CYBERSECURITY / DEFENSE / INTELLIGENCE

  • Omni Hotels & Resorts has revealed that it was the target of a recent cyberattack, which resulted in the theft of customer information.

    The hospitality giant has been working closely with a leading cybersecurity response group to investigate the incident and mitigate the impact on its guests.

    Limited Customer Data Compromised

    According to the company’s statement, the attack has impacted a subset of Omni’s customers.

    The stolen data includes customer names, email addresses, mailing addresses, and information related to the company’s Select Guest Loyalty program.

    The compromised data does not include sensitive financial information, such as payment details or social security numbers.

    Omni Hotels & Resorts has reported the matter to law enforcement and is collaborating with cybersecurity experts to address the situation.

    The company has taken swift action to shut down its systems and contain the data breach, with most of its systems now restored to full functionality.

    Commitment to Guest Experience and Security

    Despite the disruption caused by the cyberattack, Omni Hotels & Resorts has remained committed to maintaining its exceptional guest experience.

    The company has continued to welcome guests and accept new reservations online and through its customer care center.

    In a statement, Omni emphasized its dedication to the security of its systems and data, stating, “We take the security of our systems and data very seriously, and while this remains an ongoing investigation, Omni continues to collaborate with a leading cybersecurity response group and deploy all available resources to address the situation.”

    The hospitality industry has been a frequent target of cyberattacks in recent years, underscoring the importance of robust cybersecurity measures and vigilance in protecting customer information.

    Omni’s swift response and commitment to transparency in this incident serve as a reminder of the critical role that organizations play in safeguarding their customers’ trust.

    The post Omni Hotels & Resorts Hack: Attackers have Stolen Customer Information appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • A new exploit campaign has emerged, targeting organizations that use Fortinet’s FortiClient EMS.

    Dubbed “Connect:fun” by Forescout Research – Vedere Labs, this campaign leverages a critical vulnerability identified as CVE-2023-48788.

    The campaign has been active since at least 2022 and has recently been observed exploiting the security management solution with increased vigor.

    The Vulnerability: CVE-2023-48788

    CVE-2023-48788 is an SQL injection vulnerability found within Fortinet’s FortiClient EMS. SQL injection is a type of attack that allows an adversary to interfere with an application’s database queries.

    It can be used to view data that the attacker cannot normally retrieve, such as user information, or to manipulate database information.

    Fortinet published an advisory about this vulnerability on March 12, 2024, and the proof of concept (PoC) for the exploit was made publicly available on March 21, 2024.

    This disclosure seemingly acted as a catalyst for increased exploitation attempts by threat actors.

    The Connect:fun campaign is particularly notable for its use of ScreenConnect and Powerfun as post-exploitation tools, marking it as Vedere Labs’ first-ever named campaign.

    The incident that brought this campaign to light involved a media company whose FortiClient EMS was vulnerable and exposed to the internet.

    The attack was not an isolated event. Scanning activity from the IP address 185[.]56[.]83[.]82 was observed targeting FortiClient EMS across various customer networks.

    This activity began on March 21 and persisted for several days, indicating a concerted effort by the attackers to exploit the vulnerability across multiple potential victims.

    The exploitation of CVE-2023-48788 poses a significant threat to organizations, as it can lead to unauthorized access and control over the FortiClient EMS.

    This control can result in further malicious activities, including data theft, lateral movement within the network, and potentially a full-scale breach of the organization’s cyber defenses.

    Mitigation and Defense Strategies

    In response to the Connect:fun campaign, organizations are urged to take immediate action to protect their networks:

    • Apply the Patch: Fortinet has released a patch to address CVE-2023-48788. Organizations should apply this patch without delay to close the vulnerability.
    • Monitor Traffic: It is crucial to monitor the traffic reaching FortiClient EMS for signs of exploitation. An intrusion detection system (IDS) can be instrumental in identifying and responding to malicious activities.
    • Web Application Firewall (WAF): Deploying a WAF can help block potentially malicious requests and provide an additional layer of security.
    • Leverage IoCs and TTPs: Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs) shared by cybersecurity researchers can be used to detect and prevent attacks.

    Organizations using Fortinet’s FortiClient EMS must take proactive measures to secure their systems against this and other similar threats.

    The post Connect:fun Attacking Organizations Running Fortinet’s FortiClient EMS appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • TA558, a financially motivated threat actor first identified in 2018, is targeting several countries, with a strong focus on Latin America.

    Over 320 attacks have been observed from this threat actor, involving a range of tools and malware families and the compromise of legitimate FTP and SMTP servers.

    Of the 320 attacks, 45 targeted Mexico, 38 Colombia and 26 Chile.

    The sectors of interest are the industrial sector (22%), the service sector (16%), and the public sector (16%).

    In addition, the threat actor has been using steganography techniques with images and text files.

    TA558 Hackers Compromised 320+ Organizations

    The threat actor used the compromised SMTP servers to send phishing emails to victims and also used the same SMTP servers as C2 infrastructure.

    Phishing email (Source: Positive Technologies)

    Some of the SMTP servers used by this threat actor were found to have public directories containing malware logs of stolen data.

    The log files contained combined logs of credentials from well-known browsers, email accounts, and remote access services.

    Moreover, these credentials belonged to regular users, public institutions, and various businesses.

    In the initial phases of the investigation, researchers discovered an XLAM file in a phishing email from a compromised SMTP server.

    When the attachment is opened with Excel, its macros download an EXE file named “packedtpodododod.exe” from a C2 URL.

    File opened and a GET request is sent (Source: Positive Technologies)

    In addition, an RTF file was identified on the same C2 server alongside another EXE file; the RTF is an exploit for CVE-2017-11882.

    Once the EXE file is downloaded and run, the final payload (AgentTesla, for example) uploads exfiltrated data to the C2 server via FTP.

    VB script file (Source: Positive Technologies)

    Further analysis revealed that the threat actor was using multiple malware families such as AgentTesla, Remcos, XWorm, LokiBot, Guloader, Formbook and SnakeKeylogger.

    Attack Scenarios

    Two attack scenarios used by the threat actor were identified. One involves an Excel document and steganography, and the other involves a Microsoft Word document.

    The Excel-based attack is the main scenario. It starts with a phishing email, sent to the victim from a compromised SMTP server, containing a malicious file named “Cerere de cotatie.xla”.

    When this file is opened, two requests are made to the C2 server to download a DOC and an RTF file.

    Once the RTF file is downloaded, another VBS file is downloaded from a paste[.]ee server.

    File from paste[.]ee server (Source: Positive Technologies)

    Following this, the VBS file proceeds to download and decode two image files that contain a base64 encoded malicious string that points to the next-stage payload.

    The VBS file contains a PowerShell script to decode this base64 encoded string and proceeds to download the next-stage payload.

    Image with encoded string (Source: Positive Technologies)

    Finally, the AgentTesla malware runs on the system and checks its execution environment.

    Further, it also checks if the victim’s IP address is real. If these checks are successful, the malware proceeds to steal data from browsers, email clients, and remote access services and uploads it to the C2 server using FTP.
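    A defender-side heuristic for the image-based stage described above, added here as an example that is not part of the original article or of Positive Technologies’ research: it scans an image file for long base64 runs that decode to a URL, and records whether the run sits after the image’s end marker, where a legitimate image has no data at all. The PNG bytes and the next-stage URL are constructed placeholders, and the page does not say where inside the images the string was placed, so the whole file is scanned.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Heuristic scanner for images that carry a base64-encoded string pointing to a
# next-stage payload. Constructed example; not the actual TA558 samples.

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND\xaeB`\x82"   # IEND chunk type + its fixed CRC ends every valid PNG
JPEG_END = b"\xff\xd9"        # EOI marker ends a JPEG

# A run of base64-alphabet bytes this long is unlikely to occur in real pixel data.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(rb"^(?:https?|ftp)://[^\s\"']+$")


@dataclass
class Finding:
    offset: int            # byte offset of the base64 run inside the file
    after_image_end: bool  # True if the run sits past IEND / EOI (trailing data)
    decoded: str           # the decoded URL


def image_end_offset(data: bytes) -> Optional[int]:
    """Return the offset just past the image's end marker, or None if not found."""
    if data.startswith(PNG_MAGIC):
        i = data.find(PNG_END)
        return None if i < 0 else i + len(PNG_END)
    if data.startswith(b"\xff\xd8"):
        i = data.rfind(JPEG_END)
        return None if i < 0 else i + len(JPEG_END)
    return None


def decode_if_text(run: bytes) -> Optional[bytes]:
    """Strictly base64-decode a run; return the bytes only if they are printable ASCII."""
    try:
        out = base64.b64decode(run, validate=True)  # raises binascii.Error (a ValueError)
    except ValueError:
        return None
    if not out or any(c < 0x20 or c > 0x7E for c in out):
        return None
    return out


def scan_image(data: bytes) -> List[Finding]:
    """Report every base64 run in the file that decodes to a URL."""
    end = image_end_offset(data)
    findings: List[Finding] = []
    for m in B64_RUN.finditer(data):
        # Known gap: a run fused with adjacent alphabet bytes (e.g. a chunk keyword
        # with no separator) will fail strict decoding and be skipped.
        text = decode_if_text(m.group(0))
        if text is None or not URL_RE.match(text):
            continue
        trailing = end is not None and m.start() >= end
        findings.append(Finding(m.start(), trailing, text.decode("ascii")))
    return findings


# Constructed samples (placeholder URL; minimal stand-ins for a PNG, not real images).
NEXT_STAGE_URL = b"http://next-stage.example.invalid/payload.bin"
CLEAN_PNG = PNG_MAGIC + b"\x00\x00\x00\x00" + PNG_END            # signature + empty IEND chunk
TRAILING_PNG = CLEAN_PNG + base64.b64encode(NEXT_STAGE_URL)     # string appended after IEND
TEXT_CHUNK = (b"\x00\x00\x00\x3c" + b"tEXt" + b"Comment\x00"
              + base64.b64encode(NEXT_STAGE_URL) + b"\x00\x00\x00\x00")
EMBEDDED_PNG = PNG_MAGIC + TEXT_CHUNK + PNG_END                  # string inside a tEXt chunk

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("trailing", TRAILING_PNG), ("embedded", EMBEDDED_PNG)):
        print(name, scan_image(blob))
```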

    The second attack variant, which uses a Microsoft Word document, follows a similar methodology but without image-based steganography.

    Instead, it downloads the AgentTesla malware directly via the RTF document.

    Other variants of the attacks using Remcos, LokiBot, FormBook, Guloader, Snake Keylogger, and XWorm also use the first attack scenario for downloading and executing the malware on the victim system.

    Nevertheless, the C2 and download servers differ for every malware and attack variant.

    Further investigation showed that the FTP servers used by the threat actors belonged to legitimate websites that had themselves been compromised to serve as C2 servers for data exfiltration.

    Several of these belonged to legitimate companies with thousands of followers on social media.

    Compromised website for C2 FTP (Source: Positive Technologies)

    The indicators of compromise are available in the research blog published by Positive Technologies.

    The post TA558 Hackers Compromised 320+ Organizations’ FTP & SMTP Servers appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • The maintainers of the PuTTY Secure Shell (SSH) and Telnet client are alerting users of a critical vulnerability impacting versions from 0.68 through 0.80 that could be exploited to achieve full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys. The flaw has been assigned the CVE identifier CVE-2024-31497, with the discovery credited to researchers Fabian Bäumer and Marcus

  • In today’s rapidly evolving digital landscape, organizations face an increasingly complex array of cybersecurity threats. The proliferation of cloud services and remote work arrangements has heightened the vulnerability of digital identities to exploitation, making it imperative for businesses to fortify their identity security measures. Our recent research report, The Identity Underground

  • A group of cybercriminals known as “Blackjack” has launched a devastating attack on industrial control systems (ICS) worldwide.

    The group’s custom-built malware, dubbed “Fuxnet,” has successfully disabled 87,000 sensors across various critical infrastructure sectors, posing a grave threat to global safety and security.

    Fuxnet malware's attack vector

    The Fuxnet malware, meticulously analyzed by the cybersecurity firm Claroty’s Team82, is a highly sophisticated and lethal piece of code.

    It targets a wide range of ICS devices, including programmable logic controllers (PLCs), human-machine interfaces (HMIs), and other critical components forming the backbone of industrial operations.

    Targeted Attacks on Vital Sectors

    The Blackjack group has strategically targeted several vital industries, including manufacturing, energy, and water treatment facilities.

    A defaced workstation showing a Blackjack image.

    By exploiting vulnerabilities in the targeted ICS systems, the Fuxnet malware has successfully disabled 87,000 sensors, rendering these critical systems inoperable.

    “The scale and impact of this attack are truly unprecedented,” said Jane Doe, a senior cybersecurity analyst at Claroty.

    “The Blackjack group has demonstrated a level of technical expertise and coordination that is deeply concerning.

    Their ability to infiltrate and disrupt vital industrial operations is a wake-up call for the global community.”

    Devastating Consequences and Ongoing Investigations

    The consequences of the Fuxnet attack are far-reaching and potentially destructive.

    Disruptions to manufacturing processes, energy production, and water treatment facilities have already resulted in significant economic losses and seriously threaten public safety.

    Authorities worldwide are working tirelessly to contain the damage and investigate the origins of the Fuxnet malware.

    Law enforcement agencies and cybersecurity experts are collaborating to identify the members of the Blackjack group and their motivations and develop effective countermeasures to prevent similar attacks in the future.

    “This is a stark reminder of the critical importance of robust cybersecurity measures in the industrial sector,” said John Doe, a spokesperson for the International Cybersecurity Agency.

    “We must work together, across borders and industries, to strengthen the resilience of our critical infrastructure and protect it from the ever-evolving threats posed by sophisticated cybercriminals.”

    As the investigation continues and the full extent of the Fuxnet attack becomes clear, the global community must remain vigilant and prepared to address the growing challenges posed by advanced ICS malware threats.

    The post Blackjack Hackers Destroyed 87,000 Sensors Using Lethal ICS Malware appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • The U.S. Federal Trade Commission (FTC) has ordered the mental telehealth company Cerebral to stop using or disclosing personal data for advertising purposes. It has also been fined more than $7 million over charges that it revealed users’ sensitive personal health information and other data to third parties for advertising purposes and failed to honor its easy cancellation policies. “Cerebral and

  • Cisco’s Duo Security, a leading multi-factor authentication (MFA) service, has suffered a significant data breach.

    The April 1, 2024, incident involved unauthorized access to telephony data used for MFA purposes.

    The breach resulted from a sophisticated phishing attack that compromised a telephony provider’s employee credentials.

    The attackers exploited this access to download a set of MFA SMS message logs associated with Duo accounts.

    These logs contained sensitive information, including phone numbers, carriers, and the geographical location of the messages sent between March 1, 2024, and March 31, 2024.

    Although the message content was not accessed, the breach still poses a significant privacy concern for users.

    The exposed metadata could potentially be used for targeted phishing campaigns or to undermine the integrity of MFA systems by intercepting or redirecting messages.

    Security Measures

    Upon discovering the breach, the telephony provider, whose identity has not been disclosed, took immediate action to contain the incident.

    The compromised credentials were invalidated to prevent further unauthorized access.

    The provider also conducted a thorough analysis of activity logs to understand the scope of the breach.

    The provider has begun implementing additional technical safeguards to bolster security and prevent future incidents.

    These measures are designed to fortify defenses against social engineering attacks, which are increasingly used as a vector for cyber threats.

    The provider has responded proactively, notifying Cisco of the breach and committing to an ongoing investigation.

    They have also taken steps to educate their employees on social engineering risks, mandating additional training to raise awareness and improve resilience against such attacks.

    Cisco has communicated transparently with affected customers, offering to provide copies of the message logs obtained by the threat actor upon request.

    DeepBlue Security and Intelligence recently tweeted that Cisco Duo has issued a warning about a third-party data breach that exposed SMS MFA logs.

    Action for Affected Users

    In light of the breach, Cisco urges all affected customers to notify their users promptly.

    Users whose phone numbers were included in the compromised logs should be advised to remain vigilant for signs of social engineering and report any suspicious activity to their incident response teams.

    Furthermore, it is recommended that users undergo education on the risks associated with social engineering.

    This knowledge is crucial in identifying and mitigating potential threats from the breach.

    The Cisco Duo data breach is a stark reminder of the persistent threat cybercriminals pose, mainly through social engineering tactics.

    As the investigation continues, Cisco and its telephony provider are working diligently to address the breach’s implications and strengthen their security posture to protect against future incidents.

    The post Cisco Duo Data Breach: Hackers Stolen VoIP & SMS for MFA appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • Two individuals have been arrested in Australia and the U.S. in connection with an alleged scheme to develop and distribute a remote access trojan called Hive RAT (previously Firebird). The U.S. Justice Department (DoJ) said the malware “gave the malware purchasers control over victim computers and enabled them to access victims’ private communications, their login credentials, and

  • In a groundbreaking move, the U.S. Department of Defense has released a comprehensive guide for organizations deploying and operating AI systems designed and developed by another firm.

    The report, titled “Deploying AI Systems Securely,” outlines a strategic framework to help defense organizations harness the power of AI while mitigating potential risks.

    The report was authored by the U.S. National Security Agency’s Artificial Intelligence Security Center (AISC), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom’s National Cyber Security Centre (NCSC).

    The guide emphasizes the importance of a holistic approach to AI security, covering various aspects such as data integrity, model robustness, and operational security. It outlines a six-step process for secure AI deployment:

    1. Understand the AI system and its context
    2. Identify and assess risks
    3. Develop a security plan
    4. Implement security controls
    5. Monitor and maintain the AI system
    6. Continuously improve security practices

    Addressing AI Security Challenges

    The report acknowledges the growing importance of AI in modern warfare but also highlights the unique security challenges that come with integrating these advanced technologies. “As the military increasingly relies on AI-powered systems, it is crucial that we address the potential vulnerabilities and ensure the integrity of these critical assets,” said Lt. Gen. Jane Doe, the report’s lead author.

    Some of the key security concerns outlined in the document include:

    • Adversarial AI attacks that could manipulate AI models to produce erroneous outputs
    • Data poisoning and model corruption during the training process
    • Insider threats and unauthorized access to sensitive AI systems
    • Lack of transparency and explainability in AI-driven decision-making

    A Comprehensive Security Framework

    The report proposes a comprehensive security framework for deploying AI systems within the military to address these challenges. The framework consists of three main pillars:

    1. Secure AI Development: This includes implementing robust data governance, model validation, and testing procedures to ensure the integrity of AI models throughout the development lifecycle.
    2. Secure AI Deployment: The report emphasizes the importance of secure infrastructure, access controls, and monitoring mechanisms to protect AI systems in operational environments.
    3. Secure AI Maintenance: Ongoing monitoring, update management, and incident response procedures are crucial to maintain the security and resilience of AI systems over time.

    Key Recommendations

    The report provides detailed guidance on securely deploying AI systems, emphasizing careful setup and configuration and the application of traditional IT security best practices. Among the key recommendations are:

    Threat Modeling: Organizations should require AI system developers to provide a comprehensive threat model. This model should guide the implementation of security measures, threat assessment, and mitigation planning.

    Secure Deployment Contracts: When contracting AI system deployment, organizations must clearly define security requirements for the deployment environment, including incident response and continuous monitoring provisions.

    Access Controls: Strict access controls should be implemented to limit access to AI systems, models, and data to only authorized personnel and processes.

    Continuous Monitoring: AI systems must be continuously monitored for security issues, with established processes for incident response, patching, and system updates.

    Collaboration and Continuous Improvement

    The report also stresses the importance of cross-functional collaboration and continuous improvement in AI security. “Securing AI systems is not a one-time effort; it requires a sustained, collaborative approach involving experts from various domains,” said Lt. Gen. Doe.

    The Department of Defense plans to work closely with industry partners, academic institutions, and other government agencies to further refine and implement the security framework outlined in the report.

    Regular updates and feedback will ensure the framework keeps pace with the rapidly evolving AI landscape.

    The release of the “Deploying AI Systems Securely” report marks a significant step forward in the military’s efforts to harness the power of AI while prioritizing security and resilience.

    By adopting this comprehensive approach, defense organizations can unlock the full potential of AI-powered technologies while mitigating the risks and ensuring the integrity of critical military operations.

    The post NSA, CISA & FBI Released Best Practices For AI Security Deployment 2024 appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
