Search This Blog

Showing posts with label Breach. Show all posts

Hackers Used Fake LinkedIn Job Offer to Steal $625M

 

Earlier this year, Ronin Network (RON), the blockchain network behind the popular crypto games Axie Infinity and Axie DAO, experienced the greatest crypto attack against a decentralised financial network ever reported. 

The United States issued advice in May 2022, stating that highly competent hackers from North Korea were attempting to get work by posing as IT freelancers. The Axie Infinity attack was socially engineered, with the North Korean government-backed hacker organisation Lazarus into Sky Mavis' network by giving one of the company's workers a PDF file carrying malware. Lazarus' participation in such a high-profile breach should come as no surprise. 

In January 2022, analysts from several crypto security organizations concluded that North Korean hackers had stolen $1.3 billion from cryptocurrency exchanges throughout the world, with the famed Lazarus group as their top suspect. 

Axie Infinity Hack 

The employee, an ex-senior engineer at the firm, fell for the trap and opened the PDF, believing it was a high-paying job offer from another company. However, this firm did not exist in reality.

During the recruitment process, the ex-employee disclosed sensitive personal information that attackers utilised to steal from the organisation. Sky Mavis' staff are regularly threatened by sophisticated spear-phishing attempts on multiple social networks, according to the company. In this case, one person, who does not even work at Sky Mavis, was duped. 

How was Ronin hacked? 

According to The Block, at the time of the attack, Axie Infinity had nine validators from its proof-of-authority, an Ethereum-based sidechain Ronin. 

“The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes,” Sky Mavis stated.

To get access to the company's networks, the attacker needed to seize five out of nine validators. The spyware-laced PDF allowed the attacker to gain control of four validators and get entry to the community-run Axie DAO (Decentralized Autonomous Organization), from which they gained control of the fifth validator. After breaching the network, the attackers took $25 million in USDC stablecoin and 173,600 ether (about $597 million) from Axie Infinity's treasury, totaling $625 million in crypto. 

Nonetheless, the Ronin sidechain upped the number of validators to 11 to improve security, and Sky Mavis is reimbursing Axie Players who lost crypto as a result of the hack. In April 2022, the company raised $150 million in funding. 

The US administration alleges that the assault was carried out by the renowned North Korean hacking organisation Lazarus. This organisation specialises in such attacks. This is hardly Lazarus' first foray into the blockchain sector. However, Lazarus using social engineering to infiltrate a company's networks is unusual. In reality, the Slovak internet security company ESET notified LinkedIn users in June 2020 about Lazarus' involvement in a complex LinkedIn recruiting fraud targeting military and aerospace industries.

Lazarus Group Responsible For $100M Crypto-Heist


Cyber security researchers have found Lazarus Group responsible for stealing $100m worth of crypto via Harmony's Horizon Bridge, a California-based company. Lazarus group is a popular North Korean state-sponsored hacking group that was also behind $620 million worth of crypto theft from the Ronin exchange in March. 

Following the incident, the Harmony cybersecurity team was warned of the attack last week by blockchain forensics company Elliptic that the institution has been attacked by a cross-chain bridge. 

“There are strong indications that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds,” Elliptic wrote. 

Additionally, Reuters reported that Chainalysis, a blockchain firm is also investigating with Harmony; it claims that the attack style is similar to previous attacks attributed to North Korea-linked actors.

“On Thursday, June 23, 2022, the Harmony Protocol team was notified of a malicious attack on our proprietary Horizon Ethereum Bridge. At 5:30 AM PST, multiple transactions occurred that compromised the bridge with 11 transactions that extracted tokens stored in the bridge,” the company said in its blog. 

As the name suggests, Blockchain bridges allow users to transfer their crypto assets from one blockchain to another. The malicious actors stole $100 million in crypto assets, including Ethereum (ETH), Binance Coin, Tether, USD Coin, EOS, and Dai. 

Elliptic said that the hack was carried out by compromising the cryptographic keys of a multi-signature wallet, a technique that is popularly used by the suspected groups. 

“Lazarus Group tends to focus on APAC-based targets, perhaps for language reasons referring to the Asia-Pacific region. Although Harmony is based in the US, many of the core team has links to the APAC region,” Elliptic added. 

Further, the report suggests that after two days of attack Harmony offered to pay a $1 million bounty to the group for the return of Horizon bridge funds. Also, researchers reported that they have found the offenders behind the $100 million hack.

All Organisations Must Report Cybersecurity Beaches Within 6 Hours: CERT-In

 

CERT-In, India's computer, and emergency response team released new guidelines on Thursday that mandate that service providers, intermediaries, data centres, and government institutions disclose cybersecurity incidents, including data breaches, within six hours.

The government said in a release, "Any service provider, intermediary, data center, body corporate and Government organization shall mandatorily report cyber incidents [...] to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents."

Compromise of critical systems, targeting scanning, unauthorised access to computers and social media accounts, website defacements, malware deployments, identity theft, DDoS attacks, data breaches and leaks, rogue mobile apps, and attacks against servers and network appliances such as routers and IoT devices are among the types of incidents covered.

The government stated  it was taking these steps to ensure that the required indicators of compromise (IoC) associated with security events are easily accessible to "carry out the analysis, investigation, and coordination as per the process of the law”

Concerned organisations are also required to synchronise ICT system clocks to the National Informatics Centre (NIC) or National Physical Laboratory (NPL) Network Time Protocol (NTP) Server, maintain ICT system logs for a rolling period of 180 days, and necessitate VPN service providers to maintain data such as names, addresses, phone numbers, emails, and IP addresses of subscribers for a minimum of five years, according to the guidelines.

The guidelines also require virtual asset service, exchange, and custodian wallet providers to preserve records on Know Your Customer (KYC) and financial transactions for a period of five years, starting in 60 days.

India's Ministry of Electronics and Information Technology (MeitY) said in a statement, "These directions shall enhance overall cyber security posture and ensure safe and trusted Internet in the country."

Swedish Camera Giant Axis Still Recovering From Cyberattack

 

Recently Camera maker Axis has reported to the public that the company is still struggling with a cyberattack that severely disrupted its IT systems on February 20th. 

The Swedish camera giant has released a statement on its official website and said that the organization was notified from its cybersecurity and intrusion detection system on Sunday before it shut down all its public-facing facilities globally in the wake of the cyberattack. 

Following the incident, the organization has reported that in their ongoing investigation they did not witness any information regarding an attack on their customer and partner data. 

"Our ongoing investigation of the attack has come a long way but is not entirely finalized. So far, we have no indication that any customer and partner data whatsoever has been affected. As far as the investigation currently shows, we were able to stop the attack before it was completed, limiting the potential damage," Axis said on Thursday. 

Furthermore, the company added that the external services of the company have been successfully recovered from the attack, and they are working towards restoring the remaining services.

“Most prioritized external services have now been restored. Restoring the remaining services is our highest priority, together with doing it in a way that does not jeopardize security. The time of disconnected services and limited possibilities to communicate with Axis has been an unfortunate but necessary consequence. Our gradual entry into a post-attack normal is based on changes that help us avoid similar future situations,” the company added. 

The company declared the outages on Twitter handle however it did not entertain requests for further comments. On its status site Friday afternoon, the company said its Case Insight tool in the US and the Camera Station License System were dealing with partial outages.

Hacker Hacked Multiple High-profile FIFA 22 Accounts by Phishing EA Support Agents

 

Electronic Arts (EA) has cited "human error" within its customer experience team for a recent wave of high-profile FIFA Ultimate Team account takeovers, with some individuals falling victim to a socially engineered phishing attack. 

EA initiated an inquiry after several top traders in FIFA's Ultimate Team game complained that their accounts had been taken over and emptied of points and thousands of dollars in-game currency last week. Phishers were able to hack less than 50 top trader accounts by "exploiting human error" among EA's customer care employees, according to a post on the company's website on Tuesday. 

The company stated, “Utilizing threats and other ‘social engineering’ methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts.” 

Ultimate Team is an online soccer game in which players create virtual squads of real-life competitive players and compete against other online teams. Top traders acquire a substantial amount of in-game currency and points by exchanging individuals and forming diverse teams. 

EA eventually identified was a situation described online by traders who posted screenshots of unusual account behaviour, such as attackers calling EA's customer service via the live chat feature and demanding that an account's email address be altered. While many of these requests were ignored, at least one customer service representative eventually gave in to pressure and altered an account holder's email address. This necessitated the staffer circumventing security processes that require extra verification from account owners, according to a Twitter user and Ultimate Team trader called FUT Donkey, who stated his account had been hacked. 

Response & Impact: 

In response to the incident, EA will require "EA advisors and individuals who assist with the service of EA accounts" to get individual re-training, as well as additional team training primarily focused on security, practices, and phishing techniques, according to the company. 

EA will also add stages to the account ownership verification procedure in FIFA Ultimate Team, including "mandatory managerial permission for all email change requests," according to the company. 

According to the company's article, it will also upgrade its customer experience software to clearly evaluate and identify suspicious behavior and at-risk accounts to further restrict the potential for human mistakes in the account update process. 

The incident should serve as a warning to other gaming platforms: Hackers that attack these sites will continue to show off their skills, just as top traders compete for accolades and currency within the game, according to another security specialist in an email to Threatpost. 

Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify stated, “Gamers and streamers are a massive global trend across social media platforms, capturing the attention of millions who want to know their secret techniques on how they get to the next level.” 

“Hacking is now also becoming a glorified streamed event with the world’s top hackers streaming their hacking skills online, showing off new techniques and methods on how to bypass security and get the initial foothold.” 

Unfortunately for gaming platforms, he noted in his email that this new trend will "certainly grow and manifest in the year ahead."

Global Telecom Firm Syniverse Secretly Reveals 5-Year Data Breach

 

Telecom giant Syniverse secretly revealed to the Securities and Exchange Commission last week that attackers have been inside its systems over the past five years, impacting hundreds of business clients and potentially millions of users globally. 

Syniverse handles nearly 740 billion text messages every year, and some of its customers include major firms such as Airtel, China Mobile, AT&T, Verizon, Vodafone, and T-Mobile. 

The world’s largest companies and nearly all mobile carriers rely on Syniverse’s global network to seamlessly bridge mobile ecosystems and securely transmit data, enabling billions of transactions, conversations, and connections [daily],” Syniverse wrote in a recent press release. 

Syniverse disclosed in a filing on September 27 with the U.S. Security and Exchange Commission that hackers had access to its data for years. The private records of more than 200 customers were compromised due to a security flaw that impacted its database. 

Following the discovery, the telecom giant started an internal investigation in order to determine the scope of the attack. The investigation revealed that that unauthorized access to the company’s system has been ongoing since May 2016; the breach went undetected until May 2021. 

“The results of the investigation revealed that the unauthorized access began in May 2016. Syniverse’s investigation revealed that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (“EDT”) environment was compromised for approximately 235 of its customers,” the company stated in its SEC filing.

According to a source who works at Syniverse, the attackers could have gained access to call records and message data, such as call length and cost, caller and receiver’s numbers, the location of the calling parties, the content of SMS text messages, and more. 

“Syniverse is a common exchange hub for carriers around the world passing billing info back and forth to each other. So, it inevitably carries sensitive info like call records, data usage records, text messages, etc. […] The thing is—I don’t know exactly what was being exchanged in that environment. One would have to imagine though it easily could be customer records and [personal identifying information] given that Syniverse exchanges call records and other billing details between carriers,” an industry insider told Motherboard.

FireEye: Transportation and Telecom Firms Being Hit in Chinese Espionage

 

According to security firm FireEye, a massive Chinese espionage operation against US and European government entities includes four new hacking tools and reaches more commercial sectors than previously reported. 

Two China-linked gangs — as well as additional hackers that investigators did not name — have used virtual private network software in breaches affecting the transportation and telecommunications industries. The breaches had previously only been identified as affecting the defense, banking, and government sectors, according to the firm. 

The intruders are using Pulse Connect Secure, a popular VPN product, to break into networks and steal critical data. According to Mandiant, FireEye's incident response arm, many of the hacked firms "operate in verticals and industries aligned with Beijing's strategic objectives" specified in the Chinese government's latest "Five Year Plan" for economic growth. 

According to Sarah Jones, senior principal analyst at Mandiant Threat Intelligence, most of the breaches have been carried out by a group called UNC2630, which appears to work on behalf of the Chinese government. Four other pieces of malware are being used by the alleged Chinese hackers to collect data and cover their tracks. 

In a blog post published Thursday, Mandiant analysts said, “Chinese cyber-espionage activity has shown a larger tolerance for risk and is less restrained by diplomatic considerations than previously characterized.” 

In a separate incident disclosed by Microsoft in March, alleged Chinese spies used vulnerabilities in the Exchange Server software to steal email inboxes from U.S. firms. Some researchers said that the intrusions were unethical because the malicious code left on victims' systems could have been exploited by a variety of financially motivated criminals. 

On Thursday, a request for comment on Mandiant's findings was not immediately answered by a representative for the Chinese Embassy in Washington, D.C. Beijing consistently denies carrying out cyberattacks. Responding to the alleged Chinese attacks as well as a suspected Russian operation that used SolarWinds software has been a time-consuming process for US officials. 

Pulse Connect Secure is used by at least 24 federal entities, with some national-security-focused research laboratories openly announcing the use of the software. According to a representative from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Pulse Connect Secure cyberattack may have compromised at least five civilian agencies.  

According to the security firm, the claimed Chinese spies covered up traces of many of their hacks in some of the Pulse Connect breaches as Mandiant prepared to reveal the operation last month.

“The greater ambition and risk tolerance demonstrated by Chinese policymakers since 2019 indicate that the tempo of Chinese state-sponsored activity may increase in the near future and that the Chinese cyber threat apparatus presents a renewed and serious threat to U.S. and European commercial entities,” the Mandiant analysts alerted.

US Cybersecurity Company FireEye Hacked by 'Nation-Backed' Threat Actors


On Tuesday, one of the leading cybersecurity firms, FireEye said that it has been attacked by "highly sophisticated" state-sponsored hackers who stole the company's valuable hacking tools used for testing customers' security and computer networks. The attack was heavily customized to breach FireEye's systems. 
 
The breach substantiated the biting reality that the most advanced security vendors out there, primarily to protect others from intrusions can also be targeted and consequently hacked. Notably, the attacker mainly sought data of some government customers, using an unprecedented combination of tactics, according to the firm. CEO Kevin Mandia in his blogpost characterized the attack as a 'highly targeted cyberattack', a kind never witnessed before. So far, no customer data seem to be accessed by the attackers. 
 
There are a number of speculations about who might have performed the attack, however, the firm gave no clarity about the origins of the attackers and is investigating the matter along with the FBI. In a similar context, Mandia indicated in his blog post that the nation responsible for the attack is someone with world-class offensive capabilities as the unfamiliarity of the attack speaks volumes about the top-notch capabilities tailor-made to attack FireEye.  
 
On the basis of his 25 years of experience in cybersecurity, Mr. Mandia further said in his Saturday's blog that this attack was “different from the tens of thousands of incidents we have responded to throughout the years,” and “used a novel combination of techniques not witnessed by us or our partners in the past.” 
 
“These tools mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers,” the company said in the filing. “Consistent with our goal to protect the community, we are proactively releasing methods and means to detect the use of our stolen Red Team tools.” 
 
While giving insights, a CISA spokesperson told, "As details are made available we are working to share and implement countermeasures across the federal networks and with our private sector partners," 
 
Meanwhile, FireEye has been said to have a "ringside seat" for some of the most advanced intrusions carried out globally by Mike Chapple, a former NSA official who's currently working at the University of Notre Dame as a cybersecurity expert.

33.4 Billion Records Exposed In Breaches Due To Cloud Misconfigurations?


With the rise in the number of records ‘exposed’ by cloud misconfigurations year after year from 2018 to 2019 by 80%, there is an evident ascent in the total cost to organizations related with those lost records. As organizations keep on embracing cloud services quite swiftly however they neglect to implement legitimate cloud security measures, sadly, specialists anticipate that this upward trend would remain.


Charles “C.J.” Spallitta, Chief Product Officer at eSentire says, “The rush to adopt cloud services has created new opportunities for attackers – and attackers are evolving faster than companies can protect themselves. The fact that we have seen a 42% increase from 2018 to 2019 in cloud-related breaches attributed to misconfiguration issues proves that attackers are leveraging the opportunity to exploit cloud environments that are not sufficiently hardened. This trend is expected to continue as more organizations move to the cloud,”

“Additionally, common misconfiguration errors that occur in cloud components expand and advance the attacker workflow. Real-time threat monitoring in cloud assets is critical, given the unprecedented rate of scale and nature of cloud services. Organizations should seek-out security services that distill the noise from on-premise and cloud-based security tools while providing broad visibility to enable rapid response when threats are found,” Spallitta concluded.


Key report findings: 
  1. 81 breaches in 2018; 115 in 2019 – a 42% increase
  2. Tech companies had the most data breaches at 41%, followed by healthcare at 20%, and government at 10%; hospitality, finance, retail, education, and business services all came in at under 10% each
  3. 68% of the affected companies were founded prior to 2010, while only 6.6% were founded in 2015 or later
  4. 73 (nearly 42%) of known affected companies experienced a merger or acquisition (M&A) transaction between 2015 and 2019, which indicates cloud security is an area of risk for companies involved in merging disparate IT environments
  5. Elasticsearch misconfigurations accounted for 20% of all breaches, but these incidents accounted for 44% of all records exposed
  6. The number of breaches caused by Elasticsearch misconfigurations nearly tripled from 2018 to 2019
  7. S3 bucket misconfigurations accounted for 16% of all breaches, however, there were 45% fewer misconfigured S3 servers in 2019 compared to 2018 
  8. MongoDB misconfigurations accounted for 12% of all incidents, and the number of misconfigured MongoDB instances nearly doubled YoY


Imperva Firewall Breached: Users API keys, SSL Certificates Exposed



Imperva, a leading security vendor, disclosed a security breach which exposed API keys, SSL certificates, scrambled passwords and email addresses for a subset of its customers using the Cloud Web Application Firewall (WAF) product.

Previously known as, Incapsula, the Cloud WAF examines the incoming requests into applications and obstructs any kind of malicious activity.

The breach was made known to the California based firm by a third party on August 20 and the details of the disclosure are yet to be made public.

In conversation with the Threatpost, Chris Morales, Head of Security Analytics at Vectra, said, “Losing SSL certificates and API access to an enterprise network is concerning. Secure web gateways, firewalls, intrusion detection, and prevention systems, and data loss prevention (DLP) products all perform some form of SSL intercept and decryption to perform DPI,”

“While we often point to lack of maturity of security operations or misconfiguration of cloud systems as to why a company would miss an attack, it is even more unfortunate when a security vendor who builds a cloud security product is compromised that should have the skills and capabilities to detect and respond to cyberattacks,” He further told.

Referencing from the writings of CEO, Chris Hylen, “We want to be very clear that this data exposure is limited to our Cloud WAF product… Elements of our Incapsula customer database through September 15, 2017, were exposed. These included: email addresses; hashed and salted passwords. And for a subset of the Incapsula customers through September 15, 2017: API keys and customer-provided SSL certificates.”

Assuring the users, he told, “We continue to investigate this incident around the clock and have stood up a global, cross-functional team.”

As a remedial measure, Imperva brought into force password resets and 90-day password expiration for the product which notably is a key component of the company's leading application security solution.








Major Breach of Biometric Systems Exposes Information of More Than 1 Million People



In a vulnerability found by Israeli security researchers there occurred a rather major breach of biometric systems that left data of more than 1 million individuals 'exposed' in an openly accessible database.

The frameworks influenced were said to have been utilized by the UK Metropolitan police, defence contractors, and banks, for fingerprint and facial recognition purposes.
It all started when the researchers found that the biometric data on 'Suprema's web-Biostar 2 platform' that controls access to secure facilities, was unprotected and 'mostly unencrypted.'

The affected database included 27.8 million records, totalling 23 gigabytes of data. A small and simple manipulation of the URL search criteria enabled access to the data as well as allowed room for some changes.

Purportedly, the researchers have now been searching for familiar IP blocks to further use these in order to discover holes in company’s frameworks that could conceivably prompt data breaches.
We were able to find plain-text passwords of administrator accounts. The access allows first of all seeing millions of users are using this system to access different locations and see in real time which user enters which facility or which room in each facility, even. We [were] able to change data and add new users,” – Rotem and Locar, the security researchers.

Despite the fact that the vulnerability has been fixed, be that as it may, it is still in the news as the size of the breach was disturbing because the affected service is currently in use in approximately 1.5 million areas over the world.