Phishing Campaign Targets FINRA in Search for Microsoft Office or SharePoint Credentials

A new phishing campaign is targeting members of the Financial
Industry Regulatory Authority (FINRA), with emails purporting to come from FINRA
officers. The goal is to obtain the members’ user names and passwords for
Microsoft Office or SharePoint.

Breaking into a network or a protected system is hard, but
attackers have a much easier time when they hold real, valid login credentials. One
way to obtain such credentials is through data breaches, but a more
common method is spearphishing.

In the case of the FINRA phishing attack, members of the
organization are directly targeted with emails crafted specifically for them,
sent from the look-alike domain “broker-finra.org”, which
is not connected to FINRA.
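The look-alike domain is the tell in this campaign: the sender domain carries the FINRA name but is not finra.org or a subdomain of it. The following is an added example, not code from the article or from FINRA, of the kind of sender-domain check a mail gateway or SOC triage script can apply. The brand-to-domain policy table and the sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed policy for illustration: each brand token maps to the domains
# that may legitimately carry it. A real deployment would load this from the
# organisation's list of trusted counterparties.
LEGIT_DOMAINS = {
    "finra": {"finra.org"},
}


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of a From: header, or "" if there is none."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().strip(".")


def is_legit(domain: str, legit: set) -> bool:
    """True if the domain is a legitimate domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in legit)


def classify_sender(from_header: str) -> str:
    """Classify a From: header as 'legitimate', 'lookalike' or 'unrelated'.

    A domain is a look-alike when a brand token appears as a whole label or
    as a hyphen-separated part of a label (broker-finra.org, finra-login.example,
    finra.org.example.net) without being the genuine domain or a subdomain of it.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "unrelated"
    for brand, legit in LEGIT_DOMAINS.items():
        if is_legit(domain, legit):
            return "legitimate"
        token = r"(?:^|[.-])" + re.escape(brand) + r"(?=[.-]|$)"
        if re.search(token, domain):
            return "lookalike"
    return "unrelated"


def triage(headers):
    """Run the check over a batch of From: headers; returns (header, verdict) pairs."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    # Constructed sample headers, not messages from the campaign.
    for header, verdict in triage([
        "FINRA Compliance <notice@broker-finra.org>",
        "FINRA Alerts <alerts@finra.org>",
        "Portal <noreply@mail.finra.org>",
        "Support <help@finra.org.attacker-example.net>",
        "A Colleague <jane@example.com>",
    ]):
        print(f"{verdict:11} {header}")
```

The check deliberately treats a brand name embedded anywhere in the domain labels as suspicious rather than only exact misspellings, because the campaign here used a plain prefix rather than a typo. Verdicts of "lookalike" are a triage signal to hold the message for review, not proof of malice on their own.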

“These emails have a source domain name ‘@broker-finra.org’
and request immediate attention to an attachment relating to your firm,”
says the FINRA advisory.
“In at least some cases, the emails do not actually include the
attachment, in which case they may be attempting to gain the recipient’s trust
so that a follow-up email can be sent with an infected attachment or link, or a
request for confidential firm information.”

Some of these phishing emails might contain an attachment
that redirects people to a website where they are asked for Microsoft Office or
SharePoint passwords. Many companies rely on numerous Office 365 services, and
with the right credentials attackers can use those services to gain a foothold.

FINRA advises anyone who entered their password to change
it immediately and notify the appropriate individuals in their firm. Employees
should also pay attention to incoming emails, verify if they come from known
contacts, and be wary of websites and other online resources that require them
to submit user names and passwords usually reserved for their organizations.

Targeted phishing campaigns are more common than you
might think. Just last week, Bitdefender identified a new phishing campaign
directed at the Standard Bank of South Africa, with tens of thousands of emails
sent in just one month.

US and UK Cyber Security Agencies Warn of APT Attacks against Healthcare Organizations

An advisory from the US Department of Homeland Security
(DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National
Cyber Security Centre (NCSC) warns of coordinated attacks against the
healthcare industry and other essential services.

Advanced Persistent Threat (APT) groups are targeting
numerous organizations, including healthcare bodies, pharmaceutical companies,
academia, medical research organizations and local governments, especially those
involved in national and international COVID-19 response teams.

APTs are usually groups backed by states or an actual
state actor seeking to disrupt services, steal data, or spy on the activities
of companies and even countries. Healthcare organizations are often hit because
they host valuable health-related data. The pandemic makes them a prime target
because APTs try to obtain information for domestic research into
COVID-19-related medicine.

“These organizations’ global reach and international
supply chains increase exposure to malicious cyber actors,” reads the advisory.
“Actors view supply chains as a weak link that they can exploit to obtain
access to better-protected targets. Many supply chain elements have also been
affected by the shift to remote working and the new vulnerabilities that have
resulted.”

One method used in these attacks is called password
spraying, in which bad actors try a small set of common passwords against many
accounts rather than hammering one account with many guesses. Since one of the most
significant security issues is people choosing ridiculously easy passwords or
reusing the same password on multiple services, the technique usually yields results.
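Password spraying looks different from a classic brute-force attempt in the logs: one source touches many accounts with only one or two failures each, so per-account lockout thresholds never trip. The following is an added example, not code from the advisory or from CISA/NCSC, of detection logic that runs over authentication log lines and flags sources showing that pattern, then lists any accounts that subsequently logged in successfully from a flagged source. The log format, thresholds and sample lines are constructed for illustration; a real deployment would adapt the regular expression to its own authentication logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). The format is assumed:
# <ISO timestamp> src=<ip> user=<account> result=FAIL|SUCCESS
SAMPLE_LOG = """\
2020-05-05T08:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-05-05T08:00:03Z src=203.0.113.7 user=bob result=FAIL
2020-05-05T08:00:05Z src=203.0.113.7 user=carol result=FAIL
2020-05-05T08:00:07Z src=203.0.113.7 user=dave result=FAIL
2020-05-05T08:00:09Z src=203.0.113.7 user=erin result=FAIL
2020-05-05T08:00:11Z src=203.0.113.7 user=frank result=FAIL
2020-05-05T08:00:13Z src=203.0.113.7 user=grace result=SUCCESS
2020-05-05T08:01:00Z src=198.51.100.4 user=alice result=FAIL
2020-05-05T08:01:20Z src=198.51.100.4 user=alice result=FAIL
2020-05-05T08:01:40Z src=198.51.100.4 user=alice result=FAIL
2020-05-05T08:02:00Z src=198.51.100.4 user=alice result=SUCCESS
2020-05-05T08:03:00Z src=192.0.2.9 user=bob result=FAIL
this line is malformed on purpose and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Parse log lines into (timestamp, source, user, result) tuples, skipping junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than abort the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source: max distinct accounts failed within one window} for sources
    that hit at least min_users accounts while staying at or below max_per_user
    failures per account (the spraying signature)."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window so it covers only failures within `window` of fails[end].
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                alerts[src] = max(alerts.get(src, 0), len(counts))
    return alerts


def successes_from(events, sources):
    """Accounts that logged in successfully from a flagged source: treat as compromised."""
    hits = defaultdict(list)
    for ts, src, user, result in events:
        if src in sources and result == "SUCCESS":
            hits[src].append(user)
    return dict(hits)


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    alerts = detect_spraying(events)
    for src, n in alerts.items():
        print(f"possible password spraying from {src}: {n} distinct accounts")
    for src, users in successes_from(events, set(alerts)).items():
        print(f"accounts to reset after spraying from {src}: {', '.join(users)}")
```

In the sample, 198.51.100.4 is not flagged even though it fails three times, because all failures belong to one account; that is the behaviour of a user mistyping a password, not a spray. The window and thresholds are tuning knobs: a patient attacker spreads attempts over hours, so the window should be chosen against the organisation's observed baseline rather than copied from this example.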

A single working password in an organization is enough,
especially for APT groups, which are much better prepared than regular hackers. They
can compromise the network, move laterally inside the company or institution if
necessary, and access other credentials.

CISA and NCSC say that, as long as the COVID-19 pandemic continues,
any organization in the healthcare industry will carry extra risk. The two
government institutions also presented several possible mitigations:

  • Update VPNs, network infrastructure devices and
    devices being used in remote work environments with the latest software patches
    and configurations.
  • Use multi-factor authentication to reduce the
    impact of password compromises.
  • Protect the management interfaces of your
    critical operational systems. In particular, use browse-down architecture to
    prevent attackers from easily gaining privileged access to your most vital
    assets.
  • Set up a security monitoring capability so you collect
    data that will be needed to analyze network intrusions.
  • Review and refresh your incident management
    processes.
  • Use modern systems and software. These have
    better security built in. If you cannot move off out-of-date platforms and
    applications straight away, there are short-term steps you can take to improve
    your position.

Wii, N64, and GameCube Source Codes Leak Online

A massive data leak is hitting Nintendo as source code,
demos, videos and other content for Wii, N64 and GameCube become available
online, following the publishing of a steady stream of information on 4Chan in
the past few weeks.

The first information about a possible Nintendo data leak
appeared on Dexerto, with reports of canceled games named “Pokemon Pink.” The
source code was published on 4Chan, and it seemed to be the entire extent of
the breach.

Now, more information has been published on the forums,
including source code for the Nintendo Wii’s boot0/1/2 operating system stages, along with
similar resources for the N64 and GameCube. The leaked data arrived over the
course of a few weeks, and a ResetEra user indexed it all.

“The biggest and craziest thing in this leak is the
datasheets, block diagram and Verilog files for every component,” said
Atheerios, a ResetEra user. “Verilog is a hardware description language; it is
used to describe circuits via code, so with this we can learn how every single
piece of the Wii was made.”

The data also contained several internal demos, an
official GameBoy emulator and SDKs. There’s no indication that this is the
extent of the data breach, and more may be on the way.

Nintendo has been silent so far, but the data breach may
have originated with a partner company called BroadOn that worked on Nintendo
Wii. While the leaked data pertains to old software and hardware, as none of
the affected systems are still sold today, it’s still a problem for the company
because the same source code can be used to develop emulators and similar
hardware.

Unfortunately for Nintendo, this is the second time their
name appears in the news concerning a security problem in short order. Just
last week, the company admitted that around 160,000 accounts were compromised
by attackers using a method called credential stuffing.

This goes to show that hackers are not always interested
in bank accounts and private health data. Sometimes, they target some of the
most unlikely sources.

New Trickbot Campaign Uses Fake Emails from U.S. Department of Labor

A new campaign is targeting people with messages that
seem to come from the U.S. Department of Labor (DoL), trying to trick them into
opening a DOC file, enabling macros, and eventually deploying the TrickBot
malware.

Like many of today’s malicious campaigns, this new one
tries to use COVID-19 as a cover to give it a sense of urgency. The use of an
official government institution is a well-known tactic and, in this case, the
bad actors impersonate the Department of Labor.

The email message talks about a provision called the
Family and Medical Leave Act (FMLA), which allows sick employees to receive
benefits when they miss work. Given the economic situation, the email aims to
convince people that they need to read a document attached to the email.

An analysis of the email from IBM X-Force shows that it contains one malicious file,
named “Family and Medical Leave of Act 22.04.doc.” It is an actual DOC file but
asks users to enable macros when opened. When the file is closed, the
attack runs its scripts.

Macros are useful in office suites, where they display
dynamic content or automate repetitive tasks, but they should
remain off at all times. They can execute scripts, allowing
attackers to download malware.

And this is precisely the route taken in this case. After
the user enables macros, a file named terop.bat is downloaded and executed. But
things get iffy from there, as the attackers use cURL to download a number of
files from a compromised domain, only to fail. cURL was not available by default
on the targeted Windows machines, so the commands in the .bat file fail.

The researchers presume the attackers are still testing deployment
methods and procedures, and that is why the download fails. But the
IP address and the “macros on close” technique indicate that the malware
eventually meant to be downloaded is Trickbot.

The Trickbot malware is adaptive and is used with
different attack vectors. It started as a credential-harvesting
threat, mostly focused on e-banking, but its modular structure allows
the use of specialized plugins that let bad actors change its purpose
depending on the campaign.

Users are advised never to open emails from unknown
contacts and to be wary of any messages from seemingly official organizations
and institutions. Also, remember to keep macros turned off at all times.
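Keeping macros disabled on endpoints is the last line of defence; a mail gateway can also refuse or quarantine Office attachments that carry VBA before a user ever sees the "enable macros" prompt. The following is an added example, not code from IBM X-Force or from the article, of an attachment triage routine that flags macro-enabled formats by extension and applies a crude heuristic to legacy .doc/.xls files: OLE containers store their storage names as UTF-16LE, so the "Macros" and "VBA" storage names are visible in the raw bytes even though the VBA code itself is compressed. The sample message and its fake attachments are constructed inline; the heuristic is a triage signal only, and a production gateway should use a proper OLE parser.

```python
import email
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of legacy .doc/.xls containers
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
LEGACY_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt"}
# OLE directory entries store stream/storage names as UTF-16LE, so the names of the
# storages that hold VBA code survive in the raw bytes. Crude heuristic: it can
# miss obfuscated containers and should be backed by a real OLE parser.
VBA_MARKERS = [name.encode("utf-16-le") for name in ("Macros", "VBA", "_VBA_PROJECT")]


def has_vba_markers(data: bytes) -> bool:
    """True if data looks like an OLE container that names a VBA storage."""
    return data.startswith(OLE_MAGIC) and any(m in data for m in VBA_MARKERS)


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'macro-enabled-format', 'legacy-doc-with-vba' or 'clean'."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in MACRO_EXTENSIONS:
        return "macro-enabled-format"
    if ext in LEGACY_EXTENSIONS and has_vba_markers(data):
        return "legacy-doc-with-vba"
    return "clean"


def triage_message(raw: bytes):
    """Classify every attachment of a raw RFC 822 message; returns (filename, verdict) pairs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        findings.append((fname, classify_attachment(fname, data)))
    return findings


def build_sample() -> bytes:
    """Construct a sample message with one macro-bearing and one plain .doc attachment."""
    msg = EmailMessage()
    msg["From"] = "noreply@dol-lookalike.invalid"  # constructed sender, not the campaign's
    msg["To"] = "employee@example.com"
    msg["Subject"] = "FMLA notice"
    msg.set_content("Please review the attached document.")
    # Fake OLE container whose directory names a "Macros" storage (constructed).
    with_vba = OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le") + b"\x00" * 64
    msg.add_attachment(with_vba, maintype="application", subtype="msword",
                       filename="Family and Medical Leave of Act 22.04.doc")
    # Fake OLE container with no VBA storage names at all (constructed).
    plain = OLE_MAGIC + b"\x00" * 128
    msg.add_attachment(plain, maintype="application", subtype="msword",
                       filename="benefits.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, verdict in triage_message(build_sample()):
        print(f"{verdict:22} {fname}")
```

Anything other than "clean" is a candidate for quarantine or for detonation in a sandbox; the extension check alone already catches the macro-enabled OOXML formats, and the OLE heuristic covers the older .doc format used in this campaign.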

CAM4 Data Leak Exposes Personal Data of Millions of Users

The digital world is once again tainted by a highly sensitive data leak that puts millions of users at risk of blackmail attempts, identity theft and fraud.

A team of security researchers led by Anurag Sen recently uncovered a leaky database from CAM4, a popular live-streaming adult website. Housed on a misconfigured Elasticsearch server, the unsecured database exposed around 7TB of personal information from platform users and members.

Among the cluster of 10 billion records, the analysts discovered information on CAM4 users, including:

• First and last names
• Email addresses and password hashes
• Country of origin and sign-up dates
• Gender preference and sexual orientation
• Device information
• Miscellaneous user details such as spoken language
• Usernames and user conversations
• Payments logs including credit card type, amount paid and applicable currency
• Transcripts of email correspondence
• Inter-user conversations
• Chat transcripts between users and CAM4
• Token information
• IP addresses
• Fraud and Spam detection logs

After rounding up the personal information, the team was able to pinpoint 11 million records containing emails, 26.3 million containing password hashes, and less than 1,000 revealing full names, credit card types and amounts paid to view explicit content on the website.

“US, Brazilian and Italian users were the most heavily affected although the precise number of email records is difficult to gauge accurately due to multiple entries being duplicated,” said researchers.

“The fact that a large amount of email content came from popular domains such as Gmail, Hotmail and iCloud — domains that offer supplementary services such as cloud-storage and business tools — means that compromised CAM4 users could potentially see huge volumes of personal data including photographs, videos and related business information leaked to hackers — assuming their accounts were eventually hacked via phishing as one example,” they later added.

Although the database was immediately taken down by parent company Granity Entertainment, the logs date back to March 16, and cybercriminals could have already scraped the information.

Moreover, let’s not forget the Ashley Madison data breach scandal – victims are still being targeted with blackmail and sextortion campaigns 5 years after the incident.

Given the sensitive nature of the exposed info, the aftermath of the recent data leak could have serious consequences, leaving CAM4 members vulnerable to targeted attacks and phishing emails. On top of any financial losses that may occur, victims can suffer damaging psychological effects, following multiple blackmail attempts or defamation.
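The root cause reported here, an Elasticsearch server reachable without authentication, is a configuration problem rather than a software bug. The following is an added example, not code from the researchers or from CAM4, that places a constructed elasticsearch.yml fragment showing the exposure pattern beside a hardened one and audits both with a small checker. The setting names (network.host, xpack.security.enabled, xpack.security.http.ssl.enabled) are real Elasticsearch settings; the values and the cluster name are constructed for illustration, and the checker deliberately avoids a YAML library so it runs anywhere.

```python
# Constructed elasticsearch.yml fragments for illustration (not CAM4's configuration).
WEAK_CONFIG = """\
cluster.name: demo-cluster
network.host: 0.0.0.0            # listens on every interface, including the internet-facing one
http.port: 9200
xpack.security.enabled: false    # no authentication on the REST API
"""

HARDENED_CONFIG = """\
cluster.name: demo-cluster
network.host: 127.0.0.1          # only local clients (or a reverse proxy) can reach it
http.port: 9200
xpack.security.enabled: true     # users, roles and API keys are required
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that expose the node beyond the loopback interface.
PUBLIC_BINDINGS = {"0.0.0.0", "::", "_global_", "_site_"}


def parse_settings(text: str) -> dict:
    """Parse flat 'key: value' lines, ignoring comments and blank lines.

    Elasticsearch's config is YAML; this minimal parser handles only the flat
    dotted-key form used here, which is enough for an audit of these settings.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit(settings: dict) -> list:
    """Return a list of findings; an empty list means the checked settings are sane."""
    findings = []
    host = settings.get("network.host", "127.0.0.1")
    if host in PUBLIC_BINDINGS:
        findings.append(f"network.host={host} binds the HTTP API to non-local interfaces")
    if settings.get("xpack.security.enabled", "").lower() != "true":
        findings.append("xpack.security.enabled is not true: the REST API accepts unauthenticated requests")
    if settings.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: client traffic is unencrypted")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit(parse_settings(text))
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Binding to loopback and enabling authentication are the two changes that would have kept a database like this off the open internet; the TLS check is there because credentials sent to an authenticated but unencrypted API are still exposed on the wire. Treat the audit as a first pass: network reachability (firewall rules, security groups) has to be verified separately.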

Tesla Data Leak: Pre-Owned Vehicle Infotainment Components Store Owners’ Personal Details and Passwords

According to white hat hacker GreenTheOnly, Tesla forgot to wipe customers’ personal information from previously used infotainment and Autopilot hardware. The discovery came about after Green found and purchased four pre-owned Tesla components on eBay.

“Bad news Sunday. If you had infotainment computer in your Tesla replaced (model3 FSD upgrade, mcu2 retrofit, mcu1 emmc fix or any other fixe requiring computer swap) – consider all accounts you logged into from the car compromised and change pwds,” said Green in a Twitter post on May 3.

While normal vehicle infotainment systems can store phone numbers, audio media and addresses, Tesla components also enable access to video- and audio-streaming platforms such as Netflix and Spotify.

In some of the systems, the researcher found Netflix session cookies that could be used to gain access to the owner’s account, while others included stored Gmail cookies, WiFi passwords and Spotify passwords in plain text.

“In particular if you log into spotify – the password is stored in plain text. gmail and netflix are stored as a cookie but still give a potential attacker access. The of course all recent calendar events and your phone book and calls history too,” Green added.

The company says upgrading a car’s hardware to gain access to new features and upgrades is performed in Tesla service centers, and owners can also request the transfer of their personal data and preferences to the new installations.

While service centers should destroy any pre-owned hardware, or at least wipe existing personal information, it is unclear how the hardware found its way onto the eBay marketplace.

Green also notified Tesla representatives of his findings. However, the company has not notified affected customers, and has yet to release an official statement.

Tesla owners who wish to sell their vehicles are advised to manually wipe the data from their infotainment systems, and should they opt to upgrade their car with new fittings, they should make sure that the service center properly disposes of the hardware and deletes any existing information.

Microsoft Teams Phishing Attack Wants Your Office 365 Credentials

A phishing attack using a notification from Microsoft
Teams in an effort to trick people into revealing their credentials is
spreading through emails that use convincing content.

While Microsoft Teams might not seem like an obvious
target, the fact that it’s linked to Microsoft Office 365 makes it highly valuable
to attackers. Office 365 credentials are a prime commodity on the black market
as they can provide access directly into companies’ networks with their valid
user names and passwords.

The phishing scheme is direct and follows a well-known
recipe. Users receive an email impersonating an automated email from Microsoft
Teams. The landing pages users open also look like the real deal, tricking
people into believing it’s an actual service from Microsoft.

“In one attack, the email contains a link to a
document on a domain used by an established email marketing provider to host
static material used for campaigns,” explains the advisory from Abnormal Security.

“Within this document there is an image urging the
recipient to log in to Microsoft Teams,” it says. “Once the user clicks this
image, the URL takes the recipient to a compromised page which impersonates the
Microsoft Office login page. In the other attack, the URL redirect is hosted on
YouTube, then redirected twice to the final webpage which hosts another
Microsoft login phishing credentials site.”

Typically, such links would be immediately identified by
security solutions, on servers or installed locally. To evade detection, the
attacks use many redirects to conceal the real URL.

The new Microsoft Teams phishing campaign is just the
latest, and it won’t be the last. Users are advised never to open links from
sources or people they don’t know, or at least to verify the authenticity of
the sender. Also, never share your Microsoft Office credentials online, and only
use them for online services you’ve already verified.

Privacy issues in Australia’s SkillSelect platform may have exposed personal information of 700,000 aspiring migrants

Personal details of more than 700,000 migrants and hopeful immigrants to Australia may have been exposed in a data breach concerning the Department of Home Affairs’ SkillSelect platform.

The department asks skilled workers who wish to migrate to the land Down Under to express their interest by creating an online account, making it easier for applicants to be considered for a skilled Australian visa. While the expression of interest (EOI) is not a Visa application, candidates who participate in the skills assessment and meet the mark have higher chances of receiving work visas.

During the application process, the SkillSelect portal asks participants to complete their personal information to create their online account, including:

• given name and family name
• date of birth
• country of birth
• gender
• passport and citizenship details
• place of residency
• relationship status

Once completed, the expression of interest is stored and displayed on the publicly available app for no less than 2 years. While account holders may access their EOI and update the information at any time, users of the app can also view any applicants’ ‘ADUserID’, an individual identifier including a partial name and numbers. While browsing through the app, the research team at Guardian Australia noticed that the database contained 774,326 unique ADUserIDs and 189,426 completed expressions of interest going back as far as 2014.

At first glance, only the birth country, age, qualifications, marital status and the outcome of the application could be reviewed. However, if multiple filters are applied in the search, users could obtain additional details and analyze individual entries of applicants.
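The weakness described here is a classic re-identification path: each filter on its own returns an anonymous aggregate, but stacking enough filters narrows the result to one person, and the individual entry can then be read. The following is an added example, not code from Guardian Australia or from the Department of Home Affairs, of the minimum-group-size gate (a k-anonymity style check) that a public search interface can apply so that any filter combination matching fewer than k applicants is suppressed rather than displayed. The records, field names and the value of k are constructed for illustration.

```python
from collections import Counter

# Constructed applicant records for illustration, not SkillSelect data.
RECORDS = [
    {"id": "AB1234", "country": "India",  "age": 31, "qualification": "Bachelor",  "marital": "single",  "outcome": "invited"},
    {"id": "CD2345", "country": "India",  "age": 28, "qualification": "Bachelor",  "marital": "single",  "outcome": "pending"},
    {"id": "EF3456", "country": "India",  "age": 35, "qualification": "Master",    "marital": "married", "outcome": "invited"},
    {"id": "GH4567", "country": "India",  "age": 40, "qualification": "Master",    "marital": "married", "outcome": "pending"},
    {"id": "IJ5678", "country": "India",  "age": 29, "qualification": "Bachelor",  "marital": "single",  "outcome": "invited"},
    {"id": "KL6789", "country": "India",  "age": 33, "qualification": "Bachelor",  "marital": "married", "outcome": "pending"},
    {"id": "MN7890", "country": "Chile",  "age": 42, "qualification": "Doctorate", "marital": "married", "outcome": "invited"},
    {"id": "OP8901", "country": "Brazil", "age": 30, "qualification": "Master",    "marital": "single",  "outcome": "pending"},
]

MIN_GROUP = 5  # k: never reveal anything about a group smaller than this
# Only these fields may ever be filtered on or summarised; identifiers never leave the server.
QUERYABLE_FIELDS = {"country", "qualification", "marital", "outcome"}


def query(records, filters, k=MIN_GROUP):
    """Return an aggregate over records matching all filters, or a suppressed result.

    Suppression happens whenever the matched group is smaller than k, so no
    combination of filters can be used to single out one applicant.
    """
    unknown = set(filters) - QUERYABLE_FIELDS
    if unknown:
        raise ValueError(f"field(s) not queryable: {sorted(unknown)}")
    matched = [r for r in records if all(r.get(f) == v for f, v in filters.items())]
    if len(matched) < k:
        # Return no count at all: even "1 match" would confirm a person's presence.
        return {"count": None, "suppressed": True}
    return {
        "count": len(matched),
        "suppressed": False,
        "outcomes": dict(Counter(r["outcome"] for r in matched)),
    }


if __name__ == "__main__":
    for filters in ({"country": "India"},
                    {"country": "India", "qualification": "Bachelor"},
                    {"country": "Chile"}):
        print(filters, "->", query(RECORDS, filters))
```

The gate answers the broad query for India but refuses both the narrower India-plus-Bachelor query and the single Chilean applicant, which is exactly the stacking of filters that exposed individual entries in the SkillSelect case. A minimum group size is a floor, not a complete defence: comparing the counts of two overlapping queries can still leak one person's attributes, so a public interface should also limit how many distinct filter combinations a client may issue and log what is asked.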

Following the discovery, Guardian Australia informed the Department of Home Affairs, and the SkillSelect platform was taken offline, “currently undergoing maintenance”.

Privacy advocates quickly latched on to the news, issuing comments regarding the government’s poor track record in keeping personal information safe.

“If you can use this to pin down a specific person that you’re thinking about and from that understand what they had entered into certain categories, then that is a way to extract information you might not already have known,” said Anna Johnston, the principal of Salinger Privacy.
