Search This Blog

Showing posts with label MFA. Show all posts

9 Million Patients' Data Exposed by Ransomware Attack on US Dental Giant

 


A ransomware attack may have compromised nearly nine million individuals' personal information in the United States. This is due to the harm caused by an apparent attack on a dental health insurer — one of the country's largest.

According to Managed Care of North America (MCNA) Dental, a multinational dental insurance company headquartered in the United States, the company took notice of certain activities in its computer system on March 6, 2023. MCNA immediately stopped those activities and began an investigation.

As a result, despite those steps being taken, the LockBit ransomware – which acquired responsibility for the attack – is making a comeback with a threat to leak 700GB of data stolen from MCNA's network if the company does not pay the attackers a $10 million ransom. To allow anyone to download all of the data, reports suggest the group released the data on its website on April 7 for anyone to download.

There are several dental insurers in the United States. However, Managed Care of North America (MCNA) Dental claims to be the nation's largest dental insurer for children and seniors covered by government-sponsored plans. Among the notices the company posted on Friday, it stated it became aware on March 6 that "certain activities in our computer system took place without our permission" and that the company had decided to take action. After it was discovered that a hacker had gained access to their computer system between February 26 and March 7, 2023, the company became suspicious that there was a breach of security. 

A breach notice from MCNA ticks the typical boxes: it was discovered that a criminal could view and copy some information stored in our computer system using IDX, a ZeroFox Inc.-owned company. 

Names, addresses, dates of birth, telephone numbers, e-mail addresses, Social Security numbers, driver's licenses, and other government-issued identification numbers were among the information that was stolen. There was also information regarding health insurance details, dental care records, billing, and insurance details that were taken. 

According to MCNA Dental, the hackers also gained access to information about a patient's health insurance plan information, Medicaid ID numbers, billing and insurance claim information, and bills and insurance claims. 

During this time, PharMerica, a leading pharmacy service provider with over 2,500 facilities in the US and offering over 3,100 pharmacy and healthcare programs, announced a data breach that exposed nearly six million patients. PharMerica operates in more than 2,500 facilities across the country.

As part of the notification to Maine's attorney general regarding the data breach, PharmaCrime indicated that on March 14, its computer network was discovered to have suspicious activity on it. 

It was reported on March 7 that the LockBit ransomware gang was responsible for the attack, saying they were willing to publish 700 gigabytes of stolen data unless the victim paid a $10 million ransom. LockBit released the data on April 7 because MCNA failed to pay the ransom.

To assist people whose personal information may have been involved in this incident, the insurer is now sending individual letters directly to them. 

Several questions must be addressed about possible liability and responsibilities arising from LockBit having the data and publishing it versus MCNA publishing its breach notice. Until well over a month after LockBit first released its data, the company did not notify its patients of the breach, which gave threat actors ample opportunity to target those in the affected area before the company was fully notified.

In the past, security experts have told organizations that are victims of ransomware not to pay the attackers in exchange for the decryption keys, however, due to double-extortion attacks that can lead to both companies and their clients suffering long-term harm due to data leaks, the rules of the game have changed. There are several factors to consider before paying a ransom. It might be to your advantage to give in to a ransom demand. This will save you a lot of trouble and time in the long run. 

Organizations can take several measures to prevent ransomware attacks from gaining a foothold in their networks. These measures include enhancing their overall security defense posture and implementing multifactor authentication (MFA). 

As part of their efforts to prevent phishing attacks, organizations should also maintain strong controls to shield them since attackers often use credentials stolen in this way as an entry point into a network to launch ransomware attacks and other malicious software.

The Challenges with Passkeys: Addressing Limitations

Passkeys have become a popular method for authentication, offering an alternative to traditional passwords. However, despite their advantages, there are several key issues that need to be addressed. This article explores the problems associated with passkeys and the need for further improvements in authentication methods.

Passkeys, often referred to as passwordless authentication, aim to provide a more convenient and secure way to access accounts and devices. Unlike passwords, which can be forgotten, stolen, or easily guessed, passkeys utilize unique characteristics of the user's device, such as biometrics or hardware-based keys, to grant access.

One of the primary concerns with passkeys is their reliance on specific devices or platforms. For instance, a passkey that works on an Android device might not be compatible with an iOS device or a different operating system. This lack of cross-platform compatibility limits the usability and convenience of passkeys, as users may need multiple passkeys for different devices or services.

Additionally, passkeys are vulnerable to potential security risks. While they eliminate the need for passwords, which are often weak and prone to hacking, passkeys are not immune to threats. If a passkey is compromised, it could lead to unauthorized access to the associated account or device. Furthermore, if the passkey is stored insecurely, such as in the cloud or on an easily accessible device, it could be accessed by malicious actors.

Another challenge is the adoption and support of passkeys across various platforms and services. Although major tech companies like Google have introduced passkey support, it requires widespread adoption from service providers and developers to offer a seamless experience for users. If passkey support remains limited, users may still need to rely on traditional password-based authentication methods.

To address these issues, further advancements in passkey technology and authentication methods are necessary. First and foremost, there should be greater collaboration between tech companies and service providers to establish standardized protocols for passkey implementation. This would enable interoperability across different platforms, making passkeys more accessible and user-friendly.

Enhancing the security of passkeys is also critical. Additional layers of protection, such as multi-factor authentication, can be integrated with passkeys to add an extra level of security. This could include biometric verification, device attestation, or behavioral analysis to ensure the legitimacy of the user.

Furthermore, educating users about the importance of passkey security and best practices is crucial. Users need to understand the risks associated with passkeys and be encouraged to store them securely, preferably using hardware-based solutions or secure vaults.

Safeguarding Your Data: 10 Best Practices to Prevent a Data Breach

 

Data breaches have become a significant concern for organizations and individuals alike, as cyber threats continue to evolve in complexity and scale. The consequences of a data breach can be severe, ranging from financial loss and reputational damage to legal implications. It is crucial for businesses to implement robust preventive measures to protect their valuable data and maintain customer trust. Here are some best practices and tactics to prevent a data breach.
  1. Develop a comprehensive security strategy: Establish a well-defined security plan that includes policies, procedures, and guidelines for data protection. Regularly review and update this strategy to adapt to evolving threats.
  2. Educate and train employees: Human error is a leading cause of data breaches. Conduct regular training sessions to educate employees on data security practices, such as strong password management, recognizing phishing attempts, and handling sensitive data appropriately.
  3. Implement strong access controls: Limit access to sensitive data and ensure that access rights are granted based on a need-to-know basis. Regularly review and update user permissions as employees change roles or leave the organization.
  4. Encrypt sensitive data: Utilize encryption techniques to protect data both at rest and in transit. Encryption adds an extra layer of security, making it difficult for unauthorized individuals to access and interpret the data.
  5. Regularly patch and update systems: Keep all software, operating systems, and applications up to date with the latest security patches. Vulnerabilities in outdated software can be exploited by attackers to gain unauthorized access.
  6. Use multi-factor authentication (MFA): Implement MFA for accessing critical systems and sensitive data. MFA adds an extra layer of authentication, making it harder for attackers to gain unauthorized access even if passwords are compromised.
  7. Conduct regular security assessments: Perform comprehensive security assessments, including vulnerability scans and penetration testing, to identify potential weaknesses and address them proactively.
  8. Implement data backup and recovery procedures: Regularly back up critical data and test the restoration process. In the event of a breach, having reliable backups can help restore systems and minimize downtime.
  9. Monitor network and system activity: Employ intrusion detection and prevention systems, as well as log monitoring and analysis tools, to identify and respond to suspicious activity promptly.
  10. Establish an incident response plan: Develop a well-defined incident response plan that outlines the steps to be taken in the event of a data breach. This plan should include communication strategies, containment measures, and coordination with relevant stakeholders.
By following these best practices, organizations can significantly reduce the risk of a data breach and protect sensitive information. However, it's essential to stay informed about emerging threats, industry best practices, and regulatory requirements to ensure ongoing data security. Remember, prevention is key when it comes to data breaches, and a proactive approach can save you from costly and damaging repercussions.


GAO Urges Federal Agencies to Implement Key Cloud Security Practices

The Government Accountability Office (GAO) has called on federal agencies to fully implement essential cloud security practices in order to enhance their cybersecurity posture. In a recent report, the GAO highlighted the importance of adopting and adhering to these practices to mitigate risks associated with cloud computing.

According to the GAO, four federal departments have not fully implemented cloud security practices, which puts their systems and data at increased vulnerability. The report emphasizes that addressing these shortcomings is critical for ensuring the confidentiality, integrity, and availability of sensitive information stored in the cloud.

Cloud computing offers numerous benefits to federal agencies, including increased efficiency, scalability, and cost-effectiveness. However, it also introduces unique cybersecurity challenges that must be addressed proactively. The GAO report outlines several key security practices that agencies should prioritize to strengthen their cloud security posture.

One of the primary recommendations is to implement strong identity and access management controls. This involves ensuring that only authorized individuals have access to sensitive data and systems and that user privileges are properly managed and monitored. By implementing multi-factor authentication and robust user access controls, agencies can significantly reduce the risk of unauthorized access.

Another crucial aspect highlighted by the GAO is the need for comprehensive data protection measures. This includes encrypting sensitive data both at rest and in transit, implementing secure data backup and recovery processes, and regularly testing the effectiveness of these measures. By employing encryption and backup protocols, agencies can minimize the impact of data breaches or system failures.

Additionally, the GAO emphasizes the importance of monitoring and logging activities within cloud environments. By implementing robust logging mechanisms and real-time monitoring tools, agencies can detect and respond to security incidents promptly. This enables them to identify unauthorized access attempts, suspicious activities, and potential vulnerabilities that could be exploited by attackers.

The GAO report further highlights the significance of training and awareness programs for agency personnel. It recommends providing comprehensive cybersecurity training to employees, ensuring they are aware of potential threats, best practices, and their role in maintaining a secure cloud environment. Regular training and awareness initiatives can help strengthen the overall security culture within agencies.

The GAO study concludes by serving as a reminder to government agencies of the significance of fully implementing important cloud security measures. Agencies can dramatically improve their cybersecurity posture in the cloud by giving priority to identity and access control, data protection, monitoring, and training. Federal agencies must act quickly on these recommendations and set aside the necessary funds to guarantee the integrity and security of their cloud-based systems and data.

Picking The Right Password Manager: Five Things To Bear In Mind

 

The best password managers, along with efficient password and credential management, are becoming more crucial as more and more business is conducted online. Your company will be more immune to cybercrime if you make sure the password manager you select provides the majority or all of these. 

Whether through widespread hacking or targeted efforts, cybercrime continues to pose serious hazards to organisations. In light of this, it makes sense for businesses in particular to invest in the best password managers. How can you select from the best password managers, though? 

Below are the five key characteristics you should consider while selecting a password manager. These essential components, in our opinion, are what separate a good platform from a just good service.

1. End-to-end encryption

A password manager's superior encryption is its most crucial component. It is a must. In the end, password managers are really all about data security, and without end-to-end encryption, your data won't be safe enough. 

Your data is indecipherable while it is in transit and at rest thanks to end-to-end encryption. A special authentication key must be given for the platform in order to decode the data. The only person with access to this authentication key is the user thanks to end-to-end encryption.

This implies that no one, not even your provider, can access your passwords. Your encrypted and unreadable data is all that is stored by the platform. Your passwords will therefore be secure even if the provider is compromised. 

End-to-end encryption, also known as zero-knowledge architecture, enables a provider to encrypt and store client data at the greatest levels of security without knowing what data is being stored. It is the first thing you should look for if you want to keep your organization's passwords and credentials in the most secure manner possible. 

2. Multi-factor authentication (MFA) 

While we're talking about security, let's talk about MFA. Users must log in with MFA and a secondary authentication method in addition to their password. This guarantees that a user's account will probably stay secure even if their master password is stolen.

An app-generated unique code or a one-time password are both acceptable forms of secondary authentication. These supplementary techniques are typically connected to a user's personal device, like their mobile phone or personal email address. This makes sure that a user needs their email address or device in addition to the master password to access their account. 

Because user login is one of the most major points of vulnerability across all password managers, MFA is one of the simplest ways to boost your account's security. If a user's master password is compromised and a provider doesn't have MFA procedures in place, then all of the encryption and security measures in the world won't matter and their data could still be exposed. Selecting a password manager with MFA capability is something we strongly advise.

3. Regular updates 

Make sure to verify that your preferred options are up to date because password managers, like any other piece of software, must be kept updated. You should invest in a password organiser that is regularly updated to keep up with the ever-changing security landscape because hackers and other cybercriminals constantly change their tactics and behaviour. 

4. Password creation 

The first challenge we all confront is coming up with a strong password. You should gain the further advantage of the software's ability to produce a new log-in anytime you require it by investing in a high-quality password manager. This will always be considerably superior than anything you generate yourself, therefore it should be secure and safe. 

5. Setting up passwords 

There is an additional benefit to using a password manager if you have been using log-ins for any length of time. There are many password manager programmes that can analyse your current password collection and let you know which ones are weak or possibly have previously been compromised. They frequently have the ability to compare them to databases of compromised log-in details, and they can offer advice on how to update details to best protect against possible assaults.

Source Code & Private Data Stolen From GoTo

GoTo, the parent company of LastPass, has disclosed that hackers recently broke into its systems and seized encrypted backups belonging to users. It claimed that in addition to LastPass user data, hackers managed to obtain data from its other enterprise products.

A data breach including the theft of source code and confidential technical information was announced by GoTo affiliate LastPass in August of last year. GoTo acknowledged being impacted by the attack in November, which was connected to an unidentified third-party cloud security vendor.

Paddy Srinivasan, chief executive of GoTo, revealed that the security breach was more severe than initially suspected and involved the loss of account usernames, salted and hashed passwords, a piece of the Multi-Factor Authentication (MFA) settings, along with some product settings and license data.

Despite the delay, GoTo did not offer any restoration assistance or guidance for the impacted consumers. According to GoTo, the company does not keep track of its client's credit card or bank information or compile personal data like dates of birth, addresses, or Social Security numbers. Contrast that with the incident that affected its subsidiary, LastPass, in which hackers grabbed the contents of users' encrypted password vaults along with their names, email addresses, phone numbers, and payment information.

LastPass' response to the leak was ripped apart by cybersecurity experts, who charged the firm with being opaque about the gravity of the situation and failing to stop the hack. To provide more reliable authentication and login-based security solutions, GoTo is also transferring its accounts onto an improved Identity Management Platform.

The number of impacted consumers was not disclosed by GoTo. Jen Mathews, director of public relations at GoTo, claimed that the company has 800,000 clients, including businesses, but she declined to address other queries.

Info-stealing Ads Spread by Malvertising

HP Wolf Security's cybersecurity researchers have issued a warning about various ongoing activities that aim to use typosquatting domains and malicious advertising to spread different types of malware to unwitting victims.

Additionally, the scammers paid various ad networks to broadcast ads promoting these bogus websites. Search engines can end up presenting harmful versions of the websites alongside trustworthy ones when users search for these programs in this manner. Users risk being misdirected if they are not careful and double-check the URL of the website they are viewing.

Bogus installers

A total of 92 domains that look like other software and may have been used to spread IcedID were found. If victims do find themselves in the incorrect location, they would not likely notice the difference.

The websites are meticulously created to resemble the real ones in practically every way. In the context of Audacity, the website hosts a malicious.exe file that poses as the installation for the program. 'audacity-win-x64.exe' is the file's name, and it is larger than 300MB in size. The attackers strive to avoid detection by being this large, in addition to antivirus software. The researchers found that several antivirus products' automatic scanning functions do not check really huge files.

According to Cyble security experts, Rhadamanthys was used to steal data from web browsers, crypto wallets, and messaging apps. It was spread using Google Ads that imitated AnyDesk, Zoom, Bluestacks, and Notepad++.

Another issue involved DEV-0569 abusing Google Ads to distribute BatLoader, according to Microsoft researchers. As part of the spreading process, the group imitated LogMeIn, Adobe Flash Player, and Microsoft Teams.

Due to their extensive capabilities, info-stealers are now a common type of malware utilized by hackers. The demand for this malware is so great that it rules many underground market forums.

Increased sales of victim data on the dark net will result from selling these new malware strains and the accessibility of info-stealer malware source code.

Users should double-check the integrity of these websites before downloading any installers as the most recent assault campaign mostly uses bogus websites that look legal to distribute malware. To reduce the risk of info-stealer malware, it is also advised to deploy MFA across all accounts.




SMBs are Currently Incapable of Managing Cyberattacks

Videoconferencing is a tool that businesses utilize to discuss corporate plans as well as judicial, military, healthcare, or other issues. For a business, its staff, clients, and customers, the theft of that data may be fatal.
 
However, a recent analysis of videoconferencing security by the Aite-Novarica Group revealed that 93% of the IT experts polled were aware of security flaws and severe hazards in their videoconferencing platforms.

The majority of the 847,376 public cyberattacks and malware activity criticism received by the FBI's Internet Crime Complaint Center was made by small businesses, according to Sohn. In the past six months, over a third of SMBs reported that the attacks they experienced became more complex, and 45% also reported an increase in attack frequency.

In the past six months, over a third of SMBs reported that the attacks they experienced became more complex, and 45% also reported an increase in attack frequency.

Businesses are aware of technological solutions that can help SMBs with this issue. To manage it and provide a comprehensive, or front perspective on visibility, four out of five (80%) respondents said they would prefer to have an all-in-one safeguards solution. They are also contemplating Zero Trust Network Access as a network security measure.

According to a recent Forrester report, 68% of companies want to increase their financial commitment to Zero Trust efforts. 22% of buyers involve individuals from non-IT departments in the software evaluation process. Too many SMBs exclude other significant stakeholders who can offer additional insight into how the software will be utilized daily, even though IT teams should be consulted in every software acquisition to ensure compatibility with existing tech infrastructures.

According to experts, the risk is particularly acute for small and medium-sized businesses (SMBs). Before the pandemic, this group of people relied significantly on video communication to reduce travel expenses.SMBs could also lack the internal knowledge or security awareness needed to strengthen their defenses. Implementing very basic cyber wellness, such as two-factor or multi-factor authentication techniques, may have prevented such attacks.




 Find Out if Your Email Address Is Being Sold on the Dark Web


Almost everybody uses email. You have probably had a data breach if your private information, like your email address, is discovered on the dark web. There are numerous methods to sell and use your personal information.  

The portion of the Internet that is hidden and inaccessible with a standard web browser is known as the dark web.  The dark web's material is encrypted and needs special permission to access. The most popular method for accessing the black web is Tor, a program that masks IP addresses and locations. Additionally, hackers can easily purchase and sell identity-related information on the dark web, including credit card data, Social Security numbers, medical records, passports, etc. 

How to search for your email on the dark web

1. Launch a computer scan

Unusual or suspicious activity is a certain indication that your email account has been hijacked. Monitoring your laptop for viruses. For instance, it is very likely that your account has been hijacked if you find that your recovery email address or phone number has changed. 

2. Search Have I Been PWned?

You can utilize the website Have I Been Pwned to determine whether your data has been exposed as a result of a breach. The free tool gathers data while searching the internet for database dumps.

3. Employ a password manager

The entire objective of password managers is to assist users with all aspects of password management. A built-in password generator is typically included with password managers, allowing you to create complicated, secure passwords right away. 

4. Make use of two-factor authentication

A hacker will have a much harder time gaining access thanks to the additional layer of security provided by two-factor authentication. 

You must confirm the login attempt after providing your normal information. Usually, to do this, you will get a text message with a random number that you must enter in order to access your account. By doing this, even someone who knows your email and password cannot access your accounts.  

In some circumstances, opening a new email account could be the best and safest choice. From social media to banking, disconnect all of the accounts from the compromised address and link them to a new one.  

Users ought to use more than one email account to achieve optimal security. Decentralizing your online presence and protecting your devices from cyber risks can be accomplished in large part by setting up distinct accounts for work, banking services, social networking, and newsletter subscriptions. Users must ensure they are aware of cybersecurity fundamentals because maintaining online safety takes more than just securing their email account.

Sophos 2023 Threat Report: Cryptocurrency Will Fuel Cyberattacks

The Sophos 2022 Threat Report, released by Sophos, a pioneer in next-generation cybersecurity, illustrates how the gravitational influence of ransomware is attracting other cyber threats to building one vast, linked ransomware delivery system, having essential ramifications for IT security.

Entry-level hackers can buy malware and spyware installation tools from illicit markets like Genesis, and also sell illegal passwords or other data in mass. Access brokers increasingly sell other criminal groups' credentials and susceptible software exploits.

A new ransomware-as-a-service economy has emerged in the last decade due to the rising popularity of ransomware. In 2022, this as-a-service business model has grown, and almost every component of the cybercrime toolkit from initial infection to methods of evading detection is now accessible for purchase, according to the researchers.

Several step-by-step tools and methods that attackers might use to spread the ransomware were revealed when an affiliate of the Conti ransomware published the deployment guide supplied by the operators. RaaS affiliates and other ransomware operators can use malware distribution platforms and IABs to discover and target potential victims once they have the virus they require. The second significant trend predicted by Sophos is being fueled by this.

Gootloader was launching innovative hybrid operations in 2021, as per Sophos's research, that blended broad campaigns with rigorous screening to identify targets for particular malware packs.

Ransomware distribution and delivery will continue to be adapted by well-known cyber threats. Which include spam, spyware, loaders, droppers, and other common malware in addition to increasingly sophisticated, manually handled first access brokers.

Data theft and exposure, threatening phone calls, distributed denial of service (DDoS) assaults, and other pressure tactics were all included in the list of ten pressure methods Sophos incident responders compiled in 2021.

Cryptocurrency will continue to feed cybercrimes like ransomware and unlawful crypto mining. In 2021, Sophos researchers discovered crypto miners like Lemon Duck and MrbMiner, which installed themselves on machines and servers by using newly revealed vulnerabilities and targets that had already been compromised by ransomware operators. Sophos anticipates that the trend will continue until international cryptocurrencies are better regulated.

In addition to promoting their products, cybercrime vendors sometimes post job openings to hire attackers with specialized capabilities. In addition to profiles of their abilities and qualifications, job seekers are posting help-wanted sites on some markets, which also have technical hiring personnel.

As web services grow, different kinds of credentials, particularly cookies, can be utilized in a variety of ways to penetrate networks more deeply and even get through MFA. Credential theft continues to be one of the simplest ways for new criminals to enter gray markets and start their careers.

Ransomware Exposed Stolen Data From Cisco on Dark Web

Yanluowang ransomware Gang has published Cisco Systems' stolen data on the dark web and following the data leak, Cisco confirmed that the data was stolen from its network during an intrusion that took place in May. 

Cisco Security Incident Response (CSIRT) conducted an investigation wherein it was found that the attackers acquired control of a personal Google account that had the credentials saved in the browser. The threat actors compromised these credentials to launch voice phishing attacks. The idea behind the attacks was to lure the targeted employee into accepting the MFA notification. 

Cisco revealed in a report published in August that the firm's networks had been infiltrated by the Yanluowang ransomware after hackers gained access to an employee's VPN account. The company further asserted that the only information taken was employee login information from Active Directory and non-sensitive files saved in a Box account.

Once the threat actors obtained the employee's Cisco credentials, the hackers employed social engineering and other techniques to get beyond multi-factor authentication (MFA) and gather more data.

After gaining initial access, the hackers registered a list of new devices for MFA, authenticated effectively to the Cisco VPN, and dropped multiple tools in the victim network including RATs such as LogMeIn, TeamViewer, Cobalt Strike, PowerSploit, Mimikatz, and Impacket, as per Security Affairs. 

Over the weekend, Cisco said in an update that "the content of these files matched what we have detected and released.  We continue to see no effect on the business, including Cisco goods or services, confidential customer data or sensitive employee data, copyrights, or supply chain activities, which is consistent with our previous examination of this incident."

The researchers at the cybersecurity firm eSentire linked Yanluowang with "Evil Corp" (UNC2165), the Lapsus$ gang, and FiveHands malware (UNC2447).

The hacked Google account of an employee that had enabled password synchronization through Google Chrome and saved their Cisco details in the browser allowed the thieves to initially access the Cisco VPN.

The leader of Yanluowang ransomware told BleepingComputer that they had stolen thousands of files totaling 55GB from a cache that contained sensitive information including technical schematics and source code. The hacker did not offer any evidence. The only thing they provided was a screenshot showing access to what seemed like a development system. 

Erich Kron, security awareness advocate at security awareness training company KnowBe4 implies that it goes unsaid that Cisco decided against paying the ransom demanded by the ransomware group, which resulted in the stolen data being posted. 


Sophos: Employing Stolen Session Cookies to Navigate MFA & Access Networks

Hackers on the internet keep getting better. Stealing cookies from recently completed or ongoing web sessions is one new strategy they have been employing to avoid multi-factor authentication (MFA). 

Recently, Sophos researchers reported a new attack technique that is already becoming more prevalent. According to the researchers, the "cookie-stealing cybercrime spectrum" is vast, encompassing entry-level hackers as well as sophisticated rivals who employ a variety of strategies. 

On dark web forums, cybercriminals purchase stolen credentials in bulk or collect cookies. Because ransomware groups exploit genuine executables, both those that are already present and those that are added as tools, 'their operations may not be detected by simple anti-malware defenses.'

Cookie theft

Cookies are used by cloud infrastructures as well for user authentication. It's becoming simpler for entry-level attackers to engage in credential theft thanks to the malware-as-a-service sector. 

For instance, all they need to do is purchase a copy of an information-stealing Trojan like Raccoon Stealer to bulk collect information like cookies and passwords and then sell them on illicit markets like Genesis. Once this data is purchased, other criminals in the attack chain, such as ransomware developers, can search through it for anything they think would help their attacks. 

In contrast hand, in two of the most recent events that Sophos studied, the attackers adopted a more focused strategy. For one event, the hackers infiltrated a target's network for months in order to collect cookies from the Microsoft Edge browser. The attackers employed Cobalt Strike and Meterpreter activity to take advantage of a legal compiler tool in order to scrape access tokens after the initial penetration occurred via an exploit kit.

The attackers dropped a malicious payload that scraped cookie files for a week using a legal Microsoft Visual Studio component.

"Although mass cookie theft has been an issue, hackers are using a far more focused and efficient method to steal cookies. There is no limit to the kinds of nefarious activities attackers might engage in with stolen session cookies now that so much of the workplace is web-based. Hackers have the power to alter cloud infrastructures, corrupt corporate email, persuade other staff members to download malware, and even modify product code. Their own imagination is their only constraint," said Sean Gallagher, principal threat researcher at Sophos.

Cookies Access Systems Against Safety Protocols

According to Digital Trends, hackers are able to abuse different online tools and services as a result of cookie theft. This exploitation can occur in browsers, web-based programs, web services, malware-infected emails, and ZIP files. Since cookies are so popular, hacking with them is a sophisticated practice.

Sophos lists Emotet botnet as one cookie-stealing virus that preys on data in the Google Chrome browser. Acquiring data from credit cards and saved logins are the objectives. Even if the browser is encrypted and uses multifactor authentication, the Emotet botnet can still gather login information.

Ransomware organizations also gather cookies. As hackers exploit genuine executables that are both already present and ones that can bring with them tools, simple anti-malware defenses are unable to detect their actions, according to eSecurity Planet.

Microsoft Facing a Growing Threat by Cryptojackers

 

Cryptojackers, are still invading computers all over the world while also getting more discreet and skilled at evading detection. The data was released by Microsoft's 365 Defender Research Team, which on Thursday posted a new analysis of cryptojackers on its blog.

Microsoft Defender Antivirus detects cryptojackers on more than 200,000 devices per day using a variety of sensors and innovative detection techniques, including its connection with Intel TDT. In campaigns, hackers strongly favor the exploitation of notepad.exe over several valid system utilities.

What are Cryptojackers?

Cryptojackers are mining viruses that hijack and use a target's device resources for the former's gain without the user's knowledge or approval. They are one of the threat categories that have emerged and thrived since the advent of cryptocurrencies. The threat data indicates that over the past year, companies have encountered millions of cryptojackers.

Furthermore, as per Microsoft, Javascript is frequently used in the creation of cryptojackers, which in this instance use browsers to infiltrate systems. The tech titan also cautioned against fileless cryptojackers, who mine in a device's memory and maintain persistence by abusing legal programs and LOLBins.

Cryptojacking operation

Among several legitimate system utilities, notepad.exe abuse is heavily favored by attackers in campaigns that have been observed. An improved version of the cryptojacker known as Mehcrypt was employed in this campaign. 
  • This is a significant improvement over the previous version, which used a script to access its command-and-control (C2) server and download additional components that later carried out malicious deeds. 
  • The new version also condenses all of its routines into a single script and connects to a C2 server in the final stage of its attack chain.
  • An archive file containing autoit.exe and a heavily obscured, arbitrarily named.au3 script serves as the threat's delivery vehicle. 
  • Autoit.exe is started when the archive file is opened, and it decodes the.au3 script in memory. 
  • When the script is executed, it continues to decode more obfuscation layers and loads more decoded scripts into memory.
  • The script then places a copy of itself and autoit.exe in a folder with an arbitrary name under C:ProgramData.
  • To run the script each time the device begins, the script inserts autostart registry entries and generates a scheduled task to destroy the original files.
  • The software then incorporates persistence methods, loads malicious code into VBC.exe using process hollowing, and establishes a connection to a C2 server to wait for commands. 
  • The software loads its cryptojacking code into notepad.exe using process hollowing based on the C2 answer.

The warning was issued just a few weeks after Microsoft released a study describing how a widespread phishing effort managed to steal sign-in credentials, hijack sign-in sessions, and bypass the authentication step even when multi-factor authentication (MFA) was turned on.

Microsoft: Phishing Alert Over Russian-Related Threats

As part of the cybercrime gang's illegal surveillance and data theft operations, Microsoft claims to have banned accounts used by the Seaborgium troupe, which has ties to Russia, to spam and exploit login information.

In order to identify employees who work for the victims, the hackers exploited bogus LinkedIn profiles, email, OneDrive, and other Microsoft cloud services accounts.

Microsoft is keeping tabs on the cluster of espionage-related activities under the chemical element-themed moniker SEABORGIUM, which it claims is associated with a hacker organization also known as Callisto, COLDRIVER, and TA446.

Coldriver, alias Seaborgium, was accused of running a hack-and-leak campaign resulting in the publication of documents that were purportedly obtained from high-ranking Brexit supporters, including Richard Dearlove, a former British agent. 

Targets &Tactics

Microsoft reported that it had seen "only very modest changes in their social engineering tactics and in how they deliver the initial malicious URL to their targets."

The main targets are think tanks, higher education institutions, non-governmental and intergovernmental organizations (IGOs), defense and intelligence consulting firms, and to a lesser extent, nations in the Baltics, Nordics, and Eastern Europe.

Former secret services, Russian affairs experts, and Russian nationals living abroad are further subjects of interest. It is estimated that more than 30 businesses and individual accounts were infected.

The process begins with the reconnaissance of potential targets using fictitious personas made on social media sites like LinkedIn, and then contact is established with them through neutral email messages sent from recently registered accounts that have been set up to match the names of the fictitious subjects.

If the target falls prey to the malicious code tactic, hackers launch the attack sequence by sending a weaponized message that contains a PDF document that has been compromised or a link to a file stored on OneDrive. 

According to Microsoft, "SEABORGIUM also abuses OneDrive to host PDF files that contain a link to the malicious URL.  Since the start of 2022, The actors have included a OneDrive link in the email body that, when clicked, takes the subscriber to a PDF file held within a SEABORGIUM-controlled OneDrive account."

Additionally, it has been discovered that the adversary conceals its operational network using open redirects which appear to be innocent to drive visitors to the malicious server, which then asks them to input their credentials in order to view the material.

The last stage of the attack involves leveraging the victim's email accounts with the stolen login information, exploiting the illegal logins to exfiltrate emails and attachments, setting up email forwarding rules to assure ongoing data gathering, and executing other key work.

Caution

According to Redmond, "SEABORGIUM has been spotted in a number of instances employing their impersonation accounts to encourage dialog with certain people of interest and, as a result, were involved in conversations, sometimes unintentionally, involving several users."

The enterprise security firm Proofpoint noted the group's propensity for reconnaissance and skilled impersonation for the delivery of malicious links. Proofpoint records the actor under the moniker TA446.

As per Microsoft, there are steps that may be taken to counter Seaborgium's strategies. This entails turning off email auto-forwarding and configuring Office 365 email settings to stop fake emails, spam, and emails containing viruses.

The security team also suggests utilizing more secure MFA techniques, such as FIDO tokens or authenticator tools with number matching, in place of telephony-based MFA and demanding multi-factor authentication (MFA) for all users from all locations, even those that are trusted.

Ransomware Gang Hacks Cisco

The Yanluowang ransomware organization broke into Cisco's business network in late May and stole internal data, the company said in a statement.

Hacker's compromised a Cisco employee's credentials after taking over a personal Google account where credentials saved in the victim's browser were being synced, according to an investigation by Cisco Security Incident Response (CSIRT) and Cisco Talos.

Cisco claims that an attacker targeted one of its employees and was only successful in stealing files from a Box folder linked to that employee's account and employee authentication information from Active Directory. According to the company, the data kept in the Box folder wasn't sensitive.

The Yanluowang threat actors hijacked a Cisco employee's personal Google account, which contained credentials synchronized from their browser, and used those credentials to enter Cisco's network.

Through MFA fatigue and a series of sophisticated voice phishing assaults carried out by the Yanluowang gang under the guise of reputable assistance businesses, the attacker persuaded the Cisco employee to accept multi-factor authentication (MFA) push alerts.

Cisco has linked the attack to an initial access broker with ties to Lapsus$, the gang that attacked several major corporations before its alleged members were apprehended by law enforcement, as well as threat actor UNC2447, a group with ties to Russia known for using the ransomware FiveHands and HelloKitty. The Yanluowang ransomware group has also been connected to the initial access broker.

In actuality, the Yanluowang ransomware organization claimed responsibility for the attack and said it had stolen about 3,000 files totaling 2.8Gb in size. According to the file names the hackers have disclosed, they may have stolen NDAs, source code, VPN clients, and other data.

The attack did not use ransomware that encrypts files. After being removed from Cisco's systems, the hackers did email Cisco executives, but it didn't contain any explicit threats or demands for ransom.






Microsoft Hit by Huge Service Outage


This week's 6-hour-long global outage of Microsoft 365 was caused by a flawed Enterprise Configuration Service (ECS) deployment, as per a preliminary post-incident review. This deployment caused cascade errors and availability effects across numerous locations.

ECS is an internal central configuration repository created to allow Microsoft services to make targeted updates, such as particular configurations per tenant or user, as well as broad-scope dynamic changes affecting many services and features.

According to Microsoft, a recent deployment that featured a "broken link to an internal storage service" was the most likely reason for an outage that prevented many customers from accessing or using a variety of Microsoft 365 products for several hours.

Access to several Microsoft services, including Microsoft Teams, Exchange Server, Microsoft 365 admin center, Microsoft Word, and other Office programs, was slowed down as a result of the service issues, which began on Wednesday, July 20 in the evening and persisted into Thursday morning. Microsoft Managed Desktop and other services were also not able to auto-patch due to the problem.

Overview of the outage

Through its public Twitter statements, Microsoft failed to mention the location of the disruptions. According to comments in Microsoft's Twitter statement, the Teams outage appears to have impacted users in Los Angeles, Dallas, New York City, Hong Kong, and Eastern Australia.

With its cloud computing, Microsoft does have a complex service level agreement. Accordingly, the sole form of compensation for any downtime that an organization can receive is a service-time credit. Additionally, since it is not automatically applied, they must ask for the service credit.

"Telemetry shows that this incident had an impact on about 300,000 calls. Due to business hours falling inside the effect timeframe, the Asia Pacific (APAC) region was the most impacted. Direct Routing and Skype MFA were also significantly affected," the company explained.


What sparked the outage?

In the end, the incident had an impact on users seeking to use one or more of the Microsoft 365 apps and services, according to Bleeping Computer.

The botched Enterprise Configuration Service (ECS) deployment was the initial root cause of this outage, as stated by Redmond in their incident report. "Backward compatibility with services that use ECS was impacted by a deployment of the ECS service that had a code flaw. The end result was that it would send inaccurate configurations to all of its partners for services using ECS " the firm stated.

As a result, downstream services received a status response with the code 200, suggesting that the pull was successful, but it just included a JSON object that was poorly formatted. How each Microsoft service used the flawed configuration supplied by ECS determined the impact's severity. Impact varied from services collapsing, like Teams, to low or no impact on other services.

Microsoft claims that as a result of this incident, they are working to strengthen the Microsoft Teams service's resilience so that it may fall back to a previous version of the ECS configuration in the case of a future ECS failure.


84% of US Businesses Experienced Identity-Related Breaches

 

According to new information from the non-profit Id Outlined Safety Alliance, the range of security breaches resulting from phishing or exploiting identities has reached epidemic proportions (IDSA). For its 2022 Developments in Securing Digital Identities report, the IDSA surveyed 500 US identity and security experts. 

In the past year, 84 % of respondents reported having suffered an identity-related hack, with the clear majority (78 %) stating that it had a direct effect on the firm. Increased identity fraud in the corporate sector daily contributes to the issue. 

When leaders prioritize identity security, risky behavior is reduced. 71 % of companies have executives who publicly address staff members about password security. In the light of that, risky security behaviors were acknowledged by 60% of IT/security stakeholders. 

Having focused on the fundamentals and investments in security outcomes 97%  will invest in identity-focused security results. MFA is a major area of interest, especially for employees and privileged users. 

The report suggested a few basic steps businesses may take to enhance security outcomes of unauthorized access. When executives discuss corporate credentials, for instance, the survey found that 72% of respondents are more cautious with their work passwords than with using personal passwords. 

However, it seems that businesses are making sense. Almost all respondents (97%) stated they intended to invest in "identification-focused security outcomes," and 94 % reported that identity investments are a part of strategic efforts, such as cloud adoption (62 %), the deployment of Zero Trust (51 %), and digital transformation activities (42% ).

According to the Anti-Phishing Working Group(APWG), phishing reached an all-time high in the first quarter of 2022. 

Microsoft Now Permits IT Administrators to Evaluate and Deactivate Inactive Azure AD users

 

Azure Active Directory has received a handful of security updates from Microsoft. In preview, the business has unveiled a new access reviews tool that allows enterprises to delete inactive user accounts which may pose a security concern. Users who created the new Azure AD tenant after October 2019 received security defaults, however, customers who built Azure AD tenants before October 2019 did not receive security defaults. 

According to Microsoft, the Azure AD security defaults are utilized by around 30 million companies today, and the defaults will be rolled out to many more organizations, resulting in the settings protecting 60 million more accounts. IT admins could now terminate Azure AD accounts that haven't signed in for a certain number of days. 

The Azure Active Directory Identity Governance service now includes the new access review feature. It's useful for companies who don't want contractors or former employees to have access to sensitive data. Azure Active Directory (Azure AD) is a Microsoft cloud service that manages identification and authentication for on-premise and cloud applications. In Windows 2000, it was the advancement of Active Directory Domain Services. 

"The term "sign-in activity" refers to both interactive and non-interactive sign-in activities. Stale accounts may be automatically removed during the screening process. As a result, your company's security posture increases," Microsoft explained. 

According to Alex Weinert, Microsoft's director of identity security, the defaults were implemented for new tenants to ensure that they had "minimum security hygiene," including multi-factor authentication (MFA) and contemporary authentication, independent of the license. He points out that the 30 million firms which have security defaults in place are significantly less vulnerable to intrusions.

This month, Microsoft will send an email to all global admins of qualified Azure AD tenants informing them of security settings. These administrators will receive an Outlook notification from Microsoft in late June, instructing them to "activate security defaults" and warning of "security defaults will be enforced automatically for respective businesses in 14 days." All users in a tenant will be required to register for MFA using the Microsoft Authenticator app after it has been activated. A phone number is also required of global administrators.

Devious Phishing Tactic Circumvents MFA Using Remote Access Software

 

As per a new phishing technique,adversaries can defeat multi-factor authentication (MFA) by having victims connect to their accounts directly on attacker-controlled servers using the VNC screen sharing system.

Bypassing multi-factor authentication (MFA) configured on the intended victim's email accounts is one of the most difficult barriers to successful phishing attempts. Even if threat actors can persuade users to input their credentials on a phishing site, if the account is protected by MFA, completely breaching the account requires the victim's one-time passcode. 

Phishing kits have been upgraded to employ reverse proxies or other means to obtain MFA codes from unwitting victims to get access to a target's MFA-protected accounts. Companies, on the other hand, are becoming aware of this technique and have begun implementing security measures that prevent logins or cancel accounts when reverse proxies are found. VNC is here to help. 

Mr.d0x, a security researcher, attempted to create a phishing attack on the client's employees to get corporate account credentials while conducting a penetration test for a customer. Mr.d0x put up a phishing assault utilising the Evilginx2 attack framework, which operates as a reverse proxy to steal credentials and MFA codes because all of the accounts were configured with MFA. 

The researcher discovered that when reverse proxies or man-in-the-middle (MiTM) attacks were detected, Google blocked logins. According to Mr.d0x, this was a new security feature installed by Google in 2019 precisely to avoid these types of attacks. 

Websites like LinkedIn, according to the researcher, identify man-in-the-middle (MiTM) assaults and delete accounts following successful logins. To get around this, Mr.d0x devised a cunning new phishing technique that employs the noVNC remote access software and browsers in kiosk mode to display email login prompts that are hosted on the attacker's server but shown in the victim's browser. 

VNC is a remote access software that allows users to connect to and control the desktop of a logged-in user. Most people use dedicated VNC clients to connect to a VNC server, which opens the remote desktop in a similar way to Windows Remote Desktop. 

An application called noVNC, on the other hand, allows users to connect to a VNC server directly from within a browser by merely clicking a link, which is where the researcher's new phishing method comes into play. 

A new report by Mr.d0x on his new phishing technique explained, "So how do we use noVNC to steal credentials & bypass 2FA? Setup a server with noVNC, run Firefox (or any other browser) in kiosk mode and head to the website you’d like the user to authenticate to (e.g. accounts.google.com)."   

"Send the link to the target user and when the user clicks the URL they’ll be accessing the VNC session without realizing. And because you’ve already set up Firefox in kiosk mode all the user will see is a web page, as expected." 

A threat actor can use this configuration to send targeted spear-phishing emails with links that launch the target's browser and log into the attacker's remote VNC server. These links are highly customisable, allowing the attacker to make links that do not appear to be suspicious VNC login URLs.  

Since the attacker's VNC server is set up to run a browser in kiosk mode, which displays the browser in full-screen mode, when the victim clicks on a link, they will be taken to a login screen for the targeted email provider, where they can log in as usual. 

However, because the attacker's VNC server is displaying the login prompt, all login attempts will be made directly on the remote server. Once a user logs into the account, an attacker can utilise a variety of tools to obtain passwords and security tokens, according to Mr.d0x. 

Even more dangerous, since the user enters the one-time passcode directly on the attacker's server, authorising the device for future login attempts, this technique bypasses MFA. If the attack was limited to a few people, merely entering into their email account using the attacker's VNC session would grant the device permission to connect to the account in the future. Because VNC allows many individuals to monitor the same session, an attacker might disconnect the victim's connection after the account was logged in and reconnect later to gain access to the account and all of its email. 

While this attack is yet to be observed in the open, the researcher told BleepingComputer that he believes it will be used in the future. Every phishing advice remains the same when it comes to safeguarding from these types of attacks: do not click on URLs from unknown senders, scan embedded links for strange domains, and take all email as suspect, especially when it asks you to log in to your account.