FreshRSS

🔒
❌ About FreshRSS
There are new available articles, click to refresh the page.
Before yesterdayYour RSS feeds

Iranian Hackers Target Middle East Policy Experts with New BASICSTAR Backdoor

By Newsroom
The Iranian-origin threat actor known as Charming Kitten has been linked to a new set of attacks aimed at Middle East policy experts with a new backdoor called BASICSTAR by creating a fake webinar portal. Charming Kitten, also called APT35, CharmingCypress, Mint Sandstorm, TA453, and Yellow Garuda, has a history of orchestrating a wide range of social engineering campaigns that cast a

CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability

By Newsroom
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw impacting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to its Known Exploited Vulnerabilities (KEV) catalog, following reports that it's being likely exploited in Akira ransomware attacks. The vulnerability in question is CVE-2020-

U.S. Government Disrupts Russia-Linked Botnet Engaged in Cyber Espionage

By Newsroom
The U.S. government on Thursday said it disrupted a botnet comprising hundreds of small office and home office (SOHO) routers in the country that was put to use by the Russia-linked APT28 actor to conceal its malicious activities. "These crimes included vast spear-phishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S.

Microsoft, OpenAI Warn of Nation-State Hackers Weaponizing AI for Cyber Attacks

By Newsroom
Nation-state actors associated with Russia, North Korea, Iran, and China are experimenting with artificial intelligence (AI) and large language models (LLMs) to complement their ongoing cyber attack operations. The findings come from a report published by Microsoft in collaboration with OpenAI, both of which said they disrupted efforts made by five state-affiliated actors that used its

Alert: CISA Warns of Active 'Roundcube' Email Attacks - Patch Now

By Newsroom
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a medium-severity security flaw impacting Roundcube email software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The issue, tracked as CVE-2023-43770 (CVSS score: 6.1), relates to a cross-site scripting (XSS) flaw that stems from the handling of

Microsoft Warns of Widening APT29 Espionage Attacks Targeting Global Orgs

By Newsroom
Microsoft on Thursday said the Russian state-sponsored threat actors responsible for a cyber attack on its systems in late November 2023 have been targeting other organizations and that it's currently beginning to notify them. The development comes a day after Hewlett Packard Enterprise (HPE) revealed that it had been the victim of an attack perpetrated by a hacking crew

Tech Giant HP Enterprise Hacked by Russian Hackers Linked to DNC Breach

By Newsroom
Hackers with links to the Kremlin are suspected to have infiltrated information technology company Hewlett Packard Enterprise's (HPE) cloud email environment to exfiltrate mailbox data. "The threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,"

Microsoft's Top Execs' Emails Breached in Sophisticated Russia-Linked APT Attack

By Newsroom
Microsoft on Friday revealed that it was the target of a nation-state attack on its corporate systems that resulted in the theft of emails and attachments from senior executives and other individuals in the company's cybersecurity and legal departments. The Windows maker attributed the attack to a Russian advanced persistent threat (APT) group it tracks as Midnight Blizzard (formerly

Why Public Links Expose Your SaaS Attack Surface

By The Hacker News
Collaboration is a powerful selling point for SaaS applications. Microsoft, Github, Miro, and others promote the collaborative nature of their software applications that allows users to do more. Links to files, repositories, and boards can be shared with anyone, anywhere. This encourages teamwork that helps create stronger campaigns and projects by encouraging collaboration among employees

Russian APT28 Hackers Targeting 13 Nations in Ongoing Cyber Espionage Campaign

By Newsroom
The Russian nation-state threat actor known as APT28 has been observed making use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace. IBM X-Force is tracking the adversary under the name ITG05, which is also known as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Sednit, Sofacy, and

How Multi-Stage Phishing Attacks Exploit QRs, CAPTCHAs, and Steganography

By The Hacker News
Phishing attacks are steadily becoming more sophisticated, with cybercriminals investing in new ways of deceiving victims into revealing sensitive information or installing malicious software. One of the latest trends in phishing is the use of QR codes, CAPTCHAs, and steganography. See how they are carried out and learn to detect them. Quishing Quishing, a phishing technique resulting from the

Top 5 Marketing Tech SaaS Security Challenges

By The Hacker News
Effective marketing operations today are driven by the use of Software-as-a-Service (SaaS) applications. Marketing apps such as Salesforce, Hubspot, Outreach, Asana, Monday, and Box empower marketing teams, agencies, freelancers, and subject matter experts to collaborate seamlessly on campaigns and marketing initiatives.  These apps serve as the digital command centers for marketing

Microsoft Warns of Fake Skills Assessment Portals Targeting IT Job Seekers

By Newsroom
A sub-cluster within the infamous Lazarus Group has established new infrastructure that impersonates skills assessment portals as part of its social engineering campaigns. Microsoft attributed the activity to a threat actor it calls Sapphire Sleet, describing it as a "shift in the persistent actor's tactics." Sapphire Sleet, also called APT38, BlueNoroff, CageyChameleon, and CryptoCore, has a

ServiceNow Data Exposure: A Wake-Up Call for Companies

By The Hacker News
Earlier this week, ServiceNow announced on its support site that misconfigurations within the platform could result in “unintended access” to sensitive data. For organizations that use ServiceNow, this security exposure is a critical concern that could have resulted in major data leakage of sensitive corporate data. ServiceNow has since taken steps to fix this issue.  This article fully analyzes

The Fast Evolution of SaaS Security from 2020 to 2024 (Told Through Video)

By The Hacker News
SaaS Security’s roots are in configuration management. An astounding 35% of all security breaches begin with security settings that were misconfigured. In the past 3 years, the initial access vectors to SaaS data have widened beyond misconfiguration management. “SaaS Security on Tap” is a new video series that takes place in Eliana V's bar making sure that the only thing that leaks is beer (

The Rise of the Malicious App

By The Hacker News
Security teams are familiar with threats emanating from third-party applications that employees add to improve their productivity. These apps are inherently designed to deliver functionality to users by connecting to a “hub” app, such as Salesforce, Google Workspace, or Microsoft 365. Security concerns center on the permission scopes that are granted to the third party apps, and the potential

7 Steps to Kickstart Your SaaS Security Program

By The Hacker News
SaaS applications are the backbone of modern businesses, constituting a staggering 70% of total software usage. Applications like Box, Google Workplace, and Microsoft 365 are integral to daily operations. This widespread adoption has transformed them into potential breeding grounds for cyber threats. Each SaaS application presents unique security challenges, and the landscape constantly evolves

Identity Threat Detection and Response: Rips in Your Identity Fabric

By The Hacker News
Why SaaS Security Is a Challenge In today's digital landscape, organizations are increasingly relying on Software-as-a-Service (SaaS) applications to drive their operations. However, this widespread adoption has also opened the doors to new security risks and vulnerabilities. The SaaS security attack surface continues to widen. It started with managing misconfigurations and now requires a

How to Protect Patients and Their Privacy in Your SaaS Apps

By The Hacker News
The healthcare industry is under a constant barrage of cyberattacks. It has traditionally been one of the most frequently targeted industries, and things haven’t changed in 2023. The U.S. Government’s Office for Civil Rights reported 145 data breaches in the United States during the first quarter of this year. That follows 707 incidents a year ago, during which over 50 million records were

Global Retailers Must Keep an Eye on Their SaaS Stack

By The Hacker News
Brick-and-mortar retailers and e-commerce sellers may be locked in a fierce battle for market share, but one area both can agree on is the need to secure their SaaS stack. From communications tools to order management and fulfillment systems, much of today's critical retail software lives in SaaS apps in the cloud. Securing those applications is crucial to ongoing operations, chain management,

SaaS in the Real World: How Global Food Chains Can Secure Their Digital Dish

By The Hacker News
The Quick Serve Restaurant (QSR) industry is built on consistency and shared resources. National chains like McDonald's and regional ones like Cracker Barrel grow faster by reusing the same business model, decor, and menu, with little change from one location to the next.  QSR technology stacks mirror the consistency of the front end of each store. Despite each franchise being independently

The Annual Report: 2024 Plans and Priorities for SaaS Security

By The Hacker News
Over 55% of security executives report that they have experienced a SaaS security incident in the past two years — ranging from data leaks and data breaches to SaaS ransomware and malicious apps (as seen in figures 1 and 2). Figure 1. How many organizations have experienced a SaaS security incident within the past two years The SaaS Security Survey Report: Plans and Priorities for 2024,

CAPTCHA-Breaking Services with Human Solvers Helping Cybercriminals Defeat Security

By Ravie Lakshmanan
Cybersecurity researchers are warning about CAPTCHA-breaking services that are being offered for sale to bypass systems designed to distinguish legitimate users from bot traffic. "Because cybercriminals are keen on breaking CAPTCHAs accurately, several services that are primarily geared toward this market demand have been created," Trend Micro said in a report published last week. "These

What's the Difference Between CSPM & SSPM?

By The Hacker News
Cloud Security Posture Management (CSPM) and SaaS Security Posture Management (SSPM) are frequently confused. The similarity of the acronyms notwithstanding, both security solutions focus on securing data in the cloud. In a world where the terms cloud and SaaS are used interchangeably, this confusion is understandable. This confusion, though, is dangerous to organizations that need to secure

Think Before You Share the Link: SaaS in the Real World

By The Hacker News
Collaboration sits at the essence of SaaS applications. The word, or some form of it, appears in the top two headlines on Google Workspace’s homepage. It can be found six times on Microsoft 365’s homepage, three times on Box, and once on Workday. Visit nearly any SaaS site, and odds are ‘collaboration’ will appear as part of the app’s key selling point.  By sitting on the cloud, content within

Where SSO Falls Short in Protecting SaaS

By The Hacker News
Single sign-on (SSO) is an authentication method that allows users to authenticate their identity for multiple applications with just one set of credentials. From a security standpoint, SSO is the gold standard. It ensures access without forcing users to remember multiple passwords and can be further secured with MFA. Furthermore, an estimated 61% of attacks stem from stolen credentials. By

How to Apply NIST Principles to SaaS in 2023

By The Hacker News
The National Institute of Standards and Technology (NIST) is one of the standard-bearers in global cybersecurity. The U.S.-based institute’s cybersecurity framework helps organizations of all sizes understand, manage, and reduce their cyber-risk levels and better protect their data. Its importance in the fight against cyberattacks can’t be overstated. While NIST hasn’t directly developed

How to Tackle the Top SaaS Challenges of 2023

By The Hacker News
Are you prepared to tackle the top SaaS challenges of 2023? With high-profile data breaches affecting major companies like Nissan and Slack, it's clear that SaaS apps are a prime target for cyberattacks. The vast amounts of valuable information stored in these apps make them a goldmine for hackers. But don't panic just yet. With the right knowledge and tools, you can protect your company's

Researchers Link SideWinder Group to Dozens of Targeted Attacks in Multiple Countries

By Ravie Lakshmanan
The prolific SideWinder group has been attributed as the nation-state actor behind attempted attacks against 61 entities in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka between June and November 2021. Targets included government, military, law enforcement, banks, and other organizations, according to an exhaustive report published by Group-IB, which also found links between the adversary

SaaS in the Real World: Who's Responsible to Secure this Data?

By The Hacker News
When SaaS applications started growing in popularity, it was unclear who was responsible for securing the data. Today, most security and IT teams understand the shared responsibility model, in which the SaaS vendor is responsible for securing the application, while the organization is responsible for securing their data.  What’s far murkier, however, is where the data responsibility lies on the

ESET APT Activity Report T3 2022

By Jean-Ian Boutin

An overview of the activities of selected APT groups investigated and analyzed by ESET Research in T3 2022

The post ESET APT Activity Report T3 2022 appeared first on WeLiveSecurity

Why Do User Permissions Matter for SaaS Security?

By The Hacker News
Earlier this year, threat actors infiltrated Mailchimp, the popular SaaS email marketing platform. They viewed over 300 Mailchimp customer accounts and exported audience data from 102 of them. The breach was preceded by a successful phishing attempt and led to malicious attacks against Mailchimp’s customers’ end users. Three months later, Mailchimp was hit with another attack. Once again, an

Hackers Using CAPTCHA Bypass Tactics in Freejacking Campaign on GitHub

By Ravie Lakshmanan
A South Africa-based threat actor known as Automated Libra has been observed employing CAPTCHA bypass techniques to create GitHub accounts in a programmatic fashion as part of a freejacking campaign dubbed PURPLEURCHIN. The group "primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their crypto mining operations," Palo Alto Networks Unit 42

Top 4 SaaS Security Threats for 2023

By The Hacker News
With 2022 coming to a close, there is no better time to buckle down and prepare to face the security challenges in the year to come. This past year has seen its fair share of breaches, attacks, and leaks, forcing organizations to scramble to protect their SaaS stacks. March alone saw three different breaches from Microsoft, Hubspot, and Okta.  With SaaS sprawl ever growing and becoming more

Iranian Hackers Strike Diamond Industry with Data-Wiping Malware in Supply-Chain Attack

By Ravie Lakshmanan
An Iranian advanced persistent threat (APT) actor known as Agrius has been attributed as behind a set of data wiper attacks aimed at diamond industries in South Africa, Israel, and Hong Kong. The wiper, referred to as Fantasy by ESET, is believed to have been delivered via a supply-chain attack targeting an Israeli software suite developer as part of a campaign that began in February 2022.

Chinese Hackers Target Middle East Telecoms in Latest Cyber Attacks

By Ravie Lakshmanan
A malicious campaign targeting the Middle East is likely linked to BackdoorDiplomacy, an advanced persistent threat (APT) group with ties to China. The espionage activity, directed against a telecom company in the region, is said to have commenced on August 19, 2021 through the successful exploitation of ProxyShell flaws in the Microsoft Exchange Server. Initial compromise leveraged binaries

New Flaw in Acer Laptops Could Let Attackers Disable Secure Boot Protection

By Ravie Lakshmanan
Acer has released a firmware update to address a security vulnerability that could be potentially weaponized to turn off UEFI Secure Boot on affected machines. Tracked as CVE-2022-4020, the high-severity vulnerability affects five different models that consist of Aspire A315-22, A115-21, and A315-22G, and Extensa EX215-21 and EX215-21G. <!--adsense--> The PC maker described the vulnerability as

New "Earth Longzhi" APT Targets Ukraine and Asian Countries with Custom Cobalt Strike Loaders

By Ravie Lakshmanan
Entities located in East and Southeast Asia as well as Ukraine have been targeted at least since 2020 by a previously undocumented subgroup of APT41, a prolific Chinese advanced persistent threat (APT). Cybersecurity firm Trend Micro, which christened the espionage crew Earth Longzhi, said the actor's long-running campaign can be split into two based on the toolset deployed to attack its victims

ESET APT Activity Report T2 2022

By Jean-Ian Boutin

An overview of the activities of selected APT groups investigated and analyzed by ESET Research in T2 2022

The post ESET APT Activity Report T2 2022 appeared first on WeLiveSecurity

Why Identity & Access Management Governance is a Core Part of Your SaaS Security

By The Hacker News
Every SaaS app user and login is a potential threat; whether it's bad actors or potential disgruntled former associates, identity management and access control is crucial to prevent unwanted or mistaken entrances to the organization's data and systems.  Since enterprises have thousands to tens of thousands of users, and hundreds to thousands of different apps, ensuring each entrance point and

Critical Flaw Reported in Move Virtual Machine Powering the Aptos Blockchain Network

By Ravie Lakshmanan
Researchers have disclosed details about a now-patched critical flaw in the Move virtual machine that powers the Aptos blockchain network. The vulnerability "can cause Aptos nodes to crash and cause denial of service," Singapore-based Numen Cyber Labs said in a technical write-up published earlier this month. Aptos is a new entrant to the blockchain space, which launched its mainnet on October

Researchers Detail Malicious Tools Used by Cyber Espionage Group Earth Aughisky

By Ravie Lakshmanan
A new piece of research has detailed the increasingly sophisticated nature of the malware toolset employed by an advanced persistent threat (APT) group named Earth Aughisky. "Over the last decade, the group has continued to make adjustments in the tools and malware deployments on specific targets located in Taiwan and, more recently, Japan," Trend Micro disclosed in a technical profile last week

The Ultimate SaaS Security Posture Management Checklist, 2023 Edition

By The Hacker News
It's been a year since the release of The Ultimate SaaS Security Posture Management (SSPM) Checklist. If SSPM is on your radar, here's the 2023 checklist edition, which covers the critical features and capabilities when evaluating a solution. The ease with which SaaS apps can be deployed and adopted today is remarkable, but it has become a double-edged sword. On the one hand, apps are quickly

Hackers Using PowerPoint Mouseover Trick to Infect Systems with Malware

By Ravie Lakshmanan
The Russian state-sponsored threat actor known as APT28 has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware. The technique "is designed to be triggered when the user starts the presentation mode and moves the mouse," cybersecurity firm Cluster25 said in a technical report. "The code execution runs a

Researchers Identify 3 Hacktivist Groups Supporting Russian Interests

By Ravie Lakshmanan
At least three alleged hacktivist groups working in support of Russian interests are likely doing so in collaboration with state-sponsored cyber threat actors, according to Mandiant. The Google-owned threat intelligence and incident response firm said with moderate confidence that "moderators of the purported hacktivist Telegram channels 'XakNet Team,' 'Infoccentr,' and 'CyberArmyofRussia_Reborn

High-Severity Firmware Security Flaws Left Unpatched in HP Enterprise Devices

By Ravie Lakshmanan
A number of firmware security flaws uncovered in HP's business-oriented high-end notebooks continue to be left unpatched in some devices even months after public disclosure. Binarly, which first revealed details of the issues at the Black Hat USA conference in mid-August 2022, said the vulnerabilities "can't be detected by firmware integrity monitoring systems due to limitations of the Trusted

Microsoft Uncovers New Post-Compromise Malware Used by Nobelium Hackers

By Ravie Lakshmanan
The threat actor behind the SolarWinds supply chain attack has been linked to yet another "highly targeted" post-exploitation malware that could be used to maintain persistent access to compromised environments. Dubbed MagicWeb by Microsoft's threat intelligence teams, the development reiterates Nobelium's commitment to developing and maintaining purpose-built capabilities. Nobelium is the tech

Who Has Control: The SaaS App Admin Paradox

By The Hacker News
Imagine this: a company-wide lockout to the company CRM, like Salesforce, because the organization's external admin attempts to disable MFA for themselves. They don't think to consult with the security team and don't consider the security implications, only the ease which they need for their team to use their login.  This CRM, however, defines MFA as a top-tier security setting; for example,

Hackers Use Evilnum Malware to Target Cryptocurrency and Commodities Platforms

By Ravie Lakshmanan
The advanced persistent threat (APT) actor tracked as Evilnum is once again exhibiting signs of renewed activity aimed at European financial and investment entities. "Evilnum is a backdoor that can be used for data theft or to load additional payloads," enterprise security firm Proofpoint said in a report shared with The Hacker News. "The malware includes multiple interesting components to evade

Manual vs. SSPM: Research on What Streamlines SaaS Security Detection & Remediation

By The Hacker News
When it comes to keeping SaaS stacks secure, IT and security teams need to be able to streamline the detection and remediation of misconfigurations in order to best protect their SaaS stack from threats. However, while companies adopt more and more apps, their increase in SaaS security tools and staff has lagged behind, as found in the 2022 SaaS Security Survey Report.  The survey report,

7 Key Findings from the 2022 SaaS Security Survey Report

By The Hacker News
The 2022 SaaS Security Survey Report, in collaboration with CSA, examines the state of SaaS security as seen in the eyes of CISOs and security professionals in today's enterprises. The report gathers anonymous responses from 340 CSA members to examine not only the growing risks in SaaS security but also how different organizations are currently working to secure themselves. Demographics The

Experts Uncover New Espionage Attacks by Chinese 'Mustang Panda' Hackers

By Ravie Lakshmanan
The China-based threat actor known as Mustang Panda has been observed refining and retooling its tactics and malware to strike entities located in Asia, the European Union, Russia, and the U.S. "Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves," Cisco Talos said in a new report detailing

Microsoft Obtains Court Order to Take Down Domains Used to Target Ukraine

By Ravie Lakshmanan
Microsoft on Thursday disclosed that it obtained a court order to take control of seven domains used by APT28, a state-sponsored group operated by Russia's military intelligence service, with the goal of neutralizing its attacks on Ukraine. "We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium's current use of these domains and enable

Into the Breach: Breaking Down 3 SaaS App Cyber Attacks in 2022

By The Hacker News
During the last week of March, three major tech companies - Microsoft, Okta, and HubSpot - reported significant data breaches. DEV-0537, also known as LAPSUS$, performed the first two. This highly sophisticated group utilizes state-of-the-art attack vectors to great success. Meanwhile, the group behind the HubSpot breach was not disclosed. This blog will review the three breaches based on

The Original APT: Advanced Persistent Teenagers

By BrianKrebs

Many organizations are already struggling to combat cybersecurity threats from ransomware purveyors and state-sponsored hacking groups, both of which tend to take days or weeks to pivot from an opportunistic malware infection to a full blown data breach. But few organizations have a playbook for responding to the kinds of virtual “smash and grab” attacks we’ve seen recently from LAPSUS$, a juvenile data extortion group whose short-lived, low-tech and remarkably effective tactics have put some of the world’s biggest corporations on edge.

Since surfacing in late 2021, LAPSUS$ has gained access to the networks or contractors for some of the world’s largest technology companies, including Microsoft, NVIDIA, Okta and Samsung. LAPSUS$ typically threatens to release sensitive data unless paid a ransom, but with most victims the hackers ended up publishing any information they stole (mainly computer source code).

Microsoft blogged about its attack at the hands of LAPSUS$, and about the group targeting its customers. It found LAPSUS$ used a variety of old-fashioned techniques that seldom show up in any corporate breach post-mortems, such as:

-targeting employees at their personal email addresses and phone numbers;
-offering to pay $20,000 a week to employees who give up remote access credentials;
-social engineering help desk and customer support employees at targeted companies;
-bribing/tricking employees at mobile phone stores to hijack a target’s phone number;
-intruding on their victims’ crisis communications calls post-breach.

If these tactics sound like something you might sooner expect from spooky, state-sponsored “Advanced Persistent Threat” or APT groups, consider that the core LAPSUS$ members are thought to range in age from 15 to 21. Also, LAPSUS$ operates on a shoestring budget and is anything but stealthy: According to Microsoft, LAPSUS$ doesn’t seem to cover its tracks or hide its activity. In fact, the group often announces its hacks on social media.

ADVANCED PERSISTENT TEENAGERS

This unusual combination makes LAPSUS$ something of an aberration that is probably more aptly referred to as “Advanced Persistent Teenagers,” said one CXO at a large organization that recently had a run-in with LAPSUS$.

“There is a lot of speculation about how good they are, tactics et cetera, but I think it’s more than that,” said the CXO, who spoke about the incident on condition of anonymity. “They put together an approach that industry thought suboptimal and unlikely. So it’s their golden hour.”

LAPSUS$ seems to have conjured some worst-case scenarios in the minds of many security experts, who worry what will happen when more organized cybercriminal groups start adopting these techniques.

“LAPSUS$ has shown that with only $25,000, a group of teenagers could get into organizations with mature cybersecurity practices,” said Amit Yoran, CEO of security firm Tenable and a former federal cybersecurity czar, testifying last week before the House Homeland Security Committee. “With much deeper pockets, focus, and mission, targeting critical infrastructure. That should be a sobering, if not terrifying, call to action.”

My CXO source said LAPSUS$ succeeds because they simply refuse to give up, and just keep trying until someone lets them in.

“They would just keep jamming a few individuals to get [remote] access, read some onboarding documents, enroll a new 2FA [two-factor authentication method] and exfiltrate code or secrets, like a smash-and-grab,” the CXO said. “These guys were not leet, just damn persistent.”

HOW DID WE GET HERE?

The smash-and-grab attacks by LAPSUS$ obscure some of the group’s less public activities, which according to Microsoft include targeting individual user accounts at cryptocurrency exchanges to drain crypto holdings.

In some ways, the attacks from LAPSUS$ recall the July 2020 intrusion at Twitter, wherein the accounts for Apple, Bill Gates, Jeff Bezos, Kanye West, Uber and others were made to tweet messages inviting the world to participate in a cryptocurrency scam that promised to double any amount sent to specific wallets. The flash scam netted the perpetrators more than $100,000 in the ensuing hours.

The group of teenagers who hacked Twitter hailed from a community that traded in hacked social media accounts. This community places a special premium on accounts with short “OG” usernames, and some of its most successful and notorious members were known to use all of the methods Microsoft attributed to LAPSUS$ in the service of hijacking prized OG accounts.

The Twitter hackers largely pulled it off by brute force, writes Wired on the July 15, 2020 hack.

“Someone was trying to phish employee credentials, and they were good at it,” Wired reported. “They were calling up consumer service and tech support personnel, instructing them to reset their passwords. Many employees passed the messages onto the security team and went back to business. But a few gullible ones—maybe four, maybe six, maybe eight—were more accommodating. They went to a dummy site controlled by the hackers and entered their credentials in a way that served up their usernames and passwords as well as multifactor authentication codes.”

Twitter revealed that a key tactic of the group was “phone spear phishing” (a.k.a. “voice phishing” a.k.a. “vishing”). This involved calling up Twitter staffers using false identities, and tricking them into giving up credentials for an internal company tool that let the hackers reset passwords and multi-factor authentication setups for targeted users.

In August 2020, KrebsOnSecurity warned that crooks were using voice phishing to target new hires at major companies, impersonating IT employees and asking them to update their VPN client or log in at a phishing website that mimicked their employer’s VPN login page.

Two days after that story ran, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) issued their own warning on vishing, saying the attackers typically compiled dossiers on employees at specific companies by mass-scraping public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research. The joint FBI/CISA alert continued:

“Actors first began using unattributed Voice over Internet Protocol (VoIP) numbers to call targeted employees on their personal cellphones, and later began incorporating spoofed numbers of other offices and employees in the victim company. The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee.”

“The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA [2-factor authentication] or OTP [one-time passwords]. The actor logged the information provided by the employee and used it in real-time to gain access to corporate tools using the employee’s account.”

Like LAPSUS$, these vishers just kept up their social engineering attacks until they succeeded. As KrebsOnSecurity wrote about the vishers back in 2020:

“It matters little to the attackers if the first few social engineering attempts fail. Most targeted employees are working from home or can be reached on a mobile device. If at first the attackers don’t succeed, they simply try again with a different employee.”

“And with each passing attempt, the phishers can glean important details from employees about the target’s operations, such as company-specific lingo used to describe its various online assets, or its corporate hierarchy.”

“Thus, each unsuccessful attempt actually teaches the fraudsters how to refine their social engineering approach with the next mark within the targeted organization.”

SMASH & GRAB

The primary danger with smash-and-grab groups like LAPSUS$ is not just their persistence but their ability to extract the maximum amount of sensitive information from their victims using compromised user accounts that typically have a short lifespan. After all, in many attacks, the stolen credentials are useful only so long as the impersonated employee isn’t also trying to use them.

This dynamic puts tremendous pressure on cyber incident response teams, which suddenly are faced with insiders who are trying frantically to steal everything of perceived value within a short window of time. On top of that, LAPSUS$ has a habit of posting screenshots on social media touting its access to internal corporate tools. These images and claims quickly go viral and create a public relations nightmare for the victim organization.

Single sign-on provider Okta experienced this firsthand last month, when LAPSUS$ posted screenshots that appeared to show Okta’s Slack channels and another with a Cloudflare interface. Cloudflare responded by resetting its employees’ Okta credentials.

Okta quickly came under fire for posting only a brief statement that said the screenshots LAPSUS$ shared were connected to a January 2022 incident involving the compromise of “a third-party customer support engineer working for one of our subprocessors,” and that “the matter was investigated and contained by the subprocessor.”

This assurance apparently did not sit well with many Okta customers, especially after LAPSUS$ began posting statements that disputed some of Okta’s claims. On March 25, Okta issued an apology for its handling of the January breach at a third-party support provider, which ultimately affected hundreds of its customers.

My CXO source said the lesson from LAPSUS$ is that even short-lived intrusions can have a long-term negative impact on victim organizations — especially when victims are not immediately forthcoming about the details of a security incident that affects customers.

“It does force us to think about insider access differently,” the CXO told KrebsOnSecurity. “Nation states have typically wanted longer, more strategic access; ransomware groups want large lateral movement. LAPSUS$ doesn’t care, it’s more about, ‘What can these 2-3 accounts get me in the next 6 hours?’ We haven’t optimized to defend that.”

Any organizations wondering what they can do to harden their systems against attacks from groups like LAPSUS$ should consult Microsoft’s recent blog post on the group’s activities, tactics and tools. Microsoft’s guidance includes recommendations that can help prevent account takeovers or at least mitigate the impact from stolen employee credentials.

Researchers Trace Widespread Espionage Attacks Back to Chinese 'Cicada' Hackers

By Ravie Lakshmanan
A Chinese state-backed advanced persistent threat (APT) group known for singling out Japanese entities has been attributed to a new long-running espionage campaign targeting new geographies, suggesting a "widening" of the threat actor's targeting. The widespread intrusions, which are believed to have commenced at the earliest in mid-2021 and continued as recently as February 2022, have been tied

Typo 1: VulnHub CTF walkthrough (part 2)

By LetsPen Test

Introduction In the previous article, Part 1 of this CTF, we were able to complete the following steps on the victim machine: Getting the target machine IP address by running the VM Getting open port details by using the Nmap tool Enumerating HTTP port 80 service with Dirb utility Enumerating HTTP port 8000 and 8080 […]

The post Typo 1: VulnHub CTF walkthrough (part 2) appeared first on Infosec Resources.


Typo 1: VulnHub CTF walkthrough (part 2) was first posted on October 22, 2020 at 8:06 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Typo 1: VulnHub CTF walkthrough (part 1)

By LetsPen Test

In this article, we will solve a Capture the Flag (CTF) challenge that was posted on the VulnHub website by an author named Akanksha Sachin Verma. As per the description given by the author, it is an intermediate-level challenge. The goal is to get root access of the machine and read the root flag. You […]

The post Typo 1: VulnHub CTF walkthrough (part 1) appeared first on Infosec Resources.


Typo 1: VulnHub CTF walkthrough (part 1) was first posted on October 19, 2020 at 8:06 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Source 1: VulnHub CTF walkthrough

By LetsPen Test

In this article, we will solve a Capture the Flag (CTF) challenge that was posted on the VulnHub website by an author named darkstar7471. Per the description given by the author, this is an entry-level CTF. The target of this CTF is to get to the root of the machine and read the flag file. […]

The post Source 1: VulnHub CTF walkthrough appeared first on Infosec Resources.


Source 1: VulnHub CTF walkthrough was first posted on October 15, 2020 at 8:05 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Hack the Box (HTB) machines walkthrough series — Cascade (Part 1)

By Security Ninja

Today, we will be continuing with our exploration of Hack the Box (HTB) machines, as seen in previous articles. This walkthrough is the first half of an HTB machine named Cascade. HTB is an excellent platform that hosts machines belonging to multiple OSes. It also has some other challenges as well. Individuals have to solve […]

The post Hack the Box (HTB) machines walkthrough series — Cascade (Part 1) appeared first on Infosec Resources.


Hack the Box (HTB) machines walkthrough series — Cascade (Part 1) was first posted on October 5, 2020 at 8:05 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com
❌