Tag Archive for: theft

Why Hacker Tactics Are Shifting To Cookie Theft: Expert


As more organizations adopt multifactor authentication, theft of browser cookies is becoming a go-to method for attackers to bypass the security measure, says Sophos Global Field CTO Chester Wisniewski.


As more organizations adopt multifactor authentication (MFA), the theft of web browser cookies is turning into a go-to method for attackers seeking to subvert the security measure, according to a top security researcher.

To combat the massive risk posed by stolen or compromised passwords, MFA—which requires a second form of authentication beyond username and password—has long been considered harder to defeat than password-only logins and is an essential part of cyberdefense.

Organizations have gotten the message, and MFA is now increasingly commonplace even among small and midsize businesses. But because browser cookies are sometimes configured to allow logging in without triggering an MFA challenge, theft of the web session data is proving to be an ideal workaround for attackers, said Sophos Global Field CTO Chester Wisniewski.

“More and more small businesses are adopting good security practices, like multifactor [authentication],” Wisniewski told CRN. “But if I can get onto one computer and steal those cookies, I don’t need to worry about multifactor anymore. I can just bypass the authentication entirely.”

Ultimately, “the cookie is the universal key that unlocks everything,” he said.

The growth of this tactic among threat actors is underscored by findings from the recently released 2024 Sophos Threat Report, including the discovery that nearly all attacks tracked in the report—90 percent—included the use of infostealer malware. The percentage of attacks involving infostealers had not been tracked in previous years since it was seen as a significantly smaller concern, Wisniewski said.

And while the tools can be used to steal passwords, attackers are frequently using the malware to obtain browser cookies, he said. “I think…

Zero-Click Apple Shortcuts Vulnerability Allows Silent Data Theft


A dangerous vulnerability in Apple Shortcuts has surfaced, which could give attackers access to sensitive data across the device without the user being asked to grant permissions.

Apple’s Shortcuts application, designed for macOS and iOS, is aimed at automating tasks. For businesses, it allows users to create macros for executing specific tasks on their devices, and then combine them into workflows for everything from Web automation to smart-factory functions. These can then be shared online through iCloud and other platforms with co-workers and partners.

According to an analysis from Bitdefender out today, the vulnerability (CVE-2024-23204) makes it possible to craft a malicious Shortcuts file that would be able to bypass Apple’s Transparency, Consent, and Control (TCC) security framework, which is supposed to ensure that apps explicitly request permission from the user before accessing certain data or functionalities.

That means that when someone adds a malicious shortcut to their library, it can silently pilfer sensitive data and systems information, without having to get the user to give access permission. In their proof-of-concept (PoC) exploit, Bitdefender researchers were then able to exfiltrate the data in an encrypted image file.

“With Shortcuts being a widely used feature for efficient task management, the vulnerability raises concerns about the inadvertent dissemination of malicious shortcuts through diverse sharing platforms,” the report noted.

The bug is a threat to macOS and iOS devices running versions preceding macOS Sonoma 14.3, iOS 17.3, and iPadOS 17.3, and it is rated 7.5 out of a possible 10 (high) on the Common Vulnerability Scoring System (CVSS) because it can be remotely exploited with no required privileges.

Apple has patched the bug, and “we are urging users to make sure they are running the latest version of the Apple Shortcuts software,” says Bogdan Botezatu, director of threat research and reporting at Bitdefender.

Apple Security Vulnerabilities: Ever More Common

In October, Accenture published a report revealing a tenfold rise in Dark Web threat actors targeting macOS since 2019 — with the trend poised to continue.

The findings coincide with the emergence…

Did The Grand Theft Auto Hacker Do It With An Amazon Fire Stick While Under Police Custody?


An 18-year-old hacker, Arion Kurtaj, a key member of the international cyber-criminal gang Lapsus$, has been sentenced to an indefinite hospital order after leaking clips of the highly anticipated Grand Theft Auto 6 (GTA 6). The sentencing, delivered at Southwark Crown Court, sheds light on the extent of the gang’s audacious attacks on tech giants, including Uber, Nvidia, and Rockstar Games, which collectively cost the affected companies nearly $10 million.

Kurtaj, who hails from Oxford and is diagnosed with autism, was deemed unfit to stand trial due to the severity of his condition. The court heard that despite being under police protection at a Travelodge hotel, he managed to breach Rockstar Games, the developers behind GTA, using unconventional methods.

While on bail for hacking Nvidia and BT/EE, Kurtaj reportedly continued his cyber activities. Using an Amazon Fire TV Stick, he allegedly mirrored his smartphone’s display to the hotel TV, transforming it into a makeshift monitor. Connecting a Bluetooth keyboard and mouse to his smartphone, he exploited the device’s “desktop mode” (DeX) capabilities, essentially turning it into a Linux computer. The Fire TV Stick, in this context, acted as a wireless HDMI cable via Miracast.

Kurtaj’s actions resulted in the theft of 90 clips of the unreleased GTA 6, which he later posted, along with the source code, on a forum under the username “TeaPotUberHacker.” The hack reportedly cost Rockstar Games $5 million to recover from, in addition to thousands of hours of staff time.

In sentencing hearings, Kurtaj’s defense argued that the success of the GTA 6 trailer, released earlier this month and amassing 128 million views on YouTube in just four days, indicated minimal harm caused by the hack. However, the judge emphasized the real victims and harm caused by Kurtaj’s multiple cyberattacks, not only on corporations, but also on individuals.

The trial also saw…
