complicating detection efforts.

Research into the matter has again underlined the need for heightened awareness among users, particularly regarding suspicious online content promising free software or game cheats. While YouTube has been proactive in removing reported malicious accounts, the threat remains pervasive, targeting non-enterprise users who are vulnerable to deceptive tactics.

As cybercriminals continue to refine their methods, it is imperative for individuals to exercise caution when downloading software from unverified sources. Staying informed about emerging threats and adopting cybersecurity best practices can help reduce the risk of falling victim to such schemes.


LummaC2 Malware Introduces Innovative Anti-Sandbox Technique Utilizing Trigonometry


The LummaC2 malware, also known as Lumma Stealer, has introduced a novel anti-sandbox technique that utilizes trigonometry to avoid detection and steal valuable information from infected hosts. Outpost24 security researcher Alberto Marín highlighted this method, stating that it aims to delay the activation of the malware until human mouse activity is identified.

Originally written in the C programming language, LummaC2 has been available on underground forums since December 2022. Subsequent updates have made it more resistant to analysis through techniques like control flow flattening, and it now has the capability to deliver additional payloads.

In its current iteration (v4.0), LummaC2 mandates the use of a crypter by its customers to enhance concealment and prevent the leakage of its raw form.

A significant enhancement involves the utilization of trigonometry to identify human behavior on the compromised endpoint. Marín explained that this technique observes various cursor positions within a short time frame to effectively detect human activity, thereby thwarting detonation in analysis systems that lack realistic mouse movement emulation.

To achieve this, LummaC2 captures the cursor position five times, sleeping for a predefined interval of 50 milliseconds between captures. It then checks that each captured position differs from its predecessor, repeating the capture until all consecutive cursor positions differ. Once the positions meet that requirement, LummaC2 treats them as Euclidean vectors and calculates the angle formed between each pair of consecutive vectors. If all calculated angles are below 45°, LummaC2 v4.0 treats the movement as 'human' mouse behavior and proceeds with execution. If any angle exceeds 45°, the malware restarts the process: it waits for mouse movement within a 300-millisecond window and then captures five new cursor positions.
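The five-sample angle test described above, rebuilt as a small Python model so that sandbox operators can check whether their mouse-movement emulation would pass or fail this gate. This is an added example, not code from Outpost24 or from the malware; it assumes the "Euclidean vectors" are the displacements between consecutive captures, evaluates a single round (the 300 ms restart loop is left out), and uses constructed cursor paths as input.

```python
import math
from typing import List, Tuple

Point = Tuple[int, int]

SAMPLES = 5            # cursor captures per round, as reported
MAX_ANGLE_DEG = 45.0   # threshold reported for "human" movement


def all_positions_differ(points: List[Point]) -> bool:
    """First gate: every capture must differ from the one before it."""
    return all(a != b for a, b in zip(points, points[1:]))


def displacement_vectors(points: List[Point]) -> List[Point]:
    """Assumption: the vectors compared are P0->P1, P1->P2, ... displacements."""
    return [(b[0] - a[0], b[1] - a[1]) for a, b in zip(points, points[1:])]


def angle_between_deg(u: Point, v: Point) -> float:
    """Unsigned angle between two vectors in degrees (180 if either is zero)."""
    nu, nv = math.hypot(*u), math.hypot(*v)
    if nu == 0.0 or nv == 0.0:
        return 180.0  # a stalled cursor can never look like smooth motion
    cos_theta = (u[0] * v[0] + u[1] * v[1]) / (nu * nv)
    cos_theta = max(-1.0, min(1.0, cos_theta))  # guard against rounding drift
    return math.degrees(math.acos(cos_theta))


def turn_angles_deg(points: List[Point]) -> List[float]:
    """Angles between consecutive displacement vectors (3 angles for 5 points)."""
    vecs = displacement_vectors(points)
    return [angle_between_deg(a, b) for a, b in zip(vecs, vecs[1:])]


def looks_human(points: List[Point]) -> bool:
    """True when one round of five captures would pass the reported check."""
    if len(points) != SAMPLES or not all_positions_differ(points):
        return False
    return all(angle < MAX_ANGLE_DEG for angle in turn_angles_deg(points))


# Constructed sample paths (not captured from a real system).
HUMAN_LIKE_PATH = [(100, 100), (110, 104), (121, 109), (133, 113), (146, 118)]
SYNTHETIC_ZIGZAG = [(100, 100), (120, 100), (120, 120), (100, 120), (100, 100)]
STATIC_CURSOR = [(100, 100)] * 5

if __name__ == "__main__":
    for name, path in [("smooth", HUMAN_LIKE_PATH), ("zigzag", SYNTHETIC_ZIGZAG),
                       ("static", STATIC_CURSOR)]:
        print(name, [round(a, 1) for a in turn_angles_deg(path)], looks_human(path))
```

A sandbox whose emulated cursor jumps between random screen positions will usually fail the angle gate; a gently curving path passes it.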

This development coincides with the emergence of new information stealers and remote access trojans like BbyStealer, Trap Stealer, Predator AI, Epsilon Stealer, Nova Sentinel, and Sayler RAT, designed to extract sensitive data from compromised systems.

Predator AI, an actively maintained project, stands out for its capability to attack popular cloud services like AWS, PayPal, Razorpay, and Twilio. It has also incorporated a ChatGPT API for user convenience, as noted by SentinelOne earlier this month.

Marín emphasized that the malware-as-a-service (MaaS) model remains the preferred method for emerging threat actors to conduct complex and lucrative cyberattacks. Information theft, particularly within the realm of MaaS, poses a significant threat, leading to substantial financial losses for both organizations and individuals.