News Items

  • news

    "Enterprise Healthcare Providers Warned of Lorenz Ransomware Threat"

    The Department of Health and Human Services Cybersecurity Coordination Center (HC3) has issued a warning to larger, enterprise healthcare organizations about the Lorenz ransomware threat group. The human-operated campaign is well-known for going after larger organizations, and it has claimed victims in both the healthcare and public health sectors. The alert comes after a warning about the serious threat that Hive ransomware actors pose to healthcare organizations. HC3 also issued a brief earlier this month on the relatively new Venus ransomware group, which has claimed at least one US healthcare entity since its inception in August. Venus primarily targets Windows devices with exposed Remote Desktop Services (RDS). While open-source reports indicate that Venus' ransom demands start at 1 BTC, or less than $20,000, the Lorenz group operates on a much larger scale, with demands ranging from $500,000 to $700,000. The actors also sell access to the victim's network. Lorenz has been active for at least two years and runs a data leak site, as is typical of an extortion group. The group's tactics are far more malicious, as HC3 warns that when they become frustrated with a victim's refusal to pay, they will first sell the stolen data to other threat actors or competitors. If that does not work, Lorenz will release password-protected RAR archives of the victim's data. If those efforts do not yield monetary rewards, the group then releases the password for the entire archive, making it publicly accessible to anyone. In a situation like the recent attack on MediBank, Australia's largest health insurer, which involved an extortion attempt and a subsequent leak of files, this model could have serious consequences. Furthermore, Lorenz targets victims with customized executable code that is specifically tailored to the targeted organization. 
The tactic implies that the actors will maintain persistent access for reconnaissance for an extended period of time before deploying the ransomware payload, according to HC3. The typical pattern begins with initial access, followed by reconnaissance and lateral movement to connected devices, all to locate a Windows domain controller and obtain administrator credentials. Their code also allows multiple program threads to share resources while preventing multiple Lorenz instances from running at the same time. Each ransomware-encrypted file employs a randomly generated password, and its encryption key is generated using the CryptDeriveKey function. This article continues to discuss warnings of the Lorenz ransomware threat to enterprise healthcare providers.

    SC Magazine reports "Enterprise Healthcare Providers Warned of Lorenz Ransomware Threat"

  • news

    "MITRE's MDR Stress-Test Winners Combine Human Intelligence and AI for Stronger Cybersecurity"

    Cyberattacks have succeeded by exploiting gaps in corporate Information Technology (IT) environments, endpoints, and identities through social engineering and spear-phishing. They often immediately launch persistent threats and then steal credentials to move laterally across networks undetected. This breach sequence was chosen by MITRE for its first-ever closed-book evaluation, titled "MITRE ATT&CK Evaluations for Security Service Providers." The ATT&CK evaluation is designed to assess providers' cybersecurity effectiveness. In order to keep evaluations open and fair, MITRE Engenuity ATT&CK evaluations are based on a knowledge base of tactics, techniques, and sub-techniques. The most widely used framework for evaluating enterprise systems and software security is MITRE's ATT&CK Matrix for Enterprise. Historically, MITRE ATT&CK evaluations have informed security vendors, prior to active testing, about the intrusion and breach attempts that will be tested and why. Vendors have been known to game evaluations with that advance information, producing skewed results. In a closed-book evaluation, vendors are unaware of the threats they will face during the test. "MITRE ATT&CK Evaluations for Security Service Providers" is the first closed-book evaluation designed to put vendors' Managed Services or Managed Detection and Response (MDR) solutions through a stress test. Closed-book assessments provide the most accurate picture of a security vendor's performance in a customer environment. According to Michael Sentonas, CrowdStrike's CTO, the closed-book test provides an opportunity to demonstrate how security platforms operate against adversary tradecraft in a real-world setting because vendors have no prior knowledge to guide their actions. MITRE's assessment of MDRs is especially pertinent given that chronic cybersecurity skills shortages put organizations at greater risk of breach. 
The MITRE Security Service Providers evaluation lasted five days and had a reporting window of 24 hours. Sixteen MDR vendors who took part in the program had no prior knowledge of the adversary or its tactics, techniques, or procedures (TTPs). They were graded on a scale of 10 steps, each consisting of 76 events, including 10 unique ATT&CK tactics and 48 unique ATT&CK techniques. This article continues to discuss MITRE's first-ever closed-book MITRE Security Service Providers evaluation, combining human intelligence with Artificial Intelligence (AI) and Machine Learning (ML) in delivering the best results, and the importance of AI-assisted threat intelligence for an MDR.

    VB reports "MITRE's MDR Stress-Test Winners Combine Human Intelligence and AI for Stronger Cybersecurity"

  • news

    "Experts Warn Threat Actors May Abuse Red Team Tool Nighthawk"

    Security researchers at Proofpoint warn that a new red-teaming tool dubbed "Nighthawk" may soon be leveraged by threat actors. Created in late 2021 by MDSec, the tool is best described as an advanced command-and-control (C2) framework which, like Cobalt Strike and Brute Ratel, is a commercially distributed remote access trojan (RAT) designed for legitimate use. The researchers noted that, like those two tools, it could soon be co-opted by those with nefarious intent. For example, the researchers claim to have recorded a 161% increase in the malicious use of Cobalt Strike between 2019 and 2020. They stated that other tools like Sliver and Brute Ratel found their way into malicious campaigns within months of their release. Historically, threat actors have integrated legitimate tools into their arsenal for various reasons, such as complicating attribution, leveraging specific features such as endpoint detection evasion capabilities, or simply due to ease of use, flexibility, and availability. The researchers stated that Nighthawk implements a technique that can prevent endpoint detection products from receiving notifications for newly loaded DLLs in the current process context via callbacks that were registered with LdrRegisterDllNotification. This technique is enabled by the clear-dll-notifications option. Nighthawk also features several types of self-encryption that can be configured to evade process memory scans, including "no-stub-rop," which uses return-oriented programming to implement the encryption logic. The researchers noted that security vendors should take note of the new capabilities in order to deliver effective protection to their customers. The researchers are unaware of the adoption of Nighthawk in the wild by attributed threat actors, but it would be incorrect and dangerous to assume that this tool will never be appropriated by threat actors with a variety of intents and purposes.

    Infosecurity reports: "Experts Warn Threat Actors May Abuse Red Team Tool Nighthawk"

  • news

    "Complex M&A Deals Pave Way for Security Gaps"

    IronNet researchers discovered a likely China-based threat actor that had infiltrated a US software company using legacy infrastructure from a previous company acquisition. Before deploying the Shack2 and China Chopper web shells, the threat actor used compromised Virtual Private Network (VPN) credentials to gain initial access to a compartmentalized segment of the business. This segment, which included unpatched legacy systems such as file servers, data repositories, and consumer and transaction databases, belonged to a company acquired by the unnamed targeted organization in 2014. According to researchers, the attackers were on the networks for weeks or even months, staging activity for future exploitation with the possible end goal of stealing data or finding a pivot point to access production environments. The incident highlights the inherent security risks in corporate merger and acquisition (M&A) activity, which has continued at a rapid pace since the pandemic, with volumes increasing by 64 percent year-on-year in 2021. According to security experts, any type of change makes a company particularly vulnerable to cyberattacks, but the inherent complexity, speed, and secrecy across the acquisitions process makes this landscape particularly lucrative for threat actors. According to Jason Button, Cisco's director of Security and Trust M&A, the M&A space is a high-value target. Acquisitions made by large corporations usually garner front-page attention, which can turn the acquired company into a target. The parent and acquired companies prematurely connect their networks and/or share sensitive data. If the acquired company's security is lax, it could serve as an easy entry point to the parent company for much more valuable information. 
The impact of cybersecurity weaknesses or incidents at organizations is becoming more important during the M&A process, according to a 2019 Forescout survey, which found that 81 percent of Information Technology (IT) and business decision-makers were more focused on the acquisition target's cybersecurity posture than in the past. More than half of respondents said they had encountered a critical security issue or incident during an M&A transaction that jeopardized the deal, indicating that security flaws are having an impact on deals themselves. This article continues to discuss how M&A activity can pose a security risk.

    Decipher reports "Complex M&A Deals Pave Way for Security Gaps"

  • news

    "Over 1,500 Apps Found Leaking API Keys and Potentially Exposing User Data"

    More than 1,500 apps have been discovered to be leaking the Algolia Application Programming Interface (API) key and application ID, potentially exposing user data. Researchers at CloudSEK discovered 32 applications with hard-coded critical admin secrets, with 57 unique admin keys discovered so far. The Algolia API is used to implement search functionality on websites and in applications. Every month, the search API powers billions of queries for thousands of companies, including Stripe, Slack, Medium, and Zendesk. The admin API key, according to the researchers, can be used to access various pre-defined Algolia API keys, such as the search-only API key, monitoring API key, usage API key, and analytics API key. Threat actors may be able to read users' personal information, modify and delete information, access IP addresses, and view a user's app with this access. Although the researchers did not name the 32 apps that had admin secrets hard-coded, they did say that they were from shopping, education, lifestyle, business, and medical companies. It should be noted that the problem is not with Algolia or other similar services, but with app developers mishandling API keys. Developers should remove all exposed keys, generate new ones, and securely store them. Companies that exposed data were notified of the problem before the report was published. This is the latest in a long line of reports demonstrating how common the storage of API keys is in mobile apps, according to David Stewart, CEO of the mobile app protection company Approov. The problem is that developers are not using simple mitigations to counteract the underlying threats. In the case of third-party APIs such as Algolia, mobile app developers could simply use just-in-time delivery mechanisms to provide API keys only to genuine app instances and only when API calls are required. This would prevent any attempts to use and abuse any API keys that had 'leaked' from the app via scripts. 
This article continues to discuss the discovery of over 1,500 apps leaking API keys and potentially exposing user data.

    SiliconANGLE reports "Over 1,500 Apps Found Leaking API Keys and Potentially Exposing User Data"

  • news

    "Leaked Algolia API Keys Exposed Data of Millions of Users"

    Security researchers at CloudSEK have recently identified thousands of applications leaking Algolia API keys and dozens of applications with hardcoded admin secrets, which could allow attackers to steal the data of millions of users. The researchers noted that organizations can use Algolia's API to incorporate into their applications functions such as search, discovery, and recommendations. The API is used by over 11,000 companies, including Lacoste, Slack, Medium, and Zendesk. CloudSEK says it has identified 1,550 applications that leaked Algolia API keys, including 32 apps that had hardcoded admin secrets, providing attackers with access to pre-defined Algolia API keys. The researchers say that the offending 32 apps had more than 2.5 million downloads, potentially exposing the data of their users to malicious attacks. The researchers noted that a threat actor could exploit these weaknesses to read user information, including IP addresses, access details, and analytics data, and delete user information. The researchers stated that while this is not a flaw in Algolia or other such services that provide integrations, it is evidence of how API keys are mishandled by app developers. So, it is up to individual companies to address the security concerns associated with payment gateways, AWS services, and exposed Firebase databases. The researchers noted that the Algolia API requires that the Application ID and API key be passed via two headers to use services such as search, browse index, add records/delete records, list/update indexes, read/update index settings, and to retrieve logs and information from APIs. An attacker with access to the leaked API keys could access any of these features and read information they should not have access to. 
CloudSEK points out that organizations should revoke the leaked API keys and generate new ones that are stored securely and that authenticated endpoints should be used to communicate with sensitive, external APIs to prevent the leak of secrets. The company has informed Algolia and the affected organizations of the hardcoded API keys.

    SecurityWeek reports: "Leaked Algolia API Keys Exposed Data of Millions of Users"
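    The remediation described in this item and the previous one (remove exposed keys, generate new ones, store them securely) starts with finding the keys that shipped inside the app. The scanner below is an added example, not code from CloudSEK, Algolia, or any of the reported apps, and it serves both Algolia items. The sample input is constructed, and the variable names and the key formats it looks for (a 10-character alphanumeric application ID and a 32-character hex API key) are assumptions made for illustration; the string alone never reveals whether a key is admin or search-only, which is why every match is reported as a candidate for rotation.

```python
"""Scan app source or config for hard-coded API credentials.

Added example (not CloudSEK's, Algolia's, or any reported app's code): a
heuristic scanner that flags candidate secrets so they can be revoked,
rotated, and moved out of the shipped app. Variable names, the sample
input, and the assumed key formats (10-char alphanumeric app ID, 32-hex
API key) are assumptions made for illustration.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input, not taken from any real app: a properties-style
# config fragment followed by two Kotlin-style source lines.
SAMPLE_SOURCE = """\
# app/config.properties (constructed)
search.endpoint=https://example.invalid/search
ALGOLIA_APP_ID="AB12CD34EF"
ALGOLIA_ADMIN_API_KEY="0123456789abcdef0123456789abcdef"
analytics.enabled=true
val searchOnlyKey = "fedcba9876543210fedcba9876543210"
val appName = "DemoStore"
"""

# Quoted assignment: NAME = "VALUE" or NAME: "VALUE" (8+ chars, no whitespace).
ASSIGNMENT = re.compile(r'(?P<name>\w+)\s*[:=]\s*["\'](?P<value>[^"\'\s]{8,})["\']')
HEX32 = re.compile(r"^[0-9a-f]{32}$")          # assumed API-key format
APP_ID = re.compile(r"^[A-Z0-9]{10}$")         # assumed application-ID format
SECRET_WORDS = ("key", "secret", "token", "password", "app_id", "appid")


@dataclass
class Finding:
    line: int
    name: str
    kind: str
    severity: str
    redacted: str


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random tokens score well above prose."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    """Keep a 4-char prefix for triage and mask the rest of the value."""
    return value[:4] + "*" * (len(value) - 4)


def classify(name: str, value: str):
    """Return (kind, severity) or None when the value looks benign."""
    lowered = name.lower()
    if HEX32.match(value):
        # The string alone does not reveal whether this is an admin key or a
        # search-only key, so every match is treated as rotate-now.
        return "api-key-32hex", "high"
    if APP_ID.match(value) and ("app" in lowered and "id" in lowered):
        # An application ID is an identifier, not a secret, but it is the
        # second half of the credential pair and worth reporting.
        return "app-id", "info"
    if any(w in lowered for w in SECRET_WORDS) and len(value) >= 16 \
            and shannon_entropy(value) >= 3.0:
        return "high-entropy-secret", "medium"
    return None


def scan_source(text: str) -> list[Finding]:
    """Scan text line by line and return findings in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGNMENT.finditer(line):
            result = classify(m.group("name"), m.group("value"))
            if result:
                kind, severity = result
                findings.append(Finding(lineno, m.group("name"), kind,
                                        severity, redact(m.group("value"))))
    return findings


if __name__ == "__main__":
    # Report: line, severity, kind, variable name and a redacted value.
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line:>3}  {f.severity:<6}  {f.kind:<20}  {f.name} = {f.redacted}")
```

    Run against the constructed sample, the scanner reports the application ID on line 3 as informational and the two 32-hex values on lines 4 and 6 as high severity, while ignoring the ordinary string on line 7. Because the report masks everything past a four-character prefix, it can be attached to a ticket without re-leaking the credential; the key itself still has to be revoked and re-issued, since anything that was in a published build must be assumed copied.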

  • news

    "BMC Firmware Vulnerabilities Expose OT, IoT Devices to Remote Attacks"

    Security researchers at Nozomi Networks have discovered more than a dozen vulnerabilities in baseboard management controller (BMC) firmware. BMC is a specialized processor that allows administrators to remotely control and monitor a device without having to access the operating system or applications running on it. The researchers noted that the BMC can be used to reboot a device, install an operating system, update the firmware, monitor system parameters, and analyze logs. Many BMC vulnerabilities have been found in the past years, with researchers warning that exploitation of these flaws can allow a remote attacker to compromise and even damage the targeted server. However, much of the research has focused on IT servers. Nozomi Networks' study targeted a BMC that is used for operational technology (OT) and IoT devices. The researchers analyzed IAC-AST2500A, an expansion card that enables BMC functionality on network appliances made by Lanner, a Taiwan-based company that specializes in the design and manufacturing of network appliances and rugged applied computing platforms. The firmware running on the affected card is based on BMC remote management firmware from AMI, which is used by tech giants such as Asus, Dell, HP, Lenovo, Gigabyte, and Nvidia. The researchers noted that the Lanner expansion card comes with a web application that allows users to take full control of the host and the BMC itself. An analysis of this web interface by Nozomi researchers led to the discovery of 13 vulnerabilities, including five critical security holes that can be exploited for arbitrary code execution. The researchers have detailed how two of the 13 vulnerabilities, a medium-severity broken access control issue and a critical-severity command injection flaw, could be chained by an unauthenticated attacker to achieve remote code execution with root privileges on the BMC. 
The researchers stated that Lanner has created patches that should address the 13 vulnerabilities, but noted that they discovered other flaws as well during their analysis, and those are still in the process of being fixed.

    SecurityWeek reports: "BMC Firmware Vulnerabilities Expose OT, IoT Devices to Remote Attacks"

  • news

    "Cyberattacks Cost Enterprises $1,200 per Employee per Year"

    Every year, organizations pay $1,197 per employee to address successful cyber incidents involving email services, cloud collaboration apps or services, and web browsers. According to a new Osterman Research survey for Perception Point, a 500-employee company spends an average of $600,000 annually. A successful email-based cyber incident takes an average of 86 hours to resolve. As a result, with no support, one security professional can only handle 23 email incidents per year, at a direct cost of $6,452 per incident in time alone. Attacks on cloud collaboration apps or services are only marginally less expensive to mitigate. They take 71 hours to resolve on average, implying that one professional can handle 28 incidents per year at a cost of $5,305 per incident. This is also a threat vector that is not going away, as 80 percent of respondents said new channels, such as cloud collaboration apps and web browsers, will be important or extremely important for employee productivity by 2024. Threat actors have shifted their attacks to the new apps and services businesses have adopted. Malicious incidents against these new cloud-based apps and services are already occurring at 60 percent of the frequency with which they happen on email-based services, with some attacks, such as those involving malware installed on an endpoint, occurring at 87 percent of the frequency with which they occur on email-based services. According to the report, all organizations intend to deploy at least one new security tool to combat threats in the coming year, with 69 percent planning to deploy three or more. Half of all organizations use six or more communication and collaboration tools, with 19 percent using nine. Using such diverse tools expands the number of vectors that attackers can exploit. Over the next two years, more than 70 percent of respondents expect the frequency of security threats to remain constant or increase. 
This article continues to discuss key findings from the report on the rise of cyber threats against email, browsers, and emerging cloud-based channels.

    BetaNews reports "Cyberattacks Cost Enterprises $1,200 per Employee per Year"

  • news

    "DOJ Shuts Down 'Pig Butchering' Domains Responsible for $10 Million in Victim Losses"

    The Department of Justice (DOJ) announced the seizure of seven domain names used in "pig butchering" schemes, in which cybercriminals develop relationships with victims before exploiting them. According to the US Attorney's Office for the Eastern District of Virginia, five victims collectively lost more than $10 million between May and August 2022. Each domain pretended to be affiliated with the Singapore International Monetary Exchange. The scams involved deceiving victims into believing that web addresses or emails were associated with the exchange when, in fact, they were under the control of hackers. According to the DOJ, the scammers convinced the victims that they were investing in a legitimate cryptocurrency opportunity by using the confidence-building techniques described. Pig butchering schemes have become more common in recent years. Scammers find their victims through dating apps, social media sites, and random texts. They typically initiate contact with a victim and gain their trust before pressuring them to make a financial investment or provide account information. The victims are pressured to invest in cryptocurrency as well. Victims are then directed to scammer-controlled websites or platforms where money can be obtained. The FBI issued an advisory on such schemes in October 2022, and the Global Anti-Scam Organization (GASO) reported that the average victim loses nearly $122,000. According to GASO data, approximately two-thirds of victims are women aged 25 to 40. One man lost $1 million in a pig butchering scam perpetrated by hackers posing as an old coworker. Sherrod DeGrippo, VP of threat research and detection at Proofpoint, emphasizes that the pig butchering fraud demonstrates the lengths actors will go to socially engineer a target into falling victim to crime committed by large cybercrime ecosystems. This article continues to discuss the shutdown of pig butchering domains behind the loss of $10 million.

    The Record reports "DOJ Shuts Down 'Pig Butchering' Domains Responsible for $10 Million in Victim Losses"

  • news

    "FBI Arrests Two Estonian Men in $575M Crypto Fraud, Money Laundering Scheme"

    The FBI and Estonian police recently arrested two Estonian citizens for their alleged involvement in a $575 million cryptocurrency fraud scheme. Sergei Potapenko and Ivan Turogin, both 37, are charged with conspiracy to commit wire fraud, 16 counts of wire fraud, and one count of conspiracy to commit money laundering. Prosecutors noted that the men persuaded victims to enter into fraudulent equipment rental contracts with the defendants' cryptocurrency mining service, HashFlare. They also caused victims to invest in a phony virtual currency bank called Polybius Bank, which never paid out dividends. The indictment charges Potapenko and Turogin with conspiring to launder their criminal proceeds by using shell companies, phony contracts, and invoices. The money laundering conspiracy allegedly involved at least 75 real properties, six luxury vehicles, cryptocurrency wallets, and thousands of cryptocurrency mining machines. Assistant Attorney General Kenneth Polite Jr. of the Justice Department's criminal division stated that the size and scope of the alleged scheme is truly astounding. U.S. and Estonian authorities are working to seize and restrain these assets and take the profit out of these crimes. If convicted, Potapenko and Turogin each face a maximum penalty of 20 years in prison. A federal district court judge will determine any sentence after considering U.S. Sentencing Guidelines and other statutory factors.

    Fox Business reports: "FBI Arrests Two Estonian Men in $575M Crypto Fraud, Money Laundering Scheme"

  • news

    "Cybersecurity Speaker Series: 5G Security Impacts National Security"

    The National Security Agency's (NSA) Cybersecurity Collaboration Center has released a video as part of its Cybersecurity Speaker Series on how 5G security relates to national security. Through the Speaker Series, NSA shares insights, lessons, and contributions from its cybersecurity work. Dr. Josiah Dykstra, NSA's Cybersecurity Technical Fellow, talked with NSA's Enduring Security Framework (ESF) Chief Natalie Pittore and Martin Goldberg, NSA's lead for 5G Developing Standards. Fifth-generation (5G) wireless technology represents the next step in the evolution of mobile communications networks, bringing many new connections, capabilities, and services. 5G is revolutionizing the way the world communicates and shares information, from automobiles to mobile phones to warfighting capabilities. Smart homes and buildings, smart cities, and remote medical services are all supported by 5G. 5G technologies also provide support for massive machine-to-machine (M2M) communications for industrial automation. These new functionalities and services require a new approach to deploying advanced mobile services and new methods to integrate 5G technologies. 5G is about more than just improving wireless communications. It is about connecting systems that will allow massive amounts of data to be wirelessly processed in real time anywhere in the world. Standards Development Organizations (SDOs) play an important role in securing 5G-ready products before production begins. The goal of standards is to reach an agreement on emerging technology functionality, features, interoperability, and security. Establishing standards ensures that solutions are available to users and developers across multiple sectors and ecosystems. This article continues to discuss the impact of 5G security on national security.

    NSA reports "Cybersecurity Speaker Series: 5G Security Impacts National Security"

  • news

    "Emotet Is Back and Delivers Payloads Like IcedID and Bumblebee"

    Proofpoint researchers have warned of the return of the Emotet malware, observing a high-volume malspam campaign delivering payloads such as IcedID and Bumblebee in early November. The Emotet banking Trojan has been around since at least 2014, and the botnet is run by a threat actor known as TA542. The banking Trojan was also used to spread other malicious code, such as the Trickbot and QBot Trojans, as well as ransomware, including Conti, ProLock, Ryuk, and Egregor. In response to Microsoft's decision to disable Visual Basic for Applications (VBA) macros by default, operators of the Emotet botnet began testing new attack techniques in April. Proofpoint researchers discovered a new variant of the Emotet bot in June that employs a new module to steal credit card information stored in the Chrome web browser. To stay under the radar, Emotet operators have improved their attack chain over time by employing multiple attack vectors. Between July and November 2022, the Emotet operators were inactive. Threat actors have been observed distributing hundreds of thousands of emails per day, implying that Emotet is resuming its full functionality as a delivery network for major malware families. The experts observed numerous changes to the bot and its payloads, and the operators modified the malware modules, loader, and packer. Proofpoint noticed new Excel attachment visual lures, changes to the Emotet binary, the IcedID loader dropped by Emotet being a light new version of the loader, and reports of Bumblebee being dropped alongside IcedID. The security firm observed a wave of attacks primarily targeting the US, the UK, Japan, Germany, Italy, France, Spain, Mexico, and Brazil. Recent attacks' emails typically included a weaponized Excel attachment or a password-protected ZIP attachment containing an Excel file. The Excel files contain XL4 macros that download the Emotet payload from a set of built-in URLs. 
The Excel files used in recent campaigns are unique in that they instruct recipients to copy the file to a Microsoft Office Template location and run it from there instead. This location is marked as "trusted," meaning that opening a document in this folder will result in no warnings. This article continues to discuss the reemergence of the Emotet malware.

    Security Affairs reports "Emotet Is Back and Delivers Payloads Like IcedID and Bumblebee"

  • news

    "DUCKTAIL Attacks Costing Victims Hundreds of Thousands of Dollars"

    According to a new analysis, DUCKTAIL, a Vietnam-based cybercrime operation discovered by WithSecure earlier this year, has continued to evolve its operations. DUCKTAIL has been using LinkedIn to target individuals and organizations using Facebook's Ads and Business platform in order to hijack Facebook Business accounts since 2021. However, following a report detailing DUCKTAIL's activities, the group has altered its operations to circumvent defenses and expand its operations. Until now, the operational team behind DUCKTAIL appeared to be small, but that has changed, according to Mohammad Kazem Hassan Nejad, Researcher for WithSecure Intelligence. Recently observed DUCKTAIL activity included several changes to their mode of operation. Its activity includes new channels for spear-phishing targets, such as WhatsApp. The group modified malware capabilities to include a more robust method of retrieving attacker-controlled email addresses and making the malware appear more legitimate by launching dummy documents and video files. It has made ongoing efforts to avoid detection by changing file formats and compilation, as well as countersigning certificates. There has been additional resource development and operational expansion through the establishment of additional fake businesses in Vietnam and the integration of affiliates into the operation. Ransomware attacks receive a lot of attention, but threats like DUCKTAIL can cause significant financial and brand damage and should not be ignored, according to Paolo Palumbo, Vice President of WithSecure Intelligence. With increased activity, new affiliates, and fake businesses, DUCKTAIL-related incidents are expected to rise in the near future. This article continues to discuss findings regarding DUCKTAIL's recent activity.

    Cision reports "DUCKTAIL Attacks Costing Victims Hundreds of Thousands of Dollars"

  • news

    "CISA Seeks Information for Potential Cyber Threat Intelligence Platform"

    On behalf of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the General Services Administration (GSA) requested information on the availability of Threat Intelligence Enterprise Services (TIES) to the agency in developing Cyber Threat Intelligence (CTI) capabilities. According to CISA, there are existing barriers to the federal cyber ecosystem throughout the CTI lifecycle, such as fragmented threat information, which impairs analysts' ability to make informed decisions about these risks, as well as CTI that is currently distributed across multiple feeds in various data formats. Participants in that intelligence-sharing environment have varying levels of cyber maturity. CISA also stated that the federal cyber ecosystem must improve CTI tools and services, along with their procurement, while also developing CTI maturity assessments and roadmaps. The ecosystem must also raise awareness and centralize CTI requirements. As a result, CISA is collaborating to develop TIES, which will provide customers with CTI services, standards, and guidance on CTI generation, use, and sharing. The Request For Information (RFI) will help the government conduct market research to identify potential offers and gather industry feedback. According to the RFI, the industry would help in the development or configuration of a CTI exchange platform, which would then be integrated with customized CISA applications and a feed for commercial threats. The CTI capabilities will be made available to federal, intelligence community, state, and law enforcement customers as a collection of enterprise services. This article continues to discuss the request that will help CISA develop a platform to address current challenges related to CTI.

    NextGov reports "CISA Seeks Information for Potential Cyber Threat Intelligence Platform"

  • news

    "Microsoft Warns of Rise in Stolen Cloud Tokens Used to Bypass MFA"

    Threat actors are stealing authentication tokens that have already been verified by multi-factor authentication (MFA) in order to compromise organizations' systems. According to a new alert from Microsoft's Detection and Response Team (DART), token theft for MFA bypass is especially dangerous because it requires little technical expertise and is difficult to detect. Most organizations have not considered token theft as part of their incident response plan. Furthermore, as employees increasingly use personal devices to access systems, security controls deteriorate, and malicious activity is hidden from the security team's view. Full visibility into devices reduces the risk of token theft, but DART admits that with so many unmanaged devices accessing the network, this is difficult. It recommends conditional access policies and strict controls for unmanaged devices. DART also noted in its blog post about the MFA workaround that publicly available open-source tools for token theft already exist, and that commodity credential theft malware has already been modified to include this method in its arsenal. This article continues to discuss the uptick in token theft from authenticated users, which allows threat actors to bypass MFA protections.

    Dark Reading reports "Microsoft Warns of Rise in Stolen Cloud Tokens Used to Bypass MFA"

  • news

    Visible to the public "90% Of Organizations Have Microsoft 365 Security Gaps"

    A recent study of 1.6 million Microsoft 365 users across three continents discovered that 90 percent of organizations lacked essential security protections. Microsoft 365 administration was found to be difficult. CoreView experts examined the most common issues to determine what companies are doing well and to identify gaps in Information Technology (IT) management strategies. According to the study's findings, many common security procedures are not followed 100 percent of the time, which weakens most organizations' security defenses. While most businesses have strong documented security policies, the research found that many are not consistently implemented due to reporting challenges and limited IT resources. Ninety percent of businesses had gaps in all four key areas studied: multi-factor authentication (MFA), email security, password policies, and failed logins. Eighty-seven percent of businesses have MFA disabled for some or all of their administrators, the most critical accounts to protect because of their higher access levels. Only 17 percent of businesses had strong password policies that were consistently followed. Almost every organization leaves the door open to cybersecurity threats through weak credentials, particularly for administrator accounts. In addition to security issues, the study identified key areas for improvement in Microsoft 365 license management. On average, 21.6 percent of licenses were unassigned or "sitting on the shelf." Another 10.2 percent of licenses were inactive, for a total of 31.9 percent of licenses that were not in use. More than 10,000 licenses were unassigned or inactive in 17 percent of companies. This article continues to discuss CoreView experts' key findings from the evaluation of 1.6 million Microsoft 365 users.

    Help Net Security reports "90% Of Organizations Have Microsoft 365 Security Gaps"

  • news

    Visible to the public "Hackers Steal $300,000 in DraftKings Credential Stuffing Attack"

    DraftKings, a sports betting company, has announced that it will refund all customers who were affected by a credential stuffing attack that resulted in losses of up to $300,000. The statement comes after DraftKings tweeted that it was looking into reports of customers having problems with their accounts. An initial $5 deposit appears to be the common denominator for all accounts that were hijacked, followed by the attackers changing the password, enabling two-factor authentication (2FA) on a different phone number, and then withdrawing as much as possible from the victims' linked bank accounts. Some victims have also expressed their dissatisfaction on social media because they were unable to contact anyone at DraftKings while the attackers continued to withdraw money from their bank accounts. According to DraftKings President and Co-founder Paul Liberman, the login information of these customers was compromised on other websites and then used to access DraftKings accounts that reused the same login information. Customers were advised not to use the same password for more than one online service and not to share their credentials with third-party platforms, such as betting trackers and betting apps other than those provided by DraftKings. Customers who have not yet been affected by this credential stuffing campaign should immediately enable 2FA on their accounts and remove any banking details or unlink their bank accounts to prevent fraudulent withdrawal requests. As the FBI recently warned, credential stuffing attacks are rapidly increasing in volume as a result of easily accessible aggregated lists of leaked credentials and automated tools. This article continues to discuss the DraftKings credential stuffing attack that resulted in the theft of $300,000 and the rise of such attacks.

    Bleeping Computer reports "Hackers Steal $300,000 in DraftKings Credential Stuffing Attack"

  • news

    Visible to the public "Researchers Warn of Cyber Criminals Using Go-based Aurora Stealer Malware"

    Aurora Stealer, a new Go-based malware, is increasingly being used in campaigns to steal sensitive information from compromised hosts. The infection chains use phishing pages impersonating legitimate software download pages, such as those for cryptocurrency wallets or remote access tools. Aurora was first advertised as a commodity malware for other threat actors on Russian cybercrime forums in April 2022, describing itself as a multi-purpose botnet with stealing, downloading, and remote access capabilities. In the months since, the malware has been reduced to a stealer capable of stealing files of interest, data from 40 cryptocurrency wallets, and data from applications such as Telegram. Aurora also includes a loader that can deploy a next-stage payload using a PowerShell command. According to the cybersecurity firm SEKOIA, different cybercrime groups known as traffers, who redirect user traffic to malicious content operated by other actors, have added Aurora to their toolkit, either exclusively or alongside RedLine and Raccoon. This article continues to discuss the findings surrounding the Aurora Stealer malware.

    THN reports "Researchers Warn of Cyber Criminals Using Go-based Aurora Stealer Malware"

  • news

    Visible to the public "The Department of National Defense Awards Concordia Researcher $1M to Develop New Strategies Against Cyberattacks"

    The Royal Canadian Navy's ships are becoming increasingly vulnerable to targeted cyberattacks. These can impact the safety and integrity of assets, as well as the ability of decision-makers to use them. Researchers at Concordia University have received a $1 million grant from Canada's Department of National Defense (DND) to address these concerns. The funding is part of the Innovation for Defense Excellence and Security (IDEaS) program's ongoing investment in developing solutions for its challenge, "Knot Vulnerable: Locking Down Cybersecurity on Naval Vessels." The team behind the project, "Cybersecurity Monitoring, Diagnosis, Mitigation and Resilient Operation of Naval IT/OT/PT Systems Against Malicious Attacks," aims to develop new methodologies that defend against the cybersecurity vulnerabilities of naval vessels. Concordia researchers will collaborate closely with partners from various industries in the project's second phase. CAE, a Montreal-based high-technology company, will be the project's industrial partner in developing an Intrusion Detection System (IDS). According to the partnership agreement, the Centre for Maritime Research and Experimentation, a North Atlantic Treaty Organization (NATO) research entity based in Italy, will support the project with its maritime expertise. This article continues to discuss the DND-supported work aimed at developing new strategies to defend vessels against targeted cyberattacks.

    Concordia University reports "The Department of National Defense Awards Concordia Researcher $1M to Develop New Strategies Against Cyberattacks"

  • news

    Visible to the public "Human Side of Cybersecurity: An Empirical Study"

    A new study published in the International Journal of Business Information Systems examines the human side of cybersecurity. Cybersecurity is typically thought to be primarily about firewalls, antivirus software, spam filters, and Distributed Denial-of-Service (DDoS) detection, but breaches of computer systems and networks are often caused by social engineering and human error instead of sophisticated malware. A team of researchers surveyed professionals, non-professionals, and students in the educational sector. They wanted to examine the relationship between computer security awareness and human behavior. Therefore, they focused on various personality traits to see if there were any links between them and a person's understanding of cybersecurity. While an organization or individual can implement policies and tools to protect against digital intrusion, it is nearly impossible to protect against social engineering without ongoing education of users who may fall victim to the persuasive skills of the confident cybercriminal. The team emphasizes that cybersecurity is a massive global challenge. They examined personality traits such as extroversion, agreeableness, conscientiousness, neuroticism, and openness as well as how they relate to an individual's perception and understanding of cybersecurity in order to determine where there are gaps in knowledge or where a particular personality type may be more susceptible to social engineering than another. This article continues to discuss the study on the relationship between awareness of computer security issues and human behavior.

    Inderscience reports "Human Side of Cybersecurity: An Empirical Study"

  • news

    Visible to the public "Google Won a Lawsuit Against the Glupteba Botnet Operators"

    Google has announced the successful conclusion of a nearly year-long legal battle with the operators of the Glupteba botnet, a highly sophisticated botnet composed of millions of compromised Windows devices. Glupteba, unlike other botnets, uses cryptocurrency blockchains as a command-and-control (C2) mechanism to make it more resistant to takeover. The Glupteba malware instructs infected computers to look for the addresses of its C2 servers on the Bitcoin blockchain by referencing transactions associated with specific accounts. The blockchain is not centralized, and each transaction is distributed to and viewable by any user on the blockchain. Because of these characteristics, the Glupteba botnet is unusually resistant to disruption. If the botnet's C2 servers are disabled, its operators can simply create new servers and broadcast their addresses to the blockchain. Google won the lawsuit filed against two Russian nationals involved in the botnet's operations. The court's decision establishes an important legal precedent in the fight against cybercrime. The company's Threat Analysis Group (TAG) shared the actions it took to disrupt the Glupteba botnet's operations in December 2021 and announced it had filed a case against its operators in the Southern District of New York. The US District Court set monetary sanctions on both the Russian defendants and their US-based lawyer, and ordered them to pay Google's legal fees. The ruling is considered significant because it demonstrates that criminals can face monetary penalties for engaging in cybercriminal activities such as this one. Google stated that Glupteba operators have resumed operations using platforms and Internet of Things (IoT) devices not operated by Google. However, the company confirmed that its operation reduced the number of infected hosts by 78 percent. This article continues to discuss Google winning a lawsuit against the Glupteba botnet operators.

    Security Affairs reports "Google Won a Lawsuit Against the Glupteba Botnet Operators"

  • news

    Visible to the public "Major Security Breach From Business Users' Low-Code Apps Could Come in 2023, Analysts Warn"

    Forrester analysts recently warned of a possible major security breach at a large enterprise in 2023 caused by business users employing low-code/no-code (LCNC) tools. The first part of this prediction is a common industry assumption that it would be unusual to go an entire year without major headline security breaches. The second part, which predicts that business users, also known as citizen developers, will cause this major breach using LCNC, is an attempt to wake up the security community before it is too late. This prediction is powerful because it counters the tendency of some security teams to treat apps built by business users as toys or proof-of-concepts (POCs) rather than critical infrastructure. Forrester warns that this assumption is incorrect and will have disastrous consequences. LCNC has become a reality in the enterprise in recent years, and business users have been creating impactful apps on which large organizations now rely, with or without the security team's knowledge. It is essential to unpack Forrester's underlying assumptions to understand why it is issuing this warning. Consider the factors that contribute to a security breach becoming a major news story. First, there must be a breach, and while this assumption is trivial, it is important to note that it rests on the underlying assumption that hackers are focusing their efforts on LCNC apps and succeeding in breaking them. For hackers to focus on LCNC, the perceived reward must be greater than the perceived difficulty, which means hackers must be convinced that LCNC holds significant business data or facilitates important business workflows for it to be a worthy target. In order to gain control of LCNC apps, hackers must exploit either platform-level or app-level vulnerabilities. Because business users are not security experts and often lack guidance, this is an easy assumption to make. In one case documented by the Microsoft Detection and Response Team (DART), an Advanced Persistent Threat (APT) group used living-off-the-land tactics on LCNC apps to remain hidden and persistent within a multinational organization for over six months while defenders actively attempted to kick them off. Another incident occurred last year when a simple misconfiguration exposed nearly 40 million confidential records to the Internet. This article continues to discuss Forrester analysts' prediction of a major security breach at a large enterprise in 2023 rooted in business users utilizing LCNC.

    Dark Reading reports "Major Security Breach From Business Users' Low-Code Apps Could Come in 2023, Analysts Warn"

  • news

    Visible to the public "Watchdog: Agency Overseeing Cybersecurity for Offshore Energy Falling Short"

    According to a recent report from the Government Accountability Office (GAO), the federal enforcement office that oversees more than 1,600 offshore oil and gas facilities has done little to address growing cybersecurity risks. GAO highlighted that the Department of Interior's Bureau of Safety and Environmental Enforcement (BSEE) has taken "few actions" to address cybersecurity risks since the agency first planned to address the issue in 2015, despite the fact that an attack on an offshore oil and gas rig could be disastrous. According to Chris Grove, director of cybersecurity strategy at Nozomi Networks, a company that works with offshore oil and gas rigs, there could be serious consequences if an offshore oil rig does not operate as intended. Any type of assistance during an incident can be difficult when a facility is miles from land in the ocean, according to Grove, who cites the 2010 BP Deepwater Horizon oil pipeline collapse as an example of a worst-case scenario. GAO also stated that a worst-case scenario could be fatal. According to BSEE incident investigation documentation, impacts can include deaths and injuries, damaged or destroyed equipment, and pollution of the marine environment. In the worst-case Operational Technology (OT) failure scenario, however, all of these impacts can occur at the same time and on a large scale. BSEE planned to address cybersecurity risks in 2015 and again in October 2020, but no action was taken. According to GAO, in the fiscal year 2023 budget justification, BSEE proposed developing a foundational cybersecurity capability to collaborate with the industry. BSEE hired a cybersecurity specialist to work on the issue in May, but the agency told GAO that the program's development is on hold until that individual is thoroughly familiar with the relevant issues and entities. GAO says that the OT used to manage those facilities is often found to run on legacy systems that are increasingly connected to the Internet, increasing the potential for cyberattacks. The watchdog recommended that BSEE develop and implement an immediate strategy to address offshore infrastructure risks. This article continues to discuss GAO's warning on cybersecurity for US offshore energy platforms.

    CyberScoop reports "Watchdog: Agency Overseeing Cybersecurity for Offshore Energy Falling Short"

  • news

    Visible to the public "Preparing for Quantum Cryptography, US Air Force Partners up With SandboxAQ"

    As researchers predict that quantum computers will be able to break public key algorithms as early as 2030, organizations are under increasing pressure to adopt quantum-resistant algorithms to protect their data from threat actors. The US Air Force is one such organization, having entered into a partnership with Artificial Intelligence (AI) and quantum security provider SandboxAQ, awarding the vendor a Phase 1 Small Business Innovation Research (SBIR) contract. The provider will conduct post-quantum cryptographic inventory analysis and performance benchmarking as part of the contract. The Air Force's collaboration with SandboxAQ demonstrates that the quantum computing threat is not just an abstract, theoretical threat, but a real risk that businesses must prepare for right now. The partnership follows the National Institute of Standards and Technology's (NIST) selection of four post-quantum encryption algorithms for inclusion in its post-quantum cryptographic standard, as well as Google Cloud's announcement that it has deployed a post-quantum cryptographic algorithm to help secure its internal Application Layer Transport Security (ALTS) protocol. Although the post-quantum cryptography momentum may appear speculative at first glance, the risks posed by quantum computing are already visible. Harvest Now, Decrypt Later (HNDL) or Store Now, Decrypt Later (SNDL) attacks, for example, involve nation-state actors and cybercriminals collecting and storing encrypted data today in order to decrypt it later. If successful, these attacks would allow threat actors to decrypt protected data at their leisure. If post-quantum cryptography is not urgently implemented, adversarial nation-states' quantum computers could shatter US national security. SandboxAQ will assist the Air Force in this critical first step in the deployment of post-quantum cryptography across national security systems, which is expected to take years. SandboxAQ is part of the quantum cryptography market, which researchers estimate will grow from $102.34 million in 2021 to $476.83 million by 2030. This article continues to discuss the US Air Force's partnership with SandboxAQ, the mandate for quantum cryptography, as well as the growing quantum cryptography market.

    VB reports "Preparing for Quantum Cryptography, US Air Force Partners up With SandboxAQ"

  • news

    Visible to the public "Rise of Security Champions: Application Development's Long-Awaited Evolution"

    Application development can be related to Newton's Third Law of Motion, which states that for every action, there is an equal and opposite reaction. Developers want to develop, but it appears that whenever they want to do so, application security teams fire back with concerns about the application's safety, causing tension and slowing development. It is critical to explore how to ensure security while maintaining a streamlined development process. A security champion program involves educating employees about best security practices in organizational behavior to reduce overall security risk. Security champions are people who would not normally be involved in security but are given extra training and incentives to represent security on their teams. The rise of security champions arose from a concern that the average developer is not measured on security and thus is not focused on maintaining it. There is a common misconception, particularly among those who use open-source code, that security is not part of the development process because it is not the developer's responsibility to ensure the code is secure, which relies on the assumption that the code used is reliable. Although security teams are necessary, they are often viewed as bottlenecks in the process, preventing developers from continuously churning out code. This all leads to the formation of security champions on research and development teams who are trained in application security and serve as a bridge between the typical developer and the security team. Security champions are critical in the application development process because they help to reduce tensions between the security team and the developer. There are naturally two opposing forces, with developers eager to create and application security teams tasked with ensuring security. A security champion can act as an impartial arbitrator between the development team and the AppSec team, helping to highlight both perspectives so that both parties can comprehend the reasoning and actions of the other. This article continues to discuss the role of security champions in application development.

    BetaNews reports "Rise of Security Champions: Application Development's Long-Awaited Evolution"

  • news

    Visible to the public "A Third of Global Organizations Were Breached Over Seven Times in the Past Year"

    Security researchers at Trend Micro have discovered that 32% of global organizations have had customer records compromised multiple times over the past 12 months as they struggle to profile and defend an expanding attack surface. The researchers published their findings in Trend Micro's semi-annual Cyber Risk Index (CRI) report. The CRI calculates the gap between organizational preparedness and the likelihood of being attacked, with -10 representing the highest level of risk. The researchers found that the global CRI index moved from -0.04 in 2H 2021 to -0.15 in 1H 2022, indicating a surging level of risk over the past six months. The researchers noted that this trend is also reflected elsewhere in the data: the number of global organizations experiencing a "successful" cyberattack increased from 84% to 90% over the same period. Unsurprisingly, the number expected to be compromised over the coming year has also increased, from 76% to 85%. Some of the top preparedness risks highlighted by the researchers are related to attack surface discovery capabilities. It is often challenging for security professionals to identify the physical location of business-critical data assets and applications. Overall, most organizations rated the following as the top cyber threats in 1H 2022: business email compromise (BEC), clickjacking, fileless attacks, ransomware, and login attacks (credential theft).

    Dark Reading reports: "A Third of Global Organizations Were Breached Over Seven Times in the Past Year"

  • news

    Visible to the public "How One State's Phishing Training Evolves With Threats"

    According to a leading technology official, employee training must continue to evolve to keep up with cybercriminals' new tactics if state governments are to stay ahead of the latest phishing threats. Hemant Jain, CISO at the Indiana Office of Technology (IOT), stated that every month, state employees from over 100 agencies receive phishing and cybersecurity awareness training, which they also receive during their onboarding as new employees. Jain says the state modifies the email templates it uses for employee phishing training to account for the most recent news that may inspire scammers, such as recent announcements about federal student debt relief. The templates are also changed regularly to ensure employees do not become too familiar with them. Furthermore, metrics indicate whether any phishing topic or technique should be the subject of additional training as a result of high user click rates during the exercises. Employee training is also tailored to the various file types that employees encounter daily. Training for those who regularly use PDFs for their jobs, for example, will include many PDFs to show them what they could be exposed to, according to Jain. He added that it is critical to make employee training relevant and contextual to the actual end user. Employees are also subjected to phishing training tests via text message, social media, and other means, as hackers increasingly use these platforms in the same malicious manner as email. Indiana has also worked to strengthen its cyber posture through recent legislation that enhanced cyber incident reporting requirements, requiring local governments to report attacks or suspicious activity to IOT within 48 hours of discovery. Indiana takes a "whole-of-state" cyber approach, encouraging all levels of government to work toward the same security and safety goals. This article continues to discuss Indiana's phishing training and the state's other efforts to improve its cyber posture.

    GCN reports "How One State's Phishing Training Evolves With Threats"

  • news

    Visible to the public "Critical Infrastructure's Open-Source Problem"

    According to Synopsys research, 78 percent of code in codebases is open-source. Of the codebases, 81 percent have at least one vulnerability. When the code is left untouched for two years with no feature updates, that figure rises to 88 percent. Open-source code is critical in computing, the Internet, and the connectivity of critical infrastructure. Many critical infrastructure segments, such as the electric grid and water systems, are also outdated, making them riddled with out-of-date and unchecked code. Open-source software is used in Operational Technology (OT) and Information Technology (IT). It is everywhere now, says Cheri Caddy, director of cyber policy and planning at the Office of the National Cyber Director. When a vulnerability in the open-source supply chain is exploited, it can cause major issues for any industry. When this occurs in critical infrastructure, it has the potential to cause chaos among affected users. Although the open-source community has a reputation for quickly discovering and fixing bugs due to more eyes being on the code, that same ability to see the code can make things easier for potential attackers, according to Mike Parkin, senior technical engineer at Vulcan Cyber. According to Parkin, repairing old hardware with new software can often yield mixed results. While it can help to keep older technology relevant and extend its life, it can also introduce new software vulnerabilities. Open-source also introduces risk through the Continuous Integration and Continuous Delivery (CI/CD) pipeline. While production environments are hardened and monitored, CI/CD pipelines receive far less security attention, according to John Steven, CTO of ThreatModeler. Attacks on open-source and artifact repositories are external to the organization and, thus, are not monitored or controlled by that enterprise. This article continues to discuss how open-source code poses a risk to security and the protection of critical infrastructure from this risk.

    Security Boulevard reports "Critical Infrastructure's Open-Source Problem"

  • news

    Visible to the public "PoC Code Published for High-Severity macOS Sandbox Escape Vulnerability"

    Security researchers at Trend Micro's Zero Day Initiative (ZDI) have published details and proof-of-concept (PoC) code for a macOS vulnerability that could be exploited to escape a sandbox and execute code within Terminal. Tracked as CVE-2022-26696 (CVSS score of 7.8), the security defect was identified and reported last year, with a patch available since the release of macOS Monterey 12.4 in May. Apple, in an advisory, noted that the flaw allowed a sandboxed process to circumvent sandbox restrictions and that improved environment sanitization resolved the issue. Successful exploitation of the vulnerability would require the attacker to be able to execute low-privileged code on the target system. The researchers noted that the specific flaw exists within the handling of XPC messages in the LaunchServices component. A crafted message can trigger the execution of a privileged operation. The researchers stated that an attacker able to exploit this vulnerability could "escalate privileges and execute arbitrary code in the context of the current user."

    SecurityWeek reports: "PoC Code Published for High-Severity macOS Sandbox Escape Vulnerability"

  • news

    Visible to the public "Ten Charged in $11m Healthcare BEC Plots"

    Ten individuals have recently been charged with a series of business email compromise (BEC) and money laundering offenses, in which they allegedly defrauded Medicaid, Medicare, and private health insurance programs to the tune of over $11m. The Department of Justice (DoJ) stated that the charges relate to seven individuals from Georgia and South Carolina who would use stolen identities to open bank accounts in the name of shell companies. They would then run schemes to trick employees working for public and private health insurance programs into wiring funds to these accounts, thinking they were hospitals. The DoJ noted that five state Medicaid programs, two Medicare administrative contractors, and two private health insurers were apparently conned in this way. Some funds were used to buy luxury goods and automobiles, while others were laundered by the three remaining defendants via bank accounts registered with stolen or fake identities and set up in the name of additional shell companies. One of the ten indicted individuals, Adewale Adesanya, 39, of Jonesboro, Georgia, pleaded guilty back in June to conspiracy to commit money laundering and use of a false passport. Adesanya was sentenced to four years in prison for laundering more than $1.5m from BEC schemes targeting Medicaid programs, the IRS, the Small Business Administration (SBA), a private company, and two elderly romance scam victims. The DoJ noted that the remaining nine are awaiting trial and, if found guilty, each faces a maximum sentence of 20 to 30 years behind bars. One, Desmond Nkwenya, 35, of Atlanta, Georgia, also faces a charge relating to receiving $119,000 as a result of an allegedly fraudulent Paycheck Protection Program loan application. Another suspect, Olugbenga Abu, 45, of Atlanta, Georgia, allegedly obtained a fraudulent loan of over $341,000 and then sought an additional $65,000 fraudulently from the SBA.

    Infosecurity reports: "Ten Charged in $11m Healthcare BEC Plots"

  • news

    Visible to the public "ESF Partners, NSA, and CISA Release Software Supply Chain Guidance for Customers"

    "Securing the Software Supply Chain for Customers" guidance has been published by the National Security Agency (NSA) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). The guidance was developed through the Enduring Security Framework (ESF), a public-private cross-sector working group led by NSA and CISA that provides cybersecurity guidance to address high-priority threats to the nation's critical infrastructure. ESF analyzed the events leading up to the SolarWinds attack in order to provide guidance to customers. This study revealed that significant investment was required to develop a set of industry- and government-evaluated best practices centered on the needs of the software customer. Historically, threat actors targeted well-known vulnerabilities that went unpatched. Although this tactic is still used to compromise unpatched customer systems, a new, less visible method jeopardizes software supply chains and undermines trust in systems patching themselves, which has been critical in protecting against legacy attacks. Instead of waiting for publicly disclosed vulnerabilities, threat actors inject malicious code into products legitimately distributed downstream through the global software supply chain. These next-generation software supply chain compromises have increased significantly in recent years for both open-source and commercial software products. When a maliciously injected software package spreads to multiple consumers, it is much more difficult to contain. Therefore, the customer bears a critical role in ensuring the security and integrity of software. Customers not only acquire the software, but are also responsible for its deployment. In order to avoid network exploitation, they should conduct Supply Chain Risk Management (SCRM) activities to assess threats and define risk profiles during the security requirements process. This article continues to discuss the release of software supply chain guidance for customers.

    NSA reports "ESF Partners, NSA, and CISA Release Software Supply Chain Guidance for Customers"

  • news

    "Luna Moth Ransomware Group Invests in Call Centers to Target Individual Victims"

    Palo Alto Networks Inc.'s Unit 42 released a new report detailing the rise of a ransomware group that has invested in call centers and infrastructure to target individual victims. Luna Moth, also known as the Silent Ransom Group, has been active since March, beginning with a campaign that compromises organizations through fake subscription renewals. To enable corporate data theft, the group used phishing campaigns that deliver remote-access tools. After stealing confidential information, the group threatens to make the files public unless a ransom is paid. The Unit 42 researchers discovered several common indicators suggesting that these attacks stem from a single well-planned campaign. To take their attacks to the next level, Luna Moth has heavily invested in call centers and infrastructure that is unique to each victim. Luna Moth is performing callback phishing, a social engineering attack that requires a threat actor to interact with the target in order to achieve its goals. This attack style requires more resources but is less complex than script-based attacks and has a much higher success rate. Callback phishing, also known as telephone-oriented attack delivery, is not a new method, as it was previously used by the infamous Conti group. However, Luna Moth has evolved in that it no longer employs malware in its attacks, instead relying on legitimate and trusted system management tools to interact directly with a victim's computer and manually exfiltrate data for extortion. By using legitimate tools, Luna Moth can keep the activity from being detected as malicious, so it is unlikely to be flagged by traditional security products. This article continues to discuss Luna Moth's tools and tactics.

    SiliconANGLE reports "Luna Moth Ransomware Group Invests in Call Centers to Target Individual Victims"

  • news

    "Google Seeks to Make Cobalt Strike Useless to Attackers"

    The intelligence research and applications team at Google Cloud has developed and released a set of 165 YARA rules to help defenders identify Cobalt Strike components deployed by attackers. According to Greg Sinclair, a security engineer with the Google Cloud Threat Intelligence (GCTI) team, the goal is to return the tool to the domain of legitimate red teams while making it more difficult for bad actors to abuse. Cobalt Strike, a legitimate adversary simulation tool used by penetration testers and cyber red teams, has also become the post-exploitation tool of choice for threat actors. Although some attackers have shifted to Brute Ratel, DeimosC2, and other similar tools, Cobalt Strike remains a popular choice. The Cobalt Strike vendor employs a vetting process to reduce the possibility of the software being provided to actors who will use it for malicious purposes, but Cobalt Strike has been leaked and cracked over the years. According to Sinclair, these unauthorized versions of Cobalt Strike are just as powerful as their retail counterparts, except that they lack active licenses and thus cannot be easily upgraded. The team examined every cracked version of the tool it could find, looking for unique stagers, attack templates, and beacons that could be used to create precise detection rules. The final YARA rules are available as a collection of community signatures to VirusTotal customers and have been open-sourced so that cybersecurity vendors can use them in their products. This article continues to discuss Google's creation and release of a collection of YARA rules to help defenders flag Cobalt Strike components used by attackers.

    Help Net Security reports "Google Seeks to Make Cobalt Strike Useless to Attackers"

  • news

    "New Ransomware Encrypts Files, Then Steals Your Discord Account"

    In addition to encrypting victims' files and requesting a ransom payment, the new "AXLocker" ransomware family also steals infected users' Discord accounts. When a user logs in with their credentials, Discord sends back a user authentication token that is saved on the computer. This token can be used to log in as the user or to issue Application Programming Interface (API) requests that retrieve information about the associated account. Threat actors often try to steal these tokens because they allow them to hijack accounts or use them for additional malicious attacks. Since Non-Fungible Token (NFT) platforms and cryptocurrency groups have chosen Discord as their community platform of choice, threat actors may be able to conduct scams and steal money if they get their hands on a moderator's token or that of another verified community member. A recent analysis of a sample of the new AXLocker ransomware by Cyble researchers revealed that it not only encrypts files but also steals the Discord tokens of its victims. When activated, the ransomware targets particular file extensions and excludes particular folders. Although this ransomware targets consumers rather than businesses, it could still pose a serious threat to sizable communities. Users who discover that AXLocker has encrypted their computer should change their Discord password, because doing so invalidates the token that the ransomware has stolen. This article continues to discuss findings regarding the new AXLocker ransomware family.

    Bleeping Computer reports "New Ransomware Encrypts Files, Then Steals Your Discord Account"

  • news

    "Google Identifies 34 Cracked Versions of Popular Cobalt Strike Hacking Toolkit in the Wild"

    Google Cloud has revealed that it discovered 34 different cracked release versions of the Cobalt Strike tool in the wild, the first of which shipped in November 2012. The Google Cloud Threat Intelligence (GCTI) team found that these versions, which range from 1.44 to 4.7, total 275 distinct JAR files. Cobalt Strike 4.7.2 is the most recent version. Red teams often use Cobalt Strike, a well-known adversarial framework created by Fortra, to simulate attack scenarios and evaluate the robustness of their cyber defenses. It consists of a Team Server that serves as the command-and-control (C2) hub for remotely commandeering infected devices, a stager built to deliver the next-stage payload, and the Beacon, a fully functional implant that communicates with the C2 server. Due to its extensive feature set, unauthorized versions of the software have increasingly been weaponized by numerous threat actors to advance their post-exploitation activities. This article continues to discuss the identification of 34 different cracked release versions of the Cobalt Strike tool in the wild.

    THN reports "Google Identifies 34 Cracked Versions of Popular Cobalt Strike Hacking Toolkit in the Wild"

  • news

    "SUTD Researchers Developed Phase-Change Key for New Hardware Security"

    As more data is shared and stored digitally, data breaches grow more common, and scientists are exploring novel methods for securing and protecting data from cyberattacks. Researchers at the Singapore University of Technology and Design (SUTD) used phase-change materials to create a new type of reconfigurable, scalable, low-power hardware security device with high resilience to Artificial Intelligence (AI) attacks. According to Assistant Professor Desmond Loke from SUTD, the novel hardware security device they developed could eventually be used to protect data across sectors and industries. The device is a Physical Unclonable Function (PUF), a new type of phase-change PUF that is more scalable, energy-efficient, and secure against AI attacks than traditional silicon PUFs. This is due to the electrical and physical properties of phase-change materials, as well as the fabrication process. The SUTD research team created a set of phase-change devices that can switch reversibly between the disordered amorphous (glassy) state and the ordered crystalline state. They then built the PUF from the variation in the devices' electrical conductance, which stems from the inherent randomness of the manufacturing process. The researchers modeled the characteristics of the actual phase-change devices to simulate a larger number of phase-change-based PUFs. To check the PUF's security, Loke and his team used Machine Learning (ML), a technique that enables AI to examine a system and discover new patterns. The researchers trained the AI on the phase-change PUF to see whether it could use this training to predict the key and identify system vulnerabilities. Resistance to ML attacks makes the PUF more secure because potential hackers could not use a stolen key to reverse engineer a device for later use. If the key is compromised, the phase-change PUF can also immediately generate a new key through its reconfiguration mode. This article continues to discuss the phase-change key developed by SUTD researchers for hardware security.

    SCIENMAG reports "SUTD Researchers Developed Phase-Change Key for New Hardware Security"

  • news

    "The Feds Warn That Hackers Could Hold Midwestern Harvests Hostage With Ransomware"

    American agriculture increasingly relies on software to maintain the country's position as the world's leading food producer. However, this reliance on code-driven machinery has increased the chances of ransomware attacks, which could be especially devastating during harvest. On a farm or ranch, fewer chores are completed without access to the Internet. Farmers use data, Artificial Intelligence (AI), and the Global Positioning System (GPS) to decide where and when to water or fertilize their crops, when to inoculate their livestock, and how to manage their feed. This use of technology has pushed the US to the top of the world's agricultural exporters, but it has also made farms more vulnerable to cyberattacks. FBI Special Agent Eugene Kowel, based in Omaha, emphasized that cybercriminals understand that hacking into US agriculture can result in a large payout. The stakes are even higher during the fall harvest season, when farmers are under pressure to get crops out of the fields as soon as possible and are willing to pay a ransom to get back to work. Hackers take advantage of this time constraint. According to Kowel, six grain companies, including ones in Iowa and Nebraska, were targeted by cyberattacks in 2021. Even after harvest, attackers are constantly looking for weaknesses to extort money from farmers, steal their information, or take control of their operations. George Grispos, a cybersecurity professor at the University of Nebraska at Omaha, researches flaws in agricultural machinery. He believes that the risks will only increase as technology advances and the industry embraces innovations such as precision agriculture and self-driving tractors. He says that agricultural equipment was not designed with security in mind, so there is currently nothing preventing someone from hijacking a piece of machinery, steering it, and transporting it somewhere it should not be. Farmers are urged to practice better "cyber hygiene" by updating software, creating strong passwords, and ignoring suspicious messages. This article continues to discuss the need to improve cybersecurity practices in agriculture.

    HPPR reports "The Feds Warn That Hackers Could Hold Midwestern Harvests Hostage With Ransomware"

  • news

    "White House Begins to Push Federal Post-Quantum Cryptography Migration"

    The US White House's Office of Management and Budget (OMB) has issued a new memo outlining the need for federal agencies to begin the transition to post-quantum cryptography before operational quantum computers become available. The OMB recommended preparatory measures, which include federal entities following President Joe Biden's earlier executive order to strengthen the US cyber defense posture. The new memo requires federal agencies to inventory their current cryptographic hardware and software systems, with an emphasis on high-value assets and high-impact systems that need additional cybersecurity protocols. Agency leadership will then be tasked with compiling this information into a report summarizing their higher-risk information assets and systems for the Office of the National Cyber Director and the Cybersecurity and Infrastructure Security Agency (CISA), to assist in budgeting, planning, and executing the transition from current standards to effective post-quantum cryptography. According to OMB officials, the high-risk systems submitted by agencies will primarily be those handling sensitive data that quantum-enabled attacks could exploit. Agencies have until May 4, 2023, to complete OMB's request, and within 30 days of the memo's release they must designate a lead for collecting cryptographic system information. OMB will continue to issue instructions for gathering the system inventory. The transition to post-quantum cryptographic standards will be the most significant to date, and it will take several years. Within a year of the publication of this new memo, CISA will collaborate with the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) to develop new migration strategies. OMB recommended that, as federal agencies inventory their information systems, they collaborate with software vendors to identify opportunities to test post-quantum cryptography within their networks, echoing the Biden administration's push for public-private sector collaboration. This article continues to discuss new OMB guidance to start the governmentwide effort to protect digital infrastructure from quantum attacks.

    NextGov reports "White House Begins to Push Federal Post-Quantum Cryptography Migration"

  • news

    "Atlassian Patches Critical Vulnerabilities in Bitbucket, Crowd"

    Atlassian has recently informed customers that it has patched critical vulnerabilities in its Crowd and Bitbucket products. In the Bitbucket source code repository hosting service, Atlassian fixed CVE-2022-43781, a critical command injection vulnerability that affects Bitbucket Server and Data Center version 7 and, in some cases, version 8. Atlassian explained that the command injection vulnerability in Bitbucket Server and Data Center is reachable through environment variables. An attacker with permission to control their own username can exploit this issue to execute code on the system. Patches for the flaw have been released for both Bitbucket 7 and 8. Atlassian Cloud sites are not affected. In the case of Crowd, an application security framework that handles authentication and authorization for web-based applications, Atlassian fixed CVE-2022-43782, a critical security misconfiguration issue affecting all versions starting with 3.0.0. Atlassian noted that the vulnerability allows an attacker connecting from an IP address in the allowlist to authenticate as the crowd application by bypassing a password check. Atlassian stated that this would allow the attacker to call privileged endpoints in Crowd's REST API under the usermanagement path. While this security hole has been rated "critical," it can only be exploited from IP addresses in the Crowd application's allowlist in the Remote Addresses configuration. In addition, it only impacts new installations; users who upgraded their installation from a version prior to 3.0.0 are unaffected. Atlassian noted that there does not appear to be any evidence of malicious exploitation and that indicators of compromise (IoCs) have been made available for CVE-2022-43782. It is not uncommon for threat actors to exploit vulnerabilities in Atlassian products in their attacks.

    SecurityWeek reports: "Atlassian Patches Critical Vulnerabilities in Bitbucket, Crowd"

  • news

    "Intel's New Deepfake Detector Can Spot a Real or Fake Video Based on Blood Flow in Video Pixels"

    Deepfakes have proliferated on the Internet in recent years. Deepfakes are pieces of fabricated media that combine an existing image or video with someone else's face or voice to create a new, fictitious depiction of people or events. The continued development of deepfakes may reduce the effectiveness of security systems that use facial recognition technologies for authentication. Furthermore, the realistic appearance of deepfakes has enabled the spread of misinformation, hoaxes, and fraud online. In response, Intel announced "FakeCatcher," a new technology that detects deepfake media with a 96 percent accuracy rate. Deepfakes use Machine Learning (ML) and Artificial Intelligence (AI) technology to create convincing impressions of celebrities and politicians doing and saying things they have not. Existing technologies, which use deep learning to look for signs of digital manipulation, can take hours to dispel web surfers' trust in a deepfake. According to a press release, Intel's FakeCatcher can detect a deepfake in real time by analyzing what makes us human, namely blood flow, in video pixels. Intel's technology can detect changes in the color of a person's veins as blood circulates through the body. Blood flow signals are collected from the face and translated by algorithms to determine whether a video is real or a deepfake. Software that can help identify deepfakes is becoming increasingly important for avoiding negative consequences. Some deepfake videos and images are graphic in nature, while others foster distrust of the media. Scammers have previously used deepfakes to pose as job seekers in order to gain access to sensitive company information. Deepfakes have also been used to make inflammatory statements while impersonating prominent political figures. This article continues to discuss the dangers of deepfakes and the technology developed by Intel to detect them.

    ZDNet reports "Intel's New Deepfake Detector Can Spot a Real or Fake Video Based on Blood Flow in Video Pixels"

  • news

    "Hardware-Assisted Encryption of Data in Use Gets Confidential"

    Data protection is a top priority for organizations responsible for safeguarding their own data and the Personally Identifiable Information (PII) stored and processed on behalf of their business partners and customers. If it is not done correctly, the organization risks losing trust and violating increasingly stringent data protection regulations. The question, then, is what can be done to fortify defenses. The Register surveyed its readership on the subject of Confidential Computing to find out. Those who participated indicated that their company deals with customers from various industry verticals, with financial services accounting for 21.5 percent of the poll. As many respondents work with government agencies as with customers in the healthcare sector (15.3 percent each), followed by education (12.4 percent) and retail (10.7 percent). A little over 10 percent of the respondents work with clients in defense and national security, with 8.5 percent from the manufacturing sector and 6.2 percent from the energy sector. All of these industries will almost certainly collect, store, and process sensitive information from their customers and business partners. After determining the types of organizations that responded, the survey asked which technologies their organization would consider in beefing up security for sensitive data stored in data centers. This question allowed multiple responses, reflecting the fact that cybersecurity is not an either/or proposition and could include the use of several different tools at the same time to protect the information that customers entrust to a company for secure hosting and processing. Encryption of data and applications is the most widely used technology in this regard, with nearly 80 percent of the survey population using it. Given the long history of encryption and the widespread use of Virtual Private Networks (VPNs), disk encryption, encrypted email, and other device-level tools with embedded symmetric (Data Encryption Standard (DES), Advanced Encryption Standard (AES)) and asymmetric (Rivest-Shamir-Adleman (RSA)) technologies, this is to be expected. This article continues to discuss key findings from the survey on the subject of Confidential Computing.

    The Register reports "Hardware-Assisted Encryption of Data in Use Gets Confidential"

  • news

    "Samba Patches Vulnerability That Can Lead to DoS, Remote Code Execution"

    Samba recently released patches for an integer overflow vulnerability that could potentially lead to arbitrary code execution. Samba is an open-source Server Message Block (SMB) implementation for Linux and Unix systems and can be used as an Active Directory Domain Controller (AD DC). Tracked as CVE-2022-42898 and impacting multiple Samba releases, the newly addressed security defect exists in the Service for User to Proxy (S4U2proxy) handler, which provides "a service that obtains a service ticket to another service on behalf of a user." Samba noted that the feature relies on request and response messages from the Kerberos ticket-granting service (TGS) exchange. Heimdal and MIT Kerberos libraries in Samba ensure Kerberos support and implement the Key Distribution Center (KDC). Samba noted that the affected libraries provide an authentication mechanism by means of tickets that can contain Privilege Attribute Certificates (PACs). The bug can be triggered by sending a specially crafted request to the KDC server. Samba stated that because of this vulnerability, on 32-bit systems, an authenticated attacker can overflow the buffer with 16-byte chunks of attacker-controlled data. Successful exploitation of this bug could lead to a denial-of-service (DoS) condition or possibly remote code execution (RCE). Samba noted that 64-bit systems are not vulnerable. Samba 4.15.12, 4.16.7, and 4.17.3 have been released with patches for this security defect. Heimdal 7.7.1 also addresses this bug. The US Cybersecurity and Infrastructure Security Agency (CISA) has encouraged users and administrators to review Samba's advisory and take action if necessary.

    SecurityWeek reports: "Samba Patches Vulnerability That Can Lead to DoS, Remote Code Execution"

  • news

    "Russian Duo Indicted Over E-Book Piracy"

    A Russian couple has recently been indicted for allegedly running one of the world's biggest e-book piracy websites. Anton Napolsky, 33, and Valeriia Ermakova, 27, both of St Petersburg, were arrested on November 3 in Cordoba, Argentina, at the request of the US authorities, according to the Department of Justice (DoJ). The DoJ claimed they ran Z-Library, the self-styled "world's largest library," containing 11 million e-books for download. Online since 2009, the site offered e-books in various file formats stripped of copyright protections, in violation of US law. It also encouraged users to upload their own titles. According to court documents, Z-Library also operated a complex network of 249 linked web domains, all of which have now been taken offline and seized by the US authorities. The FBI stated that the defendants are alleged to have operated, for over a decade, a website whose central purpose was providing stolen intellectual property in violation of copyright laws. The FBI noted that intellectual property theft crimes deprive their victims of both ingenuity and hard-earned revenue. The Russian duo has been charged with criminal copyright infringement, wire fraud, and money laundering, which can carry lengthy sentences in the US. The FBI noted that the defendants profited illegally from work they stole, often uploading works within mere hours of publication, and in the process victimized authors, publishers, and booksellers.

    Infosecurity reports: "Russian Duo Indicted Over E-Book Piracy"

  • news

    "Smart Home Hubs Leave Users Vulnerable to Hackers"

    According to new research from the University of Georgia (UGA) on smart home hubs, convenience may come at the cost of personal security. A smart hub is a centralized device that allows users to control their smart devices from one place. The hub itself connects to the Internet, while the user's individual smart devices do not need to. In theory, hubs make smart device use safer: in the past, cybercriminals have hacked into Internet-connected baby monitors or smart cameras, allowing them to track their targets' movements, and hackers cannot infiltrate a device that is not Wi-Fi enabled. However, UGA researchers created ChatterHub, a system that can successfully reveal the cyber activity of various smart hubs almost 90 percent of the time. According to Kyu Lee, lead author of the study and associate professor in the Franklin College of Arts and Sciences, all traffic to and from a smart home hub is encrypted, but the researchers were able to use Machine Learning (ML) technology to infer much of the activity without decrypting the information. ChatterHub does not need to be physically close to the system it is analyzing, and the attacker does not need prior knowledge of the types of smart devices or the hub manufacturer to do so remotely. Smart hubs send and receive information packets to and from individual devices, allowing users to listen to music through an app, check their Ring camera, and more. As the information packets are encrypted, an outsider cannot read their contents. For example, when a smart home lock is locked, it sends a packet to the hub, which then forwards it to the server, according to Lee. The actual information that the lock has locked cannot be seen, but it is possible to infer that information with high accuracy using patterns, packet size, and packet timing. Although the information is encrypted, attackers can still use it: they can figure out homeowners' daily patterns and whether someone is home at a given time, leaving the homeowner vulnerable to a break-in. This article continues to discuss ChatterHub, the system developed by UGA researchers that can disclose the cyber activity of various smart hubs nearly 90 percent of the time, leaving users vulnerable to hackers.

    UGA Today reports "Smart Home Hubs Leave Users Vulnerable to Hackers"

  • news

    "Costa Rica State of Emergency Declared After Ransomware Attacks"

    Costa Rica declared a state of emergency in late April, following weeks of major ransomware attacks. This measure, usually reserved for dealing with natural disasters, was taken by newly elected President Rodrigo Chaves to free up the government to respond more decisively to the incident. The Conti gang, based in Russia, claimed responsibility for the attack. Meanwhile, the US Department of State offered a $10 million reward for information leading to the arrest of anyone with a key leadership role in the Conti gang. The US also offered $5 million for information leading to the arrest or conviction of any individual in any country who was involved in or attempted to participate in a Conti variant ransomware incident. Chaves declared that his country was "at war" with the attackers, a characterization that was not far off. Conti reportedly urged Costa Ricans to put pressure on their government to pay a $20 million ransom in a message posted to its darknet blog. In another post, Conti warned that it was determined to overthrow the government through a cyberattack. Costa Rica's government refused to pay the ransom and scrambled to restore systems and services. The Costa Rican Treasury informed civil servants that the attack had brought automatic payment services to a halt. Workers were warned that the government would not be able to pay them on time and that they would instead have to apply via email or on paper. The attack also had an impact on the country's foreign trade, disrupting its tax and customs systems and causing import and export logistics to fail. This article continues to discuss the impact of the ransomware attacks on Costa Rica, the Conti gang claiming responsibility for the attacks, and how the Costa Rican government responded.

    Security Intelligence reports "Costa Rica State of Emergency Declared After Ransomware Attacks"

  • news

    "Netflix Phishing Emails Surge 78%"

    Security researchers at Egress are warning that corporate accounts could be at risk after noting a 78% increase in email impersonation attacks spoofing the Netflix brand since October. The researchers warned that if employees use the same credentials for personal accounts like Netflix as for their work accounts, campaigns like this may imperil corporate systems and data. The researchers stated that the group behind this particular campaign is using Unicode characters to bypass the natural language processing (NLP) scanning in traditional anti-phishing filters. Unicode allows browsers to render international scripts, but it can also be used for visual spoofing, exploiting look-alike characters from other scripts to make a fake URL appear legitimate. The researchers noted that Unicode is also used in sender display names such as "Netflix" and "help desk." The threat actors did not stop there: other obfuscation techniques include breaking up the text with non-identifiable characters, using white-on-white text, and mixing characters from different languages to disrupt the NLP's interpretation as much as possible. The researchers stated that the campaign appears to be targeting users primarily in the US and UK.

    Infosecurity reports: "Netflix Phishing Emails Surge 78%"

  • news

    "China-Based Fangxiao Group Behind a Long-Running Phishing Campaign"

    According to Cyjax researchers, a financially motivated group based in China called Fangxiao has been orchestrating a large-scale phishing campaign since 2017. The sophisticated campaign takes advantage of international brand reputations and targets businesses in various industries, including retail, banking, travel, and energy. More than 400 companies were impersonated, including Emirates, Singapore's Shopee, Unilever, Indomie, Coca-Cola, McDonald's, and Knorr. To trick victims into visiting a series of sites owned by advertising agencies, the attackers offer financial or physical incentives via WhatsApp. In addition, Fangxiao registered over 42,000 fake domains that were used to distribute malicious apps and fake rewards. These landing pages prompt visitors to complete a survey in order to win prizes and instruct them to tap a box. The site may require up to three taps for a "win," a high-value gift card. To be eligible for the prize, victims must share the phishing campaign with 5 groups and 20 friends via WhatsApp. In some cases, the Fangxiao landing pages displayed malicious ads that delivered the Triada malware when clicked from an Android device. iOS users are instead redirected to Amazon via an affiliate link, which generates revenue for every purchase made on the platform. The presence of Mandarin text in a web service associated with "aaPanel," as well as domain registration timestamps in China Standard Time, led to the campaign being attributed to a China-linked threat actor. This article continues to discuss the China-based financially motivated group Fangxiao.

    Security Affairs reports "China-Based Fangxiao Group Behind a Long-Running Phishing Campaign"

  • news

    "Microsoft: Royal Ransomware Group Using Google Ads in Campaign"

    According to a new report from Microsoft's Security Threat Intelligence team, the Royal ransomware group used Google Ads in one of its attack campaigns. The ransomware, which first appeared in September and has claimed a number of victims, including one of the UK's best-known motor racing circuits, is being distributed by multiple threat actors. The researchers discovered a malvertising campaign in late October in which the actor Microsoft tracks as DEV-0569 used Google Ads to redirect users to a download site hosting malicious files. Microsoft stated that it reported the abuse of the traffic distribution system to Google. According to the researchers, DEV-0569 relies heavily on malvertising and on phishing links that point to a malware downloader posing as a software installer or update; these links are embedded in spam emails, fake forum pages, and blog comments. Microsoft security researchers have observed changes in the group's delivery methods over the last few months: the use of contact forms on targeted organizations' websites to deliver phishing links, the hosting of fake installer files on legitimate-looking software download sites and in legitimate repositories so that malicious downloads appear authentic to targets, and the expansion of its malvertising by using Google Ads, which lets the lure blend in with normal ad traffic. According to Microsoft, these methods allow the group to reach more targets and expand its victim base. This article continues to discuss new findings regarding the Royal ransomware group.

    The Record reports "Microsoft: Royal Ransomware Group Using Google Ads in Campaign"

  • news

    "Hive Ransomware Has Made $100m to Date"

    According to a new joint advisory released by the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS), the Hive ransomware variant has earned its operators and affiliates around $100 million so far from more than 1,300 companies worldwide. The estimated profits generated by the ransomware-as-a-service (RaaS) variant accrued over a period of around 15 months after it was first observed in June 2021. The advisory noted that victim organizations span various verticals, including government, communications, critical manufacturing, and IT, although the group has a particular focus on healthcare. Hive affiliates have gained initial access to victim networks through phishing emails carrying malicious attachments and by exploiting Microsoft Exchange Server vulnerabilities. They have also targeted remote desktop infrastructure. The advisory warned that Hive actors have been known to reinfect victim networks when organizations restored from backups without paying the ransom.

    Infosecurity reports: "Hive Ransomware Has Made $100m to Date"

  • news

    "Instagram Impersonators Target Thousands, Slipping by Microsoft's Cybersecurity"

    Cybercriminals used a sophisticated phishing campaign impersonating Instagram to target students at national educational institutions in the US. The messages were sent from a valid domain, allowing the credential-theft attempt to slip past both Microsoft 365 and Exchange email protections. According to the Armorblox Research Team, the socially engineered attack, which targeted nearly 22,000 mailboxes, addressed would-be victims by their personalized Instagram handles and warned of an "unusual login" on their account. The login lure is nothing new, but because the messages came from a legitimate email domain, it was much harder for both users and email-scanning technology to flag them as fraudulent, the researchers said. Traditional security training advises checking the sender's domain for obvious signs of fraud before responding; here, a quick scan of the domain would not have alerted the end user, because the domain itself was valid. Phishing has been around long enough that most email users know how to spot a crude attempt, so threat actors have had to become more creative to make phishing emails look legitimate. Furthermore, university-age Instagram users are likely among the most knowledgeable Internet users, having grown up with the technology, which may be why the attackers in this campaign took such care to appear genuine. According to the researchers, the campaign's combination of spoofing, brand impersonation, and a legitimate sending domain allowed the messages to pass not only Office 365 and Exchange protections but also DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and Sender Policy Framework (SPF) alignment checks. Those checks authenticate the domain that sent the message, not the brand named in the display name or body, so a message sent from a domain the attacker legitimately controls passes them even while it impersonates Instagram. This article continues to discuss the socially engineered campaign that used a legitimate domain to send phishing emails to university targets.
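    The point that SPF, DKIM and DMARC verify the sending domain rather than the brand is easy to see in a header check. The following is an added example, not code from the Dark Reading article or from Armorblox: it parses a constructed Authentication-Results header, checks pass results and From-domain alignment the way a DMARC verifier would (with a simplified organizational-domain rule in place of the Public Suffix List), and then adds the brand-versus-domain check that the authentication protocols leave out. The three sample messages, the domains example-edu-mailer.com and attacker.example, and the BRAND_DOMAINS table are all constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Brand-to-domain table, constructed for this example; a production filter
# would maintain a much larger, curated list (assumption).
BRAND_DOMAINS = {
    "instagram": {"instagram.com", "mail.instagram.com"},
}

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
DKIM_DOMAIN_RE = re.compile(r"header\.d=([\w.-]+)", re.IGNORECASE)
SPF_DOMAIN_RE = re.compile(r"smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", re.IGNORECASE)


def org_domain(domain):
    """Reduce a domain to its organizational domain for relaxed alignment.

    Simplification: keeps the last two labels. Real DMARC implementations
    consult the Public Suffix List so that names like example.co.uk work."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_auth_results(header):
    """Extract per-method results plus the DKIM signing domain (header.d)
    and SPF envelope domain (smtp.mailfrom) from an Authentication-Results
    header written in the RFC 8601 style."""
    results = {m.lower(): r.lower() for m, r in AUTH_RESULT_RE.findall(header)}
    dkim = DKIM_DOMAIN_RE.search(header)
    spf = SPF_DOMAIN_RE.search(header)
    return (results,
            dkim.group(1).lower() if dkim else None,
            spf.group(1).lower() if spf else None)


def analyze(raw_message):
    """Return authentication, alignment and brand-impersonation findings."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rsplit("@", 1)[-1].lower()
    results, dkim_domain, spf_domain = parse_auth_results(
        msg.get("Authentication-Results", ""))

    authenticated = all(results.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    # Relaxed DMARC alignment: at least one authenticated identifier must share
    # the organizational domain of the From: header.
    aligned = any(d is not None and org_domain(d) == org_domain(from_domain)
                  for d in (dkim_domain, spf_domain))

    # The check the protocols do not perform: a brand is named in the display
    # name or subject, yet the From: domain is not one that brand owns.
    visible_text = f"{display_name} {msg.get('Subject', '')}".lower()
    impersonated = sorted(brand for brand, domains in BRAND_DOMAINS.items()
                          if brand in visible_text and from_domain not in domains)

    if impersonated:
        verdict = "suspicious"
    elif authenticated and aligned:
        verdict = "clean"
    else:
        verdict = "unauthenticated"
    return {
        "from_domain": from_domain,
        "authenticated": authenticated,
        "aligned": aligned,
        "impersonated_brands": impersonated,
        "verdict": verdict,
    }


# Constructed sample 1: fully authenticated mail from a third-party domain the
# attacker controls, dressed up as an Instagram login alert (the campaign's pattern).
SAMPLE_IMPERSONATION = """\
From: Instagram <security-alerts@example-edu-mailer.com>
To: student@example.edu
Subject: Unusual login detected on your Instagram account
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=security-alerts@example-edu-mailer.com; dkim=pass header.d=example-edu-mailer.com; dmarc=pass header.from=example-edu-mailer.com

Hi @student_handle, we noticed an unusual login to your account. Review it here.
"""

# Constructed sample 2: genuine brand domain, relaxed alignment (signing domain
# is the parent of the From: subdomain).
SAMPLE_GENUINE = """\
From: Instagram <no-reply@mail.instagram.com>
To: student@example.edu
Subject: New login to Instagram
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=no-reply@mail.instagram.com; dkim=pass header.d=instagram.com; dmarc=pass header.from=mail.instagram.com

A new device signed in to your account.
"""

# Constructed sample 3: classic header spoof of the brand domain, which the
# authentication checks do catch.
SAMPLE_SPOOFED = """\
From: Instagram <no-reply@mail.instagram.com>
To: student@example.edu
Subject: Unusual login on your Instagram account
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=bounce@attacker.example; dkim=none; dmarc=fail header.from=mail.instagram.com

Confirm your identity now.
"""

if __name__ == "__main__":
    for name, sample in (("impersonation", SAMPLE_IMPERSONATION),
                         ("genuine", SAMPLE_GENUINE),
                         ("spoofed", SAMPLE_SPOOFED)):
        print(name, analyze(sample))
```

    The first sample passes every authentication and alignment check exactly as the Armorblox messages did, and only the brand-versus-domain comparison marks it suspicious; the third sample shows the case DMARC was designed for, where the From: domain is forged and the checks fail.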

    Dark Reading reports "Instagram Impersonators Target Thousands, Slipping by Microsoft's Cybersecurity"