Showing posts with label Threat actor.

Iranian Threat Actor TA453 Targets Jewish Figure with Fake Podcast Invite in Malicious Campaign

 

A recent cyber campaign by the Iranian threat actor TA453 has drawn significant attention following their targeting of a prominent Jewish religious figure with a fake podcast interview invitation. The campaign, which began in July 2024, involved a series of deceptive emails promoting a supposed podcast titled “Exploring Jewish Life in the Muslim World.” The attackers masqueraded as representatives of the Institute for the Study of War (ISW), a legitimate American non-profit think tank focused on military and foreign affairs research. 

On July 22, 2024, TA453 initiated contact with the target by sending an email from an address claiming to represent ISW’s Research Director. The email invited the recipient to participate in the podcast, a lure that successfully engaged the target. After initial correspondence, TA453 sent a DocSend URL containing a password-protected text file with a legitimate ISW podcast link. Researchers from Proofpoint believe this initial interaction was intended to build trust with the target, making them more likely to click on malicious links in future communications. 

Following the initial lure, TA453 escalated their attack by sending a Google Drive URL that led to a ZIP archive. This archive contained a malicious LNK file, which, when opened, deployed the BlackSmith toolset, including the AnvilEcho PowerShell trojan. AnvilEcho is a sophisticated malware capable of intelligence gathering and data exfiltration. It employs encryption and network communication techniques to evade detection, integrating multiple capabilities within a single PowerShell script. The trojan’s command-and-control (C2) infrastructure is hosted on a domain linked to previous TA453 operations. 

AnvilEcho continuously fetches and executes commands from the remote server via its “Do-It” function, which handles various tasks, including network connectivity, file manipulation, screenshot capture, and audio recording. The “Redo-It” function, located at the end of the malware’s code, orchestrates these commands while also collecting system reconnaissance data such as antivirus status, operating system details, and user information. According to researchers, the activities of TA453 are likely aimed at supporting intelligence collection for the Iranian government, specifically the Islamic Revolutionary Guard Corps’ Intelligence Organization. 

The tactics employed in this campaign bear a strong resemblance to those used by the Charming Kitten advanced persistent threat (APT) group, another Iranian cyber espionage unit. This operation is a classic example of multi-persona impersonation, where threat actors leverage legitimate links to build trust with victims before launching more harmful attacks.

China-Backed Earth Baku Broadens Cyber Assaults to Europe, Middle East, and Africa

 

The China-backed threat actor Earth Baku has diversified its targeting footprint beyond the Indo-Pacific region to include Europe, the Middle East, and Africa starting in late 2022. Newly targeted countries include Italy, Germany, the U.A.E., and Qatar, with suspected attacks also detected in Georgia and Romania. Governments, media and communications, telecoms, technology, healthcare, and education sectors are among those singled out as part of the intrusion set.

Trend Micro researchers Ted Lee and Theo Chen, in an analysis published last week, noted that Earth Baku has updated its tactics, techniques, and procedures (TTPs) in more recent campaigns. The group uses public-facing applications such as IIS servers as entry points, then deploys sophisticated malware toolsets in the victim's environment. The findings build upon recent reports from Zscaler and Google-owned Mandiant, which also detailed the threat actor's use of malware families like DodgeBox (aka DUSTPAN) and MoonWalk (aka DUSTTRAP). Trend Micro tracks these under the names StealthReacher and SneakCross.

Earth Baku, a threat actor associated with APT41, has been known for its use of StealthVector as far back as October 2020. Their attack chains involve the exploitation of public-facing applications to drop the Godzilla web shell, which is then used to deliver follow-on payloads. StealthReacher has been classified as an enhanced version of the StealthVector backdoor loader, responsible for launching SneakCross, a modular implant and a likely successor to ScrambleCross that leverages Google services for its command-and-control (C2) communication.

The attacks are further characterized by the use of other post-exploitation tools such as iox, Rakshasa, and a Virtual Private Network (VPN) service known as Tailscale. Sensitive data exfiltration to the MEGA cloud storage service is accomplished by means of a command-line utility dubbed MEGAcmd. "The group has employed new loaders such as StealthVector and StealthReacher to stealthily launch backdoor components, and added SneakCross as their latest modular backdoor," the researchers stated.

"The persistence of Earth Baku is notable," said the researchers. "Their tactics show a sophisticated understanding of public-facing applications, allowing them to infiltrate various sectors with precision." They further explained that the group's post-exploitation tools are customized to fit specific operational needs, with iox and Rakshasa playing significant roles in maintaining prolonged access and stealth. Tailscale, the VPN service, ensures the attackers can manage their operations without detection, while MEGAcmd allows for efficient data exfiltration.

The continued evolution of Earth Baku's methods, including the introduction of new malware like SneakCross, highlights the growing complexity and threat posed by this actor. The group’s ability to adapt and refine their TTPs makes them a formidable adversary in the cyber landscape.

Hackers Claim Biggest Attack On UAE in History

The United Arab Emirates government was the target of a claimed large-scale data breach that has the cybersecurity industry on edge. The attacker, who goes by the username "UAE," has not been identified. In a post on BreachForums, the threat actor threatened to publish the data from the purported UAE hack unless a ransom of 150 bitcoins (about USD 9 million) is paid.

Major UAE government organizations including the Executive Council of Dubai, the Federal Authority for Nuclear Regulation, the Telecommunications and Digital Government Regulatory Authority, and important government programs like Sharik.ae and WorkinUAE.ae are among the victims of the purported attack. The UAE Space Agency, Ministry of Finance, and Ministry of Health and Prevention are among the other ministries impacted.

The threat actor released a few samples, claiming to have access to personally identifiable information (PII) belonging to different government personnel. These samples included the roles, genders, and email addresses of high-ranking individuals.

Hackers exposed samples from the UAE attack

The threat actor posted screenshots purporting to show internal data from multiple prominent UAE government agencies. The samples displayed personally identifiable information (PII) including names, roles, and contact data, which the actor presented as evidence of access to records of high-ranking government personnel.

If genuine, the samples raise questions about the safety of government employees and the integrity of national operations. The hacker's sudden appearance makes it harder to judge the accuracy of the claims, but it may also point to a high-risk situation.

Such a compromise might have serious repercussions for public safety, national security, and the UAE's economic stability. The world's cybersecurity community is keeping a careful eye on the events and highlighting the necessity of a prompt and forceful government probe to determine the full scope of the hack and minimize any possible harm.

Experts advise caution over the UAE attack claims

The hacker's sudden rise to prominence and lack of any track record or evidence of similar actions raise questions about the veracity of the claims.

There has been no independent confirmation of the breach so far, nor have the UAE government or the impacted agencies addressed the allegations. The Cyber Express team has contacted the Telecommunications and Digital Government Regulatory Authority (TDRA) in Dubai for further details.

The vast number of impacted organizations and the type of purportedly stolen data point to a very sophisticated and well-planned operation, which is inconsistent with the image of a lone, inexperienced hacker.

HelloKitty Ransomware Renames to 'HelloGookie,' Unveils CD Projekt and Cisco Data

 

The operator behind the HelloKitty ransomware has rebranded it as 'HelloGookie,' with passwords for previously leaked CD Projekt source code, Cisco network data, and decryption keys from earlier attacks being released.

Identified as 'Gookee/kapuchin0,' the threat actor claims to be the original creator of the now-defunct HelloKitty ransomware and timed the rebranding to coincide with the launch of a new dark web portal for HelloGookie. To mark the occasion, four private decryption keys were disclosed, enabling the recovery of files from previous attacks, alongside internal data stolen from Cisco in 2022 and passwords for the leaked CD Projekt source code.

Developers have already utilized the leaked Witcher 3 source code to compile the game, showcasing screenshots and videos of development builds. The leaked source code contains binaries to launch a developer build of Witcher 3, with efforts underway to compile the game from the source.

HelloKitty, initially launched in November 2020, garnered attention for targeting corporate networks, encrypting systems, and stealing data. Notably, the ransomware group breached CD Projekt Red in February 2021, encrypting servers and pilfering source code, including for Witcher 3.

In 2022, Yanluowang's data leak site was allegedly hacked, revealing conversations linking the group closely to the HelloKitty developer. Gookee/kapuchin0 subsequently leaked the HelloKitty builder and source code, signaling the end of operations. However, rebranded as HelloGookie, the threat actor has not disclosed new victims or evidence of recent attacks but released stolen data from prior breaches.

The leaked data includes NTLM hashes from Cisco's breach, indicating a closer relationship between HelloGookie and Yanluowang. Cisco acknowledged the incident, referring to a 2022 blog post by Cisco Talos detailing the security breach.

The future success and notoriety of HelloGookie remain uncertain, contrasting with the operational achievements of HelloKitty.

Lazy Koala: New Cyber Threat Emerges in CIS Region

 

Cybersecurity researchers at Positive Technologies Expert Security Center (PT ESC) recently uncovered a new threat actor they've named Lazy Koala. Despite lacking sophistication, this group has managed to achieve significant results.

The report reveals that Lazy Koala is targeting enterprises primarily in Russia and six other Commonwealth of Independent States countries: Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. Their victims belong to government agencies, financial institutions, and educational establishments. Their primary aim is to acquire login credentials for various services.

According to the researchers, nearly 900 accounts have been compromised so far. The purpose behind the stolen information remains unclear, but it's suspected that it may either be sold on the dark web or utilized in more severe subsequent attacks.

The modus operandi of Lazy Koala involves simple yet effective tactics. They employ convincing phishing emails, often written in the victims' native languages, to lure targets into downloading and executing attachments. These attachments contain basic password-stealing malware. The stolen files are then exfiltrated through Telegram bots, with the individual managing these bots being dubbed Koala, hence the group's name.

Denis Kuvshinov, Head of Threat Analysis at PT ESC, describes Lazy Koala's approach as "harder doesn't mean better." Despite their avoidance of complex tools and tactics, they manage to accomplish their objectives. Once the malware establishes itself on a device, it utilizes Telegram, a preferred tool among attackers, to exfiltrate stolen data.

PT ESC has notified the victims of these attacks, warning that the stolen information is likely to be sold on the dark web.

Hackers Use This New Malware to Backdoor Targets in Middle East, Africa and U.S

 

Various entities in the Middle East, Africa, and the United States have fallen victim to an unidentified threat actor orchestrating a campaign that distributes a recently discovered backdoor named Agent Racoon. According to Chema Garcia, a researcher at Palo Alto Networks Unit 42, the malware is written using the .NET framework and abuses the Domain Name System (DNS) protocol to establish a covert communication channel, over which it provides a range of backdoor functionality.

The targeted organizations hail from a range of sectors, including education, real estate, retail, non-profit, telecommunications, and government. Despite the lack of attribution to a specific threat actor, the campaign is suspected to be state-sponsored due to discernible victimology patterns and the utilization of sophisticated detection and defense evasion techniques. Palo Alto Networks is monitoring this threat cluster under the label CL-STA-0002. The exact method of infiltration and the timeline of the attacks remain unclear at this point.

The adversary employs additional tools alongside Agent Racoon, such as a customized version of Mimikatz named Mimilite and a novel utility known as Ntospy. The latter utilizes a custom DLL module implementing a network provider to pilfer credentials for a remote server. Notably, while Ntospy is employed across the affected organizations, Mimilite and Agent Racoon are specifically found in the environments of non-profit and government-related organizations.

Agent Racoon, executed through scheduled tasks, enables the execution of commands, uploading and downloading of files, all while camouflaging itself as Google Update and Microsoft OneDrive Updater binaries. The command-and-control (C2) infrastructure linked to the implant dates back to at least August 2020, with the earliest sample of Agent Racoon uploaded to VirusTotal in July 2022.

Unit 42's investigation revealed instances of successful data exfiltration from Microsoft Exchange Server environments, resulting in the theft of emails matching various search criteria. The threat actor has also been observed harvesting victims' Roaming Profiles. Despite these findings, the tool set associated with this campaign has not been definitively linked to a specific threat actor and appears to extend beyond a single cluster or campaign, according to Garcia.
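The post notes that Agent Racoon tunnels its command-and-control traffic over DNS. From a defender's side, the practical question is how such a channel shows up in resolver logs. The following is an added example, not code from Unit 42 or from the post: a small heuristic scorer that reads a constructed resolver log (the log format, thresholds and the domains are assumptions) and flags client/domain pairs whose queries look like encoded data rather than name lookups: long, high-entropy leftmost labels, almost no repeated subdomains, and record types such as TXT that carry bulky answers.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (hypothetical; not taken from Unit 42's report).
# Each line: <timestamp> <client_ip> <query_type> <query_name>
SAMPLE_LOG = """\
2024-01-10T09:00:01Z 10.0.0.5 A www.example.com
2024-01-10T09:00:02Z 10.0.0.5 A cdn.example.com
2024-01-10T09:00:03Z 10.0.0.5 A www.example.com
2024-01-10T09:00:04Z 10.0.0.5 A mail.example.com
2024-01-10T09:00:05Z 10.0.0.5 A www.example.com
2024-01-10T09:00:06Z 10.0.0.9 TXT _dmarc.example.com
2024-01-10T09:00:07Z 10.0.0.7 TXT abcdefghijklmnopqrstuvwxyz234567.c2.example.org
2024-01-10T09:00:08Z 10.0.0.7 TXT 234567abcdefghijklmnopqrstuvwxyz.c2.example.org
2024-01-10T09:00:09Z 10.0.0.7 TXT zyxwvutsrqponmlkjihgfedcba765432.c2.example.org
2024-01-10T09:00:10Z 10.0.0.7 TXT mnopqrstuvwxyzabcdefghijkl234567.c2.example.org
2024-01-10T09:00:11Z 10.0.0.7 TXT 765432zyxwvutsrqponmlkjihgfedcba.c2.example.org
2024-01-10T09:00:12Z 10.0.0.7 TXT ghijklmnopqrstuvwxyzabcdef234567.c2.example.org
this line is malformed and must be skipped
"""


def shannon_entropy(text):
    """Bits per character: encoded payload data scores high, ordinary host names score low."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one log line into a record; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname.rstrip(".").lower()}


def base_domain(qname):
    """Assumption: the registrable domain is the last two labels. A public-suffix list
    would be needed for names such as example.co.uk; this is enough for the sample."""
    return ".".join(qname.split(".")[-2:])


def analyze_dns_log(log_text, min_queries=5, long_label=30, entropy_bits=3.5, ratio=0.5, flag_score=3):
    """Score each (client, base domain) pair on tunnelling indicators and return the flagged ones."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "long": 0, "high_entropy": 0, "bulky_types": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        base = base_domain(rec["qname"])
        s = stats[(rec["client"], base)]
        s["queries"] += 1
        sub = rec["qname"][: -len(base)].rstrip(".")  # everything left of the base domain
        if sub:
            s["subdomains"].add(sub)
            first = sub.split(".")[0]  # leftmost label is where encoded data usually goes
            if len(first) >= long_label:
                s["long"] += 1
            if shannon_entropy(first) >= entropy_bits:
                s["high_entropy"] += 1
        if rec["qtype"] in ("TXT", "NULL", "CNAME"):  # record types that can carry large responses
            s["bulky_types"] += 1

    findings = []
    for (client, base), s in stats.items():
        n = s["queries"]
        if n < min_queries:  # too little data to judge
            continue
        score = 0
        if len(s["subdomains"]) / n >= 0.8:  # almost every query is a never-seen subdomain
            score += 1
        if s["long"] / n >= ratio:
            score += 1
        if s["high_entropy"] / n >= ratio:
            score += 1
        if s["bulky_types"] / n >= ratio:
            score += 1
        if score >= flag_score:
            findings.append({"client": client, "base_domain": base, "queries": n, "score": score})
    findings.sort(key=lambda f: (-f["score"], f["client"]))
    return findings


if __name__ == "__main__":
    for f in analyze_dns_log(SAMPLE_LOG):
        print(f"{f['client']} -> {f['base_domain']}: {f['queries']} queries, score {f['score']}")
```

The scoring is deliberately coarse: each indicator alone produces false positives (CDNs and anti-spam services also use long hashed labels), so the pair has to trip several at once before it is reported. Tune `min_queries` and the ratios against a baseline of the organisation's own traffic before using the output for alerting.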

Ransomware Shakes ICBC: Global Financial Markets on High Alert

In a startling turn of events, Wall Street was rocked by a devastating ransomware attack on the Industrial and Commercial Bank of China (ICBC), China's biggest lender. The attack disrupted trading and drew attention to the growing threat of cybercrime in the financial sector.

The attack, which targeted ICBC, was not only a significant blow to the bank but also had far-reaching implications on the global financial landscape. Wall Street, closely intertwined with international markets, experienced a temporary halt in trade as the news of the cyber assault reverberated across financial news outlets.

The ransomware attack on ICBC serves as a stark reminder of the vulnerability of even the most robust financial institutions to sophisticated cyber threats. The attackers, exploiting weaknesses in ICBC's cybersecurity infrastructure, managed to compromise critical systems, causing widespread disruptions and raising concerns about the broader implications for the global financial ecosystem.

As information about the attack unfolded, reports indicated that ICBC struggled to contain the breach promptly. The incident prompted regulatory bodies and financial institutions worldwide to reevaluate their cybersecurity measures, recognizing the urgent need for robust defenses against evolving cyber threats.

The consequences of such attacks extend beyond financial disruptions. They underscore the importance of collaborative efforts among nations and private enterprises to strengthen global cybersecurity frameworks. The interconnected nature of the modern financial system demands a united front against cyber threats, with a focus on information sharing, technological innovation, and proactive defense strategies.

In the aftermath of the ICBC attack, financial markets witnessed increased scrutiny from regulators, urging institutions to fortify their cybersecurity postures. This incident serves as a wake-up call for the industry, emphasizing the need for continuous investment in cybersecurity measures, employee training, and the adoption of cutting-edge technologies to stay ahead of evolving threats.

The broader implications of the ICBC ransomware attack are not limited to the financial sector alone. They underscore the need for a collective and proactive approach to cybersecurity across industries, as cyber threats continue to grow in scale and sophistication. As nations and businesses grapple with the aftermath of this attack, it becomes increasingly evident that cybersecurity is a shared responsibility that transcends borders and industries.

Malware Surge in Google Play: A Threat to Millions

In an era dominated by digital services, smartphone users largely rely on app stores to download software and assume the apps there have been vetted. New information has revealed an increasingly serious problem: malware has infiltrated the Google Play Store, endangering millions of users.

According to a report by Kaspersky, over 600 million malicious app downloads were recorded in 2023 alone, exposing the vulnerability of one of the world's largest app marketplaces. The malware, often disguised as seemingly harmless applications, has successfully bypassed Google's security protocols, raising questions about the effectiveness of current preventive measures.

The malware threat is not new, but the scale and audacity of recent attacks are alarming. Cybercriminals are exploiting popular and common apps to spread malware, as highlighted in a detailed investigation by The Hindu. By injecting malicious code into seemingly innocuous apps, these cybercriminals trick users into downloading and installing malware unknowingly, leading to potential data breaches, identity theft, and other serious consequences.

Google's response to this issue has come under scrutiny, especially considering its claim to have stringent security measures in place. The tech giant's inadvertent approval of malware-infected apps has been dubbed a "goof-up" by experts. Firstpost reported that Google's failure to detect and remove these malicious apps in a timely manner has allowed them to accumulate a staggering number of downloads.

The implications of this cybersecurity lapse extend beyond individual users to corporations and organizations relying on Google Play Store for distributing enterprise applications. The potential for malware to infiltrate corporate networks through compromised devices is a significant threat that cannot be ignored.

Users and tech businesses alike have a responsibility to put cybersecurity first as we navigate an increasingly digital world. When downloading apps, users should be cautious and watchful, making sure to confirm the legitimacy of the developers and carefully reviewing the permissions of each app. To protect their users, digital companies must simultaneously make investments in stronger security measures, evaluate apps carefully, and take prompt action to eliminate any threats that are found.

The rise in malware within the Google Play Store serves as a stark reminder that no digital platform is immune to cyber threats. It is imperative for the tech industry to collaborate and innovate continuously to stay ahead of cybercriminals, ensuring the safety and security of the ever-expanding digital ecosystem. The onus is on all stakeholders to collectively address this escalating challenge and fortify the defenses of our digital future.

TA866 Threat Actor: Python Malware Targets Tatar-language Users


Cybersecurity researchers have discovered new Python malware targeting Tatar-speaking users. Tatar is a Turkic language spoken mostly by Tatars, an ethnic group based in Russia and neighbouring countries.

The Python malware, analysed by Cyble, captures screenshots on targeted systems and transfers them to a remote server over FTP (File Transfer Protocol).

FTP enables files and folders to be transferred from a host (targeted system) to another host via a TCP-based network, like the Internet. 

The threat actors behind the campaign are the notorious TA866, which has a history of targeting Tatar language speakers and utilizing Python malware to conduct their operations. 

How Does TA866 Use Python Malware? 

According to CRIL, TA866's use of this new Python malware coincided with Tatar Republic Day, with the attacks continuing until the end of August.

The report claims that the threat actor known as TA866 uses a PowerShell script "responsible for taking screenshots and uploading them to a remote FTP server."

The threat actors use phishing emails to reach their victims. These emails carry a malicious RAR archive as an attachment.

The archive contains two seemingly innocuous files: a video file and a Python-based executable masquerading as an image file with a double extension.

  • Once executed, the loader starts a chain of events. It downloads a ZIP file from Dropbox that contains two PowerShell scripts and an additional executable file.
  • These scripts create a scheduled task that runs the malicious executable.

Proofpoint tracks the threat actor's financially motivated activity under the name "Screentime."

TA866 Threat Actors and Their Use of Custom Hacking Tools

The hackers are able to conduct these complex attacks because they have successfully developed their own sophisticated tools and services. Notably, the financially motivated threat actor TA866 has been connected to similar operations targeting German and American organizations.

CRIL claims that the threat actor infects the victim's computers with the Python tool via the RAR file. However, it must first travel through a chain of infections before it can launch the final payload. This includes making use of Tatar-language filenames to hide. 

The threat actor employs a malicious application that shows the victims a message while covertly running PowerShell scripts to take screenshots and send them to an FTP site. 

The subsequent step of TA866 involves the deployment of further malicious software, which may include the Cobalt Strike beacon, RATs (Remote Access Trojans), stealers, and other harmful programs.

Considering the sophisticated payloads and malware used in the attacks, it can be concluded that it is definitely not a rookie organization, but a group of skilled cybersecurity personnel, including experts in designing advanced malware strains and payloads.  

Mass Layoffs and Corporate Security Risks

 

Mass layoffs have become increasingly common in recent years as companies look to cut costs and remain competitive. While these layoffs can provide short-term financial benefits, they can also create new risks for corporate security.

One of the key vulnerabilities of mass layoffs is that they can lead to disgruntled employees who may be motivated to engage in malicious activity. This can include stealing sensitive information or launching cyber attacks against their former employer.

Another potential risk of mass layoffs is that they can lead to a loss of institutional knowledge. When key employees are let go, they may take critical knowledge and expertise with them. This can make it difficult for companies to maintain their security posture and respond effectively to new threats.

To mitigate these risks, it is important for companies to have robust security measures in place before conducting mass layoffs. This can include implementing access controls and monitoring systems to detect and prevent unauthorized access to sensitive data.

In addition, companies should provide training and resources to remaining employees to help them identify and respond to potential security threats. This can include educating employees about phishing scams, social engineering tactics, and other common methods used by cyber criminals.

The Cybersecurity and Infrastructure Security Agency (CISA) has also been pressuring tech vendors to ship secure software out of the box. This can help to reduce the risk of security vulnerabilities in software products that may be used by companies during mass layoffs.

It is important for companies to carefully consider the potential security risks associated with mass layoffs and take proactive steps to mitigate those risks. By implementing robust security measures and providing ongoing training and resources, companies can help to protect their sensitive data and maintain their security posture in the face of new threats.
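The post's advice to have access controls and monitoring in place before a layoff comes down, in practice, to one recurring check: are accounts of departed staff actually gone? The following is an added example, not code from the post: it reconciles a constructed HR termination export against a constructed identity-provider account export (both formats, the column names and the 24-hour grace period are assumptions) and lists every departed user who is still enabled, has logged in after their termination date, or still holds API tokens.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample exports (hypothetical data, not from any real company).
HR_TERMINATIONS_CSV = """\
employee_id,username,termination_date
1001,jdoe,2024-03-01
1002,asmith,2024-03-01
1003,bwong,2024-03-15
"""

IDP_ACCOUNTS_CSV = """\
username,enabled,last_login,api_tokens
jdoe,true,2024-03-04T08:12:00Z,2
asmith,false,2024-02-27T17:40:00Z,0
bwong,true,2024-03-10T09:00:00Z,0
clee,true,2024-03-18T11:05:00Z,1
"""


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def _utc(dt):
    return dt.replace(tzinfo=timezone.utc)


def find_lingering_access(hr_csv, idp_csv, as_of, grace_hours=24):
    """Return the departed users whose access was not fully revoked, with the reasons."""
    terminated = {
        row["username"]: _utc(datetime.fromisoformat(row["termination_date"]))
        for row in parse_csv(hr_csv)
    }
    findings = []
    for acct in parse_csv(idp_csv):
        user = acct["username"]
        if user not in terminated:
            continue  # still employed; not in scope for this check
        term_date = terminated[user]
        deadline = term_date + timedelta(hours=grace_hours)
        enabled = acct["enabled"].strip().lower() == "true"
        last_login = _utc(datetime.strptime(acct["last_login"], "%Y-%m-%dT%H:%M:%SZ"))
        tokens = int(acct["api_tokens"])

        issues = []
        if enabled and as_of > deadline:
            issues.append("account still enabled past grace period")
        if last_login > term_date:
            issues.append("login recorded after termination date")  # worth an incident ticket, not just cleanup
        if tokens > 0:
            issues.append(f"{tokens} API token(s) still issued")  # tokens survive a password reset
        if issues:
            findings.append({"username": user, "termination_date": term_date.date().isoformat(), "issues": issues})
    findings.sort(key=lambda f: (-len(f["issues"]), f["username"]))
    return findings


if __name__ == "__main__":
    now = datetime(2024, 3, 20, tzinfo=timezone.utc)  # constructed "run date"
    for f in find_lingering_access(HR_TERMINATIONS_CSV, IDP_ACCOUNTS_CSV, now):
        print(f"{f['username']} (terminated {f['termination_date']}): " + "; ".join(f["issues"]))
```

Run this on a schedule during and after a layoff window and route the "login after termination" finding to the incident queue rather than the helpdesk: a disabled account that still authenticates means either the disable never reached that system or someone is using a credential that should no longer work.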



Managing Privileges is Essential Security Strategy

In order to stop increasingly sophisticated hacker assaults, having a system that regulates privileged access is crucial. Therefore, one must integrate privilege removal into their cyber strategy to ensure secure protection without loopholes.

Privileged access: What Is It?

Privileged access occurs when an entity carries out a system's technical maintenance, changes, or emergency work during outages using an administrative account or a credential with elevated permissions. This can happen on-site or in the cloud. In this context, technical privileges are distinct from high-risk entitlements connected to business operations. For all essential use cases, PAM controls ensure that privileges, including related mechanisms such as privileged accounts or credentials, are used only in permitted target systems.

According to several institutions, safeguarding administrator passwords in a password vault entails securing privileged identities. In reality, a comprehensive plan that addresses what qualifies as a privileged action is required.

Eliminating privileges will safeguard one against attacks

Around 80% of breaches involve the abuse of privileges, according to Verizon's Data Breach Investigations Report 2022.

Hackers obtain privileged passwords from connected devices, local repositories, and more. As a result, every company's defensive plan should include reducing privilege. A hacker must complete several steps to carry out a cyber-attack. First they break into the company's systems; then they attempt to escalate privileges or move laterally, probing until they find new privileges that offer more access; and finally they carry out the attack itself.

Hence, robbing a hacker of their privileges through PAM stops them from moving on to the next stage. No matter how they entered, if they are unable to pass through, the attack fails. Employing privilege elimination will also defend against a variety of attacks.




After a Vendor Hack, FanDuel Warns of a Data Breach

 


A security breach has been detected at FanDuel's sportsbook and betting site, which exposed customers' names, email addresses, and payment information. This occurred in January 2023, when MailChimp's security was breached. A security advisory urges users to be wary of phishing emails and stay vigilant against them. 

According to an announcement on MailChimp's website, hackers stole an employee's credentials through a social engineering attack on January 13th.

To steal the "audience data" of 133 users, the threat actors used these credentials to log in to an internal MailChimp tool and access customer support and administration information. 

It is worth noting that the audience data differs from one MailChimp customer to another. Generally, however, it contains the names and email addresses of customers, or potential customers, who receive marketing emails about the products and services they are interested in.

Following the MailChimp breach, FanDuel sent an email to its customers last Thursday informing them that their information had been exposed in the attack.

In a notice titled 'Notice of Third-Party Vendor Security Incident,' FanDuel said it had been informed by an outside technology vendor, which sends transactional emails on behalf of clients such as FanDuel, that the vendor had recently suffered a security breach within its systems that affected several of its clients.

FanDuel's vendor confirmed on Sunday evening that unauthorized individuals gained access to the names and email addresses of customers registered on FanDuel's site. No passwords for individual accounts or financial information were leaked in this incident. 

According to FanDuel, the breach was not a breach of their servers or the personal information of FanDuel users, and the hackers did not acquire any "passwords, financial account information, or other sensitive information" as a result of the breach. 

Even though the notification to BleepingComputer did not specify which third-party vendor had been breached, FanDuel has confirmed that MailChimp was the source of the breach to BleepingComputer. 

Following the breach, FanDuel is encouraging its customers to "remain vigilant" against phishing attacks and attempts to take over their accounts.

A FanDuel security incident email warns, "Be aware that emails that claim to be from FanDuel may pose a problem with your account that requires you to provide unique or personal information to resolve it." People should remain vigilant against email "phishing" attempts. 

FanDuel says it will never email customers directly asking for personal information to resolve an account issue.

As well as warning customers about the importance of updating their passwords frequently, FanDuel also wants customers to know that they should enable multi-factor authentication (MFA) on their accounts and avoid clicking on links within password reset attempts that don't originate from them. 

The stolen MailChimp data has not yet been used in an attack. There are no indications that it will be used in such an attack. However, in the past, malicious actors have abused this type of stolen data in phishing attacks. 

There was a security breach of MailChimp in April 2022, which led to threat actors stealing marketing email data for the Trezor smart wallet, a hardware wallet.  

That data was then used in a phishing campaign aimed at stealing cryptocurrency wallets: fake data breach notifications lured victims into installing malicious software.

Furthermore, FanDuel accounts are increasingly becoming a target of credential stuffing attacks, with threat actors actively targeting the account of customers through this method [1,2,3]. 

A cybercrime marketplace can sell these accounts for as little as $2 or as much as $7. This depends on the account's balance or the payment information it has been linked to. 

Enabling multi-factor authentication with an authenticator app on your FanDuel account makes the account much harder to steal, even if an attacker obtains the customer's credentials.

Credential stuffing works because people reuse passwords: once a threat actor obtains login credentials from a breach of one site, they replay those credentials against other websites to take over the victim's accounts there and steal their data.

For this reason, you should use a password manager and create a unique password for every site you log in to. This ensures that a breach on one website does not affect your accounts anywhere else.
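As an added example of what the credential stuffing described above looks like from the defender's side (this is not FanDuel's or BleepingComputer's code), the following Python flags source IPs that try many distinct usernames in a short window with a low success rate. The log format, the sample lines and the thresholds (5 distinct usernames in 5 minutes, success rate at or below 50%) are constructed for illustration.

```python
"""Flag credential-stuffing sources in web login logs.

Added example, not FanDuel's or BleepingComputer's code: the log format,
the sample lines, and the thresholds (5 distinct usernames in 5 minutes
with a success rate at or below 50%) are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <client_ip> <username> <result>".
# 203.0.113.7 tries one password per username (a leaked list being
# replayed); one of the replayed passwords still works for dave.
# 198.51.100.9 is a real user mistyping once. 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2023-01-20T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-01-20T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-01-20T10:00:02Z 203.0.113.7 carol@example.com FAIL
2023-01-20T10:00:03Z 203.0.113.7 dave@example.com SUCCESS
2023-01-20T10:00:04Z 203.0.113.7 erin@example.com FAIL
2023-01-20T10:00:05Z 203.0.113.7 frank@example.com FAIL
2023-01-20T10:05:00Z 198.51.100.9 alice@example.com FAIL
2023-01-20T10:05:30Z 198.51.100.9 alice@example.com SUCCESS
2023-01-20T11:00:00Z 192.0.2.44 grace@example.com SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user, result == "SUCCESS"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.5):
    """Return {ip: summary} for IPs that, inside some `window`, tried at
    least `min_users` distinct usernames with a low success rate.

    One user retrying their own password fails the distinct-username
    test; a tool replaying a leaked list fails the success-rate test,
    because most leaked passwords no longer work on this site.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    suspects = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until it spans at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            current = attempts[start:end + 1]
            users = {user for _, user, _ in current}
            if len(users) < min_users:
                continue
            successes = [user for _, user, ok in current if ok]
            if len(successes) / len(current) <= max_success_rate:
                suspects[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(current),
                    # accounts whose reused password still worked: these need
                    # a forced password reset, not just a blocked IP
                    "compromised": sorted(set(successes)),
                }
                break
    return suspects


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The "compromised" list is the important output: blocking the source IP stops the current run, but the accounts that accepted a replayed password are already known-good to the attacker and need a reset and an MFA prompt.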

Roaming Mantis Malware Adds Router DNS Changer


Threat actors linked to the Roaming Mantis attack group have been observed distributing an updated version of their own mobile malware, Wroba, to compromise Wi-Fi routers and hijack their Domain Name System (DNS) settings.

Kaspersky found that the DNS changer only targets routers made by a well-known South Korean network equipment manufacturer and located in that country.

Researchers have been tracking the Roaming Mantis malware distribution and credential theft campaign since September 2022. The campaign uses an updated version of the Android malware Wroba.o/XLoader to identify vulnerable Wi-Fi routers by model and modify their DNS settings.

Once the router's DNS settings have been altered, every Android device that connects to the Wi-Fi network is redirected to the malicious landing page and prompted to install the malware. This creates a self-sustaining loop: each newly infected device can in turn compromise the next Wi-Fi router it connects to, including routers on public networks that serve large numbers of users.

The attacks use smishing (SMS phishing) messages as their primary intrusion vector, delivering a booby-trapped URL that, depending on the mobile device's operating system, either serves a malicious APK or redirects the user to a phishing page.

Although there are no landing pages for US targets and Roaming Mantis does not appear to target US router models, Kaspersky's telemetry shows that 10% of all XLoader victims are in the United States.

According to the researchers, the DNS changer was built primarily to target Wi-Fi routers in South Korea, but Roaming Mantis victims have also been observed in France, Japan, Germany, the US, Taiwan, Turkey and other countries.

To protect an internet connection from this kind of malware, Kaspersky's experts advise consulting the router's user manual to verify that its DNS settings have not been modified, or contacting the ISP for assistance. They also advise updating the router's firmware regularly from the official source, changing the default username and password for the admin web interface, and never installing router firmware from third-party repositories or other unofficial sources.

HHS Warns, Karakurt Ransomware Group Targeting Healthcare Providers


The US Department of Health and Human Services Cybersecurity Coordination Center (HC3) recently issued a warning about rising Karakurt activity against the healthcare sector. The department has now issued a further warning about Evil Corp attacks.

According to the alert, Evil Corp is believed to be obtaining intellectual property from the US healthcare sector on behalf of the Russian government. Evil Corp's Dridex trojan is capable of compromising the confidentiality and availability of operational systems and data, including financial and health data.

The threat actor has repeatedly changed its tactics in order to evade sanctions imposed by the US government, and has caused millions of dollars in damage.

Evil Corp has a plethora of tools and techniques at its disposal, frequently combined with commodity malware and living-off-the-land tactics. HC3 is also concerned because nation-state-sponsored threat actors such as Evil Corp see data exfiltration as a cost-effective way to steal intellectual property.

In addition, Evil Corp makes no distinction between large and small organisations, targeting wherever there is an opportunity. Karakurt, according to HC3, has compromised at least an assisted living facility, a healthcare provider, a hospital and a dental clinic. The group has even turned its leak site into a searchable database, making it easier to find victims.

The healthcare sector has long been a favourite target of cybercriminals, and this has only intensified since the onset of the pandemic. Various threat groups target the sector on a regular basis, so putting the necessary security measures in place is strongly advised.

Microsoft: Large-Scale AiTM Phishing Attacks Against 10K+ Organizations


Microsoft has identified a large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack users' sign-in sessions and bypass authentication even when the victim had enabled MFA. More than 10,000 organisations were targeted.

In AiTM phishing, the threat actors place a proxy server between the target user and the website the user wants to access; the phishing site the attackers control is that proxy. Because every request and response passes through it, the proxy lets the attackers capture the target's password and, crucially, the session cookie the legitimate site issues once authentication has completed.

After obtaining the credentials and session cookies needed to access users' mailboxes, the threat actors launched business email compromise (BEC) attacks against other targets. Microsoft's researchers believe the AiTM phishing campaign has targeted more than 10,000 organisations since September 2021.

Phishing using AiTM

The landing pages used in this campaign targeted the Office 365 authentication process by impersonating the Office Online authentication page. Microsoft's researchers found that the campaign's operators used the Evilginx2 phishing kit as their AiTM infrastructure. In several of the attacks they observed, the threat actors sent phishing emails with an HTML file attachment; the message claimed the recipient had a voice message in order to trick them into opening the file.
The analysis published by Microsoft states, “This redirector acted as a gatekeeper to ensure the target user was coming from the original HTML attachment. To do this, it first validated if the expected fragment value in the URL—in this case, the user’s email address encoded in Base64—exists. If the said value existed, this page concatenated the value on the phishing site’s landing page, which was also encoded in Base64 and saved in the “link” variable.”

“By combining the two values, the succeeding phishing landing page automatically filled out the sign-in page with the user’s email address, thus enhancing its social engineering lure. This technique was also the campaign’s attempt to prevent conventional anti-phishing solutions from directly accessing phishing URLs.” 
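As an added example for analyst triage of the redirector described in the quoted passage above (this is not code from Microsoft's report or from the Evilginx2 kit), the following Python recovers the targeted e-mail address from a reported lure URL. The sample URLs are constructed, and treating only fragments that decode to an e-mail address as hits is this example's own heuristic.

```python
"""Recover the targeted address from an AiTM lure URL whose fragment
carries the victim's e-mail encoded in Base64.

Added example for analyst triage, not code from Microsoft's report or
from the Evilginx2 kit: the sample URLs are constructed, and treating
only fragments that decode to an e-mail address as hits is this
example's own heuristic.
"""
import base64
import binascii
import re
from urllib.parse import urlsplit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed lure: the fragment is Base64 for "victim@contoso.example".
SAMPLE_LURE = ("https://redirector.example/voicemail.html"
               "#dmljdGltQGNvbnRvc28uZXhhbXBsZQ==")


def decode_fragment(url):
    """Return the e-mail address carried in the URL fragment, or None.

    Everything after '#' stays in the browser and is never sent to the
    server. That is why a URL scanner that fetches the link reaches the
    redirector without the value it expects and never sees the phishing
    page, while the victim's browser, running the redirector's script,
    does.
    """
    fragment = urlsplit(url).fragment
    if not fragment:
        return None
    padded = fragment + "=" * (-len(fragment) % 4)   # tolerate stripped '='
    try:
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None   # not Base64 at all, e.g. an ordinary '#section' anchor
    return decoded if EMAIL_RE.fullmatch(decoded) else None


def targeted_users(urls):
    """Map each reported URL to the address it was personalised for (or None)."""
    return {url: decode_fragment(url) for url in urls}


if __name__ == "__main__":
    for url, target in targeted_users([SAMPLE_LURE]).items():
        print(target, "<-", url)
```

Because the fragment identifies the intended victim, a reported lure tells you exactly which mailbox to check for a completed sign-in; it also explains why a detonation sandbox that fetched the URL reported "nothing happened".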

After capturing the session cookie, the attackers inserted it into their own browser to bypass the authentication process, even when the recipient had enabled MFA for their account. Microsoft advises organisations to make their MFA deployment "phish-resistant" by using solutions that support Fast ID Online (FIDO) v2.0 and certificate-based authentication. FIDO2 credentials are bound to the origin of the legitimate site, so a proxy on an attacker-controlled domain cannot obtain a valid assertion to relay.

Microsoft also advises configuring conditional access policies so that a stolen session cookie is of limited use to an attacker, and monitoring for suspicious or anomalous activity, such as sign-in attempts with suspicious characteristics and unusual mailbox operations.
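As an added example of the monitoring suggested above (this is not Microsoft's detection logic), the following Python flags a session cookie that is presented from a different IP than the sign-in that issued it, and an inbox rule created inside such a session. The event format is loosely modelled on sign-in and mailbox audit records; the sample events and the 30-minute window are constructed for illustration.

```python
"""Flag a session cookie presented from somewhere other than where its
sign-in happened, and mailbox rules created inside such a session.

Added example, not Microsoft's detection logic: the event format, the
sample events and the 30-minute window are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed events. alice's interactive MFA sign-in is recorded from
# 203.0.113.10 (in an AiTM attack that is the proxy, not the victim);
# the same session cookie is then presented from 198.51.100.5 with a
# different browser, which creates an inbox rule minutes later. bob's
# session stays on one IP and browser.
SAMPLE_EVENTS = [
    {"ts": "2022-07-12T09:00:00Z", "user": "alice@contoso.example", "type": "signin",
     "session": "S1", "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    {"ts": "2022-07-12T09:04:00Z", "user": "alice@contoso.example", "type": "session",
     "session": "S1", "ip": "198.51.100.5", "ua": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"ts": "2022-07-12T09:10:00Z", "user": "alice@contoso.example", "type": "rule_created",
     "session": "S1", "ip": "198.51.100.5", "ua": "Mozilla/5.0 (X11; Linux x86_64)",
     "rule": "move mail with subject 'invoice' to RSS Feeds"},
    {"ts": "2022-07-12T09:30:00Z", "user": "bob@contoso.example", "type": "signin",
     "session": "S2", "ip": "192.0.2.20", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    {"ts": "2022-07-12T09:45:00Z", "user": "bob@contoso.example", "type": "session",
     "session": "S2", "ip": "192.0.2.20", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_replay(events, window=timedelta(minutes=30)):
    """Return alerts, in time order, for (a) a session cookie used from a
    different IP than the sign-in that issued it within `window`, and
    (b) an inbox rule created in a session already flagged under (a)."""
    issued = {}     # session id -> (sign-in time, user, ip, user agent)
    flagged = set()
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = _ts(e["ts"])
        if e["type"] == "signin":
            issued[e["session"]] = (ts, e["user"], e["ip"], e["ua"])
            continue
        origin = issued.get(e["session"])
        if origin is None:
            continue    # sign-in not in the input; nothing to compare against
        o_ts, o_user, o_ip, o_ua = origin
        if e["ip"] != o_ip and ts - o_ts <= window and e["session"] not in flagged:
            flagged.add(e["session"])
            alerts.append({"user": o_user, "session": e["session"],
                           "reason": "session cookie replayed from new IP",
                           "signin_ip": o_ip, "replay_ip": e["ip"],
                           "ua_changed": e["ua"] != o_ua})
        if e["type"] == "rule_created" and e["session"] in flagged:
            alerts.append({"user": o_user, "session": e["session"],
                           "reason": "inbox rule created in replayed session",
                           "rule": e["rule"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_EVENTS):
        print(alert)
```

One caveat on the design: in an AiTM compromise the IP of record at sign-in is the proxy's, so if the attacker replays the cookie from the same host, check (a) never fires. That is why conditional access that requires a compliant device, and phish-resistant MFA, matter more than after-the-fact detection.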

“This AiTM phishing campaign is another example of how threats continue to evolve in response to the security measures and policies organisations put in place to defend themselves against potential attacks. While AiTM phishing attempts to circumvent MFA, it’s important to underscore that MFA implementation remains an essential pillar in identity security. MFA is still very effective at stopping a wide variety of threats; its effectiveness is why AiTM phishing emerged in the first place," concludes the report.

US Defense Contractors Struck by SockDetour Windows backdoor


SockDetour, a newly discovered custom malware found on US defence contractor systems, has been used as a backup backdoor to maintain access to compromised networks.

The payload was discovered by Unit 42 security researchers, who believe its operators have kept it hidden for a long time, as it has been in use in the wild since at least July 2019. Its stealth comes from the fact that SockDetour "operates filelessly and socketlessly" on compromised Windows servers by hijacking existing network connections, which makes it much harder to detect at both the host and the network level.

The connection hijacking is implemented with Microsoft's official Detours library, a package for monitoring and instrumenting Windows API calls.

Unit 42 explained, “With such implementation, SockDetour [..] serves as a backup backdoor in case the primary backdoor is detected and removed by defenders." 

In one of the attacks, the threat actors used a very specific delivery server: a QNAP network-attached storage (NAS) device, of a type commonly used by small businesses, which had earlier been infected with QLocker ransomware. They most likely exploited the same security vulnerability (CVE-2021-28799) to gain access to the device.

The researchers first found the malware on July 27, 2021, on the Windows server of at least one US defence contractor, which led to the identification of three more defence organisations being targeted by the same group with the same backdoor.

"Based on Unit 42’s telemetry data and the analysis of the collected samples, we believe the threat actor behind SockDetour has been focused on targeting U.S.-based defence contractors using the tools. Unit 42 has evidence of at least four defence contractors being targeted by this campaign, with a compromise of at least one contractor," researchers explained. 

What is SockDetour?

The SockDetour backdoor was previously linked to attacks exploiting vulnerabilities in Zoho products, including ManageEngine ADSelfService Plus (CVE-2021-40539) and ServiceDesk Plus (CVE-2021-44077), by an APT activity cluster that Unit 42 tracks as TiltedTemple. While Unit 42 analysts suspected in November that the TiltedTemple campaign was the work of the Chinese state-sponsored threat group known as APT27, the firm has not linked SockDetour to a specific hacking group.

The partial attribution is based on techniques and malicious tools that match APT27's earlier activity, as well as similar cyber-espionage targeting of the same industries (defence, technology, energy, aerospace, government and manufacturing).

In three separate campaigns in 2021, TiltedTemple attacks targeting Zoho vulnerabilities penetrated the networks of critical infrastructure organisations around the world, using:
• an ADSelfService Plus zero-day exploit between early August and mid-September,
• an ADSelfService Plus n-day exploit until late October,
• and a ServiceDesk Plus exploit starting on October 25.

PDC Discovered a Phishing Campaign that Spoofs Power BI Emails to Harvest Microsoft Credentials


The Cofense Phishing Defense Center (PDC) has discovered a new phishing campaign that impersonates Power BI emails in order to steal Microsoft credentials. Power BI is an interactive data visualisation product developed by Microsoft with a focus on business intelligence; it is a component of the Microsoft Power Platform.

Power BI is a set of software services, apps and connectors that work together to turn disparate data sources into coherent, visually immersive and interactive insights. Data can be read directly from a database, a web page, or structured files such as spreadsheets, CSV, XML and JSON. Power BI offers a cloud-based business intelligence service known as "Power BI Service" as well as a desktop application known as "Power BI Desktop".

It provides data warehouse functionality such as data preparation, data discovery and interactive dashboards. In March 2016, Microsoft added a service called Power BI Embedded to its Azure cloud platform. The ability to import custom visualisations is a key differentiator of the product.

The email looks like a genuine Microsoft notification, and there are a couple of reasons for this. Threat actors have grown accustomed to incorporating authentic Microsoft notifications into their phishing designs, and researchers have also seen them use stolen credentials to generate a legitimate-looking notification from a legitimate Microsoft instance. In this email, the threat actor used a common theme to entice the recipient to click the links.

After clicking the link in the email, the user is taken to a website that looks like a legitimate Microsoft login page. Apart from the missing standard imagery, the first sign that something is wrong is that the URL looks nothing like the one given in the email or like any URL associated with Microsoft services.

Once the recipient has entered their credentials, the attack ends with an error message stating that there was a problem verifying the account. This is yet another Microsoft spoof, used to divert the recipient's attention from the fact that they were never taken to the Power BI report they expected to see, and so makes them less likely to realise that they have just handed over their credentials.
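As an added example of the check described above, comparing where a link says it goes with where it really goes (this is not Cofense's tooling), the following Python extracts the links from an email body and flags any whose visible URL differs from the real destination, or whose destination is not on an allowlist of Microsoft domains. The HTML snippet and the allowlist are constructed for illustration; the allowlist is deliberately short, and a real one would list the domains your tenant's Microsoft notifications actually use.

```python
"""Check the links in an e-mail body against where they claim to lead.

Added example, not Cofense's tooling: the HTML snippet and the allowlist
below are constructed for illustration. The allowlist is deliberately
short; a real one would list the domains your tenant's Microsoft
notifications actually use.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains a genuine Power BI / Microsoft 365 notification may link to
# (constructed, partial).
ALLOWED_SUFFIXES = ("microsoft.com", "powerbi.com", "office.com",
                    "microsoftonline.com")

# Constructed e-mail body: a genuine link, a link whose visible text is a
# Microsoft URL but whose real destination is not, and a look-alike host.
SAMPLE_EMAIL = """
<p>A Power BI report has been shared with you.</p>
<a href="https://app.powerbi.com/groups/me/reports/123">Open in Power BI</a>
<a href="http://203.0.113.55/powerbi/login.php">https://app.powerbi.com/groups/me/reports/123</a>
<a href="https://powerbi-report-view.example/auth">View report</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_allowed(host):
    """True when host is an allowed domain or a subdomain of one.

    Matching on the suffix with its leading dot is what keeps
    'notpowerbi.com' and 'powerbi.com.evil.example' from passing.
    """
    return host is not None and any(
        host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def check_links(html):
    """Return (href, visible text, reason) for each link to treat as suspicious."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        shown_host = host_of(text) if text.startswith(("http://", "https://")) else None
        if shown_host is not None and shown_host != real_host:
            findings.append((href, text, "displayed URL differs from real destination"))
        elif not is_allowed(real_host):
            findings.append((href, text, "destination is not an allowed Microsoft domain"))
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        print(finding)
```

The mismatch check catches the classic trick of showing a legitimate URL as link text; the allowlist check catches the case described in the article, where the link text is innocuous and only the real destination gives the page away.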

"Cofense continues to observe credential phishing as a major threat to organizations. This is why it’s critical to condition users to identify and report suspicious messages to the security operations team. Attacks such as this one are effective at eluding common email security controls, and are – by design — overlooked by end users," the company said.

Baltimore City was Duped Out of $376K


A new report from Baltimore's Office of the Inspector General (OIG) reveals that a cyber-criminal posing as a vendor duped the city out of hundreds of thousands of dollars last year. In October 2021, the OIG opened an investigation after receiving information from Baltimore's Bureau of Accounting and Payroll Services (BAPS) about an allegedly fraudulent Electronic Funds Transfer (EFT). The Mayor's Office of Children and Family Success (MOCFS) had been paying the vendor by EFT.

On December 22, 2020 and January 7, 2021, BAPS and MOCFS were contacted by email from an address associated with an employee of the vendor, asking for a change to the vendor's EFT remittance details. On December 16, 2020, the same email address had sent BAPS a Vendor Payment & Electronic Funds Transfer Form.

The OIG later determined that the vendor employee's email account had been compromised by a malicious actor following a phishing attack, and that the actor had set up rules within the account. Such rules typically move or delete the replies from the impersonated party, so the real account owner never sees the conversation. As a result, the malicious actor was able to correspond with city workers without the vendor's knowledge.
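As an added example of how to hunt for the kind of mailbox rules described above (this is not from the OIG report), the following Python scores exported inbox rules for BEC tradecraft: rules that hide or delete mail about payments and bank details, forward mail to an external address, or carry a blank-like name. The rule export format (a list of dicts resembling the fields an Exchange Online inbox rule export contains), the sample rules and the keyword list are constructed for illustration.

```python
"""Hunt for the inbox rules a BEC actor leaves in a compromised mailbox.

Added example, not from the OIG report: the rule export format (a list
of dicts resembling the fields an Exchange Online inbox rule export
contains), the sample rules and the keyword list are constructed for
illustration.
"""
import re

PAYMENT_WORDS = re.compile(r"invoice|payment|remit|wire|bank|account|EFT|ACH|W-?9", re.I)
# Folders that users rarely open, which is why attackers hide mail there.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "junk email", "deleted items", "archive"}

SAMPLE_RULES = [
    {"mailbox": "employee@vendor.example", "name": ".", "enabled": True,
     "subject_contains": ["payment", "remittance", "EFT"], "from_contains": [],
     "move_to_folder": "RSS Feeds", "delete": False, "forward_to": [],
     "mark_as_read": True},
    {"mailbox": "employee@vendor.example", "name": "auto", "enabled": True,
     "subject_contains": [], "from_contains": ["baltimorecity.gov"],
     "move_to_folder": None, "delete": True, "forward_to": [],
     "mark_as_read": False},
    {"mailbox": "employee@vendor.example", "name": "Newsletters", "enabled": True,
     "subject_contains": ["newsletter"], "from_contains": [],
     "move_to_folder": "Newsletters", "delete": False, "forward_to": [],
     "mark_as_read": False},
    {"mailbox": "cfo@vendor.example", "name": "fwd", "enabled": True,
     "subject_contains": [], "from_contains": [], "move_to_folder": None,
     "delete": False, "forward_to": ["backup.mail@freemail.example"],
     "mark_as_read": False},
]


def score_rule(rule):
    """Return the reasons a rule looks like BEC tradecraft; empty means benign."""
    reasons = []
    if not rule.get("enabled", True):
        return reasons
    subjects = " ".join(rule.get("subject_contains", []))
    senders = rule.get("from_contains", [])
    money_related = bool(PAYMENT_WORDS.search(subjects))
    folder = (rule.get("move_to_folder") or "").lower()
    hides = bool(rule.get("delete")) or folder in HIDE_FOLDERS
    if hides and (money_related or senders):
        reasons.append("hides mail matching a payment or sender filter in '%s'"
                       % (folder or "deleted items"))
    own_domain = "@" + rule["mailbox"].split("@")[1]
    external = [a for a in rule.get("forward_to", []) if not a.endswith(own_domain)]
    if external:
        reasons.append("forwards to external address " + ", ".join(external))
    if len(rule.get("name", "")) <= 2:
        reasons.append("rule name '%s' is blank-like" % rule.get("name", ""))
    if hides and rule.get("mark_as_read"):
        reasons.append("marks hidden mail as read so no unread count appears")
    return reasons


def suspicious_rules(rules):
    """Return (mailbox, rule name, reasons) for every rule with at least one reason."""
    hits = []
    for rule in rules:
        reasons = score_rule(rule)
        if reasons:
            hits.append((rule["mailbox"], rule["name"], reasons))
    return hits


if __name__ == "__main__":
    for mailbox, name, reasons in suspicious_rules(SAMPLE_RULES):
        print(mailbox, repr(name), reasons)
```

A rule that matches the counterparty's domain and deletes the mail (the second sample) is the one that lets an attacker carry on a conversation from someone else's mailbox unnoticed; it contains no payment keyword, which is why the sender filter is scored on its own.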

On January 5, 2021, the fraudster contacted MOCFS and BAPS again, this time asking for the funds to be sent to a new account at a third financial institution. As verification, the fraudster provided a bank letter and a copy of a voided check bearing the same details as the third account. Believing the fraudster's claims, BAPS paid $376,213.10 into the third account on January 7, 2021.

The OIG found that BAPS employees do not have access to a list of authorised signatories for vendors and must rely on information provided by representatives of city agencies. Furthermore, instead of independently validating the information and the request, BAPS relied on MOCFS to support the request and accepted an incoming phone call from someone claiming to be the vendor's Chief Financial Officer. An inbound call from the requester is not independent verification, since the caller chooses both the number and the story; verification means calling back a number already on file for the vendor.

In his response to the report, Director of Finance Henry Raymond informed the OIG that new protocols had been implemented requiring Department of Finance (DOF) staff to independently verify bank changes with an executive-level employee. DOF has also devised processes that remove city agencies from vendor accounting procedures.

68K People Who Received Services from Advocates were Affected by Data Theft


Approximately 68,000 Advocates clients are being alerted that their personal and protected health information was stolen during a four-day incident in September 2021. Advocates also notified certain employees whose data was stolen during the hacking incident. 

Advocates, Inc. ("Advocates") is a non-profit organization established in Massachusetts that provides a wide range of services to people facing life issues such as addiction, aging, autism, brain damage, intellectual disabilities, mental health, and behavioral health. 

On October 1, 2021, Advocates was notified that an unauthorised actor had copied data from its digital environment. On discovering this activity, Advocates took steps to secure its environment and hired a leading cybersecurity firm to help investigate whether personal information had been accessed or acquired without authorisation. The investigation determined that between September 14 and September 18, 2021, an unknown person gained access to the Advocates network and collected data.

The incident may have involved the following personal and protected health information: name, address, Social Security number, date of birth, client identification number, health insurance information, and medical diagnosis or treatment information.

Following the investigation, Advocates began gathering contact information to notify potentially affected individuals. Advocates also alerted the Federal Bureau of Investigation and stated that it will provide whatever assistance is required to hold the criminals accountable, where feasible. Advocates says it takes the security and privacy of service recipients' information extremely seriously and has taken additional precautions to prevent a similar incident in the future.

Advocates is not aware of any evidence that information was misused in this incident. Nevertheless, beginning January 3, 2022, Advocates distributed notice of the incident to potentially affected individuals, describing what happened and the steps those individuals can take to protect their information. According to Advocates, affected individuals were also offered free credit monitoring and identity protection services through IDX.

To answer questions about the incident and address related concerns, Advocates set up a toll-free call centre. Advocates advises individuals to report any suspicious activity on their accounts, such as unauthorised transactions or new accounts opened in their name that they do not recognise, to their financial institution promptly, and to report any fraudulent activity or suspected identity theft to the appropriate law enforcement authorities as soon as possible.

A Phishing Campaign in Germany is Attempting to Steal Banking Credentials


Proofpoint researchers report that credential phishing attacks aimed at stealing German banking credentials have become more widespread. Since August 2021, Proofpoint analysts have identified multiple high-volume campaigns impersonating large German banks, such as Volksbank and Sparkasse, using customised, actor-owned landing pages. The activity, which is still ongoing, has affected hundreds of organisations.

The campaigns targeted a variety of industries, with a focus on German companies and foreign workers in Germany. Each campaign comprised tens of thousands of messages and affected hundreds of organisations. The phishing emails are themed around account administration and contain links or QR codes leading to a geo-fenced credential harvesting website that collects the bank branch details, login ID and PIN. The threat actor used a number of URL redirection tactics to deliver the malicious URLs; in several campaigns, compromised WordPress websites redirected users to the phishing landing pages.

Threat actors regularly abuse WordPress plugins and websites built with WordPress to distribute malicious URLs for phishing and malware attacks. Feedproxy URLs and QR codes were also seen being used to redirect to the phishing pages. Only visitors from Germany are directed to the phishing website, because of the threat actor's geofencing: according to Proofpoint, the actor uses IP geolocation checks to determine the target's location. Users outside Germany are sent to a cloned website ostensibly providing tourist information about Düsseldorf's Rhine Tower, while users in Germany are sent to a page that resembles the bank's website. The decoy also means that an analyst or URL scanner outside Germany sees nothing malicious unless it fetches the page from a German IP address.

The actor hosts these pages on its own infrastructure, using consistent domain naming conventions: Sparkasse credential phishing URLs, for example, frequently begin with "spk-", whereas Volksbank clones begin with "vr-". Examples of the domains used by this threat actor include vr-mailormular[.]com/Q20EBD6QLJ, vr-umstellungssystem-de[.]com/FLBSEKZ9S3, spk-security-spk[.]com/P84OZ3OIS2 and spk-systemerneuerung-spk[.]com/CJ4F6UFR0T.

Proofpoint could not attribute this campaign to a known threat group. However, registrant information linked to several domains seen in this activity has been connected to over 800 fake websites, most of which imitate banks or financial institutions, and domain registration data suggests the same actor may have targeted users of Spanish banks earlier this year. Cybercriminal threat actors engaged in banking credential theft and fraudulent financial activity are opportunistic and target huge numbers of victims.