Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Credentials. Show all posts
Telefonica
Credentials cyberattack investigation cybercriminals Cybersecurity Cyberthreats Data Breach Digital Age Digital Defence IT Breach Telefonica

Telefónica Investigates Claims of Major Data Breach by Cybercriminal

 


An investigation has been conducted into a significant cybersecurity incident that occurred in 2025 at Telefónica, a global telecommunications company serving millions across Europe and Latin America. In addition to allegedly obtaining a considerable cache of confidential corporate data from the company's systems, a threat actor has claimed responsibility for a breach of the company's systems. 

Additionally, the hacker claims that sensitive internal information has already been leaked online by the hacker. This has caused heightened alarm within both the cybersecurity community and regulatory bodies worldwide, as both have been concerned about this development. 

Even though the suspected breach has raised concerns that even the most well-established businesses are increasingly vulnerable to cyber threats, it raises urgent questions about the overall resilience of multinational corporations against the increasingly sophisticated cyber threats we face today.

It is still unclear what exactly the extent of the compromise is, but experts warn that such incidents can have far-reaching consequences, not only in terms of operational disruption and financial impact, but also in terms of damaging the reputation of the company's customers. Telefónica is a large and important part of the global communication infrastructure, and any verified exposure of their business reputation, compliance obligations, and customer relationships could be severely affected if the information were disclosed. 

The case, which is being analysed by authorities and cybersecurity specialists to assess whether the hacker's claims are genuine and scope-based, is proving to be an important reminder of how cyber risk continues to evolve in the digital age. As a result of a targeted cyberattack on its internal systems, Telefónica, the multinational telecommunications provider headquartered in Madrid, has been officially informed that its systems have been compromised. This company disclosed that, due to the breach, unauthorised access has been granted to over 236,000 customer data entries. 

A total of approximately half a million Jira development and support tickets have been stolen as a result of the breach, including critical records that are often associated with internal communication, technical workflows, and potentially sensitive information about the company's operations. Based on the type of data exposed, it has been suggested that the attackers may have been able to gain deep insight into Telefónica's internal processes, project management infrastructure, and customer interactions. 

There are serious risks involved not only for those affected, but also for the organisation's operations, security and competitiveness if there is a security breach. There is concern that Jira platforms, which are commonly used for software development and IT service management, may contain detailed information about system configurations, troubleshooting logs, and network vulnerabilities, a feature that makes the breach particularly alarming to cybersecurity researchers. 

Despite early indicators that indicate a sophisticated and well-planned intrusion, forensic investigations continue to indicate that the attacker may have exploited system misconfigurations and weaknesses in user credentials in order to launch the attack. In cyberattacks, adversaries are increasingly trying to steal both data and disrupt long-term strategic goals by exploiting vulnerabilities in their systems. 

The scale and specificity of the data accessed reflect this trend. There is a growing sense that global telecom providers have to strengthen their digital defences and become more transparent when reporting incidents. As a result of emerging reports, it has been confirmed that the data breach occurred after Telefónica's Jira database appeared on a notorious hacker forum, which increased the pressure on them to improve their cybersecurity.

Apparently, the disclosure was made by four individuals using the aliases DNA, Grep, Pryx, and Rey, now associated with Hellcat Ransomware, one of the more active cybercriminal groups that has surfaced recently in recent times. It has been claimed that the intruders have compromised Telefónica's internal ticketing system, which is based on the Jira platform, a common software development, issue tracking, and workflow management platform used by many organisations. 

As of early this week, the attackers were able to gain access to the telecom's internal systems by using compromised employee credentials, which enabled them to penetrate the company's internal systems. After entering, the attackers were able to exfiltrate around 2.3 GB of data, including technical tickets, internal documentation and other documents. 

It appears that some of the data was associated with the customers, though the tickets were submitted through @telefonica.]com addresses, suggesting that employees might have logged the tickets on behalf of clients, rather than the customers themselves. Several new details have emerged indicating that one of the key people responsible for the Telefónica breach, known as “Rey,” is an individual who self-identifies as one of the Hellcat Ransomware group members.

It is important to note that this is not the first time Telefónica has been attacked by the same threat actor. Rey was also responsible for another breach that occurred in January 2025. That breach also used the company's internal Jira ticketing and development server to exploit a similar vulnerability. It seems that the recurring attack indicates that the internal infrastructure of the telecom giant has persistent security weaknesses. 

Rey has claimed in a statement to the cybersecurity report that he has exfiltrated an enormous amount of data from the most recent incident, including 385,311 files totalling 106.3 gigabytes of data in total. It is reported that the data in question includes an array of internal materials, including service tickets, internal emails, procurement documents, system logs, customer records, and personal details related to sensitive employees. 

If this data is verified, it could constitute a substantial breach of operational and personal data based on the volume and sensitivity it reveals. A misconfiguration in Telefónica's Jira environment, which occurred even after the company responded to a similar incident earlier in the year, was attributed to the success of the intrusion that occurred on May 30. A recent revelation has prompted a renewed concern within the cybersecurity community over Telefónica's patch management and remediation processes, especially since the same vulnerability was allegedly exploited twice within the last six months.

It has been noted by industry experts that these kinds of lapses not only compromise data security but also undermine the confidence of customers and compliance with regulations. Repeated targeting by the same group demonstrates that modern cyber threats have evolved and persist for quite a while and that they are exploiting both technical vulnerabilities as well as organisational inertia. 

Security experts continue to emphasise the importance of not only addressing incidents, but also conducting comprehensive audits and hardening of infrastructure as a means of preventing recurrences. Atypically, the perpetrators of ransomware campaigns did not contact Telefónica. They did not issue any demands to the company or attempt extortion before releasing the stolen information publicly. 

Security researchers have expressed concern over the unusual and concerning nature of this approach, suggesting that there may be a motive other than financial gain, such as disrupting or making a name for oneself. The Telefónica team responded to the breach by resetting the credentials of the affected accounts and barring further access via the compromised login information after the breach was identified. 

Although these mitigation measures were enacted swiftly, cybersecurity analysts are warning of the possibility that the leaked data may be wweaponisedin phishing and social engineering attacks in the future. A warning is being issued to individuals and organisations associated with Telefónica to remain vigilant against suspicious communications and attempts to exploit the breach for fraudulent purposes. 

Following the breach, the stolen data was first spread through the use of PixelDrain, a platform for sharing and storing files online. The content, however, was removed within a matter of hours due to legal and policy violations. The threat actor circulated a new download link using Kotizada, an alternative file-hosting service, as a response to the removal. 

A recent study has shown that Kotizada is a potentially dangerous website that has been flagged by Google Chrome, with browser security systems strongly advising that users should stay away from the site or avoid it entirely. The attacker has observed a pattern of evasion and re-hosting to maximise exposure while circumventing takedown efforts. 

In the meantime, Telefónica has not yet released an updated public statement clarifying whether the leaked information is based on newly compromised data or whether it is based on previous incidents. Some popular firms reported that some of the email addresses contained within the leaked files appear to belong to employees who are currently active. This suggests the breach may have involved recent and relevant internal data rather than historic documents. 

As far as this operation is concerned, the threat actor is associated with the Hellcat Ransomware group, a collective infamous for repeatedly targeting Jira servers with its malware. Hellcat has been connected to several high-profile breaches which have affected major global companies. Affinitiv, a marketing technology company, Jaguar Land Rover, Orange Group, Schneider Electric, as well as Ascom, a Swiss company that provides telecommunication and workflow solutions, iareof the companies that have claimed to have been affected by this hack. 

In addition, the group's consistent focus on exploiting Jira platforms indicates that they have developed a strategic, specialised approach to identifying and exploiting specific system misconfigurations in enterprise environments. Analysts warn that this operational pattern is indicative of a larger, industry-wide risk that should be addressed urgently by reevaluating the security configurations and access controls within the platform. 

Even though there are still a few details about the hack that led to the Telefónica breach, the incident serves as a sharp reminder of the evolving threat landscape that even the most fortified organisations are facing in today's digital ecosystem, where perimeter defences alone are not sufficient to protect themselves. 

The cybersecurity environment must be regarded holistically and with zero trust—a strategy that emphasises continuous monitoring, proactive threat intelligence, and robust internal controls. As a key entry point for attackers, human error remains one of the leading factors preventing them from attacking, so companies must cultivate a culture of cybersecurity awareness among employees in addition to technical safeguards. 

Also, the fact that the breach recurred through an already exploited vector underscores the importance of rigorous post-incident remediation, configuration audits, and patch management to prevent recurrences of the attack. Telefónica’s experience is a cautionary case study for industry peers and stakeholders on the consequences of underestimating latent system vulnerabilities as well as the speed with which attackers can re-engage with the system. 

Nevertheless, to minimise systemic risk and maintain public trust in an era of escalating digital exposure, the telecom sector will need to enhance transparency, swift incident disclosure, and collaboration to fight cyberattacks across the sector.
Read more »
WebSockets
Blockchain codebase Credentials Crypto Cybersecurity dataexfiltration dependency devtools Firewall Gmail Hacking malware phishing PyPI python scripts SMTP Spoofing Threatactors WebSockets

Malicious PyPI Packages Exploit Gmail to Steal Sensitive Data

 

Cybersecurity researchers have uncovered a disturbing new tactic involving malicious PyPI packages that use Gmail to exfiltrate stolen data and communicate with threat actors. The discovery, made by security firm Socket, led to the removal of the infected packages from the Python Package Index (PyPI), although not before considerable damage had already occurred.

Socket reported identifying seven malicious packages on PyPI, some of which had been listed for more than four years. Collectively, these packages had been downloaded over 55,000 times. Most were spoofed versions of the legitimate "Coffin" package, with deceptive names such as Coffin-Codes-Pro, Coffin-Codes, NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, and Coffin-Grave. Another package was titled cfc-bsb.

According to the researchers, once installed, these packages would connect to Gmail using hardcoded credentials and initiate communication with a command-and-control (C2) server. They would then establish a WebSockets tunnel that leverages Gmail’s email server, allowing the traffic to bypass traditional firewalls and security systems.

This setup enabled attackers to remotely execute code, extract files, and gain unauthorized access to targeted systems.

Evidence suggests that the attackers were mainly targeting cryptocurrency assets. One of the email addresses used by the malware featured terms like “blockchain” and “bitcoin” — an indication of its intent.

“Coffin-Codes-Pro establishes a connection to Gmail’s SMTP server using hardcoded credentials, namely sphacoffin@gmail[.]com and a password,” the report says.
“It then sends a message to a second email address, blockchain[.]bitcoins2020@gmail[.]com politely and demurely signaling that the implant is working.”

Socket has issued a warning to all Python developers and users who may have installed these packages, advising them to remove the compromised libraries immediately, and rotate all sensitive credentials.

The researchers further advised developers to remain alert for suspicious outbound connections:

“especially SMTP traffic”, and warned them not to trust a package just because it was a few years old.
“To protect your codebase, always verify package authenticity by checking download counts, publisher history, and GitHub repository links,” they added.

“Regular dependency audits help catch unexpected or malicious packages early. Keep strict access controls on private keys, carefully limiting who can view or import them in development. Use isolated, dedicated environments when testing third-party scripts to contain potentially harmful code.”
Read more »
Ransomware
AI Akira Credentials Cyber Crime IBM phishing Ransomware

Cybercriminals Are Now Focusing More on Stealing Credentials Than Using Ransomware, IBM Warns

 



A new report from IBM’s X-Force 2025 Threat Intelligence Index shows that cybercriminals are changing their tactics. Instead of mainly using ransomware to lock systems, more hackers are now trying to quietly steal login information. IBM studied over 150 billion security events each day from 130+ countries and found that infostealers, a type of malware sent through emails to steal data, rose by 84% in 2024 compared to 2023.

This change means that instead of damaging systems right away, attackers are sneaking into networks to steal passwords and other sensitive information. Mark Hughes, a cybersecurity leader at IBM, said attackers are finding ways into complex cloud systems without making a mess. He also advised businesses to stop relying on basic protection methods. Instead, companies should improve how they manage passwords, fix weaknesses in multi-factor authentication, and actively search for hidden threats before any damage happens.

Critical industries such as energy, healthcare, and transportation were the main targets in the past year. About 70% of the incidents IBM helped handle involved critical infrastructure. In around 25% of these cases, attackers got in by taking advantage of known flaws in systems that had not been fixed. Many hackers now prefer stealing important data instead of locking it with ransomware. Data theft was the method in 18% of cases, while encryption-based attacks made up only 11%.

The study also found that Asia and North America were attacked the most, together making up nearly 60% of global incidents. Asia alone saw 34% of the attacks, and North America had 24%. Manufacturing businesses remained the top industry targeted for the fourth year in a row because even short outages can seriously hurt their operations.

Emerging threats related to artificial intelligence (AI) were also discussed. No major attacks on AI systems happened in 2024, but experts found some early signs of possible risks. For example, a serious security gap was found in a software framework used to create AI agents. As AI technology spreads, hackers are likely to build new tools to attack these systems, making it very important to secure AI pipelines early.

Another major concern is the slow pace of fixing vulnerabilities in many companies. IBM found that many Red Hat Enterprise Linux users had not updated their systems properly, leaving them open to attacks. Also, ransomware groups like Akira, Lockbit, Clop, and RansomHub have evolved to target both Windows and Linux systems.

Lastly, phishing attacks that deliver infostealers increased by 180% in 2024 compared to the year before. Even though ransomware still accounted for 28% of malware cases, the overall number of ransomware incidents fell. Cybercriminals are clearly moving towards quieter methods that focus on stealing identities rather than locking down systems.


Read more »
Password Manager
Credentials cyber attack Cybersecurity Digital Security Hacking Infostealer malware MFA Password Manager

Cybercriminals Intensify Attacks on Password Managers

 

Cybercriminals are increasingly setting their sights on password managers as a way to infiltrate critical digital accounts.

According to Picus Security’s Red Report 2025, which analyzed over a million malware samples from the past year, a quarter (25%) of all malware now targets credentials stored in password managers. Researchers noted that this marks a threefold surge compared to the previous year.

“For the first time ever, stealing credentials from password stores is in the top 10 techniques listed in the MITRE ATT&CK Framework,” they said. “The report reveals that these top 10 techniques accounted for 9Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. 3% of all malicious actions in 2024.”

Advanced Hacking Techniques

Dr. Suleyman Ozarslan, co-founder and VP of Picus Labs, revealed that cybercriminals use sophisticated methods like memory scraping, registry harvesting, and breaching both local and cloud-based password stores to extract credentials.

To counter this rising threat, Ozarslan emphasized the importance of using password managers alongside multi-factor authentication (MFA). He also warned against password reuse, particularly for password.

Beyond the growing frequency of attacks, hackers are also deploying more advanced techniques. Picus Security highlighted that modern cybercriminals are now favoring long-term, multi-stage attacks that leverage a new generation of malware. These advanced infostealers are designed for stealth, persistence, and automation.

Researchers compared this evolution in cyber threats to “the perfect heist,” noting that most malware samples execute over a dozen malicious actions to bypass security defenses, escalate privileges, and exfiltrate data.

A password manager is a cybersecurity tool that securely stores, generates, and auto-fills strong passwords across websites and apps. By eliminating the need to remember multiple passwords, it strengthens security and reduces the risk of breaches. Experts consider it an essential component of cybersecurity best practices.
Read more »
Privacy
API AT&T Credentials Google Cloud Privacy

Weak Cloud Credentials Behind Most Cyber Attacks: Google Cloud Report

 



A recent Google Cloud report has found a very troubling trend: nearly half of all cloud-related attacks in late 2024 were caused by weak or missing account credentials. This is seriously endangering businesses and giving attackers easy access to sensitive systems.


What the Report Found

The Threat Horizons Report, which was produced by Google's security experts, looked into cyberattacks on cloud accounts. The study found that the primary method of access was poor credential management, such as weak passwords or lack of multi-factor authentication (MFA). These weak spots comprised nearly 50% of all incidents Google Cloud analyzed.

Another factor was screwed up cloud services, which constituted more than a third of all attacks. The report further noted a frightening trend of attacks on the application programming interfaces (APIs) and even user interfaces, which were around 20% of the incidents. There is a need to point out several areas where cloud security seems to be left wanting.


How Weak Credentials Cause Big Problems

Weak credentials do not just unlock the doors for the attackers; it lets them bring widespread destruction. For instance, in April 2024, over 160 Snowflake accounts were breached due to the poor practices regarding passwords. Some of the high-profile companies impacted included AT&T, Advance Auto Parts, and Pure Storage and involved some massive data leakages.

Attackers are also finding accounts with lots of permissions — overprivileged service accounts. These simply make it even easier for hackers to step further into a network, bringing harm to often multiple systems within an organization's network. Google concluded that more than 60 percent of all later attacker actions, once inside, involve attempts to step laterally within systems.

The report warns that a single stolen password can trigger a chain reaction. Hackers can use it to take control of apps, access critical data, and even bypass security systems like MFA. This allows them to establish trust and carry out more sophisticated attacks, such as tricking employees with fake messages.


How Businesses Can Stay Safe

To prevent such attacks, organizations should focus on proper security practices. Google Cloud suggests using multi-factor authentication, limiting excessive permissions, and fixing misconfigurations in cloud systems. These steps will limit the damage caused by stolen credentials and prevent attackers from digging deeper.

This report is a reminder that weak passwords and poor security habits are not just small mistakes; they can lead to serious consequences for businesses everywhere.


Read more »
Security Vendors
Credentials Cyber Hackers Cyberattacks CyberCrime Cybersecurity CyberThreat Darkweb Data Breach Security Vendors

Credentials of Major Cybersecurity Vendors Found on Dark Web for $10

 


As a result of recent findings on dark web marketplaces, it has been found that many account credentials from major security vendors are being sold. According to Cyble, the rise of information stealers has been largely responsible for this alarming situation, since the credentials of vendors and their clients are compromised. This poses a substantial risk to both vendors and their clients, which makes the need for enhanced cybersecurity measures more urgent than ever before. 

As a result of these credentials, which can be purchased on cybercrime markets for a mere $10, access to internal accounts, customer systems, and cloud-based environments can be acquired. This is alarming because it encompasses internal enterprise accounts of security companies as well as internal development accounts, thereby posing a severe security threat. 

The best solution would have been to protect these accounts by implementing multifactor authentication (MFA). This would have made it much harder for unauthorized individuals to gain access to these accounts in the first place. It is evident from this incident that there are critical vulnerabilities in access management practices when these protections are not in place or fail, further emphasizing the necessity of robust dark web monitoring as a proactive security measure. 

It is important to detect credential leaks early on so that organizations can minimize the risk of such exposures escalating into large-scale cyberattacks. This will prevent operational integrity from being compromised as well as stakeholder trust from being compromised. It is important to remember that even the most well-defended organizations face persistent threats and that continuous vigilance is essential to preventing those threats from happening. This is a very timely report, as Cyble's data focuses on leaks from the current year, highlighting a more urgent threat than old breaches. 

As these accounts are often associated with sensitive management and development interfaces, attackers may be able to use them to conduct reconnaissance, locate sensitive data, and exploit system vulnerabilities, thereby being able to exploit sensitive data. Even multi-factor authentication (MFA) systems are at risk of misuse because of the stolen credentials, which include company email addresses. 

It has been reported that cybersecurity vendors' credentials are becoming increasingly accessible on dark web marketplaces for as little as $10. According to the findings from Cyble, these credentials were likely harvested from information stealer logs and sold in bulk, which indicates that cybercrime targeting sensitive access data has increased significantly in recent years. In a study aimed at examining leaks occurring in 2025, all 14 vendors that were examined had exposed their customers' and internal credentials.

Among these vendors are those that mainly offer enterprise security solutions and cloud security services, as well as consumer security solutions, but Cyble did not reveal the names of the affected vendors because it wanted to protect their identities and emphasize that such a situation poses a serious risk to the integrity of the company as well as client trust. Based on the findings in this study, it is obvious that drastic security measures, as well as comprehensive monitoring, are required to prevent credential theft from occurring in the cybersecurity sector, as the threat of credential theft continues to grow. 

The researchers at Cyble did not attempt to determine whether any credentials were valid. Many of these vulnerabilities were associated with easily accessible web console interfaces, single-sign-on (SSO) logins, and other web-based account access points. The researchers concluded that vulnerabilities likely caused these leaks in potentially critical internal systems, such as password managers, authentication systems, device management platforms, or common internet services, such as Okta, GitHub, Amazon Web Services, Microsoft Online, Salesforce, SolarWinds, Box, WordPress, Oracle, and Zoom. 

There was an incident in which sensitive internal company accounts, including email addresses, developer interfaces, and product accounts of a large vendor, were exposed, posing significant risks depending on the extent of access granted to these accounts. Even if all the exposed accounts were protected by other means, as ideally they should have been, this leak is concerning for another reason. By providing threat actors with insight into how a target's systems operate, including the locations of sensitive data and potential vulnerabilities they can exploit, they can assist in conducting reconnaissance.

Hackers can also expose sensitive information by revealing URLs of management interfaces that are not publicly known, offering attackers further reconnaissance information. Monitoring leaked credentials for essential systems like security tools is necessary to prevent breaches and to hinder hackers from obtaining valuable information about an organization's systems and how to access them. The company stated that, in addition to the direct threats associated with unauthorized access, the exposed credentials could serve as a valuable asset for threat actors as a means of reconnaissance. 

Such access can provide attackers with valuable insights into the systems a potential target relies on, including the location of sensitive data and exploitable vulnerabilities, among other things. Infostealers can also uncover critical information that is not publicly disclosed, thus enhancing an attacker's ability to exploit the target's systems. 

As Cyble highlighted in its analysis, these findings have a broader impact on any organization, since even the largest cybersecurity vendors are susceptible to hacking, making any company vulnerable. Several security measures have been identified in the report, including multi-factor authentication (MFA), zero-trust architecture, effective vulnerability management, and network segmentation, as essential to ensuring the security of an organization. 

Several practices can be implemented to reduce the risk of data breaches, ransomware incidents, or other cyberattacks. This report serves as a stark reminder of the pervasive and ever-evolving nature of cyber threats, making it increasingly imperative to take proactive measures to safeguard both organizational integrity and sensitive data in the future. Finally, dark web monitoring has the potential to play a critical role in the fight against cyber threats. 

It enables the detection of credential leaks that often result in significant incidents, such as breaches of sensitive data and ransomware attacks before they fully materialize Monitoring compromised credentials associated with critical security tools and systems is crucial in preventing unauthorized access and thwarting threat actors from acquiring critical insights into an organization's infrastructure. Such reconnaissance capabilities have been shown to greatly enhance attackers' effectiveness in exploiting vulnerabilities. This study emphasizes that even the largest cybersecurity vendors are vulnerable to infostealer attacks, demonstrating that no organization can be completely protected from cyberattacks. 

To combat these risks, foundational cybersecurity measures are imperative—including multi-factor authentication (MFA), zero-trust architecture, vulnerability management, and network segmentation—to prevent cyber threats from occurring. Such strategies play a pivotal role in minimizing the risk of cyberattacks while effectively mitigating their potential consequences. This highlights the critical need for organizations to adopt a proactive, multi-layered cybersecurity approach. By doing so, they can bolster their resilience and safeguard their assets against the ever-evolving challenges of today’s complex threat environment.
Read more »
Windows
Bugs Credentials cyber threat malware RAT Windows

QWIXXRAT: A Fresh Windows RAT Emerges in the Threat Landscape

 

In early August 2023, the Uptycs Threat Research team uncovered the presence of a newly identified threat, the QwixxRAT, also referred to as the Telegram RAT. This malicious software was being promoted and distributed via platforms such as Telegram and Discord.

The QwixxRAT operates as a remote access trojan, capable of surreptitiously gathering sensitive information from targeted systems.

This ill-gotten data is then surreptitiously transmitted to the attacker's Telegram bot, granting them unauthorized access to the compromised user's confidential details. The process is facilitated by the threat actors who can manipulate and oversee the RAT's activities through the same Telegram bot.

“Once installed on the victim’s Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attacker’s Telegram bot, providing them with unauthorized access to the victim’s sensitive information.”reads a new report published by security firm Uptycs.

“To avoid detection by antivirus software, the RAT employs command and control functionality through a Telegram bot. This allows the attacker to remotely control the RAT and manage its operations.” 

Experts have identified the QwixxRAT as a meticulously engineered threat, specifically crafted to extract a wide spectrum of sensitive data. Its repertoire includes the theft of browser histories, credit card particulars, screenshots, keystrokes, FTP credentials, messenger conversations, and data linked to the Steam platform.

Uptycs, the cybersecurity company behind the discovery, underscored that the QwixxRAT is available for purchase on the criminal market. Interested parties can acquire a weekly subscription for 150 rubles or opt for a lifetime subscription priced at 500 rubles. Additionally, a limited free version has been noted by the researchers.

Technically, the QwixxRAT is coded in C# and takes the form of a compiled binary, functioning as a 32-bit executable tailored for CPU operations. With a total of 19 distinct functions, the malware exhibits a diverse set of capabilities.

In order to evade scrutiny, the malware incorporates various anti-analysis features and evasion tactics. Notably, the RAT employs a sleep function to introduce delays, serving as a mechanism to detect potential debugging activities. Furthermore, the malicious code performs checks to ascertain if it is running within a sandbox or virtual environment.

The QwixxRAT establishes persistence by creating a scheduled task tied to a concealed file located at "C:\Users\Chrome\rat.exe". Additionally, the malware possesses a self-destruct mechanism that can be triggered for the C# program's termination.

A unique characteristic of the QwixxRAT is its incorporation of a clipper code, enabling the capture of data copied to the clipboard. This technique is adeptly employed to extract cryptocurrency wallet information pertaining to Monero, Ethereum, and Bitcoin.

The researchers have taken a proactive step by publishing a YARA detection rule tailored to identify this particular threat.
Read more »
ToolKit
Credentials Cyber Security Safety Security ToolKit

This New AlienFox Toolkit Steals Credentials for 18 Cloud Services

 

Threat actors can use a new modular toolkit called 'AlienFox' to scan for misconfigured servers and steal authentication secrets and credentials for cloud-based email services. The toolkit is sold to cybercriminals through a private Telegram channel, which has become a common transaction channel for malware authors and hackers. 

According to SentinelLabs researchers who examined AlienFox, the toolset targets common misconfigurations in popular services such as online hosting frameworks such as Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress. Analysts discovered three versions of AlienFox, indicating that the toolkit's author is actively developing and improving the malicious tool.

AlienFox is after your secrets

AlienFox is a modular toolset made up of a variety of custom tools and modified open-source utilities created by various authors. It is used by threat actors to collect lists of misconfigured cloud endpoints from security scanning platforms such as LeakIX and SecurityTrails.

Then, AlienFox searches the misconfigured servers for sensitive configuration files commonly used to store secrets, such as API keys, account credentials, and authentication tokens, using data-extraction scripts.

1and1, AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Nexmo, Office365, OneSignal, Plivo, Sendgrid, Sendinblue, Sparkpostmail, Tokbox, Twilio, Zimbra, and Zoho are among the cloud-based email platforms targeted. Separate scripts are also included in the toolkit to establish persistence and escalate privileges on vulnerable servers.

According to SentinelLabs, the first version discovered in the wild is AlienFox v2, which focuses on web server configuration and environment file extraction. The malware then parses the files for credentials and attempts to SSH using the Paramiko Python library on the targeted server.

AlienFox v2 also includes a script (awses.py) that automates the sending and receiving of messages on AWS SES (Simple Email Services) as well as the application of elevated privilege persistence to the threat actor's AWS account. Finally, AlienFox 2.0 includes an exploit for CVE-2022-31279, a deserialization vulnerability in the Laravel PHP Framework.

AlienFox v3 added automated key and secret extraction from Laravel environments, and stolen data now included tags indicating the harvesting method. The third version of the kit, in particular, improved performance by including initialization variables, Python classes with modular functions, and process threading.

AlienFox v4 is the most recent version, which includes improved code and script organisation as well as targeting scope expansion. The fourth version of the malware, in particular, includes WordPress, Joomla, Drupal, Prestashop, Magento, and Opencart targeting, an Amazon.com retail site account checker, and an automated cryptocurrency wallet seed cracker for Bitcoin and Ethereum.

The new "wallet cracking" scripts indicate that AlienFox's developer wishes to broaden the toolset's clientele or enhance its capabilities in order to secure subscription renewals from existing customers.

Administrators must ensure that their server configuration is set with the proper access controls, file permissions, and the removal of unnecessary services to protect against this evolving threat.Furthermore, implementing MFA (multi-factor authentication) and monitoring for any unusual or suspicious activity on accounts can aid in the early detection of intrusions.



Read more »
Theft
Credentials Cyber Fraud Fraud Safety Scammers Scams Security Theft

How to Prevent Corporate Login Credential Theft?

 

Expenditure on enterprise cybersecurity is growing rapidly. According to the most recent estimates, the average figure for 2021 will be more than $5 million. Despite this, US organizations reported a record number of data breaches in the same year. 

So, what's the problem? Static passwords, user errors, and phishing attacks continue to undermine security efforts. Threat actors benefit greatly from easy access to credentials. And user training alone will not be enough to restore the balance. A strong credential management strategy is also required, with multiple layers of protection to ensure credentials do not fall into the wrong hands.

During the first half of this year, nearly half of all reported breaches involved stolen credentials. Once obtained, these credentials allow threat actors to disguise themselves as legitimate users in order to deploy malware or ransomware or move laterally through corporate networks. Extortion, data theft, intelligence gathering, and business email compromise (BEC) can all be carried out by attackers, with potentially huge financial and reputational consequences. Breaches caused by stolen or compromised credentials cost an average of $4.5 million in 2021, and they are more difficult to detect and contain (327 days).

It may come as no surprise that the cybercrime underground is rife with stolen credentials. In fact, 24 billion were in circulation in 2021, a 65% increase over 2020. Poor password management is one factor.  Since password reuse is common, these credential hauls can be fed into automated software to unlock additional accounts across the web, a technique known as credential stuffing. They are quickly put to use once they are in the hands of hackers. 

As per one study, cybercriminals gained access to almost a quarter (23%) of accounts immediately after the compromise, most likely through automated tools designed to quickly validate the credibility of the stolen credential.

Phishing is a particularly serious enterprise threat that is becoming more sophisticated. Unlike the error-ridden spam of yesteryear, some efforts appear so genuine that even a seasoned pro would have difficulty detecting them. Corporate logos and typefaces are accurately reproduced. Domains may use typosquatting to appear identical to legitimate domains at first glance.

They may even use internationalized domain names (IDNs) to imitate legitimate domains by replacing Roman alphabet letters with lookalikes from non-Latin alphabets. This enables fraudsters to register phishing domains that look exactly like the original.

The same holds true for the phishing pages that cybercriminals direct employees to. These pages are intended to be convincing. URLs will frequently use the same tactics mentioned above, such as letter substitution. They also intend to imitate logos and fonts. These techniques make pages appear to be the "real deal." To trick users, some login pages display fake URL bars that display the real website address. This is why you can't expect employees to know which sites are legitimate and which are attempting to dupe them.

This means that user awareness programs must be updated on a regular basis to account for specific hybrid-working risks as well as constantly changing phishing tactics. Short, bite-sized lessons with real-world simulation exercises are required. Creating a culture in which reporting attempted scams is encouraged is also important.

But be aware that there is no silver bullet, and user education alone will not reliably prevent credential theft. Bad actors only need to be fortunate once. And there are numerous ways for them to contact their victims, including email, social media, and messaging apps. It is unrealistic to expect every user to detect and report these attempts. Education must use technology and solid processes.

Credential management should be approached in layers by organizations. The goal is to reduce the number of sites where users must enter passwords. Single sign-on (SSO) should be implemented by organizations for all reputable necessary work applications and websites. SSO should be supported by all SaaS providers.

In the meantime, a password manager would be useful if there are logins that require different credentials. This also allows employees to determine whether a login page can be trusted, as the password manager will not provide credentials for a site it does not recognize. To secure logins, organizations should also enable multi-factor authentication (MFA).

FIDO2 is also gaining popularity. It will provide a more robust solution than traditional authenticator apps, though those apps will still be superior to text-message codes. Not everything is foolproof, and risky login pages may slip through the cracks. Employees should only be flagged for risky login pages as a last resort. 

This can be accomplished by analyzing threat intelligence metrics, webpage similarities, domain age, and how users arrived at a log in page in real-time. This rating can then be used to either block high-risk login pages or warn users to check again for less-risky ones. Importantly, because this technology only intervenes at the last second, security appears transparent to the user and does not make them feel watched.

A layered approach to credential management, when combined with an architectural approach to security across the entire stack, can help reduce the attack surface and mitigate risk from an entire class of threat.
Read more »
Vidar Stealer
attackers CopperStealer Credentials malware Password Software Vidar Stealer

This Malware is Spreading Via Fake Cracks

 

An updated sample of the CopperStealer malware has been detected, infecting devices via websites providing fraudulent cracks for applications and other software.

Cyber attackers employ these bogus apps to perform a range of assaults. The hackers in this assault operation took advantage of the desire for cracks by releasing a phoney cracked programme that actually contained malware. 

The infection starts with a website or Telegram channel offering/presenting false cracks for downloading and installing the needed cracks. The downloaded archive files include a password-protected text file and another encrypted archive. 

The decrypted archive displays the executable files when the password specified in the text file is typed. There are two files in this sample: CopperStealer and VidarStealer. 

What are the impacts of Copper Stealer and Vidar Stealer on the systems? 

CopperStealer and Vidar stealer can cause many system infections, major privacy problems, financial losses, and identity theft. 
  • CopperStealer: The primary function of CopperStealer is to steal stored login information - usernames and passwords - as well as internet cookies from certain browsers. Mostly focuses on the login details for business-oriented Facebook and Instagram accounts. CopperStealer variants also seek login credentials for platforms and services such as Twitter, Tumblr, Apple, Amazon, Bing, and Apple. The malware can steal Facebook-related credentials from browsers such as Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, and Yandex.
  • Vidar stealer: The most common ways for this malware to propagate are through pirated software and targeted phishing efforts. Vidar stealer is capable of stealing credit cards, usernames, passwords, data, and screenshots of the user's desktop. The malware steals data from a range of browsers and other system apps. It can also steal cryptocurrency wallets such as Bitcoin and Ethereum. 
Safety first

Attackers can utilise data stealers like CopperStealer to steal sensitive information for more illegal reasons. Users can stay secure by taking the following precautions: 
  • Downloading cracks from third-party websites should be avoided. 
  • Keep the systems up to date with the newest patches. 
  • It is highly advised that security detection and prevention technologies be enabled to safeguard systems from attacks.
Read more »
Personal Data
attacks Christmas Credential Stuffing Attacks Credentials Cyber Attacks data security Financial Data Personal Data

Watch out for Christmas 2021 Credential Stuffing Attacks!

 

As per Arkose Labs' research, there were over two billion credential stuffing attacks (2,831,028,247) in the last 12 months, with the number increasing exponentially between October 2020 to September 2021. 

This form of online fraud has increased by 98 percent over the previous year, and it is projected to spike during the Christmas shopping season. Credential stuffing attacks in 2021 accounted for 5% of all web traffic in the first half of 2021. 

Credential stuffing is the most recent cyber-attack technique used by online criminals to obtain unauthorized access to users' financial and personal accounts. Cybercriminals take control of real user accounts and monetize them in a variety of ways. These include draining money from compromised accounts, collecting and reselling personal information, selling databases of the known verified username and password combinations, and exploiting compromised accounts to launder money obtained from other illegal sources. People who reuse the same username/password combination across various sites are frequently targeted by cybercriminals. 

The anti-fraud community has highlighted credential stuffing as an increasing problem in recent years. However, due to the jump in internet activity in the pandemic and the growth of online purchasing, it has risen in recent months. Credential stuffing increased 56 percent during the Christmas and New Year shopping season last year, according to research analysts, with forecasts that the same period in 2021 will witness up to eight million attacks on consumers every day. 

The Arkose Labs network detected and blocked 285 million credential stuffing assaults in the first half of 2021, with spikes of up to 80 million in a single week. In just one week, one intensively targeted social media organization experienced 1.5 million credential stuffing attacks. 

Kevin Gosschalk, CEO at Arkose Labs stated, “The global e-commerce landscape is more connected than ever before and personal information has become the currency of fraudsters. Credential stuffing is prolific. It’s become an enormous concern to online businesses and is fast overtaking other well-known attack tactics, such as ransomware, as THE cyber attack to watch out for.” 

“Fraudsters are compelled to this type of cybercrime as the low barrier to entry makes it easy to deploy and online criminals can generate profits with just one successful compromised account. Their volumetric approach can come on abruptly, quickly overloading businesses’ servers and putting customers at risk.” 

Other key information 

According to the research team's newest findings, 
  • The top attacked industries by sector include gaming, digital and social media, and financial services. 
  • Credential stuffing assaults accounted for over half of all attacks aimed at the gaming industry. 
  • The United Kingdom was also named as one of the top three regions that carried out the most credential stuffing attacks against the rest of the world. 
  • Alongside, Asia and North America, both demonstrated massive amounts of fraudulent activity emanating from their respective regions.
  • During the first half of 2021, mobile-based attacks accounted for approximately one-quarter of all attacks.
Read more »
Subscribe to: Posts (Atom)