Search This Blog

Showing posts with label User Privacy. Show all posts

30 Million Data Theft Hacktivists Detained in Ukraine

The Security Service of Ukraine's (SSU) cyber division has eliminated a group of hackers responsible for the data theft or roughly 30 million people. 

According to SSU, its cyber branch has dismantled a group of hacktivists who stole 30 million accounts and sold the data on the dark web. According to the department, the hacker organization sold these accounts for about UAH 14 million ($375,000). 

As stated by the SSU, the hackers sold data packs that pro-Kremlin propagandists bought in bulk and then utilized the accounts to distribute false information on social media, generate panic, and destabilize Ukraine and other nations. 

YuMoney, Qiwi, and WebMoney, which are not permitted in Ukraine, were used by the group to receive funds.The police discovered and seized many hard drives containing stolen personal data, alongside desktops, SIM cards, mobile phones, and flash drives, during the raids on the attackers' homes in Lviv, Ukraine. 

By infecting systems with malware, fraudsters were able to gather sensitive data and login passwords. They targeted systems in the European Union and Ukraine. According to Part 1 of Article 361-2 of the Ukrainian Criminal Code, unauthorized selling of material with restricted access, the group's organizer has been put under investigation.

The number of people detained is still unknown, but they are all charged criminally with selling or disseminating restricted-access material stored in computers and networks without authorization. There are lengthy prison terms associated with these offenses.

The gang's primary clients were pro-Kremlin propagandists who utilized the stolen accounts in their destabilizing misinformation efforts in Ukraine and other nations.

The SSU took down five bot farms that spread misinformation around the nation in March and employed 100,000 fictitious social media profiles. A huge bot farm with one million bots was found and destroyed by Ukrainian authorities in August.

The SSU discovered two further botnets in September that were using 7,000 accounts to propagate false information on social media.

Malware producers are frequently easier to recognize, but by using accounts belonging to real people, the likelihood that the operation would be discovered is greatly reduced due to the history of the posts and the natural activity.






US Forex Scam Lasted for Ten Years

Two US men, Patrick Gallagher, 44, of Middleborough, Massachusetts, and Michael Dion, 49, of Orlando, Florida, both pled guilty to one charge of conspiracy to commit financial crimes in a foreign exchange operation that spanned a decade. 

Forex: Is it a con?

The world's currencies are traded on the Forex market, a credible platform.  It would be tricky to trade the currencies required to pay for imports, sell exports, travel, or conduct cross-border business without the Forex market. However, because there is no centralized or regulated exchange and massive leverage positions (which theoretically have the potential to earn traders a lot of money), are available, con artists use the scenario and rookie traders' desire to join the market. 

Since the forex market is a 'zero-sum' market, in order for one trader to profit, another dealer must lose money. As a result, the forex market does not by itself increase market value. 

About the Scam  

According to the Department of Justice, hackers established a fake organization called Global Forex Management and lured investors by assuring them large profits based on falsified trading performances from the past.

Hackers alleged that IB Capital, the business of a conspirator, would use an online trading platform to trade the victims' money. Rather, Gallagher and Dion were stealing the money from the victim investors while collaborating with other criminals in the Netherlands.

Gallagher and Dion carried out their scheme in May 2012 by deliberately setting up negative trades for the investors, effectively stealing $30 million from their victims.

After fabricating the enormous trading loss, Gallagher and Dion used shell businesses they had built up all across the world to transfer the stolen funds.

How can we detect a forex scam?

Learning how to correctly trade on the Forex market is the single most crucial thing a person can do to avoid getting conned. Finding reliable Forex brokers, on the other hand, is a challenge in this situation. Before trading with real money, practice making long-term profits on demo accounts. Be aware that it can take years to thoroughly learn the Forex trade, just like it does with any professional ability. Avoid any claim that suggests 'you can generate money quickly.'

Furthermore, don't accept the assertions made at face value; instead, take the time to conduct your own investigation. The legitimacy of the business that makes the claims or offers the course or expertise is something else a person might wish to investigate. 

Ukraine Neutralizes Pro-Russian Hacking Group for Selling Data of 30 million Accounts

 

The cyber department of Ukraine‘s Security Service (SSU) has dismantled a hacking group acting on behalf of Russian interests operating from Lviv, the largest city in western Ukraine. 

The malicious group sold 30 million accounts belonging to residents from Ukraine and the European Union on the dark web accumulating a profit of $372,000 via banned electronic payment systems YuMoney, Qiwi, and WebMoney, in Ukraine. 

As per the SSU’s press release, the hackers were pro-Kremlin propagandists who primarily targeted Ukrainian citizens and people in Europe to exfiltrate the private details of unsuspecting users. 

The malicious actors exploited these accounts to spread chaos and panic in the region through disinformation campaigns and to encourage wide-scale destabilization in Ukraine through fake news.

“Their wholesale customers were pro-Kremlin propagandists. It was they who used the received identification data of Ukrainian and foreign citizens to spread fake news from the front and create panic. The goal of such manipulations was large-scale destabilization in countries,” the Security Service of Ukraine (SSU) stated. “It was also established that hacked accounts were allegedly used on behalf of ordinary people to spread disinformation about the socio-political situation in Ukraine and the EU.”

During the searches, the law enforcement agencies seized magnetic disks containing private data as well as computer equipment, mobile phones, SIM cards, and flash drives containing evidence of illegal activities from the searches carried out at the hackers’ homes. 

“Currently, the organizer has been notified of the suspicion under Part 1 of Art. 361-2 (unauthorized sale or distribution of information with limited access, which is stored in electronic computing machines (computers), automated systems, computer networks or on media of such information) of the Criminal Code of Ukraine,” SSU concluded. 

Ukrainian organizations facing the heat 

Multiple hackers from across the globe have tried to capitalize on the ongoing conflict between Russia and Ukraine to launch a barrage of cyberattacks. Earlier this year in June, the malicious actors targeted the Ukrainian streaming service Oll.tv and replaced the broadcast of a football match between Ukraine and Wales with Russian propaganda. 

One month later in July, the anonymous hacking group targeted Ukrainian radio operator TAVR Media to spread fake news that Ukrainian President Volodymyr Zelensky was hospitalized and in critical condition. 

The hackers broadcasted reports that the Ukrainian President was in an intensive care ward and that his duties were being temporarily performed by the Chairman of the Ukrainian parliament Ruslan Stefanchuk, the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) stated.

Malicious SEO Campaign is Leading Search Engine Users to JavaScript Malware

 

Threat analysts from security firm Deepwatch have unearthed a sophisticated search engine optimization (SEO) poisoning campaign targeting employees from several industries and government entities when they scan for specific words relevant to their work. Upon clicking on the malicious search outcomes, which are higher in ranking, the victims unknowingly download a popular JavaScript malware downloader. 

"Our findings suggest the campaign may have foreign intelligence service influence through analysis of the blog post subjects," researchers explained in a new report. "The threat actors used blog post titles that an individual would search for whose organization may be of interest to a foreign intelligence service e.g., 'Confidentiality Agreement for Interpreters.' The Threat Intel Team discovered the threat actors highly likely created 192 blog posts on one site." 

SEO poisoning modus operandi 

The researchers identified the malicious campaign while scanning an incident where one of the employees scanned for a “transition services agreement” on Google and ended up on a malicious site that offered them what seemed to be a forum thread where one of the customers shared a link to a zip archive. 

The zip archive included a file called "Accounting for transition services agreement" with a .js (JavaScript) extension that was a variant of Gootloader, a multi-staged JavaScript malware package that has been in the wild since late 2020. 

During the investigation of the site hosting the malware delivery page, the researchers realized it was a sports streaming distribution site. However, over 190 blog posts were hidden in their design on multiple topics relevant to professionals working in various industry sectors. These blog posts can solely be reached via Google search results. 

"The suspicious blog posts cover topics ranging from government, and legal to real estate, medical, and education," the researchers added. "Some blog posts cover topics related to specific legal and business questions or actions for US states such as California, Florida, and New Jersey. Other blog posts cover topics relevant to Australia, Canada, New Zealand, the United Kingdom, the United States, and other countries." 

Additionally, the hackers deployed a translation methodology that mechanically interprets and manufactures versions of these blog posts in Portuguese and Hebrew. Threat analysts attribute this malicious campaign to a group tracked as TAC-011 that has been active for a number of years and has likely exploited hundreds of authentic WordPress websites and may have generated thousands of individual blog posts to inflate their Google search rankings. 

Thwarting SEO poisoning assaults 

The researchers recommended organizations train their workers, remain vigilant regarding SEO poisoning assaults, and never open files with malicious extensions. Employees can use a text editor such as Notepad rather than open files with potentially risky script extensions such as .js, .vbs, .vbe, .jse, .hta, and .wsf rather than with the Microsoft Windows Based Script Host program, which is the default behavior in Windows. 

Furthermore, the security analysts advised organizations to make sure employees have the agreement templates they need available internally. Over 100 of the blog posts spotted on that one exploited sports streaming site were related to the business agreement template. The hackers have been employing fake forum thread methodology since at least March 2021, suggesting malicious actors still believe it as viable and a high success rate technique.

Teen Hacking Suspect Arrested by London Police for GTA 6 and Uber Breach

A 17-year-old Oxfordshire kid was detained on suspicion of hacking, according to information released by the City of London Police on Friday.

According to experts, the recent security breaches at Uber and Rockstar Games may have something to do with the arrest.

On September 18, a cyber threat actor identified as the 'teapotuberhacker' claimed to have hacked Rockstar Games, the company behind the well-known and contentious Grand Theft Auto (GTA) franchise, in a post on GTAForums.com. Teapotuberhacker claimed to have taken 90 movies of alpha material and the source code for Grand Theft Auto VI and its predecessor GTA V from Rockstar in that post, which has since been removed.

Notably, a 17-year-old Oxford boy was among the seven minors who were detained. The Oxford teenager was detained after other hackers posted his name and address online. The boy had two internet aliases: 'Breachbase' and 'White'. According to the reports, the boy had earned about $14 million via data theft. 

Further information concerning the inquiry was kept under wraps by the UK authorities. 

Seven adolescents were detained and later freed by City of London police in connection with a probe into the Lapsus$ hacking organization this spring.

Uber released more information regarding the latest security breach earlier this week. According to the firm, the threat actor responsible for the intrusion is connected to the LAPSUS$ hacker organization.

Flashpoint, a security company, presented a report of the Grand Theft Auto VI data breach this week and disclosed that the name of the hacker responsible for the two attacks had been made public on a dark web forum.

The forum administrator claimed that teapotuberhacker was the same guy who had allegedly hacked Microsoft and owned Doxbin in the debate, which was titled 'The Person Who Hacked GTA 6 and Uber is Arion,' according to the story that was published by FlashPoint.

If these claims are true, which is not entirely apparent, it will assist in explaining the most recent incident that law police conducted.

Noberus Ransomware Has Updated Its Methods

Recently there has been an increase in the use of different techniques, tools, and procedures (TTPs) by attackers using the Noberus aka BlackCat ransomware, making the threat more serious than ever. On Thursday, Symantec provided new techniques, tools, and procedures (TTPs) that Noberus ransomware attackers have employed recently.

Noberus is believed to be the sequel payload to the Darkside and BlackMatter ransomware family, according to a blog post by Symantec's Threat Hunter Team. The company said that Darkside is the same virus that was used in the May 2021 ransomware assault on Colonial Pipeline.

About  Coreid 

Coreid operates a ransomware-as-a-service (RaaS) business, which implies it creates the malware but licenses it to affiliates in exchange for a share of the earnings. 

Since Noberus was the first genuine ransomware strain to be deployed in real-world attacks and it was written in the computer language Rust, it piqued interest when it was discovered in November 2021; as a cross-platform language, Rust is notable. In accordance with Coreid, Noberus can encrypt files on the Windows, EXSI, Debian, ReadyNAS, and Synology operating systems.

The organization has chosen to utilize the ransomware known as Noberus, which is short for the BlackCat ALPHV ransomware that has been used in attacks on multiple American colleges, to escape law enforcement by using fresh ransomware strains, according to Symantec researchers.

The researchers claim that the criminal organization first started stealing money from businesses in the banking, hospitality, and retail industries using the Carbanak malware. Before the group's transition towards ransomware-as-a-service (RaaS) operation in the early 2020s, three of its members were arrested in 2018.

Noberus is a destructive ransomware

Coreid emphasized Noberus' various improvements over other ransomware, such as encrypted negotiation conversations that can only be seen by the intended victim. Cybercriminals have access to two different encryption methods and four different ways to encrypt computers, depending on their needs for speed and the size of their data heaps, thanks to Noberus.

Noberus employs a program called Exmatter to recover the stolen data. According to Symantec, Exmatter is made to take particular kinds of files from particular directories and upload them to the attacker's site even before the ransomware is activated. Exmatter, which is constantly modified and updated to exfiltrate files through FTP, SFTP, or WebDav, can produce a report of all the processed exfiltrated files and if used in a non-corporate setting, it has the potential to self-destruct.

Noberus is also capable of collecting credentials from Veeam backup software, a data protection and recovery product that many organizations use to store login information for domain controllers and cloud services, utilizing information-stealing malware called Infostealer. By using a specific SQL query, the malware known as Eamfo can connect to the SQL database containing the credentials and steal them.

Symantec reported that in December the gang introduced a 'Plus' category for allies who had extorted at least $1.5 million in attacks. The group has demonstrated that it will cut off allies who don't earn enough in ransoms, according to Symantec.

A potent data exfiltration tool for the most common file types, including.pdf,.doc,.docx,.xls,.xlsx,.png,.jpg,.jpeg,.txt, and more, was added to Coreid last month.

Similar to some other organizations, Coreid has outlined four primary entities that affiliates are not permitted to attack: the Commonwealth of Independent States, nations with ties to Russia, healthcare providers, and nonprofits.

According to Symantec, the affiliates are 'directed to avoid assaulting the education and government sectors,' but given the numerous attacks on universities around the world, they seem to be lax about this directive.




Void Balaur Targets Russian Entities

A hacker-for-hire company that was originally revealed in 2019 has extended its scope to target victims with links to Russia in the political and corporate sector. 

Reported to attack a variety of known target groups worldwide, Void Balaur is a very active hacker-for-hire cyber mercenary gang. Since at least 2016, people have seen their services available for purchase online. Private data collection and access to particular online email and social media sites, including Gmail, Outlook, Telegram, Yandex, Facebook, Instagram, and corporate emails, are among the services offered. 

Google claims Since 2012, TAG has been keeping tabs on a diverse group of Indian hackers-for-hire, many of whom have worked briefly for Indian security companies Appin and Belltrox.

The gang often conducts attacks that are both general and opportunistic with the goal of getting illegal access to popular email services, social networks, communications, and corporate accounts.

According to reports, the hack-for-hire service provided by the gang is offered using a variety of guises, including Hacknet and RocketHack. The operators have offered additional services over the years, including real-time location tracking, SMS logs, and remote device access.

Furthermore, the assault infrastructure run by Void Balaur includes more than 5,000 distinct domains that present themselves as portals for public services, authentication services, and email websites.

A wide range of industries, frequently with specific political or business ties to Russia, are among the new targets. Additionally, Void Balaur hunts out targets useful for positioning or assisting upcoming assaults. They have the United States, Russia, Ukraine, and a number of other nations as their targets.

However, in early 2022, one of the group's managed domains resolved to an IP address that belongs to and is run by the Russian Federal Guard Service (FSO), indicating what appears to be an operating oversight and raising the possibility of a connection.

Despite the fact that Void Balaur targets persons and organizations all over the world, ads launched in 2022 have targeted individuals who are active in political and business circumstances that are important to Russia.

The use of highly repeatable phishing emails that look like they are from banks or local governments is common in order to deceive recipients into clicking a malicious link and divulging their account information.

In September 2021, one of the group's most infamous efforts featured attacks that targeted the personal email accounts of lawmakers and government leaders of an Eastern European nation.

In accordance with its reputation as a cyber mercenary, Void Balaur does not confine itself to the geopolitical sphere. Nonetheless,  employing and adopting the proper security measures will help in repelling cyber mercenary attacks.

FDA Issues Cybersecurity Alert on Medtronic Insulin Pumps

The U.S. Food and Drug Administration issued a warning on Tuesday regarding the vulnerability of some insulin pump devices made by Medtronic. The flaw makes the devices vulnerable to cyberattacks while presenting a possibility for hackers to interfere with insulin delivery by gaining access to the device.

The FDA, a U.S. government organization, has issued an advisory regarding the MiniMed 600 Series Insulin Pump System from Medtronic, which includes the MiniMed 630G and MiniMed 670G devices.

The Department of Health and Human Services safeguards the public's health by ensuring the efficacy, security, and safety of pharmaceuticals for use in humans and animals, medical devices, and vaccinations. The agency is in charge of regulating tobacco products as well as the safety and security of our country's food supply, cosmetics, nutritional supplements, and devices that emit electronic radiation.

The FDA pointed out that many parts, including the insulin pump, constant glucose monitoring (CGM) transmitter, blood glucose meter, and CareLink USB device, connect wirelessly. A technical malfunction could make it possible for someone to break in and trigger the pump to administer the patient with either too much or too little insulin.

The insulin pumps are offered by Medtronic's diabetes division, which generated $2.41 billion in sales in 2021, or 8% of the business's overall revenue.

In the aftermath of the security incident, Medtronic cautioned users about the dangers and offered suggestions, such as advising them to permanently disable the 'Remote Bolus' function on the pump, refrain from disclosing the serial number of the device to unauthorized individuals, and avoid connecting or linking devices in public.

The business warned that patients should never accept remote connection requests and other remote activities unless patients or support persons initiated them and should always detach the USB device from their laptop while it is not being used to download pump data.

Although medical equipment is frequently connected to the internet, hospital networks, and other devices, the FDA warned that these same characteristics may pose cybersecurity threats.

According to the FDA advisory, "Medical devices, like other computer systems, might be subject to security breaches, possibly affecting the device's safety and effectiveness."

The MiniMed 508 and Paradigm insulin pumps have security flaws that Medtronic is unable to fully fix with software updates or patches. The FDA said that it was working with Medtronic to identify, discuss, and anticipate the negative consequences of this risk.


Email Phishing Attack Revealed by American Airlines

Several passengers of American Airlines are being warned that their personal information might have been compromised as a result of threat actors getting access to employee email accounts. 

The airline said that a phishing attempt led to hackers gaining access to the mailboxes of a limited number of employees. The stolen email accounts held some consumers' personal data. The airline noted in notice letters distributed on Friday, September 16th, that there is no proof that the disclosed data was misused.

The hack was detected on July 5th by American Airlines, which then swiftly protected the affected email accounts and recruited a cybersecurity forensics company to look into the security incident.

American Airlines had hired a cybersecurity forensics company to look into the incident. The inquiry revealed that unauthorized actors had obtained the personal information of both customers and workers. Although they did not say how many consumers were impacted, they did say that names, dates of birth, addresses, emails, phone numbers, passport numbers, and even certain medical information could have been exposed.

American Airlines issued the following statement to BleepingComputer by the Manager for Corporate Communications. "American Airlines is aware of a phishing campaign that resulted in a small number of team members' mailboxes being improperly accessed."

A very small amount of customers' and workers' personal information was found in those email accounts, according to American Airlines, which also provided a two-year membership to Experian's IdentityWorks.

With regard to the incident, the company stated "data security is of the utmost importance and we provided customers and team members with precautionary support. We also are actively developing additional technical safeguards to avoid a similar incident from happening in the future, even though we have no proof that any personal information has been misused."

In March 2021, the Passenger Service System (PSS), which is used by many airlines worldwide, including American Airlines, was infiltrated. SITA, a leading provider of air information technology, revealed that hackers broke into its systems.

To help employees recognize targeted phishing attacks, firms must ensure that staff receives adequate security training. Organizations' IT and security departments should explain to staff how communications will be handled. It is crucial to always inform people about how to recognize phishing emails. 












Thousands of Users Impacted in Revolut Data Breach

 

Financial technology firm Revolut has suffered a massive data breach that may have allowed hackers to access the private details of over 50,000 users. 

The fintech giant, which has a banking license in Lithuania, described the assault as “highly targeted” and stated the hacker only had access to 0.16% of customers’ data for a “short period” of time. 

“We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected. Customers who have not received an email have not been impacted,” Revolut spokesperson Michael Bodansky explained. To be clear, no funds have been accessed or stolen. Our customers’ money is safe – as it has always been. All customers can continue to use their cards and accounts as normal.”  

However, according to Revolut’s breach disclosure to the authorities in Lithuania, the firm says nearly 50,150 global customers, including 20,687 in the European Economic Area (EEA) and 379 Lithuanian citizens, may have been impacted by the data breach. The leaked data includes names, postal and email addresses, telephone numbers, partial card details, and bank account information.  

Soon after the attack, multiple Revolut users complained regarding obscene texts received via the application’s chat feature. Some customers also reported getting text messages directed to a Revolut phishing website. It’s unclear if these events are related to the breach. 

In its data breach notification to affected users, Revolut warned impacted users to be on high alert for follow-on phishing and fraud scams using leaked details. 

“Cyber-criminals are constantly looking for ways to make money at your expense and try to exploit human emotions in order to extract the information they need directly from you using social engineering techniques. Scammers usually follow the same principle – they try to force you to take actions without thinking about them after starting an emotional conversation,” the company warned users. 

“Malicious persons and fraudsters may try, using the publicized information about this breach of personal data security, to trick you with various login or other important personal data, offer some fictitious services and ask you to pay for them.” 

According to Forbes, London-based Revolut is UK’s most valuable fintech startup currently valued at $33 billion. It has over 20 million customers in 200 nations but is most popular in Europe and the UK. The app-based bank was established in 2015 by Russia-born Nikolay Storonsky and Ukraine-born Vlad Yatsenko.

Uber Blames Extortion, Hacking Group Lapsus$ For Recent Data Breach

 

Uber revealed more details about the security incident that occurred last week on Monday, pinning the attack on a threat actor it believes is affiliated with the notorious LAPSUS$ hacking group. 

The financially motivated extortionist group was dealt a massive blow in March 2022 when the City of London Police arrested seven suspected LAPSUS$ gang members aged 16 to 21. Two of them were charged for their actions weeks later. The hacker responsible for the Uber breach, an 18-year-old teenager known as Tea Pot, has also claimed responsibility for breaking into video game publisher Rockstar Games over the weekend.

"This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, NVIDIA, and Okta, among others," the San Francisco-based company said in an update.

As the company's investigation into the incident continues, Uber stated that it is functioning with "several leading digital forensics firms," in addition to cooperating with the US Federal Bureau of Investigation (FBI) and the Justice Department.

In terms of how the attack occurred, the ridesharing company stated that an "EXT contractor" had their personal device compromised with malware and their corporate account credentials stolen and sold on the dark web, correlating with an earlier Group-IB report. The previous week, the Singapore-based company reported that at least two of Uber's employees in Brazil and Indonesia had been infected with Raccoon and Vidar information robbers.

"The attacker then repeatedly tried to log in to the contractor's Uber account," the company said. "Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in."

After gaining access, the miscreant appears to have accessed other employee accounts, giving the malicious party access to "several internal systems" such as Google Workspace and Slack. The company also stated that as part of its incident response measures, it disabled impacted tools, rotated keys to the services, locked down the codebase, and blocked compromised employee accounts from accessing Uber systems or issued password resets for those accounts.

Uber did not say how many employee accounts were potentially compromised, but it emphasised that no unauthorised code changes were made and that there was no evidence the hacker had access to production systems that support its customer-facing apps. The firm also revealed that the attacker gained access to HackerOne bug reports, but added that "any bug reports the attacker was able to access have been remediated."

"There is only one solution to making push-based [multi-factor authentication] more resilient and that is to train your employees, who use push-based MFA, about the common types of attacks against it, how to detect those attacks, and how to mitigate and report them if they occur," Roger Grimes, data-driven defence evangelist at KnowBe4, said in a statement.

According to Chris Clements, vice president of solutions architecture at Cerberus Sentinel, organisations must recognise that MFA is not a "silver bullet" and that not all factors are created equal.
While there has been a transition from SMS-based authentication to an app-based approach to reduce the dangers associated with SIM swapping attacks, the attack against Uber and Cisco shows that security controls that were once thought to be infallible are being circumvented by other means.

The fact that threat actors are relying on attack paths such as adversary-in-the-middle (AiTM) proxy toolkits and MFA fatigue (aka prompt bombing) to trick an unsuspecting employee into inadvertently handing over MFA codes or authorising an access request underscores the importance of employing phishing-resistant methods.

"To prevent similar attacks, organizations should move to more secure versions of MFA approval such as number matching that minimize the risk of a user blindly approving an authentication verification prompt," Clements said.

"The reality is that if an attacker only needs to compromise a single user to cause significant damage, sooner or later you are going to have significant damage," Clements added, underscoring strong authentication mechanisms "should be one of many in-depth defensive controls to prevent compromise."

Microsoft Alert a Major Click Fraud Scheme Targeting Gamers

Microsoft is keeping tabs on a widespread click fraud scheme that targets gamers and uses covertly installed browser extensions on hacked devices.

The act of exaggerating the number of clicks on pay-per-click advertisements that constitutes a fraudulent click. According to experts, botnets are responsible for approximately a third of the traffic created by advertising on ad networks. To safeguard their image and keep their clients happy, advertising platforms frequently use click fraud prevention techniques, such as the Google search engine. 

In a series of tweets over the weekend, Microsoft Security Intelligence stated that "attackers monetize clicks generated by a web node WebKit or malicious browser extension stealthily installed on devices."

The internet company clarified in a tweet that the initiative targets unaware people who click rogue advertising or comments on YouTube. 

By doing this, a fake game cheats ISO file will be downloaded, and when opened, it will install the threat actors' necessary browser node-webkit (NW.js) or browser extension. Microsoft also mentioned that they saw the actors using Apple Disk Image files, or DMG files, indicating that the campaign is a cross-platform endeavor. 

It's important to note that the ISO file contains hacks and cheats for the first-person shooter game Krunker. Cheats are software tools that provide users of a game with a distinct advantage over other players.

DMG files, which are Apple Disk Image files usually used to distribute software on macOS, are also employed in the attacks in place of ISO images, demonstrating that the threat actors are aiming their attacks at several operating systems.

The discovery is no longer shocking because threat actors frequently use gamers as fine targets in their efforts, especially those who are scrambling to locate free cheats online.

The prevalence of virus spreading through well-known game franchises was demonstrated earlier in September by a report from endpoint security provider and customer IT security software company Kaspersky. The most popular file was distributed via Minecraft, which had 131,005 users infected between July 2021 and June 2022. 



Akamai Sighted an Evolving DDoS attack in EU

 

The most recent DDoS attack record was set by Akamai in July, but it was surpassed on Monday, September 12, by a fresh attack. 

In a DDoS attack, cybercriminals flood servers with fictitious requests and traffic to block legitimate users from using their services.

According to the cybersecurity and cloud services provider Akamai, the recent attack looks to be the work of the same threat actor, indicating that the operators are now strengthening their swarm.

European businesses were the main targets of the current attack, according to Akamai. It peaked at 704.8 million packets per second, making it the second attack of this size against the same client in as few as three months and around 7% more powerful than the attack in July.

Prior to June 2022, this user primarily experienced attack traffic against the principal data center, as per Craig Sparling of Akamai. Six data center locations were hit by the threat actors' firepower in Europe and North America.

The day after it was discovered, the attack was stopped. This DDoS attack, while not the biggest ever, was notable because it was the biggest one on European organizations. The DDoS attack vector utilized by the attackers included UDP, along with ICMP, SYN, RESET floods, TCP anomaly, and PUSH flood.

The multidestination attack was immediately launched by the attackers' command and control system, increasing the number of active IPs per minute from 100 to 1,813 in just 60 seconds.

This expansion of the targeting area attempts to attack resources that aren't deemed essential and aren't effectively safeguarded, but whose absence will still be problematic for the company.

Published in July, the company saw 74 DDoS attacks, and 200 or more were added later. The business claimed that this campaign shows how hackers are always enhancing their attack methods to avoid detection. 

However, because the particular organization had safeguarded all 12 of its data centers in response to the July incident, 99.8% of the malicious traffic was already pre-mitigated.

The security company Akamai concluded, that having a solid DDoS mitigation platform and plan in place is essential for protecting your company from disruption and downtime.





Bell Canada Hit by Hive ransomware

Bell Canada, a telecommunications firm, alerted consumers of a cybersecurity incident in which hackers gained access to business data. With more than 4,500 people, BTS is an autonomous subsidiary that specializes in installing Bell services for household and small-business customers in the provinces of Ontario and Québec.

Bell Technical Solutions, an independent subsidiary that specializes in the setup of Bell services for housing and small business customers in Ontario and Québec, had been the target of the recent cybersecurity incident, the company identified, according to a notice published on bell.ca. that "Some operational company and employee information was accessed in the recent cybersecurity incident,"

Although the Canadian telecoms operator declined to say when its network was compromised or the attack transpired, Hive claims in a fresh post to its data leak blog that BTS' systems were encrypted on August 20, 2022, almost exactly one month earlier.

To assist in the recovery process, outside cybersecurity professionals were hired. The Royal Canadian Mounted Police's cybercrime unit has been contacted about the attack, and the corporation has informed Canada's Office of the Privacy Commissioner of the occurrence.

In the wake of the occurrence, the Bell subsidiary cautioned customers that they might become the victim of phishing attacks and took immediate action to secure the compromised systems and to reassure users that no customer data, including credit and debit card numbers, banking information, or other financial data, was accessed as a result of the incident.

"Any persons whose private data could have been accessed will be promptly informed by us. Other Bell clients or other Bell businesses were not impacted; Bell Technical Solutions runs independently from Bell on a different IT system" the company stated.

Hive is an affiliate-based ransomware version that was first noticed in June 2021 and is used by hackers to launch ransomware attacks targeting healthcare facilities, charities, retailers, energy suppliers, and other industries globally.

Recently cyberattack by the Hive ransomware gang has led to an extortion attempt worth $2 million against Damart, the French clothing firm with over 130 locations throughout the world. According to data from Recorded Future, Hive is still one of the most active ransomware gangs, responsible for more than 150 attacks last month.









Uber Investigates Potential Breach Of its Computer System

 

Uber announced on Thursday that it is responding to a cybersecurity incident involving a network breach and that it is in contact with law enforcement authorities. The incident was first reported by the New York Times. When reached for comment, the company referred to its tweeted statement.  

As per two employees who were not authorised to speak publicly, Uber employees were instructed not to use the company's internal messaging service, Slack, and discovered that other internal systems were inaccessible.

Uber employees received a message that read, "I announce I am a hacker and Uber has suffered a data breach" shortly before the Slack system was taken offline on Thursday afternoon. The message went on to list a number of internal databases that the hacker claimed were compromised.

"It appeared that the hacker was later able to gain access to other internal systems, posting an explicit photo on an internal information page for employees," the New York Times stated. 

Uber has not released any additional information about the incident, but it appears that the hacker, believed to be an 18-year-old teenager, social-engineered the employee to obtain their password by impersonating a corporate IT employee and then used it to gain access to the internal network. 

The attacker was able to circumvent the account's two-factor authentication (2FA) protections by bombarding the employee with push notifications and contacting the individual on WhatsApp to abide by the authorization by claiming to be from Uber's IT department. The technique is similar to the recently disclosed Cisco hack, in which cybercriminal actors used prompt bombing to gain 2FA push acceptance. 

"Once on the internal network, the attackers found high privileged credentials laying on a network file share and used them to access everything, including production systems, corp EDR console, [and] Uber slack management interface," Kevin Reed, a chief information security officer at Acronis, told The Hacker News.

It's not the first time

This is not Uber's first security breach. It came under fire for failing to adequately reveal a 2016 data breach that affected 57 million riders and drivers and then paying hackers $100,000 to obfuscate the breach. It was only in late 2017 that the public became aware of it.

Uber's top security executive at the time, Joe Sullivan, was fired for his role in the company's response to the hack. Mr. Sullivan was charged with obstructing justice for failing to notify regulators of the breach, and he is currently on trial. Mr. Sullivan's lawyers have argued that other employees were responsible for regulatory disclosures and that the company had made Mr. Sullivan a scapegoat. 

In December 2021, Sullivan was sentenced to three additional counts of wire fraud in addition to the previously filed felony obstruction and misprision charges.

"Sullivan allegedly orchestrated the disbursement of a six-figure payment to two hackers in exchange for their silence about the hack," the superseding indictment said. It further said he "took deliberate steps to prevent persons whose PII was stolen from discovering that the hack had occurred and took steps to conceal, deflect, and mislead the U.S. Federal Trade Commission (FTC) about the data breach."

The latest breach comes as Sullivan's criminal case goes to trial in the United States District Court in San Francisco.

Reed concluded, "The compromise is certainly bigger compared to the breach in 2016. Whatever data Uber keeps, the hackers most probably already have access."

HP Bug Left Unpatched for a Year

Six high-severity software flaws have been known since July 2021, they cause a range of vulnerabilities in HP products used in enterprise settings and are not yet patched.

Firmware defects can result in malware infections that last even after an OS re-installation or allow long-term breaches that would not be detected by regular security techniques, making them extremely dangerous.

Although some of the weaknesses were made public by Binarly at Black Hat 2022 a month ago, the manufacturer hasn't delivered security upgrades for all afflicted models, leaving many customers vulnerable to attacks.

Binarly contributed to the resolution of six serious flaws that not only affect these devices but also numerous other HP product lines. This disclosure, which details arbitrary code execution flaws linked to System Management Mode, was coordinated with the HP PSIRT team (HPSBHF03806) (SMM).

SMM is a component of the UEFI firmware, which offers system-wide features including power management and low-level device control. Since this SMM sub-system has greater privileges than the operating system kernel (ring 0), vulnerabilities affecting the SMM can render security mechanisms ineffective.

According to Binarly, HP has not fixed the following six vulnerabilities for months:
  • Stack-based buffer overflow resulting in unauthorized code execution is CVE-2022-23930. Score for CVSS v3: 8.2 'High'
  • Out-of-bounds write on CommBuffer, which permits evading some validation, is CVE-2022-31644. Score for CVSS v3: 7.5 'High'
  • Out-of-bounds write on CommBuffer due to failure to verify the size of the pointer given to the SMI handler, CVE-2022-31645. Score for CVSS v3: 8.2 'High'
  • Out-of-bounds writing using the direct memory manipulation API feature can result in privilege elevation and arbitrary code execution, according to CVE-2022-31646. Score for CVSS v3: 8.2 'High'
  • CVE-2022-31640 - Inadequate input validation gives attackers access to the CommBuffer data and creates a conduit for unauthorized changes. Score for CVSS v3: 7.5 'High'
  • Callout vulnerability in the SMI handler that allows for arbitrary code execution is CVE-2022-31641. Score for CVSS v3: 7.5 'High'
Patch fix updates

Three security advisories have been posted by HP acknowledging the aforementioned vulnerabilities, and an equal number of BIOS updates have been released to remedy the problems for some of the vulnerable models; with the exception of thin client PCs, which received security updates on August 9, 2022. 

While CVE-2022-31640 and CVE-2022-31641 were fixed during August, the most recent update was released on September 7, 2022, and many HP workstations are still vulnerable. Furthermore, CVE-2022-23930 was patched on all impacted systems in March 2022.

The BIOS is a crucial component that guarantees compatibility between updated software and legacy hardware. Before installing Windows 10, make certain that your computer has the most recent BIOS installed.

The Windows update may fail and roll back due to an outdated graphics driver. Before beginning the update procedure, it is advised to check and make sure the most recent Graphics drivers are installed on your computer.


Shopify Risking Customers Data by Employing Weak Password Policy

 

Specops Software, a password manager, and authentication solutions vendor published a new report this week disclosing that e-commerce giant, Shopify with more than 3.9 million live websites globally, employs weak password policies on the user-facing section of its website. 

To create a Shopify account, users only need to create a password that is at least five characters in length and that does not begin or end with a space. 

Threat analysts at Specops examined a list of a billion breached passwords and unearthed that nearly every (99.7%) of those passwords comply with Shopify's requirements. However, this does not mean that Shopify customers' passwords have been breached, in fact, it only highlights the threats linked with using weak passwords. 

Shopify headquartered in Ottawa, Ontario was founded in 2006 by Tobias Lütke, Daniel Wenand, and Scott Lake following the trio's failure to find a suitable off-the-shelf e-commerce platform for a planned snowboarding store, Snowdevil. 

Risk of using weak passwords 

According to security analysts at Specops, password attacks work because the majority of businesses require users to set short-length passwords. For example, starting with a common word, followed by a number and/or special character. The length of the password is also very defensive. 

Earlier this year, Hive Systems, a cybersecurity firm, analyzed the amount of time required to brute force crack passwords of multiple lengths and with different levels of complexity. The security analysts discovered that a five-character password can be easily breached, irrespective of complexity. Given the ease with which hackers can crack shorter passwords, organizations ideally require complex passwords that are at least 12 characters in length. 

Enterprises risking users’ data safety 

According to the survey conducted by identity management vendor Hitachi ID, nearly 46% of enterprises store corporate passwords in office documents like spreadsheets making them vulnerable to a significant cyber threat. Hitachi ID surveyed 100 executives across EMEA and North America to recognize better how secure their password management is. 

It suggests that businesses aren’t practicing what they preach because almost all (94%) participants asserted they need password monitoring training, with 63% claiming they do so more than once a year.

Enhancing IT security 

This, of course, raises the question of what businesses require to strengthen their overall password security. Perhaps the most critical recommendation would be to set a password requirement that is longer and more complex than what is currently used. Businesses can employ Windows operating systems containing account policy settings to control password length and complexity requirements.

Additionally, organizations can use Specops Password Policy to restrict users from designing passwords vulnerable to dictionary assaults by blocking commonly employed passwords. This might include using consecutive repeating characters (such as 99999) or replacing letters impersonating symbols (such as $ instead of s).

Microsoft Teams: Bugs Use GIFs to Construct Reverse Shells

Malicious hackers can utilize Microsoft Teams to launch innovative phishing attacks and discreetly carry out commands to steal data via GIFs using a new attack method known as "GIFShell."

The new attack pattern demonstrates how hackers can merge various Microsoft Teams flaws and security holes to reap the benefits of reliable Microsoft infrastructure and distribute malicious files, and orders, and perform data exfiltration via GIFs.

This attack chain can be highly destructive, especially in network security environments where Microsoft Teams may be one of a limited set of authorized, trusted hosts and apps, as per Raunch. The GIFShell stager can be persuasively dropped and implemented on the victim's computer by exploiting two additional vulnerabilities found in Microsoft Teams, including a lack of permission enforcement and attachment spoofing.

Bobby Rauch, a cybersecurity expert, and pentester revealed multiple holes in Microsoft Teams that may be chained together for code execution, data theft, cybersecurity bypasses, and phishing attacks. This led Rauch to the discovery of the new attack chain.

This attack's primary tool is referred to as "GIFShell," and it enables an attacker to build a reverse shell that sends malicious commands via base64-encoded GIFs in Teams and exfiltrates the output using GIFs recovered by Microsoft's own servers.

GIFShell Attack

Since the data exfiltration takes place through Microsoft's own systems, security software that interprets the traffic as normal Microsoft Team activity will have a hard time identifying it.

The attacker must first persuade a user to install a malicious stager that runs commands and uploads command outputs via a GIF URL to a Microsoft Teams web hook to construct this reverse shell.

Rauch created a new phishing attack on Microsoft Teams to help with this. As we know, phishing assaults are effective at infecting devices.

The 'stager,' a malicious program that GIFShell uses to mislead users into launching on their devices, continuously scans the Microsoft Teams logs.

Any malware on the system can access these logs because they contain all received messages and are viewable by all Windows user groups.

Hackers would build their own Microsoft Teams tenant after installing the stager and get in touch with other Microsoft Teams users from outside their organization. Attackers can easily accomplish this since Microsoft Teams by default permits external communication.

Rauch's GIFShell Python script enables the hackers to transmit a message to a Microsoft Teams user that comprises a specially created GIF to start the attack. This GIF file was altered to add instructions to run on the target's computer.

The email and the GIF will be saved in Microsoft Team's logs when the victim receives them, which the malware stager watches.

The base64-encoded commands will be extracted by the stager and run on the device when it recognizes a message that contains a GIF. The output of the command will subsequently be converted to base64 text by the GIFShell PoC.

The hacker's open Microsoft Teams webhook is accessed by the stager using this base64 text as the filename for a remote GIF placed in a Microsoft Teams poll card.

To get the GIF, which would be named using the base64-encoded result of the executed command, Microsoft's servers will link back to the hacker's server URL when Microsoft Teams creates flashcards for the user.

This request will be received by the GIFShell server, which is installed on the hacker's server, and will instantly decode the filename so that the hackers can view the results of the command issued to the targeted device.

The Microsoft Teams files folder has also been discovered to be accessed by other software, including malware and commercial monitoring tools like Veriato.

In a report to BleepingComputer, Microsoft purely reaffirmed its claim to Rauch stating, "We evaluated the methods mentioned by this researcher and found that the two stated do not satisfy the requirements for an immediate security fix. To help maintain customer security, we're always exploring for new ways to better combat phishing, and we might do something in a future release to assist prevent this tactic."

Users should ensure ethical computing habits online, including vigilance when clicking on links to websites, opening unexpected files, or allowing file transfers. Users shall remain aware of this type of phishing.

Analysis of Cyberthreats Linked to Gaming Industry in 2022

 

In 2022, the global gaming industry will surpass $200 billion, with 3 billion players worldwide, predicts the analytical firm Newzoo. Such committed, solvent and eager-to-win viewers have become a bit of trivia for botnets, that always look for ways to deceive their victims. 

According to data gathered by Kaspersky between July 2021 and July 2022, dangerous files that propagated through the misuse of gaming brands were mostly related to Minecraft (25%), FIFA (11%), Roblox (9.5%), Far Cry (9.4%), and Call of Duty (9%).

In specific, the report reviewed the most widespread PC game–related threats and statics on miner breaches, attacks disguised as game frauds, and thefts. Also, it examined several most energetic malware groups, offering them detailed, in-depth features.

In aspects of annual dynamics, Kaspersky reveals seeing a decline in both the quantities of distribution (-30%) and the number of users (-36%) compared to 2020.

Further, in the first half of 2022, Kaspersky said those who witnessed a notable increase in the number of consumers threatened by schemes that can deceive secret info, with a 13% increase over the first half of 2021.

In the same period, hackers also amplified their attempts to expand Trojan–PSW: 77% of secret-stealing spyware infection cases have been linked to Trojan–PSW.

A few recent cases of concealing malware in software encouraged as game frauds, installers, keygens, and the games themself are the following:
  • Minecraft alt lists on videogames forums dropping Chaos ransomware
  • NPM packages masquerading as Roblox libraries conveying malware and password stealers
  • Microsoft Store copies of games with malware loaders
  • Valorant cheats elevated via YouTube falling info-stealing malware
The cause why hackers exploit game titles to entice people is mainly the massive targeted pool, as the exploited game titles capture the interest of tens of millions of players.

A few instances of fake in-game item stores that copied the originals are highlighted by Kaspersky. These stores conned gamers into paying for stuff they would never receive while also phishing their login information.

Some users find the cost of games itself to be prohibitive and turn to pirated versions instead. Other games are being developed in closed beta, which excludes many potential players and forces users to look for alternate access points. Hackers take advantage of these circumstances by selling fraudulent, pirated beta testing launchers.

In terms of threat variants, Kaspersky reported that little had changed since last year in the environment that impacts gamers, with downloaders (88.56%) topping the list of harmful and unwanted software that is disseminated using the names of well-known games. Trojans (2.9%), DangerousObject (0.86%), and Adware (4.19%) are the next three most prevalent threats.

Finally, many developers advise users to disable antivirus software before installing game-related mods, cheats, and tools because many of them are created by unofficial one-person projects and may trigger false positive security detections.

As a result, players may disregard AV alerts and run malicious programs that have been found on their systems. Downloaders dominate because they can pass internet security checks without incident while still retrieving riskier payloads later on when the user runs the program.

Kaspersky claims that information thieves, cryptocurrency miners, or both are frequently dumped onto the victim's PC. As always, only download free software from reputable websites and exercise caution when doing so.

Cryptominer Malware Posing as Desktop Version of Google Translate

 

While advertising desktop versions of well-known apps, a crypto mining effort from Turkey has been found infecting thousands of PCs. This campaign's offender is known as "Nitrokod." 

Nitrokod is a Turkish-speaking software company that has been operating since 2019 and promotes its free and secure software. The majority of the programs Nitrokod provides are well-known apps without a formal desktop version. For instance, the desktop version of Google Translate is the most used Nitrokod application. Since Google hasn't made a desktop version available, the hackers' version is quite tempting.

Over 111,000 individuals have been infected by Nitrokod in 11 countries so far.

Malware operation 

Free software that is hosted on websites like Uptodown and Softpedia is used by the campaign to spread malware. Every dropper in the executable's four-stage attack chain pulls the one after it. In the seventh stage, this ultimately results in the download of actual malware (XMRig) falling.

The victims of the campaign are spread throughout a number of nations, including the United Kingdom, Sri Lanka, the United States, Greece, Australia, Israel, Turkey, Cyprus, Mongolia, Poland, and Germany.

The creators of Nitrokod segregate destructive activities from the Nitrokod program that was initially downloaded in order to escape detection:
  • Nearly a month after the Nitrokod software was set up, the malware is first executed.
  • After six earlier phases of infected programs, the malware is deployed.
  • A scheduled job technique was used to maintain the virus chain after a lengthy wait, giving the hackers time to destroy any evidence.
Using Check Point's Infinity XDR (Extended Detection and Response) platform, a prevention-focused XDR solution, CPR discovered this new crypto miner malware campaign. With the use of this technology, SOC teams can swiftly identify, look into, and react to assaults across their whole IT infrastructure. By utilizing data collected from all products, including Endpoint, Networks, Web security, and others, it detects risks inside the company and stops its growth.

Nearly a month after the first infection, the malware is removed. The third stage dropper runs five days after the last run, and the fourth stage dropper adds four more scheduled activities with intervals ranging from one to fifteen days. The phases are removed following the creation of these assignments.

Detection &prevention  

The investigators will have an extremely difficult time identifying the attack and linking it to the bogus installation as a result of this. In order to obtain a configuration file to launch the XMRig mining operation, the virus also creates a connection to a distant C2 server.

Due to extended infection chains and staged infection, hackers were able to avoid detection for months. This gave them plenty of time to change the final payload into crypto miners or ransomware. In order to keep the malware versions in demand and unique, the virus is removed from popular apps like Google Translate that doesn't actually have a desktop version.