Tag: Attacks

Monday.com removes feature after it was abused in phishing attacks

Post author By lisa nichols
Post date May 10, 2024
No Comments on Monday.com removes feature after it was abused in phishing attacks

[ad_1]

Popular project management and collaboration tool Monday.com was forced to disable one of its features after it was abused by a threat actor to send out phishing emails.

The “Share Update” feature allows users to share real-time updates, progress, or important information with team members, or stakeholders. Users can post updates, attach files or images, mention specific team members, and even set up automatic notifications for certain updates.

But a threat actor has now hijacked the feature to send out mass emails to people outside their account, leading to monday.com having to temporarily disable it.

No customer data compromised

The company told BleepingComputer it was made aware of phishing emails seemingly coming from its email accounts. The emails were sent via SendGrid, and were coming from the [email protected] address. They passed SPF, DMARC, and DKIM authentications.

The messages pretended to come from the Human Resources department and asked the recipients to acknowledge the “organization’s workplace sex policy” or submit feedback as part of a “2024 Employee Evaluation.”

In the body of the email was a link, shortened with an URL shortener service, leading to a phishing form hosted on formstack.com. Since the forms have been removed in the meantime, we don’t know what kind of information the attackers were after. We also don’t know how many of these emails were sent.

“Unfortunately, a user misused this feature by sending a phishing message. We promptly suspended this user and removed the feature,” the company confirmed to the publication in a statement. “This feature has no connection to data hosted on monday.com or access to any customer accounts or data. We have reached out and shared precautions with the email recipients of the phishing message.”

Monday.com is a major project management platform, used by the likes of Uber, Canva, Coca-Cola, and others.

Malware attacks on Docker Hub spread millions of malicious repositories

Post author By lisa nichols
Post date May 2, 2024
No Comments on Malware attacks on Docker Hub spread millions of malicious repositories

[ad_1]

Cybersecurity researchers from JFrog recently discovered three malicious campaigns in Docker Hub – Docker’s cloud-based registry service for storing and sharing container images. These campaigns contained millions of repositories that pushed generic trojan malware to the developers.

The conclusion of JFrog’s findings is that with open-source repositories such as Docker Hub, keeping them clean of malware is an immensely difficult task.

As the researchers explained, Docker Hub repositories have two key aspects: the images (an application that can be updated and accessible through a fixed name), and the metadata (short descriptions and documentation in HTML format, which will be displayed on the repository’s main page).

Millions of bad repositories

“Usually, repository documentation aims to explain the purpose of the image and provide guidelines for its usage,” the researchers explained.

However, roughly 4.6 million repositories contained no Docker images, meaning they couldn’t be run using a Kubernetes cluster, or a Docker engine – they were practically useless. They just contained the overview page which tried to trick the developers into visiting phishing websites, or other pages hosting malicious code.

Of the 4.6 million repositories, 2.81 million were linked to three campaigns: “Downloader”, “eBook Phishing”, and “Website SEO”.

In terms of the number of malicious repositories, Downloader was the biggest one, amounting to almost 10% of the entire share (1,453,228 repositories). However, it did not have as many users (9,309) as, for example, Website SEO (194,699). The latter, however, only took up 1.4% of the share, having a “mere” 215,451 repositories.

With 7.1% of the share, eBook Phishing was the second, with 1,069,160 repositories. It only had 1,042 users though.

JFrog disclosed its findings to Docker, which prompted the project to remove the malicious repositories – 3.2 million of them.

“Unlike typical attacks targeting developers and organizations directly, the attackers in this case tried to leverage Docker Hub’s platform credibility, making it more difficult to identify the phishing and malware installation attempts,” JFrog said.

“Almost three million malicious repositories, some of them active for over three years highlight the attackers’ continued misuse of the Docker Hub platform and the need for constant moderation on such platforms.”

Okta says it is facing unprecented levels of attacks

Post author By lisa nichols
Post date April 29, 2024
No Comments on Okta says it is facing unprecented levels of attacks

[ad_1]

Identity and access management company Okta says it is facing an “unprecedented” scale of credential stuffing attacks, looking to breach user accounts of its online services.

Credential stuffing is a type of cyberattack in which threat actors use a previously obtained username/password list and “stuff” them into different services, to see if they can gain access.

It’s basically just trying out different combinations, but by using automation the process is incredibly fast and the attackers can try hundreds of combinations in minutes. The login credentials are usually purchased off the black market in advance.

Mitigations at the edge

Okta suspects that whoever is behind this campaign has also done the same against Cisco’s VPN services earlier this year, as the same infrastructure was used. In all of the attacks, the requests came from the TOR anonymization network as well as different residential proxies.

While only a “small percentage” of customers had these requests proceed to authentication, they all shared similar configurations, the company confirmed. These firms were almost always running on Okta Classic Engine, with ThreatInsight configured in Audit-only mode, as opposed to Log and Enforce mode. What’s more, Authentication policies permitted requests from anonymizing proxies.

In the blog post, Okta provided a set of mitigations for the attacks at the network edge, including going passwordless (Require Okta FastPass and FIDO2 WebAuthn, for example), forcing users into generating stronger passwords, enforcing multi-factor authentication (MFA) on sign-in, denying requests from locations where the organization does not operate, denying authentication requests from IPs with poor reputation, and monitoring for, and responding to, anomalous sign-in behavior.

The blog also announced a new feature for Workforce Identity Cloud and Customer Identity Solution users – the ability to block access requests originating from residential proxies prior to authentication. Residential proxies are IP addresses assigned to real residential locations, often by Internet Service Providers (ISPs).They act as intermediaries between the user and the internet, masking the user’s real IP address and providing anonymity online.

South Korea defense firms hit by North Korean attacks

Post author By lisa nichols
Post date April 23, 2024
No Comments on South Korea defense firms hit by North Korean attacks

[ad_1]

Multiple North Korean state-sponsored hacking groups have been attacking South Korean defense companies for more than a year, stealing login credentials and sensitive data.

A Reuters report, citing South Korea’s law enforcement, claims three major threat actors – Lazarus, Kimsuky, and Andariel, have been going after defense organizations and third-party contractors, planting malicious code in data systems, pulling out passwords and technical information.

The police managed to identify the attackers by tracking their source IP addresses, re-routing architecture of the signals, and the malware signatures.

Lazarus attacks again

The report did not state which organizations were targeted, or what the nature of the data was, but Reuters did hint that South Korea grew into a “major global defense exporter”, with fresh contracts to sell mechanized howitzers, tanks, and fighter jets. The deals were reportedly valued at billions of dollars.

While all three of these threat actors have made headlines before, Lazarus Group is probably the most infamous one. This group was observed targeting cryptocurrency businesses in the west, stealing millions of dollars in crypto tokens, with which the North Korean government apparently finances its nuclear weapons programs.

The biggest crypto heist to happen to this day is the April 2022 breach at the Ronin network, which resulted in the theft of $625 million in various cryptocurrencies. Ronin network is a cryptocurrency bridge developed by the same company behind the hugely popular blockchain-based game, Axie Infinity.

A bridge is a service that allows users to transfer crypto tokens from one network to another.

Besides Ronin, Lazarus Group was also confirmed to be behind the Harmony bridge attack, which happened in June 2022, and resulted in the theft of $100 million.

Apple Warns Users in 92 Countries About Mercenary Spyware Attacks

Post author By miranda cosgrove
Post date April 11, 2024
No Comments on Apple Warns Users in 92 Countries About Mercenary Spyware Attacks

[ad_1]

Apple on Wednesday sent threat notifications to users in 92 countries warning that they may have been targeted by mercenary spyware attacks, likely because of who they are or what they do.

According to TechCrunch, Apple sent the alerts to the individuals at 12 p.m. Pacific Time, delivered via email and iMessage using the contact details associated with the user’s Apple ID. A notification also appears at the top of the page if the user signs into appleid.apple.com.

“Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID -xxx-,” the company wrote in the warning to affected customers. “We are unable to provide more information about what caused us to send you this notification, as that may help mercenary spyware attackers adapt their behavior to evade detection in the future.”

“This attack is likely targeting you specifically because of who you are or what you do. Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning — please take it seriously,” added the warning.

In an updated support document, Apple said it has sent similar threat notifications to users in over 150 countries since 2021. “The extreme cost, sophistication, and worldwide nature of mercenary spyware attacks makes them some of the most advanced digital threats in existence today,” said the company. “As a result, Apple does not attribute the attacks or resulting threat notifications to any specific attackers or geographical regions.”

Last October, Apple sent similar warnings to some journalists and politicians in India. Soon after, nonprofit advocacy group Amnesty International reported that it had found Israeli cyber-arms company NSO Group’s invasive spyware Pegasus on the iPhones of prominent journalists in India. Users in India are among those who received the latest threat notifications, according to people familiar with the matter who spoke to TechCrunch.

The alerts come at a time when many nations are preparing for democratic elections. Apple previously described the attackers as “state-sponsored” in the support document, but has replaced those references with “mercenary spyware attacks.” The warning to customers reads: “Mercenary spyware attacks, such as those using Pegasus from the NSO Group, are exceptionally rare and vastly more sophisticated than regular cybercriminal activity or consumer malware.”

Apple advises those who have received a threat notification to seek expert help, such as the rapid-response emergency security assistance provided by the Digital Security Helpline at the nonprofit Access Now. Apple threat notification recipients can contact the Digital Security Helpline 24 hours a day, seven days a week through their website.

Users who have not received an Apple threat notification but have good reason to believe they may be individually targeted by mercenary spyware attacks are advised to enable Lockdown Mode on their devices for additional protection.

[ad_2]

Source Article Link

Tags Apple, Attacks, countries, Mercenary, Spyware, users, warns

Featured

Cisco alerts users to password-spraying attacks targeting VPN services

Post author By lisa nichols
Post date March 29, 2024
No Comments on Cisco alerts users to password-spraying attacks targeting VPN services

[ad_1]

Networking giant Cisco has warned its users of an ongoing attack against its business VPN services.

In a security advisory, Cisco said it had been notified of an ongoing password-spraying attack against different third-party VPN concentrators.

In this instance, it was Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall that were affected.

Russian attackers

“Depending on your environment, the attacks can cause accounts to be locked, resulting in Denial of Service (DoS)-like conditions,” Cisco explained, saying that the activity appears to be a reconnaissance effort. The threat actors were not named.

Password spraying is a type of attack in which the threat actor tries the same password with multiple accounts, until one combination works.

Listing its set of defenses and mitigations, Cisco recommended enabling logging to a remote syslog server for improved correlation and auditing of network and security incidents across various network devices; securing default remote access VPN profiles by pointing unused default connection profiles to sinkhole AAA servers; leveraging TCP shun to manually bloc dangerous IP addresses, configuring control-place ACLs to block unauthorized public IP addresses from running VPN sessions; and using certificate-based authentication for RAVPN.

Security researcher Aaron Martin claims the attack was likely the work of an undocumented malware botnet named Brutus.

He made the connection after observing the malware’s targeting scope and attack patterns, it was said. In his analysis of the botnet, Martin said it counts some 20,000 IP addresses worldwide. At first, the attacks targeted SSLVPN appliances from Fortinet, Palo Alto, SonicWall, and Cisco, but have since evolved to include web apps using Active Directory for authentication, too.

To avoid raising any flags, Brutus rotates its IPs every six attempts.

Although inconclusive, some evidence points to Brutus being the work of APT29, an infamous Russian state-sponsored threat actor.

Via BleepingComputer

New Zealand government claims it also suffered attacks from Chinese hacking groups

Post author By lisa nichols
Post date March 26, 2024
No Comments on New Zealand government claims it also suffered attacks from Chinese hacking groups

[ad_1]

New Zealand has joined the UK in accusing China of sponsoring hacking groups in their attempts to steal sensitive information from western nations.

The country’s government has pointed the finger at a group tracked as APT40, which has been linked to a breach of the Parliamentary Counsel Office and the Parliamentary Service in 2021, around the same time that the UK suffered a similar attack.

The United States has charged several people linked to a hacking operation that has been ongoing for 14 years and may have affected millions of Americans.

Western condemnation of Beijing-backed hacking scandals

In an announcement of the attack suffered by the New Zealand parliamentary organizations, attorney-general and minister of defense Judith Collins said that the security services had “completed a robust technical assessment following a compromise of the Parliamentary Counsel Office and the Parliamentary Service in 2021, and has attributed this activity to a PRC state-sponsored group known as APT40.”

Collins continued, stating that New Zealand’s Government Communications Security Bureau (GCSB) and National Cyber Security Center (NCSC), “worked with the impacted organizations to contain the activity and remove the actor shortly after they were able to access the network.”

Australia backed up New Zealand’s criticism of China’s involvement in a number of cyberattacks that have targeted western national security, with home affairs minister Claire O’Neill and foreign minister Penny Wong sharing their “serious concerns about malicious cyber activities by China state-backed actors targeting UK democratic institutions and parliamentarians.”

Speaking on the recent spate of accusations against Beijing’s sponsorship of hacking attempts, Don Smith, VP Threat Intelligence, Secureworks Counter Threat Unit (CTU), said, “Chinese state-sponsored cyber espionage is not a new threat. The UK and the US have been calling out these covert operations for several years now. The purpose of cyber espionage from China’s point of view, is to access information that will advance the People’s Republic of China agenda.”

“Over the past couple of years, tired of having their operations rumbled and publicly outed, the Chinese have placed a growing emphasis on stealthy tradecraft in cyber espionage attacks. This is a change in MO from its previous ‘smash and grab’ reputation but it is viewed by the Chinese as a necessary evolution to one, make it harder to get caught and two, make it nearly impossible to attribute an attack to them,” Smith continued.

“Specifically, this has manifested itself in four key areas: Obfuscated networks; Living on the Edge; Living off the Land and Living in the Cloud. Combined these tactics make identification of malicious activity harder, but more importantly make attribution more complicated.”

Via The Register

VR headsets could be hacked in “Inception-esque” attacks — with attackers able to steal your data without you even noticing

[ad_1]

If someone were to infect your Meta Quest VR headset with malware, they could trick you into seeing things in the virtual world which weren’t real, experts have warned.

Academics from Cornell University recently published a paper describing the possibility of hijacking people’s VR sessions and controlling their interactions with internal applications, external servers, and more.

As per the paper, hackers could, in theory, insert what they call an “Inception Layer” between the VR Home Screen and the VR User/Server. For example, the victim could open their banking app in virtual reality, and see their usual balance, while being completely bankrupt in reality. The hackers could also, potentially, trick the victim into initiating a wire transfer, while being completely oblivious to what’s actually going on.

VR phishing

Things can get even more crazy when you throw in generative AI, deepfakes, and other upcoming technology. People could end up thinking they were talking with their friends, coworkers, and bosses, in VR, while being taken for all they have, in the background.

While the threats sound ominous, it’s important to note that the researchers didn’t really explore the possibility of compromising these VR headsets. Whether or not they have a vulnerability that could be exploited this way is unknown at the time. What’s more, there is no proof-of-concept, no malware that could be able to pull such an attack off.

Instead, the researchers were just interested in whether or not people would notice anything was amiss if such an infection did occur.

In total, 27 people were tested to see if they would notice anything strange during their session of Beat Saber. The only visual clue was a little flickering on the home screen before playing the game. In total, 10 people noticed the change, nine of which attributed it to an innocuous system glitch.

In other words, prepare to read about elaborate phishing scams in the metaverse.

Via Tom’s Hardware

How to Protect Your Cryptocurrency Investments from Cyber Attacks

Post author By miranda cosgrove
Post date February 27, 2024
No Comments on How to Protect Your Cryptocurrency Investments from Cyber Attacks

cryptocurrency

Cryptocurrency theft or attack is a serious issue of concern in the digital currency world. In fact, in the latest Statista crypto theft report, $320 million was lost in February 2022 alone and was never recovered. While cryptocurrencies are well known for sophisticated security systems, hackers have always found entryways into these tough security systems to cause mayhem. Whether it’s your first time trading coins or you are an experienced trader, it’s important to learn how to protect your investments. Here are some proven ways to go about it.

Store in a Cold Wallet

One of the main reasons why hackers easily attack and steal cryptocurrency investments is because they’re stored online in hot wallets. Cold wallets are devices that store cryptocurrency private keys offline. Once you buy Bitcoin, for instance, you can hold it in a cold wallet and have the private keys transferred from an internet-connected device to a non-connected or offline device. This way, you minimize attacks on your investments either at a personal or corporate level.

Learn About Latest Cyber Scams

Cyber scams have continued to evolve with every new invention of cybersecurity trends. Scammers and cybercriminals also take advantage of the struggles law enforcers go through globally to curb rising cybercrimes. If you’re a newcomer in this trade, even the oldest of scams can catch you unawares, leaving you counting your losses.

For instance, scammers can easily trick you into revealing your one-time password (OTP) to be used in activating two-factor authentication to access your account. Fraudsters can use different tricks to acquire your OTPs, including the following:

Accessing unmonitored verification forms
Posing as authorized parties
Impersonating you at banks
Sending malware-infiltrated links

Regardless of the nature of the scam, you should be well prepared to avert the threats they carry to remain safe in the long run.

Always Use Secure Internet

It’s important to emphasize that public or widely shared internet protocols are major leeways to various forms of cyber attacks. Even if you use public Wi-Fi for personal use, when it comes to trading and crypto transactions, you must switch to a secure connection. You can use a VPN to add an extra layer of protection over your home or office network just to cover your location and IP address, keeping you secure whenever you browse.

Open Multiple Wallets

Opening multiple wallets can help minimize the magnitude of loss in case you’re attacked, and your investment goes. You can maintain a separate wallet for various activities, like one for active trading, another for online purchases and transactions and another one for storing your investments.

Doing this will help restrict any loss to the account that’s been attacked, leaving the rest safe and intact. If hackers got your wallet information from a website or platform you purchased something from, they could only steal what’s in that account while your other investments remain safe.

Don’t Expose Your Crypto Holdings

Many users are tempted to show the world their trading success in an attempt to woo newcomers into the craft for some commission. Hackers use social media as a fertile ground for gathering user information before launching an attack. You might end up exposing just what they need to gain access to your account and steal everything remaining there.

Protecting your cryptocurrency investments from cyber attacks will demand a lot from you, which means you must remain vigilant anytime you’re transacting. These five crucial tips should help you achieve a smooth run with your investment accounts in the long run.

Image Credit Kanchanara

Filed Under: Guides, Technology News

Latest timeswonderful Deals

Disclosure: Some of our articles include affiliate links. If you buy something through one of these links, timeswonderful may earn an affiliate commission. Learn about our Disclosure Policy.

Tags Attacks, Cryptocurrency, Cyber, Investments, protect