Posts

Showing posts from July, 2024

Google ads push fake Google Authenticator site installing malware

By Bill Toulas, Bleeping Computer

Google has fallen victim to its own ad platform, allowing threat actors to create fake Google Authenticator ads that push the DeerStealer information-stealing malware. For years, malicious advertising (malvertising) campaigns have targeted the Google search platform, where threat actors place ads to impersonate well-known software sites that install malware on visitors' devices. To make matters worse, threat actors have been able to create Google search ads that show legitimate domains, which adds a sense of trust to the advertisement. In a new malvertising campaign found by Malwarebytes, threat actors created ads that display an advertisement for Google Authenticator when users search for the software in Google search. What makes the ad more convincing is that it shows 'google.com' and "https://www.google.com" as the click URL, which clearly should not be allowed when a third party creates the advertisement. We have seen this ve

Microsoft says massive Azure outage was caused by DDoS attack

By Sergiu Gatlan, Bleeping Computer

Microsoft confirmed today that a nine-hour outage on Tuesday, which took down and disrupted multiple Microsoft 365 and Azure services worldwide, was triggered by a distributed denial-of-service (DDoS) attack. Redmond says the outage impacted Microsoft Entra, some Microsoft 365 and Microsoft Purview services (including Intune, Power BI, and Power Platform), as well as Azure App Services, Application Insights, Azure IoT Central, Azure Log Search Alerts, Azure Policy, and the Azure portal. The company confirmed in a mitigation statement published today that the root cause behind yesterday's outage was a DDoS attack, although it has yet to link it to a specific threat actor. "While the initial trigger event was a Distributed Denial-of-Service (DDoS) attack, which activated our DDoS protection mechanisms, initial investigations suggest that an error in the implementation of our defenses amplified the impact of the attack rather than mitigating i

Massive SMS stealer campaign infects Android devices in 113 countries

By Bill Toulas, Bleeping Computer

A malicious campaign targeting Android devices worldwide utilizes thousands of Telegram bots to infect devices with SMS-stealing malware and steal one-time 2FA passwords (OTPs) for over 600 services. Zimperium researchers discovered the operation and have been tracking it since February 2022. They report finding at least 107,000 distinct malware samples associated with the campaign. The cybercriminals are motivated by financial gain, most likely using infected devices as authentication and anonymization relays.

Telegram entrapment

The SMS stealer is distributed either through malvertising or Telegram bots that automate communications with the victim. In the first case, victims are led to pages mimicking Google Play, reporting inflated download counts to add legitimacy and create a false sense of trust. On Telegram, the bots promise to give the user a pirated application for the Android platform, asking for their phone number before they share the APK

Dark Angels ransomware receives record-breaking $75 million ransom

By Lawrence Abrams, Bleeping Computer

A Fortune 50 company paid a record-breaking $75 million ransom payment to the Dark Angels ransomware gang, according to a report by Zscaler ThreatLabz. "In early 2024, ThreatLabz uncovered a victim who paid Dark Angels $75 million, higher than any publicly known amount— an achievement that's bound to attract the interest of other attackers looking to replicate such success by adopting their key tactics (which we describe below)," reads the 2024 Zscaler Ransomware Report. This record-breaking payment was further confirmed by crypto intelligence company Chainalysis, who tweeted about it on X. The largest known ransom payment was previously $40 million, which insurance giant CNA paid after suffering an Evil Corp ransomware attack. While Zscaler did not share what company paid the $75 million ransom, they mentioned the company was in the Fortune 50 and the attack occurred in early 2024. One Fortune 50 company that suffered a cyberattack

Don’t Let Your Domain Name Become a “Sitting Duck”

By KrebsOnSecurity

More than a million domain names — including many registered by Fortune 100 firms and brand protection companies — are vulnerable to takeover by cybercriminals thanks to authentication weaknesses at a number of large web hosting providers and domain registrars, new research finds. Your Web browser knows how to find a site like example.com thanks to the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly website names (example.com) into numeric Internet addresses. When someone registers a domain name, the registrar will typically provide two sets of DNS records that the customer then needs to assign to their domain. Those records are crucial because they allow Web browsers to find the Internet address of the hosting provider that is serving that domain. But potential problems can arise when a domain’s DNS records are “lame,” meaning the authoritative name server does not have enough information about t

UK govt links 2021 Electoral Commission breach to Exchange server

By Sergiu Gatlan, Bleeping Computer

The United Kingdom's Information Commissioner's Office (ICO) revealed today that the Electoral Commission was breached in August 2021 because it failed to patch its on-premise Microsoft Exchange Server against ProxyShell vulnerabilities. In March, the U.K. National Cyber Security Centre (NCSC) attributed the UK Electoral Commission breach to a Chinese state-backed threat actor. Tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, these security flaws were chained to hack into the commission's Exchange Server 2016 and deploy web shells, which allowed the attackers to gain persistence after installing web shells and backdoors. While Microsoft released security updates in May 2021 that fixed the ProxyShell vulnerability chain, the commission failed to patch its systems promptly, exposing them to attacks. The attack and the deployed malware were discovered on October 28, 2021, when an employee found that the Commission's Exchan

HealthEquity says data breach impacts 4.3 million people

By Bill Toulas, Bleeping Computer

HSA provider HealthEquity has determined that a cybersecurity incident disclosed earlier this month has compromised the information of 4,300,000 people. HealthEquity, one of the largest HSA custodians in the U.S., specializes in providing health savings accounts (HSAs), flexible spending accounts (FSAs), health reimbursement arrangements (HRAs), and 401(k) retirement plans. In a Form 8-K filing submitted on July 2, 2024, the company disclosed that threat actors stole members' sensitive health data using a partner's compromised credentials. An investigation determined that the breach occurred on March 9, 2024, but was only verified by the firm on June 26, following an internal investigation. "We discovered some unauthorized access to and potential disclosure of protected health information and/or personally identifiable information stored in an unstructured data repository outside our core systems," reads the data breach notice to be

Proofpoint settings exploited to send millions of phishing emails daily

By Bill Toulas, Bleeping Computer

A massive phishing campaign dubbed "EchoSpoofing" exploited now-fixed, weak permissions in Proofpoint's email protection service to dispatch millions of spoofed emails impersonating big entities like Disney, Nike, IBM, and Coca-Cola, to target Fortune 100 companies. The campaign started in January 2024, disseminating an average of 3 million spoofed emails daily and reaching a peak of 14 million emails in early June. The phishing emails were designed to steal sensitive personal information and incur unauthorized charges. They also included properly configured Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM) signatures, making them appear authentic to the recipients. Guardio Labs helped discover the phishing campaign and security gap in Proofpoint's email relay servers. In May 2024, they notified the firm and helped them fix it.

CrowdStrike update crashes Windows systems, causes outages worldwide

By Ionut Ilascu, Bleeping Computer

A faulty component in the latest CrowdStrike Falcon update is crashing Windows systems, impacting various organizations and services across the world, including airports, TV stations, and hospitals. The glitch is affecting Windows workstations and servers, with users reporting massive outages that took offline entire companies and fleets of hundreds of thousands of computers. According to some reports, emergency services in the U.S. and Canada have also been impacted.

Worldwide outage

By the time of the correction, though, many large organizations across multiple verticals had already been affected. Some reports say that CrowdStrike’s update impacted some 911 emergency service agencies in the state of New York (EMS, police, fire department), Alaska, and Arizona, as well as 911 services in parts of Canada. A 911 telecommunicator in Illinois said that they were “working off of paper until things come back.” There are also reports that the health hotline in

Major Microsoft 365 outage caused by Azure configuration change

By Sergiu Gatlan, Bleeping Computer

Microsoft says an Azure configuration change caused a major Microsoft 365 outage on Thursday, affecting customers across the Central US region. This massive outage started around 6:00 PM EST and prevented users from accessing various Microsoft 365 apps and services. The list of services impacted by the outage includes Microsoft Defender, Intune, Teams, PowerBI, Fabric, OneNote, OneDrive for Business, SharePoint Online, Windows 365, Viva Engage, Microsoft Purview, and the Microsoft 365 admin center. Xbox Support confirmed that the Xbox Live service was also hit by the issue, saying gamers had problems logging into their accounts. Throughout the outage, Downdetector has received tens of thousands of service issue reports, with affected Xbox users experiencing server connection issues and saying they couldn't log in. After acknowledging the outage, Microsoft said, "We're working on rerouting the impacted traffic to alternate systems to

Weak Security Defaults Enabled Squarespace Domains Hijacks

By KrebsOnSecurity

At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven’t set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn’t yet been registered, merely by supplying an email address tied to an existing domain. The Squarespace domain hijacks, which took place between July 9 and July 12, appear to have mostly targeted cryptocurrency businesses, including Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains. In some cases, the attackers were able to redirect the hijacked domains to phishing sites set up to steal visitors’ cryptocurrency funds. New York City-based Squarespace purchased roughly 10 million domain names from Google Domains in June 2023, and it has been gradually migrating those domains to its service ever since. Sq

Crooks Steal Phone, SMS Records for Nearly All AT&T Customers

By KrebsOnSecurity

AT&T Corp. disclosed today that a new data breach has exposed phone call and text message records for roughly 110 million people — nearly all of its customers. AT&T said it delayed disclosing the incident in response to “national security and public safety concerns,” noting that some of the records included data that could be used to determine where a call was made or text message sent. AT&T also acknowledged the customer records were exposed in a cloud database that was protected only by a username and password (no multi-factor authentication needed). In a regulatory filing with the U.S. Securities and Exchange Commission today, AT&T said cyber intruders accessed an AT&T workspace on a third-party cloud platform in April, downloading files containing customer call and text interactions between May 1 and October 31, 2022, as well as on January 2, 2023. The company said the stolen data includes records of calls and texts for mobile providers tha

A hacker posted nearly 10 billion passwords online, likely the biggest leak ever

By Hindustan Times

This could be the largest such compilation of leaked passwords ever and the file contains passwords compromised in both recent and old data breaches.

A file containing almost 10 billion passwords was reportedly posted on an online hacking forum. This could be the largest such compilation of leaked passwords ever and the file contains passwords compromised in both recent and old data breaches all over the world, Semafor reported. Owing to this, there could be an increased chance of credential stuffing attacks in which one compromised password used for a user’s account can be reused by a hacker to break into another account. The report claimed that not all the passwords in the file appeared to be new which means that they have been leaked previously and this increases the chance of “credential stuffing.” As per the practice, a bad actor can take a user’s known password and try to reuse it to break into other accounts in their name, Cybernews, a cybersecurity-focused n