Tag Archive for: actively

Hacking toolkits to bypass two-factor authentication actively sold on the Dark Web

Two-factor authentication has become a must for online presence these days. We see every digital platform touting it as the most important security step for your account. While the claim might put you at peace, know that there are established ways of getting around this security wall. Even more concerning is the fact that there is little to nothing that you can do to prevent these hacks.

The reason two-factor authentication is hailed as the epitome of online security is that it employs two different security codes. One is the password you have set for your account; the other is a randomly generated code that you receive (by text message or from a code generator) at the time of login (or whenever it is required). Since only you can know the random code, your account is presumably safe even if your password is compromised.

But over time hackers have found several ways to bypass this seemingly foolproof system. Initially, these relied on simple voice phishing to get the random code out of the account holder by duping him or her on some pretext. Now, attempts at hacking 2FA have become more sophisticated.

A new study points out that they are also becoming increasingly common in the hacker community.

Research by Stony Brook University and cybersecurity firm Palo Alto Networks has found numerous “phishing toolkits” that can be used to hack 2FA setups. First spotted by The Record, the study also mentions that these toolkits are actively being sold on the dark web to anyone wanting to use them to hack an account.

Bypassing Two-Factor Authentication

As noted in the study, the researchers found over 1,200 phishing toolkits online. These toolkits contain malicious code that enables a hacker to launch sophisticated cyber attacks on a target. These attacks are specifically meant to steal 2FA authentication cookies from a system, thus allowing the hacker to bypass 2FA security.

This is done through what is called a Man-in-the-Middle (MITM) attack, in which a hacker redirects the traffic from a victim’s computer through a phishing site that employs a reverse proxy server. The attacks thus…

Source…

Android Patches Actively Exploited Zero-Day Kernel Bug – Threatpost

Source…

Apple patches iOS vulnerability actively exploited in the wild

Apple patched a zero-day vulnerability in iOS 15.0.2 on Monday that enabled remote code execution with kernel privileges.

The iOS vulnerability, CVE-2021-30883, affects the IOMobileFrameBuffer kernel extension. Apple described the flaw in its security advisory as a memory corruption issue and said it “may have been actively exploited.”

Apple said in the advisory that the newly patched bug impacts “iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).” The post said that the company has received “a report” of exploitation but did not elaborate further.

SearchSecurity asked Apple how widespread the exploitation was, but a spokesperson declined to comment.

Mobile security vendor ZecOps tweeted Tuesday that because the latest iOS vulnerability can be exploited from a browser, it is “perfect” for watering hole attacks.

Saar Amar, a researcher with the Microsoft Security Response Center (MSRC), published a technical blog about the vulnerability on GitHub that provided an overview of the bug and, broadly speaking, how it can be exploited. In the post, he called the vulnerability “great for jailbreaks” due to its accessibility via App Sandbox and showcased a proof of concept.

The origin of the zero-day is not known, and Apple credited the find to an “anonymous researcher.”

CVE-2021-30883 marks the latest flaw in a string of Apple zero-day vulnerabilities this year. More than a dozen such flaws have been exploited in the wild in 2021, several of which have impacted Apple’s WebKit browser engine.

In other vulnerability news, Apple has come under fire in recent weeks for its bug bounty program, which researchers have criticized for communication issues and, in some cases, an alleged lack of acknowledgement. Out of this frustration, one researcher publicly released three apparent zero-days last month.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Source…

John Anthony Smith: Russian-Speaking REvil Group Is Actively Causing Widespread Cyber Terror

(John Anthony Smith, president of the fast-growing Conversant Group on the Southside, advises on Internet security after an attack by a Russian criminal gang on a U.S. pipeline company that caused many gas stations to run dry for several days).

Similar in some ways to the global SolarWinds breach that occurred last year, threat actors have once again breached another system used for monitoring, patching, and remote administration.[1] On Friday, it became publicly known that Kaseya, a well-known player in Remote Monitoring and Management (RMM) tools, had succumbed to a supply chain compromise. Kaseya’s RMM, known as VSA, is commonly used by Managed Service Providers to manage, monitor, and patch their customers’ infrastructures.

REvil Group was able to breach Kaseya’s VSA system and use it to destroy backups and subsequently encrypt over 200 organizations’ data. By the nature of how it works, Kaseya VSA has highly privileged access to the infrastructures in which it is deployed, as it is used to monitor, manage, and patch systems. Thus, REvil was able to orchestrate this malicious attack nearly unthwarted by security controls. On Friday, Kaseya sent out a warning of a potential attack and urged customers to shut down their servers running the service. According to Kaseya’s web site, more than 40,000 organizations use its products.

REvil is demanding $50,000 in ransom from smaller companies and $5 million from larger ones.[2] REvil is a Russian-speaking hacking group that is highly active, and it is the same group of threat actors that successfully collected an $11 million ransom from JBS Meats. It is widely believed that REvil operates from Russia, and this recent compromise comes on the heels of President Joe Biden’s meeting with Russian President Vladimir Putin in Geneva. It is obvious that Biden’s conversation has prompted little action, at least thus far, in reining in REvil’s continued attacks.

Ransomware attacks have spiked in the past year and a half, with $412 million in ransom payments made last year alone, and…

Source…