Search This Blog

Showing posts with label High Profile Attacks. Show all posts

Fake CISO Profiles of Corporate Giants swamps LinkedIn


LinkedIn has recently been flooded with fake profiles for the post of Chief Information Security Officer (CISO) at some of the world’s largest organizations. 

One such LinkedIn profile is for the CISO of the energy giant, Chevron. One might search for the profile, and find the profile for Victor Sites, stating he is from Westerville, Ohio, and is a graduate of Texas A&M University. When in reality, the role of Chevron is currently occupied by Christopher Lukas, who is based in Danville, Calif. 

According to KrebsOnSecurity, upon searching the profile of “Current CISO of Chevron” on Google, they were led to the fake CISO profile, for it is the first search result returned, followed by the LinkedIn profile of the real Chevron CISO, Christopher Lukas. It was found that the false LinkedIn profiles are engineered to confuse search engine results for the role of CISOs at major organizations, and the profiles are even considered valid by numerous downstream data-scraping sources. 

Similar cases could be seen in the LinkedIn profile for Maryann Robles, claiming to be the CISO of another energy giant, ExxonMobil. LinkedIn was able to detect more such fabricated CISO profiles since the already detected fake profile suggested 1 view a number of them in the “People Also Viewed” column. 

Who is Behind the Fake Profiles? 

Security experts are not yet certain of the identity of the threat actors behind the creation and operation of these fake profiles. Likewise, the intention leading to the cyber security incident also remains unclear.  

LinkedIn, in a statement given to KrebsOnSecurity, said its team is working on tracking the fake accounts and taking down the con men. “We do have strong human and automated systems in place, and we’re continually improving, as fake account activity becomes more sophisticated,” the statement reads. “In our transparency report we share how our teams plus automated systems are stopping the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scam,” said LinkedIn. 

What can LinkedIn do?  

LinkedIn could take simple steps that could inform the user about the profile they are looking at, and whether to trust the given profile. Such as, adding a “created on” date for every profile, and leveraging the user with filtered searches. 

The former CISO Mason of LinkedIn says it could also experiment with offering the user something similar to Twitter’s ‘verified mark’ to those who chose to validate that they can respond to email at the domain linked with their stated current employer. Mason also added LinkedIn needs a more streamlined process allowing employers to remove phony employee accounts.

Novel ToddyCat APT Attacking Microsoft Exchange Servers


ToddyCat APT has been targeting Microsoft Exchange servers in enterprises throughout Asia and Europe since at least December 2020. 

The ToddyCat APT  group boosted its attacks in February 2021 and is looking for unpatched Microsoft Exchange servers with ProxyLogon exploits to launch attacks on. A passive backdoor dubbed Samurai and a new Ninja trojan were identified while following the group's activity. Both types of malware take over compromised devices and migrate laterally throughout networks. 

Some of the organisations infiltrated by the gang in three separate countries were hacked at the same time by other Chinese-backed hackers using the FunnyDream backdoor. High-profile organisations from the government and military sectors are the targeted victims. The group appears to be focused on attaining essential goals that are linked with geopolitical objectives. 

Numerous waves of attacks 

The initial wave of strikes began in December 2020 and ended in February 2021. The group was solely targeting a few government entities in Vietnam and Taiwan at the time. Between February and May 2021, the second round of assaults began targeting organisations in a variety of nations, including Iran, Russia, India, and the United Kingdom. 

The group targeted the same set of nations in the following phase, which lasted through February 2022, as well as communities from Uzbekistan, Kyrgyzstan, and Indonesia. ToddyCat Group has expressed interest in the government and military sectors and is expected to continue operations. 

Organizations should employ threat intelligence services to remain up to date on emerging dangers and defend their networks. Additionally, they should utilise the given IOCs to improve threat detection.