Tag: targeted

Hospital helpdesks targeted by hackers — US Health Department warns health services are under threat

Post author By lisa nichols
Post date April 8, 2024
No Comments on Hospital helpdesks targeted by hackers — US Health Department warns health services are under threat

[ad_1]

The US Department of Health and Human Services (HHS) has issued a warning that hackers are attempting to target the helpdesks of hospitals in order to gain access to critical hospital systems.

The hackers have been observed contacting hospital IT help desks using local area code phone numbers and then pretending to be a hospital employee, providing the helpdesk with stolen identification.

The hackers then request that their device be set up to use the employee’s multi-factor authentication. Once they have access to the hospital’s internal systems, they are free to steal data and re-route transactions into their own bank accounts.

Hospital data and finances a honeypot for hackers

The Health Sector Cybersecurity Coordination Center (HC3) issued a warning for hospitals to be vigilant in the face of hackers using elaborate social engineering campaigns to gain access to hospital systems. The HC3 stated that the hackers “specifically targeted login information related to payer websites, where they then submitted a form to make ACH changes for payer accounts” in order to steal money.

“Once access has been gained to employee email accounts, they sent instructions to payment processors to divert legitimate payments to attacker-controlled U.S. bank accounts,” HC3 continued. “The funds were then transferred to overseas accounts. During the malicious campaign, the threat actor also registered a domain with a single letter variation of the target organization and created an account impersonating the target organization’s Chief Financial Officer (CFO).

While no threat actor has been formally identified as responsible for these attacks, HC3 issued a number of guidance points to IT help desks in order to avoid succumbing to such an attack: (PDF)

Require callbacks for employees requesting new device MFA enrollment or password resets using the number on file for the employee
Monitor ACH changes for suspicious activity and frequently revalidate users who have access to payer websites
Employees requesting MFA device enrollment, password resets, or ACH changes should report in person to the IT helpdesk
Where this is not possible, contact the employee supervisor for verification
Train helpdesk employees to identify social engineering techniques and spearphishing attempts

Via BleepingComputer

Linux servers targeted by dangerous espionage malware as Windows threat makes the jump

Post author By lisa nichols
Post date April 1, 2024
No Comments on Linux servers targeted by dangerous espionage malware as Windows threat makes the jump

[ad_1]

A dangerous espionage malware, previously only used against Windows devices, is increasingly being observed on Linux machines, too, experts have warned.

Following earlier reports by ESET and Trend Micro, Kaspersky is now warning of the Dinodas Remote Access Trojan (RAT), signaling the rising popularity of the malware.

Kaspersky claims the backdoor is “fully functional, granting the operator complete control over the infected machine, enabling data exfiltration and espionage”. DinodasRAT is designed to monitor, control, and steal data from target endpoints. Besides stealing data, it can run processes, create a remote shell for direct command, or file execution, update and upgrade itself, uninstall itself and delete all traces of its existence.

XDealer and DinodasRAT

Older reports indicate that DinodasRAT is a Linux version of a known Windows RAT dubbed XDealer. Earlier in March, Trend Micro observed the Chinese APT group known as “Earth Krahang” using XDealer against both Windows and Linux systems belonging to “governments worldwide”.

The researchers did not detail how the attackers managed to drop the malware onto target endpoints, but did stress that since October 2023, the targets were mostly located in China, Taiwan, Turkey, and Uzbekistan.

Today, many nation-states are engaged in cyber-warfare, disrupting operations and stealing sensitive data from their adversaries. Besides China, there are notable threats coming from North Korea (Lazarus Group, for example), Russia (Fancy Bear), Iran (Scarred Manticore), and others.

With war raging in Ukraine, China eyeing Taiwan, Israel engaged against Hamas, as well as other potential hotpots (the issues of migration in both Europe and the States, U.S. presidential elections), it is no wonder that not a day goes by without news of state-sponsored hacking groups engaging in cyber-espionage.

The rising popularity of DinodasRAT only demonstrates the increasing use of Linux-powered devices in government agencies around the world.

Via BleepingComputer

Warning: Apple Users Targeted in Advanced Phishing Attack Involving Password Reset Requests

Post author By miranda cosgrove
Post date March 26, 2024
No Comments on Warning: Apple Users Targeted in Advanced Phishing Attack Involving Password Reset Requests

[ad_1]

Phishing attacks taking advantage of what appears to be a bug in Apple’s password reset feature have become increasingly common, according to a report from KrebsOnSecurity. Multiple Apple users users have been targeted in an attack that bombards them with an endless stream of notifications or multi-factor authentication (MFA) messages in an attempt to get them to approve an Apple ID password change.

reset password request iphone
An attacker is able to cause the target’s iPhone, Apple Watch, or Mac to display system-level password change approval texts over and over again, with the hope that the person being targeted will mistakenly approve the request or get tired of the notifications and click on the accept button. If the request is approved, the attacker is able to change the ‌Apple ID‌ password and lock the Apple user out of their account.

Because the password requests target the ‌Apple ID‌, they pop up on all of a user’s devices. The notifications render all linked Apple products unable to be used until the popups are dismissed one by one on each device. Twitter user Parth Patel recently shared his experience being targeted with the attack, and he says he could not use his devices until he clicked on “Don’t Allow” for more than 100 notifications.

When attackers are unable to get the person to click “Allow” on the password change notification, targets often get phone calls that seem to be coming from Apple. On these calls, the attacker claims to know that the victim is under attack, and attempts to get the one-time password that is sent to a user’s phone number when attempting a password change.

In Patel’s case, the attacker was using information leaked from a people search website, which included name, current address, past address, and phone number, giving the person attempting to access his account ample information to work from. The attacker happened to have his name wrong, and he also became suspicious because he was asked for a one-time code that Apple explicitly sends with a message confirming that Apple does not ask for those codes.

The attack seems to hinge on the perpetrator having access to the email address and phone number associated with an ‌Apple ID‌.

KrebsOnSecurity looked into the issue, and found that attackers appear to be using Apple’s page for a forgotten ‌Apple ID‌ password. This page requires a user’s ‌Apple ID‌ email or phone number, and it has a CAPTCHA. When an email address is put in, the page displays the last two digits of the phone number associated with the Apple account, and filing in the missing digits and hitting submit sends a system alert.

It is not clear how the attackers are abusing the system to send multiple messages to Apple users, but it appears to be a bug that is being exploited. It is unlikely that Apple’s system is meant to be able to be used to send more than 100 requests, so presumably the rate limit is being bypassed.

Apple device owners targeted by this kind of attack should be sure to tap “Don’t Allow” on all requests, and should be aware that Apple does not make phone calls requesting one-time password reset codes.

[ad_2]

Source Article Link

Tags advanced, Apple, attack, involving, Password, Phishing, Requests, reset, targeted, users, Warning

Featured

Python devs are being targeted by this massive infostealing malware campaign

Post author By lisa nichols
Post date March 26, 2024
No Comments on Python devs are being targeted by this massive infostealing malware campaign

[ad_1]

Cybersecurity researchers from Checkmarx have discovered a new infostealing campaign that leveraged typosquatting and stolen GitHub accounts to distribute malicious Python packages to the PyPI repository.

In a blog post, Tal Folkman, Yehuda Gelb, Jossef Harush Kadouri, and Tzachi Zornshtain of Checkmarx said they discovered the campaign after a Python developer complained about falling victim to the attack.

Apparently, the company believes more than 170,000 people are at risk.

Infostealers and keyloggers

The attackers first took a popular Python mirror, Pythonhosted, and created a typosquatted website version. They named it PyPIhosted. Then, they grabbed a major package, called Colorama (150+ million monthly downloads), added malicious code to it, and then uploaded it on their typosquatted-domain fake-mirror. “This strategy makes it considerably more challenging to identify the package’s harmful nature with the naked eye, as it initially appears to be a legitimate dependency,” the researchers explained.

Another strategy involved stealing popular GitHub accounts. An account named “editor-syntax” got their account compromised, most likely via session cookie theft. By obtaining session cookies, the attackers managed to bypass any and all authentication methods and logged directly into the person’s account. Editor-syntax is a major contributor, maintaining the Top.gg GitHub organization whose community counts more than 170,000 members. The threat actors used the access to commit malware to the Top.gg Python library.

The goal of the campaign was to steal sensitive data from the victims. Checkmarx’s researchers said the malware stole browser data (cookies, autofill information, browsing history, bookmarks, credit cards, and login credentials, from the biggest browsers such as Opera, Chrome, Brave, Vivaldi, Yandex, and Edge), Discord data (including Discord tokens, which can be used to access accounts), cryptocurrency wallet data, Telegram chat sessions, computer files, and Instagram data.

Further analysis also discovered that the infostealer was able to work as a keylogger, as well.

US government warns water services are being targeted in cyberattacks

Post author By lisa nichols
Post date March 20, 2024
No Comments on US government warns water services are being targeted in cyberattacks

[ad_1]

The US government has issued a warning to its allies that state-backed hackers from Iran and China are increasingly targeting critical infrastructure, with the most notable attacks against water systems.

The Cybersecurity and Infrastructure Security Agency (CISA) probed a number of Iranian attacks targeting Unitronic programmable logic controllers (PLC) used in water facilities.

China has also turned its attention to probing critical US infrastructure in what government officials claim could be practice for a wider playbook in the event of war between the US and China.

Targeting the weakest link in the chain

A public letter issued by Environment Protection Agency (EPA) Administrator, Michael Regan, and National Security Advisor, Jake Sullivan, said, “Disabling cyberattacks are striking water and wastewater systems throughout the United States. These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”

While the attack conducted by an Iranian-backed group did not affect the water supply at the targeted facility, a breach of the PLCs used to control the supply of water means that had the attack progressed further, the attackers could have contaminated the water, damaged the facility itself, or even turned off the municipal water supply.

Volt Typhoon is the most likely culprit behind the attacks carried out by China, with water facilities alongside power grids, port infrastructure, and at least one oil and gas pipeline. The letter continued, stating, “Federal departments and agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves to disrupt critical infrastructure operations in the event of geopolitical tensions and/or military conflicts.”

Water facilities in the US have long been an easy target for cyber attacks due to the critical underfunding, low staffing levels, and a general lack of cyber security. The Biden Administration recently announced that the burden of responsibility for cyber security should be shifted onto private enterprises that are best positioned to reduce the risks for small businesses and public institutions.

“In many cases, even basic cybersecurity precautions — such as resetting default passwords or updating software to address known vulnerabilities — are not in place and can mean the difference between business as usual and a disruptive cyberattack,” the letter stated.

Via Bloomberg