Search This Blog

Showing posts with label User Security. Show all posts

Malicious SEO Campaign is Leading Search Engine Users to JavaScript Malware


Threat analysts from security firm Deepwatch have unearthed a sophisticated search engine optimization (SEO) poisoning campaign targeting employees from several industries and government entities when they scan for specific words relevant to their work. Upon clicking on the malicious search outcomes, which are higher in ranking, the victims unknowingly download a popular JavaScript malware downloader. 

"Our findings suggest the campaign may have foreign intelligence service influence through analysis of the blog post subjects," researchers explained in a new report. "The threat actors used blog post titles that an individual would search for whose organization may be of interest to a foreign intelligence service e.g., 'Confidentiality Agreement for Interpreters.' The Threat Intel Team discovered the threat actors highly likely created 192 blog posts on one site." 

SEO poisoning modus operandi 

The researchers identified the malicious campaign while scanning an incident where one of the employees scanned for a “transition services agreement” on Google and ended up on a malicious site that offered them what seemed to be a forum thread where one of the customers shared a link to a zip archive. 

The zip archive included a file called "Accounting for transition services agreement" with a .js (JavaScript) extension that was a variant of Gootloader, a multi-staged JavaScript malware package that has been in the wild since late 2020. 

During the investigation of the site hosting the malware delivery page, the researchers realized it was a sports streaming distribution site. However, over 190 blog posts were hidden in their design on multiple topics relevant to professionals working in various industry sectors. These blog posts can solely be reached via Google search results. 

"The suspicious blog posts cover topics ranging from government, and legal to real estate, medical, and education," the researchers added. "Some blog posts cover topics related to specific legal and business questions or actions for US states such as California, Florida, and New Jersey. Other blog posts cover topics relevant to Australia, Canada, New Zealand, the United Kingdom, the United States, and other countries." 

Additionally, the hackers deployed a translation methodology that mechanically interprets and manufactures versions of these blog posts in Portuguese and Hebrew. Threat analysts attribute this malicious campaign to a group tracked as TAC-011 that has been active for a number of years and has likely exploited hundreds of authentic WordPress websites and may have generated thousands of individual blog posts to inflate their Google search rankings. 

Thwarting SEO poisoning assaults 

The researchers recommended organizations train their workers, remain vigilant regarding SEO poisoning assaults, and never open files with malicious extensions. Employees can use a text editor such as Notepad rather than open files with potentially risky script extensions such as .js, .vbs, .vbe, .jse, .hta, and .wsf rather than with the Microsoft Windows Based Script Host program, which is the default behavior in Windows. 

Furthermore, the security analysts advised organizations to make sure employees have the agreement templates they need available internally. Over 100 of the blog posts spotted on that one exploited sports streaming site were related to the business agreement template. The hackers have been employing fake forum thread methodology since at least March 2021, suggesting malicious actors still believe it as viable and a high success rate technique.

Scammers Employing Stolen Credit Card Data to Design Fake Websites


Cybersecurity researchers at ReasonLabs have unearthed a massive global multi-million dollar fraudulent scheme, operating since 2019. The number of victims including major firms like Amazon Web Services, Mastercard, and Visa is in the range of tens of thousands. 

Scammers methodology 

The fraudsters employed two types of websites, dating sites and customer support portals. When visiting the alleged firm’s websites, the researchers identified that the corporate sites either didn’t exist or had fake email addresses. The sites, although operational, didn’t receive massive traffic and were ranked very low in Google Search results, as their motive wasn’t to lure individuals, but allegedly to serve as a money laundering gateway. 

According to ReasonLabs cofounder and chief technology officer Andrew Newman, the domain structure and content of the websites were identical, indicating that were designed by automated tools. The customer support portals either use a fake identity or are created to impersonate real brands.  

The biggest hurdle of the fraudulent scheme was the registration of these fake sites as payment acquirers with the processors, who would typically classify them as “high risk”. To avoid being blacklisted, these sites introduced a 24/7 support chat system and a working telephone line, outsourced to a genuine support center provider. The sites also included a toll-free number for users if they want to cancel their payments which typically is not available on fraudulent websites. 

The researcher believes the scheme is operated from the middle of Europe or Russia, but the firm hasn't been able to fully verify the fraudsters' location. 

Tens of millions of dollars siphoned 

Once the legitimacy of the sites was approved, the scammers would tap into the pool of millions of stolen payment cards on the dark web (CC dumps), and charge them on the sites. The targeted cardholders were typically from the United States, but cards from French-speaking nations were also identified. 

Small amounts were being charged from the cards through recurring payments, using generic names blending with the victims’ spending habits. In some cases, the scammers charge the users back via the integrated “cancel subscription” system to artificially lower the charge-back rate and make their business seem authentic. 

By siphoning little amounts, this fraudulent scheme has been able to operate since 2019 without being discovered while generating tens of millions of dollars in revenue. The researchers randomly investigated several of the 275 fake websites, and unfortunately, they are all operating at the time of writing the article. Payment processors and law enforcement have reported the operation and are expected to take action soon.

Uber Blames Extortion, Hacking Group Lapsus$ For Recent Data Breach


Uber revealed more details about the security incident that occurred last week on Monday, pinning the attack on a threat actor it believes is affiliated with the notorious LAPSUS$ hacking group. 

The financially motivated extortionist group was dealt a massive blow in March 2022 when the City of London Police arrested seven suspected LAPSUS$ gang members aged 16 to 21. Two of them were charged for their actions weeks later. The hacker responsible for the Uber breach, an 18-year-old teenager known as Tea Pot, has also claimed responsibility for breaking into video game publisher Rockstar Games over the weekend.

"This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, NVIDIA, and Okta, among others," the San Francisco-based company said in an update.

As the company's investigation into the incident continues, Uber stated that it is functioning with "several leading digital forensics firms," in addition to cooperating with the US Federal Bureau of Investigation (FBI) and the Justice Department.

In terms of how the attack occurred, the ridesharing company stated that an "EXT contractor" had their personal device compromised with malware and their corporate account credentials stolen and sold on the dark web, correlating with an earlier Group-IB report. The previous week, the Singapore-based company reported that at least two of Uber's employees in Brazil and Indonesia had been infected with Raccoon and Vidar information robbers.

"The attacker then repeatedly tried to log in to the contractor's Uber account," the company said. "Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in."

After gaining access, the miscreant appears to have accessed other employee accounts, giving the malicious party access to "several internal systems" such as Google Workspace and Slack. The company also stated that as part of its incident response measures, it disabled impacted tools, rotated keys to the services, locked down the codebase, and blocked compromised employee accounts from accessing Uber systems or issued password resets for those accounts.

Uber did not say how many employee accounts were potentially compromised, but it emphasised that no unauthorised code changes were made and that there was no evidence the hacker had access to production systems that support its customer-facing apps. The firm also revealed that the attacker gained access to HackerOne bug reports, but added that "any bug reports the attacker was able to access have been remediated."

"There is only one solution to making push-based [multi-factor authentication] more resilient and that is to train your employees, who use push-based MFA, about the common types of attacks against it, how to detect those attacks, and how to mitigate and report them if they occur," Roger Grimes, data-driven defence evangelist at KnowBe4, said in a statement.

According to Chris Clements, vice president of solutions architecture at Cerberus Sentinel, organisations must recognise that MFA is not a "silver bullet" and that not all factors are created equal.
While there has been a transition from SMS-based authentication to an app-based approach to reduce the dangers associated with SIM swapping attacks, the attack against Uber and Cisco shows that security controls that were once thought to be infallible are being circumvented by other means.

The fact that threat actors are relying on attack paths such as adversary-in-the-middle (AiTM) proxy toolkits and MFA fatigue (aka prompt bombing) to trick an unsuspecting employee into inadvertently handing over MFA codes or authorising an access request underscores the importance of employing phishing-resistant methods.

"To prevent similar attacks, organizations should move to more secure versions of MFA approval such as number matching that minimize the risk of a user blindly approving an authentication verification prompt," Clements said.

"The reality is that if an attacker only needs to compromise a single user to cause significant damage, sooner or later you are going to have significant damage," Clements added, underscoring strong authentication mechanisms "should be one of many in-depth defensive controls to prevent compromise."

Uber Claims No Private Details Accessed in Latest Network Breach


The hacker who claims to have hacked Uber might not have landed a stinging punch. The ridesharing firm has provided an update regarding the security breach by confirming there's "no evidence" to suggest that intruders accessed sensitive user data, such as trip histories. 

All services provided by the company, including Uber, Eats, Freight, and the Uber Driver app are functioning correctly and have also restored the use of internal software it took down upon unearthing the network breach. 

“We have no evidence that the incident involved access to sensitive user data (like trip history),” the company stated. “Internal software tools that we took down as a precaution yesterday are coming back online this morning.” 

Uber contacted law enforcement and started an internal investigation into the incident, a company spokesman confirmed. However, the company didn't say more about the reported perpetrator or the nature of the incident, several security experts believe that it is downplaying the incident and has no clear idea regarding the depth of the breach. 

Intrusion details 

The breach allegedly involved a lone hacker, who claimed to be an 18-years-old male, who employed a social engineering-based hacking technique to trick an Uber employee into revealing login credentials by posing as a coworker. 

Upon securing an initial foothold, the hacker discovered an internal network share containing PowerShell scripts with privileged admin credentials, allowing carte blanche access to other critical systems, including AWS, Google Cloud Platform, OneLogin, SentinelOne incident response portal, and Slack. 

Singapore-based Group-IB's follow-up investigation of downloaded artifacts as captured by the hacker reveals complete access to Uber's cloud-based infrastructure to hold private consumer and financial data. The hacker blamed Uber’s feeble security system for successfully exploiting its databases. He also contacted the New York Times claiming that he hacked Uber for fun and has its source code in his possession, which he might post online. 

Firm’s history of downplaying the data breach 

Network breach has been an issue for Uber in the past. In 2018, it agreed to a $148 million settlement over a 2016 data breach the company failed to reveal. Hackers were able to siphon data on 57 million drivers and riders, including private details such as names, email addresses, and driver's license numbers.

The data breach incident remained buried for more than a year. However, in November 2017 multiple reports surfaced that Uber suffered a massive security breach, and paid the hackers $100,000 to delete the information and had them sign a nondisclosure agreement.

Uber Investigates Potential Breach Of its Computer System


Uber announced on Thursday that it is responding to a cybersecurity incident involving a network breach and that it is in contact with law enforcement authorities. The incident was first reported by the New York Times. When reached for comment, the company referred to its tweeted statement.  

As per two employees who were not authorised to speak publicly, Uber employees were instructed not to use the company's internal messaging service, Slack, and discovered that other internal systems were inaccessible.

Uber employees received a message that read, "I announce I am a hacker and Uber has suffered a data breach" shortly before the Slack system was taken offline on Thursday afternoon. The message went on to list a number of internal databases that the hacker claimed were compromised.

"It appeared that the hacker was later able to gain access to other internal systems, posting an explicit photo on an internal information page for employees," the New York Times stated. 

Uber has not released any additional information about the incident, but it appears that the hacker, believed to be an 18-year-old teenager, social-engineered the employee to obtain their password by impersonating a corporate IT employee and then used it to gain access to the internal network. 

The attacker was able to circumvent the account's two-factor authentication (2FA) protections by bombarding the employee with push notifications and contacting the individual on WhatsApp to abide by the authorization by claiming to be from Uber's IT department. The technique is similar to the recently disclosed Cisco hack, in which cybercriminal actors used prompt bombing to gain 2FA push acceptance. 

"Once on the internal network, the attackers found high privileged credentials laying on a network file share and used them to access everything, including production systems, corp EDR console, [and] Uber slack management interface," Kevin Reed, a chief information security officer at Acronis, told The Hacker News.

It's not the first time

This is not Uber's first security breach. It came under fire for failing to adequately reveal a 2016 data breach that affected 57 million riders and drivers and then paying hackers $100,000 to obfuscate the breach. It was only in late 2017 that the public became aware of it.

Uber's top security executive at the time, Joe Sullivan, was fired for his role in the company's response to the hack. Mr. Sullivan was charged with obstructing justice for failing to notify regulators of the breach, and he is currently on trial. Mr. Sullivan's lawyers have argued that other employees were responsible for regulatory disclosures and that the company had made Mr. Sullivan a scapegoat. 

In December 2021, Sullivan was sentenced to three additional counts of wire fraud in addition to the previously filed felony obstruction and misprision charges.

"Sullivan allegedly orchestrated the disbursement of a six-figure payment to two hackers in exchange for their silence about the hack," the superseding indictment said. It further said he "took deliberate steps to prevent persons whose PII was stolen from discovering that the hack had occurred and took steps to conceal, deflect, and mislead the U.S. Federal Trade Commission (FTC) about the data breach."

The latest breach comes as Sullivan's criminal case goes to trial in the United States District Court in San Francisco.

Reed concluded, "The compromise is certainly bigger compared to the breach in 2016. Whatever data Uber keeps, the hackers most probably already have access."

Crypto Scammers Hack Famous Youtube Channel ‘DALLMYD’ with 13 Million Subscribers


Popular YouTuber Jake Koehler (aka Scuba Jake) has disclosed the hacking of his channel with over 13 million subscribers and 1.75 billion views since its establishment in 2011. The crypto fraudsters took control of the channel on September 9 and tried to defraud subscribers with a bogus giveaway involving Bitcoin (BTC) and Ethereum (ETH). 

An analysis by the financial news and crypto analysis blog Finbold shows that fraudsters siphoned 1.01 BTC, equivalent to nearly $21,000 in a fake crypto lottery. The investigation relied on QR codes published by scammers for subscribers to scan before sending cryptocurrencies. 

The shared Bitcoin wallet recorded four transactions and received a total of 1,0107 BTC. That’s the same amount the crypto scammers siphoned from Jake’s subscribers, but it can be much higher as the fraudsters may have switched wallets during the live broadcast, reported. 

The scam impersonated other fraudulent incidents on YouTube where scammers utilize an old interview involving a famous personality in crypto circles, re-post it as a live stream, and advertise the fake giveaway in the information section. It is believed that scammers opt for the live option because it offers more credibility. 

How fraudsters targeted Scuba Jack subscribers 

Under the crypto scam, the fraudsters changed the channel’s name from ‘DALLMYD’ to ‘MicroStargey US,’ replicating the crypto-friendly American business intelligence company MicroStrategy. 

Subsequently, the scammers conducted at least two live streams of an old video involving former MicroStrategy’s CEO Michael Saylor. In this case, the scammers lured innocent subscribers into sending cryptocurrency, thinking they would receive a prize from Saylor or higher returns. Currently, the channel had been restored, with Jack confirming the same via an Instagram story on September 10.

Scammers leveraging YouTube to launch crypto scams 

The scammers are exploiting the YouTube platform to target high-profile individuals and organizations. Earlier this year in May, the crypto scammers employed a “double your funding” scheme to lure their victims with the promise of high Bitcoin profits. Millions of dollars were stolen with the help of fake endorsements from the prominent faces of Elon Musk, Jack Dorsey, and Cathie Wood. 

The unknown fraudsters made more than $1.3 million in just a few weeks after re-streaming an edited model of an old live panel dialogue on cryptocurrency with Elon Musk, Jack Dorsey, and Cathie Wood at Ark Invest’s “The ₿ Word” convention. 

Furthermore, research by antivirus software firm Kaspersky disclosed that besides targeting YouTube channels, fraudsters are increasingly prowling the comments section under videos to promote fake crypto services while offering low prices for certain currencies. The hackers usually target top-trending videos and leave comments promoting a fake “breach” in the crypto market with enticing statistics.

Attackers Compromise Employee Data at PVC-Maker Eurocell

According to a law firm, a leading British PVC manufacturer has been contacting current and former employees to notify them of a "substantial" data breach. 

A data protection law specialist, Derbyshire-based Eurocell, which also operates as a distributor of UPVC windows, doors, and roofing products, disclosed the news in a letter to those affected. The firm apparently explained in it that an unauthorised third party gained access to its systems, as per Hayes Connor.

The compromised data included employment terms and conditions, dates of birth, next of kin, bank account, NI and tax reference numbers, right-to-work documents, health and wellbeing documents, learning and development records, and disciplinary and grievance docs. That's a lot of information for potential fraudsters to use in subsequent phishing or even extortion.

Eurocell has reportedly stated that there is no proof of data misuse, but this will provide little comfort to those affected. It is also unknown how many employees would be affected.

“The company has over 2,000 current employees, but it is possible that many more former employees could also be at risk given the type of information that has been exposed,” warned Hayes Connor legal representative, Christine Sabino.

“Every employer has various obligations when it comes to data security, which means they have a duty to keep sensitive information secure. This type of incident warrants a significant investigation. Our team has started to make our own enquiries into the case and are determined to ensure our clients get the justice they deserve.”

Hayes Connor made headlines earlier this year when it announced that over 100 current and former employees of a leading luxury car dealership would sue the firm following a data breach. On that occasion, they were dissatisfied with LSH Auto's lack of transparency regarding the incident.

Threat Actors Exploit WeTransfer to Spread Lampion Malware


In a new phishing campaign unearthed by Cofense researchers, the Lampion malware is being distributed massively, with hackers exploiting WeTransfer as part of their campaign.

WeTransfer is an internet-based computer file transfer service that can be utilized free of cost, hence it's a no-cost way to circumvent security software that may not detect URLs in emails. 

The malware authors are sending phishing emails from exploited firm accounts requesting customers to download a "Proof of Payment" document from WeTransfer. 

The file sent to the targets is a ZIP archive containing a VBS (Virtual Basic script) file that the user must open in order for the attack to begin. Upon clicking on the file, the script launches a WScript process that manufactures four VBS files with random names. The first is empty, the second has limited functionality, and the third's sole motive is to launch the fourth script. 

According to Cofense researchers, this extra step is unclear, but modular execution approaches are typically preferred for their versatility, allowing easy file swaps. The fourth script initiates a new WScript process that links to two hardcoded URLs to retrieve two DLL files concealed inside password-protected ZIPs. The malicious links lead to Amazon AWS instances. 

The ZIP file password is concealed in the script, so the archives are extracted without user communication. The contained DLL payloads are loaded into memory, allowing Lampion to be stealthily executed on compromised systems. 

Subsequently, the malware initiates extracting data from the computer, and bank accounts, and overlaying its own login forms on login pages. These fake bogus forms are stolen and sent to the hacker when users enter their credentials. 

The Lampion trojan has been active since at least 2019, primarily targeting Spanish-speaking users and employing exploited servers to deploy its malicious ZIPs. 

Last year, the malware was identified exploiting cloud services for hosting the malware for the first time, including Google Drive and pCloud. Recently, in March 2022, Cyware reported an increase in trojan distribution, identifying a hostname link to Bazaar and LockBit operations.

Prevention Tips 

Researchers advised users to apply the following mitigations to defend against malware attacks: 
  • Update software, including operating systems, applications, and firmware frequently 
  • Install OS patches when they are available 
  • Enforce MFA to the greatest extent possible 
  • If you use RDP and/or other potentially risky services, secure and monitor them closely 
  • Employ cryptographic vaults for data safety

US Law Enforcement Agencies Employ Obscure Phone Tech to Track People Movements


Multiple law enforcement agencies in Southern California and North Carolina are employing a powerful but relatively inexpensive cellphone tool dubbed ‘Fog reveal’ to track individual devices without a warrant based on data collected from apps installed on citizens’ smartphones. 

According to a detailed report published by the Associated Press based on documents extracted by the Electronic Frontier Foundation (EFF), the tool provided US police the ability to scan billions of records from 250 million mobile devices and harness the ensuing data to create “patterns of life” for each individual, which also included homes and workplaces locations. 

Fog Reveal was designed by Virginia-based Fog Data Science and is reportedly used extensively by law enforcement agencies in the US to solve criminal cases. 

According to AP, the surveillance software collected the data in a searchable way and designed software able to sift through it in a sophisticated way. Subsequently, the app makers sold the software in about 40 contracts to nearly 20 agencies, with prices starting at $7,500 a year. 

The technology is controversial as US courts are still weighing the use of location data, and the latest such ruling from the US Supreme Court held that law enforcement agencies would require a warrant in most cases, to access records of users’ movements and location. 

Additionally, mobile geolocation data of individuals should only be requested from Google (Android devices) or Apple (iPhones and iPads) by police forces in possession of a warrant released by a court.

The Virginia-based firm defended this claim by arguing that its data is anonymized, with the company not having any way of linking signals back to a specific device or owner. At the same time, some of the documents obtained by AP suggest police forces may be able to deanonymize the data to identify and locate specific individuals. 

The AP investigation primarily relied on public records (including GovSpend and Freedom of Information Act requests) and internal emails extracted by the local news outlet. The report comes days after the US military and intelligence agencies revealed a new monitoring operation to guard electoral procedures from hacking and fake news before and during the November midterms elections.

NSA and CISA Share Tips to Secure the Software Supply Chain

Recently, the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have published a 64 long pages document in which the institutions gave tips on securing the software supply chain. 

The guidelines are framed by the Enduring Security Framework (ESF)—a public-private partnership that works on intelligence-driven, shared cybersecurity challenges and addresses threats to U.S. critical infrastructure and national security systems—to serve as a collection of suggested practices for software developers. 

"Securing the Software Supply Chain for Developers was created to help developers achieve security through industry and government-evaluated recommendations," the Department of Defense's intelligence agency said. 

State-sponsored cyberattacks like the SolarWinds supply-chain attack and FireEye which led to exploitation of several US federal agencies, and took advantage of software vulnerabilities like Log4j brought the Enduring Security Framework into the course. 

Following the cyber threats, US President Biden signed an executive order in May 2021 to advance the country's mechanism against cyberattacks. Additionally, the Biden cabinet released a new Federal strategy against cyber threats in January, pushing its government to adopt a "zero trust" security model. Later, NSA and Microsoft recommended this approach in February 2021 for large enterprises and critical networks. 

“The developer holds a critical responsibility to the security of our software. As ESF examined the events that led up to the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer,” reads NSA’s statement. 

Following are some of the mitigation tips that have been recommended in the report: 

• Generate architecture and design documents
• Create threat models of the software product
• Gather a trained, qualified, and trustworthy development team
• Define and implement security test plans
• Establish product support and vulnerability handling policies and procedures
• Define release criteria and evaluate the product against it
• Document and publish the security procedures and processes for each software release
• Assess the developers’ capabilities and understanding of the secure development process and assign training

Furthermore, the report recommends that the supplier and developer management team should set policies and security-focused principles that ensure the growth and protection of the company’s infrastructure against cybercrimes. 

JuiceLedger Attacker Linked to Phishing Attacks Targeting PyPI Users


Threat analysts at SentinelOne and Checkmarx have unearthed the hacker behind the recently launched phishing attacks targeting Python Package Index (PyPI) users. 

Earlier this week on Thursday, researchers disclosed that the supply chain attacks were part of a larger campaign aimed at spreading the JuiceStealer credential-stealing malware since late last year. 

Initially, JuiceStealer was deployed via a methodology called typosquatting, in which the hacker tracked as JuiceLedger injected PyPI with hundreds of packages that nearly impersonated the names of popular ones, in the hopes that some users would fall into a trap and install them. 

The malware was identified on VirusTotal in February when the hacker submitted a Python app that secretly installed the malware. JuiceStealer is developed using the .Net programming framework to steal sensitive data from victims’ browsers. Based on the data extracted from the code, the researchers have linked the malware to activity that started in late 2021 and has evolved rapidly since then. One likely connection is to Nowblox, a fraud site that claimed to offer free Robux, the online currency for the game Roblox. 

Recently, the hacker started employing crypto-themed fake apps such as the Tesla Trading bot, which was deployed in zip files accompanying additional legitimate software. 

"JuiceLedger appears to have evolved very quickly from opportunistic, small-scale infections only a few months ago to conducting a supply chain attack on a major software distributor," the researchers wrote in a post. "The escalation in complexity in the attack on PyPI contributors, involving a targeted phishing campaign, hundreds of typosquatting packages, and account takeovers of trusted developers, indicates that the threat actor has time and resources at their disposal." 

With account takeover attacks becoming a popular technique for hackers looking to exploit software supply chains, PyPI has started imposing a mandatory two-factor authentication (2FA) requirement for projects deemed "critical." People downloading packages from PyPI—or any other open-source repository—should remain vigilant to ensure the software they're downloading is authentic. 

PyPI is by far not the sole code repository that threat actors have exploited recently. Security vendors have reported multiple identical attack incidents involving other widely employed registries such as npm and Maven Central. 

“Given the widespread use of PyPI and other open source packages in enterprise environments, attacks such as these are a cause of concern, and security teams are urged to review the provided indicators and take appropriate mitigation measures,” researchers added.

Over 1,900 Signal User Data Exposed


The attacker involved in the latest Twilio data leak may have obtained phone numbers and SMS registration codes for 1,900 Signal users.

“Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered,” the Signal team shared on Monday.

Twilio offers phone number verification services (through SMS) to Signal. Earlier this month, several Twilio employees were duped into receiving SMS messages that seemed to be from the company's IT department. The attacker gained access to information pertaining to 125 Twilio client accounts, including Signal's.

“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code,” the Signal team explained.

As previously stated, the attacker was able to re-register at least one of the three numbers they specifically sought for.

“All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected,” the team noted. That’s because that data is stored on the users’ device and Signal has no access to or copy of it. “And this information certainly is not available to Twilio, or via the access temporarily gained by Twilio’s attackers,” the team added.

Unfortunately, if the attacker was successful in re-registering an account, they might impersonate the user by sending and receiving Signal communications from that phone number.

Signal is immediately contacting potentially affected users of this vulnerability through SMS. The business has unregistered Signal on all devices that these 1,900 users are now using (or that an attacker has registered for them) and is requesting that they re-register Signal with their phone number on their preferred device.

Furthermore, they are advising them to enable registration lock (Signal Settings (profile) > Account > Registration Lock) for their account, which is a function that aids in the prevention of this sort of fraud.

The attacker was able to obtain either the phone numbers of 1,900 registered Signal users or the SMS verification code they used to register with Signal as a result of this.

“The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against. We strongly encourage users to enable the registration lock. While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” the team concluded.

Aetna Reports Mailing Vendor Hack Affected 326,000


Aetna ACE revealed to federal regulators a health data breach impacting about 326,000 people that was caused by a ransomware event involving OneTouchPoint, a subcontractor that offers printing and mailing services to one of the insurer's contractors. 

OneTouchPoint, located in Wisconsin, revealed to Maine's attorney general last week that a hacking issue uncovered in April affected roughly 1.1 million people. In a statement posted on its website, OneTouchPoint also identifies more than 30 health plan clients who were affected by the event. That list does not include Aetna ACE. 

Despite this, Aetna ACE reported the OneTouchPoint issue to the Department of Health and Human Services on July 27 as a HIPAA breach impacting almost 326,300 people. Aetna states the exposed information may have included names, residences, dates of birth, and limited medical information, according to a statement given to Information Security Media Group on Tuesday. 

According to Aetna, the incident did not include any of Aetna's or parent company CVS Health's systems. Some experts believe that breaches involving health insurers pose significant privacy and security risks to their members' protected health information. 

"Insurance companies typically hold large volumes of individually identifiable data that are valuable to hackers," says Kate Borten, president of privacy and security consulting firm The Marblehead Group. 

The OneTouchPoint incident is not Aetna's first known health data leak involving a vendor that offers printing and mailing services. Aetna paid millions of dollars in regulatory fines and civil settlements as a result of a botched mailing breach in 2017. 

This privacy violation happened during a vendor's sending of letters to around 12,000 Aetna plan participants in different states informing them of new alternatives for filling their HIV medicines. The members' HIV medicine information was possibly apparent via the clear windows of the shipping envelopes. Aetna paid more than $20 million in court settlements relating to regulatory fines imposed by a few state attorneys general and the resolution of class action lawsuits as a result of the privacy issue.

Novel Phishing Campaign Employs Countdown Timer to Pressurize Victims


A new phishing campaign is forcing victims into entering their credentials by claiming their account will be deactivated and it employs a countdown timer to build the pressure. 

The malicious campaign begins with a text which claims to warn the recipient that an attempt to log in to their account from a location they haven't used before has been blocked and is offered a solution in the form of email verification, cybersecurity researchers at Cofense explained in a blog post. 

Ransomware attackers frequently employ fear tactics because sending victims into a state of panic means they're more likely to follow instructions, particularly if they've been told something is wrong with their accounts. 

What sets this phish apart from other campaigns is the countdown clock displayed to the recipient once the malicious link is accessed. The timer ticks down for an hour, claiming the user must enter their username and password to 'validate' their account before the countdown clock hits zero. 

The real scenario is completely different because nothing will be deleted even if the countdown timer reaches zero. The phishing campaign can only be successful if the targeted user falls into a trap and enters login credentials. 

Phishing attacks are one of the most common techniques hackers employ to steal usernames and passwords. Earlier this year in May, researchers at Zscaler's ThreatLabz identified a phishing campaign employing fake voicemails to exfiltrate data of US organizations across various industries, including software security, security solution providers, the military, healthcare, and pharmaceuticals. 

Tips to mitigate phishing attacks 

1. Employ MFA 

Using multi-factor authentication (MFA) can help protect accounts because even if the attacker knows the correct login credentials, the need for extra verification prevents them from being able to access the account, as well as providing a warning that something could be wrong. 

2. Get free anti-phishing add-ons 

Most browsers nowadays will enable you to download add-ons that spot the signs of a malicious website or alert you about known phishing sites. They are usually completely free so there’s no reason not to have them installed on every device in your organization. 

3. Don’t enter your credentials on an unsecured site 

If the URL of the website doesn’t start with “https”, or you cannot see a closed padlock icon next to the URL, do not enter any sensitive information or download files from that site. Sites without security certificates may not be intended for phishing scams, but it’s better to be safe than sorry.

Discord Users Targeted by Malicious Npm Packages


Kaspersky researchers have unearthed yet another supply chain attack campaign employing multiple malicious npm packages, this time targeting Discord users to steal their payment card information. 

The malware employed in these attacks is a modified version of an open-source and Python-based Volt Stealer token logger and JavaScript malware dubbed Lofy Stealer. 

“The Python malware is a modified version of an open-source token logger called Volt Stealer. It is intended to steal Discord tokens from infected machines and the victim’s IP address and upload them via HTTP,” reads the analysis published by Igor Kuznetsov and Leonid Bezvershenko. 

The malware monitors the victims' actions, such as Discord logins, attempts to change the credentials, multi-factor authentication (MFA) toggles, or the addition of new payment methods to steal Discord accounts and payment information. 

Subsequently, the harvested data is uploaded to the remote endpoint whose address is hardcoded (e.g., life.polarlabs.repl[.]co, sock.polarlabs.repl[.]co, idk.polarlabs.repl[.]co). 

“The JavaScript malware we dubbed ‘Lofy Stealer’ was created to infect Discord client files in order to monitor the victim’s actions, researchers added. It detects when a user logs in, changes email or password, enables/disables multi-factor authentication (MFA), and adds new payment methods, including complete bank card details. Collected information is also uploaded to the remote endpoint whose address is hard-coded,” the analysis further read.

Kaspersky states that they are constantly monitoring the updates to repositories to rapidly scan and remove all new malicious packages. 

According to researchers, this is a repetitive process among malicious npm packages, and it's just one of the seemingly endless streams of malware specifically designed to target Discord users in recent years with info stealers. 

For example, in 2019, malware dubbed Spidey Bot was employed to alter the Windows Discord user to backdoor it and deploy an information-stealing trojan. Last year, malicious npm and PyPI libraries were also employed to target Discord users, steal their user tokens and browser information, and deploy MBRLocker data wiping malware called Monster Ransomware. 

Earlier this year, JFrog researchers uncovered multiple malicious packages in the NPM registry particularly targeting several popular media, logistics, and industrial companies based in Germany to carry out supply chain assaults.

Uber Admits Covering up Data Breach Involving 57M Users


Uber has reached an agreement with the US Department of Justice regarding its cover-up of a data breach in November 2016. In exchange for avoiding prosecution, the ride-hailing company has agreed to assist the DOJ in prosecuting its former top security officer Joseph Sullivan. 

The agreement stemmed from a data breach that compromised the personal information of 57 million people, including both passengers and drivers. The attackers gained access to a secret source code repository and obtained an access key, which they then used to steal the data. 

According to reports, the corporation decided to pay off the criminals while also hiding the breach from the Federal Trade Commission (FTC), which was already examining its security policies at the time. Uber notified the FTC and dismissed Sullivan in November 2017, following the resignation of previous CEO Travis Kalanick and the appointment of new CEO Dara Khosrowshahi. It reached an agreement with the Commission in 2018, agreeing to maintain a privacy programme that includes external audits. It also paid $148 million to resolve disputes with all 50 states. 

In August 2020, the Department of Justice charged Sullivan with obstruction of justice and hiding a felony. In December 2021, it announced new accusations of wire fraud for neglecting to notify Uber drivers that their driver's licences had been compromised. Uber had previously been working with the investigation and will continue to do so under the conditions of the most recent settlement. 

The corporation has agreed to disclose any materials and witnesses needed to help the DoJ prosecute Sullivan. In exchange, Uber and its affiliates are exempt from prosecution in connection with the 2016 data breach. 

According to Ilia Kolochenko, founder of ImmuniWeb and member of the Europol Data Protection Experts Network, Uber may still face a private legal lawsuit.“To void such undesirable situations, companies should take privacy and data breaches seriously, considering their duties and obligations under all applicable laws and regulations,” he said. 

“Having a well-thought-out data breach response plan in place that would include, among other things, swift interaction with internal and external legal teams, media and investors, is crucial to minimize reputational and financial damage of unpreventable data breaches. The close collaboration of technical and legal experts is the next big thing in cybersecurity,” further added. 

Sullivan is a former federal prosecutor who currently serves as Cloudflare's chief security officer. He served as an assistant US attorney in the Northern District of California from 2000 to 2002, where he will be tried in September. He stated yesterday that he will be taking time off from work to prepare for the trial.

T-Mobile Agrees to Pay $350M to Users in Data Breach Settlement


This week, T-Mobile agreed to pay $350 million to settle litigation brought over an August 2021 cyberattack in which a hacker siphoned private information belonging to an estimated 76.6 million people. 

According to an SEC filing Friday afternoon, the company also promised to make an additional $150 million investment in data security and related technologies this year and next. The $350 million payout will fund claims by class members, the legal fees of plaintiffs’ counsel, and the costs of administering the settlement. 

If the court approves the settlement, it “will resolve substantially all of the claims brought by the Company’s current, former and prospective customers who were impacted by the 2021 cyberattack,” T-Mobile said in its SEC filing. 

The Bellevue, Wash.-based wireless carrier will continue to cooperate with various regulators who are separately investigating the incident, according to a T-Mobile spokesperson. “As we continue to invest time, energy, and resources in addressing this challenge, we are pleased to have resolved this consumer class action filing,” T-Mobile issued a statement Friday regarding the settlement on its website. 

According to the SEC filing, T-Mobile expects to record a pre-tax charge of about $400 million in the second quarter as a result of the settlement. The filing notes that the charge and the $150 million investment in security were anticipated in its prior financial guidance to investors. 

Last year in August, T-Mobile announced a data breach after a hacking organization infiltrated its computer systems to steal sensitive data relating to millions of customers, and sold some of the information on the dark web. 

The motherboard was given access to some of the data, and the publication confirmed that it contained correct details on T-Mobile subscribers. The seller told Motherboard that they had infiltrated multiple T-Mobile servers. A subset of the data, containing around 30 million social security numbers and driver's licenses, is being sold on the forum for six bitcoins, while the rest is being sold privately.

T-Mobile is the brand name for the mobile communications companies of Deutsche Telekom AG, a German telecommunications firm. In the Czech Republic (T-Mobile Czech Republic), the Netherlands (T-Mobile Netherlands), Poland (T-Mobile Polska), and the United States (T-Mobile US). 

Microsoft Adds Default Account Lockout Policy in Windows 11 to Block RDP Brute-Force Attacks


In the latest Windows 11 builds, Microsoft introduced default Account Lockout Policy which will automatically lock user accounts after 10 consecutive failed login attempts for 10 minutes. 

The account brute forcing process involves inputting a massive number of passwords consecutively using automated tools. The new policy blocks such attacks and can be found in Windows 11 Insider Preview Build 22528.1000 and newer. 

"Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors," David Weston, Microsoft's VP for Enterprise and OS Security, stated. "This technique is commonly used in Human Operated Ransomware and other attacks - this control will make brute forcing much harder which is awesome!" 

Brute forcing credentials is a common methodology employed by hackers to infiltrate Windows systems via Remote Desktop Protocol (RDP) when they don't know the account passwords. The use of Remote Desktop Services is so popular among hackers that the FBI said RDP is responsible for nearly 70-80% of all network breaches leading to ransomware assaults. 

The tech giant is gradually blocking all entry vectors employed by ransomware attackers to infiltrate Windows networks and systems. Earlier this year, Microsoft made some security-focused changes including auto-blocking Office macros in downloaded documents and enabling multi-factor authentication (MFA) in Azure AD. The change was temporarily rolled back earlier this month, but it’s back now. 

“We’re resuming the rollout of this change in Current Channel. Based on our review of customer feedback, we’ve made updates to both our end user and our IT admin documentation to make clearer what options you have for different scenarios. For example, what to do if you have files on SharePoint or files on a network share,” Kellie Eickmeyer, Principal Program Manager at Microsoft, announced on Wednesday. 

Windows 10 systems also come with an Account Lockout Policy but are not enabled by default, allowing hackers to brute force their way into Windows systems with exploited Remote Desktop Protocol (RDP) services. Admins can enable this policy on Windows 10 in the Group Policy Management Console from Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy. 

This is a major step taken to enhance security since many RDP servers, particularly those used to assist teleworkers access corporate assets, are directly exposed to the Internet, exposing the businesses' network to attacks when poorly configured.

Neopets Hacked, 69 Million Accounts Potentially Breached


The virtual pet website Neopets has announced that it has been hacked. JumpStart Games, as announced yesterday on Twitter and the official forums, is requesting that all 69 million accounts reset their passwords. 

"Neopets recently became aware that customer data may have been stolen," reads the official Twitter announcement. "We immediately launched an investigation assisted by a leading forensics firm. We are also engaging law enforcement and enhancing the protections for our systems and our user data." 

The hacker responsible, as first reported by Neopets community site JellyNeo (via Polygon), has been found offering the whole Neopets database and source code for 4 Bitcoins (approximately $100,000). For an extra cost, the hacker would provide live access to the database. It's unclear whether this hack involves credit card information. Neopets charges a fee to eliminate adverts from the site and gain access to the forums and other premium services. In-game cash called NeoCash is also utilised for numerous microtransactions. 

Neopets, which debuted in 1999, were a brief phenomenon. Neopets, a website where players take care of a virtual pet, soon grew to millions of users, with original developer Adam Powell selling the service to Viacom for $160 million in 2005. Viacom eventually sold the site to JumpStart Games, which still owns it. The Neopets themselves require frequent food and care, yet even if neglected, they will not perish. 

One may also take them on a tour to Neopia (the Neopets world), where they and their Neopet can participate in a variety of minigames and enjoy the site's comprehensive social features. Although it is no longer at its peak, Neopets still has a committed user base. This isn't the first time that Neopets has been compromised. In 2016, a similar data breach compelled all Neopets users to change their passwords. 

This current attack is also unlikely to help the site's tattered reputation, especially in light of the recent announcement of the Neopets Metaverse Collection, a new NFT initiative that fans have slammed as a brazen cash grab.

Google Removes Several Apps From Play Store Distributing Malware


Earlier this week, Google blocked dozens of malicious Android apps from the official Play Store that were propagating Joker, Facestealer, and Coper malware families via the virtual marketplace. 

According to the findings from Zscaler ThreatLabz and Pradeo researchers, the Joker spyware exfiltrated SMS messages, contact lists, and device information and lured victims to sign up for premium service subscriptions. 

A total of 54 Joker downloader apps were unearthed by the two cybersecurity firms, with the apps installed cumulatively over 330,000 times. Nearly half of the apps belonged to communication (47.1%) category followed by tools (39.2%), personalization (5.9%), health and, photography. 

“The tools and communication were among the most targeted categories covering the majority of the Joker-infected apps. ThreatLabz discovered daily uploads of apps containing the Joker malware indicating the high activity level and persistence of the adversary group.” reads the blog post published by Zscaler. “Consistent with previous findings, ThreatLabz's latest discoveries belonging to the Joker malware campaign continue to follow similar developer naming patterns and use of familiar techniques.” 

ThreatLabz experts also uncovered multiple apps compromised with the Facestealer and Coper malware. 

The Facestealer spyware was first unearthed in July last year by Dr. Web researchers, and was designed to steal Facebook users’ logins and passwords and authentication tokens. 

The Coper malware is a banking trojan that targets banking applications in Europe, Australia, and South America. The hackers distribute the apps by disguising them as legitimate apps in the Google Play Store. 

“Once downloaded, this app unleashes the Coper malware infection which is capable of intercepting and sending SMS text messages, making USSD (Unstructured Supplementary Service Data) requests to send messages, keylogging, locking/unlocking the device screen, performing overly attacks, preventing uninstalls and generally allowing attackers to take control and execute commands on infected device via remote connection with a C2 server.” continues the report. 

The researchers recommended users to refrain from granting unnecessary permissions to apps and verify their authenticity by checking for developer information, reading reviews, and scrutinizing their privacy policies. If you become a victim of a malicious app from the Play Store, inform Google about it immediately through the support options in your play Store app.