Tag Archive for: identity

Understanding Scattered Spider, and how they perform cloud-centric identity attacks


Scattered Spider is an active cyber-attack group that goes by many names. You might hear them referred to as Starfraud, UNC3944, Scatter Swine, Octo Tempest, Muddled Libra, and of course, Scattered Spider. Their focus is on developing playbooks that result in reproducible (mainly identity-based) attacks with high success rates.

While many attackers use identity to infiltrate organizations, Scattered Spider has become especially effective at bypassing MFA and getting in through cloud identities. Once inside, they transition to living-off-the-land techniques that span the entire enterprise: cloud, network, and everything the compromised identity touches.

What does Scattered Spider do?

Scattered Spider has a history of both traditional and hybrid attacks on cloud enterprise environments. Their goal is to target data wherever it is the most valuable.

Their ransomware strategy combines denial of access with extortion over stolen data. By encrypting systems and locking users out, they shut down operations from the inside, making it hard to do business. Ultimately, they exfiltrate the data and demand payment, threatening to release the data or use it against you if you refuse.

Cloud-centric Scattered Spider attacks

Image based on Mandiant SIM swapping documentation

In this documented attack example, Scattered Spider compromised an Entra ID identity through SMS phishing. They used that identity to pivot into Azure platform-as-a-service (PaaS) resources, from which they connected directly into Azure IaaS and deployed command-and-control tooling, giving them a foothold in the IaaS environment. They were able to span multiple attack surfaces with minimal preventative measures in place to stop them.

Scattered Spider is highly effective at accessing and abusing identity

The diagram below shows the documented cloud identity techniques used by this attack group, in the traditional MITRE ATT&CK view: the identity techniques Scattered Spider has available to them in the cloud, such as SIM swap, MFA bombing (push fatigue), voice phishing, and so on. Once they have bypassed MFA, they establish persistence at both the device level and the tenant level, manipulate accounts, and begin harvesting data. Ultimately, it's not just identity tactics at play; they span the gamut of the…
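One way to catch the MFA bombing technique listed above from sign-in telemetry, as an added example that is not part of the original article, of Mandiant's documentation, or of any vendor's detection content: the log layout (timestamp, user, MFA result, source IP), the result strings, the sample lines and the thresholds are all constructed assumptions; map the result names onto the events your own identity provider emits.

```python
"""Detect MFA push fatigue ("MFA bombing") in sign-in logs.

Added example; not from the article, Mandiant, or any vendor's detection.
The log layout (timestamp, user, MFA result, source IP) and the sample lines
are constructed; map the result strings onto your own identity provider's events.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: a burst of denied/unanswered pushes to alice that ends in an
# approval (the fatigue pattern), plus ordinary activity for bob.
SAMPLE_LOG = """\
2024-05-01T02:10:05Z alice@example.com MFA_PUSH_DENIED 203.0.113.7
2024-05-01T02:10:41Z alice@example.com MFA_PUSH_DENIED 203.0.113.7
2024-05-01T02:11:15Z alice@example.com MFA_PUSH_TIMEOUT 203.0.113.7
2024-05-01T02:11:50Z alice@example.com MFA_PUSH_DENIED 203.0.113.7
2024-05-01T02:12:30Z alice@example.com MFA_PUSH_DENIED 203.0.113.7
2024-05-01T02:13:02Z alice@example.com MFA_PUSH_APPROVED 203.0.113.7
2024-05-01T09:00:00Z bob@example.com MFA_PUSH_APPROVED 198.51.100.4
2024-05-01T09:30:00Z bob@example.com MFA_PUSH_DENIED 198.51.100.4
2024-05-01T14:00:00Z bob@example.com MFA_PUSH_APPROVED 198.51.100.4
"""

# Result strings that mean "a push went out and the user did not approve it".
UNANSWERED = {"MFA_PUSH_DENIED", "MFA_PUSH_TIMEOUT"}


def parse_line(line):
    """Split one constructed log line into (timestamp, user, result, source_ip)."""
    ts, user, result, ip = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, result, ip


def detect_mfa_fatigue(log_text, window_seconds=600, threshold=4):
    """Return {user: alert} for users who received >= threshold denied/unanswered
    pushes inside a sliding window. approved_after is set when an approval arrives
    while that burst is still live, which is what a successful bombing looks like."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    recent = defaultdict(deque)  # user -> timestamps of unanswered pushes in window
    alerts = {}
    for when, user, result, ip in events:
        q = recent[user]
        while q and (when - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire pushes that fell out of the window
        if result in UNANSWERED:
            q.append(when)
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {"first_seen": q[0], "prompts": 0,
                                                 "approved_after": False,
                                                 "source_ips": set()})
                alert["prompts"] = max(alert["prompts"], len(q))
                alert["source_ips"].add(ip)
        elif result == "MFA_PUSH_APPROVED":
            # An approval while the burst is still above threshold is the signal;
            # an approval with no burst behind it is just a normal sign-in.
            if user in alerts and len(q) >= threshold:
                alerts[user]["approved_after"] = True
                alerts[user]["source_ips"].add(ip)
            q.clear()  # either way, an approval closes the burst
    return alerts


if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(f"{user}: {alert['prompts']} unanswered pushes since "
              f"{alert['first_seen'].isoformat()} from {sorted(alert['source_ips'])}; "
              f"approved during burst: {alert['approved_after']}")
```

The window and threshold are tuning knobs, not constants to trust: a user who mis-taps a couple of times a day should not page anyone, while four unanswered pushes in ten minutes from a single unfamiliar IP, followed by an approval, should. The alert is more useful when it is joined to the source IP and device of the approved sign-in, since those are what the tenant-level and device-level persistence described above will be registered from.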


Identity Thief Lived as a Different Man for 33 Years


It’s been a week since the world avoided a potentially catastrophic cyberattack. On March 29, Microsoft developer Andres Freund disclosed his discovery of a backdoor in XZ Utils, a compression tool widely used in Linux distributions and thus countless computer systems worldwide. The backdoor was inserted into the open source tool by someone operating under the persona “Jia Tan” after years of patient work building a reputation as a trustworthy volunteer developer. Security experts believe Jia Tan is the work of a nation-state actor, with clues largely pointing to Russia, although definitive attribution for the attack is still outstanding.

In early 2022, a hacker operating under the name “P4x” took down the internet of North Korea, after the country’s hackers had targeted him. This week, WIRED revealed P4x’s true identity as Alejandro Caceres, a 38-year-old Colombian American. Following his successful attack on North Korea, Caceres pitched the US military on a “special forces”-style offensive hacking team that would carry out operations similar to the one that made P4x famous. The Pentagon eventually declined, but Caceres has launched a startup, Hyperion Gray, and plans to further pursue his controversial approach to cyberwarfare.

In mid-February, millions of people lost internet access after three undersea cables in the Arabian Sea were damaged. Some blamed Houthi rebels in Yemen, who had been attacking ships in the region, but the group denied it had sabotaged the cables. But the rebel attacks are still likely to blame—albeit, in a bizarre way. A WIRED analysis of satellite images, maritime data, and more found that the cables were likely damaged by the trailing anchor of a cargo ship that the Houthi rebels had bombed. The ship drifted for two weeks before finally sinking, crossing paths with the cables at the time they were damaged.

The myth that Google Chrome’s Incognito mode provides adequate privacy protections can finally be put to rest. As part of a settlement over Google’s Incognito privacy claims and practices, the company has agreed to delete “billions” of records collected while users browsed in Incognito mode. It will also further clarify how…


Webroot Premium 2024 with Allstate Identity Protection


Amazon offers an excellent deal on the Webroot Premium 2024 with Allstate Identity Protection software. This comprehensive online security solution protects not only your computer but also your very identity, which is more crucial than ever in today’s digital age where data breaches and identity theft are rampant.

Buying the Webroot Premium 2024 software on Amazon today offers several advantages that go beyond its impressive 50.77% discount. The software includes a $50K stolen funds reimbursement feature in case money is stolen from your bank accounts, including Health Savings or 401(k) plans. Additionally, you also get $500K fraud expense reimbursement for your out-of-pocket costs related to identity restoration, including legal fees, lost wages, and the replacement of identification cards, driver licenses, and passports.


Black Hat Hacker Exposes Real Identity After Infecting Own Computer With Malware


A threat actor infected their own computer with an information stealer, which has allowed Israeli threat intelligence company Hudson Rock to uncover their real identity.

Using the online moniker ‘La_Citrix’, the threat actor has been active on Russian speaking cybercrime forums since 2020, offering access to hacked companies and info-stealer logs from active infections.

La_Citrix, Hudson Rock says, has been observed hacking into organizations and compromising Citrix, VPN, and RDP servers to sell illicit access to them.

The hacker, the cybersecurity firm says, was careless enough to infect their own computer with an information stealer and to sell access to the machine without noticing.

This allowed Hudson Rock to explore the cybercriminal’s computer, which had been used to perpetrate intrusions at hundreds of companies. The computer contained employee credentials at almost 300 organizations, and the browser stored corporate credentials used to perform hacks.

According to Hudson Rock, La_Citrix was employing information stealers to exfiltrate corporate credentials that were then used to access organizations’ networks without authorization.
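The other side of this story is the defender who wants to know whether their own organization's logins are sitting in stealer logs like the ones La_Citrix traded. The following is an added example, not Hudson Rock's tooling or data: the record layout (victim host | URL | username | password), the sample rows, the watched domains and the portal-name markers are all constructed assumptions; real dumps differ by malware family, but every family exports browser-saved logins keyed by the URL they were saved for, which is what the triage relies on.

```python
"""Triage info-stealer log records for exposed corporate credentials.

Added example; not Hudson Rock's tooling or data. The record layout
(victim host | URL | username | password) and the sample rows are constructed
assumptions; real stealer dumps differ by malware family, but all of them carry
browser-saved logins keyed by the URL they were saved for.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: one browser-saved login per line.
SAMPLE_STEALER_LOG = """\
DESKTOP-7H3K | https://citrix.acme-corp.example/Citrix/StoreWeb/ | jdoe@acme-corp.example | Winter2024!
DESKTOP-7H3K | https://vpn.acme-corp.example/remote/login | jdoe@acme-corp.example | Winter2024!
DESKTOP-7H3K | https://www.example-shop.test/account | jdoe@gmail.example | hunter2
LAPTOP-Q2 | https://rdweb.globex.example/RDWeb/Pages/ | globex\\asmith | P@ssw0rd
LAPTOP-Q2 | https://mail.globex.example/owa/ | asmith@globex.example | P@ssw0rd
LAPTOP-Q2 | https://forum.unrelated.test/login | asmith77 | P@ssw0rd
"""

# Domains you own (assumption for the example).
WATCHED_DOMAINS = {"acme-corp.example", "globex.example"}

# Hostname/path fragments that usually mark remote-access or mail portals, the
# kind of access (Citrix, VPN, RDP) the article says was being sold. Assumption.
REMOTE_ACCESS_MARKERS = ("citrix", "vpn", "rdweb", "owa", "remote")


def parse_record(line):
    """Split one 'host | url | user | password' line into a dict."""
    victim_host, url, username, password = (p.strip() for p in line.split(" | ", 3))
    return {"victim_host": victim_host, "url": url,
            "username": username, "password": password}


def registrable_domain(url):
    """Naive eTLD+1: keep the last two labels of the hostname. Good enough for
    the sample; production code should consult the Public Suffix List."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def is_remote_access(url):
    u = url.lower()
    return any(marker in u for marker in REMOTE_ACCESS_MARKERS)


def load_records(log_text):
    return [parse_record(l) for l in log_text.splitlines() if l.strip()]


def triage(log_text, watched_domains):
    """Group exposed logins by watched corporate domain: which victim machines
    leaked them, which accounts, and which of the URLs are remote-access portals."""
    report = {}
    for rec in load_records(log_text):
        domain = registrable_domain(rec["url"])
        if domain not in watched_domains:
            continue
        entry = report.setdefault(domain, {"victim_hosts": set(), "accounts": set(),
                                           "remote_access": []})
        entry["victim_hosts"].add(rec["victim_host"])
        entry["accounts"].add(rec["username"])
        if is_remote_access(rec["url"]):
            entry["remote_access"].append(rec["url"])
    return report


def cross_reuse(log_text, watched_domains):
    """Per victim machine, find a password shared between a watched domain and an
    unwatched one: a breach of the unrelated site then exposes the corporate login
    even after the stealer infection itself is cleaned up."""
    by_host = defaultdict(lambda: defaultdict(set))  # host -> password -> domains
    for rec in load_records(log_text):
        by_host[rec["victim_host"]][rec["password"]].add(registrable_domain(rec["url"]))
    findings = {}
    for host, pw_map in by_host.items():
        for domains in pw_map.values():
            if domains & watched_domains and domains - watched_domains:
                findings.setdefault(host, []).append(sorted(domains))
    return findings


if __name__ == "__main__":
    for domain, e in triage(SAMPLE_STEALER_LOG, WATCHED_DOMAINS).items():
        print(domain, "victims:", sorted(e["victim_hosts"]), "accounts:", sorted(e["accounts"]))
        for url in e["remote_access"]:
            print("  remote-access portal exposed:", url)
    for host, groups in cross_reuse(SAMPLE_STEALER_LOG, WATCHED_DOMAINS).items():
        print(host, "reuses a corporate password on:", groups)
```

The output is a reset list, not a report: every account under a watched domain gets its password rotated and its sessions revoked, the remote-access entries go first, and the cross-reuse findings are the accounts whose owners need the "one password per site" conversation. Never keep the plaintext passwords around longer than the triage needs them.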

Further analysis of the threat actor’s computer also helped the cybersecurity firm discover their real identity and their location.


“Data from La_Citrix’s computer such as ‘Installed Software’ reveals the real identity of the hacker, his address, phone, and other incriminating evidence such as ‘qTox’, a prominent messenger used by ransomware groups, being installed on the computer,” Hudson Rock notes.

The threat intelligence company, which notes that it has knowledge of thousands of hackers who accidentally infected their own computers with malware, says it will forward the uncovered evidence to the relevant law enforcement authorities.

“This is not the first time we’ve identified hackers who accidentally got compromised by info-stealers, and we expect to see more as info-stealer infections grow exponentially,” the company notes.
