Tag Archive for: Breaches

RDP Abuse Present in 90% of Ransomware Breaches


Remote desktop protocol (RDP) compromise has reached record levels in ransomware attacks, according to new data from Sophos.

The UK-based security vendor analyzed 150 of its incident response cases from 2023 and found RDP abuse featured in 90% of them to give threat actors remote access to Windows environments.

Sophos described the rate of RDP abuse as “unprecedented” and said it partially explained why “external remote services” were the most popular way for threat actors to gain initial access in ransomware attacks – accounting for 65% of cases last year.

In one case, attackers successfully compromised the same victim four times within six months via exposed RDP ports. Once inside, they were able to move laterally through its networks, downloading malicious binaries, disabling endpoint protection and establishing remote access, Sophos said.

RDP offers several advantages for ransomware actors:

  • It is extremely popular among network administrators
  • Attackers can abuse it for remote access without setting off any AV or EDR alarms
  • It offers an easy-to-use GUI
  • The service is often misconfigured, meaning it is publicly exposed and protected only with easy-to-crack credentials
  • Highly privileged accounts are sometimes used for RDP, amplifying the damage that can be done
  • Administrators often disable security features such as Network Level Authentication
  • Many organizations forget to segment their networks, which helps RDP attackers
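Several of the weaknesses in the list above (Network Level Authentication switched off, RDP reachable from any source address, highly privileged accounts able to log on) can be checked from the host side. The following is an added, read-only audit script, not code from Sophos or from the article; it assumes an elevated PowerShell session on Windows 10 / Server 2016 or later with the NetSecurity module available, and the function name `Get-RdpExposureReport` is chosen here for illustration.

```powershell
# Added example (not from the article): audit the RDP settings a ransomware actor
# would look for, reporting findings for the defender to fix.
function Get-RdpExposureReport {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 1 means Remote Desktop is switched off on this host.
    $rdpEnabled  = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means Network Level Authentication is required.
    $nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1
    $port        = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber

    # Enabled inbound rules in the built-in "Remote Desktop" firewall group, with the
    # source addresses they allow. 'Any' means the host imposes no source restriction.
    $openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = (@($addr) -join ', ') }
        }

    # Local Administrators can always log on over RDP when it is enabled, so list them
    # alongside the explicit Remote Desktop Users membership.
    $admins   = @(Get-LocalGroupMember -Group 'Administrators'       -ErrorAction SilentlyContinue | ForEach-Object Name)
    $rdpUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue | ForEach-Object Name)

    $findings = New-Object System.Collections.Generic.List[string]
    if ($rdpEnabled -and -not $nlaRequired) {
        $findings.Add('NLA is disabled: unauthenticated clients reach the logon screen; set UserAuthentication=1')
    }
    if ($openRules | Where-Object { $_.RemoteAddress -eq 'Any' }) {
        $findings.Add('RDP firewall rule allows any source address; scope it to management subnets or a VPN range')
    }
    if ($rdpEnabled -and $admins.Count -gt 0) {
        $findings.Add("$($admins.Count) local Administrators can log on over RDP; use dedicated low-privilege RDP accounts")
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = $rdpEnabled
        NlaRequired  = $nlaRequired
        Port         = $port
        InboundRules = $openRules
        Admins       = $admins
        RdpUsers     = $rdpUsers
        Findings     = $findings
    }
}

Get-RdpExposureReport | Format-List
```

The script only sees the host's own configuration. Whether port 3389 (or whatever `Port` reports) is actually reachable from the internet depends on the perimeter firewall and any port-forwarding rules, so the findings should be read together with an inventory of externally exposed services; an empty `Findings` list is not proof the server is unreachable from outside.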

Read more on RDP threats: VPN and RDP Exploitation the Most Common Attack Technique

“External remote services are a necessary, but risky, requirement for many businesses. Attackers understand the risks these services pose and actively seek to subvert them due to the bounty that lies beyond,” argued John Shier, Sophos field CTO.

“Exposing services without careful consideration and mitigation of their risks inevitably leads to compromise. It doesn’t take long for an attacker to find and breach an exposed RDP server, and without additional controls, neither does finding the Active Directory server that awaits on the other side.”

Source…

‘Mother of all data breaches’ reported in latest large-scale hack


It’s a shocking number – 26 billion account records were stolen in what’s being called the ‘mother of all data breaches.’

The leak includes popular sites like Dropbox, LinkedIn, Telegram, and Twitter. It was detailed in a report from Cybernews.com and is unsettling for anyone who ever goes online.

“It’s horrible. It’s really horrible,” said Professor Huirong Fu, of Oakland University.

Fu is a founding director of OU’s Center for Cybersecurity. She says this is difficult for consumers who sometimes have no choice but to register their information with companies they want to do business with.

This includes taking birthdays, addresses, and sometimes even Social Security numbers, putting many people between a rock and a hard place.

“We have no choice; if they don’t want to provide this information, they cannot use their platform,” she said. “This is horrible.”

Cybernews.com calls it the “Mother of all Breaches” – 12 terabytes of information. Some companies you’ve likely used,

So can you do anything?

The Federal Trade Commission has some general tips: secure your devices by keeping security software, internet browser, and operating systems up to date, and protect your accounts, particularly those with personal information, like your bank, email, and social media accounts.

Strong passwords and multi-factor authentication can really help. Also be very circumspect when giving out any personal information to any organization, even one you trust, because the possibility of a hack is always a real threat.


Source…

Router botnet tied to Volt Typhoon’s critical infrastructure breaches


Chinese threat group Volt Typhoon used a sophisticated botnet of unsecured home and small business routers to stealthily transfer data during a major campaign targeting U.S. critical infrastructure discovered earlier this year.

The group’s actions raised alarm in the intelligence community when they were first reported in May because of the breadth and potential impact of its attacks. Organizations across a range of sectors, including government, defense, communications, IT and utilities were targeted.

One victim was a critical infrastructure organization in the U.S. territory of Guam. There were fears the breach could be a precursor to an attack aimed at disrupting U.S. military capabilities in the nearby South China Sea.

KV-botnet comprised of end-of-life routers

In a Dec. 13 post, Lumen Technologies said following the discovery of the attacks, its Black Lotus Labs division discovered Volt Typhoon — and possibly other advanced persistent threat (APT) actors — had used a botnet as a data transfer network as part of its operations.

Dubbed KV-botnet, it was a network of mainly end-of-life infected small office/home office (SOHO) routers made by Cisco, DrayTek and Netgear.

“The KV-botnet features two distinct logical clusters, a complex infection process and a well-concealed command-and-control (C2) framework,” the researchers said. “The operators of this botnet meticulously implement tradecraft and obfuscation techniques.”

There were several advantages of building a botnet from older SOHO routers, they said, including the large number available, the lack of security measures and patching they were subjected to, and the significant data bandwidth they could handle without raising suspicion.

“Additionally, because these models are associated with home and small business users, it’s likely many targets lack the resources and expertise to monitor or detect malicious activity and perform forensics.”

In a separate statement, Lumen said KV-botnet had enabled Volt Typhoon to maintain secret communication channels that merged with normal network traffic, avoiding security barriers and firewalls.

“This botnet was essential for their strategic intelligence collection operations,…

Source…

Breaches by Iran-affiliated hackers spanned multiple U.S. states, federal agencies say


HARRISBURG, Pa. — A small western Pennsylvania water authority was just one of multiple organizations breached in the United States by Iran-affiliated hackers who targeted a specific industrial control device because it is Israeli-made, U.S. and Israeli authorities say.

“The victims span multiple U.S. states,” the FBI, the Environmental Protection Agency, the Cybersecurity and Infrastructure Security Agency, known as CISA, as well as Israel’s National Cyber Directorate said in an advisory emailed to The Associated Press late Friday.

They did not say how many organizations were hacked or otherwise describe them.

Matthew Mottes, the chairman of the Municipal Water Authority of Aliquippa, which discovered it had been hacked on Nov. 25, said Thursday that federal officials had told him the same group also breached four other utilities and an aquarium.

Cybersecurity experts say that while there is no evidence of Iranian involvement in the Oct. 7 attack on Israel by Hamas that triggered the war in Gaza, they expected state-backed Iranian hackers and pro-Palestinian hacktivists to step up cyberattacks on Israel and its allies in its aftermath. And indeed that has happened.

The multiagency advisory explained what CISA had not when it confirmed the Pennsylvania hack on Wednesday — that other industries outside water and water-treatment facilities use the same equipment — Vision Series programmable logic controllers made by Unitronics — and were also potentially vulnerable.

Those industries include “energy, food and beverage manufacturing and healthcare,” the advisory says. The devices regulate processes including pressure, temperature and fluid flow.

The Aliquippa hack prompted workers to temporarily halt pumping in a remote station that regulates water pressure for two nearby towns, leading crews to switch to manual operation. The hackers left a digital calling card on the compromised device saying all Israeli-made equipment is “a legal target.”

The multiagency advisory said it was not known if the hackers had tried to penetrate deeper into breached networks. The access they did get enabled “more profound cyber physical effects on processes and equipment,” it said.

Source…