North Korean hackers, during a fake Amazon recruitment, ask candidates to download a backdoored version of the PuTTY client
According to a report published by Mandiant, the group responsible for this attack vector is UNC4034, operating mainly from North Korea. The attack is in fact a phishing campaign that involves contacting job seekers by e-mail and offering them a high salary at Amazon. During the recruitment stage, the recruiter asks via WhatsApp...
In recent hours a serious attack on Uber's infrastructure has taken place. The intruder obtained broad access to the company's internal tools and cloud environments, and then... announced it on the internet. Who could have been behind the attack, and why did it go so well for them?
This morning's look through Twitter brought some interesting posts.…
The post How Uber was hacked, and why it apparently was not hard first appeared on Zaufana Trzecia Strona.
Uber, the company that handles the logistics of on-demand car transport, has been hacked. At least that is what the hacker claims, having obtained administrator-level access to internal systems such as G Suite, the AWS console, vSphere, the domain, the Slack messaging server, and even the HackerOne panel with access to internal vulnerability reports. Looking through the screenshots...
The article Uber has been hacked! Among other things, they gained access to current vulnerability reports comes from Sekurak.
Although CTU researchers publicly disclosed the group's tactics, techniques and internal procedures as early as May 2022, to this day the group still displays many repeated behaviours. Fig. 1. Disclosed activity of the COBALT MIRAGE group (source). The criminals did try to remove traces of their actions by deleting webshells, logs and tools. However, a few...
The article OPSEC mistakes led to the exposure of the identities of members of an Iranian APT group comes from Sekurak.
Artur Ślubowski, Cyber Project Director at PKP Informatyka, is the guest of Rozmowa Kontrolowana on Sunday at 9 p.m.
After a long summer break, Rozmowa Kontrolowana returns to its usual schedule. We start the autumn with a meeting with a man who has devoted a large part of his life to securing critical infrastructure. Meet Artur.
Artur Ślubowski followed a path that is quite popular among the guests of our programme: from administrator to security specialist.…
Uber suffered a cyberattack on Thursday: the attackers were able to penetrate its internal network and access internal documents, including vulnerability reports.
We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available. — Uber Comms (@Uber_Comms) September 16, 2022
According to the New York Times, the threat actors hacked an employee’s Slack account and used it to inform internal personnel that the company had “suffered a data breach” and provided a list of allegedly hacked internal databases.
“I announce I am a hacker and Uber has suffered a data breach.” states the message.
The company was forced to take its internal communications and engineering systems offline to mitigate the attack and investigate the intrusion.
The attackers allegedly compromised several internal systems and provided images of email, cloud storage and code repositories to The New York Times and some cyber security researchers.
“They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. “This is a total compromise, from what it looks like.”
The attackers also had access to the company's HackerOne bug bounty program, which means that they had access to every bug report submitted to the company by white hat hackers. This information is very valuable, as threat actors could use it to launch further attacks. At this time it is not possible to exclude that the reports include technical details about some flaws that have yet to be fixed by the company.
HackerOne has immediately disabled the Uber bug bounty program blocking any access to the list of the reported issues.
Someone hacked an Uber employee's HackerOne account and is commenting on all of the tickets. They likely have access to all of the Uber HackerOne reports. pic.twitter.com/00j8V3kcoE — Sam Curry (@samwcyo) September 16, 2022
Update: A Threat Actor claims to have completely compromised Uber – they have posted screenshots of their AWS instance, HackerOne administration panel, and more.
They are openly taunting and mocking @Uber. pic.twitter.com/Q3PzzBLsQY
Uber notified law enforcement and started an internal investigation into the incident, a company spokesman confirmed.
“We don’t have an estimate right now as to when full access to tools will be restored, so thank you for bearing with us,” Latha Maripuri, Uber’s chief information security officer, told NYT via email.
Employees were instructed not to use the internal messaging service Slack and some of them, speaking on a condition of anonymity, told the NYT that other internal systems were inaccessible.
The hacker claims to be 18 years old and added that Uber had weak security; in the message sent via Slack he also said Uber drivers should receive higher pay.
This is not the first time that the company suffered a security breach. In 2017, the news of another data breach that took place in 2016 made the headlines.
In November 2017, Uber CEO Dara Khosrowshahi announced that hackers had broken into the company database and accessed the personal data (names, email addresses, and cell phone numbers) of 57 million of its users; the disconcerting revelation was that the company had covered up the hack for more than a year.
The attackers also accessed the names and driver's license numbers of roughly 600,000 of its drivers in the United States.
The hack happened in 2016 and, according to a report published by Bloomberg, it was easy: the hackers obtained credentials from a private GitHub site used by the company's development team. The hackers then tried to blackmail Uber and demanded $100,000 from the company in exchange for not publishing the stolen data.
Rather than notifying customers and law enforcement of the data breach, as required by California's data security breach notification law, chief information security officer Joe Sullivan ordered the ransom to be paid and the story to be covered up, destroying any evidence. The payout was disguised as a bug bounty prize, complete with signed non-disclosure agreements.
The post Uber hacked, internal systems and confidential documents were allegedly compromised appeared first on Security Affairs.
Only until Monday can you apply for free educational videos on security. See which topics were chosen most often by the 200 companies that have already taken up the offer and received their recordings.
The post Last call, or what Polish companies want to teach their employees first appeared on Zaufana Trzecia Strona.
On Monday, September 12, 2022, Akamai mitigated the largest DDoS attack ever that hit one of its European customers. The malicious traffic peaked at 704.8 Mpps and appears to originate from the same threat actor behind the previous record that Akamai blocked in July and that hit the same customer.
The following table compares the two massive DDoS attacks; while in July the number of cumulative attacks was 75, in September it jumped to 201.

| | July attack | September attack |
|---|---|---|
| Peak pps | 659.6 Mpps | 704.8 Mpps |
| Cumulative attacks | 75 | 201 |
| IPs targeted | 512 | 1,813 |
| Vector | UDP | UDP |
| Distribution | 1 location | 6 locations |
| Date of attack | July 21, 2022 | September 12, 2022 |
| Top scrubbing locations | HKG, LON, TYO | HKG, TYO, LON |
Unlike the July attack, this time the attackers launched the attack against six data center locations from Europe to North America.
“On Monday, September 12, 2022, Akamai successfully detected and mitigated the now-largest DDoS attack ever launched against a European customer on the Prolexic platform, with attack traffic abruptly spiking to 704.8 Mpps in an aggressive attempt to cripple the organization’s business operations.” reads the analysis published by Akamai. “The attackers’ command and control system had no delay in activating the multidestination attack, which escalated in 60 seconds from 100 to 1,813 IPs active per minute. Those IPs were spread across eight distinct subnets in six distinct locations.”
Akamai applauded the approach adopted by its customer to mitigate DDoS attacks: after the July attack it had secured all of its 12 data centers.
“Having a proven DDoS mitigation strategy and platform in place is imperative for shielding your business from downtime and disruption” concludes the security firm.
The post Akamai mitigated a new record-breaking DDoS attack against a European customer appeared first on Security Affairs.
Researchers from Kaspersky have spotted a self-extracting archive, served to gamers looking for cheats on YouTube, that was employed to deliver the RedLine Stealer information-stealing malware and crypto miners.
The RedLine malware allows operators to steal several pieces of information, including credentials, credit card data, cookies, autocomplete information stored in browsers, cryptocurrency wallets, credentials stored in VPN clients and FTP clients. The malicious code can also act as first-stage malware.
Stolen data are stored in an archive (logs) before being uploaded to a server under the control of the attackers.
The videos were crafted to share links to malicious password-protected archive files designed to install the above malware families on infected machines.
“The videos advertise cheats and cracks and provide instructions on hacking popular games and software.” reads the report published by Kaspersky.
“The original bundle is a self-extracting RAR archive containing a number of malicious files, clean utilities and a script to automatically run the unpacked contents”
Some of the games for which the threat actors published videos are APB Reloaded, CrossFire, DayZ, Farming Simulator, Farthest Frontier, FIFA 22, Final Fantasy XIV, Forza, Lego Star Wars, Sniper Elite, and Spider-Man, among others.
Upon executing the self-extracting archive, three executable files are run:
- cool.exe, which is the RedLine stealer;
- ***.exe, which is a cryptominer;
- The third executable file copies itself to the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup directory to maintain persistence and runs the first of the batch files included in the archive.
The batch files run three other malicious files, MakiseKurisu.exe, download.exe and upload.exe, which are used to self-distribute the bundle. One of the batch files runs the nir.exe utility, which launches the executables without displaying any windows or taskbar icons.
MakiseKurisu.exe is a password stealer written in C# that was customized by the creators of the malicious bundle.
The info stealer is capable of extracting cookies from browsers and using them to access the victim's YouTube account in order to upload a video with a link to the malicious archive.
Once the video is successfully uploaded to YouTube, upload.exe sends a message to Discord with a link to the video uploaded by the threat actors.
“Cybercriminals actively hunt for gaming accounts and gaming computer resources. As we noted in our overview of gaming-related cyberthreats, stealer-type malware is often distributed under the guise of game hacks, cheats and cracks.” concludes the report. “The self-spreading bundle with RedLine is a prime example of this: cybercriminals lure victims with ads for cracks and cheats, as well as instructions on how to hack games. At the same time, the self-propagation functionality is implemented using relatively unsophisticated software, such as a customized open-source stealer. All this is further proof, if any were needed, that illegal software should be treated with extreme caution.”
The post Experts warn of self-spreading malware targeting gamers looking for cheats on YouTube appeared first on Security Affairs.
The Russia-linked Gamaredon APT group (aka Shuckworm, Actinium, Armageddon, Primitive Bear, and Trident Ursa) is targeting employees of Ukrainian government, defense, and law enforcement agencies with a custom-made information-stealer implant.
The malicious code was designed to exfiltrate files and deploy additional payloads; the threat actors are using phishing documents containing lures related to the Russian invasion of Ukraine.
The threat actors relied on LNK files, PowerShell and VBScript to achieve initial access to the target systems, then deployed malicious payloads in the post-infection phase.
“Cisco Talos discovered Gamaredon APT activity targeting users in Ukraine with malicious LNK files distributed in RAR archives. The campaign, part of an ongoing espionage operation observed as recently as August 2022, aims to deliver information-stealing malware to Ukrainian victim machines and makes heavy use of multiple modular PowerShell and VBScript (VBS) scripts as part of the infection chain.” reads the analysis published by Talos. “The infostealer is a dual-purpose malware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint.”
The nation-state actors are using weaponized Microsoft Office documents containing remote templates with malicious VBScript macros. The macros download and open RAR archives containing LNK files that download and activate the next-stage malware.
Talos's attribution of the attacks to Gamaredon is based on a significant overlap between the tactics, techniques and procedures (TTPs) used in this campaign and those used in previous attacks against Ukraine's Computer Emergency Response Team (CERT-UA) that were attributed to Gamaredon.
The experts observed the threat actors using a PowerShell script to deploy an information stealer that exfiltrates files with specific extensions, including .doc, .docx, .xls, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z and .mdb. The experts pointed out that this infostealer was not involved in previous campaigns attributed to Gamaredon. The researchers speculate it may be a component of Gamaredon's "Giddome" backdoor family, but at the time of the report they had no evidence for this.
“Once started, the malware scans all attached storage devices looking for files with the aforementioned extensions. For each one, the malware makes a POST request with metadata about the exfiltrated file and its content.” concludes the analysis that also includes Indicators of Compromise (IoCs).
The post Russia-linked Gamaredon APT target Ukraine with a new info-stealer appeared first on Security Affairs.
On 8 September 2022, the newsroom of Meta, the owner of Facebook and Instagram among other services, published information about the introduction of a new solution intended to protect privacy and improve the security of Facebook users. It concerns the creation of dynamic FBID identifiers in place of the previous, unchanging ones. Facebook user identifiers are assigned when an account is created and allow...
The article Meta introduces dynamic Facebook user identifiers – how will this affect OSINT? comes from Sekurak.
The Federal Bureau of Investigation (FBI) has issued an alert about cyber attacks against healthcare payment processors to redirect victim payments.
Threat actors used employees’ publicly-available Personally Identifiable Information (PII) and social engineering techniques to impersonate victims and obtain access to files, healthcare portals, payment information, and websites.
The FBI also reported one attack in which the threat actors changed victims' direct deposit information to a bank account under their control and redirected $3.1 million in payments.
“Cyber criminals are compromising user login credentials of healthcare payment processors and diverting payments to accounts controlled by the cyber criminals. Recent reporting indicates cyber criminals will continue targeting healthcare payment processors through a variety of techniques, such as phishing campaigns and social engineering, to spoof support centers and obtain user access.” reads the alert.
Below are some cases included in the alert:
- April 2022: Threat actors posing as an employee of a healthcare company with more than 175 medical providers changed the Automated Clearing House (ACH) instructions of one of its payment processing vendors to redirect the payments. The crooks stole approximately $840,000 over two transactions prior to the discovery.
- February 2022: an attacker obtained credentials from a major healthcare company and changed direct deposit banking information from a hospital to a consumer checking account under the control of the cyber-criminal. The attacker stole $3.1 million with this attack.
- February 2022: in a separate incident a different threat actor used the same technique to steal approximately $700,000.
- From June 2018 to January 2019: cyber criminals targeted and accessed at least 65 healthcare payment processors throughout the United States to replace legitimate customer banking and contact information with accounts under their control. In one case, the victim reported having lost approximately $1.5 million. In this case, the attackers used both publicly available PII and data gained through phishing attacks aimed at gaining access to customer accounts.
The alert also reported potential indicators of malicious activities against user accounts, including phishing emails targeting financial departments of healthcare payment processors, suspected social engineering attempts to obtain access to internal files and payment portals, unwarranted changes in email exchange server configuration and the settings of custom rules for specific accounts, requests for employees to reset both passwords and 2FA phone numbers within a short timeframe, and employees reporting they are locked out of payment processor accounts due to failed password recovery attempts.
Below is the list of mitigations recommended by the FBI:
- Ensure anti-virus and anti-malware is enabled and security protocols are updated regularly and in a timely manner. Well-maintained anti-virus and anti-malware software may prevent commonly used attacker tools.
- Conduct regular network security assessments to stay up to date on compliance standards and regulations. These should include performing penetration tests and vulnerability scans to ensure the knowledge and level of current system and security protocols.
- Implement training for employees on how to identify and report phishing, social engineering, and spoofing attempts. As budget constraints allow, consider options in authentication or barrier layers to decrease or eliminate the viability of phishing.
- Advise all employees to exercise caution while revealing sensitive information such as login credentials through phone or web communications. Employees should conduct requests for sensitive information through approved secondary channels.
- Use multi-factor authentication for all accounts and login credentials to the extent possible. Viable choices such as hard tokens allow access to software and verify identity with a physical device instead of authentication codes or passwords.
- Update or draft an incident response plan, in accordance with Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules.
- Mitigate vulnerabilities related to third-party vendors. Outside communication exchanges should contain email banners to alert employees of communications originating outside of the organization. Review and understand the vendor’s risk threshold and what comprises a breach of service.
- Verify and modify as needed contract renewals to include the inability to change both credentials and 2FA within the same timeframe to reduce further vulnerability exploitations.
- Ensure company policies include verification of any changes to existing invoices, bank deposits, and contact information for interactions with third-party vendors and organizational collaborations. Any direct request for account actions needs to be verified through the appropriate, previously established channels before a request is sanctioned.
- Create protocols for employees to report suspicious emails, changes to email exchange server configurations, denied password recovery attempts, and password resets including 2FA phone numbers within a short timeframe to IT and security departments for investigation.
- Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passphrases. Passphrases should not be reused across multiple accounts or stored on the system where an adversary may have access. (Note: Devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each administrative account.)
- If there is evidence of system or network compromise, implement mandatory passphrase changes for all affected accounts.
- Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
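The alert's indicators (a password reset and a 2FA phone-number change on the same account within a short timeframe, followed by a change to deposit or ACH details) lend themselves to a simple log correlation. The following is an added example, not code from the FBI or any vendor; the audit-log format, event names and sample lines are all constructed here for illustration.

```python
# Added example: correlate constructed account-audit events to flag the
# account-takeover pattern the FBI alert describes. Log format is hypothetical:
# "<ISO-8601 UTC timestamp> <account> <EVENT_NAME> [free-form detail]".
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data).
SAMPLE_LOG = """\
2022-02-01T08:02:11Z payroll.admin LOGIN_SUCCESS src=203.0.113.10
2022-02-01T08:05:40Z payroll.admin PASSWORD_RESET via=self-service
2022-02-01T08:09:03Z payroll.admin MFA_PHONE_CHANGE new=+15550000001
2022-02-01T09:30:00Z payroll.admin DEPOSIT_ACCOUNT_CHANGE vendor=clinic-42
2022-02-01T10:00:00Z j.doe PASSWORD_RESET via=helpdesk
2022-02-03T11:00:00Z j.doe MFA_PHONE_CHANGE new=+15550000002
2022-02-02T12:00:00Z a.smith DEPOSIT_ACCOUNT_CHANGE vendor=clinic-7
"""

PAYMENT_EVENTS = {"DEPOSIT_ACCOUNT_CHANGE", "ACH_INSTRUCTION_CHANGE"}


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Parse log lines into (timestamp, account, event) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines rather than crash
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2]))
    return sorted(events)


def find_takeover_patterns(
    text: str,
    credential_window_hours: float = 24,
    payment_window_hours: float = 72,
) -> list[dict]:
    """Return one alert per account whose password reset and 2FA phone change
    fall within credential_window_hours of each other. Severity is 'high' when
    a payment-detail change follows the later of the two within
    payment_window_hours, otherwise 'medium'."""
    cred_win = timedelta(hours=credential_window_hours)
    pay_win = timedelta(hours=payment_window_hours)
    by_account: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ts, account, event in parse_log(text):
        by_account[account].append((ts, event))

    alerts = []
    for account, evs in by_account.items():
        resets = [ts for ts, ev in evs if ev == "PASSWORD_RESET"]
        mfa_changes = [ts for ts, ev in evs if ev == "MFA_PHONE_CHANGE"]
        # Pair every reset with every 2FA change that lies inside the window.
        pairs = [(r, m) for r in resets for m in mfa_changes if abs(m - r) <= cred_win]
        if not pairs:
            continue
        last_cred = max(max(p) for p in pairs)
        payment = [ts for ts, ev in evs
                   if ev in PAYMENT_EVENTS and last_cred <= ts <= last_cred + pay_win]
        alerts.append({
            "account": account,
            "credential_change_at": last_cred,
            "payment_change": bool(payment),
            "severity": "high" if payment else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_patterns(SAMPLE_LOG):
        print(alert)
```

Widening credential_window_hours trades more noise for catching slower takeovers; the helpdesk-driven reset in the sample is only flagged at 72 hours.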
The post FBI: Millions in Losses resulted from attacks against Healthcare payment processors appeared first on Security Affairs.