Information Technology Security

By  KrebsOnSecurity Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to “verify” a one-time code. Parth Patel is an entrepreneur who is trying to build a startup in the conversational AI space. On March 23, Patel documented on Twitter/X a recent phishing campaign targeting him that involved what’s known as a “push bombing” or “MFA fatigue” attack, wherein the phishers abuse a feature or weakness of a multi-factor au...

By  The Hacker News Key Points MuddyWater Phishing : MuddyWater used seemingly harmless PDF attachments containing malicious links. Clicking these links downloaded an installer for the real Atera Agent (RMM software), granting them unauthorized access to compromised systems. Shift in Tactics : This campaign represents a shift for MuddyWater, who previously relied on directly embedded malicious links. This new tactic increases deception and potentially widens their attack reach. MuddyWater Targets : This is not the first time MuddyWater has targeted organizations. Since October 2023, they’ve used other legitimate remote access tools for infiltration attempts. Supply Chain Attack : Another Iranian group, Lord Nemesis, compromised a software provider in a supply chain attack, potentially impacting their clients. Dangers of Supply Chain Attacks : This attack highlights the growing risk of supply chain attacks, where compromising a trusted vendor grants access to a wider network of targ...

By Bill Toulas,  Bleeping Computer Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named 'Tycoon 2FA' to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection. Tycoon 2FA was discovered by Sekoia analysts in October 2023 during routine threat hunting, but it has been active since at least August 2023, when the Saad Tycoon group offered it through private Telegram channels. The PhaaS kit shares similarities with other adversary-in-the-middle (AitM) platforms, such as Dadsec OTT, suggesting possible code reuse or a collaboration between developers. In 2024, Tycoon 2FA released a new version that is stealthier, indicating a continuous effort to improve the kit. Currently, the service leverages 1,100 domains and has been observed in thousands of phishing attacks.

By Bill Toulas, Bleeping Computer A new large-scale StrelaStealer malware campaign has impacted over a hundred organizations across the United States and Europe, attempting to steal email account credentials. StrelaStealer was first documented in November 2022 as a new information-stealing malware that steals email account credentials from Outlook and Thunderbird. One notable characteristic of the malware was using a polyglot file infection method to evade detection from security software. At the time, StrelaStealer was seen targeting predominately Spanish-speaking users. However, according to a recent report by Palo Alto Networks' Unit42, this has changed as the malware now targets people from the U.S. and Europe. StrelaStealer is distributed through phishing campaigns that showed a significant uptick in November 2023, some days targeting over 250 organizations in the U.S. The elevated phishing email distribution volumes continued into 2024, with a significant wave of activity bei...

By Sergiu Gatlan,  Bleeping Computer CISA, the NSA, the FBI, and several other agencies in the U.S. and worldwide warned critical infrastructure leaders to protect their systems against the Chinese Volt Typhoon hacking group. Together with the NSA, the FBI, other U.S. government agencies, and partner Five Eyes cybersecurity agencies, including cybersecurity agencies from Australia, Canada, the United Kingdom, and New Zealand, it also issued defense tips on detecting and defending against Volt Typhoon attacks. Last month, they also warned that Chinese hackers had breached multiple U.S. critical infrastructure organizations and maintained access to at least one of them for at least five years before being discovered. Authorities have observed that the cyber espionage group Volt Typhoon's targets and tactics differ from typical activities, suggesting their goal is to obtain access to Operational Technology (OT) assets within networks, which could be exploited to disrupt critical infra...

By Bill Toulas,  Bleeping Computer The Ukrainian cyber police, in collaboration with investigators from the national police (ГУНП), have arrested three individuals who are accused of hijacking over 100 million emails and Instagram accounts worldwide. The three suspects, aged between 20 and 40, used specialized software to brute-force account passwords and then steal them. Brute force is the means of guessing account passwords through an automated trial-and-error process that has computers try many possible combinations until the correct one is found. This method's success relies on the available computational power in relation to the password length and complexity of the targeted account. The arrested cybercriminals monetized their illicit activities by selling access to compromised accounts to various fraud groups on the darknet. The buyers then used their access to these accounts to message the victims' contacts, requesting them to transfer money under false pretenses. The po...

By Sean Lyngaas, CNN A federal agency in charge of cybersecurity discovered it was hacked last month and was forced to take two key computer systems offline, an agency spokesperson and US officials familiar with the incident told CNN. One of the US Cybersecurity and Infrastructure Security Agency’s affected systems runs a program that allows federal, state and local officials to share cyber and physical security assessment tools, according to the US officials briefed on the matter. The other holds information on security assessment of chemical facilities, the sources said. A CISA spokesperson said in a statement that “there is no operational impact at this time” from the incident and that the agency continues to “upgrade and modernize our systems.” “This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience,” the spokesperson said, adding that the impact from the hack “was limite...

By Bill Toulas, Bleeping Computer Optum's Change Healthcare has started to bring systems back online after suffering a crippling BlackCat ransomware attack last month that led to widespread disruption to the US healthcare system. United Health Group (UHG) is the largest American health insurance company, and its subsidiary, Optum Solutions, operates the Change Healthcare platform. Change Healthcare operates the largest payment exchange platform between doctors, pharmacies, healthcare providers, and patients in the US. On February 21, 2024, Optum Solutions suffered a ransomware attack by ALPHV/BlackCat, causing extensive outages after servers were allegedly encrypted and the company shut down its IT systems. These outages led to wide disruption at pharmacies and doctor offices, which could not send claims, causing some patients to pay full price for their medications. Today, UHG released a statement that finally delivered some good news, announcing the electronic prescription syst...

By Bill Toulas, Bleeping Computer FBI's Internet Crime Complaint Center (IC3) has released its 2023 Internet Crime Report, which recorded a 22% increase in reported losses compared to 2022, amounting to a record of $12.5 billion. The number of relevant complaints submitted to the FBI in 2023 reached 880,000, 10% higher than the previous year, with the age group topping the report being people over 60, which shows how vulnerable older adults are to cybercrime. Both figures continue a worrying trend seen by the agency since 2019, where complaints and losses rise yearly. For 2023, the types of crimes that increased were tech support scams and extortion, whereas phishing, personal data breach, and non-payment/non-delivery scams slightly waned.

By  Krebs On Security There are indications that U.S. healthcare giant Change Healthcare has made a $22 million extortion payment to the infamous BlackCat ransomware group (a.k.a. “ALPHV“) as the company struggles to bring services back online amid a cyberattack that has disrupted prescription drug services nationwide for weeks. However, the cybercriminal who claims to have given BlackCat access to Change’s network says the crime gang cheated them out of their share of the ransom, and that they still have the sensitive data Change reportedly paid the group to destroy. Meanwhile, the affiliate’s disclosure appears to have prompted BlackCat to cease operations entirely. In the third week of February, a cyber intrusion at Change Healthcare began shutting down important healthcare services as company systems were taken offline. It soon emerged that BlackCat was behind the attack, which has disrupted the delivery of prescription drugs for hospitals and pharmacies nationwide for nearly t...

By Lawrence Abrams,  Bleeping Computer American Express is warning customers that credit cards were exposed in a third-party data breach after a merchant processor was hacked. This incident was not caused by a data breach at American Express, but rather at a merchant processor in which American Express Card member data was processed.  In a data breach notification filed with the state of Massachusetts under "American Express Travel Related Services Company," the company warned customers their credit cards may have been stolen. "We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system," explains the data breach notification. "Account information of some of our Card Members, including some of your account information, may have been involved. It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you a...

By Bill Toulas,  Bleeping Computer The Main Intelligence Directorate (GUR) of Ukraine's Ministry of Defense claims that it breached the servers of the Russian Ministry of Defense (Minoborony) and stole sensitive documents. A press release published today on an official Ukrainian government domain describes the attack as a "special operation" carried out by GUR's cyber-specialists. As a result of the breach, the GUR claims to have obtained sensitive documents that contain secret service information, including: Software used by the Russian Ministry of Defense for protecting and encrypting data An array of secret service documents from the Russian Ministry of Defense, including orders, reports, directives, and various other documents, circulated among over 2000 structural units of the ministry. Information that allows establishing the complete structure of the system of the Minoborony and its links. Data that helped identify senior heads of structural units of the Minobo...