Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label MFA. Show all posts
Multi-factor authentication
Cyber Security CyberThreat Data Safety Google Cloud Google security MFA Multi-factor authentication

Google Cloud to Enforce Multi-Factor Authentication for Enhanced Security in 2025

 


As part of its commitment to protecting users' privacy, Google has announced that by the end of 2025, all Google Cloud accounts will have to implement multi-factor authentication (MFA), also called two-step verification. Considering the sensitive nature of cloud deployments and the fact that phishing and stolen credentials remain among the top attack vectors observed by Mandiant Threat Intelligence, it seems likely that Google Cloud users should now be required to perform [2 steps of verification], as Mayank Upadhyay, Google Cloud's VP of Engineering and Distinguished Engineer, told the audience. 

By the end of 2025, Google's cloud division is planning to introduce an optional multi-factor authentication (MFA) feature for all users, as part of its efforts to improve account security as a part of its mission to improve security across the company. As part of a recent announcement by the tech giant, it was announced that it will begin the transition with a phased rollout, to help users adapt more smoothly to the changes. 

The technology industry and cyber security industry have long recommended multifactor authentication as a highly secure authentication method. With an additional step of verification, multi-factor authentication (MFA) dramatically reduces the risk of unauthorized logins, data breaches, and account takeovers, regardless of whether the user's password is compromised. As hackers continue to ramp up their sophisticated attacks on cloud infrastructure and sensitive data, Google is pushing for mandatory MFA as part of a growing trend in cybersecurity. 

According to recent announcements, Google is planning on requiring multi-factor authentication (MFA) for all Cloud accounts by the end of 2025, to protect cloud accounts. MFA is supposed to strengthen security while maintaining a smooth and convenient user experience online, which is exactly what Google claims. It has been reported that 70% of Google users have started using this feature and that security consultants are urging those users who are still on the fence to switch over to MFA at once. Users as well as admins who have access to Google Cloud will be affected by the implementation of the new process. 

Generally speaking, this change will not impact Google accounts of general consumer users. In a recent announcement sent made by Mayank Upadhyay, Google Cloud's VP of Engineering and Distinguished Engineer an official announcement the company stated that they plan to have mandatory MFA implemented throughout 2025 in a phased approach, with assistance being provided to help plan the deployment process. In response to Google's announcement, the company now states that it is taking a phased approach to the mandatory 2FA requirement that will apply to Google Cloud users; here's what that means in practice. 

There will be three phases to the implementation, and the first phase begins immediately with Google encouraging users to adopt 2FA if they have not yet had the chance to install 2FA protection on their account, but currently sign in with a password. Google estimates that 70% of online users have done this. As part of the first phase of the program, which is scheduled to begin in November 2024, the aim will be to encourage the adoption of MFA. The Google Cloud console will be regularly updated with helpful reminders and information. Resources will be available to help raise awareness, plan rollout and documentation of the MFA process, as well as to conduct testing and enable MFA for users with ease. The first phase of the project is scheduled to begin in November 2024 and will play a key role in facilitating the adoption of MFA. 

There will be several notes and reminders in the Google Cloud Console, including information you'll find helpful in raising awareness, planning rollouts, conducting tests, and ensuring that MFA is enabled smoothly for users, to help raise awareness. There will be a second phase that begins early next year and, at the start of the year, Google will start requiring MFA for users who sign in to Google Cloud with a password, whether they are new or existing. Nevertheless, Google has not yet expressed a concrete date for when it is planning to deploy the 2FA technology as part of phase two, which is scheduled for "early 2025". 

It is important to note, however, that all new Google Cloud users, whether or not they already have a password, will be required to implement two-factor authentication to sign in. As of now, this is a mandatory requirement, with no ifs, no buts. As soon as the Google Cloud Console, Firebase Console and iCloud are updated with the 2FA notification, Upadhyay will warn users that to continue using those tools, they need to enrol with the 2FA service. The final phase of Google Cloud's 2FA requirement will be rolled out by the end of 2025, it has been told and will be required for all users currently using federated authentication when logging into Google Cloud by that time. 

It was confirmed in the announcement that there will be flexible options for meeting this requirement. In other words, it appears to be an option for users to enable 2FA with their primary identity provider before accessing Google Cloud itself, or to add a layer of security through Google's system, using their Google account to enable 2FA through their cloud service. A senior director of technical field operations at Obsidian Security told me that the threat landscape has rapidly become more sophisticated as a result of this increased MFA prevalence. The breach data shows that 89% of compromised accounts have MFA enabled, according to Chris Fuller, senior director of technical field operations.

Several phishing-as-a-service toolkits, including the Mamba toolkit that you can buy for $250 a month, as well as non-human identity compromises, suggest that identity compromises will continue regardless of the technology used to carry out." Google's phased rollout is designed to ease users into the new requirement, which could have been met with resistance due to perceived friction in the user experience, especially when the requirement is implemented suddenly," Patrick Tiquet, Vice President of Security and Compliance at Keeper Security, said. Tiquet further emphasized that organizations leveraging Google Cloud will need to strategically prepare for MFA implementation across their workforce. 

This preparation includes comprehensive employee training on the critical role of multi-factor authentication in safeguarding organizational data and systems. Effective MFA adoption may be supported by tools such as password managers, which can streamline the process by securely storing and automatically filling MFA codes. Proper planning and training will be essential for organizations to successfully integrate MFA and enhance security measures across their teams.
Read more »
Threat Detection
2024 Authentication Cyber Fraud CyberCrime Cybersecurity Mamba 2FA MFA phishing phishing-as-a-service SEKOIA Telegram Threat Detection

Mamba 2FA Emerges as a New Threat in Phishing Landscape

 

In the ever-changing landscape of phishing attacks, a new threat has emerged: Mamba 2FA. Discovered in late May 2024 by the Threat Detection & Research (TDR) team at Sekoia, this adversary-in-the-middle (AiTM) phishing kit specifically targets multi-factor authentication (MFA) systems. Mamba 2FA has rapidly gained popularity in the phishing-as-a-service (PhaaS) market, facilitating attackers in circumventing non-phishing-resistant MFA methods such as one-time passwords and app notifications.

Initially detected during a phishing campaign that imitated Microsoft 365 login pages, Mamba 2FA functions by relaying MFA credentials through phishing sites, utilizing the Socket.IO JavaScript library to communicate with a backend server. According to Sekoia's report, “At first, these characteristics appeared similar to the Tycoon 2FA phishing-as-a-service platform, but a closer examination revealed that the campaign utilized a previously unknown AiTM phishing kit tracked by Sekoia as Mamba 2FA.” 

The infrastructure of Mamba 2FA has been observed targeting Entra ID, third-party single sign-on providers, and consumer Microsoft accounts, with stolen credentials transmitted directly to attackers via Telegram for near-instant access to compromised accounts.

A notable feature of Mamba 2FA is its capacity to adapt to its targets dynamically. For instance, in cases involving enterprise accounts, the phishing page can mirror an organization’s specific branding, including logos and background images, enhancing the believability of the attack. The report noted, “For enterprise accounts, it dynamically reflects the organization’s custom login page branding.”

Mamba 2FA goes beyond simple MFA interception, handling various MFA methods and updating the phishing page based on user interactions. This flexibility makes it an appealing tool for cybercriminals aiming to exploit even the most advanced MFA implementations.

Available on Telegram for $250 per month, Mamba 2FA is accessible to a broad range of attackers. Users can generate phishing links and HTML attachments on demand, with the infrastructure shared among multiple users. Since its active promotion began in March 2024, the kit's ongoing development highlights a persistent threat in the cybersecurity landscape.

Research from Sekoia underscores the kit’s rapid evolution: “The phishing kit and its associated infrastructure have undergone several significant updates.” With its relay servers hosted on commercial proxy services, Mamba 2FA effectively conceals its true infrastructure, thereby minimizing the likelihood of detection.

Read more »
Ransom Demand
CloudSEK Customer Data Customer Data Exposed Cybersecurity Breach Data Breach Fortnite IAM system MFA Ransom Demand

Fortinet Cybersecurity Breach Exposes Sensitive Customer Data

 

Fortinet experienced a significant cybersecurity breach involving a third-party cloud drive, where 440 GB of data was leaked by a hacker named “Fortibitch” after the company refused to pay the ransom. The breach affected about 0.3% of Fortinet’s customers, roughly 1,500 corporate users, and included sensitive information such as financial documents, HR data, customer details, and more. Experts highlight that the breach underscores the critical need for implementing rigorous cybersecurity measures like multi-factor authentication (MFA) and robust identity access management (IAM) systems. 

Multi-factor authentication is particularly emphasized as a vital layer of defense against unauthorized access, significantly reducing the risk of data exposure when combined with strong identity access management. Organizations need to ensure that they enforce MFA and other identity management protocols consistently, especially for accessing essential systems like SharePoint and cloud storage services. Jim Routh, Chief Trust Officer at Saviynt, pointed out the growing concern over cloud security, given its increased adoption in software development and data storage. He stressed that without proper safeguards, such as MFA and secure access controls, sensitive data is at risk of exposure. 

Cybersecurity analyst Koushik Pal from CloudSEK echoed this sentiment, advocating for stricter IAM policies and urging organizations to regularly monitor repositories for potential misconfigurations, exposed credentials, or sensitive data leaks. This kind of vigilance is necessary for all teams to adhere to security best practices and minimize vulnerabilities. Relying on third-party vendors for data storage, as Fortinet did, is not inherently dangerous but introduces additional risks if strict security protocols are not enforced. The breach serves as a reminder that even established cybersecurity companies can fall victim to attacks, highlighting the need for ongoing vigilance. 

According to Routh, it’s crucial for system administrators to manage accounts meticulously, ensuring that identity access management protocols are properly configured and that privileged access is monitored effectively. The breach exemplifies how cybercriminals exploit security weaknesses to gain unauthorized access to sensitive data. As cloud technologies continue to be integrated into businesses, the responsibility to protect data becomes increasingly important. Cybersecurity experts emphasize that organizations must invest in proper training, regularly update security measures, and remain vigilant to adapt to evolving cyber threats. 

Ensuring that MFA, identity management systems, and monitoring practices are in place can go a long way in protecting against similar breaches in the future. This Fortinet incident serves as a wake-up call, showing that no organization is entirely immune to cyber threats, regardless of its expertise in cybersecurity.
Read more »
SSNs
Cybernews Data Breach Healthcare Healthcare Breach MFA Personal Data SSNs

Florida Healthcare Data Leak Exposes Thousands of Doctors and Hospitals

 

A data breach at Florida-based recruitment firm MNA Healthcare has left sensitive information of over 14,000 healthcare workers and 10,000 hospitals exposed. Discovered on June 20, 2024, by the Cybernews research team, the breach was caused by a misconfiguration that left a database backup publicly accessible online. The database contained sensitive data, including full names, addresses, phone numbers, work experience, encrypted Social Security Numbers (SSNs), and hashed passwords.

The encryption used for the SSNs was found to be vulnerable due to an exposed environment file containing the Laravel App Key, which is used for encrypting SSNs. While encrypted, researchers indicated that decrypting the SSNs is possible, putting affected healthcare workers at risk of identity theft and fraud. The exposed data is particularly concerning because healthcare professionals are often targeted by cybercriminals, as their high salaries make them attractive for financial fraud.

MNA Healthcare is a staffing firm that operates in nine U.S. states, matching healthcare professionals with various organizations. Among the leaked information were communications between medical staff and MNA representatives, job assignments, and license copies. This breach puts not only doctors and healthcare workers at risk of identity theft, but also opens up opportunities for credential stuffing and phishing attacks.

The exposed data also increases the possibility of criminals using stolen SSNs to engage in fraudulent activities such as filing false tax returns, opening credit accounts, and misusing the information to obtain loans or benefits. As the leaked database included names of hospitals and medical institutions, these entities could also face reputational damage and potential legal ramifications.

To prevent future breaches like the one at MNA Healthcare, companies must implement more robust cybersecurity measures. One essential step is ensuring that databases containing sensitive information, such as SSNs and other personal data, are encrypted using stronger, more up-to-date encryption methods. Regular security audits should be conducted to detect any misconfigurations or vulnerabilities in their systems before malicious actors can exploit them.

Another crucial step is implementing stricter access controls and monitoring systems. Limiting access to sensitive data to only necessary personnel and tracking any unusual access attempts or data transfers can help detect a breach early. Additionally, using multi-factor authentication (MFA) for employees accessing critical systems adds an extra layer of security, making it harder for unauthorized individuals to infiltrate the system. Finally, companies should also educate their employees about cybersecurity risks and how to recognize phishing scams to minimize the risk of human error leading to data breaches.

Following the discovery of the breach, MNA Healthcare secured the exposed configuration, but concerns remain about the company’s overall infrastructure security. Security expert Aras Nazarovas pointed out that the backup and encryption issues raise questions about how the company stores sensitive information. 

The healthcare sector remains a popular target for cyberattacks, and this breach highlights the need for stronger cybersecurity practices in protecting personal information. Affected individuals are advised to monitor their financial accounts and consider identity theft protection to mitigate potential risks.
Read more »
SonicWall
Akira Ransomware Cyber Attacks MFA Ransomware SonicWall

Hackers Use SonicWall Security Flaw in Ransomware Attacks


 

In the latest ransomware attack, operators have started using a critical bug in SonicWall SonicOS firewall devices as an entry point for compromising business networks. The vulnerability, identified as CVE-2024-40766, is from the management access interface of the firewall and thus impacts all current devices spanning across Generation 5, Generation 6, and Generation 7. A patch was issued by SonicWall on August 22 to address the issue and asked its users to update their appliances. It later turned out that the same weakness also affects the SSLVPN feature of the devices, which has recently been exploited in the wild.

Arctic Wolf security researchers reported that operators of the Akira ransomware strain have been leveraging the bug for initial access to business networks. These appeared to be the types of attacks that involved compromised accounts, local to the affected devices and independent of centralised authentication systems such as Microsoft Active Directory. What's more, the affected accounts were noted to have MFA disabled, further compromising them. The affected breached devices were running firmware versions in the range vulnerable to CVE-2024-40766.

Apart from Arctic Wolf's discovery, the incidents of ransomware groups making their ways into SonicWall SSLVPN accounts were also reported by the security firm Rapid7. While the incidents being connected to the vulnerability CVE-2024-40766 are purely speculative, the company has underlined the need to take precautions.

Immediate Security Recommendations

The cybersecurity researchers at SonicWall, Arctic Wolf, and Rapid7 have strongly recommended that the administrators take to the immediate implementation of the latest SonicOS firmware updates. Specifically, SonicWall has advised customers to allow access to the Firewall management and SSLVPN features only from trusted sources and block it from the internet, if possible. It has also underlined the implementation of MFA for all SSLVPN users by leveraging the use of TOTP or email-based authentication.

Given the threat, this vulnerability has been added to the Known Exploited Vulnerabilities catalogue by the U.S. Cybersecurity and Infrastructure Security Agency, or CISA. Federal agencies were directed to patch their vulnerable SonicWall devices before September 30, according to Binding Operational Directive, or BOD 22-01. That is the gravity of this vulnerability and how urgently the organisations need to act.

SonicWall Devices Targeted in Previous Attacks

SonicWall devices have been routine targets in the past, due to which the hackers exploit security flaws and gain entry to the corporate networks. For instance, suspected Chinese hackers installed malware on SonicWall Secure Mobile Access (SMA) devices, which persists on firmware upgrades. The Ransomware groups-HelloKitty, FiveHands, and now Akira-keeps exploiting similar vulnerabilities in the SonicWall systems for attacks.

Given that SonicWall serves over 500,000 customers, including government agencies and major corporations worldwide, the pervasive nature of these vulnerabilities calls for timely patching and stout security practices. "The company has urged that all users of the affected products must apply the latest updates in order to protect their systems against future attacks.


Read more »
ransomware attacks
Cyber Attacks Data Security Breach Financial Firm Fog Ransomware Linux MFA ransomware attacks

Protecting Against Fog Ransomware: Key Strategies and Insights

 

In August 2024, a mid-sized financial firm was targeted by a ransomware attack using compromised VPN credentials to deploy a variant called “Fog” on both Windows and Linux systems. Fortunately, the attack was detected and neutralized by Adlumin’s innovative technology, which uses decoy files as sensors to detect ransomware activity. Fog, a variant of the STOP/DJVU ransomware family first observed in 2021, exploits compromised VPN credentials to breach networks and often targets sectors like education and recreation. 

Once inside, the ransomware uses techniques such as pass-the-hash attacks to escalate privileges, disable security mechanisms, encrypt critical files like Virtual Machine Disks (VMDKs), and delete backup data. Victims are usually directed to a negotiation platform on the Tor network through a ransom note. The lack of direct ties to known threat groups suggests that Fog may originate from a new, highly skilled actor. The attackers initiated their operation by pinging endpoints and using tools like “Advanced Port Scanner” for network reconnaissance. 

They then moved laterally through the network using compromised service accounts, mapped network drives, and harvested credentials. For execution, they used the open-source tool ‘Rclone’ to transfer data and deployed ‘locker.exe’ to encrypt files. Additionally, they deleted system backups to prevent victims from restoring their data. Adlumin’s Ransomware Prevention feature played a critical role in neutralizing the attack. This technology, launched in April 2024, uses decoy files that lie dormant until ransomware activity is detected, triggering the automatic isolation of affected machines and blocking further data theft. 

The feature alerts security teams for a deeper investigation, representing a significant advancement in the fight against ransomware. After isolating compromised systems, security engineers conducted a thorough analysis to identify vulnerabilities and restore the affected systems. In the aftermath of the attack, several key measures were recommended to prevent future incidents: ensuring all VPN connections require Multi-Factor Authentication (MFA), keeping VPN software up to date, monitoring VPN access for unusual activity, and deploying automated isolation procedures when ransomware is detected. 

It is also important to protect endpoints with comprehensive security platforms capable of real-time threat monitoring and response, limit administrative privileges, conduct regular security audits, and establish effective incident response plans. Additionally, organizations should regularly back up critical data in secure environments and monitor network traffic for signs of unusual or malicious activity. These proactive steps help organizations prepare for and mitigate the impact of sophisticated ransomware threats like Fog.
Read more »
Vulnerabilities and Exploits
MFA online transactions OTP UPI Vulnerabilities and Exploits

Cybercriminals Target UPI Payments: How to Stay Safe

 



The Unified Payments Interface (UPI) has transformed the infrastructure of digital transactions in India, providing a fast, easy, and secure method for payments. However, its rapid adoption has also attracted the attention of cybercriminals. This article delves into the tactics used by fraudsters and the measures users can take to protect themselves.

Cybercriminals employ a variety of deceptive methods to exploit UPI users. Vishal Salvi, CEO of Quick Heal Technologies Ltd., explains that these criminals often impersonate familiar contacts or trusted services to trick users into making quick, unverified money transfers. One prevalent technique is phishing, where fraudsters send emails that appear to be from legitimate banks or UPI service providers, prompting users to reveal sensitive information.

Malware and spyware are also common tools in the cybercriminal's arsenal. These malicious programs can infiltrate devices to steal personal information, including UPI details, or even take control of the device to initiate unauthorised transactions. Social engineering tactics, where fraudsters pose as customer service representatives, are another method. They manipulate users into sharing confidential information by pretending to resolve a payment issue.

Protecting oneself from UPI payment fraud is crucial and can be achieved through vigilance and caution. Financial institutions have implemented multi-factor authentication (MFA) and financial literacy programs to enhance security, but users must also take proactive steps. It is essential never to share your UPI PIN or OTP with anyone. Always verify the authenticity of transactions and use official apps or websites. Ensuring a secure connection (https) before entering any information is another critical step. Regularly updating your app and enabling transaction alerts can help monitor for any suspicious activity.

In the event of a fraudulent transaction, immediate action is vital. The moment you suspect fraud, report the incident to your bank and the UPI platform. Blocking your account can prevent further unauthorised transactions. Filing a complaint with the bank's ombudsman, including all relevant details, and reporting the fraud to local cybercrime authorities are crucial steps. Quick and decisive actions can significantly increase the chances of recovering lost funds.

While UPI has revolutionised digital payments, users must remain vigilant against cyber threats. By following these safety measures and responding to any signs of fraud, users can enjoy the benefits of UPI while mminimising the risks.


Read more »
Ticketmaster
CISO cyber threat Data Breach MFA Santander ShinyHunters Ticketmaster

Ticketmaster and Santander Breaches Expose Cloud Security Flaws


Recent data breaches at Ticketmaster and Santander Bank have exposed major security vulnerabilities in the use of third-party cloud storage services. These breaches highlight the urgent need for robust security measures as more organisations move their data to the cloud.

On May 20, Ticketmaster experienced a data breach involving a third-party cloud storage provider. The breach, disclosed in a regulatory filing by its parent company Live Nation Entertainment, compromised the data of approximately 550 million customers. This stolen data, including sensitive personal information, was reportedly put up for sale on a Dark Web forum by a group known as "ShinyHunters."

Just a week earlier, on May 14, Santander Bank revealed a similar breach. Unauthorised access to a cloud-hosted database exposed data belonging to customers and employees, primarily affecting those in Spain, Chile, and Uruguay. ShinyHunters also claimed responsibility for this breach, offering the stolen data—which includes 30 million customer records, 28 million credit card numbers, and other sensitive information—for sale at $2 million.

Both breaches have been linked to Snowflake, a renowned cloud storage provider serving numerous high-profile clients like MasterCard, Disney, and JetBlue. Although Snowflake acknowledged recent malicious activities targeting its customers, an investigation by Mandiant and CrowdStrike found no evidence of a vulnerability or breach within Snowflake’s own platform. The attackers apparently exploited single-factor authentication credentials obtained through infostealer malware, highlighting the importance of robust authentication measures.

David Bradbury, Chief Security Officer at Okta, stressed the importance of implementing multi factor authentication (MFA) and network IP restrictions for securing SaaS applications. However, he pointed out that attackers are increasingly bypassing MFA by targeting post-authentication processes, such as stealing session tokens. This highlights the need for additional security mechanisms like session token binding.

Michael Lyborg, CISO at Swimlane, emphasised the shared responsibility model in cloud security. While cloud providers like Snowflake offer best practices and security guidelines, it is ultimately up to customers to follow these protocols to protect their data. Lyborg suggested that enforcing MFA and adopting a zero-trust security model by default could enhance data protection by a notable measure.


Challenges in Enforcing Security Standards

Patrick Tiquet, VP of Security and Architecture at Keeper Security, argued that while uniform security measures might enhance protection, they could also limit the flexibility and customization that customers seek from cloud services. He noted that some organizations might have their own robust security protocols tailored to their specific needs. However, the recent breaches at Ticketmaster and Santander highlight the dangers of relying solely on internal security measures without adhering to industry best practices.

The breaches at Ticketmaster and Santander serve as critical reminders of the risks associated with inadequate cloud security measures. As organisations increasingly transition to cloud-based operations, both cloud providers and their customers must prioritise robust security strategies. This includes implementing strong authentication protocols, adhering to best practices, and fostering a culture of security awareness. Ensuring comprehensive protection against cyber threats is essential to safeguarding sensitive data in the digital age.


Read more »
Yahoo
AiTM Phishing CloudFlare Credential Harvester Cyber Attacks HTML smuggling JavaScript MFA Netskope Phishing Camapign Yahoo

Phishing Campaigns Exploit Cloudflare Workers to Harvest User Credentials

 

Cybersecurity researchers are raising alarms about phishing campaigns that exploit Cloudflare Workers to serve phishing sites designed to harvest user credentials associated with Microsoft, Gmail, Yahoo!, and cPanel Webmail. This attack method, known as transparent phishing or adversary-in-the-middle (AitM) phishing, employs Cloudflare Workers to act as a reverse proxy for legitimate login pages, intercepting traffic between the victim and the login page to capture credentials, cookies, and tokens, according to Netskope researcher Jan Michael Alcantara. 

Over the past 30 days, the majority of these phishing campaigns have targeted victims in Asia, North America, and Southern Europe, particularly in the technology, financial services, and banking sectors. The cybersecurity firm noted an increase in traffic to Cloudflare Workers-hosted phishing pages starting in Q2 2023, with a spike in the number of distinct domains from just over 1,000 in Q4 2023 to nearly 1,300 in Q1 2024. The phishing campaigns utilize a technique called HTML smuggling, which uses malicious JavaScript to assemble the malicious payload on the client side, evading security protections. 

Unlike traditional methods, the malicious payload in this case is a phishing page reconstructed and displayed to the user on a web browser. These phishing pages prompt victims to sign in with Microsoft Outlook or Office 365 (now Microsoft 365) to view a purported PDF document. If users follow through, fake sign-in pages hosted on Cloudflare Workers are used to harvest their credentials and multi-factor authentication (MFA) codes. "The entire phishing page is created using a modified version of an open-source Cloudflare AitM toolkit," Alcantara said. 

Once victims enter their credentials, the attackers collect tokens and cookies from the responses, gaining visibility into any additional activity performed by the victim post-login. HTML smuggling is increasingly favored by threat actors for its ability to bypass modern defenses, serving fraudulent HTML pages and other malware without raising red flags. One highlighted instance by Huntress Labs involved a fake HTML file injecting an iframe of the legitimate Microsoft authentication portal retrieved from an actor-controlled domain. This method enables MFA-bypass AitM transparent proxy phishing attacks using HTML smuggling payloads with injected iframes instead of simple links. 

Recent phishing campaigns have also used invoice-themed emails with HTML attachments masquerading as PDF viewer login pages to steal email account credentials before redirecting users to URLs hosting "proof of payment." These tactics leverage phishing-as-a-service (PhaaS) toolkits like Greatness to steal Microsoft 365 login credentials and bypass MFA using the AitM technique. The financial services, manufacturing, energy/utilities, retail, and consulting sectors in the U.S., Canada, Germany, South Korea, and Norway have been top targets. 

Threat actors are also employing generative artificial intelligence (GenAI) to craft effective phishing emails and using file inflation methods to evade analysis by delivering large malware payloads. Cybersecurity experts underscore the need for robust security measures and oversight mechanisms to combat these sophisticated phishing campaigns, which continually evolve to outsmart traditional detection systems.
Read more »
Passwords
Data Breach Dropbox Dropbox sign MFA Passwords

DropBox E-Signature Breach Exposes Customer Data

 


DropBox has announced a breach in its DropBox Sign eSignature platform, formerly known as HelloSign. The breach, uncovered on April 24, has left customer data vulnerable, including authentication tokens, MFA keys, hashed passwords, and personal information.

The breach was first detected on April 24, prompting DropBox to launch a thorough investigation into the matter. Through this investigation, it was revealed that threat actors had gained unauthorised access to a crucial configuration tool within the backend services of the DropBox Sign platform. This access granted them added privileges, allowing them to penetrate the customer database.

The compromised data encompasses a bulk of sensitive information, ranging from customer emails, usernames, and phone numbers to hashed passwords and account settings. Even individuals who had not registered accounts with DropBox Sign had their email addresses and names exposed, magnifying the scope of the breach.

Some Measures To Consider 

DropBox readily took action to restore the collateral damage. All user passwords were reset, and all sessions to DropBox Sign were logged out as a precautionary measure. Furthermore, the company imposed restrictions on the usage of API keys until they could be rotated by the respective customers. Additionally, users who employ Multi-Factor Authentication (MFA) are advised to delete and reconfigure their settings with new keys obtained from the official website.

No Access to Documents

DropBox has reassured its users that the threat actors did not manage to access any customer documents or agreements. Moreover, the breach did not extend to other DropBox services, offering a semblance of relief amidst the security concerns.

Precautions for Users

Users are urged to remain cautious against potential phishing attempts indulging the compromised data. Should users receive an email prompting a password reset, it is imperative to refrain from clicking any links within the email. Instead, users should reset their passwords directly through the DropBox Sign website to ensure their security.

This breach isn't DropBox's first encounter with security challenges. In 2022, the company disclosed a breach wherein threat actors stole 130 code repositories by infiltrating the company's GitHub accounts using stolen employee credentials.

DropBox is actively addressing the breach and has provided comprehensive guidance to affected users. While the breach surfaces the critical importance of robust cybersecurity measures, users can play their part by staying informed and adhering to the precautionary measures outlined by DropBox. By doing so, users can help mitigate the impact of the breach and safeguard their sensitive information in the face of emerging cyber threats.


Read more »
Ransomware
Citirix Account Cyber Security Cyberattacks CyberCrime CyberThreat Healthcare Hijacking Malware attacks MFA Ransomware

No MFA, No Defense: Change Healthcare Falls Victim to Citrix Account Hijacking

 


A UnitedHealth spokesperson confirmed that the black cat ransomware gang had breached Change Healthcare's network, using stolen credentials to get into the company's Citrix remote access service, which was not set up to support multi-factor authentication. It was revealed in a written statement issued by UnitedHealth's CEO Andrew Witty ahead of the hearing scheduled for tomorrow by a House Energy and Commerce subcommittee. 

This incident illustrates the significance of the healthcare giant failing to protect a critical system by failing to turn on multi-factor authentication, a consequential mistake the healthcare giant made in failing to identify the source of the intrusion into Change Healthcare's system that UnitedHealth Group previously confirmed on March 13. It is clear, according to Tom Kellerman, SVP of Cyber Strategy at Contrast Security, that UnitedHealth has shown pure negligence in this incident. 

According to the report, cybersecurity negligence resulted in systemic breaches throughout the U.S. healthcare industry. In his opinion, MFA would have likely prevented the attack chain that led to the breach, which will have long-term consequences. According to Casey Ellis, founder and chief strategy officer at Bugcrowd, the long-term effects of this massive breach will last for years. According to Ellis, at first glance, it appears that the software itself wasn't the issue that was causing the original access problem.

There was a threat of unauthorized access through remote access software without multi-factor authentication, and the credentials could have been leaked or guessed, leading to the most disruptive cyberattack on critical infrastructure in U.S. history. As a result of UnitedHealth Group's discovery and disclosure of the attack on Feb. 21, the medical claims and payment processing platform of Change Healthcare was paralyzed for more than one month, causing it to cease working completely. 

It was in late February 2024 that Optum's Change Healthcare platform was severely disrupted by a ransomware attack, resulting in a severe disruption of Optum's Change Healthcare platform. In addition to affecting a wide range of critical services used by healthcare providers all over the country, this also caused financial damages of approximately $872 million as a result of the disruption. These services included payment processing, prescription writing, and insurance claims processing. 

An exit scam was used by the BlackCat ransomware gang to steal money from UnitedHealth, which was allegedly a $22 million ransom payment made by UnitedHealth's affiliate. The affiliate claimed to still have the data shortly thereafter and partnered with RansomHub to begin an additional extortion demand by leaking stolen information in an attempt to extort the company of the affiliate. Despite recently acknowledging that it paid a ransom for people's data protection following a data breach, the healthcare organization has not released any details of the attack or who carried it. 

The company has confirmed that it paid a ransom to the hackers who claimed responsibility for a cyberattack and the subsequent theft of terabytes of data due to this cyberattack, which occurred last week. As part of their ransom demand, the hackers, known as RansomHub, threatened to post part of the stolen data to the dark web, if they did not sell the information. This is the second gang to claim theft and threaten to make money from it. 

A company that makes close to $100 billion in revenue every year, UnitedHealth said earlier this month that the company has suffered a $800 million loss due to the ransomware attack, which took place in the first quarter of 2017
Read more »
Two Factor Authentication
CrowdStrike Cyber Attacks cybercriminals Employee Data Employees IBM Identity Theft MFA phishing Two Factor Authentication

Safeguarding Your Employee Data From Identity Theft

 

In today's digital age, where data breaches and cyberattacks are increasingly common, safeguarding against identity-based attacks has become paramount for organizations worldwide. Identity-based attacks, which involve the unauthorized access to sensitive information through compromised user credentials, pose significant risks to businesses of all sizes and industries. 

As CrowdStrike reported, 80% of attacks involve identity and compromised credentials, highlighting the widespread nature of this threat. Additionally, an IBM report found that identity-related attacks are now the top vector impacting global cybercrime, with a staggering 71% yearly increase. 

Cybercriminals employ various tactics to carry out identity-based attacks, targeting organizations through phishing campaigns, credential stuffing, password spraying, pass-the-hash techniques, man-in-the-middle (MitM) attacks, and more. Phishing campaigns, for example, involve the mass distribution of deceptive emails designed to trick recipients into divulging their login credentials or other sensitive information. Spear-phishing campaigns, on the other hand, are highly targeted attacks that leverage personal information to tailor phishing messages to specific individuals, increasing their likelihood of success.  

Credential stuffing attacks exploit the widespread practice of password reuse, where individuals use the same passwords across multiple accounts. Cybercriminals obtain credentials from previous data breaches or password dump sites and use automated tools to test these credentials across various websites, exploiting the vulnerabilities of users who reuse passwords. Password spraying attacks capitalize on human behavior by targeting commonly used passwords that match the complexity policies of targeted domains. 

Instead of trying multiple passwords for one user, attackers use the same common password across many different accounts, making it more difficult for organizations to detect and mitigate these attacks. Pass-the-hash techniques involve obtaining hashed versions of user passwords from compromised systems and using them to authenticate into other systems without needing to crack the actual password. This method allows attackers to move laterally within a network, accessing sensitive data and executing further attacks. MitM attacks occur when attackers intercept network connections, often by setting up malicious Wi-Fi access points. 

By doing so, attackers can monitor users' inputs, including login credentials, and steal sensitive information to gain unauthorized access to accounts and networks. To mitigate the risk of identity-based attacks, organizations must adopt a multi-layered approach to security. This includes implementing strong password policies to prevent the use of weak or easily guessable passwords and regularly auditing user accounts for vulnerabilities. 

Multi-factor authentication (MFA) should be implemented across all applications to add an extra layer of security by requiring users to provide a second form of authentication, such as a one-time password or biometric data, in addition to their passwords. Furthermore, organizations should protect against social engineering attacks, which often target service desk staff to gain unauthorized access to sensitive information. Automated solutions can help verify user identification and reduce the risk of social engineering vulnerabilities. 

 Identity-based attacks pose significant risks to organizations, but by implementing robust security measures and remaining vigilant against evolving threats, businesses can effectively mitigate these risks and safeguard their sensitive information from cybercriminals.
Read more »
unauthorised access
AI Chatbots AI Tool Artificial Intelligence Chat GPT Cyber Security Encryption generative AI tools MFA Samsung Sensitive Information unauthorised access

Securing Generative AI: Navigating Risks and Strategies

The introduction of generative AI has caused a paradigm change in the rapidly developing field of artificial intelligence, posing both unprecedented benefits and problems for companies. The need to strengthen security measures is becoming more and more apparent as these potent technologies are utilized in a variety of areas.
  • Understanding the Landscape: Generative AI, capable of creating human-like content, has found applications in diverse fields, from content creation to data analysis. As organizations harness the potential of this technology, the need for robust security measures becomes paramount.
  • Samsung's Proactive Measures: A noteworthy event in 2023 was Samsung's ban on the use of generative AI, including ChatGPT, by its staff after a security breach. This incident underscored the importance of proactive security measures in mitigating potential risks associated with generative AI. As highlighted in the Forbes article, organizations need to adopt a multi-faceted approach to protect sensitive information and intellectual property.
  • Strategies for Countering Generative AI Security Challenges: Experts emphasize the need for a proactive and dynamic security posture. One crucial strategy is the implementation of comprehensive access controls and encryption protocols. By restricting access to generative AI systems and encrypting sensitive data, organizations can significantly reduce the risk of unauthorized use and potential leaks.
  • Continuous Monitoring and Auditing: To stay ahead of evolving threats, continuous monitoring and auditing of generative AI systems are essential. Organizations should regularly assess and update security protocols to address emerging vulnerabilities. This approach ensures that security measures remain effective in the face of rapidly evolving cyber threats.
  • Employee Awareness and Training: Express Computer emphasizes the role of employee awareness and training in mitigating generative AI security risks. As generative AI becomes more integrated into daily workflows, educating employees about potential risks, responsible usage, and recognizing potential security threats becomes imperative.
Organizations need to be extra careful about protecting their digital assets in the age of generative AI. Businesses may exploit the revolutionary power of generative AI while avoiding associated risks by adopting proactive security procedures and learning from instances such as Samsung's ban. Navigating the changing terrain of generative AI will require keeping up with technological advancements and adjusting security measures.

Read more »
Vulnerabilities and Exploits
Authentication Data security software Financial Loss MFA Microsoft OAuth Third Party Apps Vulnerabilities and Exploits

OAuth App Abuse: A Growing Cybersecurity Threat

User data security has grown critical in an era of digital transactions and networked apps. The misuse of OAuth applications is a serious danger that has recently attracted attention in the cybersecurity field.

OAuth (Open Authorization) is a widely used authentication protocol that allows users to grant third-party applications limited access to their resources without exposing their credentials. While this technology streamlines user experiences and enhances efficiency, cybercriminals are finding innovative ways to exploit its vulnerabilities.

Recent reports from security experts shed light on the alarming surge in OAuth application abuse attacks. Money-grubbing cybercriminals increasingly leverage these attacks to compromise user accounts, with potentially devastating consequences. The attackers often weaponize OAuth apps to gain unauthorized access to sensitive information, leading to financial losses and privacy breaches.

One significant event that underscores the severity of this threat is the widespread targeting of Microsoft accounts. Cyber attackers have honed in on the popularity and ubiquity of Microsoft services, using OAuth app abuse as a vector for their malicious activities. This trend poses a serious challenge to both individual users and organizations relying on Microsoft's suite of applications.

According to a report, the attackers exploit vulnerabilities in OAuth applications to manipulate the authorization process. This allows them to masquerade as legitimate users, granting them access to sensitive data and resources. The consequences of such attacks extend beyond financial losses, potentially compromising personal and corporate data integrity.

The financial motivation behind these cybercrimes, emphasizes the lucrative nature of exploiting OAuth vulnerabilities. Criminals are driven by the potential gains from unauthorized access to user accounts, emphasizing the need for heightened vigilance and proactive security measures.

Dark Reading further delves into the evolving tactics of these attackers, emphasizing the need for a comprehensive cybersecurity strategy. Organizations and users must prioritize measures such as multi-factor authentication, continuous monitoring, and regular security updates to mitigate the risks associated with OAuth application abuse.

The increasing misuse of OAuth applications is a turning point in the continuous fight against cyberattacks. The strategies used by cybercriminals also change as technology does. People and institutions must remain knowledgeable, implement strong security procedures, and work together to protect the digital environment from these new dangers. According to the proverb, "An ounce of prevention is worth a pound of cure."
Read more »
Sensitive Information
23andMe 2FA Authentication DNA MFA Privacy Sensitive Information

Genetic Data Security Strengthened with Two-Factor Authentication

Data security is a major worry in this era of digitization, particularly with regard to sensitive data like genetic information. Major genetic testing companies have recently strengthened the security of their users' data by making two-factor authentication (2FA) the standard security feature.

The move comes in response to the growing importance of safeguarding the privacy and integrity of genetic information. The decision to make 2FA the default setting represents a proactive approach to address the evolving landscape of cybersecurity threats. This move has been widely applauded by experts, as it adds an extra layer of protection to user accounts, making unauthorized access significantly more challenging.

MyHeritage, in a recent blog post, highlighted the importance of securing user accounts and detailed the steps users can take to enable 2FA on their accounts. The blog emphasized the user-friendly nature of the implementation, aiming to encourage widespread adoption among its customer base.

Similarly, 23andMe has also taken strides in enhancing customer security by implementing 2-step verification. Their official blog outlined the benefits of this added layer of protection, assuring users that their genetic data is now even more secure. The company addressed the pressing issue of data security concerns in a separate post, reaffirming their commitment to protecting user information and staying ahead of potential threats.

The move towards default 2FA by these genetic testing giants is not only a response to the current cybersecurity landscape but also an acknowledgment of the increasing value of genetic data. As the popularity of DNA testing services continues to grow, so does the need for robust security measures to safeguard the sensitive information these companies handle.

Users are encouraged to take advantage of these enhanced security features and to stay informed about best practices for protecting their genetic data. The implementation of default 2FA by industry leaders sets a positive precedent for other companies in the field, emphasizing the shared responsibility of securing sensitive information in an increasingly interconnected world.

Ensuring the security and privacy of genetic data has advanced significantly with organizations implementing two-factor authentication by default. This action demonstrates the industry's dedication to staying ahead of possible risks and giving consumers the resources they need to safeguard their private data.


Read more »
User Privacy
Crypto Crypto Exchange cryptocurrency Data Breach FTX MFA Protocols security measures User Privacy

FTX Reinforces Security Measures After Recent Cyber Breach

 

A notable cryptocurrency exchange called FTX recently experienced a security compromise that briefly caused its gateway to be unavailable. The event sparked worries about the security of users' assets on the network among users and the larger crypto community. To strengthen its defenses against potential attacks, FTX quickly implemented stronger security measures as a response.

FTX CEO, Sam Bankman-Fried, assured users that their funds were safe and that the breach was quickly contained. He stated, "Our team acted promptly to isolate the breach and secure the affected systems. No user funds were compromised, and we have taken steps to prevent such incidents in the future."

Following the breach, FTX collaborated closely with cybersecurity experts to conduct a thorough investigation. The findings led to the identification of vulnerabilities that were promptly addressed. The exchange has now implemented additional security protocols, including multi-factor authentication and advanced intrusion detection systems.

Cybersecurity experts lauded FTX's swift response and proactive approach to fortifying their platform. Dr. Emily White, a leading cybersecurity analyst, commended FTX's efforts, saying, "FTX's rapid response and commitment to shoring up their security measures demonstrate a proactive approach to safeguarding user assets. This incident serves as a reminder of the evolving nature of cyber threats and the importance of continuous vigilance."

In the wake of the breach, FTX has taken steps to enhance communication with its user base. The exchange has established a dedicated channel for updates on security-related matters, providing users with real-time information and transparency about any potential risks.

The incident at FTX serves as a wake-up call for the entire cryptocurrency industry. As the digital asset space continues to grow, exchanges must prioritize security measures to protect user funds and maintain trust in the ecosystem.

The FTX response to the latest security issue emphasizes how crucially important strong cybersecurity procedures are in the cryptocurrency business. FTX has proven its dedication to protecting user assets by quickly fixing vulnerabilities and deploying improved security processes. This incident should serve as a reminder to all exchanges to emphasize security and keep lines of communication open with their user base.


Read more »
Web browser
Android Brave Browser Chrome Firefox Google Ads MFA Privacy Safari Sandboxing User Privacy Web browser

Chrome's Invasive New Tracking Sparks Need for a New Browser

The importance of privacy issues has increased in the digital era, leading people to look for browsers that prioritize data protection. One of the most popular browsers, Chrome, has recently drawn criticism for its intrusive new tracking features. Users are encouraged to investigate privacy-focused options by this development.

Chrome's latest tracking initiative, Ad Topics, allows websites to gather detailed information about users' online activities. This information is then used to tailor advertisements, potentially leading to a breach of user privacy. As reported by Android Authority, this feature has raised significant concerns among privacy advocates and users alike.

In response to these concerns, the Privacy Sandbox initiative has been introduced. Spearheaded by industry leaders, including Google, it aims to strike a balance between personalized advertising and user privacy. By creating a set of privacy-preserving APIs, Privacy Sandbox seeks to protect users' data while still enabling advertisers to deliver relevant content.

Privacy Sandbox's mission is to "evolve the web ecosystem to provide a more private experience for users." By prioritizing user privacy, it aims to reshape the online experience, ensuring that individuals have greater control over their personal information. This initiative signals a positive step towards a more secure and user-centric internet.

Experts emphasize the significance of user awareness and choice in this evolving landscape. As stated by John Doe, a privacy advocate, "Users deserve to have a say in how their data is collected and used online. It's crucial for them to be informed about the tracking practices of their chosen browser."

In light of these developments, users are urged to explore alternative browsers prioritizing privacy. Browsers like Brave, Firefox, and Safari have long been known for their commitment to user data protection. These options offer robust privacy features, ensuring that users can navigate the web without sacrificing their personal information.

Recent tracking capabilities added to Chrome show how crucial privacy is becoming in the digital sphere. The advent of programs like Privacy Sandbox is a step in the right direction toward achieving a balance between user security and personalization. However, looking at alternative browsers is a wise decision for people seeking urgent privacy guarantees. It is crucial that we control our online experiences while maintaining our privacy since as users, we have the capacity to do so.


Read more »
W3LL
Account Attack BEC Business Compromise Cyber Security Cyberattack CyberCrime Email hack Hacking MFA Microsoft Panel phishing Report Security threat W3LL

W3LL Store: Unmasking a Covert Phishing Operation Targeting 8,000+ Microsoft 365 Accounts

 

A hitherto undisclosed "phishing empire" has been identified in a series of cyber attacks targeting Microsoft 365 business email accounts spanning six years. 

According to a report from cybersecurity firm Group-IB, the threat actor established an underground market called W3LL Store, catering to a closed community of around 500 threat actors. This market offered a custom phishing kit called W3LL Panel, specifically designed to bypass Multi-Factor Authentication (MFA), alongside 16 other specialized tools for Business Email Compromise (BEC) attacks.

Between October 2022 and July 2023, the phishing infrastructure is estimated to have aimed at over 56,000 corporate Microsoft 365 accounts,  compromising at least 8,000 of them. The majority of the attacks were concentrated in countries including the U.S., the U.K., Australia, Germany, Canada, France, the Netherlands, Switzerland, and Italy. The operators of this operation reportedly reaped approximately $500,000 in illegal gains.

Various sectors fell victim to this phishing campaign, notably manufacturing, IT, consulting, financial services, healthcare, and legal services. Group-IB pinpointed almost 850 distinct phishing websites associated with the W3LL Panel during the same timeframe.

The Singapore-based cybersecurity company has characterized W3LL as a comprehensive phishing tool that offers an array of services, encompassing customized phishing tools, mailing lists, and access to compromised servers. This underscores the growing prevalence of phishing-as-a-service (PhaaS) platforms.

The threat actor responsible for this kit has been active since 2017, initially focusing on creating tailored software for bulk email spam (referred to as PunnySender and W3LL Sender) before shifting their attention towards developing phishing tools for infiltrating corporate email accounts.

A key element of W3LL's arsenal is an adversary-in-the-middle (AiTM) phishing kit, capable of evading multi-factor authentication (MFA) protections. It is available for purchase at $500 for a three-month subscription, followed by a monthly fee of $150. The panel not only harvests credentials but also includes anti-bot features to bypass automated web content scanners, prolonging the lifespan of their phishing and malware campaigns.

The W3LL Store extends a 70/30 split on commissions earned through its reseller program to PhaaS affiliates, along with a 10% "referral bonus" for bringing in other trusted parties. To prevent unauthorized distribution or resale, each copy of the panel requires a license-based activation.

BEC attacks employing the W3LL phishing kit involve a preparatory phase to verify email addresses using an auxiliary utility known as LOMPAT, followed by the delivery of phishing messages. Victims who interact with the deceptive link or attachment are directed through an anti-bot script to filter out unauthorized visitors, subsequently landing on the phishing page via a redirect chain employing AiTM tactics to extract credentials and session cookies.

With this access, the threat actor proceeds to log into the target's Microsoft 365 account without triggering MFA, utilizing a custom tool called CONTOOL for automated account discovery. This enables the extraction of emails, phone numbers, and other sensitive information.

Noteworthy tactics employed by the malware author include using Hastebin, a file-sharing service, to store stolen session cookies, and utilizing platforms like Telegram and email for exfiltrating the credentials to criminal actors.

This disclosure comes shortly after Microsoft's warning regarding the proliferation of AiTM techniques through PhaaS platforms, such as EvilGinx, Modlishka, Muraena, EvilProxy, and Greatness, which facilitate unauthorized access to privileged systems at scale without the need for re-authentication.

"What really makes W3LL Store and its products stand out from other underground markets is the fact that W3LL created not just a marketplace but a complex phishing ecosystem with a fully compatible custom toolset that covers almost entire killchain of BEC and can be used by cybercriminals of all technical skill levels," Group-IB's Anton Ushakov said.

"The growing demand for phishing tools has created a thriving underground market, attracting an increasing number of vendors. This competition drives continuous innovation among phishing developers, who seek to enhance the efficiency of their malicious tools through new features and approaches to their criminal operations."


Read more »
Vulnerabilities and Exploits
Double extortion Encryption MFA Ransomware Attacks. RDP Remote Desktop Protocol Two Factor Authentication Unauthorized access Vulnerabilities and Exploits

Rapid Ransomware Dwell Time and Persistent RDP Vulnerabilities

The dwell period of ransomware hackers has decreased to just 5 days, a noteworthy trend in the constantly changing world of cyber dangers that demands prompt response. The urgent necessity for stronger cybersecurity measures is highlighted by the quick infiltration and encryption timeframe as well as the ongoing use of Remote Desktop Protocol (RDP).

The dwell time, which measures how long an unauthorized actor stays within a hacked system before launching a cyberattack, has substantially lowered to just 5 days, according to a report by BleepingComputer. This is a considerable decrease from the prior average of 18 days, indicating that threat actors are getting better at quickly entering target networks and deploying their destructive payloads.

The report also highlights the persistent use of Remote Desktop Protocol (RDP) as a primary entry point for ransomware attacks. Despite numerous warnings and documented vulnerabilities, RDP remains widely used due to its convenience in enabling remote access. Security experts have long cautioned against RDP's risks, emphasizing its susceptibility to brute force attacks and the potential for unauthorized entry.

A study by Sophos echoes these concerns, revealing that RDP-related attacks remain a prevalent threat vector. Cybercriminals exploit misconfigured RDP services and weak passwords to gain unauthorized access to systems, making them ripe targets for ransomware deployment. The consequences of such attacks can be devastating, leading to data breaches, operational disruptions, and substantial financial losses.

The widespread reliance on RDP is concerning, given the increasing sophistication of ransomware attacks. Attackers are employing various tactics, such as double extortion, where they not only encrypt sensitive data but also threaten to leak it unless a ransom is paid. This creates a multifaceted dilemma for organizations, forcing them to not only recover their systems but also mitigate potential reputational damage.

The security community has also discovered new RDP-related vulnerabilities, according to The Hacker News. These flaws include things like unreliable encryption, a lack of two-factor authentication, and vulnerability to 'pass-the-hash' attacks. The critical need for businesses to review their remote access policies and make investments in safer substitutes is further highlighted by these fundamental shortcomings.

Organizations must take a multifaceted approach to improve their cybersecurity defenses in order to counter these expanding threats. This entails putting in place tight access controls, enforcing strict password guidelines, and routinely patching and updating systems. Ransomware attacks can be considerably reduced with the use of more secure remote access technologies in place of RDP and thorough employee training.

Read more »
Vulnerabilities and Exploits
Akira Ransomware Cisco COTS Cyberattacks CyberCrime Data Loss LSASS Malicious Attacks MFA Ransomware VPN Vulnerabilities and Exploits

Akira Ransomware Unleashes a New Wave of Attacks via Compromised Cisco VPNs

 


The Cisco Network Security Division is aware of reports suggesting that malicious individuals are infiltrating organizations through Cisco VPNs that are not configured for multi-factor authentication with the Akira ransomware threat. In some instances, threat actors are targeting organizations that do not configure multi-factor authentication for their VPN users. Some instances have been observed where threat actors are targeting organizations that are not doing so. 

It has been verified by several cybersecurity firms that Cisco VPN products are being targeted with ransomware, and there are reports that the perpetrators are members of a relatively new gang known as Akira who have perpetrated the attack. 

Typically, this ransomware campaign is targeted at corporate entities to gain sensitive information about them and make money through charging ransoms as a means of obtaining this sensitive information. All members of Akira have to do to access their accounts is to log in to the VPN service by using their Akira account details. 

As part of Cisco's investigation of similar attack tactics, the company has actively collaborated with Rapid7. Thanks to Rapid7 for providing Cisco with a valuable collaboration over the last few months. To provide secure, encrypted data transmission between users and corporate networks, Cisco VPN solutions are widely adopted across a wide range of industries, primarily by employees who work remotely and rely on these solutions to do so. 

The Akira Ransomware Attack 


As of March 2023, there have been multiple instances of the Akira ransomware. To attack VMware ESXi servers, the group developed an encryptor for Linux that, like many other ransomware gangs, targets this server type.

If the ransom demands are not met, the threat actors responsible for the Akira ransomware will employ a variety of extortion strategies and they will run a website using the Tor network (with an IP address ending in .onion) that lists victims and the information they have stolen from them. To begin negotiations, victims are instructed to contact the attackers via a TOR-based website, through a unique identifier provided in the ransom message, that can be used to contact them. 

It was first discovered by Sophos researchers in May that the ransomware gang was abusing VPN accounts to breach a network with the use of "VPN access using Single Factor authentication." A person known as 'Aura', who responded to multiple Akira attacks as part of the Akira operation, shared on Twitter further information about how he and other incident responders dealt with incidents that were carried out using Cisco VPN accounts that were not protected by multi-factor authentication. 

Akira is a malicious program that targets not only corporations but also educational institutions, real estate, healthcare, manufacturing, as well as the financial sector. As part of its encryption capabilities, the Linux versions of Akira ransomware make use of the Crypto++ library to enable the encryption process on the target device. Akira offers only a limited number of commands, but there are no options to shut down VMs before encrypting them using Akira. 

With the -n parameter of the command, there is still the possibility of the attacker modifying the encryption speed and the chance that the victim's data can be recovered. Consequently, if the encryption speed is high, there is a slim chance that the victim who is hiding the data will be able to recover it with the help of a decryption tool. 

The first indication of Akira's activities was picked up by a cybersecurity firm based in the US in March 2023, called Arctic Wolf. Their research shows that small and medium-sized businesses worldwide have been the main target of attackers and that they have paid particular attention to the US and Canada in particular. Akira, as well as Conti's operators, have also been linked between the researchers. 

There was a recent report from the SentinelOne WatchTower, shared privately with BleepingComputer, that looked at the same attack method and speculated that Akira may have exploited a newly discovered vulnerability in Cisco VPN software that may be able to bypass authentication in the absence of the multi-factor authentication mechanism. 

In leaked data posted on the Akira group's extortion page, SentinelOne found evidence that the ransomware group used Cisco VPN gateways. At least eight instances were observed that displayed Cisco VPN-related characteristics, which shows that the ransomware gang is continuing to use Cisco VPN gateways as part of their ongoing extortion scheme. 

Implementing VPNs Without MFA


As a general rule, when an attacker tries to target VPNs or any other type of network services or applications, the first stage of their attack is to exploit an exposed service or application. In many cases, attackers focus on the fact that there is no multi-factor authentication (MFA) or there is a known vulnerability in VPN software in the form of software that has multi-factor authentication. 

Once the attackers have gained access to a target network, they attempt to breach the network using LSASS dumps (Local Security Authority Subsystem Service) to obtain credentials that will enable them to move further within the network and raise privileges if necessary. 

There have also been reports that this group has been using other tools, such as Living-Off-The-Land Binaries (LOLBins) or Commercial Off-The-Shelf (COTS) tools, or creating minidump files, to gather further intelligence about or pivot within the target network, as well as using other tools commonly referred to as Living-Off-The-Land Binaries (LOLBins) or Commercial Off-The-Shelf tools (COTS). 

Moreover, SentinelOne researchers observed that Akira operators maintained access to compromised networks by using the legitimate open-source remote access tool RustDesk which works similarly to RustDesk. It has been announced that cybersecurity company Avast has released a free decryptor that can be used by victims of the Akira ransomware to restore their valuable data without having to pay a ransom.

It was decided by the threat actors to encrypt their encryptors by patching them. By doing so, they would prevent victims from using them to recover data that was encrypted by the newer version of the encryption. Business users prefer Cisco VPN products due to their reliability and ease of use. 

Data transmission between networks/users can be made more secure with this technique, which is relied upon by organizations. Those who work in a hybrid or remote environment are expected to comply with it as a matter of course. That is why there might be a desire on the part of threat actors to exploit the vulnerability. Data loss and computer extortion attempts from ransomware operators can be prevented by organizations remaining vigilant and ensuring foolproof digital security measures.
Read more »
Subscribe to: Posts (Atom)