
Malicious Actors Employ Atlantis AIO to Target 140+ Platforms

A new cybercrime platform dubbed 'Atlantis AIO' provides automated credential stuffing against 140 online platforms, including email, e-commerce, banking, and VPN services. Atlantis AIO ships with pre-configured modules for brute-force attacks, CAPTCHA bypass, automated abuse of account-recovery flows, and monetising stolen credentials and accounts.

Credential stuffing and automation 

Credential stuffing is a type of cyberattack in which attackers take a list of credentials (usernames and passwords) stolen or obtained from leaked data breaches and try them against the login forms of other sites to gain access to accounts.

If the credentials match and the account is not protected by multi-factor authentication, the attackers can take over the account, lock out the legitimate owner, and then abuse it or resell it to others. The attack is common, with major credential-stuffing campaigns occurring every day.

Over time, these attacks have affected businesses and services such as Okta, Roku, Chick-fil-A, Hot Topic, PayPal, PetSmart, and 23andMe. Credential-stuffing attacks are regularly carried out by malicious actors using free tools such as OpenBullet 2 and SilverBullet, together with prepackaged "configs" sold on cybercrime forums.

Credential stuffing as a service 

Atlantis AIO is a new Credential Stuffing as a Service (CSaaS) platform that lets attackers pay for a subscription and automate such operations.

Abnormal Security identified the cybercrime service Atlantis AIO, which claims it can target over 140 online services globally, including Hotmail, AOL, Mail.ru, Mail.com, GMX, Wingstop, Buffalo Wild Wings, and Safeway. Atlantis AIO is a modular tool that lets cybercriminals launch targeted attacks. Its three major modules are:

  • Email account testing: automates brute-force and takeover attempts against popular email services such as Hotmail, Yahoo, and Mail.com, letting cybercriminals take control of accounts and access inboxes for phishing or data theft. 
  • Brute-force attacks: rapidly cycles through common or weak passwords on targeted platforms in order to breach accounts with poor password hygiene. 
  • Account recovery: exploits account-recovery flows (for example, on eBay and Yahoo), bypasses CAPTCHAs, and automates takeovers using programs such as "Auto-Doxer Recovery" for faster and more efficient credential exploitation.

When cybercriminals gain access to accounts, they frequently sell them in bulk, posting hundreds or even thousands of compromised accounts for sale on underground forums. Other threat actors set up stores to sell stolen accounts for as little as $0.50 per account. 

Prevention tips 

You can prevent credential stuffing attacks by using multi-factor authentication and strong, unique passwords on every website where you have an account. Even if your credentials are compromised, threat actors cannot log in without also acquiring the second factor, which is why multi-factor authentication is so important. 

If an online service notifies you of logins from unfamiliar locations, or you receive unexpected emails requesting a password reset, investigate right away whether your credentials have been compromised. Websites can help prevent these attacks by introducing rate limiting and IP throttling, using complex CAPTCHA puzzles, and monitoring for unusual behaviour patterns.
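The "monitoring for unusual behaviour patterns" advice above, worked through as an added example (not from the article or from Abnormal Security): the stuffing signature in authentication logs is one source address failing against many different usernames in a short window, which is distinct from one user mistyping their own password. The log format and all IP addresses and usernames are constructed for the example.

```python
"""Flag credential-stuffing sources in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source IP trying many distinct usernames
# (stuffing) next to one user mistyping their own password twice.
SAMPLE_LOG = """\
2024-03-25T10:00:01Z ip=203.0.113.10 user=alice result=FAIL
2024-03-25T10:00:02Z ip=203.0.113.10 user=bob result=FAIL
2024-03-25T10:00:02Z ip=203.0.113.10 user=carol result=FAIL
2024-03-25T10:00:03Z ip=203.0.113.10 user=dave result=FAIL
2024-03-25T10:00:04Z ip=203.0.113.10 user=erin result=SUCCESS
2024-03-25T10:00:05Z ip=203.0.113.10 user=frank result=FAIL
2024-03-25T10:05:00Z ip=198.51.100.7 user=grace result=FAIL
2024-03-25T10:05:09Z ip=198.51.100.7 user=grace result=FAIL
2024-03-25T10:05:20Z ip=198.51.100.7 user=grace result=SUCCESS
"""

def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_users=4):
    """Return {ip: distinct usernames} for sources whose failed logins hit at
    least `min_users` different accounts inside any `window`. Many usernames
    per IP is the stuffing signature; one user failing repeatedly is not."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["result"] == "FAIL":
            by_ip[rec["ip"]].append((rec["ts"], rec["user"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def successes_from_flagged(log_text, flagged):
    """Accounts a flagged source got into: force a reset and MFA enrolment."""
    return sorted(r["user"] for r in map(parse_line, log_text.splitlines())
                  if r["result"] == "SUCCESS" and r["ip"] in flagged)
```

The successful login buried inside the spray is the one to act on: a silent block of the source address leaves that account in the attacker's hands.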

'Tycoon' Malware Kit Bypasses Microsoft and Google Multifactor Authentication

An emerging phishing kit called "Tycoon 2FA" is gaining widespread use among threat actors, who are employing it to target Microsoft 365 and Gmail email accounts. The kit, discovered by researchers at Sekoia, has been active since at least August and received updates as recently as last month to enhance its evasion of multifactor authentication (MFA).

According to the researchers, Tycoon 2FA is extensively utilized in various phishing campaigns, primarily aimed at harvesting Microsoft 365 session cookies to bypass MFA processes during subsequent logins. The platform has amassed over 1,100 domain names between October 2023 and late February, with distribution facilitated through Telegram channels under different handles such as Tycoon Group, SaaadFridi, and Mr_XaaD.

Operating as a phishing-as-a-service (PhaaS) platform, Tycoon 2FA offers ready-made phishing pages for Microsoft 365 and Gmail accounts, along with attachment templates, starting at $120 for 10 days, with prices varying based on the domain extension. Transactions are conducted via Bitcoin wallets managed by the "Saad Tycoon Group," suspected to be the operator and developer of Tycoon 2FA, with over 1,800 recorded transactions as of mid-March.

The phishing technique employed by Tycoon 2FA is an adversary-in-the-middle (AitM) approach: a reverse proxy server hosts the phishing webpages and relays traffic to the legitimate service. This intercepts user input, including MFA tokens, allowing attackers to bypass MFA even if the credentials are changed between sessions.

Despite the security enhancements provided by MFA, sophisticated attacks like Tycoon 2FA pose significant threats by exploiting AitM techniques. The ease of use and relatively low cost of Tycoon 2FA make it appealing to threat actors, further compounded by its stealth capabilities that evade detection by security products.

Sekoia researchers outlined a six-stage process used by Tycoon 2FA to execute phishing attacks, including URL redirections, Cloudflare Turnstile challenges, JavaScript execution, and the presentation of fake authentication pages to victims.

The emergence of Tycoon 2FA underscores the evolving landscape of phishing attacks, challenging the effectiveness of traditional MFA methods. However, security experts suggest that certain forms of MFA, such as security keys implementing WebAuthn/FIDO2 standards, offer higher resistance against phishing attempts.
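Why the WebAuthn/FIDO2 point above holds, as an added example that is not from the article or from Sekoia: a one-time code carries no information about where it was typed, so a proxy can relay it unchanged, whereas a WebAuthn assertion is signed over the origin the browser is really connected to and over the relying party ID. The relying party and proxy origins are constructed, and an HMAC stands in for the authenticator's asymmetric key so the example runs on the standard library alone.

```python
"""Why a WebAuthn assertion captured by an AitM proxy fails at the real RP (added example)."""
import base64, hashlib, hmac, json, os

RP_ID = "login.example.com"                         # constructed relying party
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example-proxy.test"   # constructed phishing site
# HMAC stands in for the authenticator's asymmetric key (stdlib-only example).
KEY = b"constructed-authenticator-key"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def authenticator_sign(challenge, origin):
    """Browser plus authenticator. The browser, not the page, fills in the origin
    it is really connected to and only allows an rpId under that origin."""
    rp_id = origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + bytes(4)
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(KEY, signed, hashlib.sha256).digest()}

def rp_verify(challenge, assertion):
    """Relying-party checks, in the order the WebAuthn spec lists them (simplified)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(assertion["signature"], expected):
        return False, "bad signature"
    return True, "ok"

def demo():
    challenge = os.urandom(32)
    legit = rp_verify(challenge, authenticator_sign(challenge, RP_ORIGIN))
    # The proxy relays the real challenge, but the victim's browser is on the
    # proxy origin, so the signed clientDataJSON names that origin instead.
    proxied = rp_verify(challenge, authenticator_sign(challenge, PROXY_ORIGIN))
    return legit, proxied
```

Even if the proxy could forge the origin string, the signature covers it, and the browser will not let a page on the proxy origin request the real rpId, so the rpIdHash check fails as well.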

To assist organizations in identifying Tycoon 2FA activities, Sekoia has published a list of indicators of compromise (IoCs) on GitHub, including URLs associated with Tycoon 2FA phishing campaigns.

Akira Ransomware Adapts to Linux Systems, Incorporates New Tactics and TTPs

Akira ransomware, which initially targeted Windows systems, has evolved significantly since its emergence in March. It has now expanded its scope to include Linux servers, employing a diverse set of tactics, techniques, and procedures (TTPs).

A comprehensive report by Logpoint delves into the highly sophisticated nature of Akira ransomware. The malware encrypts victim files, erases shadow copies, and demands a ransom for data recovery. The attack chain actively exploits the CVE-2023-20269 vulnerability, using Cisco ASA VPNs that lack multifactor authentication as an entry point.

As of early September, the group had successfully targeted 110 victims, with a particular emphasis on the US and the UK. A notable recent victim was the British quality-assurance company Intertek. The group also set its sights on manufacturing, professional services, and automotive organizations.

According to a recent report from GuidePoint Security's GRI, educational institutions have borne a disproportionate brunt of Akira's attacks, accounting for eight out of its 36 observed victims.

The ransomware campaign involves multiple strains of malware that carry out distinct steps, including shadow copy deletion, file search, enumeration, and encryption when executed.

Akira employs a double-extortion technique: it steals personal data, encrypts it, and then extorts money from the victims. If payment is refused, the group threatens to release the data on the Dark Web.

Upon gaining access, the group uses tools such as AnyDesk and RustDesk for remote desktop access, as well as WinRAR for encryption and archiving. Additionally, the advanced system information tool and task manager PC Hunter assists the group in lateral movement through compromised systems, alongside wmiexec.

The group can also disable real-time monitoring to avoid detection by Windows Defender, and shadow copies are eliminated through PowerShell. Ransom note files are deposited across the victim's system, containing payment instructions and decryption assistance.

Anish Bogati, a security research engineer at Logpoint, highlights that Akira's use of Windows internal binaries (also known as LOLBAS) is particularly concerning. These binaries typically go unnoticed by endpoint protection and are already present in the system, sparing adversaries the need to download them.

Bogati emphasizes that the ability to create a task configuration for encryption parameters without manual intervention shouldn't be underestimated.

Taking Countermeasures

Bogati underscores the need for organizations to implement MFA and restrict permissions to prevent brute-force attacks on credentials. Keeping software and systems up to date is crucial in staying ahead of adversaries exploiting newly discovered vulnerabilities.

The report also recommends auditing privileged accounts and providing regular security awareness training. Network segmentation is advised to isolate critical systems and sensitive data, reducing the risk of breaches and limiting lateral movement by attackers.

Bogati suggests organizations should consider blocking unauthorized tunneling and remote access tools, such as Cloudflare Zero Trust, ZeroTier, and Tailscale, which adversaries often use to gain covert access to compromised networks.

Changing Landscape of Ransomware

The Akira group, named after a 1988 Japanese anime cult classic, emerged as a significant cyber threat force in April of this year, primarily focusing on Windows systems.

The transition by Akira into Linux enterprise environments mirrors similar moves by more established ransomware groups like Cl0p, Royal, and IceFire. Akira represents a new wave of ransomware actors reshaping the threat landscape, marked by the emergence of smaller groups and new tactics. Established gangs like LockBit are witnessing fewer victims.

Among the newer ransomware groups are 8Base, Malas, Rancoz, and BlackSuit, each with its distinct characteristics and targets.

Bogati warns that, judging by their victim count, Akira is poised to become one of the most active threat actors. They are developing multiple variants of their malware with various capabilities and are poised to exploit unpatched systems at every opportunity.