Posts

United Nations agency investigates ransomware attack, data theft

By Sergiu Gatlan, Bleeping Computer
The United Nations Development Programme (UNDP) is investigating a cyberattack after threat actors breached its IT systems to steal human resources data. UNDP, the UN's global development network, works in over 170 countries and territories and relies on donations from UN member states and private sector/multilateral organizations to help eradicate poverty and fight inequality and exclusion. In a statement published Tuesday, the organization revealed that the attackers hacked into local IT infrastructure in UN City, Copenhagen, in late March. "On March 27, UNDP received a threat intelligence notification that a data-extortion actor had stolen data which included certain human resources and procurement information," the UN agency disclosed. "Actions were immediately taken to identify a potential source and contain the affected server as well as to determine the specifics of the exposed data and who was impacted." UNDP is now

How Attackers Can Own a Business Without Touching the Endpoint

Attackers are increasingly making use of "networkless" attack techniques targeting cloud apps and identities. Here's how attackers can (and are) compromising organizations – without ever needing to touch the endpoint or conventional networked systems and services. Before getting into the details of the attack techniques being used, let's discuss why these attacks are becoming more prevalent.

Ransomware gang starts leaking alleged stolen Change Healthcare data

By Lawrence Abrams, Bleeping Computer
The RansomHub extortion gang has begun leaking what they claim is corporate and patient data stolen from United Health subsidiary Change Healthcare in what has been a long and convoluted extortion process for the company. In February, Change Healthcare suffered a cyberattack that caused massive disruption to the US healthcare system, preventing pharmacies and doctors from billing or sending claims to insurance companies. The attack was ultimately linked to the BlackCat / ALPHV ransomware operation, who later said they stole 6 TB of data during the attack. After facing increased pressure from law enforcement, the BlackCat gang shut down their operation. This occurred amid claims they were pulling an exit scam by stealing a $22 million Change Healthcare ransom payment from the affiliate who conducted the attack. While Change Healthcare has declined to comment on whether it has paid a ransom, the affiliate known as "Notchy" said they

CISA orders agencies impacted by Microsoft hack to mitigate risks

By Sergiu Gatlan, Bleeping Computer
CISA has issued a new emergency directive ordering U.S. federal agencies to address risks resulting from the breach of multiple Microsoft corporate email accounts by the Russian APT29 hacking group. Emergency Directive 24-02 was issued to Federal Civilian Executive Branch (FCEB) agencies on April 2. It requires them to investigate potentially affected emails, reset any compromised credentials (if any), and take measures to secure privileged Microsoft Azure accounts. CISA says Russian Foreign Intelligence Service (SVR) operatives now use information stolen from Microsoft's corporate email systems, including the authentication details shared between Microsoft and its customers by email, to gain access to certain customer systems. "This Emergency Directive requires immediate action by agencies to reduce risk to our federal systems. For several years, the U.S. government has documented malicious cyber activity as a standard part of the Russian

LastPass: Hackers targeted employee in failed deepfake CEO call

By Sergiu Gatlan, Bleeping Computer
LastPass revealed this week that threat actors targeted one of its employees in a voice phishing attack, using deepfake audio to impersonate Karim Toubba, the company's Chief Executive Officer. However, while 25% of people have been on the receiving end of an AI voice impersonation scam or know someone who has, according to a recent global study, the LastPass employee didn't fall for it because the attacker used WhatsApp, which is a very uncommon business channel. "In our case, an employee received a series of calls, texts, and at least one voicemail featuring an audio deepfake from a threat actor impersonating our CEO via WhatsApp," LastPass intelligence analyst Mike Kosak said.
Deepfake audio LastPass CEO impersonation
"As the attempted communication was outside of normal business communication channels and due to the employee’s suspicion regarding the presence of many of the hallmarks of a social engineering attempt (such a

Notepad++ wants your help in "parasite website" shutdown

By Ax Sharma, Bleeping Computer
The Notepad++ project is seeking the public's help in taking down a copycat website that closely impersonates Notepad++ but is not affiliated with the project. Although, at the time of writing, the lookalike website takes visitors to the official Notepad++ downloads page, there is some concern that it could pose security threats—for example, if it starts pushing malicious releases or spam someday either deliberately or as a result of a hijack. The lookalike website appears prominently in search results

The Biggest Takeaways from Recent Malware Attacks

Among the never-ending list of malicious software that threat actors use in cyber attacks are viruses, worms, trojans, ransomware, spyware, and adware. Today's malware is not just about causing immediate damage; some programs get embedded within systems to siphon off data over time, disrupt operations strategically, or lay the groundwork for massive, coordinated attacks. A prime example is a recently found malicious backdoor in a popular compression tool, known as xz Utils. Thankfully the malicious code was identified early “due to bad actor sloppiness”, but the consequences could’ve been massive. Read on to get the lowdown on recent high-profile malware attacks along with strategies to help limit malware risks at your organization.

Recent High-Profile Malware Attacks

Here's a detailed overview of recent malware attacks, highlighting key incidents and offering valuable insights and lessons learned from each event.

StripedFly

A prolific and advanced cross-platform malware fram

Microsoft warns Gmail blocks some Outlook email as spam, shares fix

By Sergiu Gatlan, Bleeping Computer
Microsoft has confirmed that some Outlook.com users are experiencing issues with emails being blocked and marked as spam when trying to email Gmail accounts. This known issue only impacts users with Outlook.com country domains, according to a support document published by Redmond on Tuesday. Affected Outlook users are being told in follow-up emails from Gmail's servers that their messages were suspicious and have been stopped from reaching the recipient's inbox. "Remote server returned message detected as spam [..]. Gmail has detected that this message is likely suspicious due to the very low reputation of the sending domain. To best protect our users from spam, the message has been blocked," the replies from Gmail's mail server (mx.google.com) explain. Google's support website says that it's very likely that only a subset of these messages are being blocked because they have "a strong likelihood of being spam."

Recent ‘MFA Bombing’ Attacks Targeting Apple Users

By KrebsOnSecurity
Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to “verify” a one-time code. Parth Patel is an entrepreneur who is trying to build a startup in the conversational AI space. On March 23, Patel documented on Twitter/X a recent phishing campaign targeting him that involved what’s known as a “push bombing” or “MFA fatigue” attack, wherein the phishers abuse a feature or weakness of a multi-factor authen

Iran-Linked MuddyWater Deploys Atera for Surveillance in Phishing Attacks

By The Hacker News

Key Points

- MuddyWater Phishing: MuddyWater used seemingly harmless PDF attachments containing malicious links. Clicking these links downloaded an installer for the real Atera Agent (RMM software), granting them unauthorized access to compromised systems.
- Shift in Tactics: This campaign represents a shift for MuddyWater, who previously relied on directly embedded malicious links. This new tactic increases deception and potentially widens their attack reach.
- MuddyWater Targets: This is not the first time MuddyWater has targeted organizations. Since October 2023, they’ve used other legitimate remote access tools for infiltration attempts.
- Supply Chain Attack: Another Iranian group, Lord Nemesis, compromised a software provider in a supply chain attack, potentially impacting their clients.
- Dangers of Supply Chain Attacks: This attack highlights the growing risk of supply chain attacks, where compromising a trusted vendor grants access to a wider network of targets.

New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts

By Bill Toulas, Bleeping Computer
Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named 'Tycoon 2FA' to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection. Tycoon 2FA was discovered by Sekoia analysts in October 2023 during routine threat hunting, but it has been active since at least August 2023, when the Saad Tycoon group offered it through private Telegram channels. The PhaaS kit shares similarities with other adversary-in-the-middle (AitM) platforms, such as Dadsec OTT, suggesting possible code reuse or a collaboration between developers. In 2024, Tycoon 2FA released a new version that is stealthier, indicating a continuous effort to improve the kit. Currently, the service leverages 1,100 domains and has been observed in thousands of phishing attacks.

Over 100 US and EU orgs targeted in StrelaStealer malware attacks

By Bill Toulas, Bleeping Computer
A new large-scale StrelaStealer malware campaign has impacted over a hundred organizations across the United States and Europe, attempting to steal email account credentials. StrelaStealer was first documented in November 2022 as a new information-stealing malware that steals email account credentials from Outlook and Thunderbird. One notable characteristic of the malware was using a polyglot file infection method to evade detection from security software. At the time, StrelaStealer was seen targeting predominantly Spanish-speaking users. However, according to a recent report by Palo Alto Networks' Unit 42, this has changed as the malware now targets people from the U.S. and Europe. StrelaStealer is distributed through phishing campaigns that showed a significant uptick in November 2023, some days targeting over 250 organizations in the U.S. The elevated phishing email distribution volumes continued into 2024, with a significant wave of activity bei

CISA shares critical infrastructure defense tips against Chinese hackers

By Sergiu Gatlan, Bleeping Computer
CISA, the NSA, the FBI, and several other agencies in the U.S. and worldwide warned critical infrastructure leaders to protect their systems against the Chinese Volt Typhoon hacking group. Together with the NSA, the FBI, other U.S. government agencies, and partner Five Eyes cybersecurity agencies, including cybersecurity agencies from Australia, Canada, the United Kingdom, and New Zealand, it also issued defense tips on detecting and defending against Volt Typhoon attacks. Last month, they also warned that Chinese hackers had breached multiple U.S. critical infrastructure organizations and maintained access to at least one of them for at least five years before being discovered. Authorities have observed that the cyber espionage group Volt Typhoon's targets and tactics differ from typical activities, suggesting their goal is to obtain access to Operational Technology (OT) assets within networks, which could be exploited to disrupt critical infra

Ukraine arrests hackers trying to sell 100 million stolen accounts

By Bill Toulas, Bleeping Computer
The Ukrainian cyber police, in collaboration with investigators from the national police (ГУНП), have arrested three individuals who are accused of hijacking over 100 million emails and Instagram accounts worldwide. The three suspects, aged between 20 and 40, used specialized software to brute-force account passwords and then steal them. Brute force is the means of guessing account passwords through an automated trial-and-error process that has computers try many possible combinations until the correct one is found. This method's success relies on the available computational power in relation to the password length and complexity of the targeted account. The arrested cybercriminals monetized their illicit activities by selling access to compromised accounts to various fraud groups on the darknet. The buyers then used their access to these accounts to message the victims' contacts, requesting them to transfer money under false pretenses. The po

Top US cybersecurity agency hacked and forced to take some systems offline

By Sean Lyngaas, CNN
A federal agency in charge of cybersecurity discovered it was hacked last month and was forced to take two key computer systems offline, an agency spokesperson and US officials familiar with the incident told CNN. One of the US Cybersecurity and Infrastructure Security Agency’s affected systems runs a program that allows federal, state and local officials to share cyber and physical security assessment tools, according to the US officials briefed on the matter. The other holds information on security assessment of chemical facilities, the sources said. A CISA spokesperson said in a statement that “there is no operational impact at this time” from the incident and that the agency continues to “upgrade and modernize our systems.” “This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience,” the spokesperson said, adding that the impact from the hack “was limite

UnitedHealth brings some Change Healthcare pharmacy services back online

By Bill Toulas, Bleeping Computer
Optum's Change Healthcare has started to bring systems back online after suffering a crippling BlackCat ransomware attack last month that led to widespread disruption to the US healthcare system. United Health Group (UHG) is the largest American health insurance company, and its subsidiary, Optum Solutions, operates the Change Healthcare platform. Change Healthcare operates the largest payment exchange platform between doctors, pharmacies, healthcare providers, and patients in the US. On February 21, 2024, Optum Solutions suffered a ransomware attack by ALPHV/BlackCat, causing extensive outages after servers were allegedly encrypted and the company shut down its IT systems. These outages led to wide disruption at pharmacies and doctor offices, which could not send claims, causing some patients to pay full price for their medications. Today, UHG released a statement that finally delivered some good news, announcing the electronic prescription syst

FBI: U.S. lost record $12.5 billion to online crime in 2023

By Bill Toulas, Bleeping Computer
FBI's Internet Crime Complaint Center (IC3) has released its 2023 Internet Crime Report, which recorded a 22% increase in reported losses compared to 2022, amounting to a record of $12.5 billion. The number of relevant complaints submitted to the FBI in 2023 reached 880,000, 10% higher than the previous year, with the age group topping the report being people over 60, which shows how vulnerable older adults are to cybercrime. Both figures continue a worrying trend seen by the agency since 2019, where complaints and losses rise yearly. For 2023, the types of crimes that increased were tech support scams and extortion, whereas phishing, personal data breach, and non-payment/non-delivery scams slightly waned.

BlackCat Ransomware Group Implodes After Apparent $22M Payment by Change Healthcare

By Krebs On Security
There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. “ALPHV”) as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change’s network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate’s disclosure appears to have prompted BlackCat to cease operations entirely. In the third week of February, a cyber intrusion at Change Healthcare began shutting down important healthcare services as company systems were taken offline. It soon emerged that BlackCat was behind the attack, which has disrupted the delivery of prescription drugs for hospitals and pharmacies nationwide for nearly two w

American Express credit cards exposed in third-party data breach

By Lawrence Abrams, Bleeping Computer
American Express is warning customers that credit cards were exposed in a third-party data breach after a merchant processor was hacked. This incident was not caused by a data breach at American Express, but rather at a merchant processor in which American Express Card member data was processed. In a data breach notification filed with the state of Massachusetts under "American Express Travel Related Services Company," the company warned customers their credit cards may have been stolen. "We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system," explains the data breach notification. "Account information of some of our Card Members, including some of your account information, may have been involved. It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you a

Ukraine claims it hacked Russian Ministry of Defense servers

By Bill Toulas, Bleeping Computer
The Main Intelligence Directorate (GUR) of Ukraine's Ministry of Defense claims that it breached the servers of the Russian Ministry of Defense (Minoborony) and stole sensitive documents. A press release published today on an official Ukrainian government domain describes the attack as a "special operation" carried out by GUR's cyber-specialists. As a result of the breach, the GUR claims to have obtained sensitive documents that contain secret service information, including:

- Software used by the Russian Ministry of Defense for protecting and encrypting data
- An array of secret service documents from the Russian Ministry of Defense, including orders, reports, directives, and various other documents, circulated among over 2000 structural units of the ministry.
- Information that allows establishing the complete structure of the system of the Minoborony and its links.
- Data that helped identify senior heads of structural units of the Minobo