Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Remote Access Software. Show all posts

TeamViewer's Corporate Network Compromised in Suspected APT Hack

 

iTeamViewer, a remote access software company, has announced that its corporate environment was compromised in a cyberattack. According to the company, the breach was detected on Wednesday, June 26, 2024, and is believed to have been carried out by an advanced persistent threat (APT) hacking group.

"On Wednesday, June 26, 2024, our security team detected an irregularity in TeamViewer’s internal corporate IT environment," TeamViewer stated in a post on its Trust Center. "We immediately activated our response team and procedures, started investigations together with a team of globally renowned cybersecurity experts, and implemented necessary remediation measures."

TeamViewer assured that its internal corporate IT environment is entirely separate from its product environment. They emphasized that there is no evidence suggesting that the product environment or customer data has been affected. The company continues to investigate and is focused on maintaining the integrity of its systems.

Despite their commitment to transparency, the "TeamViewer IT security update" page includes a <meta name="robots" content="noindex"> HTML tag, preventing search engines from indexing the document and making it harder to find.

TeamViewer is widely used for remote access, allowing users to control computers remotely as if they were physically present. The software is currently used by over 640,000 customers worldwide and has been installed on over 2.5 billion devices since its launch.

While TeamViewer has stated there is no evidence of a breach in its product environment or customer data, the extensive use of their software in both consumer and corporate settings makes any breach a significant concern, potentially granting full access to internal networks.

In 2019, TeamViewer confirmed a 2016 breach linked to Chinese threat actors through the Winnti backdoor. At the time, the company did not disclose the breach as no data was stolen.

News of the latest breach was first reported on Mastodon by IT security professional Jeffrey, who shared parts of an alert from the Dutch Digital Trust Center. This web portal is used by the government, security experts, and Dutch corporations to share information about cybersecurity threats.

"The NCC Group Global Threat Intelligence team has been made aware of significant compromise of the TeamViewer remote access and support platform by an APT group," warned an alert from cybersecurity firm NCC Group. "Due to the widespread usage of this software, the following alert is being circulated securely to our customers."

Another alert from Health-ISAC, a community for healthcare professionals to share threat intelligence, warned that TeamViewer services were allegedly being targeted by the Russian hacking group APT29, also known as Cozy Bear, NOBELIUM, and Midnight Blizzard.

"On June 27, 2024, Health-ISAC received information from a trusted intelligence partner that APT29 is actively exploiting TeamViewer," reads the Health-ISAC alert shared by Jeffrey. "Health-ISAC recommends reviewing logs for any unusual remote desktop traffic. Threat actors have been observed leveraging remote access tools. TeamViewer has been observed being exploited by threat actors associated with APT29."

APT29 is a Russian advanced persistent threat group linked to Russia's Foreign Intelligence Service (SVR). The group is known for its cyberespionage capabilities and has been involved in numerous attacks, including breaches of Western diplomats and a recent compromise of Microsoft's corporate email environment.

Although TeamViewer disclosed the incident at the same time as the alerts from NCC Group and Health-ISAC, it is unclear if they are directly related. TeamViewer's and NCC's alerts address the corporate breach, while the Health-ISAC alert focuses on targeting TeamViewer connections.

BleepingComputer reached out to TeamViewer for comments on the attack but was informed that no further information would be provided during the ongoing investigation. NCC Group also told BleepingComputer that they had nothing further to add beyond the alert issued to their clients.

On June 28, 2024, TeamViewer informed BleepingComputer that they had removed the noindex tag from their Trust Center, and the page should soon be indexed by search engines.

New Ransomware Threat Hits Hundreds of Organisations Worldwide

 


In a recent joint report by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), a new ransomware gang named Black Basta has been identified as breaching over 500 organisations globally between April 2022 and May 2024. This group has targeted various sectors, including healthcare, spanning across North America, Europe, and Australia.

Black Basta, coming through as a Ransomware-as-a-Service (RaaS) operation in April 2022, has quickly gained notoriety by attacking numerous high-profile victims such as Rheinmetall, Hyundai, Capita, and the American Dental Association, among others. Believed to have connections to the former Conti cybercrime syndicate, Black Basta operates with sophistication and a steady stream of initial access to its targets.

One of the key tactics employed by Black Basta involves stealing corporate data before encrypting a company's devices. This stolen data is then used in double-extortion attacks, where victims have demanded a ransom to prevent the publishing of their sensitive information. The gang's data leak site, 'Black Basta Blog' or 'Basta News,' lists victims and progressively releases data to pressure them into paying the ransom.

Technical analysis reveals that Black Basta utilises the ChaCha20 encryption algorithm to encrypt files, rendering them inaccessible without the decryption key. Victims are left with a custom extension appended to their encrypted files (.basta), along with a ransom note providing instructions on how to negotiate with the threat actors.

Responding to this spreading threat, federal agencies advise organisations to maintain up-to-date operating systems, employ phishing-resistant Multi-Factor Authentication (MFA), and train users to identify and report phishing attempts. Moreover, securing remote access software and implementing recommended mitigations are essential steps in blocking the risks posed by Black Basta and similar ransomware attacks.

Healthcare organisations are particularly vulnerable, given their size, technological reliance, and access to sensitive patient information. CISA and the FBI have suggested adhering to the StopRansomware Guide in order to dodge potential attacks in the healthcare sector.

Recent incidents, including an attack on healthcare giant Ascension, accentuate the urgency of addressing the threat posed by Black Basta. With the gang's ability to readily expand its victim pool and employ coercive tactics, organisations must remain particularly careful and implement robust cybersecurity measures to mitigate the risk of falling victim to ransomware attacks.

Considering the course of events, cybersecurity experts emphasise the importance of ardent measures, including regular backups, system updates, and employee training, to strengthen defences against ransomware threats like Black Basta. This calls for collective efforts to combat the growing menace of ransomware and protect critical infrastructure from malicious actors.


Sophisticated Dutch Bank Helpdesk Scam Unveils Database with Over 7 Million Email Addresses

 

In January, authorities in Amsterdam made six arrests as part of a significant cybercrime inquiry, leading to the unearthing of a database containing 7.3 million email addresses, with around 5 million linked to Dutch residents. The investigation initially targeted a bank helpdesk scam, wherein the perpetrators operated with a high level of professionalism akin to a call center.

Investigators stumbled upon the email lists on a laptop belonging to one of the suspects. They caution the public about the broader risks associated with phishing emails, as this extensive list has been circulated within the cybercriminal community for potential reuse in various fraudulent activities.

The case unfolded when approximately 30 individuals fell victim to a scheme where impostors, posing as bank representatives, deceived them into believing they were corresponding with other legitimate organizations. After victims responded to these emails, they were subsequently contacted by individuals masquerading as bank employees. These perpetrators employed psychological tactics, including feigning concern over the victims' involvement in a scam, to gain their trust.

Victims were then coerced into installing a remote access software called 'Anydesk,' which allowed the criminals to manipulate their computers from afar, ultimately siphoning off substantial sums of money through online banking. In some instances, the perpetrators even went as far as visiting victims in person to collect debit cards and valuables.

Following the arrests on January 24, which occurred in Amsterdam, Almere, and Heemskerk, authorities seized laptops, mobile phones, and debit cards. One suspect was subsequently released. Notably, one of the confiscated laptops contained the aforementioned email database.

Despite the apprehension of the suspects, authorities emphasize that the danger persists, as such lists continue to be traded and utilized by cybercriminals. They urge individuals to verify if their email addresses have been compromised and to exercise caution when encountering suspicious communications.

To combat such threats, the police have launched websites where individuals can ascertain if their email addresses have been compromised and verify the legitimacy of links received through various channels. Additionally, they advise individuals to hang up on anyone claiming to represent a bank and to independently verify such claims by contacting the bank's official customer service line.

Furthermore, the public is urged never to allow anyone to collect their debit cards or install programs on their computers. It's essential to educate vulnerable individuals, such as the elderly, about these fraudulent practices to prevent further victimization.

Security Breach at AnyDesk: Production Servers Hacked, Password Reset

 

AnyDesk, a widely used remote desktop application, is currently grappling with a significant security breach that has raised alarm among its user base. The company recently disclosed that malicious actors successfully infiltrated its production servers, gaining unauthorized access to sensitive information and triggering a large-scale password reset for its users. 

AnyDesk functions as a remote desktop solution, allowing users to access and control their computers from anywhere in the world. Renowned for its user-friendly interface, high performance, and cross-platform compatibility, AnyDesk has become a popular choice for both personal and professional remote connectivity. 

However, the recent security incident sheds light on the inherent vulnerabilities in remote desktop software, particularly in ensuring robust security measures. Despite encryption and authentication protocols in place, hackers often exploit weaknesses in these systems to gain unauthorized access. The breach of AnyDesk's production servers indicates a potential lapse in the platform's security infrastructure. 

The extensive user base of AnyDesk, consisting of millions relying on the platform for remote work and other activities, makes it an attractive target for cybercriminals. The breach not only allowed unauthorized access to user accounts but also led to a mass password reset, creating additional challenges for users and emphasizing the significant impact of such security compromises. 

In response to the breach, AnyDesk promptly acknowledged the incident and urged users to reset their passwords immediately. The company is actively investigating the extent of the compromise and is committed to enhancing its security measures to prevent future breaches. AnyDesk reassures its users that measures are being taken to safeguard the integrity of the platform. 

The forced password reset has left AnyDesk users facing potential disruptions to their remote work and personal activities. As a precautionary measure, users are advised to regularly update their passwords, enable two-factor authentication where available, and remain vigilant for any suspicious activities on their accounts. 

The AnyDesk security breach underscores the ongoing challenges faced by remote desktop software providers in maintaining the security of user data. In an era where remote connectivity has become the norm, ensuring the safety of personal and professional information must be a top priority. Users are encouraged to adopt best cybersecurity practices, stay informed about security updates, and take proactive measures to enhance their overall online security.

Decoy Dog Malware Toolkit: A New Cybersecurity Threat

 

A new cybersecurity threat has been discovered that could potentially put millions of people at risk. According to a report from Bleeping Computer, researchers have found a new malware toolkit called 'Decoy Dog' after analyzing 70 billion DNS queries. The malware toolkit was discovered by a team of researchers who were looking for new ways to protect against cyber attacks.

The Decoy Dog malware toolkit is an advanced cyber attack tool that allows hackers to access and control computer systems remotely. It is a modular tool that can be customized to fit the specific needs of an attacker. The malware is also capable of evading traditional security measures such as firewalls and antivirus software.

The researchers found that the Decoy Dog malware toolkit is being distributed through various channels such as email, social media, and file-sharing sites. Once the malware is installed on a victim's computer, it can be used to steal sensitive information such as login credentials, financial data, and personal information.

One of the ways that the Decoy Dog malware toolkit is able to evade detection is through the use of a tool called Pupy. Pupy is a remote access tool that is used to control compromised systems. It is designed to be stealthy and can operate undetected by antivirus software.

The researchers warn that the Decoy Dog malware toolkit is a serious threat and that users should take steps to protect themselves. They recommend that users keep their software up-to-date and avoid opening suspicious emails or downloading files from untrusted sources. They also suggest that users should use reputable antivirus software and regularly scan their systems for malware.

The Decoy Dog malware toolset poses a significant risk to cybersecurity, to sum up. It is an effective weapon for cybercriminals due to its modular design and capacity to bypass conventional security measures. Users must be on the lookout for these hazards online and take precautions to safeguard themselves.

Devious Phishing Tactic Circumvents MFA Using Remote Access Software

 

As per a new phishing technique,adversaries can defeat multi-factor authentication (MFA) by having victims connect to their accounts directly on attacker-controlled servers using the VNC screen sharing system.

Bypassing multi-factor authentication (MFA) configured on the intended victim's email accounts is one of the most difficult barriers to successful phishing attempts. Even if threat actors can persuade users to input their credentials on a phishing site, if the account is protected by MFA, completely breaching the account requires the victim's one-time passcode. 

Phishing kits have been upgraded to employ reverse proxies or other means to obtain MFA codes from unwitting victims to get access to a target's MFA-protected accounts. Companies, on the other hand, are becoming aware of this technique and have begun implementing security measures that prevent logins or cancel accounts when reverse proxies are found. VNC is here to help. 

Mr.d0x, a security researcher, attempted to create a phishing attack on the client's employees to get corporate account credentials while conducting a penetration test for a customer. Mr.d0x put up a phishing assault utilising the Evilginx2 attack framework, which operates as a reverse proxy to steal credentials and MFA codes because all of the accounts were configured with MFA. 

The researcher discovered that when reverse proxies or man-in-the-middle (MiTM) attacks were detected, Google blocked logins. According to Mr.d0x, this was a new security feature installed by Google in 2019 precisely to avoid these types of attacks. 

Websites like LinkedIn, according to the researcher, identify man-in-the-middle (MiTM) assaults and delete accounts following successful logins. To get around this, Mr.d0x devised a cunning new phishing technique that employs the noVNC remote access software and browsers in kiosk mode to display email login prompts that are hosted on the attacker's server but shown in the victim's browser. 

VNC is a remote access software that allows users to connect to and control the desktop of a logged-in user. Most people use dedicated VNC clients to connect to a VNC server, which opens the remote desktop in a similar way to Windows Remote Desktop. 

An application called noVNC, on the other hand, allows users to connect to a VNC server directly from within a browser by merely clicking a link, which is where the researcher's new phishing method comes into play. 

A new report by Mr.d0x on his new phishing technique explained, "So how do we use noVNC to steal credentials & bypass 2FA? Setup a server with noVNC, run Firefox (or any other browser) in kiosk mode and head to the website you’d like the user to authenticate to (e.g. accounts.google.com)."   

"Send the link to the target user and when the user clicks the URL they’ll be accessing the VNC session without realizing. And because you’ve already set up Firefox in kiosk mode all the user will see is a web page, as expected." 

A threat actor can use this configuration to send targeted spear-phishing emails with links that launch the target's browser and log into the attacker's remote VNC server. These links are highly customisable, allowing the attacker to make links that do not appear to be suspicious VNC login URLs.  

Since the attacker's VNC server is set up to run a browser in kiosk mode, which displays the browser in full-screen mode, when the victim clicks on a link, they will be taken to a login screen for the targeted email provider, where they can log in as usual. 

However, because the attacker's VNC server is displaying the login prompt, all login attempts will be made directly on the remote server. Once a user logs into the account, an attacker can utilise a variety of tools to obtain passwords and security tokens, according to Mr.d0x. 

Even more dangerous, since the user enters the one-time passcode directly on the attacker's server, authorising the device for future login attempts, this technique bypasses MFA. If the attack was limited to a few people, merely entering into their email account using the attacker's VNC session would grant the device permission to connect to the account in the future. Because VNC allows many individuals to monitor the same session, an attacker might disconnect the victim's connection after the account was logged in and reconnect later to gain access to the account and all of its email. 

While this attack is yet to be observed in the open, the researcher told BleepingComputer that he believes it will be used in the future. Every phishing advice remains the same when it comes to safeguarding from these types of attacks: do not click on URLs from unknown senders, scan embedded links for strange domains, and take all email as suspect, especially when it asks you to log in to your account.