Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Theft. Show all posts
security measures
Account security AT&T Customer Data Cybersecurity measures Data Breach data security Data Theft security measures

AT&T Data Breach: Essential Steps for Victims to Protect Themselves

 

Telecom giant AT&T recently disclosed a massive data breach affecting nearly all of its approximately 110 million customers. If you were a customer between May 2022 and January 2023, there is a high chance your data, including call and text message records, was accessed through an illegal download from a third-party cloud platform. Customers should watch for contact from AT&T or check their accounts for notifications. First, change your password. 

Since your password is likely compromised, update it on both your AT&T account and any other accounts where it was used. While it’s inconvenient, using different passwords for each service is essential. Numerous tools can create secure, randomly generated passwords, and password managers can help you remember them. Also, activate two-factor authentication on your account and any other accounts using the same password. Combining two login methods enhances security. Given the nature of this leak, consider changing your cell phone number as well. Prepare for an increase in spam calls, but the bigger concern is potential scammers.

Be extra cautious about giving out personal details such as banking information or your address over the phone, as these could be cleverly disguised phishing schemes. Stay vigilant online, as even anonymous phone number information can be pieced together by scammers to identify individuals. Treat every email from unfamiliar addresses as suspicious. Additionally, inform your bank about the breach. They can monitor for any suspicious transactions and introduce new security measures to ensure you are contacting your bank, not an imposter.  

Lastly, protect yourself further by using one of the best VPNs to secure your online data. VPNs not only spoof your IP address location but also securely encrypt your data. There are even free VPN plans like ProtonVPN. Many VPNs also include antivirus elements. For instance, NordVPN has its Threat Protection Pro system, which is effective against phishing. A Surfshark One subscription includes dedicated antivirus software and an Alternative ID feature, which allows you to sign up for services online with randomly generated details, including a decoy phone number. With an Alternative ID, you can create accounts for less trustworthy services (or those frequently attacked, like AT&T) with peace of mind. 

This way, you can minimize spam and rest assured that if your details get leaked, you haven’t actually been compromised. Hackers will have nothing to piece together; you can simply disconnect that ID, generate another random identity, and move on securely.
Read more »
User Security
Cyber Fraud Data Theft Euro Final QR Codes Quishing User Security

England Fans Warned Over 'Quishing' Scam Ahed of Euro Final

 

England football fans have been urged to be wary of a 'quishing' scam as they gather in pubs to watch the Euro 2024 final against Spain. The duping phenomenon has the potential to be devastating for victims, and it has caught supporters off guard amid scenes of flying beer as fans celebrated achieving Sunday's landmark. In certain places, the scam has already been going on as the national team advanced to the final four. 

And now that England has advanced to the final, fans have been warned to keep an eye out for the scam. It employs the now-familiar digital QR codes, but individuals scanning the code with their phones can also be duped into downloading malicious stuff via fake codes. 

This is not a new thing, but for fans watching the game in pubs, it can be worrying. It combines 'QR codes' and 'phishing'. Fake QR (quick response) codes could imitate an existing code, leading users to download malicious content. According to Cloudflare, their goal is to collect sensitive information such as passwords, financial data, or personally identifying information (PII). A code might also deceive victims when sent as an email or message. 

“Once this sensitive information is captured, attackers can exploit it for various malicious purposes, including identity theft, financial fraud, or ransomware,” Cloudfare added.

QR codes, which emerged during the coronavirus pandemic, were popular as a way to order food or drinks in bars. It may appear harmless, but it means that a once-harmless transaction now involves a possible risk. 

Scammers started using QR codes, which operate by inserting instructions within a black and white dot-based graphic, to trick customers. Smartphones, apps, and scanners transform QR codes into information that people can understand. However, the coders usually direct to websites, links to media, or buttons to download an app. 

According to TitanHQ, an anti-phishing platform, 84% of smartphone users have scanned a QR code at least once, with more than 34% scanning a QR code once every week. However, the ease with which QR codes are used has enabled criminals to indulge in phishing. 

These scams might have varying effects depending on the type, but the consequences can be serious for people who are targeted by scammers. Football fans will likewise be enthusiastic for Sunday's game, and many possibly have a few drinks before watching their team.
Read more »
UK
Cyber Security Data Theft Databreach NHS Ransomware UK

Cybersecurity Expert Warns NHS Still Vulnerable After Major Ransomware Attack

 

A leading cybersecurity expert has warned that the NHS remains at risk of further cyber-attacks unless it updates its computer systems. This stark warning follows a significant ransomware attack that severely disrupted healthcare services across London. 

Prof Ciaran Martin, the founding CEO of the UK's National Cyber Security Centre (NCSC), told the BBC: "I was horrified, but not completely surprised. Ransomware attacks on healthcare are a major global problem." NHS England announced it was increasing its cybersecurity resilience and had invested $338 million over the past seven years to address the issue. 

However, Prof Martin’s warnings suggest more urgent action is necessary. A recent British Medical Association report highlighted the NHS's ageing IT infrastructure, revealing that doctors waste 13.5 million hours annually due to outdated systems - equivalent to 8,000 full-time medics' time. 

 The cyber-attack on 3 June, described by Prof Martin as one of the most serious in British history, targeted Synnovis, a pathology testing organisation. This severely affected services at Guy's, St Thomas', King's College, and Evelina London Children's Hospitals. 

NHS England declared it a regional incident, resulting in 4,913 outpatient appointments and 1,391 operations being postponed, alongside major data security concerns. The Russian-based hacking group Qilin, believed to be part of a Kremlin-protected cyber army, demanded a $40 million ransom. When the NHS refused to pay, the group published stolen data on the dark web. 

This incident reflects a growing trend of Russian cyber criminals targeting global healthcare systems. Now a professor at the University of Oxford, Prof Martin highlighted three critical issues facing NHS cybersecurity: outdated IT systems, the need to identify vulnerable points, and the importance of basic security practices.

He further said, "In parts of the NHS estate, it's quite clear that some of the IT is out of date." He stressed the importance of identifying "single points of failure" in the system and implementing better backups. 

Additionally, he emphasized that improving basic security measures could significantly hinder attackers, noting: "Those little things make the point of entry quite a lot harder for the thugs to get in." Emphasizing the severity of the recent attack, he said, "It was obvious that this was going to be one of the most serious cyber incidents in British history because of the disruption to healthcare."
Read more »
Ransowmare
BlackSuit CDK Global Cyber Attacks Cyberattack Data Theft Kadokawa Ransowmare

Cyberattack by BlackSuit Targets Kadokawa and CDK Global

In early June, Kadokawa's video-sharing platform Niconico experienced a server outage, which has now been claimed by the Russia-linked hacker group BlackSuit. This group, a rebrand of the Royal ransomware operation and linked to the defunct Conti cybercrime syndicate, has issued a threat on the dark web to release 1.5 terabytes of sensitive data, including signed documents, contracts, legal statements, and emails, unless a ransom is paid by July 1, 2024. 

Details of the Attack on Kadokawa: 

Kadokawa first acknowledged the cyberattack in early June, which disrupted multiple websites and services. Despite efforts by Kadokawa's IT department, BlackSuit reportedly managed to steal 1.5 terabytes of sensitive data, including business plans, user data, contracts, and financial records. The hackers exploited vulnerabilities in Kadokawa’s network, gaining access to a control center that allowed them to encrypt the entire network, affecting subsidiaries like Dwango and NicoNico. Kadokawa has assured customers that no credit card information was compromised, as it was not stored on their system. 

The company is prioritizing the restoration of accounting functions and normalizing manufacturing and distribution in its publication business, with expected results by early July. Although the production of new publications remains steady, the shipment of existing publications is currently at one-third of normal levels. Kadokawa is implementing alternative arrangements, including increasing human resources, to mitigate the impact. 

In the Web Services business, all Niconico family services are still suspended, but provisional services like Niconico Video (Re: tmp) and Niconico Live Streaming (Re: tmp) have been provided. Existing services such as Niconico Manga smartphone version and NicoFT have resumed. The Merchandise business has seen limited impact, with shipping functions operating normally. However, the failure of Kadokawa’s account authentication function has prevented users from logging into certain online shops. Temporary pages have been created for affected users, and Kadokawa will keep providing updates regarding this issue. 

Impact on CDK Global: 

BlackSuit is also believed to be behind ongoing outages at CDK Global, a software provider for approximately 15,000 North American car dealerships. Several major U.S. auto dealers, including AutoNation, Group 1 Automotive, Penske Automotive Group, Sonic Automotive, and Lithia Motors, have reported disruptions in their services due to the cyberattack. As a result, many dealerships have had to revert to pen and paper for managing auto repairs, closing new car sales, and conducting other business. 

CDK attempted to restore its systems but was hit with a second cyberattack, causing them to shut down all systems again. The company has yet to acknowledge that the attack is a result of ransomware, but an incident like this could take weeks to recover from. Even after operations return to normal, CDK will have to investigate what data was stolen, how the attack happened, and the impact on its customers. 

Allan Liska, a ransomware analyst at Recorded Future, mentioned that the CDK attack has been attributed to BlackSuit in hacker forums and private chat channels. Malicious cybercriminal gangs are known to boast about their schemes on these platforms. While CDK is not yet listed on BlackSuit's dark web site, indicating ongoing negotiations, Bloomberg reported that the hackers are asking for a ransom in the tens of millions of dollars.
Read more »
US Cyber Security
Customer Information Cyber Security data security Data Theft IT systems breach sensitive data theft US Cyber Security

Back-to-Back Cyberattacks Disrupt Car Dealers in the US and Canada

 

In recent weeks, car dealerships across the United States and Canada have been severely disrupted by consecutive cyberattacks, underlining the growing vulnerability of the automotive retail sector. These attacks, involving sophisticated ransomware operations, have caused significant operational challenges, impacting the ability of dealerships to conduct business as usual. 

The cybercriminals targeted dealership IT systems, locking down critical data and demanding hefty ransoms for its release. This tactic has not only paralyzed daily operations but also jeopardized sensitive customer information. The attacks have disrupted everything from vehicle sales and service appointments to finance and insurance processes, causing substantial financial losses and reputational damage. 

One of the primary concerns stemming from these incidents is the exposure of customer data. Personal details, financial information, and even vehicle identification numbers (VINs) are at risk, potentially leading to identity theft and financial fraud. This breach of trust can have long-term consequences for the affected dealerships, eroding customer confidence and loyalty. The recent wave of cyberattacks has prompted a swift response from the automotive industry and cybersecurity experts. Dealerships are being urged to enhance their cybersecurity protocols, including implementing stronger encryption methods, regular system audits, and comprehensive employee training programs. 

These measures are essential to fortify defenses against future attacks and safeguard sensitive information. The automotive sector, much like other industries, must recognize the persistent threat posed by cybercriminals. As these attacks become increasingly sophisticated, the need for proactive and robust cybersecurity strategies is more critical than ever. This includes not only technical defenses but also a culture of awareness and vigilance among employees. 

In the wake of these attacks, industry bodies and regulatory authorities are also calling for greater collaboration and information sharing. By working together, dealerships can better understand emerging threats, share best practices, and develop collective defenses against cyber adversaries. The disruptions caused by these back-to-back cyberattacks serve as a stark reminder of the importance of cybersecurity in the digital age. 

For car dealerships, the priority must now be on bolstering their defenses to protect their operations and the personal data of their customers. As the automotive industry continues to embrace digital transformation, ensuring robust cybersecurity measures will be key to maintaining business continuity and customer trust.
Read more »
Ransomware
Arctic Wolf cyber attack Cyber Attacks Data Theft Fog Ransomware Ransomware

New Ransomware Variant "Fog" Targets U.S. Education and Recreation Sectors

Arctic Wolf Labs has identified a new, sophisticated ransomware variant named "Fog," which has been aggressively targeting organizations in the United States, particularly within the education and recreation sectors. This variant came to light following several incident response cases in May and was publicly disclosed in June, raising considerable concerns due to the intricate nature of the attacks. 

Fog ransomware typically infiltrates victim networks using compromised VPN credentials, exploiting vulnerabilities in remote access systems from two different VPN gateway vendors. The attackers gain unauthorized access by leveraging stolen VPN credentials. 

Once inside the network, the attackers employ various techniques, including: Pass-the-hash activity, Credential stuffing, and Deployment of PsExec across multiple systems. The group also utilizes RDP/SMB protocols to reach targeted hosts and disable Windows Defender on Windows Servers to maintain their foothold. Working of Fog Ransomware Fog ransomware operates using a JSON-based configuration block that orchestrates activities both pre- and post-encryption. They deploy PsExec, disable Windows Defender, and systematically query system files, volumes, and network resources before commencing the encryption. 

Additionally, Fog ransomware targets VMDK files in Virtual Machine storage, deletes backups from Veeam object storage, and Windows volume shadow copies. It employs an embedded public key for encryption and appends unique extensions (.FOG and .FLOCKED) to the encrypted files. Unlike many other ransomware types, Fog does not engage in data exfiltration; instead, it focuses on quickly encrypting VM storage data, demanding ransoms for decryption. 

The encryptor binary of the Fog ransomware employs several well-known techniques. First, it creates a log file named DbgLog.sys in the %AppData% directory. Next, it utilizes the NT API to gather system information via the NtQuerySystemInformation function, such as the number of logical processors, to enhance its encryption efficiency. The encryption itself uses outdated Windows APIs like CryptImportKey and CryptEncrypt. After the encryption process is completed, the attackers leave a ransom note, typically called 'readme.txt,' providing instructions for contacting them to obtain decryption keys. 

An analysis of these ransom notes shows that the Fog ransomware group demands ransom payments that can reach hundreds of thousands of dollars, offering decryption keys and assurances of data deletion in return.Organizations, particularly in the education and recreation sectors, should prioritize enhancing their cybersecurity defenses by implementing robust security measures, ensuring the protection and proper management of VPN credentials, and maintaining up-to-date and secure backups to mitigate the potential impact of ransomware attacks.
Read more »
Microsoft
Azure Data Breach data scam Data Theft Microsoft

Security researcher says Azure Tags are security threat but Microsoft disagrees

 

Tenable recently identified a notable security issue within Microsoft's Azure Network service tags. While Tenable classified this as a high-severity vulnerability, Microsoft disagreed with this classification. Despite their differences, both companies jointly disclosed the security issue on Monday. 

What is Azure? 

Azure is Microsoft's comprehensive public cloud platform, offering over 200 services. These include Platform as a Service (PaaS) for application development and operation, Infrastructure as a Service (IaaS) for virtual machines, networking, and storage, and Managed Database Services for simplified database management. Azure supports developers, IT professionals, and business owners, providing the tools to build, run, and manage applications across multiple environments, including on-premises and edge locations. This flexibility and scalability make Azure adaptable to a wide range of organizational needs. 

What is the Issue?

Azure service tags represent groups of IP addresses for various Azure services, streamlining the creation of access control rules. These tags can be used in firewall settings to permit traffic from specific Azure services. However, Tenable uncovered a serious flaw: attackers could potentially bypass firewall rules that rely exclusively on service tags by masquerading as trusted services. 

Specific Vulnerability Scenario 

The vulnerability arises under the following conditions: Inbound traffic is permitted through a service tag. Services allowing inbound traffic might let users control parts of web requests, such as the URL path or destination host. An attacker in one tenant (Tenant A) could exploit this to access resources in another tenant (Tenant B) if the target allows traffic from the service tag and lacks additional authentication methods. For example, Azure Monitor Availability Tests use the ApplicationInsightsAvailability service tag for synthetic monitoring. A malicious user could exploit this setup to access endpoints in a different subscription. 

What Customer Should do? 

Reviewing and Strengthening Security Posture Azure customers using service tags should reevaluate their network settings: Recognize that relying solely on service tags does not fully secure traffic. Implement additional authentication and authorization checks for enhanced security. Ensure appropriate security measures are in place to safeguard traffic between Azure tenants. Refer to Microsoft's updated best practices for service tags and specific service guidelines. Adhere to Azure security fundamentals to secure your Azure platform and infrastructure. Enable and configure suitable monitoring controls in Azure Monitor. Example Mitigation Strategy To protect against unauthorized traffic via the ApplicationInsightsAvailability service tag, customers can create a token and include it as an HTTP header in availability tests. Validate this HTTP header in incoming requests to authenticate traffic origins, rejecting any requests missing the custom header. 

Microsoft’s Response and Mitigation Following Tenable's report, 

Conducted an extensive review and search for similar vulnerabilities. 

Updated documentation for Azure services utilizing inbound service tags. 

Released best practices for service tags to aid users in securing their environments more effectively. 

This collaborative disclosure by Tenable and Microsoft underscores the importance for Azure customers to regularly review and enhance their network security configurations. Service tags should be integrated into a comprehensive security strategy that includes robust authentication and monitoring practices.
Read more »
sabotage
Bitkom report China cyber threats Cyber Security cyberattacks increase CyberCrime Data Theft economic damage espionage foreign organizations Russia cyber threats sabotage

Surge in Cyber Attacks on German Businesses Costs Billions of Euros

 

Around 80% of targeted firms have fallen victim to data theft, espionage, or sabotage, according to the German digital industry association Bitkom. Cybercrime is on the rise in Germany, with damages estimated to cost the economy €148 billion annually.

Data released by German authorities on Monday indicated a 28% increase in cyberattacks by foreign organizations in 2023, with significant activity from Russia and China.

German Interior Minister Nancy Faeser highlighted the high threat level in cybersecurity while presenting the national report on cybercrime. Bitkom managing director Bernhard Rohleder added that cyberattacks from Russia had doubled in the past two years, and those from China had increased by 50%.

Rohleder also noted that 80% of German companies targeted experienced data theft, espionage, or sabotage, causing financial damages amounting to €148 billion per year. Most of these attacks were attributed to criminal gangs or foreign intelligence services, targeting key infrastructures such as energy supplies, transport, and hospitals.

The motivations behind these cyberattacks vary. Some cybercriminals seek financial gain, while others, including private individuals, are driven by the desire to cause disruption or simply for amusement.

The report’s release comes amidst heightened concerns ahead of the European Parliament elections in June. Earlier this month, Germany accused Russia of launching cyberattacks against its defense and aerospace sectors, as well as members of the Social Democratic Party, in response to Germany's support for Ukraine.

Interior Minister Faeser emphasized Germany’s resilience, stating, "We will not be intimidated by the Russian regime. We will continue to do everything to protect our democracy from Russian cyber actions and we will continue to support Ukraine."
Read more »
University Hack
Bitfinex Cyber Attacks Data Safety Data Theft Hackers Ransom Demands Ransomware threats University Hack

Assessing F Society's Latest Ransomware Targets: Are They at Risk?

 

In recent developments, the F Society ransomware group has once again made headlines by listing four additional victims on its leak site. The alleged targets include Bitfinex, Coinmoma, Rutgers University, and SBC Global Net. Bitfinex, a renowned cryptocurrency exchange platform, and Coinmoma, offering cryptocurrency-related data, are among the victims. 

Rutgers University, one of the oldest universities in the US, and SBC Global Net, an email service once provided by SBC Communications, are also allegedly affected. While the attacks are yet to be officially confirmed, the ransomware group has provided unique descriptions for each victim, along with links to sample data obtained from the attacks. 

Bitfinex was reportedly targeted with the theft of 2.5 TB of information and personal details of 400K users. Rutgers University faced an alleged theft of 1 TB of data, with the specific type of information not disclosed. Coinmoma was claimed to have sensitive data, including user information and transaction histories, compromised, with a file size of 2TB and 210k user records. 

Similarly, SBC Global Net was stated to have unauthorized access, leading to the theft of personal user details, with a file size of 1 TB. Despite these claims, no ransom amount has been publicly mentioned, and the victims are given seven days to comply with the demands, failing which the obtained data will be leaked. 

As of now, there have been no official responses from the victims, and the claims remain unverified. While the authenticity of F Society's claims is uncertain, Bitfinex had previously experienced a significant hacking incident in 2016. During this incident, approximately 119,754 bitcoins were stolen from the platform due to a breach, leading to unauthorized transactions. The stolen bitcoins were later recovered by law enforcement after a thorough investigation, marking one of the largest recoveries in the history of the US Department of Justice. 

However, the perpetrator behind the hack remains unidentified, although it is known that they attempted to cover their tracks using a data destruction tool. The previous security lapse experienced by Bitfinex highlights the importance of robust cybersecurity measures, especially in the realm of cryptocurrency exchanges. As cyber threats continue to evolve, organizations must prioritize the implementation of stringent security protocols to safeguard sensitive data and mitigate the risk of ransomware attacks.
 
Additionally, prompt response and collaboration with law enforcement agencies are essential in investigating such incidents and holding perpetrators accountable for their actions. The recent targeting of prominent entities by the F Society ransomware group underscores the persistent threat posed by cybercriminals. As organizations strive to fortify their defenses against such attacks, proactive measures and swift action are imperative to protect valuable assets and maintain trust among stakeholders in an increasingly digital landscape.
Read more »
Routers Threat
Cloud Credentials Cyber Security data security Data Theft Hijacking attacks Router vulnerability Routers Routers Threat

New Cuttlefish Malware Hijacks Router Connections, Cloud Data Stolen

 

In the ever-evolving landscape of cybersecurity threats, a new menace has emerged: Cuttlefish. This sophisticated malware targets enterprise-grade and small office/home office (SOHO) routers, posing a significant risk to both businesses and individual users alike. 

Discovered by Lumen Technologies' Black Lotus Labs, Cuttlefish operates by infecting routers and creating a proxy or VPN tunnel to stealthily exfiltrate data. By doing so, it bypasses security measures designed to detect unusual sign-ins, making it particularly insidious. One of the most concerning aspects of Cuttlefish is its ability to perform DNS and HTTP hijacking within private IP spaces. 

This interference with internal communications can disrupt organizational workflows and potentially introduce additional payloads, compounding the damage caused by the initial infection. While Cuttlefish shares some code similarities with HiatusRat, a malware previously associated with Chinese state interests, there is no definitive link between the two. Attribution remains challenging, further complicating efforts to combat this threat effectively. 

According to Black Lotus Labs, Cuttlefish has been active since at least July 2023, primarily targeting users in Turkey. However, infections have been reported elsewhere, impacting services such as satellite phones and data centres. The exact method of initial infection remains unclear, but it likely involves exploiting known vulnerabilities or brute-forcing credentials. Once inside a router, Cuttlefish deploys a bash script to collect host-based data and download its primary payload. 

What sets Cuttlefish apart is its adaptability to various router architectures, making it a versatile threat capable of targeting a wide range of devices. Once executed, the malware monitors all connections passing through the router, searching for specific data such as usernames, passwords, and tokens associated with cloud services like AWS and Digital Ocean. Once this data is captured, Cuttlefish exfiltrates it to the attacker's command and control (C2) server using a peer-to-peer VPN or proxy tunnel.

Additionally, the malware can redirect DNS and HTTP requests to actor-controlled infrastructure, enabling further data interception and manipulation. Cuttlefish severely threatens organizations worldwide, allowing attackers to bypass traditional security measures and dwell undetected within cloud environments. Network administrators should take proactive steps to strengthen their defences to mitigate the risk posed by Cuttlefish and similar threats. 

This includes eliminating weak credentials, monitoring for unusual logins, securing traffic with TLS/SSL encryption, and inspecting devices for signs of compromise. Additionally, regular router reboots, firmware updates, and password changes are recommended for SOHO router users to prevent exploitation.  

Cuttlefish represents a significant escalation in cyber threats, underscoring the importance of robust cybersecurity practices and constant vigilance in today's digital landscape. Organizations can better protect themselves against emerging threats like Cuttlefish by staying informed and implementing proactive security measures.
Read more »
Ransomware threats
Cyber Attacks Cybercime Cyberhackers data security Data Theft Ransom Demand Ransomware attack Ransomware threats

Ransomware Strikes St-Jerome Company: Everest Group Suspected

 

Les Miroirs St-Antoine Inc., a longstanding company in the St-Jérôme region, is grappling with the aftermath of an alleged ransomware attack orchestrated by the infamous Everest Group. Founded in 1956, Les Miroirs St-Antoine specializes in glazing and aluminum products for commercial, industrial, and institutional sectors. 

However, the tranquility of this family-owned business has been shattered by the looming threat of cybercrime. As of now, crucial details regarding the attack, such as the extent of the data breach, the level of data compromise, and the motive behind the attack, remain undisclosed by the ransomware group. 
Nevertheless, the Everest Group has issued a chilling ultimatum, demanding that Les Miroirs St-Antoine Inc. contact them within 24 hours, failing which, all stolen data will be made public. Since its emergence in December 2020, the Everest ransomware group has established itself as a formidable threat within the cybersecurity landscape. 

Operating primarily within Russian-speaking circles, the group has strategically targeted organizations spanning various industries and regions. Notable victims, including renowned entities such as NASA and the Brazilian Government, have fallen prey to the group's sophisticated data exfiltration tactics. What sets Everest ransomware apart is its ruthless demand for ransom, which extends beyond decrypting files to threatening the public release of stolen data. 

This coercive strategy places immense pressure on victims to meet the group's demands, amplifying the stakes of their cyberattacks. Moreover, the threat of double extortion, wherein stolen data is released to the public, exacerbates the company's predicament and underscores the severity of the situation. 

In response to the alleged ransomware attack, Les Miroirs St-Antoine Inc. must mobilize its cybersecurity resources to assess the extent of the breach and mitigate further damage. Collaboration with law enforcement agencies and cybersecurity experts is essential in identifying the perpetrators and holding them accountable for their actions. 

Furthermore, transparent communication with stakeholders, including customers, employees, and partners, is imperative to address concerns and reassure the community amidst the crisis. By prioritizing vigilance, preparedness, and proactive measures, Les Miroirs St-Antoine Inc. can navigate the challenges posed by cybercriminals and emerge stronger from this ordeal. 

The alleged ransomware attack targeting Les Miroirs St-Antoine Inc. serves as a poignant reminder of the ever-present threat posed by cybercriminals in today's digital landscape. As organizations strive to safeguard their assets and uphold the trust of their stakeholders, resilience, adaptability, and robust cybersecurity measures are paramount in thwarting malicious attacks and preserving business continuity.
Read more »
Qlik Servers
Backups Cactus ransomware Cyber Security Data Theft Qlik Servers

Qlik Sense Servers Prone To Cactus Ransomware Threats

 


Security experts are urgently warning about the vulnerability of thousands of Qlik Sense servers to potential ransomware attacks by the troubling Cactus group. Despite prior disclosures of vulnerabilities by Qlik, many organisations remain at risk due to unpatched systems.

Qlik, an eminent player in data visualisation and business intelligence, disclosed two critical vulnerabilities, known as CVE-2023-41266 and CVE-2023-41265, in August last year. These flaws, when exploited together, enable remote attackers to execute arbitrary code on vulnerable systems. Additionally, a subsequent disclosure in September, CVE-2023-48365, revealed a bypass of Qlik's initial fix, leaving systems vulnerable to exploitation.

Recent reports highlight the active exploitation of these vulnerabilities by the Cactus ransomware group to infiltrate target environments. Despite warnings from security vendors like Arctic Wolf, ongoing attacks persist. A recent scan by Fox-IT uncovered over 5,000 internet-accessible Qlik Sense servers, with a significant portion still vulnerable to exploitation.

Countries such as the US, Italy, Brazil, Netherlands, and Germany face a concerning number of vulnerable servers, elevating the risk for organisations in these regions. In response, security organisations like Fox-IT and the Dutch Institute for Vulnerability Disclosure (DIVD) have launched efforts under Project Melissa to disrupt Cactus group operations.

Upon identifying vulnerable servers, Fox-IT and DIVD have actively notified affected organisations, urging immediate action to mitigate the risk of a ransomware attack. Joining the effort, the ShadowServer Foundation emphasises the urgent need for remediation to prevent compromise.

To assist organisations in identifying potential compromise, specific indicators such as the presence of unusual font files, qle.ttf and qle.woff, have been highlighted. These files, not standard in Qlik Sense installations, may indicate unauthorised access or remnants of previous security incidents.

In recognizing the gravity of the situation, Fox-IT stressed the need for proactive measures to address the potential risks of ransomware attacks. These measures include promptly patching vulnerable systems to fix known security issues and conducting thorough security assessments to identify and resolve any existing weaknesses in the network infrastructure.

Additionally, organisations are encouraged to implement robust cybersecurity measures, such as deploying intrusion detection and prevention systems, enhancing network segmentation to limit the impact of potential breaches, and enforcing strong access controls to prevent unauthorised access to sensitive data.

Regular employee training and awareness programs play a crucial role in identifying and mitigating security risks, including phishing attacks or social engineering attempts. By educating employees about the latest cybersecurity threats and best practices, organisations can strengthen their overall security posture and reduce the risk of successful ransomware attacks.

Moreover, maintaining up-to-date backups of critical data is essential to ensure data integrity and facilitate recovery in the event of a ransomware attack. Organisations should establish a comprehensive backup strategy that includes regular backups, secure storage of backup data, and testing of backup restoration procedures to ensure their effectiveness.

Given these developments, the collective efforts of security organisations, alongside proactive measures by organisations, are critical in mitigating the risk posed by the Cactus ransomware group and similar threats.


Read more »
malware
Credential Darknet Data Theft Kaspersky malware

Rise In Cybercrime: Dark Web Fueling Credential Attacks

 


In an unsettling situation, cybercriminals are increasingly turning to credential theft as a lucrative business, aided by the rise of infostealer malware attacks. Over the past three years, these threat actors have capitalised on the opportunity, compromising millions of personal and corporate devices globally.

The Rise of Infostealer Malware

According to cybersecurity experts at Kaspersky, infostealer malware attacks have surged sevenfold in recent years, with over 10 million devices compromised in 2022 alone. These sophisticated attacks enable hackers to silently collect login credentials and sensitive data from devices, posing a significant cybersecurity threat.

The Lucrative Market for Stolen Credentials

The value of corporate credentials in the cybercrime market has soared, leading to a 643% increase in data theft attacks. Cybercriminals act as initial access brokers, stealing corporate credentials and selling them on dark web forums for substantial profits. Kaspersky researchers highlight various sales models, with prices starting at $10 per log file.

Emerging Dark Web Hubs

Darknet markets have become key enablers of cybercrime, facilitating the sale of stolen credentials and victim profiles to cybercriminal groups. Following the takedown of Genesis Market, new hubs like Kraken Market and DNM Aggregator have emerged, offering seamless payment options via crypto processors.

Regional Impact

Regions like the Asia-Pacific and Latin America have been particularly affected by credential stealing attacks, with millions of credentials stolen from countries like Brazil, India, Colombia, and Vietnam. In Australia, compromised credentials accounted for the majority of cybersecurity incidents, with compromised or stolen credentials implicated in 56% of all incidents.

The Role of Initial Access Brokers

The number of initial access brokers (IABs) operating worldwide has risen significantly, with the APAC region experiencing a particularly sharp increase. These brokers play a critical role in fueling cybercrime operations, selling access to corporate networks and facilitating activities like ransomware attacks.

Despite the perception of cyberattacks as complex operations, the reality is that many exploit the simplicity of credential vulnerabilities. According to the Cybersecurity and Infrastructure Security Agency (CISA), over half of government and critical infrastructure attacks leverage valid credentials, with stolen credentials implicated in 86% of breaches involving web-based platforms. Credential stuffing, a technique where attackers use stolen usernames and passwords on various websites, has become increasingly popular due to individuals' tendency to reuse login information for convenience. 

With cybercriminals exploiting vulnerabilities in corporate and personal networks, organisations and individuals must remain a step ahead to protect against this pervasive threat.




Read more »
Singapore
Cyber Crime Cyber Safety CyberCriminal data security Data Stolen Data Theft Database Breach Hacker attack KYC Singapore

Cybercriminals Threaten Release of Stolen World-Check Database, Exposing Millions to Financial Risk

 

A financially motivated criminal hacking group, self-identified as GhostR, has claimed responsibility for the theft of a confidential database containing millions of records from the renowned World-Check screening database. The stolen data, totaling 5.3 million records, includes sensitive information used by companies for screening potential customers and assessing their links to sanctions and financial crime.
 
World-Check, a vital tool for conducting "know your customer" (KYC) checks, enables companies to identify high-risk individuals with potential ties to money laundering, government sanctions, or other illicit activities. The hackers disclosed that they obtained the data from a Singapore-based firm with access to the World-Check database, though the specific company remains unnamed. 

A portion of the stolen data encompasses individuals sanctioned as recently as this year. The compromised records include details of current and former government officials, diplomats, politically exposed persons (PEPs), individuals associated with organized crime, suspected terrorists, intelligence operatives, and even a European spyware vendor. These individuals are deemed high-risk for involvement in corruption, bribery, or other illicit activities. 

The stolen data comprises a wealth of sensitive information, including names, passport numbers, Social Security numbers, online cryptocurrency account identifiers, bank account numbers, and more. Such a breach poses significant risks, as it could potentially expose innocent individuals to unwarranted scrutiny and financial harm. 

Simon Henrick, a spokesperson for the London Stock Exchange Group (LSEG), which oversees World-Check, clarified that the breach did not originate from LSEG's systems but involved a third party's data set. While LSEG did not disclose the identity of the third-party company, they emphasized their commitment to collaborating with the affected party to safeguard data integrity and notify relevant authorities. 

Privately operated databases like World-Check are not immune to errors, raising concerns about the accuracy and fairness of their content. Past incidents, such as the 2016 leak of an older World-Check database, underscore the potential repercussions of erroneous data, including wrongful accusations and financial repercussions for innocent individuals. 

The breach highlights the critical need for enhanced cybersecurity measures and regulatory oversight to protect sensitive personal information and mitigate the risks associated with data breaches. As investigations into the incident continue, stakeholders must prioritize transparency, accountability, and proactive measures to prevent future breaches and safeguard consumer data privacy.
Read more »
Privnote
Cryptocurrency Breach Data Breach Data Theft malicious phishing Privnote

Privnote Secure Messaging App Is Under Phishing Threat

 

Privnote.com, launched in 2008, revolutionized secure messaging with its encryption technology. It allows users to send messages with a unique link, ensuring privacy as the content self-destructs after reading. However, its popularity among cryptocurrency enthusiasts also drew the attention of malicious actors who engaged in phishing activities. 

Phishers exploit Privnote's model by creating clones, such as privnote[.]co, that mimic its functionality. These clones surreptitiously replace cryptocurrency addresses when users create notes containing crypto wallets. Thus, unsuspecting users fall victim to sending funds to the phisher's address instead of the intended recipient. 

GitHub user, fory66399, lodged a complaint last month against MetaMask, a cryptocurrency wallet, alleging wrongful flagging of privnote[.]co as malicious. Threatening legal action, fory66399 demanded evidence and compensation. However, MetaMask's lead product manager, Taylor Monahan, swiftly debunked these claims by providing screenshots showing the fraudulent activities of privnote[.]co. 

According to DomainTools.com, the domain privatenote[.]io has changed hands between two individuals: Andrey Sokol from Moscow and Alexandr Ermakov from Kiev, over two years. While these names may not be the real identities of the scammers, they provide clues to other sites targeting Privnote since 2020. 

Furthermore, Alexandr Ermakov is linked to several other domains, including pirvnota[.]com, privatemessage[.]net, privatenote[.]io, and tornote[.]io, as per DomainTools. This suggests a potential network of fraudulent activities associated with Privnote, emphasizing the need for caution in identifying phishing attempts. 

Let’s Understand Suspicious Activities on Privnote: 

Domain Registrations: The domain pirvnota[.]com saw a change in registration details from Andrey Sokol to "BPW" and "Tambov district" as the registrant's state/province. This led to the discovery of pirwnote[.]com, along with other suspicious domains like privnode[.]com, privnate[.]com, and prevnóte[.]com, all linking to the same internet address. Interestingly, pirwnote[.]com is now selling security cameras from a Hong Kong-based internet address. 

Deceptive Legitimacy: Tornote[.]io appears to have undergone efforts to establish credibility. A Medium account has published numerous blog posts endorsing Tornote as a secure messaging service. However, testing reveals its malicious intent, as it also alters cryptocurrency addresses in messages. 

Search Engine Manipulation: Phishing sites manipulate search engine results to appear prominently for terms like "privnote." Currently, a Google search for "privnote" lists tornote[.]io as the fifth result. These sites rotate cryptocurrency addresses every five days to evade detection. 

According to the Privnote website, it is a web-based service focused on privacy, allowing users to create encrypted notes shared via unique one-time-use HTTPS links. Notes and their contents are processed securely in users' browsers, with no readable data stored on Privnote's servers. 

IP addresses are processed solely for communication and promptly deleted thereafter. Personal data within notes remains encrypted and inaccessible to Privnote. The service uses cookies for functional and non-functional purposes, respecting user privacy preferences. Privnote does not target children under 16 and commits to regularly updating its Privacy Policy.
Read more »
Waterfall Security
Data Breach Data Theft IoT IT OT Ransomware Waterfall Security

Rise of Hacktivist Groups Targeting OT Systems

Recent research from Waterfall Security Solutions has revealed important insights into the changing nature of cyberattacks on Operational Technology (OT) organizations. One key finding is the rise of hacktivist groups as major players in targeting OT systems. 

Additionally, the study emphasizes that most disruptions in OT environments do not occur directly through manipulation of OT systems but rather as a result of IT-based attacks, particularly ransomware incidents. In simpler terms, hackers are increasingly using ransomware to disrupt OT operations, and these disruptions are causing significant problems for OT organizations. 

Let’s Understand Operational Technology 

Operational Technology (OT) involves using both hardware and software to control industrial equipment, focusing on how it interacts with the physical world. This includes systems like programmable logic controllers (PLCs), distributed control systems (DCSs), and supervisory control and data acquisition (SCADA) systems. 

OT environments are responsible for overseeing and managing real-world processes in industries like manufacturing, energy, healthcare, building management, and environmental systems. 

Differences Between OT, IT, and IOT 

The blending of Operational Technology (OT) and Information Technology (IT) is changing industries in the era of the Internet of Things (IoT). OT deals with managing physical equipment, while IT deals with data systems. IoT connects ordinary objects to the internet, allowing smooth communication and automation. This merging presents fresh chances for making processes more efficient and fostering innovation in various fields. 

Following the report, it highlights a worrying trend a nearly 20% rise in cyberattacks causing physical consequences. 

As per report, last year, cyber incidents inflicted hefty financial blows on companies like Johnson Controls and Clorox, racking up costs of approximately $27 million and $49 million, respectively. In Massachusetts, MKS Instruments faced a staggering $200 million loss due to a cyberattack that halted its operations temporarily. Moreover, its supplier, Applied Materials Inc. based in California, reported an additional loss of $250 million stemming from the same incident. 

Further it reveals that only about 25% of cyberattacks cause problems for operational technology (OT) but instead compromise other parts of the network infrastructure directly. Various attacks happen by compromising machines in the IT network. 

Andrew Ginter, from Waterfall, explains that companies often shut down their OT systems as a precaution when there is a risk of nearby compromised processes. For example, Hahn Group GmbH turned off its systems after an attack last March, leading to weeks of recovery work. Similarly, UK Royal Mail had printers hijacked to print ransom notes, resulting in nationwide mail export suspensions and £42 million in losses. 

Furthermore, Ginter points out if there is a problem with the IT network, it can affect the OT network and vice versa, potentially leading to disruptions in physical operations that rely on these networks.
Read more »
secure public Wi-Fi
Cyber Crime Data Theft Financial crime Online Scam secure public Wi-Fi

Public WiFi Convenience Leads to Cyber Threats, Read to Know Everything

 

Cybersecurity experts are issuing a stern warning to Scots regarding the potential dangers lurking within public WiFi networks. While the convenience of accessing the internet on the go, such as during train commutes, may seem appealing, experts emphasize the significant cybersecurity risks that accompany such practices. 

One of the primary concerns raised by cybersecurity professionals is the phenomenon known as "session hijacking." In this scenario, cybercriminals exploit vulnerabilities present in public WiFi networks to gain unauthorized access to users' devices while they are browsing online. 

Let’s Understand ‘Session Hijacking’ in Simple Words 

Session hijacking, a prevalent cybersecurity attack, occurs when an attacker gains control of an individual's internet session while they are engaged in activities such as checking their credit card balance, paying bills, or shopping online. 

Typically, session hijackers target browser or web application sessions to perpetrate their attacks. Once a session hijacking attack is successful, the attacker gains the ability to perform any action that the victim could undertake on the targeted website. Essentially, the hijacker deceives the website into believing that they are legitimate users, thereby granting them unauthorized access and control over the victim's session.  And it can lead to various cyber-crimes and financial scams. 

Do You Know What Risks Lurking in Public WiFi Networks? 

Vincent van Dijk MSc a cybersecurity expert, warns individuals about the lurking dangers within public WiFi networks, highlighting three prevalent cyber threats: 

1. Man-in-the-Middle attacks 
2.  Evil Twin attacks 
3. Malware Present in Networks 

In a Man-in-the-Middle attack, hackers infiltrate the public network, intercepting data as it travels from a connected device to the WiFi router. Vincent explains the severity of this threat, stating, "If you are engaged in online banking during such an attack, hackers can easily access your passwords and account information. Your credit card numbers, email addresses, and other personal details become vulnerable to theft." 

Evil Twin attacks present another insidious threat. When users search for a public WiFi hotspot, they may encounter a fraudulent network pretending as a legitimate one. These malicious networks often bear names strikingly similar to authentic ones, such as 'Free University Wi-Fi2' or 'Station Wi-Fi04.' Therefore, connecting to these clones exposes users to scammers, compromising their private data and leaving them susceptible to exploitation. 

Further, Vincent explains that when hackers successfully infect a network with malware, they gain the ability to distribute harmful software bugs to any device connected to it. As a cautionary measure, he advises users to exercise caution if they encounter unexpected pop-up notifications while connected to such networks. Clicking on these pop-ups could inadvertently lead to exposure to infected links, putting users' devices and sensitive information at risk. 

Following the concerns related to public WiFi, experts suggested public to use Virtual Private Networks (VPNs) and verify network authenticity while using Public Wifi. By doing so users can mitigate the risks associated with public WiFi usage, safeguarding their sensitive information from cybercriminals.
Read more »
Data Theft
APT Cyberattacks CyberCrime Cybersecurity Data Breach Data Heist Data Theft

The Great Data Heist: China's Alleged Theft of Voter Data and Its Potential Impact

 


Chinese-backed hackers allegedly targeted U.S. officials, journalists, corporations, pro-democracy activists and the United Kingdom's electoral watchdog in a comprehensive, state-backed attack on March 25, authorities announced in an announcement on March 25. The attack was aimed at targeting officials, journalists, corporations, pro-democracy activists, and the British election watchdog. 

In 2010, China launched Operation Troll to harass critics of the government, steal trade secrets from American corporations, as well as spy on and trace high-level political figures, an operation that began in 2010. Officials say the campaign began in 2010. During the last election, Western officials sounded a fresh alarm about a country long regarded as having advanced espionage capabilities when they revealed the operation, which was carried out by a hacking group called APT31. 

According to the U.S. Justice Department, seven hackers are being charged with crimes in China, and they are believed to be living there. An official announcement by the British government concerning the breach that may have provided China with access to information on tens of millions of U.K. voters held by the Electoral Commission was that a front company and two defendants had been imposed sanctions by the British government. 

U.K. Deputy Prime Minister Oliver Dowden said that hackers working for the Chinese government were responsible for the 2021 data breach at the Electoral Commission in his speech to lawmakers in Parliament on Monday. It was the first time since the cyberattack was reported in 2023 that the United Kingdom has attributed it to the Chinese government and has said it is not going to hesitate to take swift and robust actions whenever the Chinese government threatens its interest.

In his speech, Dowden said the U.K. government would not hesitate to take quick and robust action whenever the Chinese government threatened its interests. In the United Kingdom, the Electoral Commission, which keeps copies of the register of citizens eligible for voting, reported in July that hackers had taken an estimated 40 million U.K. citizens' names and addresses. There are approximately 5 million registered voters across the U.S. including all people who voted in the last 4 years.

Between 2014 and 2022, over 30 million people were affected by the data breach, but they weren't recognized until after a year had passed. As the deputy prime minister of the United Kingdom mentioned in Parliament in Downden's speech, the attack likely occurred as part of a wider threat perpetrated by government-backed groups. 

The government of New Zealand, as well as the governments of other Western countries, have also voiced their concerns. Several high-profile phishing attacks targeting German politicians that were linked to Russian-backed groups have recently been reported in the media. APT31, a Chinese-based cyberattack group, has been sanctioned in the UK as part of the government's response to the attack by responding to the involvement of two individuals, Zhao Guangzong and Ni Gaobin, and one company, Wuhan Xiaoruizhi Science and Technology Company Ltd. 

Those companies are no longer authorised to handle these funds or assets, and the individuals are not allowed to enter the country. " There is no doubt that APT31 has an impeccable track record of targeting politicians both in the US and Europe. They have targeted various political campaigns, parliamentarians, and other targets to gain insight into the landscape," said John Hultquist, Chief Analyst of Mandiant Intelligence - Google Cloud. APT31 has been identified as a threat targeting British lawmakers during a separate campaign in 2021, the National Cyber Security Centre said, even though no parliamentary accounts were compromised, a reconnaissance activity was conducted against the lawmakers during that campaign. 

The British Foreign Secretary, David Cameron, made a formal request for the Chinese ambassador to be summoned, and he said in a separate statement that he raised the matter directly with the Chinese Foreign Minister, Wang Yi. It is clear from the episode that for the UK, this represents an increasing level of tension that has been growing since Hong Kong passed security legislation that the UK says undermines freedom in Hong Kong. Moreover, this violated the handover agreement signed by the two countries when Beijing took over the governance of the territory in 1997.z
Read more »
User Safety
Data Breach Data Theft Footwear Firm User Privacy User Safety

Vans Warns Consumers of Fraudsters Following ALPHV Data Breach

 

Vans customers have been alerted to the possibility of fraud or identity theft as a result of an ALPHV data breach at the parent firm. 

Vans claims that in December 2023, VF Group discovered "unauthorised activities" on a section of its IT systems. It also claimed that no passwords or detailed financial data were stolen.

However, it also stated that "it cannot be excluded" and that attackers may try to make use of the customer data they had taken hold of. The North Face, Dickies, Timberland, and other brands are owned by VF Group.

In an email to its customers, Vans stated that the data breach was discovered by VF Group on December 13 and was "apparently carried out by external threat actors."

The firm says it "immediately took steps" to address the threat, which included shutting down affected IT systems and hiring cybersecurity experts. By 15 December, it says, the hackers were ejected. 

"Our investigation revealed that the incident has affected some personal information of our customers that we normally store and process in order to manage online purchases, such as email address, full name, phone number, billing address, and shipping address," the email reads. 

However, it stated that the company did not "collect or retain" payment or financial data, such as bank account or credit card information, therefore there was "no chance that any detailed financial information was exposed to the threat actors." 

It said that no customers had been affected as of yet, but warned that the issue "may result in attempts at identity theft, phishing, and possibly fraud in general." 

It has warned users to be wary of unfamiliar emails, texts, and phone calls seeking personal information. Vans says it has informed the relevant law enforcement agencies and will evaluate its cybersecurity protocols.
Read more »
Proofprint
Black Basta Ransomware Cyber Attacks CyberCrime Data Theft Email Phishing Email scam email security Hacekrs NTLM Proofprint

New Email Scam Targets NTLM Hashes in Covert Data Theft Operation

 


TA577 has been identified as a notorious threat actor who orchestrated a sophisticated phishing campaign, according to researchers at security firm Proofpoint. Currently, the group is utilizing a new method of phishing involving ZIP archive attachments. This tactic is geared towards pilfering the hash data of NT LAN Manager (NTLM) users.

According to our investigation, this group is utilizing a chain of attacks aimed at stealing authentication information from the NT LAN Manager (NTLM) system. It would be possible to exploit this method for obtaining sensitive data and facilitating further malicious activity if this method were to be exploited. 

By using booby-trapped email attachments containing booby-trapped NTLM hashes to steal employees' NTLM hashes, a threat actor that is known for establishing initial access to organizations' computer systems and networks is using these attachments to steal employees’ hashes. Earlier this week, enterprise security firm Proofpoint published a report that suggested that the new attack chain "is capable of gathering sensitive information and facilitating follow-on activities." 

As reported by the company, at least two phishing campaigns have utilized this approach since February 26, 2024, when thousands of messages were distributed worldwide and hundreds of organizations were targeted. As an initial access broker (IAB), TA577 has previously been associated with Qbot and has been linked to Black Basta ransomware infections. 

The phishing waves spread thousands of messages around the world and targeted hundreds of organizations. The email security company Proofpoint reported today that although it has seen TA577 favouring Pikabot deployment in recent months, two recent attacks indicate that TA577 has taken a different approach to the attack. 

A group called TA578, which has been linked with the Qbot malware campaign and the Black Basta ransomware campaign, is one of the first access brokers. Recently, it has demonstrated an increasing interest in exploiting authentication protocols despite its previous inclination toward deploying Pikabot malware. 

NTLM hashes are a cornerstone of the security of Windows systems for authentication and session management. Attackers are extremely interested in these hashes as they are potentially useful in offline password cracking and in pass-the-hash attacks, which do not require actual passwords to gain access to services but instead use hashes as shortcuts. 

A technique known as thread hijacking, by which the attackers craft phishing emails that seem like legitimate follow-up emails to ongoing conversations, is used by the attackers. There is a malicious external server that is used to capture NTLM hashes, as these emails contain personalized ZIP files with HTML documents. When opened, these malicious servers start connecting to a malicious external server that has been set up specifically to capture these hashes. 

TA577 likely has the resources, time, and experience to iterate and test new delivery methods at the rate at which it adopts and distributes new tactics, techniques, and procedures (TTPs). TA577, along with other IABs, seems to be on top of the threat landscape and understands when and why certain attack chains cease to be effective. 

To increase the effectiveness and likelihood of victim engagement with their payload delivery and bypass detections, they will be able to create new methods to bypass detections and make use of them as quickly as possible. Researchers at Proofpoint have also noticed an increase in the use of file scheme URIs to direct recipients to external file shares such as SMB and WebDAV for the delivery of malware. To prevent exploits identified in this campaign, organizations should block outbound SMBs to prevent these sophisticated attacks. 

While restricting guest access to SMB servers is a simple security measure, it falls short of preventing these sophisticated attacks. The company advises that strict email filtering be implemented, outbound SMB connections should not be allowed, and Windows group policies should be activated to minimize the risk. 

To combat these types of NTLM-based threats effectively, Microsoft has introduced advanced security features into Windows 11 to help users. It is important to maintain constant vigilance and take strong security measures to prevent phishing attacks targeting the NTLM authentication protocol. For organizations to remain safe from sophisticated cybercriminal endeavours, they must stay abreast of emerging threats and adjust their defences to keep up with the rapidly evolving threats.
Read more »
Subscribe to: Posts (Atom)