MFA Fatigue: Hackers’ new favorite tactic in high-profile breaches
With multi-factor authentication now widespread, especially push-based MFA on employees’ smartphones, it was inevitable that attackers would find a way around it. In an MFA Fatigue attack, a threat actor runs a script that repeatedly attempts to log in with stolen credentials, sending a constant stream of MFA push requests to the account owner’s mobile device. The goal is to keep this up until the employee simply presses OK to stop the onslaught. If that does not work, the threat actors contact the user by phone or email and urge them to accept the request. This social engineering technique has been used successfully by the Lapsus$ and Yanluowang threat actors in breaches of large and well-known organizations such as Microsoft, Cisco, and now Uber. The full story is available at Bleeping Computer.
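The attack pattern above (a burst of unapproved push prompts, then an approval) is visible in identity-provider logs. The following is an added detection example written for this page, not code from Bleeping Computer or any vendor; the log layout, user names, and IP addresses are constructed, and the thresholds are assumptions to tune against your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events, not real identity-provider telemetry.
# Field layout (timestamp, user, factor, outcome, source IP) is an assumption.
SAMPLE_EVENTS = [
    "2022-09-20T02:01:05Z alice push DENIED 203.0.113.7",
    "2022-09-20T02:01:31Z alice push DENIED 203.0.113.7",
    "2022-09-20T02:01:58Z alice push DENIED 203.0.113.7",
    "2022-09-20T02:02:20Z alice push DENIED 203.0.113.7",
    "2022-09-20T02:02:55Z alice push EXPIRED 203.0.113.7",
    "2022-09-20T02:03:40Z alice push DENIED 203.0.113.7",
    "2022-09-20T02:04:10Z alice push APPROVED 203.0.113.7",  # user gave in
    "2022-09-20T08:15:00Z bob push APPROVED 198.51.100.4",
    "2022-09-20T08:40:00Z bob push DENIED 198.51.100.4",      # one stray denial is normal
    "2022-09-20T09:00:00Z carol push DENIED 198.51.100.9",
    "2022-09-20T09:00:30Z carol push DENIED 198.51.100.9",
    "2022-09-20T09:01:00Z carol push DENIED 198.51.100.9",
]


def parse_event(line):
    """Split one constructed log line into (timestamp, user, outcome, source_ip)."""
    ts, user, _factor, outcome, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome, ip


def detect_mfa_fatigue(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {user: finding} for users who received `threshold` or more
    unapproved (denied/expired) push prompts inside any `window`.

    `approved_after_burst` is the dangerous case: an approval landed within
    `window` after the last prompt of the burst, which is what the attacker
    is waiting for. `source_ips` helps confirm the prompts came from one
    unfamiliar origin rather than the user's own devices.
    """
    by_user = defaultdict(list)
    for line in lines:
        ts, user, outcome, ip = parse_event(line)
        by_user[user].append((ts, outcome, ip))

    findings = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        unapproved = [e for e in events if e[1] != "APPROVED"]

        # Sliding window over the unapproved prompts only.
        start = 0
        peak = 0
        burst_end = None
        for end, (ts, _, _) in enumerate(unapproved):
            while ts - unapproved[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                peak = max(peak, count)
                burst_end = ts
        if burst_end is None:
            continue

        approved_after = any(
            outcome == "APPROVED" and burst_end <= ts <= burst_end + window
            for ts, outcome, _ in events
        )
        findings[user] = {
            "unapproved_prompts": peak,
            "approved_after_burst": approved_after,
            "source_ips": sorted({ip for _, _, ip in unapproved}),
        }
    return findings


if __name__ == "__main__":
    for user, finding in detect_mfa_fatigue(SAMPLE_EVENTS).items():
        print(user, finding)
```

Alerting on the burst alone catches the attack while it is still failing; the `approved_after_burst` flag is the one that should page someone, because at that point the account is already in the attacker's hands and the session needs to be killed. Number matching in the push prompt removes the "just press OK" path entirely and is the preferable long-term fix.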
Senate report details inefficiencies, confusion at key U.S. counterintelligence center
The National Counterintelligence and Security Center is paralyzed by dysfunction, lack of resources and confusion about its mission, leaving a key national security asset dangerously vulnerable, U.S. senators said Wednesday. The center’s inability to adapt to the growing role of cyber and the “whole-of-society threat landscape” is among several factors contributing to the organization’s decline, according to a blistering 153-page Senate Select Committee on Intelligence report. The report said, for example, that because U.S. adversaries now have access to far more varied tools for influencing American officials and inflaming social tensions, the counterintelligence center must gain real authority and modernize its mission and strategies.
Australian telco Optus suffers massive data breach
Australia’s second-largest telco, Optus, has suffered a massive data breach, with the personal information of potentially millions of customers compromised in a cyber-attack. The attackers are believed to be working for a criminal or state-sponsored organization and made off with birthdates, phone numbers, email addresses, driver’s licences and passport numbers. Optus stated yesterday that it could not yet say how many of its 9.7 million Australian subscribers had been affected, but did say the number was “significant”. The company added, “We’re so deeply disappointed because we spend so much time and we invest so much in preventing this from occurring.”
BlackCat ransomware’s data exfiltration tool gets an upgrade
The BlackCat ransomware (aka ALPHV) isn’t showing any signs of slowing down, and the latest example of its evolution is a new version of the gang’s data exfiltration tool used for double-extortion attacks. Considered a successor to DarkSide and BlackMatter, it is one of the most sophisticated and technically advanced Ransomware-as-a-Service (RaaS) operations. The latest version has gone through heavy code refactoring to better evade detection, and the gang has also deployed a new piece of malware called “Eamfo,” which specifically targets credentials stored in Veeam backups. Veeam backup software typically stores credentials for domain controllers and cloud services, which the ransomware actors can reuse for deeper infiltration and lateral movement.
Thanks to today’s episode sponsor, 6clicks

Domain shadowing becoming more popular among cybercriminals
Threat analysts at Palo Alto Networks (Unit 42) have found that ‘domain shadowing’ may be far more prevalent than previously thought, uncovering 12,197 cases while scanning the web between April and June 2022. Domain shadowing is a subcategory of DNS hijacking in which threat actors gain control of a legitimate domain’s DNS and quietly add their own subdomains, pointed at infrastructure they control, while leaving the domain’s existing records untouched so the owner notices nothing. The threat actors are then free to host C2 (command and control) addresses, phishing sites, and malware-dropping points on those subdomains, abusing the good reputation of the hijacked domain to bypass security checks.
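Because the legitimate records are left alone, the tell-tale sign is a newly appeared subdomain that resolves somewhere the domain has never lived. The script below is an added triage example for this page, not Unit 42’s detector or any part of their research; the passive-DNS style records, the reserved example.com and documentation-range addresses, the 90-day lookback, the /24 grouping and the lexical check are all constructed assumptions.

```python
import ipaddress
from datetime import date, timedelta

# Constructed passive-DNS style records (hostname, A record, first seen) for the
# reserved example.com domain; not real data. 198.51.100.0/24 stands in for the
# domain owner's own hosting, 203.0.113.0/24 for attacker infrastructure.
RECORDS = [
    ("example.com",              "198.51.100.10", date(2015, 3, 1)),
    ("www.example.com",          "198.51.100.10", date(2015, 3, 1)),
    ("mail.example.com",         "198.51.100.25", date(2016, 7, 9)),
    ("blog.example.com",         "198.51.100.30", date(2022, 6, 1)),   # new, but in-house
    ("login-secure.example.com", "203.0.113.45",  date(2022, 6, 14)),  # shadowed
    ("xk3p9qz2.example.com",     "203.0.113.46",  date(2022, 6, 15)),  # shadowed
]


def looks_random(label):
    """Crude lexical signal (an assumption, not a trained classifier): a label
    with no vowels, or where a quarter or more of the characters are digits."""
    letters = [c for c in label if c.isalpha()]
    digits = sum(c.isdigit() for c in label)
    no_vowels = bool(letters) and not any(c in "aeiou" for c in letters)
    return no_vowels or digits >= max(1, len(label) // 4)


def find_shadowed(records, apex, as_of, lookback=timedelta(days=90), prefix=24):
    """Flag subdomains first seen within `lookback` of `as_of` whose address
    lies outside every /`prefix` network used by the apex and by hosts that
    predate the lookback window.

    Diverging IP plus recent appearance is the core shadowing heuristic; the
    lexical check is only a secondary signal attached to each finding.
    """
    cutoff = as_of - lookback
    baseline = {
        ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        for host, ip, first_seen in records
        if host == apex or first_seen < cutoff
    }
    flagged = []
    for host, ip, first_seen in records:
        if host == apex or first_seen < cutoff:
            continue  # established record, part of the baseline
        if any(ipaddress.ip_address(ip) in net for net in baseline):
            continue  # new, but hosted where the domain already lives
        label = host[: -(len(apex) + 1)]
        flagged.append({
            "host": host,
            "ip": ip,
            "first_seen": first_seen.isoformat(),
            "random_looking": looks_random(label),
        })
    return flagged


if __name__ == "__main__":
    for hit in find_shadowed(RECORDS, "example.com", as_of=date(2022, 6, 30)):
        print(hit)
```

One caveat the code makes visible: the baseline is learned from whatever was first seen before the lookback window, so a shadow subdomain that survives long enough becomes "established" and stops being flagged. In practice, seed the baseline from the registrar or DNS provider’s authoritative zone export rather than from passive observation, and alert on any record that appears in passive DNS without appearing in that export.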
U-Haul data breach exposed data of more than 2 million clients
The moving and storage rental company’s investigation concluded that hackers accessed customers’ PII between November 5, 2021, and April 5, 2022. U-Haul traced the breach to a contract search tool that provides access to U-Haul customers’ rental contracts. The breach did not expose any payment card information, since the tool does not access that data.
Twitter password reset bug exposed user accounts
Twitter has remediated an issue that allowed accounts to stay logged in on multiple devices even after a voluntary password reset. In an announcement Wednesday, the social media company explained that users who proactively changed their passwords on one device may have still had open sessions on other devices. That meant a threat actor who had gained access to an account in some way could have continued to use it even after such a reset. It’s unclear exactly how long users were exposed in this way, but Twitter said the issue appeared after it made a change “last year” to the systems that power its password reset functionality.
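The safe behaviour a password reset is supposed to trigger is that every session issued under the old password stops working, with the device that made the change optionally kept signed in. The following is an added illustration written for this page, not Twitter’s code or a description of how Twitter’s systems work; the session store, the generation-counter scheme and the user names are constructed. The `revoke_on_password_change=False` mode reproduces the symptom the article describes, the default mode is the remediated behaviour.

```python
import hashlib
import os
import secrets


def _hash_password(password, salt):
    """PBKDF2-HMAC-SHA256; iteration count is a placeholder, tune for production."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Server-side sessions with password-change revocation.

    Each user carries a password generation counter and every session records
    the generation it was issued under. A session is valid only while its
    generation matches the user's current one, so bumping the counter on a
    password change invalidates every other device's session at once without
    having to enumerate them.
    """

    def __init__(self, revoke_on_password_change=True):
        self.revoke_on_password_change = revoke_on_password_change
        self._users = {}     # username -> {"salt", "hash", "generation"}
        self._sessions = {}  # token -> {"user", "generation"}

    def create_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt, "hash": _hash_password(password, salt), "generation": 0,
        }

    def login(self, username, password):
        """Return a session token, or None on bad credentials."""
        u = self._users.get(username)
        if u is None or not secrets.compare_digest(
            u["hash"], _hash_password(password, u["salt"])
        ):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "generation": u["generation"]}
        return token

    def is_valid(self, token):
        s = self._sessions.get(token)
        if s is None:
            return False
        return s["generation"] == self._users[s["user"]]["generation"]

    def change_password(self, token, new_password):
        """Change the password for the session's user.

        With revocation on, every other session for that user stops validating;
        the calling device keeps its session by being re-stamped with the new
        generation. With revocation off (the buggy behaviour), old sessions,
        including an attacker's, keep working after the reset.
        """
        if not self.is_valid(token):
            raise PermissionError("no valid session")
        s = self._sessions[token]
        u = self._users[s["user"]]
        u["salt"] = os.urandom(16)
        u["hash"] = _hash_password(new_password, u["salt"])
        if self.revoke_on_password_change:
            u["generation"] += 1
            s["generation"] = u["generation"]


def demo(revoke):
    """Returns (own session still valid, stolen session still valid,
    old password rejected) after a reset from the user's own device."""
    store = SessionStore(revoke_on_password_change=revoke)
    store.create_user("alice", "old-password")
    phone = store.login("alice", "old-password")
    stolen = store.login("alice", "old-password")  # session an attacker obtained earlier
    store.change_password(phone, "new-password")
    return (
        store.is_valid(phone),
        store.is_valid(stolen),
        store.login("alice", "old-password") is None,
    )


if __name__ == "__main__":
    print("without revocation:", demo(revoke=False))
    print("with revocation:   ", demo(revoke=True))
```

The generation counter is what makes this robust: it works for stateless tokens too (embed the generation in the signed cookie or JWT and compare it on each request), and the same counter can be bumped by a "sign out everywhere" button or by an administrator responding to a compromise report.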
Fake sites fool Zoom users into downloading deadly code
Threat researchers at cybersecurity firm Cyble found six fake Zoom sites offering application downloads that install the Vidar Stealer information-stealing malware, which harvests far more than Zoom-related data. The fake Zoom sites are part of a wider info-stealing campaign, according to the Cyble Research and Intelligence Lab (CRIL). The researchers said the six sites are still in operation, with names like zoom-download[.]host and zoomus[.]website. These sites redirect users to a GitHub URL listing downloadable applications which are, of course, malicious.