
New Windows Server Updates Cause Domain Controller Freezes, Restarts

 

Microsoft is looking into LSASS memory leaks (caused by Windows Server updates released during the November Patch Tuesday) that may result in domain controller freezes and restarts. LSASS (Local Security Authority Subsystem Service) is in charge of enforcing security policies on Windows systems and managing access tokens, password changes, and user logins. 

If this service fails, logged-in users lose access to their Windows accounts on the machine and are presented with a system restart error followed by a system reboot. 

"LSASS might use more memory over time and the DC might become unresponsive and restart," Microsoft explains on the Windows Health dashboard.

"Depending on the workload of your DCs and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the uptime of your server and the server might become unresponsive or automatically restart."

Out-of-band Windows updates pushed out to address authentication issues on Windows domain controllers may also be affected by this known issue, according to Redmond. Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2 are all affected. Microsoft is working on a solution and promises an update in an upcoming release.

Workaround Available:

Until a fix for this LSASS memory leak issue is available, the company offers IT administrators a workaround for the domain controller instability. It requires setting the KrbtgtFullPacSignature registry key (used to gate the CVE-2022-37967 Kerberos protocol changes) to 0 with the following command:

reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD

"Once this known issue is resolved, you should set KrbtgtFullPacSignature to a higher setting depending on what your environment will allow," Microsoft added.

"It is recommended to enable Enforcement mode as soon as your environment is ready. For more information on this registry key, please see KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967."

Redmond addressed another known issue that caused Windows Server domain controller reboots due to LSASS crashes in March. Microsoft fixed domain controller sign-in failures and other authentication issues caused by November Patch Tuesday Windows updates earlier this month with emergency out-of-band (OOB) updates.

Experts Look into WhatsApp Data Leak: 500M User Records for Sale

 

On November 16, an actor advertised a 2022 database of 487 million WhatsApp user mobile numbers on a well-known hacking community forum. The dataset is said to contain WhatsApp user data from 84 different countries. 

According to the threat actor, there are over 32 million US user records included. Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million) each account for a sizable share of the phone numbers. The dataset for sale also allegedly contains the phone numbers of nearly 10 million Russians and over 11 million UK citizens. The threat actor told Cybernews that they were selling the US dataset for $7,000, the UK dataset for $2,500, and the German dataset for $2,000.

Since such data is frequently used by attackers in smishing and vishing attacks, we advise users to be cautious of any calls from unknown numbers, as well as unsolicited calls and messages. According to reports, WhatsApp has more than two billion monthly active users worldwide. The seller of WhatsApp's database provided a sample of data to Cybernews researchers upon request. The shared sample included 1097 UK and 817 US user numbers.

Cybernews probed all of the numbers in the sample and was able to confirm that they are all WhatsApp users. The seller did not say how they obtained the database, only that they "used their strategy" to collect it, and assured Cybernews that all the numbers in the instance belong to active WhatsApp users.

Cybernews contacted WhatsApp's parent company, Meta, but received no immediate response. We will update the article as soon as we learn more. The data on WhatsApp users could be obtained by harvesting information at scale, also known as scraping, which is against WhatsApp's Terms of Service.

This claim is entirely speculative. However, large data dumps posted online are frequently obtained through scraping. Meta, which has long been chastised for allowing third parties to scrape or collect user data, previously had over 533 million user records leaked on a dark forum, where the actor was practically giving the dataset away for free.

Days after a massive Facebook data leak made headlines, a popular hacker forum listed an archive containing data purportedly scraped from 500 million LinkedIn profiles for sale. Phone numbers that have been leaked could be used for marketing, phishing, impersonation, and fraud.

Head of Cybernews research team Mantas Sasnauskas said, “In this age, we all leave a sizeable digital footprint – and tech giants like Meta should take all precautions and means to safeguard that data. We should ask whether an added clause of ‘scraping or platform abuse is not permitted in the Terms and Conditions’ is enough. Threat actors don’t care about those terms, so companies should take rigorous steps to mitigate threats and prevent platform abuse from a technical standpoint.”

Report: Tax Preparation Software Returned Personal Consumer Data to Meta and Google

 

As per The Markup, popular tax preparation software such as TaxAct, TaxSlayer, and H&R Block sent sensitive financial information to Facebook's parent company Meta via its widely used code known as a pixel, which helps developers track user activity on their sites. 

In accordance with a report published on Tuesday by The Verge, Meta pixel trackers in the software sent information such as names, email addresses, income information, and refund amounts to Meta, violating its policies. The Markup also discovered that TaxAct sent similar financial data to Google via its analytics tool, though the data did not include names.

According to CNBC, the Meta pixel is a tiny piece of tracking code that publishers and businesses embed on their websites. When a user visits, the pixel sends a message back to Facebook, which also enables businesses to target advertisements at people based on the websites they have previously visited.

Based on the report, Facebook could use data from tax websites to power its advertising algorithms even if the person using the tax service does not have a Facebook account. It's yet another example of how Facebook's tools can be utilized to track people across the internet, even if users are unaware of it. According to some statements provided to The Markup, it could have been a mistake.

Ramsey Solutions, a financial advice and software company that uses TaxSlayer, told The Markup that it "did NOT know and was never alerted that personal tax information was being gathered by Facebook from the Pixel," and that the company informed TaxSlayer to deactivate the Pixel tracking from SmartTax.

An H&R Block spokesperson said the company takes “protecting our clients’ privacy very seriously, and we are taking steps to mitigate the sharing of client information via pixels.” 

H&R Block further stated in a statement on Wednesday that it had "removed the pixels from its DIY online product to stop any client tax information from being collected."

The Markup discovered the data trail earlier this year while working with Mozilla Rally on a project called "Pixel Hunt," in which participants installed a browser extension that sent the group a copy of data shared with Meta via its pixel.

“Advertisers should not send sensitive information about people through our Business Tools,” a Meta spokesperson told CNBC in a statement. “Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

Meta considers potentially sensitive data to contain information about income, loan amounts, and debt status.

“Any data in Google Analytics is obfuscated, meaning it is not tied back to an individual and our policies prohibit customers from sending us data that could be used to identify a user,” a Google spokesperson told CNBC. “Additionally, Google has strict policies against advertising to people based on sensitive information.”

A TaxAct spokesperson said in a statement, “The privacy of our customers is very important to all of us at TaxAct, and we continue to comply with all laws and IRS regulations. Data provided to Facebook is used at an aggregate level, not the individual level, by TaxAct to analyze our advertising effectiveness. TaxAct is not using the information provided by its customers and referenced in the report issued by The Markup to target advertising with Facebook.”

A TaxSlayer representative did not immediately respond to CNBC's request for comment.

An Online Date Led to an Inquiry into 'Systemic' Failures at American Express

 

Last summer, John Smith* had just returned to Sydney after more than a decade abroad when he met someone online. He began chatting with a man named Tahn Daniel Lee on the dating app Grindr. Lee was undergoing treatment for COVID at the time, so they communicated online for a few weeks before meeting in Sydney's Surry Hills for their first date - a Japanese dinner followed by Messina ice cream. The date would be one of many in a relationship that progressed quickly before taking a dark turn when Smith began to suspect Lee was watching his bank accounts.

The Age and The Sydney Morning Herald can disclose that American Express, one of the world's largest financial companies, would not only dismiss Smith's initial complaint without proper investigation but would also provide misleading information during an external inquiry. It comes after two major ASX-listed companies, Optus and Medibank, revealed sensitive identification and health data to criminals, igniting a national debate about how to best deal with emerging cyber threats.

The "insider threat," according to cybersecurity experts, is a major risk, and the Privacy Commissioner's inability to penalize companies that violate the law has created a culture of impunity among corporate Australia.

“Because, what is the recourse? Businesses just aren’t doing the risk management that’s required. The tone starts from the top,” says former Australian Federal Police investigator turned cyber expert Nigel Phair.

Smith's first impression of Lee was his charming smile, and the relationship developed quickly. Lee worked as a relationship manager for American Express Centurion, an exclusive club for black cardholders who spend at least $500,000 per year.

Smith had a platinum American Express card from living in the United States, but Lee suggested he sign up in Australia so he could show him how to maximize the benefits. He consented and began using American Express as his primary banking card shortly thereafter. After a series of comments about items Smith had purchased, places he had been, or payments he had made, he began to suspect that Lee was watching his transactions.

“I asked him how he was able to do this without my consent or authority (one-time pin etc), and he replied, ‘because the system is completely open, I have god mode’,” Smith wrote in a complaint later filed with American Express.

Smith has autism, and while he is classified as "high functioning," he occasionally struggles to recognize inappropriate behavior. He noticed "warning signs" about Lee but ignored them while traveling to Hawaii and Hamilton Island with his new partner, he claims.

During one of these trips, Smith became uneasy with the manner in which Lee discussed his clients' affairs, including major food distributor Primo Foods, which he claimed siphoned millions of dollars to the Cayman Islands. Lee later texted, "FYI, everything I tell you about work is highly confidential." 

By April, he had attempted to end the relationship and had warned Lee that he would report his behavior to American Express. Lee reacted negatively to this. He begged Smith to continue the relationship and, at one point, called Smith's close friend out of the blue to persuade her not to file a complaint. This was the breaking point. He was hell-bent on reporting Lee.

Amex: ‘No inappropriate access’

At the same time, another American Express employee noticed unusual activity on Smith's account. Lee was subjected to an internal investigation, which swiftly cleared him of any wrongdoing. On May 26, the company wrote to Smith, claiming Lee was not in a position to access his account and, in any case, there was training and processes in place to protect customer data.

Unconvinced, Smith asked American Express to confirm that Lee's access to his account had been blocked and reported the Primo Foods discussions. Smith claims that the following week, during a phone call, he was told that if Lee had looked at his account, it was no big deal because they were partners, and discussing Centurion's clients was also no cause for concern.

Smith filed a complaint with the Privacy Commissioner, who directed it to the Australian Financial Complaints Authority. AFCA immediately requested a meeting with American Express to verify that Lee had lost the rights to Smith's account.

The company's response was quick, but it turned out to be incorrect.  “We confirm that the employee has no access to [Smith]’s account,” Amex responded.

In subsequent letters between AFCA, Smith, and American Express, the company continued to imply that there had been no inappropriate access or violation of privacy laws. Until the plot shifted. In August, three months after Lee's suspicious activity was discovered, Smith was notified by American Express that Lee had indeed accessed his personal information.  

Lee accessed Smith's private account nine times between February and April of this year, according to digital access logs. American Express then stated that while it was impossible to prevent Lee from accessing the account, he would be disciplined and the account would be monitored to ensure no further intrusions.

“American Express is unable to practically restrict American Express employees from being able to access any specific Card member data. We acknowledge that [Smith] feels uncomfortable with his previous partner access to his personal information and have made every effort to implement controls to further protect his data,” the company wrote in a letter.

In a final decision issued this month, AFCA determined that American Express violated privacy laws by letting Lee access his accounts without authorization both before and after the relationship. It awarded Smith $2000 in damages but did not order an apology or absolve the company of any wrongdoing.

“I am satisfied the financial firm has investigated the matters raised by the complainant, and in the circumstances, it has responded appropriately,” AFCA found.

American Express declined to answer specific questions about how it investigated Smith's complaint or what action it took against Lee, but stated it maintains the "highest levels of integrity" and has cooperated with AFCA.

“Whilst they made a determination against us, they concluded that American Express had investigated and responded appropriately,” the company said. “We are satisfied that this matter poses no risk to the integrity of our systems. Protecting the privacy of our customers and the integrity of our systems remains our utmost priority.”

Current laws allow for fines of up to $2.2 million for each unauthorized access. The federal government is considering raising the penalty to $50 million per breach, which would mean that American Express could have faced penalties totaling $450 million for the nine breaches.

“Companies need to take this issue around unauthorized access to information more seriously because the penalties are significant,” CyberCX privacy law expert David Batch says. “But in reality, the Privacy Commissioner has historically not handed down those fines.”

Smith was informed in October that AFCA's systemic issues team had agreed to investigate American Express's handling of his case. This team investigates serious violations and systemic issues and has the authority to refer cases to other regulators, such as the Privacy Commissioner; however, its findings are not very transparent. AFCA was unable to comment on whether the promised investigation would be carried out.

According to Nigel Phair, Professor of Cybersecurity at the University of New South Wales, the "insider threat" is a major concern for businesses, where the actions of rogue employees can jeopardize the security of the entire organization.

He claims that the government's failure to implement harsh penalties on companies that mishandle their customers' data fosters a culture of impunity among Australian corporations.

For Smith, American Express and the system designed to hold companies accountable have let him down. He now makes a point of only using the card in ways that do not reveal his location. Requests for comment from Lee and Primo Foods were not returned.

*Not his real name. He asked that his identity be kept confidential.

China-Based Sophisticated Phishing Campaign Utilizes 42K Domains

 

In a widespread phishing campaign, a Chinese hacking group known as "Fangxiao" is using thousands of imposter domains to target victims, putting thousands of people at risk.

To facilitate phishing attacks, this campaign used 42,000 imposter domains. These bogus domains are intended to direct users to adware (advertising malware) apps, giveaways, and dating websites. The 42,000 phony domains used in this campaign were discovered by Cyjax, a cybersecurity and threat solutions company. The scam was described as sophisticated in a Cyjax blog post by Emily Dennison and Alana Witten, with the ability to "exploit the reputation of international, trusted brands in multiple verticals including retail, banking, travel, pharmaceuticals, and energy".

The scam commences with a nefarious WhatsApp message impersonating a well-known brand. Emirates, Coca-Cola, McDonald's, and Unilever are examples of such brands. This message contains a link to a webpage that has been enticingly designed. The redirection site is determined by the target's IP address as well as their user agent.

For example, McDonald's may advertise a free giveaway. When the victim completes their registration for the giveaway, the Triada Trojan malware can be downloaded. Malware can also be installed through the download of a specific app, which victims are instructed to install in order to continue participating in the giveaway.

Fangxiao's infrastructure is mostly fronted by Cloudflare, an American content delivery network (CDN), according to Cyjax's blog post about this campaign. It was also discovered that the imposter domains were registered through GoDaddy, Namecheap, and Wix, with their names changing on a regular basis.

The majority of these phishing domains were registered under .top, with the rest mostly under .cn, .cyou, .xyz, .tech, and .work.
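The post describes the campaign's domains by two observable traits: a trusted brand name embedded in the hostname, and registration under a handful of cheap TLDs. The following triage script, an added example that is not from Cyjax or the original post, turns those two traits into a check a defender can run over DNS or proxy logs. The brand allowlist, the TLD set and the sample hostnames are constructed for the example; the TLDs are the ones the post lists.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed allowlist for this example (not from the Cyjax report): the brands
# named in the post, each mapped to a legitimate registrable domain. A real
# deployment would load this from an internal brand/partner inventory.
LEGITIMATE_DOMAINS: Dict[str, Set[str]] = {
    "emirates": {"emirates.com"},
    "cocacola": {"coca-cola.com"},
    "mcdonalds": {"mcdonalds.com"},
    "unilever": {"unilever.com"},
}

# TLDs the post reports as the campaign's favourites.
SUSPICIOUS_TLDS = {"top", "cn", "cyou", "xyz", "tech", "work"}


class Verdict(NamedTuple):
    host: str
    brand: Optional[str]       # brand token found in the hostname, if any
    suspicious_tld: bool       # registered under one of the campaign's TLDs
    impersonation: bool        # brand token on a domain the brand does not own


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels. Enough for the TLDs in this example;
    use the public suffix list for multi-label suffixes such as co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def brand_in_host(host: str) -> Optional[str]:
    """Look for a brand token anywhere in the hostname, ignoring hyphens and
    digits so that 'coca-cola-prize' and 'mcdonalds2022' still match."""
    flat = re.sub(r"[^a-z]", "", host)
    for brand in LEGITIMATE_DOMAINS:
        if brand in flat:
            return brand
    return None


def triage(host: str) -> Verdict:
    host = host.lower().strip(".")
    base = registrable_domain(host)
    tld = base.rsplit(".", 1)[-1]
    brand = brand_in_host(host)
    owned = brand is not None and base in LEGITIMATE_DOMAINS[brand]
    return Verdict(host, brand, tld in SUSPICIOUS_TLDS, brand is not None and not owned)


def flagged_hosts(hosts: List[str]) -> List[str]:
    """Hosts worth an analyst's attention: brand impersonation, ordered so that
    impersonation under one of the campaign's TLDs comes first."""
    verdicts = [triage(h) for h in hosts]
    hits = [v for v in verdicts if v.impersonation]
    hits.sort(key=lambda v: (not v.suspicious_tld, v.host))
    return [v.host for v in hits]


# Constructed sample hostnames (not real campaign indicators).
SAMPLE_HOSTS = [
    "www.mcdonalds.com",
    "mcdonalds-free-meal.top",
    "coca-cola-prize.xyz",
    "login.unilever.com",
    "emirates-anniversary.example",
    "news.example.org",
]

if __name__ == "__main__":
    for h in flagged_hosts(SAMPLE_HOSTS):
        print("review:", h)
```

The TLD is deliberately not a flag on its own: plenty of legitimate sites live under .xyz or .cn, so it only changes the ordering of hosts that already carry a brand name they do not own.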

The Fangxiao Group Is Not a New Concept

The Fangxiao hacking collective has been active for some time. The domains used in this campaign were discovered by Cyjax in 2019 and have been increasing in number since then. Fangxiao added over 300 unique domains in just one day in October 2022.

The group's location in China is not 100% confirmed, but Cyjax has determined it with high confidence. The use of Mandarin in one of the group's exposed control panels is one indication of this. Cyjax also speculated that the campaign's goal is most likely monetary gain.
 
Phishing is one of the most common cybercrime tactics today, and it can take many different forms. Phishing attacks, especially those that are highly sophisticated, can be difficult to detect. Although spam filters and antivirus software can help to reduce phishing attacks, it's still important to trust your instincts and avoid any communications that don't seem quite right.

This Infostealer has a Lethal Sting for Python Developers

 

Checkmarx cybersecurity researchers discovered over two dozen malicious packages on PyPI, a popular repository for Python developers, and published their findings in a new report. 

These malicious packages, which are designed to look almost identical to legitimate ones, attempt to dupe inexperienced developers into downloading and installing the wrong one, thereby spreading malware. The practice is known as typosquatting, and it is widely used by cybercriminals who target software developers. 

The attackers use two distinct methods to conceal the malware: steganography and polymorphism. Steganography is the practice of concealing code within an image, allowing threat actors to spread malicious code via seemingly innocent .JPGs and .PNGs. Polymorphic malware, on the other hand, changes the payload with each installation, allowing it to avoid detection by antivirus software and other cybersecurity solutions.

These techniques were used by the attackers to deliver WASP, an infostealer capable of stealing people's Discord accounts, passwords, cryptocurrency wallet information, credit card data, and any other information on the victim's endpoint that the attacker deems interesting.

When the data is identified, it is returned to the attackers via a hard-coded Discord webhook address. The campaign appears to be a marketing ploy, as researchers discovered threat actors advertising the tool on the dark web for $20 and claiming that it is undetectable.
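Two of the traits the post describes are cheap to check before a package ever reaches a developer's machine: a name that is a near miss of a popular package (typosquatting), and a hard-coded Discord webhook URL in the source. The script below is an added example, not code from Checkmarx or the original post; the popular-package allowlist and the sample setup.py text with its placeholder webhook are constructed for the example, and the webhook pattern is the public https://discord.com/api/webhooks/<id>/<token> form.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed allowlist for this example (not from the Checkmarx report):
# a few popular PyPI package names an attacker might imitate.
POPULAR_PACKAGES = ["requests", "colorama", "urllib3", "pyyaml", "setuptools"]

# Discord webhook URLs have the shape https://discord.com/api/webhooks/<id>/<token>;
# a hard-coded one in package code is the exfiltration channel the post describes.
WEBHOOK_RE = re.compile(
    r"https://(?:[a-z]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_\-]+"
)


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of -, _ and ."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) with a two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def typosquat_candidate(name: str, max_distance: int = 2) -> Optional[Tuple[str, int]]:
    """Return (popular package, distance) when name is a near miss of a popular
    package but not the package itself; None when it is exact or unrelated."""
    n = normalize(name)
    best: Optional[Tuple[str, int]] = None
    for pkg in POPULAR_PACKAGES:
        p = normalize(pkg)
        if n == p:
            return None
        d = levenshtein(n, p)
        if d <= max_distance and (best is None or d < best[1]):
            best = (pkg, d)
    return best


def find_webhooks(source: str) -> List[str]:
    """Hard-coded Discord webhook URLs in a package's source text."""
    return WEBHOOK_RE.findall(source)


def audit_package(name: str, source: str) -> Dict[str, object]:
    """Combine both signals; either one is enough to hold the package for review."""
    squat = typosquat_candidate(name)
    hooks = find_webhooks(source)
    return {"name": name, "typosquat_of": squat, "webhooks": hooks,
            "hold": squat is not None or bool(hooks)}


# Constructed sample setup.py text with a placeholder webhook (not a real one).
SAMPLE_SOURCE = (
    'from setuptools import setup\n'
    'WEBHOOK = "https://discord.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN_not_real"\n'
    'setup(name="colourama", version="0.0.1")\n'
)

if __name__ == "__main__":
    print(audit_package("colourama", SAMPLE_SOURCE))
```

The name check is only a first filter: a distance of 1 or 2 from a popular package is a reason to look, not proof of malice, and the steganography the post describes means the webhook may sit inside an image rather than in plain source, so a scan like this should run on the unpacked payload as well as on the files shipped in the wheel.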

Furthermore, the researchers believe this is the same group that was behind a similar attack reported earlier this month by Phylum and Check Point researchers. It was previously stated that a group known as Worok had been distributing DropBoxControl, a custom .NET C# infostealer that uses Dropbox file hosting for communication and data theft, since at least September 2022.

Worok, based on its toolkit, is thought to be the work of a cyberespionage group that operates quietly, moves laterally across target networks, and steals sensitive data. It also appears to be using its own, proprietary tools, as no one else has been observed using them.

'Washing Checks' and 'Mailbox Phishing' Emerge as Popular Crimes

 

Fraudsters attempt to steal paper checks from mailboxes, "washing" them with nail polish remover and filling in new amounts and payees, causing victims and their banks, which usually foot the bill, to suffer indefinitely. The black market for "glass" — pilfered checks sold online with the assurance that they will clear at the bank — is becoming more widespread and sophisticated. 

Criminals are diversifying into the sale of stolen account numbers and identity theft, as well as the "arrow keys" used by mail carriers to open multiple boxes. Following the theft of the checks, a large amount of mail, including mail-in voter ballots, is dumped. Thieves either "fish" letters out of the mail slot or rob postal workers of their mail and arrow keys. 

"We see [sellers] offering $1,000 to $7,000 a key, depending on the number of mailboxes in the ZIP code," states David Maimon, a cybercrime expert at Georgia State University who has been tracking the surge.

As per Maimon, personal checks now "go up to $250" apiece, up from $125 to $175 previously this year. Washed business checks can now fetch up to $650, up from $250.
 
"It's gone berserk," says Frank McKenna, a banking fraud consultant who traces the phenomenon back to the pandemic-era surge in stolen stimulus checks and unemployment benefits.

Maimon's Evidence-Based Cybersecurity Research Group has been monitoring 60 black-market communication channels to study the online fraud ecosystem for more than two years. He claims that most illegal activity occurs on Telegram, though how-to videos on check-washing can also be found on YouTube.
 
While California, New York, New Jersey, and Florida are among the most affected, Maimon tells Axios that "we're seeing this spreading to distant states." And the data sold with a check has changed significantly: fraudsters now offer the check writer's Social Security number as well as account balances obtained from the dark web.

"We're talking about a very sophisticated supply chain at this point. It's just mind-boggling how things have evolved," he added. The United States Postal Service has placed warning signs on blue mailboxes, advising people to use online bill pay or bring their letters to a post office.

Because checks written in indelible ink cannot be washed, gel pens are marketed as "fraud prevention." Congress recently held a hearing on "rampant" mail theft, the scope of which is unknown. Banks are staffing up in check processing to combat fraud while blaming staffing cuts at the US Postal Inspection Service, the USPS' law enforcement arm.

"Check fraud has become so widespread due to brazen criminality and mail theft that many banks are struggling to collect on bad checks from other banks," the American Banker reports. "Though fraud losses are skyrocketing at all banks, small banks appear to be bearing the brunt of check fraud," the news site said. 

"Banks typically reimburse their customers when a fraudulent or stolen check gets posted against their account, but getting repaid for a bad check has become a long, drawn-out affair."

The Postal Inspection Service is on the hot seat over the issue. The Postal Inspection Service, for its part, claims that it has made "significant security enhancements" to mailboxes and that postal inspectors made 1,511 arrests for mail theft in 2021, with 1,263 convictions.

"It's really frustrating that banks are being held liable because the Postal Service can't secure the mail," says Paul Benda, senior vice president for operational risk and cybersecurity at the American Bankers Association. "These numbers may seem impressive at first blush, but they are not," he said in congressional testimony.

The bottom line is that "much more systematic data on this type of fraud is needed to better understand how it works, crack down on the activity, and prevent it from occurring in the first place," according to Maimon.

Google Reaches an Agreement with 40 States Over Location Tracking Practices

 

Google has consented to a $391.5 million settlement with 40 states over its use of location tracking, according to Oregon Attorney General Ellen Rosenblum. Even when users thought they had turned off location tracking in their account settings, Google continued to collect information about their whereabouts, according to Oregon's Attorney General's office. 

Commencing in 2023, the settlement requires Google to be more transparent with users and provide clearer location-tracking disclosures. The settlement was led by Rosenblum and Nebraska Attorney General Doug Peterson. As per the release, it is the largest consumer privacy settlement ever led by a group of attorneys general.

“Consistent with improvements we’ve made in recent years, we have settled this investigation which was based on outdated product policies that we changed years ago,” said Google spokesperson José Castañeda in a statement.

The basis of the investigation was revealed in a 2018 Associated Press report.

Rosenblum said in the release, “For years Google has prioritized profit over their users’ privacy. They have been crafty and deceptive. Consumers thought they had turned off their location tracking features on Google, but the company continued to secretly record their movements and use that information for advertisers.”

Google paid $85 million to settle a similar lawsuit with Arizona last month, and the company is facing additional location tracking lawsuits in Washington, D.C., Indiana, Texas, and Washington state. According to the four AGs, Google was using location data for its ad business. 

The lawsuits instruct the court to order Google to hand over any algorithms developed with allegedly ill-gotten gains, as well as any monetary profits.

Hackers Use These Five Common Ways to Hack Websites

 

Cybercriminals target websites of every kind. Data theft, remote access, and malware distribution can all occur through social media platforms, online retailers, file-sharing services, and other types of online services. Hackers employ a variety of techniques to infiltrate websites; the top 5 types of attacks are discussed in this article. 

1. Brute force attacks 

Brute force attacks rely on trial and error: the attacker systematically tries candidate values until one works, which is how hackers force their way into a website. Cryptography allows data to be stored safely, but a key or password can still be guessed exhaustively, and that guessing is what cybercriminals are interested in. In this way an attacker can recover passwords, login credentials, and decryption keys. The same technique can even be used to locate hidden web pages by guessing their paths.
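Because a brute force attack is by definition many attempts in a short time, the defender's side of it is a counter: failed logins per source (or per account) inside a sliding window. The detector below is an added example, not part of the original article; the log format and the sample lines are constructed for it, and the threshold and window are arbitrary starting values that a real deployment would tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Tuple

# Constructed sample authentication log (not from any real server).
# Format per line: ISO timestamp, client IP, username, result.
SAMPLE_LOG = """\
2022-11-20T10:00:01 203.0.113.7 admin FAIL
2022-11-20T10:00:03 203.0.113.7 admin FAIL
2022-11-20T10:00:04 198.51.100.2 alice OK
2022-11-20T10:00:05 203.0.113.7 admin FAIL
2022-11-20T10:00:06 203.0.113.7 admin FAIL
2022-11-20T10:00:08 203.0.113.7 admin FAIL
2022-11-20T10:00:09 203.0.113.7 admin FAIL
2022-11-20T10:05:00 198.51.100.2 alice FAIL
2022-11-20T10:20:00 198.51.100.2 alice OK
"""


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[Event]:
    """Parse the constructed four-column format above into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_bruteforce(events: List[Event], key: str = "ip", threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> List[Tuple[str, datetime]]:
    """Sliding-window failure counter. Emits (key value, time) when a source
    reaches `threshold` failed logins inside `window`, then resets that source
    so one burst produces one alert. key="ip" catches a single host hammering
    the login form; key="user" catches many hosts attacking one account."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, datetime]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ok:
            continue
        k = getattr(ev, key)
        q = recent[k]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((k, ev.ts))
            q.clear()
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for source, when in detect_bruteforce(events):
        print(f"{when.isoformat()} brute force suspected from {source}")
    for account, when in detect_bruteforce(events, key="user"):
        print(f"{when.isoformat()} brute force suspected against {account}")
```

Running it on the sample raises one alert for the host that failed five times in eight seconds and nothing for the user who mistyped once; counting per account as well as per IP matters because an attacker who spreads attempts across many addresses never trips the per-IP counter.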

2. Keyloggers and Spyware

An attacker can use a keylogger to record all keystrokes made on an infected device or server. It is a type of monitoring software program that is widely used in data theft. For example, if someone enters their payment card information while a keylogger is active, the malicious operator will be able to spend money without the card owner's knowledge. In the case of websites, the attacker may be able to capture the credentials required to log in and gain access by monitoring a website administrator with a keylogger. Keyloggers are a type of spyware, and spyware can take many forms, such as adware and Trojans.

3. Man-in-the-Middle Attacks

A malicious actor eavesdrops on private sessions in a Man-in-the-Middle (MitM) attack. The attacker will place themselves between a user and an application in order to gain access to valuable data that they can exploit. Instead of simply eavesdropping, the attacker could pretend to be a legitimate party.


Because much of the intercepted data may be encrypted via an SSL or TLS connection, the attacker must find a way to break this connection in order for the data to be interpreted. If the malicious actor is successful in making this data readable, such as through SSL stripping, they can use it to hack websites, accounts, and applications, among other things.
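SSL stripping works on the first plaintext http:// request, before the browser knows the site insists on TLS; the standard defence is the Strict-Transport-Security header, which tells the browser to refuse plaintext for that host from then on. The checker below is an added example, not from the original article: it parses the header as RFC 6797 defines it and reports the weaknesses that leave a downgrade possible. The sample header sets are constructed, and the one-year figure is the usual target (it is the minimum the browser preload list asks for).

```python
from typing import Dict, List, Optional

ONE_YEAR = 365 * 24 * 3600  # max-age the browser preload list expects, in seconds


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse a Strict-Transport-Security value into {directive: value}.
    Directive names are case-insensitive (RFC 6797); values may be quoted
    and valueless directives such as includeSubDomains map to None."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def hsts_findings(headers: Dict[str, str]) -> List[str]:
    """Return the weaknesses found in a response's HSTS policy; an empty list
    means the policy is adequate. Header names are matched case-insensitively."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["missing: the first http:// visit can be downgraded (SSL stripping)"]
    d = parse_hsts(value)
    findings: List[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or malformed; browsers ignore the header")
    elif int(max_age) == 0:
        findings.append("max-age=0 removes the policy from the browser")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"max-age={max_age} is short; {ONE_YEAR} (one year) is the usual target")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent; subdomains can still be downgraded")
    return findings


# Constructed sample responses: a weak policy and a corrected one.
WEAK_HEADERS = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"}
GOOD_HEADERS = {"Content-Type": "text/html",
                "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("good", GOOD_HEADERS)):
        print(label, hsts_findings(hdrs) or "ok")
```

The header only protects visitors who have already seen it once over HTTPS, which is why the preload directive and submission to the browser preload list close the remaining first-visit gap.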

4. Remote Code Execution 

Remote Code Execution (RCE) is a fairly self-explanatory term. It entails the execution of malicious computer code from a remote location through a security flaw. Remote code execution can take place over a local network or the internet. This enables the attacker to gain control of the targeted device and infiltrate it without ever touching it.

An attacker can steal sensitive data and perform unauthorized functions on a victim's computer by exploiting an RCE vulnerability. Because this type of attack can have serious consequences, RCE vulnerabilities are (or should be) taken very seriously.

5. Third-Party Exploits

Thousands of businesses around the world rely on third-party vendors, particularly in the digital realm. Many applications act as third-party service providers for online businesses, whether they process payments, authenticate logins, or provide security tools. However, third-party vendors can be used to gain access to their clients' websites.

Attackers can take advantage of a security vulnerability, such as a bug, in a third-party vendor. Some third-party applications and services have lax security measures, making them vulnerable to hackers. This exposes sensitive data from a website to the attacker for retrieval. Even if the website has advanced security features, the use of third-party vendors can be a weakness.

Unfortunately, even when we use the proper security measures, websites and accounts are still vulnerable to attacks. As cybercriminals improve their methods, it becomes more difficult to detect red flags and stop an attack in its tracks. However, it is critical to be aware of the tactics used by cybercriminals and to employ the proper security practices to protect yourself as much as possible.


Thales Denies Getting Hacked as Ransomware Group Reveals Gigabytes of Information


Overnight, a 9.5-gigabyte archive of information pertaining to [the French company] Thales was published on the website of the cybercrime gang Lockbit. The archive houses information about Thales contracts and partnerships in Italy and Malaysia. When contacted by Le Monde, Thales confirmed that the data had been posted on the hackers' website, but claimed that "no intrusion" had occurred into the company's IT system. 

"Thales' security experts have narrowed down one of two possible sources of the information theft. It was a partner's account on a dedicated exchange portal that led to the disclosure of a limited amount of information," said a company spokesperson, adding that its teams are working to identify the second source. Thales also stated that the data leak has no impact on its business.

The documents published on Lockbit's website mention, among other items, a project announced in 2018 by Thales and Malaysia-based Novatis Resources to implement aerial surveillance tools for Malaysia's Kota Kinabalu airport. The documents, which are dated 2021, indicate the project and the company's monitoring. 

Other files discuss Thales' contracts in Italy, particularly in Florence, to support an automated ticket sales system for public transportation services. The archive appears to include no personal information about the company's employees.

Lockbit announced earlier this month that it had data stolen from Thales and threatened to publish it on its website. The cybercriminal group then announced a November 7 release date. On that day, the site posted a message stating that the data had been published but did not provide access to it, casting doubt on the attack's factuality. The stolen files were eventually discovered on the site during the night of November 10 to 11.

Lockbit has claimed an attack on Thales before: in January, the group announced that it had stolen data from the company. The data released at the time consisted primarily of code repositories from the company's external server, data deemed "not very sensitive" by the French company.

On Thursday, US authorities revealed the arrest of a Canadian citizen suspected of working for the Lockbit group. This citizen, who holds dual Russian and Canadian citizenship, is currently being held in detention awaiting extradition to the United States.

According to court documents, a search conducted by law enforcement agencies in August resulted in the seizure of the suspect's computer, which disclosed traces of logins to the control panel of Lockbit's ransomware, as well as messages exchanged with LockBitSupp, an account used by the cybercriminal group to provide support for its software. 

As per the US Attorney's Office, a file on the suspect's computer contained a list of past and future Lockbit group targets. During a second search, investigators discovered a cryptocurrency wallet belonging to the suspect, which contained 0.8 bitcoin (€13,482 at the time of publication). This bitcoin came from a ransom payment made by one of the Lockbit group's victims. The suspect faces a maximum sentence of five years in prison.

Amazon, Microsoft Cloud Leaks Highlight Lingering Misconfiguration Issues


A slew of household names has recently been accused of misconfigured cloud storage buckets overflowing with unencrypted data, shedding light on a cybersecurity problem that appears to have no solution. Anurag Sen, a security researcher, revealed just last week that an Amazon server had exposed data on Amazon Prime members' viewing habits. 

During the same time period, Thomson Reuters admitted that three misconfigured servers had exposed 3TB of data via public-facing ElasticSearch databases, according to Cybernews, which first reported the issues. And Microsoft admitted in mid-October that it had left an open misconfigured cloud endpoint that could have exposed customer data such as names, email addresses, email content, and phone numbers.

"The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability," Microsoft said in its statement on the misconfigured server. "We are working to improve our processes to further prevent this type of misconfiguration and performing additional due diligence to investigate and ensure the security of all Microsoft endpoints."

Indeed, rather than bugs, the leaks are driven by a range of misconfigurations, ranging from insecure read-and-write permissions to improper access lists and misconfigured policies, all of which could enable threat actors to access, copy, and potentially alter sensitive data from accessible data stores.

"The main concern with this kind of leak is the high impact, and that is why the threat actors go after misconfigured storage [servers] and buckets," says Ensar Şeker, CISO at SOCRadar, the cybersecurity firm that discovered the Microsoft issue. "Once they discover [the accessible data], the bucket might ... contain huge amounts of sensitive data for one tenant [or] numerous tenants."

According to Venafi, 81% of organizations have experienced a security incident related to their cloud services in the last 12 months, with nearly half (45%) experiencing at least four incidents. According to Sitaram Iyer, senior director of cloud-native solutions at Venafi, the increase in incidents is due to the increasing complexity of cloud-based and hybrid infrastructure, as well as a lack of visibility into that infrastructure.

"Yes, misconfigured cloud storage is one of the primary reasons for data leaks — I do believe that this is a trend," he says. "The increase in this trend is most often due to misconfiguration related to access controls: While only authorized users need to be allowed access to cloud storage, a simple mistake in configuration often enables [any] authenticated users to gain access."

Companies should monitor their cloud assets on a regular basis to detect when a datastore or storage bucket has been exposed to the public internet. Furthermore, using infrastructure-as-code (IaC) configuration files when deploying cloud storage not only automates deployments but also helps eliminate errors, according to data from Snyk, a maker of security services for the software supply chain.

According to the company, implementing IaC reduces cloud misconfigurations by 70%. The division of responsibilities between cloud providers and business customers remains an issue. While the customer is responsible for configuring cloud assets, Venafi's Iyer believes that the cloud service should make configuring cloud assets as simple as possible.

"Principle of least privilege must be adopted for every aspect of the data," he says. "Access to data must be provided as needed, with proper controls and authorization policies that tie it to a specific user or service account, and proper logging of access and notifications must be implemented."
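The access-control mistakes described above (anonymous read and write on a storage bucket) beside the least-privilege form Iyer calls for, as an added example that is not from the article or from any of the companies named in it. The policy documents, bucket name, account ID and role name are constructed placeholders; the check flags unconditioned Allow statements granted to everyone.

```python
"""Added example (not from the article): an S3 bucket policy open to anonymous
read and write, beside a least-privilege replacement, and a check that tells
them apart.

Constructed for illustration: the bucket name, account ID and role name are
placeholders, not values from any of the incidents described.
"""
import json
from typing import Any

# Constructed "weak" policy: anyone on the internet may read and write objects.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEveryone",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-analytics-bucket/*",
        }
    ],
}

# Constructed corrected policy: one named role, read-only, and plaintext
# transport denied for everyone.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AnalyticsRoleReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/AnalyticsReader"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-analytics-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-analytics-bucket",
                "arn:aws:s3:::example-analytics-bucket/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

# Actions that let an anonymous caller alter or destroy data, not just read it.
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:*"}


def _as_list(value: Any) -> list:
    """Policy JSON allows a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal: Any) -> bool:
    """True when the Principal grants to everyone: '*' or {'AWS': '*'}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_statements(policy: dict) -> list[dict]:
    """One finding per unconditioned Allow statement open to anonymous principals.

    Deny statements are never a leak, and an anonymous Allow that carries a
    Condition (e.g. restricted to a VPC endpoint) is left for human review
    rather than flagged automatically.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "public_write": bool(actions & WRITE_ACTIONS),
            "actions": sorted(actions),
        })
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, json.dumps(find_public_statements(policy), indent=2))
```

The same check can be run over policies pulled from an account inventory or from IaC templates before deployment, which is where the article's 70% figure for IaC comes from: the mistake is caught before the bucket exists.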

An Amazon spokesperson told Dark Reading in a statement about the Prime Video case: "A Prime Video analytics server experienced a deployment error. This issue has been resolved, and no account information (including login or payment information) was compromised."

However, misconfiguration is not always the original sin; instead, a worker or developer will deploy a "shadow" server, a container or a storage bucket unknown to the IT department and thus unmanaged by the company.

Misconfigured storage has a long history of compromising security. The issue is frequently ranked among the top ten security issues in the popular Open Web Application Security Project (OWASP) Top 10 security list. Security Misconfiguration rose to fifth place in 2021, from sixth place in 2017. Verizon Business' annual "Data Breach Investigations Report" also highlights the outsized impact of misconfigured cloud storage: In 2021, human errors accounted for 13% of all breaches.

GitHub Introduces Private Flaw Reporting to Secure Software Supply Chain


GitHub, a Microsoft-owned code hosting platform, has announced the launch of a direct channel for security researchers to report vulnerabilities in public repositories that allow it. The new private vulnerability reporting capability allows repository administrators to enable security researchers to report any vulnerabilities found in their code to them. 

Some repositories may include instructions on how to contact the maintainers for vulnerability reporting, but for those that do not, researchers frequently report issues publicly. Whether the researcher reports the vulnerability through social media or by creating a public issue, this approach may expose vulnerability details publicly before the maintainers can address them. 

To avoid such situations, GitHub has implemented private reporting, which allows researchers to contact repository maintainers who are willing to enroll directly. If the functionality is enabled, the reporting security researchers are given a simple form to fill out with information about the identified problem.

According to GitHub, "anyone with admin access to a public repository can enable and disable private vulnerability reporting for the repository." When a vulnerability is reported, the repository maintainer is notified and can either accept or reject the report or ask additional questions about the issue.

According to GitHub, the benefits of the new capability include the ability to discuss vulnerability details privately, receiving reports directly on the same platform where the issue is discussed and addressed, initiating the advisory report, and a lower risk of being contacted publicly.

Private vulnerability reporting can be enabled from the repository's main page's 'Settings' section, in the 'Security' section of the sidebar, under 'Code security and analysis.' Once the functionality is enabled, security researchers can submit reports by clicking on a new 'Report a vulnerability' button on the repository's 'Advisories' page.

The private vulnerability reporting was announced at the GitHub Universe 2022 global developer event, along with the general availability of CodeQL support for Ruby, a new security risk and coverage view for GitHub Enterprise users, and funding for open-source developers.

The platform will provide a $20,000 incentive to 20 developers who maintain open-source repositories through the new GitHub Accelerator initiative. Meanwhile, the new $10 million M12 GitHub Fund will support future open-source companies.

UPI Frauds led to 15.3% Rise in Cybercrime Complaints Between Q1, Q2 in 2022: MHA


The unified payments interface (UPI) was a huge success. On the other hand, people are increasingly being cheated when conducting online transactions. UPI frauds contributed significantly to a 15.3% increase in the overall number of complaints reported on the National Cybercrime Reporting Portal (NCRP) between the first and second quarters of 2022, according to data from the Ministry of Home Affairs.

While the total number of registered complaints in the first quarter of 2022 was 206,198, it increased by 15.3 percent to 237,658 in the second quarter. The number of 'UPI fraud complaints,' a cyber crime category under NCRP, increased from 62,350 in Q1 2022 to 84,145 in Q2 2022.

When compared to other NCRP cyber crime categories such as debit/credit card fraud, internet banking-related fraud, and others, this represents a 34% increase.

These overall figures correspond to an increase in the number of cybercrime complaints registered on the NCRP portal since 2021.

This rise can be attributed to the expansion of digital payment systems since the Covid-19 pandemic, which has allowed small businesses to enter the ecosystem. UPI payments increased by more than 1,200 percent in the six months ending in September, according to an RBI report.

According to the MHA report, "Online financial fraud, a cyber crime category under NCRP is the most prevalent among others, as 67.9 percent of the total reported cyber crime were 'online financial frauds.'" However, no actual figures for this category were provided in the report.

Debit/credit card/sim swap fraud increased from Q1 to Q2 of 2022, which falls under financial fraud. In Q2, the figures were 26,793 compared to 24,270 in Q1. Nevertheless, complaints about internet banking decreased in the second quarter of 2022. While the figure was 20,443 in the first quarter of 2022, it fell to 19,267 in the second quarter.

UPI transactions are increasing

Unified Payments Interface (UPI) transactions hit a new high of Rs 12.11 lakh crore in October, six months after surpassing Rs 10 lakh crore in May.

This figure is expected to rise, with the RBI's Payment Vision 2025 projecting that UPI will grow by 50% on an annualized basis. This increased adoption of UPI will unintentionally contribute to an increase in UPI fraud.

In response, the National Payments Corporation of India (NPCI) launched 'UPI-Help' on the Bharat Interface for Money (BHIM) UPI last year to provide a simple grievance resolution mechanism.

One can view their transaction history in the BHIM UPI application by selecting the 'raise a complaint' option. The user can then choose which transaction requires a complaint to be filed. They can raise a concern by clicking "raise concern," describing the issue in an online complaint and submitting it.

NPCI also launched the Safety Shield campaign earlier this year to assist users with online payments via UPI.

Medibank: Hacker Gained Access to 9.7M Customers' Data and Refuses to Pay a Ransom
 

On Monday, Medibank Private Ltd (MPL.AX), Australia's largest health insurer, stated that no ransom payment will be made to the criminal responsible for a recent data theft in which the data of approximately 9.7 million current and former customers was compromised. 

Highlighting the findings of the firm's investigation thus far, Medibank confirmed that the data theft accessed the name, date of birth, address, phone number, and email addresses of approximately 9.7 million current and former customers. Cyber security issues in Australia have skyrocketed in recent years, according to a government report, with one attack occurring every seven minutes.

"Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers' data and prevent it from being published," Medibank CEO David Koczkar said.

Paying a ransom could encourage the hacker to directly extort customers, causing more people to suffer, according to Koczkar. The insurer reiterated that business operations remained normal during the cyberattack, with customers continuing to have access to health care.

Medibank has warned its customers to be cautious because the criminal may leak the data online or attempt to contact them directly.

In the last few weeks, Singapore Telecommunications' (STEL.SI) unit Optus disclosed a breach of up to 10 million customer accounts, and Woolworths (WOW.AX) revealed that the data of millions of customers using its bargain shopping website had been compromised.  

Medibank has announced that it will commission an external review in order to learn from the cyberattack, as well as expand its Cyber Response Support Program. 

All of your Wi-Fi Passwords are Stored on Your Computer Somewhere. Here's How to Locate Them


After configuring all of the devices, you're likely to forget your home Wi-Fi password. That is, until a friend or family member arrives and requests access to your network. What was the password, again? Is it the ridiculously long number on the back of your router? Even if you don't have the Wi-Fi password saved anywhere or memorized, there is a way to find all of your Wi-Fi passwords in one place. Simply check your computer. 

The Wi-Fi password is permanently stored in your settings as long as your Windows or Mac computer has previously connected to the network. It may take some digging on your part, but all of the passwords are available.

On MacOS and Windows, here's how to find the passwords for all Wi-Fi networks you've ever connected to. Find out more about the 17 most important settings for customising your MacBook or how to get the most out of Windows 11.

How to Find Wi-Fi Passwords in MacOS 

Every password you enter and save on a Mac is saved in Keychain Access, MacOS' password management system. This includes passwords for Wi-Fi networks.

To begin, open the Keychain Access app using the search feature and do the following:
1. Click on System under System Keychains in the sidebar.
2. Next, click on Passwords at the top of the window.
3. Find the Wi-Fi network you want the password for and double-click on it.
4. Finally, check the box next to Show password and enter your password when prompted.

The password field then displays your password to connect to that Wi-Fi network. If necessary, double-click in the password field to select the password and copy it to your clipboard.

How to Look for Wi-Fi Passwords in Windows

On Windows, finding the password to the Wi-Fi network you're currently connected to is simple, but getting your hands on all stored Wi-Fi passwords requires some effort, so we'll go over both methods below.

1. Click the Start button and then go to Control Panel > Network and Internet > Network and Sharing Center (Windows 11) or Settings > Network & Internet > Status > Network and Sharing Center (Windows 10).
2. Next to Connections, click your Wi-Fi network name highlighted in blue.
3. In the Wi-Fi Status page that opens, click Wireless Properties and then on the Security tab.
4. Finally, check the box next to Show characters to display your Wi-Fi network password above it.

This is not, however, the only way to find your Wi-Fi network passwords. The method described above only allows you to view the password for the Wi-Fi network to which you are currently connected, but there is a way to find the passwords for all Wi-Fi networks to which you have ever connected on your Windows computer. 

To find all your Wi-Fi network passwords on Windows:

1. Right-click on the Windows icon in the taskbar on your desktop.
2. Click Windows Terminal (Admin).
3. Type in netsh wlan show profile and hit Enter on your keyboard to view every Wi-Fi network you've connected to.
4. Once you find the Wi-Fi network you want the password for, type in netsh wlan show profile "(Wi-Fi network name)" key=clear (for example, netsh wlan show profile "Netgear667" key=clear), and then hit the Enter key.

The output is divided into Profile, Connectivity, Security, and Cost settings. The Wi-Fi network password will be displayed next to Key Content in the Security settings. In addition to Windows Terminal, you can use the Command Prompt application to enter the commands mentioned above to find your Wi-Fi passwords.

The ALMA Observatory has Suspended Operations due to a Cyberattack


Following a cyberattack on Saturday, October 29, 2022, the Atacama Large Millimeter Array (ALMA) Observatory in Chile has suspended all astronomical observation operations and taken its public website offline. 

Email services are currently limited at the observatory, and IT specialists are working to restore the affected systems. The organization announced the security incident on Twitter yesterday, saying that given the nature of the incident, it is impossible to predict when normal operations will resume.

The observatory also stated that the attack did not compromise the ALMA antennas or any scientific data, indicating that no unauthorized data access or exfiltration occurred. In an attempt to learn more about the security incident, BleepingComputer contacted ALMA Observatory, and a spokesperson shared the following comment:

"We cannot further discuss the details as there is an ongoing investigation. Our IT team was prepared to face the situation and had the proper infrastructure, although there is no flawless defense against hackers. We are still working hard on the full recovery of services. Thanks for your understanding." - ALMA Observatory.

The ALMA observatory is made up of 66 high-precision radio telescopes of 12 m diameter arranged in two arrays and is located on the Chajnantor plateau at an elevation of 5,000 m (16,400 ft). The project cost $1.4 billion, making it the most expensive ground telescope in the world, and it was created through a collaborative effort involving the United States, Europe, Canada, Japan, South Korea, Taiwan, and Chile.

Since reaching normal operational status in 2013, ALMA has contributed to pioneering comet and planetary formation studies, participated in the Event Horizon project to photograph a black hole for the first time in history, and detected the biomarker 'phosphine' in Venus' atmosphere.

The observatory is used by scientists from the National Science Foundation, the European Southern Observatory, the National Astronomical Observatory of Japan, and other organizations from around the world, so any interruption in operations has ramifications for multiple science teams and ongoing projects.

For the time being, users should keep an eye out for status updates on the NRAO's website or the ALMA Observatory's social media channels. Observers can seek assistance from the organization by using this online portal.

French Cybercriminals Opera1er Stole up to $30m from Banks


Based on a new report published by cybersecurity firm Group-IB, a French-speaking cybercrime group may have stolen more than $30 million from banks and other types of organizations in recent years. 

Group-IB has identified the threat actor as Opera1er. Others have previously investigated some of its activities, naming it Common Raven, Desktop-Group, and NXSMS. The cybersecurity firm is aware of 30 successful attacks carried out between 2019 and 2021, with many of the victims being attacked multiple times. 

The majority of the attacks targeted African banks, but victims also included financial services, mobile banking services, and telecommunications companies. Victims were discovered in 15 countries across Africa, Latin America, and Asia.

Group-IB has confirmed the theft of $11 million from victims since 2019, but believes the cybercriminals may have stolen more than $30 million. The typical Opera1er attack begins with a spear-phishing email sent to a small number of people within the targeted organisation. Access to domain controllers and banking back-office systems is the goal.

The hackers waited 3-12 months after gaining access to an organization's systems before stealing money. The cybercriminals used the banking infrastructure in the final phase of the operation to transfer money from bank customers to mule accounts, from which it was withdrawn at ATMs by money mules, typically on weekends and public holidays.

“In at least two banks, Opera1er got access to the SWIFT messaging interface,” Group-IB explained. “In one incident, the hackers obtained access to an SMS server which could be used to bypass anti-fraud or to cash out money via payment systems or mobile banking systems. In another incident, Opera1er used an antivirus update server which was deployed in the infrastructure as a pivoting point.”

There do not appear to be any zero-day vulnerabilities or custom malware used by Opera1er. They have exploited old software flaws as well as widely available malware and tools. The majority of the attackers' emails were written in French, according to Group-IB's analysis, and their English and Russian are "quite poor."  

The Urlscan.io API Unintentionally Exposes Sensitive URLs and Data


Researchers have issued a warning about enterprise software misconfigurations that result in the leak of sensitive records on urlscan.io. 

Urlscan.io is a website scanning and analysis platform. The system accepts URLs and generates a wealth of data, including domains, IP addresses, DOM information, and cookies, as well as screenshots. According to the developers, the engine's goal is to enable "anyone to easily and confidently analyze unknown and potentially malicious websites."

Many enterprise customers and open-source projects are supported by urlscan.io, and an API is provided to integrate these checks into third-party products.

GitHub alert

Positive Security stated in a blog post published today (November 2) that the urlscan API came to its attention as a result of an email GitHub sent in February, warning customers that GitHub Pages URLs had been accidentally leaked via a third party during metadata analysis.

“With the type of integration of this API (for example via a security tool that scans every incoming email and performs a urlscan on all links), and the amount of data in the database, there is a wide variety of sensitive data that can be searched for and retrieved by an anonymous user,” the researchers say.

Positive Security discovered that this could include urlscan.io dorks, password reset links, setup pages, Telegram bots, DocuSign signing requests, meeting invitations, package tracking links, and PayPal invoices after further investigation.

Pingbacks to leaked email addresses appeared to indicate that the culprits were misconfigured security tools that submitted links received via email as public scans to urlscan.io. Many API integrations, for example, used generic python-requests/2.X.Y user agents that ignored account visibility settings, allowing scans to be incorrectly submitted as public.

Misconfiguration of SOAR

Positive Security contacted a number of leaked email addresses and received only one response: from a company that sent an employee a DocuSign link to their work contract and then launched an investigation. The employer discovered that the problem was caused by a misconfiguration of their Security Orchestration, Automation, and Response (SOAR) playbook, which was integrated with urlscan.io.

Positive Security investigated historical urlscan.io data and discovered misconfigured clients that could be abused by scraping the system for email addresses and sending them unique links to see if they appeared on urlscan. Password resets for many web services can be triggered for users of such misconfigured clients, and the leaked link can be used to set a new password and take over the accounts.

Speaking to The Daily Swig, Fabian Bräunlein, co-founder of Positive Security said that this attack vector could be triggered “for personal services like banking or social media or company services such as for popular SaaS or custom applications.

“For many SaaS providers, access to an email address with a certain domain is already sufficient to gain access to internal company data (e.g. chats or code repositories),” Bräunlein added. “In such a case, an attacker does not even need to take over existing accounts but can just create new accounts at interesting services.”

Urlscan  Overhaul

Positive Security reported its findings to urlscan.io once its assessment of the issue's impact was completed in July. As a result, the cybersecurity firm and urlscan.io developers collaborated to resolve the issues discovered, resulting in the release of a new engine version later this month.

The updated software features an improved scan visibility interface as well as team-wide visibility settings. Urlscan.io later published Scan Visibility Best Practices, which explain the security benefits and risks posed by the three visibility settings users select when submitting a URL: 'Public,' 'Unlisted,' and 'Private.'

Urlscan.io has also contacted customers who have submitted a large number of public scans and has started reviewing third-party SOAR tool integrations. Finally, the developers added deletion rules, highlighted visibility settings in the user interface, and included a report button to disable problematic search results.
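What a SOAR integration that does not repeat the misconfiguration above looks like, as an added example that is not urlscan.io's, Positive Security's or any SOAR vendor's code: the visibility setting ('public', 'unlisted' or 'private') is passed on every submission instead of being left to the account default, sensitive-looking links are refused unless kept private, and a small audit runs over constructed log lines of past submissions. The endpoint, API-Key header and request fields follow the public urlscan.io API documentation; the heuristics and log format are assumptions made for this example, and nothing is sent over the network.

```python
"""Added example (not urlscan.io's, Positive Security's or any SOAR vendor's
code): a playbook-style submission helper that always sets scan visibility
explicitly, refuses non-private scans of links that look like one-time
secrets, and an audit over constructed log lines of past submissions.

Assumptions: endpoint, 'API-Key' header and the 'visibility'/'tags' fields
follow the public urlscan.io API documentation; SENSITIVE_HINTS,
SECRET_PARAM_RE and the log format are made up for this example. No request
is actually sent.
"""
import re
from urllib.parse import parse_qs, urlparse

SCAN_ENDPOINT = "https://urlscan.io/api/v1/scan/"
VISIBILITIES = ("public", "unlisted", "private")

# Constructed heuristics for links that usually carry single-use secrets
# (password resets, signing requests, invitations, invoices, ...).
SENSITIVE_HINTS = ("reset", "token", "invite", "docusign", "signin", "invoice")
SECRET_PARAM_RE = re.compile(r"^(token|key|code|sig|auth|otp)$", re.I)


def looks_sensitive(url: str) -> bool:
    """Heuristic: does this URL look like an authenticated or one-time link?"""
    parsed = urlparse(url)
    haystack = (parsed.netloc + parsed.path).lower()
    if any(hint in haystack for hint in SENSITIVE_HINTS):
        return True
    return any(SECRET_PARAM_RE.match(name) for name in parse_qs(parsed.query))


def build_scan_request(url: str, api_key: str, visibility: str = "private") -> dict:
    """Return the request a SOAR step should send for a link taken from email.

    Visibility is passed on every call (the leaks came from clients that left
    it to the account default), and a sensitive-looking link is refused
    unless it stays private.
    """
    if visibility not in VISIBILITIES:
        raise ValueError(f"visibility must be one of {VISIBILITIES}")
    if visibility != "private" and looks_sensitive(url):
        raise ValueError("refusing non-private scan of a sensitive-looking URL")
    return {
        "method": "POST",
        "url": SCAN_ENDPOINT,
        "headers": {"API-Key": api_key, "Content-Type": "application/json"},
        "json": {"url": url, "visibility": visibility, "tags": ["soar-email"]},
    }


# Constructed submission log: one "<visibility> <user-agent> <url>" per line.
SAMPLE_LOG = """\
public python-requests/2.28.1 https://example.com/reset-password?token=abc123
private soar-playbook/1.0 https://example.com/reset-password?token=def456
public python-requests/2.28.1 https://example.com/blog/post
public python-requests/2.28.1 https://docs.example.com/sign?code=z9
"""


def audit_log(log_text: str) -> list[str]:
    """URLs that were submitted publicly or unlisted although they look sensitive."""
    leaked = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        visibility, _agent, url = parts
        if visibility != "private" and looks_sensitive(url):
            leaked.append(url)
    return leaked


if __name__ == "__main__":
    print(build_scan_request("https://example.com/blog/post", "<API-KEY>", "unlisted"))
    for url in audit_log(SAMPLE_LOG):
        print("possible leak:", url)
```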

“Security teams that run a SOAR platform must make sure that no sensitive data is leaked to the public via integrations of third-party services,” Bräunlein commented.

Urlscan GmbH CEO Johannes Gilger told The Daily Swig: “We welcome the research performed by Positive Security and appreciate their professional conduct while working with us to identify the scope and source of these inadvertent information leaks.

“We have improved the visibility of the relevant settings on our platform, we have educated our users about the issue through a dedicated blog post and we continue to work with third-party automation providers to ensure adherence to safe default behaviors. A platform like urlscan will always carry the risk of unintended information disclosure due to the nature of its operation, so we take every available measure to minimize the likelihood of these things happening.”

Leaked Amazon Prime Video Server Exposed Users Viewing Habits

A database containing Amazon Prime Video users' viewing habits, which was stored on an internal Amazon server, was accidentally exposed online and could be accessed by anyone with a web browser. 

Anurag Sen, a cyber-security researcher, discovered the database containing Amazon Prime viewing habits on an internal Amazon server that was accessible online. According to TechCrunch, the database was first detected as being exposed to the internet on September 30 by the search engine Shodan.

"But because the database was not protected with a password, the data within could be accessed by anyone with a web browser just by knowing its IP address," the report noted.

The database contained nearly 215 million viewing data entries, such as the name of the show or movie being streamed, the device on which it was streamed, and other internal data. The Amazon Prime Video database was eventually taken down from the Internet. According to an Amazon spokesperson, there was a "deployment error with a Prime Video analytics server."

"This problem has been resolved and no account information (including login or payment details) was exposed. This was not an AWS issue; AWS is secure by default and performed as designed," the spokesperson added.

'The Lord of the Rings: The Rings of Power' attracted more than 25 million global viewers on its first day, the largest debut in Prime Video history, and is closing in on 100 million viewers to date, according to the company's latest Q3 earnings call. It also kicked off Prime Video's inaugural season as the exclusive home of NFL Thursday Night Football with over 15 million viewers for its first game.

Hackers Selling Ransomware Victims and Network Access Data for $4 Million


According to a new report, hackers are selling access to 576 corporate networks worldwide for a total cumulative asking price of $4,000,000, fueling enterprise attacks.

The findings come from the Israeli cyber-intelligence firm KELA, which published its Q3 2022 ransomware report. The report shows stable activity in the initial access sales sector but a significant increase in the value of the offerings. Although the number of network access sales remained roughly the same as in the previous two quarters, the total requested price has now reached $4,000,000. In comparison, the total value of initial access listings in Q2 2022 was $660,000, a decrease that coincided with the summer ransomware hiatus, which hampered demand. 

The Rise of Ransomware

Initial access brokers (IABs) are hackers who sell access to corporate networks, typically obtained through credential theft, webshells, or exploiting vulnerabilities in publicly exposed hardware.

After gaining access to the network, threat actors sell it to other hackers, who use it to steal valuable data, deploy ransomware, or engage in other malicious activity.

The reasons IABs do not use the network access themselves vary, from a lack of diverse intrusion skills to a preference not to risk increased legal trouble.

IABs continue to play an important role in the ransomware infection chain, despite the fact that they were sidelined last year when large ransomware gangs that operated as crime syndicates had their own IAB departments.

KELA analysts observed 110 threat actors posting 576 initial access offerings totaling $4,000,000 in the third quarter of 2022. The average selling price of these listings was $2,800, with a record median selling price of $1,350. KELA also witnessed a single access being offered for sale at the exorbitant price of $3,000,000. However, due to concerns about its authenticity, this listing was not included in the Q3 '22 stats and totals.

In Q3 2022, the top three IABs ran a large-scale business, selling between 40 and 100 accesses each. According to hacking forum discussions and marketplace listing removal events, the average time to sell corporate access was only 1.6 days, and the majority of the accesses sold were RDP and VPN credentials.

The United States was the most targeted country this quarter, accounting for 30.4% of all IAB offerings. This figure is comparable to the 39.1% share of ransomware attacks targeting US businesses in the third quarter.

Professional services, manufacturing, and technology led the targeted sectors with 13.4%, 10.8%, and 9.4%, respectively. Ransomware attacks are ranked similarly, emphasizing the link between the two. 

Because initial access brokers have become an essential component of the ransomware attack chain, protecting your network from intrusion is critical. To prevent the theft of corporate credentials, remote access servers should be placed behind VPNs, access to publicly exposed devices should be restricted, MFA should be enabled, and phishing training should be conducted.