New Malware Campaign Targeting Job Seekers with Cobalt Strike Beacons

A social engineering campaign leveraging job-themed lures is weaponizing a years-old remote code execution flaw in Microsoft Office to deploy Cobalt Strike beacons on compromised hosts.
“The payload discovered is a leaked version of a Cobalt Strike beacon,” Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said in a new analysis published Wednesday.
“The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon’s traffic.”
The malicious activity, discovered in August 2022, attempts to exploit the vulnerability CVE-2017-0199, a remote code execution issue in Microsoft Office, that allows an attacker to take control of an affected system.
The entry vector for the attack is a phishing email containing a Microsoft Word attachment that employs job-themed lures for roles in the U.S. government and Public Service Association, a trade union based in New Zealand.
Cobalt Strike beacons are far from the only payloads deployed: Cisco Talos said it has also observed Redline Stealer and Amadey botnet executables delivered at the end of the attack chain.
Calling the attack methodology “highly modularized,” the cybersecurity company said the activity also stands out for its use of Bitbucket repositories to host malicious content that serves as a starting point for downloading a Windows executable responsible for deploying the Cobalt Strike DLL beacon.
In an alternative attack sequence, the Bitbucket repository functions as a conduit to deliver obfuscated VB and PowerShell downloader scripts to install the beacon hosted on a different Bitbucket account.
“This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim’s system memory,” the researchers said.
“Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker’s attempts in the earlier stage of the attack’s infection chain.”


Five Steps to Mitigate the Risk of Credential Exposure

Every year, billions of credentials appear online, be it on the dark web, clear web, paste sites, or in data dumps shared by cybercriminals. These credentials are often used for account takeover attacks, exposing organizations to breaches, ransomware, and data theft.
While CISOs are aware of growing identity threats and have multiple tools in their arsenal to help reduce the potential risk, the reality is that existing methodologies have proven largely ineffective. According to the 2022 Verizon Data Breach Investigations Report, over 60% of breaches involve compromised credentials.
Attackers use techniques such as social engineering, brute force, and purchasing leaked credentials on the dark web to compromise legitimate identities and gain unauthorized access to victim organizations’ systems and resources.
Adversaries often leverage the fact that some passwords are shared among different users, making it easier to breach multiple accounts in the same organization. Some employees reuse passwords. Others use a shared pattern in their passwords among various websites. An adversary can use cracking techniques and dictionary attacks to overcome password permutations by leveraging a shared pattern, even if the password is hashed. The main challenge to the organization is that hackers only need a single password match to break in.
To effectively mitigate their exposure, given current threat intelligence, organizations need to focus on what is exploitable from the adversary’s perspective.
Here are five steps organizations should take to mitigate credentials exposure:
Gather Leaked Credentials Data
To start addressing the problem, security teams need to collect data on credentials that have been leaked externally in various places, from the open web to the dark web. This can give them an initial indication of the risk to their organization, as well as the individual credentials that need to be updated.
Analyze the Data
From there, security teams need to identify the credentials that could actually lead to security exposures. An attacker would take the username and password combinations (either cleartext or hashed), then try to use them to access services or systems. Security teams should use similar techniques to assess their risks. This includes:

  • Checking if the credentials allow access to the organization’s externally exposed assets, such as web services and databases
  • Attempting to crack captured password hashes
  • Validating matches between leaked credential data and the organization’s identity management tools, such as Active Directory
  • Manipulating the raw data to increase the achieved number of compromised identities. For example, users commonly use the same password patterns. Even if the leaked credentials do not allow access to external-facing assets or match Active Directory entries, it may be possible to find additional matches by testing variations.

Mitigate Credential Exposures
After validating the leaked credentials to identify actual exposures, organizations can take targeted action to mitigate the risk of an attacker doing the same. For instance, they could erase inactive leaked accounts in Active Directory or initiate password changes for active users.
Reevaluate Security Processes
After direct mitigation, security teams should evaluate whether their current processes are safe and make improvements where possible. For instance, if they are dealing with many matched leaked credentials, they may recommend changing the entire password policy across the organization. Similarly, if inactive users are found in Active Directory, it may be beneficial to revisit the employee offboarding process.
Repeat Automatically
Attackers are continuously adopting new techniques. Attack surfaces change, with new identities being added and removed on a routine basis. Similarly, humans will always be prone to accidental mistakes. As a result, a one-time effort to find, validate, and mitigate credential exposures is not enough. To achieve sustainable security in a highly dynamic threat landscape, organizations must continuously repeat this process.
However, resource-constrained security teams cannot afford to manually perform all these steps on a sufficient cadence. The only way to effectively manage the threat is to automate the validation process.
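The five steps above fit together as one validation loop: ingest the leaked data, normalize it, compare it against the directory (including common pattern variations), and turn each match into a concrete action whose aggregate drives the policy review. The Python below is an added example of that loop, not Pentera's product or code; the leaked records, the directory export, its SHA-1 digests (a stand-in for whatever hash the real identity store exposes), the 90-day inactivity threshold and the variant rules are all constructed assumptions.

```python
import hashlib
import re
from datetime import date, timedelta

# Constructed sample of externally leaked credentials, as a leak-monitoring feed might
# return them. Secrets appear either as cleartext or as a SHA-1 hex digest, since dumps
# frequently mix both.
LEAKED = [
    ("alice@example.test", "Winter2021!"),
    ("bob@example.test", hashlib.sha1(b"Summer2022").hexdigest()),
    ("carol@example.test", "hunter2"),
    ("dave@example.test", "Pa55w0rd"),
]

# Constructed export from the organization's identity store (hypothetical shape):
# account -> (SHA-1 of the current password, last logon, enabled flag). Real Active
# Directory stores NT hashes; SHA-1 stands in for whatever digest the directory exposes.
DIRECTORY = {
    "alice": (hashlib.sha1(b"Winter2022!").hexdigest(), date(2022, 9, 20), True),
    "bob":   (hashlib.sha1(b"Summer2022").hexdigest(), date(2022, 3, 1), True),
    "carol": (hashlib.sha1(b"hunter2").hexdigest(), date(2021, 11, 5), True),
    "dave":  (hashlib.sha1(b"Unrelated#9").hexdigest(), date(2022, 9, 25), True),
}

AS_OF = date(2022, 9, 28)            # assessment date for the sample data
INACTIVE_AFTER = timedelta(days=90)  # accounts idle longer than this count as inactive
HEX40 = re.compile(r"^[0-9a-f]{40}$")


def to_digest(secret: str) -> str:
    """Normalize a leaked secret to a SHA-1 hex digest so cleartext and hashed entries compare alike."""
    s = secret.strip()
    if HEX40.match(s.lower()):
        return s.lower()
    return hashlib.sha1(s.encode()).hexdigest()


def variants(cleartext: str) -> set:
    """Pattern variations users commonly apply on forced rotation: bump a year, change the case."""
    out = {cleartext, cleartext.capitalize(), cleartext.lower()}
    m = re.search(r"20\d\d", cleartext)
    if m:
        out.add(cleartext.replace(m.group(0), str(int(m.group(0)) + 1), 1))
    return out


def assess(leaked, directory, today):
    """Validate each leaked credential against the directory and decide the mitigation."""
    findings = []
    for email, secret in leaked:
        account = email.split("@", 1)[0].lower()
        if account not in directory:
            findings.append({"account": account, "match": "unknown_account", "action": "none"})
            continue
        current, last_logon, enabled = directory[account]
        if to_digest(secret) == current:
            match = "exact_match"
        elif (not HEX40.match(secret.strip().lower())
              and current in {to_digest(v) for v in variants(secret)}):
            match = "variant_match"  # only possible when the leak carried cleartext
        else:
            findings.append({"account": account, "match": "no_match", "action": "monitor"})
            continue
        inactive = (not enabled) or (today - last_logon > INACTIVE_AFTER)
        action = "disable_or_remove" if inactive else "force_reset"
        findings.append({"account": account, "match": match, "action": action})
    return findings


def summarize(findings):
    """Counts per action; the share of matched accounts drives the policy review step."""
    counts = {}
    for f in findings:
        counts[f["action"]] = counts.get(f["action"], 0) + 1
    matched = sum(1 for f in findings if f["match"] in ("exact_match", "variant_match"))
    counts["policy_review"] = matched * 2 >= len(findings)  # half or more matched: revisit password policy
    return counts


if __name__ == "__main__":
    results = assess(LEAKED, DIRECTORY, AS_OF)
    for f in results:
        print(f"{f['account']:<8} {f['match']:<16} {f['action']}")
    print(summarize(results))
```

Running this on a schedule (the "repeat automatically" step) is a matter of feeding a fresh leak export and directory snapshot into `assess` and diffing the findings against the previous run; the inactive-account branch is what surfaces offboarding gaps, since a leaked password on an account nobody has used for months is a sign the account should not exist at all.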
Pentera offers one way for organizations to automatically emulate attackers’ techniques, attempting to exploit leaked credentials both externally and inside the network. To close the validation loop, Pentera provides insights into full attack paths, along with actionable remediation steps that allow organizations to efficiently maximize their identity strength.
To find out how Pentera can help you reduce your organization’s risk of inadvertent credential exposure, contact us today to request a demo.


Hackers Aid Protests Against Iranian Government with Proxies, Leaks and Hacks

Several hacktivist groups are using Telegram and other tools to aid anti-government protests in Iran to bypass regime censorship restrictions amid ongoing unrest in the country following the death of Mahsa Amini in custody.
“Key activities are data leaking and selling, including officials’ phone numbers and emails, and maps of sensitive locations,” Israeli cybersecurity firm Check Point said in a new report.
The company said it has also witnessed sharing of proxies and open VPN servers to get around censorship and reports on the internet status in the country, with one group helping the anti-government demonstrators access social media sites.
Chief among them is a Telegram channel called Official Atlas Intelligence Group (AIG) that’s primarily focused on publishing data associated with government officials as well as maps of prominent locations.

Calling itself the “CyberArmy,” the group is said to have commenced its operations in May and has also advertised a wide range of services in the past, such as data leaks, DDoS attacks, and remote access to organizations. It’s also known to voluntarily hunt and dox pedophiles.
According to Cyberint, the cyber mercenary actor also claims to have “connections with people in several law enforcement entities in Europe who can deliver sensitive information about certain individuals exclusively.”
A second group of interest is ARVIN, which consists of about 5,000 members and shares news reports about the ongoing protests along with providing a list of Open VPN servers to circumvent internet blockades.
RedBlue™, a 4,000-member group on Telegram, has also pitched in with similar efforts, in addition to sharing hacking conversations and guides.
Privacy-focused messaging app Signal, for its part, has reached out to its community to set up a proxy that will help people in the country use the service on Android.


New NullMixer Malware Campaign Stealing Users’ Payment Data and Credentials

Cybercriminals are continuing to prey on users searching for cracked software by directing them to fraudulent websites hosting weaponized installers that deploy malware called NullMixer on compromised systems.
“When a user extracts and executes NullMixer, it drops a number of malware files to the compromised machine,” cybersecurity firm Kaspersky said in a Monday report. “It drops a wide variety of malicious binaries to infect the machine with, such as backdoors, bankers, downloaders, spyware, and many others.”
Besides siphoning users’ credentials, address, credit card data, cryptocurrencies, and even Facebook and Amazon account session cookies, what makes NullMixer insidious is its ability to download dozens of trojans at once, significantly widening the scale of the infections.
Attack chains typically start when a user attempts to download cracked software from one of the sites, which leads to a password-protected archive that contains an executable file that, for its part, drops and launches a second setup binary designed to deliver an array of malicious files.
These malicious websites leverage search engine optimization (SEO) poisoning techniques such as keyword stuffing to feature them highly in search engine results. Similar tactics have been adopted by actors behind GootLoader and SolarMarker campaigns.
NullMixer, last month, was linked to the distribution of a rogue Google Chrome extension called FB Stealer, which is capable of Facebook credential theft and search engine substitution.

Some of the other prominent malware families distributed by the dropper include DanaBot and a raft of information-stealing malware such as ColdStealer, PseudoManuscrypt, Raccoon Stealer, Redline Stealer, and Vidar.
Also deployed using NullMixer are trojan downloaders like FormatLoader, GCleaner, LegionLoader (aka Satacom), LgoogLoader, PrivateLoader, SgnitLoader, ShortLoader, and SmokeLoader, as well as the C-Joker cryptocurrency wallet stealer.
Kaspersky said it blocked attempts to infect more than 47,778 victims worldwide, with a majority of the users located in Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey, and the U.S. The threat actor operating NullMixer has not been attributed to a known group.
The latest findings are yet another indication that malware and unwanted applications are being increasingly propagated via pirated software. It’s also recommended to check online accounts regularly for unknown transactions.
“Any download of files from untrustworthy resources is a real game of roulette: you never know when it will fire, and which threat you will get this time,” Kaspersky researcher Haim Zigel said. “Receiving NullMixer, users get several threats at once.”


Ukraine Says Russia Planning Massive Cyberattacks on its Critical Infrastructures

The Ukrainian government on Monday warned of “massive cyberattacks” by Russia targeting critical infrastructure facilities located in the country and that of its allies.
The attacks are said to be targeting the energy sector, the Main Directorate of Intelligence of the Ministry of Defense of Ukraine (GUR) said.
“By the cyberattacks, the enemy will try to increase the effect of missile strikes on electricity supply facilities, primarily in the eastern and southern regions of Ukraine,” the agency said in a brief advisory.
GUR also cautioned of intensified distributed denial-of-service (DDoS) attacks aimed at the critical infrastructure of Ukraine’s closest allies, chiefly Poland and the Baltic states of Estonia, Latvia, and Lithuania.
It’s not immediately clear what prompted the intelligence agency to issue the notice, but Ukraine has been at the receiving end of disruptive and destructive cyberattacks since the onset of the Russo-Ukrainian war earlier this February.
Even prior to that, a Russian state-sponsored group tracked as Sandworm (aka Voodoo Bear) orchestrated the 2015 and 2016 targeting of the Ukrainian power grids, causing over 225,000 Ukrainians to lose electricity during the month of December.
While the first attack involved the use of a revamped variant of a malware called BlackEnergy, the December 2016 intrusions notably made use of a custom malware known as Industroyer (aka CrashOverRide) that’s specifically designed to sabotage critical infrastructure systems.
In the aftermath of the Russian military invasion of Ukraine, the Computer Emergency Response Team (CERT-UA) disclosed in April that it had fielded an attack targeting an unnamed energy provider that utilized an updated version of the Industroyer malware.
Sandworm, for its part, has been most recently observed masquerading as Ukrainian telecom operators such as Datagroup and EuroTransTelecom to deliver payloads like Colibri loader and Warzone RAT.
Microsoft, in June, also notified of rising Russian cyberattacks, stating that threat actors were not only going after government systems, but also prioritizing other sectors as part of its espionage efforts, including think tanks, IT firms, and energy companies.
