Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Credential Theft. Show all posts
Russia
Amazon AWS Cloud Security Credential Theft Cyber Attacks GRU Russia

Amazon Says It Has Disrupted GRU-Linked Cyber Operations Targeting Cloud Customers

 



Amazon has announced that its threat intelligence division has intervened in ongoing cyber operations attributed to hackers associated with Russia’s foreign military intelligence service, the GRU. The activity targeted organizations using Amazon’s cloud infrastructure, with attackers attempting to gain unauthorized access to customer-managed systems.

The company reported that the malicious campaign dates back to 2021 and largely concentrated on Western critical infrastructure. Within this scope, energy-related organizations were among the most frequently targeted sectors, indicating a strategic focus on high-impact industries.

Amazon’s investigation shows that the attackers initially relied on exploiting security weaknesses to break into networks. Over multiple years, they used a combination of newly discovered flaws and already known vulnerabilities in enterprise technologies, including security appliances, collaboration software, and data protection platforms. These weaknesses served as their primary entry points.

As the campaign progressed, the attackers adjusted their approach. By 2025, Amazon observed a reduced reliance on vulnerability exploitation. Instead, the group increasingly targeted customer network edge devices that were incorrectly configured. These included enterprise routers, VPN gateways, network management systems, collaboration tools, and cloud-based project management platforms.

Devices with exposed administrative interfaces or weak security controls became easy targets. By exploiting configuration errors rather than software flaws, the attackers achieved the same long-term goals: maintaining persistent access to critical networks and collecting login credentials for later use.

Amazon noted that this shift reflects a change in operational focus rather than intent. While misconfiguration abuse has been observed since at least 2022, the sustained emphasis on this tactic in 2025 suggests the attackers deliberately scaled back efforts to exploit zero-day and known vulnerabilities. Despite this evolution, their core objectives remained unchanged: credential theft and quiet movement within victim environments using minimal resources and low visibility.

Based on overlapping infrastructure and targeting similarities with previously identified threat groups, Amazon assessed with high confidence that the activity is linked to GRU-associated hackers. The company believes one subgroup, previously identified by external researchers, may be responsible for actions taken after initial compromise as part of a broader, multi-unit campaign.

Although Amazon did not directly observe how data was extracted, forensic evidence suggests passive network monitoring techniques were used. Indicators included delays between initial device compromise and credential usage, as well as unauthorized reuse of legitimate organizational credentials.

The compromised systems were customer-controlled network appliances running on Amazon EC2 instances. Amazon emphasized that no vulnerabilities in AWS services themselves were exploited during these attacks.

Once the activity was detected, Amazon moved to secure affected instances, alerted impacted customers, and shared intelligence with relevant vendors and industry partners. The company stated that coordinated action helped disrupt the attackers’ operations and limit further exposure.

Amazon also released a list of internet addresses linked to the activity but cautioned organizations against blocking them without proper analysis, as they belong to legitimate systems that had been hijacked.

To mitigate similar threats, Amazon recommended immediate steps such as auditing network device configurations, monitoring for credential replay, and closely tracking access to administrative portals. For AWS users, additional measures include isolating management interfaces, tightening security group rules, and enabling monitoring tools like CloudTrail, GuardDuty, and VPC Flow Logs.

Read more »
User Privacy
Android Spyware Cellik Credential Theft malware User Privacy

Cellik Android Spyware Exploits Play Store Trust to Steal Data

 

Recently found in the Android platform, remote access trojan named Cellik has been recognized as a serious mobile threat, using the Google Play integration feature to mask itself within legitimate applications to evade detection by security solutions.

Cellik is advertised as a malware-as-a-service (MaaS) in the cybercrime forums, with membership rates beginning at approximately $150 a month. One of the most frightening facets of the malware is the fact that it allows malicious payloads to be injected into legitimate Google Play applications, which can be easily installed. 

Once it is installed, Cellik provides complete control over the target device for the attacker. Operators can remotely stream the target device’s screen live, as well as access all files, receive notifications, and even use a stealthy browser to surf websites and enter form data without the target’s awareness. The malware also comes equipped with an app inject functionality that enables attackers to superimpose login screens on normal applications such as bank or email apps and harvest login and other sensitive data. 

Cellik Play Store integration also includes an automated APK builder, so the perpetrators of this crimeware can now browse the store for apps, choose popular apps, and pack them with the Cellik payload in one click bundling it together with the cellik payload. The perpetrators of this attack claim that this allows them to bypass Google Play Protect and other device-based security scanners, but Google has not independently verified this. 

Android users should heed the words of security experts and not sideload APKs from unknown sources, keep Play Protect enabled at all times, be very judicious about app permissions, and keep an eye out for anything strange on their phones that might be harmful. Since Cellik is a groundbreaking new development in Android malware, both users and the security community should be vigilant to ensure their sensitive data and device integrity are not compromised.
Read more »
Windows Security
Credential Theft Lumma Stealer malware malware infection National Cyber Security Centre New Zealand Cyber Security Online fraud Windows Security

Malicious Software Compromises 26000 Devices Across New Zealand


Thousands of devices have been infected with malware through New Zealand's National Cyber Security Center, showing the persistent risk posed by credential-stealing cybercrime, which has been causing New Zealand's National Cyber Security Center to notify individuals after an exposure. 

About 26,000 people have been notified by the agency that it is sending an email advising them to visit the Own Your Online portal for instructions on how to remove malicious software from their accounts and strengthen their account security. 

As NCSC Chief Operating Officer Michael Jagusch informed me, the alerts were related to Lumma Stealer, which is a highly regarded strain of malware targeting Windows-based devices. There is a danger that this malware can be used to facilitate identity theft or fraud by covertly harvesting sensitive data like email addresses and passwords. 

Officials noted that Lumma Stealer and other information-stealing tools are still part of an international cybercrime ecosystem that continues to grow, and so users should be vigilant and take proactive security measures in order to protect themselves. It has been reported that the National Cyber Security Centre of the Government Communications Security Bureau has conducted an assessment and found that it is possible that the malicious activity may have affected approximately 26,000 email addresses countrywide. 

As detailed in its statement published on Wednesday, the U.S. Department of Homeland Security has warned that the malware involved in the incident, dubbed Lumma Stealer, is specifically designed to be able to steal sensitive data, including login credentials and other personally identifiable information, from targeted systems.

As noted by the NCSC, this threat primarily targets Windows-based devices, and cybercriminals use this threat to facilitate the fraud of personal information and financial fraud. Thus, it highlights the continued exposure of everyday users to sophisticated campaigns aimed at stealing personal data. 

The issue was discovered by the National Cyber Security Centre's cyber intelligence partnerships, after the agency first worked with government bodies and financial institutions in order to alert a segment of those affected before expanding the effort to notify the entire public. Introducing the NCSC Chief Operating Officer, Michael Jagusch, he said the center has now moved to a broader direct-contact approach and this is its first time undertaking a public outreach of this sort on such a large scale. 

A step he pointed out was that the notifications are genuine and come from the official email address no-reply@comms.ncsc.govt.nz, which helps recipients distinguish between the legitimate and fraudulent ones. It is noteworthy that a recent BNZ survey indicates similar exposure across small and medium businesses, which is in line with the current campaign, which is targeted at households and individuals. 

The research reveals that 65% of small and medium-sized businesses believe scam activity targeting their businesses has increased over the past year; however, 45% of these businesses do not place a high priority on scam awareness or cyber education, despite the fact that their employees routinely handle emails, payment information and customer information. 

There were approximately half of surveyed SMEs who reported that they had been scammed in the last 12 months and many of them had been scammed by clicking links, opening attachments, or responding to misleading messages. According to BNZ fraud operations head Margaret Miller, criminals are increasingly exploiting human behavior as a means of committing fraud rather than exploiting technical flaws, targeting business owners and employees who are working on a daily basis. 

A substantial number of small business owners reported business financial losses following breaches, with 21% reporting business financial losses, 26% a personal financial loss and 30% experiencing data compromise, all of which had consequences beyond business accounts. According to Miller, the average loss was over $5,000, demonstrating that scammers do not only attempt to steal company funds, but also to steal personal information and sensitive business data in the form of financial fraud. 

It is the country's primary authority for helping individuals and companies reduce their cyber risk, and it is housed within the Government Communications Security Bureau.

The National Cyber Security Centre offers help to individuals and organisations and is a chief authority on cyber security. It has three core functions that form the basis of its work: helping New Zealanders make informed decisions about their digital security, ensuring strong cyber hygiene is embedded within essential services and in the wider cyber ecosystem in collaboration with key stakeholders, and using its statutory mandate to combat the most serious and harmful cyber threats through the deployment of its specialist capability. 

Own Your Online, a central part of this initiative, provides practical tools, guidance and resources designed to make cybersecurity accessible for householders, small businesses, and nonprofit organizations, as well as clear advice on prevention and what to do when an incident occurs. In particular, the NCSC owns the Own Your Online platform, which provides practical tools, guidance, and resources. 

There is no doubt that the incident serves as a timely reminder of the increasing sophistication and reach of modern cybercrime, as well as the shared responsibility that must be taken to limit its effects on society. Many experts continue to emphasize the importance of maintaining a safe system, including the use of strong, unique passwords, and the use of multi-factor authentication whenever possible. They advise maintaining your operating system and software up to date as well as using the proper passwords. 

Furthermore, users are advised to remain cautious of any unexpected emails or messages they receive, even if they appear to have come from trusted sources. Likewise, users should exclusively communicate through official channels to avoid any confusion. 

The focus continues to remain on raising awareness and improving resilience among individuals and organisations with the aim of improving digital awareness and improving collaboration between the authorities and the business and financial sector. 

A new approach has been adopted by agencies to encourage early detection, clear communication, and practical guidance that are aimed at reducing immediate harm while also fostering long-term confidence among New Zealanders in navigating an increasingly complex online world.
Read more »
Fake Apps
Android Android Banking Trojan Android Trojans Banking Trojan Credential Theft Cyber Attacks Fake Apps

Datzbro Android Banking Trojan Targets Seniors With Device-Takeover Attacks

 

Researchers have uncovered a previously undocumented Android banking trojan, dubbed Datzbro, that is being used in device-takeover campaigns aimed squarely at older adults. ThreatFabric, a Dutch mobile security firm, first tied the activity to a social-engineering network in August 2025 after reports emerged of Facebook groups in Australia advertising “active senior trips” that were in fact recruitment channels for the scam. The operation has been observed in multiple countries, including Singapore, Malaysia, Canada, South Africa and the U.K., and relies on community-focused messaging to build trust before delivering malware. 

The attackers create convincing Facebook groups and AI-generated posts promoting local events for seniors. When a target shows interest, operators move the conversation to Facebook Messenger or WhatsApp and push a link to download a so-called community app—usually an APK hosted on a fraudulent domain. Those sites promise event registration and networking features but deliver an installer that either installs Datzbro directly or drops a secondary loader built with an APK-binding service called Zombinder, which helps bypass protections introduced in Android 13 and later. Some evidence suggests the fraudsters are preparing iOS TestFlight lures as well, indicating cross-platform ambitions. 

Analysts have cataloged multiple malicious app package names used to distribute the trojan, from innocuous-sounding “Senior Group” and “Lively Years” to variants masquerading as popular Chinese apps or tools. Once installed, Datzbro grants itself extensive permissions and weaponizes Android accessibility services to perform actions on behalf of the attacker. It can record audio, capture photos, harvest files, log keystrokes and overlay semi-transparent screens to hide malicious activity from victims. A distinctive feature is its “schematic remote control” mode, which reports screen layout, element positions and content back to operators so they can reconstruct interfaces remotely and direct the device as if they were looking over the victim’s shoulder. 

The trojan also filters accessibility event logs for bank or wallet package names and scans for text resembling PINs, passwords or transaction codes. If it finds credentials in cookies or other storage, Datzbro exfiltrates them to the attackers’ back end; it can even steal lock-screen PINs and compromise popular Chinese payment apps such as Alipay and WeChat. ThreatFabric noted Chinese debug strings and a Chinese-language desktop command-and-control application tied to the campaign, suggesting the authors are Chinese-speaking. A compiled C2 client reportedly leaked to public malware repositories, which may accelerate wider abuse by other criminals. 

Datzbro’s discovery comes amid broader mobile-banking malware activity. IBM X-Force has described a related AntiDot campaign called PhantomCall that similarly abuses Android features and sideloaded droppers to bypass modern OS protections, while PRODAFT has documented MaaS-style offerings for actors aiming at global banks. Together, these trends reflect a sustained move toward targeted social engineering that exploits community trust to coax vulnerable users into installing powerful remote-control malware. 

The rapid evolution of these threats underscores the need for heightened public awareness—especially among seniors—tighter app-distribution controls, and stronger defenses around accessibility permissions and sideloaded software.
Read more »
User Privacy
Credential Theft Cyber Fraud Data Leak Netflix Job Scam User Privacy

Fake Netflix Job Offers Target Facebook Credentials in Real-Time Scam

 

A sophisticated phishing campaign is targeting job seekers with fake Netflix job offers designed to steal Facebook login credentials. The scam specifically focuses on marketing and social media professionals who may have access to corporate Facebook business accounts. 

Modus operandi 

The attack begins with highly convincing, AI-generated emails that appear to come from Netflix's HR team, personally tailored to recipients' professional backgrounds. When job seekers click the "Schedule Interview" link, they're directed to a fraudulent career site that closely mimics Netflix's official page. 

The fake site prompts users to create a "Career Profile" and offers options to log in with Facebook or email. However, regardless of the initial choice, victims are eventually directed to enter their Facebook credentials. This is where the scam becomes particularly dangerous. 

Real-time credential theft 

What makes this attack especially sophisticated is the use of websocket technology that allows scammers to intercept login details as they're being typed. As Malwarebytes researcher Pieter Arntz explains, "The phishers use a websocket method that allows them to intercept submissions live as they are entered. This allows them to try the credentials and if your password works, they can log into your real Facebook account within seconds". 

The attackers can immediately test stolen credentials on Facebook's actual platform and may even request multi-factor authentication codes if needed. If passwords don't work, they simply display a "wrong password" message to maintain the illusion. 

While personal Facebook accounts have value, the primary goal is accessing corporate social media accounts. Cybercriminals seek marketing managers and social media staff who control company Facebook Pages or business accounts. Once compromised, these accounts can be used to run malicious advertising campaigns at the company's expense, demand ransom payments, or leverage the organization's reputation for further scams.

Warning signs and protection

Security researchers have identified several suspicious email domains associated with this campaign, including addresses ending with @netflixworkplaceefficiencyhub.com, @netflixworkmotivation, and @netflixtalentnurture.com. The fake hiring site was identified as hiring.growwithusnetflix[.]com, though indicators suggest the operators cleared their tracks after the scam was exposed. 

Job seekers should be cautious of unsolicited job offers, verify website addresses carefully, and remember that legitimate Netflix recruitment doesn't require Facebook login credentials. The campaign demonstrates how scammers exploit both job market anxiety and the appeal of working for prestigious companies to execute sophisticated credential theft operations.
Read more »
Vulnerabilities and Exploits
Clickjacking Attacks Credential Theft Password Manager User Security Vulnerabilities and Exploits

Major Password Managers Leak User Credentials in Unpatched Clickjacking Attacks

 

Six popular password managers serving tens of millions of users remain vulnerable to unpatched clickjacking flaws that could allow cybercriminals to steal login credentials, two-factor authentication codes, and credit card information. 

Modus operandi

Security researcher Marek Tóth, who presented these findings at DEF CON 33, demonstrated how attackers exploit these vulnerabilities by running malicious scripts on compromised websites. 

The attack works by using opacity settings and overlays to hide password manager autofill dropdown menus while displaying fake elements like cookie banners or CAPTCHA prompts. When users click on these decoy elements, they unknowingly trigger autofill actions that expose sensitive data. 

Tóth developed multiple exploitation variants, including DOM element manipulation techniques and a method where the user interface follows the mouse cursor, making any click trigger data autofill. The researcher created a universal attack script that can identify which password manager a target is using and adapt the attack in real-time. 

Impacted password managers

The vulnerable password managers include: 
  • 1Password 8.11.4.27 
  • Bitwarden 2025.7.0 
  • Enpass 6.11.6 
  • iCloud Passwords 3.1.25
  • LastPass 4.146.3 
  • LogMeOnce 7.12.4 
These services collectively have approximately 40 million users. 

Vendor responses 

Vendor responses have been mixed. 1Password dismissed the report as "out-of-scope/informative," arguing that clickjacking is a general web risk users should mitigate themselves. Similarly, LastPass initially marked the report as "informative" before later acknowledging they're working on fixes. 

Bitwarden downplayed the severity but claims to have addressed the issues in version 2025.8.0. However, LogMeOnce initially failed to respond to any communication attempts, though they later released an update. Several vendors have successfully implemented fixes, including Dashlane, NordPass, ProtonPass, RoboForm, and Keeper.

Safety measures 

Until patches are available, Tóth recommends that users disable autofill functionality in their password managers and rely on manual copy-paste operations instead. This significantly reduces the attack surface while maintaining password manager security benefits. 

The research highlights ongoing challenges in balancing user convenience with security in password management tools, particularly regarding browser extension vulnerabilities.
Read more »
Phishing Attacks
Artificial Intelligence Credential Theft Cyber Attacks Cybercrime Infrastructure Cybersecurity awareness Gmail Security Multi-Layered Deception Phishing Attacks

New Gmail Phishing Attack Exploits Login Flow to Steal Credentials

 


Despite today's technologically advanced society, where convenience and connectivity are the norms, cyber threats continue to evolve at an alarming rate, making it extremely dangerous to live in. It has recently been reported that phishing attacks and online scams are on the rise among U.S. consumers, warning that malicious actors are increasingly targeting login credentials to steal personal and financial information from their customers. Those concerns are echoed by the Federal Bureau of Investigation (FBI), which revealed that online scams accounted for a staggering $16.6 billion in losses last year—a jump of 33 per cent compared with the year prior.

The extent to which the problem is increasing has been highlighted in surveys that have revealed more than 60 per cent of Americans feel scam attempts are increasing, and nearly one in three have experienced a data breach regularly. Taking these figures together, it is apparent that fortifying digital defences against an ever-expanding threat landscape is of utmost importance. 

Phishing itself is not new; however, its evolution has been dramatic over the past few decades. Previously, such scams could be easily detected due to their clumsy emails that contained spelling errors and awkward greetings like "Dear User." Today's attacks are much more sophisticated. In this latest Gmail phishing campaign, Google's legitimate login process is accurately mimicked with alarming accuracy, deceiving even tech-savvy users. 

It has been documented by security researchers that thousands of Gmail accounts have been compromised, with stolen credentials opening the door to a broad range of infiltrations, including banking, retail, and social networking sites. A breach like this is compared to an intruder entering one's digital home with the key to the rightful owner. 

A breach of this kind can cause long-lasting damage both financially and personally because it extends well beyond inconvenience. Investigations have shown that this campaign is based on deception and abuse of trusted infrastructures. Fraudulent "New Voice Notification" emails are a way for scammers to get victims by phoning them with fake sender information and making them listen to their voicemails. This attack begins with a legitimate Microsoft Dynamics marketing platform, which lends instant credibility to it, thereby enabling it to bypass many standard security controls. 

A CAPTCHA page on horkyrown[.]com, which can be traced to Pakistan, then redirects victims to a fake login page that looks exactly like Gmail's login page, which makes them feel like they're being hacked before giving them the real thing. When credentials are exfiltrated in real time, the account can be taken over almost immediately. Adding more complexity to this problem is the advent of artificial intelligence in phishing operations. 

Cybercriminals are now making perfect emails, mimicking writing styles, and even making convincing voice calls impersonating trusted figures, utilising advanced language models. According to security companies, artificial intelligence-driven phishing attempts are just as effective as human-crafted ones - if not more so - showing a 55 per cent increase between 2023 and 2025 in success rates. 

With the use of techniques such as metadata spoofing and "Open Graph Spoofing," attackers can further disguise malicious links, essentially making them almost indistinguishable from safe ones with the help of these techniques. In this new wave of phishing, which has become increasingly personalised, multimodal, and distributed at unprecedented scales, it is becoming increasingly difficult to detect. 

The FBI, as well as the Cybersecurity and Infrastructure Security Agency (CISA), have already issued warnings regarding artificial intelligence-enhanced phishing campaigns that target Gmail accounts. There was one case in which Ethereum developer Nick Johnson told of receiving a fraudulent “subpoena” email that passed Gmail's authentication checks and appeared to be just like a legitimate security alert. In similar attacks, phone calls and email have been used to harvest recovery codes, enabling full account takeover. 

Additionally, analysts found that attackers stole session cookies, enabling them to bypass login screens and bypass the entire process. Although Google's filters are now blocking nearly 10 million malicious emails per minute, experts warn that attackers are adapting faster, making stronger authentication measures and user vigilance essential. 

According to the technical analysis of the attack, it has been discovered that the (purpxqha[.]ru) Russian servers used to redirect traffic and perform cross-site requests should be responsible for the attack, while the primary domain name infrastructure was registered in Karachi, Pakistan. 

Using the malicious system, multiple layers of security within Gmail are bypassed, allowing hackers to not only collect email addresses and password combinations, but also two-factor authentication codes, Google Authenticator tokens, backup recovery keys, and even responses to security questions, enabling the attackers to completely take control of victims' accounts before they are aware that they have been compromised. Security experts have made several recommendations to organisations, including blocking identified domains, strengthening monitoring, and educating users about these evolving attack vectors. It must be noted that the Gmail phishing craze reflects a broader reality: cybersecurity is no longer a passive discipline but is a continuous discipline that must adapt to the speed of innovation as it evolves. 

There is no doubt that cultivating digital scepticism is a priority for individuals—they should question every unexpected email, voicemail, or login request, and they should reinforce their accounts with two-factor authentication or hardware security keys to ensure their accounts remain secure. A company’s responsibilities extend further, as they invest in employee awareness training, conduct mock phishing exercises, and implement adaptive tools capable of detecting subtle changes in behaviour. 

A cross-government collaboration between industry leaders, governments, and security researchers will be crucial to the dismantling of criminal infrastructure that exploits global trust. The need for vigilance in an environment where deception is becoming increasingly sophisticated each day has become more than an act of precaution, but a form of empowerment. This allows individuals and businesses alike to protect their digital identities from increasingly sophisticated threats while simultaneously protecting their digital identities.
Read more »
Malware Threat
Browser Credential Theft Cyber Attacks CyberThreat Data Theft Information Security Infostealer Infostealer Malware Malicious Browsers Malware Attack Malware Threat

Shuyal Malware Targets 19 Browsers with Advanced Data Theft and Evasion Capabilities

 

A newly discovered infostealing malware named “Shuyal” has entered the cyber threat landscape, posing a serious risk to users by targeting a wide range of web browsers and deploying sophisticated evasion methods. Identified by researchers at Hybrid Analysis, Shuyal is capable of stealing credentials and sensitive information from 19 different browsers, including lesser-known privacy-focused options like Tor and Brave. 

The malware is named after identifiers found in its code path and represents a new generation of data stealers with expanded surveillance capabilities. Unlike traditional malware that only focuses on login credentials, Shuyal goes deeper—harvesting system-level information, capturing screenshots, monitoring clipboard activity, and sending all of it to cybercriminals using a Telegram bot-controlled infrastructure. 

In his analysis, Vlad Pasca from Hybrid Analysis highlighted that Shuyal performs extensive system reconnaissance. Once it infects a device, it disables the Windows Task Manager to prevent users from detecting or ending the malware’s process. It also hides its tracks by removing evidence of its activities through self-deleting mechanisms, including batch scripts that erase runtime files once the data has been exfiltrated. 

Among the browsers targeted by Shuyal are mainstream options such as Chrome and Edge, but it also compromises more obscure browsers like Waterfox, OperaGx, Comodo, Falko, and others often marketed as safer alternatives. This wide reach makes it particularly concerning for users who believe they are using secure platforms. 

Shuyal collects technical details about the system, including hard drive specifications, connected input devices like keyboards and mice, and display configurations. It compresses all collected data using PowerShell into a temporary folder before transmitting it to the attackers. This organized method of data collection and transfer demonstrates the malware’s highly stealthy design. 

The malware also ensures it remains active on compromised machines by copying itself into the Startup folder, allowing it to launch each time the system is rebooted. 

Although researchers have not yet pinpointed the exact methods attackers use to distribute Shuyal, common delivery vectors for similar malware include phishing emails, malicious social media posts, and deceptive captcha pages. Experts caution that infostealers like Shuyal often serve as precursors to more serious threats, including ransomware attacks and business email compromises. 

Hybrid Analysis encourages cybersecurity professionals to study the published indicators of compromise (IOCs) associated with Shuyal to strengthen their defense strategies. As cyber threats evolve, early detection and proactive protection remain essential.
Read more »
Software
Android BadBox threat Credential Theft FBI malware Software

FBI Issues Urgent Warning: Millions of Android Devices Compromised by Malware Operation

 


A dangerous malware campaign known as BadBox 2.0 has infected more than 10 million Android-powered devices, according to a recent alert from the FBI and major cybersecurity researchers. Users are being advised to immediately disconnect any suspicious smart devices connected to their home networks.

This large-scale cyberattack targets a range of low-cost electronics, such as smart TVs, tablets, digital picture frames, car infotainment systems, and streaming boxes, many of which are manufactured by lesser-known brands and sold at discounted prices. Authorities warn that these products may already be infected before leaving the factory.


How Are Devices Getting Infected?

Investigators say that the malware is often pre-installed into the system’s firmware, meaning it’s embedded into the device itself. In some cases, users unknowingly allow the malware in when accepting software updates or installing apps from unofficial sources.

Once active, the malware can silently take over the infected device, turning it into part of a global botnet. These infected devices are then used by cybercriminals for illegal activities like online ad fraud, credential theft, and hiding internet traffic through proxy networks.

The LAT61 Threat Intelligence Team at Point Wild helped trace how the malware operates. They discovered that the malware secretly converts devices into residential proxy nodes, making it hard to detect while still carrying out harmful actions behind the scenes.


What Are Google and the FBI Doing?

In response to the threat, Google has taken legal action against the individuals behind BadBox 2.0 and has updated its Google Play Protect system to block apps associated with the malware. The FBI, through alert I-060525-PSA, has also issued a detailed warning and urged users to take caution, especially with devices from unverified brands.

The team at Human Security, which first exposed the malware operation, confirmed that multiple hacker groups contributed to building and maintaining the botnet infrastructure. Their CEO praised the collaboration between cybersecurity firms, law enforcement, and tech companies to take down the threat.


A New Threat Also Detected

Meanwhile, researchers from GreyNoise have reported signs of another emerging cyber threat, this time involving VoIP (Voice over Internet Protocol) devices. Their investigation revealed a spike in activity where hackers are attempting to gain access to poorly secured systems using default or weak passwords. These devices are often older, rarely updated, and left exposed to the internet, making them easy targets.


What Should You Do?

The FBI advises users to look out for the following red flags:

1. Devices requiring you to turn off Google Play Protect

2. Gadgets that offer “fully unlocked” or “free streaming” features

3. Unfamiliar or generic brand names

4. Apps from third-party app stores

5. Unexpected internet activity from your devices


If you notice any of these signs, disconnect the device from your network immediately and consider replacing it with a trusted brand.

Read more »
phishing
Business Security cloud hosting cookie theft Credential Theft Cybersecurity Data Breach fake alerts Meta OTP phishing

Meta Mirage” Phishing Campaign Poses Global Cybersecurity Threat to Businesses

 

A sophisticated phishing campaign named Meta Mirage is targeting companies using Meta’s Business Suite, according to a new report by cybersecurity experts at CTM360. This global threat is specifically engineered to compromise high-value accounts—including those running paid ads and managing brand profiles.

Researchers discovered that the attackers craft convincing fake communications impersonating official Meta messages, deceiving users into revealing sensitive login information such as passwords and one-time passcodes (OTP).

The scale of the campaign is substantial. Over 14,000 malicious URLs were detected, and alarmingly, nearly 78% of these were not flagged or blocked by browsers when the report was released.

What makes Meta Mirage particularly deceptive is the use of reputable cloud hosting services—like GitHub, Firebase, and Vercel—to host counterfeit login pages. “This mirrors Microsoft’s recent findings on how trusted platforms are being exploited to breach Kubernetes environments,” the researchers noted, highlighting a broader trend in cloud abuse.

Victims receive realistic alerts through email and direct messages. These notifications often mention policy violations, account restrictions, or verification requests, crafted to appear urgent and official. This strategy is similar to the recent Google Sites phishing wave, which used seemingly authentic web pages to mislead users.

CTM360 identified two primary techniques being used:
  • Credential Theft: Victims unknowingly submit passwords and OTPs to lookalike websites. Fake error prompts are displayed to make them re-enter their information, ensuring attackers get accurate credentials.
  • Cookie Theft: Attackers extract browser cookies, allowing persistent access to compromised accounts—even without login credentials.
Compromised business accounts are then weaponized for malicious ad campaigns. “It’s a playbook straight from campaigns like PlayPraetor, where hijacked social media profiles were used to spread fraudulent ads,” the report noted.

The phishing operation is systematic. Attackers begin with non-threatening messages, then escalate the tone over time—moving from mild policy reminders to aggressive warnings about permanent account deletion. This psychological pressure prompts users to respond quickly without verifying the source.

CTM360 advises businesses to:
  • Manage social media accounts only from official or secure devices
  • Use business-specific email addresses
  • Activate Two-Factor Authentication (2FA)
  • Periodically audit security settings and login history
  • Train team members to identify and report suspicious activity
This alarming phishing scheme highlights the need for constant vigilance, cybersecurity hygiene, and proactive measures to secure digital business assets.
Read more »
identity-based attacks
AI-driven cyberattacks Credential Theft Cyber Attacks Cybercrime economy Cybersecurity Threats identity-based attacks

Data Reveals Identity-Based Attacks Now Dominate Cybercrime

 

Cyberattacks are undergoing a significant transformation, shifting away from malware-driven methods toward identity exploitation. According to the CrowdStrike 2024 Global Threat Report, three out of four cyberattacks now leverage valid credentials instead of malicious software.

This change is fueled by the expanding cybercrime economy, where stolen identities are becoming as valuable as exploitable system vulnerabilities. A booming underground market for credentials, combined with AI-powered deception and automated phishing, is rendering traditional security measures ineffective.

“You may have really locked down environments for untrusted external threats, but as soon as you look like a legitimate user, you’ve got the keys to the kingdom,” said Elia Zaitsev, CTO at CrowdStrike. This shift presents a pressing challenge for enterprises: if attackers no longer need malware to infiltrate networks, how can they be stopped?

The CrowdStrike report also highlights the speed at which attackers escalate privileges once inside a network. The fastest recorded eCrime breakout time—the duration between initial access and lateral movement—was just 2 minutes and 7 seconds.

Traditional security models that focus on malware detection or manual threat investigation are struggling to keep up. In identity-driven attacks, there are no suspicious payloads to analyze—just adversaries impersonating authorized users. This has led to a rise in living-off-the-land techniques, where attackers use built-in system tools to evade detection. Instead of deploying custom malware, they exploit legitimate credentials and remote monitoring tools to blend seamlessly into network activity.

A key challenge outlined in the 2024 Global Threat Report is the expansion of identity attacks beyond a single environment. Cybercriminals now utilize stolen credentials to move laterally across on-premises, cloud, and SaaS environments, making detection even more difficult.

Jim Guinn, a cybersecurity leader at EY, explained this evolving strategy: “You have to get in, and you have to be able to laterally move throughout the network, which means you have some level of access. And access requires identity.”

Guinn also emphasized the growing role of nation-state actors, who infiltrate networks months or even years in advance, waiting for the right moment to launch an attack.

For companies that still treat endpoint security, cloud security, and identity protection as separate entities, this shift presents a major challenge. Attackers increasingly pivot between these environments, making detection and prevention even more complex.

“The moment that man created AI, he also created a way for bad actors to use AI against you,” Guinn noted. “They're creating a quicker way to get to a set of targets that cybercriminals can use, and they're creating code bases and ways to manipulate users' credentials faster than the human can think about it.”

With identity-based attacks outpacing traditional security defenses, organizations are rethinking their cybersecurity strategies.

One crucial change is the adoption of continuous identity verification. Historically, authentication has been a one-time process, where users log in and remain trusted indefinitely. However, as attackers increasingly impersonate legitimate users, companies are implementing real-time behavioral monitoring to detect anomalies.

Another key adaptation is just-in-time privileges, where employees are granted administrative access only when required—and revoked immediately afterward—to minimize risk.

“We're bringing all that to bear,” Zaitsev explained. “We are taking that cross-domain, multi-domain visibility approach, unifying it all, and then, of course, also focusing heavily on continuous detection, prevention, and response.”

Guinn shared a compelling example of an organization recognizing the importance of identity security. “One of their senior executives said, ‘I think the only reason we haven’t really had a breach—like a significant breach—is because we have multi-factor authentication for our user credentials.’”

The CrowdStrike 2024 Global Threat Report underscores a fundamental shift in cybersecurity: identity, not malware, is the new battleground. Attackers no longer rely on complex exploits or hidden backdoors when they can buy access credentials, phish an employee, or manipulate AI-driven authentication systems.

Simply put, without access to valid credentials, cybercriminals are powerless. This makes identity security the core of modern cybersecurity strategies.

As organizations adapt to this evolving threat landscape, one thing is clear: failing to prioritize identity security leaves businesses vulnerable to adversaries who no longer need to break in—they already have the keys.
Read more »
Ransomware
Credential Theft Cyber Attacks Healthcare Ransomware

Healthcare Sector Faces Highest Risk in Third-Party Cyber Attacks

 



Cybersecurity experts have identified the healthcare industry as the most frequently targeted sector for third-party breaches in 2024, with 41.2% of such incidents affecting medical institutions. This highlights a critical need for improved security measures across healthcare networks.


The Growing Threat of Unnoticed Cyber Breaches  

A recent cybersecurity study warns of the increasing risk posed by “silent breaches.” These attacks remain undetected for extended periods, allowing hackers to infiltrate systems through trusted third-party vendors. Such breaches have had severe consequences in multiple industries, demonstrating the dangers of an interconnected digital infrastructure.

Research from Black Kite’s intelligence team examined cybersecurity incidents from regulatory disclosures and public reports, revealing an alarming rise in sophisticated cyber threats. The findings emphasize the importance of strong third-party risk management to prevent security lapses.


Why Healthcare is at Greater Risk  

Several factors contribute to the vulnerability of healthcare institutions. Medical records contain highly valuable personal and financial data, making them prime targets for cybercriminals. Additionally, the healthcare sector relies heavily on external vendors for essential operations, increasing its exposure to supply chain weaknesses. Many institutions also struggle with outdated security infrastructures, further amplifying risks.

Encouragingly, the study found that 62.5% of healthcare vendors improved their security standards following a cyber incident. Regulatory requirements, such as HIPAA compliance, have played a role in compelling organizations to enhance their cybersecurity frameworks.


Major Findings from the Report

The study highlights key security challenges that organizations faced in 2024:

1. Unauthorized Access to Systems: More than half of third-party breaches involved unauthorized access, underscoring the need for stronger access control measures.

2. Ransomware Attacks on the Rise: Ransomware remained a leading method used by cybercriminals, responsible for 66.7% of reported incidents. Attackers frequently exploit vendor-related weaknesses to maximize impact.

3. Software Vulnerabilities as Entry Points: Cybercriminals took advantage of unpatched or misconfigured software, including newly discovered weaknesses, to infiltrate networks.

4. Credential Theft Increasing: About 8% of attacks involved stolen or misused credentials, highlighting the necessity of robust authentication methods, such as multi-factor authentication.

5. Targeting of Software Vendors: A major 25% of breaches were linked to software providers, reflecting an increased focus on exploiting weaknesses in the software supply chain.


With organizations becoming increasingly reliant on digital tools and cloud-based systems, cyber risks continue to escalate. A single vulnerability in a widely used platform can trigger large-scale security incidents. 

To mitigate risks, businesses must adopt proactive strategies, such as continuous monitoring, prompt software updates, and stricter access controls. Strengthening third-party security practices is essential to minimizing the likelihood of breaches and ensuring the safety of sensitive data.

The healthcare sector, given its heightened exposure, must prioritize comprehensive security measures to reduce the impact of future breaches.



Read more »
MITRE ATT&CK
Credential Theft Cyber Security Info-stealing malware Cybersecurity Malware Threats MITRE ATT&CK

Credential-Stealing Malware Surges, Now a Top MITRE ATT&CK Threat

 

Cybersecurity researchers have uncovered a sharp rise in credential-stealing malware, with 25% of over a million malware samples analyzed in 2024 targeting user credentials. This marks a threefold increase from 2023, propelling credential theft from password stores into the MITRE ATT&CK framework's top 10 techniques. These attacks accounted for 93% of all malicious cyber activities last year.

According to "The Red Report 2025" by Picus Security, threat actors are shifting towards multi-stage, sophisticated attacks, leveraging a new breed of malware. Researchers have labeled this emerging trend "SneakThief," emphasizing its focus on stealth, persistence, and automation. 

Cybercriminals are refining these malware strains to execute highly evasive operations, aiming to carry out "the perfect heist" with built-in capabilities to bypass defenses and extract sensitive data.

Despite growing concerns over AI-driven threats, researchers found no evidence of AI-powered malware in 2024. However, malware samples analyzed were capable of executing an average of 14 malicious actions, with data exfiltration and stealth techniques responsible for 11.3 million cyber incidents last year.

"Focusing on the Top 10 MITRE ATT&CK techniques is the most viable way to stop the kill chain of sophisticated malware strains as early as possible," said Volkan Ertürk, CTO and co-founder of Picus Security. "SneakThief malware is not an exception; enterprise security teams can stop 90% of malware by focusing on just 10 of MITRE's entire library of techniques."
Read more »
SharePoint
Credential Theft Cyber Fraud Cyber Threats Microsoft 365 login Microsoft visio Phishing Attack Phishing Campaigns SharePoint

New Two-Step Phishing Attack Exploits Microsoft Visio and SharePoint

 

A novel two-step phishing strategy is targeting Microsoft Visio files (.vsdx) and SharePoint, signaling a new trend in cyber deception, according to experts. Researchers at Perception Point have noted a significant rise in attacks leveraging these previously uncommon .vsdx files.

These files act as delivery tools, directing victims to phishing pages that replicate Microsoft 365 login portals, aiming to steal user credentials.

The two-step phishing attacks employ layered techniques to evade detection. Rather than delivering harmful content directly, these campaigns use trusted platforms like Microsoft SharePoint to host files that appear legitimate. Attackers embed URLs within Visio files, which redirect victims to malicious websites when clicked, bypassing traditional email security systems.

Microsoft Visio, a popular tool for professional diagram creation, has now become a phishing vector. Cybercriminals send emails with Visio files from compromised accounts, often mimicking urgent business communications such as proposals or purchase orders. This tactic encourages recipients to act quickly, increasing the likelihood of success.

Since the emails come from stolen accounts, they often pass authentication checks and evade recipient security filters. In some cases, attackers include .eml files within the emails, embedding additional malicious URLs linked to SharePoint-hosted files.

The Visio files typically contain a clickable button labeled "View Document." Victims are instructed to press the Ctrl key while clicking the button to access the malicious URL. This step, requiring manual interaction, bypasses automated security systems that cannot simulate such behaviors.

Perception Point advises organizations to strengthen their defenses against sophisticated phishing campaigns by adopting advanced threat detection solutions. Suggested measures include:

  • Dynamic URL analysis to identify harmful links.
  • Object detection models to flag suspicious files.
  • Enhanced authentication mechanisms to reduce the impact of compromised accounts.
Read more »
secure email gateways
Credential Theft Cyber Security Cyber Threats cybersecurity breaches Group-IB report Phishing Campaign phishing techniques secure email gateways

Group-IB Unveils Sophisticated Phishing Campaign Targeting Global Organizations

 


A recent report by Group-IB has exposed a highly advanced phishing campaign targeting employees from 30 companies across 15 jurisdictions. Using trusted domains and cutting-edge personalization techniques, attackers have bypassed Secure Email Gateways (SEGs) and exploited victims in critical sectors such as finance, government, aerospace, and energy.

Advanced Obfuscation and Multi-Layered Deception

The investigation, initiated in July 2024, uncovered the attackers' use of:

  • Over 200 phishing links hosted on legitimate platforms like Adobe’s InDesign cloud service and Google AMP.
  • Techniques to bypass detection systems that typically block suspicious or unknown domains.

“Nine out of ten cyberattacks start with a phishing email, making it the most common entry point for threat actors,” the report emphasized.

Phishing Emails That Mimic Trusted Brands

The attackers used professionally designed phishing emails that impersonated well-known brands, including:

  • DocuSign, prompting victims to sign fake contracts.
  • Adobe-hosted links, disguising fraudulent login pages as critical documents.

These emails featured professional formatting, familiar logos, and dynamically personalized elements. For example, by extracting a victim’s email domain, the attackers matched logos and page titles to the targeted organization, enhancing credibility.

“Scammers use a technique that dynamically pulls company logos from the official website to make the phishing links look legitimate,” the report noted.

Exploitation of APIs for Realistic Branding

The attackers leveraged APIs like https://logo.clearbit.com/[company domain] to integrate authentic logos into phishing sites. This seamless branding approach increased user trust and made phishing attempts harder to detect.

Concealing Operations with URL Redirection and Encoding

To evade detection, attackers used:

  • URL redirections via Google AMP to create complex trails.
  • Encoded parameters to obscure the attack path.

Victims were redirected to phishing pages that appeared legitimate, with pre-filled email addresses further enhancing the illusion of authenticity. Once users entered their credentials, the stolen data was sent to Command-and-Control (C2) servers or Telegram bots via API endpoints.

Advanced Data Exfiltration Techniques

The phishing sites contained JavaScript snippets that transmitted stolen credentials using Base64 encoding, effectively hiding the data during analysis. Group-IB analysts observed: “The JSON response from Telegram’s API confirms that the stolen credentials were successfully sent to a private chat controlled by the attacker.”

Ongoing Evolution in Phishing Tactics

Group-IB warns that these techniques signify a continuous evolution in phishing methodologies: “Threat actors are quickly adapting, constantly refining and improving their techniques to bypass security measures and exploit vulnerabilities.”

Conclusion: A Growing Need for Vigilance

This campaign serves as a stark reminder of the ever-evolving nature of cyber threats. Organizations must strengthen their defenses and educate employees to identify and respond to increasingly sophisticated phishing attempts.

Read more »
malware
Akira Ransomware Black Basta Ransomware Credential Theft malware

Black Basta Ransomware: New Tactics and Growing Threats

 


The Black Basta ransomware group, an offshoot of the now-defunct Conti group, has adapted its attack strategies by integrating sophisticated social engineering techniques. Recent trends include email bombing, malicious QR codes, and credential theft, showcasing the group’s commitment to exploiting vulnerabilities in organizational defenses. 
 
The group begins its operations with email bombing—flooding a target's inbox with subscription-based messages from various mailing lists. This overload often leads victims to seek assistance, creating an opportunity for attackers to impersonate IT staff or support teams. Since August 2024, impersonation tactics have extended to platforms like Microsoft Teams, where attackers persuade victims to install legitimate remote access tools such as AnyDesk, TeamViewer, or Microsoft’s Quick Assist. Microsoft has identified the misuse of Quick Assist by threat actors labeled "Storm-1811." 
 
Malicious QR codes are another tool in the group’s arsenal. Victims are sent codes via chats, claiming to link trusted mobile devices. These QR codes redirect users to malicious websites, enabling attackers to harvest credentials. Cybersecurity experts have noted that attackers sometimes use OpenSSH clients to open reverse shells, providing deeper system access. 
  
Malware Delivery and Payload Objectives 
 
After gaining initial access, Black Basta deploys malicious payloads designed to escalate the attack. Key malware tools include:
  • Zbot (ZLoader): Credential-harvesting malware.
  • DarkGate: Multi-purpose malware for executing subsequent attacks.
These tools allow attackers to steal sensitive information, such as user credentials and VPN configurations, which they use to bypass multi-factor authentication (MFA) and infiltrate organizational systems. Black Basta’s proprietary tools further enhance its effectiveness:
  • KNOTWRAP: Executes payloads directly in memory, bypassing traditional detection methods.
  • KNOTROCK: Specialized utility for deploying ransomware.
  • PORTYARD: Facilitates secure connections with command-and-control servers.
Emerging Ransomware Trends 
 
Black Basta’s innovations align with broader trends in ransomware development. New groups, like Akira and Rhysida, are also leveraging advanced techniques. Akira, developed in Rust, uses pre-built libraries to enhance efficiency, while Rhysida employs tactics like fake software websites and SEO poisoning to spread malware. These trends highlight the growing sophistication of ransomware operations. 
 
 
Defensive Measures for Organizations 
 

The Black Basta group exemplifies the evolution of cybercrime, combining email bombing, impersonation, and advanced malware tools in hybrid attack models. To counter these threats, organizations must:
  • Regularly update security systems to address vulnerabilities.
  • Implement robust training programs to help employees identify social engineering tactics.
  • Strengthen multi-factor authentication and endpoint protection measures.
As cybercriminals continue to adapt, proactive defense and vigilance remain essential to safeguarding organizational systems from these evolving threats.
Read more »
voice API
AI Security bank transfer fraud ChatGPT-4o Credential Theft cybercriminals Deepfake financial scams OpenAI Technology text-to-speech tools voice API

UIUC Researchers Expose Security Risks in OpenAI's Voice-Enabled ChatGPT-4o API, Revealing Potential for Financial Scams

 

Researchers recently revealed that OpenAI’s ChatGPT-4o voice API could be exploited by cybercriminals for financial scams, showing some success despite moderate limitations. This discovery has raised concerns about the misuse potential of this advanced language model.

ChatGPT-4o, OpenAI’s latest AI model, offers new capabilities, combining text, voice, and vision processing. These updates are supported by security features aimed at detecting and blocking malicious activity, including unauthorized voice replication.

Voice-based scams have become a significant threat, further exacerbated by deepfake technology and advanced text-to-speech tools. Despite OpenAI’s security measures, researchers from the University of Illinois Urbana-Champaign (UIUC) demonstrated how these protections could still be circumvented, highlighting risks of abuse by cybercriminals.

Researchers Richard Fang, Dylan Bowman, and Daniel Kang emphasized that current AI tools may lack sufficient restrictions to prevent misuse. They pointed out the risk of large-scale scams using automated voice generation, which reduces the need for human effort and keeps operational costs low.

Their study examined a variety of scams, including unauthorized bank transfers, gift card fraud, cryptocurrency theft, and social media credential theft. Using ChatGPT-4o’s voice capabilities, the researchers automated key actions like navigation, data input, two-factor authentication, and following specific scam instructions.

To bypass ChatGPT-4o’s data protection filters, the team used prompt “jailbreaking” techniques, allowing the AI to handle sensitive information. They simulated interactions with ChatGPT-4o by acting as gullible victims, testing the feasibility of different scams on real websites.

By manually verifying each transaction, such as those on Bank of America’s site, they found varying success rates. For example, Gmail credential theft was successful 60% of the time, while crypto-related scams succeeded in about 40% of attempts.

Cost analysis showed that carrying out these scams was relatively inexpensive, with successful cases averaging $0.75. More complex scams, like unauthorized bank transfers, cost around $2.51—still low compared to the potential profits such scams might yield.

OpenAI responded by emphasizing that their upcoming model, o1-preview, includes advanced safeguards to prevent this type of misuse. OpenAI claims that this model significantly outperforms GPT-4o in resisting unsafe content generation and handling adversarial prompts.

OpenAI also highlighted the importance of studies like UIUC’s for enhancing ChatGPT’s defenses. They noted that GPT-4o already restricts voice replication to pre-approved voices and that newer models are undergoing stringent evaluations to increase robustness against malicious use.
Read more »
Stolen Credentials
Credential Theft Cyber Security Cyber Threats initial access breaches Malware attacks Password Security Stolen Credentials

Rising Threat of Stolen Credentials and Initial Access Breaches

 

Weak or reused passwords continue to pose significant risks for organizations, as criminals increasingly exploit stolen credentials to access user accounts. This trend has fueled a thriving market for stolen credentials and the initial access they provide. The ENISA Threat Landscape 2023 report highlights a year-over-year growth in the Initial Access Broker (IAB) market, with credentials being the primary commodity for sale.

Stealer malware frequently infiltrates victim machines through social engineering tactics, primarily phishing, and sometimes through paid distribution schemes using the Emotet and Qakbot botnets. Other campaigns entice users to download seemingly legitimate software via malvertising.

ENISA anticipates that future social engineering campaigns will adapt to new defensive measures aimed at protecting credentials from abuse.

Increasing Challenges with Stolen Credentials
Organizations face growing challenges with stolen credentials. The Verizon 2024 Data Breach Investigation Report (DBIR) reveals a 180% increase in attacks exploiting vulnerabilities to initiate breaches compared to the previous year. Stolen credentials were the leading initial action in breaches, accounting for 24%, just ahead of ransomware at 23%.

Fraudsters employ various methods to steal credentials, including malware that steals passwords and sells them on the dark web. Popular tools for this purpose include Redline, Vidar, and Raccoon Stealer. The FBI has warned of cybercriminals using search engine advertisements to impersonate brands and direct users to malicious sites that host ransomware to steal login credentials.

Credentials can also be compromised through brute force attacks, where cybercriminals use tools to test password combinations until the correct one is found. These methods range from simple trial and error to more sophisticated dictionary attacks, exploiting common password choices.

Potential for Major Breaches
The Solarwinds attack, described by Microsoft Corp President Brad Smith as "the largest and most sophisticated attack the world has ever seen," exemplifies the potential danger of stolen credentials. A compromised SolarWinds password was discovered on a private Github repository, where an intern had set the password "solarwinds123" on an account with access to the company's update server.

Other notable examples include the Dropbox breach, which impacted millions of users. A Dropbox employee reused a password from a LinkedIn breach, where millions of passwords were accessed by thieves.

ENISA notes that while abusing valid accounts for initial access is not a new technique, it remains effective for cybercriminals. Misconfigured accounts and those with weak passwords are particularly vulnerable. Although multi-factor authentication (MFA) can prevent many attacks, it is not foolproof, with actors intercepting MFA codes and harassing users with push notifications.

ENISA expects credentials to remain a focal point for cybercrime actors despite technical protective measures, as these actors continually find ways around them.

Cybersecurity experts recognize the danger of stolen credentials and the necessity of strong security measures. However, complacency is not an option. The threat posed by stolen credentials is constantly evolving, necessitating ongoing adaptation.

Organizations must enforce the creation of strong passwords resistant to brute force attacks and other forms of exploitation. Specops Password Policy can help build robust password policies by:

  • Generating personalized dictionary lists to prevent the use of commonly used words within the company.
  • Providing immediate and interactive updates to users when changing passwords.
  • Restricting the use of usernames, display names, certain words, consecutive characters, incremental passwords, and repeating parts of previous passwords.
  • Applying these features to any GPO level, computer, individual user, or group within the organization.
  • Continuously scanning for and blocking over 4 billion compromised passwords, ensuring that breached passwords are found daily.
Increasing overall password security, enforcing good password hygiene, and eliminating weak passwords enhance the security of Active Directory environments and privileged accounts. Organizations must prepare their defenses by scanning for password vulnerabilities in Active Directory to detect weak and compromised passwords.
Read more »
Malicious Campaign
CISA Credential Theft Data Breach Data Leak Malicious Campaign

Hackers Reveal Their Strategy of Stealing Snowflake's Ticketmaster Data

 

Ticketmaster and other organisations' Snowflake accounts were said to have been accessed by a ShinyHunters hacker via a breach of software engineering firm EPAM Systems, validating a Mandiant report attributing some of the intrusions to third-party contractor hacks, Wired reported. 

According to the hacker, information-stealing malware and a remote access trojan deployed against one of EPAM Systems' Ukraine-based employees allowed ShinyHunters to gain access to unencrypted credentials used by the employee to access the firm's customers' Snowflake accounts, which were then used to infiltrate the Snowflake accounts, including the one owned by Ticketmaster. 

EPAM ruled out the ShinyHunters hacker's claims, but independent security researcher "Reddington" discovered an infostealer-harvested data repository online, including the internal EPAM URL to Ticketmaster's Snowflake account and the credentials employed by the EPAM worker to access Ticketmaster's account. 

"This means that anyone that knew the correct URL to [Ticketmaster’s] Snowflake could have simply looked up the password, logged in, and stolen the data" noted Reddington. 

In the hacking campaign targeting Snowflake's clients, nearly 165 customer accounts were potentially compromised, but only a few of these have been identified thus far. In addition to Ticketmaster, the banking corporation Santander has recognised that their data was stolen but has neglected to name the account from which it was taken. 

However, a local media outlet has confirmed that it was a Snowflake account; the stolen data included bank account information for 30 million customers, including 6 million account numbers and balances, 28 million credit card numbers, and human resources information about employees, according to a post published by the hackers. Lending Tree and Advance Auto Parts have also confirmed that they could possibly be victims of this campaign. 

In a notice published earlier this week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged that organisations follow Snowflake's recommendations to look for signals of odd behaviour and take precautions to prevent unauthorised access. A similar advice issued by the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) warned of "successful compromises of several companies using Snowflake environments.”
Read more »
Subscribe to: Comments (Atom)