Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Report. Show all posts
W3LL
Account Attack BEC Business Compromise Cyber Security Cyberattack CyberCrime Email hack Hacking MFA Microsoft Panel phishing Report Security threat W3LL

W3LL Store: Unmasking a Covert Phishing Operation Targeting 8,000+ Microsoft 365 Accounts

 

A hitherto undisclosed "phishing empire" has been identified in a series of cyber attacks targeting Microsoft 365 business email accounts spanning six years. 

According to a report from cybersecurity firm Group-IB, the threat actor established an underground market called W3LL Store, catering to a closed community of around 500 threat actors. This market offered a custom phishing kit called W3LL Panel, specifically designed to bypass Multi-Factor Authentication (MFA), alongside 16 other specialized tools for Business Email Compromise (BEC) attacks.

Between October 2022 and July 2023, the phishing infrastructure is estimated to have aimed at over 56,000 corporate Microsoft 365 accounts,  compromising at least 8,000 of them. The majority of the attacks were concentrated in countries including the U.S., the U.K., Australia, Germany, Canada, France, the Netherlands, Switzerland, and Italy. The operators of this operation reportedly reaped approximately $500,000 in illegal gains.

Various sectors fell victim to this phishing campaign, notably manufacturing, IT, consulting, financial services, healthcare, and legal services. Group-IB pinpointed almost 850 distinct phishing websites associated with the W3LL Panel during the same timeframe.

The Singapore-based cybersecurity company has characterized W3LL as a comprehensive phishing tool that offers an array of services, encompassing customized phishing tools, mailing lists, and access to compromised servers. This underscores the growing prevalence of phishing-as-a-service (PhaaS) platforms.

The threat actor responsible for this kit has been active since 2017, initially focusing on creating tailored software for bulk email spam (referred to as PunnySender and W3LL Sender) before shifting their attention towards developing phishing tools for infiltrating corporate email accounts.

A key element of W3LL's arsenal is an adversary-in-the-middle (AiTM) phishing kit, capable of evading multi-factor authentication (MFA) protections. It is available for purchase at $500 for a three-month subscription, followed by a monthly fee of $150. The panel not only harvests credentials but also includes anti-bot features to bypass automated web content scanners, prolonging the lifespan of their phishing and malware campaigns.

The W3LL Store extends a 70/30 split on commissions earned through its reseller program to PhaaS affiliates, along with a 10% "referral bonus" for bringing in other trusted parties. To prevent unauthorized distribution or resale, each copy of the panel requires a license-based activation.

BEC attacks employing the W3LL phishing kit involve a preparatory phase to verify email addresses using an auxiliary utility known as LOMPAT, followed by the delivery of phishing messages. Victims who interact with the deceptive link or attachment are directed through an anti-bot script to filter out unauthorized visitors, subsequently landing on the phishing page via a redirect chain employing AiTM tactics to extract credentials and session cookies.

With this access, the threat actor proceeds to log into the target's Microsoft 365 account without triggering MFA, utilizing a custom tool called CONTOOL for automated account discovery. This enables the extraction of emails, phone numbers, and other sensitive information.

Noteworthy tactics employed by the malware author include using Hastebin, a file-sharing service, to store stolen session cookies, and utilizing platforms like Telegram and email for exfiltrating the credentials to criminal actors.

This disclosure comes shortly after Microsoft's warning regarding the proliferation of AiTM techniques through PhaaS platforms, such as EvilGinx, Modlishka, Muraena, EvilProxy, and Greatness, which facilitate unauthorized access to privileged systems at scale without the need for re-authentication.

"What really makes W3LL Store and its products stand out from other underground markets is the fact that W3LL created not just a marketplace but a complex phishing ecosystem with a fully compatible custom toolset that covers almost entire killchain of BEC and can be used by cybercriminals of all technical skill levels," Group-IB's Anton Ushakov said.

"The growing demand for phishing tools has created a thriving underground market, attracting an increasing number of vendors. This competition drives continuous innovation among phishing developers, who seek to enhance the efficiency of their malicious tools through new features and approaches to their criminal operations."


Read more »
Vulnerability
Australia Breach Customer Cyber Attacks Data Energy Experts Investigation Ransomware Report Security Software threat UK Vulnerability

Cyberattack Strikes Australian Energy Software Company Energy One

 

Energy One, an Australian company specializing in software solutions and services for the energy industry, has fallen victim to a cyber assault.

In an announcement made on Monday, the company revealed that the breach was identified on August 18 and had repercussions for certain internal systems both in Australia and the United Kingdom.

“As part of its work to ensure customer security, Energy One has disabled some links between its corporate and customer-facing systems,” Energy One said.

Energy One is actively engaged in an inquiry to ascertain the extent of the impact on customer-related systems and personal data. The organization is also committed to tracing the initial point of intrusion employed by the attacker.

Though detailed specifics about the attack are presently undisclosed, the company's official statement strongly suggests the possibility of a deliberate ransomware attack.

To facilitate the investigation, cybersecurity specialists have been enlisted, and competent authorities in both Australia and the UK have been informed about the incident.

According to a recent report by Searchlight Cyber, a British threat intelligence firm, malevolent actors have been peddling opportunities for initial access into energy sector enterprises globally, with prices ranging from $20 to $2,500.

Perpetrators of cybercrime can exploit various avenues, including Remote Desktop Protocol (RDP) access, compromised login credentials, and vulnerabilities in devices like Fortinet products.
Read more »
Security
Cyber Attacks Data Ransomware attack Report Safe Safety Security

Rising Costs of Cyberattacks: Ransomware Victims Paying More, Finds Report

 

Indigo Books & Music continues to calculate the extensive expenses resulting from a ransomware attack that temporarily crippled its e-commerce platform, disrupted payment processing in retail stores for three days, and caused its website to go offline for approximately a month earlier this year.

During its most recent quarter, the retailer incurred a loss of $42.5 million, $19 million more than the same period last year. Indigo stated that although an exact figure is unavailable, the majority of this increased loss was attributed to the cyberattack.

Indigo made the decision not to pay a ransom to the perpetrators, who utilized LockBit, a type of software, to unlawfully gain access to its network. The company expressed concerns that paying the ransom could potentially fund terrorists or individuals on sanctions lists.

However, a recent report from Blakes, a law firm, reveals that most Canadian companies affected by ransomware attacks do comply with ransom demands, which have become considerably more costly for businesses compared to previous years.

Ransomware attacks occur when hackers use malware to infiltrate a company's IT systems, encrypt or steal information, and then demand payment in exchange for its return.

“The threat actors — the bad guys — are getting to be quite sophisticated in their attacks,” said Sunny Handa, a partner at Blakes who leads the firm’s technology practice.

“They are taking a lot of data, they are targeting sensitive data and they are publishing that data … they’re (also) hunting down the backups and they’re destroying backup systems.”

According to Handa, a breach counsel advising clients on cyberattacks, once a business's networks are encrypted by hackers, the company's operations are effectively paralyzed. This factor, along with the emergence of an industry centered around cyberattacks, contributes to the willingness of victims to pay ransoms to avoid extended disruptions to their operations.

Handa states that the value of ransom demands continues to rise as hackers invest more in their techniques and recognize the existence of a market where victims are willing to pay higher sums.

Blakes compiled its report based on publicly traded companies listed on the Toronto Stock Exchange that disclosed cyberattacks, as well as information from its own clients. The report covers breaches that occurred from September 1, 2021, to December 31, 2022.

Handa clarifies that the report does not encompass every data breach in Canada but aims to provide insights into trends within the industry. Although the exact number of incidents each year is unclear due to many companies not disclosing cyberattacks, Handa estimates the figure to be in the thousands.

Apart from ransom payments, companies face various financial consequences when dealing with data breaches. Handa highlights the "hard costs" associated with hiring professionals such as himself, forensic teams, and communication experts. Additionally, there are the "opportunity costs" stemming from lost business and the potential damage to a company's public image.

In its recent disclosure, Indigo revealed that it spent $5.2 million to address the ransomware attack, which included legal and professional fees, data remediation costs, hardware and software restoration, and losses related to inventory. Furthermore, the attack impeded sales processing and caused significant operational disruptions for the company.

Indigo has cyber insurance coverage and is currently working with its insurer to file claims, but it anticipates a delay between incurring costs and receiving insurance compensation.

Last week, Calgary-based Suncor experienced a cyberattack that is expected to result in substantial financial losses for the company.

Canada's Communications Security Establishment, the electronic spy agency, stated in its annual report last week that it successfully blocked 2.3 trillion "malicious actions" targeting the federal government throughout the previous fiscal year.
Read more »
Security
Cyber Security Data Data Safety data security Investments Report Safety Security

Insufficient Investments Impede Progress in Identity Security Measures

 

According to a report from The Identity Defined Security Alliance (IDSA), organizations are still struggling with incidents related to identity, with a concerning 90% of them reporting such incidents within the past year. This marks a 6% increase compared to the previous year. 

The growing number of identities has presented significant challenges for identity stakeholders, who often lack sufficient support from their leadership teams. Shockingly, only 49% of the respondents indicated that their leadership teams understand identity and security risks and take proactive measures to invest in protection before experiencing an incident.

“As cloud adoption, remote work, mobile device usage, and third-party relationships drive up the number of identities, more and more organizations are suffering from identity-related incidents,” said Jeff Reich, Executive Director, IDSA.

“Protecting digital identities has never been more important in the fight against increasingly savvy cyberattacks. And while managing and securing identities continues to be called out as a top priority by organizations, meaningful shifts in proactive investment and leadership are necessary to reduce risk,” Reich continued

In the face of rapidly increasing cyberattacks in terms of both sophistication and volume, safeguarding digital identities has become more critical than ever. Organizations must ensure that only authorized individuals have access to appropriate data, networks, and systems. Additionally, they need to employ effective technologies to prevent malicious actors from gaining access to sensitive information.

The research highlights that the expanding number of identities has resulted in more businesses experiencing identity-related incidents, leading them to prioritize identity security as a crucial focus area. However, securing these identities remains a major challenge for most organizations, and achieving desired security outcomes is an ongoing process.

The report identifies several barriers faced by security teams, including complex identity frameworks due to multiple vendors and different architectures (40%), as well as intricate technology environments (39%). Respondents also cited insufficient budget (30%), lack of expertise (29%), absence of standards (26%), inadequate personnel (25%), and governance issues (23%) as additional hurdles.

Furthermore, the study reveals that 55% of the respondents attribute the increase in the number of identities to the adoption of more cloud applications. Other significant factors driving identity growth include the rise of remote work (50%), increased usage of mobile devices (44%), and the establishment of third-party relationships (41%). Managing and securing identities emerge as a top-five priority for 86% of the surveyed organizations.

Regarding the impact of emerging trends on identity security, 89% of businesses express concerns about the influence of new privacy regulations. Furthermore, 98% of the respondents believe that artificial intelligence and machine learning (AI/ML) can address identity-related challenges, with 63% highlighting the identification of outlier behaviors as the primary use case. Businesses also worry about employees using corporate credentials for social media accounts, with 90% expressing slight or significant levels of concern.

Although investments in security outcomes have shown improvement, the process is still a work in progress. 96% of identity stakeholders believe that better security outcomes could have mitigated the business impact of incidents. Some of the measures that could have prevented or minimized the effects of incidents, according to the respondents, include implementing multifactor authentication (MFA) for all users (42%), conducting timely reviews of access to sensitive data (40%), and managing privileged access (34%). Additionally, 97% of the organizations plan to further invest in security outcomes in the next 12 months.
Read more »
Technology News
Android Connectivity Mobile Phones Phone Report Satellite Smartphone Technology Technology News

Report States Many Phones To Soon Get Satellite Connectivity

 

A new partnership between satellite phone company Iridium and chip giant Qualcomm will bring satellite connectivity to premium Android smartphones later this year. It implies that handsets can communicate with passing satellites to send and receive messages even in areas with no mobile coverage.

Qualcomm chips are found in many Android-powered smartphones. Apple announced a satellite feature for the iPhone 14 in September 2022. The service is currently only available for sending and receiving basic text messages in an emergency.

Bullitt, a British smartphone maker, was the first to launch its own satellite service, beating Apple to the punch. It is also intended for emergency use and will initially be available in select areas.

Iridium was the first satellite phone system, launching its first satellite into orbit in 1997. In 2019, it completed a refresh of its 75-spacecraft network.

The satellites cover the entire globe and fly in low orbit, approximately 485 miles (780 kilometres) above the Earth, and groups of them can communicate with one another, passing data between them.

Qualcomm stated that the new feature, dubbed Snapdragon Satellite, will initially be included only in its premium chips and is unlikely to appear in low-cost devices.

However, it will ultimately be rolled out to tablets, laptops, and even vehicles, and will also become a service that is not limited to emergency communication - though there will most probably be a fee for this.

Satellite connectivity is widely regarded as the next frontier for mobile phones because it addresses the issue of "not-spots," or areas with no existing coverage. These are more common in rural or remote areas.

It has already been used to provide broadband coverage by services like Elon Musk's Starlink. Satellite broadband is faster and more reliable than cable or fiber connections but is more expensive.

But since countries such as India and China prohibit the use of satellite phones, the use of the feature will be subject to local government regulations.
Read more »
Vulnerabilities and Exploits
Amazon Android Apps Bugs Flaws Report Vulnerabilities and Exploits

Amazon Patches Ring Android App Flaw Exposing Camera Recordings

 

Amazon has patched a critical vulnerability in the Amazon Ring app for Android that could have enabled hackers to download saved camera recordings from customers. The flaw was discovered and disclosed to Amazon on May 1st, 2022 by security researchers at application security testing company Checkmarx, and it was fixed on May 27th. 

Because the Ring Android app has over 10 million downloads and is used by people all over the world, access to a customer's saved camera recordings could have enabled a wide range of malicious behaviour, from extortion to data theft. 

Checkmarx discovered an 'activity' that could be launched by any other app installed on the Android device while analysing the Ring Android app. An 'activity' on Android is a programme 0component that displays a screen that users can interact with to perform a specific action. When developing an Android app, you can expose that activity to other installed apps by including it in the app's manifest file.

Checkmarx discovered that the 'com.ringapp/com.ring.nh.deeplink.DeepLinkActivity' activity was exposed in the app's manifest, enabling any other install app to launch it.

"This activity would accept, load, and execute web content from any server, as long as the Intent's destination URI contained the string “/better-neighborhoods/”," explained a report by Checkmarx shared with BleepingComputer before publishing.

This meant they could start the activity and send it to an attacker-controlled web server to interact with it. However, only pages hosted on the ring.com or a2z.com domains were able to interact with the activity.

The Checkmarx researchers got around this restriction by discovering an XSS vulnerability on the https://cyberchef.schlarpc.people.a2z.com/ URL, which allowed them to compromise the system.

"With this cookie, it was then possible to use Ring’s APIs to extract the customer’s personal data, including full name, email, and phone number, and their Ring device’s data, including geolocation, address, and recordings." - Checkmarx.

With a working attack chain in place, the researchers could have exploited the vulnerability by developing and publishing a malicious app on Google Play or another site. Once a user was duped into installing the app, it would launch the attack and send the Ring customer's authentication cookies to the attackers.

Analyzing videos with machine learning

However, as a threat actor, what would you do with the massive amount of videos that you could gain access to by exploiting this vulnerability?

Checkmarx discovered that they could sift through the videos using the Amazon Rekognition service, an image and video analysis service. The service could use machine learning to find videos of celebrities, documents containing specific words, or even a password scribbled carelessly on a post-it note stuck to a monitor.

This information could then be relayed back to the threat actor, who could use it for extortion, network intrusion, or simply to be a voyeuristic observer. The good news is that Amazon quickly responded to Checkmarx's bug report and released a fix.

"It was a pleasure to collaborate so effectively with the Amazon team, who took ownership and were professional through the disclosure and remediation process," concluded the Checkmarx report.

"We take the security of our devices and services seriously and appreciate the work of independent researchers. We issued a fix for supported Android customers back in May, soon after the researchers' submission was processed. Based on our review, no customer information was exposed," Ring told BleepingComputer.
Read more »
Vulnerabilities and Exploits
attacks CISO Log4j Report Research Risk Vulnerabilities and Exploits

Homeland Security Warns Log4j’s 'Endemic' Threats for Years to Come

 

The US Department of Homeland Security (DHS) published the Cyber Safety Review Board's (CSRB) first report into the December 2021 Log4j incident, when a variety of vulnerabilities with this Java-based logging framework were revealed, this week. 

The report's methodology comprised 90 days of interviews and information requests with around 80 organisations and individuals, including software developers, end users, security specialists, and businesses. 

This was done to ensure that the board met with a wide range of representatives and understand the complexities of how different attack surfaces are constructed and defended. According to the report, although standardised and reusable "building blocks" are essential for developing and expanding software, they also allow any possible vulnerability to be mistakenly included in multiple software packages, putting any organization that uses those programs at risk. 

According to the report, while Log4j remains dangerous, the government-wide approach helped tone down the vulnerability. The board also noted the need for extra financing to help the open-source software security community, which is primarily comprised of volunteers. 

Industry experts, such as Michael Skelton, senior director of security operations at Bugcrowd, said of Log4J: “Dealing with it is a marathon, one that will take years to resolve. Java and Log4j are prevalent everywhere, not only in core projects but in dependencies that other projects rely on, making detection and mitigation not as simple an exercise as it may be with other vulnerabilities.” 

John Bambenek, the principal threat hunter at Netenrich, was more critical of the report’s timing, believing that “anyone still vulnerable is highly unlikely to read this report or in much of a position to do anything about it if they did. Most of the American economy is small to medium businesses that almost always never have a CISO and likely not even a CIO. Until we find ways to make the public without security budgets safe, no high-level list of best practices will move the ball significantly.” 

The CSRB report went on to state that, thankfully, it is unaware of any large Log4j-based attacks on critical infrastructure assets or systems, and that efforts to hack Log4j happened at a lesser level than many experts expected. 

The paper, however, emphasises that the Log4j incident is "not over" and will continue to be an "endemic vulnerability" for many years, with considerable risk persisting. The research concluded with 19 actionable recommendations for government and business, which were divided into four divisions. They were as follows:
  • Address Continued Risks of Log4j
  • Drive Existing Best Practices for Security Hygiene
  • Build a Better Software Ecosystem
  • Investments in the Future
Read more »
survey
Cyber Security Privacy Report Research Safety Safety Measures survey

Survey: 89% Firms Experienced One or More Successful Email Breach

 

During the past 12 months, 89 percent of firms had one or more successful email intrusions, resulting in significant expenses. 

The vast majority of security teams believe that their email protection measures are useless against the most significant inbound threats, such as ransomware. This is according to a survey of business customers using Microsoft 365 for email commissioned by Cyren and conducted by Osterman Research. The survey examined issues with phishing, business email compromise (BEC), and ransomware threats, attacks that became costly incidents, and readiness to cope with attacks and incidents. 

“Security team managers are most concerned that current email security solutions do not block serious inbound threats (particularly ransomware), which requires time for response and remediation by the security team before dangerous threats are triggered by users,” according to the report.

Less than half of those surveyed felt their companies can prevent email threats from being delivered. Whereas, less than half of firms consider their current email security solutions to be efficient. Techniques to detect and stop mass-mailed phishing emails are seen as the least effective, followed by safeguards against impersonation attacks. 

As a result, it's perhaps unsurprising that nearly every company polled has experienced one or more sorts of email breaches. Overall, successful ransomware attacks have climbed by 71% in the last three years, Microsoft 365 credential compromise has increased by 49%, and successful phishing assaults have increased by 44%, according to the report. 

Email Defences 

When the firms looked into where email defence falls short, they discovered that, surprisingly, the use of email client plug-ins for users to flag questionable communications is on the upswing. According to a 2019 survey, half of the firms now employ an automatic email client plug-in for users to flag questionable email messages for review by skilled security personnel, up from 37% in 2019. The most common recipients of these reports are security operations centre analysts, email administrators, and an email security vendor or service provider, however, 78 percent of firms alert two or more groups. 

In addition, most firms now provide user training on email dangers, according to the survey: More than 99% of companies provide training at least once a year, and one out of every seven companies provides email security training monthly or more regularly. 

“Training more frequently reduces a range of threat markers Among organizations offering training every 90 days or more frequently, the likelihood of employees falling for a phishing, BEC or ransomware threat is less than organizations only training once or twice a year,” as per the report.

Furthermore, the survey discovered that more regular training leads to a higher number of suspicious messages being reported, as well as a higher percentage of these messages being reported as such. The survey also revealed that firms are utilising at least one additional security product to supplement Microsoft 365's basic email protections. However, the survey discovered that their implementation efficacy differs. 

The report explained, “Additive tools include Microsoft 365 Defender, security awareness training technology, a third-party secure email gateway or a third-party specialized anti-phishing add-on. There is a wide range of deployment patterns with the use of these tools.”

The firms came to the conclusion that these kinds of flaws, as well as weak defences in general, result in significant expenses for businesses.

“Costs include post-incident remediation, manual removal of malicious messages from inboxes, and time wasted on triaging messages reported as suspicious that prove to be benign. Organizations face a range of other costs too, including alert fatigue, cybersecurity analyst turnover, and regulatory fines” the report further read.
Read more »
threats
Cyber Security Ransomware Ransomware Threat Report Research Safety threats

Security Professionals View Ransomware and Terrorism as Equal Threats

 

Venafi published the results of a global poll of over 1,500 IT security decision-makers, which showed that 60% of security professionals believe ransomware threats should be treated on par with terrorism. 

Following the attack on the Colonial Pipeline earlier this year, the US Department of Justice upgraded the threat level of ransomware. According to the report, just about a third of respondents have put in place basic security protections to break the ransomware kill chain. 

Other significant findings:
  • Over the last 12 months, 67 per cent of respondents from companies with more than 500 employees have suffered a ransomware assault, rising to 80 per cent for companies with 3,000-4,999 employees. 
  • Although 37% of respondents said they would pay the ransom, 57% said they would reconsider if they had to publicly publish the payment, as required by the Ransomware Disclosure Act, a bill introduced in the US Senate that would require corporations to reveal ransomware payments within 48 hours.
  • Despite the increased frequency of ransomware assaults, 77 percent of respondents are optimistic that the mechanisms they have in place would keep them safe from ransomware. IT decision makers in Australia have the most faith in their tools (88 percent), compared to 71 percent in the United States and 70 percent in Germany.
  • Paying a ransom is considered "morally wrong" by 22% of respondents. 
  • Seventeen per cent of those hacked admitted to paying the ransom, with Americans paying the highest (25 per cent) and Australian businesses paying the least (9 per cent). 

Many depend on traditional security controls to tackle ransomware threats 

Kevin Bocek, VP ecosystem and threat intelligence at Venafi stated, “The fact that most IT security professionals consider terrorism and ransomware to be comparable threats tells you everything you need to know; these attacks are indiscriminate, debilitating, and embarrassing.” 

“Unfortunately, our research shows that while most organizations are extremely concerned about ransomware, they also have a false sense of security about their ability to prevent these devastating attacks. Too many organizations say they rely on traditional security controls like VPNs and vulnerability scanning instead of modern security controls, like code signing, that are built-in to security and development processes.” 

According to the survey, most businesses do not employ security controls that disrupt the ransomware kill chain early in the attack cycle. Many ransomware attacks begin with phishing emails including a malicious attachment, yet only 21% of ransomware assaults restrict all macros in Microsoft Office documents. 

Only 28% of firms require all software to be digitally signed by their organization before employees are permitted to execute it, and only 18% utilize group policy to limit the usage of PowerShell. 
Read more »
Subscribe to: Posts (Atom)