Oktacron logo
Cyber security aggregate rss news

Cyber security aggregator - feeds history
image for Potential consequenc ...

 Threats

Hackers belonging to the LAPSUS$ cybercrime group have published screenshots, allegedly taken from inside Oktas information systems. If the claims are true, they have access not only to the companys website, but also to a number of other internal systems, including quite critical ones. LAPSUS$ claims that they did not   show more ...

steal any data from the company itself, and that their targets were mainly Oktas customers. Judging by the dates on the screenshots, the attackers had access to the systems as early as January 2022. Oh man, if this it what it looks (Okta got popped)… Blue Team everywhere is gonna be crazy busy. pic.twitter.com/PY4dIzfwvM — _MG_ (@_MG_) March 22, 2022 What is Okta and why could the breach be so dangerous? Okta develops and maintains identity and access management systems. In particular, they provide a single sign-on solution. A huge number of large companies employ Oktas solutions. Kaspersky Lab experts believe that the hackers access to Oktas systems can explain a number of the rather high-profile data leaks from large companies, for which hackers from LAPSUS$ have already claimed responsibility. How cybercriminals gain access to Oktas systems? At the moment there is no conclusive evidence that the hackers really gained access. According to an Oktas official statement, its specialists are currently conducting an investigation and the company promises to share details as soon as the investigation is completed. It is possible that the published screenshots are related to the January incident, when an unknown actor tried to compromise the account of a technical support engineer working for a third-party subcontractor. Who are the LAPSUS$ group and what do we know about them? LAPSUS$ gained fame in 2020 when they compromised the Brazilian Ministry of Healths systems. Presumably, this is a Latin American hacker group that steals information from large companies for ransom. If the victims refuse to pay, the hackers publish the stolen information on the Internet. Unlike many other ransomware groups, LAPSUS$ does not encrypt the data of hacked organizations, but simply threatens to leak the data in case of non-payment of the ransom. Notable victims of LAPSUS$ include Nvidia, Samsung and Ubisoft. In addition, they recently released 37 GB of code believed to be related to internal Microsoft projects. How to stay safe? At the moment it is impossible to say with absolute certainty that the incident really happened. The publication of screenshots in itself is a rather strange move that may be aimed at self-promotion of the hackers, an attack on Oktas reputation, or an attempt to hide the real method by which LAPSUS$ gained access to one of Oktas clients. That said, to play it safe our experts recommend Oktas clients to employ the following protective measures: Enforce especially stringent monitoring of network activity and in particular of any activity related to authentication in internal systems; Provide staff with an additional cybersecurity hygiene training and prepare them to be alert and report on any suspicious activity; Perform a security audit of your organizations IT infrastructure to reveal gaps and vulnerable systems; Restrict access to remote management tools from external IP addresses; Ensure that remote control interfaces can only be accessed from a limited number of endpoints; Follow the principle of offering staff limited privileges and grant high-privileged accounts only to those who need this to fulfil their job; Use ICS network traffic monitoring, analysis and detection solutions for better protection from attacks potentially threatening technological process and main enterprise assets. Companies that do not have the internal resources to monitor suspicious activity in their IT infrastructure can employ the external experts.

image for ‘Spam Nation’ Vi ...

 Ne'er-Do-Well News

Pavel Vrublevsky, founder of the Russian payment technology firm ChronoPay and the antagonist in my 2014 book “Spam Nation,” was arrested in Moscow this month and charged with fraud. Russian authorities allege Vrublevsky operated several fraudulent SMS-based payment schemes, and facilitated money   show more ...

laundering for Hydra, the largest Russian darknet market. But according to information obtained by KrebsOnSecurity, it is equally likely Vrublevsky was arrested thanks to his propensity for carefully documenting the links between Russia’s state security services and the cybercriminal underground. An undated photo of Vrublevsky at his ChronoPay office in Moscow. ChronoPay specializes in providing access to the global credit card networks for “high risk” merchants — businesses involved in selling services online that tend to generate an unusually large number of chargebacks and reports of fraud, and hence have a higher risk of failure. When I first began writing about Vrublevsky in 2009 as a reporter for The Washington Post, ChronoPay and its sister firm Red & Partners (RNP) were earning millions setting up payment infrastructure for fake antivirus peddlers and spammers pimping male enhancement drugs. Using the hacker alias “RedEye,” the ChronoPay CEO oversaw a burgeoning pharmacy spam affiliate program called Rx-Promotion, which paid some of Russia’s most talented spammers and virus writers to bombard the world with junk email promoting Rx-Promotion’s pill shops. RedEye also was the administrator of Crutop, a Russian language forum and affiliate program that catered to thousands of adult webmasters. In 2013, Vrublevsky was sentenced to 2.5 years in a Russian penal colony for convincing one of his top affiliates to launch a distributed denial-of-service (DDoS) attack against a competitor that shut down the ticketing system for the state-owned Aeroflot airline. Following his release from jail, Vrublevsky began working on a new digital payments platform based in Hong Kong called HPay Ltd (a.k.a. Hong Kong Processing Corporation). HPay appears to have had a great number of clients that were running schemes which bamboozled people with fake lotteries and prize contests. According to Russian prosecutors, the scam went like this: Consumers would receive an SMS with links to sites that falsely claimed a number of well-known companies were sponsoring drawings and lotteries for people who enrolled or agreed to answer surveys. All who responded were told they were winners, but also that they had to pay a commission to pick up the prize. That scheme allegedly stole 500 million rubles (~ USD $4.5 million) from over 100,000 consumers. There are scant public records that show a connection between ChronoPay and HPay, apart from the fact that the latter’s website — hpay[.]io — was originally hosted on the same server (185.180.196.74) along with a handful of other domains, including Vrublevsky’s personal website rnp[.]com. But then earlier this month, KrebsOnSecurity received a large amount of information that was stolen from ChronoPay recently when hackers managed to compromise the company’s Confluence server. Confluence is a web-based corporate wiki platform, and ChronoPay used their Confluence installation to document in exquisite detail how it creatively distributes the risk associated with high-risk processing by routing transactions through a myriad of shell companies and third-party processors. A Google-translated snippet of the hacked ChronoPay Confluence installation. Click to enlarge. Incredibly, Vrublevsky himself appears to have used ChronoPay’s Confluence wiki to document his entire 20+ years of personal and professional history in the high-risk payments space, including the company’s most recent forays with HPay. The latest document in the hacked archive is dated April 2021. These diary entries, interspersed between highly technical how-tos, are all written in Russian and in the third person. But they are unmistakably Vrublevsky’s words: Some of the elaborate stories in the wiki were identical to theories that Vrublevsky himself espoused to me throughout hundreds of hours of phone interviews. Also, in some of the entries the narrator switches from “he” to “I” when describing the actions of Vrublevsky. Vrublevsky’s memoire/wiki invokes the nicknames and real names of Russian hackers who worked with the protection of corrupt officials in the Russian Federal Security Service (FSB), the successor agency to the Soviet KGB. In several diary entries, Vrublevsky writes about various cybercriminals and Russian law enforcement officials involved in processing credit card payments tied to online gambling sites. Russian banks are prohibited from processing payments for online gambling, and as a result many online gaming sites catering to Russian speakers have chosen to process credit card payments through Ukrainian financial institutions. That’s according to Vladislav “BadB” Horohorin, the convicted cybercriminal who shared the ChronoPay Confluence data with KrebsOnSecurity. In February 2017, Horohorin was released after serving four years in a U.S. prison for his role in the 2009 theft of more than $9 million from RBS Worldpay. Horohorin said Vrublevsky has been using his knowledge of the card processing networks to extort people in the online gambling industry who may run afoul of Russian laws. “Russia has strict regulations against processing for the gambling business,” Horohorin said. “While Russian banks can’t do it, Ukrainian ones can, so we have Ukrainian banks processing gambling and casinos, which mostly Russian gamblers use. What Pavel does is he blackmails those Ukrainian banks using his connections and knowledge. Some pay, some don’t. But some people are not very tolerant of that kind of abuse.” A native of Donetsk, Ukraine, Horohorin told KrebsOnSecurity he hacked and shared the ChronoPay Confluence installation because Vrublevsky had threatened a family member. Horohorin believes Vrublevsky secretly operated the “bad bank” channel on Telegram, which calls attention to online gambling operations that are violating Visa and MasterCard regulations (violations that can bring the violator hundreds of thousands of dollars in fines). “Pavel scrupulously wrote his diary for a long time, and there is a lot of information on the people he knows,” Horohorin told KrebsOnSecurity. “My understanding is he wrote this in order to blackmail people later. There is a lot of interesting stuff, a lot of names and a lot of very intimate info about Russian card processing market, as well as Pavel’s own escapades.” ChronoPay’s hacked Confluence server contains many diary entries about major players in the Russian online gambling and bookmaking industries. Among the escapades recounted in the ChronoPay founder’s diaries are multiple stories involving the self-proclaimed “King of Fraud!” Aleksandr “Nastra” Zhukov, a Russian national who ran an advertising fraud network dubbed “Methbot” that stole $7 million from publishers through bots made to look like humans watching videos online. The journal explains that Zhukov lived with a ChronoPay employee and had a great deal of interaction with ChronoPay’s high-risk department, so much so that Zhukov at one point gave Vrublevsky a $100,000 jeweled watch as a gift. Zukhov was arrested in Bulgaria in 2018 and extradited to the United States. Following a jury trial in New York that ended last year, Zhukov was sentenced to 10 years in prison. According to the Russian news outlet Kommersant, Vrublevsky and company operated “Inferno Pay,” a payments portal that worked with Hydra, the largest Russian darknet market for illicit goods, including drug trafficking, malware, and counterfeit money and documents. Inferno Pay, a cryptocurrency and payment API allegedly operated by the ChronoPay CEO. “The services of Inferno Pay, whose commission came to 30% of the transaction, were actively used by online casinos,” Kommersant wrote on Mar. 12. The drama surrounding Vrublevsky’s most recent arrest is reminiscent of events leading up to his imprisonment nearly a decade ago, when several years’ worth of ChronoPay internal emails were leaked online. Kommersant said Russian authorities also searched the dwelling of Dmitry Artimovich, a former ChronoPay director who along with his brother Igor was responsible for running the Festi botnet, the same spam botnet that was used for years to pump out junk emails promoting Vrublevsky’s pharmacy affiliate websites. Festi also was the botnet used in the DDoS attack that sent Vrubelvsky to prison for two years in 2013. Artimovich says he had a falling out with Vrublevsky roughly five years ago, and he’s been suing the company ever since. In a message to KrebsOnSecurity, Artimovich said while Vrublevsky was involved in a lot of shady activities, he doubts Vrublevksy’s arrest was really about SMS payment scams as the government claims. “I do not think that it was a reason for his arrest,” Artimovich said. “Our law enforcement usually don’t give a shit about sites like this. And I don’t think that Vrublevsky made much money there. I believe he angered some high-ranking person. Because the scale of the case is much larger than Aeroflot. Police made search of 22 people. Illegal seizure of money, computers.” The Hydra darknet market. Image: bitcoin.com

 Companies to Watch

Bionic, a Palo Alto, CA-based Application Security Posture Management platform, closed a $65m Series B funding. The round was led by Insight Partners with participation from existing investors Cyberstarts and Battery Ventures.

 Identity Theft, Fraud, Scams

A Steam user receives an unsolicited message from a stranger. It may be sent via Steam’s own messenger service, or it could be in a Discord channel. The scammer presents the “offer” as a way to help a fellow Steam enthusiast out.

 Malware and Vulnerabilities

A popular mobile app in the official Google Play store called “Craftsart Cartoon Photo Tools” has racked up more than 100,000 installs – but unfortunately for the app’s enthusiasts, it contains a version of the Facestealer Android malware.

 Trends, Reports, Analysis

These cyber assets could include cloud workloads, devices, network assets, applications, data assets, and users. The average security team is responsible for managing over 165,000 of these, a new report warned.

 Malware and Vulnerabilities

This malware was identified in 2017 and is used exclusively by Arid Viper, an advanced persistent threat (APT) group believed to be based in Gaza and known as APT-C-23. Deep Instinct named the Go-written malware Arid Gopher.

 Breaches and Incidents

New source code for the Russian-based Conti ransomware operation has been leaked on Twitter—as revenge for the ongoing war—by the Ukrainian researcher named Conti Leaks. The source code leak is a Visual Studio solution that can be decompiled easily, thus allowing anyone to compile the code and the decryptor. The recent leak shall help the security community to better understand Conti ransomware operations.

 Trends, Reports, Analysis

Researchers analyzed two recent ransomware attacks by BlackCat and BlackMatter and discovered overlaps in their TTPs. However, one of the representatives of BlackCat had already claimed that the ransomware is not the rebranding of BlackMatter. BlackCat could be playing an important role in helping several groups come together and work as a team.

 Threat Intel & Info Sharing

The FBI issued a joint cybersecurity advisory against AvosLocker ransomware operations aimed at crippling the networks of U.S. critical infrastructure. It has targeted multiple sectors including financial services, critical manufacturing sectors, and government facilities as well. The advisory provides multiple countermeasures to stay protected from AvosLocker ransomware attacks.

 Feed

Ubuntu Security Notice 5341-1 - It was discovered that GNU binutils incorrectly handled checks for memory allocation when parsing relocs in a corrupt file. An attacker could possibly use this issue to cause a denial of service. It was discovered that GNU binutils incorrectly handled certain corrupt DWARF debug   show more ...

sections. An attacker could possibly use this issue to cause GNU binutils to consume memory, resulting in a denial of service.

 Feed

Ubuntu Security Notice 5339-1 - Yiqi Sun and Kevin Wang discovered that the cgroups implementation in the Linux kernel did not properly restrict access to the cgroups v1 release_agent feature. A local attacker could use this to gain administrative privileges. It was discovered that an out-of-bounds memory access flaw   show more ...

existed in the f2fs module of the Linux kernel. A local attacker could use this issue to cause a denial of service.

 Feed

Ubuntu Security Notice 5338-1 - Yiqi Sun and Kevin Wang discovered that the cgroups implementation in the Linux kernel did not properly restrict access to the cgroups v1 release_agent feature. A local attacker could use this to gain administrative privileges. J

 Feed

Ubuntu Security Notice 5337-1 - It was discovered that the BPF verifier in the Linux kernel did not properly restrict pointer types in certain situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Yiqi Sun and Kevin Wang discovered that the cgroups implementation   show more ...

in the Linux kernel did not properly restrict access to the cgroups v1 release_agent feature. A local attacker could use this to gain administrative privileges.

 Feed

Five new security weaknesses have been disclosed in Dell BIOS that, if successfully exploited, could lead to code execution on vulnerable systems, joining the likes of firmware vulnerabilities recently uncovered in Insyde Software's InsydeH2O and HP Unified Extensible Firmware Interface (UEFI). Tracked as CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, and CVE-2022-24421, the

 Feed

Back in 2018, Palo Alto Networks CTO and co-founder Nir Zuk coined a new term to describe the way that businesses needed to approach cybersecurity in the years to come. That term, of course, was extended detection and response (XDR). It described a unified cybersecurity infrastructure that brought endpoint threat detection, network analysis and visibility (NAV), access management, and more under

 Feed

The U.S. government on Monday once again cautioned of potential cyber attacks from Russia in retaliation for economic sanctions imposed by the west on the country following its military assault on Ukraine last month. "It's part of Russia's playbook," U.S. President Joe Biden said in   show more ...

a statement, citing "evolving intelligence that the Russian Government is exploring options." The development

 Feed

Microsoft and authentication services provider Okta said they are investigating claims of a potential breach alleged by the LAPSUS$ extortionist gang. The development, which was first reported by Vice and Reuters, comes after the cyber criminal group posted screenshots and source code of what it said were the companies' internal projects and systems on its Telegram channel. The leaked 37GB

2022-03
Aggregator history
Tuesday, March 22
TUE
WED
THU
FRI
SAT
SUN
MON
MarchAprilMay