Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Security. Show all posts
User Safety
Cyber Safety Data Data Breach Data Leak Safety Security User Data User Safety

ERP Firm Data Breach Exposes Over 750 Million Records

 

A leading Enterprise Resource Planning (ERP) company based in Mexico inadvertently left an unsecured database online, exposing sensitive information on hundreds of thousands of users. This was discovered by cybersecurity researcher Jeremiah Fowler, who reported his findings to Website Planet. According to Fowler, the database contained 769 million records and was accessible to anyone who knew where to look.

The exposed data included highly sensitive and personally identifiable information such as API keys, secret keys, bank account numbers, tax identification numbers, and email addresses. The database, which is 395GB in size, belongs to ClickBalance, a software provider that offers a range of cloud-based business services including administration automation, accounting, inventory, and payroll.

Website Planet describes ClickBalance as one of Mexico’s largest ERP technology providers. Upon discovering the database, Fowler immediately contacted ClickBalance, which secured the database within hours. However, it remains unclear whether any malicious actors accessed the data before it was secured or whether the data has been used in any malicious activities. Fowler emphasizes that only a comprehensive forensic investigation can determine the full extent of the exposure.

The exposure of tax identification numbers and bank account details poses significant risks, enabling cybercriminals to conduct fraudulent activities. The theft of active email addresses is particularly concerning, as it allows criminals to launch phishing attacks that can deliver malware and ransomware.

Despite the severe potential consequences, unsecured databases continue to be a common cause of data breaches. Many large enterprises and government organizations have been found with online databases lacking adequate protection. For instance, a previous incident resulted in the personal information of the entire Brazilian population being leaked.
Read more »
Technology
AI Automation Cyber Threats Security survey Technology

AI's Rapid Code Development Outpaces Security Efforts

 


As artificial intelligence (AI) advances, it accelerates code development at a pace that cybersecurity teams struggle to match. A recent survey by Seemplicity, which included 300 US cybersecurity professionals, highlights this growing concern. The survey delves into key topics like vulnerability management, automation, and regulatory compliance, revealing a complex array of challenges and opportunities.

Fragmentation in Security Environments

Organisations now rely on an average of 38 different security product vendors, leading to significant complexity and fragmentation in their security frameworks. This fragmentation is a double-edged sword. While it broadens the arsenal against cyber threats, it also results in an overwhelming amount of noise from security tools. 51% of respondents report being inundated with alerts and notifications, many of which are false positives or non-critical issues. This noise significantly hampers effective vulnerability identification and prioritisation, causing delays in addressing real threats. Consequently, 85% of cybersecurity professionals find managing this noise to be a substantial challenge, with the primary issue being slow risk reduction.

The Rise of Automation in Cybersecurity

In the face of overwhelming security alerts, automation is emerging as a crucial tool for managing cybersecurity vulnerabilities. According to a survey by Seemplicity, 95% of organizations have implemented at least one automated method to manage the deluge of alerts. Automation is primarily used in three key areas:

1. Vulnerability Scanning: 65% of participants have adopted automation to enhance the precision and speed of identifying vulnerabilities, significantly streamlining this process.

2. Vulnerability Prioritization: 53% utilise automation to rank vulnerabilities based on their severity, ensuring that the most critical issues are addressed first.

3. Remediation: 41% of respondents automate the assignment of remediation tasks and the execution of fixes, making these processes more efficient.

Despite these advancements, 44% still rely on manual methods to some extent, highlighting obstacles to complete automation. Nevertheless, 89% of cybersecurity leaders acknowledge that automation has increased efficiency, particularly in accelerating threat response.

AI's Growing Role in Cybersecurity

The survey highlights a robust confidence in AI's ability to transform cybersecurity practices. An impressive 85% of organizations intend to increase their AI spending over the next five years. Survey participants expect AI to greatly enhance early stages of managing vulnerabilities in the following ways:

1. Vulnerability Assessment: It is argued by 38% of the demographic that AI will  boost the precision and effectiveness of spotting vulnerabilities.

2. Vulnerability Prioritisation: 30% view AI as crucial for accurately ranking vulnerabilities based on their severity and urgency.

Additionally, 64% of respondents see AI as a strong asset in combating cyber threats, indicating a high level of optimism about its potential. However, 68% are concerned that incorporating AI into software development will accelerate code production at a pace that outstrips security teams' ability to manage, creating new challenges in vulnerability management.


Views on New SEC Incident Reporting Requirements

The survey also sheds light on perspectives regarding the new SEC incident reporting requirements. Over half of the respondents see these regulations as opportunities to enhance vulnerability management, particularly in improving logging, reporting, and overall security hygiene. Surprisingly, fewer than a quarter of respondents view these requirements as adding bureaucratic burdens.

Trend Towards Continuous Threat Exposure Management (CTEM)

A trend from the survey is the likely adoption of Continuous Threat Exposure Management (CTEM) programs by 90% of respondents. Unlike traditional periodic assessments, CTEM provides continuous monitoring and proactive risk management, helping organizations stay ahead of threats by constantly assessing their IT infrastructure for vulnerabilities.

The Seemplicity survey highlights both the challenges and potential solutions in the evolving field of cybersecurity. As AI accelerates code development, integrating automation and continuous monitoring will be essential to managing the increasing complexity and noise in security environments. Organizations are increasingly recognizing the need for more intelligent and efficient methods to stay ahead of cyber threats, signaling a shift towards more proactive and comprehensive cybersecurity strategies.

Read more »
Security
Cyber Insurance Cyber Security insurance Safety Security

Significant Drop in Cyber-Insurance Premiums Makes Coverage More Affordable

 

Over the last year, a steady decline in premium rates has made cyber-insurance coverage more accessible and affordable for organizations of all sizes.

The primary driver behind this decrease is the increasingly competitive marketplace, with more insurance companies offering coverage for cybersecurity incidents such as ransomware attacks and data breaches. Additionally, improved cyber hygiene among insured organizations has contributed to the lower rates, according to a recent report from London-based Howden Insurance.

Howden's report highlighted a 15% reduction in average cyber-insurance premium rates in 2023 compared to the previous year. This decline follows a two-year period from December 2020 to December 2022 when rates surged due to a significant increase in ransomware-related claims.

Sarah Neild, head of cyber retail, UK, at Howden, stated, "Favorable dynamics have persisted into 2024, with the cost of cyber insurance continuing to fall despite ongoing attacks, heightened geopolitical instability, and the proliferation of GenAI. At no other point has the market experienced the current mix of conditions: a heightened threat landscape combined with a stable insurance market underpinned by robust risk controls."

Howden’s findings are echoed by US-based Aon, which reported a 17% decline in premium rates in 2023 compared to 2022. Aon also anticipates stable pricing through the end of the year due to ample capacity and a competitive market environment. Aon’s analysis showed that a rise in ransomware and other cyberattacks, alongside heightened regulatory reporting requirements, has increased interest in cyber insurance among organizations.

Shawn Ram, head of insurance at Coalition Insurance, noted that premium rates have declined even as cybersecurity-related claims have risen over the past year. "In 2023, overall claims frequency increased 13% year-over-year, and overall claims severity increased 10% YoY, resulting in an average loss of $100,000. Claims frequency increased across all revenue bands, with businesses between $25 million and $100 million in revenue seeing the sharpest spike — a 32% YoY increase." Despite the increased claims activity, pricing for cyber insurance remains stable due to the robust capacity in the market.

Insurance companies have become more adept at evaluating cyber risk, says Andrew Braunberg, an analyst with Omdia. "Carriers are getting a lot smarter in how they assess the cyber risks of prospects and the way they write up coverage," he explains, adding that insurers now conduct more thorough risk assessments and expect proactive security technologies to be in place.

Howden expects demand for cyber insurance from small and midsize enterprises (SMEs) to drive growth and price stability in the market over the next few years. SMEs, which contribute nearly half of the GDP in major economies, represent an underserved demographic offering significant growth opportunities for insurers and brokers. The market is also projected to expand significantly as insurance companies look to grow outside the US, which currently accounts for two-thirds of the global market.

Xing Xin, CEO and co-founder of cyber insurer Upfort, believes that while there are enough insurers eager to write more business around cybersecurity to keep prices stable for now, increased claims frequency and severity may eventually impact underwriting and rates. "A widespread cybersecurity issue that systemically triggers a high count of policies could reverse the current trend, leading to accelerated rate growth," he cautions.

By leveraging these insights, Elivaas can stay ahead in the rapidly evolving landscape of cyber-insurance, ensuring robust protection for their clients and continued market leadership.
Read more »
Vulnerabilities and Exploits
AI companies ChatGPT Data Leak OpenAI Security Vulnerabilities and Exploits

OpenAI Hack Exposes Hidden Risks in AI's Data Goldmine


A recent security incident at OpenAI serves as a reminder that AI companies have become prime targets for hackers. Although the breach, which came to light following comments by former OpenAI employee Leopold Aschenbrenner, appears to have been limited to an employee discussion forum, it underlines the steep value of data these companies hold and the growing threats they face.

The New York Times detailed the hack after Aschenbrenner labelled it a “major security incident” on a podcast. However, anonymous sources within OpenAI clarified that the breach did not extend beyond an employee forum. While this might seem minor compared to a full-scale data leak, even superficial breaches should not be dismissed lightly. Unverified access to internal discussions can provide valuable insights and potentially lead to more severe vulnerabilities being exploited.

AI companies like OpenAI are custodians of incredibly valuable data. This includes high-quality training data, bulk user interactions, and customer-specific information. These datasets are crucial for developing advanced models and maintaining competitive edges in the AI ecosystem.

Training data is the cornerstone of AI model development. Companies like OpenAI invest vast amounts of resources to curate and refine these datasets. Contrary to the belief that these are just massive collections of web-scraped data, significant human effort is involved in making this data suitable for training advanced models. The quality of these datasets can impact the performance of AI models, making them highly coveted by competitors and adversaries.

OpenAI has amassed billions of user interactions through its ChatGPT platform. This data provides deep insights into user behaviour and preferences, much more detailed than traditional search engine data. For instance, a conversation about purchasing an air conditioner can reveal preferences, budget considerations, and brand biases, offering invaluable information to marketers and analysts. This treasure trove of data highlights the potential for AI companies to become targets for those seeking to exploit this information for commercial or malicious purposes.

Many organisations use AI tools for various applications, often integrating them with their internal databases. This can range from simple tasks like searching old budget sheets to more sensitive applications involving proprietary software code. The AI providers thus have access to critical business information, making them attractive targets for cyberattacks. Ensuring the security of this data is paramount, but the evolving nature of AI technology means that standard practices are still being established and refined.

AI companies, like other SaaS providers, are capable of implementing robust security measures to protect their data. However, the inherent value of the data they hold means they are under constant threat from hackers. The recent breach at OpenAI, despite being limited, should serve as a warning to all businesses interacting with AI firms. Security in the AI industry is a continuous, evolving challenge, compounded by the very AI technologies these companies develop, which can be used both for defence and attack.

The OpenAI breach, although seemingly minor, highlights the critical need for heightened security in the AI industry. As AI companies continue to amass and utilise vast amounts of valuable data, they will inevitably become more attractive targets for cyberattacks. Businesses must remain vigilant and ensure robust security practices when dealing with AI providers, recognising the gravity of the risks and responsibilities involved.


Read more »
Security
AI technology Customer Information Data Breach Data Hackers OpenAI Security

Hacker Breaches OpenAI, Steals Sensitive AI Tech Details


 

Earlier this year, a hacker successfully breached OpenAI's internal messaging systems, obtaining sensitive details about the company's AI technologies. The incident, initially kept under wraps by OpenAI, was not reported to authorities as it was not considered a threat to national security. The breach was revealed through sources cited by The New York Times, which highlighted that the hacker accessed discussions in an online forum used by OpenAI employees to discuss their latest technologies.

The breach was disclosed to OpenAI employees during an April 2023 meeting at their San Francisco office, and the board of directors was also informed. According to sources, the hacker did not penetrate the systems where OpenAI develops and stores its artificial intelligence. Consequently, OpenAI executives decided against making the breach public, as no customer or partner information was compromised.

Despite the decision to withhold the information from the public and authorities, the breach sparked concerns among some employees about the potential risks posed by foreign adversaries, particularly China, gaining access to AI technology that could threaten U.S. national security. The incident also brought to light internal disagreements over OpenAI's security measures and the broader implications of their AI technology.

In the aftermath of the breach, Leopold Aschenbrenner, a technical program manager at OpenAI, sent a memo to the company's board of directors. In his memo, Aschenbrenner criticised OpenAI's security measures, arguing that the company was not doing enough to protect its secrets from foreign adversaries. He emphasised the need for stronger security to prevent the theft of crucial AI technologies.

Aschenbrenner later claimed that he was dismissed from OpenAI in the spring for leaking information outside the company, which he argued was a politically motivated decision. He hinted at the breach during a recent podcast, but the specific details had not been previously reported.

In response to Aschenbrenner's allegations, OpenAI spokeswoman Liz Bourgeois acknowledged his contributions and concerns but refuted his claims regarding the company's security practices. Bourgeois stated that OpenAI addressed the incident and shared the details with the board before Aschenbrenner joined the company. She emphasised that Aschenbrenner's separation from the company was unrelated to the concerns he raised about security.

While the company deemed the incident not to be a national security threat, the internal debate it sparked highlights the ongoing challenges in safeguarding advanced technological developments from potential threats.


Read more »
Security
Cybersecurity Threats Fickle Stealer Infostealer Malware Safety Security

New Infostealer 'Fickle Stealer' Targets Sensitive Data Using Multiple Distribution Methods

 

Security experts are raising alarms about a new infostealer named Fickle Stealer, which is being disseminated through various techniques across the internet. Fickle Stealer engages in typical malicious activities, such as stealing sensitive files, system information, browser-stored files, and cryptocurrency wallet details. However, what sets Fickle Stealer apart is its construction using the Rust programming language.

"Beyond targeting popular applications, this stealer searches for sensitive files in the parent directories of common installation paths to ensure thorough data collection," stated security researcher Pei Han Liao. "It also fetches a target list from the server, adding flexibility to Fickle Stealer's operations."

According to cybersecurity researchers from Fortinet FortiGuard Labs, Fickle Stealer employs four distinct distribution methods: a VBA dropper, a VBA downloader, a link downloader, and an executable downloader. Some of these methods utilize a PowerShell script that bypasses User Account Control (UAC) mechanisms. This script also transmits system information, such as the device's location (country and city), IP address, operating system version, computer name, and username, to a Telegram bot.

Infostealers are among the most prevalent and disruptive forms of malware, second only to ransomware. They enable cybercriminals to access sensitive services, including banking accounts, social media profiles, and corporate platforms. With access to cryptocurrency wallet data, hackers can transfer funds to their own wallets, effectively stealing any available money. Furthermore, infostealers allow criminals to access email inboxes, leading to phishing attacks, impersonation, identity theft, and potentially ransomware attacks on corporate IT systems.

Securing devices against infostealers involves the same precautions as defending against other types of malware. Users should avoid downloading and running suspicious files and thoroughly verify email attachments before opening them. By adhering to these practices, individuals and organizations can better protect their sensitive data from cyber threats.
Read more »
Technology
Artifcial Intelligence Economic crisis Recession Security Technology

AI Could Turn the Next Recession into a Major Economic Crisis, Warns IMF

 


In a recent speech at an AI summit in Switzerland, IMF First Deputy Managing Director Gita Gopinath cautioned that while artificial intelligence (AI) offers numerous benefits, it also poses grave risks that could exacerbate economic downturns. Gopinath emphasised that while discussions around AI have predominantly centred on issues like privacy, security, and misinformation, insufficient attention has been given to how AI might intensify economic recessions.

Historically, companies have continued to invest in automation even during economic downturns. However, Gopinath pointed out that AI could amplify this trend, leading to greater job losses. According to IMF research, in advanced economies, approximately 30% of jobs are at high risk of being replaced by AI, compared to 20% in emerging markets and 18% in low-income countries. This broad scale of potential job losses could result in severe long-term unemployment, particularly if companies opt to automate jobs during economic slowdowns to cut costs.

The financial sector, already a significant adopter of AI and automation, faces unique risks. Gopinath highlighted that the industry is increasingly using complex AI models capable of learning independently. By 2028, robo-advisors are expected to manage over $2 trillion in assets, up from less than $1.5 trillion in 2023. While AI can enhance market efficiency, these sophisticated models might perform poorly in novel economic situations, leading to erratic market behaviour. In a downturn, AI-driven trading could trigger rapid asset sell-offs, causing market instability. The self-reinforcing nature of AI models could exacerbate price declines, resulting in severe asset price collapses.

AI's integration into supply chain management could also present risks. Businesses increasingly rely on AI to determine inventory levels and production rates, which can enhance efficiency during stable economic periods. However, Gopinath warned that AI models trained on outdated data might make substantial errors, leading to widespread supply chain disruptions during economic downturns. This could further destabilise the economy, as inaccurate AI predictions might cause supply chain breakdowns.

To mitigate these risks, Gopinath suggested several strategies. One approach is to ensure that tax policies do not disproportionately favour automation over human workers. She also advocated for enhancing education and training programs to help workers adapt to new technologies, along with strengthening social safety nets, such as improving unemployment benefits. Additionally, AI can play a role in mitigating its own risks by assisting in upskilling initiatives, better targeting assistance, and providing early warnings in financial markets.

Gopinath accentuated the urgency of addressing these issues, noting that governments, institutions, and policymakers need to act swiftly to regulate AI and prepare for labour market disruptions. Her call to action comes as a reminder that while AI holds great promise, its potential to deepen economic crises must be carefully managed to protect global economic stability.


Read more »
Security
Antiphish Banks bfsi CISO phishing Phishing and Spam Security

Case Study: Implementing an Anti-Phishing Product and Take-Down Strategy


Introduction:

Phishing attacks have become one of the most prevalent cybersecurity  threats, targeting individuals and organizations to steal sensitive information such as login credentials, financial data, and personal information. To combat this growing threat, a comprehensive approach involving the deployment of an anti-phishing product and an efficient take-down strategy is essential.

This case study outlines a generic framework for implementing such measures, with a focus on regulatory requirements mandating the use of locally sourced solutions and ensuring proper validation before take-down actions.


Challenge:

Organizations across various sectors, including finance, healthcare, and e-commerce, face persistent phishing threats that compromise data security and lead to financial losses. The primary challenge is to develop and implement a solution that can detect, prevent, and mitigate phishing attacks effectively while complying with regulatory requirements to use locally sourced cybersecurity products and ensuring that take-down actions are only executed when the orginization is phished/imitated.


Objectives:

1. Develop an advanced anti-phishing product with real-time detection and response capabilities.

2. Establish a rapid and effective take-down process for phishing websites.

3. Ensure the anti-phishing product is sourced from a local provider to meet regulatory requirements.

4. Implement a policy where take-down actions are only taken when the orginization is phished.


Solution:

A multi-faceted approach combining technology, processes, and education was adopted to address the phishing threat comprehensively.


1. Anti-Phishing Product Development

An advanced anti-phishing product from a local cybersecurity provider was developed with the following key features:

Real-time Monitoring and Detection:

Utilizing AI and machine learning algorithms to monitor email traffic, websites, and network activity for phishing indicators.

- Threat Intelligence Integration:

  Incorporating global threat intelligence feeds to stay updated on new phishing tactics and campaigns.

- Automated Detection of Brand Violations: Implementing capabilities to automatically detect the use of logos, brand names, and other identifiers indicative of phishing activities.

- Automated Response Mechanisms:

Implementing automated systems to block phishing emails and malicious websites at the network level, while flagging suspicious sites for further review.

- User Alerts and Guidance: Providing immediate alerts to users when suspicious activities are detected, along with guidance on how to respond.


2. Phishing Website Take-Down Strategy

We developed a proactive approach to swiftly take down phishing websites, ensuring a balance between automation and human oversight, and validating the phishing activity before take-down:

- Rapid Detection Systems: Leveraging real-time monitoring tools to quickly identify phishing websites, especially those violating brand identities.

- Collaboration with ISPs and Hosting Providers:

Establishing partnerships with internet service providers and hosting companies to expedite the take-down process.

- Human Review Process and Validation of Phishing Activity:

Ensuring that no site is taken down without a human review to verify the phishing activity, preventing erroneous takedowns/rejections.

- Legal Measures:

Employing legal actions such as cease-and-desist letters to combat persistent phishing sites.

- Dedicated Incident Response Team:

Forming a specialized team to handle take-down requests and ensure timely removal of malicious sites, following human verification.


Results:

1. Reduction in Phishing Incidents: Organizations reported a significant decrease in successful phishing attempts due to the enhanced detection and response capabilities of the locally sourced anti-phishing product.

2. Efficient Phishing Site Take-Downs:

The majority of reported phishing websites were taken down within 24 hours, following human review and validation of phishing activity, minimizing the potential impact of phishing attacks.


Conclusion:

The implementation of an advanced, locally sourced anti-phishing product, combined with a robust take-down strategy and comprehensive educational initiatives, significantly enhances the cybersecurity posture of organizations. By adopting a multi-faceted approach that leverages technology, collaborative efforts, and user education, while ensuring compliance with regulatory requirements to use local solutions and validating phishing activity before take-down actions, organizations can effectively mitigate the risks posed by phishing attacks. This case study underscores the importance of an integrated strategy, ensuring automated systems are complemented by human oversight, in protecting against the ever-evolving threat of phishing.


By

Suriya Prakash & Sabari Selvan

CySecurity Corp

Read more »
Windows Hello
Biometric data Cyber Security FIDO2 Microsoft passkey authentication password-less personal accounts Phishing Attacks Security Windows Hello

Microsoft Introduces Passkey Authentication for Personal Microsoft Accounts

 

Microsoft has introduced a new feature allowing Windows users to log into their Microsoft consumer accounts using a passkey, eliminating the need for traditional passwords. This passkey authentication method supports various password-less options such as Windows Hello, FIDO2 security keys, biometrics like facial scans or fingerprints, and device PINs.

These "consumer accounts" are personal accounts used for accessing a range of Microsoft services including Windows, Office, Outlook, OneDrive, and Xbox Live. The announcement coincides with World Password Day, with Microsoft aiming to enhance security against phishing attacks and eventually phase out passwords entirely.

Previously available for logging into websites and applications, passkey support is now extended to Microsoft accounts, streamlining the login process without requiring a password.

Passkeys, unlike passwords, utilize a cryptographic key pair where the private key remains securely stored on the user's device. This method enhances security as it eliminates the risk of password interception or theft, and it simplifies the login experience, reducing reliance on password memorization and minimizing risky practices such as password recycling.

Moreover, passkeys offer compatibility across various devices and operating systems, ensuring a seamless authentication process. However, Microsoft's approach of syncing passkeys across devices raises some security concerns, potentially compromising account security if accessed by unauthorized individuals.

To enable passkey support for Microsoft accounts, users can create a passkey through a provided link and select from options like facial recognition, fingerprint, PIN, or security key. Supported platforms include Windows 10 and newer, macOS Ventura and newer, Safari 16 or newer, ChromeOS, Chrome, Microsoft Edge 109, iOS 16 and newer, and Android 9 and newer. Upon signing in, users can select their passkey from the list and proceed with the authentication process using the chosen method.
Read more »
Security
8Base Cyber Attacks CyberCrime Cyberscoop Cybersecurity CyberThreat Cyberthreats Data Breaches Security

UN Agency Faces Data Crisis: Ransomware Hack Exposes Extensive Data Theft

 


It is reported that the United Nations Development Programme (UNDP) is investigating a cyberattack involving human resources information stolen from its IT systems due to a breach. To eradicate poverty, fight inequality, and eliminate exclusion from society, UNDP, the UN's global development network, works in more than 170 countries and territories.

Donations are received from UN member states, private companies, and multilateral organizations. According to a statement released by the organisation published Tuesday, there was a hack in the local IT infrastructure at UN City, Copenhagen, in late March. In a statement released by the UNDP on Tuesday, the organization said that a “data extortion actor” had stolen human resources and procurement information in UN City, Copenhagen and that the IT infrastructure was targeted.

In the statement, it was not disclosed what kind of data had been stolen from the organization that is the lead agency on international development for the UN. According to notifications shared with affected parties and viewed by CyberScoop, hackers were able to access several servers and steal data that was significant in scope. 

CyberScoop was informed that the notification information included in its notification may include data about former and current employees' family members, as well as information about contractors, including dates of birth, social security numbers, bank account information, passport details, and information about their bank accounts, bank accounts, and passports. 

A UNDP entry on the 8Base ransomware gang's dark web data leak website has been added to its dark web data leak website since March 27, but the UN agency has yet to identify a specific threat group responsible for the attack. In their assertions, the attackers claim their operators were able to exfiltrate large amounts of sensitive information through the documents they were able to acquire during the breach. 

They allegedly leaked a large amount of confidential information via a now-extinct link, including personal information, accounting data, certificates, employment contracts, confidentiality agreements, invoices, receipts, and much more, according to the reports. They emerged in March 2022, and they spiked their activity in June 2023 after they began attacking companies across a greater range of industry verticals and switched to double extortion to increase their revenue. 

Data leaks were a major issue for the extortion group in May of 2023 when they claimed to be "honest and simple" pen testers that targeted "companies that neglected employees' and customers' privacy and the importance of their data." There have been over 350 victims listed on the site of this ransomware group so far, with some days announcing up to six victims at the same time. 

In 8Base, a custom version of Phobos ransomware has been used, a malicious program that emerged in 2019 and has many code similarities to the Dharma ransomware family. Additionally, in January 2021, the United Nations Environmental Programme (UNEP) announced that over 100,000 employee records containing personally identifiable information (PII) were made available online after a data breach. 

In July 2019, there was also a breach of UN networks in Geneva and Vienna, where a Sharepoint vulnerability allowed access to personnel records, health insurance data, and commercial contract data in an event, that a UN official described as a "major meltdown."
Read more »
Vulnerabilities and Exploits
China Exploit Hacker Groups Ivanti security flaws Researchers Security Vulnerabilities and Exploits

Researchers Uncover Numerous Chinese Hacker Collectives Exploiting Ivanti Security Vulnerabilities

 

Several threat actors with connections to China have been identified as responsible for exploiting three security vulnerabilities affecting Ivanti appliances. These vulnerabilities are identified as CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893.

Mandiant, a cybersecurity firm, has been monitoring these clusters of threat actors, identifying them under the names UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Among them, UNC3886, a Chinese hacking group, has been previously known for exploiting zero-day bugs in Fortinet and VMware systems to infiltrate networks.

Financially motivated actors have also been observed exploiting CVE-2023-46805 and CVE-2024-21887, likely for cryptocurrency mining purposes.

UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments," Mandiant researchers said

Post-exploitation activities by these threat actors often involve deploying malicious tools such as the Sliver command-and-control framework, WARPWIRE credential stealer variant, and a new backdoor named TERRIBLETEA, which comes with various functionalities like command execution and keylogging.

UNC5330 has been combining CVE-2024-21893 and CVE-2024-21887 to target Ivanti Connect Secure VPN appliances, leveraging custom malware like TONERJAM and PHANTOMNET for further actions. These include reconnaissance, lateral movement, and compromising LDAP bind accounts for higher privileges.

UNC5337, another China-linked group, has been using CVE-2023-46805 and CVE-2024-218 to infiltrate Ivanti devices since January 2024, deploying a custom malware toolset known as SPAWN. This toolset includes components like SPAWNSNAIL, SPAWNMOLE, SPAWNANT, and SPAWNSLOTH, designed for stealthy and persistent backdoor access.

Mandiant assesses with medium confidence that UNC5337 and UNC5221 might be the same group, highlighting the sophistication of their tools aimed at avoiding detection.

UNC5221 has also been associated with various web shells and a Perl-based web shell called ROOTROT, which is embedded into legitimate files to evade detection. Successful deployment of these shells leads to network reconnaissance and lateral movement, potentially compromising vCenter servers with a Golang backdoor named BRICKSTORM.

Finally, UNC5291, likely associated with another group called UNC3236, has been targeting academic, energy, defense, and health sectors, focusing on Citrix Netscaler ADC initially before shifting to Ivanti Connect Secure devices.

These findings emphasize the ongoing threat posed by edge appliances, with threat actors utilizing a combination of zero-day vulnerabilities, open-source tools, and custom backdoors to evade detection and maintain access to networks for extended periods. access to target systems.
Read more »
Security
Cyberattacks CyberCrime Cybersecurity Cyberthreats Data Breach data security ID IntelBroker Pandabuy Passcodes Security

1.3 Million Customers Affected: Pandabuy Grapples with Data Breach Fallout

 


A data breach allegedly occurred on Sunday at Pandabuy, an online store that aggregates items from Chinese e-commerce sites. As a result, 1,348,307 accounts were affected. A large amount of information has been leaked, including user IDs, first and last names, phone numbers, emails, login IP addresses, full addresses, and order information. 

Sanggiero and IntelBroker both exploited multiple vulnerabilities to breach the company's systems, allegedly leading to the leakage of the company's data. People throughout the world can use Pandabuy’s marketplace to access products from Chinese online marketplaces, such as JD.com, Tmall, and Taobao. 

Approximately 1.3 million PandaBuy customers' data has been accessed after two threat actors exploited multiple vulnerabilities to gain access to PandaBuy's system, according to PandaBuy's website. In addition to allowing international customers to purchase goods from a variety of Chinese e-commerce platforms, including Tmall, Taobao, and JD.com, PandaBuy is offering international users to purchase products from different e-commerce platforms. 

There was a breach at PandaBuy yesterday claimed by an individual known as 'Sanggiero', allegedly performed by 'IntelBoker' in conjunction with the threat actor 'Sanggiero'. The breach, according to Sanggiero, was possible as a result of exploiting critical API vulnerabilities, which allowed unauthorized access to internal platform services.

It has been found that over 3 million unique user IDs are now available on underground forums. These data include personal information such as names, phone numbers, e-mail addresses, and even more. For interested parties to obtain this information, they will need to pay a nominal fee in cryptocurrency, further aggravated by the breach itself. 

PandaBuy has reported that 1,348,407 PandaBuy accounts are being compromised, according to data breach aggregation service Have I Been Pwned (HIBP), which confirmed the breach. Furthermore, Sanggiero has provided a sample of leaked data containing email addresses, customer names, transaction information, and order details as well as a sample of the leaked data to verify the authenticity of it. 

A password reset request that Troy Hunt, the creator of HIBP, submitted by PandaBuy users confirmed the breach, confirming that at least 1.3 million email addresses were indeed linked to PandaBuy accounts. In any case, the initial claim of three million entries made by the threat actors appears inflated, with some entries being manufactured or duplicates. 

There are several forums where PandaBuy shoppers' information was leaked, and any registered members can obtain it by paying a symbolic payment of cryptocurrency in exchange for the data. The PandaBuy company has not yet acknowledged an incident of this nature, but one of its administrators on the firm's Discord channel pointed out that the incident was a result of old information, which was already dealt with. 

As a precautionary measure, PandaBuy users have been urged to reset their passwords immediately and to be vigilant against scam attempts. Consequently, PandaBuy customers are facing a significant security threat since their customer data was leaked on underground forums. During the test period, threat actors provided a sample dataset containing email addresses, customer names, order details, and payment information as a means of verifying the authenticity of the breach. 

Troy Hunt's validation of the leaked email addresses further corroborated the breach's legitimacy, emphasizing the urgency of corrective action required for it. The PandaBuy users who have been affected by the breach should act immediately to mitigate the risks. Resetting their passwords will help protect their accounts from unauthorized access in the future. 

It is also important to be vigilant against potential scams and to be very sceptical when receiving unsolicited communications. In addition to timely notifications, Have I Been Pwned integrations with data breach aggregation services ensure users can take proactive measures to protect their online security when data exposure occurs? It is essential that companies, particularly those that handle large amounts of consumer data, prioritize the security of their platforms to prevent such incidents. 

Consumers should remain vigilant and adopt best practices in terms of digital security to keep themselves safe, including strong, unique passwords, and be wary of phishing attempts that may try to steal personal information.
Read more »
Tycoon
Gmail malware MFA Bypass Microsoft 365 multifactor authentication phishing kit Safety Security Tycoon

'Tycoon' Malware Kit Bypasses Microsoft and Google Multifactor Authentication

 

An emerging phishing kit called "Tycoon 2FA" is gaining widespread use among threat actors, who are employing it to target Microsoft 365 and Gmail email accounts. This kit, discovered by researchers at Sekoia, has been active since at least August and received updates as recent as last month to enhance its evasion techniques against multifactor authentication (MFA).

According to the researchers, Tycoon 2FA is extensively utilized in various phishing campaigns, primarily aimed at harvesting Microsoft 365 session cookies to bypass MFA processes during subsequent logins. The platform has amassed over 1,100 domain names between October 2023 and late February, with distribution facilitated through Telegram channels under different handles such as Tycoon Group, SaaadFridi, and Mr_XaaD.

Operating as a phishing-as-a-service (PhaaS) platform, Tycoon 2FA offers ready-made phishing pages for Microsoft 365 and Gmail accounts, along with attachment templates, starting at $120 for 10 days, with prices varying based on the domain extension. Transactions are conducted via Bitcoin wallets managed by the "Saad Tycoon Group," suspected to be the operator and developer of Tycoon 2FA, with over 1,800 recorded transactions as of mid-March.

The phishing technique employed by Tycoon 2FA involves an adversary-in-the-middle (AitM) approach, utilizing a reverse proxy server to host phishing webpages. This method intercepts user inputs, including MFA tokens, allowing attackers to bypass MFA even if credentials are changed between sessions.

Despite the security enhancements provided by MFA, sophisticated attacks like Tycoon 2FA pose significant threats by exploiting AitM techniques. The ease of use and relatively low cost of Tycoon 2FA make it appealing to threat actors, further compounded by its stealth capabilities that evade detection by security products.

Sekoia researchers outlined a six-stage process used by Tycoon 2FA to execute phishing attacks, including URL redirections, Cloudflare Turnstile challenges, JavaScript execution, and the presentation of fake authentication pages to victims.

The emergence of Tycoon 2FA underscores the evolving landscape of phishing attacks, challenging the effectiveness of traditional MFA methods. However, security experts suggest that certain forms of MFA, such as security keys implementing WebAuthn/FIDO2 standards, offer higher resistance against phishing attempts.

To assist organizations in identifying Tycoon 2FA activities, Sekoia has published a list of indicators of compromise (IoCs) on GitHub, including URLs associated with Tycoon 2FA phishing campaigns.
Read more »
Security
AI-powered tool auto-fixes vulnerabilities Code Code Scanning Autofix CodeQL coding Cyber Security GHAS GitHub GitHub Advanced Security GitHub Copilot JavaScript Security

GitHub Unveils AI-Driven Tool to Automatically Rectify Code Vulnerabilities

GitHub has unveiled a novel AI-driven feature aimed at expediting the resolution of vulnerabilities during the coding process. This new tool, named Code Scanning Autofix, is currently available in public beta and is automatically activated for all private repositories belonging to GitHub Advanced Security (GHAS) customers.

Utilizing the capabilities of GitHub Copilot and CodeQL, the feature is adept at handling over 90% of alert types in popular languages such as JavaScript, Typescript, Java, and Python.

Once activated, Code Scanning Autofix presents potential solutions that GitHub asserts can resolve more than two-thirds of identified vulnerabilities with minimal manual intervention. According to GitHub's representatives Pierre Tempel and Eric Tooley, upon detecting a vulnerability in a supported language, the tool suggests fixes accompanied by a natural language explanation and a code preview, offering developers the flexibility to accept, modify, or discard the suggestions.

The suggested fixes are not confined to the current file but can encompass modifications across multiple files and project dependencies. This approach holds the promise of substantially reducing the workload of security teams, allowing them to focus on bolstering organizational security rather than grappling with a constant influx of new vulnerabilities introduced during the development phase.

However, it is imperative for developers to independently verify the efficacy of the suggested fixes, as GitHub's AI-powered feature may only partially address security concerns or inadvertently disrupt the intended functionality of the code.

Tempel and Tooley emphasized that Code Scanning Autofix aids in mitigating the accumulation of "application security debt" by simplifying the process of addressing vulnerabilities during development. They likened its impact to GitHub Copilot's ability to alleviate developers from mundane tasks, allowing development teams to reclaim valuable time previously spent on remedial actions.

In the future, GitHub plans to expand language support, with forthcoming updates slated to include compatibility with C# and Go.

For further insights into the GitHub Copilot-powered code scanning autofix tool, interested parties can refer to GitHub's documentation website.

Additionally, the company recently implemented default push protection for all public repositories to prevent inadvertent exposure of sensitive information like access tokens and API keys during code updates.

This move comes in response to a notable issue in 2023, during which GitHub users inadvertently disclosed 12.8 million authentication and sensitive secrets across more than 3 million public repositories. These exposed credentials have been exploited in several high-impact breaches in recent years, as reported by BleepingComputer.

Read more »
third-party provider
Cyber Security Data fast food chain Global Outage McDonald's Safety Security technical issues third-party provider

McDonald's Attributes Worldwide Outage to Third-Party Provider

McDonald's faced significant disruptions in its fast-food operations on Friday, attributing the widespread technical issues to a third-party provider rather than a cyber attack. The outage, which occurred during a "configuration change," affected stores in various countries including the UK, Australia, and Japan.

According to McDonald's, the problem led to the inability to process orders, prompting closures and service interruptions across affected regions. However, the company clarified that it swiftly identified and resolved the global technology system outage.

Brian Rice, McDonald's chief information officer, emphasized that the incident was an anomaly not directly linked to cybersecurity threats but rather stemmed from a third-party provider's actions during a system configuration change. He assured that efforts were underway to address the situation urgently.

Reports indicated that numerous McDonald's outlets, particularly in the UK and Australia, experienced disruptions, causing frustration among customers unable to place orders. The impact varied across regions, with some locations forced to close temporarily.

Despite the challenges, McDonald's reported progress in restoring operations across affected countries. Stores in Japan, initially hit by the outage, began resuming operations, albeit with temporary cash-only transactions and manual calculations.

While the disruption garnered attention on social media platforms, including complaints from customers unable to order through the McDonald's app, the company thanked customers and staff for their patience as services gradually resumed.

The outage affected McDonald's restaurants worldwide, highlighting the scale of the incident across its extensive network of approximately 40,000 outlets globally, with significant footprints in the UK, Ireland, the United States, Japan, and Australia.
Read more »
system spread
AI Worms Cyber Security Data Safety Data Theft Private Data Researchers Security system spread

Researchers Develop AI "Worms" Capable of Inter-System Spread, Enabling Data Theft Along the Way

 

A team of researchers has developed a self-replicating computer worm designed to target AI-powered applications like Gemini Pro, ChatGPT 4.0, and LLaVA. The aim of this project was to showcase the vulnerabilities in AI-enabled systems, particularly how interconnections between generative-AI platforms can facilitate the spread of malware.

The researchers, consisting of Stav Cohen from the Israel Institute of Technology, Ben Nassi from Cornell Tech, and Ron Bitton from Intuit, dubbed their creation 'Morris II', drawing inspiration from the infamous 1988 internet worm.

Their worm was designed with three main objectives. Firstly, it was engineered to replicate itself using adversarial self-replicating prompts, which exploit the AI applications' tendency to output the original prompt, thereby perpetuating the worm. 

Secondly, it aimed to carry out various malicious activities, ranging from data theft to the creation of inflammatory emails for propagandistic purposes. Lastly, it needed the capability to traverse hosts and AI applications to proliferate within the AI ecosystem.

The worm utilizes two primary methods for propagation. The first method targets AI-assisted email applications employing retrieval-augmented generation (RAG), where a poisoned email triggers the generation of a reply containing the worm, subsequently spreading it to other hosts. The second method involves inputs to generative-AI models, prompting them to create outputs that further disseminate the worm to new hosts.

During testing, the worm successfully pilfered sensitive information such as social security numbers and credit card details.

To raise awareness about the potential risks posed by such worms, the researchers shared their findings with Google and OpenAI. While Google declined to comment, an OpenAI spokesperson acknowledged the potential exploitability of prompt-injection vulnerabilities resulting from unchecked or unfiltered user inputs.

Instances like these underscore the imperative for increased research, testing, and regulation in the deployment of generative-AI applications.
Read more »
Security
Cyber Attacks Data Data Safety Hamilton Safety Security

Cyberattack on Hamilton City Hall Expands to Impact Additional Services

 

Hamilton is currently facing a ransomware attack, causing widespread disruptions to city services for more than a week. City manager Marnie Cluckie disclosed the nature of the cyber attack during a virtual press conference on Monday, marking the first public acknowledgment of the incident since it began on February 25. 

The attack has resulted in the shutdown of almost all city phone lines, hampering city council operations and affecting numerous services such as the bus schedule app, library WiFi, and permit applications.

Cluckie mentioned that the city has not provided a specific timeframe for resolving the situation, emphasizing that systems will only be restored once deemed safe and secure. While the city has not detected any unauthorized access to personal data, Hamilton police have been alerted and will conduct an investigation.

Regarding the attackers' demands, Cluckie remained cautious, refraining from disclosing details such as the requested amount of money or their location due to the sensitive nature of the situation. However, she mentioned that the city is covered by insurance for cybersecurity breaches and has enlisted the expertise of cybersecurity firm Cypfer to manage the incident response.

Ransomware attacks, characterized by denying access to systems or data until a ransom is paid, can have devastating consequences, as highlighted by the Canadian Centre for Cyber Security. Although paying the ransom does not guarantee system restoration, it is sometimes deemed necessary, as seen in previous cases involving other municipalities like St. Marys and Stratford.

Once the city's systems are restored, Cluckie will oversee a comprehensive review to understand the breach's cause and implement preventive measures. Council meetings have been postponed until at least March 15 due to operational constraints, with plans to resume once the situation stabilizes.

The impact of the attack on various city services is extensive. Phone lines for programs, councillors, and essential facilities like long-term care homes are down. Online systems for payments and services related to fire prevention, permits, and property are inaccessible. Engineering services, cemeteries, libraries, public health, property taxes, Ontario Works, vendor payments, waste management, child care, transit, Hamilton Water, city mapping, and recreation facilities are all affected to varying degrees, with disruptions in communication, payments, and service availability.

Efforts are underway to mitigate the effects of the attack, but until the situation is resolved, residents and city officials must navigate the challenges posed by the ransomware attack.
Read more »
wireless chargers
Academic attacks Cyber Security electromagnetic interference Researchers Security VoltSchemer Vulnerabilities wireless chargers

Researchers Develop 'VoltSchemer' Assaults Aimed at Wireless Charging Systems

 

A team of researchers from the University of Florida, collaborating with CertiK, a Web3 smart contract auditor, have uncovered potential security threats in wireless charging systems. Their research introduces new attack methods, named VoltSchemer, which exploit vulnerabilities in these systems by manipulating power supply voltages.

The VoltSchemer attacks, outlined in a research paper, target weaknesses in wireless charging setups, allowing attackers to disrupt charging devices, tamper with voice assistants, and override safety mechanisms outlined in the Qi standard. Notably, these attacks utilize voltage fluctuations from the power source, requiring no direct modifications to the chargers themselves.

While wireless chargers are generally considered more secure than wired alternatives due to their reliance on near-field magnetic coupling, the researchers argue that they are still susceptible to manipulation. By tampering with power signals, attackers could potentially compromise communication between the charger and the device being charged, leading to malicious actions.

The underlying issue lies in the susceptibility of wireless chargers to electromagnetic interference (EMI) caused by voltage fluctuations. This interference can modulate the power signals transmitted by the charger, enabling attackers to manipulate the magnetic field produced and issue unauthorized commands to connected devices.

In their experiments, the researchers tested the VoltSchemer attacks on nine commercially available wireless chargers, all of which were found to be vulnerable. By inserting a disguised voltage manipulation device, such as a modified power port, between the power adapter and the charger, the researchers successfully executed the attacks.

The consequences of these attacks were significant, with charging smartphones experiencing overheating and devices such as key fobs, USB drives, SSD drives, and NFC cards being permanently damaged or destroyed. The researchers emphasize that the root cause of these vulnerabilities lies in the lack of effective noise suppression in certain frequency bands within wireless charging systems.

Overall, the findings highlight the potential risks associated with wireless charging technologies and underscore the need for improved security measures, especially in high-power systems like electric vehicle (EV) wireless charging.
Read more »
travel account security
Cyber Security cybersecurity tips Data Safety preventing hacking Protecting online travel accounts Safety Security travel account security

Here's How to Safeguard Your Online Travel Accounts from Hackers

 

Just days following Kay Pedersen's hotel reservation in Chiang Mai, Thailand, via Booking.com, she received a troubling email. The email, poorly written in broken English, warned her of "malicious activities" within her account.

Subsequently, Kay and her husband, Steven, encountered issues. Steven noticed unauthorized reservations at different hotels, prompting them to report the fraudulent activity to Booking.com. In response, Booking.com cancelled all their bookings, including the one in Chiang Mai. Despite their immediate action, restoring their original reservation proved challenging. While Booking.com eventually reinstated the reservation, the new rate was more than double the original.

The Pedersens are not isolated cases. A recent surge in hacking incidents has targeted travellers. Criminals reportedly obtained Booking.com passwords through its internal messaging system. Loyalty program accounts and other online travel agencies have also been popular targets.

The susceptibility of travel accounts to attacks is attributed to the wealth of sensitive information they hold, including passports, driver’s licenses, and travel dates. Caroline McCaffery, CEO of ClearOPS, underscores the importance of safeguarding this information.

To mitigate the risk of hacking, travellers can employ several strategies:

1. Utilize two-factor authentication, preferably through an authenticator app, to enhance security.
2. Enable login notifications to receive alerts of any unauthorized account access.
3. Avoid reusing passwords and opt for strong, unique passwords for each account. Password management services like Google Password Manager can be helpful.
4. Exercise caution when using public Wi-Fi networks, and employ a Virtual Private Network (VPN) for added security.

However, travellers themselves also contribute to the problem by sharing excessive personal information and falling victim to phishing scams. Bob Bacheler, managing director of Flying Angels, highlights the risks associated with oversharing on social media and with unknown websites.

Phishing, in particular, remains a prevalent method for hacking attempts. Albert Martinek, a customer cyber threat intelligence analyst at Horizon3.ai, emphasizes the dangers of clicking on suspicious links.

The Pedersens' case underscores the challenges travellers face in resolving hacking incidents. While Booking.com investigated and secured their account, the couple endured uncertainty regarding their hotel reservation.

Ultimately, responsibility for addressing these security concerns lies with the companies that handle travellers' data. Implementing passwordless authentication systems like Passkeys could offer a solution to mitigate hacking risks. However, until travel companies prioritize safeguarding personal information, travellers will continue to bear the consequences.
Read more »
Security
Cyber Fraud CyberCrime Hackers Miami-Dade police officers prosecutors Safety Secure Security

Hackers Target Police Officers and Prosecutors in Miami-Dade

 

The police officers in North Miami Beach were misled by a counterfeit email masquerading as an official communication from the Miami Dade State Attorney's Office, as per sources knowledgeable about the scheme.

Utilizing the guise of an SAO investigator probing human trafficking, a scammer circulated the fraudulent email, successfully duping several employees of the North Miami Beach Police Department earlier this week, according to insiders.

Addressing the incident, city authorities issued a statement acknowledging that a handful of email accounts had fallen victim to a phishing scam, impacting multiple government entities. They assured that steps had been taken to regain control of the compromised accounts.

The city affirmed that neither the network nor the data had been affected by the breach, which was confined to email accounts. Investigations into the security breach were ongoing. The SAO also released a statement detailing a "highly sophisticated phishing attempt" aimed at their computer information system, which was detected and neutralized on February 13th.

The perpetrator employed "exceptional electronic reproductions of genuine SAO materials" in the email, designed to entice users into opening what appeared to be authentic documents from SAO personnel, as stated in the SAO's statement.

The incident serves as a stark reminder of the importance of vigilance in cybersecurity. Despite appearances, malicious emails can be highly deceptive, emphasizing the need for users to scrutinize links and documents for authenticity before clicking on them.
Read more »
Subscribe to: Posts (Atom)