Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label CrowdStrike. Show all posts
Online Security
Cloudfare CrowdStrike Cyber Attacks Cybersecurity Okta Data Breach Online Security

Cloudflare Faces Cybersecurity Breach in Okta Supply-Chain Attack



Cloudflare, a prominent Internet security and DDoS protection company, recently fell victim to a cyberattack linked to the widespread Okta supply-chain campaign last fall. The breach, affecting Cloudflare's Atlassian Bitbucket, Confluence, and Jira platforms, commenced on Thanksgiving Day.

Cloudflare, in collaboration with industry and government partners, determined that a nation-state attacker aimed to gain persistent and widespread access to its global network. Working with CrowdStrike, the company found that cyber attackers initially accessed the internal wiki (Confluence) and bug database (Jira). They later established persistence on the Atlassian server and proceeded to explore potential points of entry. The assailants successfully breached Cloudflare's source code management system (Bitbucket) and an AWS instance.

The analysis revealed the attackers sought information about the configuration and management of Cloudflare's global network. They accessed various Jira tickets related to vulnerability management, secret rotation, MFA bypass, network access, and the company's response to the Okta incident. Fortunately, due to network segmentation and a zero-trust authentication approach limiting lateral movement, the attackers were largely prevented from accessing critical systems.

Despite minimal access, Cloudflare took comprehensive measures, rotating over 5,000 production credentials, segmenting test and staging systems, and conducting forensic triages on nearly 5,000 systems. The company also reimaged and rebooted every machine in its global network and all Atlassian products.

Experts emphasise the severity of supply chain attacks, highlighting the risk of non-human access being exploited by attackers to gain high-privilege access to internal systems. This breach underscores the importance of monitoring both cloud-based and on-premises solutions.

Notably, Cloudflare identified the compromise's connection to a prior Okta breach in October. Okta, an identity and access management services provider, disclosed a compromise in its customer support case management system, exposing sensitive customer data. The attackers leveraged access tokens and service account credentials obtained during the Okta compromise. All threat actor access was terminated on November 24, according to CrowdStrike.

In response, Cloudflare conducted a thorough security remediation, emphasising the need for credential rotation after a security incident. Okta confirmed its prior notification to customers about the October security incident, urging them to rotate credentials and providing indicators of compromise.

This incident draws attention to the ongoing challenges posed by sophisticated cyber threats, making it clear that the importance of continuous vigilance and proactive security measures is substantial. The collaboration between companies and security experts remains crucial in mitigating the impact of such attacks.

As cybersecurity threats continue to evolve, it is imperative for organisations to stay informed, implement robust security practices, and prioritise swift responses to potential breaches.


Read more »
Threat actors
CISA & FBI CrowdStrike cryptocurrency hack Cyber Attacks IT Companies JumpCloud Labyrinth Collima North Korea Hackers Threat actors

North Korea-Backed Hackers Breach US Tech Company to Target Crypto Firms


A North Korean state-sponsored hacking group has recently breached a US IT management company, in a bid to further target several cryptocurrency companies, cybersecurity experts confirmed on Thursday. 

The software company – JumpCloud – based in Louisville, Colorado reported its first hack late in June, where the threat actors used their company’s systems to target “fewer than 5” of their clients. 

While the IT company did not reveal the identity of its affected customers, cybersecurity firms CrowdStrike Holding and Alphabet-owned Mandiant – managing JumpCloud and its client respectively – claims that the perpetrators are known for executing heists targeting cryptocurrency. 

Moreover, two individuals that were directly connected to the issue further confirmed the claim that the JumpCloud clients affected by the cyberattack were in fact cryptocurrency companies. 

According to experts, these North Korea-backed threat actors, who once targeted firms piecemeal are now making efforts in strengthening their approach, using tactics like a “supply chain attack,” targeting companies that could provide them wider access to a number of victims at once.

However, Pyongyang’s mission to the UN did not respond to the issue. North Korea has previously denied claims of it being involved in cryptocurrency heists, despite surplus evidence claiming otherwise.

CrowdStrike has identified the threat actors as “Labyrinth Collima,” one of the popular North Korea-based operators. The group, according to Mandiant, works for North Korea’s Reconnaissance General Bureau (RGB), its primary foreign intelligence agency.

However, the U.S. cybersecurity agency CISA and the FBI did not confirm the claim. 

Labyrinth Chollima is one of North Korea’s most active hackers, claiming responsibility for some of the most notorious and disruptive cyber threats in the country. A staggering amount of funds has been compromised as a result of its cryptocurrency theft: An estimated $1.7 billion in digital currency was stolen by North Korean-affiliated entities, according to data from blockchain analytics company Chainalysis last year.

JumpCloud hack first came to light earlier this month when an email from the firm reached its customers, mentioning how their credentials would be changed “out of an abundance of caution relating to an ongoing incident.”

Adam Meyers, CrowdStrike’s Senior Vice President for Intelligence further warns against Pyongyang’s hacking squads, saying they should not be underestimated. "I don't think this is the last we'll see of North Korean supply chain attacks this year," he says.  

Read more »
Data Theft
Cloud Data CrowdStrike Cyber Frauds. Cyberattacks Cybesecurity Data Theft

Cloud Data Theft is Booming According to CrowdStrike

 

An industry-leading cybersecurity company known as CrowdStrike reported that it had seen the largest increase in adversaries in one year. This was in comparison with what it had observed in the past. There was an increase in cloud attacks by 95% according to the study, which identified 33 re-new threat actors, approximately three times as many cases from 2021 involving cloud-conscious actors as they did in 2022. 

As a result of these trends, CrowdStrike believes that it will become more common for e-currency and nation-state actors to use their tradecraft and knowledge to greatly exploit cloud environments in the future, it stated in its global threat report for 2023. 

There has been a shift among bad actors away from deactivating antivirus and firewall technologies, and away from efforts to tamper with logs. Instead, they have turned toward modifications to authentication processes and attacks on identities, according to the report. 

There has been a dramatic rise in identity theft as a result of a wide range of threats. Identifying and privileged access credentials are among the most common targets targeted by hackers. Why? On the dark web, attackers want to sell compromised information to third parties for high prices to become access brokers and make money off the stolen information. 

As attackers reinvent themselves as access brokers, CrowdStrike's report provides a sobering look at their emergence. There is a 20% increase in adversaries engaging in extortion campaigns and theft of data related to the cloud as per the report. 

A broader analysis revealed an increase of 33 new adversaries in just one year. This was the biggest increase in the number of adversaries ever! Recent telecommunications, BPO, tech, and BPO companies have been the victims of sophisticated attacks carried out by both Scattered Spider and Slippery Spider malware. 

Cloud Security is Hampered by Overcast Skies

In addition to the multitude of new and unknown threat actors that CrowdStrike's report uncovered, CrowdStrike's report also noted a surge in identity-based threats, cloud exploits, national intelligence services, and attacks that re-pointed to previously patched vulnerabilities as weapons of mass destruction.

CrowdStrikeFalcon OverWatch measures the break-through time of adversaries according to the report by determining how far a compromised host is from a second host within the victim environment or how long the adversaries have to move laterally within the victim environment to gain access to the compromised host. This report from the National Institute on Crime and Law Enforcement suggests that for interactive eCrime intrusions, the average breakthrough time has decreased from 98 minutes in 2021 to 84 minutes in 2022. 

To minimize costs and ancillary damages caused by attackers, CISOs and their teams must respond more quickly as the breach window shrinks, and as attack windows become shorter. The 1-10-60 rule is one that CrowdStrikes recommends security teams follow: detect threats within the first minute, understand them within the first 10 minutes, and respond within the first 60 minutes.

It is well known that hackers, nation-states, and cybercriminals are growing at an exponential rate around the world. 

In an announcement made by Meyers, CrowdStrike has added Syria, Turkey, and Columbia to its list of malicious host countries it has already identified. As a result of interactive intrusions, Meyers reported there was a 50% increase compared to last year. Human adversaries try to bypass the computer's and antivirus defenses, contributing to the rise in human-computer crime. 

The Microsoft company published 28 zero days and 1,200 patches; however, only two out of 28 of those patches and zero days were exploited by nation-nexus and cybercriminal adversaries, who circumvented patches and bypassed mitigations, exploiting legacy vulnerabilities such as Log4Shell and keeping up with ProxyNotShell and Follina vulnerabilities. 

Engineers and Cloud Defenders Must be Versatile 

A variety of techniques are used by attackers to inject themselves into cloud environments and move laterally once they have entered them. There’s no doubt that CrowdStrike’s data shows an increase in both the number of valid cloud accounts used for initial cloud access and the number of public-facing applications being deployed. Also, according to the company, there has been an increase in the number of actors who are attempting to discover cloud accounts as opposed to cloud infrastructures and using legitimate higher-privileged accounts when looking for cloud accounts. 

To be successful in the cloud computing field, engineers need to be more versatile than ever before. For a business or enterprise to succeed, they need to be able to manage, plan, architect, monitor, and anticipate issues regarding cloud security and manage them as part of a continuous process.
Read more »
Threat Detection
2023 Global Threat Report CrowdStrike Cyber Crime Data Extortion Ransomware ransomware attacks Threat Detection

CrowdSrike: Cybercriminals Are Choosing Data Extortion Over Ransomware Attacks


CrowdStrike’s threat intelligence recently reported that cybercriminals have been learning how data extortion attacks are more profitable than ransomware attacks, leading to a drastic shift in the behavior of cyber activities throughout 2022. 

The cybersecurity vendor's "2023 Global Threat Report," which summarizes CrowdStrike's research on cybercrime (or "e-Crime") from the previous year, was released this week. The report's major sections address ongoing geopolitical disputes, cloud-related attacks, and extortion attacks without the use of software. 

One of the major findings from the CrowdStrike research is that the number of malicious actors who conducted data theft and extortion attacks without the use of ransomware increased by 20% in 2022 compared to the previous year. Data extortion is the practice of obtaining confidential information from target companies and then threatening to post the information online if the victim does not provide the ransom demanded by the attacker. 

Data extortion has frequently been a part of ransomware operations, with the fear of data exposure intended to provide additional incentive for the victim to pay the demanded ransom. However, as per the CrowdStrike findings, more attackers are now inclining toward data extortion, while abandoning the ransomware element altogether. 

Adam Meyers, head of intelligence at CrowdStrike says that “We’re seeing more and more threat actors moving away from ransomware[…]Ransomware is noisy. It attracts attention. It’s detectable. Encryption is complex.” 

According to Meyers, the rise in extortion addresses the adaptability of cyber adversaries. He further adds that while ransom payments were down slightly in 2022, both extortion and ransomware-as-a-service (RaaS) have witnessed a significant boost. 

CrowdStrike observed and noted the overall waning interest in malware. The firm reported that in 2022, up from 62% in 2021, malware-free activity accounted for 71% of its threat detections. 

"This was partly related to adversaries' prolific abuse of valid credentials to facilitate access and persistence in victim environments[…]Another contributing factor was the rate at which new vulnerabilities were disclosed and the speed with which adversaries were able to operationalize exploits," the report said. 

While also noting the improved resilience of the RaaS network, CrowdStrike stated that affiliated hackers will continue to be a major concern as they move from one network to another despite the move away from conventional ransomware deployment.  

Read more »
Vulnerabilities and Exploits
CrowdStrike Cyberattacks CyberCriminal Microsoft Phishing Attacks Vulnerabilities and Exploits

To Get Around Security, Hackers Use This Old Trick

 


An old vulnerability in Intel drivers is being exploited by cybercriminals in an attempt to gain access to networks. This is in the form of a security flaw that enables them to get around cybersecurity measures and bypass security systems.  

According to cybersecurity researchers at CrowdStrike, one of the groups tracking the attack is Scattered Spider, also known as Roasted 0ktapus and UNC3944. This group is responsible for the attack on Windows PCs. The campaign has been identified as the work of a cybercriminal group. 

As a financially motivated cybercrime operation, Scattered Spider is described by researchers as especially interested in targeting business outsourcing companies and telecom companies. Obtaining access to the mobile carrier network is the project's main objective.  

Attackers may have initially used phishing attacks using SMS messages to gain access to networks by stealing usernames and passwords. This is to get into them. Several instances have been recorded where attackers have hacked into devices and exploited this access to gain access to other credentials. The group appears to be engaged in SIM-swapping attacks as well.   

As soon as Scattered Spider has gained access to a network, it makes use of a technique called "Bring Your Own Vulnerable Driver" (BYOD), which is designed to exploit security loopholes within the Windows platform.  Microsoft tries to limit the ability of malware to gain access to systems by preventing unsigned kernel-mode drivers from being run by default, but hackers can get around this by installing a legitimately signed but malicious driver, enabling them to carry out attacks despite this. The BYOVD system allows attackers to use unsigned kernel-mode drivers to carry out attacks.   

An attacker may find a way to hack legitimately signed certificates while taking advantage of workarounds to be able to self-sign their own certificates or obtain certificates through deception. Regardless of how they were obtained, the malware may then secretly run on computers, install their own drivers, and disable the security products on them. This is so that their activity can easily be hidden.  

They do not use any malware for this purpose to operate as discreetly as possible. They instead install a large number of legitimate remote access tools that will ensure persistence on the compromised system after they have been compromised. 

There is a vulnerability in the Intel Ethernet diagnostics driver for Windows, which has been identified by CrowdStrike as one of how attackers can deliver malicious kernel drivers.

This vulnerability has been known for a long time, as the ID number suggests. If the security update that closes the vulnerability has not been applied to the system, cybercriminals will still be able to exploit it on the system.  

To combat this and other attacks involving abused signed drivers in the future, researchers urge users to patch vulnerable drivers as a priority.  

There have been several tools that have been compromised by attackers. These include Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne, as well as CrowdStrike's own Falcon security product that attackers have attempted to bypass. Researchers at CrowdStrike claim that Falcon can detect and prevent malicious activity that is being performed by cybercriminals when trying to install and run their own code.  

It has been warned previously by Microsoft that attacks are increasingly targeting legitimate drivers in the ecosystem and infecting computers through their vulnerabilities. Despite Microsoft's efforts to prevent abuse, this attack technique is still successfully used today. 

Scattered Spider seems to be targeting a specific set of industries with this campaign. In contrast, CrowdStrike recommends that security professionals in every industry develop a strategy to ensure the security of their networks against attack, irrespective of their industry type. As an example, this can be achieved by applying the old security patch that has been installed.  

Microsoft also provides advice on how you can help harden services by blocking drivers according to the recommended rules. As with any software or hardware, removing drivers from a device may lead to the malfunctioning of the device or software, and, in some cases, a blue screen of death. A vulnerable driver blocklist cannot guarantee that all drivers found to have vulnerabilities will be identified and eliminated from the list.  
Read more »
Spear Phishing Campaign
CrowdStrike Cyber Phishing malware Malware Attack Phishing Campaign RATs Spear Phishing Campaign

Callback Malware Campaign Imitates CrowdStrike and Other Big Cybersecurity Organizations


About the Attack

Earlier this month, CrowdStrike Intelligence found a callback phishing campaign copying big cybersecurity companies, including CrowdStrike. The phishing emails say that the receiver's (e-mail) company has been compromised and that the victim should contact the given phone number. The campaign incorporates similar social-engineering techniques that were used in the recent callback campaigns like WIZARD SPIDER'S 2021 Bazaar all campaign. 

The campaign is likely to include common genuine remote administration tools (RATs) for access in initial stage, off the shelf penetration testing tools for lateral movement, and execution of ransomware or extorting data. The callback campaign incorporates emails that look like it originates from big security companies, the message says that the security company found a potential issue in the receiver's network. As we have noticed in the earlier campaigns, the threat actor gives the recipient a phone number to call. 

In the past, callback campaign operators have tried to convince victims to install commercial RAT software to get an early foothold on the network. "For example, CrowdStrike Intelligence identified a similar callback campaign in March 2022 in which threat actors installed AteraRMM followed by Cobalt Strike to assist with lateral movement and deploy additional malware," says CrowdStrike. 

Current Situation 

Currently, CrowdStrike intelligence can't confirm the version in use, the callback operators will most probably use ransomware to monetize their operations. "This assessment is made with moderate confidence, as 2021 BazarCall campaigns would eventually lead to Conti ransomware — though this ransomware-as-a-service (RaaS) recently ceased operations. This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches," says CrowdStrike.

Read more »
Microsoft Exchange Server
China CrowdStrike Email Fraud IISS Malicious Module malware Microsoft Exchange Server

On Microsoft Exchange Servers, a New IceApple Exploit Toolkit was Launched

 

Security analysts discovered a new post-exploitation framework that could enable Microsoft Exchange servers to be compromised. This framework, known as IceApple, was created by threat actors who wanted to preserve a low profile while launching long-term attacks to assist reconnaissance and data exfiltration. 

"As of May 2022, IceApple is under active development, with 18 modules seen in operation across several enterprise contexts," CrowdStrike reported. The complex virus was identified in various victim networks and in geographically separate areas, which were detected in late 2021. Victims come from a variety of fields, including technology, academia, and government.

IceApple is unique for being an in-memory framework, implying a threat actor's desire to keep a low forensic footprint and avoid detection, which bears all the signs of a long-term algorithmic mission by creating files that appear to come from Microsoft's IIS web server. While most of the malware has been found on Microsoft Exchange servers, IceApple can function under any Internet Information Services (IIS) web app, making it a dangerous threat.

IceApple activity, as per CrowdStrike researchers, could be linked to nation-state attacks. Although IceApple has not been linked to any single threat actor, many believe it was developed by China. 

The actual number of victims of the attack has not been determined by CrowdStrike, but they do not rule out the possibility that the threat will expand in the following weeks. In this regard, the experts suggested updating any apps used by public and commercial businesses to strengthen the system's protection against this framework. 

The malware can locate and erase files and directories, write data, collect credentials, search Active Directory, and transfer sensitive data due to the framework's various components. These components' build timestamps date back to May 2021.
Read more »
United States
APT31 China CrowdStrike Cyber Attacks RAT Russia United States

Widespread Cyber Espionage Attacks Use New Chinese Spyware

 

According to new research, a threat actor believed to be of Chinese origin was linked to a series of ten attacks from January to July 2021 that involved the deployment of a remote access trojan (RAT) on infected computers and targeted Mongolia, Russia, Belarus, Canada, and the United States. The breaches have been linked to APT31 (FireEye), an advanced persistent threat that has been dubbed Zirconium (Microsoft), Judgement Panda (CrowdStrike), and Bronze Vinewood (Secureworks) by the cybersecurity community. 

BRONZE VINEWOOD has hidden malicious activity within legal network traffic by using prominent social media and code repository sites. Previous BRONZE VINEWOOD campaigns leveraging DLL search-order hijacking to distribute the HanaLoader downloader malware and other malicious payloads have also been uncovered by Secureworks Counter Threat Unit (CTU) researchers. 

According to researchers, the group is thought to be a Chinese state-sponsored cyberespionage actor attempting to acquire intelligence to aid the Chinese government and state-owned firms. 

In the attacks, a new malware dropper was utilized, which included a downloader for next-stage encrypted payloads from a remote command-and-control server, as well as the ability to decode and execute the malware. The malicious code can download further malware, putting vulnerable victims at risk even more, as well as perform file operations, exfiltrate sensitive data, and even remove itself from the compromised machine. 

Positive Technologies researchers Denis Kuvshinov and Daniil Koloskov discovered the self-delete command fascinating since it employed a bat file to wipe all of the registry keys and files created as a result of running the command. 

The malware's similarities to a trojan known as DropboxAES RAT, which was used by the same threat group last year and relied on Dropbox for command-and-control (C2) communications, are also worth noting, with numerous overlaps found in the techniques and mechanisms used to inject the attack code, achieve persistence, and delete the espionage tool.

Despite the fact that BRONZE VINEWOOD calls the software DropboxAES RAT, CTU researchers discovered that it does not use the Advanced Encryption Standard (AES). Instead, it uses the ChaCha20 stream cypher to encrypt and decrypt data. When encrypting data, older versions of the malware may have used AES encryption. 

"The revealed similarities with earlier versions of malicious samples described by researchers, such as in 2020, suggest that the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in particular," the researchers concluded.
Read more »
Spirit Spider
CrowdStrike malware Ransomware Spirit Spider

Sprite Spider Emerging as One of The Most Destructive Ransomware Threat Actors

 

Recently, two CrowdStrike cybersecurity leads during a Cyber Threat Intelligence Summit at the SANS  Senior Security Researcher Sergei Frankoff, and Senior Intelligence Analyst Eric Loui, shared detailed information on the ‘Spirit Spider’, an emerging leading ransomware actor. Like other ransomware attacks, the malicious crew behind Sprite Spider attacks has rapidly increased in terms of sophistication and damage capabilities since 2015. At present, Sprite Spider has become one of the most dangerous ransomware malicious actors of 2021. 

Although, this ransomware ‘Sprite Spider’, did not come as a surprise for many world-leading IT firms, like other organized ransomware groups which are filled with threat actors who are often fruitfully employed by nation-state cybercriminals. 

The journey of Sprite Spider


To have come so far to make headlines, it must have gotten started somewhere, but when and where? It was back in 2015 when the ransomware was employed as a banking Trojan called Shifu, and then in 2017, a malware loader called Vatet. The gang had deployed a remote access Trojan called PyXie, in 2018, and in 2019, the attackers’ deployed ransomware called DEFRAY777. 

Crowdstrike researchers linked Shifu, Wyatt, and Pixi to the DEFRAY777 ransomware attacks. At this point they realized that all the activities from these components were linked to a single-malicious group, operating stealthily behind the scenes. 

The threat actors can often avoid detection mainly because the malicious code is secretly hidden in open-source projects such as Notepad++, which technically is invisible and hence visibly harmless. The only thing the Sprite Spider writes to disk is ‘Vatet’, which makes it even more difficult for the intelligence to identify it during an attack. 

“I think we’ve seen a number of nation-states engage in these types of attacks to generate revenue, specifically North Korea,” CrowdStrike’s senior vice president of intelligence Adam Meyers tells CSO. He added that “Iran and China are also getting in on the ransomware game. It’s not necessarily the nation-state that is conducting the attack, but [the cybercriminals] are using the skills they learned [by working for nation-state attackers] to make a little extra money on the side. The individuals engaged by the nation-state are conducting ransomware attacks on a moonlight shift.” 

Mark Weatherford, chief strategy officer at the National Cybersecurity Center and a former DHS cybersecurity official in the Obama administration, said “I think it will take an international effort to address the growing ransomware scourge. Until there is more of an international policy discussion, I think we’re going to see these things grow. What we need is an international combined effort from nations around the world to say that this is no longer acceptable.” He tells CSO.
Read more »
Russian Hacker
Chinese Hackers CrowdStrike North Korean Hackers Russian Hacker

Russian Hacking Trouble for the Cyber World



According to data analysis by computer security company CrowdStrike, Russian hacking attack team spares only 19 minutes to the victim to respond to the attack. The next fastest group were North-Koreans who took two hours to jump to the next server to spread the attack,the third on the list comes Chinese attackers who on average gives four hours to the victim to foil their target attack.

Statistically the calculated time is coined as  “dubbed time“ and is the time attacker takes to jump from one network to another to spread the attack. Introducing the concept, CrowdStrike wrote in its report “shows how much time defenders have on average to detect an initial intrusion, investigate it and eject the attacker before sensitive data can be stolen or destroyed.”

According to the author, Pete Singer, the new analysis is eye-opening, "These stats are driven by a whole variety of factors, among them the skills and capability, the relative risk each is making in their likelihood of getting caught and the consequences. No matter how you look at it, an average of 18 minutes is quite amazing given the scale."

The Russians hackers have attacked many defense and military establishments throughout Europe and NATO since last year. Russian hackers were alleged to attack PyeongChang Winter Olympic Games in 2018.

Chris Krebs, DHS Cybersecurity and Infrastructure Security Agency Director, told defenseone.com recently, “We are doubling down on election security in advance of the 2020 election. Despite what some of the reporting might be, election security and countering foreign influence efforts aren’t going anywhere.”

According to a research from Arizona state University, researchers revealed that the exploiting a known vulnerability depended greatly on the country of the attacker.For Instance, the researchers looked at the Dark Web chat rooms , If attackers were discussing  vulnerabilities in National Database and If the hackers discussing the bug were Chinese, the chances to exploit the vulnerability in question was nine percent, But if the conversation was between Russians, then the probability of exploiting vulnerability is forty percent.

Read more »
Subscribe to: Posts (Atom)