Cybersecurity firm CrowdStrike reported a supply chain attack in which a trojanized installer for the Comm100 Live Chat application was used to distribute a JavaScript backdoor. The attack ran from 27 to 29 September 2022.
The Yanluowang ransomware gang has published Cisco Systems' stolen data on the dark web. Following the leak, Cisco confirmed that the data was stolen from its network during an intrusion that took place in May.
Cisco Security Incident Response (CSIRT) conducted an investigation and found that the attackers had taken control of an employee's personal Google account in which Cisco credentials were saved in the browser. The threat actors used these credentials and then launched voice phishing attacks designed to lure the targeted employee into accepting the MFA notification.
Cisco revealed in a report published in August that the firm's networks had been infiltrated by the Yanluowang ransomware after hackers gained access to an employee's VPN account. The company further asserted that the only information taken was employee login information from Active Directory and non-sensitive files saved in a Box account.
Once the threat actors obtained the employee's Cisco credentials, they employed social engineering and other techniques to bypass multi-factor authentication (MFA) and gather more data.
After gaining initial access, the hackers registered a series of new devices for MFA, authenticated successfully to the Cisco VPN, and dropped multiple remote access and post-exploitation tools in the victim network, including LogMeIn, TeamViewer, Cobalt Strike, PowerSploit, Mimikatz, and Impacket, as per Security Affairs.
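The sequence described above (repeated MFA pushes until one is accepted, followed by enrollment of a new MFA device and a VPN login) leaves a pattern that can be surfaced from authentication logs. The following detection logic is an added example and not Cisco's or CSIRT's code; the log format and event names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp, user, event name (not real Cisco logs).
SAMPLE_LOG = """\
2022-05-24T02:01:10 alice MFA_PUSH_SENT
2022-05-24T02:01:40 alice MFA_PUSH_DENIED
2022-05-24T02:02:05 alice MFA_PUSH_SENT
2022-05-24T02:02:35 alice MFA_PUSH_TIMEOUT
2022-05-24T02:03:00 alice MFA_PUSH_SENT
2022-05-24T02:03:20 alice MFA_PUSH_APPROVED
2022-05-24T02:05:00 alice MFA_DEVICE_ENROLLED
2022-05-24T02:06:00 alice VPN_LOGIN_SUCCESS
2022-05-24T09:00:00 bob MFA_PUSH_SENT
2022-05-24T09:00:10 bob MFA_PUSH_APPROVED
2022-05-24T09:00:30 bob VPN_LOGIN_SUCCESS
"""

def parse(log):
    """Turn the constructed log text into (timestamp, user, event) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, ev = line.split()
        events.append((datetime.fromisoformat(ts), user, ev))
    return events

def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_pushes=3,
                       enroll_window=timedelta(minutes=30)):
    """Alert when an MFA approval was preceded by >= min_pushes pushes inside
    `window`, and note whether a new MFA device was enrolled within
    `enroll_window` after the approval (the post-access step seen at Cisco)."""
    by_user = {}
    for ts, user, ev in sorted(events):
        by_user.setdefault(user, []).append((ts, ev))
    alerts = []
    for user, evs in by_user.items():
        for i, (ts, ev) in enumerate(evs):
            if ev != "MFA_PUSH_APPROVED":
                continue
            pushes = [t for t, e in evs[:i]
                      if e == "MFA_PUSH_SENT" and ts - t <= window]
            if len(pushes) < min_pushes:
                continue  # a single prompt that was approved is normal
            enrolled = any(e == "MFA_DEVICE_ENROLLED" and timedelta(0) <= t - ts <= enroll_window
                           for t, e in evs[i:])
            alerts.append({"user": user, "approved_at": ts,
                           "pushes_in_window": len(pushes),
                           "new_device_enrolled": enrolled})
    return alerts
```

Tune `min_pushes` and `window` to the baseline of your identity provider; the new-device flag is what distinguishes an annoyed user from an attacker consolidating access.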
Over the weekend, Cisco said in an update that "the content of these files matched what we have detected and released. We continue to see no effect on the business, including Cisco goods or services, confidential customer data or sensitive employee data, copyrights, or supply chain activities, which is consistent with our previous examination of this incident."
The researchers at the cybersecurity firm eSentire linked Yanluowang with "Evil Corp" (UNC2165), the Lapsus$ gang, and FiveHands malware (UNC2447).
The attackers' initial access to the Cisco VPN came through the hacked personal Google account of an employee who had enabled password synchronization in Google Chrome and saved their Cisco credentials in the browser.
The leader of Yanluowang ransomware told BleepingComputer that they had stolen thousands of files totaling 55GB from a cache that contained sensitive information including technical schematics and source code. The hacker did not offer any evidence. The only thing they provided was a screenshot showing access to what seemed like a development system.
Erich Kron, security awareness advocate at security awareness training company KnowBe4, notes that it goes without saying that Cisco decided against paying the ransom demanded by the ransomware group, which resulted in the stolen data being posted.
In a single phishing campaign, the hackers behind a number of recent attacks, such as those targeting Twilio, Cloudflare, MailChimp, and Klaviyo, infiltrated over 130 firms.
Through this phishing attack, 9,931 login credentials were stolen using a phishing kit with the codename "0ktapus," which the hackers then used to log into business networks and systems using VPNs and other remote access tools.
Group-IB characterized the campaign by its primary intent, which was to "get Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations."
The Singapore-based company said that the adversary sought out employees of businesses that use Okta, a provider of identity services, and described the attacks as well-planned and well-executed. With the help of the identity-as-a-service (IDaaS) platform Okta, employees can access all of their company's software with a single login.
The phrases "OKTA," "HELP," "VPN," and "SSO" were used in 169 different phishing domains that supported the 0ktapus campaign.
In addition, customers of the breached companies, such as Signal and DigitalOcean, became the targets of supply-chain attacks as a result of these breaches.
Judging by the phishing domains built as part of this effort, the threat actors targeted businesses in a variety of sectors, including bitcoin, technology, banking, and recruiting.
These login credentials were then utilized by the hackers to log into internal customer support systems, corporate networks, and VPNs in order to steal consumer data. As earlier witnessed with DigitalOcean and Signal, subsequent supply-chain hacks were carried out using this customer data.
The phishing kit employed in this effort forwarded the stolen information to a Telegram channel. The experts connected one of the channel administrators, who went by the handle "X," to a Twitter and a GitHub account, which suggests the person may be based in North Carolina, US.
Threat actors frequently targeted data belonging to organizations in the bitcoin industry, according to revelations from previous victims.
According to Group-IB, the hackers were able to steal 5,441 records with MFA codes, 3,129 records with email addresses, and 9,931 records with user credentials from 136 businesses, with the majority of the targeted businesses based in the United States.
After customers complained about their funds being stolen, Solana, a blockchain that is growing in popularity for its quick transactions, became the subject of the most recent breach in the cryptocurrency world.
The platform has launched an inquiry and is currently attempting to ascertain how the hackers were able to steal the money.
What is SOL?
The value of Solana's token, SOL, dropped by 7% to $38.4 in the past day, marking its lowest level in a week.
Solana is an open-source project that relies on the permissionlessness of blockchain technology to offer decentralized financial (DeFi) solutions. According to CoinGecko, end-user applications in the Solana ecosystem include non-fungible tokens (NFT), marketplaces, gaming, e-commerce, and decentralized finance (DeFi).
According to CoinGecko, Solana is one of the top 10 cryptocurrency assets in terms of market value, although its value has fallen significantly from its all-time high of $259.96 reached in November 2021.
The primary reason for the breach
The security problem appears to have affected more than 8,000 wallets, depleting them of their SOL tokens and USDC stablecoins, according to Changpeng Zhao, CEO of cryptocurrency exchange Binance.
Blockchain analytics firm Elliptic stated that the attack started on August 2 and had already resulted in $5.8 million in losses. According to the report, the stolen assets included Solana cryptocurrency and non-fungible tokens.
Elliptic noted that the issue didn't seem to be with the blockchain core, the digital ledger of transactions that serves as the foundation of cryptocurrency assets, but rather with software utilized by such wallets.
Phantom, Slope, and TrustWallet are among the wallets that were compromised in the hack.
Several blockchain security experts believe that a supply chain attack, a browser zero-day vulnerability, or a flawed random number generator used during key generation might have been leveraged to obtain such a large number of private keys.