Tag Archive for: documents

Escanor RAT Malware Deployed Via Microsoft Office and PDF Documents


A new remote administration tool (RAT) weaponizing Microsoft Office and Adobe PDF documents to deliver malicious code was spotted in dark web forums and Telegram channels.

The malware was discovered by security researchers at Resecurity over the weekend and dubbed Escanor in an advisory published on Sunday, August 21, 2022.

“The threat actors offer Android-based and PC-based versions of RAT, along with a hidden virtual network computing (HVNC) module and exploit builder to weaponize Microsoft Office and Adobe PDF documents to deliver malicious code,” reads the document.

According to the Resecurity team, the RAT was first released for sale on January 26, 2022. Initially designed as an HVNC implant, the malware simply allowed attackers to set up a silent remote connection to the victim’s computer. The tool later evolved into a full-scale commercial RAT with a rich feature set. 

“Escanor has built a credible reputation in dark web, and attracted over 28,000 subscribers on the Telegram channel,” Resecurity wrote.

“In the past, the actor with the exact same moniker released ‘cracked’ versions of other dark web tools, including Venom RAT, and Pandora HVNC which were likely used to enrich further functionality of Escanor.”

As for the mobile version of Escanor (dubbed ‘Esca RAT’), the malware is reportedly being actively used by cyber-criminals to attack online-banking customers by intercepting one-time password (OTP) codes.

“The tool can be used to collect GPS coordinates of the victim, monitor keystrokes, activate hidden cameras and browse files on the remote mobile devices to steal data,” reads the advisory.

Further, Resecurity warned that the domain name used by Escanor had previously been identified in connection with Arid Viper, a group active in the Middle East in 2015 and known to mainly target Israeli military assets.

As for Escanor, the majority of its victims were identified in the U.S., Canada, UAE, Saudi Arabia, Kuwait, Bahrain, Egypt, Israel, Mexico and Singapore with some infections spotted in South-East Asia.

Source…

Rideau Hall cyberbreach was ‘sophisticated’ incident, internal documents show – National


Newly disclosed documents reveal the breach of an internal computer network at Rideau Hall was described to senior government officials as a “sophisticated cyber incident” in the days before the public was told of the security lapse.

Internal government emails, obtained by The Canadian Press through the Access to Information Act, also say officials were “unable to confirm the full extent of the information that was accessed.”


As a result, the Office of the Secretary to the Governor General was looking to make credit monitoring services available to employees due to concerns that sensitive personal information might have been pilfered.

All managers were encouraged “to reflect on the information holdings they manage in their respective units” and raise any concerns they might have, says a Nov. 17, 2021, draft of a message that was to be shared with Rideau Hall employees.


In a Dec. 2 news release, the Office of the Secretary to the Governor General said there was “an unauthorized access to its internal network” and that it was working on the investigation with the Canadian Centre for Cyber Security – a wing of the Communications Security Establishment, Canada’s electronic spy service.

It mentioned efforts to improve computer networks as well as consultation with the federal privacy commissioner’s office.

Ciara Trudeau, a spokeswoman for the Office of the Secretary, said it communicated with Rideau Hall employees and “external partners who may have been affected by the incident.”

However, she declined to provide a general update on the breach, the sort of information accessed, or other details about how and why it took place.

Trudeau also would not discuss the provision of secure credit monitoring services to employees.

The internal emails indicate several senior Privy Council Office officials were advised of the breach two weeks before the event was made public.

Source…

New Lapsus$ Hack Documents Make Okta’s Response Look More Bizarre


In the week since the digital extortion group Lapsus$ first revealed that it had breached the identity management platform Okta through one of the company’s subprocessors, customers and organizations across the tech industry have been scrambling to understand the true impact of the incident. The subprocessor, Sykes Enterprises, which is owned by the business services outsourcing company Sitel Group, confirmed publicly last week that it suffered a data breach in January 2022. Now, leaked documents show Sitel’s initial breach notification to customers, which would include Okta, on January 25, as well as a detailed “Intrusion Timeline” dated March 17.

The documents raise serious questions about the state of Sitel/Sykes’ security defenses prior to the breach, and they highlight apparent gaps in Okta’s response to the incident. Sitel declined to comment about the documents, which were obtained by independent security researcher Bill Demirkapi and shared with WIRED.

Okta said in a statement, “We are aware of the public disclosure of what appears to be a portion of a report Sitel prepared regarding its incident. … Its content is consistent with the chronology we have disclosed regarding the January 2022 compromise at Sitel.” The company added, “Once we received this summary report from Sitel on March 17, we should have moved more swiftly to understand its implications. We are determined to learn from and improve following this incident.”

When the Lapsus$ group published screenshots claiming it had breached Okta on March 21, the company says that it had already received Sitel’s breach report on March 17. But after sitting with the report for four days, Okta seemed to be caught flat-footed when the hackers took the information public. The company even initially said, “The Okta service has not been breached.” WIRED has not seen the complete report, but the “Intrusion Timeline” alone would presumably be deeply alarming to a company like Okta, which essentially holds the keys to the kingdom for thousands of major organizations. Okta said last week that the “maximum potential impact” of the breach reaches 366 customers.

The timeline, which was seemingly produced by security…

Source…

Toronto feared 35,000 citizens’ data would be made public after cyberattack: documents


The City of Toronto expected metadata concerning some 35,000 citizens to be posted on an online forum run by Eastern European cybercriminals after a data breach earlier this year — but ended up escaping the worst, new documents obtained by CTV News Toronto show.

Some six months after an internal city agency sounded the alarm in confidential documents, the information has yet to be shared publicly and the city says it never received a ransom request, leading some cybersecurity experts to wonder if the city escaped what has been described as a massive spree of cyberattacks. 

“It looks like they failed. The silence is somewhat deafening,” said cybersecurity expert Claudiu Popa. “Maybe the attacker failed to get what they wanted and didn’t have the leverage to extort this particular victim.”

The attack on Toronto was one among thousands of remote, sometimes automated attacks that seek to obtain data and then threaten to expose or destroy it unless handsome sums are paid, often in digital currency.

Ontario’s Information and Privacy Commissioner says cybercriminals are increasingly targeting public agencies, warning breaches are up 151 per cent in 2021 — with 39 public institutions attacked this year in Ontario.

“Hackers are taking advantage of the current public health crisis, and cybersecurity incidents are on the rise,” a spokesperson for the agency said.

The City of Toronto threat assessment, obtained through a Freedom of Information request, describes the attack in January of 2021 as happening through a “zero day” weakness in the city’s Accellion file transfer system.

Hackers known as “CLOP” discovered the weakness in the file transfer system at that time and used it to exploit a large number of organizations, including the Region of Durham.

CTV News Toronto has already shown that those attackers gained and then posted health and schooling data of tens of thousands of individuals, as well as a video of the arrest of a young man by Toronto police on a Durham Region transit bus.

The document appears to link the Toronto attack for the first time publicly to CLOP, which is believed to be a network operating out of…

Source…