Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Ransomware attack
cyber attack Cyber Attacks Cyber Threats Kellogg college Michi Ransomware attack

Kellogg Community College Closes after Ransomware Attack

 

Kellogg Community College in Michigan has closed its campuses and canceled classes after falling victim to a cyber-attack. It's a Battle Creek-based community college and according to the recent data, it serves approximately 7000 students annually. 

On its official website on Sunday the community posted a statement in which it has shared basic information about the ransomware attack that took place over the weekend. Following the attack, the cancellation of all Monday classes and the closure of its five campuses in Battle Creek, Coldwater, Albion, and Hastings were announced.

Furthermore, as the website notified that the attack is causing continued technology problems in the systems, the college told, “the technology issues we have been experiencing were caused by a ransomware attack that continues to affect our systems.” 

All five Kellogg campuses will remain closed while the security vulnerabilities are under investigation, however, the college community is hoping to reopen the campuses later this week. The community is also working to launch a “forced password reset for all students, faculty, and staff” to better secure the network.

“We want to reassure our faculty and students that we will take any actions necessary for students to complete course work in a timely manner and appreciate your patience and support in the meantime,” the alert read. 

According to the data, since 2021, various community colleges have been the victims of ransomware attacks, including Butler County Community College in Pennsylvania, Sierra College in California Lewis, and Clark Community College in Illinois. 

“As we have previously informed you, we have been the victim of a ransomware attack on our systems and services. We are still working to understand the full extent of this incident, but since our last update, we have been working diligently with our IRT team and have made progress in our restoration process,” said the Kellogg Community College.
Read more »
Security
Cyber Fraud Fake Emails Fraud Google phishing Scam Scammers Security

Google SMTP Relay Service Exploited for Sending Phishing Emails

 

Phishers are exploiting a vulnerability in Google's SMTP relay service to send malicious emails that imitate well-known brands. Threat actors use this service to mimic other Gmail tenants, according to Avanan researcher Jeremy Fuchs. Since April 2022, they've noticed a massive rise in these SMTP relay service exploit attacks in the wild. 

Organizations utilise Google's SMTP relay service to send out promotional messages to a large number of consumers without the risk of their mail server being blacklisted. 

Fuchs explained, “Many organizations offer this service. Gmail does as well, with the ability to route outgoing non-Gmail messages through Google. However, these relay services have a flaw. Within Gmail, any Gmail tenant can use it to spoof any other Gmail tenant. That means that a hacker can use the service to easily spoof legitimate brands and send out phishing and malware campaigns. When the security service sees avanan.com coming into the inbox, and it’s a real IP address from Gmail’s IP, it starts to look more legitimate.” 

As Gmail's SMTP relay servers are usually trusted, email security solutions are circumvented, and recipients see a legitimate-looking email address in the "From:" field. Users will only know something is wrong if they inspect the message headers. 

This brand impersonation method will only work if the impersonated corporation/brand company hasn't enabled its DMARC reject policy, according to Fuchs. A DNS-based authentication standard is known as DMARC. It protects enterprises from impersonation threats by preventing malicious, spoof emails from reaching their intended recipients. 

Using tools like MXToolbox, any phisher — indeed, anyone who uses the internet – may verify whether the DMARC reject policy has been enabled for a certain domain. Trello and Venmo, for example, haven't, according to Fuchs, while Netflix has. 

On April 23rd, 2022, Fuchs claims to have warned Google about how phishers were using their SMTP relay service. “Google noted that it will display indicators showing the discrepancy between the two senders, to aid the user and downstream security systems,” he told Help Net Security. 

He also points out that any SMTP relay could be vulnerable to this type of assault. The DMARC protocol, which Google recommends, is the overarching solution to this well-known security issue. However, until that becomes the norm, recipients should verify the headers of unsolicited email messages and avoid opening attachments or clicking on links in those messages if they can't tell whether they're harmful. 

“We have built-in protections to stop this type of attack. This research speaks to why we recommend users across the ecosystem use the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. Doing so will defend against this attack method, which is a well-known industry issue,” a Google spokesperson told Help Net Security.
Read more »
phishing
cyber attack Cyber Attacks data scam Data Stolen Fraud phishing

Russia-linked APT29 Targets Diplomatic World Wide

 

Security intelligence from Mandiant has discovered a spear-phishing campaign, launched by the Russia-linked APT29 group, designed to victimize diplomats and government entities worldwide including European, the Americas, and Asia. 

The group is believed to be sponsored by the Russian Foreign Intelligence Service (SVR) and to have orchestrated the 2020 SolarWinds attack which hit hundreds of organizations. 

According to the data, the Russia-linked APT29 group popularly known as SVR, Cozy Bear, and The Dukes is active since at least 2014, along with the APT28 cyber threat group which was involved in the Democratic National Committee hack, the wave of attacks aimed at the 2016 US Presidential Elections and a November 2018 attempt to infiltrate DNC. 

The phishing emails have been masqueraded as official notices related to various embassies. Nation-state actors used Atlassian Trello, DropBox, and cloud services, as part of their command and control (C2) infrastructure. 

“APT29 targeted large lists of recipients that Mandiant suspected were primarily publicly-listed points of contact of embassy personnel. These phishing emails utilized a malicious HTML dropper tracked as ROOTSAW, which makes use of a technique known as HTML smuggling to deliver an IMG or ISO file to a victim system.” reads the analysis published by Mandiant. 

The threat actors used the HTML smuggling technique to deliver an IMG or ISO file to the targets. The ISO image contains a Windows shortcut file (LNK) that installs a malicious DLL file when it is clicked. When the attachment file opens, the ROOTSAW HTML dropper will write an IMG or ISO file to disk. Following the steps, once the DLL file is executed, the BEATDROP downloader is delivered and installed in memory. 

“BEATDROP is a downloader written in C that makes use of Trello for C2. Once executed, BEATDROP first maps its own copy of ntdll.dll into memory for the purpose of executing shellcode in its own process. BEATDROP first creates a suspended thread with RtlCreateUserThread which points to NtCreateFile...” 

 “…Following this, BEATDROP will enumerate the system for the username, computer name, and IP address. This information is used to create a victim ID, which is used by BEATDROP to store and retrieve victim payloads from its C2. Once the victim ID is created, BEATDROP will make an initial request to Trello to identify whether the current victim has already been compromised”, the report read.
Read more »
Privacy
Data Privacy mental Health Mobile Apps Mozilla Privacy

Mental Health Apps Fail Privacy Guidelines Spectacularly, Says Mozilla

An inquiry into mental health and prayer apps disclosed a problematic lack of concern around user security and privacy. Last Monday, Mozilla published the findings of new research about these kinds of apps, which mostly deal with sensitive issues like depression, anxiety, mental health awareness, PTSD, domestic violence, etc., and religion-based services. Mozilla's recent "Privacy Not Included," guide says that even though these apps manage personal information, they regularly share data, allow easy passwords, pick vulnerable users via targeted ads, and show poorly written and vague privacy policies. 

In a study consisting of 32 applications focused on mental health and religion, Mozilla identified 25 apps that failed to meet its Minimum Security Standards. The privacy standards work as the main highlight for the Privacy Not Included reports. The unauthorized sharing and selling of user data, poor data management services, poor encryption, weak password guidelines, inaccurate vulnerability management system, and different lax privacy policies can lead to the downgrading of a vendor product in accordance with Mozilla's standards. 

Once an app fails to touch these minimum standards, they are labeled with a "the privacy not included" warning tag. Mental health and healing-related applications have received an accolade, but they can't be covered. To protect users' privacy and security, these applications are the worst in any product category that Mozilla experts have investigated or reviewed in the past six years. The examined apps include Better Help, Talkspace, Calm, 7 Cups, Glorify, Wysa, Headspace, and Better Stop Suicide. 

As a result, every one of these apps now has a dedicated slot that users can access to know more about the app's privacy and security rating. According to ZDNet, "while the app gathers some personal information and says that users can reach out to them if they have further queries, they did not respond to Mozilla's attempts at contact and did not mention who "trusted partners'" were when data sharing. Only two applications on the list, PTSD Coach and the AI chatbot Wysa seemed to take data management and user privacy seriously."
Read more »
User Privacy
Data Breach Data Privacy data security Hackers Hacking User Data User Privacy

Anonymous Hacks Russian Energy Companies, Leaking 1Million+ Emails

 

Anonymous claims to have hacked into Russian energy businesses in order to expose emails and continue its cyberwar on Ukraine. On Twitter, the hacker collective claimed to have exposed over 1 million emails from ALET, a Russian customs broker for gasoline and energy firms. 

The tweet stated, "NEW: #Anonymous hacked nearly 1.1 million emails (1.1 TB of data) from ALET, a Russian customs broker for companies in the fuel and energy industries, handling exports and customs declarations for coal, crude oil, liquefied gases and petroleum products."

DDoSecrets, an organisation co-founded by Emma Best and dedicated to comprehensive data transparency in the public interest, disclosed the breach. 

What is ALET? 

ALET is a customs broker based in Russia. It manages exports and customs declarations for petroleum products, coal, liquefied gases, and crude oil for enterprises in the fuel and energy industry. It has worked with 400 businesses and filed 119,000 customs declarations since 2011 with oil products accounting for the majority of its revenues. Gazprom, Gazprom Neft, and Bashneft have all recommended it.

Anonymous has threatened to fight a cyberwar against Putin since the start of the Russia-Ukraine conflict. So far, it has lived up to that promise. Not only has the organisation disclosed Russian information, but it has also infiltrated Russian organisations in order to inform citizens about what is happening outside the nation. 

Anonymous is best known for hacking Russian streaming sites and TV networks in order to show Russian residents what was going on in Ukraine. Last week, the group hacked Enerpred, Russia's largest hydraulic equipment manufacturer dealing in the energy, coal, gas, oil, and construction industries, and stole 645,000 emails (up to 432GB of data).

The company's headquarters are in Irkutsk, Eastern Siberia's capital, and offices in major Russian cities including Moscow and St. Petersburg. DDoSecrets' (Distributed Denial of Secrets) website has the leaked data.
Read more »
NATO
Bangladesh Cyber Army Botnets CIA Cyber Attacks DDOS Tools keylogger Malicious actor NATO

 Bangladesh Cyber Incident Response Team has Issued a Warning About Malware Attacks Around Eid

 

Officials have warned of a possible cyber-attack on Bangladesh's financial and other key institutions' computer systems during the Eid vacations. According to a statement issued by the Digital Security Agency, the affected authorities must install or update anti-DDOS hardware and software. 

Officials believe the warning was sent by the government's specialized cyber-threat agency as a global cyberwar erupts in the Russia-Ukraine conflict, with NATO assisting the latter with arms support. 

The Bangladesh Computer Council's e-Government Computer Incident Response Team (BGD e-GOV CIRT) also recommends all key information facilities' internal systems be checked and monitored.

Following the current conflict between Ukraine and Russia, Tarique M Barkatullah, director (operations) of the Digital Security Agency and project director of the BGD e-GOV CIRT, stated “hackers from both sides are using important information infrastructures of different countries to spread botnets and malware and attack each other.” 

Botnets are computer networks infected with malware (such as computer viruses, key loggers, and other malicious code or malware) and remotely controlled by criminals, either for monetary gain or to launch assaults on websites or networks. 

BGD e-Gov CIRT discovered over 1400 IP numbers used in Russia after analyzing the warning message issued by the Russian Computer Security Incident Response Team. According to the CIA, hackers are using these IPs to spread propaganda and launch distributed denial of service (DDoS) operations. 

Tareq M Barkatullah, project director of BGD e-Gov CIRT, remarked in this reference: “The country's afflicted financial institutions and public service suppliers are being hampered in providing its usual services due to the exploitation of these IP-enabled Bangladeshi servers."

According to the Financial Express, Prof Dr. Md Salim Uddin, chairman of the executive committee of Islami Bank Bangladesh Limited (IBBL), several financial institutions have been targeted by cyber-attacks as a result of the current crisis between Ukraine and Russia.

IBBL is well-prepared to thwart any cyber-attack because it is always adopting new technological solutions. Among the internal systems, he emphasized strengthening cyber-security with new tech solutions and monitoring systems. To prevent all types of cyber threats, financial institutions should join an organization or platform to improve cooperation and integration. He further urges the government to expand collaboration and support in this area in order to combat rising cyber-threats in the future.
Read more »
Windows 10
Cyber Attacks Ransomware security threat User Security Windows 10

Magniber Ransomware Tricking Users via Fake Windows 10 Updates

 

Security analysts have unearthed a new ransomware campaign targeting Windows systems. Malicious actors are using fake Windows 10 updates to spread the Magniber ransomware strain. 

Since April 27, users around the world have been posting their stories on the BleepingComputer forum seeking a solution. According to the publication, these fake Windows 10 updates are being distributed under multiple names such as Win10.0_System_Upgrade_Software.msi and Security_Upgrade_Software_Win10.0.msi via platforms such as pirated sites, posing as legitimate cumulative or security updates.

Aside from these files, there also are other fake knowledge-based articles on Microsoft that can install the Magniber ransomware: 

• System.Upgrade.Win10.0-KB47287134.msi 
• System.Upgrade.Win10.0-KB82260712.msi 
• System.Upgrade.Win10.0-KB18062410.msi 
• System.Upgrade.Win10.0-KB66846525.msi

Based on the submissions to VirusTotal, this malicious campaign appears to have started on April 8th, 2022 and has seen massive distribution worldwide since then. Meanwhile, it remains unclear how the fake Windows 10 updates are being promoted and distributed from fake warez and crack sites. 

Once installed, Magniber will erase shadow volume copies and then encrypt files. When encrypting files, the ransomware will append a random 8-character extension, such as .gtearevf,. The ransomware also produces a README.html document in each folder which it encrypts. The documents then redirect users to Magniber’s Tor payment site, which is called 'My Decryptor'.

The payment site allows a victim to decrypt one file for free, contact 'support,' or determine cryptocurrency address to send coins to if they decide to pay the ransom. The ransomware demands tend to be around $2,500 or 0.068 bitcoin, Bleeping Computer reported. 

“The only 1 way to decrypt your files is to receive the private key and decryption program,” the ransom note reads. “Any attempts to restore your files with the third-party software will be fatal for your files!”

According to security researchers, no safe decryptor exists for the ransomware. Nor any weaknesses of the malware are known to reverse its infection. The ransomware presently targets regular users and students, and not corporate customers. Thus, the users need to remain vigilant, avoid downloading cracked versions, and use legit sites only. 

The ransomware was first spotted in 2017 targeting victims in South Korea. Back in 2021, the ransomware was using the PrintNightmare exploit to Target Windows user, and earlier this year in January, it was distributed via Microsoft Edge and Chrome.
Read more »
security threat
Cyber Scam Mobile Security Phishing Campaign security threat

Beware of New Phishing Campaign Targeting Facebook Users

 

Facebook users need to remain vigilant after researchers at Abnormal Security uncovered the new phishing campaign designed to steal passwords from admin that run company Facebook pages. The scam begins with a victim being sent a phishing email claiming to be from 'The Facebook Team’. 

The email warns that the user's account might be disabled or the page might be removed over repeatedly posting content that infringes on someone else’s rights. 

Once scaring a victim into thinking their Facebook profile could soon be taken down, the victim is invited to appeal the report by clicking on a link that the security researchers said goes to a Facebook post – and within this post, there's another link that directs users to a separate website. To file an ‘appeal’, a Facebook user is told to enter sensitive information including their name, email address, and Facebook password. 

All this information is sent to the threat actor, who can exploit it to log in to the victim's Facebook page, gather sensitive details from their account, and potentially lock them out of it. If the victim re-uses their Facebook email address and password for other websites and applications, the attacker can access those too. One of the reasons phishing attacks like this are successful is because they create a sense of urgency. 

“What makes this attack interesting (and particularly effective) is that the threat actors are leveraging Facebook’s actual infrastructure to execute the attack. Rather than sending the target straight to the phishing site via a link in the email, the attackers first redirect them to a real post on Facebook. Because the threat actors use a valid Facebook URL in the email, it makes the landing page especially convincing and minimizes the chance the target will second-guess the legitimacy of the initial email,” researchers explained. 

“In addition, it appears the attackers are targeting accounts of people who manage Facebook Pages for companies. For these individuals, a disabled Facebook account wouldn’t just be an inconvenience; it could have an impact on their marketing, branding, and revenue. If they believed their account was at risk, they would be particularly motivated to act quickly.” 

If you have already been a victim of this campaign, or want to stay safe from any future threats, Facebook on its website has issued recommendations for its users. The social network advises anyone who thinks they’ve fallen for a phishing scam to report it, change their password, and make sure they log out of any devices they don’t recognize. Facebook also recommends users turn on multi-factor authentication, which helps to add an extra level of security to their account.
Read more »
User Security
Android Applications Android Apps data security Google Technology User Data User Security

Google's Safety Section Will Show What Android Apps Do With the User Data

Earlier this week, Google rolled out a new Data Safety section for Android apps on Play Store to mention the type of data that is collected and given to third parties. It is the users' right to know why their data is collected and if the developer shares user data with a third party. 

Besides this, users should know how application developers are protecting user data when an app is downloaded. The transparency measure, built in accordance with Apple's Privacy Nutrition Labels, was first announced by Google last year in May 2021. 

The Data safety section will show up against all app listings on the digital storefront, presenting a unified view of what kind of data is getting collected, why it's being collected, and how it'll be used, also mentioning what data is shared with the third parties. Moreover, the labels may also show an app's security practices, for instance, data encryption in transit and if the user can ask for the data to be deleted. 

Additionally, it will validate these practices against security standards like Mobile Application Security Verification Standard (MASVS). The feature will probably be rolled out for all users, app developers can expect a deadline of 20 July 2022 to finalize the work and update the users if there is any change in the apps' functionality or data handling practices. 

Data safety may face similar concerns that Apple did, as the system is built entirely on an honor system, which needs app developers, to be honest, and clear about what they'll do with the data, avoiding listing it as inaccurate labels. 

Since then, Apple said that the company will audit labels for authenticity, and make sure that these labels are dependable and don't give the users fake assurance about security. 

"Google, last year, had said that it intends to institute a mechanism in place that requires developers to furnish accurate information and that it will mandate them to fix misrepresentations should it identify instances of policy violations," reports The Hacker News.

Read more »
Vulnerabilities and Exploits
Bugs Critical Flaw Local privilege escalation vulnerability Microsoft Privilege Escalation Flaw Security Bug Security flaw Security Vulnerabilities Vulnerabilities and Exploits

ExtraReplica: Microsoft Patches Cross-Tenant Bug in Azure PostgreSQL

 

Recently, Microsoft has patched pair of security vulnerabilities in its Azure Database for PostgreSQL Flexible Server which could have been exploited to execute malicious code. On Thursday, cyber security researchers from Wiz Research published an advisory on "ExtraReplica," wherein they described it as a "cross-account database vulnerability" in Azure's infrastructure. 

The first is a privilege escalation bug in a modification that Microsoft made to the PostgreSQL engine and the second bug leverages the privilege escalation enabled by the former to give attackers cross-account access. 

Microsoft Azure is a hybrid cloud service and accounts for hundreds of thousands of enterprise customers, it also provides various services to different enterprises including software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS). 

It supports various programming languages, frameworks, and tools including both Microsoft-specific and third-party software and systems, as well as housing the data for various other Microsoft tools is one of its key features. 

According to the report, security vulnerabilities in the software could be used to bypass Azure's tenant isolation, which prevents software-as-a-service (SaaS) systems users from accessing resources belonging to other tenants. 

Also, ExtraReplica's core attack vector is based on a flaw that gave full access to customer data across multiple databases in a region without authorization, researchers from cloud security vendor Wiz Research recently added. 

"An attacker could create a full copy of a target database in Azure PostgreSQL [Flexible Server], essentially exfiltrating all the information stored in the database…," 

 “…The vulnerabilities would have allowed attackers to bypass firewalls configured to protect the hosted databases unless an organization had configured it for private access only but this is not the default configuration," says Ami Luttwak, co-founder and CTO at Wiz. 

Following the attack, Microsoft said it has mitigated the security vulnerabilities in the second week of January 2022, less than 48 hours after Wiz had warned about the attack. However, the company said that its research showed no evidence that hackers has exploited the vulnerabilities to access customer data.
Read more »
Notice
Breach Cyber Data Cyber Security Data Privacy Hacking Notice

All Organisations Must Report Cybersecurity Beaches Within 6 Hours: CERT-In

 

CERT-In, India's computer, and emergency response team released new guidelines on Thursday that mandate that service providers, intermediaries, data centres, and government institutions disclose cybersecurity incidents, including data breaches, within six hours.

The government said in a release, "Any service provider, intermediary, data center, body corporate and Government organization shall mandatorily report cyber incidents [...] to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents."

Compromise of critical systems, targeting scanning, unauthorised access to computers and social media accounts, website defacements, malware deployments, identity theft, DDoS attacks, data breaches and leaks, rogue mobile apps, and attacks against servers and network appliances such as routers and IoT devices are among the types of incidents covered.

The government stated  it was taking these steps to ensure that the required indicators of compromise (IoC) associated with security events are easily accessible to "carry out the analysis, investigation, and coordination as per the process of the law”

Concerned organisations are also required to synchronise ICT system clocks to the National Informatics Centre (NIC) or National Physical Laboratory (NPL) Network Time Protocol (NTP) Server, maintain ICT system logs for a rolling period of 180 days, and necessitate VPN service providers to maintain data such as names, addresses, phone numbers, emails, and IP addresses of subscribers for a minimum of five years, according to the guidelines.

The guidelines also require virtual asset service, exchange, and custodian wallet providers to preserve records on Know Your Customer (KYC) and financial transactions for a period of five years, starting in 60 days.

India's Ministry of Electronics and Information Technology (MeitY) said in a statement, "These directions shall enhance overall cyber security posture and ensure safe and trusted Internet in the country."

Read more »
Subscribe to: Comments (Atom)