Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label blocking unauthorized access. Show all posts

Zello Urges Password Resets Amid Potential Security Incident

 

Zello, a widely used push-to-talk mobile service with over 140 million users, has advised customers to reset their passwords if their accounts were created before November 2, 2024. This precautionary measure follows what appears to be a new security concern, though the exact nature of the issue remains unclear. Zello's actions suggest possible unauthorized access to user accounts. 
 

Zello’s Advisory and User Notification 

 
Starting November 15, 2024, users began receiving notifications from Zello recommending password changes. The notification stated: > 

“As a precaution, we are asking that you reset your Zello app password for any account created before November 2nd, 2024. We also recommend that you change your passwords for any other online services where you may have used the same password.” 
 
The notification also provided a link to a support page with instructions on how to reset passwords through the Zello app. 

Potential Causes: Data Breach or Credential Stuffing? 

 
While Zello has yet to provide further clarification, the lack of detailed communication has raised concerns among users. Efforts by media outlets to obtain a response from the company have been unsuccessful. 
 

The timing and scope of the notice suggest two possibilities: 

 
1. A Data Breach – Unauthorized access to Zello’s systems, potentially compromising user data. 
2. Credential Stuffing – A cyberattack method where attackers use stolen login credentials from other platforms to gain access to Zello accounts. 
 
Notably, the advisory affects only accounts created before November 2, 2024, indicating that the security event may have occurred around that date. 


Past Security Incidents 

This is not the first time Zello has faced a security issue. In 2020, the company experienced a data breach that compromised customer email addresses and hashed passwords, prompting a similar password reset. 

The Importance of Cybersecurity for Essential Services 

 
Zello plays a critical role in communication for sectors such as first responders, transportation, and hospitality, making robust security measures essential. The incident underscores the importance of adopting strong cybersecurity practices: 
- Use Unique, Complex Passwords: Avoid reusing passwords across multiple platforms. 
- Enable Two-Factor Authentication (2FA): Adds an additional layer of security and significantly reduces the risk of unauthorized access. 

User Vigilance and the Need for Transparency 


While Zello’s proactive warning is a positive step, users are calling for greater transparency regarding the root cause of the issue and the measures being taken to prevent future incidents. Organizations like Zello, which support essential communication services, have a heightened responsibility to ensure platform integrity and promptly address security vulnerabilities. 
 
In the meantime, users are strongly encouraged to follow Zello’s instructions and reset their passwords immediately. Taking these precautions can help safeguard personal data and reduce exposure to potential cyber threats. 

As cybersecurity threats continue to evolve, both service providers and users must remain vigilant to ensure the safety and security of their digital ecosystems.

Akira Ransomware Adapts to Linux Systems, Incorporates New Tactics and TTPs

 

Arika ransomware, which initially targeted Windows systems, has evolved significantly since its emergence in March. It has now expanded its scope to include Linux servers, employing a diverse set of tactics, techniques, and procedures (TTPs).

A comprehensive report by LogPoint delves into the highly sophisticated nature of Akira ransomware. This malware encrypts victim files, erases shadow copies, and demands a ransom for data recovery. The attack chain actively exploits the CVE-2023-20269 vulnerability, focusing on Cisco ASA VPNs lacking multifactor authentication as an entry point.

As of early September, the group had successfully targeted 110 victims, with a particular emphasis on the US and the UK. A notable recent victim was the British quality-assurance company Intertek. The group also set its sights on manufacturing, professional services, and automotive organizations.

According to a recent report from GuidePoint Security's GRI, educational institutions have borne a disproportionate brunt of Akira's attacks, accounting for eight out of its 36 observed victims.

The ransomware campaign involves multiple strains of malware that carry out distinct steps, including shadow copy deletion, file search, enumeration, and encryption when executed.

Akira employs a double-extortion technique: it steals personal data, encrypts it, and then extorts money from the victims. If payment is refused, the group threatens to release the data on the Dark Web.

Upon gaining access, the group utilizes tools such as AnyDesk and RustDesk for remote desktop access, as well as WinRAR for encryption and archiving. Additionally, the advanced system information tool and task manager PC Hunter assist the group in lateral movement through compromised systems, alongside wmiexc.

The group can also disable real-time monitoring to avoid detection by Windows Defender, and shadow copies are eliminated through PowerShell. Ransom note files are deposited across the victim's system, containing payment instructions and decryption assistance.

Anish Bogati, a security research engineer at Logpoint, highlights that Akira's use of Windows internal binaries (also known as LOLBAS) is particularly concerning. These binaries typically go unnoticed by endpoint protection and are already present in the system, sparing adversaries the need to download them.

Bogati emphasizes that the ability to create a task configuration for encryption parameters without manual intervention shouldn't be underestimated.

Taking Countermeasures
Bogati underscores the need for organizations to implement MFA and restrict permissions to prevent brute-force attacks on credentials. Keeping software and systems up-to-date is crucial in staying ahead of adversaries exploiting newly discovered vulnerabilities.

The report also recommends auditing privileged accounts and providing regular security awareness training. Network segmentation is advised to isolate critical systems and sensitive data, reducing the risk of breaches and limiting lateral movement by attackers.

Bogati suggests organizations should consider blocking unauthorized tunneling and remote access tools, like Cloudflare ZeroTrust, ZeroTier, and TailScale, which are often employed by adversaries to gain covert access to compromised networks.

Changing Landscape of Ransomware

The Akira group, named after a 1988 Japanese anime cult classic, emerged as a significant cyber threat force in April of this year, primarily focusing on Windows systems.

The transition by Akira into Linux enterprise environments mirrors similar moves by more established ransomware groups like Cl0p, Royal, and IceFire. Akira represents a new wave of ransomware actors reshaping the threat landscape, marked by the emergence of smaller groups and new tactics. Established gangs like LockBit are witnessing fewer victims.

Among the newer ransomware groups are 8Base, Malas, Rancoz, and BlackSuit, each with its distinct characteristics and targets.

Bogati warns that, judging by their victim count, Akira is poised to become one of the most active threat actors. They are developing multiple variants of their malware with various capabilities and are poised to exploit unpatched systems at every opportunity.