Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Hacking Group. Show all posts
Hacking Group
Canada Cyber Attacks Cyber Breach Digital Security Challenges education sector Education Sector Cybersecurity Hacker attack Hacking Group

ShinyHunters Cyberattack Disrupts Canvas Platform Across Universities and Schools

 

This week, a significant digital breach affected educational institutions throughout the United States, Canada, and Australia. The incident followed claims by the hacking collective ShinyHunters. Their target: Canvas, a commonly adopted online learning system. Despite its widespread use, the platform proved vulnerable. 

Though details remain partial, reports confirm active exploitation of security gaps. While some schools shifted to offline methods, others delayed classes. Because of the reach of the network, effects spread quickly. Since access was blocked at peak hours, confusion grew early. Not every region reported identical issues - some experienced minor delays instead. Even so, trust in ed-tech infrastructure has taken a hit. 

As investigations continue, officials are reviewing how data was exposed. Midway through the year’s final academic stretch, a cyberattack triggered broad system failures across roughly 9,000 schools globally. Coursework uploads faltered, exam access vanished, lectures disappeared, grading stalled - student work ground to a halt. Though Instructure owns the platform, control slipped when services went down; officials acknowledged the breach soon after. 

Recovery came slowly - Canvas returned for many, yet pockets of disruption lingered on campuses far apart. Midway through tests, alerts flashed unexpectedly - spreading uncertainty among test takers and instructors at multiple campuses. Because of the interference, assessments set for Friday at Mississippi State University got delayed without prior notice. Screens displayed warnings stating “ShinyHunters has breached Instructure (again),” followed by demands for cryptocurrency transfers to prevent data leaks. 

Some learners recalled frozen systems right when submitting answers. Though officials confirmed the incident, details remained limited throughout the afternoon. By evening, investigations had begun while backups were reviewed quietly behind closed doors. After finishing their long exam essays, one student - Aubrey Palmer - noticed the ransom note pop up. When doubts emerged about whether files were actually saved, stress began spreading through the group. 

Some felt upset right away, others grew uneasy only later. Midterms approached fast when campuses started alerting students about sudden changes. Following technical issues, Sydney advised against accessing Canvas until further details arrived from Instructure. With finals looming, the timing of the outage posed serious challenges. Though routine disruptions happen now and then, this one struck during peak assessment periods.  

Among those impacted were Penn State University, Idaho State University, the University of British Columbia, the University of Toronto, UCLA, and the University of Chicago. With IT departments reviewing how far the breach reached, some campuses postponed exams - others called them off entirely. Later on campus, Jacques Abou-Rizk noticed something off after opening an email link - he saw a message that seemed tied to a demand for payment. 

Though the note mimicked one from school staff, officials clarified they were already tracking the event. Despite initial concerns, leaders emphasized no additional platforms showed signs of intrusion. Cybersecurity analysts pointed to screenshots suggesting the attacks might have started several days before the public alerts, as seen in timed demands delivered to targeted organizations. 

While ransom discussions could still be happening behind the scenes, the hacker collective hasn’t revealed its next steps regarding the data it claims to possess. Besides earlier cases, another breach now ties back to ShinyHunters - a group already connected to several prominent corporate intrusions. While details differ, patterns point to similar tactics used before across large-scale data compromises. 

Surprisingly, the widespread outage sparked fresh worries over how ready schools really are when it comes to digital safety. At nearly the same time, officials like Senator Chuck Schumer began pushing for tougher nationwide protection - especially since artificial intelligence-driven attacks and online ransom schemes keep growing across countries.
Read more »
leaked sensitive data
Customer Data Data Breach Data Leak Data protection data security Hacking Attack Hacking Group leaked sensitive data

ShinyHunters Vimeo Data Breach Exposes Information of Over 119,000 Users

 

Early this year, Vimeo faced a security incident leading to the theft of personal details tied to over 119,000 people by the ShinyHunters hacking collective. Information on the leak became known via Have I Been Pwned, a service tracking compromised accounts, after examining the exposed records. 

Late last month, Vimeo revealed a security issue affecting its systems. The platform, known for hosting and streaming videos globally, serves many millions of active users. Access by unknown parties came via a flaw tied to Anodot. This firm provides tools that spot irregularities in data flows. Its technology connects directly into parts of Vimeo’s infrastructure. 

The event marks one point where external partnerships introduced risk. Details emerged only after internal reviews concluded. One thing became clear: the entry did not stem from inside Vimeo's own network. Instead, it traced back to how outside services link up. Security teams now examine how third-party integrations affect overall protection levels. 

Surprisingly, early reports showed hackers obtained technical data, video metadata, and titles - sometimes even user emails. Despite the breach, payment information, account passwords, and live session tokens stayed secure, according to internal confirmation. Throughout the event, Vimeo’s main system kept running smoothly, maintaining full service availability. Unexpectedly, operations continued without noticeable interference. 

Right away, Vimeo shut down every login linked to Anodeto stop any more unwanted entry once the break-in came to light. Instead of handling things alone, outside cyber experts joined to support the inquiry. At the same time, officials responsible for enforcing laws got word about what happened. Later, even so, the hackers released a huge 106GB collection of stolen files online when talks reportedly broke down. 

That data appeared on a hidden website used by the ShinyHunters crew, who stated weak login credentials tied to Anodot opened doors unexpectedly. From there, they moved into Vimeo's storage platforms - Snowflake and BigQuery - with little resistance. Some 119,200 individuals had their email addresses disclosed, along with names in certain instances, based on findings from Have I Been Pwned after reviewing the leaked data. 

Though the breach details have circulated, Vimeo hasn’t officially verified how many accounts were impacted. Inside these breaches, access began through deceptive emails or fake support calls tricking staff. Not long ago, compromised logins gave hackers entry to identity tools like Okta and Microsoft Entra. From there, movement spread toward customer relationship software, team messaging apps, file storage, design programs, help desks, and workplace productivity suites. Cloud infrastructure and subscription-based tech now draw more attention than before. 

Breach attempts often follow weak points in unified login setups across company networks. Though main networks stay secure, outside providers sometimes open doors hackers exploit. A breach in one connected service might unlock several company areas at once. Experts observe rising incidents targeting cloud logins and partner tools for this reason. Instead of attacking central defenses, intruders shift focus to these links. Sensitive client data ends up at risk even if primary infrastructure holds firm.  

Recently, ShinyHunters took credit for hacks spanning education, retail, health care, gaming, and government bodies. Vimeo's situation shows third-party links still pose steady threats to big digital services managing vast user information. Despite different targets, weak outside connections often open doors. One breach can ripple through many layers unexpectedly.
Read more »
us marines
Data Breach Hacking Group Handala hackers Iranian hackers MOIS us marines

U.S. Marines Reportedly Targeted by Iranian-Linked Hackers in New Data Exposure Incident

 



Iran-linked hacking group Handala has allegedly leaked personal information belonging to thousands of U.S. Marines deployed across the Persian Gulf region, shortly after American military personnel in the Middle East began receiving threatening messages from the group.

According to posts published on Handala’s website, the hackers claim to have released the names and phone numbers of 2,379 U.S. Marines as proof of what they described as their “intelligence superiority.” The group further claimed that the exposed information represents only a small sample from a much larger collection of data allegedly tied to American military personnel stationed in the region.

Handala asserted that it possesses additional details related to military members and their families, including home addresses, movement patterns, military base affiliations, commuting routines, shopping behavior, and other personal activities. These claims have not been independently verified by U.S. authorities.

The alleged leak surfaced days after several U.S. service members reportedly received threatening WhatsApp messages warning that they were under surveillance. The messages referenced Iranian drone and missile systems and attempted to intimidate military personnel by claiming their identities and movements were being tracked. Similar threatening communications believed to be linked to Handala were also reportedly sent to civilians in Israel earlier this week, suggesting a broader psychological and cyber influence campaign connected to escalating tensions in the Middle East.

Since the regional conflict involving Iran, Israel, and the United States intensified earlier this year, Handala has repeatedly claimed responsibility for several high-profile cyber incidents. Last month, the group allegedly leaked hundreds of emails said to have originated from the personal Gmail account of Kash Patel. The hackers have also been linked to a cyberattack targeting medical technology company Stryker, an operation that reportedly resulted in data being erased from tens of thousands of employee devices globally.

However, questions remain regarding the authenticity and quality of the newly leaked Marine data. An analysis of the published sample reportedly identified multiple inconsistencies, including incomplete phone numbers and entries that appeared to contain military contract identifiers rather than personal names. Several listed numbers reportedly connected only to automated voicemail systems.

In a limited number of cases, voicemail names reportedly matched information included in the leak. One individual contacted by reporters allegedly confirmed their identity before ending the call, while others declined to comment or redirected inquiries to military public affairs officials.

U.S. Central Command referred media questions regarding the incident to the Naval Criminal Investigative Service, which had not publicly commented on the matter at the time of reporting.

The incident comes amid growing concerns over cyber-enabled psychological operations targeting military personnel and their families. Earlier this month, Navy Secretary John Phelan urged sailors to strengthen the security of their mobile devices and social media accounts amid concerns over phishing attacks and malicious online activity. In an internal warning, he noted that threat actors may attempt to manipulate military personnel into opening harmful files or clicking malicious links designed to compromise personal accounts and devices.

Handala publicly portrays itself as a pro-Palestinian hacktivist organization. However, multiple cybersecurity firms and recent assessments from the U.S. Department of Justice have alleged that the group operates as a front tied to Iran’s Ministry of Intelligence and Security (MOIS).

Cybersecurity experts note that modern cyber campaigns increasingly combine data leaks, online intimidation, and misinformation tactics to create psychological pressure rather than relying solely on technical disruption. Analysts also caution that hacker groups sometimes exaggerate the scale or sensitivity of stolen data to amplify fear and media attention.

Although U.S. authorities have previously seized domains associated with Handala, the group continues to remain active by turning to new websites and communication platforms, including Telegram, allowing it to sustain its cyber and propaganda operations online.

Read more »
Hacking Group
Cyber Attacks Cyber Outage Digital Learning E-learning Facebook Canvas Hacker attack Hacking Group

Canvas Learning Platform Outage Disrupts Universities After ShinyHunters Cyberattack

 

Midday classes hit pause when Canvas went offline nationwide following a security alert that triggered emergency repairs. Though the issue began in Texas, ripple effects reached campuses far outside, cutting off vital links to homework and recorded lectures. When servers dropped, so did access - assignments vanished from view, gradebooks locked tight. Some professors switched to paper handouts; others postponed deadlines without warning. 

By evening, partial functions returned, though glitches lingered like static on a radio. Not every login worked smoothly, leaving doubts about full recovery. Reports suggest a connection between the incident and ShinyHunters, a hacking collective lately seen exploiting cloud systems by leveraging weak points in external service providers. Though details remain limited, evidence traces back to prior attacks where stolen information was used as leverage against corporate networks. 

Instead of relying on brute force, the group often manipulates access flaws within shared digital environments. While some breaches go unnoticed at first, forensic analysis later reveals patterns matching earlier intrusions tied to similar tactics. Later came confirmation from Instructure - Canvas's developer - that the platform had entered temporary maintenance mode after the event unfolded. Though restoration of service remained possible, according to officials, institutions using the system faced urgent hurdles just when course activities demanded stability. 

Despite assurances, timing turned problematic for schools depending heavily on seamless access at a pivotal point in the term. Midway through the week, campuses like Southern Methodist University felt the strain as systems went offline. Not far behind, the University of North Texas System faced similar disruptions, slowing down daily functions. At Baylor University, staff worked under pressure - rescheduling classes became a priority. Meanwhile, Tarrant County College saw delays ripple across departments. With email and portals unreliable, instructors adapted on the fly while leadership tried to reconnect threads. 

Because updates lagged, many waited hours just to confirm basic plans. Final exams set for Friday at Southern Methodist University got pushed to Sunday after a widespread system failure left services down. Because of the same national disruption, Baylor University rescheduled its tests too, alerting learners that interruptions might stretch on without clear timing. Officials admitted they lacked answers about how long things would stay broken - access may return in hours or drag into multiple days. 

Across town, the University of North Texas System cut off broad access to Canvas until faculty and tech experts figured out next steps for ongoing classes, scores, and year-end tests. Farther south, Tarrant County College acknowledged its digital crews were checking the breach, watching for ripples among learners and workers alike. Unexpected outages reveal how tightly schools now rely on centralised online learning systems. 

Not only do tools such as Canvas support daily teaching tasks, but they also handle submission tracking, feedback cycles, and course materials distribution. Should access fail, functions stall - particularly under pressure, like mid-semester assessments. Interruptions expose fragile infrastructure beneath routine digital workflows. What stands out is how this event ties into a wider pattern - cyber gangs increasingly going after schools and companies that run online platforms. 

Though they hold vast collections of student records and private details, many learning organizations lack strong digital defenses. Because of these gaps, threat actors see them as easier wins when chasing ransom payments. Still probing the incident, campuses now shift toward regular classes - though officials stay alert for leaked data. This disruption highlights once more that when hackers strike common online systems, ripple effects hit countless people at many schools all at once.
Read more »
Hacking Group
Cyber Security Ransomware Attacks Data Breach Data Leak Data protection data security Hacker attack Hacking Group

ShinyHunters Targets McGraw Hill In Salesforce Data Leak Dispute Over Breach Scope

 

A breach at McGraw Hill came to light when details appeared on a leak page run by ShinyHunters, a hacking collective now seeking payment. Appearing online without warning, the listing suggested sensitive data had been taken. The firm acknowledged something went wrong only after outsiders pointed to the published claims. Instead of silence, there followed a brief statement - no elaborate explanations, just confirmation. What exactly was accessed remains partly unclear, though the criminals promise more leaks if demands go unmet. Their method? Take data first, then pressure victims publicly through exposure. 

Though the collective says it pulled around 45 million records from Salesforce setups, McGraw Hill challenges how serious the incident really was. A flaw in a cloud-based Salesforce setup - misconfigured, not hacked - led to what occurred, according to the company. Public release looms unless money changes hands by their stated date. Not a breach of core infrastructure, they clarify. Timing hinges on whether terms get fulfilled. What surfaced came via access error, not forced entry. 

Later came confirmation from the firm: only minor data sat exposed through a public page tied to Salesforce. Not part of deeper networks - systems handling daily operations stayed untouched. Customer records? Still secure. Educational material platforms? Unreached. Personal identifiers like income traces or school files showed no signs of exposure. The breach never reached those layers. A single weak link elsewhere might open doors wider than expected. Problems often start outside core networks, hidden in connected tools. 

One misstep in setup could ripple across several teams relying on Salesforce. When outside systems slip, sensitive details sometimes follow. Security gaps far from the main system still carry risk close to home. What seems distant can quickly become immediate. Even with those reassurances, ShinyHunters insists the breached records include personal details - setting their version against the firm’s own review. Contradictions like this often surface when attacks aim to extort, as hackers sometimes inflate what they took to push targets into responding. 

Now operating at a steady pace, ShinyHunters stands out within the underground scene by focusing less on locking files and more on quietly siphoning information. Instead of scrambling networks, they pressure victims using material already taken - payment demands follow exposure threats. Their name surfaced after breaches hit well-known companies, where leaked datasets served as leverage. Rather than causing immediate downtime, their power lies in what could be revealed. 

What stands out lately is how this group exploited a security gap at Anodet, an analytics company, gaining entry through leaked access tokens aimed squarely at cloud-based data systems. Alongside that incident came the public drop of massive corporate datasets - another sign their main goal remains pulling vast amounts of information from high-profile targets. Among recent breaches, the one involving McGraw Hill stands out - not because of its scale, but due to how it reveals weaknesses hidden within standard cloud setups. 

Instead of breaking through strong defenses, hackers often slip in via small errors made during setup steps handled by outside teams. What makes this case notable is less about immediate damage, more about what follows: sensitive information pulled quietly into unauthorized hands. While systems keep running without interruption, stolen data becomes the weapon - threatening public release unless demands are met. 

Over time, such tactics have shifted the focus of digital attacks away from crashes toward silent leaks. With probes still underway, one thing becomes clear: oversight of outside connections matters more now than ever. When digital intruders challenge what companies say, credibility hinges on openness. Tight rules around setup adjustments help reduce weak spots. How firms handle disclosures can shape public trust just as much as technical fixes. Clarity during crises often separates measured responses from confusion.
Read more »
Hacking Group
Amazon Cloud Cloud Defense Cloud Device Cyber Campaigns Cyber Security GRU Hacking Attack Hacking Group

Amazon Links Five-Year Cloud Cyber Campaign to Russia’s Sandworm Group

 

Amazon is talking about a hacking problem that has been going on for a long time. This problem was targeting customers who use cloud services in countries. Amazon says that a group called Sandworm, which is linked to Russias intelligence is behind this hacking. Amazons team that looks at threats found out that this hacking has been happening for five years. The hackers were looking for weaknesses in how customers set up their devices than trying to find problems with the software. They were exploiting these weaknesses to get into customer environments. 

Amazon and the customers were using cloud services. The hackers were targeting these cloud-connected environments. The hacking group Sandworm is the one that Amazon says is responsible, for this activity. The people at Amazon looked at this problem in December. Amazons chief information security officer, CJ Moses said that this is a change in how some groups try to get into important systems. CJ Moses said that these groups are not trying to get in by using software that has not been updated. 

Instead they are looking at devices that are connected to the cloud and are not set up correctly. These devices are how they get into the organizations they are trying to attack. CJ Moses and the people, at Amazon think that this is a way that state-sponsored actors are trying to get into critical infrastructure. The devices that are connected to the cloud are the way that these actors get into the systems they are trying to attack. 

The cyberattacks were different from others. The systems that were compromised were not old or missing security updates. The people who did the attack found problems with the equipment that helps connect things, like gateways and devices that sit at the edge of networks. These devices had been set up incorrectly by the customers who used them. This equipment is usually between the networks of a company and the cloud services they use outside. 

So it gave the attackers a way to get into the rest of the system without needing to find brand weaknesses or use very complicated bad software at the start. The attackers used these edge devices as a kind of bridge to get into the system. They were able to do this because the devices were not set up correctly by the customers. The cyberattacks were able to happen because of this mistake. It made it easier for the attackers to get into the system. The compromised systems, including the routing equipment and gateways were the key, to the attack. 

The bad people got into the system. They were able to get important information like passwords. Then they were able to move to different cloud services and the internal system. Amazon looked at this. They think that the bad people were able to hide what they were doing by making it look like normal activity on the network. This made it harder to catch them. The bad people used passwords and normal paths, on the network so they did not trip any alarms. This meant that the security people did not notice them because they were not doing anything that seemed out of the ordinary. 

The Sandworm activity was seen times over a few years with signs of it going back to at least 2021. The people behind this campaign were going after targets all around the world. They were especially interested in organizations that do important work like those that deal with critical infrastructure. Amazon found out that the people behind the Sandworm activity were really focused on energy companies, in North America and Europe. This shows that the Sandworm activity was a thoughtful and planned operation and that is what makes it so serious the Sandworm activity is a big deal. 

Security specialists looked at the results. They think this is part of a bigger pattern with advanced threat actors. What is happening is that people are taking advantage of mistakes in how thingsre set up rather than looking for things that need to be updated. As organizations start to use hybrid and cloud-based systems this is becoming a bigger problem. Even people who are very good at IT can miss mistakes in how thingsre set up and this can leave them open, to attacks all the time. Security specialists and these advanced threat actors know that they can take advantage of these mistakes without setting off the warnings that something is wrong. 

Advanced threat actors are using these mistakes to get in. Amazons disclosure is a warning that having cloud security is not just about doing the usual updates. Companies that use cloud and hybrid environments for work need to do more. They need to make sure everything is set up correctly always check for problems with devices that are connected to the internet and limit who can get into the system. These things are very important, for security. Amazons cloud security is an example of this. Cloud security requires a lot of work to keep it safe. 

In a separate disclosure, Amazon also acknowledged detecting attempts by North Korean operators to conduct large-scale cyber activity, though this was unrelated to the Sandworm campaign. The company later clarified that the Russian-linked operation targeted customer-managed devices hosted on AWS rather than Amazon’s own infrastructure, and that the activity represented sustained targeting over several years rather than uninterrupted access.
Read more »
Ransomwares
Cyber Attacks Data Leak data security Data Theft DragonForce DragonForce Ransomware Group Hacker attack Hacking Group Ransomware attack Ransomware group Ransomwares

Belk Hit by Ransomware Attack as DragonForce Claims Responsibility for Data Breach

 

The department store chain Belk recently became the target of a ransomware attack, with the hacking group DragonForce taking responsibility for the breach. The cybercriminals claim to have stolen 156 GB of sensitive data from the company’s systems in early May. 

JP Castellanos, Director of Threat Intelligence at cybersecurity firm Binary Defense, stated with high confidence that DragonForce is indeed behind the incident. The company, based in Ohio, specializes in threat detection and digital forensics. During an investigation of dark web forums on behalf of The Charlotte Observer, Castellanos found that DragonForce had shared samples of the stolen data online. 

In a message directed at Belk, the group stated that its original aim wasn’t to damage the company but to push it into acknowledging its cybersecurity failures. DragonForce claims Belk declined to meet ransom demands, which ultimately led to the data being leaked, affecting numerous individuals. 

Following the breach, Belk has been named in multiple lawsuits. The complaints allege that the company not only failed to protect sensitive personal information but also delayed disclosing the breach to the public. Information accessed by the attackers included names, Social Security numbers, and internal documentation related to employees and their families. 

The cyberattack reportedly caused a complete systems shutdown across Belk locations between May 7 and May 11. According to a formal notice submitted to North Carolina’s Attorney General, the breach was discovered on May 8 and disclosed on June 4. The total number of affected individuals was 586, including 133 residents of North Carolina. 

The stolen files contained private details such as account numbers, driver’s license data, passport information, and medical records. Belk responded by initiating a full-scale investigation, collaborating with law enforcement, and enhancing their digital security defenses. On June 5, Belk began notifying those impacted by the attack, offering one year of free identity protection services. These services include credit and dark web monitoring, as well as identity restoration and insurance coverage worth up to $1 million. 

Despite these actions, Belk has yet to issue a public statement or respond to ongoing media inquiries. DragonForce, identified by experts as a hacktivist collective, typically exploits system vulnerabilities to lock down company networks, then demands cryptocurrency payments. If the demands go unmet, the stolen data is often leaked or sold. 

In Belk’s case, the group did not list a price for the compromised data. Castellanos advised anyone who has shopped at Belk to enroll in credit monitoring as a precaution. Belk, which was acquired by Sycamore Partners in 2015, has been working through financial challenges in recent years, including a short-lived bankruptcy filing in 2021. 

The retailer, now operating nearly 300 stores across 16 southeastern U.S. states, continues to rebuild its financial footing amid cybersecurity and operational pressures.
Read more »
Slack
Data Breach Data Hacking data security Disney Disney data leak Disney Slack breach Hacking Group Personal Information Sensitive data Slack

Disney Data Breach Exposes Sensitive Corporate and Personal Information

 

In July, Disney experienced a significant data breach that exposed far more than initially reported, compromising a wide array of sensitive information. While early reports focused on stolen Slack messages, it has since been revealed that the breach extended deep into the company’s critical corporate files. According to sources, hackers gained access to sensitive information, including financial projections, strategic plans, sales data, and streaming forecasts. 

The breach did not stop at corporate data. Hackers also accessed personal information of Disney Cruise Line members, including passport numbers, visa statuses, contact details, and birthplaces. In addition, data related to theme park pass sales was compromised, potentially impacting thousands of visitors. This breach has raised serious concerns about the security of personal data at Disney, one of the world’s most recognized entertainment companies. 

Initially, Disney reported that over a terabyte of data was leaked, but the full extent of the breach is still under investigation. In an August address to investors, the company acknowledged the severity of the attack, prompting questions about the cybersecurity measures in place not only at Disney but also at other major corporations. The incident has highlighted the growing need for robust and effective cybersecurity strategies to protect against increasingly sophisticated cyber threats. The hacking group Nullbulge has claimed responsibility for the attack. 

In a blog post, the group boasted of gaining access to internal data on upcoming projects as well as employee details stored in Disney’s Slack system. This claim has raised further alarms about the potential exposure of sensitive company plans and employee information. When asked to comment on the specifics of the breach, Disney declined to provide details. A spokesperson stated, “We decline to comment on unverified information that has purportedly been obtained as a result of illegal activity.” 

This response underscores the complexity and evolving challenges that companies face in safeguarding sensitive information from cyber threats. As cyber threats become more sophisticated, this breach serves as a stark reminder of the vulnerabilities even within prominent organizations. It emphasizes the urgent need for businesses to strengthen their cybersecurity measures to protect both corporate and personal data from being compromised in an increasingly digital world.
Read more »
Windows zero-day exploit
cybersecurity threat Fudmodule malware Hacking Group Microsoft vulnerability North Korea Vulnerabilities and Exploits Windows zero-day exploit

North Korea Exploited Windows Zero-Day Vulnerability to Install Fudmodule

 

North Korea's Lazarus hacking group has once again exploited a zero-day vulnerability in Microsoft Windows to deploy malware on targeted devices. On August 13, Microsoft addressed this issue with its monthly Patch Tuesday updates, fixing a flaw in the Windows Ancillary Function Driver (Afd.sys) for WinSock, identified as CVE-2024-38193. Security experts strongly recommend applying this update promptly, as Microsoft has confirmed that the vulnerability is actively being exploited.

The flaw allows attackers to escalate system privileges through a use-after-free memory management issue, potentially granting them elevated system access, according to Rapid7. The advisory underscores the urgency of this patch, highlighting the low complexity of attacks, lack of required user interaction, and minimal privileges needed for exploitation.

The warning proved accurate, as Avast researchers Luigino Camastra and Martin Milanek, who initially discovered and reported the flaw to Microsoft in June, revealed that Lazarus had been exploiting this vulnerability before the fix was issued. Their primary aim was to install a rootkit named Fudmodule on the affected systems, utilizing the zero-day vulnerability to remain undetected by security software.

Details on the specific organizations targeted and their industries have not been disclosed. However, Lazarus is known for its focus on stealing cryptocurrency to support North Korea’s financially strained regime. The regime also uses its hacking teams to gather intelligence on Western nuclear facilities and defense systems.

This incident is part of a broader pattern of North Korean hacking activities targeting Windows drivers. In February, Microsoft patched another vulnerability, CVE-2024-21338, which Lazarus had used to gain system-level access. This flaw was in the appid.sys AppLocker driver, crucial for controlling application execution on Windows systems. Avast had previously reported this vulnerability, which was actively being exploited by Lazarus to install Fudmodule. The updated version of Fudmodule included enhancements, such as disabling antivirus protections like Microsoft Defender and CrowdStrike Falcon.

The rise of "Bring Your Own Vulnerable Driver" (BYOVD) attacks, where attackers use legitimate but vulnerable drivers to bypass security measures, has been noted. Lazarus has employed this tactic since at least October 2021, using it to infiltrate systems by loading drivers with known vulnerabilities. Other groups have also utilized similar methods, such as Sophos reporting on RansomHub's use of outdated drivers to disable endpoint detection and response tools, and deploying ransomware.

Overall, as Lazarus and similar groups continue to adapt their strategies, the need for vigilance and timely updates is crucial to protect systems from these sophisticated attacks.
Read more »
Tor Website
Cyber Security Hacking Group Ransomware Gang Threat Landscape Tor Website

LockBit is Recruiting Members of ALPHV/BlackCat and NoEscape Ransomware Outfit

 

Recruiting affiliates and developers from the troubled BlackCat/ALPHV and NoEscape ransomware operations is one of the calculated steps being taken by the LockBit ransomware group. An ideal opportunity emerged for LockBit to expand its network due to the recent disruptions and exit scams within NoEscape and BlackCat/ALPHV. 

Affiliates of NoEscape and BlackCat/ALPHV Tor organisations are in disarray due to the sudden inaccessibility of their websites, as well as reports of escape scams and ransom payments being stolen. While the exact reason of the disruptions is unknown, speculations include hardware malfunctions, internal issues, and law enforcement intervention. 

LockBitSupp, the manager of LockBit, has actively recruited affiliates on Russian-speaking hacking forums in response to the chaos surrounding BlackCat and NoEscape. LockBitSupp makes a tempting offer, stating that affiliates who have copies of stolen data can use LockBit's bargaining panel and data leak website to keep blackmailing victims. 

Additionally, LockBitSupp is trying to hire the coder who created the ALPHV encryptor. Although LockBit's relationship to the troubled ransomware gangs is still unknown, there have been reports of a victim who was BlackCat's previous target now showing up on LockBit's data leak website. 

The change emphasises how groups dealing with ransomware experience disruptions, rebranding, and sometimes even changing affiliations. The ransomware ecosystem continues to evolve, and outfits such as LockBit, by taking advantage of other people's vulnerabilities and interruptions, demonstrate the flexibility and intelligence that these nefarious activities possess.

In the always changing threat landscape, this particular situation may lead to additional rebranding and restructuring as it calls into doubt the reliability of ransomware groups such as BlackCat and NoEscape.
Read more »
Sensitive data
aerospace giant Boeing data breach CISA report Cybersecurity Data Breach Extortion Hacking Group Lockbit cybercrime Online Threat Ransomware attack Sensitive data

Boeing Evaluates Cyber Group's Data Dump Threat

 

Boeing Co announced on Friday that it is currently evaluating a claim made by the Lockbit cybercrime group, which asserts that it has obtained a significant volume of sensitive data from the aerospace giant. The group has threatened to release this information online unless Boeing pays a ransom by November 2.

To emphasize their ultimatum, the hackers displayed a countdown timer on their data leak website, accompanied by a message stating, "Sensitive data was exfiltrated and ready to be published if Boeing do not contact within the deadline!"

The group conveyed that, for now, they will refrain from providing lists or samples of the data in order to safeguard the company. However, they asserted that this stance may change before the deadline arrives.

Lockbit typically deploys ransomware on an organization's system to encrypt it and also pilfers sensitive information as a means of extortion.

A spokesperson for Boeing stated, "We are assessing this claim" via email.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Lockbit was the most active ransomware group globally last year, based on the number of victims it claimed on its data leak blog.

The gang, known for its eponymous ransomware, which emerged on Russian-language cybercrime forums in January 2020, has reportedly conducted 1,700 attacks on U.S. organizations since then, as per CISA's report in June.

Lockbit did not disclose the volume of data it purportedly acquired from Boeing, nor did they reveal the ransom amount they are demanding. Boeing declined to provide further comments.

The hacking group has yet to respond to a request for comment sent to the address mentioned on their data leak site.
Read more »
User Privacy
Chinese Hackers Data Breach Hacking Group Malicious actor Phishing Attacks Red Cross Unauthorized access User Privacy

AtlasCross Hackers Target Organizations with Red Cross Phishing Lures

A new hacking group called AtlasCross is targeting organizations with phishing lures impersonating the American Red Cross. The group uses macro-enabled Word documents to deliver backdoor malware to victims' devices.

The phishing emails typically contain a link to a malicious website or an attachment containing a macro-enabled Word document. If the victim opens the attachment and enables macros, the malware will be installed on their device.

The malware used by AtlasCross is called DangerAds and AtlasAgent. DangerAds is a system profiler and malware loader, while AtlasAgent is a backdoor that allows attackers to remotely control the victim's device.

Once the attackers have control of the victim's device, they can steal sensitive data, such as login credentials, financial information, and trade secrets. They can also use the device to launch further attacks against other organizations.

Bill Toulas, CEO of NSS Labs, aptly notes, "The AtlasCross phishing campaign is a reminder that even the most sophisticated organizations can be targeted by cybercriminals. It is important to be vigilant and take steps to protect yourself from these attacks."

How to protect your organization from AtlasCross phishing attacks:

  • Exercise Caution with Unsolicited Emails: Especially those bearing attachments or links.
  • Scrutinize Known Senders: Verify email addresses to confirm legitimacy.
  • Exercise Restraint with Unknown Emails: Refrain from opening attachments or clicking links if authenticity is in doubt.
  • Disable Macros in Microsoft Office: Unless they are absolutely essential, it's prudent to keep macros disabled to thwart potential malware delivery.
  • Maintain Updated Software: Ensure your operating system, web browser, and antivirus software are up-to-date, as these updates frequently contain vital security patches.

Organizations can take the following steps to augment their defense against AtlasCross phishing campaigns:
  • Employee Education: Provide thorough training on recognizing and evading phishing attempts, as employees are the first line of defense.
  • Utilize a Robust Security Solution: Employ a solution adept at detecting and thwarting phishing emails based on various indicators.
  • Segment Your Network: Isolate devices to prevent easy lateral movement in case of a compromise.
  • Enforce Stringent Password Policies: Implement multi-factor authentication to bolster device and account security.
Global organizations and individuals are seriously threatened by the AtlasCross hacking group. The aforementioned advice can help you safeguard yourself from phishing attempts. It is significant to remember that there is a possibility that you could fall victim to a phishing assault even if you take all necessary safeguards. Cybercriminals are continually creating new phishing attack methods as they get more proficient.

.



Read more »
Threat Landscape
Cyber Crime Espionage Campaign Hacking Group Malicious Ads Phishing email Threat Landscape

This Hacker Outfit has Targeted Thousands of Companies Across the Globe

 

ESET's cybersecurity researchers have recently uncovered a relatively new hacker outfit that has had great success targeting organisations all around the world. 

The researchers are still unsure of the group's eventual goal, which goes by the name of Asylum Ambuscade. BleepingComputer claims that over the past three years, it has been active all over the world, but primarily in the West.

It makes use of many different tools, such as the Sunseed malware, Akhbot, and Nodebot, which enable the team to carry out a wide range of malicious operations, such as stealing screenshots, stealing passwords stored in well-known web browsers, deploying Cobalt Strike loaders, running a keylogger, and more. In short, the group's skills encompass everything from espionage to cybercrime. 

They have a wide range of targets, including small and medium-sized businesses (SMB), government officials and organisations, bank customers, cryptocurrency speculators, and traders. 

Modus operandi 

Typically, a phishing email including a malicious script is the first step in an assault. Depending on the target's endpoints, the group selects which extra payloads to send after downloading the Sunseed virus. 

The researchers discovered that in certain cases the group generated Google Ads that drove consumers to websites that included malicious JavaScript code.

Additionally, the organisation appears to be very successful. Researchers at ESET began monitoring the gang's activity in January of last year and have since discovered almost 4,500 victims, which suggests the group targeted 265 businesses and organisations each month.

The group's intentions continue to be the biggest mystery. The researchers are unable to precisely identify what the group is attempting to do because they have access to a wide variety of tools that can be used to commit all types of cybercrime and a diverse list of victims. One explanation contends that the group is just selling knowledge and access to other threat actors, which explains their diverse strategy.
Read more »
Toronto-area Police
Cyber Attacks FBI Hacking Group Hive Hive Ransomware Ransomware group Toronto-area Police

Here is How Toronto-area Police Force Helped Take Down a Russian-linked Hacking Group


The Toronto police force has recently been explanatory on how it ended up getting involved with the international attempt on legally hack Hive, one of most ruthless ransomware groups in the world. 

The contributions made by the Peel Regional Police are one of the reasons why Canadian flag is among the icons displayed on what was the dark website for the Russian-linked ransomware group Hive, along with the logos of the U.S. Department of Justice, the FBI, and a variety of police forces around the globe. 

According to Detective Const. Karim Hussain in an interview with CTV News Toronto, Peel's detectives got engaged early when a local firm contacted them in 2021 claiming that their systems were down and a text message on their desktops revealed a ransom note. 

“We had one of the first cases in Canada of Hive ransomware[…]It was the first to market. At the time we started gathering evidence, Hive was a fairly new ransomware group. Everything we brought to the table was interesting because no one had seen it before,” he says. 

The attributes of the Hive case were similar to numerous other high-profile incidents, like a hospital in Louisiana where threat actors had accessed data of around 270,000 patients, and a Ohio hospital that was attacked and made them incapable of accepting new patients even during the massive surge of COVID-19. 

Those were only a few of the more than 1,500 attacks throughout the globe that had the digital traces of Hive, an organization whose associates, according to authorities, have made $150 million since 2021 as they demand money from companies in exchange for access to their data or system. 

The attacks are carried out via a "ransomware as a service" (RaaS) model, in which a small group of individuals create malicious software and then distribute it to numerous users, allowing them to quickly scale up their attacks before the security flaws they exploit are addressed. 

“You have an overarching group that provides everything down to the infrastructure, to lesser-capable cyber criminals, and they provide them the tools to conduct the hack,” Hussain said. 

The case brought the RCMP, the FBI, the police from France, Germany, Norway, and Lithuania together with Peel Police and other agencies dealing with Hive's impact. 

In retaliation, the group took over Hive's website earlier this year and replaced it with a landing page with the logos of numerous investigative agencies. “Simply put, using lawful means, we hacked the hackers,” said U.S. Deputy Attorney General Lisa Monaco in a press conference in January. 

Adding to this, she says that the police had found and then openly disseminated decryptor keys that may aid anyone who had been assaulted in independently recovering their data or liberating their systems. 

According to Christopher Wray, director of the FBI, these actions have prevented around $130 million in ransom from being paid. “This cut off the gas that is fueling Hive’s fire,” Wray said. 

According to Hussain, the inquiry is still ongoing as the prevalence of ransomware grows. Ransomware assaults made up 11% of all cyber security incidents in 2021, according to Statistics Canada. 

“There’s no end in sight to cybercrime right now,” Hussain said.  

Read more »
ransomware attacks
Antwerp Cyber Security Hacking Group Play Website ransomware attacks

Hacking Group Takes Down "Antwerp" from Website

 

The City of Antwerp is no longer listed as one of the organizations that the hacker group Play has compromised on its website. Uncertainty surrounds the meaning of this. Geert Baudewijns, a cyber security specialist, asserts that it's possible that either talk between the hackers and the City of Antwerp is in progress or that there is already a deal in place, in which case a ransom payment may have been made. 

A week and a half ago, the City of Antwerp was the target of a significant cyber-attack, which has since caused the suspension of several of the city's public services. A City Hall position is not often easy to get, and the hacking impacts libraries, museums, and schools. 

The Play hacker collective claimed responsibility for the hacking of its website on the so-called "dark web" not long after the City of Antwerp's websites were compromised. The city officials had until Monday, December 19 to comply with the collective's ransom demand. 

If not, the gang threatens to upload more than 500 gigabytes of information on the city and its residents, including all personal information, to the internet. 

Negotiation or ransomware? 

Only two possible explanations exist for the city's disappearance from the Play website. Geert Baudewijns of Secutec, a cyber-security specialist, told VRT News, a local media outlet, "Either the talks are proceeding apace. or the city has made the payment. Despite the fact that I am not taking part in the negotiations, I can speak from negotiation experience." 

"A firm may occasionally be required to pay a ransom equal to up to 10% of its annual revenue." For municipal or city officials, however, things may be very different. I am unable to remark on that.

According to Tim Verheyden of VRT NWS, Play is well-known in the hacker community. They were in charge of significant cyberattacks against the United States, Canada, Bulgaria, Switzerland, and now the City of Antwerp. The reason it is no longer visible on Play's website has not yet been addressed by the City of Antwerp.
Read more »
Void Balaur
Cyber Crime domains Hacking Group Phishing Attacks Russia Telegram User Privacy Void Balaur

Void Balaur Targets Russian Entities

A hacker-for-hire company that was originally revealed in 2019 has extended its scope to target victims with links to Russia in the political and corporate sector. 

Reported to attack a variety of known target groups worldwide, Void Balaur is a very active hacker-for-hire cyber mercenary gang. Since at least 2016, people have seen their services available for purchase online. Private data collection and access to particular online email and social media sites, including Gmail, Outlook, Telegram, Yandex, Facebook, Instagram, and corporate emails, are among the services offered. 

Google claims Since 2012, TAG has been keeping tabs on a diverse group of Indian hackers-for-hire, many of whom have worked briefly for Indian security companies Appin and Belltrox.

The gang often conducts attacks that are both general and opportunistic with the goal of getting illegal access to popular email services, social networks, communications, and corporate accounts.

According to reports, the hack-for-hire service provided by the gang is offered using a variety of guises, including Hacknet and RocketHack. The operators have offered additional services over the years, including real-time location tracking, SMS logs, and remote device access.

Furthermore, the assault infrastructure run by Void Balaur includes more than 5,000 distinct domains that present themselves as portals for public services, authentication services, and email websites.

A wide range of industries, frequently with specific political or business ties to Russia, are among the new targets. Additionally, Void Balaur hunts out targets useful for positioning or assisting upcoming assaults. They have the United States, Russia, Ukraine, and a number of other nations as their targets.

However, in early 2022, one of the group's managed domains resolved to an IP address that belongs to and is run by the Russian Federal Guard Service (FSO), indicating what appears to be an operating oversight and raising the possibility of a connection.

Despite the fact that Void Balaur targets persons and organizations all over the world, ads launched in 2022 have targeted individuals who are active in political and business circumstances that are important to Russia.

The use of highly repeatable phishing emails that look like they are from banks or local governments is common in order to deceive recipients into clicking a malicious link and divulging their account information.

In September 2021, one of the group's most infamous efforts featured attacks that targeted the personal email accounts of lawmakers and government leaders of an Eastern European nation.

In accordance with its reputation as a cyber mercenary, Void Balaur does not confine itself to the geopolitical sphere. Nonetheless,  employing and adopting the proper security measures will help in repelling cyber mercenary attacks.

Read more »
User Security
Data Data Breach Data Leak Hackers Hacking Group uber User Data User Privacy User Security

Uber Blames Extortion, Hacking Group Lapsus$ For Recent Data Breach

 

Uber revealed more details about the security incident that occurred last week on Monday, pinning the attack on a threat actor it believes is affiliated with the notorious LAPSUS$ hacking group. 

The financially motivated extortionist group was dealt a massive blow in March 2022 when the City of London Police arrested seven suspected LAPSUS$ gang members aged 16 to 21. Two of them were charged for their actions weeks later. The hacker responsible for the Uber breach, an 18-year-old teenager known as Tea Pot, has also claimed responsibility for breaking into video game publisher Rockstar Games over the weekend.

"This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, NVIDIA, and Okta, among others," the San Francisco-based company said in an update.

As the company's investigation into the incident continues, Uber stated that it is functioning with "several leading digital forensics firms," in addition to cooperating with the US Federal Bureau of Investigation (FBI) and the Justice Department.

In terms of how the attack occurred, the ridesharing company stated that an "EXT contractor" had their personal device compromised with malware and their corporate account credentials stolen and sold on the dark web, correlating with an earlier Group-IB report. The previous week, the Singapore-based company reported that at least two of Uber's employees in Brazil and Indonesia had been infected with Raccoon and Vidar information robbers.

"The attacker then repeatedly tried to log in to the contractor's Uber account," the company said. "Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in."

After gaining access, the miscreant appears to have accessed other employee accounts, giving the malicious party access to "several internal systems" such as Google Workspace and Slack. The company also stated that as part of its incident response measures, it disabled impacted tools, rotated keys to the services, locked down the codebase, and blocked compromised employee accounts from accessing Uber systems or issued password resets for those accounts.

Uber did not say how many employee accounts were potentially compromised, but it emphasised that no unauthorised code changes were made and that there was no evidence the hacker had access to production systems that support its customer-facing apps. The firm also revealed that the attacker gained access to HackerOne bug reports, but added that "any bug reports the attacker was able to access have been remediated."

"There is only one solution to making push-based [multi-factor authentication] more resilient and that is to train your employees, who use push-based MFA, about the common types of attacks against it, how to detect those attacks, and how to mitigate and report them if they occur," Roger Grimes, data-driven defence evangelist at KnowBe4, said in a statement.

According to Chris Clements, vice president of solutions architecture at Cerberus Sentinel, organisations must recognise that MFA is not a "silver bullet" and that not all factors are created equal.
While there has been a transition from SMS-based authentication to an app-based approach to reduce the dangers associated with SIM swapping attacks, the attack against Uber and Cisco shows that security controls that were once thought to be infallible are being circumvented by other means.

The fact that threat actors are relying on attack paths such as adversary-in-the-middle (AiTM) proxy toolkits and MFA fatigue (aka prompt bombing) to trick an unsuspecting employee into inadvertently handing over MFA codes or authorising an access request underscores the importance of employing phishing-resistant methods.

"To prevent similar attacks, organizations should move to more secure versions of MFA approval such as number matching that minimize the risk of a user blindly approving an authentication verification prompt," Clements said.

"The reality is that if an attacker only needs to compromise a single user to cause significant damage, sooner or later you are going to have significant damage," Clements added, underscoring strong authentication mechanisms "should be one of many in-depth defensive controls to prevent compromise."
Read more »
Ransomware
BianLian Hacking Group malware Ransomware

A New Ransomware Gang BianLian on a Sudden Rise



BianLian has 20 victims 

A new ransomware gang working under the name BianLian surfaced last year and is actively on the rise since then. The group already has a record of twenty victims across various industries (engineering, medicine, insurance, and law). Most of the victim organizations are based in Australia, the UK, and North America.

Cybersecurity firm Redacted published a report regarding the incident, it hasn't attributed the attack to anyone but believes the threat actor "represents a group of individuals who are very skilled in network penetration but are relatively new to the extortion/ransomware business." 

Redacted firm finds the group 

Unfortunately, the Redacted team of experts has found proof that BianLian is now trying to advance its tactics. In August, the experts noticed that a troubling expansion in the rate by which BianLian was bringing new [CBC] servers online. 

"The BianLian group has developed a custom tool set consisting of a backdoor and an encryptor, developing both using the Go programming language," says the report.

The experts currently lack the insight to know the reason for the sudden increase in growth, it may hint that the hacking group is ready to increase its operational tempo, though whatever may be the reason, there isn't much good that comes from a ransomware operator that has resources readily available to him. 

How does BianLian work?

To get initial access into the victim's network, BianLian generally attacks the SonicWall VPN devices, servers that offer remote network access through solutions like Remote Desktop, ProxyShell vulnerability chain 

Once exploited, they deploy either a webshell or a lightweight remote access solution like ngrok as the follow-on payload. Once inside the victim network, BianLian takes upto six weeks to initiate the encryption process. 

As BianLian in the beginning spreads throughout the network, looking for the most important information to steal and find out the most important machines to encrypt, it appears to take steps to reduce observable incidents, via living of the land (LOL) methods to move horizontally. 

In the past, BianLian has occasionally posted teaser information on victim organizations, leaving the victims identities masked, which may have served as an additional pressure mechanism on the victims in an attempt to have them pay the actors ransom demand, says Redacted report. 

Read more »
Malicious actor
Cyber Security domains Google Hacking Hacking Group malicious Malicious actor

Google Blocks Malicious Domains Used by Hack-for-hire Groups

About hack-for-hire

Threat Analyst Group (TAG) of Google last week revealed that it blocked around 36 malicious domains used by Hacking groups in Russia, UAE, and India. 

In a technique similar to surveillance ecosystems, hack-for-hire groups give their clients the leverage to launch targeted cyberattacks on corporate organizations, politicians, activists, journalists, and other users that are at high-risk. 


What is Google saying?

Google in its Blog says "as part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further harm."  

The only difference in the manners of the two is that while users buy the spyware from commercial vendors and later use it themselves, the actors behind hack-for-hire cyberattacks deploy the hacking attempts on the clients' behalf so that the buyers remain anonymous. 


How does hack-for-hire operate?

The hack-for-hire ecosystem is flexible in two ways, first in how the actors deploy the attacks themselves, and second, in the large range of targets, they seek in a single campaign on their clients' behalf. 

Some hacking groups publicly market their products and services to any user that is willing to pay, however, few operate in a hidden manner and sell their services to a limited public. 

"We encourage any high risk user to enable Advanced Protection and Google Account Level Enhanced Safe Browsing and ensure that all devices are updated. Additionally, our CyberCrime Investigation Group is sharing relevant details and indicators with law enforcement," says Google. 


Other Details


A recent campaign launched by an Indian hacking group attacked an IT company in Cyprus, a fintech organization in the Balkans, an educational institute in Nigeria, and a shopping company in Israel, hinting the wide range of victims. 

According to Google Since 2012, TAG has been tracking an interwoven set of Indian hack-for-hire actors, with many having previously worked for Indian offensive security providers Appin and Belltrox. 

One cluster of this activity frequently targets government, healthcare, and telecom sectors in Saudi Arabia, the United Arab Emirates, and Bahrain with credential phishing campaigns, Google adds. 
Read more »
NVIDIA
Customer Care Cyber Blackmail Data Breach FedEx Hacking Group NVIDIA

Lapsus$ Attackers Gained Access to a Support Engineer's Laptop, as per Okta

 

According to Okta, a quick inquiry into the posting of screenshots that appeared to depict a data breach discovered they are linked to a "contained" security incident that occurred in January 2022. 

After the LAPSUS$ hacking group shared screenshots on Telegram which it claimed were taken after gaining access to "Okta.com Superuser/Admin and several other systems," Okta, an enterprise identity, and access management business, initiated an investigation. 

Lapsus$ is a hacking gang that has risen through the ranks by supposedly breaking into the networks of high-profile companies one by one to collect information and threaten to disclose it online until blackmail payments are made.

Sitel, Okta's third-party provider of customer support services, was hacked by the Lapsus$ data extortion gang. "The Okta Security team was notified on January 20, 2022, a new factor had been added to a Sitel customer service engineer's Okta account. It was a password which served as this factor" Okta explains. "Though this individual approach was unsuccessful, it reset the account and contacted Sitel," says the company, which then hired a top forensic agency to conduct an investigation. 

Okta is a publicly-traded corporation based in San Francisco with thousands of users, including several technology companies. FedEx, Moody's, T-Mobile, JetBlue, and ITV are among the company's top clients. 

"Lapsus$ is infamous for extortion, threatening victims with the publication of sensitive information if demands are not met," said Ekram Ahmed, a Check Point spokesperson. "The gang boasts of infiltrating Nvidia, Samsung, and Ubisoft, among others." The public has never fully understood how the gang was able to penetrate these targets. 

Okta claims it was unaware of the scope of the event in January, believing it to be restricted to a failed account takeover attempt aimed at a Sitel support engineer. Sitel's hiring of a forensics firm to investigate the incident and prepare a report also assured Okta at the moment the situation didn't need to be escalated any further.

The stock price of Okta dropped about 20% in less than a week after the company's clumsy announcement of the January hacking event. At first, Okta CEO Todd McKinnon described the event as an "attempt" by malicious attackers to hack a support engineer's account. However, it was eventually discovered the problem had affected 2.5 percent of Okta's clients (366 in total). Sitel's support engineers have restricted access to Jira requests and support systems, but they are not allowed to download, create, or delete client records. 

According to Okta, the screenshots posted by the Lapsus$ group were taken from a compromised Sitel engineer's account with limited access. Regardless, the corporation voiced dissatisfaction with the amount of time it took for the investigation's findings to be released.
Read more »
Subscribe to: Posts (Atom)