Cybersecurity News: MFA fatigue hacking, Senate blasts counterintelligence, Australian telco breach

MFA Fatigue: Hackers’ new favorite tactic in high-profile breaches

With the advent of multi-factor authentication, especially through employees’ smartphones, it was inevitable that a hack would soon follow. An MFA fatigue attack is one in which a threat actor runs a script that attempts to log in with stolen credentials over and over, causing a repeated stream of MFA push requests to be sent to the account owner’s mobile device. The goal is to keep this up until the employee simply presses OK to clear the onslaught. If that does not work, the threat actors make contact by voice or email, imploring the user to accept the requests. This social engineering technique has been used with great success by the Lapsus$ and Yanluowang threat actors when breaching large and well-known organizations such as Microsoft, Cisco, and now Uber. The full story is available at Bleeping Computer.

(Bleeping Computer)
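The pattern described above (a burst of push prompts to one user, often ending in a single approval) is visible in MFA provider logs. The following is an added example, not code from the article or from any MFA vendor: it runs a sliding-window burst detector over a constructed push log in a made-up format (timestamp, user, event, result, source IP), and pairs it with a simple per-user push rate limiter of the kind a defender would put in front of the push channel so the flood never reaches the phone. Thresholds, the log layout and the user names are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real data). Fields:
# timestamp, user, event, push result, source IP of the login attempt
SAMPLE_LOG = """\
2022-09-23T08:00:01Z alice push_sent denied 203.0.113.7
2022-09-23T08:00:12Z alice push_sent denied 203.0.113.7
2022-09-23T08:00:25Z alice push_sent timeout 203.0.113.7
2022-09-23T08:00:40Z alice push_sent denied 203.0.113.7
2022-09-23T08:00:55Z alice push_sent denied 203.0.113.7
2022-09-23T08:01:10Z alice push_sent approved 203.0.113.7
2022-09-23T08:05:00Z bob push_sent approved 198.51.100.4
2022-09-23T09:30:00Z bob push_sent denied 198.51.100.4
2022-09-23T12:00:00Z bob push_sent approved 198.51.100.4
"""

BURST_THRESHOLD = 5            # pushes to one user inside the window (assumed)
WINDOW = timedelta(minutes=2)  # sliding window size (assumed)


def parse_line(line):
    ts, user, _event, result, src = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, src


def detect_mfa_fatigue(log_text, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return one alert per user whose push count inside any sliding window
    reaches `threshold`. `approved_after_burst` is True when a push sent
    while the window was already over the threshold was approved, i.e. the
    user may have accepted a prompt just to stop the flood."""
    recent = defaultdict(deque)   # user -> (ts, result, src) inside the window
    alerts = {}
    for line in log_text.strip().splitlines():
        ts, user, result, src = parse_line(line)
        q = recent[user]
        q.append((ts, result, src))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        alert = alerts.setdefault(user, {
            "first_burst_at": q[0][0],
            "max_pushes_in_window": 0,
            "approved_after_burst": False,
            "sources": set(),
        })
        alert["max_pushes_in_window"] = max(alert["max_pushes_in_window"], len(q))
        alert["approved_after_burst"] |= (result == "approved")
        alert["sources"].update(s for _, _, s in q)
    return alerts


class PushRateLimiter:
    """Preventive control: refuse to send more than `limit` pushes to a user
    inside `window`. A capped, slow stream of prompts is much less
    effective at wearing a user down than an unbounded one."""

    def __init__(self, limit=3, window=timedelta(minutes=5)):
        self.limit, self.window = limit, window
        self.sent = defaultdict(deque)   # user -> timestamps of pushes sent

    def allow_push(self, user, now):
        q = self.sent[user]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def limiter_demo():
    """Constructed timeline: three pushes 10 s apart are allowed, a fourth
    at 40 s is refused, and one six minutes later is allowed again."""
    lim = PushRateLimiter(limit=3, window=timedelta(minutes=5))
    t0 = datetime(2022, 9, 23, 8, 0, 0)
    return [lim.allow_push("alice", t0 + timedelta(seconds=s))
            for s in (0, 10, 20, 40, 360)]


if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(user, alert)
    print(limiter_demo())
```

On the sample data only "alice" trips the detector: six pushes inside two minutes, the last one approved, all from one source. The limiter is the cheaper control of the two; number matching (typing a code shown on the login screen into the phone) removes the "press OK to make it stop" shortcut entirely and is the change most providers now recommend.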

Senate report details inefficiencies, confusion at key U.S. counterintelligence center

According to US senators, “the National Counterintelligence and Security Center is paralyzed by dysfunction, lack of resources and confusion about its mission, leaving a key national security asset dangerously vulnerable.” This is the sentiment of the 153-page Senate Select Committee on Intelligence report. It describes the center’s inability to adapt to the growing role of cyber and the “whole-of-society threat landscape” as among a number of factors that are speeding the organization’s decline. The report pointed out that because U.S. adversaries now have access to far more varied tools for influencing American officials and inflaming social tensions, the counterintelligence center must gain real authority and modernize its mission and strategies.

(Cyberscoop)

Australian telco Optus suffers massive data breach

The breach hit Optus, Australia’s second-largest telecom company, which means the personal information of potentially millions of customers may be compromised. The attackers, who are believed to be operating at a nation-state level, made off with standard PII, driver’s licences and passport numbers, but Optus could not yet say how many of its 9.7 million Australian subscribers had been compromised, other than to say the number was “significant”. They added, “We’re so deeply disappointed because we spend so much time and we invest so much in preventing this from occurring.”

(The Guardian)

BlackCat ransomware’s data exfiltration tool gets an upgrade

BlackCat ransomware, also known as ALPHV, has an upgraded version of the exfiltration tool used for double-extortion attacks. Considered a successor to DarkSide and BlackMatter, it is one of the most technically advanced Ransomware-as-a-Service (RaaS) operations. The latest version has gone through heavy code refactoring to better evade detection, including deployment of a new malware called “Eamfo,” which explicitly targets credentials stored in Veeam backups. According to Bleeping Computer, this software is typically used for storing credentials to domain controllers and cloud services, so the ransomware actors can use them for deeper infiltration and lateral movement.

(Bleeping Computer)

Thanks to today’s episode sponsor, 6clicks

With 6clicks, organizations can manage enterprise risk easier than ever before. 6clicks helps you identify your risks, group them into risk registers, and run risk assessments. It highlights causes and potential impacts, outlines risk treatment plans, and helps you manage the full treatment lifecycle – all while informing your holistic GRC posture with built-in data linkages. For more information visit 6clicks.com/cisoseries.

Domain shadowing becoming more popular among cybercriminals

Palo Alto Networks (Unit 42) analysts suggest that “domain shadowing” might be more prevalent than previously thought. During a scan of the internet between April and June 2022, they found more than 12,000 cases. “Domain shadowing is a subcategory of DNS hijacking, where threat actors compromise the DNS of a legitimate domain to host their own subdomains for use in malicious activity but do not modify the legitimate DNS entries that already exist.” This enables the threat actors to host command and control (C2) addresses, phishing sites, and malware-dropping points, abusing the hijacked domain to bypass security checks.

(Bleeping Computer)
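Because shadowing leaves the legitimate records untouched, the owner will not notice anything breaking; the signal is records that exist in the zone but that nobody in the organisation created. The following is an added example, not code from Unit 42 or from the article: it diffs a constructed zone export against a baseline of known records and flags unknown names, with an extra mark when an A/AAAA record points outside the organisation's own address space. It goes slightly beyond the article by also distinguishing a modified existing record (ordinary DNS hijacking) from an added one (shadowing). The domain, addresses and trusted network are all made up.

```python
import ipaddress

# Constructed baseline: (name, type) -> set of values the organisation created
BASELINE = {
    ("www.example.com", "A"): {"192.0.2.10"},
    ("mail.example.com", "A"): {"192.0.2.20"},
    ("example.com", "MX"): {"mail.example.com"},
}

# Constructed current zone export: every legitimate record is still present,
# two subdomains nobody created have appeared, and one known name has gained
# an extra value
CURRENT_ZONE = [
    ("www.example.com", "A", "192.0.2.10"),
    ("mail.example.com", "A", "192.0.2.20"),
    ("example.com", "MX", "mail.example.com"),
    ("login-verify.example.com", "A", "203.0.113.45"),
    ("cdn-update.example.com", "A", "198.51.100.9"),
    ("www.example.com", "A", "192.0.2.11"),
]

# Assumed address space the organisation actually owns
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def audit_zone(current, baseline, trusted_nets):
    """Compare a zone export with the baseline and return a list of findings.
    kind is one of: unknown_record (shadowing pattern), modified_record
    (a known name now resolves somewhere new), missing_record."""
    findings = []
    seen = set()
    for name, rtype, value in current:
        seen.add((name, rtype))
        expected = baseline.get((name, rtype))
        if expected is None:
            kind = "unknown_record"
        elif value not in expected:
            kind = "modified_record"
        else:
            continue                      # exactly what the baseline says
        outside = False
        if rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(value)
            outside = not any(ip in net for net in trusted_nets)
        findings.append({"name": name, "type": rtype, "value": value,
                         "kind": kind, "outside_trusted": outside})
    for name, rtype in baseline:
        if (name, rtype) not in seen:
            findings.append({"name": name, "type": rtype, "value": None,
                             "kind": "missing_record", "outside_trusted": False})
    return findings


def shadowed_names(findings):
    """Names that appear in the zone without any baseline entry at all."""
    return sorted({f["name"] for f in findings if f["kind"] == "unknown_record"})


if __name__ == "__main__":
    for f in audit_zone(CURRENT_ZONE, BASELINE, TRUSTED_NETS):
        print(f)
```

In practice the baseline lives in version control (or is generated from infrastructure-as-code) and the current zone comes from the registrar or DNS provider's API on a schedule; the same diff run daily is what turns a silent change at the DNS provider into an alert. Protecting the registrar and DNS provider accounts themselves with phishing-resistant MFA removes the most common way the records get changed in the first place.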

U-Haul data breach exposed data of more than 2 million clients

The moving and storage rental company started an investigation that concluded that the hackers accessed customers’ PII between November 5, 2021, and April 5, 2022. The data breach was traced back to a contract search tool that allows access to rental contracts for U-Haul customers. However, the customer data breach did not expose any payment card information since the tool does not access that information.

(CPO Magazine)

Twitter password reset bug exposed user accounts

Twitter has updated a system that allowed accounts to stay logged in across multiple devices after a voluntary password reset. The danger of this bug was that a threat actor who had been able to access an account could have continued to enjoy access even after the user performed a password reset. It is not clear how long this vulnerability existed, but “Twitter explained that the issue appeared after it made a change last year to the systems that power its password reset functionality.”

(Infosecurity Magazine)
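The bug class here is a password reset that rotates the credential but leaves previously issued sessions alive. The following is an added example, not Twitter's code or anything from the article: a small in-memory user and session store in which each session records the "password version" it was issued under, so that bumping the version on reset invalidates every outstanding session except, optionally, the one the user is resetting from. The vulnerable reset is shown beside the hardened one. Class and method names, the hashing parameters and the users are all assumptions.

```python
import hashlib
import hmac
import secrets


class AuthStore:
    """Constructed in-memory user/session store for illustration only."""

    def __init__(self):
        self.users = {}     # username -> {salt, pw_hash, pw_version}
        self.sessions = {}  # token -> {user, pw_version}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt,
                            "pw_hash": self._hash(password, salt),
                            "pw_version": 0}

    def login(self, user, password):
        """Return a new session token on success, None otherwise."""
        rec = self.users.get(user)
        if rec is None:
            return None
        if not hmac.compare_digest(rec["pw_hash"], self._hash(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        # Bind the session to the password version current at login time
        self.sessions[token] = {"user": user, "pw_version": rec["pw_version"]}
        return token

    def is_session_valid(self, token):
        s = self.sessions.get(token)
        if s is None:
            return False
        # A session is only valid while the password it was issued under
        # is still the current one
        return s["pw_version"] == self.users[s["user"]]["pw_version"]

    def reset_password_vulnerable(self, user, new_password):
        """Bug pattern: rotates the hash but touches nothing else, so every
        session issued before the reset keeps working."""
        rec = self.users[user]
        rec["salt"] = secrets.token_bytes(16)
        rec["pw_hash"] = self._hash(new_password, rec["salt"])

    def reset_password(self, user, new_password, keep_token=None):
        """Hardened reset: rotate the hash, then bump the version so all
        existing sessions fail validation. `keep_token` lets the session
        performing the reset survive, which is the usual UX choice."""
        self.reset_password_vulnerable(user, new_password)
        rec = self.users[user]
        rec["pw_version"] += 1
        kept = self.sessions.get(keep_token)
        if kept is not None and kept["user"] == user:
            kept["pw_version"] = rec["pw_version"]


if __name__ == "__main__":
    store = AuthStore()
    store.add_user("alice", "old-pw")
    phone, laptop = store.login("alice", "old-pw"), store.login("alice", "old-pw")
    store.reset_password_vulnerable("alice", "new-pw")
    print("after vulnerable reset, laptop still valid:", store.is_session_valid(laptop))
    store.reset_password("alice", "newer-pw", keep_token=phone)
    print("after hardened reset, laptop valid:", store.is_session_valid(laptop))
```

The version counter is the cheap way to get "log out everywhere" without enumerating a user's sessions, which matters when sessions are stored in a cache or signed into a cookie rather than in a table. The same check should fire on any credential change, not only a voluntary reset: an account recovery flow or an administrator-forced reset is exactly where an attacker who already holds a session would otherwise keep it.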

Fake sites fool Zoom users into downloading deadly code

Threat researchers at Cyble located six fake Zoom sites that tempt users into clicking on links that will download the Vidar Stealer malware. Cyble believes these fake Zoom sites are part of a wider info-stealing effort. The Cyble researchers found six sites with names that include the word “zoom.” These sites redirect users to a GitHub URL that shows applications that can be downloaded, which are, of course, malicious.

(The Register)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.