Nicholas Foster says
https://www.csoonline.com/article/3674791/seo-poisoning-campaign-directs-search-engine-visitors-from-multiple-industries-to-javascript-malwar.html#tk.rss_all?&web_view=true – SEO poisoning campaign directs search engine visitors from multiple industries to JavaScript malware
The article I have chosen to highlight this week is about leveraging search engine optimization to prioritize specific links based on search results related to specific industries' highly searched forms/topics of interest. For example, one of the forms was a transition service agreement. When the employee searched for it, the blog website was a top search result and thus persuaded the user to click it. The blog had a link to a zip archive that contained a file called “Accounting for transition service agreement” with a .js extension (JavaScript). There were almost 200 blog posts ranging from government, real estate, education, medical and legal, all catering to different topics/forms based on those industries. The only way to access these blogs was via relevant keyword/phrase Google searches. The place these blogs were hosted is believed to be legitimate, and the threat actors were just leveraging the blog platform.
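As an added defensive example (not from the article or the post above): a small Python check that inspects a downloaded zip archive for script-type payloads like the “Accounting for transition service agreement.js” file described. The sample archive, the decoy entries and the extension list are constructed assumptions, not data from the campaign.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that Windows hands to a script host when double-clicked.
# Assumed list for this example; extend it to match local policy.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                     ".ps1", ".cmd", ".bat", ".lnk"}


def suspicious_members(zip_bytes: bytes) -> list[dict]:
    """Return archive members whose final extension is a script type.

    Each finding records the member name, the matching extension, whether a
    decoy document extension precedes it (e.g. 'agreement.pdf.js'), and size.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            if not suffixes or suffixes[-1] not in SCRIPT_EXTENSIONS:
                continue
            findings.append({
                "name": info.filename,
                "extension": suffixes[-1],
                "double_extension": len(suffixes) > 1,
                "size": info.file_size,
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive mirroring the lure described in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Harmless placeholder content; only the names matter for the check.
        zf.writestr("Accounting for transition service agreement.js",
                    "// placeholder, not the real payload\n")
        zf.writestr("Agreement template.pdf.js", "// constructed decoy name\n")
        zf.writestr("README.txt", "Constructed benign entry.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in suspicious_members(build_sample_archive()):
        print("BLOCK:", f)
```

A mail or download gateway would block the archive when the list is non-empty and log the member names for triage.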
Abayomi Aiyedebinu says
Hi Nicholas,
I find this article interesting because I came across a similar article about how cyber criminals are using click wars, like using Google Forms, to gain unauthorized access.
Jill Brummer says
https://www.bbc.com/news/technology-62937678
The article is about hackers from Vietnam who attacked the Holiday Inn owner InterContinental Hotels Group (IHG) database and deleted data. They were able to access the database by guessing the password to the password vault, which was one of the most common passwords. The hackers were a couple from Vietnam who justified performing ransomware cyber-attacks due to the low wages of $300/month in Vietnam.
Once the hackers accessed the database and tried to demand a ransom, the company was able to quickly isolate servers before the hackers could deploy the ransomware, so they did a wiper attack instead and destroyed data and files.
They tricked an employee into downloading a malicious piece of software through an email attachment. Additionally, they bypassed an additional security prompt message sent to the worker’s device as part of MFA.
Once again, we see an attack that was due to an employee unintentionally doing something that could have been prevented by practicing common security best practices; in this case, the employee should not have opened an email attachment from someone they did not know.
Abayomi Aiyedebinu says
Hi Jill,
It is true that sometimes non-malicious intentions can put a company at risk. Hence, Security Education, Training and Awareness is a must for everyone.
Abayomi Aiyedebinu says
My news for this week is about a data breach that occurred at Optus, an Australian telecommunications giant. The hackers gained access to 9.5 million customers’ PII and asked for a ransom of 1 million dollars. It is noteworthy that the hackers gave the company a week’s ultimatum to transfer the ransom through the untraceable decentralized cryptocurrency Monero. However, what comes to mind is that the damage has been done already: will the payment of this 1 million stop the hackers from still selling this information on the dark web, or will the payment become a continuous trend of asking for more money as a threat not to expose 9.5 million Australian citizens’ PII? The dynamics of cyber warfare are becoming sophisticated, hence the need for companies to invest in a CERT so that they can be informed targets.
https://www.news.com.au/finance/business/optus-data-breach-hacker-demands-15-million-ransom-customer-info-leaked-on-dark-web/news-story/d9877fe037a04970225af2eafec6d686
David Vanaman says
Quality customer service is a surprising hallmark of successful ransomware groups. If a group asks for a ransom and the victim is not reassured that payment will result in their data being released, what incentive is there to pay? So the big-name ransomware groups take the time to ensure that when paid, they release the data, and there have been reports even of those groups providing assistance to the victim after payment to get the word out that they can be trusted.
https://slate.com/technology/2022/05/ransomware-customer-service-history.html
Matthew Stasiak says
https://www.bleepingcomputer.com/news/security/american-airlines-learned-it-was-breached-from-phishing-targets/
This article is actually an extension of the one that I wrote the previous week, as new information has been released regarding the hacked information from American Airlines. As previously stated, it was believed that a phishing campaign had led the charge on the attack, and this did turn out to be true, but we now know that it led to the hacking of an employee’s Microsoft 365 account and unauthorized access had been noticed. The attacker also accessed many other employees’ accounts through the same method and used those other accounts to send even more phishing emails to other targets. One of the team members’ accounts also had employee files on their cloud service. It was announced that the actor had used the IMAP protocol to access the mailboxes. The company at first refused to disclose the number of people affected by the hack, but it was later announced that 1,708 American Airlines customers and employees had been affected.
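Added example, not from the article or the post: a detection pass over constructed Microsoft 365 sign-in records that flags successful IMAP (and other legacy-protocol) logins of the kind the post mentions, so an analyst can see which mailboxes were reached through a channel that cannot present an MFA challenge. The record shape (userPrincipalName, clientAppUsed, status.errorCode) follows the Graph signIn format as an assumption; every sample line below is constructed.

```python
import json
from collections import Counter

# Basic-auth protocols that bypass interactive MFA prompts.
# Assumed subset of the client names used in Microsoft 365 sign-in logs.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP"}

# Constructed sample records (one JSON object per line); not real log data.
SAMPLE_LOG = """
{"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser", "ipAddress": "203.0.113.10", "createdDateTime": "2022-09-20T08:01:00Z", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.7", "createdDateTime": "2022-09-20T08:02:00Z", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.7", "createdDateTime": "2022-09-20T08:03:00Z", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "clientAppUsed": "IMAP4", "ipAddress": "198.51.100.9", "createdDateTime": "2022-09-20T08:04:00Z", "status": {"errorCode": 50126}}
{"userPrincipalName": "dave@example.com", "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "203.0.113.11", "createdDateTime": "2022-09-20T08:05:00Z", "status": {"errorCode": 0}}
"""


def parse_signins(text: str) -> list[dict]:
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def legacy_signins(records: list[dict], successful_only: bool = True) -> list[dict]:
    """Return sign-ins made over a legacy protocol.

    errorCode 0 means the sign-in succeeded; failed attempts are kept only
    when successful_only is False (useful for spotting password spraying).
    """
    hits = []
    for r in records:
        if r.get("clientAppUsed") not in LEGACY_CLIENTS:
            continue
        ok = r.get("status", {}).get("errorCode", 0) == 0
        if successful_only and not ok:
            continue
        hits.append({"user": r["userPrincipalName"], "client": r["clientAppUsed"],
                     "ip": r["ipAddress"], "time": r["createdDateTime"], "success": ok})
    return hits


def accounts_to_review(records: list[dict]) -> Counter:
    """Count successful legacy-protocol sign-ins per account for triage."""
    return Counter(h["user"] for h in legacy_signins(records))


if __name__ == "__main__":
    for user, n in accounts_to_review(parse_signins(SAMPLE_LOG)).items():
        print(f"{user}: {n} successful legacy-protocol sign-in(s)")
```

Accounts that appear in the output are candidates for credential reset and mailbox review; blocking legacy authentication tenant-wide removes the channel entirely.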
David Vanaman says
https://thehackernews.com/2022/09/firing-your-entire-cybersecurity-team.html
My article is about one of the biggest head-scratchers in recent history: Patreon fired their entire security team. Patreon isn’t releasing any public explanation, so it has left a lot of people asking “Why?”. Theories abound, but beyond the question of why, this is a great example to discuss why something like this is a terrible business idea. Offloading InfoSec to a third party might save some money, but a hard break with your existing SMEs is going to destroy so much institutional knowledge that a third-party partner will not easily be able to rebuild it.
Kenneth Saltisky says
https://www.bleepingcomputer.com/news/security/optus-hacker-apologizes-and-allegedly-deletes-all-stolen-data/
This article describes how the hacker who claimed to have hacked Optus, Australia’s second-largest mobile operator, has withdrawn their extortion demands after facing increased attention from law enforcement. The hacker has customers’ personal information, including names, addresses, dates of birth, phone numbers, emails, driver’s licenses, and passport numbers. The hacker stated that they utilized an unsecured API endpoint to steal the data directly. Although others have utilized the leaked data to extort money from victims, the hacker has written an apology stating they deleted the information they stole from their personal device after the Australian Federal Police announced the launch of a large-scale operation to find the threat actors. Optus has now offered all impacted individuals a 12-month subscription to credit monitoring and identity protection through Equifax, and any victims will receive new driver’s licenses free of charge.
Christa Giordano says
https://thehackernews.com/2022/09/experts-uncover-85-apps-with-13-million.html
This article identifies 85 total applications from Google Play and the Apple App Store that have been exploited through the use of fraudulent ads. The current scheme is the third iteration of a similar scheme, this time affecting more apps than previously (the first wave included only 40 applications). Investigations found that these apps have been installed over 13 million times, reaching a significant number of people. The malicious actors spoof popular apps by coding the fraudulent apps to look like legitimate apps for advertising purposes. The victim is incentivized to purchase that app because they think they are getting a great deal, as in many instances the fake app is worth more than the app would be standalone. Once the app is downloaded and installed, out-of-context and hidden ads appear offscreen and generate fraudulent ad clicks to make money.
Shepherd Shenjere says
This week I found this article about new zero-day bugs existing in Microsoft Exchange. These are utilized by the threat actors in order to perform remote code execution on affected systems. According to the article, “These attacks have been carried out by a Chinese threat group. Once they discover a compromised server, the threat actors deploy China Chopper web shells by combining the two zero-days, and their goals are to gain persistence, steal data, and move laterally to other systems.”
https://gbhackers.com/new-exchange-server-zero-day-rce-bug/