Tag Archive for: credential

GM credential stuffing attack exposed car owners’ personal info

/in


General Motors logo on a building

US car manufacturer GM disclosed that it was the victim of a credential stuffing attack last month that exposed some customers’ information and allowed hackers to redeem rewards points for gift cards.

General Motors operates an online platform to help owners of Chevrolet, Buick, GMC, and Cadillac vehicles manage their bills, services, and redeem rewards points.

Car owners can redeem GM rewards points towards GM vehicles, car service, accessories, and purchasing OnStar service plans.

Targeted in credential stuffing attack

GM disclosed that they detected the malicious login activity between April 11th and April 29th, 2022, and confirmed that the hackers redeemed customer reward points for gift cards in some cases.

“We are writing to follow up on our [DATE] email to you, advising you of a data incident involving the identification of recent redemption of your reward points that appears to be without your authorization,” explains a data breach notification sent to affected customers.

GM states they will be restoring rewards points for all customers affected by this breach.

However, these breaches are not a result of a General Motors being hacked but rather are caused by a wave of credential stuffing attacks targeting customers on their platform.

Credential Stuffing attacks are when threat actors use collections of username/password combinations leaked in other sites’ data breaches to gain access to user accounts on a website.

“Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself,” explains a different data breach notification from GM

“We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.”

GM requires affected users to reset their passwords before logging in to their accounts again.

Personal information exposed

When the hackers successfully breached a GM account, they could access certain information stored on the site. This information includes the following personal details:

  • First and last name,
  • personal email address,
  • personal address,
  • username and phone number for…

Source…

North Korean Hackers Found Behind a Range of Credential Theft Campaigns

/in


A threat actor with ties to North Korea has been linked to a prolific wave of credential theft campaigns targeting research, education, government, media and other organizations, with two of the attacks also attempting to distribute malware that could be used for intelligence gathering.

Enterprise security firm Proofpoint attributed the infiltrations to a group it tracks as TA406, and by the wider threat intelligence community under the monikers Kimsuky (Kaspersky), Velvet Chollima (CrowdStrike), Thallium (Microsoft), Black Banshee (PwC), ITG16 (IBM), and the Konni Group (Cisco Talos).

Policy experts, journalists and nongovernmental organizations (NGOs) were targeted as part of weekly campaigns observed between from January through June 2021, Proofpoint researchers Darien Huss and Selena Larson disclosed in a technical report detailing the actor’s tactics, techniques, and procedures (TTPs), with the attacks spread across North America, Russia, China, and South Korea.

Known to be operational as early as 2012, Kimsuky has since emerged as one of the most active advanced persistent threat (APT) group known for setting its sights on cyber espionage but also for conducting attacks for financial gain, targeting government entities, think tanks, and individuals identified as experts in various fields as well as harvest sensitive information pertaining to foreign policy and national security issues.

Automatic GitHub Backups

“Like other APT groups that constitute a big umbrella, Kimsuky contains several clusters: BabyShark, AppleSeed, Flower Power, and Gold Dragon,” Kaspersky researchers noted in their Q2 2021 APT trends report published last month. The AppleSeed sub-group is also referred to as TA408.

The group is also known for reeling in targets with convincing social engineering schemes and watering hole attacks before sending them malware-infected payloads or tricking them into submitting sensitive credentials to phishing sites, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a public alert issued in October 2020.

Earlier this month, researchers from Cisco Talos disclosed an ongoing Kimsuky campaign since June 2021 that was found leveraging malicious blogs hosted on Google’s…

Source…

Data breach extortion. Credential reuse risk. Blackswan zero-days. A Monero cryptojacker. Notes on the ransomware summit.

/in


Attacks, Threats, and Vulnerabilities

Extortionist Hacker Group SnapMC Breaches Networks in Under 30 Minutes (SecurityWeek) Over the past few months, a threat actor has been increasingly breaching enterprise networks to steal data and extort victims, but without disrupting their operations

SnapMC skips ransomware, steals data (NCC Group Research) Over the past few months NCC Group has observed an increasing number of data breach extortion cases, where the attacker steals data and threatens to publish said data online if the victim decides not to pay. Given the current threat landscape, most notable is the absence of ransomware or any technical attempt at disrupting the victim’s operations.

Academics find Meltdown-like attacks on AMD CPUs, previously thought to be unaffected (The Record by Recorded Future) Two academic papers have been published over the past two months detailing new side-channel attacks in AMD processors that have eerily similar consequences to the Meltdown attack disclosed in early 2018, to which AMD CPUs were previously thought to be immune.

How Impersonation Attacks Fool Users (Avanan) Hackers use impersonated messages from reputable brands to fool users. In this case, scammers are impersonating DocuSign.

Once-in-a-decade discovery made by international cyber security company built by former spies (PR Newswire) Field Effect, a global cyber security company, has released details of their discovery of seven 0-day vulnerabilities in Microsoft Windows software and…

Blox Tales: Microsoft Defender Vishing Using AnyDesk (Armorblox) This blog focuses on a Microsoft Defender vishing campaign where attackers tried to get victims to download AnyDesk for an RDP attack.

Heads up: Verizon’s Visible MVNO accounts are getting hacked left and right (AndroidPolice) Users are reporting account hijacks, address changes, and unauthorized purchases

Apparent Verizon Visible hack was credential stuffing attack, says carrier [U] (9to5Mac) Multiple reports of an apparent Verizon Visible hack, with attackers changing shipping addresses, then ordering phones that are charged …

Verizon’s Visible confirms accounts were breached – report (FierceWireless) Some customer accounts for the…

Source…

COVID-19 themed malware and credential theft campaigns make a resurgence as Delta variant spreads

/in


Proofpoint finds COVID-19 themed email threats make a resurgence as the Delta variant spreads.

Since late June 2021, Proofpoint has observed high volumes of COVID-19 themed threats distributing malware and credential theft campaigns, including a Microsoft credential theft campaign targeting thousands of organisations globally. Proofpoint researchers also identified an increase in business email compromise, with threat actors posing as human resource professionals to gain an individual’s trust.  

The new attacks follow a lull in COVID-19-themed threat campaigns through the Spring and early Summer of 2021. Now, multiple types of high-volume threats have pivoted back to using COVID-19 social engineering themes as global concern about the Delta variant rises. 

Proofpoint has been tracking ongoing threats using COVID-19 and related coronavirus themes since the beginning of the pandemic. TA452, known to distribute Emotet, first began using COVID-19 in email threats in January 2020. Although the virus has remained an ongoing theme, researchers have observed a significant increase in messages leveraging COVID-19 in recent months. 

Since late June 2021, Proofpoint has observed high a volume COVID-19 themed campaigns distributing RustyBuer, Formbook, and Ave Maria malware, in addition to multiple corporate phishing attempts to steal Microsoft and O365 credentials. The researchers also found an increase in business email compromise threats using COVID-19 themes during this timeframe.

“The increase in COVID-19 themes in our data aligns with public interest in the highly contagious COVID-19 Delta variant,” says Proofpoint.

“According to global Google Trend data, worldwide searches for “Delta variant” first peaked the last week in June 2021 and have continued through August 2021 so far. The increase in COVID-19 related threats is global. We observed tens of thousands of messages intended for customers in various industries worldwide.” 

Open-source data also supports a greater threat actor adoption of COVID-19 themes. South Korea, for example, recently raised its cyber threat warning level in response to an increase of threats related to its COVID-19 relief programs. 

Threat actors…

Source…