Tag: underway | SpinSafe

Mass Exploitation of Zero-Day Bug in MOVEit File Transfer Underway

June 7, 2023/in Internet Security

A threat group with likely links to the financially motivated group known as FIN11 and other known adversaries is actively exploiting a critical zero-day vulnerability in Progress Software’s MOVEit Transfer app to steal data from organizations using the managed file transfer technology.

MOVEit Transfer is a managed file transfer app that organizations use to exchange sensitive data and large files both internally and externally. Organizations can deploy the software on-premises, or as infrastructure-as-a-service or as software-as-a-service in the cloud. Progress claims thousands of customers for MOVEit including major names such as Disney, Chase, BlueCross BlueShield, Geico, and Major League Baseball.

Researchers from Google’s Mandiant security group who are tracking the threat believe the exploit activity may well be a precursor to follow-on ransomware attacks on organizations that have fallen victim so far. A similar pattern played out earlier this year after an attacker exploited a zero-day flaw in Forta’s GoAnywhere file transfer software to access customer systems and steal data from them.

The Microsoft Threat Intelligence team meanwhile said via Twitter today that it has attributed the attack to a baddie it calls “Lace Tempest,” which is a financially motivated threat and ransomware affiliate that has ties to not only FIN11, but also TA505, Evil Corp, and the Cl0p gang.

Data Theft Happening in Minutes

An initial investigation into the MOVit Transfer attacks by Mandiant showed that the exploit activity began on May 27, or roughly four days before Progress disclosed the vulnerability and issued patches for all affected versions of the software. Mandiant has so far identified victims across multiple industry sectors located in Canada, India, and the US but believes the impact could be much broader.

“Following exploitation of the vulnerability, the threat actors are deploying a newly discovered LEMURLOOT Web shell with filenames that masquerade as human.aspx, which is a legitimate component of the MOVEit Transfer software,” Mandiant said in a blog post June 2.

The Web shell allows the attackers to issue commands for enumerating files and folders on a system running MOVEit…

Source…

Ukraine Russia war updates: Counteroffensive may be underway

June 6, 2023/in Internet Security

The Ukrainian army claimed to be gaining ground Monday along a wide front in the Bakhmut area, the “epicenter” of hostilities, amid Russian claims that the long-awaited Ukraine counteroffensive may be underway.

“We are successful, we occupy the dominant heights” surrounding Bakhmut, Deputy Minister of Defense Hanna Malyar said on Telegram. “The enemy is on the defensive. He wants to hold his position.”

The Russian Defense Ministry claimed Monday that Ukraine forces had begun a “large-scale offensive on five sectors of the front in the southern Donetsk area” − where Bakhmut is located − and said its troops fended off at least one attack.

Ukraine officials have said they won’t formally announce the start of the counteroffensive, but acknowledged their forces were indeed increasing offensive operations and suggested some of the Russian proclamations were misinformation.

Yevgeny Prigozhin, whose Wagner mercenaries were credited with seizing Bakhmut after months of battle, had harsh words for Russian regular troops assigned to hold the area. He said a nearby settlement had fallen and troops were abandoning their posts.

Pro-Russia military blogger Semen Pegov, known as WarGonzo, wrote that “news from the frontline … is getting more alarming every hour.” Pegov added that “the Armed Forces of Ukraine, unlike yesterday, are operating much more harmoniously and organized.”

Alexander Khodakovsky, deputy head of the Russian national guard in the self-proclaimed Donetsk People’s Republic, warned that “the enemy managed to put us in a difficult position.”

Developments:

◾ Vladimir Rogov, a Russian official in Ukraine’s partly occupied Zaporizhzhia province, said fighting resumed on its border with the eastern Donetsk region Monday after Russian defenses beat back a Ukrainian advance the previous day.

◾ Zaporizhzhia and Donetsk are two of the four provinces President Vladimir Putin claimed as Russian territory last fall, along with Luhansk and Kherson. Russia occupies large stretches of the provinces.

Source…

Ransomware recovery underway at National Gallery of Canada

May 13, 2023/in Internet Security

Ransomware recovery efforts are ongoing at the National Gallery of Canada, which is one of North America’s largest museums, following an attack on April 23, which has prompted an IT system shutdown, …

Source…

YouTube Account Hacked? New 2FA-Bypass YTStealer Attacks Are Underway

July 1, 2022/in Computer Security

YouTube creators warned of automated account takeover attacks

Future via Getty Images

When it comes to credential theft and account takeovers, you might think that cybercriminals are somewhat indifferent as to what account is compromised. This is true, to a degree. Some accounts are more valuable than others, an email account can hold the keys to various kingdoms for example, but any account hack is a win. Where specialization is a factor, and a profitable one at that, is within the assorted online forums where malware to attack specific account types is sold.

When the accounts in question are those belonging to YouTube creators, given the number of eyes these can attract, then it grabs my attention. Particularly when in the case of YTStealer it can effectively bypass 2FA protections. With YTStealer being sold as a service to cybercriminals, it should come as no surprise that security researchers have spotted fully automated YTStealer attacks underway with compromised accounts already being sold on the dark web.

According to a report from automated security intelligence provider Intezer, YTStealer is “malware whose objective is to steal YouTube authentication cookies.” A credential harvester focused entirely on gaining control of YouTube creator accounts, be they of ‘influencer’ follower proportions or small fishes in this incredibly large content creation sea. Once this account compromise as a service malware has harvested the credentials, it’s up to the customer what they do with them: high-value accounts could be sold at profit or compromised in order to spam or spread further malware.

How does a YTStealer attack work?

Then Intezer report discovered that game mods and trainers, or cheats if you prefer, were one of the target groups where YTStealer was dropped in the guise of an installer or a genuine application. These included various hacks for Counter-Strike Go, Call of Duty, and Roblox. Unsurprisingly, audio and video editing was another, with fake installers for the likes of Adobe Premiere Pro and Ableton Live 11 Suite among them. There were also other…

Source…

Tag Archive for: underway

Data Theft Happening in Minutes

How does a YTStealer attack work?