Hacking group Archives - CISO MAG | Cyber Security Magazine
Beyond Cyber Security
Last updated: Fri, 30 Jul 2021 11:07:25 +0000

Fortune 500 Company Adecco Group Suffers Data Breach
https://staging-cisomagcom.kinsta.cloud/fortune-500-company-adecco-group-suffers-data-breach/
Fri, 05 Mar 2021 09:02:57 +0000

The post Fortune 500 Company Adecco Group Suffers Data Breach appeared first on CISO MAG | Cyber Security Magazine.

Darknet forums enable cybercriminals to promote their hacking skills and trade stolen digital assets with other threat actor groups in the community. Large amounts of compromised sensitive information are dumped on hacking forums regularly. Recently, security experts from Cybernews discovered an unknown hacker allegedly selling stolen credentials belonging to Adecco Group. Headquartered in Switzerland, Adecco Group is a Fortune 500 global human resource and temporary staffing company.

The database put up for sale contained over five million records from six Latin American countries: Peru, Brazil, Argentina, Colombia, Chile, and Ecuador.

The Leaked Data

The data dump, which the hacker later took down, reportedly contained three categories of data:

  • “Candidatos_datos_personales” (candidates’ personal data) with 4,543,938 lines
  • “Candidatos_candidatos_by_email” with 3,763,836 lines
  • “Candidatos_login” with 5,321,943 lines

Together, the categories exposed candidates’ sensitive information, including full name, gender, marital status, date of birth, email address, password, and country of residence.

The Impact

While it is unclear why the threat actor took the post down, Cybernews suspects that the database was sold. The data could be misused for various malicious purposes, including:

  • Targeted spear-phishing attacks
  • Collecting and spamming users’ emails and phones
  • Brute-forcing users’ other online accounts

Mitigation Measures

Cybernews also recommended certain security measures for users whose data may have been compromised in the security incident. These include:

  • Change your passwords immediately. You should be using a unique password for each account you create.
  • Add two-factor authentication (2FA) on your most sensitive accounts, including your primary email account. That way, even if a bad actor were able to uncover your credentials, they wouldn’t be able to get into your account.
  • Watch out for suspicious emails, as they may be phishing attempts. Avoid clicking on links from suspicious emails.
  • Watch out for suspicious activity on your financial accounts and set up identity theft monitoring.

Researchers suspect the incident is the work of the same threat actors responsible for the recent VPN leaks, in which cybercriminals traded three databases containing user credentials and device data from three Android Virtual Private Network (VPN) services – SuperVPN, GeckoVPN, and ChatVPN.

State-sponsored Attackers Exploit Zero-day Microsoft Exchange Vulnerabilities
https://staging-cisomagcom.kinsta.cloud/state-sponsored-attackers-exploit-zero-day-microsoft-exchange-vulnerabilities/
Thu, 04 Mar 2021 08:18:58 +0000

Security experts from Volexity discovered state-sponsored hacking groups exploiting critical, just-patched Microsoft Exchange bugs since at least January 6, 2021. The technology giant recently addressed four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) and three other vulnerabilities (CVE-2021-27078, CVE-2021-26854, and CVE-2021-26412) in its Patch Tuesday security update.

Volexity claimed that threat actors were exploiting the CVE-2021-26855 Microsoft Exchange Server vulnerability in ongoing attacks to obtain remote code execution on vulnerable Exchange servers. Volexity identified a large amount of data being transferred from the Exchange servers to IP addresses not associated with legitimate users.

“The logs showed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access (OWA). It was initially suspected the servers might be backdoored and that webshells were being executed through a malicious HTTP module or ISAPI filter. This investigation revealed that the servers were not backdoored and uncovered a zero-day exploit being used in the wild,” Volexity said.

Volexity’s researchers found that the attackers were exploiting a zero-day server-side request forgery (SSRF) to steal the entire contents of several user mailboxes. As the CVE-2021-26855 vulnerability is remotely exploitable, an attacker does not require any kind of authentication or access to a target environment.

Indicators of Compromise

/owa/auth/Current/themes/resources/logon.css
/owa/auth/Current/themes/resources/owafont_ja.css
/owa/auth/Current/themes/resources/lgnbotl.gif
/owa/auth/Current/themes/resources/owafont_ko.css
/owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot
/owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf

Volexity urged organizations and users to apply the available security patches, or temporarily disable external access to Microsoft Exchange, as soon as possible.

“Highly skilled attackers continue to innovate to bypass defenses and gain access to their targets, all in support of their mission and goals. These vulnerabilities in Microsoft Exchange are no exception. These attackers are conducting novel attacks to bypass authentication, including two-factor authentication, allowing them to access e-mail accounts of interest within targeted organizations and remotely execute code on vulnerable Microsoft Exchange servers,” Volexity added.

Lazarus Group Hits Defense Industries with “ThreatNeedle” Malware
https://staging-cisomagcom.kinsta.cloud/lazarus-group-hits-defense-industries-with-threatneedle-malware/
Fri, 26 Feb 2021 14:02:49 +0000

Security experts found that the North Korean-backed advanced persistent threat (APT) group Lazarus has been targeting the defense industry across multiple countries since 2020. According to researchers at Kaspersky, the attackers are using a malware payload dubbed “ThreatNeedle” to penetrate corporate networks. The malware can access and steal critical data from segmented portions of a network that are not connected to the internet.

“We have seen Lazarus attack various industries using this malware cluster before. In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscript (a.k.a. NukeSped). While investigating this activity,” Kaspersky said.

How ThreatNeedle Spreads

Kaspersky claimed that the ongoing ThreatNeedle malware campaign leverages a multistep approach that begins with a spear-phishing attack to eventually gain control over the victim’s device.

Before launching an attack, the attackers research the targeted organization and create look-alike email addresses for various departments of the company. Phishing emails carrying a malicious link or an infected Microsoft Word document are sent to several employees across departments. Once the malicious document is opened, the malware is dropped and proceeds through a multistage deployment procedure to compromise the victim’s device.

ThreatNeedle Traits

Once the final payload of ThreatNeedle malware is deployed on the victim’s system, it allows a remote attacker to execute multiple functions including:

  • Manipulate files and directories
  • Profile the system
  • Control backdoor processes
  • Enter sleep or hibernation mode
  • Update the backdoor configuration
  • Execute received commands

“Our investigation showed that the initial spear-phishing attempt was unsuccessful due to macros being disabled in the Microsoft Office installation of the targeted systems. To persuade the target to allow the malicious macro, the attacker sent another email showing how to enable macros in Microsoft Office. The document contains information on the population health assessment program and is not directly related to the subject of the phishing email (COVID-19), suggesting the attackers may not completely understand the meaning of the contents they used,” Kaspersky added.

Newly Identified “LazyScripter” Hacking Group Phishing Users Since 2018
https://staging-cisomagcom.kinsta.cloud/newly-identified-lazyscripter-hacking-group-phishing-users-since-2018/
Thu, 25 Feb 2021 11:43:28 +0000

Security research by Malwarebytes uncovered a new threat group targeting the members of the International Air Transport Association (IATA), multiple airlines, and several individuals who are planning to emigrate to Canada for jobs. Dubbed “LazyScripter,” the hacking group is leveraging unusual phishing tactics and tools to target the victims.

Malwarebytes discovered the LazyScripter operators, active since 2018, in December 2020. The research report suggests that LazyScripter deployed PowerShell Empire on victims’ devices using a payload known as Empoder. However, the threat actors recently switched to Octopus and Koadic, which are installed using the KOCTOPUS payload.

LazyScripter’s Phishing Baits

The operators behind LazyScripter used several techniques to trick users into clicking or downloading malicious URLs or attachments to infect their devices. The main intention of LazyScripter operators is to pilfer critical information and intelligence from the targeted victims. The phishing baits used by these actors include:

  • IATA security (International Air Transport Association security)
  • BSPlink Updater or Upgrade (BSPlink is the global interface for travel agents and airlines to access the IATA Billing and Settlement Plan (BSP)).
  • IATA ONE ID
  • User support kits for IATA users
  • Tourism (UNWTO)
  • COVID-19 related information
  • Microsoft Updates
  • Job information
  • Canada skill worker program
  • Canada Visa (CanadaVisa.com is the online presence of the Campbell Cohen Immigration Law Firm)

Malwarebytes’ researchers found 14 malicious documents used by the threat group since 2018, carrying embedded objects that are variants of the KOCTOPUS or Empoder payloads.

“We were able to collect some of the spam emails used by this actor over the past two years. In these spam emails, the actor used several methods to redirect the user to download a variant of KOCTOPUS. The latest campaign was spotted on February 5, 2021, in which the actor was distributing a variant of KOCTOPUS pretending to be ‘BSPLink Upgrade.exe’ and managed to drop a variant of Quasar Rat in addition to OCTOPUS and Koadic. Before that we have spotted another campaign on Jan 6th, 2021 in which the actors were distributing a variant of KOCTOPUS pretending to be ‘IATA ONE ID.exe’ software,” Malwarebytes said.

North Korean APT37 Uses RokRAT Trojan to Target South Korea
https://staging-cisomagcom.kinsta.cloud/north-korean-apt37-uses-rokrat-trojan-to-target-south-korea/
Fri, 08 Jan 2021 06:23:50 +0000

Security researchers from Malwarebytes found that state-sponsored North Korean threat actor group APT37 is using RokRAT Trojan in a new wave of cyber operations targeted against the South Korean government. APT37, also known as ScarCruft, Reaper, and Group123, has been active since at least 2012.

“On December 7, 2020, we identified a malicious document uploaded to Virus Total, which was purporting to be a meeting request likely used to target the government of South Korea. The meeting date mentioned in the document was January 23, 2020, which aligns with the document compilation time of January 27, 2020, indicating that this attack took place almost a year ago,” Malwarebytes said.

The RokRAT Trojan

According to the researchers, the malicious document (a meeting invite) contains an embedded macro that uses a VBA self-decoding procedure to decode itself within the memory of Microsoft Office and then injects a variant of RokRAT into Notepad. Earlier, APT37 used Hangul Office documents (.hwp files) to target victims in South Korea, because Hangul is the most widely used office software there. This time, however, the attackers used an alternative method, delivering the malware via self-decoding VBA Office files.

“We can consider this technique an unpacker stub, which is executed upon opening the document. This unpacker stub unpacks the malicious macro and writes it into the memory of Microsoft Office without being written to disk. This can easily bypass several security mechanisms. Microsoft by default disables the dynamic execution of the macro, and if an attacker needs to execute one dynamically — which is the case here — the threat actor needs to bypass the VB object model (VBOM) by modifying its registry value,” Malwarebytes added.

RokRAT’s Key Traits

  • Captures screenshots
  • Gathers system information (username, computer name, BIOS)
  • Exfiltrates data to cloud services
  • Steals credentials
  • Manages files and directories

Once successfully injected, the RokRAT Trojan harvests sensitive data from the victim’s machine and sends it to threat actors via cloud services like Pcloud, Dropbox, Box, and Yandex.

Iranian Expats Under Radar of ‘Rampant Kitten’ Cyber Espionage for Six Years
https://staging-cisomagcom.kinsta.cloud/iran-rampant-kitten/
Mon, 21 Sep 2020 07:37:42 +0000

Check Point Research uncovered a cyber espionage campaign, linked to an Iranian hacker group, that has targeted Iranian expats and dissidents for almost six years. The surveillance campaign, dubbed “Rampant Kitten,” targeted government dissidents, including the resistance group Mujahedin-e Khalq, the Azerbaijan National Resistance Organization, Iranian minorities, and other anti-regime organizations, to exfiltrate sensitive information from their Windows systems, Telegram apps, and SMS messages.

“The conflict of ideologies between those movements and the Iranian authorities makes them a natural target for such an attack, as they align with the political targeting of the regime,” Check Point said.

Attack Vectors

  • Four variants of Windows info-stealers intended to steal the victim’s personal documents as well as Telegram Desktop and KeePass account information.
  • An Android backdoor that extracts two-factor authentication codes from SMS messages and records the phone’s voice surroundings.
  • Telegram phishing pages, distributed using fake Telegram service accounts.

Malware Analysis

Hackers used multiple malware payloads to obtain data from the targeted devices including:

Information Stealer: Once installed on the victim’s device, this malware gives the attackers full use of the victim’s Telegram account. It steals information from the KeePass application and uploads any file it finds whose name ends with one of a set of predefined extensions. It also logs clipboard data and takes desktop screenshots.

Module Downloader: This malware downloads and installs several additional modules.

Unique Persistence: This malware implements a persistence mechanism based on Telegram’s internal update procedure.

“The backdoor’s functionality and the emphasis on stealing sensitive documents and accessing KeePass and Telegram accounts shows that the attackers were interested in collecting intelligence about those victims, and learning more about their activities,” Check Point added.

Attacks via Dharma Ransomware

Recently, Group-IB researchers detected attacks on multiple companies across the globe carried out by newbie Iranian threat actors for financial gain. These attacks have been actively orchestrated since at least June 2020. The threat actors use Dharma ransomware along with a set of other publicly available tools to target companies, specifically in Russia, Japan, China, and India. Once a network is compromised, the gang typically demands a ransom of between 1 and 5 Bitcoin (BTC). The threat actors seem to be naïve, since they did not have a fixed plan for what to do with the compromised networks.

Game Over! Chinese and Malaysian Hackers Charged for Computer Intrusion Campaigns
https://staging-cisomagcom.kinsta.cloud/game-over-chinese-and-malaysian-hackers-charged-for-computer-intrusion-campaigns/
Sun, 20 Sep 2020 05:50:53 +0000

The U.S. Department of Justice (DoJ) charged five Chinese and two Malaysian hackers for their involvement in multiple computer intrusion campaigns from early 2014 until August 2020, affecting more than 100 enterprises globally. According to the DoJ notice, the five Chinese hackers are identified as Zhang Haoran, Tan Dailin, Jiang Lizhi, Qian Chuan, and Fu Qiang. The two Malaysian hackers are identified as Wong Ong Hua and Ling Yang Ching.

The hackers were indicted for stealing sensitive software data and business intelligence from companies globally, including software development firms, non-profit organizations, universities, think-tanks, social media companies, and even politicians in Hong Kong.

The cyber activities of the attackers, tracked as APT41, Barium, Winnti, Wicked Panda, and Wicked Spider, were intended to pilfer software code-signing certificates, customer account data, and valuable business information. In addition, they were also involved in other criminal schemes such as ransomware attacks and cryptojacking.

The Chinese hackers are indicted on multiple conspiracy counts, including computer fraud, wire fraud, intentional damage to a protected computer, and obtaining digital items of value.

The indictment against the two Malaysian hackers charges them on 23 counts of racketeering, conspiracy, identity theft, aggravated identity theft, access device fraud, money laundering, violations of the CFAA, and falsely registering domain names. They are also alleged to have stolen business secrets and gaming artifacts from multiple video gaming firms across the U.S., France, Japan, Singapore, and South Korea.

Deputy Attorney General Jeffrey A. Rosen said, “The Department of Justice has used every tool available to disrupt the illegal computer intrusions and cyberattacks by these Chinese citizens. Regrettably, the Chinese communist party has chosen a different path of making China safe for cybercriminals so long as they attack computers outside China and steal intellectual property helpful to China.”

The FBI Deputy Director David Bowdich, commented, “Today’s announcement demonstrates the ramifications faced by the hackers in China but it is also a reminder to those who continue to deploy malicious cyber tactics that we will utilize every tool we have to administer justice. The arrests in Malaysia are a direct result of partnership, cooperation, and collaboration. As the cyber threat continues to evolve larger than any one agency can address, the FBI remains committed to being an indispensable partner to our federal, international and private sector partners to stop rampant cybercrime and hold those carrying out these kind of actions accountable.”

Chinese Hackers Target COVID-19 Research

In a recent indictment, the DoJ charged two Chinese nationals, Li Xiaoyu and Dong Jiazhi, for their alleged involvement in attempts to hack companies that are testing and developing COVID-19 vaccines. According to the allegations, the duo has been active for the past 11 years and has been carrying out targeted cyberattacks against countries including the U.S., Australia, Belgium, the Netherlands, Spain, South Korea, Sweden, and the U.K.

Global Bank Heist! North Korea’s “BeagleBoyz” are After Bank ATMs
https://staging-cisomagcom.kinsta.cloud/north-korean-hackers-beagleboyz/
Fri, 28 Aug 2020 11:59:40 +0000

Organizations in the banking and financial sector are primary targets for cybercriminals. Several industry experts have stated that this sector suffers a constant stream of cyberattacks compared to other sectors. Recently, several U.S. federal agencies warned about a hacking group, “BeagleBoyz,” linked to North Korea and allegedly stealing money from international banks using malicious remote access tools. The hacker group targeted banks and financial institutions in more than 30 countries, including Argentina, Brazil, Bangladesh, Ecuador, Ghana, India, and Indonesia.

The joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the FBI, and the U.S. Cyber Command (USCYBERCOM) stated that they have identified malware and indicators of compromise (IOCs) used by the North Korean hackers to make fraudulent money transfers and cause ATM cash-outs. The advisory warned the world about the potential cyberthreats posed by the North Korean hackers to the global banking and financial institutions.

History of BeagleBoyz’s Bank Heists

The BeagleBoyz group is a part of the North Korean government’s Reconnaissance General Bureau and is said to have been active since 2014. It is estimated that BeagleBoyz stole nearly $2 billion since 2015 by manipulating critical computer systems at banks and financial institutions. In 2018, a bank in Africa halted its ATMs and point of sale services for its customers for two months after BeagleBoyz compromised their systems. The group also deployed a wiper malware in 2018 against a bank in Chile that compromised thousands of computers and servers to send fraudulent messages from the bank’s SWIFT terminal.

BeagleBoyz Attack Method

[Figure: BeagleBoyz attack method diagram. Image source: us-cert.cisa.gov]

Measures to Counter Cyberthreats

The agencies advised organizations to follow certain practices to strengthen their security posture, which include:

  • Implement chip and PIN requirements for debit cards.
  • Require and verify message authentication codes on issuer financial request-response messages.
  • Perform authorization response cryptogram validation for chip and PIN transactions.
  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up to date.
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
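The second and third items above concern the integrity of the issuer’s authorization response: an ATM or acquirer switch should dispense cash only if the approval message demonstrably came from the issuer and was not altered in transit. The following is an added illustration, not code from the advisory or from CISO MAG, of what “require and verify message authentication codes on issuer financial request-response messages” means in practice. It uses HMAC-SHA256 over a canonical encoding of the response fields; the shared key, the field names (`stan`, `amount`, `response_code`), and the response-code values are constructed for the demo and are not taken from any real payment network specification.

```python
import hashlib
import hmac
import json

# Constructed example key shared between the issuer host and the verifying
# system. In a real deployment the key would be held in an HSM; this value
# is an assumption for the demonstration only.
SHARED_KEY = b"example-issuer-mac-key-not-for-production"


def canonical_bytes(fields: dict) -> bytes:
    """Deterministic encoding so issuer and verifier MAC the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def build_response(fields: dict, key: bytes = SHARED_KEY) -> dict:
    """Issuer side: attach an HMAC-SHA256 tag over the response fields."""
    mac = hmac.new(key, canonical_bytes(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": mac}


def verify_response(message: dict, key: bytes = SHARED_KEY) -> bool:
    """Verifier side: recompute the tag and compare in constant time.

    A missing tag, a tag of the wrong type, or any change to the covered
    fields after the issuer signed them causes verification to fail.
    """
    received = message.get("mac")
    if not isinstance(received, str):
        return False
    fields = {k: v for k, v in message.items() if k != "mac"}
    expected = hmac.new(key, canonical_bytes(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, received)


def process_withdrawal(message: dict) -> str:
    """Dispense only when the MAC checks out AND the issuer approved.

    The order matters: the MAC is checked first so that no field of an
    unauthenticated message, including the response code, is trusted.
    """
    if not verify_response(message):
        return "REJECT: MAC failure"
    if message.get("response_code") != "00":   # "00" = approved (constructed)
        return "DECLINE"
    return f"APPROVE: dispense {message['amount']}"


# Constructed sample messages: a genuine approval, a genuine decline, the
# decline with its response code flipped to "approved" after signing, and
# an approval with the MAC stripped off entirely.
genuine = build_response({"stan": "123456", "amount": "500.00", "response_code": "00"})
declined = build_response({"stan": "123457", "amount": "500.00", "response_code": "51"})
tampered = {**declined, "response_code": "00"}          # MAC no longer matches
unsigned = {k: v for k, v in genuine.items() if k != "mac"}  # no MAC at all

if __name__ == "__main__":
    for name, msg in [("genuine", genuine), ("declined", declined),
                      ("tampered", tampered), ("unsigned", unsigned)]:
        print(f"{name:9s} -> {process_withdrawal(msg)}")
```

The point the example makes is that an approval forged or altered anywhere between the issuer and the ATM fails verification regardless of what its fields claim, which is why the advisory lists MAC verification alongside chip-and-PIN and cryptogram validation as a countermeasure to fraudulent cash-outs.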

“Any BeagleBoyz robbery directed at one bank implicates many other financial services firms in both the theft and the flow of illicit funds back to North Korea. BeagleBoyz activity fits a known North Korean pattern of abusing the international financial system for profit. Fraudulent ATM cash-outs have affected upwards of 30 countries in a single incident. The conspirators have withdrawn cash from ATM machines operated by various unwitting banks in multiple countries, including in the United States,” the advisory said.


]]>
Lazarus Hacking Group Strikes Again Using New Malware Variant “MATA”
https://staging-cisomagcom.kinsta.cloud/mata-lazarus-hacking-group/ (Thu, 23 Jul 2020 14:04:37 +0000; https://staging-cisomagcom.kinsta.cloud/?p=6462)

The post Lazarus Hacking Group Strikes Again Using New Malware Variant “MATA” appeared first on CISO MAG | Cyber Security Magazine.

]]>
The threat intelligence team at Kaspersky has warned about a new malware campaign linked to the infamous North Korean Lazarus hacking group. Dubbed “MATA,” the malware targeted e-commerce and IT firms in Poland, Germany, Turkey, Korea, Japan, and India to spread ransomware and steal sensitive information. The MATA malware consists of several components, such as a loader, an orchestrator, and plugins, to infect Windows, Linux, and macOS operating systems.

Researchers stated that the MATA malware campaign began as early as April 2018. “The actor behind this advanced malware framework used it aggressively to infiltrate corporate entities around the world. We identified several victims from our telemetry and figured out the purpose of this malware framework,” the researchers said.

Image Source: Kaspersky

How MATA Spreads

According to Kaspersky, the MATA malware loads plugins that run commands on the infected operating system to manipulate files and processes, inject DLLs, and create HTTP proxies and tunnels on targeted Windows devices. Once the malware is successfully deployed, the attackers locate databases holding customers’ sensitive information and run database queries to acquire customer data.

“During our research, we also found a package containing different MATA files together with a set of hacking tools. In this case, the package was found on a legitimate distribution site, which might indicate that this is the way the malware was distributed. It included a Windows MATA orchestrator, a Linux tool for listing folders, scripts for exploiting Atlassian Confluence Server (CVE-2019-3396), a legitimate socat tool and a Linux version of the MATA orchestrator bundled together with a set of plugins,” the researchers added.

The Lazarus Timeline

The Lazarus group has been involved in multiple earlier cyberattacks. In 2018, Kaspersky uncovered AppleJeus, a malicious operation by the Lazarus group to intrude on cryptocurrency exchanges and applications. In December 2019, the researchers discovered malware dubbed “Fileless” distributed by the Lazarus group. According to the security researchers, the hacking group was spreading malware targeting macOS users via fake cryptocurrency trading applications.


]]>
Russia-based APT29 Targets COVID-19 Vaccine Research
https://staging-cisomagcom.kinsta.cloud/apt29-hackers-targets-covid-vaccine/ (Fri, 17 Jul 2020 17:05:48 +0000; https://staging-cisomagcom.kinsta.cloud/?p=6409)

The post Russia-based APT29 Targets COVID-19 Vaccine Research appeared first on CISO MAG | Cyber Security Magazine.

]]>
The U.K.’s National Cyber Security Centre (NCSC), Canada’s Communications Security Establishment (CSE), and the U.S. National Security Agency (NSA) stated that a cyber espionage group, “APT29,” linked to Russian intelligence services, is trying to steal information and intellectual property related to the testing and development of coronavirus vaccines.

In a joint advisory, the agencies stated that the APT29 group, also known as “the Dukes” or “Cozy Bear,” targeted several organizations working on COVID-19 vaccine development in Canada, the U.S., and the U.K. The group is using its custom malware, known as WellMess and WellMail, and other techniques to target government entities, diplomats, think tanks, health care providers, and companies in the energy sector.

“The group frequently uses publicly available exploits to conduct widespread scanning and exploitation against vulnerable systems, likely in an effort to obtain authentication credentials to allow further access. This broad targeting potentially gives the group access to a large number of systems globally, many of which are unlikely to be of immediate intelligence value. The group may maintain a store of stolen credentials in order to access these systems in the event that they become more relevant to their requirements in the future,” the advisory said.

The advisory also highlighted that the APT29 group continues to attack COVID-19 vaccine research and development centers for financial or intellectual gain. The agencies strongly recommended that organizations use robust security measures to defend against cyberthreats.

NCSC and CISA Advisory on COVID-19 Threats

Recently, cybersecurity officials from the NCSC, the U.S. Department of Homeland Security (DHS), and the Cybersecurity and Infrastructure Security Agency (CISA) stated that cybercriminals and advanced persistent threat (APT) groups are targeting individuals and organizations with a variety of ransomware and malware attacks, exploiting the COVID-19 outbreak for their own gain. The security agencies released a joint advisory describing the growing number of attackers and other malicious groups active against the U.K. and the U.S. The NCSC and CISA stated that they are working with law enforcement and industry experts to prevent COVID-19-related malicious cyber activity. The NCSC and CISA also reported observing hackers scanning for vulnerabilities in remote working tools and exploiting the increased use of video conferencing software.


]]>