Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Threat actors. Show all posts
Threat actors
beIN Sports Cloud Security Cyber Attacks data analysis FFmpeg Hackers Jupyter Notebooks live streaming sports piracy stream ripping Threat actors

Hackers Exploit Jupyter Notebooks for Sports Piracy Through Stream Ripping Tools

 

Malicious hackers are taking advantage of misconfigured JupyterLab and Jupyter Notebooks to facilitate sports piracy through live stream capture tools, according to a report by Aqua Security shared with The Hacker News.

The attack involves hijacking unauthenticated Jupyter Notebooks to gain initial access and execute a series of steps aimed at illegally streaming sports events. This activity was uncovered during an investigation into attacks on Aqua's honeypots.

"First, the attacker updated the server, then downloaded the tool FFmpeg," explained Assaf Morag, director of threat intelligence at Aqua Security. "This action alone is not a strong enough indicator for security tools to flag malicious activity."

Morag noted that the attackers then executed FFmpeg to capture live sports streams, redirecting them to their server. The campaign’s ultimate objective is to download FFmpeg from MediaFire, capture live feeds from Qatari network beIN Sports, and rebroadcast the content illegally via ustream[.]tv. This tactic allows the attackers to misuse compromised Jupyter Notebook servers as intermediaries while profiting from advertising revenues linked to the unauthorized streams.

Although the identity of the hackers remains unclear, one of the IP addresses used (41.200.191[.]23) suggests they may originate from an Arabic-speaking region.

"However, it's crucial to remember that the attackers gained access to a server intended for data analysis, which could have serious consequences for any organization's operations," Morag added.

He warned that the risks extend beyond piracy, potentially leading to denial-of-service attacks, data manipulation, theft, corruption of AI and ML processes, lateral movement within critical systems, and severe financial and reputational harm.
Read more »
Threat actors
Akira Ransomware Cyber Attacks Data Exploit Ransomware Threat actors

Akira Ransomware: The Need for Rapid Response

Akira Ransomware: The Need for Rapid Response

Threat actors wielding the Akira ransomware demonstrated unprecedented efficiency in a recent cyber attack that sent shockwaves through the cybersecurity community. 

Their lightning-fast data exfiltration took just over two hours, representing a dramatic shift in the average time it takes a cybercriminal to go from first access to information exfiltration and leaving organizations scrambling to respond. Let’s delve into the details of this alarming incident.

Attack Overview

The victim in this case was a Latin American airline. The attackers exploited a vulnerability in their infrastructure, emphasizing the importance of robust security measures for critical industries. They gained entry through an unpatched Veeam backup server, leveraging the Secure Shell (SSH) protocol. Veeam servers are attractive targets due to their tendency to store sensitive data and credentials.

The BlackBerry Threat Research and Intelligence Team has revealed a summary of a June Akira ransomware assault against a Latin American airline. According to BlackBerry's anatomy of the attack, the threat actor acquired first access via an unpatched Veeam backup server and promptly began stealing data before installing the Akira ransomware the next day.

Swift Data Exfiltration

Within a remarkably short timeframe, the threat actors exfiltrated data from the Veeam backup folder. This included documents, images, and spreadsheets. The speed of their operation highlights the need for proactive security practices.

The Culprit: Storm-1567

Storm-1567, a notorious user of the Akira ransomware-as-a-service (RaaS) platform, is the likely perpetrator. Known for double-extortion tactics, Storm-1567 has targeted over 250 organizations globally since emerging in March 2023.

Technical Insights

1. Legitimate Tools and Utilities

The attackers demonstrated technical prowess by using legitimate tools and utilities during the attack. These tools allowed them to:

  • Conduct reconnaissance to identify valuable data.
  • Establish persistence within the compromised network.
  • Efficiently exfiltrate sensitive information.
2. Escalation from Initial Access to Data Theft

Storm-1567’s ability to escalate from initial access to data theft in such a short span underscores their expertise. Organizations must prioritize timely patching and secure backup systems to prevent similar incidents.

Key Takeaways

Patch Promptly 

Regularly update and patch all software, especially critical components like backup servers. Vulnerabilities left unaddressed can lead to devastating consequences.

Backup Security Matters

Secure backup systems are essential. They often contain critical data and serve as gateways for attackers. Implement access controls, monitor for suspicious activity, and encrypt backups.

Threat Intelligence and Vigilance

Stay informed about emerging threats and threat actors. Vigilance and proactive defense are crucial in the ever-evolving landscape of cyber threats.


Read more »
Windows 11 Recall
AI-powered feature Cyber Security Cybersecurity Data Encryption data security Microsoft Online Safety Privacy Concerns Threat actors User Privacy Windows 11 Recall

Microsoft's Windows 11 Recall Feature Sparks Major Privacy Concerns

 

Microsoft's introduction of the AI-driven Windows 11 Recall feature has raised significant privacy concerns, with many fearing it could create new vulnerabilities for data theft.

Unveiled during a Monday AI event, the Recall feature is intended to help users easily access past information through a simple search. Currently, it's available on Copilot+ PCs with Snapdragon X ARM processors, but Microsoft is collaborating with Intel and AMD for broader compatibility. 

Recall works by capturing screenshots of the active window every few seconds, recording user activity for up to three months. These snapshots are analyzed by an on-device Neural Processing Unit (NPU) and AI models to extract and index data, which users can search through using natural language queries. Microsoft assures that this data is encrypted with BitLocker and stored locally, not shared with other users on the device.

Despite Microsoft's assurances, the Recall feature has sparked immediate concerns about privacy and data security. Critics worry about the extensive data collection, as the feature records everything on the screen, potentially including sensitive information like passwords and private documents. Although Microsoft claims all data remains on the user’s device and is encrypted, the possibility of misuse remains a significant concern.

Microsoft emphasizes user control over the Recall feature, allowing users to decide what apps can be screenshotted and to pause or delete snapshots as needed. The company also stated that the feature would not capture content from Microsoft Edge’s InPrivate windows or other DRM-protected content. However, it remains unclear if similar protections will apply to other browsers' private modes, such as Firefox.

Yusuf Mehdi, Corporate Vice President & Consumer Chief Marketing Officer at Microsoft, assured journalists that the Recall index remains private, local, and secure. He reiterated that the data would not be used to train AI models and that users have complete control over editing and deleting captured data. Furthermore, Microsoft confirmed that Recall data would not be stored in the cloud, addressing concerns about remote data access.

Despite these reassurances, cybersecurity experts and users remain skeptical. Past instances of data exploitation by large companies have eroded trust, making users wary of Microsoft’s claims. The UK’s Information Commissioner's Office (ICO) has also sought clarification from Microsoft to ensure user data protection.

Microsoft admits that Recall does not perform content moderation, raising significant security concerns. Anything visible on the screen, including sensitive information, could be recorded and indexed. If a device is compromised, this data could be accessible to threat actors, potentially leading to extortion or further breaches.

Cybersecurity expert Kevin Beaumont likened the feature to a keylogger integrated into Windows, expressing concerns about the expanded attack surface. Historically, infostealer malware targets databases stored locally, and the Recall feature's data could become a prime target for such malware.

Given Microsoft’s role in handling consumer data and computing security, introducing a feature that could increase risk seems irresponsible to some experts. While Microsoft claims to prioritize security, the introduction of Recall could complicate this commitment.

In a pledge to prioritize security, Microsoft CEO Satya Nadella stated, "If you're faced with the tradeoff between security and another priority, your answer is clear: Do security." This statement underscores the importance of security over new features, emphasizing the need to protect customers' digital estates and build a safer digital world.

While the Recall feature aims to enhance user experience, its potential privacy risks and security implications necessitate careful consideration and robust safeguards to ensure user data protection.
Read more »
Threat actors
Cyber Security Cybersecurity Deceptive npm packages malware installation North Korean social engineering campaign Software Developers Threat actors

Deceptive npm Packages Employed to Deceive Software Developers into Malware Installation

 

A persistent scheme aimed at software developers involves fraudulent npm packages disguised as job interview opportunities, with the intention of deploying a Python backdoor onto their systems.

Securonix, a cybersecurity company, has been monitoring this campaign, dubbed DEV#POPPER, which they attribute to North Korean threat actors. 

"During these fraudulent interviews, the developers are often asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said. "The software contained a malicious Node JS payload that, once executed, compromised the developer's system."

Details of this campaign surfaced in late November 2023, when Palo Alto Networks Unit 42 revealed a series of activities known as Contagious Interview. Here, the threat actors masquerade as employers to entice developers into installing malware such as BeaverTail and InvisibleFerret during the interview process.

Subsequently, in February of the following year, Phylum, a software security firm, uncovered a collection of malicious npm packages on the registry. These packages delivered the same malware families to extract sensitive information from compromised developer systems.

It's important to distinguish Contagious Interview from Operation Dream Job, also linked to North Korea's Lazarus Group. The former targets developers primarily through fabricated identities on freelance job platforms, leading to the distribution of malware via developer tools and npm packages.

Operation Dream Job, on the other hand, extends its reach to various sectors like aerospace and cryptocurrency, disseminating malware-laden files disguised as job offers.

The attack sequence identified by Securonix begins with a GitHub-hosted ZIP archive, likely sent to the victim during the interview process. Within this archive lies an apparently harmless npm module housing a malicious JavaScript file, BeaverTail, which serves as an information thief and a loader for the Python backdoor, InvisibleFerret, retrieved from a remote server. This implant can gather system data, execute commands, enumerate files, and log keystrokes and clipboard activity.

This development underscores the continued refinement of cyber weapons by North Korean threat actors, as they update their tactics to evade detection and extract valuable data for financial gain.

Securonix researchers emphasize the importance of maintaining a security-conscious mindset, particularly during high-pressure situations like job interviews, where attackers exploit distraction and vulnerability.
Read more »
Vulnerabilities and Exploits
CVE-2024-3400 Cyber Cybersecurity Palo Alto Networks PAN-OS firewall Remote Code Execution Threat actors Volexity Vulnerabilities and Exploits

Zero-Day Exploitation of Palo Alto Networks Firewall Allows Backdoor Installation

 

Suspected state-sponsored hackers have exploited a zero-day vulnerability in Palo Alto Networks firewalls, identified as CVE-2024-3400, since March 26. These hackers have utilized the compromised devices to breach internal networks, pilfer data, and hijack credentials.

Palo Alto Networks issued a warning on the active exploitation of an unauthenticated remote code execution flaw in its PAN-OS firewall software. Patch updates are slated for release on April 14. Given the ongoing exploitation, Palo Alto Networks opted to disclose the vulnerability and provide interim mitigations for customers until patches are fully deployed.

Further insights into the zero-day exploitation emerged from a subsequent report by Volexity, the entity that discovered the flaw. According to Volexity, hackers have been exploiting the vulnerability since March, employing a custom backdoor dubbed 'Upstyle' to infiltrate target networks and execute data theft. The activity, tracked under the designation UTA0218, is strongly suspected to be orchestrated by state-sponsored threat actors.

Volexity's investigation traced the zero-day exploitation to April 10, primarily targeting the GlobalProtect feature of Palo Alto Networks PAN-OS. The subsequent deployment of identical exploitation methods at another customer site underscored the severity of the situation. Despite the exploitation period starting as early as March 26, payloads were not deployed until April 10.

The 'Upstyle' backdoor, facilitated by a Python script, enables remote command execution on compromised devices. The backdoor leverages a path configuration file to execute commands, allowing threat actors to operate stealthily within compromised environments.

In addition to the 'Upstyle' backdoor, Volexity observed the deployment of additional payloads, including reverse shells, PAN-OS configuration data exfiltration tools, and the Golang tunneling tool 'GOST.' In some instances, threat actors pivoted to internal networks to steal sensitive files, such as Active Directory databases and browser data from specific targets.

Volexity recommends two methods for detecting compromised Palo Alto Networks firewalls: generating Tech Support Files to analyze forensic artifacts and monitoring network activity for specific indicators of compromise.

This incident underscores the increasing targeting of network devices by threat actors, as demonstrated by previous campaigns exploiting vulnerabilities in Fortinet, SonicWall, Cisco, TP-Link, and Barracuda devices.
Read more »
Windows SmartScreen
Bypass Flaw Cybersecurity DarkGate RAT Exploited malware Malware Campaign Threat actors Windows SmartScreen

Exploitation of Windows SmartScreen Bypass Flaw Facilitates Deployment of DarkGate RAT

 


The operators behind the DarkGate malware have been taking advantage of a recently patched flaw in Windows SmartScreen through a phishing scheme. This campaign involves circulating counterfeit Microsoft software installers to spread the malicious code.

Researchers from Trend Micro, along with others, uncovered a vulnerability earlier this year, known as CVE-2024-21412, which allowed attackers to bypass security measures in Internet Shortcut Files. Microsoft addressed this issue in its February Patch Tuesday updates, but not before threat actors like Water Hydra and DarkGate seized the opportunity to exploit it. Trend Micro's Zero Day Initiative (ZDI) reported that DarkGate also utilized this flaw in a mid-January attack, enticing users with PDFs containing Google DoubleClick Digital Marketing (DDM) redirects, ultimately leading to compromised websites hosting the malware-laden installers.

According to Trend Micro researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun, the attackers manipulated Google-related domains using open redirects in conjunction with CVE-2024-21412 to circumvent Microsoft Defender SmartScreen protections, facilitating malware infections. They emphasized the effectiveness of combining fake software installers with open redirects in propagating infections.

DarkGate, described as a remote-access Trojan (RAT), has been advertised on Russian-language cybercrime forums since at least 2018 and is considered one of the most sophisticated and active malware strains. It offers various functionalities, including process injection, information theft, shell command execution, and keylogging, while employing multiple evasion techniques.

The DarkGate campaign observed by Trend Micro leverages Google Open Redirects, exploiting a previously patched SmartScreen vulnerability, CVE-2023-36025, affecting all supported Windows versions. By utilizing open redirects in Google DDM technologies, threat actors can execute malicious code when combined with security bypasses.

To defend against DarkGate's exploitation of CVE-2024-21412, Windows system administrators are advised to apply Microsoft's patch promptly. Additionally, organizations should prioritize employee training to raise awareness about the risks of installing software from untrusted sources. Continuous monitoring of the cyber environment, including identifying vulnerabilities and potential attack vectors, is crucial for effective cybersecurity defense.

In conclusion, proactive measures are necessary for both businesses and individuals to safeguard their systems against evolving threats like DarkGate and similar malware campaigns.
Read more »
Vulnerability management
China Cyber Security Cyber Threats Cybersecurity Dutch intelligence espionage FortiGate devices Malware Detection RAT Threat actors Vulnerability management

China Caught Deploying Remote Access Trojan Tailored for FortiGate Devices

 

The Military Intelligence and Security Service (MIVD) of the Netherlands has issued a warning regarding the discovery of a new strain of malware believed to be orchestrated by the Chinese government. Named "Coathanger," this persistent and highly elusive malware has been identified as part of a broader political espionage agenda, targeting vulnerabilities in FortiGate devices.

In a recent advisory, MIVD disclosed that Coathanger was employed in espionage activities aimed at the Dutch Ministry of Defense (MOD) in 2023. Investigations into the breach revealed that the malware exploited a known flaw in FortiGate devices, specifically CVE-2022-42475.
Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. 
Unlike some malware that relies on new, undisclosed vulnerabilities (zero-day exploits), Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. However, the advisory emphasizes that it could potentially be used in conjunction with future vulnerabilities in FortiGate devices.

Described as stealthy and resilient, Coathanger evades detection by concealing itself through sophisticated methods, such as hooking system calls to evade detection. It possesses the capability to survive system reboots and firmware upgrades, making it particularly challenging to eradicate.

According to Dutch authorities, Coathanger is just one component of a larger-scale cyber espionage campaign orchestrated by Chinese state-sponsored threat actors. These actors target various internet-facing edge devices, including firewalls, VPN servers, and email servers.

The advisory issued by Dutch intelligence underscores the aggressive scanning tactics employed by Chinese threat actors, who actively seek out both disclosed and undisclosed vulnerabilities in edge devices. It warns of their rapid exploitation of vulnerabilities, sometimes within the same day they are made public.

Given the popularity of Fortinet devices as cyberattack targets, businesses are urged to prioritize patch management. Recent reports from Fortinet highlighted the discovery of two critical vulnerabilities in its FortiSIEM solution, emphasizing the importance of prompt patching.

To mitigate the risk posed by Coathanger and similar threats, intelligence analysts recommend conducting regular risk assessments on edge devices, restricting internet access on these devices, implementing scheduled logging analysis, and replacing any hardware that is no longer supported.
Read more »
vulnerability patch
active exploitation CISA advisory Cyber Security file transfer security Fortra GoAnywhere MFT software exploitation Threat actors vulnerability patch

Fortra's GoAnywhere MFT Software Faces Exploitation, No Evidence of Active Exploitation Detected

 

Reports on the exploitation of Fortra's GoAnywhere MFT file transfer software raised concerns due to the potential development of exploit code from a publicly released Proof of Concept (PoC). As of Thursday afternoon, there was no evidence of active exploitation.

Researchers from Shadowserver, in a post dated January 25, noted over 120 instances of exploits based on the publicly released PoC code. However, they suggested that widespread success for attackers is unlikely due to the limited exposure of admin portals (only 50) and the majority being patched.

The vulnerability, identified as CVE-2024-0204 with a CVSSv3 score of 9.8, enables hackers to remotely create a new admin user through the software’s administration portal. This issue emerged a year after the Clop ransomware gang exploited a GoAnywhere MFT zero-day vulnerability, compromising over 130 organizations. Fortra responded by releasing a patch on January 22, urging immediate action from security teams. The company had notified customers on December 4 and released the patch on December 7.

Ashley Leonard, CEO at Syxsense, emphasized the critical nature of the CVE, stating that the vulnerability allows unauthorized users to bypass authentication and create a new admin account remotely.

Despite the lack of active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has not included the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog. CISA defines "active exploitation" based on real-time success demonstrated by threat actors in the wild.

Ransomware groups have historically utilized file transfer software in their tactics, with examples like REvil using GoAnywhere MFT for deploying malware and exfiltrating sensitive data. Though REvil is no longer active, similar tactics persist, and groups like LockBit are known to exploit new vulnerabilities swiftly. Security experts advise organizations leveraging the software to patch immediately, considering the potential threat.

Callie Guenther, senior manager of cyber threat research at Critical Start, highlighted the relative ease of exploiting the Fortra GoAnywhere MFT vulnerability, described as a "1998 style" path traversal flaw. With the PoC available and the simplicity of exploitation, there are concerns that threat actors might start scanning for vulnerable instances of GoAnywhere MFT to exploit the flaw. While it's uncertain if CISA will include this flaw in the KEV catalog, they have previously issued advisories for similar vulnerabilities and added a remote code injection issue in Fortra's GoAnywhere MFT (CVE-2023-0669) to the catalog.
Read more »
Victoria Court System
Cyber Security Judiciary Ransomware Threat actors Victoria Court System

Records of Crucial Cases May Have Been Compromised by a Cyberattack on Victoria's Court System


Ransomware used to assault Victoria's court system

An independent expert believes that ransomware was used to assault Victoria's court system and that the attack was coordinated by Russian hackers.

According to a representative for Court Services Victoria (CSV), hackers gained access to a portion of the audio-visual archive of the court system. This would imply that hearing records including witness testimony from extremely private situations might have been obtained or pilfered.

To alert those whose court appearances were compromised by hackers, CSV is currently setting up a contact center for those who think they might have been impacted.

Though some hearings from before November may have also been impacted, the recordings came from hearings held between November 1 and December 21. 

Before Christmas break, on December 21, staff members' laptops were locked and warnings stating "YOU HAVE BEEN PWND" were displayed on displays. This was the first indication that the attack had taken place.

Court employees received a message that linked them to a text file with threats from hackers on the publication of files taken from the court system. The message also included instructions on how to retrieve the files from the address on the dark web.

Records from the County Court spanning nearly two months were retrieved.

County Court cases have been most badly impacted, according to a Tuesday morning report from CSV.

All criminal and civil proceedings that were uploaded to the network between November 1 and December 21 might have been viewed, including at least two instances of past and present child sex abuse.

Recordings from the Criminal Division, the Practice Court, the Court of Appeal, and two regional proceedings in November may have been accessed, severely impacting the Supreme Court as well.

One October hearing from the Children's Court might have persisted on the network, but none of the sessions from November or December have been compromised.

Expert: The attack was most likely the product of Russian hackers

Having reviewed the evidence of the attack, independent cyber security expert Robert Potter concluded that the court system was most likely the target of a Russian phishing attack that used Qilin, a commercial ransomware.


Read more »
Windows 11
Cyber Security DLL Search Order Hijacking Exploitation Malicious Code Privilege Escalation Security Bypass Security Joes Threat actors Windows 10 Windows 11

New DLL Search Order Hijacking Variant Evades Windows 10 and 11 Protections

 

Security researchers have outlined a fresh variant of a dynamic link library (DLL) search order hijacking technique, potentially enabling threat actors to circumvent security measures and execute malicious code on computers running Microsoft Windows 10 and Windows 11.

The new method, disclosed in a report by cybersecurity firm Security Joes and exclusively shared with The Hacker News, exploits executables commonly present in the trusted WinSxS folder, utilizing the classic DLL search order hijacking technique. By doing so, adversaries can avoid the need for elevated privileges when attempting to run malicious code on a compromised system, introducing potentially vulnerable binaries into the attack chain.

DLL search order hijacking involves manipulating the search order used to load DLLs, allowing the execution of malicious payloads for purposes such as defense evasion, persistence, and privilege escalation. This technique targets applications that do not specify the full path to required libraries, relying on a predefined search order to locate DLLs on disk.

Threat actors exploit this behavior by relocating legitimate system binaries into non-standard directories that contain malicious DLLs, named after legitimate ones. This tricks the system into loading the attack code-containing library instead of the authentic one.

The unique aspect introduced by Security Joes focuses on files within the trusted "C:\Windows\WinSxS" folder. WinSxS, short for Windows side-by-side, is a crucial Windows component used for OS customization and updates to ensure compatibility and integrity.

According to Ido Naor, co-founder and CEO of Security Joes, the discovery diverges from traditional cyber attack methods, providing a more subtle and stealthy exploitation technique. The strategy involves identifying vulnerable binaries in the WinSxS folder and combining them with DLL search order hijacking methods. This entails strategically placing a custom DLL with the same name as a legitimate DLL into an actor-controlled directory, triggering code execution when executing a vulnerable file in the WinSxS folder.

Security Joes emphasized the potential for additional binaries in the WinSxS folder susceptible to this DLL search order hijacking, urging organizations to take precautions. They recommended examining parent-child relationships between processes, particularly focusing on trusted binaries, and closely monitoring activities performed by binaries in the WinSxS folder, including network communications and file operations.
Read more »
Threat actors
Consumer Data Data Breach Digital Identity Financial Fraud Personal Information Sensitive Data Leak Server Threat actors

Mr. Cooper Data Breach: 14 Million Customers Exposed

A major data breach at mortgage giant Mr. Cooper compromised the personal data of an astounding 14 million consumers, according to a surprising disclosure. Sensitive data susceptibility in the digital age is a worry raised by the occurrence, which has shocked the cybersecurity world.

Strong cybersecurity procedures in financial institutions are vital, as demonstrated by the breach, confirmed on December 18, 2023, and have significant consequences for the impacted persons. The hackers gained access to Mr. Cooper's networks and took off with a wealth of private information, including social security numbers, names, addresses, and other private information.

TechCrunch reported on the incident, emphasizing the scale of the breach and the potential consequences for those impacted. The breach underscores the persistent and evolving threats faced by organizations that handle vast amounts of personal information. As consumers, it serves as a stark reminder of the importance of vigilance in protecting our digital identities.

Mr. Cooper has taken swift action in response to the breach, acknowledging the severity of the situation. The company is actively working to contain the fallout and assist affected customers in securing their information. In a statement to Help Net Security, Mr. Cooper reassured customers that it is implementing additional security measures to prevent future breaches.

The potential motives behind the attack, emphasize the lucrative nature of stolen personal data on the dark web. The breached information can be exploited for identity theft, financial fraud, and other malicious activities. This incident underscores the need for organizations to prioritize cybersecurity and invest in advanced threat detection and prevention mechanisms.

"The Mr. Cooper data breach is a sobering reminder of the evolving threat landscape," cybersecurity experts have stated. To safeguard their consumers' confidence and privacy, businesses need to invest heavily in cybersecurity solutions and maintain a watchful eye."

In light of the growing digital landscape, the Mr. Cooper data breach should be seen as a wake-up call for companies and individuals to prioritize cybersecurity and collaborate to create a more secure online environment.
Read more »
Threat actors
Cyber Attacks Huntress SMB Report Malware Free Attacks RMM Software SMBs Threat actors

SMBs Witness Surge in ‘Malware Free’ Attacks


According to the first-ever SMB Threat Report from Huntress, a company that offers security platforms and services to SMBs and managed service providers (MSPs), the most common threats that small and medium businesses (SMBs) faced in Q3 2023 were "malware free" attacks, attackers' growing reliance on legitimate tools and scripting frameworks, and BEC scams.

“Malware Free” Attacks on the Rise

In 44% of cyberattack incidents, attackers tend to deploy malware. However, in the remaining 56% of events, scripting frameworks (like PowerShell) and remote monitoring and management (RMM) software were used along with "living off the land" binaries (LOLBins).

The increased use of RMM software has turned out to be a concerning trend that is challenging to reverse.

“At the SMB level, LOLBin use is especially concerning given the state of monitoring and review for many organizations. Many critical entities—from local school districts to medical offices—may find themselves at best leveraged for cryptomining or botnet purposes, and at worst, the victims of disruptive ransomware,” the researchers noted.

The researchers notes that in over 65% of security incidents, threat actors utilize RMM software as their methods for persistence or remote access mechanisms following the initial access to the victim user's system.

Since RMM tools are largely used as legitimate software, in case they are used for any intrusion purpose, they can readily evade anti-malware security and blend in with the environment when employed for infiltration purposes. Additionally, few small businesses audit the use of RMM tools.

“In some cases, Huntress has observed adversaries diversifying among several RMM tools, such as using a combination of commercial and open-source items, to ensure redundant access to victim environments,” the researchers noted. “Therefore, monitoring RMM tool use and deployment within defended or managed environments is an increasingly important security hygiene measure to ensure owners and operators can identify potential malicious installations.”

Additional Findings

Affiliates of ransomware and operators of business email compromise (BEC) persist in their targeting of end users through the use of phishing.

Notably, malicious forwarding or other inbox rules were engaged in 64% of identity-focused assaults that SMBs faced in Q3 2023, while logins from strange or suspect places were linked to 24% of these attacks.

“While the ultimate goal of such activity remains, in most cases, BEC, defensive visibility and adversary kill-chain dependencies mean these actions are largely caught at the account takeover (ATO) phase of operations,” the experts concluded.

In 2023, Qakbot-related cybersecurity incidents have declined, with this downward trend anticipated to continue.

The findings further note that 60% of ransomware incidents were caused by uncategorized, unknown or "defunct" ransomware strains. This demonstrates a variation in the kind of ransomware frequently observed in corporate settings, where "known-variant ransomware deployments" are the primary target.

“Whether for monetization purposes through ransomware or BEC, or potentially even state-directed espionage activity, SMBs remain at risk from a variety of entities,” the researchers added. 

The researchers further raised concerns towards the adversaries that are exploiting the gaps in  users’ visibility and awareness over evading security controls. While spam filtering and a solid anti-malware program used to be enough for a small business to "get by," the current threat landscape makes these straightforward efforts inadequate.


Read more »
Threat actors
Cyber Security Cyber Threats Cybersecurity Cybersecurity measures cybersecurity trends Data Breach Data protection malware Online Security ransomware attacks Threat actors

Report: September Sees Record Ransomware Attacks Surge

 

In September, a notable surge in ransomware attacks was recorded, as revealed by NCC Group's September Threat Pulse. Leak sites disclosed details of 514 victims, marking a significant 153% increase compared to the same period last year. This figure surpassed the previous high set in July 2023 at 502 attacks.

Among the fresh wave of threat actors, LostTrust emerged as the second most active group, accounting for 10% of all attacks with a total of 53. Another newcomer, RansomedVC, secured the fourth spot with 44 attacks, making up 9% of the total. LostTrust, believed to have formed in March of the same year, mirrors established threat actors' tactics of employing double extortion.

Notably, well-established threat actors remained active in September. Lockbit maintained its lead from August, while Clop's activity diminished, responsible for only three ransomware attacks in September.

In line with previous trends, North America remained the primary target for ransomware attacks, experiencing 258 incidents in September.

Europe followed as the second most targeted region with 155 attacks, trailed by Asia with 47. Nevertheless, there was a 3% rise in attacks on North America and a 2% increase on Europe, while Asia saw a 6% decrease from the previous month. This indicates a shifting focus of threat actors towards Western regions.

Industrials continued to bear the brunt of attacks, comprising 40% (19) of the total, followed by Consumer Cyclicals at 21% (10), and Healthcare at 15% (7). The sustained focus on Industrials is unsurprising, given the allure of Personally Identifiable Information (PII) and Intellectual Property (IP) for threat actors. 

The Healthcare sector witnessed a notable surge, experiencing 18 attacks, marking an 86% increase from August. This trend aligns with patterns observed earlier in the year, suggesting that August's dip was an anomaly. The pharmaceutical industry's susceptibility to ransomware attacks continues due to the potential financial impact.

The surge in ransomware attacks can be attributed in part to the emergence of new threat actors, notably RansomedVC. Operating similarly to established organizations like 8Base, RansomedVC also functions as a penetration testing entity. 

However, their approach to extortion incorporates compliance with Europe's General Data Protection Regulation (GDPR), pledging to report any vulnerabilities discovered in the target's network. This unique approach intensifies pressure on victims to meet ransom demands, as GDPR allows for fines of up to 4% of a victim's annual global turnover.

RansomedVC garnered attention by claiming responsibility for the attack on Sony, a major Japanese electronics company, on September 24th. In this incident, RansomedVC compromised the company's systems and offered to sell stolen data. This successful targeting of a global giant like Sony highlights the significant impact RansomedVC is exerting, indicating its continued activity in the months ahead.

Matt Hull, Global Head of Threat Intelligence at NCC Group, commented on the situation, noting that the surge in attacks in September was somewhat anticipated for this time of year. However, what sets this apart is the sheer volume of these attacks and the emergence of new threat actors playing a major role in this surge. Groups like LostTrust, Cactus, and RansomedVC stand out for their adaptive techniques, putting extra pressure on victims. 

The adoption of the double extortion model and the embrace of Ransomware as a Service (Raas) by these new threat actors signify an evolving landscape in global ransomware attacks. Hull predicts that other groups may explore similar methods in the coming months to increase pressure on victims.
Read more »
Threat actors
Artificial Intelligence Cyber Defence Cyber Security Cyberspace Global Economy International Cooperation Malicious actor Military Intelligence Threat actors

Cyber Militarization: Navigating the Digital Battlefield

Technology and the internet are now ubiquitous, creating vulnerabilities and enabling the militarization of cyberspace. This trend poses a number of threats to global security, including accidental or deliberate conflict between states, empowerment of non-state actors, and new arms races. The international community must cooperate to address this issue, developing norms and rules, building trust, and investing in cybersecurity.

Cyberspace once considered a relatively neutral domain for communication and information sharing, is now increasingly becoming a battlefield where nation-states vie for power and influence. The articles linked in this discussion shed light on the complex issue of militarization in cyberspace.

Kaspersky, a leading cybersecurity company, delves into the subject in their blog post, "How to Deal with Militarizing Cyberspace." They emphasize the growing concerns about the use of cyberspace for military purposes, such as cyberattacks and espionage. This article emphasizes the need for international cooperation and cybersecurity measures to address the challenges posed by this evolving landscape.

In the blog post from EasyTech4All, titled "The Inevitability of Militarization of CyberAI," the focus is on the convergence of artificial intelligence and cyber warfare. It highlights the significant role AI plays in enhancing military capabilities in cyberspace. This shift underlines the need for discussions and regulations to govern the use of AI in military operations.

Additionally, the document from the Cooperative Cyber Defence Centre of Excellence (CCDCOE) titled "The Militarization Of Cyberspace" offers an in-depth examination of the historical context and evolution of militarization in cyberspace. It explores the various facets of this phenomenon, from the development of offensive cyber capabilities to the establishment of cyber commands in military structures.

The militarization of cyberspace raises critical questions about the use of cyber tools for aggressive purposes, the potential for escalation, and the importance of international agreements to prevent cyber warfare. The interconnectedness of the global economy and critical infrastructure further amplifies the risks associated with cyber warfare.

To address these challenges, a multi-faceted approach is essential. This includes the development of international norms and regulations governing cyber warfare, cooperation between nations, investment in cybersecurity, and continuous monitoring of cyber threats.

Cyberspace militarization is a complex and evolving issue that requires our attention. By exploring the articles and materials provided, we gain a glimpse into the many facets of this challenge, from its historical roots to the use of AI in warfare. As technology advances, it becomes increasingly important to use cyberspace in an ethical and responsible manner. It is up to us all to ensure that the digital realm remains a force for good and progress, rather than a catalyst for instability and conflict.

Read more »
Threat actors
critical infrastructures Cyber Attacks Cyber Warfare Data Hacktivists Israel-Palestine tensions Safety Security Threat actors

Pro-Palestinian Hacktivists Reportedly Employ Crucio Ransomware

 

In a recent development, a newly emerged pro-Palestine hacking collective identifying itself as the 'Soldiers of Solomon' has claimed responsibility for infiltrating more than 50 servers, security cameras, and smart city management systems located within the Nevatim Military area.

According to the group's statement, they employed a ransomware strain dubbed 'Crucio,' hinting at a possible utilization of Ransomware-as-a-Service. Additionally, they assert to have gained access to an extensive cache of data amounting to a staggering 25 terabytes.

In an unconventional public relations move, the Soldiers of Solomon disseminated this information via email to multiple threat intelligence firms, including Falconfeeds, alongside other influential entities actively engaged on Twitter.

To substantiate their claims, the group supplied visual evidence obtained from the breached CCTV systems, as well as images showcasing altered desktop wallpapers bearing their statement, as per Falconfeeds.

The year 2023 has witnessed a resurgence of hostilities between Israel and Palestine, culminating in a full-scale armed conflict. The longstanding discord between the two nations, which traces back to the early 20th century, has witnessed significant escalations since 2008. 

Reports indicate that while the 2014 conflict was marked by unprecedented devastation, the 2023 altercation raises concerns about an even higher casualty count.

The conflict zone in Gaza has become a focal point for retaliatory strikes from both hacktivist groups and Threat Actors (TAs), a trend anticipated given similar patterns observed since 2012. 

Cyberattacks have increasingly become complementary strategies within the context of contemporary warfare, a phenomenon noted even prior to the onset of the Russia-Ukraine conflict in early 2022.

Additionally, Cyble Research & Intelligence Labs (CRIL) has been meticulously curating intelligence amidst the fog of cyber-attacks, monitoring the activities of hacktivists and various threat actors to discern noteworthy developments in the cyber theatre. They have observed a diverse array of malicious techniques being employed by hacktivists and threat actors to exploit vulnerabilities in critical infrastructures and disrupt their operations.
Read more »
Threat actors
Cisco Talos Data Stealer malware Malware Capabilties malware versions SapphireStealer Threat actors

SaphhireStealer: New Malware in Town, Possess More Capabilities


A new malware called ‘SapphireStealer’ has been observed by Cisco Talos researchers. The malware came to light in December 2022 in Cisco’s public release, where they witnessed it frequently in public malware repositories, stealing browser credential databases and files containing sensitive user information. 

Researchers observed a rise in sales (and offers for rent) of the new stealer on different underground forums and illicit marketplaces. 

Cisco Talos threat researcher Edmund Brumaghin is certain with his observation that SapphireStealer possesses numerous entities that are modifying its code base, in order to accommodate additional data exfiltration processes, leading to the formation of many variations.

According to Brumaghin, the freshly compiled versions of the malware began "being uploaded to public malware repositories beginning in mid-January 2023, with consistent upload activity being observed through the first half of 2023."

Researchers say that several malware versions are already in use by multiple threat actors, amplifying their efficiency and effectiveness in their operations over time. 

Capabilities of SapphireStealer

Apparently, the malware is designed to steal sensitive information from targeted systems. This information may include host information, screenshots, cached browser credentials and files stored on the system that match a predefined list of file extensions. Also, it is capable of determining the presence of credential databases for browser applications including Chrome, Yandex, Edge and Opera.

On execution, the malware creates a working directory and launches a file grabber that searches the victim's Desktop folder for files with the following file extensions: .txt, .pdf, .doc,.docx, .xml, .img, .jpg, and.png.

Subsequently, the malware compiles all of the logs into a compressed package called log.zip, which it then sends to the attacker over Simple Mail Transfer Protocol "using credentials defined in the portion of code responsible for crafting and sending the message." 

After the logs are successfully exfiltrated, the malware deletes the working directory it had previously created and stops running.

Moreover, the malware operators are said to have released a malware downloader – FUD-Loader – which uses HTTP/HTTPS communications to retrieve more executables from infrastructure under the control of the attacker. It then saves the retrieved content to disk and executes it to continue the infection process.

"In most of the cases where this loader was used, it retrieved the SapphireStealer binary payloads being hosted on the infrastructure described in the next section, allowing us to attribute those samples to the same threat actor," the researchers said.

"One of the byproducts of readily available and open-source malware codebases is that the barrier to entry into financially motivated cybercrime has continued to decrease over time," the researchers added.

The researchers further explained how stealers make it possible for attackers with less operational skill to launch an attack, which may be quite harmful to corporate environments because the data obtained is frequently used for more attacks that are followed.  

Read more »
Threat actors
CISA & FBI CrowdStrike cryptocurrency hack Cyber Attacks IT Companies JumpCloud Labyrinth Collima North Korea Hackers Threat actors

North Korea-Backed Hackers Breach US Tech Company to Target Crypto Firms


A North Korean state-sponsored hacking group has recently breached a US IT management company, in a bid to further target several cryptocurrency companies, cybersecurity experts confirmed on Thursday. 

The software company – JumpCloud – based in Louisville, Colorado reported its first hack late in June, where the threat actors used their company’s systems to target “fewer than 5” of their clients. 

While the IT company did not reveal the identity of its affected customers, cybersecurity firms CrowdStrike Holding and Alphabet-owned Mandiant – managing JumpCloud and its client respectively – claims that the perpetrators are known for executing heists targeting cryptocurrency. 

Moreover, two individuals that were directly connected to the issue further confirmed the claim that the JumpCloud clients affected by the cyberattack were in fact cryptocurrency companies. 

According to experts, these North Korea-backed threat actors, who once targeted firms piecemeal are now making efforts in strengthening their approach, using tactics like a “supply chain attack,” targeting companies that could provide them wider access to a number of victims at once.

However, Pyongyang’s mission to the UN did not respond to the issue. North Korea has previously denied claims of it being involved in cryptocurrency heists, despite surplus evidence claiming otherwise.

CrowdStrike has identified the threat actors as “Labyrinth Collima,” one of the popular North Korea-based operators. The group, according to Mandiant, works for North Korea’s Reconnaissance General Bureau (RGB), its primary foreign intelligence agency.

However, the U.S. cybersecurity agency CISA and the FBI did not confirm the claim. 

Labyrinth Chollima is one of North Korea’s most active hackers, claiming responsibility for some of the most notorious and disruptive cyber threats in the country. A staggering amount of funds has been compromised as a result of its cryptocurrency theft: An estimated $1.7 billion in digital currency was stolen by North Korean-affiliated entities, according to data from blockchain analytics company Chainalysis last year.

JumpCloud hack first came to light earlier this month when an email from the firm reached its customers, mentioning how their credentials would be changed “out of an abundance of caution relating to an ongoing incident.”

Adam Meyers, CrowdStrike’s Senior Vice President for Intelligence further warns against Pyongyang’s hacking squads, saying they should not be underestimated. "I don't think this is the last we'll see of North Korean supply chain attacks this year," he says.  

Read more »
Threat actors
Cyber Security Gmail Gmail checkmark system Google Security Feature Security flaw Threat actors

Google: Gmail Users Warned of a Security Flaw in its New Feature


Google has recently issued a warning to its 1.8 billion Gmail users following a security flaw that was discovered in one of its latest security functions.

The feature, Gmail checkmark system was introduced to assist users distinguish between certified businesses and organizations and legitimate emails from potential scammers. This is made possible through a blue checkmark, included in the function.

However, threat actors were able to take advantage of this feature, raising questions about the general security of Gmail.

Chris Plummer, a cybersecurity expert, found that cybercriminals could deceive Gmail into thinking their bogus businesses were real. This way, they shattered the trust Gmail users were supposed to have in the checkmark system.

"The sender found a way to dupe @gmail's authoritative stamp of approval, which end users are going to trust. This message went from a Facebook account to a UK netblock, to O365, to me. Nothing about this is legit," says Plummer.

Prior to these findings, Google dismissed the claims, calling this to be “intended behavior.” But after the issue gained a significant response following Plummer’s tweet related to the flaw, Google finally acknowledged the error.

Later, Google admitted its mistake and conducted a proper investigation into the matter. The flaw’s security was acknowledged, with Google labeling it as a ‘P1’ fix, which indicates it to be in the topmost priority status.

"After taking a closer look we realized that this indeed doesn't seem like a generic SPF vulnerability. Thus we are reopening this and the appropriate team is taking a closer look at what is going on […] We apologize again for the confusion and we understand our initial response might have been frustrating, thank you so much for pressing on for us to take a closer look at this! We'll keep you posted with our assessment and the direction that this issue takes," Google said in a statement.

Google’s warning serves as a caution to online users that security features too are vulnerable to flaws, regardless of how much advancement they may attain. Thus it is important to have a vigilant outlook on the ‘safety’ features. Users must also be careful when involving themselves with email communication.  

Read more »
Varonis Threat Lab
Data Breach deactivated sites DNS Hacking Ghost sites Salesforce Threat actors Varonis Threat Lab

Ghost Sites: Attackers are now Exposing Data From Deactivated Salesforce Sites


Varonis Threat Lab researchers recently discovered that Salesforce ‘ghost sites,’ that are no longer in use, if improperly deactivated and unmaintained may remain accessible and vulnerable of being illicitly used by threat actors. They noted how by compromising the host header, a hacker may gain access to sensitive PII and business data.

With the help of Salesforce Sites, businesses can build specialized communities where partners and clients could work collaboratively.

But when these communities are no longer required, they are frequently preserved rather than shut down. These sites aren't examined for vulnerabilities since they aren't maintained, and the administrators don't update the security measures in accordance with contemporary guidelines.

Apparently, Varonis Threat Labs on its recent findings discovered that since these ghost sites were not properly deactivated, they were easily accessible to attackers who were using them to put illicit data, exploiting the sites.

They added that the exposed data did not only consist of the old data of the sites, but also fresh records that were disclosed to guest user, who shared configuration in the Salesforce environment.

Salesforce Ghost Sites

According to Varonis Threat Labs, Salesforce ghost sites are created when a company, instead of using unappealing internet URLs uses a custom domain name. This is done so that the organization’s partners could browse the sites. . “This is accomplished by configuring the DNS record so that ‘partners.acme.org’ [for example] points to the lovely, curated Salesforce Community Site at “partners.acme.org. 00d400.live.siteforce.com[…]With the DNS record changed, partners visiting “partners.acme.org” will be able to browse Acme’s Salesforce site. The trouble begins when Acme decides to choose a new Community Site vendor,” the researchers said.

Companies might switch out a Salesforce Experience Site for an alternative, just like they would with any other technology. Varonis Threat Labs stated, "Acme subsequently updates the DNS record of 'partners.acme.org' to link toward a new site that might function in their AWS environment." The Salesforce Site is no longer present from the users' perspective, and a new Community page is now accessible. The new page may not be functioning in the environment or connected to Salesforce in any way, and no blatant integrations are visible.

However, the study found that a lot of businesses only modify DNS entries. “They do not remove the custom domain in Salesforce, nor do they deactivate the site. Instead, the site continues to exist, pulling data and becoming a ghost site,” a researcher said.

Attackers exploit these sites simply by changing the host header. They mislead Salesforce into believing that the site was accessed as https://partners.acme.org/ making the sites accessible to the attackers.

Although these sites can also be accessed through their whole internal URLs, an intruder would find it difficult to recognize these URLs. However, locating ghost sites is significantly simpler when utilizing tools that index and archive DNS information, like SecurityTrails and comparable technologies.

What is the Solution

Varonis Threat Labs advised that the sites that are no longer in use should be properly deactivated. They also recommended to track all Salesforce sites and their respective users’ permissions, involving both community and guest users. Moreover, the researchers created a guide on ‘protecting your active Salesforce Communities against recon and data theft.’ 

Read more »
Threat actors
Backups Black Basta Cyber Attacks Cyberattack Encryption Ransomware attack Threat actors

Rheinmetall Hit by BlackBasta Ransomware: Disruption to Arms Production

Arms manufacturer Rheinmetall has recently confirmed that it fell victim to a ransomware attack orchestrated by the BlackBasta ransomware group. The cyberattack has caused significant disruption to the company's operations, including its arms production capabilities.

Rheinmetall, a prominent German defense contractor, specializes in manufacturing a wide range of military and security equipment. The attack on such a high-profile player in the defense industry underscores the growing threat of ransomware attacks targeting critical infrastructure and sensitive sectors.

The BlackBasta ransomware group, known for its aggressive tactics and targeting of large organizations, has been identified as the perpetrator of the attack. The group employs sophisticated techniques to infiltrate and encrypt the victim's systems, demanding a ransom payment in exchange for the decryption keys.

Rheinmetall has not disclosed the specific ransom amount demanded by the attackers or whether it has chosen to engage in negotiations. However, the incident highlights the potentially devastating impact that ransomware attacks can have on crucial industries, potentially leading to operational disruptions and financial losses.

The immediate consequences of the attack have been felt within Rheinmetall's production facilities, causing delays and interruptions to ongoing arms manufacturing processes. The company has initiated an extensive investigation to assess the extent of the breach and mitigate any potential long-term damage to its operations and reputation.

In response to the attack, Rheinmetall has taken immediate measures to contain the breach and secure its systems. It has engaged external cybersecurity experts to assist in the recovery process and strengthen its defenses against future threats. Additionally, the company has implemented stringent security protocols and is enhancing employee training on cybersecurity best practices.

The incident involving Rheinmetall serves as a stark reminder to organizations across all sectors of the critical importance of maintaining robust cybersecurity measures. Ransomware attacks continue to evolve in sophistication and scale, targeting both public and private entities. The consequences of a successful attack can be severe, ranging from financial losses to reputational damage and even threats to national security.

Organizations must adopt a proactive approach to cybersecurity, including regular system updates, robust backup procedures, and comprehensive incident response plans. By prioritizing cybersecurity measures, organizations can minimize the risk of falling victim to ransomware attacks and other cyber threats.
Read more »
Subscribe to: Posts (Atom)