Cybercriminals exploited a series of vulnerabilities in Accellion FTA, a third-party file transfer service widely used in enterprises as an alternative to email attachments. The massive cyberattack led to a data breach at Morgan Stanley, exposing sensitive personal information, according to Ars Technica. Morgan Stanley is one of the collateral victims of the Accellion FTA cyberattack. A variety of data was stolen, including social security numbers, birth dates, addresses, names, and the names of affiliated companies. Guidehouse, a third-party service used by Morgan Stanley, was in possession of the information, and shockingly enough, the staff went radio silent. Morgan Stanley representatives...
According to a statement from the Republican National Committee, cybercriminals gained access to the IT infrastructure of one of the committee's contractors, Synnex. Although the infrastructure was breached, no data was lost as a result of the cyberattack, says NPR. If the alleged source of the attack (REvil) is confirmed, it will be the second major cyber attack launched by a Russian network against the United States within a short period. More than 200 U.S. organizations were affected by a massive ransomware cyberattack conducted by the REvil Russian cybercriminal gang over the weekend. Richard Walters, chief of staff at the RNC, posted on Twitter: "We immediately blocked all access from Synnex accounts to our cloud environment," [...] "Our tea...
Several security flaws in the Coursera online learning platform have recently been disclosed, according to ZDNet. A significant vulnerability, a Broken Object Level Authorization (BOLA) issue, was present in the vulnerable APIs and could have exposed sensitive information. Due to Coursera's popularity, researchers decided to take a peek at its security practices. Access control is listed in the program as an in-scope concern; this includes accessing data you are not authorized to see, data belonging to another student, and the backend administrative systems. Checkmarx discovered a number of API issues, including a REST API listing via a password reset function error, resource constraints linked to GraphQL and a GraphQL misconfiguration, amongst other difficult...
ESET's cybersecurity researchers yesterday disclosed a malware espionage campaign targeting South American commercial networks, with the majority of efforts focused on Venezuela, according to The Hacker News. Bandidos is an improved version of Bandook, a malware designed to target enterprises in industries such as healthcare, software services, retail, manufacturing, and construction. Developed by Dark Caracal, Bandook was used between 2015 and 2017 to gather intelligence. The group claims to be acting on behalf of Kazakh and Lebanese government interests. According to the analysis of the latest attack chain, the PCs of potential victims can be infected by opening malicious emails that contain PDF attachments. The email provides the web addr...
For employees facing hundreds of e-mails, the temptation to speed-read and download attachments on autopilot can be great. Cybercriminals, of course, take advantage, sending out seemingly important documents that might contain just about anything from phishing links to malware. Our experts recently discovered two very similar spam campaigns distributing the IcedID and Qbot banking Trojans.

Spam with malicious documents

Both e-mails were disguised as business correspondence. In the first case, the attackers demanded compensation for some bogus reason or said something about canceling an operation. Attached to the message was a zipped Excel file named CompensationClaim plus a series of numbers. The second spam mailing had to do with payments and contracts and included a link to the hacked website where the archive containing the document was stored. In both cases, the attackers’ aim was to persuade the recipient to open the malicious Excel file and run the macro in it, thus downloading either IcedID or (less commonly) Qbot to the victim’s machine.

IcedID and Qbot

The IcedID and Qbot banking Trojans have been around for years, with IcedID first coming to researchers’ attention back in 2017 and Qbot in service since 2008. Moreover, attackers are constantly honing their techniques. For example, at one point they hid the main component of IcedID in a PNG image using a trick called steganography that is pretty hard to detect. Today, both malware programs are available on the shadow market; in addition to their creators, numerous clients distribute the Trojans.

The malware’s main task is to steal bank card details and login credentials for bank accounts, preferably business accounts (hence the businesslike e-mails). To achieve their objectives, the Trojans employ various methods. For example, they may:
- Inject a malicious script into a Web page to intercept user-entered data;
- Redirect online banking users to a fake login page;
- Steal data saved in the browser.

Qbot can also log keystrokes to intercept passwords. Unfortunately, theft of payment data is not the only trouble that awaits victims. For example, IcedID can download other malware, including ransomware, to infected devices. Meanwhile, Qbot’s tricks include stealing e-mail threads for use in further spam campaigns, and providing its operators with remote access to victims’ computers. On work machines in particular, the consequences can be serious.

How to stay safe from banking Trojans

No matter how crafty cybercriminals can be, you don’t need to reinvent the wheel to stay safe. Both of the spam campaigns in question rely on recipients taking risky actions — if they don’t open the malicious file and let it execute the macro, the scheme simply will not work. To reduce your chances of becoming a victim:
- Check the sender’s identity, including the domain name. Someone claiming to be a contractor or a corporate client but using a Gmail address, for example, may be suspicious. And if you simply don’t know who the sender is, check with colleagues;
- Prohibit macros by default, and treat documents that require you to enable macros or other content with suspicion. Never run a macro unless you’re absolutely sure the file needs it — and is safe;
- Install a reliable security solution. If you work on a personal device, or your employer is lax when it comes to workstation protection, make sure it’s protected. Our products detect both IcedID and Qbot.
Last summer, financial institutions throughout Texas started reporting a sudden increase in attacks involving well-orchestrated teams that would show up at night, use stolen trucks and heavy chains to rip Automated Teller Machines (ATMs) out of their foundations, and make off with the cash boxes inside. Now it appears the crime — known variously as “ATM smash-and-grab” or “chain gang” attacks — is rapidly increasing in other states.

[Image: Four different ATM “chain gang” attacks in Texas recently. Image: Texas Bankers Association.]

The Texas Bankers Association documented at least 139 chain gang attacks against Texas financial institutions in the year ending November 2020. The association says organized crime is the main source of the destructive activity, and that Houston-based FBI officials have made more than 50 arrests and are actively tracking about 250 individuals suspected of being part of these criminal rings.

From surveillance camera footage examined by fraud investigators, the perpetrators have followed the same playbook in each incident. The bad guys show up in the early morning hours with a truck or tractor that’s been stolen from a local construction site. Then two or three masked men will pry the front covering from the ATM using crowbars, and attach heavy chains to the cash machine. The canisters of cash inside are exposed once the crooks pull the ATM’s safe door off using the stolen vehicle. In nearly all cases, the perpetrators are done in less than five minutes.

Tracey Santor is the bond product manager for Travelers, which insures a large number of financial institutions against this type of crime. Santor said investigators questioning some of the suspects learned that the smash-and-grabs are used as a kind of initiation for would-be gang members.

“One of the things they found out during the arrest was the people wanting to be in the gang were told they had to bring them $250,000 within a week,” Santor said. “And they were given instructions on how to do it. I’ve also heard of cases where the perpetrators put construction cones around the ATM so it looks to anyone passing by that they’re legitimately doing construction at the site.”

Santor said the chain gang attacks have spread to other states, and that in the year ending June 2021 Travelers saw a 257 percent increase in the number of insurance claims related to ATM smash-and-grabs. That 257 percent increase also includes claims involving incidents where attackers will crash a stolen car into a convenience store, and then in the ensuing commotion load the store’s ATM into the back of the vehicle and drive away. In addition to any cash losses — which can often exceed $200,000 — replacing destroyed ATMs and any associated housing can take weeks, and newer model ATMs can cost $80,000 or more.

“It’s not stopping,” Santor said of the chain gang attacks. “In the last year we counted 32 separate states we’ve seen this type of attack in. Normally we are seeing single digits across the country. 2021 is going to be the same or worse for us than last year.”

Increased law enforcement scrutiny of the crime in Texas might explain why a number of neighboring states are seeing a recent uptick in the number of chain gang attacks, said Elaine Dodd, executive vice president of the fraud division for the Oklahoma Bankers Association.

“We have a lot of it going on here now and they’re getting good at it,” Dodd said. “The numbers are surging. I think since Texas has focused law enforcement attention on this it’s spreading like fingers out from there.”

[Image: Chain gang members at work on a Texas bank ATM. Image: Texas Bankers Association.]

It’s not hard to see why physical attacks against ATMs are on the rise. In 2019, the average amount stolen in a traditional bank robbery was just $1,797, according to the FBI. In contrast, robbing ATMs is way less risky and potentially far more rewarding for the perpetrators. That’s because bank ATMs can typically hold hundreds of thousands of dollars in cash.

Dodd said she hopes to see more involvement from federal investigators in fighting chain gang attacks, and that it would help if more of these attacks were prosecuted as bank robberies, which can carry stiff federal penalties. As it is, she said, most incidents are treated as property crimes and left to local investigators.

“We had a rash of three attacks recently and contacted the FBI, and were told, ‘We don’t work these,’” Dodd said. “The FBI looks at these attacks not as bank robbery, but just the theft of cash.”

In January, Texas lawmakers introduced legislation that would make destroying an ATM a third degree felony offense. Such a change would mean chain gang members could be prosecuted with the same zeal Texas applies to people who steal someone’s livestock, a crime which is punishable by 2-10 years in prison and a fine of up to $10,000 (or both).

“The bottom line is, right now bank robbery is a felony and robbing an unattended ATM is not,” Santor said.

KrebsOnSecurity checked in with the European ATM Security Team (EAST), which maintains statistics about fraud of all kinds targeting ATM operators in Europe. EAST Executive Director Lachlan Gunn said overall physical attacks on ATMs in Europe have been a lot quieter since the pandemic started.

“Attacks fell right away during the lockdowns and have started to pick up a little as the restrictions are eased,” Gunn said. “So no major spike here, although [the United States is] further ahead when it comes to the easing of restrictions.”

Gunn said the most common physical attacks on European ATMs continue to involve explosives — such as gas tanks and solid explosives that are typically stolen from mining and construction sites.

“The biggest physical attack issue in Europe remains solid explosive attacks, due to the extensive collateral damage and the risk to life,” Gunn said.
The Texas Bankers Association report, available here (PDF), includes a number of recommended steps financial institutions can take to reduce the likelihood of being targeted by chain gangs.
In this episode of the podcast, sponsored by Trusted Computing Group, we dig deep on this week’s ransomware attack on the Kaseya IT management software with Adam Meyers of CrowdStrike and Frank Breedijk of the Dutch Institute of Vulnerability Disclosure. Also: Tom Laffey, a product security strategist at Aruba, a Hewlett Packard Enterprise firm, ...

Related Stories:
Episode 218: Denial of Sustenance Attacks - The Cyber Risk To Agriculture
Episode 215-2: Leave the Gun, Take the McFlurry
Episode 214: Darkside Down: What The Colonial Attack Means For The Future of Ransomware
Hancitor sends malspam to infect as many users as possible. Its main purpose is to distribute other malware such as FickerStealer, Pony, CobaltStrike, Cuba ransomware, and Zeppelin ransomware.
A sophisticated campaign targeting large companies in the oil and gas sector has been underway for more than a year, researchers said, spreading common RATs for cyber-espionage purposes.
Checkmarx revealed multiple security flaws in the Coursera platform, including a BOLA flaw that may expose endpoints that handle object identifiers, potentially opening the door to wider attacks.
The initial attack vector is a phishing email with a Microsoft Word document attachment. Upon opening the document, a password-protected Microsoft Excel file is downloaded from a remote server.
In terms of initial infection vectors, X-Force incident response data indicates that vulnerability exploitation and stolen credentials are the most common entry points for adversaries.
IT management software vendor Kaseya has delayed the restoration of its SaaS services until Sunday, July 11th. CEO Fred Voccola took personal responsibility for the delay.
NCC Group researcher Stephen Tomkinson released a technical advisory exploring CVE-2021-21586 (CVSS 8.1) and CVE-2021-21587 (CVSS 5.3), two flaws in WMS privately reported to Dell in early May.
Fake-account creation and utilizing fake accounts is a problem for not only social-media platforms but almost any enterprise that has a system that collects accounts for any purpose.
CNA Financial Corporation, a leading US-based insurance company, is notifying customers of a data breach following a Phoenix CryptoLocker ransomware attack that hit its systems in March.
Conti is developed and maintained by the so-called TrickBot gang, and it is mainly operated through a RaaS affiliation model. The Conti ransomware is derived from the codebase of Ryuk.
The REvil ransomware gang's attack on MSPs and their customers last week outwardly should have been successful, yet changes in their typical tactics and procedures have led to few ransom payments.
According to experts, the member “integra” joined the forum in September 2012 and has gained a high reputation over the course of time. The threat actor aims at buying malware with zero detection.
Virtual cyber fusion can help alleviate the limitations of manually-driven security strategies while leveraging threat intelligence and automation to help address a myriad of use cases.
The Washington Post reported Thursday that Leonardtown in Southern Maryland fell victim to the cyberattack, with town administrator Laschelle McKay first learning of the problem on Friday.
Cisco released security patches for high severity vulnerabilities in Business Process Automation (BPA) and Web Security Appliance (WSA) that expose users to privilege escalation attacks.
The CSA said attackers capitalised on pandemic-related anxiety, targeting e-commerce, data security, vaccine-related research, and operations, including contact-tracing operations.
Cybercriminals seek illicit marketplaces with a reputation for serving their needs while being operationally secure and trustworthy, much like business deals are conducted in traditional economies.
Ransomware attacks are now so prolific that some companies simply cannot help every newly hacked victim get back online. And a shortage of workers means no immediate help in sight.
Microsoft says that the emergency security patches released early this week correctly address the PrintNightmare Print Spooler vulnerability (CVE-2021-34527) for all supported Windows versions.
The RaaS ecosystem is evolving into something akin to a corporate structure, researchers say, with new openings available for "negotiators" -- a role focused on extorting victims to pay a ransom.
A suspected Chinese state-sponsored group is targeting telecommunications organizations in Taiwan, Nepal and the Philippines, researchers at Recorded Future’s Insikt Group said in a report Thursday.
The highest awarded bounty was $200,000 for a vulnerability reported in Hyper-V. The average bounty reward was more than $10,000 per valid bug report across all programs.
The notorious Lazarus advanced persistent threat (APT) group has been identified as the cybergang behind a campaign spreading malicious documents to job-seeking engineers.
Kaspersky spotted WildPressure APT group deploying a new malware to target businesses in the oil and gas sector, through both Windows and macOS systems. Experts also noted some similarities in the techniques of the WildPressure APT and BlackShadow, which also targets organizations in the Middle East. The observation, however, wasn’t enough to come to any attribution conclusion.
INTERPOL arrested Dr. Hex under the operation Lyrebird. The accused was involved in attacks on 134 websites from 2009–2018 across multiple regions. This arrest comes as a breath of fresh air for the security community. The suspect is under investigation and more details may emerge in the future, which may be helpful for the security community.
Google singled out nine apps—with over 5.8 million combined downloads—that masqueraded as genuine apps such as Horoscope Daily and Rubbish Cleaner to steal Facebook login details. Before and after installing any app, users must stay vigilant for unusual activity and for the permissions the apps require.
Netskope was valued at $7.5 billion after it raised $300 million in a funding round led by existing investor ICONIQ Growth, with participation from other existing investors.
A vulnerability exists within the polkit system service that can be leveraged by a local, unprivileged attacker to perform privileged operations. In order to leverage the vulnerability, the attacker invokes a method over D-Bus and kills the client process. This will occasionally cause the operation to complete without being subjected to all of the necessary authentication. The exploit module leverages this to add a new user with sudo access and a known password. The new account is then leveraged to execute a payload with root privileges.
Gentoo Linux Security Advisory 202107-22 - An information disclosure vulnerability in InspIRCd may allow remote attackers to obtain sensitive information. Versions less than 3.10.0 are affected.
Gentoo Linux Security Advisory 202107-21 - Multiple vulnerabilities have been found in Wireshark, the worst of which could result in the arbitrary execution of code. Versions less than 3.4.6 are affected.
Gentoo Linux Security Advisory 202107-20 - Multiple vulnerabilities have been found in Redis, the worst of which could result in the arbitrary execution of code. Versions less than 6.0.13 are affected.
While it's the norm for phishing campaigns that distribute weaponized Microsoft Office documents to prompt victims to enable macros in order to trigger the infection chain in the background, new findings indicate that macro security warnings can be disabled entirely without requiring any user interaction. In yet another instance of malware authors continuing to evolve their techniques to evade...
Multiple security vulnerabilities have been disclosed in Philips Clinical Collaboration Platform Portal (aka Vue PACS), some of which could be exploited by an adversary to take control of an affected system. "Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install
For years, security professionals have recognized the need to enhance SaaS security. However, the exponential adoption of Software-as-a-Service (SaaS) applications over 2020 turned slow-burning embers into a raging fire. Organizations manage anywhere from thirty-five to more than a hundred applications. From collaboration tools like Slack and Microsoft Teams to mission-critical applications
Cybercrime actors part of the Magecart group have latched on to a new technique of obfuscating the malware code within comment blocks and encoding stolen credit card data into images and other files hosted on the server, once again demonstrating how the attackers are continuously improving their infection chains to escape detection. "One tactic that some Magecart actors employ is the dumping of