MFA Fatigue: Hackers’ new favorite tactic in high-profile breaches
With the spread of multi-factor authentication, especially push-based MFA on employee smartphones, it was inevitable that attackers would find a way around it. An MFA fatigue attack occurs when a malicious actor runs a script that repeatedly attempts to log in with stolen credentials, causing a stream of MFA push requests to be sent to the account owner’s mobile device. The goal is to keep this up until the employee simply presses OK to make the prompts stop. If that doesn’t work, the threat actors contact the user by voice or email, urging them to accept the request. This social engineering technique has proven very effective for the threat actors Lapsus$ and Yanluowang when breaching large, well-known organizations such as Microsoft, Cisco, and now Uber. The full story is available on Bleeping Computer.
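The pattern described above (a burst of push prompts to one user, followed by an approval) is straightforward to hunt for in identity-provider logs. The following is an added example, not code from the article or from any vendor: it runs a sliding-window count over a constructed, simplified log format (the `push_sent`/`push_result` event names and the field layout are assumptions for illustration) and flags users who received five or more pushes within five minutes, noting whether an approval followed the burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real identity provider):
# "<timestamp> <user> <event> <result>"; push_sent carries no result ("-").
SAMPLE_LOG = """\
2022-09-15T03:12:01Z alice push_sent -
2022-09-15T03:12:09Z alice push_result denied
2022-09-15T03:12:20Z alice push_sent -
2022-09-15T03:12:31Z alice push_result timeout
2022-09-15T03:12:40Z alice push_sent -
2022-09-15T03:12:55Z alice push_sent -
2022-09-15T03:13:10Z alice push_sent -
2022-09-15T03:13:22Z alice push_sent -
2022-09-15T03:13:30Z alice push_result approved
2022-09-15T09:00:00Z bob push_sent -
2022-09-15T09:00:05Z bob push_result approved
"""


def parse_log(log):
    """Parse the constructed format into (ts, user, event, result) tuples, oldest first."""
    events = []
    for line in log.strip().splitlines():
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return sorted(events)


def detect_push_fatigue(log, window=timedelta(minutes=5), threshold=5):
    """Flag users who received >= threshold push prompts inside any `window`.

    Returns {user: {"max_pushes_in_window": n, "approved_after_burst": bool}}.
    A burst followed by an approval is the case to escalate: the user most
    likely accepted just to make the prompts stop.
    """
    by_user = defaultdict(list)
    for ev in parse_log(log):
        by_user[ev[1]].append(ev)

    alerts = {}
    for user, evs in by_user.items():
        sends = [ts for ts, _, event, _ in evs if event == "push_sent"]
        max_count, burst_end, start = 0, None, 0
        for i, ts in enumerate(sends):          # sliding window over send times
            while ts - sends[start] > window:
                start += 1
            count = i - start + 1
            if count >= threshold:
                burst_end = ts                  # latest send belonging to a burst
                max_count = max(max_count, count)
        if burst_end is None:
            continue
        approved_after = any(
            event == "push_result" and result == "approved" and ts >= burst_end
            for ts, _, event, result in evs
        )
        alerts[user] = {"max_pushes_in_window": max_count,
                        "approved_after_burst": approved_after}
    return alerts


if __name__ == "__main__":
    for user, info in detect_push_fatigue(SAMPLE_LOG).items():
        print(user, info)
```

On the sample data only `alice` is flagged (six pushes in under two minutes, then an approval); `bob`'s single prompt and approval is normal behaviour. Thresholds are tuned per environment, but the approval-after-burst signal is the one worth paging on, since it means the attacker is now inside.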
Senate reports detail inefficiencies and confusion at key US counterintelligence center
The National Counterintelligence and Security Center is crippled by dysfunction, a lack of resources and confusion about its mission, leaving a key national security asset dangerously vulnerable, U.S. senators said Wednesday. The center’s inability to adapt to the growing role of cyber and the “wider threat landscape of society” is among the factors contributing to the organization’s decline, according to a stunning 153-page Senate Select Committee on Intelligence report. The report says, for example, that because U.S. adversaries now have access to far more varied tools to influence U.S. officials and stoke social tensions, the counterintelligence center must acquire real authority and modernize its mission, its functions and its strategies.
Australian phone company Optus suffers massive data breach
Australia’s second-largest telecom operator, Optus, has suffered a massive data breach, with the personal information of millions of customers potentially compromised by a malicious cyberattack. The attackers are believed to have worked for a criminal or state-sponsored organization and got away with birth dates, phone numbers, email addresses, driver’s licenses and passport numbers. Optus said yesterday they could not yet say how many of its 9.7 million subscribers in Australia had been compromised, but said the number was “significant”. They added: “We are deeply disappointed because we are spending so much time and investing so much to prevent this from happening.”
BlackCat ransomware’s data exfiltration tool gets an update
BlackCat (aka ALPHV) ransomware shows no signs of slowing down, and the latest example of its evolution is a new version of the gang’s data exfiltration tool used for double extortion attacks. Considered a successor to Darkside and BlackMatter, it is one of the most sophisticated and technically advanced Ransomware-as-a-Service (RaaS) operations. The latest version has undergone heavy code refactoring to better evade detection, and the gang has also deployed new malware called “Eamfo”, which specifically targets credentials stored by Veeam backup software. Veeam typically stores credentials for domain controllers and cloud services in order to back them up, so ransomware actors who recover those credentials can use them for deeper infiltration and lateral movement.
Thanks to today’s episode sponsor, 6clicks
Domain shadowing becomes more popular among cybercriminals
Threat analysts at Palo Alto Networks (Unit 42) have found that the phenomenon of “domain shadowing” may be far more widespread than previously thought: a scan of the web between April and June 2022 uncovered 12,197 cases. Domain shadowing is a subcategory of DNS hijacking in which attackers compromise the DNS of a legitimate domain and create their own subdomains for malicious use, while leaving the existing legitimate DNS records untouched so that the owner does not notice. Meanwhile, the threat actors are free to host command-and-control (C2) addresses, phishing sites and malware drop points on those subdomains, abusing the good reputation of the hijacked domain to get past security checks.
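Because the legitimate records are left alone, the shadowed subdomains stand out mainly by two properties: they are newly created, and they resolve to infrastructure unrelated to the parent domain’s. The following is an added example, not Unit 42’s detector or code from the article: it applies that heuristic to a constructed set of passive-DNS style records (the hostnames, addresses and first-seen dates are made up; `example.com` and the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 ranges are documentation values), flagging subdomains first seen within the last 90 days whose A record lies outside the /24 networks used by the apex and `www` hosts.

```python
import ipaddress
from datetime import date

# Constructed passive-DNS style records: (hostname, rrtype, rdata, first_seen).
# Not real data; the addresses are RFC 5737 documentation ranges.
RECORDS = [
    ("example.com",              "A", "203.0.113.10",  "2019-03-01"),
    ("www.example.com",          "A", "203.0.113.10",  "2019-03-01"),
    ("mail.example.com",         "A", "203.0.113.25",  "2019-03-01"),
    ("cdn.example.com",          "A", "203.0.113.40",  "2021-11-02"),
    ("login-secure.example.com", "A", "198.51.100.77", "2022-06-12"),  # suspicious
    ("update7.example.com",      "A", "192.0.2.9",     "2022-06-14"),  # suspicious
]


def find_shadowed(records, apex, today, max_age_days=90, prefix_len=24):
    """Return subdomains of `apex` that look like shadowed records.

    A subdomain is flagged when (a) its A record is outside every /prefix_len
    network the apex or www host resolves to, and (b) it was first seen within
    max_age_days of `today`. Old subdomains and subdomains on the owner's own
    networks are left alone, mirroring the attacker's own strategy of not
    touching existing records.
    """
    known_nets = set()
    for host, rrtype, rdata, _ in records:
        if rrtype == "A" and host in (apex, "www." + apex):
            known_nets.add(ipaddress.ip_network(f"{rdata}/{prefix_len}", strict=False))

    flagged = []
    for host, rrtype, rdata, first_seen in records:
        if rrtype != "A" or not host.endswith("." + apex) or host == "www." + apex:
            continue
        ip = ipaddress.ip_address(rdata)
        if any(ip in net for net in known_nets):
            continue                                   # on the owner's infrastructure
        age_days = (today - date.fromisoformat(first_seen)).days
        if age_days > max_age_days:
            continue                                   # long-established, not a new shadow
        flagged.append(host)
    return flagged


if __name__ == "__main__":
    for host in find_shadowed(RECORDS, "example.com", date(2022, 6, 30)):
        print("possible shadowed subdomain:", host)
```

Run against the sample set with a reference date of 30 June 2022, `login-secure` and `update7` are flagged while `mail` and `cdn` are not. The network check is deliberately coarse: a legitimate subdomain pointed at a third-party CDN or SaaS provider will trip it too, so in practice the output is a triage list to compare against the domain owner's change records, not a verdict on its own.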
U-Haul data breach exposed data of over 2 million customers
The moving and storage rental company launched an investigation, which concluded that the hackers accessed customers’ PII between November 5, 2021 and April 5, 2022. U-Haul traced the data breach to a contract search tool that provides access to rental contracts for U-Haul customers. However, no payment card information was exposed, since the tool does not have access to that data.
Twitter password reset bug exposes user accounts
Twitter fixed an issue that allowed accounts to remain logged in on multiple devices even after a voluntary password reset. In an announcement Wednesday, the social media company explained that the bug meant that users who proactively changed their passwords on one device could still have open sessions on other devices. As a result, a threat actor who had gained access to an account in some way would have kept that access even after such a reset. It’s unclear how long users were exposed in this way, but Twitter said the issue arose after it made a change “last year” to the systems that power its password reset functionality.
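The underlying design rule is that a password change must invalidate every session issued under the old credential, not just the one used to make the change. The following is an added example of one common way to do that, not Twitter’s code or a description of its systems: each user carries a credential version that is bumped on every password change, each session records the version it was issued under, and validation rejects any mismatch. The store, the field names and the token format are assumptions for illustration; `validate_buggy` shows the behaviour the article describes, `validate` the fix.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; returns salt || digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest


def check_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    return secrets.compare_digest(hash_password(password, salt)[16:], digest)


@dataclass
class User:
    password: bytes
    credential_version: int = 0   # bumped on every password change


@dataclass
class Session:
    user: str
    credential_version: int       # version the session was issued under


class SessionStore:
    """In-memory stand-in for a session database (assumption for the example)."""

    def __init__(self):
        self.users = {}
        self.sessions = {}        # token -> Session

    def add_user(self, name, password):
        self.users[name] = User(hash_password(password))

    def login(self, name, password):
        user = self.users.get(name)
        if user is None or not check_password(password, user.password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.credential_version)
        return token

    def validate_buggy(self, token):
        """Sessions outlive a password reset: any stored token is accepted."""
        return self.sessions.get(token)

    def validate(self, token):
        """Fixed: a session issued under an older credential version is rejected."""
        session = self.sessions.get(token)
        if session is None:
            return None
        if session.credential_version != self.users[session.user].credential_version:
            del self.sessions[token]   # stale; drop it so it cannot be replayed
            return None
        return session

    def reset_password(self, token, new_password):
        """Change the password and return a fresh token for the device that did it."""
        session = self.validate(token)
        if session is None:
            raise PermissionError("not authenticated")
        user = self.users[session.user]
        user.password = hash_password(new_password)
        user.credential_version += 1   # every session issued before this point is now stale
        del self.sessions[token]
        new_token = secrets.token_urlsafe(32)
        self.sessions[new_token] = Session(session.user, user.credential_version)
        return new_token
```

With the version check, the reset from one device leaves the user logged in there (on a freshly issued token) while every other device, including an attacker’s, is logged out on its next request. A per-user version has the advantage over deleting sessions that it also covers tokens held in caches or replicas the delete did not reach.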
Fake sites trick Zoom users into downloading deadly code
Threat researchers at cybersecurity firm Cyble have found six fake Zoom sites offering downloads that install the Vidar Stealer malware, which in turn fetches a number of other malicious payloads. The fake Zoom sites are part of a larger information theft campaign, according to the Cyble Research and Intelligence Lab (CRIL). Cyble researchers said the six sites, with names like zoom-download[.]host and zoomus[.]website, were still in operation at the time of their report. The sites redirect users to a GitHub URL that serves the downloadable, and of course malicious, applications.