Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label hack. Show all posts
Tips
Cyber Security Cybersecurity Defense hack Microsoft Prevention proactive Protection safeguard security measures Tips

Protect Yourself: Tips to Avoid Becoming the Next Target of a Microsoft Hack

 

The realm of cybersecurity, particularly within the Microsoft 365 environment, is in a constant state of evolution. Recent events involving major tech firms and cybersecurity entities underscore a crucial truth: grasping security best practices for Microsoft 365 isn't synonymous with effectively putting them into action.

According to Kaspersky, 2023 witnessed a significant 53% surge in cyber threats targeting documents, notably Microsoft Office documents, on a daily basis. Attackers increasingly employed riskier tactics, such as surreptitiously infiltrating systems through backdoors. 

For instance, in one scenario, a non-production test account lacking multifactor authentication (2FA/MFA) fell victim to exploitation, while in another case, a backdoor was implanted into a file, initiating a supply chain attack. These incidents serve as stark reminders that even seemingly low-risk accounts and trusted updates within Microsoft 365 can serve as conduits for security breaches if not adequately safeguarded and monitored.

Despite the profound expertise within organizations, these targeted entities succumbed to advanced cyberattacks, highlighting the pressing need for meticulous implementation of security protocols within the Microsoft 365 realm.

The domain of artificial intelligence (AI) has experienced exponential growth in recent years, permeating nearly every aspect of technology. In this era dominated by AI and large language models (LLMs), sophisticated AI models can enhance cloud security measures. AI is rapidly becoming standard practice, compelling organizations to integrate it into their frameworks. By fine-tuning AI algorithms with specialized domain knowledge, organizations can gain actionable insights and predictive capabilities to preemptively detect and address potential security threats. These proactive strategies empower organizations to effectively safeguard their digital assets.

However, the proliferation of AI also heightens the necessity for robust cloud security. Just as ethical practitioners utilize AI to advance technological frontiers, malicious actors leverage AI to unearth organizational vulnerabilities and devise more sophisticated attacks. Open-source LLM models available online can be utilized to orchestrate intricate attacks and enhance red-team and blue-team exercises. Whether wielded for benevolent or malevolent purposes, AI significantly influences cybersecurity today, necessitating organizations to comprehend its dual implications.

Ways to Enhance Your Security

As digital threats grow increasingly sophisticated and the ramifications of a single breach extend across multiple organizations, the imperative for vigilance, proactive security management, and continuous monitoring within Microsoft 365 has never been more pronounced.

One approach involves scrutinizing access control policies comprehensively. Orphaned elements can serve as goldmines for cybercriminals. For example, a departing employee's access to sales-related data across email, SharePoint, OneDrive, and other platforms must be promptly revoked and monitored to prevent unauthorized access. Regular audits and updates of access control policies for critical data elements are indispensable.

Moreover, reviewing delegations and managing permissions consistently is imperative. Delegating authentication credentials is vital for onboarding new programs or personnel, but these delegations must be regularly assessed and adjusted over time. Similarly, ensuring segregation of duties and deviations is crucial to prevent any single individual from wielding excessive control. Many organizations grapple with excessive permissions or outdated delegations, heightening the risk of cybersecurity breaches. Emphasizing delegation and segregation of duties fosters accountability and transparency.

Maintaining oversight over the cloud environment is another imperative. Solutions supporting cloud governance can enforce stringent security policies and streamline management processes. When selecting a cloud governance provider, organizations must exercise discernment as their chosen partner will wield access to their most sensitive assets. Security should be viewed as a layered approach; augmenting layers enhances governance without compromising productivity or workflows.

Given the alarming frequency of security breaches targeting Microsoft 365, it's evident that conventional security paradigms no longer suffice. Gone are the days when basic antivirus software provided ample protection; technological advancements necessitate significant enhancements to our defense mechanisms.

Implementing rigorous security measures, conducting regular audits, and upholding governance can markedly fortify an organization's defense against cyber threats. By remaining vigilant and proactive, it's feasible to mitigate security risks and shield critical data assets from potential breaches before they inflict harm on organizations or their clientele.
Read more »
TransUnion
Data Breach Financial Data hack N4ughtySecTU Group Personal Data Ransomware Groups SABRIC South Africa data breach TransUnion

Hackers Threaten to Leak South Africa’s Private Financial Data, Demand R1.1 Billion Ransom


In a recent cyber threat, hackers have threatened to release all of South Africa’s private financial data unless TransUnion and Experian, the two biggest consumer credit reporting companies in the country, agree to pay ransom of R1.1 billion.  

The companies – TransUnion and Experian – were the ones that were hit by the cybercrime attack. 

According to Times Live, the hackers, the Brazil-based N4ughtySecTU Group, who had previously breached TransUnion's security and firewalls, claimed to have successfully evaded the safeguards of the company once again, following which they stole the data.  

Apparently, the hackers have demanded $30m [about R565m] from TransUnion and $30m from Experian.

The hackers, in a message sent to the managers and directors of the impacted companies, stated: “Ensure your response teams contact us on Session [a private communication platform] for payment instructions.”

While acknowledging the demands, TransUnion and Experian refuted the group's allegations of an ongoing hack on their systems.

“Following recent media coverage, TransUnion South Africa confirms it is aware of a financial demand from a threat actor asserting they have accessed TransUnion South Africa’s data. We have found no evidence that our systems have been inappropriately accessed or that any data has been exfiltrated,” TransUnion said.

“We’ve likewise seen no change to our operations and systems in South Africa related in any way to this claim. We are continuing to monitor closely. We treat matters regarding our information security seriously, and data security remains our top priority,” they continued. 

Not the First Attempt to Hack

Previously, in March 2022, N4ughtysecTU claimed responsibility for targeting TransUnion in their ransomware campaign. 

TransUnion South Africa later confirmed the hack, confirming that at least 3 million individuals were affected.  

Apparently, the threat actors gained access to the personal data of over 54 million people, which included information about their dates of birth, ID numbers, gender, marital status, and other sensitive facts. 

Experian also suffered a data breach in August 2020, reported by the South African Banking Risk Centre (SABRIC). The data breach compromised the personal information of around 24 million individuals and several business entities to a fraudster. 

Karabo Phungula, an Experian data fraudster, was given a 15-year prison sentence in March by the Specialized Commercial Crimes Court for obtaining the dataset under false pretence.   

Read more »
Security Breach
Cryptopolitan Cyber Attacks DeFi DeFi Platforms GitHub hack Security Breach

Hackers Steal Assets Worth $484,000 in Ledger Security Breach


Threat actors responsible for attacking Ledger’s connector library have stolen assets valued at approximately $484,000. This information was given by the blockchain analysis platform Lookonchain. Ledger has said that the security breach might have a large effect, possibly totalling hundreds of thousands of dollars, even if they are yet to confirm the actual valuation. 

Direct Impact of the Hack

According to a report by Cryptopolitan, the breach happened when malicious code was added to Ledger's Github repository for Connect Kit, an essential component that is required by several DeFi protocols in order to communicate with hardware wallets for cryptocurrencies. Every application that used the Connect Kit had issues with its front end due to the malicious code. Notable protocols affected by this security flaw were Sushi, Lido, Metamask, and Coinbase.

In regards to the incident, Ledger informed that one of its employees had fallen victim to a phishing attack, resulting in the unauthorized leak of a compromised version of the Ledger Connect Kit. The leaked code revealed the name and email address of the former employees. It is important to note that the developer was first believed to be behind the exploit by the cryptocurrency community. Ledger subsequently stated, nevertheless, that the incident was the consequence of a former employee falling for a phishing scheme.

Ledger, after acknowledging the incident, identified and removed the exploited version of the software. However, despite the swift response, the damage was already done, since the software was left vulnerable for at least two hours, in the course of which the threat actors had already drained the funds. 

The company acted promptly, identifying and removing the harmful version of the software. However, despite Ledger’s quick response, the damage had already been done in approximately two hours, during which the hackers drained funds.

Broader Implications for the DeFi Community

This incident has raised major concerns regarding the security infrastructure of decentralized applications. DeFi protocols frequently rely on code from multiple software providers, including Ledger, which leaves them vulnerable to multiple potential points of failure.

This incident has further highlighted the significance of boosting security protocols across the DeFi ecosystem.

The victims who were directly affected by the attack included users of services such as revoke.cash. Also, the service normally used in withdrawing permissions from DeFi protocols following security breaches was compromised. Users who were trying to protect their assets were unintentionally sent to a fraudulent token drainer, which increased the extent of the theft.  

Read more »
W3LL
Account Attack BEC Business Compromise Cyber Security Cyberattack CyberCrime Email hack Hacking MFA Microsoft Panel phishing Report Security threat W3LL

W3LL Store: Unmasking a Covert Phishing Operation Targeting 8,000+ Microsoft 365 Accounts

 

A hitherto undisclosed "phishing empire" has been identified in a series of cyber attacks targeting Microsoft 365 business email accounts spanning six years. 

According to a report from cybersecurity firm Group-IB, the threat actor established an underground market called W3LL Store, catering to a closed community of around 500 threat actors. This market offered a custom phishing kit called W3LL Panel, specifically designed to bypass Multi-Factor Authentication (MFA), alongside 16 other specialized tools for Business Email Compromise (BEC) attacks.

Between October 2022 and July 2023, the phishing infrastructure is estimated to have aimed at over 56,000 corporate Microsoft 365 accounts,  compromising at least 8,000 of them. The majority of the attacks were concentrated in countries including the U.S., the U.K., Australia, Germany, Canada, France, the Netherlands, Switzerland, and Italy. The operators of this operation reportedly reaped approximately $500,000 in illegal gains.

Various sectors fell victim to this phishing campaign, notably manufacturing, IT, consulting, financial services, healthcare, and legal services. Group-IB pinpointed almost 850 distinct phishing websites associated with the W3LL Panel during the same timeframe.

The Singapore-based cybersecurity company has characterized W3LL as a comprehensive phishing tool that offers an array of services, encompassing customized phishing tools, mailing lists, and access to compromised servers. This underscores the growing prevalence of phishing-as-a-service (PhaaS) platforms.

The threat actor responsible for this kit has been active since 2017, initially focusing on creating tailored software for bulk email spam (referred to as PunnySender and W3LL Sender) before shifting their attention towards developing phishing tools for infiltrating corporate email accounts.

A key element of W3LL's arsenal is an adversary-in-the-middle (AiTM) phishing kit, capable of evading multi-factor authentication (MFA) protections. It is available for purchase at $500 for a three-month subscription, followed by a monthly fee of $150. The panel not only harvests credentials but also includes anti-bot features to bypass automated web content scanners, prolonging the lifespan of their phishing and malware campaigns.

The W3LL Store extends a 70/30 split on commissions earned through its reseller program to PhaaS affiliates, along with a 10% "referral bonus" for bringing in other trusted parties. To prevent unauthorized distribution or resale, each copy of the panel requires a license-based activation.

BEC attacks employing the W3LL phishing kit involve a preparatory phase to verify email addresses using an auxiliary utility known as LOMPAT, followed by the delivery of phishing messages. Victims who interact with the deceptive link or attachment are directed through an anti-bot script to filter out unauthorized visitors, subsequently landing on the phishing page via a redirect chain employing AiTM tactics to extract credentials and session cookies.

With this access, the threat actor proceeds to log into the target's Microsoft 365 account without triggering MFA, utilizing a custom tool called CONTOOL for automated account discovery. This enables the extraction of emails, phone numbers, and other sensitive information.

Noteworthy tactics employed by the malware author include using Hastebin, a file-sharing service, to store stolen session cookies, and utilizing platforms like Telegram and email for exfiltrating the credentials to criminal actors.

This disclosure comes shortly after Microsoft's warning regarding the proliferation of AiTM techniques through PhaaS platforms, such as EvilGinx, Modlishka, Muraena, EvilProxy, and Greatness, which facilitate unauthorized access to privileged systems at scale without the need for re-authentication.

"What really makes W3LL Store and its products stand out from other underground markets is the fact that W3LL created not just a marketplace but a complex phishing ecosystem with a fully compatible custom toolset that covers almost entire killchain of BEC and can be used by cybercriminals of all technical skill levels," Group-IB's Anton Ushakov said.

"The growing demand for phishing tools has created a thriving underground market, attracting an increasing number of vendors. This competition drives continuous innovation among phishing developers, who seek to enhance the efficiency of their malicious tools through new features and approaches to their criminal operations."


Read more »
USB Attacks
attackers attacks Cyber Attackers Data Data Safety data security hack Hackers Malicious Campaigns malware Safety Security USB Attacks

Sharp Increase in Malware Attacks via USB Flash Drives

 

Instances of cybercriminals employing USB drives for malware attacks have seen a significant rise. According to security researchers from Mandiant, there has been a three-fold increase in malware attacks via USB drives aimed at stealing sensitive information during the first half of 2023. These researchers have disclosed details regarding two specific attack campaigns.

One of the attack campaigns, attributed to the China-linked cyberespionage group TEMP.Hex, targeted both public and private organizations in Europe, Asia, and the U.S. The attackers utilized USB flash drives to introduce the SOGU malware into compromised systems and extract valuable data. 

The flash drives contained multiple malicious software and employed a DLL hijacking technique to download the final payload into the memory of the compromised systems. Once executed, the SOGU malware carried out various actions such as capturing screenshots, recording keystrokes, establishing reverse shell connections, and enabling remote desktop connections for executing additional files. 

The stolen data was sent to the attackers' command and control (C2) server using a custom binary protocol over TCP, UDP, or ICMP. Industries targeted by this attack campaign included construction, engineering, government, manufacturing, retail, media, and pharmaceutical sectors.

In an attack campaign, victims were enticed to click on a file that appeared to be a legitimate executable file found in the root folder of a USB drive. Upon executing this file, an infection chain was triggered, leading to the download of a shellcode-based backdoor named SNOWYDRIVE.

The malware not only copied itself to removable drives connected to infected systems but also performed various other operations, such as writing or deleting files, initiating file uploads, and executing reverse shell commands.

Recently, the Check Point Research Team uncovered a new USB-based attack campaign attributed to a China-based group called Camaro Dragon. 

The campaign specifically targeted a healthcare institution in Europe and involved the deployment of several updated versions of malware toolsets, including WispRider and HopperTick. It was reported that Camaro Dragon effectively utilized USB drives to launch attacks in Myanmar, South Korea, Great Britain, India, and Russia.

Organizations are strongly advised to prioritize access restrictions on USB devices and conduct comprehensive scans for malicious files before connecting them to their networks. 

Additionally, it is crucial for organizations to enhance their awareness and understanding of such attack campaigns in order to proactively defend against threats from the outset. It can be achieved by implementing a robust and automated Threat Intelligence Platform (TIP) that provides real-time tactical and technical insights into attacks.
Read more »
Security
attackers attacks CryptoLabs Cyber Fraud Data Data Safety data security hack Hackers Investors Safety Scam Scammers Security

CryptosLabs Scam Ring Preys on French-Speaking Investors, Amasses €480 Million

 

A group of cybersecurity researchers has uncovered the inner workings of a fraudulent organization known as CryptosLabs. This scam ring has allegedly generated illegal profits amounting to €480 million by specifically targeting individuals who speak French in France, Belgium, and Luxembourg since April 2018.

According to a comprehensive report by Group-IB, the scam ring's modus operandi revolves around elaborate investment schemes. They impersonate 40 prominent banks, financial technology companies, asset management firms, and cryptocurrency platforms. The scam infrastructure they have established includes over 350 domains hosted on more than 80 servers.

Group-IB, headquartered in Singapore, describes CryptosLabs as an organized criminal network with a hierarchical structure. The group comprises kingpins, sales agents, developers, and call center operators. These individuals are recruited to lure potential victims by promising high returns on their investments.

"CryptoLabs made their scam schemes more convincing through region-focused tactics, such as hiring French-speaking callers as 'managers' and creating fake landing pages, social media ads, documents, and investment platforms in the French language," Anton Ushakov, deputy head of Group-IB's high-tech crime investigation department in Amsterdam, stated.

"They even impersonated French-dominant businesses to resonate with their target audience better and be successful in exploiting them."

The scam begins by enticing targets through advertisements on social media, search engines, and online investment forums. The scammers masquerade as the "investment division" of the impersonated organization and present attractive investment plans, aiming to obtain the victims' contact details.

Once engaged, the victims are contacted by call center operators who provide them with additional information about the fraudulent platform and the credentials needed for trading. After logging into the platform, victims are encouraged to deposit funds into a virtual balance. They are then shown fabricated performance charts, enticing them to invest more in pursuit of greater profits. However, victims eventually realize they cannot withdraw any funds, even if they pay the requested "release fees."

"After logging in, the victims deposit funds on a virtual balance," Ushakov said. "They are then shown fictitious performance charts that trigger them to invest more for better profits until they realize they cannot withdraw any funds even when paying the 'release fees.'"

Initially, the victims are required to deposit around €200-300. However, the scam is designed to manipulate victims into depositing larger sums by presenting them with false evidence of successful investments.

Group-IB initially uncovered this large-scale scam-as-a-service operation in December 2022. Their investigation traced the group's activities back to 2015 when they were experimenting with various landing pages. CryptosLabs' involvement in investment scams became more prominent in June 2018 after a preparatory period of two months.

A key aspect of the fraudulent campaign is the utilization of a customized scam kit. This kit enables the threat actors to execute, manage, and expand their activities across different stages of the scam, ranging from deceptive social media advertisements to website templates used to facilitate the fraud.

The scam kit also includes auxiliary tools for creating landing pages, a customer relationship management (CRM) service that allows the addition of new managers to each domain, a leads control panel used by scammers to onboard new customers to the trading platform, and a real-time VoIP utility for communicating with victims.

"Analyzing CryptosLabs, it is evident that the threat group has given its activities a well-established structure in terms of operations and headcount, and is likely to expand the scope and scale of its illicit business in the coming years," Ushakov said.
Read more »
Security
attackers attacks Cyber Attacks DDOS Attacks hack Hackers Imperva Security

Extended DDoS Attack With 25.3B+ Requests Thwarted

 

On June 27, 2022, the cybersecurity firm Imperva mitigated a DDoS attack with over 25.3 billion requests. The attack, according to experts, sets a new record for Imperva's application DDoS mitigation solution. The attack, which targeted an unnamed Chinese telecommunications company, was notable for its duration, lasting more than four hours and peaking at 3.9 million RPS. 

“On June 27, 2022, Imperva mitigated a single attack with over 25.3 billion requests, setting a new record for Imperva’s application DDoS mitigation solution” reads the announcement. “While attacks with over one million requests per second (RPS) aren’t new, we’ve previously only seen them last for several seconds to a few minutes. On June 27, Imperva successfully mitigated a strong attack that lasted more than four hours and peaked at 3.9 million RPS.”

The Chinese telecommunications company had previously been targeted by large attacks, and experts added that two days later, a new DDoS attack hit its website, albeit for a shorter period of time. This record-breaking attack had an average rate of 1.8 million RPS. To send multiple requests over individual connections, threat actors used HTTP/2 multiplexing or combining multiple packets into one.

The attackers' technique is difficult to detect and can bring down targets with a limited number of resources.

“Since our automated mitigation solution is guaranteed to block DDoS in under three seconds, we estimate that the attack could have reached a much greater rate than our tracked peak of 3.9 million RPS.” continues Imperva.

This attack was launched by a botnet comprised of nearly 170,000 different IP addresses, including routers, security cameras, and compromised servers. The compromised devices can be found in over 180 countries, with the majority of them in the United States, Indonesia, and Brazil.

Akamai mitigated the largest DDoS attack ever against one of its European customers on Monday, September 12, 2022. The malicious traffic peaked at 704.8 Mpps and appears to be the work of the same threat actor as the previous record, which Akamai blocked in July and hit the same customer.
Read more »
US
Cyber Attacks Cyber Safety data security Education Educational Institutes hack Schools Students Data US

Cyberattack Compels Albuquerque Public Schools to Close 144 Schools

 

Following a cyberattack that attacked the district's attendance, communications, and transportation systems, all 144 Albuquerque Public Schools are closed for the remainder of this week, according to APS's announcement on mid-day Thursday. 

APS is one of the 50 largest school districts in the country, with around 74,000 students. 

District IT staff discovered the problem on Wednesday, and APS posted a statement on its website and Twitter account that afternoon stating, “All Albuquerque Public Schools will be closed Thursday, Jan. 13, due to a cyberattack that has compromised some systems that could impact teaching, learning, and student safety. … The district is working with contracted professionals to fix the problem.” 

"The district continues to examine a cyberattack that affected the student information system used to take attendance, contact families in emergencies, and ensure that students are picked up from school by authorised people," APS stated online on Thursday afternoon and cancelled classes for Friday. 

APS said it will reopen schools on Tuesday, Jan. 18, after being closed on Monday for Martin Luther King Jr. Day, specifying that administrative offices stayed open. The attack was detected Wednesday morning when instructors attempted to enter onto the student information system and were unable to obtain access to the site, according to APS Superintendent Scott Elder in a brief statement uploaded to the district's APS Technology YouTube page. 

Elder further stated, “APS is working with local and national law enforcement as well as teams of cyber specialists to as quickly as possible limit our exposure to this attack, to protect all systems in our network and ensure a safe environment to return to school and business as usual.” 

He noted that the district's IT department had been "mitigating attacks" in recent weeks. A spokeswoman told the Albuquerque Journal she was sceptical about what kind of attack it was and said she didn’t know whether those responsible had demanded a ransom.
Read more »
Subscribe to: Posts (Atom)