
Email Phishing Attack Revealed by American Airlines

American Airlines is warning a number of passengers that their personal information may have been compromised after threat actors gained access to employee email accounts.

The airline said that a phishing attempt gave hackers access to the mailboxes of a limited number of employees, and that the compromised mailboxes held some customers' personal data. In notice letters distributed on Friday, September 16th, the airline noted that there is no proof that the exposed data was misused.

American Airlines detected the intrusion on July 5th, promptly secured the affected email accounts and engaged a cybersecurity forensics company to investigate the incident.

The investigation revealed that unauthorized actors had obtained the personal information of both customers and employees. Although the airline did not say how many customers were affected, it said that names, dates of birth, addresses, email addresses, phone numbers, passport numbers, and even certain medical information could have been exposed.

American Airlines' Manager for Corporate Communications issued the following statement to BleepingComputer: "American Airlines is aware of a phishing campaign that resulted in a small number of team members' mailboxes being improperly accessed."

According to American Airlines, a very small amount of customers' and employees' personal information was found in those email accounts; the airline is also providing affected individuals with a two-year membership to Experian's IdentityWorks.

Regarding the incident, the company stated: "data security is of the utmost importance and we provided customers and team members with precautionary support. We also are actively developing additional technical safeguards to avoid a similar incident from happening in the future, even though we have no proof that any personal information has been misused."

In March 2021, SITA, a leading provider of air transport information technology, revealed that hackers had broken into its systems, compromising its Passenger Service System (PSS), which is used by many airlines worldwide, including American Airlines.

To help employees recognize targeted phishing attacks, firms must ensure that staff receive adequate security training. IT and security departments should explain to staff how legitimate communications will be handled, and people must be reminded regularly how to recognize phishing emails.

North Orange County Community College District Suffered Ransomware Attack


According to an official filing by the District, on Monday, January 10, 2022, the North Orange County Community College District (NOCCCD or the District) noticed malicious activity on servers at both of the District's colleges, Cypress College and Fullerton College.

In response to the attack, the District launched an investigation with the assistance of outside computer forensic specialists to learn more about the attack and determine whether any employee or student data was breached. The notices posted on the component campus sites revealed that this was a ransomware incident.

On March 25, 2022, the NOCCCD reportedly notified more than 19,000 people about the data security incident. It has begun sending data breach notification letters to all employees and students whose information was exposed, and said it will send additional letters if it finds that other parties were affected by the attack.

The investigation confirmed that files containing sensitive credential data of employees and students may have been accessed or removed from the District's network. A copy of the notice was also posted on the Fullerton College site for international students.

While disclosing what types of data might have been compromised, the notice read, “name, and passport number or other unique identification number issued on a government document (such as Social Security number or driver’s license number); financial account information; and/or medical information.” 

The District said it is also coordinating with the colleges to review and enhance existing data protection policies. It has implemented multi-factor authentication as well as an advanced threat protection and monitoring tool to improve security and safeguard data, and new cybersecurity training for employees is being rolled out throughout the District.

Threat Actors are Using Leaked Stolen Nvidia Certificates to Hide Malware


Malicious actors are using stolen NVIDIA code-signing certificates to gain remote access to unsuspecting machines and deploy malicious software on Windows.
Earlier this week, NVIDIA, an American multinational firm, suffered a cyberattack in which hackers stole credentials and proprietary data of 71,000 employees.
The hacking group, known as Lapsus$, claimed to have stolen 1TB of data during the attack and began leaking sensitive information online after NVIDIA rejected its ransom demand.
The exposed data includes two stolen code-signing certificates that NVIDIA developers use to sign their drivers and executables before releasing them to the public. A valid signature lets Windows and end users verify who published the original file. To raise the security bar on Windows, Microsoft also requires kernel-mode drivers to be code signed; otherwise the OS refuses to load them.
After Lapsus$ leaked NVIDIA's code-signing certificates, security researchers quickly discovered that they were being used to sign malware and other tools used by threat actors.
Malware samples signed with the leaked NVIDIA certificates were discovered on VirusTotal, a malware scanning service. The uploaded samples showed the certificates being used to sign hacking tools and malware, including Cobalt Strike Beacon, Mimikatz, backdoors, and remote access trojans.
Security researchers Kevin Beaumont and Will Dormann shared that the stolen certificates utilize the following serial numbers:  
Both certificates have effectively expired, but Windows still accepts signatures made with them. Using these stolen certificates, threat actors can therefore make their programs look like legitimate NVIDIA software and get malicious drivers loaded by Windows.
“Signing certificates are the keys computers use to verify trust in software,” Casey Bisson, head of product and developer relations at code-security product provider BluBracket, stated. “Validating code signatures is a critical step in securing the global code supply chain, and it protects everybody from average consumers running Windows Updates (where signatures are validated automatically) to developers using software components in larger projects (where signatures are hopefully checked as part of the CI process).”  
To prevent vulnerable drivers from being loaded in Windows, David Weston, director of enterprise and OS security at Microsoft, tweeted that admins can configure Windows Defender Application Control (WDAC) policies to control which specific NVIDIA drivers may be loaded on a system.
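As an added example (not from the article, Microsoft or NVIDIA), a PowerShell audit a defender can run from an elevated session to find drivers on a host whose Authenticode signer certificate is on a blocklist or has expired; the serial numbers are placeholders, since the article does not reproduce them.

```powershell
# Added example: audit kernel drivers for signatures made with blocklisted
# (leaked) or expired code-signing certificates. Serials are PLACEHOLDERS;
# replace them with the values published in a trusted advisory.
$BlocklistedSerials = @(
    'PLACEHOLDER-SERIAL-1',   # hypothetical: first leaked certificate serial
    'PLACEHOLDER-SERIAL-2'    # hypothetical: second leaked certificate serial
)

# Candidate binaries: every loaded kernel driver plus the drivers directory.
$loaded = Get-CimInstance Win32_SystemDriver | Where-Object PathName |
    ForEach-Object {
        # Normalise NT-style paths (\??\C:\... and \SystemRoot\...) to Win32 paths.
        ($_.PathName -replace '^\\\?\?\\', '') -replace '^\\SystemRoot', $env:SystemRoot
    }
$onDisk = Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter *.sys -Recurse `
    -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName

$results = foreach ($path in (@($loaded) + @($onDisk) | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig  = Get-AuthenticodeSignature -LiteralPath $path
    $cert = $sig.SignerCertificate
    if (-not $cert) { continue }   # unsigned: driver signing policy / WDAC decides

    # Windows still honours some expired cross-signed driver certificates (the
    # situation the article describes), so an expired signer is worth a look.
    [pscustomobject]@{
        Path        = $path
        Subject     = $cert.Subject
        Serial      = $cert.SerialNumber
        NotAfter    = $cert.NotAfter
        Status      = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Blocklisted = ($BlocklistedSerials -contains $cert.SerialNumber)
        Expired     = ($cert.NotAfter -lt (Get-Date))
    }
}

# Blocklisted signers first, then anything signed by an expired certificate.
$results | Where-Object { $_.Blocklisted -or $_.Expired } |
    Sort-Object Blocklisted -Descending |
    Format-Table Path, Subject, Serial, NotAfter, Status, Blocklisted -AutoSize
```

A hit on a blocklisted serial is a candidate for a WDAC deny rule and incident triage; an expired-but-valid signer alone is only a review item, because many legitimate older drivers carry them.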

VirusTotal Hacking: Hackers can Access Trove of Stolen Credentials on VirusTotal


By searching VirusTotal, an online service that analyses suspicious files and URLs, security researchers have discovered a technique for gathering large volumes of stolen user credentials.

The SafeBreach research team used this technique to acquire over a million credentials with a €600 (about $679) VirusTotal licence and a few tools. The goal was to determine what a criminal could obtain with a licence for VirusTotal, a Google-owned service that lets users submit suspicious files and links and check them against multiple antivirus engines for free.

A licensed VirusTotal user can combine queries to search the service's dataset by file type, file name, submission data, country, file content, and more. Many info stealers gather credentials from forums, mail accounts, browsers and other sources, write them to a specific hard-coded file name (for example, "all credentials.txt"), and then exfiltrate the file from the victim's device to the attackers' command-and-control server.

Using this insight, the researchers relied on VirusTotal tools and APIs such as search, VirusTotal Graph, and Retrohunt to locate files containing stolen data.

Tomer Bar, director of security research at SafeBreach stated, "It is quite a straightforward technique, which doesn't require strong understanding in malware. All you need is to choose one of the most common info stealers and read about it online." 

To collect this data, the researchers focused on well-known info stealers such as RedLine Stealer, Azorult, Raccoon Stealer and Hawkeye, as well as well-known forums like DrDark and Snatch Cloud, and found that the approach worked at scale.

RedLine Stealer is a type of malware that may be purchased individually or as part of a subscription on underground forums. It collects information such as saved credentials, autocomplete data, and credit card information across browsers. When malware is installed on a target machine, it creates a system inventory that contains usernames, location data, hardware settings, and security software details. RedLine Stealer can upload and download files as well as run commands.

To begin, the researchers used VirusTotal Query to look for binaries that at least one antivirus engine had classified as RedLine, which yielded 800 matches. They also searched for files named DomainDetects.txt, one of the file names the malware uses, which turned up hundreds of exfiltrated files.

They then turned to VirusTotal Graph, a visual exploration tool for licensed VirusTotal customers. One of the search results led them to a RAR archive containing exfiltrated data from 500 victims, including 22,715 passwords for a variety of websites; other results contained even larger files with more passwords.

According to the researchers, several of the URLs belonged to government-related websites. While there are many different info stealers, the researchers chose five of the most popular ones because they were more likely to be found in the VirusTotal dataset.

Researchers wrote in their blog post, "A criminal who uses this method can gather an almost unlimited number of credentials and other user-sensitive data with very little effort in a short period of time using an infection-free approach. We called it the perfect cybercrime, not just due to the fact that there is no risk and the effort is very low, but also due to the inability of victims to protect themselves from this type of activity." 

The researchers informed Google of their discoveries and asked VirusTotal for the files containing personal information. They also suggested screening for and erasing files containing sensitive user data regularly, as well as prohibiting API keys from uploading those files.