
Global Effort Unites Against Ransomware: New Guidance to Strengthen Business Defenses


Ransomware attacks continue to pose significant challenges for businesses worldwide, with incidents on the rise. 

In response, the UK, along with 38 other nations and international cyber insurance organizations, has collaborated to release updated guidance aimed at supporting victims and enhancing resilience. This guidance advises against making immediate ransom payments, as recovery of data or malware removal is not guaranteed, and paying ransoms often encourages further criminal activity.

Instead, businesses are urged to create a comprehensive response plan, with policies and contingency measures in place. Organizations that fall victim to ransomware should report the incident to law enforcement and consult security professionals for expert guidance.

Ransomware has become a lucrative venture for cybercriminals, causing an estimated $1 billion in losses in 2023. By removing the incentive for criminals, these new policies aim to weaken the ransomware business model and reduce future attacks.

"International cooperation is crucial in fighting ransomware as cybercrime knows no borders," stated Security Minister Dan Jarvis. He emphasized that this collective effort will hit cybercriminals financially and better protect businesses in the UK and beyond.

The UK is taking a leading role, collaborating with three major insurance organizations—the Association of British Insurers, the British Insurance Brokers' Association, and the International Underwriting Association—to issue co-sponsored guidance. Meanwhile, the UK National Crime Agency has taken steps by sanctioning 16 individuals from the 'Evil Corp' cybercrime group, responsible for over $300 million in theft from critical infrastructure, healthcare, and government sectors.

Jonathon Ellison, Director for National Resilience at the NCSC, highlighted the urgency of addressing ransomware threats: "This guidance, backed by both international bodies and cyber insurance organizations, represents a united front in bolstering defenses and increasing cyber readiness."

Researchers Develop 'VoltSchemer' Assaults Aimed at Wireless Charging Systems


A team of researchers from the University of Florida, collaborating with CertiK, a Web3 smart contract auditor, has uncovered potential security threats in wireless charging systems. Their research introduces a new family of attacks, named VoltSchemer, which exploit vulnerabilities in these systems by manipulating the supply voltage.

The VoltSchemer attacks, outlined in a research paper, target weaknesses in wireless charging setups, allowing attackers to disrupt charging devices, tamper with voice assistants, and override safety mechanisms outlined in the Qi standard. Notably, these attacks utilize voltage fluctuations from the power source, requiring no direct modifications to the chargers themselves.

While wireless chargers are generally considered more secure than wired alternatives due to their reliance on near-field magnetic coupling, the researchers argue that they are still susceptible to manipulation. By tampering with power signals, attackers could potentially compromise communication between the charger and the device being charged, leading to malicious actions.

The underlying issue lies in the susceptibility of wireless chargers to electromagnetic interference (EMI) caused by voltage fluctuations. This interference can modulate the power signals transmitted by the charger, enabling attackers to manipulate the magnetic field produced and issue unauthorized commands to connected devices.

In their experiments, the researchers tested the VoltSchemer attacks on nine commercially available wireless chargers, all of which were found to be vulnerable. By inserting a disguised voltage manipulation device, such as a modified power port, between the power adapter and the charger, the researchers successfully executed the attacks.

The consequences of these attacks were significant, with charging smartphones experiencing overheating and devices such as key fobs, USB drives, SSD drives, and NFC cards being permanently damaged or destroyed. The researchers emphasize that the root cause of these vulnerabilities lies in the lack of effective noise suppression in certain frequency bands within wireless charging systems.

Overall, the findings highlight the potential risks associated with wireless charging technologies and underscore the need for improved security measures, especially in high-power systems like electric vehicle (EV) wireless charging.

Espionage Group Suspected of Intruding Asian Nation's Power Grid


Earlier this year, cyber attackers targeted an undisclosed Asian country's national power grid using ShadowPad malware, commonly associated with entities linked to the Chinese government, according to cybersecurity experts. 

While Symantec did not explicitly attribute the incident to China, they identified the group as RedFly, who infiltrated the network for up to six months, siphoning credentials and targeting multiple computers. 

ShadowPad, which first emerged in 2017, has also been linked to the APT41 hacking group, which researchers have connected to China's Ministry of State Security and the People's Liberation Army. In recent years, various China-linked groups have employed ShadowPad for cyber-espionage activities.

The attack's initial signs emerged on February 28, when ShadowPad was deployed on a single computer, Symantec reported. The malware reappeared in the network on May 17, indicating that the hackers had maintained access for over three months.

Over the following week, the attackers worked to broaden their access to storage devices, collect system credentials, and conceal their tracks. They utilized the legitimate Windows application oleview.exe to gain insights into the victim's network and move laterally.

Dick O'Brien, principal intelligence analyst at Symantec Threat Hunter, expressed concern about the escalating trend of hackers targeting critical national infrastructure (CNI) with malware. He highlighted that attacks on CNI are particularly worrisome due to the potential for serious disruption, and emphasized that this incident is part of a broader pattern.

Experts warn that the frequency of attacks on CNI organizations has risen over the past year, posing a heightened risk of disruptions to power supplies and essential services during times of heightened political tension.

While Symantec has not observed disruptive actions from RedFly, they acknowledge that such actions have occurred in other regions, underscoring the potential threat.

ShadowPad has been identified in cyberattacks on seven electricity grid management facilities in Northern India, as well as Pakistani government agencies, a state bank, and a telecommunications provider. Critical industries in various countries across Asia and Europe have also been targeted with ShadowPad and other malicious tools.

Designed as a successor to Korplug/PlugX, another popular strain among some Chinese espionage groups, ShadowPad briefly appeared on underground forums, making it challenging for researchers to attribute all instances of its use directly to China-based actors.

LastPass Security Breach Linked to Series of Crypto Heists, Say Experts


Security experts allege that some of the LastPass password vaults, which were stolen in a security breach towards the end of 2022, have now been successfully breached, leading to a series of substantial cryptocurrency thefts. 

According to cybersecurity blogger Brian Krebs, a group of researchers has uncovered compelling evidence linking over 150 victims of crypto theft to the LastPass service. The combined value of the stolen cryptocurrency is estimated to be over $35 million, with a frequency of two to five high-value heists occurring each month since December 2022.

Taylor Monahan, the lead product manager at MetaMask, a cryptocurrency wallet company, and a prominent figure in the investigation, noted that the common denominator among the victims was their prior use of LastPass to safeguard their "seed phrase" – a confidential digital key necessary to access cryptocurrency investments. 

These keys are typically stored on secure platforms like password managers to thwart unauthorized access to crypto wallets. Furthermore, the pilfered funds were traced to the same blockchain addresses, further solidifying the connection between the victims.

LastPass, a password management service, experienced two known security breaches in August and November of the previous year. 

During the latter incident, hackers utilized information acquired from the first breach to gain access to shared cloud storage containing customer encryption keys for vault backups. We have contacted LastPass to verify if any of the stolen password vaults have indeed been breached and will provide an update if we receive a response.

LastPass CEO Karim Toubba informed The Verge in a statement that the security breach in November is still under active investigation by law enforcement and is also the subject of pending litigation. The company did not confirm whether the 2022 LastPass breaches are related to the reported crypto thefts.

Researcher Nick Bax, who holds the position of Director of Analytics at crypto wallet recovery company Unciphered, also examined the theft data and concurred with Monahan’s conclusions in an interview with KrebsOnSecurity:

“I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”

Vietnamese Cybercriminals Exploit Malvertising to Target Facebook Business Accounts

Cybercriminals associated with the Vietnamese cybercrime ecosystem are exploiting social media platforms, including Meta-owned Facebook, as a means to distribute malware. 

According to Mohammad Kazem Hassan Nejad, a researcher from WithSecure, malicious actors have been utilizing deceptive ads to target victims with various scams and malvertising schemes. This tactic has become even more lucrative with businesses increasingly using social media for advertising, providing attackers with a new type of attack vector – hijacking business accounts.

Over the past year, cyber attacks against Meta Business and Facebook accounts have gained popularity, primarily driven by activity clusters like Ducktail and NodeStealer, known for targeting businesses and individuals operating on Facebook. 

Social engineering plays a crucial role in gaining unauthorized access to user accounts, with victims being approached through platforms such as Facebook, LinkedIn, WhatsApp, and freelance job portals like Upwork. Search engine poisoning is another method employed to promote fake software, including CapCut, Notepad++, OpenAI ChatGPT, Google Bard, and Meta Threads.

Common tactics among these cybercrime groups include the misuse of URL shorteners, the use of Telegram for command-and-control (C2), and legitimate cloud services like Trello, Discord, Dropbox, iCloud, OneDrive, and Mediafire to host malicious payloads.

Ducktail, for instance, employs lures related to branding and marketing projects to infiltrate individuals and businesses on Meta's Business platform. In recent attacks, job and recruitment-related themes have been used to activate infections. 

Potential targets are directed to fraudulent job postings on platforms like Upwork and Freelancer through Facebook ads or LinkedIn InMail. These postings contain links to compromised job description files hosted on cloud storage providers, leading to the deployment of the Ducktail stealer malware.

The Ducktail malware is designed to steal saved session cookies from browsers, with specific code tailored to take over Facebook business accounts. These compromised accounts are sold on underground marketplaces, fetching prices ranging from $15 to $340.

Recent attack sequences observed between February and March 2023 involve the use of shortcut and PowerShell files to download and launch the final malware. The malware has evolved to harvest personal information from various platforms, including X (formerly Twitter), TikTok Business, and Google Ads. It also uses stolen Facebook session cookies to create fraudulent ads and gain elevated privileges.

One of the primary methods used to take over a victim's compromised account involves adding the attacker's email address, changing the password, and locking the victim out of their Facebook account.

The malware has incorporated new features, such as using RestartManager (RM) to kill processes that lock browser databases, a technique commonly found in ransomware. Additionally, the final payload is obfuscated using a loader to dynamically decrypt and execute it, making analysis and detection more challenging.

To hinder analysis efforts, the threat actors use uniquely generated assembly names and rely on SmartAssembly, bloating, and compression to obfuscate the malware.

Researchers from Zscaler also observed instances where the threat actors initiated contact using compromised LinkedIn accounts belonging to users in the digital marketing field, leveraging the authenticity of these accounts to aid in social engineering tactics. This highlights the worm-like propagation of Ducktail, where stolen LinkedIn credentials and cookies are used to log in to victims' accounts and expand their reach.

Ducktail is just one of many Vietnamese threat actors employing shared tools and tactics for fraudulent schemes. A Ducktail copycat known as Duckport, which emerged in late March 2023, engages in information stealing and Meta Business account hijacking. Notably, Duckport differs from Ducktail in terms of Telegram channels used for command and control, source code implementation, and distribution, making them distinct threats.

Duckport employs a unique technique of sending victims links to branded sites related to the impersonated brand or company, redirecting them to download malicious archives from file hosting services. Unlike Ducktail, Duckport replaces Telegram as a channel for passing commands to victims' machines and incorporates additional information stealing and account hijacking capabilities, along with taking screenshots and abusing online note-taking services as part of its command and control chain.

"The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to ransomware-as-a-service model) centered around social media platforms such as Facebook," WithSecure said.

Recent Vulnerability Puts 3,000 Openfire Servers at Risk of Attack

More than 3,000 instances of Openfire servers have not undergone patching to address a recent vulnerability, leaving them susceptible to potential attacks exploiting a newly discovered exploit, according to a report by VulnCheck, a firm specializing in vulnerability intelligence.

Openfire, developed by Ignite Realtime, is a cross-platform real-time collaboration server written in Java. It uses the XMPP protocol and is administered through a web interface.

The vulnerability, identified as CVE-2023-32315, is classified as high-severity and pertains to Openfire's administration console. It is characterized as a path traversal flaw within the setup environment, enabling unauthorized attackers to gain entry to restricted sections of the admin console.

The root cause is Openfire's inadequate protection against a non-standard URL encoding for UTF-16 characters. The web server originally did not support this encoding, so the protection measures never accounted for it; when support for the new encoding was added, the protection measures were not updated to match.
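The decoding-order mistake described above is easiest to see side by side. The following Python illustration is an added example, not Openfire's code: a hypothetical admin-console authentication filter exempts everything under a `/setup/` prefix from login. The legacy filter only understands standard `%XX` percent-encoding, so a traversal written with the non-standard `%uXXXX` (UTF-16 code unit) escape passes its check untouched, while the server later decodes the escape and serves a page outside the exempt area. The hardened filter canonicalizes the path the same way the server will resolve it before deciding whether authentication is required. All path names and prefixes are assumptions for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical console layout: pages under /setup/ are reachable before login,
# every other console page requires an authenticated admin session.
SETUP_PREFIX = "/setup/"

# Non-standard escape: %u followed by four hex digits naming a UTF-16 code unit.
_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_u_escapes(path: str) -> str:
    """Decode %uXXXX escapes. urllib's unquote only understands %XX and leaves
    these sequences intact, which is exactly the gap the legacy filter has."""
    return _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)


def legacy_canonicalize(path: str) -> str:
    """Canonicalization written before the server learned %uXXXX: standard
    percent-decoding plus '.'/'..' collapsing. A %u-encoded '..' survives as
    literal text, so it is not recognised as a traversal segment."""
    return posixpath.normpath(unquote(path))


def canonicalize(path: str) -> str:
    """Full canonicalization: decode %uXXXX first, then %XX, then collapse
    '.'/'..' segments, so the filter reasons about the path that will be served.
    normpath keeps the leading '/', so '..' cannot climb above the console root."""
    decoded = unquote(decode_u_escapes(path))
    normalized = posixpath.normpath(decoded)
    # normpath strips a trailing slash; keep it so prefix checks stay consistent.
    if decoded.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def vulnerable_requires_auth(raw_path: str) -> bool:
    """Flawed check: exemption decided with the legacy canonicalizer."""
    return not legacy_canonicalize(raw_path).startswith(SETUP_PREFIX)


def hardened_requires_auth(raw_path: str) -> bool:
    """Fixed check: exemption decided on the fully canonical path."""
    return not canonicalize(raw_path).startswith(SETUP_PREFIX)


def resolve(raw_path: str) -> str:
    """The page the server actually serves once it decodes every escape."""
    return canonicalize(raw_path)


if __name__ == "__main__":
    # Constructed requests: one using standard encoding, one using %u encoding.
    for req in ("/setup/%2e%2e/admin.jsp", "/setup/%u002e%u002e/admin.jsp"):
        print(req, "->", resolve(req),
              "| legacy needs auth:", vulnerable_requires_auth(req),
              "| hardened needs auth:", hardened_requires_auth(req))
```

The general rule the example demonstrates: an authorization decision must be made on the canonical form of the input, and the canonicalizer in the filter must match every decoding step the server performs downstream. Whenever the server gains a new decoding capability, the filter's canonicalizer has to be updated in the same change.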

All Openfire versions from 3.10.0 (released in April 2015) up to, but not including, 4.7.5 and 4.6.8 (released in May 2023 to fix the flaw) are affected.

Exploitation of this vulnerability has been observed for more than two months. Threat actors have been creating new user accounts in the admin console and using them to install a new plugin. This plugin contains a remote web shell, giving the attackers the ability to execute arbitrary commands and access server data.

Publicly available exploits for CVE-2023-32315 all follow the same pattern. VulnCheck, however, says it has identified a new exploit path that does not require creating an administrative user account.

VulnCheck has identified a total of over 6,300 accessible Openfire servers on the internet. Of these, around half have either been patched against the vulnerability, run non-vulnerable older versions, or are divergent forks that might remain unaffected.

The firm highlights that approximately 50% of externally facing Openfire servers operate on the impacted versions. Despite their relatively small number, the firm underscores the significance of this issue due to the trusted role these servers hold in connection with chat clients.

The vulnerability's implications allow an attacker lacking authentication to access the plugin administration endpoint. This provides the attacker with the capability to directly upload the plugin and subsequently access the web shell, all without authentication.

VulnCheck clarifies that this strategy avoids triggering login notifications in the security audit log, ensuring a discreet operation. The absence of a security audit log entry is notable, as it eliminates evidence of the breach. 

While signs of malicious activity might be present in the openfire.log file, the attacker can exploit the path traversal to eliminate the log through the web shell. This leaves the plugin as the sole compromise indicator, an aspect of the situation that VulnCheck warns about.

“This vulnerability has already been exploited in the wild, likely even by a well-known botnet. With plenty of vulnerable internet-facing systems, we assume exploitation will continue into the future,” VulnCheck concludes.

Understanding Blagging in Cybersecurity: Tactics and Implications


Blagging might sound intricate, resembling an elaborate hacking maneuver, yet it is remarkably simpler. Despite its less "high-tech" nature compared to other cybercrimes, blagging can inflict significant harm if businesses are unprepared.

Blagging involves crafty fraudsters attempting to deceive or manipulate individuals into divulging confidential information that should remain off-limits.

These blaggers fabricate convincing stories to coax their targets into revealing data that could fuel illicit activities like identity theft, corporate espionage, or extortion.

So, how does blagging work precisely? Here are some typical blagging tactics:

1. Impersonation: The perpetrator pretends to be someone else, such as a colleague, bank representative, or law enforcement officer. This engenders trust and raises the likelihood of the target sharing confidential information. For instance, they might make a call posing as an IT specialist needing a password to rectify a computer issue.

2. Fabricating Urgency: The scammer employs pressure by framing the request as time-critical. Threats to close accounts or initiate legal action are utilized to extract information swiftly, leaving the target with insufficient time to verify the request's legitimacy.

3. Phishing: Blaggers resort to phishing emails or links infused with malware to breach target systems and pilfer data. These emails are meticulously designed to mimic trustworthy sources, enticing victims to click or download.

4. USB Drop Attack: This stratagem entails leaving malware-laden devices like USB drives in public venues where victims are likely to discover and insert them. Parking lots and elevators serve as popular spots to entice unsuspecting individuals.

5. Name-Dropping: Scammers invoke names of genuine managers, executives, or contacts to create an illusion of authorization for accessing otherwise confidential information. This lends credibility to their dubious appeals.

6. Sympathy Ploys: Fraudsters play on the target's empathy by fabricating emotional narratives to manipulate them. They might claim to be single parents requiring funds in an account to feed their family.

7. Quid Pro Quo: Scammers promise incentives like bonuses, time off, or cash in exchange for information. These are hollow assurances employed to achieve their aims.

8. Tailgating: Blaggers physically tail an employee into a building or restricted area to gain access. They rely on people holding doors open or not questioning their presence.

9. Elicitation: Blaggers engage in friendly conversations to surreptitiously extract information about systems, processes, or vulnerabilities. This innocuous approach is perilous due to its seemingly harmless nature.

The crucial point to remember is that these attackers are adept at deceit and will employ any means necessary to attain their objectives.

Defending Against Blagging Attacks

Given the array of cunning tactics utilized by blaggers, how can individuals and businesses shield themselves from these scams? Here are some essential strategies to counter blagging attacks:

1. Verify Claims: Never take claims at face value—always corroborate stories. If someone claims to be tech support or a colleague in need of information, hang up and call back using an official number to confirm legitimacy. Scrutinize email addresses, names, and contact details closely to ensure they match up.

2. Validate Requests: As an employee, investigate any unusual requests, even if they seem urgent or credible. Consider escalating it to a supervisor or submitting a formal request through established channels. Slow down interactions to allow for thorough investigation before divulging confidential data.

3. Limit Account Access: Employers should grant employees only the minimum access required for their tasks. For instance, customer service representatives likely don't need access to financial systems. This containment strategy mitigates potential damage if an account is compromised.

4. Report Suspicious Activity: If a request appears suspicious or a story doesn't add up, voice your concerns. Alert security or management immediately if you suspect a blagging attempt. Monitor systems and user behavior closely for unusual activity.

5. Security Awareness Training: Well-informed employees are more resistant to blagging attempts. Continuous education fortifies the human defense against social engineering. Real-world scenarios and examples should be integrated into training, including simulated phishing emails and unexpected visitors.

6. Layered Security: Employ multiple overlapping security measures instead of relying on a single point of defense. This encompasses physical security controls, perimeter defenses, endpoint security, email security, access controls, and data loss prevention tools.

7. Remain Vigilant: Blagging targets not only businesses but also individuals. Vigilance is necessary to thwart seemingly innocuous calls or emails from scammers posing as various entities. Recognizing blagging techniques and red flags is paramount.

For business proprietors, comprehensive security awareness training and robust technical defenses are instrumental in neutralizing this threat. With the appropriate safeguards in place, blaggers can be effectively deterred.

Sharp Increase in Malware Attacks via USB Flash Drives


Instances of cybercriminals employing USB drives for malware attacks have seen a significant rise. According to security researchers from Mandiant, there has been a three-fold increase in malware attacks via USB drives aimed at stealing sensitive information during the first half of 2023. These researchers have disclosed details regarding two specific attack campaigns.

One of the attack campaigns, attributed to the China-linked cyberespionage group TEMP.Hex, targeted both public and private organizations in Europe, Asia, and the U.S. The attackers utilized USB flash drives to introduce the SOGU malware into compromised systems and extract valuable data. 

The flash drives contained multiple malicious files and used a DLL hijacking technique to load the final payload into the memory of the compromised systems. Once executed, the SOGU malware carried out actions such as capturing screenshots, recording keystrokes, establishing reverse shell connections, and enabling remote desktop connections for executing additional files.

The stolen data was sent to the attackers' command and control (C2) server using a custom binary protocol over TCP, UDP, or ICMP. Industries targeted by this attack campaign included construction, engineering, government, manufacturing, retail, media, and pharmaceutical sectors.

In the second campaign, victims were enticed to click on a file that appeared to be a legitimate executable in the root folder of a USB drive. Executing this file triggered an infection chain that led to the download of a shellcode-based backdoor named SNOWYDRIVE.

The malware not only copied itself to removable drives connected to infected systems but also performed various other operations, such as writing or deleting files, initiating file uploads, and executing reverse shell commands.

Recently, the Check Point Research Team uncovered a new USB-based attack campaign attributed to a China-based group called Camaro Dragon. 

The campaign specifically targeted a healthcare institution in Europe and involved the deployment of several updated versions of malware toolsets, including WispRider and HopperTick. It was reported that Camaro Dragon effectively utilized USB drives to launch attacks in Myanmar, South Korea, Great Britain, India, and Russia.

Organizations are strongly advised to prioritize access restrictions on USB devices and conduct comprehensive scans for malicious files before connecting them to their networks. 

Additionally, it is crucial for organizations to improve their awareness and understanding of such attack campaigns in order to defend against these threats proactively. This can be supported by a robust, automated Threat Intelligence Platform (TIP) that provides real-time tactical and technical insight into attacks.