Cyber Bakery Chronicles

Your Weekly Cybersecurity Update (15 November 2024)

  • Massive Data Leak Exposes Employee Information from Over 25 Companies
  • New Phishing Campaign Uses Fake Copyright Claims to Spread Malware
  • Iranian threat group targets aerospace workers with fake job lures
  • Hackers Keep Stealing Tickets From People’s Ticketmaster Accounts
  • 2023 Top Routinely Exploited Vulnerabilities: Joint Cybersecurity Advisory
  • Experts have discovered 70,000 hijacked domains in a widespread attack scheme known as “Sitting Ducks.”

Massive Data Leak Exposes Employee Information from Over 25 Companies

A data leak has exposed the personal information of millions of employees from over 25 companies, including Amazon, Lenovo, HP, and MetLife. The leaked data is believed to have been stolen in the May 2023 wave of attacks against MOVEit Transfer, a managed file transfer product, and has now been compiled and published by a single threat actor.

Amazon Confirms Breach:

Amazon confirmed the leak, acknowledging that over 2.8 million employee records, including names, work contact information, and work locations, were exposed. The company emphasised that the data came from a third-party vendor and that the incident did not involve access to Amazon’s internal systems or to sensitive employee data such as Social Security numbers.

Other Affected Companies:

The leak impacts a wide range of companies across various sectors. Here are some of the most affected:

  • Lenovo (45,522 employees)
  • HP (104,119 employees)
  • McDonald’s (3,295 employees)
  • HSBC (280,693 employees)
  • MetLife (585,130 employees)

Source of the Breach:

The data is attributed to the zero-day vulnerability in MOVEit Transfer (CVE-2023-34362, a SQL injection flaw) that was mass-exploited in the May 2023 attacks. The threat actor who published it, Nam3L3ss, claims to hold data from many other sources as well, including other ransomware gangs’ leak sites and misconfigured, publicly exposed cloud storage buckets.

Impact and Next Steps:

The stolen data could be used for targeted phishing, social engineering, or identity theft; an accurate employee directory is exactly what an attacker needs to impersonate a colleague convincingly. Affected companies are likely to face reputational damage and regulatory scrutiny. Individuals whose information may be exposed should remain vigilant and treat unexpected emails, calls, or messages that reference their employer with caution.

This incident highlights the importance of managing third-party risk, since a vendor’s compromise exposes its customers’ data, and of patching internet-facing software such as file transfer servers promptly.

New Phishing Campaign Uses Fake Copyright Claims to Spread Malware

A new phishing campaign is distributing the Rhadamanthys infostealer to organisations worldwide. The emails falsely accuse the recipient of copyright infringement and press them to open an attached or linked archive to review the supposed evidence.

How the Attack Works:

  1. Phishing Email: Victims receive emails from seemingly legitimate sources accusing them of copyright infringement and threatening legal consequences.
  2. Malicious Archive: The email carries or links to a ZIP archive. Opening the ZIP is harmless in itself; the infection starts when the victim runs the file inside it, which is disguised as the supporting documentation.
  3. Infostealer Deployment: That file installs the Rhadamanthys infostealer, which harvests passwords, credentials, and cryptocurrency wallet data.
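The archive step above is where a mail gateway can intervene. The following is an added example for this newsletter, not code from the original article or from the researchers who documented the campaign: a Python check that opens a ZIP attachment in memory and flags any member a user could run, judging by content as well as file name. The sample archive it builds is constructed for the demo and contains only harmless placeholder bytes; the extension list is a policy choice for the example.

```python
"""Gateway-style inspection of a ZIP email attachment for content a user could execute.

Added example for this newsletter; not code from the original article or from the
researchers who documented the Rhadamanthys campaign. The sample archives built below
are constructed for the demo and contain only harmless placeholder bytes.
"""
import io
import zipfile

# Member names that Windows will run (or hand to a script host) on double-click.
# Policy choice for this example; extend it to match your environment.
EXECUTABLE_EXTENSIONS = (
    ".exe", ".scr", ".com", ".pif", ".msi", ".bat", ".cmd", ".dll",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".ps1", ".hta", ".lnk",
)
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate anything larger (zip-bomb guard)
MAX_NESTING = 1                        # archive-in-archive levels to descend


def risky_members(zip_bytes: bytes, depth: int = 0) -> list[str]:
    """Return one finding per member that should block delivery; [] means the ZIP is clean.

    The file name alone is not trusted: a member called report.pdf whose first bytes are
    the 'MZ' PE signature is still an executable.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if info.flag_bits & 0x1:
                # Encrypted member: the gateway cannot see inside, so it cannot clear it.
                findings.append(f"{name}: password-protected member, cannot be inspected")
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{name}: declared size {info.file_size} exceeds inspection limit")
                continue
            if name.lower().endswith(EXECUTABLE_EXTENSIONS):
                # Also catches double extensions such as invoice.pdf.js.
                findings.append(f"{name}: executable or script extension")
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            if head[:2] == b"MZ":
                findings.append(f"{name}: Windows PE content behind a non-executable name")
            elif head == b"PK\x03\x04":
                if depth >= MAX_NESTING:
                    findings.append(f"{name}: nested archive beyond inspection depth")
                else:
                    with zf.open(info) as fh:
                        inner = fh.read()
                    findings.extend(f"{name}/{f}" for f in risky_members(inner, depth + 1))
    return findings


def is_deliverable(zip_bytes: bytes) -> bool:
    """True only when nothing in the archive was flagged."""
    return not risky_members(zip_bytes)


def build_sample_attachment() -> bytes:
    """Constructed lure archive: a decoy 'notice', a script with a double extension, a
    renamed PE, and an innocent text file. Bodies are placeholders, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Copyright_Claim_Notice.pdf", b"%PDF-1.4 placeholder decoy document")
        zf.writestr("Evidence/Infringing_Content.pdf.js", b"// placeholder script body")
        zf.writestr("Evidence/Licence_Agreement.pdf", b"MZ\x90\x00 placeholder PE header")
        zf.writestr("Evidence/readme.txt", b"plain text, should not be flagged")
    return buf.getvalue()


def build_nested_sample() -> bytes:
    """Constructed archive that wraps the sample above inside another ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Evidence.zip", build_sample_attachment())
        zf.writestr("cover_letter.txt", b"please review the attached evidence")
    return buf.getvalue()


def build_clean_attachment() -> bytes:
    """Constructed benign archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notice.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in risky_members(build_sample_attachment()):
        print("BLOCK:", finding)
```

On the sample archive the check blocks the `.pdf.js` script and the PE hiding behind a `.pdf` name while leaving the decoy PDF and text file alone; the nested variant is unpacked one level and reported with the outer name as a prefix. Password-protected members are blocked rather than passed through, because a gateway cannot clear what it cannot read, and that is precisely why lures of this kind favour encrypted archives with the password in the email body.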

Key Features of Rhadamanthys:

  • Image OCR: The malware includes an optical character recognition component, marketed by its developers as AI-powered, that scans images on the victim’s system for text of value such as cryptocurrency wallet seed phrases.
  • Versatile Delivery: Rhadamanthys can be packaged in several ways, including as MSI installers, a format that some security controls scrutinise less closely than plain executables.
  • Data Theft: The malware steals a wide range of sensitive information, including credentials, browser cookies, and cryptocurrency wallet data.

Protecting Yourself:

  • Be Wary of Suspicious Emails: Treat unexpected emails with caution, especially those threatening legal action and demanding an urgent response.
  • Do Not Open Unexpected Attachments: Never open or run attachments from unexpected emails, even when the sender appears legitimate; verify the claim through a channel you already trust.
  • Keep Software Updated: Ensure that your operating system and security software have the latest patches.
  • Use Strong Passwords: Create strong, unique passwords for each online account, ideally in a password manager; an infostealer that captures one reused password compromises every account that shares it.
  • Enable Two-Factor Authentication: Use two-factor authentication wherever possible so that a stolen password alone is not enough to log in. Bear in mind that infostealers also take session cookies, so sign out of sensitive services rather than staying logged in indefinitely.

By staying informed and practising good cybersecurity habits, individuals and organisations can protect themselves from these types of attacks.

Iranian threat group targets aerospace workers with fake job lures

An Iranian cyber threat group linked to APT35 (Charming Kitten) is running a targeted campaign that uses fake job offers to compromise aerospace industry professionals.

Active since September 2023, the campaign delivers the SnailResin loader, which in turn deploys the SlugResin backdoor. The job-themed lures appeal to career-minded professionals and are designed to slip past standard security controls. Companies are advised to raise employee awareness of recruitment-themed social engineering and to strengthen their ability to detect these increasingly sophisticated, AI-influenced tactics.

Hackers Keep Stealing Tickets From People’s Ticketmaster Accounts

This article covers the aftermath of the Ticketmaster data breach, which affected over 500 million customers, and the wave of ticket thefts and account takeovers that followed. Users, including some who had spent large sums on tickets, reported attackers accessing their accounts and transferring tickets away, causing financial loss and ruined event plans.

Although security experts stated that passwords were not directly exposed in the breach, questions remain about how the accounts were compromised. Ticketmaster’s parent company, Live Nation, is already under scrutiny for antitrust issues, monopolistic control of the market, and poor user experience, adding to its challenges.

Customers of Ticketmaster are advised to change their passwords, to use one that is not reused on any other site, and to enable any additional account security measures the service offers.

2023 Top Routinely Exploited Vulnerabilities

The following cybersecurity agencies coauthored a joint Cybersecurity Advisory released by CISA this week.

  • United States: The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and National Security Agency (NSA)
  • Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
  • Canada: Canadian Centre for Cyber Security (CCCS)
  • New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
  • United Kingdom: National Cyber Security Centre (NCSC-UK)

This advisory provides details, collected and compiled by the authoring agencies, on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2023 and their associated Common Weakness Enumerations (CWEs). Malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks in 2023 compared to 2022, allowing them to conduct operations against high priority targets.

The authoring agencies strongly encourage vendors, designers, developers, and end-user organisations to implement the following recommendations to reduce the risk of compromise by malicious cyber actors.

  • Vendors, designers, and developers should incorporate secure by design and default principles to reduce software vulnerabilities, following NIST SP 800-218, the Secure Software Development Framework (SSDF). They should establish a vulnerability disclosure programme and ship secure default configurations.
  • End-user organisations should apply patches promptly, check for signs of compromise before patching (a patch closes the door but does not evict an attacker who is already inside), implement centralised patch management, use security tools such as endpoint detection and response, and ask their software providers about their secure design practices.

Experts have discovered 70,000 hijacked domains in a widespread attack scheme known as “Sitting Ducks.”

Multiple threat actors have exploited an attack technique known as “Sitting Ducks” to hijack legitimate domains for use in phishing attacks and investment fraud schemes over the years.

Recent findings from Infoblox indicate that nearly 800,000 vulnerable registered domains were identified in the past three months, with approximately 9% of them (around 70,000) having been hijacked.

Technique Overview:

  • The Sitting Ducks attack lets cybercriminals take over legitimate domains through a DNS misconfiguration, without ever touching the domain owner’s registrar account: the domain’s delegation points to an authoritative DNS provider that does not actually host the zone, and that provider lets anyone create the zone without proving ownership.
  • The underlying fault is a lame delegation, where the nameservers listed at the registrar do not answer authoritatively for the domain. This typically arises when the domain is registered with one company and its DNS was hosted with another, and the DNS hosting account has since lapsed, leaving the delegation dangling.
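The lame-delegation precondition described above can be tested directly. The following is an added example for this newsletter, not code from the original article or from Infoblox: a standard-library Python probe that sends a non-recursive SOA query straight to each nameserver listed for a domain and reports the ones that do not answer authoritatively. example.com, the IANA nameserver names in the usage line, and the simulated responses are constructed sample data.

```python
"""Probe a domain's delegated nameservers for a lame delegation, the DNS-side
precondition of a Sitting Ducks hijack.

Added example for this newsletter; not code from the original article or from Infoblox.
It speaks raw DNS over UDP using only the standard library. example.com and the
simulated responses below are constructed sample data.
"""
import secrets
import socket
import struct
from collections import namedtuple

QTYPE_SOA, QCLASS_IN = 6, 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

# status is one of: "authoritative", "lame", "mismatched-id", "malformed", "unreachable"
Verdict = namedtuple("Verdict", "status rcode aa")


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_soa_query(domain: str, txid: int) -> bytes:
    """SOA query with RD=0: we want the server's own knowledge, not a recursive lookup."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def classify_response(resp: bytes, expected_txid: int) -> Verdict:
    """A server that truly hosts the zone replies NOERROR with the AA bit set and an answer.
    Anything else (REFUSED, SERVFAIL, NXDOMAIN, or AA clear) means it does not, i.e. the
    delegation is lame at that server."""
    if len(resp) < 12:
        return Verdict("malformed", "-", False)
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        return Verdict("mismatched-id", "-", False)
    if not flags & 0x8000:                      # QR bit must be set on a response
        return Verdict("malformed", "-", False)
    aa = bool(flags & 0x0400)
    rcode = RCODE_NAMES.get(flags & 0x000F, f"RCODE{flags & 0x000F}")
    if rcode == "NOERROR" and aa and ancount > 0:
        return Verdict("authoritative", rcode, aa)
    return Verdict("lame", rcode, aa)


def probe_nameserver(ns_host: str, domain: str, timeout: float = 3.0) -> Verdict:
    """Ask one delegated nameserver directly (not your resolver) and classify the reply."""
    txid = secrets.randbelow(1 << 16)
    query = build_soa_query(domain, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (ns_host, 53))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return Verdict("unreachable", "TIMEOUT", False)
    return classify_response(resp, txid)


def check_delegation(domain: str, delegated_ns, prober=probe_nameserver) -> dict:
    """Return {nameserver: Verdict} for every delegated server that is not authoritative.
    An empty dict means no lame delegation. A non-empty one is necessary but not sufficient
    for Sitting Ducks: the hosting provider must also let an outsider claim the zone."""
    results = {}
    for ns in delegated_ns:
        verdict = prober(ns, domain)
        if verdict.status != "authoritative":
            results[ns] = verdict
    return results


def simulate_response(query: bytes, *, aa: bool, rcode: int, ancount: int) -> bytes:
    """Constructed test data: echo the query's ID and question with response flags set.
    No answer section is included; classify_response reads only the header."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0400 if aa else 0) | (rcode & 0x000F)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + query[12:]


SAMPLE_QUERY = build_soa_query("example.com", 0x1234)
SAMPLE_AUTHORITATIVE = simulate_response(SAMPLE_QUERY, aa=True, rcode=0, ancount=1)
SAMPLE_REFUSED = simulate_response(SAMPLE_QUERY, aa=False, rcode=5, ancount=0)
SAMPLE_RECURSOR = simulate_response(SAMPLE_QUERY, aa=False, rcode=0, ancount=1)  # answered, but not as the zone's owner

if __name__ == "__main__":
    # Live probe of example.com's delegation (the IANA nameservers); expect an empty result.
    print(check_delegation("example.com", ["a.iana-servers.net", "b.iana-servers.net"]))
```

Feed it the NS set published in the parent zone for each domain you own, not the set your hosting panel shows, since the two diverging is the whole problem. A lame verdict tells you the delegation is dangling; whether the hosting provider will let a stranger create that zone is a second, manual check, and an unreachable server deserves the same scrutiny as a refusing one. The probe also deliberately clears the RD bit: a recursive answer from a misconfigured open resolver would otherwise look like success.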

Scale and Scope:
  • The technique was first documented in 2016 but became widely known only after the scale of its abuse was highlighted in August 2024.
  • Infoblox’s follow-up research found that around 9% (some 70,000) of the roughly 800,000 vulnerable domains it identified had been hijacked in the past three months.

Methodology and Stealth:
  • Threat actors borrow the hijacked domain’s established reputation to mask malicious activity. Without obvious signals such as phishing pages or malware, a change to the domain’s IP address or nameservers is hard to spot.
  • In rotational hijacking, the same domain is taken over repeatedly by different actors in turn, complicating attribution, detection, and prevention.

Notable Threat Actors:
  • Vacant Viper: Active since 2019; uses hijacked domains for spam, command-and-control (C2), and malware distribution.
  • Horrid Hawk: Runs investment scams through short-lived ads, active since February 2023.
  • Hasty Hawk: Known for phishing campaigns that imitate reputable brands such as DHL or support sites for Ukraine, active since 2022.
  • VexTrio Viper: Operates a traffic distribution system (TDS) that routes victims to scams, including pharmaceutical campaigns.

Threats and Impacts:
  • Hijacked domains facilitate a wide range of cybercrime, including credential theft, malware distribution, and fraudulent schemes.
  • Because the domains carry an established good reputation, conventional reputation-based security controls struggle to identify and block the activity.
  • Increased awareness has not yet reduced the number of hijackings, though businesses are better informed about the risk.
  • The main defensive challenge is distinguishing legitimate changes to a domain’s DNS from those made by malicious actors without generating false positives.

The findings emphasise the importance of auditing domain delegations for dangling nameservers, monitoring for subtle DNS changes, and staying informed about new threat actor techniques.


Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it.

Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.

Let’s make 2024 the year of shared knowledge and community growth!

