Tag: hackers

Use iPhone to change website passwords that hackers stole

Post author By miranda cosgrove
Post date May 2, 2024
No Comments on Use iPhone to change website passwords that hackers stole

[ad_1]

It’s World Password Day, and that’s a good opportunity to do something you’ve probably been procrastinating about: Replace your website passwords that hackers stole because of some company’s lax security. Fortunately, your Apple devices make it easy to find out which of your passwords leaked so you can change them.

Fix a potentially serious problem now, before something bad happens..

iCloud Keychain helps you deal with too many passwords

If you’re like me, you probably use unique passwords to log in to hundreds of websites and apps. I have so many I can’t conveniently count them – I stopped at 100 and was still near the top of the list.

Apple makes it easy to store and use your passwords with iCloud Keychain. With it, your Apple device (iPhone, Mac, etc.) remembers passwords for you, and automatically inserts them into websites and apps. All you have to do is verify your identity with Face ID or Touch ID.

This makes it easy for you to use strong passwords and change them periodically, because you never need to remember them. Your computer remembers for you.

But if you don’t ever change passwords, you’re opening yourself up to a criminal using your password to, say, buy a bunch of products on Amazon. Or simply empty your bank accounts.

How to find and change passwords compromised by data breaches

How to find hacked passwords on your iPhone — Go to the Passwords section of Settings, see the Security Recommendations, then tap Change Password on Website.
Graphic: Ed Hardy/Cult of Mac

Beyond simply storing them, your Apple device also will warn you if passwords in your iCloud Keychain have been compromised by a data leak. It’s easy to find which ones need to be updated.

This feature is available on iPhone, iPad and Mac. (I’m using iPhone for my example.) And you must be using iCloud Keychain, but that’s something Apple urges you to turn on whenever you set up a new device.

Go to Settings > Passwords. You’ll need to go through Face ID or Touch ID to open this section, of course.

Then look for the Security Recommendations section. Next to this is probably a number. This is how many security problems Keychain has found in your password list. You’ll note I have 184 – I need to take my own advice and update some passwords.

Tap on Security Recommendations to open a list of websites and applications for which your passwords have problems. You are told why for each one, with “this password has appeared in a data leak” being the most common reason.

You have the option to tap on each website for a more detailed description of the security problems. This might include a scolding on reusing passwords.

For each password, you are given the option to Change Password on Website.

An example of changing a Google password via iCloud Keychain

To give you an example of how easy this is, I’ll change the password for one of my Google accounts when going through Passwords in Settings.

While looking at the list of Security Recommendations, I hit Change Password on Website, which opens the Google sign-on screen. I have to sign in to the Google account before I can change the password, obviously. There’s no problem because iCloud Keychain has the user name and current password stored.

Google wants me to go through two-factor authentication so it texts me a code. After I supply this, the screen to enter a new password opens.

The Safari browser is smart enough to figure out that I want to create a new password and automatically suggests a strong one.

Keychain then asks if I should store the new password. I tell it to do so.

And that’s it. The process is very similar with other sites. Or you could just take the iCloud Keychain as a warning and switch over to your favorite web browser, go to the website, and update the password there.

Change passwords the easy way: You’ll be glad you did

I get it – changing passwords is kind of a hassle. I’m the guy with 184 security warnings, after all. But it’s worth it.

Any day you discover someone has used one of your leaked passwords to steal money from you is a bad day. Changing your passwords goes a long way toward preventing that.

[ad_2]

Source Article Link

Tags Change, hackers, iPhone, passwords, Stole, Website

Featured

Hackers of all kinds are attacking routers across the world

Post author By lisa nichols
Post date May 2, 2024
No Comments on Hackers of all kinds are attacking routers across the world

[ad_1]

When hackers find a vulnerable router, they compromise it by installing malware that grants persistence, the ability to run distributed denial of service (DDoS) attacks, hide malicious traffic, and more. But what happens when the hackers find a router that was already compromised by a rival gang?

Cybersecurity researchers from Trend Micro published a report that found that one of two things happen: either one group allows the other one to use the compromised infrastructure for a fee, or they each find a different way to break into the device and they use them simultaneously.

Trend Micro’s researchers made an example out of Ubiquity’s EdgeRouters, internet routers that were abused by a handful of hacking groups at the same time, some being state-sponsored, and others being financially-driven.

Shared co-working spaces

“Cybercriminals and Advanced Persistent Threat (APT) actors share a common interest in proxy anonymization layers and Virtual Private Network (VPN) nodes to hide traces of their presence and make detection of malicious activities more difficult,” the researchers explained. “This shared interest results in malicious internet traffic blending financial and espionage motives.”

When it comes to Ubiquity, Trend Micro researchers said they observed the endpoints being used by the APT28 threat actor for “persistent espionage campaigns.” APT28 is a Russian state-sponsored group, also known as Fancy Bear, or Pawn Storm. At the same time, they also saw a financially motivated group called the Canadian Pharmacy gang, using the same infrastructure to mount pharma-related phishing campaigns. Finally, they observed the Ngioweb malware being loaded directly into the memory of these devices – malware that was attributed to the Ramnit group.

EdgeRouters were a popular target mostly because the victims kept them either poorly defended, or entirely undefended. However, they don’t stand out much from other routers, which are all an equally popular asset for hackers. This is because generally they have reduced security monitoring, less stringent password policies, are rarely updated, and run on powerful operating systems that can be used for a wide number of things, Trend Micro concluded.

Hackers attempt to hijack a major WordPress plugin that could allow for site takeovers

Post author By lisa nichols
Post date April 27, 2024
No Comments on Hackers attempt to hijack a major WordPress plugin that could allow for site takeovers

[ad_1]

A critical vulnerability recently discovered in a popular WordPress plugin, is being actively abused in the wild, researchers have said, with hackers potentially able to use the flaw to fully take over a victim’s website.

WordPress security firm Patchstack first discovered an SQL injection (SQLi) vulnerability in the WP‑Automatic plugin, in mid-March 2024.

WP-Automatic is a WordPress plugin designed to automate the process of importing and publishing content from various sources. It can grab content from RSS feeds, websites, YouTube channels, and more, and then automatically create and publish posts.

Five million attacks

According to a WPScan alert, cybercriminals can use the flaw to “gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites.” So far, the flaw was used to create new administrator accounts, which the hackers would later use for additional attacks (installing malicious add ons, exfiltrating sensitive data, and more).

It was given a rating of 9.9 (critical), and tracked as CVE-2024-27956. All versions up to 3.9.2.0 are said to be vulnerable. So far, more than five million exploitations attempts were recorded.

“Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code,” WPScan said. “To evade detection and maintain access, attackers may also rename the vulnerable WP‑Automatic file, making it difficult for website owners or security tools to identify or block the issue.”

The Hacker News, also said that the file renaming part might also be an attempt by hackers to prevent other hackers from taking over.

WordPress is by far the most popular website builder platform around today, powering almost half of the entire Internet. Still, it is considered relatively safe, with themes and plugins being the weakest link. WordPress site users are advised to only install themes and addons they plan on using, and to keep them updated at all times.

Developing countries are being used by hackers to try out new ransomware strains

Post author By lisa nichols
Post date April 26, 2024
No Comments on Developing countries are being used by hackers to try out new ransomware strains

[ad_1]

IT security pros are not the only ones with sandboxes and honeypots to test malware in, as hackers are doing the same – in developing parts of the world.

A report from Performanta says that many hackers would first try out new malware strains in developing countries, before targeting companies in the developed world.

The report claims this process is particularly effective as organizations in the developing world have less awareness of the issue of cybersecurity and as such are an easier target, so organizations in Africa, Latin America, and Asia are hit first, before the attackers pivot towards Europe and North America.

Cheaper malware

The researchers claim to have observed attacks in Senegal, Chile, Colombia, and Argentina, using strains which later ended up on systems in Europe and North America. One of the strains being tested this way is Medusa, a ransomware variant that was first seen in South Africa, Senegal, and Tonga, after which it hit organizations in the US, UK, Canada, Italy, and France.

In 2023, there were roughly a hundred reported cases of Medusa attacks.

In its writeup, Ars Technica discussed the problem with Nadir Izrael, chief technology officer at cyber security group Armis, who said attackers were observed discussing an exploit for a new vulnerability earlier this year. “They ‘specifically targeted a few [exposed servers] in third world countries to test out how reliable the exploit was,’” he said.

Armis confirmed the strategy a few weeks later, when its honeypots picked up the threat actor going after firms in Southeast Asia, first.

However, not everyone agrees with this assessment, with Microsoft’s director of threat intelligence strategy, Sherrod DeGrippo, telling the publication that in reality – malware and ransomware variants had gotten cheaper, allowing hackers in the developing world to mount their own, mini attacks.

Darktrace director of threat research, Hanah-Marie Darley, also believes Medusa lowered its prices, resulting in more attacks in poorer countries.

UnitedHealth confirms major cyberattack, says hackers stole “substantial” amount of patient data

Post author By lisa nichols
Post date April 23, 2024
No Comments on UnitedHealth confirms major cyberattack, says hackers stole “substantial” amount of patient data

[ad_1]

UnitedHealth Group has issued an update on the data breach that recently struck its subsidiary, Change Healthcare.

The healthcare giant suffered a ransomware attack that knocked some of its services offline and affected different pharmacies and other adjacent businesses across the United States.

In an update, UnitedHealth Group said that based on initial targeted data sampling to date, the company found “files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America.”

Ransomware fiasco

So far, there has been no evidence that the hackers stole materials such as doctors’ charts, or full medical histories.

The company further explained that the data review is ongoing and complex, and that it will likely take a few months to conclude the investigation, suggesting that the type of stolen data, as well as its scope, might change.

In the meantime, it set up a dedicated website http://changecybersupport.com/ where affected individuals can get more information and details. It also set up a dedicated call center, and is offering free credit monitoring and identity theft protection for two years.

The ransomware attack suffered something of a fiasco on both sides. The company was apparently attacked by an affiliate of the infamous ALPHV (BlackCat) ransomware-as-a-service (RaaS). To address the problem and get its data back, the company paid the attackers $22 million in cryptocurrency. However, due to the nature of RaaS, the affiliates who breached Change never got the money, as ALPHV took all of it and shut the entire operation down.

This also meant that Change never got its data back. In the meantime, a separate threat actor came forward, claiming to be in possession of the data, and asking for even more money.

UnitedHealth Group said that it’s monitoring the internet and the dark web, together with industry experts, to determine if any data made it online.

“There were 22 screenshots, allegedly from exfiltrated files, some containing PHI and PII, posted for about a week on the dark web by a malicious threat actor. No further publication of PHI or PII has occurred at this time,” the notification concludes.

Microsoft says Russian hackers are exploiting an ancient printer security flaw

Post author By lisa nichols
Post date April 23, 2024
No Comments on Microsoft says Russian hackers are exploiting an ancient printer security flaw

[ad_1]

Russian state-sponsored threat actors were observed abusing an old printer vulnerability to drop custom malware on target endpoints.

The malware helped them exfiltrate sensitive data and login credentials. This is according to a new report from Microsoft Threat Intelligence, published earlier this week.

As per the report, since mid-2019, a group known as Fancy Bear has been abusing a print spooler elevation of privilege bug found in Windows printers. The vulnerability, tracked as CVE-2022-38028, was discovered in 2022, and patched in October the same year.

The fall of Moobot

However, even after the release of the fix, Fancy Bear targeted unpatched endpoints in government, non-government, education, and transportation firms, located in Ukraine, Western European, and North American countries.

Once found, the devices would be infected with a custom-built malware called GooseEgg, which granted the attackers elevated privileges, and the ability to steal credentials across compromised systems.

Given that the patch has been available for almost two years now, it’s the best and easiest way to protect the endpoints from Russian spies.

Fancy Bear is probably Russia’s most popular threat actor. Some researchers have linked it to the GRU – the Russian General Staff Main Intelligence Directorate – the foreign military intelligence agency of the General Staff of the Armed Forces of the Russian Federation.

In mid-February this year, US law enforcement agents successfully shut down a malicious Fancy Bear botnet. At the time, the U.S. Department of Justice (DoJ) said its agents conducted a “court-authorized operation” that has neutralized a network of “hundreds of small office/home office (SOHO) routers”.

As explained by the DoJ, most of the Ubiquiti Edge OS routers used in the botnet were previously infected by malware called Moobot, which was developed by a private hacking group. This group targeted routers with factory settings and otherwise easy-to-guess passwords to install the malware. Then, APT 28 (as they call Fancy Bear) swooped in and took over the malware, turning the infected devices into a “global cyber espionage platform.”

Via The Register

Hackers are loading SVG files with multi-stage malware in new phishing attack

Post author By lisa nichols
Post date April 9, 2024
No Comments on Hackers are loading SVG files with multi-stage malware in new phishing attack

[ad_1]

A sophisticated new phishing attack was spotted in the wild, leveraging a wide variety of tools to bypass antivirus protections and ultimately deliver different Remote Access Trojan (RAT) malware.

According to cybersecurity researchers at Fortinet, an unidentified threat actor was seen sending phishing emails, stating a shipment has been delivered, and attaching an invoice. This attachment, however, is a Scalable Vector Graphics (SVG) file which, when run, triggers the infection sequence.

The SVG file drops a ZIP archive created with BatCloak – a tool designed to help malware bypass antivirus protection. This archive unpacks a ScrubCrypt batch file, which is another antivirus-evading tool which, in turn, sets up persistence, and bypasses AMSI and ETW protections to deliver the Venom RAT.

Rat infestation

While ScrubCrypt was first seen last year, and linked to the 8220 Gang threat actor, Fortinet does not mention if the same group was behind this campaign as well.

Venom RAT is described as a fork of Quasar RAT, and a powerful remote access trojan allowing threat actors full system takeover, sensitive data exfiltration, and more.

“While Venom RAT’s primary program may appear straightforward, it maintains communication channels with the C2 server to acquire additional plugins for various activities,” the researchers said in the report. “This includes Venom RAT v6.0.3 with keylogger capabilities, NanoCore RAT, XWorm, and Remcos RAT.

“This [Remcos RAT] plugin was distributed from VenomRAT’s C2 using three methods: an obfuscated VBS script named ‘remcos.vbs,’ ScrubCrypt, and Guloader PowerShell,” they added.

Besides Venom RAT, the researchers observed the malware dropping Remcos RAT, XWorm, NanoCore RAT, and a stealer that grabs information from cryptocurrency wallets such as Atomic Wallet, Electrum, Exodus, Jaxx Liberty, and others. Information from Foxmail and Telegram were also being exfiltrated to a remote server, they concluded.

The best way to protect against these attacks is to be extra careful when receiving emails with links, attachments, or similar calls to action.

Via The Hacker News

Hospital helpdesks targeted by hackers — US Health Department warns health services are under threat

Post author By lisa nichols
Post date April 8, 2024
No Comments on Hospital helpdesks targeted by hackers — US Health Department warns health services are under threat

[ad_1]

The US Department of Health and Human Services (HHS) has issued a warning that hackers are attempting to target the helpdesks of hospitals in order to gain access to critical hospital systems.

The hackers have been observed contacting hospital IT help desks using local area code phone numbers and then pretending to be a hospital employee, providing the helpdesk with stolen identification.

The hackers then request that their device be set up to use the employee’s multi-factor authentication. Once they have access to the hospital’s internal systems, they are free to steal data and re-route transactions into their own bank accounts.

Hospital data and finances a honeypot for hackers

The Health Sector Cybersecurity Coordination Center (HC3) issued a warning for hospitals to be vigilant in the face of hackers using elaborate social engineering campaigns to gain access to hospital systems. The HC3 stated that the hackers “specifically targeted login information related to payer websites, where they then submitted a form to make ACH changes for payer accounts” in order to steal money.

“Once access has been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts,” HC3 continued. “The funds were then transferred to overseas accounts. During the malicious campaign, the threat actor also registered a domain with a single letter variation of the target organization and created an account impersonating the target organization’s Chief Financial Officer (CFO).

While no threat actor has been formally identified as responsible for these attacks, HC3 issued a number of guidance points to IT help desks in order to avoid succumbing to such an attack: (PDF)

Require callbacks for employees requesting new device MFA enrollment or password resets using the number on file for the employee
Monitor ACH changes for suspicious activity and frequently revalidate users who have access to payer websites
Employees requesting MFA device enrollment, password resets, or ACH changes should report in person to the IT helpdesk
Where this is not possible, contact the employee supervisor for verification
Train helpdesk employees to identify social engineering techniques and spearphishing attempts

Via BleepingComputer

Hackers can now hijack your face. Here’s how to fight back

Post author By lisa nichols
Post date April 2, 2024
No Comments on Hackers can now hijack your face. Here’s how to fight back

[ad_1]

The future of mobile malware is here. For the first time, cybercriminals are infiltrating iOS and Android devices and stealing user face scans. Then, armed with the power of deepfakes and AI, they’re replicating the user’s likeness to break into their bank accounts.

Yes, you read that correctly. Today’s technology allows bad actors to spoof biometric safeguards and hijack your face. This hack is as novel as it is terrifying – and it warrants immediate action from enterprises and users alike.

The arrival of deepfake hacking

This is truly a brave new world of hacking. Believed to be developed by the Chinese-speaking crime group GoldFactory, this hack uses fake apps to trick users into performing biometric verification checks. Unwittingly, users then share the facial scans required to bypass the same checks employed by legitimate banking apps in Asia Pacific.

The hackers do this by – and here’s the real innovation – using AI-powered face-swapping platforms. With biometric data in hand, as well as the ability to intercept 2FA text messages, these cybercriminals create deepfake replicas of their victims, enabling unauthorized access to their banking accounts. The result is an app scam that researchers have never seen before.

In a way, this hack reminds me of Cherryblos, another threat I wrote about in November that uses mobile malware to extract passwords and sensitive information from images. Now, it seems, hackers are turning their efforts from static images to user faces.

Unfortunately, it’s understandable why hackers are going down this route. Facial biometrics are one of the most popular mobile access methods and are used at least once a day with an app by more than 130 million Americans. Up until this point, facial biometrics have been seen as a trusted alternative to passwords. The authentication method is quick, convenient, and difficult to falsify. This cunning attack shows that it’s indeed tough to crack – but not impossible.

Apu Pavithran

Founder and CEO, Hexnode.

Enterprises must fight fire with fire

This hack is only currently active in a specific region and a specific app vertical but don’t be fooled – it’s a sign of threats to come. The entry barrier for AI and deepfake technology is low and any hacking actor with a semblance of budget and know-how is looking at this case for inspiration. For enterprises, this means fighting fire with fire and building robust mobile malware and biometric identification protections today.

This starts with getting a grip on the apps in your ecosystem. A good way to do this is by creating a custom “store” with approved apps for corporate endpoints. Think of it like your own Play Store or App Store. Here, you can also modify permissions to regulate the level of control the app has over target devices and remove anything resembling risky behavior. It’s also vital to have strict cybersecurity criteria when inspecting which apps do or don’t make your store. If something doesn’t meet your standards, blacklist it.

Next, adhere to best practices to combat mobile malware, beginning with maintaining up-to-date devices through effective patch management. Enable auto-updates, install updates promptly upon release, and automate software modifications outside of business hours. Similarly, prioritize security scans and device monitoring. Deploy a user session monitoring system to identify malware and block suspicious sessions before users share any personal data.

Finally, watch out for the telltale signs of malware infection. This includes things like device battery drain, unusual data storage, slow performance, and strange behavior. Regular audits with a unified endpoint protection software platform can help to uncover these device malfunctions. Additionally, so can another enterprise resource: employees.

In the “face” of this new threat – excuse the pun – employees are arguably the most important cybersecurity element for enterprises to get right. Why? Because social engineering is malware’s main infection avenue and this case is no different.

This hack isn’t capitalizing on Android or iOS vulnerabilities. Rather, for this facejacking malware to work, the victim must authorize relevant permissions, therefore requiring a multi-stage social engineering strategy to gain entry into the phone.

This point is worth repeating. The malware cannot rip official biometric data on Android or iOS since this information is – rightfully – encrypted and kept separate from running apps. The entire hack relies on tricking the user. Only once invited inside the device can the trojan horse then read incoming SMS messages, control background functions, and request to capture the victim’s face.

Now more than ever, users must understand how to stay safe for their own good and that of the enterprise. IT must spearhead cyber hygiene initiatives and instruct employees to avoid clicking suspicious links, use company-approved apps, and report device problems like failed software updates or irregular performance.

And, in this evermore complicated landscape of cybersecurity and AI, remind users to think twice whenever an app asks for a face scan.

We’ve listed the best free Android apps.

This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

[ad_2]

Source Article Link

Tags Face, fight, hackers, Heres, hijack

Featured

Hackers are already attacking this Microsoft SharePoint vulnerability, so patch now

Post author By lisa nichols
Post date March 29, 2024
No Comments on Hackers are already attacking this Microsoft SharePoint vulnerability, so patch now

[ad_1]

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new Microsoft Sharepoint Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling that hackers have begun exploiting it in the wild.

The vulnerability is tracked as CVE-2023-24955, and carries a severity score of 7.2. It is described as a critical remote code execution (RCE) flaw, that allows an authenticated threat actor, with Site Owner privileges, to execute arbitrary code on the vulnerable endpoints.

Such a vulnerability could be used for a number of things, from malware deployment, to information stealing.

FCEBs on a deadline

“In a network-based attack, an authenticated attacker as a Site Owner could execute code remotely on the SharePoint Server,” Microsoft said in an advisory.

The fix was released with the May 2023 Patch Tuesday cumulative update, so in case you skipped that one, you might want to reconsider. Those who have automatic updates enabled are most likely already protected, though.

Two months ago, CISA added a separate flaw, CVE-2023-29357, to KEV. This flaw was chained together with the newly-added RCE last year, at the Pwn2Own Vancouver hacking contest. StarLabs SG, who demonstrated how the two vulnerabilities could be combined for devastating effects, won $100,000 for their efforts.

While threat actors currently might be abusing these two, there is no evidence that anyone chained them together yet.

Federal Civilian Executive Branch (FCEB) agencies have until April 16 this year to apply the patch.

Microsoft SharePoint is a web-based collaborative platform, available through the Microsoft 365 productivity suite. It was first launched in 2001 as a document management and storage system. It was also used to share information via intranet. According to Microsoft’s 2020 figures, SharePoint had more than 200 million active monthly users, with Gitnux adding that 80% of Fortune 500 companies use the tool.

Via TheHackerNews