Author: Admin

An Iranian Advanced Persistent Threat (APT) actor believed to be affiliated with the Ministry of Intelligence and Security (MOIS) is now acting as an initial access broker, providing remote access to targeted networks. Google-owned Mandiant tracks the activity cluster under the moniker UNC1860, which it says overlaps with intrusion sets tracked by Microsoft, Cisco Talos and Check Point as Storm-0861 (formerly DEV-0861), Shrouded Snooper and Scarred Manticore, respectively. “A key feature of UNC1860 is its collection of specialized tools and passive backdoors, which (…) support several purposes, including its role as a likely initial access provider and its ability to gain…

In the IT environment, some secrets are managed well and some fly under the radar. Here’s a quick checklist of the secrets companies typically manage, plus one type they should be managing: Passwords (x), TLS certificates (x), Accounts (x), SSH keys (???). The secrets listed above are typically protected by Privileged Access Management (PAM) or similar solutions. However, most traditional PAM vendors barely talk about SSH key management. The reason is simple: they don’t have the technology to do it properly. We can prove it. All of our SSH key management customers had deployed traditional PAM, but they realized they couldn’t manage…

September 20, 2024Ravi LakshmananEncryption / digital security Google on Thursday unveiled a PIN password manager that lets Chrome Web users sync their passwords across Windows, macOS, Linux, ChromeOS and Android devices. “This PIN adds an extra layer of security to ensure that your access keys are end-to-end encrypted and cannot be accessed by anyone, not even Google,” said Chrome Product Manager Chirag Desai. said. The default PIN is a six-digit code, although you can also create a longer alphanumeric PIN by selecting PIN Options. This marks a change from the previous status quo where users could only save passkeys to…

September 20, 2024Ravi LakshmananEnterprise Security / Network Security Ivanti has revealed that a critical security flaw affecting the Cloud Service Appliance (CSA) is being exploited in the wild. The new vulnerability, assigned CVE ID CVE-2024-8963, has a CVSS score of 9.4 out of a maximum of 10.0. This was “incidentally resolved” by the company as part of CSA 4.6 Patch 519 and CSA 5.0. “Passing the path in Ivanti CSA prior to 4.6 Patch 519 allows a remote, unauthenticated attacker to gain access to limited functionality,” the company said in a statement. said in Thursday’s newsletter. He also noted that…

Just a couple of years ago, only a few IAM professionals knew what service accounts were. In recent years, these silent non-human identity (NHI) accounts have become one of the most targeted and compromised attack surfaces. It is estimated that compromised service accounts play a key role in lateral movement in more than 70% of ransomware attacks. However, there is a troubling disparity between the exposure and potential impact of service account compromise and the security measures available to mitigate this risk. In this article, we explore what makes service accounts such a lucrative target, why they fall outside…

September 19, 2024Ravi LakshmananCyber ​​attack / hacking It has been observed that threat actors are targeting the construction sector by infiltrating the FOUNDATION accounting softwareaccording to Huntress’ new findings. “It has been observed that attackers are mass exploiting the software and gaining access simply by using the product’s default credentials,” the cybersecurity company said. said. Plumbing, HVAC, concrete and other related industries are being targeted by the new threat. The FOUNDATION software comes with a Microsoft SQL (MS SQL) server to handle database operations and, in some cases, has TCP port 4243 open for direct database access via a mobile…

September 19, 2024Ravi LakshmananCryptojacking / Cloud Security A cryptojacking operation known as Team TNT has probably relaunched as part of a new campaign targeting virtual private server (VPS) infrastructure based on the CentOS operating system. “The initial access was accomplished through a brute-force Secure Shell (SSH) attack on the victim’s assets, during which the threat actor downloaded a malicious script,” Group-IB researchers Vito Alfano and Nam Le Phuong said in Wednesday’s report. The malicious script, the Singapore-based cybersecurity firm noted, is responsible for disabling security features, deleting logs, halting cryptocurrency mining processes, and preventing recovery. Attack chains ultimately pave the…

A previously undocumented malware called SambaSpy is exclusively targeting users in Italy through a phishing campaign orchestrated by a suspected Brazilian Portuguese-speaking threat actor. “Threat actors usually try to cast as wide a net as possible to maximize their profits, but these attackers are focused on just one country,” Kaspersky said in a new analysis. “It is likely that the attackers are testing the waters with Italian users before expanding to other countries.” The starting point of the attack is a phishing email that contains either an HTML attachment or an embedded link that initiates the infection process. When the HTML attachment is opened, a…

Healthcare cybersecurity has never been more important. As the most vulnerable industry and the biggest target for cybercriminals, healthcare is facing a growing wave of cyberattacks. When a hospital’s systems are held hostage by ransomware, it is not only data that is at risk, but the care of patients who depend on life-saving treatment. Imagine an attack that halts emergency care, delays surgeries, or exposes a cancer patient’s private health information for extortion. That is the reality healthcare faces when cybercriminals exploit people in need. Since 2012, healthcare has accounted for 17.8% of all breaches and 18.2% of…

September 19, 2024Ravi LakshmananHealthcare / Malware Microsoft has revealed that a financially motivated threat actor has used a ransomware called INC for the first time to target the US healthcare sector The tech giant’s threat intelligence team tracks activity under the name Vanilla storm (formerly DEV-0832). “Vanilla Tempest receives a transmission from GootLoader of the Storm-0494 threat before deploying tools such as the Supper backdoor, AnyDesk’s legitimate remote monitoring and management (RMM) tool, and the MEGA data synchronization tool, said in a series of messages shared by X. In the next step, attackers perform lateral movement via Remote Desktop Protocol…