Showing posts with label Data Exfiltration.

Secrets of SharePoint Security: New Techniques to Evade Detection
Varonis Threat Labs has described two techniques that let a user retrieve files from SharePoint, a widely used file-management platform, without the activity showing up as downloads in the audit logs. Because most detection rules key on download events, the files can be pulled out without triggering an alert.

Technique 1: Open in App Method

The first technique uses SharePoint's "Open in App" feature. Opening a file in the desktop application fetches a copy to the endpoint, but the audit log records only an access event for the file, not a download event. The action can be performed manually or scripted, so many files can be retrieved in quick succession without ever producing the download events that detection rules usually look for.

Technique 2: SkyDriveSync User-Agent

The second technique sets the HTTP User-Agent of a download request to that of Microsoft SkyDriveSync, the OneDrive sync client. SharePoint then records the download as a sync event rather than as a standard download. Because detection tools and policies commonly treat sync traffic as routine, the mislabelled events are much harder to pick out.

Implications for Security

Both techniques undermine controls such as cloud access security brokers (CASBs) and data loss prevention (DLP) systems that rely on download events. By making downloads look like ordinary access or sync activity, a threat actor can pass beneath these controls and exfiltrate sensitive data unnoticed.

Microsoft's Response

Varonis disclosed both methods to Microsoft, which rated them a "moderate" security concern and did not schedule an immediate fix. The behaviour therefore remains present in current SharePoint deployments, and organisations have to compensate with their own monitoring.

Recommendations for Organisations

To mitigate the risk, organisations are advised to monitor access events, not only download events, in their SharePoint and OneDrive audit logs. Varonis recommends user and entity behaviour analytics (UEBA) and similar features to detect and stop suspicious patterns such as mass file access.

What Are the Risks?

While SharePoint and OneDrive are essential tools for facilitating file access in organisations, misconfigured permissions and access controls can inadvertently expose sensitive data to unauthorised users. Threat actors often exploit these misconfigurations to exfiltrate data, posing a significant risk to organisations across various industries.

Detection and Prevention Strategies

To detect and prevent unauthorised data exfiltration, organisations should implement detection rules built on behavioural patterns: the frequency and volume of sync activity, sync or access from an unfamiliar device or location, and synchronisation of sensitive folders. Analysing these parameters together lets an organisation spot a suspicious session before the data is gone.
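The two detection rules recommended above (mass file access for the Open in App technique, and volume, device and folder checks for sync events) as an added example, not code from Varonis or Microsoft. The audit records are constructed for illustration; the field names (Operation, UserId, ClientIP, UserAgent, ObjectId, CreationTime) follow the Microsoft 365 unified audit log schema, while the thresholds, the sensitive-folder list and the known-device IP baseline are assumptions a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed baseline: folders treated as sensitive, and the IPs each user's
# managed devices normally sync from (a real deployment would derive these
# from DLP labels and the device inventory).
SENSITIVE_PREFIXES = ("/sites/Finance/", "/sites/Legal/")
KNOWN_DEVICE_IPS = {
    "alice@contoso.example": {"10.1.1.5"},
    "bob@contoso.example": {"10.1.1.9"},
    "carol@contoso.example": {"10.1.1.7"},
}

OFFICE_UA = "Microsoft Office Word/16.0 (Windows NT 10.0)"
SYNC_UA = "Microsoft SkyDriveSync 23.123.0614.0001 ship; Windows NT 10.0"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"


def _evt(ts, user, op, path, ip, ua):
    """One unified-audit-log-style record (real records carry CreationTime
    as an ISO-8601 string; here it is already a datetime)."""
    return {"CreationTime": ts, "UserId": user, "Operation": op,
            "ObjectId": "https://contoso.sharepoint.example" + path,
            "ClientIP": ip, "UserAgent": ua}


def build_sample_events():
    """Constructed records: alice pulls 30 files via Open in App in three
    minutes (only FileAccessed is logged), bob downloads 15 payroll files
    with a SkyDriveSync User-Agent from an unfamiliar IP (logged as a sync
    event), carol opens two files an hour apart."""
    base = datetime(2024, 4, 10, 9, 0, 0)
    events = []
    for i in range(30):
        events.append(_evt(base + timedelta(seconds=6 * i), "alice@contoso.example",
                           "FileAccessed", f"/sites/Sales/Shared Documents/q{i}.docx",
                           "10.1.1.5", OFFICE_UA))
    for i in range(15):
        events.append(_evt(base + timedelta(seconds=2 * i), "bob@contoso.example",
                           "FileSyncDownloadedFull",
                           f"/sites/Finance/Shared Documents/payroll{i}.xlsx",
                           "203.0.113.7", SYNC_UA))
    events.append(_evt(base, "carol@contoso.example", "FileAccessed",
                       "/sites/HR/Shared Documents/handbook.pdf", "10.1.1.7", BROWSER_UA))
    events.append(_evt(base + timedelta(hours=1), "carol@contoso.example", "FileAccessed",
                       "/sites/HR/Shared Documents/benefits.pdf", "10.1.1.7", BROWSER_UA))
    return events


def mass_access(events, threshold=20, window=timedelta(minutes=5)):
    """Technique 1: users whose FileAccessed count inside any sliding window
    exceeds the threshold.  Returns {user: peak count in a window}."""
    per_user = defaultdict(list)
    for e in events:
        if e["Operation"] == "FileAccessed":
            per_user[e["UserId"]].append(e["CreationTime"])
    hits = {}
    for user, times in per_user.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:      # slide the window's left edge
                lo += 1
            count = hi - lo + 1
            if count > threshold:
                hits[user] = max(count, hits.get(user, 0))
    return hits


def suspicious_sync(events, known_ips=KNOWN_DEVICE_IPS, threshold=10):
    """Technique 2: judge sync-download events on volume, client IP and
    folder sensitivity instead of trusting the Operation name.
    Returns {user: [reasons]}."""
    per_user = defaultdict(list)
    for e in events:
        if e["Operation"] == "FileSyncDownloadedFull" and "SkyDriveSync" in e["UserAgent"]:
            per_user[e["UserId"]].append(e)
    alerts = {}
    for user, evs in per_user.items():
        reasons = []
        if len(evs) > threshold:
            reasons.append(f"{len(evs)} sync downloads in feed")
        unknown = {e["ClientIP"] for e in evs} - known_ips.get(user, set())
        if unknown:
            reasons.append("sync from unknown client IP " + ", ".join(sorted(unknown)))
        if any(urlparse(e["ObjectId"]).path.startswith(SENSITIVE_PREFIXES) for e in evs):
            reasons.append("sync of sensitive folder")
        if reasons:
            alerts[user] = reasons
    return alerts


if __name__ == "__main__":
    sample = build_sample_events()
    print("mass access:", mass_access(sample))
    print("suspicious sync:", suspicious_sync(sample))
```

Run against the constructed feed, alice is flagged by the access-volume rule even though no download event exists for her, and bob is flagged on all three sync criteria; carol's two reads produce nothing. In production the records would come from Search-UnifiedAuditLog or the Office 365 Management Activity API, and the IP baseline would normally be replaced by device identity from the endpoint inventory.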




Conti's Legacy: Ransomware's Evolution and Future Threats

Ransomware has been a persistent and highly lucrative threat in the cybersecurity landscape, and one group that has garnered significant attention is Conti. Known for their sophisticated tactics and high-profile attacks, Conti has left a lasting impact on the cybersecurity community. However, recent developments indicate that Conti's legacy is undergoing a transformation, with spinoffs refining their attack strategies and raising concerns about the future of ransomware.

Conti first emerged in 2020 and quickly gained notoriety for its highly effective and profitable ransomware operations. The group targeted a wide range of industries, including healthcare, manufacturing, and finance, leveraging advanced techniques to breach networks and encrypt valuable data. Their success was attributed to their ability to exploit vulnerabilities in organizations' security infrastructure and their aggressive extortion tactics.

However, recent reports suggest that Conti's original group may have disbanded or rebranded, leading to the emergence of spinoffs carrying on their legacy. These new entities, operating under different names, have refined their attack strategies and continue to pose a significant threat to organizations worldwide.

One notable aspect of these spinoffs is their focus on data exfiltration alongside encryption. Instead of merely encrypting files and demanding a ransom, they now steal sensitive data before encryption, increasing their leverage by threatening to expose confidential information if the ransom is not paid. This approach not only amplifies the financial pressure on victims but also raises concerns about potential data breaches and regulatory implications.

To make matters worse, these spinoffs have also adopted a more targeted approach, carefully selecting victims based on their perceived ability to pay a significant ransom. By focusing on organizations with deep pockets or critical infrastructure, they maximize their chances of success and potential profit. Additionally, they have become more adept at evading detection by using sophisticated obfuscation techniques and employing anonymous communication channels.

The evolution of Conti's legacy highlights the need for organizations to remain vigilant and proactive in their cybersecurity measures. This includes implementing robust security controls, conducting regular vulnerability assessments, and educating employees about the risks and best practices for preventing ransomware attacks. It is also crucial for organizations to establish and regularly test incident response plans to minimize the impact and downtime in the event of an attack.

Furthermore, collaboration among law enforcement agencies, cybersecurity firms, and the private sector is essential to disrupt the operations of ransomware groups and bring their members to justice. By sharing threat intelligence and coordinating efforts, the global community can work towards dismantling these criminal networks and mitigating the widespread damage caused by ransomware attacks.

Data Theft: Employees Steal Company Data After Getting Fired


Employees taking company data with them

Around 47 million Americans left their jobs in 2021, and some took company data with them.

The conclusion comes from a recent report by Cyberhaven Inc., a data detection and response firm. It studied 372,000 data exfiltration incidents (unauthorised transfers of sensitive information between systems) across 1.4 million workers over a six-month period, and found that 9.4% of employees took data during that time frame.

Over 40% of the exfiltrated data was customer or client details, 13.8% was source code, and 8% was regulated personally identifiable information. The top 1% of offending users accounted for around 8% of incidents, and the top 10% for 35%.

Reason for data extraction

As expected, the peak period for data exfiltration was between an employee giving notice and their last day at work. Cyberhaven measured a 38% rise in incidents during the post-notice period and an 83% rise in the two weeks before a resignation. On the day an employee was fired, incidents rose by 109%.

Cyberhaven Inc.'s blog says:

"While external threats capture headlines, our report proves that internal leaks are rampant – costing millions (sometimes billions) in IP loss and reputational damage. High-profile recent examples include Twitter, TikTok, and Facebook, but for the most part, this trend has flown under the radar."

The scale of the incident

Looked at per person, the risk seems small, but it scales with headcount. Companies see on average 0.045 exfiltration events per employee per month, which works out to about 45 events a month at a 1,000-employee organisation.

The most common channel was personal cloud storage accounts, used in 27.5% of cases, followed by personal webmail at 19% and corporate email forwarded to personal accounts at 14.4%. Removable storage drives accounted for about one in seven cases.

Most incidents are accidental

Howard Ting, Cyberhaven's chief executive, warned against concluding that many employees are criminals. He believes the most common cause of data exfiltration is accident, and that no user should be presumed guilty; users are often simply unaware that they are not allowed to upload sensitive information to personal drives.

Most organisations fail to state clear policies on data ownership. Salespeople may believe they can keep the account details they hold, and developers may keep their code as a personal achievement. Company emails containing internal contact details are casually forwarded to personal accounts without ill intent, and sensitive information can be saved to a local drive in a few clicks. Cyberhaven Inc. comments:

"Our data suggests employees often sense their impending dismissal and decide to collect sensitive company data for themselves, while others quickly siphon away data before their access is turned off."





Newly Discovered Royal Ransomware is Targeting Organizations with Multi-Million Dollar Assaults
A new ransomware operation dubbed "Royal" is targeting organisations with ransom demands ranging from $250,000 to over $2 million.

A report by BleepingComputer, in collaboration with AdvIntel researchers, has investigated the group's encryptor and methodology. The group was first identified in January 2022 and is made up of vetted, experienced actors from earlier operations.

Interestingly, it does not operate as Ransomware-as-a-Service (RaaS) but as a private group without partners or affiliates. At first the group used the encryptors of other ransomware operations, such as BlackCat's, before moving to its own; the first of these was Zeon, whose ransom notes were identical to Conti's.

Royal modus operandi 

According to threat analysts, in the month the report was written the Royal ransomware switched to a new encryptor and began naming itself in its ransom notes. The researchers also found that the group operates quietly and had not set up a data leak site to publicise its attacks.

The campaign uses a technique called "callback phishing": emails in which the Royal operators impersonate software vendors and food-delivery platforms, usually about a subscription renewal, and invite the recipient to call a phone number.

When victims call the number, the ransomware operators employ social engineering to lure them into installing remote access software, thus acquiring access to the corporate network. Subsequently, the hackers execute multiple attack procedures, eventually leading to the encryption of the exploited devices. They employ Cobalt Strike to spread out across the network, collect credentials, steal data, and finally encrypt machines. 

Victims then find a ransom note named README.TXT containing a Tor link for negotiating with the operators. The demand ranges from $250,000 to over $2 million. To prove that they hold the firm's data, Royal will decrypt a few files and share listings of the stolen data.

It remains unclear how successful the operation is; at the time of writing there were no reports of any victim paying for a decryption key. The researchers strongly recommend that network, Windows and security admins keep an eye on this group, as it is ramping up operations and will likely grow into a significant enterprise-targeting ransomware operation.

Night Sky: New Ransomware Targeting Corporate Networks
The new year has brought with it new ransomware named 'Night Sky,' which targets corporate networks and steals data in double-extortion attacks. 

The Night Sky operation began on December 27th, according to MalwareHunterTeam, who were the first to spot the new ransomware. The operation has since published data from two victims.

One of the victims got an initial ransom demand of $800,000 in exchange for a decryptor and the promise that the stolen material would not be made public. 

How Night Sky encrypts devices

A sample of the Night Sky ransomware seen by BleepingComputer has a personalised ransom note and hardcoded login credentials to access the victim's negotiation page. 

When executed, the ransomware encrypts all files except those with .dll or .exe extensions, and skips the following files and folders:
AppData
Boot
Windows
Windows.old
Tor Browser
Internet Explorer
Google
Opera
Opera Software
Mozilla
Mozilla Firefox
$Recycle.Bin
ProgramData
All Users
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
bootmgr
bootmgr.efi
bootmgfw.efi
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db
Program Files
Program Files (x86)
#recycle

Night Sky appends the .nightsky extension to each file it encrypts. A ransom note named NightSkyReadMe.hta is dropped in every folder; it describes what was stolen and gives contact emails and hardcoded credentials for the victim's negotiation page.

Instead of a Tor site, Night Sky communicates with victims through email addresses and a clearnet website running Rocket.Chat. The credentials in the note log in to the Rocket.Chat URL it specifies.
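A triage script for a volume recovered after a Night Sky infection, built from the encryption behaviour described above (the .nightsky extension, the per-folder NightSkyReadMe.hta note, and the exclusion list). This is an added example, not code from the ransomware or from BleepingComputer; the sample directory tree is constructed in a temporary folder, and the case-insensitive, any-path-component matching of the exclusion list is an assumption about how the sample applies it.

```python
import json
import os
import tempfile
from pathlib import Path

# Exclusion list as reported for Night Sky, matched case-insensitively against
# every component of a path (assumed), plus the two extensions it never encrypts.
EXCLUDED_NAMES = {n.lower() for n in (
    "AppData", "Boot", "Windows", "Windows.old", "Tor Browser", "Internet Explorer",
    "Google", "Opera", "Opera Software", "Mozilla", "Mozilla Firefox", "$Recycle.Bin",
    "ProgramData", "All Users", "autorun.inf", "boot.ini", "bootfont.bin", "bootsect.bak",
    "bootmgr", "bootmgr.efi", "bootmgfw.efi", "desktop.ini", "iconcache.db", "ntldr",
    "ntuser.dat", "ntuser.dat.log", "ntuser.ini", "thumbs.db", "Program Files",
    "Program Files (x86)", "#recycle")}
EXCLUDED_EXTS = {".dll", ".exe"}
ENCRYPTED_EXT = ".nightsky"
NOTE_NAME = "NightSkyReadMe.hta"


def is_excluded(path, root):
    """True if the reported exclusion list says Night Sky would skip this file."""
    rel = Path(path).relative_to(root)
    if any(part.lower() in EXCLUDED_NAMES for part in rel.parts):
        return True
    return rel.suffix.lower() in EXCLUDED_EXTS


def triage(root):
    """Walk a recovered volume and classify every file it contains."""
    root = Path(root)
    report = {"encrypted": 0, "notes": [], "skipped_by_design": 0,
              "unencrypted_in_scope": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if name == NOTE_NAME:
                report["notes"].append(p.parent.relative_to(root).as_posix())
            elif p.suffix.lower() == ENCRYPTED_EXT:
                report["encrypted"] += 1
            elif is_excluded(p, root):
                report["skipped_by_design"] += 1
            else:
                # Plaintext outside the exclusion list: an interrupted run, a
                # path this sample does not handle, or data worth checking first.
                report["unencrypted_in_scope"].append(p.relative_to(root).as_posix())
    report["notes"].sort()
    report["unencrypted_in_scope"].sort()
    return report


def build_sample_tree(base):
    """Constructed infected tree (not a real capture): two user folders hit,
    excluded locations and .exe/.dll files untouched, one plaintext straggler."""
    for rel in (
        "Users/alice/Documents/budget.xlsx.nightsky",
        "Users/alice/Documents/NightSkyReadMe.hta",
        "Users/alice/AppData/Local/cache.bin",
        "Users/bob/Pictures/holiday.jpg.nightsky",
        "Users/bob/Pictures/NightSkyReadMe.hta",
        "Users/bob/Pictures/tool.exe",
        "Users/bob/Desktop/unfinished.txt",
        "Windows/System32/kernel32.dll",
        "ProgramData/app/config.json",
    ):
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
    return base


def run_demo():
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return triage(d)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The "unencrypted_in_scope" bucket is the one an incident responder looks at first: files the exclusion list should not have protected but that are still plaintext point either to an interrupted run or to an image taken before the encryptor finished, and in both cases they are the data to preserve before anything else is touched.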

Double extortion tactic

Before encrypting devices on the network, ransomware operations frequently grab unencrypted data from victims. Threat actors then utilize the stolen data in a "double-extortion" scheme, threatening to leak the information unless a ransom is paid. 

Night Sky built a Tor data leak site to leak the data of victims, which now contains two victims, one from Bangladesh and the other from Japan. While there hasn't been much activity with the new Night Sky ransomware operation, one should keep a watch on it as we enter the new year.