Search This Blog
Load More
Trendy Right Now

Popular Posts

Twitter
Apple Cyber Security Elon Musk iPhone Smartphone Twitter

Elon Musk is Planning to Develop an Alternate Smartphone

If Apple decides to remove Twitter from the App Store, Elon Musk has an easy strategy,  to build his own smartphone. 

Musk has changed a lot about Twitter since he joined at the end of October, including major staff cuts and firings that prompted managers in charge of data privacy and content moderation to resign.

In terms of content filtering, Musk fundamentally supports the right to free expression. Additionally, he apparently intends to attempt and make money for Twitter through explicit content. When Jack Dorsey was in charge, content filtering was more deliberate and concentrated on user 'safety,' outlawing obscenity, hate speech, and violence. 

Musk tweeted on Friday night, "If Apple & Google expel Twitter from their app stores, @elonmusk should manufacture his own smartphone," in response to the conservative commentator Liz Wheeler. The prejudiced, snooping iPhone & Android would be cheerfully abandoned by half of the country. A foolish little smartphone ought to be simple for the man who makes rockets to Mars, right? ”

"I sincerely hope it never comes to that, but indeed, If there is no other option, I will develop an alternate phone," Musk said.

Phil Schiller, a senior Apple marketing executive that oversees the company's App Store, deactivated his Twitter account last week, which could be a terrible sign for Twitter. After Musk criticized Apple's fees on Twitter, calling them a hidden 30% tax on the internet, Schiller made the change.











Read more »
Windows
Cyber Security Data Safety Security Server Window Server Windows

New Windows Server Updates Cause Domain Controller Freezes, Restarts

 

Microsoft is looking into LSASS memory leaks (caused by Windows Server updates released during the November Patch Tuesday) that may result in domain controller freezes and restarts. LSASS (Local Security Authority Subsystem Service) is in charge of enforcing security policies on Windows systems and managing access tokens, password changes, and user logins. 

If this service fails, logged-in users lose access to their Windows accounts on the machine and are presented with a system restart error followed by a system reboot. 

"LSASS might use more memory over time and the DC might become unresponsive and restart," Microsoft explains on the Windows Health dashboard.

"Depending on the workload of your DCs and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the uptime of your server and the server might become unresponsive or automatically restart."

Out-of-band Windows updates pushed out to address authentication issues on Windows domain controllers may also be affected by this known issue, according to Redmond. Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2 are all affected. Microsoft is working on a solution and promises an update in an upcoming release.

Workaround  Available:

Until a fix for this LSASS memory leak issue is available, the company offers a workaround for IT administrators to work around domain controller instability. This workaround requires admins to set the KrbtgtFullPacSignature registry key (used to gate CVE-2022-37967 Kerberos protocol changes) to 0 using the following command: reg add "HKLM\System\CurrentControlSet\services\KDC" -v "KrbtgtFullPacSignature" -d 0 -t REG_DWORD

"Once this known issue is resolved, you should set KrbtgtFullPacSignature to a higher setting depending on what your environment will allow," Microsoft added.

"It is recommended to enable Enforcement mode as soon as your environment is ready. For more information on this registry key, please see KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967."

Redmond addressed another known issue that caused Windows Server domain controller reboots due to LSASS crashes in March. Microsoft fixed domain controller sign-in failures and other authentication issues caused by November Patch Tuesday Windows updates earlier this month with emergency out-of-band (OOB) updates.

Read more »
Cyber Attacks
Advanced Persistent Threat APT attacks APT Group Cyber Attacks

APTs: Description, Key Threats, and Best Management Practices


An Advances Persistent Threat (APT) is a sophisticated, multiple staged cyberattack, in which the threat actor covertly creates and maintain its presence within an organization’s network, undetected, over a period of time. 

A government agency or a business could be the target, and the information could be stolen or used to do additional harm. When attempting to penetrate a high-value target, an APT may be launched against the systems of one entity. APTs have been reported to be carried out by both state actors and private criminals. 

Several organizations closely monitor the threat actor groups that pose these APTs. CrowdStrike, a security company that monitors over 170 APT groups, claims to have witnessed a nearly 45% rise in interactive infiltration efforts between year 2020 and 2021. Nation-state espionage activities are now a strong second in frequency, although (financial) e-crime is still the most frequently identified motive.

An APT comprises of mainly three main reasons: 

  1. Network infiltration 
  2. The expansion of the attacker’s presence 
  3. The extraction of amassed data (or, in some instances, the launch of sabotage within the system)

Since the threat is established to both evade detection and acquire sensitive information, each of these steps may entail several steps and be patiently carried out over an extended period of time.

Successful breaches may operate covertly for years; yet, some acts, including jumping from a third-party provider to the ultimate target or carrying out a financial exfiltration, may be carried out very rapidly. 

APTs have a reputation for using deception to avoid giving proper, direct credit for their work. An APT for one country could incorporate language from another country into its code to confuse investigators. 

Investigating teams may as well have close relationships with state-intelligence agencies, leading some to raise questions pertaining to the objectivity of their findings. 

Amidst this, the tactics, techniques, and procedures (TTPs) of APTs are up for constant updates, in response to the continuously changing environment and countermeasures. “This past year, there was a dramatic uptick in APT attacks on critical infrastructure such as the transportation and financial sectors,” says Trellix’s Head of Threat Intelligence. 

List of key threats

New APTs based on advanced techniques are, by nature, generally operating yet being undetected. Additionally, quite challenging attacks continue to be carried out against organizations, long after they were first detected (for instance, SolarWinds). 

Moreover, fresh common trends and patterns are constantly being identified and duplicated, unless a means is discovered in order to render them ineffective. Listed below are some of the major trends in APTs, identified by a Russian internet security firm ‘Kaspersky’: 

The private sector supporting an influx of new APT players: It is anticipated that more and more APTs will use commercially available products like the Pegasus software from the Israeli company NSO Group, which is marketed to government agencies for its zero-click surveillance capabilities. 

Mobile devices exposed to wide, sophisticated attacks: Although Apple's new Lockdown Mode for the iOS 16 iPhone software update is meant to address the exploitation of spyware by NSO Group, its phones still stand with Android and other mobile devices as the top targets of APTs. 

More supply-chain attacks: Supply-chain attacks should continue to be a particularly effective strategy for reaching high-value government and private targets, as demonstrated by SolarWinds. 

Continued exploitation of work-from-home (WFH): With the emerging WFH arrangements since the year 2020, hacker groups will continue targeting employees’ remote systems, until those systems are potent enough to combat exploitation. 

Increase in APT intrusions in the Middle East, Turkey, and Africa (META) region, (especially in Africa): With the constantly diminishing geopolitical situation, globally, espionage is emerging rapidly in areas where systems and communications are the most vulnerable. 

APT Identification and Management Practices: 

Since APTs are designed to be covert, facilitated, backed by constant advancement, and illicit traffic in zero-day exploits, it becomes intrinsically challenging to detect them. Attacks, however, frequently follow a pattern, going for predictable targets like admin credentials and privileged data repositories that represent important company assets. 

Following are 5 recommendations for avoiding and identifying APT intrusion: 

1. Threat modeling and instrumentation: According to Igor Volovich, Vice President of Compliance for Omulos “Threat modeling is a useful practice that helps defenders understand their risk posture from an attacker’s perspective, informing architecture and design decisions around security controls […] Instrumenting the environment with effective controls capable of detecting malicious activity based on intent rather than specific technique is a strategic direction that enterprises should pursue.” 

2. Stay alert: Pay closer attention to the operation of security analyst and security community posting, which keeps a check on the APT groups, since they look for activities pertaining to indications of threat group actions, or that of an activity group and threat actors; as well as activities that indicate a potential intrusion or cyber-campaigns. 

3. Baseline: It is crucial to understand your own environment and establish a common baseline in order to identify anomalous behavior in the environment and, consequently, spot the tell-tale signs of the presence of APTs. It is easier to identify odd traffic patterns and unusual behavior by using this baseline. 

4. Use your tools: In order to identify APTs, one may as well use existing security tools like endpoint protection, network prevention systems, firewalls, and email protection. 

5. Threat Intelligence: Threat intelligence sources should be evaluated against data from security tools and information on potentially unusual traffic. Organizations that use threat feeds can describe the threat and what it can signify for the target organisation. These technologies can help a management team identify potential attackers and determine their possible objectives.  

Read more »
Vulnerabilities
CAN Cyber Security Operational Technology Vulnerabilities

Fixing Insecure Operational Technology That Threatens the Global Economy

 


Considering the widespread technology leading to cyberattacks, the demand for work to safeguard the systems and networks also increases. Many techniques have been developed for protecting bits and bytes of computer networks, yet no such method has been discovered for strengthening the physical framework which handles the world’s economy. 

In many countries, operational technology (OT) platforms have largely polluted traditional physical infrastructures as they have been able to computerize their entire physical infrastructure, whether it is buildings, bridges, trains, and cars, or the industrial equipment and assembly lines that work hard to generate an economy's wealth. Even after so many updates in the tech world, if there is any cyberattack with new technology on things like planes or beds, it will be completely whimsy. There is a definite requirement to take proper care and actions to avoid destructive damage caused due to such attacks.  

Consider, for instance, a scenario in which our country's northeast regions are left without heat in the middle of a brutal cold snap. This is the result of an attack on an energy plant. If such an attack was carried out, imagine the enormous amount of hardship that would be caused and even death - as homes would turn dark, businesses would lose customers, hospitals would have trouble operating, and airports would be shut down. 

The first idea was that this kind of cyber threat could be a prime target for physical infrastructure when the Stuxnet virus emerged over a decade ago. At least 14 industrial sites, including a uranium enrichment plant in Iran, were infected by a malicious threat known as Stuxnet, which inserted malware into the software. 

Built-in vulnerabilities 

Operational technology manufacturers have always had a problem in which they did not design their products with security in mind when they developed them. Thus, trillions of dollars worth of OT assets are incredibly vulnerable today, which has led to tremendous financial losses. Almost all the products in this category are designed to use microcontrollers that communicate over controller area networks (CANs), which are insecure. 

As well as for passenger vehicles and agricultural equipment, the CAN protocol is used in an extensive range of other products, such as medical instruments and building automation systems. However, it does not include mechanisms for supporting secure communications. Additionally, it lacks authentication and authorization. When a CAN frame is sent, it does not involve any information about the sender's address hence the recipient's address cannot be determined from the CAN frame. 

Thus, there has been a considerable increase in the vulnerability of CAN bus networks to malicious attacks, as a consequence, especially with the expansion of the cyberattack landscape. We, therefore, need to come up with more advanced approaches and solutions to better secure CAN buses and protect vital infrastructures to better secure them. 

As we examine what can happen if a CAN bus network is compromised, let us first examine what might happen if we consider what this security should look like. Several microprocessors are interconnected by a CAN bus. They act as a communication channel that is shared by all of them. The CAN bus makes it possible for several systems within an automobile. For example, to communicate seamlessly over a common channel. The CAN bus allows the engine system, combustion system, braking system, and lighting system to operate seamlessly in communicating.

However, hackers can still send random messages in compliance with the protocol and interfere with CAN bus communication because it is inherently insecure. Consider the havoc that would ensue if even a small-scale hack of an automated vehicle occurred, transforming these cars into a swarm of potentially lethal objects, causing an unimaginable amount of disaster and mayhem. 

As much as the automotive industry is facing the challenge of designing a well build, embedded security mechanism to protect CAN, the challenge is that it must achieve high fault tolerance while keeping costs low. Ultimately, these startups will be able to defend all our physical assets, including planes, trains, and manufacturing systems from cyberattacks. 

How OT Security Would Work 

How would such a company look if it existed? By intercepting data from the CAN and deconstructing the protocol, this kind of application could enrich and alert anomalous communication traffic traversing the OT data bus. This is ranging the CAN. An operator of high-value physical equipment, having such a solution installed, would be able to gain real-time, actionable insight into anomalies and intrusions within their systems - and hence would be better equipped to thwart any cyberattacks that may occur. 

Usually, this type of company comes from the defense industry, but it can also come from other sectors. As well as having the potential to examine various machine protocols, it will also have a lodged data plane with deep foundational technology. 

A $10 billion-plus opportunity can easily be created with the right team and support. Protecting the physical infrastructure of our country is one of the most imperative obligations that we have. Hence, there is a clear need for new solutions, concentrated on hardening critical assets against cyberattacks, which can provide a practical solution to the problem.
Read more »
Vulnerability and Exploits.
Data protection Elon Musk EU GDPR Social Media threats Twitter Vulnerability and Exploits.

Twitter's Brussels Staff Sacked by Musk 

After a conflict on how the social network's content should be regulated in the Union, Elon Musk shut down Twitter's entire Brussels headquarters.

Twitter's connection with the European Union, which has some of the most robust regulations controlling the digital world and is frequently at the forefront of global regulation in the sector, may be strained by the closing of the company's Brussels center. 

Platforms like Twitter are required by one guideline to remove anything that is prohibited in any of the EU bloc's member states. For instance, tweets influencing elections or content advocating hate speech would need to be removed in jurisdictions where such communication is prohibited. 

Another obligation is that social media sites like Twitter must demonstrate to the European Commission, the executive arm of the EU, that they are making a sufficient effort to stop the spread of content that is not illegal but may be damaging. Disinformation falls under this category. This summer, businesses will need to demonstrate how they are handling such positions. 

Musk will need to abide by the GDPR, a set of ground-breaking EU data protection laws that mandate Twitter have a data protection officer in the EU. 

The present proposal forbids the use of algorithms that have been demonstrated to be biased against individuals, which may have an influence on Twitter's face-cropping tools, which have been presented to favor youthful, slim women.

Twitter might also be obligated to monitor private conversations for grooming or images of child sexual abuse under the EU's Child Sexual Abuse Materials proposal. In the EU, there is still discussion about them.

In order to comply with the DSA, Twitter will need to put in a lot more effort, such as creating a system that allows users to flag illegal content with ease and hiring enough moderators to examine the content in every EU member state.

Twitter won't have to publish a risk analysis until next summer, but it will have to disclose its user count in February, which initiates the commission oversight process.

Two lawsuits that might hold social media corporations accountable for their algorithms that encourage dangerous or unlawful information are scheduled for hearings before the US Supreme Court. This might fundamentally alter how US businesses regulate content. 
Read more »
User Privacy
Chrome Extension data security Data Theft Login Credentials Mobile Security User Privacy

Malicious Chrome Extension Discovered Siphoning Private Data of Roblox Players

 

Customers at Roblox, the popular online game platform, are being targeted via malicious Google Chrome browser extension that attempts to siphon their passwords and private data. 

Threat analysts at Bleeping Computer uncovered two separate chrome extensions called SearchBlox, with more than 200,000 downloads, containing a backdoor that allow the hackers to steal users’ Roblox credentials and their Rolimons assets. 

It remains unclear clear whether the designer of these two extensions added the backdoor intentionally or if another hacker did, however, threat analysts were able to analyze their code and find the backdoor. 

The malicious extensions identified on the Chrome Web Store add a player search box to the users’ page that allows it to scan the game’s servers for other players. Although they have different icons, the extensions were both designed by the same developer and have identical descriptions. 

Surprisingly, the first extension was actually featured on the Chrome Web Store despite its three-star rating. Upon scanning the comment section on its review page, Roblox players seemed quite satisfied with the extension before the backdoor was suddenly added, which indicates that a threat actor was responsible and not its developer TheM2. 

To mitigate the potential threat, researchers advised Roblox players to uninstall the extension immediately, clear browser cookies, and alter the login credentials for Roblox, Rolimons, and other websites where they logged in while the extension was active. 

Additionally, the Google spokesperson confirmed that the extensions were removed immediately and would also be automatically erased from systems where they were installed. 

"The identified malicious extensions are no longer available on the Chrome Web Store," Google stated. The extensions are block listed and will be automatically removed from any user machine that previously downloaded them." 

This is not the first instance Roblox users have been the victims of cybercrime. Earlier this year in May, security experts identified a malicious file concealed inside the legitimate Synapse X scripting tool which is utilized to inject exploits or cheat codes into Roblox. 

Malicious hackers exploited Synapse X to deploy a self-executing program on Windows PCs that installs library files into the Windows system folder. This has the potential to break applications, corrupt or erase data or even send data back to the attackers responsible.
Read more »
WhatsApp
Data Data Breach Data Safety data security Security WhatsApp

Experts Look into WhatsApp Data Leak: 500M User Records for Sale

 

On November 16, an actor advertised a 2022 database of 487 million WhatsApp user mobile numbers on a well-known hacking community forum. The dataset is said to contain WhatsApp user data from 84 different countries. 

According to the threat actor, there are over 32 million US user records included. Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey each have a sizable number of phone numbers (20 million). The dataset for sale also allegedly contains the phone numbers of nearly 10 million Russians and over 11 million UK citizens. The threat actor told Cybernews that they were selling the US dataset for $7,000, the UK dataset for $2,500, and the German dataset for $2,000.

Since such data is frequently used by attackers in smishing and vishing attacks, we advise users to be cautious of any calls from unknown numbers, as well as unsolicited calls and messages. According to reports, WhatsApp has more than two billion monthly active users worldwide. The seller of WhatsApp's database provided a sample of data to Cybernews researchers upon request. The shared sample included 1097 UK and 817 US user numbers.

Cybernews probed all of the numbers in the sample and was able to confirm that they are all WhatsApp users. The seller did not say how they obtained the database, only that they "used their strategy" to collect it, and assured Cybernews that all the numbers in the instance belong to active WhatsApp users.

Cybernews contacted WhatsApp's parent company, Meta, but received no immediate response. We will update the article as soon as we learn more. The data on WhatsApp users could be obtained by harvesting information at scale, also known as scraping, which is against WhatsApp's Terms of Service.

This claim is entirely speculative. However, large data dumps posted online are frequently obtained through scraping. Over 533 million user records were leaked on a dark forum by Meta, which has long been chastised for allowing third parties to scrape or collect user data. The actor was practically giving away the dataset for free.

Days after a massive Facebook data leak made headlines, a popular hacker forum listed an archive containing data purportedly scraped from 500 million LinkedIn profiles for sale. Phone numbers that have been leaked could be used for marketing, phishing, impersonation, and fraud.

Head of Cybernews research team Mantas Sasnauskas said, “In this age, we all leave a sizeable digital footprint – and tech giants like Meta should take all precautions and means to safeguard that data. We should ask whether an added clause of ‘scraping or platform abuse is not permitted in the Terms and Conditions’ is enough. Threat actors don’t care about those terms, so companies should take rigorous steps to mitigate threats and prevent platform abuse from a technical standpoint.”
Read more »
Security
Cyber Attacks information management ISO Security

Reasons for Being Updated ISO 27001 Crucial For Business Security

 


The supplier of the UK’s National Health Service, Advanced, faced a cyberattack on 4 august 2022 in the morning. It worked as a vicious example for an alerting situation: “how much a well-regulated set of rules and controls are important in security for any company?” As an effect of the cyber-attack, NHS 111, which is NHS’S 24/7 health helpline, was taken down, and the centers for urgent treatment were taken down, which caused disorderliness. 

There are numerous cases of such cyber attacks where organizations face huge losses. This made “security” a very crucial part of any business operation at present. To achieve a secured network for your digital assets, you should turn towards a set of efforts, effective practices, and well-populated principles in your industry. ISO 27001 works well for this purpose. 

ISO 27001 is also known as “the standard” or “ISO” it is a part of the ISO 27000 family, which is an information security auditable standard. ISO is considered best to provide leading advice and directions for implementing and maintaining an ISMS. ISO family is considered to be relevant throughout the world. 

Specifically, ISO 27002 is a directive for Information Security Management Systems. It explains “physical and logical controls” that a company or business should follow to protect its confidential data. It is the well-known “international standard” for information security management systems, and it was first ever published in 2005. 

In 2005, it was published as a solid informative security framework for handling risks like cyberattacks, data leaks, etc. Recently on October 25, 2022, a new update with new features and factors has been published. 

This standard has been updated with a set of clauses, under which it defines the management system, and Annex A explains a series of controls. The clauses include proper management of risk and Annex A’s power controls patch management, antivirus, and access control. 

One more additional benefit which ISO27001 provides to businesses is that there is no compulsion for all the controls, all businesses can make selections for the specific controls as per their needs. 

Benefits ISO 27001 Certification Gives to Your Business

One of the most crucial benefits of implementing ISO 27001 is the security advantages it provides to the organizations from initiation. 

The certification of ISO27001, which companies gain by devoting their time appraised by customers as a company that values information security solemnly. 

Considering the increasing number of cyber-attacks and new variants of cyber-attack, companies should get alert in making their information more protected and make ISO 27001 mandatory. Taking such safeguarding measures at the earliest is better to give a wide berth to missing out commercially.

ISO 27001 also works as cyber-insurance, which works on stages to safeguard the financial sector of the firm for the longer term. As cyber-attacks in any sector result in a huge monetary loss along with the downfall of reputation, to avoid such losses ISO 27001 is also suited best. 

It might seem daunting for our business to implement all of this in a way that is both effective and efficient. However, by putting together the right plan in place, we can greatly benefit from all the benefits ISO 27001 certification can provide. 

To ensure that businesses are successful in achieving certification under the revised version of the standard, it is also important to recognize that October was not the deadline for obtaining certification. Before certification bodies are ready to offer certifications, businesses may have a few months before they can do so. Following the announcement of the revised standard, businesses will likely be required to undergo a two-year transition period before they can retire ISO 27001:2013 completely. 

As we move forward with ISO 27001 adoption, it Is imperative to remember that although ISO 27001 compliance can be challenging, there is no doubt that ISO 27001 compliance is invaluable in today's hyper-connected world for businesses that wish to establish themselves as highly trusted and reliable partners.
Read more »
Supply Chain Platform
Cyber Data Cyber Security Data Safety data security Microsoft Supply Chain Supply Chain Platform

Microsoft Announces the Microsoft Supply Chain Platform

 

Software as a Service (SaaS) applications from Microsoft that combine artificial intelligence, collaboration, low-code, security, and supply chain management have been launched as the Microsoft Supply Chain Platform.

Dynamics 365, Microsoft Teams, Power BI, Power Automate, Power Apps, Azure Machine Learning,
Azure Synapse Analytics, Azure IoT, the Microsoft Intelligent Data Platform, Azure Active Directory,
Defender for IoT and Microsoft Security Services for Enterprise are among the Microsoft
applications and platforms in this group.
 
Microsoft's PowerApps low-code development platform is intended to let users create a connected supply chain. It enables supply chain information, supply and demand insights, performance tracking, supplier management, real-time collaboration, and demand management to lessen risk.

Additionally, it addresses order tracking and traceability, pricing management, warehouse
management, and inventory optimization. According to Microsoft, businesses are suffering from an overabundance of petabytes of data that are dispersed among legacy systems, enterprise resource planning (ERP) software, and custom solutions, giving them a fragmented view of their supply chain.

The Microsoft Supply Chain Center preview has also been released by Microsoft. It promises to track global events that may impact a customer's supply chain, coordinate actions across a supply chain, and use AI to lessen supply and demand mismatches. According to Microsoft, this constitutes the foundation of the supply chain platform.

"Although supply chain disruption is not new, its complexity and the rate of change are outpacing organizations' ability to address issues at a global scale. Many solutions today are narrowly focused on supply chain execution and management and are not ready to support this new reality," said Charles Lamanna, corporate vice president, of Microsoft Business Applications and Platform, in a press release.

"Businesses are dealing with petabytes of data spread across legacy systems, ERP, supply chain management and point solutions, resulting in a fragmented view of the supply chain," Lamanna stated. 

"Supply chain agility and resilience are directly tied to how well organizations connect and orchestrate their data across all relevant systems. The Microsoft Supply Chain Platform and Supply Chain Center enable organizations to make the most of their existing investments to gain insights and act quickly." 

Even though it wants to serve as a platform for the entire supply chain, it will continue to collaborate with businesses like Accenture, Avanade, EY, KPMG, PwC, and TCS. Data from standalone supply chain systems, SAP and Oracle ERP systems, Dynamics 365, and other systems will be fed into the Microsoft Supply Chain Center.

Data ingestion for supply chain visibility is made possible via the Supply Chain Center's Data Manager capability. FedEx, FourKites, Overhaul, and C.H. Robinson are some of the partners in the preview launch. The supply and demand insights module, the order management module, the built-in Teams connection, and partner modules within the center are just a few of the prebuilt modules that the Supply Chain Center provides to solve supply chain disruptions.

According to Microsoft, the data remains consistent regardless of the module used because the center runs on a Dataverse common data service environment, eliminating the need to check which reports have the most recent data.

Read more »
Cyberattack
API security API- Application Programming Interface Cyber Security Cyberattack

How API Security is Emerging as a Potential Threat to Data-Driven Enterprises


Application programming interfaces play a big role in data-driven enterprises since they rely largely on their software application architecture. APIs have led to a sea change in the way we use web applications as they act as a communication pipeline between numerous services. Using APIs, developers can incorporate any contemporary technology into their architecture, which is quite helpful for including functionality that a consumer needs. 

APIs, by nature, are at risk of getting the application logic or sensitive data exposed, such as personally identifiable information (PII). Since APIs are generally accessible over public networks, they are often well-documented and can easily be manipulated and reverse-engineered by a threat actor. Additionally, they are susceptible to DDoS attacks. 

Since most significant data leaks happen as a result of defective, vulnerable, or hacked APIs, exposing data like medical, financial, or personal information, it is crucial to ensure the security of APIs. Additionally, if an API is not properly secured, it could result in numerous cyberattacks, making API security essential for today's data-driven enterprises. 

Critical API vulnerabilities and attacks 

In recent times, APIs have emerged as a preferred method for establishing more advanced applications, significantly for mobile devices and the internet of things (IoT). however, some businesses still need to fully understand the possible risks pertaining to their APIs while making them accessible to the public, given the continually evolving application-development methodologies and pressure for innovation. 

Businesses should as well be cautious of these typical security errors before public deployment.

Authentication flaws: Many APIs deny requests for authentication status made by legitimate users. Threat actors could take advantage of these exploits in a variety of ways by replicating API requests, such as session hijacking and account aggregation. 

Lack of encryption: Several APIs lack encryption layers present between the API client and server. Flaws as such could lead a threat actor into intercepting unencrypted or stealing sensitive data via unencrypted or inadequately protected API transactions. 

• Flawed endpoint security: Since most IoT devices and microservices are created in order to communicate with the server via an API channel, hackers often attempt to acquire unauthorized access over them through IoT endpoints. This frequently causes the API to reorder its sequence, leading to a data breach. 

Challenges Faced by API Security

As per Yannick Bedard, head of penetration testing, IBM security X-Force Red, one of the challenges in API security in current times is going through tests for security, for intended logic flows could be difficult to understand, and test it is not clearly comprehended. 

Bedard tells VentureBeat, “In a web application, these logical flows are intuitive through the use of the web UI, but in an API, it can be more difficult to detail these workflows […] This can lead to security testing missing vulnerabilities that may, in turn, be exploited by attackers.” 

“It is common for services to inherently trust data coming from other APIs as clean, only for it to turn out to not be properly sanitized,” says Bedard.  “Malicious data would eventually flow to backend APIs, sometimes behind many other services. These APIs would, in turn, be vulnerable and could provide the attacker an initial foothold into the organization.”

“The top challenge is discovery, as many security teams just aren’t sure how many APIs they have,” says Sandy Carielli, principal analyst at Forrester. 

Carielli said that many teams unknowingly deploy rogue APIs or there may be unmaintained APIs that are still publicly accessible, which can lead to several security hazards. 

According to her, many teams obliviously use rogue APIs, and there may be unmaintained APIs that are still accessible to the general public. This poses a number of security risks. “API specifications could be outdated, and you can’t protect what you don’t know you have,” she said. “Start by understanding what controls you already have in your environment to secure APIs, and then identify and address the gaps. Critically, make sure to address API discovery and inventory.” 

Best practices to enhance API security 

Listed are a few approaches that may be utilized in order to effectively secure your system against API intruders: 

API gateway: API gateway serves as the cornerstone of an API security framework, since it is easy to create, administer, monitor, and secure APIs, and serves as the cornerstone of an API security framework. The API gateway can enable API monitoring, logging, and rate limitation in addition to protecting against a variety of threats. Additionally, it may automatically validate security tokens and restrict traffic depending on IP addresses and other data. 

Web application firewalls (WAF): WAF serves as a layer between traffic and the API gateway or application. It offers an additional security layer against threat actors, like bots, by providing malicious bot detection, the ability to detect attack signatures, and additional IP intelligence, WAFs can be useful for preventing malicious traffic from entering your gateway in the first place. 

Security applications: Standalone security applications with features like real-time protection, static coded and vulnerability scanning, built-time checking, and security fuzzing can as well be incorporated into the security architecture. 

Security in code: An internal form of security that is built into the API or apps is security code. However, it can be challenging to apply uniformly across all of your API portfolios the resources necessary to verify that all security measures are applied appropriately in your API code.   

Read more »
Web browser
Apple Competition Watchdogs Cyber Security Gaming Community Google iOS UK User Privacy Web browser

Apple and Google's Accused for Mobile Browser Monopoly Activities

The domination of Apple and Google in web devices and cloud gaming will be examined, according to the UK's authorities.

The Competition and Markets Authority announced on Tuesday that it is shifting forward on a market investigation it first suggested in June of how the companies regulate internet browsers for mobile devices and concerns that Apple restricts cloud gaming on its devices after receiving help in a public consultation.

The Competition and Markets Authority (CMA) found from market research conducted last year that they controlled the majority of mobile operating systems, app marketplaces, and web browsers.

If the 18-month study indicates an adverse impact on competition, the CMA may enforce modifications. However, the allegations are rejected by both businesses.

The authority announced on Tuesday that it is starting the investigation in part since the U.K. has put off giving its competition regulator new authority over digital markets, which is similar to what was recently passed in the European Union and which it claimed could help resolve those problems.

According to remarks released on Tuesday as part of the CMA's public consultation on its inquiry, some major IT rivals backed the investigation against Apple and Google. If nothing is done, Microsoft Corp. warned that Apple and Google's grip over its mobile ecosystems might pose growing challenges to the competition.






Read more »
User Security
business risks Cyber Security data security Data Theft IIoT IoT devices User Security

IoT Security: A Major Concern for Businesses Worldwide

 

As technology continues to evolve and more industries across the globe become connected, understanding the security challenges linked with the industrial internet of things (IoT) deployments is increasingly important. 

Businesses planning to roll out a manufacturing or industrial IoT initiative, or link existing technology for automated and remote monitoring or access, will need to consider all of the potential threats and attack vectors linked with those decisions. The most common security challenges with industrial IoT security are as follows: 

Security Breach Via Old Systems 

The surge in the volume of IoT apps has made it easier for malicious hackers to identify vulnerabilities to infiltrate organizational data. The operation of multiple IoT devices through the same internet connection makes it easier for attackers to exploit them as a point of illegal access to other resources. This lack of network segmentation can be devastating, as one successful assault on an IoT device can open the door to attackers to siphon sensitive data. 

To safeguard IoT-powered enterprises from data breaches, it’s important to boost the security of the devices with a hardware-based VPN technology and execute a real-time monitoring solution that will continuously scan and report the behavior of the linked devices. 

DDoS Attack 

The hackers can target businesses' endpoint devices by flooding them with overwhelming traffic so that they cannot complete the work they were intended to do. 

For example, when an industrial thermostat is linked to unprotected internet, a coordinated DDoS attack on the entire system could lead to system downtime. One of the best ways to mitigate this type of IIoT threat is to safeguard internet connection with a firewall. 

Device Spoofing  

In IIoT, a device spoofing assault is launched when the hackers pose themselves as a legitimate device to send information between businesses' centralized network and the IIoT endpoint device. For example, the hacker can pose a trusted IoT sensor to send back false information that could alter an organization’s manufacturing process. However, this risk can be mitigated by employing a hardware-based security solution.

Device Theft 

Another common issue, particularly with devices out in the field, is the theft of the physical devices themselves. This threat increases when endpoint devices are storing critical data that may cause concern if that information is stolen by the attackers. 

To minimize the threat, it’s necessary to avoid storing sensitive information on endpoint devices and use cloud-based infrastructure to store critical data. 

Data Siphoning 

The smooth deployment of data by endpoint devices can be blocked via an eavesdropping attack. What the hacker does here is eavesdrop on the network traffic from the endpoint device to secure access to collected data. 

The industries most impacted by this type of IoT attack are the health, security, and aerospace industries. To mitigate the threat, organizations must have a security policy ensuring that all transmitted data is adequately encrypted using the best encryption software. 

“Organizations need to think through this. There are a lot of requirements and they need to figure out a strategy. When looking at product security requirements, I see this as a challenging aspect as organizations get a handle around what they are manufacturing,” Robert M. Lee, CEO at Dragos Incorporation raised a concern regarding organizations' security. 

“There are organizations for example in industries such as health care, medical devices, and power and utilities that are starting to ask questions of their suppliers as they consider security before they deploy devices into their customer ecosystem. Where I see a lot of organizations struggle is in understanding system misconfiguration or not having the architecture, they thought they did in order to make sure their manufacturing environment is reliable.”
Read more »
Web3 Domain
Decentralized websites Technology Web3 Domain

6 Ways Web3 Domains Will Alter Our Ways of Web Surfing


The emerging blockchain technology has opened up a variety of newer ways for decentralization to transform established systems. 

Cryptocurrencies came first, followed by Non-Fungible Tokens, or NFTs. A "Web3 domain" is a new sort of NFT that is currently evolving. 

Web3 domains are, in an essence a complete tokenized infrastructure that allows different data forms to be held under one asset, owned by an individual or a company. 

This further offers new possibilities that completely transform how people interact in both the metaverse and the real, everyday world. Here are just 6 unique use cases that decentralized domains can offer to users worldwide. 

1. Creating a Human Readable Payment Address: 

One of the most significant benefits of the Web3 domain is how it transforms traditional blockchain addresses into a human readable one, which is much easier to remember. Thus, bringing decentralized payments in line with what a user is already aware of. 

This step plays an important part in getting more people to accept digitally native payments. 

2. Building Your Digital Identity: 

One notable aspect of Web3 domain is it implements a user-owned, verifiable digital identity, that is identifiable across the entire spectrum of the internet. A decentralized domain could be linked to a user’s personal information, credentials, achievements or more. Since the person entirely controls the domain, they can use this as identification. 

With Web3, one can control what others can or cannot see, unlike Web2 domains. For instance, with the emergence of this technology, one could as well offer a lender a cryptographic proof providing that they possess a minimum amount of funds in order to qualify for a loan, without having to expose their net value. 

As an alternative, attaching employment and qualification data to a Web3 domain would enable the proof of a person's prior employment, membership in a particular community, or passed specific qualifying exams, all without disclosing their entire history or even their name, if not applicable. 

3. Sending Encrypted and Private Emails: 

Another benefactory aspect of Web3 domains is how it provides users with efficient ways to send and receive emails privately, or even encrypted emails. It is possible to add an additional layer of security to your Gmail or Outlook accounts by simply linking your Web3 domain to a private email client. New emails are forwarded through the private email client that is connected to your domain and into your personal inbox. 

This facilitates the blocking of spam emails, the sending and receiving of encrypted emails, maintaining account privacy. Additionally, only your Web3 domain email will be shown and your personal email will stay hidden, ensuring your privacy. 

While email encryption is not a new aspect introduced to users, with a number of services already available, this method does not require trusting a third-party entity or code. Users hold control at all times, while possessing a level of security that many other means may not provide. 

4. A Digital Business Card: 

While the case is being made for this technology as a private user ID, it could as well be a professional one. The same domain that allows a user to prove their identity personally, can also serve as a business avatar, much like how a business card only divulges the most crucial details. 

Potential business partners or employers could get a hold of the basics of what the user has to offer, their relevant work history, or contact information. But only up to a limit, as any further information would only be available if the holder grants permission for the same. Thanks to the built-in veracity, these would be far more trustworthy than any printed physical card. 

5. Building a Decentralized Website: 

Web3 domain, along with payments and emails, provides users a way to create a website on the decentralized web. These decentralized websites let people have complete ownership and control over their data, as well as giving them an alternative to renting Web2 domains. 

This specific use case for decentralized domains could alter the way users engage with the internet, making website visits a lot more secure and transparent experience in near future. 

6. Brand Recognition: 

Further extending the notion of how Web3 domain provides provable identity and reputation to branding, it could as well be a remarkable step in order to bring celebrity recognition or that of any major business or brand franchises. 

Additionally, any business or personality could acquire a domain token linked not just to their history, but presumably to domains of partners, employees, or customers. All of this information would now be linked to their brands in a way that would be easier and clearer to unpack. 

Concluding Remark: 

Even with all the aforementioned possibilities, there is so much more that developers could offer users in the coming times. One can deduce that the true potential of Web3 domains lies in their veracity, privacy, and user control. 

Any kind of data that can be encoded into such assets could be confirmed without being disclosed. This thus has the potential to alter the way that digital and physical interactions are conducted. 

Furthermore, personal freedom along with business confidence could be escalated, making the future of commerce much more efficient, all thanks to the adoption of Web3 domains.  

Read more »
QakBot.
Black Basta Ransomware Cyber Attacks Cybereason Cybersecurity QakBot.

Active Threat of Black Basta Ransomware on US Companies by QakBot Malware

 


Recently Joakim Kandefelt and Danielle Frankel, researchers at Cybereason, a cybersecurity organization, announced that the Black Basta ransomware is operating a new campaign targeting U.S. companies with QakBoat malware. The malicious actors are trying to enter and later capture the organization’s network through this campaign. 

The threat actors use dangerous ransomware known as Black Basta Ransomware as a tool to capture the data of the victim’s network or system. This ransomware is specially targeted at organizations instead of individuals. Black Basta Ransomware captures and locks the data of the targeted organization by using encryptions that cannot be cracked without the specific decryption keys. 

Black Basta ransomware was first observed in April and was considered to be an outgrowth of the Conti ransomware. It uses the tested method of double extortion to extract confidential information from the targeted organization. After collecting this data, the cyber attackers use it to coerce the victim to get a ransom in exchange for the data. The attackers threaten the victim to release the information to the public in case the victim fails to pay demanded ransom. 

It is worth noting that Black Basta Ransomware attacks on a network make changes to the victim's desktop. These changes include renaming the original file name with the ‘.basta’ file extension, changing the desktop background with a new image, and creating a new file on the system as “readme.txt.” The wallpaper image includes a short message which directs the targeted users to open that text file. 

The prime target companies of the ransomware are from the U.S., Canada, Australia, and New Zealand. 

The QakBot, used in the latest campaign by Black Basta ransomware, dated back to 2019 and was highly used in many other ransomware attacks, like Fujifilm Holding Corp in 2020. The prominent factor of QakBot that made it the most used malware by attackers is that once the QakBot gets access to the target’s network, it also creates an entrance for the threat actor to deploy more malware. 

In a study of the campaign by Black Basta ransomware, it was observed that the minds behind this campaign are highly advanced and working sophisticatedly. In an attack under this campaign, the malicious actors get access to the domain of the victim’s network within 2 hours, and they can deliver the ransomware in just twelve hours. 

The Cybereason sent out a warning to organizations to be aware of and safeguard them from these attacks. There are certain precautionary measures that need to be followed. Firstly, the companies should be aware and avert infections from Black Basta and QakBot, and secondly, Cybereason customers should permit variant payload protection and obstruct vulnerable users and sources. 

Additionally, every organization should spot network connections that seem malicious. Resetting Active Directory access is also advised by Cybereason.
Read more »
User Security
Banking Trojan File Manager Malicious Android Apps Malicious Apps Mobile Security User Privacy User Security

SharkBot Malware Targets Thousands of Android Users Via Disguised File Manager App

 

Variants of the SharkBot banking trojan were identified in multiple file manager Android applications on the Google Play Store, some of them with thousands of downloads. 

The majority of users who downloaded the trojanized apps were located in the U.K. followed by Italy, Iran, and Germany, security researchers at Bitdefender said in an analysis published this week. 

"The Google Play Store would likely detect a trojan banker uploaded to their repository, so criminals’ resort to more covert methods," reads the advisory. One way is with an app, sometimes legitimate with some of the advertised features, that doubles as a dropper for more insidious malware." 

This was the case with multiple file manager apps, which were disguised as such to justify the request for permission to install external packages from the user. 

The permissions asked by trojanized apps included READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, GET_ACCOUNTS, REQUEST_INSTALL_PACKAGES, QUERY_ALL_PACKAGES, and REQUEST_DELETE_PACKAGES. 

"Of course, that permission is used to download malware," the researchers wrote. "As Google Play apps only need the functionality of a file manager to install another app and the malicious behavior is activated to a restricted pool of users, they are challenging to detect." 

While the applications identified by the researchers are no longer available on the Play Store, they can still be downloaded via multiple third-party stores, making them a huge threat. 

The first app examined by the researchers was 'X-File Manager,' designed by 'Viktor Soft ICe LLC' and counting over 10,000 installs before it was taken down by Google. 'FileVoyager' was the second one, manufactured by 'Julia Soft Io LLC' with nearly 5,000 downloads. 

The researchers discovered two more apps following an identical methodology, but they were never present on the Google Play store. They are called 'Phone AID, Cleaner, Booster' and 'LiteCleaner M' and were identified on the web via third-party app stores. 

The advisory published by the Bitdefender team comes weeks after threat analysts at Cleafy indicated the Android banking Trojan Vultur has reached more than 100,000 downloads on the Google Play Store.

Users who have downloaded the malicious apps are advised to delete them and change their bank account passwords immediately. Additionally, users are recommended to enable Play Store Protect and scan app ratings and reviews before downloading them.
Read more »
Sophos
Credential Phishing Cyber Security iOS MFA Phishing Attacks Ransomware Attacks. Scam Sophos

Sophos 2023 Threat Report: Cryptocurrency Will Fuel Cyberattacks

The Sophos 2022 Threat Report, released by Sophos, a pioneer in next-generation cybersecurity, illustrates how the gravitational influence of ransomware is attracting other cyber threats to building one vast, linked ransomware delivery system, having essential ramifications for IT security.

Entry-level hackers can buy malware and spyware installation tools from illicit markets like Genesis, and also sell illegal passwords or other data in mass. Access brokers increasingly sell other criminal groups' credentials and susceptible software exploits.

A new ransomware-as-a-service economy has emerged in the last decade due to the rising popularity of ransomware. In 2022, this as-a-service business model has grown, and almost every component of the cybercrime toolkit from initial infection to methods of evading detection is now accessible for purchase, according to the researchers.

Several step-by-step tools and methods that attackers might use to spread the ransomware were revealed when an affiliate of the Conti ransomware published the deployment guide supplied by the operators. RaaS affiliates and other ransomware operators can use malware distribution platforms and IABs to discover and target potential victims once they have the virus they require. The second significant trend predicted by Sophos is being fueled by this.

Gootloader was launching innovative hybrid operations in 2021, as per Sophos's research, that blended broad campaigns with rigorous screening to identify targets for particular malware packs.

Ransomware distribution and delivery will continue to be adapted by well-known cyber threats. Which include spam, spyware, loaders, droppers, and other common malware in addition to increasingly sophisticated, manually handled first access brokers.

Data theft and exposure, threatening phone calls, distributed denial of service (DDoS) assaults, and other pressure tactics were all included in the list of ten pressure methods Sophos incident responders compiled in 2021.

Cryptocurrency will continue to feed cybercrimes like ransomware and unlawful crypto mining. In 2021, Sophos researchers discovered crypto miners like Lemon Duck and MrbMiner, which installed themselves on machines and servers by using newly revealed vulnerabilities and targets that had already been compromised by ransomware operators. Sophos anticipates that the trend will continue until international cryptocurrencies are better regulated.

In addition to promoting their products, cybercrime vendors sometimes post job openings to hire attackers with specialized capabilities. In addition to profiles of their abilities and qualifications, job seekers are posting help-wanted sites on some markets, which also have technical hiring personnel.

As web services grow, different kinds of credentials, particularly cookies, can be utilized in a variety of ways to penetrate networks more deeply and even get through MFA. Credential theft continues to be one of the simplest ways for new criminals to enter gray markets and start their careers.

Read more »
Tax Platform
attackers Cyber Security Data Google Hackers Meta Software Tax Platform

Report: Tax Preparation Software Returned Personal Consumer Data to Meta and Google

 

As per The Markup, popular tax preparation software such as TaxAct, TaxSlayer, and H&R Block sent sensitive financial information to Facebook's parent company Meta via its widely used code known as a pixel, which helps developers track user activity on their sites. 

In accordance with a report published on Tuesday by The Verge, Meta pixel trackers in the software sent information such as names, email addresses, income information, and refund amounts to Meta, violating its policies. The Markup also discovered that TaxAct sent similar financial data to Google via its analytics tool, though the data did not include names.

According to CNBC, Meta employs tiny pixels that publishers and businesses embed on their websites. When you visit, the dots send a message back to Facebook. It also enables businesses to target advertisements to people based on previous websites they have visited.

Based on the report, Facebook could use data from tax websites to power its advertising algorithms even if the person using the tax service does not have a Facebook account. It's yet another example of how Facebook's tools can be utilized to track people across the internet, even if users are unaware of it. According to some statements provided to The Markup, it could have been a mistake.

Ramsey Solutions, a financial advice and software company that uses TaxSlayer, told The Markup that it "NOT KNEW and was never alerted that personal tax information was being gathered by Facebook from the Pixel," and that the company informed TaxSlayer to deactivate the Pixel tracking from SmartTax.

An H&R Block spokesperson said the company takes “protecting our clients’ privacy very seriously, and we are taking steps to mitigate the sharing of client information via pixels.” 

H&R Block further stated in a statement on Wednesday that it had "removed the pixels from its DIY online product to stop any client tax information from being collected."

The Markup discovered the data trail earlier this year while working with Mozilla Rally on a project called "Pixel Hunt," in which participants installed a browser extension that sent the group a copy of data shared with Meta via its pixel.

“Advertisers should not send sensitive information about people through our Business Tools,” a Meta spokesperson told CNBC in a statement. “Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

Meta considers potentially sensitive data to contain information about income, loan amounts, and debt status.

“Any data in Google Analytics is obfuscated, meaning it is not tied back to an individual and our policies prohibit customers from sending us data that could be used to identify a user,” a Google spokesperson told CNBC. “Additionally, Google has strict policies against advertising to people based on sensitive information.”

A TaxAct spokesperson said in a statement, “The privacy of our customers is very important to all of us at TaxAct, and we continue to comply with all laws and IRS regulations. Data provided to Facebook is used at an aggregate level, not the individual level, by TaxAct to analyze our advertising effectiveness. TaxAct is not using the information provided by its customers and referenced in the report issued by The Markup to target advertising with Facebook.”

A TaxSlayer representative did not immediately respond to CNBC's request for comment.
Read more »
Unit 42
Cyber Attacks Luna Moth Unit 42

Rise of Luna Moth’s Malware-Free Extortion Campaign

 


A group of security researchers has discovered that a threat actor has managed to extort hundreds of thousands of dollars from mostly small and midsized businesses over the last few months without using any encryption tools or malware. 

A group of attackers, known as Luna Moth (also called the "Silent" ransomware group), has been using an array of legitimate tools and a method of extortion known as "call-back phishing" to target victims. Later, they use sensitive data as leverage over them to take control of their finances.

Targeted attacks 

In a report published by Palo Alto Network's Unit 42 on Monday, researchers said that in the past, the adversary has primarily targeted smaller legal firms, but in recent times, it has begun moving after larger retailers as well, according to the report. There is evidence that the threat actor's tactics have evolved over the last few years, suggesting that they have become more efficient. According to a security vendor, this means that it now poses a danger to every organization, regardless of its size.

As a senior threat researcher at Palo Alto Networks and a threat researcher with Unit 42, Kristopher Russo is finding that this tactic is widely used to target businesses of all sizes, from large retailers to small and medium-sized law firms. "Because social engineering targets individuals, the size of the company does not offer much protection", said Kristopher Russo. 

Call-Back Phishing 

Call-back phishing is a tactic that security researchers first observed being used by the Conti ransomware over a year ago in a campaign to install BazarLoader malware on their targets' systems. 

The scam starts with an adversary sending a phishing email to a specific, targeted individual at a victim organization. The phishing email is custom-made for the recipient. It originates from a legitimate email service and involves some kind of lure to get the user to initiate a phone call with the attacker. 

In the Luna Moth incidents that Unit 42 researchers observed, the phishing email contained an invoice in the form of a PDF file for a subscription service in the recipient's name. The attackers inform the victim that the subscription will soon be active and billed to the credit card on file. The email provides a phone number to a purported call center — or sometimes multiple numbers, that users can call if they have questions about the invoice. Some of the invoices have logos of well-known companies on top of the page. 

"This invoice even includes a unique tracking number used by the call center," Russo says. "So, when the victim calls the number to dispute the invoice, they look like a legitimate business." The attackers then convinced users who called to initiate a remote session with them using the Zoho Assist virtual support tool. Once the victim is connected to the remote session, the attacker takes control of the victim's keyboard and mouse. He enables access to the clipboard, and blanks out the user's screen, Unit 42 said. 

After the attackers have accomplished that, their next step is to install legitimate Syncro remote support software for maintaining persistence on the victim's machine. They have also deployed other legit tools such as Rclone or WinSCP to steal data from it. Security tools rarely flag these products as suspicious because administrators have legitimate use cases for them in an environment. 

In previous attacks, the adversaries installed multiple remote monitoring and management tools such as Atera and Splashtop on victim systems. However, lately, they appear to have whittled down their toolkit, Unit 42 said. 

If a victim does not have administrative rights on their system, the attacker eschews any attempt to persist on it. Instead, he proceeds straight to stealing data by leveraging WinSCP Portable.

"In cases where the attacker established persistence, exfiltration occurred hours to weeks after initial contact. Otherwise, the attacker only took what they could during the call," Unit 42 said in its report. 

Russo, who is the CEO of Russo Technologies, Inc., believes that the invoice even includes a tracking number that is used by the call center. As a result, when a victim telephones the number to dispute an invoice, it appears to be a legitimate company. 

A user who called was then convinced to engage in a remote session with the attackers via the Zoho Assist virtual support tool after they had been warned. The attackers will take control of the victim's keyboard and mouse as soon as he is connected to the remote session. It has been reported by Unit 42 that the threat actor also blanks the screen of the user after enabling access to the clipboard. 

Having obtained the victim's system credentials, the attackers then proceeded to install official Syncro remote support software on the victim's device. This was necessary to maintain persistence on their host machine. Additionally, a couple of other legitimate tools have been used to steal data from this computer, such as Rclone and WinSCP. Since administrators have legitimate reasons for using these products in their environments, these products are rarely flagged as suspicious by security tools. 

There were initially multiple monitoring and management tools installed on victims' computers by the adversaries, such as Atera and Splashtop, during the initial attacks. Despite this, Unit 42 reported that it appears they have been whittling down their tool set as of late. 

Any attempt by the attacker to persist on a system without administrative rights will be blocked if the victim does not have administrative rights on the system. Rather, what he does is directly access WinSCP Portable and use that to steal data directly from the computer. 

Depending on the circumstances, a persistent attacker may be able to exfiltrate the victim after hours or even weeks after initial contact. If the attacker does not establish persistence, exfiltration may take place after a few days or even weeks after initial contact, Unit 42 reported. 

Applying the Most Pressure 

According to Russo, the Luna Moth group usually looks for data that, when used appropriately, will pose the greatest pressure on their victims with the least amount of risk. A deep understanding of the legal industry was evident from the attacker's targeting of law firms. A person with knowledge of computer science could easily distinguish which data would be harmful if misused. 

Ruso describes Unit 42 as working on cases in which the law firm's sensitive and confidential data had been targeted by hackers. A sample of the most damaging data they stole was included in the extortion email that attackers sent out after reviewing the data they had stolen. 

There have been many attacks in which the adversary changed the victim's biggest clients by name and threatened to contact them directly if the victim organization did not pay the demanded ransom - which could range anywhere from 2 to 78 Bitcoins in some cases. 

According to the investigations carried out by Unit 42, the attackers in the cases where they gained access to the victim's computer did not move laterally once they obtained access. Although, Russo points out that the organization does continually monitor the compromised computer if the victim has admin credentials - even venturing so far as to telephone victims and taunt them if they notice remedial efforts have been made. 

Among the first to report on Luna Moth's activities, Sygnia described Luna Moth as surfacing most likely in March, according to one of its reports. In addition to using commercially available remote access tools, including Atera, Splashtop, and Syncro, as well as AnyDesk for persistence, the security vendor said that it had observed the threat actor working with commercially available remote access tools. Researchers from Sygnia said that in addition to the SoftPerfect network scanner, Sygnia observed that the threat actor was also using a third-party tool called SharpShares for network enumeration and a fourth tool called SharpShares for reconnaissance during their investigation. According to Sygnia, the attackers have included spoof names in the names of the tools they have stored on compromised systems to disguise them as legitimate binaries. 

According to Russo, the threat actor whose actions are being targeted is only concerned with minimizing their digital footprint to circumvent most technical security controls. 

Unit 42 said that since the attackers relied completely on social engineering to conduct the campaign and legitimate tools to execute it, there were few artifacts left behind following the attack. To be able to safeguard themselves against this new threat, Russo said his organization recommends that organizations of all sizes conduct security awareness training for their employees.
Read more »
Subscribe to: Posts (Atom)