Tag Archive for: highprofile

High-profile summer attacks linked to same aggressive ransomware group


The threat group behind some of the most high-profile, identity-based cyberattacks this year is also “one of the most dangerous financial criminal groups” currently in operation, Microsoft researchers said in a Wednesday report.

The group, which Microsoft identifies as Octo Tempest and other researchers identify as Oktapus, Scattered Spider and UNC3944, uses multiple forms of social engineering to gain access to organizations’ infrastructure, steal corporate data and extort victims for ransom payments, according to Microsoft Threat Intelligence.

The collection of young, native English-speaking threat actors, which was initially observed in 2022 and became affiliated with the ransomware-as-a-service operation ALPHV, or BlackCat, in mid-2023, has claimed responsibility for major attacks against MGM Resorts, Caesars Entertainment and Clorox in the past few months.

Microsoft researchers said similar social-engineering techniques resulted in attacks against four Okta customers’ environments in late July and August.

While those attacks directly targeted Okta customers for the initial point of intrusion, a more recent string of attacks against Okta customer environments occurred when a threat actor used a stolen Okta support system administrator credential to access authentication tokens for customers, including BeyondTrust, Cloudflare and 1Password.

The report also pointed to the group’s recent focus on VMware ESXi servers, virtualization infrastructure that typically lacks endpoint security tooling and that has been hit by a spree of attacks this year.

The threat actors are responsible for wide-ranging campaigns using adversary-in-the-middle techniques, social engineering and SIM swapping. Industries most recently targeted for extortion include gaming, hospitality, technology, financial services, managed service providers and manufacturing, according to Microsoft.

“The well-organized, prolific nature of Octo Tempest’s attacks is indicative of extensive technical depth and multiple hands-on-keyboard operators,” Microsoft Threat Intelligence said in the report.

Microsoft joins other threat researchers in describing the group as prevalent, highly…


India: Authorities maintaining security restrictions across Uttar Pradesh State as of April 17 following high-profile assassination /update 1


Event

Authorities are maintaining heightened security across Uttar Pradesh State as of April 17 following a shooting that killed two former lawmakers under police custody for organized crime charges in Prayagraj, late April 15. Section 144 of the Criminal Procedure Code (CrPC) has been imposed in all districts of Uttar Pradesh until further notice. Security forces have deployed to patrol and conduct vehicle searches in several areas across the state. The tightest security measures and an internet suspension until at least April 19 are underway in Prayagraj District. Extensions are likely.

Under Section 144, unauthorized public gatherings of four or more people and the carriage of arms in public are prohibited, among other rules. The measure also empowers local authorities to impose further restrictions such as curfews if necessary. Security forces have deployed to prevent communal violence in areas with mixed populations of Hindus and Muslims as a precaution, as unverified videos showing the gunmen chanting a religious slogan after the killing are in circulation. Security measures may prompt associated localized transport and business disruptions. Additional limits on social media and internet services are possible if significant clashes occur.

Demonstrations may occur in the coming days despite the gathering ban, mainly in the Allahabad West constituency in Prayagraj District, where the deceased had won elections. Violence may quickly break out during gatherings, with protesters engaging in arson and vandalism. Opposition parties in the state may also hold rallies with dozens of supporters in urban centers to denounce alleged security lapses. Police are likely to monitor well-attended rallies and forcibly disperse any unruly crowds.

Context

Three gunmen shot and killed Atique Ahmed and his brother, Khalid Azim, as they were being transported for a court-mandated medical check while in police custody. Both brothers were former lawmakers from the Samajwadi Party facing dozens of criminal cases, including kidnapping, extortion, and murder. Police have apprehended the three shooters. Security deployment to prevent retaliatory violence is likely in the coming weeks.

Advice

Exercise a high…


Twitter silent as hackers scam users with stolen high-profile verified accounts


Looking at Jase Robertson and David Dayen, you wouldn’t think the two of them have much in common. Robertson is known for his time on the A&E reality TV show Duck Dynasty. He currently hosts a show on the conservative digital outlet TheBlaze. David Dayen is a longtime progressive journalist and executive editor for The American Prospect magazine.

However, over the past few weeks, tweets from both Robertson’s and Dayen’s Twitter accounts have been sharing the exact same messaging.

[Image: A tweet from Jase Robertson’s hacked Twitter account. Credit: Mashable Screenshot]

“Hello twitter family !” begins the tweets posted to both accounts. “I have 10 MacBooks that I will personally sign myself , that you can purchase for $600 and free Shipping ! First come first serve basis , and all proceeds will be going to charity ! MY DMS ARE OPENED IF INTERESTED”

Included in each account’s tweets is the exact same photo of a MacBook Pro sitting on wood flooring. What’s going on here? Have Dayen and Robertson put their political differences aside and started an Apple reselling business?

No. They’ve been hacked, along with a slew of other legacy verified accounts on the social media platform. And Twitter has been silent on the matter.

Even though some of these accounts have been hacked for weeks now, Twitter has not suspended the accounts, allowing the hackers to scam users out of thousands of dollars, if not more.

[Image: A tweet from David Dayen’s hacked Twitter account. Credit: Mashable Screenshot]

Dayen tells Mashable that he was originally hacked last summer after clicking on a malicious link which provided bad actors with access to his account. He says his account was quickly suspended by Twitter then, well before Elon Musk acquired the company. When he regained access about a month later, Dayen quickly activated two-factor authentication on his account. Enacting this security measure should’ve made another hack extremely difficult to carry out.

However, here the @ddayen Twitter account is, just six months later, hacked and scamming the platform’s users.

Followers are falling for the scams

Mashable heard from at least one of Dayen’s followers who got scammed after seeing Dayen’s tweets. This person saw a tweet…


Credential theft behind high-profile Medibank hack


Australia’s largest health insurer, Medibank, was breached after hackers stole a set of credentials and used the login details to access its network.

In an ASX filing for its 2023 half-year results, the insurer said that its systems were accessed through a stolen Medibank username and password.

That login was used by an unnamed third-party IT services provider for Medibank.

With the stolen credentials in hand, the hacker got into Medibank’s network through a misconfigured firewall appliance, which “did not require an additional digital security certificate,” the insurer said.

Inside the network, the hacker was able to move laterally and capture further user credentials, gaining free access to more of Medibank’s systems.

The insurer discovered the hack within 24 hours of it taking place, but was powerless to stop the copied-over data from being leaked on the internet.

Ransomware raiders REvil, linked to Russia, are thought to be behind the hack which saw 9.7 million current and former Medibank customers’ sensitive information being breached after the insurer refused to pay the extortionists.

Australia’s prime minister Anthony Albanese is a Medibank customer, although it is unclear whether his data was included in the breach.

In its half-year 2023 results, Medibank attributed a cost of $26.2 million to the cyber crime attack.

Medibank said that it has now made sure that firewall authentication is configured properly across its entire network.

Existing monitoring, detection and forensics capabilities have been bolstered, along with Operation Safeguard testing of customer-facing platforms carried out with security experts from Microsoft.

Medibank contact centres have also introduced two-factor authentication (2FA) to improve security for customers calling for support.

The insurer is being investigated by the Office of the Australian Information Commissioner, and Medibank has commissioned professional services company Deloitte to conduct an external review that is currently ongoing.
