Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label MFA. Show all posts
Password Manager
Credentials cyber attack Cybersecurity Digital Security Hacking Infostealer malware MFA Password Manager

Cybercriminals Intensify Attacks on Password Managers

 

Cybercriminals are increasingly setting their sights on password managers as a way to infiltrate critical digital accounts.

According to Picus Security’s Red Report 2025, which analyzed over a million malware samples from the past year, a quarter (25%) of all malware now targets credentials stored in password managers. Researchers noted that this marks a threefold surge compared to the previous year.

“For the first time ever, stealing credentials from password stores is in the top 10 techniques listed in the MITRE ATT&CK Framework,” they said. “The report reveals that these top 10 techniques accounted for 9Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. 3% of all malicious actions in 2024.”

Advanced Hacking Techniques

Dr. Suleyman Ozarslan, co-founder and VP of Picus Labs, revealed that cybercriminals use sophisticated methods like memory scraping, registry harvesting, and breaching both local and cloud-based password stores to extract credentials.

To counter this rising threat, Ozarslan emphasized the importance of using password managers alongside multi-factor authentication (MFA). He also warned against password reuse, particularly for password.

Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. Picus Security highlighted that modern cybercriminals are now favoring long-term, multi-stage attacks that leverage a new generation of malware. These advanced infostealers are designed for stealth, persistence, and automation.

Researchers compared this evolution in cyber threats to “the perfect heist,” noting that most malware samples execute over a dozen malicious actions to bypass security defenses, escalate privileges, and exfiltrate data.

A password manager is a cybersecurity tool that securely stores, generates, and auto-fills strong passwords across websites and apps. By eliminating the need to remember multiple passwords, it strengthens security and reduces the risk of breaches. Experts consider it an essential component of cybersecurity best practices.
Read more »
Microsoft
ADFS Cyber Security Lateral Phishing MFA Microsoft

Sophisticated Phishing Campaign Circumvents Microsoft's Multi Factor Authentication

 

A help desk phishing campaign uses spiofed login pages to target Microsoft Active Directory Federation Services (ADFS) within an organisation in order to obtain credentials and get around multi-factor authentication (MFA) protections. The campaign's main targets, as reported by Abnormal Security, are government, healthcare, and educational institutions; at least 150 targets were chosen in the attack. 

These assaults aim to infiltrate corporate email accounts to disseminate messages to additional victims within the organisation or launch financially driven attacks such as business email compromise (BEC), wherein payments are redirected to the perpetrators' accounts. 

Microsoft Active Directory Federation Services (ADFS) is an authentication system that enables users to log in once and then access various apps and services without having to enter their credentials again. It is often employed in large companies to enable single sign-on (SSO) for internal and cloud-based services. 

The perpetrators send emails to targets impersonating their company's IT team, requesting that they log in to update security settings or adopt new policies. When victims click on the embedded button, they are redirected to a phishing site that looks identical to their organization's actual ADFS login page. The phishing page prompts the victim to input their username, password, and MFA code or tricked them into approving the push notification. 

"The phishing templates also include forms designed to capture the specific second factor required to authenticate the targets account, based on the organizations configured MFA settings," reads Abnormal Security's report. "Abnormal observed templates targeting multiple commonly used MFA mechanisms, including Microsoft Authenticator, Duo Security, and SMS verification.” 

Once the victim has entered all of their information, they are sent to the real sign-in page, which reduces suspicion and gives the impression that the procedure was completed successfully. Meanwhile, the hackers use the stolen details to gain access into the victim's account, steal any valuable data, set up new email filter rules, and attempt lateral phishing.

According to Abnormal, the attackers in this campaign utilised Private Internet Access VPN to hide their location and assign an IP address that was closer to the organisation. Abnormal recommends that organisations move to modern and more secure solutions, such as Microsoft Entra, as well as add additional email filters and suspicious behaviour detection methods, to prevent phishing attempts.
Read more »
Privacy
Authentication CyberCrime Cybersecurity CyberThreat Hackers MFA Privacy

The Evolving Role of Multi-Factor Authentication in Cybersecurity

 


In recent years, the cybersecurity landscape has faced an unprecedented wave of threats. State-sponsored cybercriminals and less experienced attackers armed with sophisticated tools from the dark web are relentlessly targeting weak links in global cybersecurity systems. End users, often the most vulnerable element in the security chain, are frequently exploited. As cyber threats grow increasingly sophisticated, multi-factor authentication (MFA) has emerged as a critical tool to address the limitations of password-based security systems.

The Importance of MFA in Modern Cybersecurity

Passwords, while convenient, have proven insufficient to protect against unauthorized access. MFA significantly enhances account security by adding an extra layer of protection, preventing account compromise even when login credentials are stolen. According to a Microsoft study, MFA can block 99.9% of account compromise attacks. By requiring multiple forms of verification—such as passwords, biometrics, or device-based authentication—MFA creates significant barriers for hackers, making unauthorized access extremely difficult.

Regulations and industry standards are also driving the adoption of MFA. Organizations are increasingly required to implement MFA to safeguard sensitive data and comply with security protocols. As a cornerstone of modern cybersecurity strategies, MFA has proven effective in protecting against breaches, ensuring the integrity of digital ecosystems, and fostering trust in organizational security frameworks.

However, as cyber threats evolve, traditional MFA systems are becoming increasingly inadequate. Many legacy MFA systems rely on outdated technology, making them vulnerable to phishing attacks, ransomware campaigns, and sophisticated exploits. The advent of generative AI tools has further exacerbated the situation, enabling attackers to create highly convincing phishing campaigns, automate complex exploits, and identify security gaps in real-time.

Users are also growing frustrated with cumbersome and inconsistent authentication processes, which undermine adherence to security protocols and erode organizational defenses. This situation underscores the urgent need for a reevaluation of security strategies and the adoption of more robust, adaptive measures.

The Role of AI in Phishing and MFA Vulnerabilities

Artificial intelligence (AI) has become a double-edged sword in cybersecurity. While it offers powerful tools for enhancing security, it also poses significant threats when misused by cybercriminals. AI-driven phishing attacks, for instance, are now virtually indistinguishable from legitimate communications. Traditional phishing indicators—such as typographical errors, excessive urgency, and implausible offers—are often absent in these attacks.

AI enables attackers to craft emails and messages that appear authentic, cleverly designed to deceive even well-trained users. Beyond mere imitation, AI systems can analyze corporate communication patterns and replicate them with remarkable accuracy. Chatbots powered by AI can interact with users in real-time, while deepfake technologies allow cybercriminals to impersonate trusted individuals with unprecedented ease. These advancements have transformed phishing from a crude practice into a precise, calculated science.

Outdated MFA systems are particularly vulnerable to these AI-driven attacks, exposing organizations to large-scale, highly successful campaigns. As generative AI continues to evolve at an exponential rate, the potential for misuse highlights the urgent need for robust, adaptive security measures.

Comprehensive Multi-Factor Authentication: A Closer Look

Multi-Factor Authentication (MFA) remains a cornerstone of cybersecurity, utilizing multiple verification steps to ensure that only authorized users gain access to systems or data. By incorporating layers of authentication, MFA significantly enhances security against evolving cyber threats. The process typically begins with the user providing credentials, such as a username and password. Once verified, an additional layer of authentication—such as a one-time password (OTP), biometric input, or other pre-set methods—is required. Access is only granted after all factors are successfully confirmed.

Key forms of MFA authentication include:

  1. Knowledge-Based Authentication: This involves information known only to the user, such as passwords or PINs. While widely used, these methods are vulnerable to phishing and social engineering attacks.
  2. Possession-Based Authentication: This requires the user to possess a physical item, such as a smartphone with an authentication app, a smart card, or a security token. These devices often generate temporary codes that must be used in combination with a password.
  3. Biometric Authentication: This verifies a user's identity through unique physical traits, such as fingerprints or facial recognition, adding an extra layer of security and personalization.
  4. Location-Based Authentication: This uses GPS data or IP addresses to determine the user's geographical location, restricting access to trusted or authorized areas.
  5. Behavioral Biometrics: This tracks and monitors unique user behaviors, such as typing speed, voice characteristics, or walking patterns, providing an adaptive layer of security.

The combination of these diverse approaches creates a robust defense against unauthorized access, ensuring superior protection against increasingly sophisticated cyberattacks. As organizations strive to safeguard sensitive data and maintain security, the integration of comprehensive MFA solutions is essential.

The cybersecurity landscape is evolving rapidly, with AI-driven threats posing new challenges to traditional security measures like MFA. While MFA remains a critical tool for enhancing security, its effectiveness depends on the adoption of modern, adaptive solutions that can counter sophisticated attacks. By integrating advanced MFA methods and staying vigilant against emerging threats, organizations can better protect their systems and data in an increasingly complex digital environment.

Read more »
North Korea
Cyber Crime Lazarus hacking group MFA North Korea

North Korean Hackers Exploit RID Hijacking to Gain Full Control Over Windows Systems

 


A North Korean cybercriminal group, Andariel, has been found using a stealthy hacking technique called RID hijacking to gain full control over Windows systems. This method allows attackers to manipulate a computer’s security settings, turning a low-privilege user account into an administrator account and granting them hidden control over the system.

What is RID Hijacking and How Does It Work?

Windows assigns each user account a Security Identifier (SID), which includes a Relative Identifier (RID) that defines the account’s access level. Key RIDs include:

  • 500 – Default administrator account
  • 501 – Guest account
  • 1000+ – Regular user accounts

Hackers exploit this system by modifying the RID of a normal user account to match that of an administrator. Since Windows determines permissions based on RID values, the system unknowingly grants higher-level access to what appears to be a low-privilege account. However, this attack requires deep access to the system’s core security files, specifically the Security Account Manager (SAM) registry, where user login details are stored.

Researchers from AhnLab Security Intelligence Center (ASEC) have linked these attacks to Andariel, a North Korean hacking group that is part of Lazarus, a well-known state-sponsored cybercrime organization. Andariel typically gains initial access by exploiting software vulnerabilities or tricking users into downloading malware. Once inside, they use hacking tools like PsExec and JuicyPotato to obtain SYSTEM-level privileges, the highest level of access on a Windows machine.

However, SYSTEM-level access has limitations, such as the inability to log in remotely, lack of persistence after a system restart, and high visibility to security systems. To overcome these, Andariel creates a hidden user account using the Windows "net user" command, adding a "$" symbol at the end of the username to make it invisible in regular user lists. They then modify its RID to that of an administrator, granting it full control over the system while remaining undetected.

How to Defend Against RID Hijacking

To protect against RID hijacking, organizations and IT administrators can take the following steps:

  1. Monitor User Login Activity: Use the Local Security Authority (LSA) Subsystem Service to track unusual logins or permission changes.
  2. Secure Critical System Files: Restrict unauthorized modifications to the SAM registry, where login credentials are stored.
  3. Block Hacking Tools: Prevent tools like PsExec and JuicyPotato from running, as they are commonly used for privilege escalation.
  4. Implement Multi-Factor Authentication (MFA): Require an extra authentication step for all accounts, even low-level ones, to prevent unauthorized access.
  5. Regularly Audit User Accounts: Check for hidden or suspicious accounts, especially those with "$" symbols or unusual RID values.

RID hijacking has been known since 2018, when cybersecurity researchers first demonstrated it as a way to maintain persistent access on Windows systems. However, its recent use by North Korean state-sponsored hackers highlights the growing sophistication of cyberattacks. By making small, undetectable changes to Windows user settings, hackers can silently maintain control over a compromised system, making it much harder for security teams to remove them.

The use of RID hijacking by North Korean hackers underscores the importance of proactive cybersecurity measures. Organizations must monitor user accounts, detect hidden activity, and secure critical system files to defend against such stealthy attacks. By staying vigilant and implementing robust security practices, businesses can better protect their systems from advanced threats like RID hijacking.

Read more »
Security Keys
Cyber Security Data protection Hardware MFA online account security online accounts Online attacks Security Keys

Why Securing Online Accounts is Critical in Today’s Cybersecurity Landscape

 

In an era where cybercriminals are increasingly targeting passwords through phishing attacks, data breaches, and other malicious tactics, securing online accounts has never been more important. Relying solely on single-factor authentication, such as a password, is no longer sufficient to protect sensitive information. Multi-factor authentication (MFA) has emerged as a vital tool for enhancing security by requiring verification from multiple sources. Among the most effective MFA methods are hardware security keys, which provide robust protection against unauthorized access.

What Are Hardware Security Keys?

A hardware security key is a small physical device designed to enhance account security using public key cryptography. This method generates a pair of keys: a public key that encrypts data and a private key that decrypts it. The private key is securely stored on the hardware device, making it nearly impossible for hackers to access or replicate. Unlike SMS-based authentication, which is vulnerable to interception, hardware security keys offer a direct, offline authentication method that significantly reduces the risk of compromise.

Hardware security keys are compatible with major online platforms, including Google, Microsoft, Facebook, GitHub, and many financial institutions. They connect to devices via USB, NFC, or Bluetooth, ensuring compatibility with a wide range of hardware. Popular options include Yubico’s YubiKey, Google’s Titan Security Key, and Thetis. Setting up a hardware security key is straightforward. Users simply register the key with an online account that supports security keys. For example, in Google’s security settings, users can enable 2-Step Verification and add a security key.

Once linked, logging in requires inserting or tapping the key, making the process both highly secure and faster than receiving verification codes via email or SMS. When selecting a security key, compatibility is a key consideration. Newer devices often require USB-C keys, while older ones may need USB-A or NFC options. Security certifications also matter—FIDO U2F provides basic security, while FIDO2/WebAuthn offers advanced protection against phishing and unauthorized access. Some security keys even include biometric authentication, such as fingerprint recognition, for added security.

Prices for hardware security keys typically range from $30 to $100. It’s recommended to purchase a backup key in case the primary key is lost. Losing a security key does not mean being locked out of accounts, as most platforms allow backup authentication methods, such as SMS or authentication apps. However, having a secondary security key ensures uninterrupted access without relying on less secure recovery methods.

Maintaining Strong Online Security Habits

While hardware security keys provide excellent protection, maintaining strong online security habits is equally important. This includes creating complex passwords, being cautious with email links and attachments, and avoiding oversharing personal information on social media. For those seeking additional protection, identity theft monitoring services can offer alerts and assistance in case of a security breach.

By using a hardware security key alongside other cybersecurity measures, individuals can significantly reduce their risk of falling victim to online attacks. These keys not only enhance security but also ensure convenient and secure access to their most important accounts. As cyber threats continue to evolve, adopting advanced tools like hardware security keys is a proactive step toward safeguarding your digital life.

Read more »
Security Keys
Cyber Defenses Cyber Security FCC Login Security MFA Passwords Public Key Cryptography Security Keys

T-Mobile Enhances Cybersecurity with Yubikey Security Keys

 

T-Mobile has taken a significant step in enhancing its cybersecurity by adopting Yubikey security keys for its employees. The company purchased over 200,000 security keys from Yubico, deploying them across all staff, vendors, and authorized retail partners. The rollout, which began in late 2023, was completed in under three months, with T-Mobile reporting positive results within the first year of implementation.

Jeff Simon, T-Mobile’s chief security officer, highlighted the rapid deployment and the impact of the security keys. He emphasized their effectiveness in strengthening the company’s defenses against cyber threats. These hardware-based keys address vulnerabilities associated with digital passwords, such as phishing, malware, and brute-force attacks.

Security keys leverage public-key cryptography to securely authenticate users without exposing login credentials to potential attackers. The keys generate and store a private authentication key for online services directly on the physical device. This method ensures that even if hackers attempt to phish for login details, they cannot gain unauthorized access without the physical key.

Starting at around $20, these keys are an affordable and viable option for both individuals and businesses looking to bolster their cybersecurity. Tech giants such as Google, Apple, Facebook, and Coinbase have already adopted similar solutions to protect employees and customers.

T-Mobile’s decision to adopt security keys comes after a history of data breaches, including phishing attacks that compromised login credentials and internal systems. In response to an FCC investigation into these breaches, T-Mobile initially considered implementing multi-factor authentication (MFA) for all employee accounts. However, concerns about sophisticated hackers intercepting MFA codes via compromised smartphones led the company to choose a more secure hardware-based solution.

Enhanced Authentication with Yubico FIDO2 Keys

According to T-Mobile’s senior cybersecurity manager, Henry Valentine, the implementation of Yubico’s FIDO2 security keys has eliminated the need for employees to remember passwords or input one-time passcodes (OTP). Instead, employees authenticate their identity passwordlessly using their YubiKeys, enhancing both security and convenience.

While these security keys provide robust protection against phishing and credential theft, T-Mobile remains vigilant against other cybersecurity threats.

Despite the strengthened security measures, T-Mobile continues to face threats from advanced cyber adversaries. Notably, the Chinese hacking group “Salt Typhoon” has targeted US carriers, including T-Mobile, through software vulnerabilities. However, T-Mobile’s adoption of Yubikeys has helped prevent unauthorized access attempts.

The adoption of Yubikey security keys marks a proactive step in T-Mobile’s ongoing commitment to safeguarding its systems and data. By investing in hardware-based authentication, the company aims to stay ahead of evolving cyber threats and ensure a secure digital environment for its employees and customers.


Read more »
PKI
Cyber Security Cyberattacks Cyberencryption Cyberhackers CyberThreat MFA PKI

Why MFA Failures Signal Greater Cybersecurity Challenges

 


In the current cybersecurity era, multi-factor authentication (MFA) is widely recommended and often mandated across several sectors, making it one of the most popular security measures that are available. As stated by the Cybersecurity and Infrastructure Security Agency (CISA), implementing MFA is an easy-to-follow method for safeguarding organizations and reducing the risk of account compromise attacks significantly, thereby ensuring the organization's security. 

Several key guidelines and regulations emphasize the importance of multi-factor authentication (MFA) for improving security protocols in several ways, for example, NIST Special Publication (NIST SP) 800-63-3 stipulates that multi-factor authentication is a requirement for systems requiring authentication assurance levels two and three (AAL). 

As an additional measure of security, Executive Order 14028 directs all government agencies in the United States to adopt multi-factor authentication. Several industry standards, including the Payment Card Industry Data Security Standard (PCI DSS) and the Service Organization Control 2 (SOC 2), also require MFA to secure sensitive data environments, to ensure compliance with these standards, and even though MFA has been widely endorsed, emerging concerns over its vulnerabilities are prompting experts to examine its limitations and potential risks in light of those concerns. As the traditional mechanisms of multi-factor authentication (MFA), which have been widely considered a cornerstone of cybersecurity for many years, are struggling to keep pace with the advancing threats, they are coming under more scrutiny. 

It is becoming increasingly evident that legacy multifactor authentication systems are being circumvented with alarming effectiveness as a result of phishing campaigns, ransomware attacks, and advanced exploitation techniques. MFA has become increasingly vulnerable to sophisticated cyberattacks and these developments raise serious concerns about its reliability as a protection measure. Authentication by multiple factors (MFA) has been a cornerstone of cybersecurity for decades.

It has proven to be a very effective method of strengthening security perimeters against unauthorized access. However, with the relentless evolution of cyber threats, it is imperative that organizations continually evaluate whether it is effective. Emerging vulnerabilities in traditional MFA approaches emphasize the importance of adjusting and evolving the security perimeters. 

As a result, the use of SIM swapping techniques, in which attackers hijack mobile phone numbers to intercept SMS codes, has become increasingly prevalent, resulting in significant financial losses. In addition, authentication fatigue is also a growing challenge, since users who are overwhelmed with frequent prompts may adopt risky behaviors, such as sharing codes or circumventing security protocols, that can lead to significant financial losses. 

Moreover, new forms of exploitation of biometric authentication are becoming available because of advances in artificial intelligence and deep-fake technology. As a result of push notification hijacking and sophisticated account takeover techniques, legacy MFA systems remain vulnerable to exploitation. The vulnerability highlights the need to diversify authentication factors, incorporate risk-based assessments, and leverage advanced threat detection tools to enhance security against these threats. 

A crucial part of modern cybersecurity strategies remains Multi-factor authentication (MFA), but it is not immune from failure; organizations should take proactive measures to strengthen their defenses and educate their users about the threats they are facing. In today's rapidly changing threat landscape, it is imperative to maintain an adaptive and dynamic authentication approach to maintain a resilient security posture. 

Insurers are advised to consider the importance of multi-factor authentication (MFA) when insuring businesses because it directly impacts the level of risk incurred by the business. Providing another layer of security to sensitive systems besides passwords makes MFA a very effective security measure that significantly reduces the likelihood of unauthorized access to sensitive systems. In turn, this reduces the risk of cyberattacks, phishing attempts, account takeovers, and credential stuffing, among other cyber threats. 

As insurers, it is important to know if a company has implemented MFA as well as how effectively it is used so that the overall risk profile can be assessed. Insurance companies can price policies accurately based on this knowledge, ensuring that the policies reflect a company's true security posture. A company's liability liability may be misjudged if insurers do not receive this critical information, leaving them at risk of inadequate coverage or increased claims exposure. The use of multi-factor authentication has been a key way of preventing unauthorized access for years, but it is no longer immune to evolving threats as it has been for years. 

As the frequency of tactics such as SIM swapping increases, the risk of hackers intercepting SMS codes has increased, resulting in significant financial losses for the company. Additionally, authentication fatigue is still a concern, as users may bypass security measures or share MFA codes if they become overwhelmed by constant prompts. As artificial intelligence and deepfake technologies continue to rise, biometric systems are becoming more vulnerable. 

Moreover, push notifications hijacking and account takeover methods illustrate the limitations of legacy multi-factor authentication systems. To deal with these challenges, a variety of authentication factors must be used, dynamic risk assessments must be conducted, and advanced threat detection tools be incorporated. While Multi-factor authentication remains a cornerstone of cybersecurity, organizations should continue to strengthen their defenses and adapt their strategies to stay ahead of emerging threats even though MFA remains a cornerstone. 

Today's increasingly complex technological landscape has made biometric authentication an increasingly challenging process, despite being once hailed as a breakthrough in securing systems where passwords failed to work. As far as fingerprints, facial recognition, and retinal scanners were concerned, they were once considered unique and practically impenetrable, but now deepfake technology has disrupted the perception that these systems are secure. As deepfakes have become more sophisticated, they have been revealing critical flaws in biometric systems that can mimic voices, facial features, and even expressions in real-time.

It is warned that as deepfakes become more common in the business world, organizations will need to adopt additional verification procedures to keep their business environment secure, particularly when conducting sensitive transactions. Approximately one-third of businesses may abandon facial recognition technology altogether by the year 2026, signaling an erosion of trust in biometrics as a whole. In light of the increasing threats from insecure biometrics, organizations must reevaluate their dependence on these technologies and implement robust countermeasures to address them. When stakes continue to rise in cyberspace, it will be imperative to safeguard sensitive systems against exploitation by adapting strategies and implementing layered defenses. 

A significant advancement has been achieved in the field of digital security in the form of the integration of Public Key Infrastructure (PKI) into Multi-Factor Authentication (MFA) systems. In the process of verifying identities through digital certificates, a PKI provides a secure framework for the authentication of users. As cybersecurity threats continue to evolve, PKI's role in enhancing multifactor authentication is gaining prominence. 

PKI guarantees ethe encryption of data transmission and employs digital signatures to guarantee the integrity and authenticity of the data. Based on a study by Orbis Market Reports, it has been projected that PKI will continue to grow in the authentication market, indicating its increasing adoption. Organizations are making progress towards a safer digital environment by combining PKI with adaptive authentication and artificial intelligence. As an integral part of cybersecurity, multifactor authentication plays a critical role, but it is not sufficient by itself to address every risk associated with cybercrime. 

Companies must integrate multifactor authentication with advanced threat detection, ongoing monitoring, and other proactive security measures to build a robust security framework. Layered approaches are essential for combating evolving threats and ensuring comprehensive protection for their systems.
Read more »
Technology
Cloud Security Cryptojacking Cybersecurity Threats Google Cloud MFA Raccoon Stealer Ransomware Technology

TRIPLESTRENGTH Targets Cloud for Cryptojacking, On-Premises Systems for Ransomware Attacks

 

Google unveiled a financially driven threat actor, TRIPLESTRENGTH, targeting cloud environments for cryptojacking and on-premise ransomware operations.

"This actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity," Google Cloud noted in its 11th Threat Horizons Report.

TRIPLESTRENGTH employs a three-pronged attack strategy: unauthorized cryptocurrency mining, ransomware deployment, and offering cloud platform access—spanning services like Google Cloud, AWS, Azure, Linode, OVHCloud, and Digital Ocean—to other attackers. The group's primary entry methods involve stolen credentials and cookies, often sourced from Raccoon Stealer logs. Compromised environments are used to create compute resources for mining cryptocurrency using tools like the unMiner application and the unMineable mining pool, optimized for both CPU and GPU algorithms.

Interestingly, TRIPLESTRENGTH has concentrated its ransomware efforts on on-premises systems, deploying lockers such as Phobos, RCRU64, and LokiLocker.

"In Telegram channels focused on hacking, actors linked to TRIPLESTRENGTH have posted advertisements for RCRU64 ransomware-as-a-service and also solicited partners to collaborate in ransomware and blackmail operations," Google Cloud disclosed.

One notable incident in May 2024 involved initial access through Remote Desktop Protocol (RDP), followed by lateral movement and antivirus evasion to execute ransomware across several systems. TRIPLESTRENGTH also regularly advertises access to compromised servers on Telegram, targeting hosting providers and cloud platforms.

To counteract such threats, Google has introduced multi-factor authentication (MFA) and improved logging for detecting sensitive billing actions.

"A single stolen credential can initiate a chain reaction, granting attackers access to applications and data, both on-premises and in the cloud," Google warned. 

"This access can be further exploited to compromise infrastructure through remote access services, manipulate MFA, and establish a trusted presence for subsequent social engineering attacks."
Read more »
Subscribe to: Posts (Atom)