Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label User Security. Show all posts

Five Common Cybersecurity Errors and How to Avoid Them

 

In the cultural mishmash of modern tech-savvy consumers, the blue screen of death looms large. The screen serves as a simple reminder informing the user that the device is unable to resolve the issue on its own. A computer crash can indicate that your CPU is degrading after years of use, but a cybersecurity compromise can also cause hardware to malfunction or operate unexpectedly. 

A significant portion of the total amount of theft and illegal conduct that impacts people today is carried out by cybercriminals. According to the FBI's 2023 Internet Crime Report, cybercrime complaints resulted in losses above $12.5 billion. The numbers showed a 10% increase in complaints and a 22% increase in financial losses.

As defenders, we must constantly look for what we have missed and how we can get better. Five common cybersecurity errors are listed below, along with tips on how to prevent them: 

Using simple password:  Employing strong passwords to safeguard your sensitive data is a vital part of any effective cybersecurity plan. Strong passwords can make it difficult for hackers to access your credentials. These passwords must include capital letters, symbols, and broken words, if any. Nearly everyone is aware of this aspect of internet use, and many online systems require users to include these security features in their profiles. However, 44% of users hardly ever change their passwords (though over a third of internet users participate in monthly refreshes), and 13% of Americans use the same password for every online account they create. 

Underestimating the human element: This is a fatal error because you would be overlooking a significant contributor to 74% of data breaches. According to the Ponemon Cost of a Data Breach 2022 Report, the top attack vector last year was stolen or compromised credentials; it appears that many of us are falling for scams and disclosing critical information. That's why black hats keep coming back: we provide a consistent, predictable source of funds. To tighten those reigns, implement an employee Security Awareness Training (SAT) program and follow the principle of least privilege. 

Invincible thinking:  Small firms frequently fall into this attitude, believing they have nothing of value to an outside attacker. If all attackers were pursuing billions of money and governmental secrets, this could be accurate. But they aren't. There are innumerable black hats who profit from "small" payments, compounded dividends, and the sale of credential lists. Any company having users and logins can find what they're looking for. This same approach can and should be applied to organisations of all sizes. Combat the "it can't happen to me" mentality with regular risk assessments, pen tests, SAT training, and red teaming to prepare your organisation; because it can. 

Not caring enough:   This is exactly where fraudsters want you: clueless and "I don't care." This can happen all too easily when SOCs become overwhelmed by the 1,000-plus daily notifications they receive, let alone attempting to stay ahead of the game with proactive preventive measures (or even strategy). Threat actors take advantage of teams that are overburdened. If your resources are stretched thin, the correct investment in the right area might alleviate some of the stress, allowing you to do more with less. 

Playing a defensive game:   We've all heard that the best defence is a good offence. And that is true. Cybersecurity frequently receives a solely defensive rap, which unfairly underestimates its value. Cybercriminals are continuously catching organisations off guard, and all too often, SOCs on the ground have never dealt with anything like them before. They patched vulnerabilities. They dodged phishing emails. However, an APT, advanced threat, or even a true red-alert cyber incursion might all be new territory. Prepare your digital and people nervous systems for an attack by instilling offensive security techniques such as penetration testing and red teaming in them before day zero.

AI-Powered Dark Patterns: What's Up Next?

 

The rapid growth of generative AI (artificial intelligence) highlights how urgent it is to address privacy and ethical issues related to the use of these technologies across a range of sectors. Over the past year, data protection conferences have repeatedly emphasised AI's expanding role in the privacy and data protection domains as well as the pressing necessity for Data Protection Officers (DPOs) to handle the issues it presents for their businesses. 

These issues include the creation of deepfakes and synthetic content that could sway public opinion or threaten specific individuals as well as the public at large, the leakage of sensitive personal information in model outputs, the inherent bias in generative algorithms, and the overestimation of AI capabilities that results in inaccurate output (also known as AI hallucinations), which often refer to real individuals. 

So, what are the AI-driven dark patterns? These are deceptive UI strategies that use AI to influence application users into making decisions that favour the company rather than the user. These designs employ user psychology and behaviour in more sophisticated ways than typical dark patterns. 

Imagine getting a video call from your bank manager (created by a deepfake) informing you of some suspicious activity on your account. The AI customises the call for your individual bank branch, your bank manager's vocal patterns, and even their look, making it quite convincing. This deepfake call could tempt you to disclose sensitive data or click on suspicious links. 

Another alarming example of AI-driven dark patterns may be hostile actors creating highly targeted social media profiles that exploit your child's flaws. The AI can analyse your child's online conduct and create fake friendships or relationships that could trick the child into disclosing personal information or even their location to these people. Thus, the question arises: what can we do now to minimise these ills? How do we prevent future scenarios in which cyber criminals and even ill-intentioned organisations contact us and our loved ones via technologies on which we have come to rely for daily activities? 

Unfortunately, the solution is not simple. Mitigating AI-driven dark patterns necessitates a multifaceted approach that includes consumers, developers, and regulatory organisations. The globally recognised privacy principles of data quality, data collection limitation, purpose specification, use limitation, security, transparency, accountability, and individual participation are universally applicable to all systems that handle personal data, including training algorithms and generative AI. We must now test these principles to discover if they can actually protect us from this new, and often thrilling, technology.

Prevention tips 

First and foremost, we must educate people on AI-driven dark trends and fraudulent techniques. This can be accomplished by public awareness campaigns, educational tools at all levels of the education system, and the incorporation of warnings into user interfaces, particularly on social media platforms popular with young people. Cigarette firms must disclose the risks of their products, as should AI-powered services to which our children are exposed.

We should also look for ways to encourage users, particularly young and vulnerable users, to be critical consumers of information they come across online, especially when dealing with AI systems. In the twenty-first century, our educational systems should train members of society to question (far more) the source and intent of AI-generated content. 

Give the younger generation, and even the older ones, the tools they need to control their data and customise their interactions with AI systems. This might include options that allow users or parents of young users to opt out of AI-powered suggestions or data collection. Governments and regulatory agencies play an important role to establish clear rules and regulations for AI development and use. The European Union plans to propose its first such law this summer. The long-awaited EU AI Act puts many of these data protection and ethical concerns into action. This is a positive start.

Meet Daisy, the AI Grandmother Designed to Outwit Scammers

 

The voice-based AI, known as Daisy or "dAIsy," impersonates a senior citizen to engage in meandering conversation with phone scammers.

Despite its flaws, such as urging people to eat deadly mushrooms, AI can sometimes be utilised for good. O2, the UK's largest mobile network operator, has implemented a voice-based AI chatbot to trick phone scammers into long, useless talks. Daisy, often known as "dAIsy," is a chatbot that mimics the voice of an elderly person, the most typical target for phone scammers. 

Daisy's goal is to automate "scambaiting," which is the technique of deliberately wasting phone fraudsters' time in order to keep them away from potential real victims for as long as possible. Scammers employ social engineering to abuse the elderly's naivety, convincing them, for example, that they owe back taxes and would be arrested if they fail to make payments immediately.

When a fraudster gets Daisy on the phone, they're in for a long chat that won't lead anywhere. If they get to the point when the fraudster requests private data, such as bank account information, Daisy will fabricate it. O2 claims that it is able to contact fraudsters in the first place by adding Daisy's phone number to "easy target" lists that scammers use for leads. 

Of course, the risk with a chatbot like Daisy is that the same technology can be used for opposite ends—we've already seen cases where real people, such as CEOs of major companies, had their voices deepfaked in order to deceive others into giving money to a fraudster. Senior citizens are already exposed enough. If they receive a call from someone who sounds like a grandchild, they will very certainly believe it is genuine.

Finally, preventing fraudulent calls and shutting down the groups orchestrating these frauds would be the best answer. Carriers have enhanced their ability to detect and block scammers' phone numbers, but it remains a cat-and-mouse game. Scammers use automated dialling systems, which allow them to phone numbers quickly and only alert them when they receive an answer. An AI bot that frustrates fraudsters by responding and wasting their time is preferable to nothing.

Data Aggregator Breach Exposes Data of 122 Million Users

 

Pure Incubation, currently known as DemandScience, allegedly experienced a data breach earlier this year, resulting in the theft of critical data, including contact information. 

The impacted entity is a B2B demand-generation and data aggregator that collects, collates, and organises data from public sources to create a comprehensive dataset that digital marketers and advertisers can use to create rich "profiles" for lead generation or marketing material. 

Furthermore, this organisation gathered data from public and third-party sources, including full names, physical addresses, email addresses, phone numbers, employment titles and positions, and social media links. 

The alleged cause of the data breach is an unsecured system on Pure Incubation, which allowed a threat actor known as 'KryptonZambie' to sell around 132.8 million documents on BreachForums starting last February.

On the other side, the data aggregator persisted on one of the enquiries, stating that there was no evidence of a hack. However, a follow-up email asking if the leaked data samples belonged to them went unanswered.

Furthermore, the senior director of corporate communications stated that a post from a black hat hacker criminal website triggered them to activate their security and incident response systems. The company also stated that its systems are completely working and that its first investigation did not find any sign of a hack or data breach. Still, it assured every concerned party that it constantly monitored the issue. 

On August 15, 2024, KryptonZambie made the dataset available for eight credits, which is equivalent to a few dollars. This disclosure forced the company to verify the data's legitimacy. However, the confirmation stated that anyone who was exposed to the DemandScience leak did so through a system that had been discontinued two years ago. 

The 122 million unique email addresses from the stolen dataset have been added to Have I Been Pwned, and impacted subscribers will be notified of the incident. Therefore, the individuals who may have been affected by the data leak should be vigilant of any unsolicited contacts, since threat actors can already carry out targeted phishing operations.

Hot Topic Data Breach Exposes Private Data of 57 Million Users

 

Have I Been Pwned warns that an alleged data breach compromised the private data of 56,904,909 Hot Topic, Box Lunch, and Torrid users. Hot Topic is an American retail franchise that specialises in counterculture-themed clothes, accessories, and licensed music merchandise. 

The firm has approximately 640 stores in the United States and Canada, mostly in shopping malls, with a large customer base.

According to HIBP, the exposed information includes full names, email addresses, birth dates, phone numbers, physical addresses, transaction history, and partial credit card data for Hot Topic, Box Lunch, and Torrid users. 

On October 21, 2024, a threat actor known as "Satanic" claimed responsibility for the security incident on BreachForum. The threat actor claims to have siphoned 350 million user records from Hot Topic and its subsidiaries, Box Lunch and Torrid. 

"Satanic" attempted to sell the database for $20,000 while also demanding a $100,000 ransom from Hot Topic to remove the ad from the forums. According to a HudsonRock report published on October 23, the intrusion could be the result of an information stealer malware infection that acquired credentials for Hot Topic's data unification service. 

While Hot Topic has stayed silent, and no notifications have been issued to potentially impacted users, data analytics firm Atlas Privacy revealed last week that the 730GB database impacts 54 million users. Atlas further highlighted that the collection contains 25 million credit card numbers encrypted with a poor cypher that can be easily broken by current computers. 

Although Atlas is not positive that the database belongs to Hot Topic, it did note that approximately half of all email addresses had not been seen in previous breaches, adding to the authenticity of the threat actor's claims. According to Altas, the hack appears to have occurred on October 19, with data ranging from 2011 until that date. 

The company has set up a website where Hot Topic consumers can see if their email address or phone number was compromised in the data breach. Meanwhile, the threat actor continues to offer the database, albeit for a lower cost of $4,000. Potentially impacted Hot Topic consumers should be wary of phishing attacks, keep track of their financial accounts for strange activity, and change their passwords on all platforms where they use the same credentials.

FBI Cautioned Gmail Users Regarding Cookie Theft

 

The FBI has warned users of popular email providers such as Gmail, Outlook, Yahoo, and AOL regarding a surge in online criminal activity that compromises email accounts, including those secured by multifactor authentication (MFA). 

Online criminals lure people into visiting suspicious websites or clicking on phishing links, which then download malicious applications onto their computers. One of the most common tactics they employ to gain access to email accounts is cookie theft. 

These session or security cookies, often known as "remember me" cookies, store login information to make it easier to access frequently visited websites and accounts. Cookie theft enables attackers to access users' accounts without requiring their username, password, or MFA. The FBI claims that this strategy works especially well when a user selects the "Remember this device" checkbox during login.

“This problem affects all email platforms with web logins, although Gmail, Outlook, Yahoo, and AOL are the largest targets,” notes cybersecurity expert Zak Doffman. “It also impacts other types of accounts such as shopping sites and financial platforms.” Google has been warning users about cookie theft and developing new ways to prevent it. However, the threat remains significant, as fraudsters develop new techniques. 

FBI warn users

The FBI advises users to take the following precautions to secure their accounts: 

  • Clear your internet browser's cookies on a regular basis. 
  • When logging into websites, avoid choosing the "Remember Me" checkbox.
  • Do not access unsecured websites or click on dubious links.
  • Check your account settings for recent device login history on a regular basis.

Despite the flaws identified in their warning, the FBI emphasises that MFA remains one of the best actions users can take to secure their accounts. Google agrees, describing security cookies as "fundamental to the modern web" because of their utility, but conceding that they are a tempting target for hackers. 

Organisations should also implement MFA on all platforms. Amazon just executed MFA to its workplace email service, WorkMail. Though it took a long time to implement, it is a positive step towards better safety. Finally, any type of multi-factor authentication is preferable to simply typing a password. 

Users should take all necessary precautions to safeguard their accounts by combining the newest security tools with sound security practices. Report cybercrime to the FBI's Internet Crime Complaint Centre (IC3) if you believe you have been a victim. The official FBI website has more thorough advice on how to safeguard your online safety.

The Growing Concern Regarding Privacy in Connected Cars

 

Data collection and use raise serious privacy concerns, even though they can improve driving safety, efficiency, and the whole experience. The automotive industry's ability to collect, analyse, and exchange such data outpaces the legislative frameworks intended to protect individuals. In numerous cases, car owners have no information or control over how their data is used, let alone how it is shared with third parties. 

The FIA European Bureau feels it is time to face these challenges straight on. As advocates for driver and car owners' rights, we are calling for clearer, more open policies that restore individuals' control over their data. This is why, in partnership with Privacy4Cars, we are hosting an event called "Driving Data Rights: Enhancing Privacy and Control in Connected Cars" on November 19th in Brussels. The event will bring together policymakers, industry executives, and civil society to explore current gaps in legislation and industry practices, as well as how we can secure enhanced data protection for all. 

Balancing innovation with privacy 

A recent Privacy4Cars report identifies alarming industry patterns, demonstrating that many organisations are not fully compliant with GDPR laws. Data transparency, security, and consent methods are often lacking, exposing consumers to data misuse. These findings highlight the critical need for reforms that allow individuals more control over their data while ensuring that privacy is not sacrificed in the sake of innovation.

The benefits of connected vehicle data are apparent. Data has the potential to alter the automotive industry in a variety of ways, including improved road safety, predictive maintenance, and enhanced driving experiences. However, this should not be at the expense of individual private rights. 

As the automobile sector evolves, authorities and industry stakeholders must strike the correct balance between innovation and privacy protection. Stronger enforcement of existing regulations, as well as the creation of new frameworks that suit the unique needs of connected vehicles, are required. Car owners should have a say in how their data is utilised and be confident that it is managed properly. 

Shaping the future of data privacy in cars 

The forthcoming event on November 19th will provide an opportunity to dig deeper into these concerns. Key stakeholders from the European Commission, the automotive industry, and privacy experts will meet to discuss the present legal landscape and what else can be done to protect persons in this fast changing environment. 

The agenda includes presentations from Privacy4Cars on the most recent findings on automotive privacy practices, a panel discussion with automotive industry experts, and case studies demonstrating real-world examples of data misuse and third-party access. 

Connected cars are the future of mobility, but it must be founded on confidence and transparency. By giving individuals authority over their personal data, we can build a system that benefits everyone—drivers, manufacturers, and society as a whole. The FIA European Bureau is committed to collaborating with all parties to make this happen.

Advanced Persistent Teenagers: A Rising Security Threat

 

If you ask some of the field's top cybersecurity executives what their biggest concerns are, you might not expect bored teenagers to come up. However, in recent years, this totally new generation of money-motivated hackers has carried out some of the biggest hacks in history and shows no signs of slowing. 

Meet the "advanced persistent teenagers," as stated by the security community. These are skilled, financially motivated attackers, such as Lapsus$ and Scattered Spider, who have proven capable of digitally breaching into hotel companies, casinos, and tech behemoths.

The hackers can deceive unsuspecting employees into giving over their company passwords or network access by using strategies such as believable email lures and convincing phone calls posing as a company's support desk. 

These attacks are extremely effective, have resulted in massive data breaches impacting millions of individuals, and have resulted in large ransoms paid to make the hackers vanish. By displaying hacking capabilities previously limited to only a few nation states, the threat from idle teenagers has forced numerous companies to confront the reality that they don't know if the personnel on their networks are who they say they are, and not a sneaky hacker. Has the threat posed by idle teens been understated, according to two respected security veterans? 

“Maybe not for much longer,” noted Darren Gruber, technical advisor in the Office of Security and Trust at database giant MongoDB, during an onstage panel at TechCrunch Disrupt. “They don’t feel as threatened, they may not be in U.S. jurisdictions, and they tend to be very technical and learn these things in different venues.”

Plus, a key automatic advantage is that these threat groups also have a lot of time on their hands. “It’s a different motivation than the traditional adversaries that enterprises see.” Gruber has dealt with a few of these threats directly. There was no evidence of access to client systems or databases, however an intrusion at the end of 2023 in MongoDB resulted in the theft of certain metadata, such as customer contact information. 

According to Gruber, the attack mirrored Scattered Spider's strategies, and the vulnerability was reportedly minimal. "The attackers posed to be employees and used a phishing lure to get into MongoDB's internal network," he claimed.

Malvertising Campaign Hijacks Facebook Accounts to Propagate SYS01stealer

 

A new malvertising effort is using Meta's advertising network to disseminate the SYS01 infostealer, a cybersecurity issue known to Meta and specifically Facebook users for collecting personal information. 

What distinguishes this attack is that it targets millions of people worldwide, primarily men aged 45 and up. It successfully disguises itself as advertisements for popular software, games, and online services. This campaign, discovered in September 2024, stands out for its imitation tactics and the popular brands it exploits. 

Instead of zeroing in on a single lure, the perpetrators impersonate a wide range of well-known brands, including productivity tools like Office 365, creative software like Canva and Adobe Photoshop, VPN services like ExpressVPN, streaming platforms like Netflix, messaging apps like Telegram, and even popular video games like Super Mario Bros Wonder. 

Modus operandi 

According to Bitdefender's blog article, malicious adverts frequently lead to MediaFire links that offer direct downloads of seemingly legitimate software. These zip-archived downloads contain a malicious Electron program. 

When executed, this application drops and runs the SYS01 infostealer, frequently while presenting a fake app that replicates the advertised software. This deceitful strategy makes it harder for victims to recognise that they have been compromised. 

An Electron application is a desktop software that uses web technologies such as HTML, CSS, and JavaScript. Electron is an open-source framework built by GitHub that enables developers to build cross-platform programs that run on Windows, macOS, and Linux using a single codebase. 

However, in this attack, the Electron app employs obfuscated Javascript code and a standalone 7zip application to extract a password-protected archive containing the core malware components. This bundle contains PHP scripts used to install the infostealer and establish persistence on the victim's PC. The malware also includes anti-sandbox tests to circumvent detection by security experts. 

The primary goal of the SYS01 infostealer is to acquire Facebook credentials, particularly those associated with business accounts. These compromised accounts are then used in subsequent assaults or frauds. 

What's worse, the assault takes advantage of the hijacked accounts' advertising capabilities, allowing attackers to produce new malicious ads that appear more authentic and easily evade security filters. This sets up a self-sustaining loop in which stolen accounts are used to propagate the malware even further. The stolen credentials are likely to be sold on underground marketplaces, enriching the crooks even more.

New Tool Circumvents Google Chrome's New Cookie Encryption System

 

A researcher has developed a tool that bypasses Google's new App-Bound encryption cookie-theft defences and extracts saved passwords from the Chrome browser. 

Alexander Hagenah, a cybersecurity researcher, published the tool, 'Chrome-App-Bound-Encryption-Decryption,' after noticing that others had previously identified equivalent bypasses. 

Although the tool delivers what several infostealer operations have already done with their malware, its public availability increases the risk for Chrome users who continue to store sensitive information in their browsers. 

Google launched Application-Bound (App-Bound) encryption in July (Chrome 127) as a new security feature that encrypts cookies using a Windows process with SYSTEM rights. 

The goal was to safeguard sensitive data against infostealer malware, which operates with the logged user's access, making it impossible to decrypt stolen cookies without first achieving SYSTEM privileges and potentially setting off security software alarms. 

"Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app," noted Google in July. "Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing.” 

However, by September, several infostealer thieves had discovered ways to circumvent the new security feature, allowing their cybercriminal customers to once again siphon and decrypt sensitive data from Google Chrome. 

Google previously stated that the "cat and mouse" game between info-stealer developers and its engineers was to be expected, and that they never assumed that its defence measures would be impenetrable. Instead, they believed that by introducing App-Bound encryption, they could finally set the groundwork for progressively constructing a more robust system. Below is Google's response from the time:

"We are aware of the disruption that this new defense has caused to the infostealer landscape and, as we stated in the blog, we expect this protection to cause a shift in attacker behavior to more observable techniques such as injection or memory scraping. This matches the new behavior we have seen. 

We continue to work with OS and AV vendors to try and more reliably detect these new types of attacks, as well as continuing to iterate on hardening defenses to improve protection against infostealers for our users.”

Microsoft: Healthcare Sector Sees 300% Surge in Ransomware Assaults

 

A Microsoft investigation published earlier this week revealed that ransomware attacks on the healthcare sector are rising and threatening lives. 

The report, which uses both internal corporate data and external data, shows a 300% spike in ransomware attacks on the health sector since 2015, as well as an increase in stroke and cardiac arrest cases at hospitals receiving patients from nearby facilities that have been paralysed by similar assaults.

It all amounts to a worrisome pattern that began during the peak of the COVID-19 pandemic, when certain ransomware gangs pledged not to attack the healthcare industry. 

“That [pledge has] been shoved off the table, unfortunately, and we are seeing a broader targeting of everything that has to do with health care, from hospital systems to clinics to doctors’ offices — really, anything where patient care can be impacted,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, stated. “Threat actors know people’s lives are at stake, and therefore the organization is more likely to pay.” 

According to Microsoft's second-quarter 2024 data, health care is one of the top ten most targeted sectors, with an average payment of $4.4 million reported in a survey of health care organisations. Additionally, Microsoft analysts believe Iranian gangs are mostly targeting healthcare organisations. 

A research published last year discovered that ransomware attacks on hospitals have a spillover effect, with unaffected institutions seeing an increase in patients, resulting in stroke cases soaring by 113% and cardiac arrest cases reaching 81%. Those cardiac arrest instances also had lower survival rates. 

“We know that these types of incidents have impacts on many of the technologies, such as CT scanners or laboratory machines that are used to take care of patients suffering from things like heart attack, stroke or sepsis,” Jeff Tully, co-director and of the University of California San Diego Center for Healthcare Cybersecurity and co-author of that study, noted. “And we know that there are delays in our ability to care for these patients during these types of down times.” 

Tully stated that the centre was working on developing a ransomware response playbook for health care organisations, but DeGrippo emphasised the need of creating resilience to survive an assault when it occurs.

Cisco Investigates Data Breach After Hacker Claims Sale of Data

 

Cisco has acknowledged that it is investigating reports of a data breach after a hacker began offering allegedly stolen firm data for sale on a hacking platform. As per a report in a local media outlet, the investigation was launched following claims made by a well-known hacker identified as “IntelBroker.”

“Cisco is aware of reports that an actor is alleging to have gained access to certain Cisco-related files,” a Cisco spokesperson stated. “We have launched an investigation to assess this claim, and our investigation is ongoing.” 

The allegations surfaced after IntelBroker claimed, along with two others designated as "EnergyWeaponUser" and "zjj," that they infiltrated Cisco's servers on June 10, 2024, and obtained a large amount of developer-related data.

IntelBroker's post on a hacking forum showed that the data would include "GitHub projects, GitLab projects, SonarQube projects, source code, hard-coded credentials, certificates, customer SRCs, Cisco confidential documents, Jira tickets, API tokens, AWS private buckets, Cisco technology SRCs, Docker builds, Azure storage buckets, private and public keys, SSL certificates, Cisco premium products, and more." The hacker uploaded samples of a database, client information, multiple files, and screenshots of customer management interfaces. 

According to a recent update from IntelBroker, the breach also involves the theft of sensitive data from other major global companies such as Verizon, AT&T, and Microsoft. The stolen data is now allegedly being offered for sale on the cybercrime platform Breach Forums, with IntelBroker specifying that the transaction would take place in exchange for Monero (XMR), a cryptocurrency known for its anonymity properties. 

The hacker expressed a willingness to use an intermediary to facilitate the sale, assuring anonymity for both the buyer and seller. This technique is often used by hackers to evade detection by authorities. 

IntelBroker, which is known for high-profile data thefts, has already claimed responsibility for compromising other prominent firms. In June 2024, IntelBroker reported that they had infiltrated Apple, taking source code for internal tools, as well as Advanced Micro Devices (AMD), stealing employee and product information. In May 2024, IntelBroker claimed to have hacked Europol, which the organisation later confirmed.

IntelBroker did not provide any specific details on the techniques employed to acquire the data. The stolen data originated from a third-party managed services provider that specialises in software development and DevOps, according to sources knowledgeable with the breaches who spoke with BleepingComputer. It's still unclear if the earlier June incidents and the recent Cisco hack are linked.

New Yunit Infostealer Bypasses Windows Defender and Steals Sensitive Data

 

A new information-stealing malware has been discovered that is capable of exfiltrating a large amount of sensitive information while also disabling antivirus products to create persistence on target endpoints.

CYFIRMA cybersecurity researchers have published a detailed investigation of the infostealer known as Yunit Stealer. Yunit Stealer employs JavaScript to include system utility and cryptography modules, enabling it to do activities such as system information retrieval, command execution, and HTTP queries. It persists on the target device by altering the registry, adding jobs via batch and VBScript, and, finally, by setting exclusions in Windows Defender.

When it comes to infostealing, Yunit is just as effective as any other malware. It can steal system information, browser data (passwords, cookies, autofill information, etc.), and bitcoin wallet information. In addition to passwords, it can keep credit card information that is kept in the browser. 

Once the malware has gathered all of the data it deems useful, it will attempt to exfiltrate it via Discord webhooks or into a Telegram channel. It will also upload it to a remote site and provide a download link for future use. The URL will also include screenshots, allowing the threat actor to access the information while remaining anonymous and evading discovery. Accessing data using encrypted communication channels is also beneficial.

The fact that the Telegram channel was only established on August 31, 2024, and that it only has 12 subscribers, according to CYFIRMA, serves as further evidence that Yunit is a fledgling infostealer that has not yet proven its mettle. As an alternative, the Discord account isn't operational right now. 

Prevention tips 

Keep your systems updated: Regularly updating your operating system and software can help defend against known vulnerabilities that Yunit Stealer could exploit. 

Use trustworthy antivirus software: While Yunit Stealer can disable some antivirus products, choosing a reputable and often updated security solution provides an extra degree of protection. 

Avoid dubious links and downloads. Phishing attacks are frequently the starting point for malware infections. Use caution while opening email attachments or clicking on unexpected URLs. 

Monitor your accounts: Check your online accounts on a regular basis for strange behaviour, particularly those that store sensitive data such as passwords and credit card information.

Apple Patches VoiceOver Flaw That Could Read Passwords Aloud

 

Recently, Apple fixed a serious flaw in its VoiceOver feature that caused privacy concerns for users of iPhones and iPads. The bug, known as CVE-2024-44204, allowed the VoiceOver accessibility tool to read saved passwords aloud, a serious concern for users who rely on this ability to use their devices without visual assistance. 

The flaw was identified in Apple's native password management tool, introduced in iOS 18.0. It impacted multiple models, including iPhones from the XS series and later, as well as some iPads. This issue was especially alarming for customers who kept sensitive information in their password manager. 

Although the VoiceOver feature is turned off by default, users who enabled it for accessibility reasons were at risk. Fortunately, Apple addressed the issue in the iOS 18.0.1 update by enhancing the logic that governs how VoiceOver interacts with saved passwords. 

In addition to the VoiceOver issue, Apple addressed another issue (CVE-2024-44207) with audio messages, in which iPhone 16 series devices might begin recording audio before users were aware, providing an additional privacy concern. While neither vulnerability was remotely exploitable, they were significant enough to warrant quick patches to safeguard user data. 

Cybersecurity experts have complimented Apple for quickly fixing the issues and emphasising the significance of updating devices to the most recent software versions to avoid any misuse of these vulnerabilities. Users are recommended to apply the iOS 18.0.1 update as soon as possible to prevent any potential risks. 

These updates highlight how crucial it is for companies and individuals using iPhones for sensitive work to stay up-to-date with security upgrades, especially since accessibility capabilities can occasionally be exploited in unintended ways.

Healthcare Cybersecurity: Taking a Proactive Route

 

Cyberattacks in healthcare are growing more common and can disrupt an organization's operations. Healthcare organisations handle a lot of sensitive data, including financial information, patient health records, and identifying data, making them prime targets for cybercriminals. 

This vulnerability is exacerbated by the sector's sophisticated systems and the widespread dissemination of electronic health records across networks. Healthcare's economic model, with large volumes and poor margins, makes it particularly susceptible to attacks. 

Furthermore, the stakes are especially high in healthcare, where a breach or hack can have serious ramifications ranging from compromising patient privacy to life-threatening disruptions in medical services. Cybercriminals can shut down a whole healthcare system for weeks or even months, delaying critical patient treatment. They're also employing new tools like generative AI to develop sophisticated and difficult-to-detect cyberattacks. 

In 2023, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) received a record 725 reports of large healthcare security breaches. Healthcare security breaches are twice as common as they were seven years ago, with two major breaches recorded each day on average in 2023. Cybercrime expenses (estimated by some to reach $8 trillion by 2025) are anticipated to rise, highlighting the growing financial risks. 

According to Accenture research, leaders across industries recognise the importance of cybersecurity, yet only a tiny minority believe they are adequately equipped to deal with cyberattacks. Healthcare organisations are acutely aware of the changing cyberthreat landscape and are concerned about their ability to prevent or mitigate harm from a cyberattack. 

Changing nature of cyber attacks 

Patient identity theft has long been a common target of hackers in healthcare. However, recent trends indicate a shift towards more complex techniques in which attackers attempt to paralyse operations in order to extract ransoms. Protecting patient data remains critical, and organisations must continue to improve data security and network segmentation to mitigate the risk. However, ensuring the continuity of operations is as critical. 

Online criminals are increasingly targeting healthcare organisations with hacks that encrypt critical operating data and systems, rendering them inaccessible to medical professionals. Interestingly, not all breaches result in instant attacks. Once cybercriminals have gained access to a healthcare system, they can choose when to launch an assault. 

Researchers believe traditional cybersecurity techniques, which mainly focus on perimeter defence, are no longer sufficient given the sophistication of attacks. The healthcare industry requires a more robust strategy. In addition to continuing to work to prevent breaches and secure data, researchers advise healthcare businesses to shift focus to continuity initiatives so that when an assault inevitably occurs, they can restore operations promptly to minimize downtime and disruption.

Complicated Passwords Make Users Less Secure, Security Experts Claim

 

Using a variety of character types in your passwords and changing them on a regular basis are no longer considered best practices for password management.

This is according to new standards published by the United States National Institute of Standards and Technology, which develops and publishes guidelines to assist organisations in safeguarding their information systems.

The new guidelines were published in September 2024 as part of NIST's second public draft of SP 800-63-4, the most recent iteration of its Digital Identity guidelines. 

Change in password recommendations

Over the years, conventional wisdom recommended having complex passwords that included upper and lower case characters, numbers, and symbols. This complexity was intended to make passwords difficult to guess or crack using brute force assaults. 

However, these complex requirements frequently resulted in users developing bad habits, such as repeating passwords or selecting too basic ones that barely fit the rules, such as "P@ssw0rd123." Over time, NIST discovered that this emphasis on complexity was counterproductive, compromising security in practice. 

In its most recent guidelines, NIST has shifted away from enforcing complexity limits and towards encouraging longer passwords. There are a number of causes for this shift: 

Customer behaviour 

According to research, users frequently fail to remember complicated passwords, prompting them to reuse passwords across several sites or rely on easily guessable patterns, such as substituting letters with similar-looking numbers or symbols. The necessity by many organisations to change your password every sixty to ninety days—a practice that NIST no longer advises—further encouraged this behaviour. 

Password entropy 

Password strength is frequently tested using entropy, a measure of unpredictability. In other words, the total number of possible password combinations. The greater the number of potential options, or entropy, the more difficult it is for cybercriminals to crack the password using brute-force or guessing techniques. 

While complexity can contribute to entropy, length has a far greater impact. A lengthier password with more characters offers an exponentially greater number of possible combinations, making it more difficult for attackers to guess, even if the characters are simple. 

Human element

Long passwords that are easy to remember, such as passphrases composed of multiple basic words. For example, "big dog small rat fast cat purple hat jelly bat" in password form is "bigdogsmallratfastcatpurplehatjellobat" without the spaces, which is both secure and user-friendly. 

A password like this provides a balance between high entropy and convenience of use, preventing users from engaging in risky behaviours such as writing down passwords or reusing them.

What is a Zero-Day Attack And How You Can Safeguard Against It?

 

The cyberthreats that are still unknown to us are the most severe. The majority of cyberdefenses rely on having prior knowledge of the attack's nature. We just don't know what zero days are, which is why they are so lethal. 

A zero-day attack occurs when cybercriminals abuse a software or hardware flaw that is totally unknown to developers and the larger cybersecurity community. Because no one is aware of the issue, no defences have been designed against it, making systems vulnerable. This implies that even if you're using top-tier cybersecurity software, such as the finest VPN or antivirus, you may still be vulnerable to zero-day assaults.

The term "zero-day" refers to the fact that security firms had zero days to repair or patch a vulnerability. Zero-day attacks are particularly dangerous because they are frequently leveraged by sophisticated hackers or nation-state groups to access highly guarded networks. These attacks can go undetected over an extended length of time, making them incredibly tough to defend against. 

In this article, I will explain what zero-day attacks are, how they work, and how you can safeguard yourself or your business from these hidden threats.

What are zero-day attacks? 

A zero-day attack is when a hacker exploits a previously unknown flaw. These vulnerabilities are defects or weaknesses in programming that allow for unintended actions, such as unauthorised network access. Once a hacker has identified a vulnerability, they can use it to access a network, install malware, steal data, or do other types of damage.

Zero-day exploits

This leads us nicely into the concept of zero-day exploits. Zero-day exploits are coded by hackers to cause a system to perform something it would not normally do by exploiting a vulnerability. This is the hacker's hidden weapon, allowing them to breach systems while remaining undetected. A hacker group may keep a large number of zero-day exploits on hand, ready to be used when the need arises.

These exploits are used to launch a zero-day assault. In most cases, a zero-day assault occurs when the public becomes aware of a vulnerability. Once the attack is identified, the race is on to remedy the vulnerability and avoid further abuse. 

Prevention tips

Install updates: It should go without saying that updating your software is essential. Upon the identification of a flaw and the release of a patch, it is imperative to promptly implement the update. Even while a zero-day attack may start with a very small number of targets, hackers can quickly create their own exploits once the larger security community is made aware of a vulnerability. 

Stay updated: Threat intelligence services also help you stay up to date on the latest emerging threats. These feeds provide real-time information on new vulnerabilities, exploits, and attack methodologies, allowing you to mitigate the risk by modifying your defences to resist them. 

Bolster the overall security of the network: Remember that a zero-day is not a skeleton key. It's a particular specific issue that enables a hacker to bypass a specific defence in your system. The more safeguards you put in place, such as two-factor authentication, antivirus, and antimalware, the better your chances of stopping a hacker in their tracks.

Here’s Why UltraAV Replaced Kaspersky Antivirus Software

 

Late last week, cybersecurity firm Kaspersky began deleting its anti-malware software from PCs in the United States. As a replacement, the company downloaded antivirus software from UltraAV. 

If you use Kaspersky antivirus software, you may be aware that the Russian firm was added to the US government's Entity List early this year, resulting in a restriction on sales and upgrades in the US. As a result, the company informed BleepingComputer in July that it was closing its U.S. operations and laying off its American staff.

Although these developments are not a secret, it cannot be said that everyone was aware of them. Thus, many were taken aback by Kaspersky's abrupt and poorly justified decision to delete its software automatically. 

Customers were notified via email at the beginning of September that the company had partnered with UltraAV to offer security for them even after Kaspersky left the US. However, it was not made apparent in the emails that their computers would be automatically updated to include this ongoing security. The shift was even more of a surprise to those who, for whatever reason, missed the email.

Users on Reddit and other forums have expressed uncertainty about the situation, as well as distrust in the new UltraAV software. One poster was concerned that their desktop had been compromised when they woke to find their Kaspersky antivirus software gone and UltraAV in its place. 

This distrust is unsurprising given that nothing is known about the corporation other than its affiliation with other VPN companies such as UltraVPN, Hotspot Shield, and Betternet. According to online user reviews, many individuals are removing UltraAV because of this — and because it appeared on the devices in such a disruptive way. 

Following its withdrawal from the market, Kaspersky released an official statement in which it stated that it had taken this measure to ensure that its clients “would not experience a gap in protection.” The statement continued by stating that UltraAV's comparable features and product offerings to Kaspersky's led the organisation to select it. Users of Kaspersky's VPN service, for example, also had UltraVPN installed on their devices.

For many users, the explanation comes too late and is unlikely to stop them from replacing UltraAV with a more well-known antivirus software product.

Here's How to Remove Malware From Your Chromebook

 

Imagine this: your Chromebook fails just before you click "Save" after spending hours working on your project. Let's imagine you want to watch a series, but it keeps crashing, making it impossible for you to get the most out of your favourite program. If these situations sound familiar to you, malware may have infected your Chromebook. 

Malware on your Chromebook can have detrimental effects, such as compromising your financial information, forcing you to lose work productivity, and compromising personal information. It is imperative that you take quick action if you think your Chromebook is infected. 

In this article, we'll walk you through the process of identifying whether your Chromebook is infected and give you the simplest method for virus removal: a reputable antivirus software. We'll also go over key precautions you should take to protect your Chromebook from future malware threats. 

Can malware infect Chromebooks ? 

As Chromebooks become more popular, fraudsters hunt for new ways to infect them and steal sensitive information for financial gain or identity theft. And, while Google's sophisticated ecosystem actively protects its users, no system is completely immune to cyber-attacks. 

Viruses, for example, are a popular sort of malware on the internet that adds malicious code to otherwise normal downloads. They are active when you download a malicious file, and they can also download and install automatically if you click on a link. Once the virus is installed on your system, it can cause damage and prevent you from using your device or network.

The positive news is that it is nearly impossible to become infected by an actual virus on Chrome OS. Because it does not enable the installation of any executable software, it is one of the most secure operating systems available today. 

The bad news is that Chromebooks are still vulnerable to some forms of malware, such as search hijackers (search redirection), malicious browser extensions, adware, spyware, phishing schemes, and downloads from unverified websites. 

Prevention tips

Chromebooks are vulnerable to several forms of malware, even though viruses rarely affect them, as mentioned above. Google recommends the following best practices to maintain a secure Chromebook experience: 

Stay updated: Keep your Chrome OS and applications up to date. Regular updates often have critical security patches. 

Use caution with extensions and apps: Read reviews and only use reliable browser extensions and apps from the Chrome Web Store or Google Play. 

Avoid phishing scams: Exercise caution while accessing suspicious websites or emails that ask for personal information. 

Consider security software: Although Chromebooks have built-in security safeguards, adding an extra layer of protection with reputable security software can provide additional peace of mind. 

As Chromebooks gain popularity as a low-cost and efficient alternative to traditional laptops, it is critical to understand their risks, particularly those related to malware. Chrome OS, with its web-based applications and regular updates, offers strong security, but it is still vulnerable to different types of malware such as search hijackers, adware, and spyware.

TrickMo Android Trojan Abuses Accessibility Services for On-Device Financial Scam

 

Cybersecurity experts discovered a new form of the TrickMo banking trojan, which now includes advanced evasion strategies and the ability to create fraudulent login screens and steal banking credentials. 

This sophisticated malware employs malicious ZIP files and JSONPacker to obstruct analysis and detection efforts. TrickMo, discovered by CERT-Bund in September 2019, has a history of targeting Android smartphones, with a special focus on German users, in order to acquire one-time passwords (OTPs) and other two-factor authentication (2FA) credentials for financial fraud. The trojan is believed to be the work of the now-defunct TrickBot e-crime gang, which is known for constantly enhancing its obfuscation and anti-analysis features. 

Screen recording, keystroke logging, SMS and photo harvesting, remote control for on-device fraud, and exploiting Android's accessibility services API for HTML overlay attacks and device gestures are some of the main capabilities of the TrickMo version. In addition, the malware could automatically accept permissions, handle notifications to steal or conceal login codes, and intercept SMS messages.

A malicious dropper app that mimics the Google Chrome web browser is used to spread the malware. Users are prompted to upgrade Google Play Services upon installation. In the case that the user agrees, an APK with the TrickMo payload is downloaded and set up pretending to be "Google Services." Next, the user is prompted to allow this program to use accessibility features, which gives them full control over the device. 

TrickMo can use accessibility services to disable critical security features, stop system upgrades, and hinder app uninstallation. Misconfigurations in the malware's command-and-control (C2) server made 12 GB of sensitive data, including credentials and photos, available without authentication. 

This exposed data is vulnerable to exploitation by other threat actors for identity theft, unauthorised account access, financial transfers, and fraudulent transactions. The security breakdown highlights a severe operational security failure by the threat actors, increasing the risk to victims. The exposed private data can be utilised to create convincing phishing emails, resulting in additional information disclosure or malicious acts.