Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label data steal. Show all posts

Lapsus$ Targeting SharePoint, VPNs and Virtual Machines

NCC Group on Thursday released a report in which it has described the techniques and tactics of the highly unpredictable Lapsus$ attacks, along with how Lapsus$ attacks are launched and what makes it such a unique group. 

The group currently gave up its operation following the arrests of alleged members in March. The attacks launched by the group remain confusing in both their motives and their methods. The group is known for targeting world-famous companies including Microsoft, Nvidia, Okta, and Samsung. 

According to the report, Lapsus$ used stolen authentication cookies, specifically ones used for SSO applications, to initially get access into targeted systems. With this, the threat actors also scraped Microsoft SharePoint sites used by target organizations to get credentials within technical documentation. 

"Credential harvesting and privileged escalation are key components of the LAPSUS$ breaches we have seen, with the rapid escalation in privileges the LAPSUS$ group has been seen to elevate from a standard user account to an administrative user within a couple of days," the report said. 

Following the report, it has been learned that a major goal of the group is to exploit corporate VPNs, capitalizing on their increased use of them over the last few years. 

"Access to corporate VPNs is a primary focus for this group as it allows the threat actor to directly access key infrastructure which they require to complete their objectives. In our incident response cases, we saw the threat actor leveraging compromised employee email accounts to email helpdesk systems requesting access credentials or support to get access to the corporate VPN," the report further read. 

The Group has grown in just a few months from launching a handful of sensitive attacks that were designed to steal and publish the source code of multiple top-tier technology companies. Sometimes the group is referred to as a ransomware group in reports, however, Lapsus$ is also known for not deploying ransomware in extortion attempts.

Hackers Steal Around $320M+ from Crypto Firm Wormhole

 

A threat actor abused a vulnerability in the Wormhole cryptocurrency platform to steal $322 million worth of Ether currency. 

Wormhole Portal, a web-based application—also known as a blockchain "bridge"—that enables users to change one type of bitcoin into another, was the target of the attack earlier. Bridge portals transform an input cryptocurrency into a temporary internal token, which they then turn into the user's preferred output cryptocurrency using "smart contracts" on the Ethereum blockchain. 

The attacker is suspected to have taken advantage of this method to deceive the Wormhole project into releasing significantly more Ether (ETH) and Solana (SOL) tokens than they originally provided. The attacker allegedly stole crypto-assets worth $322.8 million at the time of the attack, according to reports. As per reports, the attacker acquired crypto-assets worth $322.8 million at the time of the incident, which have since depreciated to $294 million due to price swings since the breach became public. 

While a Wormhole official is yet to respond to a request for comment on today's incident. The firm verified the incident on Twitter and put its site on maintenance while it investigates. The Wormhole attack is part of a recent pattern of abusing [blockchain] bridges, according to Tal Be'ery, CTO of bitcoin wallet app ZenGo who informed The Record about the Wormhole Attack. 

A hacker stole $80 million from Qubit Finance just a week ago, in a similar attack against another blockchain bridge. As per data compiled by the DeFiYield project, if Wormhole officially acknowledges the number of stolen funds, the incident will likely become the biggest hack of a cryptocurrency platform so far this year, and the second-largest hack of a decentralised finance (DeFi) platform of all time. 

Wormhole offered a $10 million "bug bounty" to a hacker. Be'ery pointed out that, similar to the Qubit hack, Wormhole is now appealing to the attacker to return the stolen funds in return for a $10 million reward and a "whitehat contract," which indicates that the platform will most likely not file any criminal complaints against the attacker. 

As per Wormhole's most recent Twitter update, posted on Thursday, February 3, the vulnerability has been fixed. However, as one former Uber executive discovered, such contracts exonerating hackers are illegal in some areas, and authorities may still investigate the hacker.


This Android Malware Wipes Your Device After Stealing Data

 

The BRATA Android malware has been updated to include additional functions such as GPS tracking and the ability to execute a factory reset on the device. 

The Android RAT BRATA (the term originates from 'Brazilian RAT Android') was founded in 2019 by Kaspersky security professionals and was used to eavesdrop on Brazilian users. In January 2019, the BRATA RAT was discovered circulating over WhatsApp and SMS communications. 

The RAT was distributed both through Google's official Play Store and through alternative Android app marketplaces. The majority of the infected apps masquerade as an update to the popular instant messaging service WhatsApp, claiming to fix the CVE-2019-3568 vulnerability in the app. The malware will begin keylogging after it has infected the victim's device, adding real-time streaming features to it. 

To connect with other apps on the victim's device, the malware makes use of the Android Accessibility Service function. Many instructions are supported by BRATA, including unlocking the victims' devices, gathering device information, shutting off the device's screen to run tasks in the background, executing any specific application, uninstalling itself, and removing any infection traces. 

Researchers from security firm Cleafy discovered a new variation affecting Android banking users in Europe in December 2021, with the goal of stealing their passwords. The same researchers have now discovered a new version that has the new features mentioned above. 

The Android RAT's current version is aimed at e-banking users in the United Kingdom, Poland, Italy, Spain, China, and Latin America. It uses custom overlay pages to target specific banking applications and steal users’ PINs. All the versions employ the same obfuscation strategies, allowing the danger to remain undetected. 

The following is a list of new features in the most recent BRATA releases: 

• Capability to perform the device factory reset: it appears that TAs are leveraging this feature to erase any trace, right after an unauthorized wire transfer attempt. 
• GPS tracking capability 
• Capability to use multiple communication channels (HTTP and TCP) between the device and the C2 server to keep a persistent connection. 
• Capability to continuously monitor the victim’s bank application through VNC and keylogging techniques. 

Researchers believe that the factory reset option enables threat actors to erase all signs of a hack once it has been completed or when the application detects that it is running in a virtual environment for analysis. 

The report stated, “this mechanism represents a kill switch for this malware. In fact, it was also observed that this function is executed in two cases: 
• A bank fraud has been completed successfully. In this way, the victim is going to lose even more time before understanding that a malicious action happened. 
• The application is installed in a virtual environment. BRATA tries to prevent dynamic analysis through the execution of this feature.” 

The BRATA RAT's recent evolution implies that threat actors are working to improve it in order to broaden its target demographic.

Ursnif Trojan Steals Personal User Data, Proofpoint Report Says

 

Researchers at Proofpoint have found a a latest Ursnif banking malware used by a hacking group called TA544 which is attacking companies in Italy. Cybersecurity experts found 20 major campaigns providing harmful messages directed towards Italian organizations. 

TA544 is a threat actor working for financial purposes, it has been active since 2017, the group targets attacks on banking users, aggravating banking trojans and different payloads to compromise companies across the world, primarily in Italy and Japan. Experts observed that from the time period between January and August 2021, total number of identified Ursnif campaigns affecting Italian companies, was almost equal to the number of Ursnif campaigns attacks in Italy in 2020. 

"Today’s threats – like TA544’s campaigns targeting Italian organizations – target people, not infrastructure. That’s why you must take a people-centric approach to cybersecurity. That includes user-level visibility into vulnerability, attacks and privilege and tailored controls that account for individual user risk," suggests concludes Proofpoint. 

TA544 threat actor uses social engineering techniques and phishing to attract victims into clicking macro present in weaponized docs. Once the macro is enabled, the malware process starts. If we look into recent attacks against Italian companies, the threat actor impersonated an energy company or an Italian courier, scamming victims via payments. 

These spams use weaponized office docs to deploy Ursnif banking malware in the last stage. While investigating these campaigns, TA544 used geofencing methods to find if we're targeted in geographic areas before attacking them with the malware. If the user wasn't in the target area, the malware C2C would direct it to an adult site. As of now in 2021, experts have found around five lakhs messages related with the malware campaigns. The threat actor used file injectors to deploy malicious codes used to steal personal user data like login credentials and banking details. 

The research of web injections used by hacking groups reveals that hackers were also trying to steal website credentials with related to major sellers. 

Proofpoint reports "recent TA544 Ursnif campaigns included activity that targeted multiple sites with web injects and redirections once the Ursnif payload was installed on the target machine. Web injects refer to malicious code injected to a user’s web browser that attempts to steal data from certain targeted websites. The list included dozens of targeted sites."

LockBit 2.0 Ransomware Hit Israeli Defense Firm E.M.I.T. Aviation Consulting

 

LockBit 2.0 ransomware operators have reportedly hit the Israeli aerospace and defense firm E.M.I.T. in a new campaign of attacks. According to Aviation Consulting Ltd, hackers claim to have accessed the internal system and also have stolen credential data from the company. 

Post attack, the group is threatening to publish the stolen data which includes sensitive information, invoices, employees, and possibly payment data, onto their dark web leak site in case the company is not ready to pay the ransom. Although the group of attackers is yet to leak the stolen data as proof of the attack, the countdown will end on 07 October 2021. 

Currently, it has not been disclosed how the attackers' group acquired access to the system of the company and when the incident took place. Similar to other ransomware attacks, LockBit 2.0 has also executed a ransomware-as-a-service model and maintains a network of affiliates. 

According to the technical data, the ransomware operation group LockBit ransomware has been in action since September 2019, in June the group announced the LockBit 2.0 RaaS. After ransomware ads were banned on the hacking forums, the group of LockBit operators came with their own leak site and also promoting the latest model and advertising the LockBit 2.0 affiliate program. 

At present, the LockBit gang is highly active targeting numerous organizations including Riviana, Anasia Group, Wormington & Bollinger, Vlastuin Group, DATA SPEED SRL, SCIS Air Security, Peabody Properties, Island independent buying group, Buffington Law Firm Day Lewis, and many others worldwide. 

A few months, the Australian Cyber Security Centre (ACSC) had warned its Australian organizations against LockBit 2.0 ransomware attacks. E.M.I.T. Aviation Consulting Ltd was established in 1986, the company is involved in designing and assembling complete aircraft, tactical and sub tactical UAV systems, and mobile integrated reconnaissance systems.

Spoofed Zix Encrypted Email is Used in Credential Spear-Phishing

 

Hackers have used a credential phishing attack to steal data from Office 365, Google Workspace, and Microsoft Exchange by spoofing an encrypted mail notification from Zix. According to Armorblox security researchers, the assault impacted around 75,000 users, with small groups of cross-departmental staff being targeted in each customer environment. 

Social engineering, brand impersonation, replicating existing workflows, drive-by downloads, and accessing valid domains were among the methods employed by the hackers to obtain data. “Secure Zix message” emails were sent to victims. In the body of the email, there was a header that repeated the email subject and claimed the victim had received a secure communication from Zix, a security technology company that provides email encryption and data loss prevention services.

The victim is invited to view the secure message by clicking on the "Message" button in the email. While the phoney email is not a facsimile, it is similar enough on the surface to fool the unwary victims. According to researchers, clicking the “Message” link in the email causes an HTML file entitled “securemessage” to be installed on the victim's PC. The file could not be opened in a virtual machine (VM) because the download redirect did not show within the VM.

Using valid (albeit unrelated) domains to send emails, according to Armorblox researcher Abhishek Iyer, is “more about tricking security measures (i.e. evading authentication checks) than it is about tricking recipients, especially if the domains are not forged to appear like the real thing.”

A Verizon credential phishing campaign located on the website of a Wiccan coven, for example, was discovered by Armorblox last year. Another example is an Amazon credential phishing email sent from the domain of Blomma Flicka Flowers, a tiny floral design firm situated in Vermont. Under the pretext of Amazon item delivery notices, the campaign intended to steal passwords and other personal information. 

“Whether these domains are used to send the email or host the phishing page, the attackers’ intent is to evade security controls based on URL/link protection and get past filters that block known bad domains,” Iyer said via email.

"To host phishing pages on legitimate domains, attackers usually exploit vulnerabilities in the web server or the Content Management Systems (CMS) to host the pages without the website admins knowing about it," he continued.

Jupyter Trojan Steals Chrome Firefox Data and Opens Backdoor

Researchers at Morphisec has recently discovered a trojan malware campaign targeted at stealing information from businesses and higher education. Reportedly, the malware named Jupyter has been used by Russian speaking hackers to gather data from various software. 

Primarily targeting Google Chrome, Mozilla Firefox, and Chromium code in itself, Jupyter's attack chain, delivery, and loader demonstrate additional capabilities such as a C2 client, execution of PowerShell scripts and commands, hollowing shellcode into legitimate windows configuration applications, for full backdoor functionality. 

The infostealer's attack begins with a zip file containing an installer which typically impersonates legitimate software like Docx2Rtf. When the installer is executed, a .NET C2 client is inserted into memory. Jupyter loader has a well-defined protocol, persistence modules, and versioning matrix, it furthers with downloading the next stage, a PowerShell command to execute the Jupyter injected in memory earlier. Now using the commonalities between both the .Net components an end-to-end framework is developed for the implementation of the Jupyter infostealer as both have similar code, obfuscation, and unique UID implementation. 
 
As per the analysis published by Morphisec, "Jupyter is an infostealer that primarily targets Chromium, Firefox, and Chrome browser data. However, its attack chain, delivery, and loader demonstrate additional capabilities for full backdoor functionality.” 
 
"Morphisec has monitored a steady stream of forensic data to trace multiple versions of Jupyter starting in May 2020. While many of the C2s are no longer active, they consistently mapped to Russia when we were able to identify them," read the report. 

Over the last 6 months, these installers have given exceptional results at bypassing security scanning controls, some among these installers even maintained 0 detections in VirusTotal.

Multiple versions of Jupyter were traced back to Russia and the planet name was noticeably misspelled from Russian to English, as per the Morphisec researchers who also found out the same image on Russian-language forums upon running a reverse Google Image search of the C2 admin panel image, concluding that the attack has Russian origins. 
 
"This is the first version seen in the wild of the infostealer stealing information (autocomplete, cookies, and passwords) only from Chrome browsers," said researchers. 

"This version added Firefox information stealing (cookies, logins, certificates, and form history). This version uses the same technique of copying the stolen information before accessing it to evade detection." The researchers further added.

Apple catches TikTok spying on million of iPhone users globally


Apple announced its latest OS iOS14 at this year's WWDC and during the beta testing for the same, the tech giant caught TikTok recording user's cut-paste data and whatever the user was typing on their keyboard.


The new alert on iOS14 lets the user know if any app is pasting from the clipboard and if they are reading from the cut-paste data. This alert leads to TikTok's reveal. This alert was added based on the research by German software engineer Tommy Mysk in February; he discovered that every app installed on an iPhone or iPad can access clipboard data. And thus Apple added this new banner alert in its latest OS.

Soon after the update, many users started complaining about the issue, “Hey @tiktok_us, why do you paste from my clipboard every time I type a LETTER in your comment box?” wrote @MaxelAmador actor and podcast host on Twitter. “Shout out to iOS 14 for shining a light on this HUGE invasion of privacy.” Though many other apps like Accu Weather, Call of Duty Mobile, and even Google News can read clipboard data it seems strange as to why TikTok would need to do so.

After finding this glitch, Apple released a patch and fixing the issue, even TikTok said in March that it would stop the practice but it seems like they are still snooping on user's data.

In response, the social media app stated, “For TikTok, this was triggered by a feature designed to identify repetitive, spammy behavior. We have already submitted an updated version of the app to the App Store removing the anti-spam feature to eliminate any potential confusion”. 

The clipboard tool in iOS helps the user to copy text and images and paste them on another app, the glitch leads to apps access this data, making it quite worrisome. And all this data could be accessed without the user's consent. Apple should be appalled for this expose but another pressing question remains- should the Android community be worried about the same?

CSIRO's Data61 Developed Voice Liveness Detection 'Void' to Safeguard Users Against Voice Spoofing Attacks


Spoofing attacks that impersonate user's devices to steal data, spread malware, or bypass access controls are becoming increasingly popular as the threat actors expand their horizon with the improvisation of various types of spoofing attacks. Especially, voice spoofing attacks that have been on a rise as more and more voice technologies are being equipped to send messages, navigate through smart home devices, shop online, or to make use of net banking.

In a joint effort for the aforementioned concern, Samsung Research and South Korea's Sungkyunwan University and Commonwealth Scientific and Industrial Research Organisation's (CSIRO) Data61, came up with 'the voice liveness detection' (Void) to keep users safe against voice spoofing attacks.

In order to detect the liveness of a voice, Void gains insights from a visual representation of the spectrum of frequencies known as 'spectrograms' – it makes the functionality of void a little less complex compared to other voice spoofing methods that rely on deep learning models, as per Data61.

How Void helps in detecting hackers spoofing a system? 

The void can be inserted in consumers' voice assistance software or smartphones in order to spot the difference between 'a voice replayed using a speaker' and 'a live human voice', by doing so it can easily identify when a cybercriminal attempts to spoof a user's system.

While giving further related insights, Muhammad Ejaz Ahmed, a cybersecurity research scientist at Data61, told, “Although voice spoofing is known as one of the easiest attacks to perform as it simply involves a recording of the victim’s voice, it is incredibly difficult to detect because the recorded voice has similar characteristics to the victim’s live voice,” he said.

“Void is a game-changing technology that allows for more efficient and accurate detection helping to prevent people’s voice commands from being misused.”

Bengaluru: Passport offices alerts public against fake websites


Bengaluru: Passport offices throughout the country are apprehensive about the increase in fake websites that masquerade as official portals for passport related services and siphon off applicant's data and money.

The ministry has been issuing advisories and alerts on its social media handles to caution the public against such fraudulent websites. The crime branch, working with the ministry has also started awareness drives in order to prevent passport applicants from being duped by bogus.

 The fake websites that the offices caught were-
 www.indiapassport.org,
 www.online-passportindia.com,
 www.passport-seva.in,
 www.passport-india.in,
 www.passportindiaporlal.in and www.applypassport.org. (Sc.TOI)

Whereas, the official website to apply for a passport is- "www.passportindia.gov.in" and the official mobile application to avail passport related services is - "mPassport Seva".

Victims who were cheated by these bogus websites and mobile applications approached the passport office and filed complaint at the local police station, said Officials at the Regional Passport Office, Bengaluru. Not only websites but mobile applications and brokers outside the passport offices also demand more payment and could be stealing personal data like Adhaar Card, Voter Id, resident proof and birth certificate to partake in more serious crimes like identity theft or selling the data to immigrants.

The officials said they came across websites that charged unwarranted prices for filling up online forms for a new passport and other services and even people who were highly educated fell victim to the fraud. Where the real cost for a passport is Rs.1,500 for normal and Rs.3, 500 for tatkal, these fraudsters are charging from Rs. 4,500 to Rs. 6,000. And money is the lighter concern, the bigger threat is the theft of personal data like Adhar Number, Voter ID and phone connections.

These websites used logos of other government schemes like Swachh Bharat Abhiyan to appear more genuine and true. Even on Google Play Store, at least eight unauthenticated and false applications were found.

This problem is not centrist to Karnataka, as cases from all over the country have been popping up, for instance, NCR and Bhuvaneshwar being two of the areas. Bharath Kumar Kuthati, regional passport officer, Bengaluru, says "they are creating awareness by issuing warnings on social media. It is a pan-India problem and the department is taking steps to counter it."