Today — 18 June 2024 (Cybersecurity)

VMware Issues Patches for Cloud Foundation, vCenter Server, and vSphere ESXi

By: Newsroom
18 June 2024 at 04:24
VMware has released updates to address critical flaws impacting Cloud Foundation, vCenter Server, and vSphere ESXi that could be exploited to achieve privilege escalation and remote code execution. The list of vulnerabilities is as follows - CVE-2024-37079 & CVE-2024-37080 (CVSS scores: 9.8) - Multiple heap-overflow vulnerabilities in the implementation of the DCE/RPC protocol that could

Singapore Police Extradites Malaysians Linked to Android Malware Fraud

By: Newsroom
18 June 2024 at 03:38
The Singapore Police Force (SPF) has announced the extradition of two men from Malaysia for their alleged involvement in a mobile malware campaign targeting citizens in the country since June 2023. The unnamed individuals, aged 26 and 47, engaged in scams that tricked unsuspecting users into downloading malicious apps onto their Android devices via phishing campaigns with the aim of stealing

Key Takeaways From Horizon3.ai’s Analysis of an Entra ID Compromise

As enterprises shift from on-premises to cloud systems, hybrid cloud solutions have become essential for optimizing performance, scalability, and user ease. However, risks arise when poorly configured environments connect to the cloud. A compromised Microsoft Active Directory can fully compromise a synchronized Microsoft Entra ID tenant, undermining the integrity and trust of connected services.

The post Key Takeaways From Horizon3.ai’s Analysis of an Entra ID Compromise appeared first on Security Boulevard.

Linux Malware Campaign Uses Discord Emojis in Attack on Indian Government Targets


Cybersecurity researchers are tracking a novel Linux malware campaign that makes use of Discord emojis for command and control (C2) communication with attackers. The campaign’s unusual combination of Linux malware and phishing lures suggests an attack aimed at Linux desktop users, the researchers from Volexity said. “Volexity assesses it is highly likely this campaign, and the malware used, is targeted specifically towards government entities in India, who use a custom Linux distribution named BOSS as their daily desktop,” they wrote.

Threat Actor ‘UTA0137’ Linked to Campaign

Volexity researchers connected the campaign to a Pakistan-based threat actor they call UTA0137. The researchers said they have “high confidence that UTA0137 has espionage-related objectives and a remit to target government entities in India. Based on Volexity’s analysis, UTA0137’s campaigns appear to have been successful.” The researchers say they have “moderate confidence” that UTA0137 is a Pakistan-based threat actor because of the group’s targets and a few other reasons:
  • The Pakistani time zone was hardcoded in one malware sample.
  • There are weak infrastructure links to SideCopy, a known Pakistan-based threat actor.
  • The Punjabi language was used in the malware.
The malware used by the threat group uses a modified version of the discord-c2 GitHub project for its Discord command and control (C2) communication. The malware, dubbed DISGOMOJI by the researchers, is written in Golang and compiled for Linux systems. The threat actors also use the DirtyPipe (CVE-2022-0847) privilege escalation exploit against “BOSS 9” systems, which remain vulnerable to the exploit.

Attack Starts With DSOP PDF

The malware is delivered via a DSOP.pdf lure, which claims to be a beneficiary document of India’s Defence Service Officer Provident Fund (screenshot below).

Figure: The DSOP lure that downloads the malware

The malware then downloads the next-stage payload, named vmcoreinfo, from a remote server, clawsindia[.]in. The payload is an instance of the DISGOMOJI malware and is dropped in a hidden folder named .x86_64-linux-gnu in the user’s home directory. DISGOMOJI, a UPX-packed ELF written in Golang, uses Discord for C2. “An authentication token and server ID are hardcoded inside the ELF, which are used to access the Discord server,” they wrote. “The malware creates a dedicated channel for itself in the Discord server, meaning each channel in the server represents an individual victim. The attacker can then interact with every victim individually using these channels.” On startup, DISGOMOJI sends a check-in message in the channel that contains information like the internal IP, the user name, host name, OS and current working directory. The malware can survive reboots through the addition of a @reboot entry to the crontab, and it also downloads a script named uevent_seqnum.sh to copy files from any attached USB devices.

Discord Emojis Used for C2 Communication

C2 communication uses an emoji-based protocol, “where the attacker sends commands to the malware by sending emojis to the command channel, with additional parameters following the emoji where applicable.” A Clock emoji in the command message lets the attacker know a command is being processed, while a Check Mark emoji confirms that the command was executed. The researchers summarized the emoji commands in a table:

Figure: The Discord emojis used to communicate with attackers (source: Volexity)

Post-exploitation activities include use of the Zenity utility to display malicious dialog boxes to socially engineer users into giving up their passwords. Open source tools such as Nmap, Chisel and Ligolo are also used, and the DirtyPipe exploit suggests increasing sophistication of the attacker's methods, the researchers said. Indicators of compromise (IoCs) can be downloaded from the Volexity GitHub page.

Akira Ransomware Claims the TETRA Technologies, 40GB of Sensitive Data at Risk


TETRA Technologies, Inc., a diversified oil and gas services company operating through divisions including Fluids, Production Testing, Compression, and Offshore, has reportedly fallen victim to the Akira ransomware group. This TETRA Technologies cyberattack has put crucial data at risk, including personal documents like passports, birth certificates, and driver’s licenses, as well as confidential agreements and NDAs. The threat actor responsible for the attack has indicated their intention to release approximately 40GB of sensitive data. Despite these claims, TETRA Technologies has not yet issued an official statement confirming or denying the breach.

Decoding the TETRA Technologies Cyberattack Claim by Akira Ransomware

Figure: TETRA Technologies cyberattack claim (source: dark web)

The Cyber Express has reached out to the organization to learn more about this TETRA Technologies cyberattack. However, at the time of writing this, no official statement or response has been received, leaving the claims for the TETRA Technologies cyberattack unconfirmed. While the company’s public-facing website appears to be operational, it is speculated that the attack may have targeted internal systems or backend infrastructure rather than causing a visible disruption like a DDoS attack or website defacement. The threat actor behind this attack, Akira ransomware, has emerged as a significant threat in cybersecurity, highlighted by the Cybersecurity and Infrastructure Security Agency (CISA) warning and its widespread impact across various industries worldwide. Known for a dual extortion tactic involving data exfiltration and encryption, Akira ransomware demands ransom payments to prevent data publication on their dark website and to receive decryption keys. The group's name references a 1988 anime film, and they use specific strings like "*.akira" and "akira_readme.txt" for detection.

TETRA Technologies Releases New Processes for Managing Cybersecurity Risks and Governance

In their recent regulatory filings, specifically the 10-K filed on 2024-02-27, TETRA Technologies detailed their cybersecurity risk management and governance processes. These include ongoing risk assessments, incident response planning, and the implementation of cybersecurity training programs for employees. The company acknowledges the persistent evolution of cyber threats and emphasizes the importance of maintaining robust defenses against potential attacks. The Vice President of Information Technology leads TETRA Technologies’ cybersecurity initiatives, supported by a comprehensive framework to assess, identify, and manage cybersecurity risks across their operations. Regular updates and enhancements to their security protocols are integral to adapting to emerging threats and complying with regulatory standards. The Board of Directors and Audit Committee of TETRA Technologies provide oversight on cybersecurity matters, receiving periodic updates on the company’s cybersecurity risk profile and incident response capabilities. Management highlighted its commitment to safeguarding sensitive information and maintaining operational continuity despite the challenges posed by cyber threats.

Phishing Attack at Los Angeles County Department of Public Health Leads to Major Data Breach


The Los Angeles County Department of Public Health (DPH) has disclosed a significant data breach impacting more than 200,000 individuals. The data breach at Los Angeles County DPH, occurring between February 19 and 20, 2024, involved the theft of sensitive personal, medical, and financial information. The data breach was initiated through a phishing attack, where an external threat actor obtained the login credentials of 53 DPH employees. “Between February 19, 2024, and February 20, 2024, DPH experienced a phishing attack,” reads the official notice.

Data Breach at Los Angeles County DPH: What Happened

The phishing email, designed to appear legitimate, tricked employees into divulging their credentials by clicking on a malicious link. This unauthorized access led to a wide-ranging compromise of data, affecting various individuals associated with DPH, including clients, employees, and others. The compromised email accounts contained a wealth of sensitive data. The potentially exposed information includes:
  • First and last names
  • Dates of birth
  • Diagnosis and prescription details
  • Medical record numbers/patient IDs
  • Medicare/Med-Cal numbers
  • Health insurance information
  • Social Security numbers
  • Other financial information
It is important to note that not all of the above data elements were present for every affected individual. Each individual may have been impacted differently based on the specific information contained in the compromised accounts. “Affected individuals may have been impacted differently and not all of the elements listed were present for each individual,” Los Angeles County DPH said.

Data Breach at Los Angeles County DPH: Notification

DPH is taking extensive steps to notify all potentially affected individuals. Notifications are being sent via post to those whose mailing addresses are available. For individuals without a mailing address, DPH also posts a notice on its website to provide necessary information and resources. The department has advised impacted individuals to review the content and accuracy of their medical records with their healthcare providers. On the delay in notification, Los Angeles County DPH said, “Due to an investigation by law enforcement, we were advised to delay notification of this incident, as public notice may have hindered their investigation.” To assist in protecting against potential misuse of their information, DPH is offering one year of free identity monitoring services through Kroll, a global leader in risk mitigation and response. “To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll, a global leader in risk mitigation and response, to provide identity monitoring for one year at no cost to affected clients,” reads the notice.

Response and Preventive Measures

Upon discovering the Los Angeles County DPH data breach, DPH took immediate action to mitigate further risks. The department disabled the affected email accounts, reset and re-imaged the users’ devices, blocked the websites involved in the phishing campaign, and quarantined all suspicious incoming emails. Additionally, DPH has implemented numerous security enhancements to prevent similar incidents in the future. Awareness notifications have been distributed to all workforce members, reminding them to be vigilant when reviewing emails, especially those containing links or attachments. These measures aim to bolster the department’s defense against phishing attacks and other cyber threats. The incident was promptly reported to law enforcement authorities, who investigated the breach. The US Department of Health and Human Services’ Office for Civil Rights and other relevant agencies were also notified, as required by law and contractual obligations.

Steps for Individuals to Protect Themselves

While DPH cannot confirm whether any information has been accessed or misused, affected individuals are encouraged to take proactive steps to protect their personal information. These steps include:
  • Reviewing Medical Records: Individuals should review their medical records and Explanation of Benefits statements for any discrepancies or unauthorized services. Any irregularities should be reported to their healthcare provider or health plan.
  • Requesting Credit Reports: Individuals should remain vigilant against identity theft and fraud by regularly reviewing their financial statements and credit reports. Under US law, individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus: Equifax, Experian, and TransUnion. Free credit reports can be requested at www.annualcreditreport.com or by calling 1-877-322-8228.
  • Placing Fraud Alerts: Individuals can place a fraud alert on their credit files, which notifies creditors to take additional steps to verify identity before granting credit. Fraud alerts can be set up by contacting any of the major credit bureaus.
  • Security Freezes: A security freeze can also be placed on credit reports, which prevents credit bureaus from releasing any information without written authorization. This measure can help prevent unauthorized credit activity but may delay the approval of new credit requests.
The Los Angeles County Department of Public Health continues to cooperate with law enforcement and other agencies to protect the privacy and security of its clients, employees, and other stakeholders.
Yesterday — 17 June 2024 (Cybersecurity)

Enhancing Enterprise Browser Security

17 June 2024 at 18:01

TechSpective Podcast Episode 133. Nick Edwards, Vice President of Product Management at Menlo Security joins me for this insightful episode of the TechSpective Podcast. Nick brings decades of cybersecurity experience to the table, offering a deep dive into the […]

The post Enhancing Enterprise Browser Security appeared first on TechSpective.

The post Enhancing Enterprise Browser Security appeared first on Security Boulevard.


From Risk to Resolution: OX Security’s Integrations with KEV and EPSS Drive Smarter Vulnerability Prioritization

17 June 2024 at 15:54

In June 2023, a critical vulnerability (CVE-2023-34362) in the MOVEit Transfer file transfer software was exploited by adversaries, resulting in a series of high-profile data breaches. Despite the availability of patches, and the vulnerability being publicly known and actively exploited, many organizations failed to prioritize its remediation. This lapse allowed attackers to gain unauthorized access […]

The post From Risk to Resolution: OX Security’s Integrations with KEV and EPSS Drive Smarter Vulnerability Prioritization appeared first on OX Security.

The post From Risk to Resolution: OX Security’s Integrations with KEV and EPSS Drive Smarter Vulnerability Prioritization appeared first on Security Boulevard.

USENIX Security ’23 – No Linux, No Problem: Fast and Correct Windows Binary Fuzzing via Target-embedded Snapshotting

17 June 2024 at 15:00

Authors/Presenters:Leo Stone, Rishi Ranjan, Stefan Nagy, Matthew Hicks

Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and for the organization’s strong commitment to Open Access.
The talk originates from the conference’s events at the Anaheim Marriott and is available via the organization’s YouTube channel.


The post USENIX Security ’23 – No Linux, No Problem: Fast and Correct Windows Binary Fuzzing via Target-embedded Snapshotting appeared first on Security Boulevard.

Malvertising Campaign Leads to Execution of Oyster Backdoor

By: Rapid7
17 June 2024 at 16:28

The following analysts contributed to this blog: Thomas Elkins, Daniel Thiede, Josh Lockwood, Tyler McGraw, and Sasha Kovalev.

Executive Summary

Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams. The installers were being used to drop a backdoor identified as Oyster, aka Broomstick. Following execution of the backdoor, we have observed enumeration commands indicative of hands-on-keyboard activity as well as the deployment of additional payloads.

In this blog post, we will examine the delivery methods of the Oyster backdoor, provide an in-depth analysis of its components, and offer a Python script to help extract its obfuscated configuration.

Overview

Initial Access

In three separate incidents, Rapid7 observed users downloading supposed Microsoft Teams installers from typo-squatted websites. Users were directed to these websites after using search engines such as Google and Bing for Microsoft Teams software downloads. Rapid7 observed that the websites were masquerading as Microsoft Teams websites, enticing users into believing they were downloading legitimate software when, in reality, they were downloading the threat actor’s malicious software.

Figure 1 - Fake Microsoft Teams Website

In one case, a user was observed navigating to the URL hxxps://micrsoft-teams-download[.]com/, which led to the download of the binary MSTeamsSetup_c_l_.exe. Initial analysis showed that the binary was signed with an Authenticode certificate issued to “Shanxi Yanghua HOME Furnishings Ltd”.

Figure 2 - MSTeamsSetup_c_l_.exe File Information

Searching VirusTotal for other files signed by “Shanxi Yanghua HOME Furnishings Ltd” showed the following:

Figure 3 - VirusTotal Signature Search Results

The results indicated other versions of the installer, each impersonating a legitimate software installer. We observed that the first installer was submitted to VirusTotal around mid-May 2024.

In a related incident that occurred on May 29, 2024, we observed another binary posing as a Microsoft Teams setup file, TMSSetup.exe, which was signed with a valid certificate issued to “Shanghai Ruikang Decoration Co., Ltd”. As of May 30, 2024, that certificate has been revoked.

VirusTotal analysis of the binary MSTeamsSetup_c_l_.exe indicates it is associated with a malware family known as Oyster, dubbed Broomstick by IBM.

What is Oyster/Broomstick?

Oyster aka Broomstick aka CleanUpLoader is a family of malware first spotted in September of 2023 by researchers at IBM. While not much is known about the malware, it was delivered via a loader called Oyster Installer, which masqueraded as a browser installer. The installer was responsible for dropping the backdoor component, Oyster Main. Oyster Main was responsible for gathering information about the compromised host, handling communication with the hard-coded command-and-control (C2) addresses, and providing the capability for remote code execution.

In February, researchers on Twitter observed the same backdoor component and started to name the Oyster Main backdoor, CleanUpLoader.

In recent incidents, Rapid7 has observed Oyster Main being delivered without the Oyster Installer.

Technical Analysis

Initial analysis of the binary MSTeamsSetup_c_l_.exe revealed that two binaries were stored within the resource section. During execution, a function was observed using FindResourceA to locate the binaries, followed by LoadResource to access them. These binaries were then dropped into the Temp folder. We observed that the intended names of the two binaries dropped by MSTeamsSetup_c_l_.exe were CleanUp30.dll and MSTeamsSetup_c_l_.exe (the legitimate Microsoft Teams installer).

After dropping the binary CleanUp30.dll into the Temp directory, the program executes the DLL, passing the string rundll32.exe %s,Test to the function CreateProcessA, where %s stores the value CleanUp30.dll.

Figure 4 - Execution of CleanUp30.dll

After the execution of CleanUp30.dll, the program proceeds to initiate the legitimate Microsoft Teams installer, MSTeamsSetup_c_l_.exe, also located within the Temp directory. This tactic is employed to avoid raising suspicion from the user.

CleanUp30.dll Analysis

During the execution of CleanUp30.dll, Rapid7 observed that the binary starts by attempting to create the hard-coded mutual exclusion object (mutex) ITrkfSaV-4c7KwdfnC-Ds165XU4C-lH6R9pk1. Programs often create a mutex to determine whether another instance is already running; if one is, the new instance terminates.

After creating the mutex, the binary determines its execution path by calling the function GetModuleFileNameA. The value is stored as a string and used as a parameter for the creation of a scheduled task, ClearMngs. The scheduled task is created using the function ShellExecuteExW, passing the following as the command line:

schtasks.exe /create /tn ClearMngs /tr "rundll32 '<location of binary>\CleanUp30.dll',Test" /sc hourly /mo 3 /f

The purpose of the scheduled task ClearMngs is to execute the binary <location of binary>\CleanUp30.dll with the exported function of Test using rundll32.exe every three hours.

After the creation of the scheduled task, the binary then proceeds to decode its C2 servers using a unique decoding function. The decoding function takes an encoded string and its length in bytes, then reads in each byte, starting from the end of the encoded string.

Figure 5 - The DLL’s Decoding Loop

Each byte of the encoded string is used as an index location to retrieve the decoded byte from a hard-coded byte map. A byte map is a byte array containing 256 bytes in a randomized order, one for each possible byte value from 1 to 256. Malware authors sometimes use this technique to obfuscate strings and other data. The iteration counter (i) used within the condition for the decoding loop is compared to half of the encoded string’s length as the decoding loop swaps two bytes at a time. The bytes of the encoded string are decoded and swapped beginning at the start and end bytes of the string and the decoding loop then progresses towards the center of the string from each end.

The loop swaps the bytes to reverse the decoded string, as the original plaintext strings stored in the malware were reversed prior to encoding. When the center of the string is reached, the decoding process is complete. Due to this algorithm, all the encoded strings that are passed must be of even length to avoid further processing. Immediately after the decoded string is loaded onto the stack, the malware then re-encodes the string using a similar loop. The final result for the first decoded string is a carriage return line feed (CRLF) delimited list of C2 domains.

We constructed a Python script that can decode all the encoded strings contained within the CleanUp.dll binaries, including previous versions. The Python script can be found in our GitHub repository.

Figure 6 - Sample Output from Python Script

Our Python script revealed some of the C2 functionality, along with several JSON fields that are used to build a fingerprint of the infected system:

Hex Encoded String | Decoded String
2ec6a676766fc6f4960e86 | api/connect
50b0aea6747686b64eaef69e2ec6a64e96262ea64e | supfoundrysettlers.us
50b0b6f6c674a646a6b6f6164ea66ea64ea616ee | whereverhomebe.com
50b0ceae74ce4ea6362e2ea6ce9e4e2676aef6660eaece | retdirectyourman.eu
76f6ce56f476f6962e86c696360e0e86045ca60e9e2ab42e76a62e76f6c2 | Content-Type: application/json
76f696cece65cef4960e86 | api/session
a61ea67426b6c63a346ceaf2eace9eca3a | \SysWOW64\cmd.exe
a61ea6744ccc36362676ae4e3a2c6ceaf2eace9eca3a | \SysWOW64\rundll32.exe
d2f2 | OK
3a0eb6a62a3a | \Temp\
445c442696fa267686b6b6f6c6443444 | ","command_id":"
be44 | "}
445c44649644de | {"id":"
445c442e36aecea64e443444 | ","result":"
445c442696fa76f696cecea6ce443444 | ","session_id":"
445c44ceae2e862ece443444 | ","status":"
2e1e2e740eae7686a636c63a | \cleanup.txt
445c44a6b68676fa4e652eae0eb6f6c6443444 | ","computer_name":"
0ccc445c4476f696ce72a66efa363626443444 | ","dll_version":"30
445c44769686b6f626443444 | ","domain":"
be44 | "}
445c44649644de | {"id":"
445c443686c6f636fa0e96443444 | ","ip_local":"
445c44cef6443444 | ","os":"
445c44263696ae46facef6443444 | ","os_build":"
445c44a6e6a636656e964e0e443444 | ","privilege":"
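To make the decoding loop described above concrete, here is an added re-implementation in Python (not Rapid7's own script). The DLL's hard-coded 256-byte map is not reproduced on this page, so per-byte bit reversal stands in for it; that choice was made because it reproduces pairs in the table such as d2f2 -> OK and 2ec6a676766fc6f4960e86 -> api/connect, which is an observation about the table rather than a claim the article makes.

```python
"""Re-implementation of the string decoding loop described above.

Added example, not Rapid7's script. The DLL's hard-coded 256-byte map is not
on this page, so per-byte bit reversal is used as a stand-in table; it was
chosen because it reproduces the table's pairs (for example d2f2 -> OK).
"""
from typing import List


def _bit_reverse(b: int) -> int:
    """Reverse the eight bits of one byte, e.g. 0x4f ('O') -> 0xf2."""
    return int(f"{b:08b}"[::-1], 2)


# Stand-in for the hard-coded byte map: index = encoded byte, value = plaintext byte.
BYTE_MAP = bytes(_bit_reverse(b) for b in range(256))

# Inverse table, used to re-encode strings the way the DLL does after use.
INV_BYTE_MAP = bytes(BYTE_MAP.index(v) for v in range(256))


def decode(encoded: bytes, byte_map: bytes = BYTE_MAP) -> bytes:
    """Decode one string the way the DLL's loop does.

    The loop runs i from 0 to len/2. At each step the byte at the end is
    looked up in the map and written to position i, and the byte at position
    i is looked up and written to the end, so the string is substituted and
    reversed in one pass. For an odd-length input the middle byte is never
    visited and is copied through unchanged, which matches the article's note
    that the encoded strings are expected to be even-length.
    """
    n = len(encoded)
    out = bytearray(encoded)
    for i in range(n // 2):
        j = n - 1 - i
        out[i] = byte_map[encoded[j]]
        out[j] = byte_map[encoded[i]]
    return bytes(out)


def encode(plain: bytes, inv_map: bytes = INV_BYTE_MAP) -> bytes:
    """Inverse of decode(): the same swap loop driven by the inverse table."""
    return decode(plain, inv_map)


def decode_hex(hex_string: str) -> str:
    """Decode one of the hex strings listed in the table above."""
    return decode(bytes.fromhex(hex_string)).decode("latin-1")


def split_c2_list(decoded: bytes) -> List[str]:
    """The first decoded string is a CRLF-delimited list of C2 domains."""
    return [d.decode("latin-1") for d in decoded.split(b"\r\n") if d]


if __name__ == "__main__":
    for h in ("d2f2", "be44", "2ec6a676766fc6f4960e86", "445c44649644de"):
        print(h, "->", repr(decode_hex(h)))
    # Constructed domain list (placeholder names, not the campaign's C2s).
    sample = b"c2-one.example\r\nc2-two.example\r\n"
    print(split_c2_list(decode(encode(sample))))
```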

After the binary decodes the C2 addresses, the program proceeds to fingerprint the infected machine, using the following functions:

Function | Description
DsRoleGetPrimaryDomainInformation | Used to gather information about the domain the compromised machine resides in. In particular, the function returns the domain name.
GetUserNameW | Provides the name of the user under which the program is running.
NetUserGetInfo | Provides details of the user under which the program is running. In this case, the program is querying whether the user is an admin or a standard user.
GetComputerNameW | Provides the name of the compromised machine on which the binary is running.
RtlGetVersion | Returns version information about the currently running operating system, including name and version number.

Figure 7 - A Selection of Contents of the CleanUp30.dll Code that Outline the Collection of System Information

While enumerating information about the host, the information is stored in the JSON fields uncovered from the encoded strings identified above.

Figure 8 - Example of the Data Collected and Sent via HTTP POST to the Malicious Domains

The fingerprint information is encoded using the same loop previously discussed, where the data string is reversed and encoded using a byte map before being sent.

After the information is encoded, it is sent to the domains whereverhomebe[.]com/, supfoundrysettlers[.]us/, and retdirectyourman[.]eu/ via HTTP POST method. Rapid7 determined that CleanUp30.dll uses the open-source C++ library Boost.Beast to communicate with the observed C2 domains via HTTP and web sockets.

Figure 9 - Captured Network Traffic Attempting to Send POST Requests to whereverhomebe[.]com/ and supfoundrysettlers[.]us/ Following the Execution of CleanUp30.dll

Follow-on Activity

In one of the incidents Rapid7 observed, a PowerShell script was spawned following the execution of another version of CleanUp30.dll, CleanUp.dll. CleanUp.dll, similar to CleanUp30.dll, was originally dropped by the other fake Microsoft Teams installer, TMSSetup.exe, which dropped the binary into the AppData/Local/Temp directory as well.

Figure 10 - PowerShell Command Creating .lnk File DiskCleanUp.lnk

The purpose of the PowerShell script was to create a shortcut LNK file named DiskCleanUp.lnk within C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\. By doing so, this ensured that the LNK file DiskCleanUp.lnk would be run each time the user logged in. The shortcut LNK file was responsible for executing the binary CleanUp.dll using rundll32.exe, passing the export Test.
Following the execution of the PowerShell script, Rapid7 observed execution of additional payloads:

  • k1.ps1
  • main.dll
  • getresult.exe

Unfortunately, during the incident, we were unable to acquire the additional payloads. During the incidents, Rapid7 also observed execution of the following enumeration commands:

Enumeration | Description
systeminfo | Provides information about the system's software and hardware configuration
arp -a | Shows a list of all IP addresses that the local computer has recently interacted with, along with their corresponding MAC addresses
net group 'domain computers' /domain | Lists the "Domain Computers" group within an Active Directory domain
"C:\Windows\system32\nslookup.exe" myip.opendns.com resolver1.opendns.com | Determines the external IP address
whoami /all | Provides detailed information about the current user, including the user's privileges, group memberships, and security identifiers (SIDs)
nltest /dclist:<domain_name> | Lists all the domain controllers (DCs) for a specific domain
net user admin | Provides detailed information about the user 'admin', including profile information, group memberships, local group memberships, etc.
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /s | Queries the registry to find information about installed software
findstr "DisplayName" | Used to filter information, showing only items contained under "DisplayName"

Rapid7 Customers

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this malware campaign:

  • Persistence - SchTasks Creating A Task Pointed At Users Temp Or Roaming Directory
  • Suspicious Process: RunDLL32 launching CMD or PowerShell
  • Persistence - Schtasks.exe Creating Task That Executes RunDLL32
  • Network Discovery - Nltest Enumerate Domain Controllers
  • Attacker Technique - Determining External IP Via Command Line
  • Suspicious Process - .lnk in PowerShell Command Line
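As an added illustration of how detections like those listed above can be expressed (these are constructed rules, not Rapid7's detection logic), the following Python matches process-creation events against the behaviours named in the list. The schtasks, nslookup and nltest command lines follow the ones quoted in this post; the victim user name, the domain name and the benign control events are constructed placeholders.

```python
"""Constructed process-creation events and rules matching the detections named above.

Added example, not Rapid7's rule logic. Events are dicts with three fields:
parent (parent image path), image (process image path), cmdline (command line).
"""
import re
from typing import Callable, Dict, List

Event = Dict[str, str]


def _image_name(path: str) -> str:
    """Return the lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Paths under a user's Temp or Roaming directory, where the CleanUp DLLs were dropped.
_USER_TEMP_OR_ROAMING = re.compile(r"\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.I)


def _schtasks_create(e: Event) -> bool:
    """True for a schtasks.exe process that is creating a task."""
    return _image_name(e["image"]) == "schtasks.exe" and "/create" in e["cmdline"].lower()


RULES: Dict[str, Callable[[Event], bool]] = {
    "Persistence - SchTasks Creating A Task Pointed At Users Temp Or Roaming Directory":
        lambda e: _schtasks_create(e) and _USER_TEMP_OR_ROAMING.search(e["cmdline"]) is not None,
    "Persistence - Schtasks.exe Creating Task That Executes RunDLL32":
        lambda e: _schtasks_create(e) and "rundll32" in e["cmdline"].lower(),
    "Suspicious Process: RunDLL32 launching CMD or PowerShell":
        lambda e: _image_name(e["parent"]) == "rundll32.exe"
        and _image_name(e["image"]) in ("cmd.exe", "powershell.exe"),
    "Network Discovery - Nltest Enumerate Domain Controllers":
        lambda e: _image_name(e["image"]) == "nltest.exe" and "/dclist" in e["cmdline"].lower(),
    "Attacker Technique - Determining External IP Via Command Line":
        lambda e: _image_name(e["image"]) == "nslookup.exe"
        and "myip.opendns.com" in e["cmdline"].lower(),
    "Suspicious Process - .lnk in PowerShell Command Line":
        lambda e: _image_name(e["image"]) == "powershell.exe" and ".lnk" in e["cmdline"].lower(),
}


def evaluate(event: Event) -> List[str]:
    """Names of all rules that fire on one event, in RULES order."""
    return [name for name, rule in RULES.items() if rule(event)]


def triage(events: List[Event]) -> Dict[int, List[str]]:
    """Map event index -> fired rules, only for events that fired at least one rule."""
    hits: Dict[int, List[str]] = {}
    for idx, event in enumerate(events):
        fired = evaluate(event)
        if fired:
            hits[idx] = fired
    return hits


# Constructed events. "victim" and "corp.example" are placeholders; the PowerShell
# script body from the incident is not reproduced and is elided with "...".
SAMPLE_EVENTS: List[Event] = [
    {"parent": r"C:\Windows\System32\rundll32.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"""schtasks.exe /create /tn ClearMngs /tr "rundll32 'C:\Users\victim\AppData\Local\Temp\CleanUp30.dll',Test" /sc hourly /mo 3 /f"""},
    {"parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command ... C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiskCleanUp.lnk ..."},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\system32\nslookup.exe",
     "cmdline": r'"C:\Windows\system32\nslookup.exe" myip.opendns.com resolver1.opendns.com'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /dclist:corp.example"},
    # Benign control: a scheduled task pointing at Program Files, not rundll32 or a user directory.
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn Backup /tr "C:\Program Files\Backup\backup.exe" /sc daily'},
]

if __name__ == "__main__":
    for idx, fired in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"][:60], "->", fired)
```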

MITRE ATT&CK Techniques

Tactic | Technique | Description
Resource Development | Acquire Infrastructure: Domains (T1583.001) | Threat actor set up the typo-squatted domain micrsoft-teams-download[.]com to aid in the delivery of the executable MSTeamsSetup_c_l_.exe
Execution | Command and Scripting Interpreter: PowerShell (T1059.001) | Used to create the .lnk file DiskCleanUp.lnk and execute the PowerShell payload k1.ps1
Execution | User Execution: Malicious File (T1204.002) | User executes the binary MSTeamsSetup_c_l_.exe
Persistence | Scheduled Task (T1053.005) | CleanUp30.dll and CleanUp.dll create the scheduled task ClearMngs
Defense Evasion | Masquerading: Match Legitimate Name or Location (T1036.005) | MSTeamsSetup_c_l_.exe masquerades as the legitimate Microsoft Teams installer
Defense Evasion | Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003) | Execution delays are performed by several stages throughout the attack flow
Collection | Data from Local System (T1005) | Threat actors enumerated information about compromised hosts using the CleanUp backdoor DLLs
Command and Control | Data Encoding: Non-Standard Encoding (T1132.002) | The CleanUp DLLs send encoded data to the C2s using a unique encoding function

IOCs

IOC | Hash | Description
TMSSetup.exe | 9601f3921c2cd270b6da0ba265c06bae94fd7d4dc512e8cb82718eaa24accc43 | The malicious executable downloaded from prodfindfeatures[.]com/
MSTeamsSetup_c_l_.exe | 574C70E84ECDAD901385A1EBF38F2EE74C446034E97C33949B52F3A2FDDCD822 | The malicious executable downloaded from prodfindfeatures[.]com/
CleanUp30.dll | CFC2FE7236DA1609B0DB1B2981CA318BFD5FBBB65C945B5F26DF26D9F948CBB4 | The .dll file run by rundll32.exe following the execution of MSTeamsSetup_c_l_.exe
CleanUp.dll | 82B246D8E6FFBA1ABAFFBD386470C45CEF8383AD19394C7C0622C9E62128CB94 | The .dll file run by rundll32.exe following the execution of TMSSetup.exe
DiskCleanUp.lnk | b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa | An .lnk file created following the execution of CleanUp30.dll
prodfindfeatures[.]com/ | - | The domain hosting the malicious files TMSSetup (1).exe and MSTeamsSetup_c_l_.exe
micrsoft-teams-download[.]com/ | - | The typo-squatted domain that users visited
impresoralaser[.]pro/ | - | Part of the domain redirect chain for downloads of TMSSetup (1).exe and MSTeamsSetup_c_l_.exe
whereverhomebe[.]com/ | - | Domain that CleanUp30.dll and CleanUp.dll attempt to communicate with
supfoundrysettlers[.]us/ | - | Domain that CleanUp30.dll and CleanUp.dll attempt to communicate with
retdirectyourman[.]eu/ | - | Domain that CleanUp30.dll and CleanUp.dll attempt to communicate with
149.248.79[.]62 | - | Resolving IP for whereverhomebe[.]com/
64.95.10[.]243 | - | Resolving IP for supfoundrysettlers[.]us/
206.166.251[.]114 | - | Resolving IP for retdirectyourman[.]eu/

References

Article | URL
Broomstick Malware Profile | https://exchange.xforce.ibmcloud.com/malware-analysis/guid:08822f57c12416bc3e74997c473d1889
Twitter Mention of CleanUpLoader | https://x.com/RussianPanda9xx/status/1757932257765945478

California’s Facial Recognition Bill Is Not the Solution We Need

17 June 2024 at 16:16

California Assemblymember Phil Ting has introduced A.B. 1814, a bill that would supposedly regulate police use of facial recognition technology. The problem is that it would do little to actually change the status quo of how police use this invasive and problematic technology. Police use of facial recognition poses a massive risk to civil liberties, privacy, and even our physical health, as the technology has been known to wrongfully sic armed police on innocent people, particularly Black men and women. That’s why this issue is too important to address with inadequate half-measures like A.B. 1814.

The bill dictates that police should examine facial recognition matches “with care” and that a match should not be the sole basis for the probable cause for an arrest or search warrant. And while we agree it is a big issue that police seem to repeatedly use the matches spit out by a computer as the only justification for arresting people, the limit this bill imposes is, in theory, already the limit. Police departments and facial recognition companies alike maintain that police cannot justify an arrest using only algorithmic matches, so what would this bill really change? It only gives the appearance of doing something to address face recognition technology's harms, while inadvertently allowing the practice to continue.

Additionally, A.B. 1814 gives defendants no real recourse against police who violate its requirements. There is neither a suppression remedy nor a usable private cause of action. The bill lacks transparency requirements that would compel police departments to reveal whether they used face recognition in the first place. This means that if police did wrongfully arrest someone because a computer said they looked similar to the subject, that person would likely not even know they could sue the department for damages, unless they uncovered it while being prosecuted.

Despite these attempts at creating leaky bureaucratic reforms, police may continue to use this technology to identify people at protests, track marginalized individuals when they visit doctors or have other personal encounters, and for any number of other civil liberties-chilling uses police might overtly or inadvertently deploy. For this reason, EFF continues to advocate for a complete ban on government use of face recognition, an approach that has also led cities across the United States to stand up for themselves and enact bans. Until the day comes that California lawmakers realize the urgent need to ban government use of face recognition, we will continue to differentiate between bills that will make a serious difference in the lives of the surveilled and those that do not. That is why we are urging Assemblymembers to vote no on A.B. 1814.

The Surgeon General's Fear-Mongering, Unconstitutional Effort to Label Social Media

17 June 2024 at 14:46

Surgeon General Vivek Murthy’s extraordinarily misguided and speech-chilling call this week to label social media platforms as harmful to adolescents is shameful fear-mongering that lacks scientific evidence and turns the nation’s top physician into a censor. This claim is particularly alarming given the far more complex and nuanced picture that studies have drawn about how social media and young people’s mental health interact.

The Surgeon General’s suggestion that speech be labeled as dangerous is extraordinary. Communications platforms are not comparable to unsafe food, unsafe cars, or cigarettes, all of which are physical products—rather than communications platforms—that can cause physical injury. Government warnings on speech implicate our fundamental rights to speak, to receive information, and to think. Murthy’s effort will harm teens, not help them, and the announcement puts the Surgeon General in the same category as censorial public officials like Anthony Comstock.

There is no scientific consensus that social media is harmful to children's mental health. Social science shows that social media can help children overcome feelings of isolation and anxiety. This is particularly true for LGBTQ+ teens. EFF recently conducted a survey in which young people told us that online platforms are the safest spaces for them, where they can say the things they can't in real life ‘for fear of torment.’ They say these spaces have improved their mental health and given them a ‘haven’ to talk openly and safely. This comports with Pew Research findings that teens are more likely to report positive than negative experiences in their social media use.

Additionally, Murthy’s effort to label social media creates significant First Amendment problems in its own right, as any government labeling effort would be compelled speech and courts are likely to strike it down.

Young people’s use of social media has been under attack for several years. Several states have recently introduced and enacted unconstitutional laws that would require age verification on social media platforms, effectively banning some young people from them. Congress is also debating several federal censorship bills, including the Kids Online Safety Act and the Kids Off Social Media Act, that would seriously impact young people’s ability to use social media platforms without censorship. Last year, Montana banned the video-sharing app TikTok, citing both its Chinese ownership and its interest in protecting minors from harmful content. That ban was struck down as unconstitutionally overbroad; despite that, Congress passed a similar federal law forcing TikTok’s owner, ByteDance, to divest the company or face a national ban.

Like Murthy, lawmakers pushing these regulations cherry-pick the research, nebulously citing social media’s impact on young people, and dismissing both positive aspects of platforms and the dangerous impact these laws have on all users of social media, adults and minors alike. 

We agree that social media is not perfect, and can have negative impacts on some users, regardless of age. But if Congress is serious about protecting children online, it should enact policies that promote choice in the marketplace and digital literacy. Most importantly, we need comprehensive privacy laws that protect all internet users from predatory data gathering and sales that target us for advertising and abuse.

Chariot Continuous Threat Exposure Management (CTEM) Updates

17 June 2024 at 17:19

Our engineering team has been hard at work reworking our flagship Chariot platform so that it remains the most comprehensive and powerful CTEM platform on the market. So what’s new? Here are several new features recently added to Chariot: 1. Unmanaged Platform Chariot, Praetorian’s Continuous Threat Exposure Management (CTEM) solution, is now available […]

The post Chariot Continuous Threat Exposure Management (CTEM) Updates appeared first on Praetorian.

The post Chariot Continuous Threat Exposure Management (CTEM) Updates appeared first on Security Boulevard.

APIs: The Silent Heroes of Data Center Management

17 June 2024 at 15:38

In the intricate ecosystem of data center operations, managing and optimizing infrastructure is a complex, continuous task. Data Center Infrastructure Management (DCIM) software has emerged as a vital tool in this arena, providing real-time monitoring, management, and analytical capabilities. Yet, the true potential of DCIM software is unlocked when it can seamlessly integrate with ...

The post APIs: The Silent Heroes of Data Center Management appeared first on Hyperview.

The post APIs: The Silent Heroes of Data Center Management appeared first on Security Boulevard.

Leveraging ASNs and Pivoting to Uncover Malware Campaigns

17 June 2024 at 12:00

Identifying and Mitigating Complex Malware Campaigns with ASNs

This week, I spent a good deal of time going down some rabbit holes - all of which were fascinating. However, this is an example of work we do that we would like to share but aren't always able to. In this instance, we found confidential information related to a hacked mail server within malware we detonated. The malware was configured to use a government mail server as a relay to email out keylogger data.

In each case of the malware, there were essentially two victims, the victim(s) of the malware, and the operators of the mail server being used in the attacks. We've notified the department that manages the mail server of the compromise, and of the credentials used to send mail with their server.

This brings me to the "how" of it all. Cyber threat intelligence (CTI) experts and investigators face the daunting challenge of identifying and mitigating complex malware campaigns. These campaigns, orchestrated by sophisticated threat actors, often leverage diverse infrastructure and techniques to evade detection and compromise targets.

In this blog, we'll explore in detail how CTI experts can harness the power of Autonomous System Numbers (ASNs) and employ pivoting techniques to uncover and analyze malware campaigns. By understanding the nuances of ASNs and mastering effective pivoting strategies, CTI professionals can enhance their capabilities in threat detection, attribution, and response.

Understanding ASNs

Autonomous System Numbers (ASNs) serve as unique identifiers assigned to networks participating in the global routing system. Each ASN corresponds to an organization or entity that controls a portion of the internet's IP address space. By analyzing ASNs, CTI experts can gain valuable insights into the infrastructure utilized by threat actors to conduct malicious activities.

These insights include identifying the origins of malicious traffic, pinpointing hosting providers associated with malware distribution, and tracing connections between seemingly disparate cyber threats.

Pivoting with ASNs

Pivoting is a fundamental investigative technique that involves using known information or indicators of compromise (IOCs) as a starting point to uncover additional related data and connections. When investigating malware campaigns, CTI experts can pivot using ASNs to expand their understanding of the threat landscape and uncover hidden relationships.

Here's a step-by-step breakdown of how pivoting with ASNs can be accomplished:

1. Initial Investigation: The process begins with collecting IOCs such as IP addresses, domain names, file hashes, and other artifacts associated with a suspected malware campaign. These IOCs serve as the starting point for the investigation.

2. ASN Enumeration: CTI experts utilize specialized tools, databases, and techniques to map the collected IP addresses to their corresponding ASNs. This mapping provides crucial insights into the ownership and affiliations of the networks involved in the malware campaign.

3. ASN Analysis: Once the ASNs associated with the collected IOCs are identified, CTI professionals conduct a detailed analysis to uncover patterns, anomalies, and potential relationships between different malware campaigns. They look for commonalities such as shared infrastructure or hosting providers used by multiple threats.

4. Expand Investigation: Armed with insights from the ASN analysis, CTI experts pivot further to gather additional IOCs associated with the same ASNs. This may involve exploring related IP ranges, domains hosted on the same infrastructure, or other ASNs controlled by the same organization.

5. Threat Attribution: The final step involves analyzing the gathered data to attribute the malware campaigns to specific threat actors or groups. By tracing connections between different ASNs and malware activities, CTI experts can uncover the broader infrastructure and operations of malicious actors.

Using ASNs to Uncover a Malware Campaign

To illustrate the effectiveness of this approach, let's consider a hypothetical scenario where a CTI team investigates a ransomware campaign targeting a financial institution. By analyzing the ransomware samples and associated IOCs, the team identifies several IP addresses used as command and control (C2) servers.

Through ASN enumeration and analysis, they discover that these IP addresses belong to a hosting provider known for harboring malicious activities. Pivoting with the identified ASN leads them to uncover additional C2 servers, domains, and IP ranges used by the same threat actor across multiple campaigns. This comprehensive view enables the CTI team to attribute the ransomware campaign to a sophisticated cybercriminal group and take proactive measures to disrupt their operations.
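The five steps above, played through the hypothetical ransomware scenario, as an added example that is not HYAS's code or product logic: the prefix-to-ASN table and the per-campaign IOC sets are constructed from documentation address ranges and documentation ASNs, and a real investigation would pull the table from a routing or WHOIS source instead.

```python
"""Offline ASN pivot over constructed IOCs (added example, not HYAS code).

Step 1 = CAMPAIGN_IOCS, step 2 = enumerate_asns (longest-prefix match),
step 3 = shared_asns, step 4 = pivot, step 5 = attribution_report.
All prefixes are RFC 5737 TEST-NET blocks and all ASNs are RFC 5398
documentation ASNs, so nothing here refers to a real network.
"""
import ipaddress
from collections import defaultdict

# Constructed routing-table fragment: (prefix, ASN, organisation).
PREFIX_TABLE = [
    ("198.51.100.0/24", 64500, "Example Hosting Ltd"),
    ("198.51.100.128/25", 64501, "Example Hosting Ltd (customer block)"),  # more specific
    ("203.0.113.0/24", 64502, "Bulletproof Example Co"),
    ("192.0.2.0/24", 64503, "Example CDN"),
]

# Step 1: constructed IOCs (C2 IPs) per campaign; the 10.x address is unrouted on purpose.
CAMPAIGN_IOCS = {
    "ransomware-bank-2024": ["203.0.113.10", "203.0.113.77", "198.51.100.200"],
    "stealer-retail-2023": ["203.0.113.42", "192.0.2.5"],
    "loader-misc-2023": ["198.51.100.9", "198.51.100.201", "10.9.8.7"],
    "unrelated-cdn-abuse": ["192.0.2.9"],
}


def build_table(rows):
    return [(ipaddress.ip_network(p), asn, org) for p, asn, org in rows]


def lookup_asn(ip, table):
    """Longest-prefix match of ip against table; returns (asn, org) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, org in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, org)
    return (best[1], best[2]) if best else None


def enumerate_asns(campaign_iocs, table):
    """Step 2: {campaign: {ip: asn}}; IPs with no covering prefix map to None."""
    out = {}
    for camp, ips in campaign_iocs.items():
        out[camp] = {ip: (lookup_asn(ip, table) or (None, None))[0] for ip in ips}
    return out


def shared_asns(asn_map):
    """Step 3: ASNs seen in more than one campaign -> {asn: sorted campaign names}.
    A shared ASN is a lead, not attribution: a large CDN or cloud ASN (64503 here)
    is shared by unrelated campaigns simply because everyone uses it."""
    by_asn = defaultdict(set)
    for camp, ips in asn_map.items():
        for asn in ips.values():
            if asn is not None:
                by_asn[asn].add(camp)
    return {asn: sorted(c) for asn, c in by_asn.items() if len(c) > 1}


def pivot(seed_campaign, asn_map):
    """Step 4: from one campaign's ASNs, collect every IP any campaign placed in
    those ASNs -> {asn: sorted ips}. Unrouted seed IPs (asn None) are ignored."""
    seed_asns = {a for a in asn_map[seed_campaign].values() if a is not None}
    found = defaultdict(set)
    for ips in asn_map.values():
        for ip, asn in ips.items():
            if asn in seed_asns:
                found[asn].add(ip)
    return {asn: sorted(ips, key=ipaddress.ip_address) for asn, ips in found.items()}


def attribution_report(seed_campaign, campaign_iocs, table):
    """Step 5: the summary an analyst reviews before attributing anything."""
    asn_map = enumerate_asns(campaign_iocs, table)
    return {
        "seed": seed_campaign,
        "shared_asns": shared_asns(asn_map),
        "expanded": pivot(seed_campaign, asn_map),
    }


if __name__ == "__main__":
    table = build_table(PREFIX_TABLE)
    report = attribution_report("ransomware-bank-2024", CAMPAIGN_IOCS, table)
    for asn, camps in report["shared_asns"].items():
        print(f"AS{asn} shared by: {', '.join(camps)}")
    for asn, ips in report["expanded"].items():
        print(f"AS{asn} expanded IOC set: {ips}")
```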

Read: How HYAS Insight Threat Intelligence Platform Uncovered and Mitigated a Russian-Based Cyber Attack

Conclusion

In conclusion, the strategic utilization of ASNs and pivoting techniques with HYAS Insight threat intelligence is indispensable for CTI experts and investigators in their efforts to combat malware campaigns. By leveraging ASNs to trace connections and employing pivoting to uncover hidden relationships, CTI professionals can gain deeper insights into the tactics, techniques, and procedures (TTPs) employed by threat actors.

This enhanced understanding enables organizations to better protect their assets, mitigate risks, and respond effectively to evolving cyber threats. With a proactive and strategic approach to threat intelligence, CTI experts can stay ahead of adversaries and safeguard the digital ecosystem against malicious activities.

Is your security program prepared to defend against advanced malware and other sophisticated cyberthreats? Learn how HYAS can optimize your defenses.  Request a HYAS demo today.

The post Leveraging ASNs and Pivoting to Uncover Malware Campaigns appeared first on Security Boulevard.

Enhancing Vulnerability Management: Integrating Autonomous Penetration Testing

17 June 2024 at 11:53

Traditional vulnerability scanning tools are enhanced with NodeZero's autonomous penetration testing, revolutionizing Vulnerability Management by providing comprehensive risk assessment, exploitability analysis, and cross-host vulnerability chaining, empowering organizations to prioritize and mitigate security weaknesses strategically.

The post Enhancing Vulnerability Management: Integrating Autonomous Penetration Testing appeared first on Horizon3.ai.

The post Enhancing Vulnerability Management: Integrating Autonomous Penetration Testing appeared first on Security Boulevard.

Leadership Expansion: Introducing Our New SVP of Sales and SVP of Customer

17 June 2024 at 10:00

It’s an exciting time here at Hyperproof! We are thrilled to announce that two new senior leaders have joined Hyperproof: Jay Hussein, Senior Vice President of Customer, and Mike Johnson, Senior Vice President of Sales. Both Mike and Jay have a wealth of experience serving larger enterprises and will support Hyperproof as we scale our...

The post Leadership Expansion: Introducing Our New SVP of Sales and SVP of Customer appeared first on Hyperproof.

The post Leadership Expansion: Introducing Our New SVP of Sales and SVP of Customer appeared first on Security Boulevard.

Finding mispriced opcodes with fuzzing

17 June 2024 at 09:00

By Max Ammann

Fuzzing—a testing technique that tries to find bugs by repeatedly executing test cases and mutating them—has traditionally been used to detect segmentation faults, buffer overflows, and other memory corruption vulnerabilities that are detectable through crashes. But it has additional uses you may not know about: given the right invariants, we can use […]

The post Finding mispriced opcodes with fuzzing appeared first on Security Boulevard.

Mobile SDK Security: Effective Testing Methodology

17 June 2024 at 08:54

In mobile penetration testing, third-party modules or libraries are often considered out of scope for several reasons, although it’s worth noting that the decision to include or exclude third-party components can vary depending on the specific requirements of the assessment […]

The post Mobile SDK Security: Effective Testing Methodology appeared first on WeSecureApp :: Securing Offensively.

The post Mobile SDK Security: Effective Testing Methodology appeared first on Security Boulevard.

Strengthening the Shield: Cybersecurity Strategies for SMEs

By: Editorial
17 June 2024 at 14:03

Cybersecurity Strategies

By: Abhilash R., Head of Cybersecurity at OQ Trading

In a progressively digital world, small and medium-sized enterprises (SMEs) are not immune to cyber threats. Despite their size, SMEs are prime targets for cyberattacks due to their limited resources and perceived vulnerability. Therefore, implementing robust cybersecurity strategies is imperative to safeguard sensitive data, maintain customer trust, and ensure business continuity. This article delves into five essential cybersecurity strategies tailored to SMEs, emphasizing their importance and providing cost-effective solutions.

Employee Education and Training

One of the most critical cybersecurity strategies for SMEs is ensuring that employees are educated and trained in cybersecurity best practices. Human error remains a significant factor in cyber incidents, making cybersecurity awareness training indispensable. Employees should be educated on recognizing phishing attempts, creating strong passwords, and understanding the importance of software updates.

Importance: Employees are the first line of defence against cyber threats, but they are also the weakest link in cybersecurity. By educating them, SMEs can significantly reduce the risk of successful cyberattacks.

Solutions: Implement regular cybersecurity training sessions for all employees, covering topics such as identifying suspicious emails, safe internet browsing practices, and responding to security incidents. Utilize online training resources and simulations to reinforce learning effectively. You can develop internal cybersecurity awareness materials using free or low-cost presentation tools such as Google Slides or Microsoft PowerPoint. Create engaging presentations covering topics like identifying phishing emails, password best practices, and responding to security incidents. Additionally, leverage free online resources such as cybersecurity blogs, webinars, and tutorials to supplement employee training efforts. Encourage participation in online courses offered by reputable cybersecurity organizations, some of which may be available at no cost.

Implementing Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) adds an extra layer of security by requiring users to provide multiple forms of verification before accessing sensitive data or systems. This strategy helps mitigate the risk of unauthorized access, even if passwords are compromised.

Importance: Passwords alone are no longer sufficient to protect against cyber threats. MFA significantly enhances security by requiring additional authentication factors, such as biometric data or one-time codes.

Solutions: Implement MFA for all accounts with access to sensitive information or critical systems. Many cloud-based services and software applications offer built-in MFA capabilities, making implementation relatively straightforward and cost-effective. Utilize built-in MFA features provided by cloud-based services and software applications, many of which offer MFA functionality at no additional cost. Implement open-source MFA solutions that can be customized to fit the organization's specific needs without incurring licensing fees. Alternatively, explore low-cost MFA options offered by third-party providers, ensuring compatibility with existing systems and scalability as the business grows.

Regular Data Backups

Data loss can have devastating consequences for SMEs, ranging from financial losses to reputational damage. Regularly backing up data is essential for mitigating the impact of ransomware attacks, hardware failures, or accidental deletions.

Importance: Data backups serve as a safety net, allowing SMEs to recover quickly in the event of a cyber incident. Without backups, businesses risk permanent loss of valuable information.

Solutions: Automate regular backups of critical data to secure cloud storage or offline storage devices. Utilize backup solutions that offer versioning capabilities, allowing businesses to restore data to previous states if necessary. Utilize cloud-based backup solutions that offer affordable storage options and automated backup scheduling. Leverage free or low-cost backup software with basic features for backing up critical data to secure cloud storage or external hard drives. Implement a combination of full and incremental backups to optimize storage space and minimize backup times. Explore open-source backup solutions that provide flexibility and customization options without the need for expensive proprietary software.

Network Security Measures

Securing the network infrastructure is crucial for protecting against external threats and unauthorized access. SMEs should implement robust network security measures, such as firewalls, intrusion detection systems (IDS), and virtual private networks (VPNs).

Importance: Networks are prime targets for cyberattacks, making network security measures essential for preventing unauthorized access and data breaches.

Solutions: Deploy firewalls to monitor and control incoming and outgoing network traffic. Implement IDS to detect and respond to suspicious activities within the network. Utilize VPNs to encrypt data transmissions and establish secure connections for remote workers. Implement open-source firewall solutions that provide robust network protection without the high cost associated with commercial firewalls. Utilize free or low-cost IDS software that offers essential features such as real-time monitoring and threat detection. Explore cost-effective VPN solutions tailored to SMEs' needs, such as subscription-based services with affordable pricing plans and easy deployment for remote workers.

Regular Security Assessments and Updates

Cyber threats are constantly evolving, requiring SMEs to stay vigilant and proactive in their cybersecurity efforts. Regular security assessments and updates help identify vulnerabilities and ensure that systems and software are up to date with the latest security patches.

Importance: Cyber threats are continuously evolving, making regular security assessments and updates essential for maintaining a strong cybersecurity posture.

Solutions: Conduct regular security assessments to identify potential vulnerabilities in systems, networks, and applications. Develop and implement a patch management strategy to ensure that software and firmware updates are applied promptly. Conduct internal security assessments using free or low-cost vulnerability scanning tools to identify potential weaknesses in systems and networks. Utilize open-source penetration testing frameworks to simulate cyberattacks and assess the effectiveness of existing security measures. Implement a systematic approach to applying security patches and updates, leveraging free tools provided by software vendors or community-driven initiatives. Additionally, establish internal processes for monitoring security advisories and alerts issued by relevant authorities to stay informed about emerging threats and vulnerabilities.

In conclusion, cybersecurity is a critical concern for SMEs in today's digital landscape. By implementing the strategies explained above, SMEs can significantly enhance their cybersecurity posture without breaking the bank. Investing in cybersecurity is not only essential for protecting sensitive data and maintaining business operations but also for safeguarding the long-term viability and reputation of SMEs in an increasingly interconnected world.

About the Author: Abhilash Radhadevi, a seasoned cybersecurity leader, serves as the Head of Cybersecurity at OQ Trading, bringing over two decades of comprehensive experience in the banking, financial, oil and energy sectors. Widely recognized for his adept leadership, Abhilash has effectively steered international organizations through intricate security challenges. His career includes spearheading pioneering cybersecurity strategies, resulting in prestigious awards and acclaim. Beyond his professional achievements, Abhilash maintains a global influence and demonstrates unwavering commitment to mentoring, showcasing his dedication to shaping the future landscape of cybersecurity.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Understanding Cyberconflict in the Geopolitical Context

By: Editorial
17 June 2024 at 14:00

Cyberconflict

By Hoda Alkhzaimi

The technological prowess of small nations is increasingly recognized as a significant driver of global economic power. This is because technology is a great equalizer; it can enable small nations to leapfrog development stages and compete on a global scale. For instance, the UNCTAD Technology and Innovation Report 2021 highlights that frontier technologies like AI, robotics, and biotechnology have the potential to significantly boost sustainable development, while also posing the risk of widening the digital divide. Small nations, by embracing these technologies, can foster innovation, improve productivity, and create high-value industries that contribute to global trade and economic growth. Moreover, the digital transformation allows for the democratization of information and resources, enabling smaller economies to participate in markets traditionally dominated by larger countries. The OECD also emphasizes the role of SMEs in adapting to a more open and digitalized environment, which is essential for inclusive globalization. Therefore, the technological development of small nations is not just about national progress; it's about contributing to and shaping the global economic landscape. By investing in technology and innovation, small nations can assert their presence on the world stage, influencing global trends and economic policies.

Cyber conflicts have emerged as a significant factor in international relations, influencing the dynamics of power in the digital age. The Atlantic Council's Cyber Statecraft Initiative highlights the shift from traditional deterrence strategies to more proactive measures like Defend Forward and Persistent Engagement, reflecting the evolving nature of cyber threats. Research published in Armed Forces & Society suggests that cyber conflicts, termed 'cool wars', are reshaping interactions between states, with denial-of-service attacks and behaviour-changing tactics significantly affecting state relations. Moreover, the ICRC has raised concerns about the protection of civilians from cyber threats during armed conflicts, emphasizing the need for legal and policy frameworks to address the digital risks in warfare. The CyberPeace Institute's analysis of cyberattacks in the context of the Ukraine conflict provides valuable data on the harm to civilians and the evolution of cyber threats. Additionally, the European Repository of Cyber Incidents offers an extensive database of cyber incidents, which can serve as a resource for understanding the scope and impact of cyber warfare. These insights underscore the importance of cyber capabilities in asserting influence and the need for robust cyber defence mechanisms to safeguard national security and civilian welfare in the face of digital threats. The interplay between cyber operations and political power is complex, and as technology continues to advance, the implications for international stability and power hierarchies will likely become even more pronounced.

The Role of Misinformation and Disinformation in Cyberconflict

Misinformation and disinformation play a critical role in the landscape of cyberconflict, shaping public perception and influencing the dynamics of geopolitical tensions. A report by Full Fact highlights the detrimental impact of false information on democratic societies, emphasizing the need for informed citizenship to combat the spread of such information. Similarly, data from UNESCO underscores the pervasive risk of encountering disinformation across various media platforms, with statistics indicating a significant trust deficit in media and an increase in the manipulation of news consumption. The cybersecurity sector also recognizes disinformation as a substantial threat, with a study by the Institute for Public Relations revealing that 63% of Americans view disinformation as a major societal issue, and nearly half of cybersecurity professionals consider it a significant threat to security. These concerns are echoed globally, as a survey found that over 85% of people worry about the impact of online disinformation on their country's politics. The intertwining of misinformation, disinformation, and cyberconflict presents a complex challenge that requires a multifaceted approach, including media literacy, regulatory frameworks, and international cooperation to mitigate its effects and safeguard information integrity.

The Role of Big Tech in Cyberconflict Interplay

The role of big tech companies in cyber conflict is a complex and evolving issue. These companies often find themselves at the forefront of cyber conflict, whether as targets, mediators, or sometimes even participants. For instance, during civil conflicts, digital technologies have been used to recruit followers, finance activities, and control narratives, posing additional challenges for peacemakers. The explosive growth of digital technologies has also opened new potential domains for conflict, with state and non-state actors capable of carrying out attacks across international borders, affecting critical infrastructure and diminishing trust among states. In response to the invasion of Ukraine, big tech companies played crucial roles in addressing information warfare and cyber-attacks, showcasing their significant influence during times of conflict. Moreover, the technological competition between major powers like the United States and China further highlights the geopolitical dimension of big tech's involvement in cyber conflict. These instances underscore the need for a robust framework to manage the participation of big tech in cyber conflict, ensuring that their capabilities are harnessed for peace and security rather than exacerbating tensions.

Hedging the Risks of Using AI and Emerging Tech To Scale Up Misinformation and Global Cyberconflicts

In response to the growing threat of election misinformation, various initiatives have been undertaken globally. The World Economic Forum has identified misinformation as a top societal threat and emphasized the need for a concerted effort to combat it, especially in an election year with a significant global population going to the polls. The European Union has implemented a voluntary code of practice for online platforms to take proactive measures against disinformation, including the establishment of a Rapid Alert System and the promotion of fact-checking and media literacy programs. In the United States, the Brennan Center for Justice advocates for active monitoring of false election information and collaboration with internet companies to curb digital disinformation. Additionally, the North Carolina State Board of Elections (NCSBE) provides guidelines for the public to critically assess the credibility of election news sources and encourages the use of reputable outlets. These initiatives represent a multifaceted approach to safeguarding the integrity of elections by enhancing public awareness, improving digital literacy, and fostering collaboration between governments, tech companies, and civil society.

In the ongoing battle against election misinformation, several key alliances and actions have been formed. Notably, the AI Elections Accord was proposed for public signature at the Munich Security Conference on February 16, 2024. This accord represents a commitment by technology companies to combat deceptive AI content in elections. In a similar vein, Meta established a dedicated team on February 26, 2024, to address disinformation and the misuse of AI leading up to the European Parliament elections. Furthermore, the Federal Communications Commission (FCC) in the United States took a decisive step by making AI-generated voices in robocalls illegal on February 8, 2024, to prevent their use in misleading voters.

These measures reflect a growing recognition of the need for collaborative efforts to safeguard the integrity of elections in the digital age. The alliances and regulations are pivotal in ensuring that the democratic process remains transparent and trustworthy amidst the challenges posed by advanced technologies.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Snowballing of the Snowflake Breach: All About the Massive Snowflake Data Breach


With companies coming forward every day announcing impacts from their third-party cloud data storage vendor, the Snowflake data breach seems to be snowballing into one of the biggest data breaches of the digital age. Here's everything to know about the Snowflake breach; we'll update this page as new information becomes available.

Why the Snowflake Breach Matters

Snowflake is a prominent U.S.-based cloud data storage and analytics company, with over 9,800 global customers. Its customer base includes major corporations like Adobe, AT&T, Capital One, DoorDash, HP, JetBlue, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, and Yamaha, among others. Snowflake holds approximately a 20% share of the data warehouse market and was recently ranked #1 on the Fortune Future 50 List, making it an attractive target for cybercriminals. However, it is crucial to note that the breaches are not necessarily due to failures by Snowflake. Correlation does not imply causation, as emphasized by Snowflake’s Chief Information Security Officer Brad Jones. The company, along with its forensic partners, found no evidence of vulnerabilities or breaches within Snowflake’s platform.

Ongoing Investigation and Preliminary Results in Snowflake Breach

On May 31, Snowflake revealed that attackers accessed customer accounts using single-factor authentication. According to preliminary results, these attackers leveraged credentials obtained through infostealing malware.

Compromised Employee Account

Snowflake confirmed that a threat actor obtained credentials from a single former employee, accessing demo accounts that were isolated from production and corporate systems. Snowflake’s core systems are protected by Okta and Multi-Factor Authentication (MFA), but the demo accounts lacked such safeguards.

Test Environments Targeted

Demo accounts are often overlooked as security risks. Despite assurances that these accounts do not contain sensitive data, they remain attractive targets due to their perceived value. Cybercriminals exploit the perception gap, knowing that a claimed breach of a high-profile company like Snowflake can generate significant media attention.

Attack Path

The initial access point for the attackers was almost certainly compromised credentials obtained through infostealing malware. Mandiant, which assisted Snowflake in its investigation, confirmed that the compromised credentials were for customer instances and were traced back to infostealer malware logs. Several infostealer variants were involved, including VIDAR, RISEPRO, REDLINE, RACCOON STEALER, LUMMA, and METASTEALER.

Possible Reasons for the Breach

Mandiant confirmed that there was no breach of Snowflake’s enterprise environment. They identified that most credentials used by the attackers originated from historical infostealer infections. The lack of MFA and failure to rotate credentials for up to four years were significant factors. Network allow lists were also not used to restrict access to trusted locations.

Unconfirmed Threat Actor Claims

The threat actor also claimed to have logged into Snowflake’s ServiceNow using the same credentials. This claim has neither been confirmed nor explicitly refuted by Snowflake. Other unknowns include whether similar methods compromised other Snowflake employees, and the definition of "sensitive" data used for determining the impact on demo accounts. The investigation is ongoing, but Snowflake stands by its initial findings.

Affected Customers from Snowflake Breach

The data breaches began in April 2024, and the company claimed they had impacted a “limited” number of Snowflake customers. Snowflake initially did not disclose the exact number or the names of all affected customers. However, a comprehensive report from Mandiant two weeks after the initial disclosure revealed that 165 customers were impacted in the Snowflake data breach. While some victims have been identified through attackers’ offers to sell stolen data, others were revealed via mandatory public disclosures. Most companies have yet to confirm the impact. Following is a list of all companies known to have been impacted in the Snowflake data breach:
  • Santander Group: The company confirmed a compromise without mentioning Snowflake.
      • Impact: Santander Bank staff and 30 million customers’ data has allegedly been breached.
  • TicketMaster (Live Nation Entertainment subsidiary): Confirmed via an SEC 8-K report, with Snowflake identified as the third party involved.
      • Impact: 560 million TicketMaster user details and card info potentially at risk.
  • LendingTree: Notified by Snowflake about a potential data impact involving QuoteWizard.
      • Impact: On June 1, a hacker going by the name “Sp1d3r” posted on the cybercriminal platform BreachForums that they had stolen the sensitive information of over 190 million people from QuoteWizard. The alleged database included customer details, partial credit card numbers, insurance quotes and other information.
  • Advance Auto Parts: Unconfirmed by the company, but a dark web listing claimed significant data theft.
      • Impact: The same actor as in the LendingTree case claimed a leak of 380 million customers and 358,000 former and current employees.
  • Pure Storage: The Pure Storage data breach involved a third party temporarily gaining access to the workspace, which housed data such as company names, LDAP usernames, email addresses, and the Purity software release version number.
      • Impact: The same threat actor known as “Sp1d3r” claimed responsibility, alleging the theft of 3 terabytes of data from the company’s Snowflake cloud storage that was reportedly being sold for $1.5 million.
TechCrunch discovered over 500 login credentials and web addresses for Snowflake environments on a website used by attackers to search for stolen credentials. These included corporate email addresses found in a recent data dump from various Telegram channels.

Security Measures and Customer Support

Snowflake Chief Information Security Officer Brad Jones reiterated the company's findings, asserting that the breaches were not due to any vulnerabilities, misconfigurations, or breaches of Snowflake’s platform or personnel credentials. Snowflake is collaborating with customers to enhance security measures and plans to mandate advanced security controls such as multi-factor authentication (MFA) and network policies, especially for privileged accounts. The company acknowledges the friction in their MFA enrollment process and is working to streamline it. The shared responsibility model places MFA enforcement on customers, but Snowflake aims to make it a standard prerequisite due to the high sensitivity of the data stored in their cloud environments.

Key Recommendations for Snowflake Customers:

  1. Enforce Multi-Factor Authentication: Make MFA mandatory for all accounts, particularly those with privileged access.
  2. Regularly Rotate Credentials: Ensure that all credentials are regularly updated to prevent long-term exposure from previous leaks.
  3. Implement Network Allow Lists: Restrict access to trusted IP addresses to minimize unauthorized access.
  4. Enhance Logging and Monitoring: Improve logging and monitoring capabilities to detect and respond to suspicious activities promptly.
Snowflake has also published indicators of compromise and steps for detecting and preventing unauthorized user access here. Cloud security firm Permiso has developed an open-source tool dubbed "YetiHunter" to detect and hunt for suspicious activity in Snowflake environments based on the IoCs shared by Snowflake, Mandiant, DataDog, and its own intelligence.

Editor's Note: This blog will be updated as additional breach information from Snowflake and its customers becomes available or is claimed by threat actors on underground forums for sale. Links and data to any additional IoCs related to the Snowflake breach will be published here too.
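The four recommendations above, and the failure modes described under "Attack Path" and "Possible Reasons for the Breach" (password-only logins, credentials unrotated for years, no network allow list), can all be checked from login telemetry. The following is an added example written for this page; it is not Snowflake's, Mandiant's or Permiso's code. It audits a small set of constructed login records whose field names mirror, as an assumption, the columns of Snowflake's `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` view (`USER_NAME`, `CLIENT_IP`, `FIRST_AUTHENTICATION_FACTOR`, `SECOND_AUTHENTICATION_FACTOR`, `IS_SUCCESS`); the rows, the allow-listed networks and the password-age table are all made up for the illustration.

```python
"""Audit constructed Snowflake-style login records against four controls:
MFA enforcement, credential rotation, network allow lists, and monitoring.

Added example for this page, not vendor code. Field names mirror Snowflake's
ACCOUNT_USAGE.LOGIN_HISTORY view as an assumption; all data is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed allow list (hypothetical corporate egress ranges, RFC 5737 space).
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
# Rotation threshold in days (constructed policy value).
MAX_CREDENTIAL_AGE_DAYS = 90


@dataclass
class Login:
    event_timestamp: datetime
    user_name: str
    client_ip: str
    first_authentication_factor: str            # e.g. "PASSWORD", "SAML2"
    second_authentication_factor: Optional[str]  # None when no MFA was used
    is_success: bool


# Constructed sample rows: one MFA login, one service account with no MFA,
# and a password-only session from an unknown address after a failed attempt.
SAMPLE_LOGINS = [
    Login(datetime(2024, 6, 1, 8, 0), "ANALYST1", "203.0.113.10", "PASSWORD", "DUO", True),
    Login(datetime(2024, 6, 1, 9, 30), "SVC_ETL", "198.51.100.5", "PASSWORD", None, True),
    Login(datetime(2024, 6, 2, 2, 15), "ANALYST1", "192.0.2.77", "PASSWORD", None, True),
    Login(datetime(2024, 6, 2, 2, 16), "ADMIN", "192.0.2.77", "PASSWORD", None, False),
    Login(datetime(2024, 6, 2, 2, 17), "ADMIN", "192.0.2.77", "PASSWORD", None, True),
]

# Constructed "last password change" dates; the article reports credentials
# left unrotated for up to four years, which SVC_ETL models here.
PASSWORD_LAST_SET = {
    "ANALYST1": date(2024, 4, 1),
    "SVC_ETL": date(2020, 5, 15),
    "ADMIN": date(2023, 12, 20),
}


def is_allowed_ip(ip: str) -> bool:
    """True when the client address falls inside an allow-listed network."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def find_single_factor_logins(logins: List[Login]) -> List[Login]:
    """Successful sessions that presented no second factor."""
    return [l for l in logins if l.is_success and l.second_authentication_factor is None]


def find_logins_outside_allow_list(logins: List[Login]) -> List[Login]:
    """Successful sessions from addresses a network policy would have blocked."""
    return [l for l in logins if l.is_success and not is_allowed_ip(l.client_ip)]


def find_stale_credentials(last_set: Dict[str, date], today: date,
                           max_age_days: int = MAX_CREDENTIAL_AGE_DAYS) -> List[str]:
    """Users whose password is older than the rotation threshold."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(user for user, changed in last_set.items() if changed < cutoff)


def failed_attempts_by_ip(logins: List[Login]) -> Dict[str, int]:
    """Failed-login counts per source address, a basic monitoring signal."""
    return dict(Counter(l.client_ip for l in logins if not l.is_success))


def audit(logins: List[Login], last_set: Dict[str, date], today: date) -> dict:
    """Summarise findings per control; 'critical_users' combines the two
    conditions the article ties to the intrusions: a password-only session
    from an address outside the allow list."""
    single = find_single_factor_logins(logins)
    outside = find_logins_outside_allow_list(logins)
    critical = sorted({l.user_name for l in single if l in outside})
    return {
        "single_factor_users": sorted({l.user_name for l in single}),
        "outside_allow_list_users": sorted({l.user_name for l in outside}),
        "stale_credential_users": find_stale_credentials(last_set, today),
        "failed_attempts_by_ip": failed_attempts_by_ip(logins),
        "critical_users": critical,
    }


if __name__ == "__main__":
    for control, finding in audit(SAMPLE_LOGINS, PASSWORD_LAST_SET, date(2024, 6, 17)).items():
        print(f"{control}: {finding}")
```

Against real telemetry the same logic would be run over the account-usage view itself rather than an in-memory list, and the allow list would come from the account's network policy; the point of the example is that each of the four recommendations maps to one concrete, testable condition, and that the highest-priority finding is the intersection of two of them.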

BreachForums Returns With a New Owner After ShinyHunters Retires


The on-again, off-again saga of BreachForums took another twist in recent days with the news that the data leak forum apparently has a new owner. ShinyHunters – who had reportedly retired after tiring of the pressure of running a notorious hacker forum – returned on June 14 to announce that the forum is now under the ownership of a threat actor operating under the new handle name “Anastasia.” It’s not yet clear if the move will quell concerns that the forum has been taken over by law enforcement after a May 15 FBI-led takeover, but for now, BreachForums is up and running under its .st domain.

ShinyHunters Alludes to BreachForums Issues

ShinyHunters alluded to those issues in a post announcing the forum’s new owner (screenshot below). “It's hard to maintain motivation when you're constantly getting accused of being a honeypot and at this point I'm burned out, hollow is burned out and we just want to move on to bigger things rather than the constant onslaught of users complaining about how we ran our forum,” ShinyHunters wrote. “Baphomet has done an incredible job of building new features for everyone, keeping everything together and maintaining the forum. Couldn't have done it without him. We hope the forum can live on without us for a long time. Thank you all for your support. Goodbye.”

Screenshot: The announcement of a new BreachForums owner

While “User-Anastasia” is a new account, ShinyHunters referred to the new owner as “an OG some of you may remember.” Cyble threat researchers reported that Anastasia also goes by “Anastasia Belshaw.”

BreachForums Returns, Hackers Raise Suspicions

BreachForums was seized by the FBI and the U.S. Department of Justice in mid-May, with help from international law enforcement agencies, and Baphomet was allegedly arrested in that action. However, just two weeks later, the forum returned, leading to suspicion among some threat actors that the site was operating as a “honeypot” or a sting operation under the control of the FBI. To further complicate matters, the site went down again last week, possibly due to technical issues, and its associated Telegram channels disappeared too amid reports that ShinyHunters was retiring. A few days later came the announcement that Anastasia would take over the forum. It remains to be seen what direction the forum will take under new ownership, but given the site’s volatile history, whatever is in store is certain to be eventful.

(Almost) everything you always wanted to know about cybersecurity, but were too afraid to ask, with Tjitske de Vries: Lock and Code S05E13

17 June 2024 at 12:17

This week on the Lock and Code podcast…

🎶 Ready to know what Malwarebytes knows?
Ask us your questions and get some answers.
What is a passphrase and what makes it—what’s the word?
Strong?
🎶

Every day, countless readers, listeners, posters, and users ask us questions about some of the most commonly cited topics and terminology in cybersecurity. What are passkeys? Is it safer to use a website or an app? How can I stay safe from a ransomware attack? What is the dark web? And why can’t cybercriminals simply be caught and stopped?

For some cybersecurity experts, these questions may sound too “basic”—easily researched online and not worth the time or patience to answer. But those experts would be wrong.

In cybersecurity, so much of the work involves helping people take personal actions to stay safe online. That means it’s on cybersecurity companies and practitioners to provide clarity when the public is asking for it. Without this type of guidance, people are less secure, scammers are more successful, and clumsy, fixable mistakes are rarely addressed.

This is why, this summer, Malwarebytes is working harder on meeting people where they are. For weeks, we’ve been collecting questions from our users about WiFi security, data privacy, app settings, device passcodes, and identity protection.

All of these questions—no matter their level of understanding—are appreciated, as they help the team at Malwarebytes understand where to improve its communication. In cybersecurity, it is critical to create an environment where, for every single person seeking help, it’s safe to ask. It’s safe to ask what’s on their mind, safe to ask what confuses them, and safe to ask what they might even find embarrassing.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Malwarebytes Product Marketing Manager Tjitske de Vries about the modern rules around passwords, the difficulties of stopping criminals on the dark web, and why online scams hurt people far beyond their financial repercussions.

“We had [an] 83-year-old man who was afraid to talk to his wife for three days because he had received… a sextortion scam… This is how they get people, and it’s horrible.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Open Source Licensing 101: Everything You Need to Know

With the right license, you can protect your open-source project and ensure proper usage. This article provides a clear overview of open-source licensing for developers and users.

The post Open Source Licensing 101: Everything You Need to Know appeared first on Security Boulevard.

Microsoft Recall delayed after privacy and security concerns

17 June 2024 at 09:55

Microsoft has announced it will postpone the broadly available preview of the heavily discussed Recall feature for Copilot+ PCs. Copilot+ PCs are personal computers that come equipped with several artificial intelligence (AI) features.

The Recall feature tracks anything from web browsing to voice chats. The idea is that Recall can assist users to reconstruct past activity by taking regular screenshots of a user’s activity and storing them locally. The user would then be able to search the database for anything they’ve seen on their PC.

However, Recall has received heavy criticism from security researchers and privacy advocates since it was announced last month. The ensuing discussion saw a lot of contradictory statements. For example, Microsoft claimed that Recall would be disabled by default, while the original documentation said otherwise.

Researchers demonstrated how easy it was to extract and search through Recall snapshots on a compromised system. While some may remark that the compromised system is the problem in that equation—and they are not wrong—Recall would potentially provide an attacker with a lot of information that normally would not be accessible. Basically, it would be a goldmine that spyware and information stealers could easily access and search.

In Microsoft’s own words:

“Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.”

Microsoft didn’t see the problem, with its vice chair and president, Brad Smith, even using Recall as an example of how Microsoft is secure during the committee hearing “A Cascade of Security Failures: Assessing Microsoft Corporation’s Cybersecurity Shortfalls and the Implications for Homeland Security.”

But now things have changed: Recall will only be available to participants in the Windows Insider Program (WIP) in the coming weeks, instead of being rolled out to all Copilot+ PC users on June 18 as originally planned.

Another security measure, taken only as an afterthought, is that users will now have to log in with Windows Hello in order to activate Recall and to view their screenshot timeline.

In its blog, Microsoft indicates it will act on the feedback it expects to receive from WIP users.

“This decision is rooted in our commitment to providing a trusted, secure and robust experience for all customers and to seek additional feedback prior to making the feature available to all Copilot+ PC users.”

Our hope is that the WIP community will convince Microsoft to abandon the whole Recall idea. If not, we will make sure to let you know how you can disable it or use it more securely if you wish to do so.


The Ultimate Guide to Troubleshooting Vulnerability Scan Failures

17 June 2024 at 07:35

Vulnerability scans evaluate systems, networks, and applications to uncover security vulnerabilities. Leveraging databases of known vulnerabilities, these scans detect your weakest spots. These are the points most likely to be exploited by cybercriminals. Scans also help prioritize the order of importance in remediating and patching vulnerabilities. Vulnerability assessment scans are critical for maintaining the security […]

The post The Ultimate Guide to Troubleshooting Vulnerability Scan Failures appeared first on Centraleyes.

The post The Ultimate Guide to Troubleshooting Vulnerability Scan Failures appeared first on Security Boulevard.

Using LLMs to Exploit Vulnerabilities

17 June 2024 at 07:08

Interesting research: “Teams of LLM Agents can Exploit Zero-Day Vulnerabilities.”

Abstract: LLM agents have become increasingly sophisticated, especially in the realm of cybersecurity. Researchers have shown that LLM agents can exploit real-world vulnerabilities when given a description of the vulnerability and toy capture-the-flag problems. However, these agents still perform poorly on real-world vulnerabilities that are unknown to the agent ahead of time (zero-day vulnerabilities).

In this work, we show that teams of LLM agents can exploit real-world, zero-day vulnerabilities. Prior agents struggle with exploring many different vulnerabilities and long-range planning when used alone. To resolve this, we introduce HPTSA, a system of agents with a planning agent that can launch subagents. The planning agent explores the system and determines which subagents to call, resolving long-term planning issues when trying different vulnerabilities. We construct a benchmark of 15 real-world vulnerabilities and show that our team of agents improve over prior work by up to 4.5×...

The post Using LLMs to Exploit Vulnerabilities appeared first on Security Boulevard.

Ubuntu 23.10 Reaches End of Life on July 11, 2024

17 June 2024 at 05:00

Ubuntu 23.10, codenamed “Mantic Minotaur,” was released on October 12, 2023, nearly nine months ago. Since it is an interim release, its support period is now approaching with the end of life scheduled on July 11, 2024. After this date, Ubuntu 23.10 will no longer receive software and security updates from Canonical. As a result, […]

The post Ubuntu 23.10 Reaches End of Life on July 11, 2024 appeared first on TuxCare.

The post Ubuntu 23.10 Reaches End of Life on July 11, 2024 appeared first on Security Boulevard.

How Automated Linux Patching Boosts Healthcare Security

17 June 2024 at 04:00

Healthcare organizations worldwide are facing a surge in cyberattacks. The healthcare industry is grappling with increasingly sophisticated cyberattacks, often exploiting known vulnerabilities that should have been addressed much earlier. Automated Linux patching helps ensure that systems are continuously updated with the latest security patches. These days, healthcare organizations are increasingly relying on advanced technologies like […]

The post How Automated Linux Patching Boosts Healthcare Security appeared first on TuxCare.

The post How Automated Linux Patching Boosts Healthcare Security appeared first on Security Boulevard.
