Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label CERT. Show all posts
Identity Theft
CERT Cyberattack CyberCrime Dark Web Data Breach Digital Vulnerability FBI Hospitality Security Identity Theft

Cybercriminals Steal Thousands of Guest ID Documents from Italian Hotels

 


Thousands of travellers have been left vulnerable to cyberattacks caused by hotel systems that have been breached by a sweeping cyberattack. Identities that have been stolen from hotel systems are now circulating on underground forums. According to the government's Agency for Digital Italy (CERT-AGID), the breach has now become among the most significant data security incidents to have struck the country's tourism industry in recent years due to the breach that has been confirmed by the agency. 

According to an FBI report, a hacker using the alias “mydocs” is suspected of gaining access to hotel reservation platforms from June to August, allowing them to download high-resolution copies of passports, identification cards, and other identity documents obtained during guest check-in. This hacker has been selling a total of over 90,000 documents on well-known cybercrime forums, spread across a number of batches. 

Hotels and Guests Caught Off Guard

A total of ten hotels have been confirmed to have been affected by the theft, but officials warn that this number may increase as the investigation continues. It has been observed that CERT-AGID has already intercepted at least one attempt to resell the data illegally, which suggests that much of the information being offered is genuinely accurate rather than exaggerated, as is often the case within cybercriminal circles. Passports, as well as national identification cards, are of particular value because of their potential for abuse, which means that they are particularly valuable. 

There is a possibility that fraudsters can exploit this information to create false identities, open accounts with banks, or launch sophisticated social engineering attacks in an effort to fool the victim into divulging even more personal information. It is stated in the CERT-AGID public advisory that the possible consequences for those affected are "serious, both legally and financially." 

The Scale of the Breach

Hotels are being questioned about how much information they keep, and for how long, based on the scope of the breach. In spite of the fact that the incidents are believed to have occurred between June and July, investigators can't rule out the possibility that years of archived guest scans were hacked. Several travelers would have been affected beyond the tens of thousands confirmed to have been affected, which is a significant increase in the number of affected travellers. 

There has been a report on the Ca’ dei Conti in Veneto, a four-star hotel in Venice, that was among the properties that were targeted. According to Corriere del Veneto, as many as 38,000 guest records have been gathered at this hotel, which demonstrates just how large the attack has been. It has been reported that stolen data is being offered on the dark web for sale at a price ranging from $937 to $11,714 per tranche, depending on the size and type of the data. 

A Familiar Target for Cybercriminals 

There has been a troubling pattern of attacks in the hospitality sector for some time now. As a result of collecting a combination of financial and identity data from millions of guests each year, hotels have always been a target for hackers. Due to their old IT systems, fragmented digital platforms, and global nature, they are a relatively easy target and high in value. 

In April of this year, CERT-AGID interrupted a separate smishing campaign aimed at stealing Italian citizens' identification documents. It was found that the attackers asked victims to send selfies with their identification cards as a way to increase the value of stolen credentials for fraudulent activity and impersonation schemes. This was done as a result of the fact that multiple, unrelated operations have emerged within the last few months, demonstrating the growing demand for identity data on criminal markets for a variety of reasons. 

How the Data Can Be Abused

It is important to note that cybersecurity experts warn that stolen identity scans can be reused in several ways that travellers might not anticipate. Besides the obvious risks of opening a bank account or applying for a loan, criminals can also use this information to rent properties or commit tax fraud or circumvent identity checks on the web. These documents can form the basis of long-term fraud campaigns when combined with other leaked information, such as email addresses and telephone numbers, that has been leaked. 

The authorities are warning anyone who stayed in an Italian hotel over the summer to keep an eye out for red flags such as credit inquiries, unusual account activity, or unsolicited bank correspondence. It is not uncommon for the first signs of misuse to emerge weeks or even months after the initial breach has taken place. 

Industry Response and Urgency 

It has been urged that hotels and other organisations that handle identity information take immediate steps to strengthen their defences. In the agency's advisory, it was stressed that businesses had to go beyond simply complying with data processing laws, and should adopt robust digital security practices, from encrypted storage to stronger authentication protocols as well as regular audits of their systems. 

The increase in illicit identity document sales confirms that increased awareness and protective measures should be taken by both the organisations that manage them and the citizens themselves, according to a statement released by the agency. Italy, where tourism is a significant part of its national economy, faces both economic and reputational risks as a consequence of the incident. 

There are millions of visitors who each year submit sensitive information to websites in the hope that their privacy will be protected. Experts warn, however, that if breaches of this scale continue, it will have a long-term impact on public trust in the industry. 

A Warning for the Global Hospitality Industry

There is no doubt that the "mydocs" case is a wake-up call for Italy, but it is also a wake-up call for the entire international hotel industry. Hotels around the world have adopted digital check-in tools and automated identification verification tools for the purpose of protecting sensitive data, often without the required security measures to protect them. 

As investigators continue to uncover the extent of this breach, it is becoming increasingly clear that cybersecurity must now take precedence in an industry where efficiency and convenience often dominate. When there is no stronger protection in place, hotels risk becoming prime hunting grounds for identity thieves, leaving guests to pay for their actions long after they have checked out of their hotel. 

Hotel businesses in Italy are facing a breach that is more than a cautionary tale. It is also an opportunity for their approach to digital trust to be reevaluated. The problem with maintaining guests’ confidence has become increasingly important in an age where privacy and security are key components of customer expectations, and hotels and tourism operators face the challenge of complying with regulatory requirements as well. 

Providing a high-quality service to guests must include a strong emphasis on cybersecurity, just as much as comfort and convenience. Investing in stronger encryption systems, secure data storage, periodic penetration testing, and employee awareness programs can considerably reduce risks, while partnering with cybersecurity firms may allow people to add a further layer of protection.

It is also important for guests to take steps to safeguard themselves against misuse of their credit reports by monitoring credit reports, using identity protection services, and limiting the sharing of unnecessary documents during check-in. The headlines of this incident emphasise the alarming reality of stolen identities, but if this incident prompts meaningful change in the future, it is likely to be one of resilience. 

Taking decisive action now could not only enable Italy's hospitality sector to recover from this blow but also be a driving force in setting a new benchmark for digital safety in global tourism in the future.
Read more »
ToolShell
CERT Croatia phishing Ransomware RBI Research ToolShell

Croatia’s Largest Research Institute Hit by Ransomware in Global ToolShell Exploits




The RuÄ‘er BoÅ¡ković Institute (RBI) in Zagreb — Croatia’s biggest science and technology research center has confirmed it was one of thousands of organizations worldwide targeted in a massive cyberattack exploiting Microsoft SharePoint’s “ToolShell” security flaws.

The incident occurred on Thursday, July 31, 2025, and resulted in ransomware being installed on parts of the Institute’s internal network. According to RBI’s statement, the affected systems were linked to its administrative and support operations, with attackers encrypting documents and databases to block access.


Refusing to Pay the Hackers

Unlike some victims, RBI has stated it will not pay the ransom. Instead, the Institute plans to follow strict security protocols, restore affected systems from backups, and upgrade its infrastructure to meet modern cybersecurity standards.

Past reports indicate that ToolShell vulnerabilities have been used to spread two strains of ransomware — Warlock and 4L4MD4R but RBI has not yet confirmed which variant hit its systems.


Restoration Underway

Recovery work is ongoing, with some systems already back online. Email services were restored the Friday after the attack, and the Institute is slowly bringing other parts of its network back into operation. A completely new IT system is also being built to improve defenses and reduce future risks.

The response involves not just RBI’s internal team but also the Ministry of the Interior, Croatia’s national CERT, and other cybersecurity agencies. A detailed forensic investigation is still in progress.


Possible Data Exposure

It’s still unclear whether the attackers accessed personal information. Croatia’s Personal Data Protection Agency has been notified, and the Institute has pledged to act in line with GDPR rules if any breach of personal data is confirmed.

As a precaution, RBI’s data protection officer has already warned staff that some sensitive information, such as personal ID numbers, addresses, financial reimbursements, and other records may have been stolen. Employees were advised to stay alert for phishing emails pretending to be from the Institute or official authorities.


Part of a Global Problem

RBI is one of at least 9,000 institutions worldwide affected by attacks using the same ToolShell vulnerabilities. These flaws in Microsoft SharePoint have become a major cybercrime tool, enabling hackers to infiltrate networks, steal or lock data, and demand large ransom payments.

While the Institute continues its recovery, the attack is a reminder that even highly respected research organizations can be vulnerable, and that refusing to pay ransom demands can be both a security stance and a financial gamble.

Read more »
phishing
AI Deepfakes CERT Cyber Security Fraud phishing

How to Protect Your Small Business from Cyber Attacks

 


It so coincided that October was international cybersecurity awareness month, during which most small businesses throughout Australia were getting ready once again to defend themselves against such malicious campaigns. While all cyber crimes are growing both here and all around the world, one area remains to be targeted more often in these cases: the smaller ones. Below is some basic information any small businessman or woman should know before it can indeed fortify your position.

Protect yourself from Phishing and Scamming.

One of the most dangerous threats that small businesses are exposed to today is phishing. Here, attackers pose as trusted sources to dupe people into clicking on malicious links or sharing sensitive information. According to Mark Knowles, General Manager of Security Assurance at Xero, cyber criminals have different forms of phishing, including "vishing," which refers to voice calls, and "smishing," which refers to text messages. The tactics of deception encourage users to respond to these malicious messages, which brings about massive financial losses.

Counter-phishing may be achieved by taking some time to think before answering any unfamiliar message or link. Delaying and judging if the message appears suspicious would have averted the main negative outcome. Knowles further warns that just extra seconds to verify could have spared a business from an expensive error.

Prepare for Emerging AI-driven Threats Like Deepfakes

The emergence of AI has provided new complications to cybersecurity. Deepfakes, the fake audio and video produced using AI, make it increasingly difficult for people to distinguish between what is real and what is manipulated. It can cause critical problems as attackers can masquerade as trusted persons or even executives to get employees to transfer money.

Knowles shares a case, where the technology was implemented in Hong Kong to cheat a finance employee of $25 million. This case highlights the need to verify identities in this high-pressure situation; even dialling a phone can save one from becoming a victim of this highly sophisticated fraud.

Develop a Culture of Cybersecurity

Even a small team is a security-aware culture and an excellent line of defence. Small business owners will often hold regular sessions with teams to analyse examples of attempted phishing and discuss awareness about recognising threats. Such collective confidence and knowledge make everyone more alert and watchful.

Knowles further recommends that you network with other small business owners within your region and share your understanding of cyber threats. Having regular discussions on common attack patterns will help businesses learn from each other's experiences and build collective resilience against cybercrime.

Develop an Incident Response Plan for Cyber

Small businesses typically don't have dedicated IT departments. However, that does not mean they can't prepare for cyber incidents. A simple incident-response plan is crucial. This should include the contact details of support: trusted IT advisors or local authorities such as CERT Australia. If an attack locks down your systems, immediate access to these contacts can speed up recovery.

Besides, a "safe word" that will be used for communication purposes can help employees confirm each other's identities in such crucial moments where even digital impersonation may come into play.

Don't Let Shyness Get in Your Way

The embarrassment of such an ordeal by cyber crooks results in the likelihood that organisations are not revealing an attack as it can lead the cyber criminals again and again. Knowles encourages any organisation affected to report suspicions of the scam immediately to bankers, government, or experienced advisors in time to avoid possible future ramifications to the firm. Communicating the threat is very beneficial for mitigating damages, but if nothing was said, chances are slim to stop that firm further from getting another blow at that point of time in question.

Making use of the local networks is beneficial. Open communication adds differences in acting speedily and staying well-informed to build more resilient proactive approaches toward cybersecurity.


Read more »
URL Shortener
CERT Critical Flaw cyber security agency DHS DNS attacks Domain Malicious actor Phising Attacks unauthorised access URL URL Shortener

PUMA Network: Unmasking a Cybercrime Empire

A massive cybercrime URL shortening service known as "Prolific Puma" has been uncovered by security researchers at Infoblox. The service has been used to deliver phishing attacks, scams, and malware for at least four years, and has registered thousands of domains in the U.S. top-level domain (usTLD) to facilitate its activities.

Prolific Puma works by shortening malicious URLs into shorter, more memorable links that are easier to click on. These shortened links are then distributed via email, social media, and other channels to unsuspecting victims. When a victim clicks on a shortened link, they are redirected to the malicious website.

Security researchers were able to track Prolific Puma's activity by analyzing DNS data. DNS is a system that translates domain names into IP addresses, which are the numerical addresses of websites and other devices on the internet. By analyzing DNS data, researchers were able to identify the thousands of domains that Prolific Puma was using to deliver its malicious links.

Prolific Puma's use of the usTLD is particularly noteworthy. The usTLD is one of the most trusted TLDs in the world, and many people do not suspect that a link with a usTLD domain could be malicious. This makes Prolific Puma's shortened links particularly effective at deceiving victims.

The discovery of Prolific Puma is a reminder of the importance of being vigilant when clicking on links, even if they come from seemingly trusted sources. It is also a reminder that cybercriminals are constantly developing new and sophisticated ways to attack their victims.

Here are some tips for staying safe from Prolific Puma and other malicious URL shortening services:

  • Be wary of clicking on links in emails, social media posts, and other messages from unknown senders.
  • If you are unsure whether a link is safe, hover over it with your mouse to see the full URL. If the URL looks suspicious, do not click on it.
  • Use a security solution that can detect and block malicious links.
  • Keep your web browser and operating system up to date with the latest security patches.

The security researchers who discovered Prolific Puma have contacted the United States Computer Emergency Readiness Team (US-CERT) and the Department of Homeland Security (DHS) about the service. Both agencies are working to take down Prolific Puma's infrastructure and prevent it from being used to launch further attacks.

Prolific Puma is not the first malicious URL-shortening service to be discovered. In recent years, there have been a number of other high-profile cases of cybercriminals using URL shortening services to deliver malware and phishing attacks.

The discovery of Prolific Puma is a reminder that URL shortening services can be abused for malicious purposes. Users should be cautious when clicking on shortened links, and should take steps to protect themselves from malware and phishing attacks.

Read more »
VMware
CERT CISA & FBI CVE vulnerability Encryption malware Patch Fix Ransomware Attacks. VMware

Ransomware Targeting VMware ESXi Servers Rises

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint advisory warning about an ongoing ESXiArgs ransomware campaign targeting unpatched and out-of-service or out-of-date versions of the VMware ESXi hypervisor for virtual machines (VMs).

The OpenSLP service contains a heap overflow bug that can be exploited by unverified threat actors in simple attacks. This security hole is identified as CVE-2021-21974 on the CVE database. 3,800 VMware ESXi servers around the world have reportedly been compromised, potentially rendering any running VMs useless, as per CISA.

Application of the patch as soon as feasible is strongly advised by CERT-FR, but it also says that systems that are not patched should be checked for indicators of compromise.

Although it has since moved to North America, the ESXiArgs ransomware appears to have begun attacking servers in Europe around February 3. Organizations should isolate impacted servers, reinstall ESXi 7. x or ESXi 8. x in a supported version, and apply any patches, according to the French computer emergency response team (CERT).

Updated ESXiArgs Ransomware

On infected ESXi hosts, the ransomware encrypts files with the. vmxf,.vmx,.vmdk,.vmsd, and. nvram extensions and produces a.args file for each encrypted document with metadata.

The research shows that ESXiArgs is based largely on stolen Babuk source code, which has previously been used by other ESXi ransomware attacks, including CheersCrypt and the PrideLocker encryptor from the Quantum/Dagon group. It is unclear whether this is a new variety or simply a shared Babuk codebase because the ransom notes for ESXiArgs and Cheerscrypt are quite similar but the encryption technique is distinct.

CISA and FBI urged owners of VMware ESXi servers to upgrade them to the most recent version, harden ESXi hypervisors by turning off the SLP service and make sure the ESXi hypervisor is not accessible through the open internet.

Read more »
Technology
CERT Cyber Attacks CYBER Research Cybersecurity malware NIC Technology

Defending Data Breaches Through Cybersecurity

 


This year the government has been working on a cybersecurity strategy that aims to thwart the risk of data breaches, which has been considered a top priority since 2020. In light of a series of ransomware attacks concerning critical data that may have been compromised in recent months, experts and officials view these measures as imperative to protect against such attacks. 

There has been a recent breach of Solar India Industries Limited, which is a company that supplies defense-related equipment, and the All India Institute of Medical Sciences (AIIMS), which is a leading research and healthcare organization in the country, that was reported to be the work of attackers in the last couple months. 

One of the strategies is to assess the severity of several vertical segments of data breaches, according to a person familiar with the matter. As part of these mitigation measures, a national threat intelligence exchange is being set up. A malware repository is being created. Baseline audits are being conducted, and awareness events such as Cyber Week are being planned. 

There is a three-pronged strategy centered on people, processes, and technology. A prime example is the people vertical, which entails improving cyber hygiene so that more cybersecurity professionals are trained and increasing cyber hygiene education. 

The document contains recommendations for processes, a plan for managing cybercrime crises, a standard operating procedure, and a privilege system. This is to ensure that users are given the minimum access to the system. 

There is no need for firewalls to be installed, intrusion prevention systems to be installed, behavioral analysis tools to be installed, network segmentation to be created, and offline backups to be configured. 

According to one of the officials mentioned above, some of these investment areas have already been taken on by the government. 

Aside from the National Informatics Centre (NIC), the government is also looking to revamp the Department of Information and Communication Technology, which is responsible for storing most of the government's information, as well as providing IT solutions to the government. 

The Indian National Security Council Secretariat has been conceptualizing a policy for the past two years under the leadership of Lieutenant General Rajesh Pant. He is the head of the National Security Council Secretariat. An emerging threat in the technology sector is being addressed through a policy called the National Cyber Security Strategy, 2021. This policy identifies the need for a legislative framework to address this challenge. 

To better protect data and ensure that data breaches are reported and punished, the federal ministry of electronics and information technology is drafting a digital data protection bill to govern the process of reporting and penalizing data breaches. The former official mentioned above pointed out the need for a system of regular auditing systems to make sure that data breaches are minimized. He also pointed out that an overarching mechanism is in place to ensure this happens. 

Based on a response to a question in parliament, according to the answer to the question, there were 41,378 cyber security incidents in 2017 and 1,267,564 announced in 2022. 

The government also replied to a question in the context of cyberspace being anonymous, and borderless, and now incorporating different types of devices and services into it. It uses technological innovations and innovation to make it even more sophisticated and complex. 

CERT-In is a national nodal agency responsible for incident response in the country as well as collecting information on cyber incidents that occur to Indian users. Any data breach affecting Indian users must be reported to the Indian Computer Emergency Response Team. The ministry of electronics and information technology informed Parliament on November 16 that there were a total of 14, 6, and 22 incidents identified between the years 2020, 2021, and 2022 (until November) according to the information reported to CERT-In and tracked by it. 

It was also reported to Parliament that between June 2018 and March 2022, Indian banks reported 248 data breaches that resulted in the leak of card-related information from their systems. 

There is no single National Cyber Security Strategy that can be effective without the inclusion of robust resilience measures, which is the view of Supreme Court lawyer NS Nappinai, the founder of Cybersaathi. Consequently, it is only this kind of thing that can protect us in the event of a black swan occurring. There have always been and will always be cyber security threats, but what protects against attacks on critical infrastructure is to make sure they are anticipated and avoided and to have a recovery plan that is quick and simple, she explained further.
Read more »
Vulnerabilities and Exploits
CERT CERT-In Cyberattack Cybersecurity Remote Code Execution Vulnerabilities and Exploits

Take Steps to Protect Your Enterprise Against the Risks

 

Earlier this month, the Apache Software Foundation announced that its log4j Java-based logging utility (CVE-2021-44228) had been vulnerable to a remote code execution vulnerability (CVE-2021-4428). It was rated a critical severity vulnerability by MITRE and given a CVSS score of 10 out of 10. After the release of the Log4j patch, the vulnerability in the database was exploited in the wild shortly thereafter.

Consequently, several governmental cybersecurity organizations throughout the world, including the United States Cybersecurity and Infrastructure Security Agency, the Austrian CERT, and the United Kingdom National Cyber Security Centre, issued alerts urging organizations around the globe to instantly patch their systems. 
 
During a discussion with Jonathan Care, Senior Director Analyst at Gartner a better understanding of the security implications of the Log4j vulnerability was given. In his presentation, he discussed how organizations are susceptible to threats arising from this vulnerability. He also discussed what measures they should be taking to ensure their enterprise systems are protected against potential threats arising from the vulnerability. 
 

Are There Any Systems Affected by the Log4j Vulnerability? 
 

In addition to affecting enterprise applications and embedded systems, Log4j's vulnerability is extremely widespread. Thus, it may influence their sub-components, as well as their sub-systems. Java-based applications including Cisco Webex, Minecraft, and FileZilla FTP are all examples of affected programs, but this is by no means an exhaustive list. Ingenuity, a NASA helicopter mission in the Mars 2020 program, uses Apache Log4j's logging API to record events, so the vulnerability affects this mission as well. 
  
There are many resources available on the web which list vulnerable systems in the security community. Nevertheless, it should be noted that these lists are constantly changing, which makes it imperative to keep an eye on them. As a result, do not take a non-inclusion of a particular application or system as an indication that it will not be impacted by the patch. 

There is a high probability that a particular technology stack will be exposed to this vulnerability. The vulnerability is likely to affect key suppliers such as SaaS vendors, cloud hosting providers, and web hosting providers. 
 

Risk to Enterprise Applications and Systems, if the Vulnerability is Exploited

 
This vulnerability can be exploited by attackers if it is left unpatched, thus allowing them to take control of and infiltrate enterprise networks if it is left unpatched. The vulnerability is already being exploited by malware, ransomware, and a wide array of other automated threats that are actively taking advantage of this vulnerability. 
 
This vulnerability can be exploited with a great deal of ease  all an attacker needs to do is enter a simple string into a chat window, which is all that it takes. 
 
It is referred to as a "pre-authentication" exploit, which means that to exploit the vulnerability, the attacker does not have to sign into the vulnerable system. You should be prepared for the possibility of your web server becoming vulnerable. 
 

To Protect Their Enterprises From Cybersecurity Threats, What Should CyberSecurity Leaders Do? 

 
Identifying this vulnerability and remediating it as quickly as possible should be one of the top priorities for cybersecurity leaders. The first thing you should do is conduct a detailed audit of any applications, websites, and systems within your domain of responsibility that are connected to the internet or can be viewed as public-facing on the Internet. 

Consider the importance of protecting sensitive operational data such as customer details and access credentials, which are stored on systems that contain sensitive operational data. 
 
When you have completed the audit of your remote employees, you should turn your attention to the next step. Personal devices and routers that constitute a vital link in the chain of security should be updated by these provisions. An active, involved approach is likely to be required to achieve this. There is no point in simply issuing a list of instructions since this does not suffice. To gain access to a key enterprise application or data repository, vulnerable routers could be a potential entry point. Your IT team needs to support and cooperate with you in this endeavor. 
 
When an organization has created an incident response plan and initiated formal severe incident response actions, now is the appropriate time to implement formal severe incident response measures. A board of directors, the CEO, the CIO, and the entire organization must be involved in this incident as we believe all levels of the organization should be involved. 

Make sure you have informed senior leadership and that they are prepared to answer public questions about this issue. For at least the next 12 months, vigilance will be crucial for preventing the exploitation of this vulnerability and the attack patterns exploiting it. This is because neither is likely to disappear for some time.
Read more »
Malicious actor
"IS that you" Phishing Scam CERT Credential stealing Cyber Attacks Facebook Scams Malicious actor

Facebook :"Is that you?" 500,000 People Were Victims of this Phishing Scam

 

Facebook has often been a favorite hunting ground for cybercriminals who delight in preying on the naive members of the internet community. While addressing a very prevalent fraud known as "Is that you?" cybernews has conducted research. It's a type of video phishing scam in which the attacker delivers a link to a fictitious video in which the victim appears. When you click, the trouble begins as soon as you enter some personal information and log in. 

Researchers were recently rewarded for such diligence when they received a warning from fellow cyber investigator Aidan Raney – who originally contacted them after the original results were released – that malicious links were being sent to users. Upon further investigation, it was discovered that thousands of these phishing links had been circulated via a devious network spanning the social media platform's back channels. If left unchecked, hundreds of thousands of naive social network users might fall prey to the shady connections - the "Is That You?" scam was said to have ensnared half a million victims before researchers discovered it. 

Raney explained, "I worked out what servers did what, where code was hosted, and how I might identify additional servers." "I then used this information, as well as urlscan.io, to seek for more phishing sites with similar features to this one." 

A thorough examination of the servers linked to the phishing links revealed a page that was transmitting credentials to devsbrp. app. A banner believed to be attached to a control panel was discovered with the wording "panelfps by braunnypr" printed on it. A second search using keywords led the study team right to the panel and banner designer, whose email address and password variations were also identified  neatly turning the tables on fraudsters who prey on unwary web users' credentials. 

Cybernews accessed a website which proved to be the command and control hub for most of the phishing assaults linked to the gang, known to include at least 5 threat actors but could have plenty more, using the threat actor's personal details. This gave our brave investigators a wealth of information about the culprits of the Facebook phishing scam, including the likely country of residence  the Dominican Republic.

"We were able to distribute the user list for everyone who has signed up for this panel," the Cybernews researcher explained. "We started unearthing the identities with as many people on the list as we could using the usernames on the list, but there is still more work to be done." Researchers provided the appropriate information to the Dominican Republic's Cyber Emergency Response Team (CERT) at the time, as evidence suggested that the campaign had started there as well.
Read more »
User Privacy
CERT Data Breach IP Address Private Data Russian Hackers User Privacy

Millions of Loan Applicant's Data is Leaked via an Anonymous Server

The security team at SafetyDetectives, led by Anurag Sen, revealed the specifics of a misconfigured Elasticsearch server that exposed the personal information of millions of loan applicants. The information primarily came from individuals who applied for microloans in Ukraine, Kazakhstan, and Russia. 

The server was identified randomly on December 5th, 2021, while monitoring specific IP addresses. Since the anonymous server lacked authentication mechanisms, it was left vulnerable and unprotected, resulting in the loss of over 870 million records and 147GB of data. 

SafetyDetectives couldn't identify the server's host. Customers' logs from a variety of microloans providers' websites were stored on a server, however, the majority weren't financial services like lenders or banks, but rather third-party intermediates who operate as a link between the loan firm and the applicant. The majority of the data in the server's logs were in Russian which led experts to conclude that the server is owned by a Russian corporation. 

Different types of personal information (PII) and sensitive user data were revealed in this leak, according to SafetyDetectives researchers, including details of users' "internal passports" and other types of data. Internal passports are used to substitute for national IDs in Russia and Ukraine. They are only valid within the country's borders. 

The internal passport details revealed in the exposed data include Marital status Gender, Birthdate, location, physical address, full name, including first, middle, and patronymic names. Number of passports, issue/expiration dates, and serial number. Some of the disclosed information, including cities, names, addresses, and issued by places, was written in Cyrillic script, which is generally utilized in Asia and Europe.

This vulnerability is estimated to affect around 10 million users. Most INNs belonged to Ukrainians, but several server logs and passport numbers belonged to Russians. The server was based in the Dutch city of Amsterdam. 

On December 14th, 2021, SafetyDetectives contacted the Russian CERT, and the Dutch CERT on December 30th, 2021. Both, though, declined to assist. On January 13th, 2022, the server's hosting company was informed, and the server was secured the same day. Given the scope and type of the data exposed, the event might have far-reaching consequences.
Read more »
Ransom
CERT Cyber Attacks DDOS Attack New Zealand Ransom

New Zealand Banks and Post Offices Hit by a Cyber Attack

 

On Wednesday, the websites of a number of financial institutions in New Zealand, as well as the country's national postal service, were momentarily unavailable due to a cyber-attack, according to officials. A DDoS (distributed denial of service) attack targeting a number of organizations in the nation has been reported, according to the country's Computer Emergency Response Team (CERT). 

Minister David Clark, who is in charge of the digital economy and communications, said CERT has informed him that "a number" of organizations have been compromised. “At this time, efforts to ascertain the impact of this incident are ongoing. I won’t get ahead of this process,” Clark said, in a statement. “CERT assures me it is actively engaging with affected parties to understand and monitor the situation.” 

CERT's objective is to assist businesses and government agencies on how to respond to and prevent cyber-attacks. It also collaborates with other government institutions and law enforcement, such as the National Cyber Security Centre (NCSC). 

According to local media sources, Australia and New Zealand Banking Group's (ANZ.AX) New Zealand site and NZ Post were among the websites hit by the attack. ANZ informed clients through Facebook that it was aware that some of them were unable to use online banking services. "Our tech team are working hard to get this fixed, we apologize for any inconvenience this may cause," the post said. 

The "intermittent interruptions" on NZ Post's website were caused by a problem with one of its third-party suppliers, according to the company. Several Kiwibank clients took to social media to complain outages at the little institution, which is partially controlled by the New Zealand Post. In a Twitter post, Kiwibank apologized to clients and said it was trying to resolve "intermittent access" to its app, online banking, phone banking, and website. 

A DDoS assault overloads a website with more traffic than it can manage, causing it to fail. While the identity of the attacker and their motivation are unknown in this case, the goal might be to extract a ransom from the victim in order for the assault to be stopped. During the NZX assault, Minister for Intelligence Agencies Andrew Little expressed the government's advice: Don't pay the ransom.
Read more »
Vulnerabilities and Exploits
CERT Linux Microsoft Privilege Escalation Flaw Vulnerabilities and Exploits

New Windows and Linux Flaws: Provide Attackers Highest System Privileges

 

Two new vulnerabilities, one in Windows and the other in Linux, were discovered on Tuesday, allowing hackers with a presence in a vulnerable machine to circumvent OS security limits and access critical resources. 

Microsoft's Windows 10 and upcoming Windows 11 versions have been discovered to be vulnerable to a new local privilege escalation vulnerability that allows users with low-level permissions to access Windows system files, permitting them to decrypt private keys and uncover the operating system installation password. The vulnerability has been named "SeriousSAM".

CERT Coordination Center (CERT/CC) stated in a vulnerability note published, "Starting with Windows 10 build 1809, non-administrative users are granted access to SAM, SYSTEM, and SECURITY registry hive files. This can allow for local privilege escalation (LPE)." 

The operating system configuration files in question are as follows - 

c:\Windows\System32\config\sam 
c:\Windows\System32\config\system 
c:\Windows\System32\config\security 

Microsoft acknowledged the vulnerability, which has been assigned the number CVE-2021-36934 but is yet to offer a patch or provide a timeframe for when a fix will be released. 

The Windows makers explained, "An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” 

However, successful exploitation of the issue implies that the attacker has already gained a foothold and has the capacity to execute code on the target machine. In the meanwhile, users should restrict entry to sam, system, and security files and erase VSS shadow copies of the system disc, according to the CERT/CC. 

Since the release of Patch Tuesday updates on July 13, this is also the third publicly documented unpatched issue in Windows. Apart from CVE-2021-36934, two other vulnerabilities in the Print Spooler component have been identified, leading Microsoft to advise all users to halt and terminate the service to protect their computers from exploitation. 

"Sequoia" privilege escalation flaw affected Linux distros:

Remediations have been issued for a security shortcoming affecting all Linux kernel versions from 2014 that can be exploited by malicious users and malware already deployed on a system to gain root-level privileges. 

The vulnerability, nicknamed "Sequoia" by Qualys researchers, has been issued the identifier CVE-2021-33909 and affects default Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation installations. The issue also affects Red Hat Enterprise Linux versions 6, 7, and 8. 

The vulnerability is a size t-to-int type conversion flaw in the Linux Kernel's "seq file" file system interface, which allows an unprivileged local intruder to generate, install, and delete a deep directory structure with a total path length of more than 1GB, resulting in a privilege escalation on the vulnerable host. 

According to Qualys, unprivileged attackers could use a stack exhaustion denial-of-service vulnerability in the system (CVE-2021-33910) to corrupt the software suite and induce a kernel panic.
Read more »
USA
CERT Cyber Security Cyber Security Index ITU USA

United States Tops ITU's Global Cyber Security Index

 

The United Nations International Telecommunication Union (ITU) released its 2020 Global Cyber Security Index on 29th June 2021, which ranked the United States first overall, with the United Kingdom and Saudi Arabia tied for the second position. 

The index uses 82 questions prepared by a team of experts to rate countries. Members of the ITU are asked to select individuals to take part in the procedure and the organization performs desk research on nations that refuse to participate. The members of the ITU are then ranked on a scale of one to one hundred. 

In essence, the higher the rank, the more dedicated the country is to cybersecurity defense. However, it's a measure of a country's computer security. The report commences with a piece of positive news: the 2020 index's median score is 9.5 percent higher than the 2018 edition. 

Smaller countries fared well, and there were some notable improvements. Estonia, for instance, came in third place. South Korea, Singapore, and Spain tied for fourth place, while Russia, the United Arab Emirates, and Malaysia shared for fifth. Lithuania, Japan, Canada, France, and India made it to the top ten. India moved from 47th to tenth place. 

Another promising result from the Index is that many nations that have established a national computer incident response team (CIRT) have increased by 11% during 2018, implying that nearly half of ITU members now have CIRT or CERT. 

Sixty-four percent have established a new cybersecurity strategy (NCS), up from 58 percent last year, and 70 percent implemented cybersecurity awareness campaigns in 2020, up from 66 percent last year. 

Thirty-eight nations received a score of 90% or above. Individual training programs are also required in several areas, according to the Index. 

Despite a predicted global shortfall of half a million cybersecurity specialists by 2021, the report claims that nations are failing to establish sector-specific training. Over half of those surveyed do not have programs customized to specific sectors or professions, such as law enforcement, legal actors, SMEs, private firms, or government employees. 

Indices ranking national cybersecurity are like buses: none for a long time, then two at once — the International Institute for Strategic Studies, a British think tank, presented its own assessment earlier this week, concluding that the United States is the sole cyber superpower.
Read more »
Zero Click Exploit
CERT ConnMan Tesla Vulnerabilities and Exploits Zero Click Exploit

Tesla Car Hacked Remotely by Drone Via Zero-Click Exploit

 

Two researchers have shown how a Tesla and probably other cars can be remotely hacked without the involvement of the operator. 

Ralf-Philipp Weinmann of Kunnamon and Benedikt Schmotzle of Comsecuris conducted research last year that led to this conclusion. The investigation was conducted for the Pwn2Own 2020 hacking competition, which offered a car and other substantial prizes for hacking a Tesla, but the results were later submitted to Tesla via its bug bounty programme after Pwn2Own organizers planned to temporarily exclude the automotive category due to the coronavirus pandemic. 

TBONE is an attack that includes exploitation of two vulnerabilities in ConnMan, an internet connection manager for embedded devices. An intruder may use these bugs to take complete control of Tesla's infotainment system without requiring any user interaction. 

A hacker who exploits the vulnerabilities may use the infotainment system to perform any normal user task. This involves things like opening doors, adjusting seat positions, playing music, regulating the air conditioning, and changing the steering and acceleration modes. 

The researchers explained, “However, this attack does not yield drive control of the car”. They presented how an intruder could use a drone to launch a Wi-Fi assault on a parked car and open its doors from up to 100 meters away (roughly 300 feet). The exploit, they said, worked on Tesla S, 3, X, and Y models. 

“Adding a privilege escalation exploit such as CVE-2021-3347 to TBONE would allow us to load new Wi-Fi firmware in the Tesla car, turning it into an access point which could be used to exploit other Tesla cars that come into the victim car’s proximity. We did not want to weaponize this exploit into a worm, however,” Weinmann stated. 

Tesla apparently stopped using ConnMan after patching the vulnerabilities with an update released in October 2020. Intel was also notified because it was the original creator of ConnMan, but according to the researchers, the chipmaker believed it was not its responsibility. 

According to the researchers, the ConnMan component is commonly used in the automotive industry, suggesting that similar attacks may be launched against other vehicles as well. Weinmann and Schmotzle sought assistance from Germany's national CERT in informing potentially affected vendors, but it's uncertain if other manufacturers have responded to the researchers' findings. 

Earlier this year, the researchers presented their results at the CanSecWest meeting. A video of them using a drone to hack a Tesla is also included in the presentation. In recent years, several corporations' cybersecurity researchers have shown that a Tesla can be hacked, in most cases remotely.
Read more »
Subscribe to: Posts (Atom)