Showing posts with label Cyber News. Show all posts
Microsoft Uncovers Banking AitM Phishing and BEC Attacks Targeting Financial Giants


Banking and financial services organizations are the targets of a new multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) attack, Microsoft has revealed.

"The attack originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations," the tech giant disclosed in a Thursday report.

Microsoft, which is tracking the cluster under its emerging moniker Storm-1167, called out the group's use of an indirect proxy to pull off the attack.

This enabled the attackers to flexibly tailor the phishing pages to their targets and carry out session cookie theft, underscoring the continued sophistication of AitM attacks.

The modus operandi is unlike other AitM campaigns where the decoy pages act as a reverse proxy to harvest credentials and time-based one-time passwords (TOTPs) entered by the victims.

"The attacker presented targets with a website that mimicked the sign-in page of the targeted application, as in traditional phishing attacks, hosted on a cloud service," Microsoft said.

"The said sign-in page contained resources loaded from an attacker-controlled server, which initiated an authentication session with the authentication provider of the target application using the victim's credentials."

The attack chains commence with a phishing email that points to a link, which, when clicked, redirects a victim into visiting a spoofed Microsoft sign-in page and entering their credentials and TOTPs.

The harvested passwords and session cookies are then used to impersonate the user and gain unauthorized access to the email inbox by means of a replay attack. The access is then abused to get hold of sensitive emails and orchestrate a BEC attack.

AitM Phishing and BEC Attacks

What's more, a new SMS-based two-factor authentication method is added to the target account so that the attacker can sign in with the stolen credentials without attracting attention.

In the incident analyzed by Microsoft, the attacker is said to have initiated a mass spam campaign, sending more than 16,000 emails to the compromised user's contacts, both within and outside of the organization, as well as distribution lists.

The adversary has also been observed taking steps to minimize detection and establish persistence by responding to incoming emails and subsequently taking steps to delete them from the mailbox.

Ultimately, the recipients of the phishing emails are targeted by a second AitM attack to steal their credentials and trigger yet another phishing campaign from the email inbox of one of the users whose account was hacked as a result of the AitM attack.

"This attack shows the complexity of AiTM and BEC threats, which abuse trusted relationships between vendors, suppliers, and other partner organizations with the intent of financial fraud," the company added.

The development comes less than a month after Microsoft warned of a surge in BEC attacks and the evolving tactics employed by cybercriminals, including the use of platforms, like BulletProftLink, for creating industrial-scale malicious mail campaigns.

Another tactic entails the use of residential internet protocol (IP) addresses to make attack campaigns appear locally generated, the tech giant said.

"BEC threat actors then purchase IP addresses from residential IP services matching the victim's location creating residential IP proxies which empower cybercriminals to mask their origin," Redmond explained.

"Now, armed with localized address space to support their malicious activities in addition to usernames and passwords, BEC attackers can obscure movements, circumvent 'impossible travel' flags, and open a gateway to conduct further attacks."
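The post-compromise signals the report describes (a sign-in from an IP the account has never used, an MFA method registered soon afterwards, a mass outbound mail burst, and mailbox deletions) can be correlated per account rather than relying on geolocation, which residential proxies defeat. The following Python is an added example, not Microsoft's detection logic; the event schema, operation names and thresholds are assumptions, and the log records are constructed.

```python
"""Correlate post-sign-in activity for the AitM-to-BEC pattern described above.

Added example, not Microsoft's tooling. Events are (timestamp, user,
operation, client_ip) tuples: a constructed simplification, not the real
Microsoft 365 audit-log schema. Operation names are assumptions too.
"""
from datetime import datetime, timedelta

# Tunable thresholds (assumptions, not values taken from the report).
MFA_WINDOW = timedelta(hours=1)       # MFA change this soon after a new-IP login is suspicious
BURST_WINDOW = timedelta(minutes=10)
BURST_MIN_SENDS = 50                  # far more than a normal user sends in ten minutes


def analyze_user(events, user):
    """Return the set of signal names observed for one user."""
    evs = sorted((datetime.fromisoformat(ts), op, ip)
                 for ts, u, op, ip in events if u == user)
    signals = set()
    suspect_login = None
    for t, op, ip in evs:
        if op == "UserLoggedIn":
            # Do not rely on geolocation or "impossible travel": the report notes
            # residential proxies make the sign-in look local. Compare the source
            # IP against the IPs this account has signed in from before instead.
            baseline = {ip2 for t2, op2, ip2 in evs if op2 == "UserLoggedIn" and t2 < t}
            if baseline and ip not in baseline:
                suspect_login = t
                signals.add("login_from_new_ip")
        elif op == "Update StrongAuthenticationMethod":
            if suspect_login and t - suspect_login <= MFA_WINDOW:
                signals.add("new_mfa_method_after_login")

    # Mass mailing: a sliding window over Send events.
    sends = [t for t, op, _ in evs if op == "Send"]
    for i, t in enumerate(sends):
        j = i
        while j < len(sends) and sends[j] - t <= BURST_WINDOW:
            j += 1
        if j - i >= BURST_MIN_SENDS:
            signals.add("outbound_mail_burst")
            break

    # Cleanup after the campaign: deletions once the burst has started.
    if sends and "outbound_mail_burst" in signals:
        if any(op in ("SoftDelete", "HardDelete") and t > sends[0] for t, op, _ in evs):
            signals.add("mailbox_deletions_after_burst")
    return signals


def find_bec_candidates(events, min_signals=2):
    """Map each user showing at least min_signals signals to its sorted signal list."""
    users = {u for _, u, _, _ in events}
    found = {u: sorted(analyze_user(events, u)) for u in users}
    return {u: s for u, s in found.items() if len(s) >= min_signals}


def build_sample_events():
    """Constructed sample log: alice shows the full pattern, bob is ordinary activity."""
    ev = [
        ("2023-06-05T08:30:00", "alice@example.com", "UserLoggedIn", "198.51.100.7"),  # usual IP
        ("2023-06-06T08:31:00", "alice@example.com", "UserLoggedIn", "198.51.100.7"),
        ("2023-06-08T09:00:00", "alice@example.com", "UserLoggedIn", "203.0.113.10"),  # replayed session
        ("2023-06-08T09:04:00", "alice@example.com", "Update StrongAuthenticationMethod", "203.0.113.10"),
        ("2023-06-08T11:30:00", "alice@example.com", "SoftDelete", "203.0.113.10"),
        ("2023-06-05T09:00:00", "bob@example.com", "UserLoggedIn", "198.51.100.8"),
        ("2023-06-08T09:10:00", "bob@example.com", "UserLoggedIn", "198.51.100.8"),
        ("2023-06-08T09:12:00", "bob@example.com", "Send", "198.51.100.8"),
        ("2023-06-08T10:00:00", "bob@example.com", "SoftDelete", "198.51.100.8"),
    ]
    # The report cites 16,000 mails; 120 sends five seconds apart suffice for the rule here.
    start = datetime(2023, 6, 8, 10, 0, 0)
    for i in range(120):
        ev.append(((start + timedelta(seconds=5 * i)).isoformat(),
                   "alice@example.com", "Send", "203.0.113.10"))
    return ev


if __name__ == "__main__":
    for user, signals in find_bec_candidates(build_sample_events()).items():
        print(user, "->", ", ".join(signals))
```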

Netflix Announces Its First Public Bug Bounty Program

Security researchers can now report vulnerabilities to Netflix through the Bugcrowd platform to help keep the service secure.


Rewards range from $100 to $15,000 depending on the severity of the vulnerability.

Netflix is an American entertainment company founded by Reed Hastings and Marc Randolph on August 29, 1997, in Scotts Valley, California. It specializes in streaming media, online video-on-demand and DVD by mail. In 2013, Netflix expanded into film and television production as well as online distribution.

Netflix requires that all researchers:


  • Do not access customer or employee personal information, pre-release Netflix content, or Netflix confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.
  • Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
  • Do not degrade the Netflix user experience, disrupt production systems, or destroy data during security testing.
  • Perform research only within the scope set out below.
  • Use the Bugcrowd report submission form to report vulnerability information to us.
  • Collect only the information necessary to demonstrate the vulnerability.
  • Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar using the Bugcrowd submission form (do not use third party file sharing sites).
  • When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.
  • Follow the Bugcrowd “Coordinated Disclosure” rules.

If you fulfill these requirements, Netflix will:


  • Work with you to understand and attempt to resolve the issue quickly (confirming the report within 7 days of submission);
  • Recognize your contribution to our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.
  • Pay you for your research for unique vulnerabilities that meet the guidelines listed below if you are the first to report the issue to us using the Bugcrowd portal.
  • To encourage responsible disclosure, Netflix will not bring a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meets these requirements and guidelines.


Focus Areas

We encourage researchers to focus their efforts in the following areas:

  • Cross Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • Authentication related issues
  • Authorization related issues
  • Data Exposure
  • Redirection attacks
  • Remote Code Execution
  • Business Logic
  • MSL Protocol (https://github.com/Netflix/msl)
  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories
  • Mobile-specific API vulnerabilities



Facebook CEO Mark Zuckerberg Admits It is "Breach of Trust" on Cambridge Analytica Scandal


Facebook, the biggest social media platform, is involved in the Cambridge Analytica breach. Facebook currently has 2 billion monthly active users.


Who is Cambridge Analytica (CA)?

Cambridge Analytica is a privately held company that combines data mining, data brokerage, and data analysis with strategic communication for the electoral process. It was founded in 2013.

In 2015, it became known as the data analysis company working initially for Ted Cruz's presidential campaign. In 2016 CA worked for Donald Trump's presidential campaign, and on the Leave.EU campaign for the United Kingdom's withdrawal from the European Union.

What is Cambridge Analytica Data Scandal?

On 17 March 2018, The New York Times and The Observer reported on Cambridge Analytica's use of personal information acquired from Facebook, without users' permission, by an external researcher who claimed to be collecting it for academic purposes. In response, Facebook banned Cambridge Analytica from advertising on its platform.

The Guardian further reported that Facebook had known about this security breach for two years but had done nothing to protect its users.

Mark Zuckerberg addressed it in a Facebook post:

"I want to share an update on the Cambridge Analytica situation -- including the steps we've already taken and our next steps to address this important issue.

We have a responsibility to protect your data, and if we can't then we don't deserve to serve you. I've been working to understand exactly what happened and how to make sure this doesn't happen again. The good news is that the most important actions to prevent this from happening again today we have already taken years ago. But we also made mistakes, there's more to do, and we need to step up and do it.

Here's a timeline of the events:

In 2007, we launched the Facebook Platform with the vision that more apps should be social. Your calendar should be able to show your friends' birthdays, your maps should show where your friends live, and your address book should show their pictures. To do this, we enabled people to log into apps and share who their friends were and some information about them.

In 2013, a Cambridge University researcher named Aleksandr Kogan created a personality quiz app. It was installed by around 300,000 people who shared their data as well as some of their friends' data. Given the way our platform worked at the time this meant Kogan was able to access tens of millions of their friends' data.

In 2014, to prevent abusive apps, we announced that we were changing the entire platform to dramatically limit the data apps could access. Most importantly, apps like Kogan's could no longer ask for data about a person's friends unless their friends had also authorized the app. We also required developers to get approval from us before they could request any sensitive data from people. These actions would prevent any app like Kogan's from being able to access so much data today.

In 2015, we learned from journalists at The Guardian that Kogan had shared data from his app with Cambridge Analytica. It is against our policies for developers to share data without people's consent, so we immediately banned Kogan's app from our platform, and demanded that Kogan and Cambridge Analytica formally certify that they had deleted all improperly acquired data. They provided these certifications.

Last week, we learned from The Guardian, The New York Times and Channel 4 that Cambridge Analytica may not have deleted the data as they had certified. We immediately banned them from using any of our services. Cambridge Analytica claims they have already deleted the data and has agreed to a forensic audit by a firm we hired to confirm this. We're also working with regulators as they investigate what happened.

This was a breach of trust between Kogan, Cambridge Analytica and Facebook. But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.

In this case, we already took the most important steps a few years ago in 2014 to prevent bad actors from accessing people's information in this way. But there's more we need to do and I'll outline those steps here:

First, we will investigate all apps that had access to large amounts of information before we changed our platform to dramatically reduce data access in 2014, and we will conduct a full audit of any app with suspicious activity. We will ban any developer from our platform that does not agree to a thorough audit. And if we find developers that misused personally identifiable information, we will ban them and tell everyone affected by those apps. That includes people whose data Kogan misused here as well.

Second, we will restrict developers' data access even further to prevent other kinds of abuse. For example, we will remove developers' access to your data if you haven't used their app in 3 months. We will reduce the data you give an app when you sign in -- to only your name, profile photo, and email address. We'll require developers to not only get approval but also sign a contract in order to ask anyone for access to their posts or other private data. And we'll have more changes to share in the next few days.

Third, we want to make sure you understand which apps you've allowed to access your data. In the next month, we will show everyone a tool at the top of your News Feed with the apps you've used and an easy way to revoke those apps' permissions to your data. We already have a tool to do this in your privacy settings, and now we will put this tool at the top of your News Feed to make sure everyone sees it.

Beyond the steps we had already taken in 2014, I believe these are the next steps we must take to continue to secure our platform.

I started Facebook, and at the end of the day I'm responsible for what happens on our platform. I'm serious about doing what it takes to protect our community. While this specific issue involving Cambridge Analytica should no longer happen with new apps today, that doesn't change what happened in the past. We will learn from this experience to secure our platform further and make our community safer for everyone going forward.

I want to thank all of you who continue to believe in our mission and work to build this community together. I know it takes longer to fix all these issues than we'd like, but I promise you we'll work through this and build a better service over the long term."


Zuckerberg, in an interview with CNN:

"Security isn't a problem that you ever fully solve," Zuckerberg told Segall on Wednesday night. "We're going to be working on this forever, as long as this community remains an important thing in the world."

India shuts down the local website of Cambridge Analytica.

Ravi Shankar Prasad, Information Technology Minister of India, said on Twitter (@rsprasad):
"We welcome the fact that Facebook has one of the highest number of users from India but if any theft of data of Indians takes place in collusion with other companies for manipulation of democratic processes then that will not be tolerated."

Facebook shares fell after Zuckerberg confirmed the data breach.


Punjab National Bank (PNB) Credit and Debit Card Data Breached



Sensitive data of 10,000 Punjab National Bank (PNB) credit and debit cards has been breached.


The leaked information includes names, personal identification numbers (PINs), expiry dates and card verification values (CVVs).


The card details are being sold on dark web sites, where underground services such as hacking and other leaked data are traded illegally.

The CloudSEK team first identified a listing on a dark web site that claimed to offer multiple cards belonging to PNB for sale. "We immediately tried reaching out to PNB using the cybercrime contact emails that were listed on their website. But that email bounced," said Rahul Sasi, CTO of CloudSEK.

"On 21st Feb, 8:10 PM, the company was able to get in touch with PNB officials via a third-party source. The PNB officials were quick to respond, and we got a call back the same day at 10:00 PM from PNB security officials. We provided them a detailed report about the leaked data.

On 22nd Feb, 1:10 AM, we provided them a more detailed report. And the officials ensured swift action."

According to a report by Asia Times:

“We believe, on preliminary analysis, that the data has been available for at least three months. While this is yet to be firmly established, we are carrying out our forensic investigation,” said a government official familiar with the case. Virwani was asked by Asia Times to comment on the breach, but has not yet responded. A message received from him states that he was not authorized to respond to the media and the queries have been forwarded to the Corporate Communications department. The story will be updated as and when a response is received.

“Usually these sites on the deep/dark web build up reputations on the authenticity of the data they sell illegally. This particular site has a very good reputation. They offer a sample size to buyers to establish their credentials before the sale is made. In this case they were offering to sell the data at US$4.90 per card,” he reported.

PNB is already reeling from a recent fraud case worth Rs 11,400 crore. The firms involved were unable to repay the bank after their accounts were frozen by the ED and the CBI in connection with the alleged Rs 11,400-crore scam.

In India, some banks and ATMs are still running Windows XP, even though support for Windows XP ended on 8 April 2014. Microsoft no longer provides security updates or technical support for it, so it is important that customers and partners migrate to a modern operating system such as Windows 10, Microsoft's latest.

WikiLeaks Website Gets Defaced By Hacking Group OurMine



The WikiLeaks website, wikileaks.org, has just been defaced by the hacking group OurMine.

The OurMine hacking group is already known for hijacking high-profile social media accounts, including those of Google CEO Sundar Pichai, Facebook CEO Mark Zuckerberg, former Twitter CEOs Dick Costolo and Ev Williams, as well as Netflix, Sony and HBO.

The exact cause has not yet been established, but it appears the site's DNS entries were compromised through a DNS poisoning attack.

As of this morning, the WikiLeaks.org homepage displayed a message that read: “Hi, it’s OurMine (Security Group), don’t worry we are just testing your…. blablablab, oh wait, this is not a security test! Wikileaks, remember when you challenged us to hack you?”

“Anonymous, remember when you tried to dox us with fake information for attacking wikileaks?” the message continues. “There we go! One group beat you all! #WikileaksHack lets get it trending on twitter!”

And here is the screenshot of the message which was shown on the website when it got hacked.

Wikileaks Published New Vault7 Series Project of CIA ExpressLane


WikiLeaks has leaked another CIA project, named 'ExpressLane'. The tool is used for information gathering.


WikiLeaks publishes secret documents from the ExpressLane project of the CIA. These documents show one of the cyber operations the CIA conducts against liaison services -- which includes among many others the National Security Agency (NSA), the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI).

The OTS (Office of Technical Services), a branch within the CIA, has a biometric collection system that is provided to liaison services around the world -- with the expectation for sharing of the biometric takes collected on the systems. But this 'voluntary sharing' obviously does not work or is considered insufficient by the CIA, because ExpressLane is a covert information collection tool that is used by the CIA to secretly exfiltrate data collections from such systems provided to liaison services.

ExpressLane is installed and run under the cover of upgrading the biometric software by OTS agents who visit the liaison sites. Liaison officers overseeing this procedure remain unsuspecting, as the data exfiltration is disguised behind a Windows installation splash screen.

The core components of the OTS system are based on products from Cross Match, a US company specializing in biometric software for law enforcement and the Intelligence Community. The company hit the headlines in 2011 when it was reported that the US military used a Cross Match product to identify Osama bin Laden during the assassination operation in Pakistan.


CIA projects previously leaked by WikiLeaks


CouchPotato
10 August, 2017
Today, August 10th 2017, WikiLeaks publishes the User Guide for the CouchPotato project of the CIA. CouchPotato is a remote tool for collection against RTSP/H.264 video streams. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame. It utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity. CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader.

Dumbo
3 August, 2017
Today, August 3rd 2017 WikiLeaks publishes documents from the Dumbo project of the CIA. Dumbo is a capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a PAG deployment. The PAG (Physical Access Group) is a special branch within the CCI (Center for Cyber Intelligence); its task is to gain and exploit physical access to target computers in CIA field operations.

Dumbo can identify, control and manipulate monitoring and detection systems on a target computer running the Microsoft Windows operating system. It identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks. All processes related to the detected devices (usually recording, monitoring or detection of video/audio/network streams) are also identified and can be stopped by the operator. By deleting or manipulating recordings the operator is aided in creating fake or destroying actual evidence of the intrusion operation.

Dumbo is run by the field agent directly from a USB stick; it requires administrator privileges to perform its task. It supports 32-bit Windows XP, Windows Vista, and newer versions of the Windows operating system. 64-bit Windows XP, or Windows versions prior to XP, are not supported.

Wikileaks Unveiled 'Dumbo' Tool Which CIA Used To Spy Webcams And Microphones

What Can Dumbo Do?


  1. Identify and control webcams and microphones
  2. Disable all network adapters
  3. Suspend any processes using a camera recording device
  4. Selectively corrupt or delete recordings
  5. Run on Windows



WikiLeaks publishes documents from the Dumbo project of the CIA. Dumbo is a capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a PAG deployment. The PAG (Physical Access Group) is a special branch within the CCI (Center for Cyber Intelligence); its task is to gain and exploit physical access to target computers in CIA field operations.

Dumbo can identify, control and manipulate monitoring and detection systems on a target computer running the Microsoft Windows operating system. It identifies installed devices like webcams and microphones, either locally or connected by wireless (Bluetooth, WiFi) or wired networks. All processes related to the detected devices (usually recording, monitoring or detection of video/audio/network streams) are also identified and can be stopped by the operator. By deleting or manipulating recordings the operator is aided in creating fake or destroying actual evidence of the intrusion operation.

Dumbo is run by the field agent directly from a USB stick; it requires administrator privileges to perform its task. It supports 32-bit Windows XP, Windows Vista, and newer versions of the Windows operating system. 64-bit Windows XP, or Windows versions prior to XP, are not supported.


Game Of Thrones Scripts Hacked: HBO Confirms


HBO has been hacked; the hackers claim to have obtained 1.3 terabytes (TB) of data from the company. Upcoming episodes of Ballers and Room 104 have apparently been leaked.


According to a report, “HBO recently experienced a cyber incident, which resulted in the compromise of proprietary information,” the network confirmed in a statement. “We immediately began investigating the incident and are working with law enforcement and outside cybersecurity firms. Data protection is a top priority at HBO, and we take seriously our responsibility to protect the data we hold.”

Exactly what content was stolen has not yet been confirmed; HBO is still investigating the incident. CEO and chairman Richard Plepler confirmed the cyber attack in an email to staff:

As most of you have probably heard by now, there has been a cyber incident directed at the company which has resulted in some stolen proprietary information, including some of our programming. Any intrusion of this nature is obviously disruptive, unsettling, and disturbing for all of us.
I can assure you that senior leadership and our extraordinary technology team, along with outside experts, are working round the clock to protect our collective interests. The efforts across multiple departments have been nothing short of herculean. It is a textbook example of quintessential HBO teamwork. The problem before us is unfortunately all too familiar in the world we now find ourselves a part of.
As has been the case with any challenge we have ever faced, I have absolutely no doubt that we will navigate our way through this successfully.
Richard 
Such leaks are not new. Earlier, in 2015, the first four episodes of the show's fifth season leaked online on torrent sites before being aired on the network.

And it is not just HBO: Netflix and ABC have also been victims of such attacks. A hacker dubbed The Dark Overlord posted the first episode of Season 5 of Netflix’s Orange Is the New Black in April after Netflix refused to pay the ransom. ABC was also targeted when eight episodes of Steve Harvey's unreleased game show Funderdome were leaked online early.

WikiLeaks Vault 7 New CIA Exploit Tools For Mac OS And Linux Published


This series consists of three hacking tools: Achilles, SeaPea and Aeris.


WikiLeaks published two new exploit tools for the Mac and Linux operating systems from the CIA project codenamed Imperial. They target Macs, Debian, Red Hat, Solaris, FreeBSD and CentOS.

WikiLeaks publishes documents from the 'Imperial' project of the CIA.

Achilles is a capability that provides an operator the ability to trojan an OS X disk image (.dmg) installer with one or more desired operator specified executables for a one-time execution.

Aeris is an automated implant written in C that supports a number of POSIX-based systems (Debian, RHEL, Solaris, FreeBSD, CentOS). It supports automated file exfiltration, configurable beacon interval and jitter, standalone and Collide-based HTTPS LP support and SMTP protocol support - all with TLS encrypted communications with mutual authentication. It is compatible with the NOD Cryptographic Specification and provides structured command and control that is similar to that used by several Windows implants.

SeaPea is an OS X Rootkit that provides stealth and tool launching capabilities. It hides files/directories, socket connections and/or processes. It runs on Mac OSX 10.6 and 10.7.

Previous #Vault7 project leaks

UCL / Raytheon:  Raytheon Blackbird Technologies acted as a kind of "technology scout" for the Remote Development Branch (RDB) of the CIA by analysing malware attacks in the wild and giving recommendations to the CIA development teams for further investigation and PoC development for their own malware projects.



HighRise: HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as a SMS proxy that provides greater separation between devices in the field ("targets") and the listening post (LP) by proxying "incoming" and "outgoing" SMS messages to an internet LP. Highrise provides a communications channel between the HighRise field operator and the LP with a TLS/SSL secured internet communication.

UniCredit Bank Gets Hacked And 400,000 Italian Customers Affected

  • 400,000 customers of UniCredit, Italy's largest bank, are affected by two security breaches.
  • The first breach occurred in September and October 2016 and the second in June and July 2017.


According to the report, UniCredit admitted that no passwords were stolen but that cyber criminals might have accessed customer personal data and IBAN numbers. UniCredit has blamed a third-party service provider for the incident. Its shares fell about 1% after it disclosed the hack.


UniCredit said in its statement:

"UniCredit today announced it has been the victim of a security breach in Italy due to unauthorised access through an Italian third party provider to Italian customer data related to personal loans only.

A first breach seems to have occurred in September and October 2016 and a second breach which has just been identified in June and July 2017. Data of approximately 400,000 customers in Italy is assumed to have been impacted during these two periods. No data, such as passwords allowing access to customer accounts or allowing for unauthorised transactions, has been affected, whilst some other personal data and IBAN numbers might have been accessed.

UniCredit has launched an audit and has informed all the relevant authorities. In the morning, UniCredit will also file a claim with the Milan Prosecutor's office. The bank has also taken immediate remedial action to close this breach.

For immediate information, customers should contact UniCredit's dedicated toll-free number 800 323285 or their regular branch customer services team. In addition, UniCredit will be contacting affected customers through specific channels, not including email or phone calls.

Customer data safety and security is UniCredit's top priority and as part of Transform 2019, UniCredit is investing 2.3 billion euro in upgrading and strengthening its IT systems."
