Tag: malware

  • The Snowflake Attack May Be Turning Into One of the Largest Data Breaches Ever

    Since Snowflake acknowledged that accounts had been targeted, it has provided some more information about the incident. Brad Jones, Snowflake’s chief information security officer, said in a blog post that threat actors used login details to accounts that had been “purchased or obtained through infostealing malware,” which is designed to pull usernames and passwords from devices that have been compromised. The incident appears to be a “targeted campaign directed at users with single-factor authentication,” Jones added.

    Jones’ post said Snowflake, alongside cybersecurity companies CrowdStrike and Mandiant, which it hired to investigate the incident, did not find evidence showing the attack was “caused by compromised credentials of current or former Snowflake personnel.” It did find that a former employee’s demo accounts had been accessed, though it says those accounts did not contain sensitive data.

    When asked about potential breaches of specific companies’ data, a Snowflake spokesperson pointed to Jones’ statement: “We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform.” The company did not provide an on-record comment clarifying what it meant by a “breach.” (Security company Hudson Rock said it removed a research post that included various unverified claims about the Snowflake incident after receiving a legal letter from Snowflake.)

    The US Cybersecurity and Infrastructure Security Agency has issued an alert about the Snowflake incident, while Australia’s Cyber Security Center said it is “aware of successful compromises of several companies utilizing Snowflake environments.”

    Unclear Origins

    Little is known about the Sp1d3r account advertising data on BreachForums, and it is not clear whether ShinyHunters obtained the data it was selling from another source or directly from victims’ Snowflake accounts—information about a Ticketmaster and Santander breach was originally posted on another cybercrime forum by a new user called SpidermanData.

    The Sp1d3r account posted on BreachForums that the 2 terabytes of alleged LendingTree and QuoteWizard data was for sale for $2 million; while 3 TB of data allegedly from Advance Auto Parts would cost someone $1.5 million. “The price set by the threat actor appears extremely high for a typical listing posted to BreachForums,” says Chris Morgan, a senior cyber-threat intelligence analyst at security firm ReliaQuest.

    Morgan says the legitimacy of Sp1d3r is not clear; however, he points out there is a nod to teenage hacking group Scattered Spider. “Interestingly, the threat actor’s profile picture is taken from an article referencing the threat group Scattered Spider, although it is unclear whether this is to make an intentional association with the threat group.”

    While the exact source of the alleged data breaches is unclear, the incident highlights how interconnected companies can be when they rely on products and services from third-party providers. “I think a lot of this is just a recognition of how interdependent these services now are and how hard it is to control the security posture of third parties,” security researcher Troy Hunt told WIRED when the incidents first emerged.

    As part of its response to the attacks, Snowflake has told all customers to enforce multifactor authentication on all accounts and to use network policies that allow traffic only from authorized users or locations. Companies that have been impacted should also reset their Snowflake login credentials; since the credentials in this campaign were lifted from infected endpoints, a reset only helps if the machine that leaked them has been cleaned up as well, otherwise the new password is stolen the same way. Enabling multifactor authentication vastly reduces the chances that online accounts will be compromised. TechCrunch reported this week that it has seen “hundreds of alleged Snowflake customer credentials” taken by infostealing malware from the computers of people who have accessed Snowflake accounts.
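    As an added example, not Snowflake’s own tooling and not code from the original article, the script below audits exported Snowflake login history for the conditions this campaign exploited: successful password-only logins, logins from outside an allow-list of corporate networks, and a single source IP reused across many accounts (what replaying a stolen stealer log from one attacker host looks like). The rows are constructed sample records shaped like the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (column names follow that view); the allow-listed network and the user names are assumptions.

```python
"""Audit Snowflake login history for single-factor and off-network logins.

Added example, not Snowflake's own tooling. SAMPLE_ROWS is a constructed
sample shaped like a CSV export of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY.
Real rows can be exported with a query such as:

    SELECT event_timestamp, user_name, client_ip, reported_client_type,
           first_authentication_factor, second_authentication_factor, is_success
    FROM snowflake.account_usage.login_history
    WHERE event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP());

The matching preventive control is a network policy, e.g.
    CREATE NETWORK POLICY corp_only ALLOWED_IP_LIST = ('203.0.113.0/24');
    ALTER ACCOUNT SET NETWORK_POLICY = corp_only;
"""
from ipaddress import ip_address, ip_network

# Constructed sample rows (assumed user names, RFC 5737 documentation IPs).
SAMPLE_ROWS = [
    {"EVENT_TIMESTAMP": "2024-05-20 03:12:44", "USER_NAME": "ANALYST_1",
     "CLIENT_IP": "203.0.113.25", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-21 14:07:01", "USER_NAME": "SVC_ETL",
     "CLIENT_IP": "198.51.100.9", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-22 02:55:10", "USER_NAME": "ANALYST_1",
     "CLIENT_IP": "198.51.100.9", "REPORTED_CLIENT_TYPE": "OTHER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-22 02:56:30", "USER_NAME": "ANALYST_2",
     "CLIENT_IP": "198.51.100.9", "REPORTED_CLIENT_TYPE": "OTHER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
]

# Assumed corporate egress range; replace with your own allow-list.
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24")]


def is_allowed_ip(ip: str) -> bool:
    """True if the client IP falls inside an allow-listed network."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def single_factor_logins(rows):
    """Successful password-only logins: the accounts this campaign targeted."""
    return [r for r in rows
            if r["IS_SUCCESS"] == "YES"
            and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not r["SECOND_AUTHENTICATION_FACTOR"]]


def logins_outside_allowlist(rows):
    """Successful logins from IPs a network policy would have blocked."""
    return [r for r in rows
            if r["IS_SUCCESS"] == "YES" and not is_allowed_ip(r["CLIENT_IP"])]


def shared_source_ips(rows, min_users=2):
    """IPs seen with several distinct accounts (success or failure):
    one attacker host replaying a batch of stolen credentials looks like this."""
    users_by_ip = {}
    for r in rows:
        users_by_ip.setdefault(r["CLIENT_IP"], set()).add(r["USER_NAME"])
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_users}


def audit(rows):
    """Summarise the checks; users to re-credential are those that logged in
    single-factor from outside the allow-list."""
    sf = single_factor_logins(rows)
    outside = logins_outside_allowlist(rows)
    suspect = sorted({r["USER_NAME"] for r in sf if not is_allowed_ip(r["CLIENT_IP"])})
    return {
        "single_factor_logins": len(sf),
        "logins_outside_allowlist": len(outside),
        "shared_source_ips": shared_source_ips(rows),
        "users_to_reset": suspect,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

    On the sample, both single-factor logins come from the non-corporate address 198.51.100.9, which also touches three different accounts inside two minutes, so ANALYST_1 and SVC_ETL are the accounts to reset and enroll in MFA first.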

    In recent years, coinciding with the shift to working from home since the Covid-19 pandemic, there has been a rise in the use of infostealer malware. “Infostealers have become more popular because they’re in high demand and pretty easy to create,” says Ian Gray, the vice president of intelligence at security company Flashpoint. Criminals copy or modify existing infostealers, and the resulting “logs,” the login details, cookies, files, and more harvested from a single infected device, sell for as little as $10.

    “This malware can be delivered in different ways and targets sensitive info like browser data (cookies and credentials), credit cards, and crypto wallets,” Gray says. “Hackers might comb through the logs for enterprise credentials to break into accounts without permission.”

  • TikTok Hack Targets ‘High-Profile’ Users via DMs

    TikTok says it’s currently taking steps to mitigate a cyberattack that’s targeting a number of high-profile users through direct messages, in an attempt to hijack their accounts.

    “We have taken measures to stop this attack and prevent it from happening in the future. We’re working directly with affected account owners to restore access, if needed,” says Jason Grosse, a spokesperson for TikTok’s privacy and security team.

    Grosse says TikTok is still investigating the attack and could not comment at this time about its scale or sophistication, describing the threat as merely a “potential exploit.”

    TikTok’s acknowledgment followed a report on Tuesday claiming CNN’s account had been temporarily breached last week. Citing an anonymous source at the news organization, Semafor reports that the breach did “not appear to be the result of someone gaining access from CNN’s end.” CNN did not immediately respond to WIRED’s request for comment.

    Concerns over hacking attempts targeting news organizations in the US are particularly high given the impending presidential election this fall.

    Forbes reported earlier in the day that the account of hotel heiress Paris Hilton was similarly affected, citing sources within the company. A source at TikTok tells WIRED that Hilton’s account was targeted but had not been compromised.

    This is a developing story. Check back for updates.

  • ‘Largest Botnet Ever’ Tied to Billions in Stolen Covid-19 Relief Funds

    The United States Department of Justice on Wednesday announced charges against a 35-year-old Chinese national, YunHe Wang, accused of operating a massive botnet allegedly linked to billions of dollars in fraud, child exploitation, and bomb threats, among other crimes.

    Wang, identified by numerous pseudonyms—Tom Long and Jack Wan, among others—was arrested on May 24 and is accused of distributing malware through free VPN services such as “ProxyGate” and “MaskVPN,” and by bundling it with files shared over peer-to-peer networks known as torrents.

    The malware is said to have compromised computers located in nearly every country in the world, turning them into proxies through which criminals were able to hide their identities while committing countless crimes. According to prosecutors in the US, this included the theft of billions of dollars slated for Covid-19 pandemic relief; funds allegedly stolen by foreign actors posing as unemployed US citizens.

    According to an indictment, the infected computers allegedly provided Wang’s customers with a persistent backdoor, allowing them to disguise themselves as any one of the victims of Wang’s malware. This illicit proxy service, known as “911 S5,” launched as early as 2014, the US government says.

    “The 911 S5 Botnet infected computers in nearly 200 countries and facilitated a whole host of computer-enabled crimes, including financial frauds, identity theft, and child exploitation,” says FBI director Christopher Wray, who described the illicit service as “likely the world’s largest botnet ever.”

    The US Treasury Department has also sanctioned Wang and two other individuals allegedly tied to 911 S5.

    Wang is said to have amassed access to nearly 614,000 IP addresses in the US and more than 18 million others worldwide—collectively, forming the botnet. 911 S5’s customers were able to filter the IPs geographically, choosing where they’d like to appear to be located down to a specific US zip code, the DOJ claims.

    The indictment states that of the 150 dedicated servers used to manage the botnet, as many as 76 were leased by US-based service providers, including the one hosting 911 S5’s client interface, which allowed criminals overseas to purchase goods using stolen credit cards, in many cases for the alleged purpose of circumventing US export laws.

    More than a half million fraudulent claims lodged with pandemic relief programs in the United States are allegedly tied to 911 S5. According to the indictment, nearly $6 billion in losses have been linked to IP addresses captured by 911 S5. Many of the IP addresses have been reportedly tied to more insidious crimes, including bomb threats and the trafficking of child sexual abuse material, or CSAM.

    “Proxy services like 911 S5 are pervasive threats that shield criminals behind the compromised IP addresses of residential computers worldwide,” says Damien Diggs, the US attorney for the Eastern District of Texas, where the charges against Wang were brought by a grand jury earlier this month.

    Adds Nicole Argentieri, head of the Justice Department’s Criminal Division: “These criminals used the hijacked computers to conceal their identities and commit a host of crimes, from fraud to cyberstalking.”

    At the time of writing, it is unclear whether these virtual impersonations resulted in any criminal investigations or charges against US-based victims whose IP addresses were hijacked as part of the 911 S5 botnet. WIRED is awaiting a response from the Department of Justice regarding this concern.

    According to the Justice Department, law enforcement agencies in Singapore, Thailand, and Germany collaborated with US authorities to effect Wang’s arrest.

    Wang faces charges of conspiracy, computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering, with a maximum penalty of 65 years in prison. The US is also seeking to seize a mountain of luxury cars and goods allegedly owned by Wang, including a 2022 Ferrari Spider valued at roughly half a million dollars as well as a Patek Philippe watch worth potentially several times that amount.

  • Apple’s iPhone Spyware Problem Is Getting Worse. Here’s What You Should Know

    Despite NSO Group’s claims, spyware has continued to target journalists, dissidents, and protesters. Saudi journalist and dissident Jamal Khashoggi’s wife, Hanan Elatr, was allegedly targeted with Pegasus before his death. In 2021, New York Times reporter Ben Hubbard learned his phone had been targeted twice with Pegasus.

    Pegasus was silently implanted onto the iPhone of Claude Magnin, the wife of the political activist Naama Asfari, who was jailed and allegedly tortured in Morocco. Pegasus has also been used to target pro-democracy protesters in Thailand, Russian journalist Galina Timchenko, and UK government officials.

    In 2021, Apple filed a lawsuit against NSO Group and its parent company to hold it accountable for “the surveillance and targeting of Apple users.”

    The case is still ongoing, with NSO Group attempting to dismiss the lawsuit, but experts say the problem is not going to go away as long as spyware vendors are able to operate.

    David Ruiz, senior privacy advocate at security firm Malwarebytes, blames “the obsessive and oppressive operators behind spyware, who compound its danger to society.”

    The Spyware Drain

    If you are faced with a zero-click exploit delivering spyware, experts say there is very little you can do to protect yourself or restore security to your devices. “The best thing to do if you are targeted is to entirely abandon both the hardware and any associated accounts,” says Aaron Engel, chief information security officer at ExpressVPN. “Get a new computer, get a new phone number, and create completely new accounts linked to the device.”

    Detecting spyware can be challenging, but unusual behavior such as your battery draining quickly, unexpected shutdowns, or high data usage could be indicative of an infection, says Javvad Malik, lead security awareness advocate at security training organization KnowBe4. While specific apps claim to spot spyware, their effectiveness can vary, and professional assistance is often necessary for reliable detection, he says.

    Chris Hauk, consumer privacy advocate at Pixel Privacy, agrees battery drain is a strong indicator of spyware on your device. “Most spyware has not been developed to run efficiently,” he says.

    Users should also be on the lookout for apps they haven’t installed, forced redirects due to a browser being hijacked, and changed settings in their default browser or search engine.

    Earlier this year, Kaspersky’s team introduced a method to detect indicators of infection from iOS spyware such as Pegasus, Reign, and Predator. It works because Pegasus infections leave traces in an easily overlooked system log, Shutdown.log, which records processes that were still running when the device shut down and is stored within the sysdiagnose archive an iOS device can generate, the security outfit says.

    Another step you can take to safeguard your device is to restart it at least once a day. Many iOS implants, Pegasus included, do not survive a reboot, so an attacker who wants to keep access has to exploit the device again each time. “This makes it necessary for attackers to repeatedly reinfect, increasing the chances of detection over time,” Larin says.
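    Kaspersky’s own scripts are not reproduced here. As an added example in the same spirit, the script below triages a Shutdown.log for processes that repeatedly held up shutdown and counts reboots, so you can both look for stragglers and confirm the daily-restart habit is actually happening. The log is a constructed sample, and its line format (a “=== system boot:” line per boot, then “remaining client pid: <pid> (<path>)” lines for processes that had not exited) is an assumption to be checked against a real file. The list of directories where delayed system daemons are expected is likewise an assumption; the roleaccountd staging directory it flags is included because it appears in published Pegasus indicators.

```python
"""Triage an iOS Shutdown.log for processes that keep delaying shutdown.

Added example, not Kaspersky's tooling. Locate the real file inside an
unpacked sysdiagnose archive with:  find . -name shutdown.log
The line format below is an assumption; adjust the regex to your file.
"""
import re
from collections import Counter

# Constructed sample log (assumed format, assumed process names).
SAMPLE_LOG = """\
=== system boot: 3A2F1C90-0000-4000-8000-000000000001
SIGTERM: [0x1d0] PID 112 (/usr/libexec/timed)
after 3s, there are still 1 proc(s) that didn't respond to SIGTERM:
\tremaining client pid: 1254 (/private/var/db/com.apple.xpc.roleaccountd.staging/sysupd)
=== system boot: 3A2F1C90-0000-4000-8000-000000000002
SIGTERM: [0x1d0] PID 110 (/usr/libexec/timed)
after 3s, there are still 1 proc(s) that didn't respond to SIGTERM:
\tremaining client pid: 1301 (/private/var/db/com.apple.xpc.roleaccountd.staging/sysupd)
=== system boot: 3A2F1C90-0000-4000-8000-000000000003
SIGTERM: [0x1d0] PID 113 (/usr/libexec/timed)
after 3s, there are still 1 proc(s) that didn't respond to SIGTERM:
\tremaining client pid: 420 (/System/Library/PrivateFrameworks/Foo.framework/Support/foo)
"""

BOOT_MARKER = "=== system boot:"
REMAINING_RE = re.compile(r"remaining client pid:\s+(\d+)\s+\((.+)\)\s*$")

# Where legitimately slow system daemons normally live (assumption).
EXPECTED_PREFIXES = ("/usr/", "/System/", "/sbin/", "/bin/", "/Applications/")
# Staging directory that appears in published Pegasus indicators.
KNOWN_BAD_FRAGMENT = "com.apple.xpc.roleaccountd.staging"


def parse_shutdowns(log: str):
    """One list per boot, holding (pid, path) for each process that delayed shutdown."""
    shutdowns, current = [], None
    for line in log.splitlines():
        if line.startswith(BOOT_MARKER):
            if current is not None:
                shutdowns.append(current)
            current = []
            continue
        m = REMAINING_RE.search(line)
        if m and current is not None:
            current.append((int(m.group(1)), m.group(2)))
    if current is not None:
        shutdowns.append(current)
    return shutdowns


def count_reboots(log: str) -> int:
    """Number of boot markers; a device restarted daily should show roughly one per day."""
    return sum(1 for line in log.splitlines() if line.startswith(BOOT_MARKER))


def repeat_offenders(log: str, min_count: int = 2):
    """Paths that delayed shutdown in at least min_count separate shutdowns."""
    counts = Counter(path for delayed in parse_shutdowns(log) for _, path in delayed)
    return {path: n for path, n in counts.items() if n >= min_count}


def is_suspicious_path(path: str) -> bool:
    """Flag known-bad staging paths and anything outside the expected system locations."""
    return KNOWN_BAD_FRAGMENT in path or not path.startswith(EXPECTED_PREFIXES)


def triage(log: str):
    """Summary a responder can act on: reboot count, repeat offenders, flagged paths."""
    seen = sorted({path for delayed in parse_shutdowns(log) for _, path in delayed})
    return {
        "reboots": count_reboots(log),
        "repeat_offenders": repeat_offenders(log),
        "flagged": [p for p in seen if is_suspicious_path(p)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    A path that shows up as a straggler across several reboots and lives somewhere no Apple daemon should is the signal worth escalating to a forensic examiner; a clean device usually shows only the occasional /usr/libexec service.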

    If you might be a target, you can also disable iMessage and FaceTime, the services most often abused for zero-click attacks, to reduce your exposure. At the same time, keep your device updated to the latest software and avoid clicking links received in messages, email included.

    “Update to the latest software version to protect against known vulnerabilities, use multifactor authentication, and only install applications from verified and legitimate sources,” says Adam Price, cyber threat intelligence analyst at Cyjax.

    If you do become a victim, helplines are available for aid in removing spyware, such as Access Now’s Digital Security Helpline and Amnesty International’s Security Lab. Meanwhile, Apple’s Lockdown Mode—which disables certain features but is surprisingly usable—can protect your iPhone from getting infected in the first place.

  • Change Healthcare Finally Admits It Paid Ransomware Hackers—and Still Faces a Patient Data Leak

    For Change Healthcare and the beleaguered medical practices, hospitals, and patients that depend on it, the confirmation of its extortion payment to the hackers adds a bitter coda to an already dystopian story. AlphV’s digital paralysis of Change Healthcare, a subsidiary of UnitedHealth Group, snarled the insurance approval of prescriptions and medical procedures for hundreds of medical practices and hospitals across the country, making it by some measures the most widespread medical ransomware disruption ever. A survey of American Medical Association members, conducted between March 26 and April 3, found that four out of five clinicians had lost revenue as a result of the crisis. Many said they were using their own personal finances to cover a practice’s expenses. Change Healthcare, meanwhile, says that it has lost $872 million to the incident and projects that number to rise well over a billion in the longer term.

    Change Healthcare’s confirmation of its ransom payment now appears to show that much of that catastrophic fallout for the US healthcare system unfolded after it had already paid the hackers an exorbitant sum—a payment in exchange for a decryption key for the systems the hackers had encrypted and a promise not to leak the company’s stolen data. As is often the case in ransomware attacks, AlphV’s disruption of its systems appears to have been so widespread that Change Healthcare’s recovery process has extended long after it obtained the decryption key designed to unlock its systems.

    As ransomware payments go, $22 million wouldn’t be the most that a victim has forked over. But it’s close, says Brett Callow, a ransomware-focused security researcher who spoke to WIRED about the suspected payment in March. Only a few rare payments, such as the $40 million paid to hackers by CNA Financial in 2021, top that number. “It’s not without precedent, but it’s certainly very unusual,” Callow said of the $22 million figure.

    That $22 million injection of funds into the ransomware ecosystem further fuels a vicious cycle that has reached epidemic proportions. Cryptocurrency tracing firm Chainalysis found that in 2023, ransomware victims paid the hackers targeting them fully $1.1 billion, a new record. Change Healthcare’s payment may represent only a small drop in that bucket. But it both rewards AlphV for its highly damaging attacks and may suggest to other ransomware groups that healthcare companies are particularly profitable targets, given those companies are especially sensitive to both the high cost of those cyberattacks financially and the risks they pose to patients’ health.

    Compounding Change Healthcare’s mess is an apparent double-cross within the ransomware underground: AlphV by all appearances faked its own law enforcement takedown after receiving Change Healthcare’s payment in an attempt to avoid sharing it with its so-called affiliates, the hackers who partner with the group to penetrate victims on its behalf. The second ransomware group threatening Change Healthcare, RansomHub, now claims to WIRED that it obtained the stolen data from those affiliates, who still want to be paid for their work.

    That’s created a situation where Change Healthcare’s payment provides little assurance that its compromised data won’t still be exploited by disgruntled hackers. “These affiliates work for multiple groups. They’re concerned with getting paid themselves, and there’s no trust among thieves,” Analyst1’s DiMaggio told WIRED in March. “If someone screws someone else, you don’t know what they’re going to do with the data.”

    All of that means Change Healthcare still has little assurance that it’s avoided an even worse scenario than it’s yet faced: paying what may be one of the biggest ransoms in history and still seeing its data spilled onto the dark web. “If it gets leaked after they paid $22 million, it’s pretty much like setting that money on fire,” DiMaggio warned in March. “They’d have burned that money for nothing.”

  • The XZ Backdoor: Everything You Need to Know

    On Friday, a lone Microsoft developer rocked the world when he revealed a backdoor had been intentionally planted in XZ Utils, an open source data compression utility available on almost all installations of Linux and other Unix-like operating systems. The person or people behind this project likely spent years on it. They were likely very close to seeing the backdoor update merged into Debian and Red Hat, the two biggest distributions of Linux, when an eagle-eyed software developer spotted something fishy.

    “This might be the best-executed supply chain attack we’ve seen described in the open, and it’s a nightmare scenario: malicious, competent, authorized upstream in a widely used library,” software and cryptography engineer Filippo Valsorda said of the effort, which came frightfully close to succeeding.

    Researchers have spent the weekend gathering clues. Here’s what we know so far.

    What Is XZ Utils?

    XZ Utils is nearly ubiquitous on Linux and other Unix-like operating systems, where it provides lossless data compression in the .xz format. It supplies both the xz command-line tools and the liblzma library that other programs link against to compress and decompress data during all kinds of operations. XZ Utils also supports the legacy .lzma format, making the component even more widely depended on.

    What Happened?

    Andres Freund, a developer and engineer working on Microsoft’s PostgreSQL offerings, was recently troubleshooting performance problems a Debian system was experiencing with SSH, the most widely used protocol for remotely logging in to devices over the Internet. Specifically, SSH logins were consuming far more CPU than they should have, and were generating errors under valgrind, a tool for detecting memory errors.

    Through sheer luck and Freund’s careful eye, he eventually traced the problems to updates that had been made to XZ Utils. On Friday, Freund posted to the oss-security mailing list to disclose that the updates were the result of someone intentionally planting a backdoor in the compression software.

    What Does the Backdoor Do?

    Malicious code added to XZ Utils versions 5.6.0 and 5.6.1 changed the behaviour of liblzma, the compression library the package provides. The OpenSSH server, sshd, does not use liblzma itself, but on the affected distributions it links against the systemd notification library, which in turn loads liblzma, and that is enough for the backdoor to run inside the root-privileged sshd process. Once there, it hooks the server’s public-key authentication so that a client presenting a specially crafted key, one that only the holder of a particular private signing key can produce, gets the commands embedded in it executed as root. From then on, that person would have the same level of control as any authorized administrator.

    How Did This Backdoor Come to Be?

    It would appear that this backdoor was years in the making. In 2021, someone with the username JiaT75 made their first known commit to an open source project. In retrospect, the change to the libarchive project is suspicious, because it replaced the safe_fprintf function with a variant that has long been recognized as less secure. No one noticed at the time.

    The following year, JiaT75 submitted a patch over the XZ Utils mailing list, and, almost immediately, a never-before-seen participant named Jigar Kumar joined the discussion and argued that Lasse Collin, the longtime maintainer of XZ Utils, hadn’t been updating the software often or fast enough. Kumar, with the support of Dennis Ens and several other people who had never had a presence on the list, pressured Collin to bring on an additional developer to maintain the project.

    In January 2023, JiaT75 made their first commit to XZ Utils. In the months following, JiaT75, who used the name Jia Tan, became increasingly involved in the project’s affairs. For instance, Tan replaced Collin’s contact information with their own on OSS-Fuzz, Google’s service that continuously fuzzes open source software for exploitable bugs. Tan also asked OSS-Fuzz to disable ifunc (the GNU indirect-function mechanism) when building XZ Utils for fuzzing; the backdoor Tan would soon add uses ifunc resolvers to install its hooks, so the change kept the fuzzer from tripping over them.

    In February of this year, Tan released versions 5.6.0 and 5.6.1 of XZ Utils. The updates implemented the backdoor; the malicious build logic was present in the release tarballs rather than in the project’s public git history, which is part of why it went unnoticed. In the following weeks, Tan or others appealed to developers of Ubuntu, Red Hat, and Debian to merge the updates into their OSes. Eventually, one of the two updates made its way into several releases, according to security firm Tenable. There’s more about Tan and the timeline here.

    Can You Say More About What This Backdoor Does?

    In a nutshell, it allows someone with the right private key to hijack sshd, the daemon that accepts incoming SSH connections, and from there to execute arbitrary commands as root. The backdoor is implemented through a five-stage loader, hidden in test files shipped with the source and unpacked only during the build, that uses a series of simple but clever techniques to hide itself. It also provides the means for new payloads to be delivered without major changes being required.
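    An added example, not code from the page or from the XZ project: a host check that combines the two facts above, the backdoored version numbers and the way sshd comes to load liblzma. It parses the output of `xz --version` and of `ldd` on the sshd binary; the command outputs embedded below are constructed samples so the script runs offline, and `assess_live()` runs the real commands where they exist. A version match alone is not proof either way (distributions shipped fixed builds under various version strings), so compare the result with your distribution’s advisory for CVE-2024-3094.

```python
"""Check a host's exposure to the XZ Utils backdoor (CVE-2024-3094).

Added example, not part of the page or the XZ project. Two checks:
  1. the installed xz/liblzma version is one of the backdoored releases;
  2. the SSH daemon actually loads liblzma (on affected distributions it
     does so indirectly, through libsystemd).
Both parse command output; the constructed samples let it run offline.
"""
import re
import shutil
import subprocess

BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}
VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)\b")

# Constructed sample outputs (what `xz --version` and `ldd $(command -v sshd)` print).
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LDD_LINKED = """\
\tlinux-vdso.so.1 (0x00007ffd9d5f2000)
\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0a1c000000)
\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0a1bf00000)
\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0a1bec0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a1bc00000)
"""
SAMPLE_LDD_CLEAN = """\
\tlinux-vdso.so.1 (0x00007ffd9d5f2000)
\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0a1c000000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a1bc00000)
"""


def parse_xz_version(output: str):
    """First dotted version in `xz --version` output, or None if absent."""
    m = VERSION_RE.search(output)
    return m.group(1) if m else None


def is_backdoored_version(version) -> bool:
    """True only for the two releases that shipped the backdoor."""
    return version in BACKDOORED_VERSIONS


def sshd_loads_library(ldd_output: str, soname_prefix: str) -> bool:
    """True if `ldd` lists a library whose soname starts with the prefix."""
    return any(line.strip().startswith(soname_prefix)
               for line in ldd_output.splitlines())


def assess(xz_output: str, ldd_output: str) -> dict:
    """Combine both checks into a verdict a responder can act on."""
    version = parse_xz_version(xz_output)
    bad = is_backdoored_version(version)
    loads_lzma = sshd_loads_library(ldd_output, "liblzma.so")
    loads_systemd = sshd_loads_library(ldd_output, "libsystemd.so")
    if bad and loads_lzma:
        verdict = "exposed"             # backdoored library inside sshd
    elif bad:
        verdict = "backdoored-package"  # downgrade anyway; other users of liblzma exist
    else:
        verdict = "clean"
    return {"xz_version": version, "backdoored_version": bad,
            "sshd_loads_liblzma": loads_lzma,
            "sshd_loads_libsystemd": loads_systemd, "verdict": verdict}


def run(cmd):
    """Run a command and return stdout, or "" if it is not installed."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


def assess_live() -> dict:
    """Run the real commands on this host (assumed sshd path if not on PATH)."""
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    return assess(run(["xz", "--version"]), run(["ldd", sshd]))


if __name__ == "__main__":
    for key, value in assess_live().items():
        print(f"{key}: {value}")
```

    The libsystemd flag is reported separately because it is the precondition that made the attack work on Debian- and Fedora-style builds; an sshd that does not pull in libsystemd never loads liblzma, which is why the upstream OpenSSH project was unaffected.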

    Multiple people who have reverse-engineered the updates have much more to say about the backdoor. Developer Sam James provided an overview here.
