
Mr. Cooper Data Breach: 14 Million Customers Exposed

A major data breach at mortgage giant Mr. Cooper compromised the personal data of an astounding 14 million consumers, according to a surprising disclosure. The incident has shocked the cybersecurity world and raises fresh concern about how exposed sensitive data is in the digital age.

The breach, confirmed on December 18, 2023, shows how vital strong cybersecurity procedures are in financial institutions and has significant consequences for the people affected. The hackers gained access to Mr. Cooper's networks and took off with a wealth of private information, including Social Security numbers, names, addresses, and other personal details.

TechCrunch reported on the incident, emphasizing the scale of the breach and the potential consequences for those impacted. The breach underscores the persistent and evolving threats faced by organizations that handle vast amounts of personal information. As consumers, it serves as a stark reminder of the importance of vigilance in protecting our digital identities.

Mr. Cooper has taken swift action in response to the breach, acknowledging the severity of the situation. The company is actively working to contain the fallout and assist affected customers in securing their information. In a statement to Help Net Security, Mr. Cooper reassured customers that it is implementing additional security measures to prevent future breaches.

The likely motives behind the attack underline how lucrative stolen personal data is on the dark web. The breached information can be exploited for identity theft, financial fraud, and other malicious activities. This incident underscores the need for organizations to prioritize cybersecurity and invest in advanced threat detection and prevention mechanisms.

"The Mr. Cooper data breach is a sobering reminder of the evolving threat landscape," cybersecurity experts have stated. To safeguard their consumers' confidence and privacy, businesses need to invest heavily in cybersecurity solutions and maintain a watchful eye."

In light of the growing digital landscape, the Mr. Cooper data breach should be seen as a wake-up call for companies and individuals to prioritize cybersecurity and collaborate to create a more secure online environment.

Google's Ad Blocker Crackdown Sparks Controversy

 

Consumers and digital-rights advocates have raised concerns over Google's recently intensified crackdown on ad blockers. As reported by several sources, the move exposes a multifaceted effort that involves deliberate browser slowdowns and strict action on YouTube.

According to Channel News, YouTube's ad blocker crackdown has reached new heights. Users attempting to bypass ads on the platform are facing increased resistance, with reports of ad blockers becoming less effective. This raises questions about the future of ad blocking on one of the world's most popular video-sharing platforms.

Google has taken a controversial step by intentionally slowing down browsers to penalize users employing ad blockers. This aggressive tactic, designed to discourage the use of ad-blocking extensions, has sparked outrage among users who rely on these tools for a smoother online experience.

The Register delves deeper into Google's strategy, outlining the technical aspects of how the search giant is implementing browser slowdowns. The article suggests that this move is not only an attempt to protect its advertising revenue but also a way to assert control over the online advertising ecosystem.

While Google argues that these measures are necessary to maintain a fair and sustainable digital advertising landscape, critics argue that such actions limit user freedom and choice. The concern is not merely about the impact on ad-blocker users; it also raises questions about the broader implications for online privacy and the control that tech giants exert over users' online experiences.

As the internet becomes increasingly integral to daily life, the balance between user empowerment and the interests of digital platforms is a delicate one. Google's recent actions are sure to reignite the debate on the ethics of ad blocking and the extent to which tech companies can dictate user behavior.

Google's strong action against ad blockers serves as a reminder of the continuous conflict between user autonomy and the profit-driven objectives of digital titans. These activities have consequences that go beyond the advertising industry and spark a broader conversation about the future of online privacy and the power corporations have over the digital environment.

Nym's Decentralized VPN: A Game-Changer for Online Privacy


Nym, a privacy technology company, is preparing to introduce a decentralized VPN (Virtual Private Network) that aims to change how we safeguard our online data and preserve our privacy, at a time when online privacy is getting harder to define in a quickly changing digital environment. Billed as a game-changer in the field of online security, the service is scheduled to launch in early 2024.

Nym's ambitious project has garnered significant attention from the tech and cryptocurrency community. With concerns about surveillance, data breaches, and cyberattacks on the rise, the need for robust online privacy solutions is more critical than ever. Traditional VPNs have long been a popular choice for protecting one's online identity and data. However, Nym's decentralized VPN takes privacy to the next level.

One of the key features of Nym's VPN is its decentralized nature. Unlike traditional VPNs that rely on centralized servers, Nym's VPN leverages a decentralized network, making it far more resistant to censorship and government intervention. This feature is particularly important in regions where internet freedom is limited.

Furthermore, Nym's VPN is powered by a privacy-centric cryptocurrency called NYM tokens. Users can stake these tokens to access the VPN service or earn rewards for supporting the network. This innovative approach not only incentivizes network participation but also ensures a high level of privacy and security.

The decentralized VPN is designed to protect users from surveillance and data harvesting by hiding their IP addresses and routing their internet traffic through a network of anonymous servers. This means that users can browse the web, communicate, and access online services without revealing their true identity or location.

In addition to its privacy features, Nym's VPN is being developed with a strong focus on speed and usability. This means that users can enjoy the benefits of online privacy without sacrificing their internet connection's speed and performance.

Since Nym is a big step toward a more secure and private internet, the IT industry is excited about its impending introduction. Users seeking to protect their online activity will have access to a cutting-edge, decentralized solution as 2024 draws near.

Nym's decentralized VPN stands out as a ray of light in a world where threats to internet privacy are omnipresent. Its distinctive approach to privacy, robust security features, and intuitive design have the power to revolutionize the way we safeguard our personal information and identities online. When Nym launches in early 2024, it will surely be a turning point in the continuous struggle to protect internet privacy in a connected society.

Cloud Storage: Is Stored Data Secure?

 

The popularity of cloud storage is on the rise, both for personal and professional use. However, many people are concerned about the security of their data in the cloud. While some worry about the future-proofing of their cloud storage, others are concerned about the privacy of their personal information. 

Despite these concerns, the advantages of cloud storage in terms of convenience, scalability, and cost-efficiency make it a popular choice. Cloud storage involves storing digital data on remote servers and accessing it through an internet connection. This type of storage is fast, accessible from anywhere, easily scalable, and can serve as a backup in case of disaster. 

Additionally, third-party providers take care of server maintenance and security, freeing up the user's time for other tasks. Although security concerns exist, secure and affordable cloud storage services are available.

Cloud storage is a versatile option that can be utilized by both individuals and organizations. It offers various benefits comparable, and even superior, to traditional physical storage methods. While evaluating the security of cloud storage, it's important to consider its usefulness in providing added safety through features such as backups and the convenience it offers. It is used for:

  • Sharing Your Files With Ease
  • Cloud Disaster Recovery (CDR)
  • Backing Up Your Data

What Makes Your Data Safe in the Cloud?

Data stored in the cloud is generally more secure than data stored on your own hard drive. After all, cloud servers are housed in very secure cloud data centers that are constantly monitored.

So, how does cloud storage security work? What are the important security procedures in place to protect your data on the cloud?

  • Firewall-as-a-Service (FWaaS)
  • Round-the-Clock Monitoring
  • Encryption from beginning to end
  • AI-Powered Tools and Auto-Patching

While no system is perfect, cloud storage is surprisingly secure and more handy than on-site storage. All your data in the cloud is secured, continuously monitored, and safeguarded against cyber attacks. Even in the event of a disaster, your data will be preserved thanks to redundant servers.

Overall, cloud storage is a rather secure option for storing your data, and it's not going away anytime soon.

Crucial US Military Emails Were Publicly Available

A US Department of Defense server was exposed, leaking private internal military emails online. Security researcher Anurag Sen discovered the unprotected server, which was "hosted on Microsoft's Azure federal cloud for Department of Defense customers," according to a TechCrunch report.

The vulnerable server was housed on Microsoft's Azure federal cloud, which is available to Department of Defense clients. This cloud uses servers that are physically isolated from those of commercial customers so that they can be used to share sensitive government information. The exposed server was a component of an internal mailbox system holding around three terabytes of internal military emails, many of them relating to USSOCOM, the US military organization responsible for carrying out special military operations.

Nevertheless, due to a misconfiguration, the server was left without a password, so anyone on the internet who knew the server's IP address could view its important mailbox data.

The server was filled with old internal military emails, a few of which contained private information about soldiers. A completed SF-86 questionnaire, which is filled out by government employees seeking a security clearance and contains extremely sensitive personal and health information for screening people prior to being cleared to handle classified information, was included in one of the disclosed files.

None of the limited data TechCrunch saw appeared to be classified, which would be consistent with the server belonging to USSOCOM's civilian network, since classified networks are unreachable from the internet. In addition to details regarding the applicant's employment history and prior living arrangements, the 136-page SF-86 form frequently includes details about family members, contacts abroad, and psychiatric data.

In short, a government cloud email server that was reachable over the web without a password was left publicly exposed, and the US government was notified about it. Using just a web browser, anyone could have accessed the private email data it held.

What's 6G & its Way Forward?

 

Mobile connectivity has come a long way since 1979 when NTT initiated the first generation of cellular networks in Tokyo. 2G and 3G quickly followed 1G. These were voice and text communication networks. The more recent 4G and 5G networks enabled advanced content and massive data consumption. 

By 2023, after more than four decades, mobile operators, telcos, and providers will be back at the design table, shaping the next generation of mobile networks: 6G. The term 6G refers to the sixth generation of mobile networks. Why do networks change? Technology advancements and the amount of data that must be transferred from data centers to devices have increased exponentially. Furthermore, networks improve in more ways than one. They reduce latency or delay as well as energy consumption during data transmissions while improving reliability, security, and performance.

5G networks will be widely available worldwide by 2023. The virtualization of network hardware, which is now operating in the cloud with Open RAN standards, is making deployment easier. However, 5G is expected to become obsolete soon as the digital and physical worlds integrate with virtual and augmented reality. Furthermore, the Internet of Things and Industrial IoT are gaining traction to support the fourth industrial revolution.

These new technologies, as well as the volume of data that must be instantly communicated between devices, necessitate a faster, more reliable, and more robust generation of mobile networks — enter 6G.

6G is still in its early stages of development and, like all mobile networks, will rely on radio transmissions. 6G is also anticipated to improve connectivity in rural and remote areas, thereby affecting populations affected by the digital divide. Because of its high capacity and low cost, the technology has the potential to connect the space and satellite sectors.

To outperform 5G in terms of capacity, latency, and connectivity, 6G will need to use new high-frequency bands, such as sub-terahertz bands above 100 GHz. These radio waves are more sensitive to obstacles, posing technological challenges that must still be addressed.

Antennas, nodes, edge centers, gateways, and Open RAN virtual machines running in the cloud are used to connect devices in engineering network areas. Because radio waves require a direct line of sight for transmission, several factors must be considered, including urban blockage, refraction, diffraction, scattering, absorption, and reflection of radio waves.

To overcome these challenges, the industry intends to build multipath environments in which these sensitive high-frequency waves can travel without losing strength, consuming too much power, or experiencing latency. AI computing applications will be critical in calculating the shortest and most optimal paths for 6G radio waves.

The Advantages of 6G

1. 6G provides improved connectivity: The most obvious and direct benefit of 6G is that it will boost connectivity by providing instantaneous communications for any device, including smartphones, computers, wearables, robotics, and IoT. 6G will connect industrial IoT devices and drive the fourth industrial revolution with a core structure of automation and intelligence in the industrial sector, which is undergoing digital acceleration by deploying smart factories, production, and distribution systems.

Improved connectivity will benefit every industry. Healthcare, remote and robotic surgery, and telehealth, for example, are expected to be transformed by 6G. Similarly, sectors such as finance, retail, manufacturing, and others that are undergoing significant digitalization and modernization will utilize 6G to continue disruptive transformations.

2. 6G will propel technological advancement: 6G mobile networks are a game changer in terms of innovation. Supercomputers, quantum computing, machine learning, AI, global cloud data centers, the metaverse, and new devices will be able to operate only with 6G connectivity.

3. 6G is low energy and efficient: Low energy consumption and energy efficiency are critical advantages of 6G. Organizations and businesses are aiming for net-zero emission targets and reducing energy consumption for economic and environmental reasons. The 6G energy economy has become appealing to all industries. Low-energy connections are also required to extend the battery life of IoT and mobile devices.

4. 6G has low latency: With its extremely low latency, 6G will benefit society. Latency is the amount of time it takes for a digital system to transfer data. The greater the amount of data, the greater the effort required by the network, and thus the greater the risk that latency climbs. However, thanks to 6G innovation, connectivity should be immediate.

Disadvantages of 6G

1. 6G is still in the early stages of development: 6G technology is currently in the development phase, which is its most significant disadvantage. While Nokia, NTT, and other companies have plans to test small 6G networks, these are only pilot projects. 6G is expected to be available globally by 2030. 

2. The initial investment costs for 6G are high: Another obstacle is demonstrating the value of 6G as a low-cost connectivity technology. In the long run, 6G may lower end-user costs compared to 5G, but the initial investment required globally to get there is massive. Other technical challenges include optimizing terahertz-sensitive frequency paths, stabilizing visible light communication technology, and optimizing the AI, ML, and advanced computing resources required to run these futuristic networks.

3. 6G necessitates a rethinking of traditional cybersecurity: The security of 6G networks is a top priority. With network redesign, cybersecurity and privacy features must be reimagined, strengthened, and adapted. Traditional cybersecurity methods will become obsolete, and developers will need to innovate in areas such as authentication, encryption, access control, communication, and malicious activity.

6G Is on the Rise

The 6G race is well underway, with leading global operators already entering testing phases. Without a doubt, 6G is a foregone conclusion. 6G, on the other hand, is not a one-man show. A diverse range of companies, organizations and developers must collaborate to create the next generation of connectivity.

The PoweRAT Malware Attacks PyPI Users

 

The software supply chain security company Phylum has discovered a malicious campaign using the PoweRAT backdoor and an information stealer that targets users of the Python Package Index (PyPI). The campaign was initially discovered on December 22, 2022, when PyroLogin, a malicious Python package made to retrieve code from a remote server and silently execute it, was found.

The EasyTimeStamp, Discorder, Discord-dev, Style.py, and PythonStyles packages all had code that was comparable to PyroLogin, and they were all released to PyPI between December 28 and December 31.

The infection chain starts with a setup.py file, which means that the malware is automatically deployed if the malicious packages are installed using Pip. The infection chain involves the execution of numerous scripts and the exploitation of legitimate operating system features.

Phylum examined the execution process and found attempts to evade static analysis as well as the use of obfuscation. While the malicious code is executed in the background, a message indicating that "dependencies" are being installed is displayed so as not to arouse the victims' suspicion.
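Because any setup.py runs as soon as pip builds the package, a defender's first check is to read it without executing it. The following Python static check is an added example (not Phylum's tooling or code from the article): it parses a setup.py with the ast module and flags setuptools install hooks, calls a legitimate installer rarely needs, and long whitespace-free string literals that usually hide an encoded blob. Both sample setup.py sources are constructed for the example; the "payload" is just a run of the letter A.

```python
import ast

# Calls that a legitimate setup.py almost never needs while pip builds a package.
# Seen next to an install hook, they are a strong signal of an install-time payload.
SUSPICIOUS_CALLS = {
    "exec", "eval", "compile", "__import__",
    "subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_output",
    "os.system", "os.popen", "os.startfile",
    "urllib.request.urlopen", "requests.get", "requests.post",
    "base64.b64decode", "base64.b85decode", "zlib.decompress",
}

# setuptools command classes a package can subclass to run code during "pip install".
INSTALL_HOOK_BASES = {"install", "develop", "egg_info", "build_py"}

# A long string literal with no whitespace is typically an encoded blob.
BLOB_MIN_LEN = 200


def _dotted_name(node):
    """Render a Name/Attribute chain such as subprocess.run as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None  # e.g. a call on the result of another call


def audit_setup_py(source):
    """Statically inspect setup.py source (never executing it) and return findings.

    Every finding carries the line number so a reviewer can jump straight to it.
    """
    tree = ast.parse(source)
    findings = {"suspicious_calls": [], "install_hooks": [], "blobs": []}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings["suspicious_calls"].append((node.lineno, name))
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                base_name = _dotted_name(base) or ""
                if base_name.rsplit(".", 1)[-1] in INSTALL_HOOK_BASES:
                    findings["install_hooks"].append((node.lineno, node.name, base_name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value
            if len(text) >= BLOB_MIN_LEN and not any(c.isspace() for c in text):
                findings["blobs"].append((node.lineno, len(text)))
    return findings


def should_block(findings):
    """Block the install when install-time code execution is combined with a
    dangerous call or an encoded blob; a single signal on its own is only a warning."""
    if not findings["install_hooks"]:
        return False
    return bool(findings["suspicious_calls"] or findings["blobs"])


# Constructed sample: an ordinary setup.py with no install hook.
BENIGN_SETUP = '''
from setuptools import setup, find_packages

setup(name="example-pkg", version="0.1.0", packages=find_packages())
'''

# Constructed sample mimicking the pattern described in the article: a decoy
# "installing dependencies" message, an encoded blob and an install hook that
# decodes it. The blob is a meaningless stand-in, not a payload.
SUSPICIOUS_SETUP = '''
import base64
import subprocess
from setuptools import setup
from setuptools.command.install import install

PAYLOAD = "@@BLOB@@"

class PostInstall(install):
    def run(self):
        print("Installing dependencies...")
        subprocess.run(["echo", base64.b64decode(PAYLOAD).decode()])
        install.run(self)

setup(name="example-pkg", version="1.0", cmdclass={"install": PostInstall})
'''.replace("@@BLOB@@", "A" * 240)


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        result = audit_setup_py(src)
        print(label, "block:", should_block(result), result)
```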

The infection chain also involves installing numerous potentially harmful programs, placing malicious code in the Windows Startup folder for persistence, and installing libraries that let the attackers manipulate, monitor, and record mouse and keyboard input.

Once the malware is installed on the victim's computer, it gives the attackers access to sensitive data such as browser cookies and passwords, digital currency wallets, Discord tokens, and Telegram data. The collected data is exfiltrated as a ZIP archive.

Additionally, the malware tries to download and install Cloudflare's command-line tunnel client (cloudflared), which lets the attackers reach a Flask app on the victim's machine without changing the victim's firewall.

Using the Flask app as a command-and-control (C&C) client, the attackers can run shell commands, download and execute remote files, and even execute arbitrary Python code in addition to extracting information like usernames, IP addresses, and machine specifics.

The malware, which combines the capabilities of an information thief and a remote access trojan (RAT), also has a feature that sends an ongoing stream of screenshots of the victim's screen to the attackers, enabling them to cause mouse clicks and button presses. Phylum named the malware PoweRAT instead of Xrat "because of its early reliance on PowerShell in the attack chain."

Phylum concludes, "This thing is like a RAT on steroids. It has all the basic RAT capabilities built into a nice web GUI with a rudimentary remote desktop capability and a stealer to boot! Even if the attacker fails to establish persistence or fails to get the remote desktop utility working, the stealer portion will still ship off whatever it found."

Can You Escape Cybersecurity? Maybe Not


Suppose you are part of an organization that has any form of an online presence. In that case, you will ultimately have to take initiative to look after the security of the systems, devices, and data. And if driven criminals, who frequently use cyber weaponry initially created by nation-states, do not make you care about your organization’s cybersecurity, regulators will. 

You Are Only as Safe as Your Suppliers 

In today’s interconnected world, many organizations still do not realize how they are intertwined with their suppliers. 

Almost all the software that organisations use is now hosted elsewhere, which is to say it no longer lives on their own systems. It runs on other servers, in data centers, or in cloud storage.

Moreover, as organizations' security shifts swiftly to the software-as-a-service (SaaS) model, their data becomes more exposed to unauthorized outside access, with the endpoint device – located somewhere that no one controls – serving as the terminal for that access.

In the wake of the recent trend of supply-chain attacks, or cyberattacks in general, organizations must realize the seriousness of engaging in efficient cybersecurity. 

We are listing below some of the measures an organization can seek, in order to alleviate the risk of malicious cyber activities in their systems: 

1. Recognize The Impact of a Cyberattack on Your Organization 

These are some of the questions an organization must be able to answer:

  • How can a cyberattack affect the organization’s goal?
  • How does it impact the outcomes the organization desires?
  • Can a cyberattack potentially change the outcomes that they aim to achieve on a monthly, quarterly, or annual basis?
  • What are the risks introduced by the cyberattack?
  • What are the organizational assets that are at risk?

If the organization does not acknowledge the impact of a cyberattack, it may assume that ticking only a few boxes on a “Ways to boost cybersecurity” list is enough to keep it safe. That holds only until some cybercriminal learns about the “crown jewel” that is critical to your organization but has been left vulnerable because its security was ignored.

2. Establish A Cybersecurity Training Process 

An organization can be kept secure by design if cybersecurity is included as early as possible in all business processes. However, cybersecurity training should not be conducted only once. Security awareness training must be integrated into daily work activities for cybersecurity to become ingrained in the employees' mindsets.

3. Identify The Potential Misuse of Your System 

A company's development roadmap is built around its customers' needs, while the ways its own software could be abused go unexamined. As a result, organizations may not realize how their software could in fact be misused.

Once a possible abuse is recognized, the company can begin eradicating or minimising it. Even at the earliest stages of design, threat modeling is an effective approach for identifying potential misuse.

4. Prioritize Cyber Security 

While the buzzword is “shift left,” prioritizing cybersecurity in the initial stage of a product’s life cycle would eventually aid in saving an organization’s time and money. 

While the developers are still adding code into their continuous integration/continuous deployment (CI/CD) platforms, analysis of the issues produced by the code and the third-party libraries used can assist in uncovering issues before they are baked in. 

The remaining vulnerabilities will be eliminated by dynamic inspections of security holes in the finished product. Additionally, having a DevSecOps team that is responsible for cybersecurity is essential when issues are found. 

The organizations thus should be in charge of not only establishing and maintaining code but also resolving any problems with cyber security.  

New Windows Server Updates Cause Domain Controller Freezes, Restarts

 

Microsoft is looking into LSASS memory leaks (caused by Windows Server updates released during the November Patch Tuesday) that may result in domain controller freezes and restarts. LSASS (Local Security Authority Subsystem Service) is in charge of enforcing security policies on Windows systems and managing access tokens, password changes, and user logins. 

If this service fails, logged-in users lose access to their Windows accounts on the machine and are presented with a system restart error followed by a system reboot. 

"LSASS might use more memory over time and the DC might become unresponsive and restart," Microsoft explains on the Windows Health dashboard.

"Depending on the workload of your DCs and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the uptime of your server and the server might become unresponsive or automatically restart."

Out-of-band Windows updates pushed out to address authentication issues on Windows domain controllers may also be affected by this known issue, according to Redmond. Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2 are all affected. Microsoft is working on a solution and promises an update in an upcoming release.

Workaround Available:

Until a fix for this LSASS memory leak issue is available, the company offers a workaround for IT administrators to work around domain controller instability. This workaround requires admins to set the KrbtgtFullPacSignature registry key (used to gate the CVE-2022-37967 Kerberos protocol changes) to 0 using the following command:

reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD

"Once this known issue is resolved, you should set KrbtgtFullPacSignature to a higher setting depending on what your environment will allow," Microsoft added.

"It is recommended to enable Enforcement mode as soon as your environment is ready. For more information on this registry key, please see KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967."

Redmond addressed another known issue that caused Windows Server domain controller reboots due to LSASS crashes in March. Microsoft fixed domain controller sign-in failures and other authentication issues caused by November Patch Tuesday Windows updates earlier this month with emergency out-of-band (OOB) updates.

Amazon, Microsoft Cloud Leaks Highlight Lingering Misconfiguration Issues

 

A slew of household names has recently been accused of misconfigured cloud storage buckets overflowing with unencrypted data, shedding light on a cybersecurity problem that appears to have no solution. Anurag Sen, a security researcher, revealed just last week that an Amazon server had exposed data on Amazon Prime members' viewing habits. 

During the same time period, Thomson Reuters admitted that three misconfigured servers had exposed 3TB of data via public-facing ElasticSearch databases, according to Cybernews, which first reported the issues. And Microsoft admitted in mid-October that it had left an open misconfigured cloud endpoint that could have exposed customer data such as names, email addresses, email content, and phone numbers.

"The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability," Microsoft said in its statement on the misconfigured server. "We are working to improve our processes to further prevent this type of misconfiguration and performing additional due diligence to investigate and ensure the security of all Microsoft endpoints."

Indeed, rather than bugs, the leaks are driven by a range of misconfigurations, ranging from insecure read-and-write permissions to improper access lists and misconfigured policies, all of which could enable threat actors to access, copy, and potentially alter sensitive data from accessible data stores.

"The main concern with this kind of leak is the high impact, and that is why the threat actors go after misconfigured storage [servers] and buckets," says Ensar Åžeker, CISO at SOCRadar, the cybersecurity firm that discovered the Microsoft issue. "Once they discover [the accessible data], the bucket might ... contain huge amounts of sensitive data for one tenant [or] numerous tenants."

According to Venafi, 81% of organizations have experienced a security incident related to their cloud services in the last 12 months, with nearly half (45%) experiencing at least four incidents. According to Sitaram Iyer, senior director of cloud-native solutions at Venafi, the increase in incidents is due to the increasing complexity of cloud-based and hybrid infrastructure, as well as a lack of visibility into that infrastructure.

"Yes, misconfigured cloud storage is one of the primary reasons for data leaks — I do believe that this is a trend," he says. "The increase in this trend is most often due to misconfiguration related to access controls: While only authorized users need to be allowed access to cloud storage, a simple mistake in configuration often enables [any] authenticated users to gain access."

Companies should monitor their cloud assets on a regular basis to detect when a datastore or storage bucket has been exposed to the public internet. Furthermore, using infrastructure-as-code (IaC) configuration files when deploying cloud storage not only automates deployments but also helps eliminate errors, according to data from Snyk, a maker of security services for the software supply chain.

According to the company, implementing IaC reduces cloud misconfigurations by 70%. The division of responsibilities between cloud providers and business customers remains an issue. While the customer is responsible for configuring cloud assets, Venafi's Iyer believes that the cloud service should make configuring cloud assets as simple as possible.

"Principle of least privilege must be adopted for every aspect of the data," he says. "Access to data must be provided as needed, with proper controls and authorization policies that tie it to a specific user or service account, and proper logging of access and notifications must be implemented."

An Amazon spokesperson told Dark Reading in a statement about the Prime Video case: "A Prime Video analytics server experienced a deployment error. This issue has been resolved, and no account information (including login or payment information) was compromised."

However, misconfiguration is not always the original sin; instead, a worker or developer will deploy a "shadow" server, a container or a storage bucket unknown to the IT department and thus unmanaged by the company.

Misconfigured storage has a long history of compromising security. The issue is frequently ranked among the top ten security issues in the popular Open Web Application Security Project (OWASP) Top 10 list. Security Misconfiguration rose to fifth place in 2021, from sixth place in 2017. Verizon Business' annual "Data Breach Investigations Report" also highlights the outsized impact of misconfigured cloud storage: In 2021, human errors accounted for 13% of all breaches.

Microsoft Exchange Online And Outlook Email Service Hit By Outage

 

Microsoft is investigating an ongoing outage affecting Microsoft 365 services after users experienced problems signing into, accessing, and receiving emails via the outlook.com gateway and Exchange Online. 

"We're investigating an issue with users accessing or experiencing degraded functionality when using Exchange Online and http://outlook.com services," Microsoft stated in a tweet via the company's official Twitter account for updates on Microsoft 365 services. 

Admins were also warned that further information about these ongoing issues may be found in the admin centre under EX401976 and OL401977. 

"We suspect there may be unexpected network drops which are contributing to the degraded experience and are reviewing diagnostic logs to understand why," the company added. 

While Redmond did not indicate the scope of the problem, hundreds of reports have been posted to DownDetector in the last 24 hours by Outlook and Exchange Online customers who were unable, or had difficulty, logging in or sending email. In an update to the Outlook.com online site, Microsoft also noted that Microsoft 365 subscribers may be unable to access the web portal or any of its features.

Microsoft explained, "Users may be unable to access or use outlook.com services or features. We're reviewing diagnostic information and support case data to understand the cause and establish a fix. We're investigating a potential issue and checking for impact to your organization. We'll provide an update within 30 minutes." 

Another Microsoft 365 outage occurred in June, affecting consumers worldwide who attempted to access Microsoft Teams and Exchange Online. Redmond rerouted traffic to another, healthy traffic management infrastructure and performed targeted infrastructure restarts to restore service access and functioning. On July 1, Microsoft stated it fixed the issue that caused this outage. 

"We identified a section of our network infrastructure that was performing below acceptable thresholds. We've rerouted connections to alternate infrastructure and that confirmed the issue is resolved," Redmond tweeted.

Raccoon Stealer is Back with a New Version

 

Bitdefender researchers recently observed that the RIG exploit kit was replacing Raccoon Stealer with the Dridex trojan as part of a campaign that began in January. The change in strategy came as a result of Raccoon Stealer briefly closing its doors in February. 

However, according to a recent assessment, the Raccoon Stealer is showing signs of life and is poised to make a significant comeback in the information stealer industry. Raccoon Stealer's operations were abruptly halted on March 25, 2022, after previously being sold on underground forums under the Malware-as-a-Service (MaaS) model since early 2019. 

The operations were stopped owing to the loss of a developer in the Russia-Ukraine conflict. At the time, the malware's profile on various forums stated that it is temporarily inaccessible and in the process of being upgraded. 

What is the most recent update? 

SEKOIA.IO investigators identified fresh actions on servers hosting the malware on June 10. They discovered multiple operational servers with a web page titled Raccoon Stealer 2.0 when looking for the stealer's management panels on the Shodan search engine. 

It is thought that the latest version has been available for purchase on Telegram since May 17. Following additional investigation, researchers discovered a new malware family known as RecordBreaker, which resembled Raccoon Stealer v2.

The malware was spreading in the wild. Raccoon Stealer v2 is built in C/C++ using the Windows API. It downloads legitimate third-party DLLs from its C2 servers. The new version inherits many of the prior version's capabilities.

These include, among other things, gathering browser and system information, taking screenshots, downloading files from drives and memory sticks, and harvesting bitcoin wallet data. 

The reappearance of well-known malware, such as Raccoon Stealer, is not a novel event in the threat environment. 

Despite setbacks, numerous malware families, including Conti and REvil, have previously made a strong return and continue to cause havoc throughout the world. As a result, companies must be aware of the tactics and techniques employed by information-stealer operators in order to prevent attacks.

Darknet Market ‘Versus’ Shutting Down After Critical Exploit Leak

 

The Versus Market, one of the most prominent English-speaking criminal darknet marketplaces, is shutting down after a severe vulnerability was discovered that might have given access to its database and disclosed the IP addresses of its servers. 

Dark web markets must keep their physical assets secret when performing illicit operations online; otherwise, their operators risk being identified and arrested. The same is true for users and vendors who must stay anonymous while utilising these unlawful sites. Anything that undermines their faith in the platform to secure their information makes it exceedingly dangerous. Apparently, after discovering these flaws, the Versus operators opted to pull the plug themselves, considering it too unsafe to continue. Versus debuted three years ago and quickly gained traction in the hacking world, offering drugs, coin mixing, hacking services, stolen payment cards, and exfiltrated databases. 

Versus went offline to undertake a security assessment, as the website claims it has done twice previously, in response to reports of serious problems or possibly a real compromise. Users were concerned that Versus was executing an exit scam, that the FBI had taken over the site, and other common assumptions that follow such sudden moves. However, the platform's operators soon reappeared, announcing the closure of the marketplace.

The following PGP-signed message was uploaded by a Versus staff member who is one of the major operators: "There is no doubt that there has been a lot of concern and uncertainty regarding Versus in the last few days. Most of you that have come to know us have rightfully assumed that our silence has been spent working behind the scenes to evaluate the reality of the proposed vulnerability. After an in-depth assessment, we did identify a vulnerability which allowed read-only access to a 6+-month-old copy of the database as well as a potential IP leak of a single server we used for less than 30 days. We take any and every vulnerability extremely seriously but we do think that it's important to contend with a number of the claims that were made about us."

"Specifically of importance: there was no server pwn and users/vendors have nothing to worry about as long as standard and basic opsec practices have been utilized (for example, PGP encryption). Once we identified the vulnerability, we were posed with a fork in the road, to rebuild and come back stronger (as we had done before) or to gracefully retire. After much consideration, we have decided on the latter. We built Versus from scratch and ran for 3 years."

The letter concludes with a note to platform providers, pledging to post a link allowing them to make transactions without time constraints, permitting the return of escrow amounts. 

Versus suffered an IP address leak in March 2020, and then in July 2020 a large Bitcoin theft from user wallets occurred. In both cases, the platform accepted responsibility for the errors and was extremely open about what had happened. As a result, Versus was able to grow into a significant marketplace in terms of user numbers and transaction volumes.

However, the operators most likely recognised that the risk of exposure was too great to continue. It remains to be seen over the coming weeks and months whether law enforcement has already exploited the current vulnerability.

Trend Micro Report on Purple Fox’s Server Infrastructure, Briefed

 

Purple Fox primarily targets SQL servers, rather than conventional computers, for its cryptocurrency-mining operations. This is largely attributable to the more capable hardware, both CPU and memory, that servers typically possess: to avoid performance problems, the CPU, memory and disk resources of SQL servers must scale with the database workloads they run.

These machines typically have significantly more computational power than standard desktop computers, and are usually outfitted with hardware such as the Intel Xeon line of CPUs, which achieves a considerably higher hash rate; this makes a server more attractive for coin mining than a typical desktop computer.

Because SQL databases provide many routes for executing operating system commands, Purple Fox has used a stealthier one: storing a binary in the SQL Server database so that it can be executed using TSQL commands.

Purple Fox used CLR Assemblies, a collection of DLLs that can be imported into a SQL Server, in its infection chain rather than the more common xp_cmdshell, which is monitored closely by cybersecurity experts. After the DLLs are imported, they can be bound to stored procedures that are executed from a TSQL script. The editions affected by this vector begin with SQL Server 2008.

This approach, which by default requires the system administrator role, runs as the SQL Server service account. An intruder can use this mechanism to build a .NET assembly DLL and then import it into the SQL server.

The attacker can also store an assembly in a SQL Server table, create a procedure that maps to a CLR method, and then execute the procedure. Other groups besides Purple Fox have reportedly used the CLR Assemblies technique in the past, including MrbMiner and Lemon Duck.

The C&C servers that have been utilized throughout the communication methods were compromised servers that are the components of the botnet that hosts Purple Fox's numerous payloads.

Both initial DNS queries are CNAMEs to subdomains within kozow[.]com, a free dynamic DNS service supplied by dynu[.]com. Such a service can be updated via an API to point to different IP addresses, a tactic the attacker uses to change the IP address frequently.

Researchers recommend the following procedures if anyone detects any suspicious behaviors connected to the Purple Fox botnet on a SQL server to eliminate any malicious leftovers of the infection. 

Examine all SQL Server Stored Procedures and Assemblies for any questionable assemblies that have not been identified by the DBAs. If any of these assemblies are found, they must be removed. 

Run the following TSQL script to remove the malicious CLR assembly remnants that were placed in the database:

-- [fscbd] is the assembly name given on the page; switch to the database that holds it first
USE [master]
GO
DROP ASSEMBLY [fscbd]
GO

Disable all unfamiliar accounts and change all passwords on the database server.

As a precaution, do not expose TCP port 1433 to untrusted networks. Furthermore, place SQL Server hosts behind a perimeter firewall in a DMZ with strict access controls.

Establish correct network micro-segmentation and zoning, as well as a zero-trust policy through your network security measures. 

Limit traffic to and from SQL servers. Because these servers serve a specialized purpose, they should only be allowed to interact with other trustworthy hosts. Access to the internet, both inbound and outbound, should be restricted.
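As an added example, not taken from the Trend Micro report or this page, the TSQL below carries out the first remediation step above: it shows whether CLR integration and xp_cmdshell are switched on, lists user-defined assemblies with their permission set, and lists the stored procedures and functions mapped onto them, which is where an unknown assembly would stand out to a DBA. It assumes SQL Server 2008 or later and is run in [master] and in each user database; the placeholder names in the final step are hypothetical.

```sql
-- Added defensive audit (not from the Trend Micro report or this page).
-- Assumes SQL Server 2008 or later; run it in [master] and in every user
-- database, since an assembly lives in the database it was created in.

-- 1. Server-level switches: CLR integration and xp_cmdshell.
--    value_in_use = 1 means the feature is enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'xp_cmdshell');

-- 2. User-defined assemblies with their permission set. UNSAFE_ACCESS lets
--    managed code call native APIs and spawn processes; EXTERNAL_ACCESS lets
--    it reach files and the network. Anything the DBAs did not create
--    deserves a closer look, especially if it was created recently.
--    The SHA-256 of the stored bytes can be compared against known samples
--    (SHA2_256 needs SQL Server 2012+; inputs over 8000 bytes need 2016+).
SELECT a.name                                AS assembly_name,
       a.permission_set_desc,
       a.create_date,
       a.modify_date,
       USER_NAME(a.principal_id)             AS owner_name,
       f.name                                AS file_name,
       DATALENGTH(f.content)                 AS size_in_bytes,
       HASHBYTES('SHA2_256', f.content)      AS sha256
FROM sys.assemblies a
JOIN sys.assembly_files f ON f.assembly_id = a.assembly_id
WHERE a.is_user_defined = 1
ORDER BY a.create_date DESC;

-- 3. Stored procedures and functions that map onto a CLR method. This is the
--    hook that lets a stored assembly be executed from a plain TSQL call.
SELECT OBJECT_SCHEMA_NAME(m.object_id) + '.' + OBJECT_NAME(m.object_id) AS routine_name,
       o.type_desc,
       a.name                                AS assembly_name,
       m.assembly_class,
       m.assembly_method,
       o.create_date
FROM sys.assembly_modules m
JOIN sys.objects    o ON o.object_id   = m.object_id
JOIN sys.assemblies a ON a.assembly_id = m.assembly_id
ORDER BY o.create_date DESC;

-- 4. Removal, once an assembly is confirmed malicious. Drop the dependent
--    routines found in step 3 first: DROP ASSEMBLY is refused while any
--    object still references the assembly. <routine> and <assembly> are
--    placeholders for the names returned above.
-- DROP PROCEDURE [dbo].[<routine>];
-- DROP ASSEMBLY [<assembly>];
```

Keep the output of steps 2 and 3 from a known-clean baseline so that later runs can be diffed rather than reviewed from scratch.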

Acer Confirms Breach After Cyber Attack on Indian Servers

 

A hacker group has claimed to have hacked Acer India's servers, with about 60GB of confidential information belonging to several million of the company's customers. 

According to a post on a prominent hacker site noticed by Privacy Affairs researchers, the group known as Desordern claimed to have acquired consumer information, business data, financial data, and information linked to recent company audits. 

According to the hackers, the breach includes information on several million Acer customers, the majority of which are from India. It appears to have happened on October 5, according to the most current date stated in the leaked databases. Desordern also stated that it will provide Acer with access to the database in order to substantiate the data and show the breach is legitimate. 

A sample of the data released for free which included information on over 10,000 people, was confirmed to be accurate and real by Privacy Affairs researchers, who were able to contact some of those impacted. Data belonging to millions more Acer customers will be available for a fee at a later date, as per the group. 

An Acer spokesperson told IT Pro, “We have recently detected an isolated attack on our local after-sales service system in India.” 

“Upon detection, we immediately initiated our security protocols and conducted a full scan of our systems. We are notifying all potentially affected customers in India.” 

The issue has been reported to local law enforcement and the Indian Computer Emergency Response Team, according to the spokesman, and there has been no substantial impact on the company's activities or business continuity. 

In March of this year, Acer was the victim of a $50 million ransomware assault carried out by the notorious ransomware group REvil. The group disclosed the Acer breach on its website, where it displayed photos of allegedly stolen information such as financial spreadsheets, bank communications, and bank balances. The vulnerability was thought to be connected to a Microsoft Exchange cyber-attack conducted by at least 10 hacker groups.