Hackers belonging to the LAPSUS$ cybercrime group have published screenshots allegedly taken from inside Okta's information systems. If the claims are true, they had access not only to the company's website but also to a number of other internal systems, including quite critical ones. LAPSUS$ claims that it did not steal any data from the company itself and that its targets were mainly Okta's customers. Judging by the dates on the screenshots, the attackers had access to the systems as early as January 2022.

"Oh man, if this is what it looks (Okta got popped)… Blue Team everywhere is gonna be crazy busy." — _MG_ (@_MG_) March 22, 2022

What is Okta and why could the breach be so dangerous?

Okta develops and maintains identity and access management systems; in particular, it provides a single sign-on solution. A huge number of large companies use Okta's products. Kaspersky experts believe that the hackers' access to Okta's systems could explain a number of the rather high-profile data leaks from large companies for which LAPSUS$ has already claimed responsibility.

How did the cybercriminals gain access to Okta's systems?

At the moment there is no conclusive evidence that the hackers really gained access. According to Okta's official statement, its specialists are currently investigating, and the company promises to share details as soon as the investigation is complete. It is possible that the published screenshots relate to the January incident, in which an unknown actor tried to compromise the account of a technical support engineer working for a third-party subcontractor.

Who are LAPSUS$ and what do we know about them?

LAPSUS$ gained fame in 2020 when they compromised the Brazilian Ministry of Health's systems. Presumably this is a Latin American hacker group that steals information from large companies for ransom. If the victims refuse to pay, the hackers publish the stolen information on the Internet. Unlike many other ransomware groups, LAPSUS$ does not encrypt the data of hacked organizations; it simply threatens to leak the data if the ransom is not paid. Notable victims of LAPSUS$ include Nvidia, Samsung and Ubisoft. In addition, they recently released 37 GB of code believed to be related to internal Microsoft projects.

How to stay safe?

At the moment it is impossible to say with absolute certainty that the incident really happened. The publication of screenshots is in itself a rather strange move that may be aimed at self-promotion for the hackers, an attack on Okta's reputation, or an attempt to hide the real method by which LAPSUS$ gained access to one of Okta's clients. That said, to play it safe, our experts recommend that Okta's clients employ the following protective measures:

- Enforce especially stringent monitoring of network activity, and in particular of any activity related to authentication in internal systems;
- Provide staff with additional cybersecurity hygiene training and prepare them to be alert to and report any suspicious activity;
- Perform a security audit of your organization's IT infrastructure to reveal gaps and vulnerable systems;
- Restrict access to remote management tools from external IP addresses;
- Ensure that remote control interfaces can only be accessed from a limited number of endpoints;
- Follow the principle of least privilege: grant high-privileged accounts only to those who need them to do their job;
- Use ICS network traffic monitoring, analysis and detection solutions for better protection from attacks that could threaten the technological process and main enterprise assets.

Companies that do not have the internal resources to monitor suspicious activity in their IT infrastructure can employ external experts.
Pavel Vrublevsky, founder of the Russian payment technology firm ChronoPay and the antagonist in my 2014 book “Spam Nation,” was arrested in Moscow this month and charged with fraud. Russian authorities allege Vrublevsky operated several fraudulent SMS-based payment schemes, and facilitated money laundering for Hydra, the largest Russian darknet market. But according to information obtained by KrebsOnSecurity, it is equally likely Vrublevsky was arrested thanks to his propensity for carefully documenting the links between Russia’s state security services and the cybercriminal underground.

An undated photo of Vrublevsky at his ChronoPay office in Moscow.

ChronoPay specializes in providing access to the global credit card networks for “high risk” merchants — businesses involved in selling services online that tend to generate an unusually large number of chargebacks and reports of fraud, and hence have a higher risk of failure. When I first began writing about Vrublevsky in 2009 as a reporter for The Washington Post, ChronoPay and its sister firm Red & Partners (RNP) were earning millions setting up payment infrastructure for fake antivirus peddlers and spammers pimping male enhancement drugs. Using the hacker alias “RedEye,” the ChronoPay CEO oversaw a burgeoning pharmacy spam affiliate program called Rx-Promotion, which paid some of Russia’s most talented spammers and virus writers to bombard the world with junk email promoting Rx-Promotion’s pill shops. RedEye also was the administrator of Crutop, a Russian-language forum and affiliate program that catered to thousands of adult webmasters. In 2013, Vrublevsky was sentenced to 2.5 years in a Russian penal colony for convincing one of his top affiliates to launch a distributed denial-of-service (DDoS) attack against a competitor that shut down the ticketing system for the state-owned Aeroflot airline. Following his release from jail, Vrublevsky began working on a new digital payments platform based in Hong Kong called HPay Ltd (a.k.a. Hong Kong Processing Corporation). HPay appears to have had a great number of clients that were running schemes which bamboozled people with fake lotteries and prize contests.
According to Russian prosecutors, the scam went like this: Consumers would receive an SMS with links to sites that falsely claimed a number of well-known companies were sponsoring drawings and lotteries for people who enrolled or agreed to answer surveys. All who responded were told they were winners, but also that they had to pay a commission to pick up the prize. That scheme allegedly stole 500 million rubles (~USD $4.5 million) from over 100,000 consumers. There are scant public records that show a connection between ChronoPay and HPay, apart from the fact that the latter’s website — hpay[.]io — was originally hosted on the same server (185.180.196.74) along with a handful of other domains, including Vrublevsky’s personal website rnp[.]com. But then earlier this month, KrebsOnSecurity received a large amount of information that was stolen from ChronoPay recently when hackers managed to compromise the company’s Confluence server. Confluence is a web-based corporate wiki platform, and ChronoPay used its Confluence installation to document in exquisite detail how it creatively distributes the risk associated with high-risk processing by routing transactions through a myriad of shell companies and third-party processors.

A Google-translated snippet of the hacked ChronoPay Confluence installation.

Incredibly, Vrublevsky himself appears to have used ChronoPay’s Confluence wiki to document his entire 20+ years of personal and professional history in the high-risk payments space, including the company’s most recent forays with HPay. The latest document in the hacked archive is dated April 2021. These diary entries, interspersed between highly technical how-tos, are all written in Russian and in the third person. But they are unmistakably Vrublevsky’s words: Some of the elaborate stories in the wiki were identical to theories that Vrublevsky himself espoused to me throughout hundreds of hours of phone interviews.
Also, in some of the entries the narrator switches from “he” to “I” when describing the actions of Vrublevsky. Vrublevsky’s memoir/wiki invokes the nicknames and real names of Russian hackers who worked under the protection of corrupt officials in the Russian Federal Security Service (FSB), the successor agency to the Soviet KGB. In several diary entries, Vrublevsky writes about various cybercriminals and Russian law enforcement officials involved in processing credit card payments tied to online gambling sites. Russian banks are prohibited from processing payments for online gambling, and as a result many online gaming sites catering to Russian speakers have chosen to process credit card payments through Ukrainian financial institutions. That’s according to Vladislav “BadB” Horohorin, the convicted cybercriminal who shared the ChronoPay Confluence data with KrebsOnSecurity. In February 2017, Horohorin was released after serving four years in a U.S. prison for his role in the 2009 theft of more than $9 million from RBS Worldpay. Horohorin said Vrublevsky has been using his knowledge of the card processing networks to extort people in the online gambling industry who may run afoul of Russian laws. “Russia has strict regulations against processing for the gambling business,” Horohorin said. “While Russian banks can’t do it, Ukrainian ones can, so we have Ukrainian banks processing gambling and casinos, which mostly Russian gamblers use. What Pavel does is he blackmails those Ukrainian banks using his connections and knowledge. Some pay, some don’t. But some people are not very tolerant of that kind of abuse.” A native of Donetsk, Ukraine, Horohorin told KrebsOnSecurity he hacked and shared the ChronoPay Confluence installation because Vrublevsky had threatened a family member.
Horohorin believes Vrublevsky secretly operated the “bad bank” channel on Telegram, which calls attention to online gambling operations that are violating Visa and MasterCard regulations (violations that can bring the violator hundreds of thousands of dollars in fines). “Pavel scrupulously wrote his diary for a long time, and there is a lot of information on the people he knows,” Horohorin told KrebsOnSecurity. “My understanding is he wrote this in order to blackmail people later. There is a lot of interesting stuff, a lot of names and a lot of very intimate info about Russian card processing market, as well as Pavel’s own escapades.” ChronoPay’s hacked Confluence server contains many diary entries about major players in the Russian online gambling and bookmaking industries. Among the escapades recounted in the ChronoPay founder’s diaries are multiple stories involving the self-proclaimed “King of Fraud!” Aleksandr “Nastra” Zhukov, a Russian national who ran an advertising fraud network dubbed “Methbot” that stole $7 million from publishers through bots made to look like humans watching videos online. The journal explains that Zhukov lived with a ChronoPay employee and had a great deal of interaction with ChronoPay’s high-risk department, so much so that Zhukov at one point gave Vrublevsky a $100,000 jeweled watch as a gift. Zhukov was arrested in Bulgaria in 2018 and extradited to the United States. Following a jury trial in New York that ended last year, Zhukov was sentenced to 10 years in prison. According to the Russian news outlet Kommersant, Vrublevsky and company operated “Inferno Pay,” a payments portal that worked with Hydra, the largest Russian darknet market for illicit goods, including drug trafficking, malware, and counterfeit money and documents.

Inferno Pay, a cryptocurrency and payment API allegedly operated by the ChronoPay CEO.
“The services of Inferno Pay, whose commission came to 30% of the transaction, were actively used by online casinos,” Kommersant wrote on Mar. 12. The drama surrounding Vrublevsky’s most recent arrest is reminiscent of events leading up to his imprisonment nearly a decade ago, when several years’ worth of ChronoPay internal emails were leaked online. Kommersant said Russian authorities also searched the dwelling of Dmitry Artimovich, a former ChronoPay director who along with his brother Igor was responsible for running the Festi botnet, the same spam botnet that was used for years to pump out junk emails promoting Vrublevsky’s pharmacy affiliate websites. Festi also was the botnet used in the DDoS attack that sent Vrublevsky to prison for two years in 2013. Artimovich says he had a falling out with Vrublevsky roughly five years ago, and he’s been suing the company ever since. In a message to KrebsOnSecurity, Artimovich said that while Vrublevsky was involved in a lot of shady activities, he doubts Vrublevsky’s arrest was really about SMS payment scams as the government claims. “I do not think that it was a reason for his arrest,” Artimovich said. “Our law enforcement usually don’t give a shit about sites like this. And I don’t think that Vrublevsky made much money there. I believe he angered some high-ranking person. Because the scale of the case is much larger than Aeroflot. Police carried out searches of 22 people. Illegal seizure of money, computers.”

The Hydra darknet market. Image: bitcoin.com
Bionic, a Palo Alto, CA-based Application Security Posture Management platform, closed a $65m Series B funding. The round was led by Insight Partners with participation from existing investors Cyberstarts and Battery Ventures.
A Windows local privilege escalation zero-day vulnerability that Microsoft has failed to fully address for several months allows users to gain administrative privileges in Windows 10, Windows 11, and Windows Server.
A Steam user receives an unsolicited message from a stranger. It may be sent via Steam’s own messenger service, or it could be in a Discord channel. The scammer presents the “offer” as a way to help a fellow Steam enthusiast out.
The FBI said that the hackers gained access to an NGO cloud by abusing default MFA protocols. They enrolled their own device into the organization’s Duo MFA.
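The Duo item above and the Kaspersky advice earlier on this page (monitor anything related to authentication) point at the same detection: a new MFA device registered on an account that has been silent for months, from a network the account has never logged in from, followed minutes later by a successful login from that same network. The script below is an added example written for this page, not code from the FBI advisory, Duo, Okta or Kaspersky. The event schema (user, time, event, ip) and the sample events are constructed; the real export from a Duo or Okta tenant has to be mapped onto it, and the dormancy and follow-on windows are policy choices.

```python
"""Flag MFA device enrollments that look like an attacker registering their own
device. Added example for this page; the schema and events are constructed."""
from datetime import datetime, timedelta

DORMANT_DAYS = 90                      # no successful login for this long -> dormant (policy choice)
FOLLOW_ON_WINDOW = timedelta(hours=1)  # login from the new IP this soon after enrolling -> suspicious

# Constructed sample events in ISO-8601 UTC. Not real log data.
SAMPLE_EVENTS = [
    {"user": "alice", "time": "2022-01-03T09:12:00Z", "event": "auth_success",    "ip": "203.0.113.10"},
    {"user": "alice", "time": "2022-03-10T08:55:00Z", "event": "auth_success",    "ip": "203.0.113.10"},
    {"user": "bob",   "time": "2021-09-01T10:00:00Z", "event": "auth_success",    "ip": "203.0.113.22"},
    # bob has been silent for months; a new device appears and is used from a new network minutes later
    {"user": "bob",   "time": "2022-03-12T02:14:00Z", "event": "device_enrolled", "ip": "198.51.100.7"},
    {"user": "bob",   "time": "2022-03-12T02:20:00Z", "event": "auth_success",    "ip": "198.51.100.7"},
    # carol is active and enrolls a replacement phone from her usual network: benign
    {"user": "carol", "time": "2022-03-11T15:00:00Z", "event": "auth_success",    "ip": "203.0.113.30"},
    {"user": "carol", "time": "2022-03-12T15:05:00Z", "event": "device_enrolled", "ip": "203.0.113.30"},
    {"user": "carol", "time": "2022-03-12T15:06:00Z", "event": "auth_success",    "ip": "203.0.113.30"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_risky_enrollments(events, dormant_days=DORMANT_DAYS, window=FOLLOW_ON_WINDOW):
    """Return [(user, enrollment_time, [reasons])] for enrollments worth a ticket.

    Three signals, each judged with only the history seen *before* the enrollment:
    the account was dormant, the enrolling IP never completed a login before, and
    a login from that new IP follows within `window`.
    """
    events = sorted(events, key=lambda e: _ts(e["time"]))
    last_success = {}   # user -> datetime of most recent successful login
    known_ips = {}      # user -> set of IPs that completed a login
    findings = []
    for i, ev in enumerate(events):
        user, t = ev["user"], _ts(ev["time"])
        if ev["event"] == "auth_success":
            last_success[user] = t
            known_ips.setdefault(user, set()).add(ev["ip"])
            continue
        if ev["event"] != "device_enrolled":
            continue
        reasons = []
        prev = last_success.get(user)
        if prev is None or (t - prev).days >= dormant_days:
            reasons.append("enrollment on a dormant account")
        if ev["ip"] not in known_ips.get(user, set()):
            reasons.append("enrollment from an IP with no prior successful login")
            # look ahead only within the window for a login from that same new IP
            for later in events[i + 1:]:
                if _ts(later["time"]) - t > window:
                    break
                if later["user"] == user and later["event"] == "auth_success" and later["ip"] == ev["ip"]:
                    reasons.append("login from the new IP within %s of enrollment" % window)
                    break
        if reasons:
            findings.append((user, ev["time"], reasons))
    return findings


if __name__ == "__main__":
    for user, when, reasons in find_risky_enrollments(SAMPLE_EVENTS):
        print("%s enrolled a device at %s: %s" % (user, when, "; ".join(reasons)))
```

On the sample data only bob's enrollment is reported, with all three reasons; carol's replacement phone, enrolled from her usual network on an active account, is not. The dormant-account signal is the one that matters most here: an enrollment on an account with no recent logins deserves a ticket even when the other two signals are absent.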
U.S. Department of Health and Human Services records show health care companies in North Carolina and South Carolina have reported 47 large breaches of unsecured protected health information impacting more than 1.4 million people since 2020.
A popular mobile app in the official Google Play store called “Craftsart Cartoon Photo Tools” has racked up more than 100,000 installs – but unfortunately for the app’s enthusiasts, it contains a version of the Facestealer Android malware.
Internal screenshots were posted by a group of hackers known as LAPSUS$ on their Telegram channel late on Monday. In an accompanying message, the group said its focus was "ONLY on Okta customers."
The vulnerability received a shout-out from the NSA’s top cybersecurity official, who warned defenders not to be fooled by the (relatively) low severity rating and patch immediately.
In January 2022, the FBI issued a PSA warning people of a new trend: cybercriminals are allegedly taking advantage of QR codes to redirect victims to malicious sites that can steal their credentials and financial information.
Earlier this month the group said on its Telegram channel that it was seeking employees inside technology companies who would be willing to work with them, including Microsoft.
The point of compromise was VetIS, a state information system used by veterinary services and companies engaging in the field, making it likely a supply chain compromise, although more clarification is needed.
At the start of this year, Symphony Technology Group (STG) announced Trellix was the new name for the business unit that resulted from the merger of McAfee Enterprise and FireEye last October.
Tracked as CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, and CVE-2022-24421, the high-severity vulnerabilities are rated 8.2 out of 10 on the CVSS scoring system.
These cyber assets could include cloud workloads, devices, network assets, applications, data assets, and users. The average security team is responsible for managing over 165,000 of these, a new report warned.
This malware was identified in 2017 and is used exclusively by Arid Viper, an advanced persistent threat (APT) group believed to be based in Gaza and known as APT-C-23. Deep Instinct named the Go-written malware Arid Gopher.
White House officials delivered classified briefings to more than 100 companies last week, urging at-risk private sector partners to bolster cybersecurity defenses against potential intrusions by Russia-linked actors.
In a new BitRAT malware distribution campaign discovered by researchers at AhnLab, threat actors are distributing the malware as a Windows 10 Pro license activator on webhards.
In his statement on cybersecurity preparedness, Secretary of Homeland Security Alejandro N. Mayorkas said that organizations of every size and across every sector should continue enhancing their cybersecurity defenses.
New source code for the Russia-based Conti ransomware operation has been leaked on Twitter, as revenge for the ongoing war, by a Ukrainian researcher using the name Conti Leaks. The leak is a Visual Studio solution that can be built easily, allowing anyone to compile the locker and the decryptor. The leak should help the security community better understand Conti ransomware operations.
Researchers analyzed two recent ransomware attacks by BlackCat and BlackMatter and discovered overlaps in their TTPs. However, one of the representatives of BlackCat had already claimed that the ransomware is not the rebranding of BlackMatter. BlackCat could be playing an important role in helping several groups come together and work as a team.
HP has published security advisories for three critical-severity vulnerabilities affecting hundreds of its LaserJet Pro, Pagewide Pro, OfficeJet, Enterprise, Large Format, and DeskJet printer models.
The FBI issued a joint cybersecurity advisory against AvosLocker ransomware operations aimed at crippling the networks of U.S. critical infrastructure. It has targeted multiple sectors including financial services, critical manufacturing sectors, and government facilities as well. The advisory provides multiple countermeasures to stay protected from AvosLocker ransomware attacks.
SAMH (the Scottish Association for Mental Health) helps provide care and support for adults and young people suffering from issues with their mental health, and campaigns to influence positive social change.
ELTA, the state-owned provider of postal services in Greece, has disclosed a ransomware incident detected on Sunday that is still keeping most of the organization's services offline.
A follow-up message asked the recipient to delete the erroneously sent email and explained that any of the information accidentally leaked was in any case available on a public electoral register.
ForAllSecure plans to use the funding to accelerate growth, hire new talent, and build a solution that would help secure open source projects that businesses worldwide depend on.
Ubuntu Security Notice 5341-1 - It was discovered that GNU binutils incorrectly handled checks for memory allocation when parsing relocs in a corrupt file. An attacker could possibly use this issue to cause a denial of service. It was discovered that GNU binutils incorrectly handled certain corrupt DWARF debug sections. An attacker could possibly use this issue to cause GNU binutils to consume memory, resulting in a denial of service.
Ubuntu Security Notice 5339-1 - Yiqi Sun and Kevin Wang discovered that the cgroups implementation in the Linux kernel did not properly restrict access to the cgroups v1 release_agent feature. A local attacker could use this to gain administrative privileges. It was discovered that an out-of-bounds memory access flaw existed in the f2fs module of the Linux kernel. A local attacker could use this issue to cause a denial of service.
Ubuntu Security Notice 5338-1 - Yiqi Sun and Kevin Wang discovered that the cgroups implementation in the Linux kernel did not properly restrict access to the cgroups v1 release_agent feature. A local attacker could use this to gain administrative privileges.
iRZ mobile routers versions RU21, RU21w, RL21, RU41, and RL01 suffer from a cross site request forgery vulnerability that can enable remote code execution.
Ubuntu Security Notice 5337-1 - It was discovered that the BPF verifier in the Linux kernel did not properly restrict pointer types in certain situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Yiqi Sun and Kevin Wang discovered that the cgroups implementation in the Linux kernel did not properly restrict access to the cgroups v1 release_agent feature. A local attacker could use this to gain administrative privileges.
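The cgroups v1 release_agent weakness appears in three of the notices above (USN-5337-1, USN-5338-1 and USN-5339-1). release_agent is a cgroup v1-only feature: the kernel runs the configured program as root when a cgroup empties, so whoever can write the file on an unpatched kernel gets root, and an unprivileged user who can create a user namespace can mount a cgroup v1 hierarchy of their own to reach it. The script below is an added example for this page, not Ubuntu's or the kernel project's code, and it is not an exploit: it never touches release_agent. It only measures the attack surface a local attacker needs, namely cgroup v1 hierarchies (fstype "cgroup"; "cgroup2" is the unified hierarchy, which has no release_agent) and whether unprivileged user namespaces are allowed. The sysctl names are the standard ones; kernel.unprivileged_userns_clone exists only on Ubuntu/Debian kernels, and user.max_user_namespaces is the upstream knob. The sample /proc/mounts text and sysctl values are constructed. Whether the running kernel is patched must still be checked against the advisory.

```python
"""Report the preconditions for cgroup v1 release_agent abuse on a Linux host.
Added example for this page, not an exploit; sample inputs are constructed."""
import os

# Constructed sample inputs for offline use; the live path reads the real files.
SAMPLE_MOUNTS = (
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
    "cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0\n"
    "cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0\n"
    "cgroup /sys/fs/cgroup/rdma cgroup rw,nosuid,nodev,noexec,relatime,rdma 0 0\n"
)
SAMPLE_SYSCTL = {"kernel.unprivileged_userns_clone": "1", "user.max_user_namespaces": "63360"}


def cgroup_v1_mounts(mounts_text):
    """Mount points of cgroup v1 hierarchies in /proc/mounts-formatted text."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        # fields: device mountpoint fstype options dump pass
        if len(fields) >= 3 and fields[2] == "cgroup":
            points.append(fields[1])
    return points


def unprivileged_userns_allowed(sysctl):
    """True unless a sysctl switches unprivileged user namespaces off.

    sysctl maps dotted name -> value string as read from /proc/sys. A missing
    key means the kernel has no such knob, which for both knobs means the
    default (allowed).
    """
    if sysctl.get("kernel.unprivileged_userns_clone", "1").strip() == "0":
        return False
    if sysctl.get("user.max_user_namespaces", "1").strip() == "0":
        return False
    return True


def assess(mounts_text, sysctl):
    """Return (exposed, findings).

    exposed is True when an unprivileged local user can get CAP_SYS_ADMIN over
    a cgroup v1 hierarchy of their own via a user namespace, which is the
    starting point of the release_agent attack on an unpatched kernel. Existing
    v1 mounts are reported too: a writable one (for example inside a container
    that mounts /sys/fs/cgroup read-write) exposes the feature directly.
    """
    findings = []
    v1 = cgroup_v1_mounts(mounts_text)
    if v1:
        findings.append("cgroup v1 hierarchies mounted: " + ", ".join(v1))
    userns = unprivileged_userns_allowed(sysctl)
    if userns:
        findings.append("unprivileged user namespaces enabled: a local user can mount their own cgroup v1 hierarchy")
    else:
        findings.append("unprivileged user namespaces disabled: the unprivileged path is closed")
    return userns, findings


def read_sysctls(names=("kernel.unprivileged_userns_clone", "user.max_user_namespaces")):
    """Read the knobs from /proc/sys; knobs the kernel lacks are left out."""
    out = {}
    for name in names:
        path = os.path.join("/proc/sys", *name.split("."))
        try:
            with open(path) as f:
                out[name] = f.read()
        except OSError:
            pass
    return out


if __name__ == "__main__":
    try:
        with open("/proc/mounts") as f:
            mounts = f.read()
        sysctls = read_sysctls()
    except OSError:  # not Linux: fall back to the constructed sample
        mounts, sysctls = SAMPLE_MOUNTS, SAMPLE_SYSCTL
    exposed, findings = assess(mounts, sysctls)
    print("exposed to unprivileged release_agent abuse: %s" % exposed)
    for line in findings:
        print(" - " + line)
```

Run as any user; it needs no privileges because it only reads procfs. A "not exposed" verdict from the user-namespace check does not mean the kernel is fixed, only that the unprivileged path is blocked; a root-equivalent process, or a container handed a writable v1 hierarchy, still needs the patched kernel from the notices.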
Five new security weaknesses have been disclosed in Dell BIOS that, if successfully exploited, could lead to code execution on vulnerable systems, joining the likes of firmware vulnerabilities recently uncovered in Insyde Software's InsydeH2O and HP Unified Extensible Firmware Interface (UEFI). Tracked as CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, and CVE-2022-24421, the
Back in 2018, Palo Alto Networks CTO and co-founder Nir Zuk coined a new term to describe the way that businesses needed to approach cybersecurity in the years to come. That term, of course, was extended detection and response (XDR). It described a unified cybersecurity infrastructure that brought endpoint threat detection, network analysis and visibility (NAV), access management, and more under
The U.S. government on Monday once again cautioned of potential cyber attacks from Russia in retaliation for economic sanctions imposed by the west on the country following its military assault on Ukraine last month. "It's part of Russia's playbook," U.S. President Joe Biden said in a statement, citing "evolving intelligence that the Russian Government is exploring options." The development
Microsoft and authentication services provider Okta said they are investigating claims of a potential breach alleged by the LAPSUS$ extortionist gang. The development, which was first reported by Vice and Reuters, comes after the cyber criminal group posted screenshots and source code of what it said were the companies' internal projects and systems on its Telegram channel. The leaked 37GB