Cyber Attacks and Hacking

RTH10260
Posts: 14668
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#76

Post by RTH10260 »

Cisco warns of new ‘Greatness’ phishing-as-a-service tool seen in the wild

Alexander Martin
May 10th, 2023

A new phishing-as-a-service (PaaS) tool is allowing rookie hackers to incorporate “some of the most advanced” features into their cyberattacks, researchers warned Wednesday.

Similar to other criminal services, PaaS platforms lower the bar to entry for cybercrime, offering unskilled hackers the ability to automate the tasks involved in tricking victims into entering their credentials on a fake login page.

The report from Cisco’s Talos threat intelligence team says the new service is called “Greatness” and was first seen in mid-2022 — with spikes in activity in December 2022 and March 2023 based on the number of attachment samples available on VirusTotal.

It has “almost exclusively” been used to target companies, rather than government organizations for instance, by mimicking their Microsoft 365 login pages, indicating that the service’s users are motivated by accessing their targets’ networks for financial gain rather than espionage purposes.



https://therecord.media/phishing-as-a-s ... kers-cisco
RTH10260
Posts: 14668
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#77

Post by RTH10260 »

Malware Used for Cyber Espionage Since 2004 Shut Down in US After Years-Long FBI Operation

Scott Ikeda
May 15, 2023

One of the key pieces of malware in the toolbox of Russian intelligence agents has been driven out of the United States, as the FBI has terminated its entire network after a years-long infiltration and tracking operation. The Russian Federal Security Service (FSB) has used “Snake” for cyber espionage since at least 2004, and it has been described as the most sophisticated tool in the country’s hacking arsenal.

Snake had established a peer-to-peer network of infected computers in the US, which the FBI monitored for several years to develop a full map and learn the system’s internal commands. The agency developed a tool to completely shut the network down, which was deployed in early May after receiving approval from a federal judge.

Russian malware network out of commission in US, but individual compromised computers may still pass sensitive information

According to a Justice Department statement, an FSB unit called “Turla” has operated the Snake malware for nearly 20 years and made use of it to steal data from at least 50 countries. The cyber espionage is generally directed at government agencies and journalists in NATO countries with a focus on stealing confidential documents of interest to the Russian government, but is funneled through a network of compromised computers around the world including a number in the US.

The statement indicates that US authorities have been aware of Snake for nearly all of its lifetime, but that it was difficult to pin down as it is highly sophisticated and something that Russia appears to put substantial resources into. Turla routinely upgrades and revises the malware to evade detection, and developed a unique encoded communications protocol to issue commands via its world-spanning peer-to-peer network of infected devices.

The FBI’s Operation Medusa, using a custom tool called Perseus, has wiped the Russian malware off of all known infected systems in the US. This came after an operation spanning years, initiated in 2016, in which the FBI received consent from owners of several infected systems to monitor traffic on them and ultimately figured out how to decrypt the cyber espionage network’s communications. The operation was able to deploy codes that disable the malware on infected devices without impacting their operation in any other way.




https://www.cpomagazine.com/cyber-secur ... operation/
RTH10260
Posts: 14668
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#78

Post by RTH10260 »

China's Mustang Panda Hackers Exploit TP-Link Routers for Persistent Attacks

May 16, 2023
Ravie Lakshmanan Network Security / Threat Intel

The Chinese nation-state actor known as Mustang Panda has been linked to a new set of sophisticated and targeted attacks aimed at European foreign affairs entities since January 2023.

An analysis of these intrusions, per Check Point researchers Itay Cohen and Radoslaw Madej, has revealed a custom firmware implant designed explicitly for TP-Link routers.

"The implant features several malicious components, including a custom backdoor named 'Horse Shell' that enables the attackers to maintain persistent access, build anonymous infrastructure, and enable lateral movement into compromised networks," the company said.

"Due to its firmware-agnostic design, the implant's components can be integrated into various firmware by different vendors."

The Israeli cybersecurity firm is tracking the threat group under the mythical creature name Camaro Dragon, which is also known as BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich.

The exact method used to deploy the tampered firmware images on the infected routers is currently unknown, as is its usage and involvement in actual attacks. It's suspected that initial access may have been acquired by exploiting known security flaws or brute-forcing devices with default or easily guessable passwords.




https://thehackernews.com/2023/05/china ... it-tp.html
Phoenix520
Posts: 4149
Joined: Mon Feb 22, 2021 1:20 pm
Verified:

Cyber Attacks and Hacking

#79

Post by Phoenix520 »

One of the key pieces of malware in the toolbox of Russian intelligence agents has been driven out of the United States, as the FBI has terminated its entire network after a years-long infiltration and tracking operation. The Russian Federal Security Service (FSB) has used “Snake” for cyber espionage since at least 2004, and it has been described as the most sophisticated tool in the country’s hacking arsenal.
But…but…the MAGAts say the FBI is feeble and working against us and must go!
RTH10260
Posts: 14668
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#80

Post by RTH10260 »

Phoenix520 wrote: Wed May 24, 2023 9:39 pm
One of the key pieces of malware in the toolbox of Russian intelligence agents has been driven out of the United States, as the FBI has terminated its entire network after a years-long infiltration and tracking operation. The Russian Federal Security Service (FSB) has used “Snake” for cyber espionage since at least 2004, and it has been described as the most sophisticated tool in the country’s hacking arsenal.
But…but…the MAGAts say the FBI is feeble and working against us and must go!
Of course --- all those maggaots who sponsor their computers to the Russians and praise RT television .... :twisted:
Dave from down under
Posts: 3999
Joined: Tue Feb 23, 2021 4:50 pm
Location: Down here!

Cyber Attacks and Hacking

#81

Post by Dave from down under »

https://www.abc.net.au/news/2023-06-05/ ... /102425324

How Australian cyber spies used 'Rickrolling' to disrupt Islamic State militants in Iraq

Etc
keith
Posts: 3762
Joined: Mon Feb 22, 2021 10:23 pm
Location: The Swamp in Victorian Oz
Occupation: Retired Computer Systems Analyst Project Manager Super Coder
Verified: ✅lunatic

Cyber Attacks and Hacking

#82

Post by keith »

Dave from down under wrote: Sun Jun 04, 2023 5:33 pm
https://www.abc.net.au/news/2023-06-05/ ... /102425324

How Australian cyber spies used 'Rickrolling' to disrupt Islamic State militants in Iraq

Etc
Extremely interesting.

I'm not sure I really needed to know even that gross level of detail though.
Has everybody heard about the bird?
Dave from down under
Posts: 3999
Joined: Tue Feb 23, 2021 4:50 pm
Location: Down here!

Cyber Attacks and Hacking

#83

Post by Dave from down under »

:shh: :shh: :shh: :shh: :shh: :shh:


https://www.abc.net.au/news/2023-06-04/ ... /102438900

World's spy chiefs connect in secret conclave at Shangri-La Dialogue security meeting in Singapore

:silenced: :silenced: :silenced:
somerset
Posts: 788
Joined: Mon Feb 22, 2021 12:06 pm
Occupation: Lab Rat

Cyber Attacks and Hacking

#84

Post by somerset »

Dave from down under wrote: Sun Jun 04, 2023 11:07 pm
:shh: :shh: :shh: :shh: :shh: :shh:


https://www.abc.net.au/news/2023-06-04/ ... /102438900

World's spy chiefs connect in secret conclave at Shangri-La Dialogue security meeting in Singapore

:silenced: :silenced: :silenced:
Such meetings are organised by the Singapore government and have been discreetly held at a separate venue alongside the security summit for several years, insiders told Reuters.

The US was represented by director of National Intelligence Avril Haines, the head of her country's intelligence community, while China was among the other countries present, despite the tensions between the two superpowers.

"The meeting is an important fixture on the international shadow agenda," said one person with knowledge of the discussions. "Given the range of countries involved, it is not a festival of tradecraft, but rather a way of promoting a deeper understanding of intentions and bottom lines.

:snippity:

"There is an unspoken code among intelligence services that they can talk when more formal and open diplomacy is harder — it is a very important factor during times of tension, and the Singapore event helps promote that."
The Shangri-La Dialogue is one of the most important annual meetings that help keep otherwise hostile parties communicating. I see this as a very good thing.
Dave from down under
Posts: 3999
Joined: Tue Feb 23, 2021 4:50 pm
Location: Down here!

Cyber Attacks and Hacking

#85

Post by Dave from down under »

It is a VERY good thing!
Talking can avoid mistakes...
RTH10260
Posts: 14668
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#86

Post by RTH10260 »

Dave from down under wrote: Sun Jun 04, 2023 11:07 pm
:shh: :shh: :shh: :shh: :shh: :shh:


https://www.abc.net.au/news/2023-06-04/ ... /102438900

World's spy chiefs connect in secret conclave at Shangri-La Dialogue security meeting in Singapore

:silenced: :silenced: :silenced:
at least they didn't use a floating hide-away ....

After boat full of Israeli and Italian spies sinks in Lake Maggiore, conspiracy theories abound
4 people, including 3 spies, died when boat sank in lake just 100 metres from shore

Published: June 02, 2023 20:40
Gulf News Report

Mystery shrouds the sinking of a tour boat full of Israeli and Italian intelligence figures in Italy’s Lake Maggiore earlier this week.

Four people, including a retired Mossad agent died when the boat sank just 100 metres from the shore.

The strange nature of the tragedy drew widespread attention after Rome acknowledged that two of the dead — Claudio Alonzi, 62, and Tiziana Barnobi, 53, — worked for the Italian secret services.

Adding to the mystery, ten surviving Mossad agents appeared to have been spirited away from the lake within hours of the accident. The Mossad sent an aircraft to return the Israeli survivors home, and tried to prevent publication of details about the incident in Israel, reports said.

Though Israeli officials have not released the dead agent’s name, Italian media reports identified him as 50-year-old Erez Shimoni.



https://gulfnews.com/world/europe/after ... 1.96161988
(PS: the reason the boat sank was overloading: 15 permitted, 26 aboard, when a local storm opened up)
Tiredretiredlawyer
Posts: 7693
Joined: Tue Feb 23, 2021 10:07 pm
Location: Rescue Pets Land
Occupation: 21st Century Suffragist
Verified: ✅🐴🐎🦄🌻5000 posts and counting

Cyber Attacks and Hacking

#87

Post by Tiredretiredlawyer »

Verrrry interesting. Conspiracy theories spring easily to one's mind. The film possibilities are boundless. :twisted:
"Mickey Mouse and I grew up together." - Ruthie Tompson, Disney animation checker and scene planner and one of the first women to become a member of the International Photographers Union in 1952.
somerset
Posts: 788
Joined: Mon Feb 22, 2021 12:06 pm
Occupation: Lab Rat

Cyber Attacks and Hacking

#88

Post by somerset »

Dave from down under wrote: Sun Jun 04, 2023 11:53 pm
It is a VERY good thing!
Talking can avoid mistakes...
A little more on the Shangri-La Dialogue this past weekend:


https://link.foreignpolicy.com/view/644 ... w/45951f31
Today's FP This Week features a dispatch from FP editor in chief Ravi Agrawal.

Every year, the world’s top defense officials fly to Singapore for a security conference known as the Shangri-La Dialogue. I was in the summit’s main conference hall this past weekend as U.S. Defense Secretary Lloyd Austin and his Chinese counterpart, Li Shangfu, delivered dueling speeches about the world order and security in the Indo-Pacific region. The two were talking at each other, not with each other.

Days earlier, Beijing turned down a White House request for a private meeting, citing U.S. sanctions on Li. In his speech at the conference hall, Austin criticized Li’s refusal to meet. “Dialogue is not a reward. It is a necessity,” Austin said. “I am deeply concerned that [Beijing] has been unwilling to engage more seriously on better mechanisms for crisis management between our two militaries.”

Li, who spoke the next day, slammed what he called a “Cold War mentality” and the formation of “small cliques,” referring to the United States’ growing security partnerships in Asia. This was Li’s first international speech as defense minister, and so all of us were watching him closely. There were no surprises as he denounced a bullying and hegemonic America, a trope that has become familiar from Chinese officials in recent times. [For more on this, watch my CNN segment, and join me for our next China-focused FP Live this Wednesday with China Brief author James Palmer and the Spectator’s Cindy Yu.]

The relative lack of high-level dialogue between the United States and China is increasingly worrying from any vantage point. In a reminder that this kind of heated rhetoric has consequences, as delegates mingled in Singapore, a Chinese naval ship dangerously cut across the path of a U.S. guided missile destroyer, which was conducting a joint exercise in the international waters of the Taiwan Strait.

—Ravi Agrawal
A couple of additional paragraphs at the link
RTH10260
Posts: 14668
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#89

Post by RTH10260 »

Barracuda Urges Replacing — Not Patching — Its Email Security Gateways

KrebsOnSecurity
June 8, 2023

It’s not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware — as opposed to just applying software updates. But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes.

Campbell, Calif. based Barracuda said it hired incident response firm Mandiant on May 18 after receiving reports about unusual traffic originating from its Email Security Gateway (ESG) devices, which are designed to sit at the edge of an organization’s network and scan all incoming and outgoing email for malware.

On May 19, Barracuda identified that the malicious traffic was taking advantage of a previously unknown vulnerability in its ESG appliances, and on May 20 the company pushed a patch for the flaw to all affected appliances (CVE-2023-2868).

In its security advisory, Barracuda said the vulnerability existed in the Barracuda software component responsible for screening attachments for malware. More alarmingly, the company said it appears attackers first started exploiting the flaw in October 2022.

But on June 6, Barracuda suddenly began urging its ESG customers to wholesale rip out and replace — not patch — affected appliances.
“Impacted ESG appliances must be immediately replaced regardless of patch version level,” the company’s advisory warned. “Barracuda’s recommendation at this time is full replacement of the impacted ESG.”

In a statement, Barracuda said it will be providing the replacement product to impacted customers at no cost, and that not all ESG appliances were compromised.

“No other Barracuda product, including our SaaS email solutions, were impacted by this vulnerability,” the company said. “If an ESG appliance is displaying a notification in the User Interface, the ESG appliance had indicators of compromise. If no notification is displayed, we have no reason to believe that the appliance has been compromised at this time.”

Nevertheless, the statement says that “out of an abundance of caution and in furtherance of our containment strategy, we recommend impacted customers replace their compromised appliance.”

“As of June 8, 2023, approximately 5% of active ESG appliances worldwide have shown any evidence of known indicators of compromise due to the vulnerability,” the statement continues. “Despite deployment of additional patches based on known IOCs, we continue to see evidence of ongoing malware activity on a subset of the compromised appliances. Therefore, we would like customers to replace any compromised appliance with a new unaffected device.”

Rapid7‘s Caitlin Condon called this remarkable turn of events “fairly stunning,” and said there appear to be roughly 11,000 vulnerable ESG devices still connected to the Internet worldwide.




https://krebsonsecurity.com/2023/06/bar ... -gateways/
RTH10260
Posts: 14668
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#90

Post by RTH10260 »

“Picture in Picture” Technique Exploited in New Deceptive Phishing Attack

HABIBA RASHID
JUNE 8, 2023

In a recent phishing campaign, hackers have employed sophisticated obfuscation tactics to deceive unsuspecting users into visiting malicious websites and disclosing sensitive information.

What makes this campaign unique is the technique where threat actors hide malicious links within seemingly innocuous images, particularly targeting customers of renowned brands such as Delta Airlines and Kohl’s.

The innovative approach, known as “picture in picture,” capitalizes on users’ trust in familiar logos and promotions, making the attacks more convincing and harder to detect.

Avanan, a subsidiary of Check Point Software, has been investigating these attacks, shedding light on the methods used by hackers to manipulate users’ perception of legitimacy. By embedding nefarious URLs within promotional images, cybercriminals exploit the limitations of URL filters, making it challenging for security systems to identify the threats.

When users receive an email containing the image, they are enticed to click on it, assuming they are accessing a legitimate offer or loyalty program. However, upon clicking, they are redirected to fake websites aimed at harvesting their credentials.

Jeremy Fuchs, a cybersecurity researcher and analyst at Avanan, explained, “Often, hackers will happily link a file, image, or QR code to something malicious. You can see the true intention by using OCR to convert the images to text or parsing QR codes and decoding them. But many security services don’t or can’t do this.”

The implications of these attacks extend beyond individual consumers, as airline loyalty program communications often reach corporate inboxes. With the rise of remote work, many employees use personal devices for business purposes or access personal services on business-issued laptops, making businesses vulnerable to these phishing attempts.




https://www.hackread.com/picture-in-pic ... ng-attack/
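The article's point is that a URL filter which only looks at visible text links never sees the click-through behind a promotional image. As an added example (not code from the Hackread article, Avanan or Check Point), the following stdlib-only Python parser pulls the `href` out of every "image-only" anchor in an HTML email body, so that destination can be handed to a reputation check, and flags the ones whose host is not under the sender's domain. The sample message, the `example.com` / `example.net` hosts and the `registrable()` heuristic are all constructed for the example; the OCR and QR-decoding step Fuchs describes works on the image pixels themselves and is a separate stage not shown here.

```python
"""
Added example: find "image-only" links in an HTML email and surface their
click-through URLs for filtering. All domains and the sample message are
constructed for this example and are not from the article.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class LinkRecord:
    href: str
    host: str
    text: str = ""                                   # visible text inside <a>, whitespace stripped
    images: List[Tuple[str, str]] = field(default_factory=list)   # (src, alt) of <img> inside <a>

    @property
    def image_only(self) -> bool:
        """True when the only clickable content of the anchor is an image."""
        return bool(self.images) and not self.text


class ImageLinkParser(HTMLParser):
    """Collect every <a href> and note whether its clickable area is an image."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[LinkRecord] = []
        self._current: Optional[LinkRecord] = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            href = attrs["href"].strip()
            self._current = LinkRecord(href=href, host=urlsplit(href).hostname or "")
        elif tag == "img" and self._current is not None:
            self._current.images.append((attrs.get("src") or "", attrs.get("alt") or ""))

    def handle_data(self, data):
        if self._current is not None:
            self._current.text += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def extract_links(html: str) -> List[LinkRecord]:
    """Return every anchor in the message, image-only or not."""
    parser = ImageLinkParser()
    parser.feed(html)
    parser.close()
    return parser.links


def registrable(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain.
    Assumption for the example: fine for .com/.net; production code should
    use a public-suffix list instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_image_links(html: str, sender_domain: str) -> List[LinkRecord]:
    """Image-only links whose click-through host is not under the sender's domain."""
    expected = registrable(sender_domain)
    return [link for link in extract_links(html)
            if link.image_only and registrable(link.host) != expected]


# Constructed sample: a loyalty-programme mail where the promo image links
# off-brand while the one text link stays on the sender's own domain.
SAMPLE_EMAIL = """
<html><body>
<p>Your loyalty statement is ready.</p>
<a href="https://login.example.net/verify?acct=1">
  <img src="https://cdn.example.com/promo.png" alt="Claim your 10,000 bonus miles">
</a>
<p><a href="https://www.example.com/account">Manage account</a></p>
</body></html>
"""

if __name__ == "__main__":
    for link in suspicious_image_links(SAMPLE_EMAIL, "example.com"):
        print(f"image-only link -> {link.href} (alt: {link.images[0][1]!r})")
```

The check deliberately ignores what the image says: the alt text or the pixels may promise airline miles, but the only fact the mail gateway can verify cheaply is where the click actually goes, which is why the destination host is compared against the sending domain rather than against the brand the image shows.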
RTH10260
Posts: 14668
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#91

Post by RTH10260 »

Just a randomly selected article on one of the current threats

CISA advisory on LockBit: $91 million extorted from 1,700 attacks since 2020

by Karl Greenberg in Security
on June 15, 2023, 7:37 PM EDT

FBI, CISA and international organizations released an advisory detailing breadth and depth of LockBit, and how to defend against the most prevalent ransomware of 2022 and (so far) 2023.

A new advisory from a consortium of international organizations, including the Cybersecurity and Infrastructure Security Agency, the FBI and the Multi-State Information Sharing and Analysis Center, details incidents involving LockBit, the most prevalent ransomware since 2022, and recommends mitigations. The growing numbers of hybrid workers are creating even more vulnerabilities, with smaller companies particularly vulnerable.
  • What is LockBit?
  • How does LockBit’s kill chain differ from other RaaS players?
  • Saul Goodman of the dark web: LockBit’s act is faux legit
  • Pay-to-play model lowers the barrier to entry
  • LockBit’s global reach
  • Information dumped on data leak sites is not the whole picture
  • How to defend against LockBit
  • Mitigations for other events in the LockBit kill chain
What is LockBit?

LockBit — a ransomware-as-a-service operation that has extorted $91 million from some 1,700 attacks against U.S. organizations since 2020, striking at least 576 organizations in 2022 — gives customers a low-code interface for launching attacks.

The cybersecurity advisory noted that LockBit attacks have impacted the financial services, food, education, energy, government and emergency services, healthcare, manufacturing and transportation sectors.




the rest at https://www.techrepublic.com/article/ci ... y-lockbit/
RTH10260
Posts: 14668
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#92

Post by RTH10260 »

crossposting

WormGPT: New AI Tool Allows Cybercriminals to Launch Sophisticated Cyber Attacks

THN
Jul 15, 2023

With generative artificial intelligence (AI) becoming all the rage these days, it's perhaps not surprising that the technology has been repurposed by malicious actors to their own advantage, enabling avenues for accelerated cybercrime.

According to findings from SlashNext, a new generative AI cybercrime tool called WormGPT has been advertised on underground forums as a way for adversaries to launch sophisticated phishing and business email compromise (BEC) attacks.

"This tool presents itself as a blackhat alternative to GPT models, designed specifically for malicious activities," security researcher Daniel Kelley said. "Cybercriminals can use such technology to automate the creation of highly convincing fake emails, personalized to the recipient, thus increasing the chances of success for the attack."

The author of the software has described it as the "biggest enemy of the well-known ChatGPT" that "lets you do all sorts of illegal stuff." It's said to use the open-source GPT-J language model developed by EleutherAI.

In the hands of a bad actor, tools like WormGPT could be a powerful weapon, especially as OpenAI ChatGPT and Google Bard are increasingly taking steps to combat the abuse of large language models (LLMs) to fabricate convincing phishing emails and generate malicious code.

"Bard's anti-abuse restrictors in the realm of cybersecurity are significantly lower compared to those of ChatGPT," Check Point said in a report this week. "Consequently, it is much easier to generate malicious content using Bard's capabilities."

Sophisticated Cyber Attacks

Earlier this February, the Israeli cybersecurity firm disclosed how cybercriminals are working around ChatGPT's restrictions by taking advantage of its API, not to mention trade stolen premium accounts and sell brute-force software to hack into ChatGPT accounts by using huge lists of email addresses and passwords.

The fact that WormGPT operates without any ethical boundaries underscores the threat posed by generative AI, even permitting novice cybercriminals to launch attacks swiftly and at scale without having the technical wherewithal to do so.



https://thehackernews.com/2023/07/wormg ... llows.html
RTH10260
Posts: 14668
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#93

Post by RTH10260 »

RTH10260
Posts: 14668
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#94

Post by RTH10260 »

European project EXFILES hacks the latest cryptophones

News item | 14-08-2023 | 06:00

Hacking cryptophones. That is what the European project EXFILES is all about. Not only various law enforcement agencies, but also companies are working together on the project to develop new methods and techniques to gain access to the latest cryptophones. The Netherlands Forensic Institute (NFI) is one of the participants of the project, which ends this summer. “EXFILES has made an important contribution towards gaining access to hundreds of mobile phones, mostly in the context of investigations into serious organised crime for Dutch investigation agencies,” said head of the NFI’s Digital and Biometrical Traces division Erwin van Eijk: “At the European level, many times over.”

Whilst obtaining access to messages on cryptophones has become more relevant in recent years, it has also become more complicated. “These days mobile phones have multiple layers of encryption and the phones are modified at the software level,” van Eijk said: “That makes it necessary for forensic digital examiners to collaborate within Europe. Developments happen so fast that we have to join forces.” EXFILES began in July 2020 and will end this month.

Serious organised crime

The knowledge that the NFI acquired during the project could immediately be applied to criminal cases. Martijn Egberts, National Public Prosecutor for Digital Investigations, finds it important that experts share knowledge with each other with regard to accessing mobile phones: “That way, the police and the Public Prosecution Service can still use the decrypted information originating from these kinds of seized cryptophones as evidence in criminal cases.” The messages play a major role in a great many investigations into organised crime. “A large proportion of the messages come from cryptophones which the NFI succeeded in hacking. In many cases, it concerns evidence that the judicial authorities were unable to collect in any other manner,” said Egberts.

Combination of hardware and software

In order to obtain readable data from mobile phones, the examiners must always search for the weak links. “At first, it was possible to retrieve information directly from the hardware (chips). Next the information was encrypted using keys that were saved on yet other chips, combined with the passwords created by the users themselves,” said van Eijk: “Nowadays a combination of knowledge about hardware and software is needed to obtain access to encryption keys. In addition, knowledge of cryptography is required in order to search for passwords efficiently. For example, the examiner must first edit the chip to subsequently access decrypted user information via software.” People often specialise in either hardware or software techniques, said van Eijk. “Within the EXFILES project, we literally bring people in various specialist areas together to develop new solutions. And it was precisely that which resulted in breakthroughs.”

Looking ahead

In the EXFILES project, the forensic researchers and law enforcement agencies together prioritise which knowledge and expertise, with regard to which kinds of cryptophones, must be developed first and for which cryptophones they can best share methods of access. In so doing, the investigators look at sales figures, for example, but also trends they identify among suspect or criminal groups. Technicians from all over Europe then come up with solutions together. As a result, the methods that enable access to these kinds of cryptophones have usually already reached an advanced stage once the police seize them. In this way, the NFI is ready for the forensic demands of tomorrow. “It doesn’t matter to me whether it concerns incriminating material or not. Getting access to information helps with establishing the truth in the court of law,” said van Eijk. “If the technique works and we gain access, then we will deem the project a success.”

In October, the European Commission will evaluate the project and the decision will be made as to whether there will be a follow-up.




https://www.forensicinstitute.nl/news/n ... yptophones

Note: the Dutch had success in cracking the smartphone of the presumed murderer of the Dutch journalist Peter R. de Vries, who was murdered in Amsterdam in 2021 by a drug dealer gang.
RTH10260
Posts: 14668
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#95

Post by RTH10260 »

The website of the EU organization coordinating the decryption efforts:

EXFILES

Europe fights against crime and terrorism

https://exfiles.eu/
Foggy
Dick Tater
Posts: 9620
Joined: Mon Feb 22, 2021 8:45 am
Location: Fogbow HQ
Occupation: Dick Tater/Space Cadet
Verified: as seen on qvc zombie apocalypse

Cyber Attacks and Hacking

#96

Post by Foggy »

I think this is fascinating stuff, Eurobot. Keep it coming, por favor. :oldman:
🎶 We went for a ride,
We got outside,
The sand was hot,
She wanted to dance ... 🎶
RTH10260
Posts: 14668
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#97

Post by RTH10260 »

UK
Met police on high alert after supplier IT security breach
Incident reported to National Crime Agency as union says possible leak of data could do ‘incalculable damage’

PA Media
Sat 26 Aug 2023 23.33 BST

The Metropolitan police are on high alert after a security breach involving the IT system of one of their suppliers.

Scotland Yard is working with the company to try to understand the scale of the incident.

The company had access to names, ranks, photos, vetting levels and pay numbers for officers and staff, but did not hold personal information such as addresses, phone numbers or financial details, the force said.

A spokesperson was unable to say when the breach occurred or how many personnel could be affected.

Rick Prior, the vice-chair of the Metropolitan Police Federation, which represents staff, said any potential leak “will cause colleagues incredible concern and anger”.

He said: “Metropolitan police officers are as we speak out on the streets of London undertaking some of the most difficult and dangerous roles imaginable to catch criminals and keep the public safe.

“To have their personal details potentially leaked out into the public domain in this manner, for all to possibly see, will cause colleagues incredible concern and anger. We share that sense of fury … this is a staggering security breach that should never have happened.”

Prior added: “Given the roles we ask our colleagues to undertake, significant safeguards and checks and balances should have been in place to protect this valuable personal information which, if in the wrong hands, could do incalculable damage.




https://www.theguardian.com/uk-news/202 ... ils-hacked
RTH10260
Posts: 14668
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#98

Post by RTH10260 »

FBI-Led Global Effort Takes Down Massive Qakbot Botnet

by Karl Greenberg in Security
on August 30, 2023, 7:18 PM EDT

After more than 15 years in the wild, the Qakbot botnet, a zombie network of over 700,000 computers worldwide, is hanging on the FBI's trophy wall for now.

A multinational action called Operation “Duck Hunt” — led by the FBI, the Department of Justice, the National Cybersecurity Alliance, Europol, and crime officials in France, Germany, the Netherlands, Romania, Latvia and the U.K. — was able to gain access to the Qakbot network and shut down the malicious botnet, which has affected 700,000 computers worldwide.

Qakbot nets nearly $58 million in ransom in just 18 months

Over the course of its more than 15-year campaign, Qakbot (aka Qbot and Pinkslipbot) has launched some 40 worldwide ransomware attacks focused on companies, governments and healthcare operations, affecting some 700,000 computers. Qakbot, like almost all ransomware attacks, hit victims through spam emails with malicious links, according to the Justice Department. The DOJ noted that over just the past year and a half, Qakbot has caused nearly $58 million in damages. As part of the action against Qakbot, the DOJ seized approximately $8.6 million in cryptocurrency in illicit profits (here’s the department’s seizure warrant).

According to the DOJ, the action represented the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud and other cyber-enabled criminal activities.

“Cybercriminals who rely on malware like Qakbot to steal private data from innocent victims have been reminded today that they do not operate outside the bounds of the law,” said Attorney General Merrick B. Garland in a statement.




https://www.techrepublic.com/article/fb ... wn-qakbot/
RTH10260
Posts: 14668
Joined: Mon Feb 22, 2021 10:16 am
Location: Switzerland, near the Alps
Verified: ✔️ Eurobot

Cyber Attacks and Hacking

#99

Post by RTH10260 »

Microsoft Confronts China-based Storm-0558, Apple Issues Patches for Pegasus Spyware
It’s a cat-and-mouse struggle as tech giants Microsoft and Apple deal with persistent threats from China state actors and Pegasus spyware.

by Karl Greenberg in Security
on September 8, 2023, 7:15 PM EDT

Revelations this week from Microsoft and Apple speak to the COVID-like persistence of cyber threats and the ability of threat actors to adapt in the wild, steal credentials and sidestep patches.

Microsoft explained this week how it had discovered and attempted to harden ramparts in the face of state actors (using malware Microsoft dubbed Cigril), while Apple focused on patches designed to address zero day exposure to Pegasus mobile-device spyware.

Microsoft seals doors against Storm-0558

The China-aligned actor Storm-0558 earlier this year accessed senior officials in the U.S. State and Commerce Departments thanks to credentials stolen from a Microsoft engineer’s corporate account two years ago, which the company described in a post earlier this week.

Microsoft explained how the consumer signing system crash in April of 2021, which resulted in a snapshot of the crashed process, or “crash dump,” gave the actors access to credentials.

Said Microsoft, “The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump. The key material’s presence in the crash dump was not detected by our systems.”

Microsoft said that the attackers forged authentication tokens to access user email using the “acquired” Microsoft account consumer signing key. “Microsoft has completed mitigation of this attack for all customers,” the company said.

The company said that it has enhanced prevention, detection and response for credential material; enhanced credential scanning to better detect the presence of signing keys in the debugging environment; released enhanced libraries to automate key scope validation in authentication libraries; and clarified related documentation.
:snippity:
Apple issued patches versus Pegasus, an ongoing tête-à-tête with NSO Group

A day after Microsoft’s explanation, Apple floated an emergency release of software patches to fix a pair of zero-day vulnerabilities that were reportedly used to attack a victim with the NSO Group’s Pegasus spyware. Pegasus is notorious, among other things, for having been deployed by the Saudi government to track — and murder — the journalist Jamal Khashoggi. The two new vulnerabilities are reportedly Apple’s thirteenth zero-day this year.

The kill chain could affect even the most up-to-date (iOS 16.6) iPhones, with the victim having to fall for social engineering. Apple, here, said that a CVE left certain Apple mobile devices, including iPhones, Apple Watches, Macs and iPads, open to attack. Apple said the attack chain aims for the Image I/O framework. The second vulnerability in the Wallet function leaves a device open to attacks from a “maliciously crafted attachment.”

The patches for iOS, iPadOS, watchOS, macOS and Ventura are the latest effort to put the shackles on Pegasus, originally meant as a government tool for Israeli surveillance.




https://www.techrepublic.com/article/mi ... e-spyware/
poplove
Posts: 1229
Joined: Mon Feb 22, 2021 1:20 pm
Location: Las Vegas NV
Occupation: ukulele ambassador
Verified: ✅💚💙💜☮️💐🌈⚽️✅

Cyber Attacks and Hacking

#100

Post by poplove »

MGM Resorts Receives Colossal Kick to the Nads in Companywide Cyberattack

https://www.casino.org/vitalvegas/mgm-r ... berattack/