Darknet Forums Archives - CISO MAG | Cyber Security Magazine
Beyond Cyber Security

Login Credentials of Shipping and Logistics Firms Being Traded on Dark Web
https://staging-cisomagcom.kinsta.cloud/login-credentials-of-shipping-and-logistics-firms-being-traded-on-dark-web/
Tue, 02 Nov 2021 14:32:16 +0000

Cybercriminals have extended their cyberattack targets, which now range from supply chains to critical infrastructure. While some threat actors try to penetrate and compromise vital network systems, other cybercriminal groups trade initial access credentials on the dark web. The latest analysis from Intel 471 revealed that the present trends of underground darknet markets have been changing exponentially. It was found that network access brokers (NABs), also known as initial access brokers (IABs), trade login credentials of international shipping and logistics companies on the dark web.

Shipping and Logistics Firms Targeted

The increasing risk of cyberthreats has become a severe crisis for logistics and shipping organizations worldwide, as they operate across air, ground, and maritime routes and are responsible for moving critical goods. Hacker intrusions on these companies could have a massive impact on the global consumer economy, as they transport billions of dollars' worth of consumer goods.

Intel 471 identified a new threat actor and credentials broker in July 2021, claiming to have access to a network owned by a Japanese container transportation and shipping company. The attackers dumped the credentials belonging to over 50 companies on the dark web for sale. In August 2021, the researchers found Conti ransomware operators claiming access to corporate networks belonging to a U.S.-based transportation management and trucking software supplier and a U.S.-based commodity transportation services company.

Intel 471 stated that the threat actors had obtained credentials by exploiting vulnerabilities in remote access solutions such as Remote Desktop Protocol (RDP), VPNs, SonicWall, and Citrix. “Over the past few months, Intel 471 has observed network access brokers selling credentials or other forms of access to shipping and logistics companies on the cybercrime underground. The actors responsible for selling these credentials range from newcomers to the most prolific network access brokers,” Intel 471 said.

Lasting Impact

Stealing login credentials and trading them on the dark web has become a common attack vector for various cybercriminal groups and affiliates. Several threat actors misuse these credentials to exploit critical network systems, encrypt them, and demand ransom. The threat to critical infrastructure affects the consumer economy of a country. It is also one of the reasons why ransomware-impacted organizations are compelled to pay ransom to restore their services at the earliest.

From fuel services and health care services to food processing supply chains, threat actors exploit every sector to their advantage. The Colonial Pipeline, JBS, and Kaseya attacks exemplify how ransomware is getting bigger by the day.

DDoS Attacks in Russia Surge 2.5 Times in 2021
https://staging-cisomagcom.kinsta.cloud/ddos-attacks-in-russia-surge-2-5-times-in-2021/
Fri, 22 Oct 2021 09:42:22 +0000

Russian state-sponsored threat actor groups are known for innovative attack techniques and malware campaigns, ruling the underground darknet markets with various cybercriminal activities. Russian attackers have extended their targets from small organizations to critical infrastructures across the globe. Surprisingly, the country that made the world concerned about cyberattacks is now facing constant security threats. The number of DDoS attacks on Russian organizations surged 2.5 times in 2021 compared to last year, a report from Rostelecom revealed.

In a DDoS attack, cybercriminals make a targeted network or service unavailable to its users by flooding it with unwanted incoming traffic from different sources.

DDoS Attacks in Russia

The report revealed that DDoS attackers mainly targeted finance, online trading, and public sector organizations. The most significant DDoS attacks were focused on organizations located in Moscow, accounting for 60% of the total number of incidents, with the highest power of DDoS attacks – more than 70 Gbps. The attackers continue to leverage already known techniques for organizing DDoS attacks and large-scale botnets to increase the power of attacks. The most common DDoS attacks reported were UDP flood, SYN flood, and fragmented packet attacks (FRAG), which are usually organized using botnets.

“The power and complexity of DDoS attacks are increasing every year. This is due to the active use of larger botnets by hackers. They consist of a multitude of devices, which are exploited with new vulnerabilities. In particular, in September, cybercriminals organized the largest DDoS attack using the Meris botnet, which is estimated to scale 200,000 devices. Such sophisticated attacks are already directed at well-protected organizations and companies, whose resources can only be disabled by a very powerful DDoS. For example, it can be banks, large industrial or energy enterprises, etc.,” said Timur Ibragimov, Head of Anti-DDoS and WAF Cybersecurity Services Platform Solar MSS of Rostelecom-Solar. 

DDoS Attack Trends in Russia

The Russian internet service provider Yandex recently sustained the largest DDoS attack in the history of the Russian Internet (RuNet). Security experts claim that the attack was implemented via a new botnet tracked as Meris. It was found that the DDoS attack power was more than 20 million requests per second (RPS), affecting over 30,000 host devices.

In terms of attacking trends, DDoS actors appear to be changing their game plans and are turning to ransom distributed denial of service (RDDoS) as a new ransom vector. In an RDDoS attack, cybercriminals either launch a DDoS attack and then demand ransom to stop, or they may ask for the ransom first by threatening with a DDoS attack if not paid.

DDoS Mitigation

To mitigate the risk of DDoS attacks, experts from Rostelecom recommended that organizations and users detach web applications from critical resources by deploying them in separate databases. Adding a Web Application Firewall (WAF) to the existing anti-DDoS solution also helps prevent data theft or unauthorized intrusions.

Details of 1 Mn International Credit Cards Exposed on Dark Web
https://staging-cisomagcom.kinsta.cloud/details-of-1-mn-international-credit-cards-exposed-on-dark-web/
Tue, 10 Aug 2021 11:30:27 +0000

Cybercriminals often monitor users’ financial activities to steal information that can be used to open fake accounts. They also trade sensitive financial data such as credit/debit card numbers, CVVs, and other bank details on darknet forums. Recently, cybersecurity researchers from Group-IB detected a post in which threat actors exposed compromised card details on various darknet forums, including crdclub and xss. Advertised as AW_cards, the post connects to a file containing over one million records of stolen credit and debit card details belonging to over 1,000 banks across 100 countries, including India, the U.S., Mexico, Australia, and Brazil.

Financial Data Exposed

According to Group-IB, the leaked database contained a password-protected zip archive text file comprising one million records of data such as card numbers, expiration dates, CVV/CVC codes, cardholder names, country, state, city, address, zip code, email IDs, and phone numbers. The database contained 810 expired cards, and 27,112 cards are set to expire in August 2021.

Multiple Cards Data Impacted

According to the research findings, over 200,000 (22%) of the compromised cards belonged to Indian banks, followed by Mexico (9%), the U.S. (9%), and Australia (8%). Nearly 77% of the cards in the database were debit cards, and 23% were credit cards. Cards from multiple payment system services were exposed in the incident, including Visa (48%), Mastercard (47%), RuPay (4%), and American Express (1%).

Advertising New Carding Forum

Researchers claimed that the attackers were trying to advertise their newly established carding forum All World Cards, which provides services like trading stolen card details, identity theft, and currency counterfeiting.

“The alleged owners of the card shop had launched a massive promo campaign in the underground to advertise their new platform, which, in addition to a huge database giveaway, included a writing contest for other cybercriminals with a cash prize of USD 15,000. This post analyzes the latest one million stolen bank card record database as well as the short history of the All World Cards card shop and the activity of its alleged owners who are most likely not the newbies of the carding business,” Group-IB researchers said.

Know the Worth of Your Data on the Dark Web Price Index 2021
https://staging-cisomagcom.kinsta.cloud/know-the-worth-of-your-data-on-the-dark-web-price-index-2021/
Tue, 11 May 2021 11:25:49 +0000

Ever wondered what happens to your stolen data? Most leaked or stolen personal information, like credit card numbers, bank usernames and passwords, and social media credentials, often ends up for sale on underground dark web forums. Apart from hacking tools and malware samples, threat actors often trade users’ sensitive data for monetary benefits.

According to a recent investigation by Privacy Affairs on various darknet markets, private data related to organizations like NASA, McDonald’s, Visa, MasterCard, Microsoft, and Google was found trading on the dark web. Privacy Affairs discovered hundreds of data samples that were being sold for various price tags ranging from $25-$6000, based on the sensitivity of the data. The researchers scanned various dark web marketplaces and created a Dark Web Price Index, a price menu of various stolen information.

Buy One Get One Offers

Cybercriminals advertised and lured users on the dark web with discounted prices and buy-one-get-one-free offers on everything from users’ basic info to sensitive financial details. Privacy Affairs found that online banking logins cost an average of $40, while credit card details including associated data cost $14-$30. A full range of documents and account details can be obtained at $1,000.

“With the massive influx of supply, buyers seem to be gravitating towards bigger, trustworthy sites, with White House Market holding the largest market share of sales. The Dark Web markets are even starting to parody traditional markets with comical offers of buy 2 cloned credit cards and get 1 for free!! for example,” Privacy Affairs said.

New Data Added on Regular Basis

Privacy Affairs found that there is much more volume being sold this year compared to last year. Fake IDs, cloned credit cards, hacked crypto accounts, and Uber accounts are the newest entries to dark web sales this year.

“Hacked crypto accounts seem to be one of the most valuable items for purchase. Due to the skyrocketing prices of BTC and other cryptocurrencies, hacked accounts may hold large sums of coin-based currency and cash, protected by relaxed security measures after the initial verification process,” Privacy Affairs added.

It was also found that darknet market operators did not accept Bitcoin payments and moved towards Monero payments and communicated only via PGP encryption to evade tracking and detection by law enforcement.

Our personal information is valuable to cybercriminals for various reasons. They forge documents like driving licenses, passports, cloned credit cards, and auto-insurance cards with the leaked users’ data. It is advised to be vigilant about potential data theft risks and act accordingly. Boost your data security by avoiding unnecessary information sharing on social media platforms and maintaining a robust cyber hygiene practice.

Adversaries Offer Fake COVID-19 Vaccine Certificates on Darknet Forums
https://staging-cisomagcom.kinsta.cloud/adversaries-offer-fake-covid-19-vaccine-certificates-on-darknet-forums/
Mon, 26 Apr 2021 16:02:05 +0000

Cybercriminals around the world are taking advantage of the situation and offering everything from counterfeit vaccines to fake vaccination certificates, and test reports. In fact, state government authorities in India recently uncovered a racket where bus operators were offering fake COVID test certificates to enable travelers to cross borders between states. In response, law enforcement authorities and drug suppliers across the world are urged to step up their anti-counterfeiting measures to tackle this growing problem of evolving COVID-19-themed risks. The International Hologram Manufacturers Association (IHMA) stated that it has found a 300% increase this year in advertisements on various dark web markets on fake Coronavirus-related products and services.

The Fake for Real Business

The IHMA stated that cybercriminals are selling fraudulent vaccines on various dark web forums for $500 and $1000 per dose. The vaccine research centers and manufacturers are urged to boost their authentication and verification technologies to protect consumers against rising fake vaccine scams.

“COVID-19 presents opportunities for criminals, who are infiltrating global supply channels, deploying scams, and counterfeiting measures to trick worried people and damage legitimate manufacturers. Falsified medicines and test kits among other items can pose a terrible threat and endanger lives. Supply chains and drugs’ infrastructures across the country must be bolstered with stronger, more effective security plans, including the introduction of hard-hitting anti-counterfeiting regulations and strategies,” said Paul Dunn, Chair of the IHMA.

Growing Demand for Fake Certificates

The roll-out of vaccine shots to treat Coronavirus continues to accelerate globally. There are billions of people who are still waiting for their first dose of vaccine. However, there will always be people who look for alternatives and shortcuts to fulfill their needs. With COVID-19 restrictions imposed globally to allow only those who have been vaccinated or tested negative to board flights, cross international borders, attend events, or start new jobs, several people are showing up on darknet forums to quickly obtain fake vaccination certificates and forged negative COVID-19 test reports.

“As our societies struggle to return to pre-COVID norms, a negative COVID test result or a vaccination certificate is becoming the golden key that will unlock restrictions and enable people to move and mingle with greater freedom. And of course, this creates an opportunity for criminals and scammers to exploit those people who are willing to risk using fake documents to achieve that freedom,” Check Point said in its research.

Key Findings

  • Fake vaccine passport certificates on sale for $250 – users are simply required to send their details and the money, and the seller emails back the fake documents.
  • Fake negative COVID-19 test results on sale from various sellers from just $25.
  • Multiple vaccine variants for sale: AstraZeneca, Sputnik, SINOPHARM, and Johnson & Johnson, with prices ranging between $500 and $1000 per dose.
  • The vaccines advertised include Oxford – AstraZeneca (at $500), Johnson & Johnson ($600), the Russian Sputnik vaccine ($600), and the Chinese SINOPHARM vaccine.

“As COVID-19 is likely to play a major role in dictating what we as individuals can and cannot do in our daily lives for the foreseeable future, countries’ Governments should be aware of this fast-growing illegal and dangerous trend for fake vaccination certificates and official medical records being sold and produced to whoever wishes to pay for them,” Check Point added.

Chinese State-Actors Exploit Big Data for Financial Benefit
https://staging-cisomagcom.kinsta.cloud/chinese-state-actors-exploit-big-data-for-financial-benefit/
Tue, 20 Apr 2021 09:35:40 +0000

No doubt Big Data is helping organizations globally grow their businesses at an unprecedented rate. It offers rich insights for decision-making and strategic planning. Businesses that leverage big data can be immensely successful. On the other hand, companies often ignore the drawbacks linked with it, like data breaches, cyberattacks, and privacy lapses. If you aren’t protecting your crown jewels, they will fall into the wrong hands with catastrophic results.

Big Data is Growing Big

Statistics show enterprises that leveraged Big Data generated massive revenues. According to a survey, Big Data was responsible for profits amounting to $122 billion in 2015 and it is expected to generate a whopping $274.3 billion by 2022.

Since Big Data involves a large volume of both structured and unstructured data, companies collect, process, and analyze it as per the business requirements and systematically leverage it to maximize business opportunities. Organizations working on Big Data handle huge amounts of users’ personalized data to analyze their online behavior.

Risks Around Big Data Security

Several cybersecurity experts reported that threat actors are taking advantage of legitimate Big Data sources to exploit users’ valuable information.  Recent research from Intel 471 revealed that adversaries are misusing Big Data technology to steal users’ data and sell it on the Chinese-language dark web markets. “With China injecting Big Data into every economic sector, the environment has become ripe for criminals to create and execute schemes that hide in the noise brought on by the amount of data at hand,” Intel 471 said.

Key Highlights

  • A threat actor in January 2021 offered real-time data for casino gaming, lottery, and stocks on a popular forum used by Chinese-linked cybercriminals. The data allegedly originated from big data sources of two of the most popular mobile network operators in China.
  • In February 2021, cybercriminals offered website and application crawler data collection services on a Chinese-language cybercrime marketplace. The actor claimed to have access to insider channels of Chinese mobile operators for data collection purposes.
  • In early March, an actor on a marketplace offered 10,000 user records tied to a parenting application. The offering was described as big data from an undisclosed mobile operator or operators.
  • In late March, another actor offered big data information for Canada and the U.S. that included commercial databases of Canadian and U.S. businesses and investors, a hacked Twitter database, and Canadian and U.S. citizens’ information.

Malicious Schemes by Chinese Actors

Intel 471 researchers observed a series of malicious schemes involving different layers of cybercriminal activities to illicitly obtain users’ data and trade it on darknet forums. Cybercriminals maintained a data underground monetization chain consisting of a group of individuals working as per the commands, which include:

  • A boss or requester who requires data for illegal use or commands a group or syndicate dealing with illegal products or services.
  • Insiders or attackers who receive instructions directly from a boss and can gain access to raw data and extract the information from a service provider. These individuals profit from the information they provide to the main boss or requester.
  • Middlemen who act as intermediaries for the boss and any other individuals requesting to purchase such data products. The middlemen profit by taking a cut of the commission from product sales.
  • Underground platforms serve as an avenue for the syndicate or middlemen to advertise their products. End users, such as scammers, multiple types of threat actors, and even direct marketers can purchase the data or engage the services of such syndicates directly on these platforms.

“The schemes themselves proliferate partly due to China’s desire to be a global epicenter in big data analytics, especially as it pushes to become synonymous with new technology sectors like the Internet of Things (IoT),” Intel 471 added.

Hackers Hacked a Hacking Forum!
https://staging-cisomagcom.kinsta.cloud/hackers-hacked-a-hacking-forum/
Fri, 05 Mar 2021 16:10:09 +0000

Underground darknet forums enable cybercriminals to trade and exchange hacking tools and stolen data. However, sometimes they can also be the targets of cyberattacks from their community. In what could be called a surprising hacking incident, hackers turned against their peers after leaking users’ sensitive data. They compromised the Maza cybercriminal forum.

Security researchers from Flashpoint stated that they found a security breach on Maza, which has been active since 2003. The attackers also posted a warning message saying, “Your data has been leaked / This forum has been hacked.”

Formerly known as Mazafaka, the hacking forum is a closed and restricted platform for Russian-speaking threat actors. The threat actors on this forum are involved in various criminal activities like carding stolen financial data and payment card information, exchanging techniques on malware distribution, vulnerability exploits, spam, money laundering, and more.

Flashpoint stated that over 2,000 accounts and sensitive information like user IDs, usernames, email addresses, messenger app links (including Skype, MSN, and Aim), and passwords, both hashed and obfuscated, were exposed in the incident.

“Flashpoint is actively monitoring cybercriminal discussions of Maza across the entire cybercriminal forum ecosystem commenting on the recent disruptions to many elite services and communities. Users on the Exploit forum are discussing moving away from using emails to register on forums as recent disruption efforts may have increased exposure of their online activities. Others are claiming that the database leaked by the attackers is either old or incomplete,” Flashpoint said.

Tasting One’s Own Medicine

This is not the first time cybercriminals targeted their fellow operators. Earlier, researchers discovered database leaks of three hacking forums – Sinful Site, SUXX.TO, and Nulled. These databases have been exposing hackers’ personal information since the beginning of May 2020. Hacking forums are the places of aggregation for cybercriminals to participate in general discussions with other hackers to share and sell data leaks, hacking tools, malware, and tutorials, etc. They can easily buy and own malware and ransomware via such forums and dark web market networks.

Fortune 500 Company Adecco Group Suffers Data Breach
https://staging-cisomagcom.kinsta.cloud/fortune-500-company-adecco-group-suffers-data-breach/
Fri, 05 Mar 2021 09:02:57 +0000

Darknet forums enable cybercriminals to promote their hacking skills and trade stolen digital assets to other threat actor groups in the community. A large amount of compromised sensitive information is being dumped across various hacking forums regularly. Recently, security experts from Cybernews discovered an unknown hacker allegedly selling stolen credentials belonging to Adecco Group. Headquartered in Switzerland, Adecco Group is a Fortune 500 global human resource and temporary staffing company.

The database offered for sale contained over five million records from six Latin American/South American countries: Peru, Brazil, Argentina, Colombia, Chile, and Ecuador.

The Leaked Data

The data dump, which was later taken down by the hacker, supposedly contained different categories of data:

  • “Candidatos_datos_personales” (candidates’ personal data) with 4,543,938 lines
  • “Candidatos_candidatos_by_email” with 3,763,836 lines
  • “Candidatos_login” with 5,321,943 lines

All of the categories exposed candidates’ sensitive information, including full name, gender, marital status, birth dates, email addresses, passwords, and country of residence.

The Impact

While it is unclear why the post was taken down by the threat actor, Cybernews suspects that the database was sold out. The data could be misused for various malicious purposes, including:

  • Targeted spear-phishing attacks
  • Collecting and spamming users’ emails and phones
  • Brute-forcing users’ other online accounts

Mitigation Measures

Cybernews also recommended certain security measures for users whose data may have been compromised in the security incident. These include:

  • Change your passwords immediately. You should be using a unique password for each account you create.
  • Add two-factor authentication (2FA) on your most sensitive accounts, including your primary email account. That way, even if a bad actor were able to uncover your credentials, they wouldn’t be able to get into your account.
  • Watch out for suspicious emails, as they may be phishing attempts. Avoid clicking on links from suspicious emails.
  • Watch out for suspicious activity on your financial accounts and set up identity theft monitoring.

Researchers suspect that the latest security incident is the work of the same threat actors responsible for the recent VPN leaks, in which cybercriminals traded three databases that contained user credentials and device data from three Android Virtual Private Network (VPN) services – SuperVPN, GeckoVPN, and ChatVPN.

Here’s Why You Are More Likely to Be Targeted with a Phishing Email
https://staging-cisomagcom.kinsta.cloud/heres-why-you-are-more-likely-to-be-targeted-with-a-phishing-email/
Tue, 16 Feb 2021 16:02:58 +0000

Threat actors constantly innovate and adopt new techniques to perform their phishing activities successfully. They often leverage compromised email IDs, login credentials, and other personal data that is exposed in data breaches, or data available on darknet forums. Users who had their private information exposed in cyberattacks earlier are more prone to phishing attacks.

To determine why some users are more likely to be targeted by phishing scams, Google teamed up with security researchers at Stanford University to study the intentions of malicious actors. “We measure over 1.2 billion email-based phishing and malware attacks against Gmail users to understand what factors place a person at heightened risk of attack,” Google said.

Google Blocks 99.9% Phishing Mails

Google stated that it blocks more than 100 million spam and malicious emails from reaching Gmail users. The search engine giant observed over 18 million COVID-19-related malware and phishing emails daily during the pandemic, in addition to more than 240 million COVID-19-related spam messages. Google’s machine learning models understand and filter more than 99.9% of spam, phishing, and malware from reaching its users.

U.S. Gmail Users are Most Targeted

Based on its five-month-long investigation, Google discovered that users in the U.S. were the most popular targets for phishing attacks (42%), followed by the U.K. (10%), and Japan (5%). The study also found that the attackers pre-plan their phishing campaigns by leveraging botnets and malicious attachments.

Who Is at High Risk?

  • Users whose email or other personal details were exposed in a third-party data breach are 5X more likely to be targeted by phishing or malware.
  • User location matters. Where you live also affects risk. In Australia, users faced 2X the odds of attack compared to the U.S., despite the U.S. being the most popular target by volume.
  • With respect to demographics, the odds of experiencing an attack were 1.64X higher for 55- to 64-year-olds, compared to 18- to 24-year-olds.
  • Mobile-only users experienced lower odds of attack – 0.80X compared to multi-device users.

Other Findings

  • Most attackers don’t localize their efforts, using the same English email template for users in multiple countries.
  • There is, however, some evidence of regional attackers. Nearly 78% of the attacks targeting users in Japan occurred in Japanese, while 66% of attacks targeting Brazilian users occurred in Portuguese.
  • Threat actors rely on fast-churning campaigns. A similar email based on a template is sent to 100–1,000 targets on average.
  • The campaigns are brief, lasting just one to three days on average.
  • In a single week, these small-scale campaigns accounted for over 100 million phishing and malware emails in aggregate, targeting Gmail users around the globe.

Preventive Measures

Though Gmail’s phishing and malware protections are turned on by default, Google recommended certain security tips to avoid any phishing risks. These include:

  • Complete a Security Checkup for personalized and actionable security advice.
  • If appropriate, consider enrolling in Google’s Advanced Protection Program, which provides Google’s strongest security to users at increased risk of targeted online attacks.
  • Enable Enhanced Safe Browsing Protection in Google Chrome to substantially increase your defenses against dangerous websites and downloads on the web.

Hackers Posted Patients’ Data of Two U.S. Hospitals on Dark Web
https://staging-cisomagcom.kinsta.cloud/hackers-posted-patients-data-of-two-u-s-hospitals-on-dark-web/
Mon, 08 Feb 2021 16:36:36 +0000

Cybercriminals have posted a massive amount of patients’ and employees’ personal data from two of the biggest hospital chains in the U.S. on the dark web to extort them for ransom. Attackers published tens of thousands of files from the Leon Medical Center, which runs eight health care facilities in Florida, and Nocona General Hospital, which has three facilities in Texas.

According to a report, the exposed information included patients’ personal identifying information (PII) like their names, addresses, date of birth, scanned diagnostic results, letters to insurers, background checks on hospital employees, and patients’ medical diagnoses.

While there was no sign that the threat actors encrypted any systems, the hospital authorities stated they did not open a ransomware demand.

Cyberattacks on health care organizations have become rampant in 2020. With multiple data breaches and ransomware attacks, health care providers continued to be the primary target for cybercriminals. According to the “U.S. Health Care Data Breach Statistics” survey, around 70% of the U.S. population was affected by healthcare data breaches, with over 230,954,151 health records lost, stolen, or exposed in various security incidents.

Not the First Time for Leon

Leon Medical Centers suffered a data breach in November 2020, which compromised patients’ names, contact information, social security numbers, medical records, financial information, date of birth details, family details, prescription information, diagnosis and treatment history, and health insurance details. The authorities stated that cybercriminals illicitly obtained access to its computer networks and infected them with malware. Leon Medical notified the U.S. Department of Health and Human Services (HHS), the Florida Attorney General, and the FBI for further investigation.
