Monday, January 3, 2022

Supply Chain attacks, Espionage, & Russian Hackers. Nobellium targets Tech Resellers in Cyberattacks - YouTube

Supply chain attacks 2021 - SolarWinds APT Targets Tech Resellers in Latest Supply-Chain Cyberattacks
Original article: https://threatpost.com/solarwinds-tech-resellers-supply-chain-cybe...

Click Here:- https://www.youtube.com/watch?v=RMq8BN_RBRc

The SolarWinds attackers – an advanced persistent threat (APT) known as Nobelium – have started a new wave of supply-chain intrusions, this time using the technology reseller/service provider community to attack their targets.

The activity has affected victims in North America and Europe thus far, researchers said, and the goal is espionage: Nobelium has been linked to the Russian government’s foreign intelligence service, known as SVR.

According to an analysis from Mandiant and Microsoft, Nobelium isn’t exploiting a vulnerability or, as was the case with SolarWinds, trojanizing legitimate code. Instead, it’s infiltrating reseller networks using tried-and-true tactics like credential-stuffing and phishing, as well as API abuse and token theft, in order to gather legitimate account credentials and privileged access to reseller networks.

From there, Nobelium attempts to pivot and land inside the networks of reseller customers downstream. Once inside a reseller network, it becomes much easier to impersonate the company and exploit the trusted relationship that reseller has with its customers, researchers pointed out.

“Mandiant has investigated multiple intrusions in 2021 where suspected Russian threat actors exploited supply-chain relationships between technology companies and their customers,” said Mandiant senior vice president and CTO Charles Carmakal, via email. “While the SolarWinds supply-chain attack involved malicious code inserted in legitimate software, most of this recent intrusion activity has involved leveraging stolen identities and the networks of technology solutions, services and reseller companies in North America and Europe to ultimately access the environments of organizations that are targeted by the Russian government.”

Since May, Microsoft has observed Nobelium attacking more than 140 resellers and technology service providers, it said, with about 14 of them succumbing to compromise. However, in its writeup, issued Sunday, the software giant didn’t say how many downstream customers have been affected.

Mandiant’s Carmakal only said that the firm has seen successful intrusions into on-premises and cloud victim environments.

“This attack path makes it very difficult for victim organizations to discover they were compromised and investigate the actions taken by the threat actor,” Carmakal said. “Investigating these intrusions requires collaboration and information-sharing across multiple victim organizations, which is challenging due to privacy concerns and organizational sensitivities.”

The approach is also particularly effective for Nobelium because it allows the cyberattackers to avoid dealing with what could be strong defense measures at the end-user targets, he added.

“It shifts the initial intrusion away from the ultimate targets, which in some situations are organizations with more mature cyberdefenses, to smaller technology partners with less mature cyberdefenses,” he said.

If successful, an attack could allow for data theft, reconnaissance, compromise of customer systems and more.

“Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems,” according to Microsoft. “This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government.”

To that point, Microsoft also said that this particular campaign is merely a subset of a larger wave of Nobelium activities, which points to significantly ramped-up efforts by Russia to establish a persistent anchor for its spy activities. For instance, in September it was seen installing the FoggyWeb custom backdoor on single sign-on servers.

“Between July 1 and Oct. 19 this year, we informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits,” according to its writeup. “By comparison, prior to July 1, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years.”

Famously, the SolarWinds attack caused widespread damage and allowed Nobelium to gain access to several U.S. government agencies, by hijacking a legitimate software update from the platform to push malware to SolarWinds users.

Friday, November 12, 2021

What is Phishing?

Phishing Explained – What is Phishing? How it works & How to prevent it | Attack techniques & Scam Examples
In this episode we are going to talk about Phishin...

Click Here:- https://www.youtube.com/watch?v=FsuVU4zu_kc

In this episode we are going to talk about Phishing. Phishing is a cyber attack that uses disguised email as a weapon. It's one of the oldest types of cyberattacks, dating back to the 1990s, and it's still one of the most widespread and pernicious, with phishing messages and techniques becoming increasingly sophisticated. According to research, including the 2019 Verizon Data Breach Investigations Report, nearly a third of all breaches involved phishing. For cyber-espionage attacks, that number jumps to 78%. The worst phishing news is that its perpetrators are getting much, much better at it thanks to well-produced, off-the-shelf tools and templates.

An organization succumbing to such an attack typically sustains severe financial losses in addition to declining market share, reputation, and consumer trust. Depending on scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.

We want to make sure we are secure and prepared in case one of these attackers tries to infiltrate our systems, so today we are going to take a look at phishing and see how we can protect our company, systems and clients from it.

How phishing attacks work

Phishing is a type of social engineering where an attacker sends a fraudulent ("spoofed") message designed to trick a human victim into revealing sensitive information to the attacker or into deploying malicious software, such as ransomware, on the victim's infrastructure. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site and to traverse any additional security boundaries alongside the victim. As of 2020, phishing is by far the most common attack performed by cyber-criminals, with the FBI's Internet Crime Complaint Center recording over twice as many incidents of phishing as of any other type of computer crime.

What is a Supply Chain Attack?

Supply Chain Attacks Explained – What is a Supply Chain Attack? How do Supply Chain Attacks Work? | What you need to know about Supply Chain Attacks
In this e...

Click Here:- https://www.youtube.com/watch?v=6HLOknSWxxc

In this episode we are going to talk about supply chain attacks. Whether you talk about SolarWinds, Codecov, CCleaner or the Ukrainian accounting software M.E.Doc, supply chain attacks are on the rise. Supply chain attacks are scary because they are really hard to deal with, and because they make it clear that you are trusting every vendor whose code is on your machine, and every vendor's vendor. Believe it or not, supply chain attacks were first demonstrated around four decades ago, when Ken Thompson, one of the creators of the Unix operating system, wanted to see if he could hide a backdoor in Unix's login function.

The goal of this video is to help you understand what a supply chain attack is, along with the different types that exist. This way you can:

A) have a reference to check your own systems and processes, to see whether your current plan and working mode has any vulnerabilities to these types of attacks;

B) read about these attacks and be able to spot the type yourself.

How supply chain attacks work

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in its supply chain. A supply chain attack can occur in any industry, from the financial sector and the oil industry to government. Cybercriminals typically tamper with the manufacturing process of a product by installing a rootkit or hardware-based spying components.

Craigslist Malware attack

Attackers Hijack Craigslist Emails to Bypass Security, Deliver Malware
Original article: https://threatpost.com/attackers-hijack-craigslist-email-malware/1757...

Click Here:- https://www.youtube.com/watch?v=rM8SZ-SjCZE&feature=youtu.be

Musical instruments, motorcycle parts and now malware — Craigslist really does have it all.

The Craigslist internal email system was hijacked by attackers this month to deliver convincing messages, ultimately aimed at avoiding Microsoft Office security controls in order to deliver malware.

Sent from an authentic Craigslist IP address, the emails informed users that one of their published ads included inappropriate content and violated Craigslist's terms and conditions, giving false instructions on how to avoid having their accounts deleted.

Researchers at INKY discovered that the attackers manipulated the email’s HTML into a customized document with a malware-download link uploaded to a Microsoft OneDrive page. That page impersonated major brands like DocuSign, Norton and Microsoft.

That also allowed the campaign to slip past standard email authentication.

“Since the URL to resolve the issue hosted a customized document placed on Microsoft OneDrive, it did not appear on any threat intelligence feed, allowing it to slip past most security vendors,” the researchers noted in a posting this week.

Abusing Anonymity

Craigslist is more than one gigantic yard sale. Its internal email system also lets interested buyers and sellers contact each other anonymously. According to INKY’s report, threat actors were able to abuse that Craigslist email system so as to deliver authentic-looking phishing emails to users who were actively trying to sell something on the site.


Malicious PDF analysis

How does PDF malware work? | Malicious PDFs Explained – What is a malicious PDF?
In this episode we are going to talk about Malicious PDFs. It’s hard to im...

Click Here:- https://youtu.be/U8xExM3ykYA

In this episode we are going to talk about malicious PDFs. It’s hard to imagine business proposals without PDFs. The PDF format is used in almost all companies to share business deals, company brochures, and even invitations. PDF is widely used because it’s flexible: it can contain text, images and code at the same time. Many people don’t know it, but it is even possible to play games such as tic-tac-toe inside a PDF file. The problem is that this flexibility has a dark side, which is exploited by attackers. Opening a PDF file can endanger important information from your organization and even open a backdoor so that criminals can access your devices.

As the most common email attachment, PDF is a frequent vector for breaching computer networks. Advanced forms of PDF malware are not easily detected by secure email gateways.

What is PDF malware? And how does it work?

PDFs have the ability to deliver rich content (static and dynamic).

Combined, these elements can deliver visually appealing, interactive and portable documents. While we have all benefited from this feature-rich information-sharing venue, there exists a darker side. The dynamic PDF capabilities mentioned above can be, and have been, used to house malicious content. In previous years, cybercriminals embedded malicious scripts to install malware and steal user credentials.

Normally, the malicious behavior of PDF malware lives in a script embedded in the PDF file. That script can be written in any scripting language the PDF reader supports; JavaScript is by far the most popular choice. In most cases the embedded script acts as a dropper: it fetches or extracts OS-based malware and installs it on the victim’s system.
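
The first triage step a defender takes on such a file, as an added Python example that is not from the original post: count the PDF name tokens tied to embedded script and automatic actions, after resolving the #xx hex escapes that are sometimes used to disguise them. The keyword list follows the approach of Didier Stevens’ pdfid tool; both PDFs are constructed inline and contain no real malware.

```python
import re

# Name tokens worth a closer look in a first triage pass (the pdfid approach):
# script payloads, actions that fire automatically, and ways to launch or carry
# a second-stage file.
RISKY_KEYWORDS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                  b"/Launch", b"/EmbeddedFile", b"/RichMedia", b"/URI")

def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names, so /J#61vaScript reads /JavaScript.
    Applied to the whole buffer, which is acceptable for triage."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Count each risky token; a token must end at a delimiter so that /JS
    does not match inside an unrelated longer name."""
    norm = normalize_names(data)
    return {kw.decode(): len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", norm))
            for kw in RISKY_KEYWORDS}

def is_suspicious(counts: dict) -> bool:
    """Classic dropper shape: an automatic trigger plus script or a payload
    for it to run. Plain /URI links alone are not enough to flag."""
    auto_trigger = counts["/OpenAction"] + counts["/AA"]
    payload = (counts["/JavaScript"] + counts["/JS"]
               + counts["/Launch"] + counts["/EmbeddedFile"])
    return auto_trigger > 0 and payload > 0

# Constructed samples, not real malware: a plain one-page PDF, and the same file
# with an /OpenAction pointing at a JavaScript action whose name is hex-escaped,
# which a naive grep for "/JavaScript" would miss.
BENIGN_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
SUSPICIOUS_PDF = (b"%PDF-1.4\n"
                  b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
                  b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
                  b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
                  b"4 0 obj << /S /J#61vaScript /JS (app.alert('sample')) >> endobj\n"
                  b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, is_suspicious(triage_pdf(doc)), triage_pdf(doc))
```

A zero count is not a clean bill: objects packed into compressed object streams (/ObjStm with /FlateDecode) hide their names from a raw-byte scan, so inflate the streams first (a tool such as pdf-parser does this) before trusting the result.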

Discord’s Content Delivery Network

Discord Malware - How to protect yourself from malicious Discord bots
Original article: https://threatpost.com/threat-actors-abuse-discord-to-push-malware/1...

Click Here:- https://www.youtube.com/watch?v=M4G8c2mc1Fg

Threat actors are abusing the core features of the popular Discord digital communication platform to persistently deliver various types of malware, in particular remote access trojans (RATs) that can take over systems, putting its 150 million users at risk, researchers have found.

RiskIQ and CheckPoint both discovered multi-functional malware being sent in messages across the platform, which allows users to organize Discord servers into topic-based channels in which they can share text, image or voice files, as well as executables. Those files are then stored on Discord’s Content Delivery Network (CDN) servers.

Researchers warn, “many files sent across the Discord platform are malicious, pointing to a significant amount of abuse of its self-hosted CDN by actors by creating channels with the sole purpose of delivering these malicious files,” according to a report published Thursday by Team RiskIQ.

Initially Discord attracted gamers, but the platform is now being used by organizations for workplace communication. The storage of malicious files on Discord’s CDN and proliferation of malware on the platform mean that “many organizations could be allowing this bad traffic onto their network,” RiskIQ researchers wrote.

Features of the latest malware found on the platform include the capability to take screenshots, download and execute additional files, and perform keylogging, CheckPoint researchers Idan Shechter and Omer Ventura disclosed in a separate report also published Thursday.

CheckPoint also found that the Discord Bot API, a simple Python implementation that eases modifications and shortens the development process of bots on the platform, “can easily turn the bot into a simple RAT” that threat actors can use “to gain full access and remote control on a user’s system.”
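
One way for an organization to spot the “bad traffic” RiskIQ describes, as an added Python example that is not from the original post or the researchers’ reports: scan proxy log lines for executable-type downloads from the Discord CDN and group them by the channel id carried in the attachment URL, since a channel that only ever serves executables to many internal hosts matches the single-purpose channels the report describes. The CDN hostnames and the /attachments/<channel>/<attachment>/<file> path layout are assumptions about Discord’s URL scheme, and the log format and all ids, addresses and filenames are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Discord serves uploaded files from these hosts (assumed, see lead-in);
# attachment URLs carry the channel id in their path.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
ATTACHMENT_PATH = re.compile(r"^/attachments/(\d+)/(\d+)/([^/?#]+)$")
# File types a chat attachment rarely needs to be, but a RAT dropper often is.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".msi", ".bat", ".ps1", ".vbs",
                    ".js", ".jar", ".iso", ".zip", ".rar", ".7z"}

def parse_line(line):
    """Constructed proxy log format: '<ts> <client_ip> <method> <url> <status>'."""
    ts, client, _method, url, _status = line.split()
    return ts, client, urlsplit(url)

def find_risky_cdn_downloads(log_lines):
    """One record per download of a risky file type from the Discord CDN."""
    hits = []
    for line in log_lines:
        ts, client, url = parse_line(line)
        m = ATTACHMENT_PATH.match(url.path)
        if url.hostname not in DISCORD_CDN_HOSTS or not m:
            continue
        channel_id, _attachment_id, filename = m.groups()
        ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
        if ext in RISKY_EXTENSIONS:
            hits.append({"ts": ts, "client": client, "channel": channel_id, "file": filename})
    return hits

def summarize_by_channel(hits):
    """Group by channel: one channel feeding executables to many internal hosts
    fits the 'created solely to deliver files' pattern RiskIQ describes."""
    summary = defaultdict(lambda: {"downloads": 0, "clients": set(), "files": set()})
    for h in hits:
        s = summary[h["channel"]]
        s["downloads"] += 1
        s["clients"].add(h["client"])
        s["files"].add(h["file"])
    return dict(summary)

# Constructed sample proxy log; ids, addresses and filenames are made up.
SAMPLE_LOG = """\
2021-10-21T10:02:11Z 10.1.4.22 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/Invoice_Q3.pdf.exe 200
2021-10-21T10:02:15Z 10.1.4.22 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222223/setup_patch.scr 200
2021-10-21T10:03:40Z 10.1.4.57 GET https://cdn.discordapp.com/attachments/333333333333333333/444444444444444444/team_photo.png 200
2021-10-21T10:05:19Z 10.1.4.90 GET https://example.com/downloads/tool.exe 200
2021-10-21T10:06:00Z 10.1.4.13 GET https://cdn.discordapp.com/attachments/111111111111111111/222222222222222224/Invoice_Q3.pdf.exe 200
""".splitlines()
```

The channel and filename live in the URL path, so this only works if the proxy logs full URLs for these hosts rather than hostnames alone; the non-Discord download on example.com is deliberately out of scope here and needs its own rule.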

