Tag Archive for: compromise

Mobile Verification Toolkit: Forensic analysis of Android and iOS devices to identify compromise


Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.

Mobile Verification Toolkit

MVT supports using public indicators of compromise (IOCs) to scan mobile devices for potential traces of targeting or infection by known spyware campaigns. MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools. MVT is not intended for end-user self-assessment.

It was developed and released by the Amnesty International Security Lab in July 2021 in the context of the Pegasus Project, along with a technical forensic methodology. It continues to be maintained by Amnesty International and other contributors.

Mobile Verification Toolkit key features

MVT’s capabilities are continuously evolving, but some of its key features include:

  • Decrypt encrypted iOS backups.
  • Process and parse records from numerous iOS system and apps databases, logs, and system analytics.
  • Extract installed applications from Android devices.
  • Extract diagnostic information from Android devices through the adb protocol.
  • Compare extracted records to a provided list of malicious indicators in STIX2 format.
  • Generate JSON logs of extracted records and separate JSON logs of all detected malicious traces.
  • Generate a unified chronological timeline of extracted records, along with a timeline of all detected malicious traces.
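The last three features above (compare records against STIX2 indicators, log the detections, build a chronological timeline) are the core of what MVT does once the device data has been extracted. The block below is an added example written for this page, not MVT's own code: it parses a constructed STIX2 bundle into indicator sets, scans constructed MVT-style records for matching domains (including subdomains) and process names, and sorts the hits into a timeline. The bundle contents, record fields and module names are illustrative assumptions.

```python
"""Match extracted device records against STIX2 indicators and build a timeline.
Added example, not MVT's own code; the bundle and records below are constructed."""
import json
import re
from urllib.parse import urlparse

# Constructed STIX2 bundle in the shape MVT consumes; the domains and process
# name are placeholders, not real indicators.
STIX2_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "Example C2 infrastructure",
         "pattern": "[domain-name:value = 'update-cdn.example' OR "
                    "domain-name:value = 'sync.example']",
         "pattern_type": "stix"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "Example suspicious process name",
         "pattern": "[process:name = 'bh']",
         "pattern_type": "stix"},
    ],
})

# Constructed records in the flat shape MVT writes to its per-module JSON logs.
RECORDS = [
    {"timestamp": "2021-06-20T09:00:00.000000Z", "module": "SMS",
     "text": "Your parcel is waiting: https://shop.example.com/track/42"},
    {"timestamp": "2021-06-21T10:01:59.000000Z", "module": "Datausage",
     "process": "mobileactivationd"},
    {"timestamp": "2021-06-21T10:02:13.000000Z", "module": "Safari History",
     "url": "https://update-cdn.example/ios/1"},
    {"timestamp": "2021-06-21T10:02:15.000000Z", "module": "Processes",
     "name": "bh"},
]

PATTERN_RE = re.compile(r"(domain-name:value|process:name)\s*=\s*'([^']+)'")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def load_iocs(bundle_json):
    """Parse STIX2 indicator patterns into sets keyed by observable type."""
    iocs = {"domain-name:value": set(), "process:name": set()}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        for observable, value in PATTERN_RE.findall(obj["pattern"]):
            iocs[observable].add(value.lower())
    return iocs


def domain_matches(host, domains):
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_records(records, iocs):
    """Return copies of the records that hit an indicator, tagged with the match."""
    detections = []
    for rec in records:
        hit = None
        for key, value in rec.items():
            if not isinstance(value, str):
                continue
            if key in ("name", "process") and value.lower() in iocs["process:name"]:
                hit = ("process:name", value)
                break
            for url in URL_RE.findall(value):
                host = urlparse(url).hostname or ""
                if domain_matches(host, iocs["domain-name:value"]):
                    hit = ("domain-name:value", host)
                    break
            if hit:
                break
        if hit:
            detections.append({**rec, "matched_indicator": hit})
    return detections


def build_timeline(records):
    """Chronological (timestamp, module, summary) tuples, oldest first."""
    def summary(rec):
        for key in ("url", "name", "process", "text"):
            if key in rec:
                return rec[key]
        return ""
    return sorted((r["timestamp"], r["module"], summary(r)) for r in records)


if __name__ == "__main__":
    found = check_records(RECORDS, load_iocs(STIX2_BUNDLE))
    print(f"{len(found)} of {len(RECORDS)} records matched an indicator")
    for ts, module, what in build_timeline(found):
        print(ts, module, what)
```

Two practical points carry over to real investigations: indicator domains should match subdomains too, since spyware infrastructure rotates hostnames under a fixed parent domain, and the timeline of detections is only meaningful if every module's timestamps are normalised to the same timezone (UTC here) before sorting.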

Mobile Verification Toolkit is available for download on GitHub. The developers do not want MVT to enable privacy violations against non-consenting individuals. To that end, MVT is released under its own licence (the MVT License), a Mozilla Public License 2.0 derivative that restricts use to forensic analysis of devices with the owner's consent.

Source…

Explained | How did a China-based hacking group compromise Microsoft’s cloud security? 


The story so far: In July, Microsoft said that a China-based hacking group had breached U.S. government-linked email accounts. The company said the group, tracked as Storm-0558, gained access to email accounts at 25 organisations, including Western European government agencies, and to the mailboxes of senior American officials such as Commerce Secretary Gina Raimondo, U.S. Ambassador to China Nicholas Burns, and Assistant Secretary of State for East Asia Daniel Kritenbrink. The attacks stemmed from the compromise of a Microsoft engineer's corporate account: the company explained that the hackers were able to extract a cryptographic signing key from that account and use it to get into email accounts. The flaw has since been fixed.

When did the attacks start?

The attack on the email accounts of American government officials was first noticed when customers reported abnormal mail activity on June 16. Microsoft's investigation then revealed that, starting May 15, Storm-0558 had gained access to email accounts at approximately 25 organisations in the public cloud, including government agencies, as well as to consumer accounts of individuals associated with those organisations.

What is Storm-0558?

Microsoft Threat Intelligence assessed "with moderate confidence" that Storm-0558 is a China-based threat actor whose activities and methods are consistent with espionage objectives. The group appears to operate as its own distinct actor, and its core working hours are consistent with working hours in China, Microsoft said in a blog post.

In the past, the group has primarily targeted U.S. and European diplomatic, economic, and legislative governing bodies, along with individuals connected to Taiwan and Uyghur geopolitical interests. The group has been targeting Microsoft accounts since August 2021 and had reportedly obtained credentials for initial access through phishing campaigns and by exploiting vulnerabilities in public-facing applications to get into victims' networks.

How did the threat actors breach Microsoft’s security?

The China-based threat actor compromised Microsoft's cloud email security by using an acquired MSA (Microsoft consumer account) signing key to forge authentication tokens and access Outlook Web Access…
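The detail that makes this attack instructive is that a consumer (MSA) signing key was accepted for enterprise mailboxes at all; Microsoft's own analysis attributed that to a token-validation issue. The block below is an added, simplified model of the relevant check, written for this page and not taken from Microsoft's code: a key store where every signing key is bound to exactly one issuer, a "weak" validator that trusts any known key for any issuer, and a "strict" validator that also requires the token's issuer to match the key's scope. Key ids, issuer URLs, the audience string and the HMAC-SHA256 scheme (standing in for the asymmetric keys used in practice) are assumptions.

```python
"""Scope each signing key to the issuer it may sign for.
Added, simplified model of the token-validation lesson from Storm-0558; not
Microsoft's code. Key ids, issuer URLs, audience and the HMAC scheme are
assumptions (production systems use asymmetric keys published via JWKS)."""
import base64
import hashlib
import hmac
import json
import time

CONSUMER_ISSUER = "https://login.live.com"                     # assumed MSA issuer
ENTERPRISE_ISSUER = "https://sts.windows.net/contoso-tenant/"  # assumed tenant issuer
OWA_AUDIENCE = "https://outlook.office.com"                    # assumed OWA audience

# Assumed key store. The important field is "issuer": a key is only ever
# trusted to sign tokens for that one issuer.
KEYS = {
    "msa-2016": {"secret": b"consumer-key-material", "issuer": CONSUMER_ISSUER},
    "aad-ent-1": {"secret": b"enterprise-key-material", "issuer": ENTERPRISE_ISSUER},
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(kid, signing_input):
    return hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()


def mint(kid, issuer, upn, ttl=3600):
    """Issue a JWT-style token with whichever key the caller holds.
    An attacker holding the consumer key can call this with the enterprise issuer."""
    header = {"alg": "HS256", "kid": kid}
    claims = {"iss": issuer, "aud": OWA_AUDIENCE, "upn": upn, "exp": int(time.time()) + ttl}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    return signing_input + "." + _b64url(_sign(kid, signing_input))


def _parse(token):
    head, body, sig = token.split(".")
    return (json.loads(_b64url_decode(head)), json.loads(_b64url_decode(body)),
            _b64url_decode(sig), head + "." + body)


def _signature_and_claims_ok(token, audience):
    """Shared checks: known kid, pinned algorithm, valid MAC, audience, expiry."""
    header, claims, sig, signing_input = _parse(token)
    key = KEYS.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(sig, _sign(header["kid"], signing_input)):
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) <= time.time():
        return None
    return header, claims, key


def verify_weak(token, audience=OWA_AUDIENCE):
    """Trusts any key in the store for any issuer: a forged enterprise token
    signed with the consumer key passes."""
    result = _signature_and_claims_ok(token, audience)
    return None if result is None else result[1]


def verify_strict(token, expected_issuer, audience=OWA_AUDIENCE):
    """Also requires the token's issuer to be the expected one and the signing
    key to be scoped to that issuer, so the consumer key cannot mint
    enterprise tokens."""
    result = _signature_and_claims_ok(token, audience)
    if result is None:
        return None
    header, claims, key = result
    if claims.get("iss") != expected_issuer or key["issuer"] != expected_issuer:
        return None
    return claims


if __name__ == "__main__":
    forged = mint("msa-2016", ENTERPRISE_ISSUER, "official@contoso.example")
    print("weak validator accepts forged token:", verify_weak(forged) is not None)
    print("strict validator accepts forged token:",
          verify_strict(forged, ENTERPRISE_ISSUER) is not None)
```

The point the strict validator makes is that a valid signature is not the same as a valid token: the verifier has to know which issuer a key is allowed to speak for, and reject a token whose issuer claim and signing key disagree. Key rotation limits how long a stolen key stays useful, but it does not replace this check.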

Source…

Stake experiences a security compromise worth $41 million


Stake has reportedly suffered a major hack of its hot wallets, costing the platform approximately $41 million. The attacker is said to have executed multiple transactions, raising suspicion about the outflow of cryptocurrency. The incident was first reported by on-chain analysts, who now say that deposits and withdrawals at Stake have been halted.

A total of three blockchains were targeted: BNB Chain, Polygon, and Ethereum. Two sets of on-chain analysts have highlighted different transactions.

The first, from Cyvers, reports that $15.7 million worth of cryptocurrency was transferred by the hacker, comprising $5.9 million in stablecoins and $9.8 million in ether. Subsequent data from ZachXBT shows a further $25.6 million moved out of hot wallets operated by Stake, including $17.8 million on BNB Chain and $7.8 million on Polygon.

That brings the approximate total loss to $41 million.

An official statement from Stake is awaited; however, the online casino operator has posted on X, formerly Twitter, that it is investigating the matter. Until then, it has halted deposits and withdrawals for customers. A tentative date for resuming those activities has yet to be shared with the community.

Platforms being exploited by malicious actors is nothing new, especially in Web3. The segment as a whole has lost more than $1 billion this year, with Base adding to the ongoing monthly toll.

Losses for Web3 platforms in 2023 to date have reached $1.2 billion, of which $23 million was reportedly lost in August. These losses came from malicious actors finding a way into systems and draining funds through hacks and/or fraud.

The losses stated above came from 211 incidents. Besides Base, BNB Chain and Ethereum have also been among the most targeted chains, per the report published by Immunefi.

Immunefi publishes reports on the threats and security issues facing platforms on the internet.

Such an incident has put…

Source…

Celerium Announces Compromise Defender™ Solution with Defensive Support Against Cl0p/MOVEit Ransomware Threats


Compromise Defender is a new Celerium solution that deploys in 30 minutes and uses automation to detect and disrupt cyber compromise activity.

TYSON’S CORNER, June 22, 2023 /PRNewswire/ — Celerium Inc., a leading cyber defense company, today announces the release of its latest cybersecurity solution, Compromise Defender™. As an integral part of Celerium’s Cyber Defense Network™, this innovative solution combines rapid implementation and automation to provide early detection and defense of compromise activity.

Celerium powers active cyber defense solutions to help protect companies and communities from increasing cyberattacks. (PRNewsfoto/Celerium)


Research by IBM found that the average time to detect a data breach is around 200 days, nearly seven months. Early detection of, and defense against, compromise activity, which typically follows the network intrusion phase of a cyber incident and can be a precursor to later-stage ransomware and data breach attacks, is therefore more critical than ever. Celerium created Compromise Defender to address this need.

“Small and medium-sized businesses and local government organizations are overloaded and overwhelmed with cybersecurity challenges,” said Tommy McDowell, General Manager of Celerium. “Our aim with Compromise Defender is to lighten their load by providing a real-time, automated solution that not only detects threats early but also launches an effective defense.”

Celerium specifically designed Compromise Defender for busy and overloaded organizations, with quick setup and easy operation:

  • 30-minute non-intrusive implementation, without any hardware or software to install.

  • Secure connectivity between an organization's perimeter firewalls and Celerium's Decision Engine, hosted on the AWS cloud.

  • 100% automated, eliminating the need for integration with SIEM or IT security stack solutions.

  • Autonomous operation, requiring no IT staff for day-to-day management.

  • Real-time automated defense mechanisms to block network threats and compromise activity. The real-time mechanism re-optimizes network defense measures every 15 minutes.

  • Integrated automated analysis and reporting platforms show compromise activity (of reconnaissance, C2 server…

Source…