Southern Water Confirms Data Breach Following Black Basta Claims


Southern Water confirmed a data breach had occurred after the Black Basta ransomware group purportedly published personal information held by the firm


The dark side of 2023 Cybersecurity: Malware evolution and Cyber threats


In the ever-evolving cybersecurity landscape, 2023 witnessed a dramatic surge in the sophistication of cyber threats and malware. AT&T Cybersecurity Alien Labs reviewed the big events of 2023 and how malware morphed this year to try new ways to breach and wreak havoc.

This year’s events kept cybersecurity experts on their toes, from expanding malware variants to introducing new threat actors and attack techniques. Here are some of the most compelling developments, highlighting malware’s evolving capabilities and the challenges defenders face.

Highlights of the year: Emerging trends and notable incidents

As the year unfolded, several trends and incidents left an indelible mark on the cybersecurity landscape:

Exploiting OneNote for malicious payloads

Cybercriminals leveraged Microsoft OneNote to deliver many malicious payloads to victims, including Redline, AgentTesla, Quasar RAT, and others. This previously underutilized Office program became a favored tool due to its low suspicion and widespread usage.

SEO poisoning and Google Ads

Malicious actors resorted to SEO poisoning tactics, deploying phishing links through Google Ads to deceive unsuspecting victims. These links led to cloned, benign web pages, avoiding Google’s detection and remaining active for extended periods. Prominent malware families, including Raccoon Stealer and IcedID, capitalized on this strategy.

Exploiting geopolitical events

Cybercriminals exploited the geopolitical climate, particularly the Middle East conflict, as a lure for their attacks. This trend mirrored the previous year’s Ukraine-related phishing campaigns and crypto scams.

APTs: State-sponsored espionage continues to present challenges

Advanced Persistent Threats (APTs) continued to pose a significant threat in 2023:

Snake: CISA reported on the Snake APT, an advanced cyber-espionage tool associated with the Russian Federal Security Service (FSB). This malware had been in use for nearly two decades.
Volt Typhoon: A campaign targeting critical infrastructure organizations in the United States was attributed to Volt Typhoon, a state-sponsored actor based in China. Their focus lay on espionage and information gathering.
Storm-0558: This highly sophisticated intrusion campaign, orchestrated by the Storm-0558 APT from China, infiltrated the email accounts of approximately 25 organizations, including government agencies.

Ransomware’s relentless rise

Ransomware remained a prevalent and lucrative threat throughout the year:

Cuba and Snatch: Ransomware groups like Cuba and Snatch targeted critical infrastructure in the United States, causing concern for national security.
ALPHV/BlackCat: Beyond SEO poisoning, this group compromised the computer systems of the Caesars and MGM casinos. They also resorted to filing complaints with the US Securities and Exchange Commission (SEC) against their victims, applying additional pressure to pay ransoms.
Exploiting new vulnerabilities: Cybercriminals wasted no time exploiting newly discovered vulnerabilities, such as CVE-2023-22518 in Atlassian’s Confluence, CVE-2023-4966 (Citrix bleed), and others. These vulnerabilities became gateways for ransomware attacks.
Evolving ransomware families: New ransomware variants like Trash Panda emerged while existing families adapted to target Linux and ESXi servers, further expanding their reach.

Notable blogs of the year

1. BlackGuard: Elevating Malware-as-a-Service

One of the year’s standout stories was the evolution of BlackGuard, a formidable Malware-as-a-Service (MaaS) offered in underground forums and Telegram channels. This insidious tool underwent a significant upgrade, amplifying its capabilities. Already known for its ability to pilfer sensitive data from browsers, games, chats, and cryptocurrencies, the new BlackGuard variant upped the ante.

BlackGuard improved its Anti-Reversing and Sandboxing capabilities, making it even more elusive to security experts. Moreover, it could now tamper with cryptocurrency wallets copied to the clipboard. This enhancement posed a severe threat to cryptocurrency enthusiasts and investors. Additionally, BlackGuard incorporated advanced Loader capabilities, enabling it to propagate through shared or removable devices and mask its communications via public and private proxies or the anonymous Tor network.

2. SeroXen: A RAT’s rapid ascent and fall

In a twist of fate, 2023 witnessed the meteoric rise and fall of SeroXen, a new variant of the Quasar Remote Access Trojan (RAT). This modified branch of the open-source RAT added significant modifications to its original framework, enhancing its capabilities.

SeroXen achieved quick notoriety, with hundreds of samples identified within the first few months of the year. However, shortly after the blog highlighting its emergence was published, the SeroXen website announced its shutdown and implemented a kill-switch, rendering infected PCs useless to malicious actors. It was a rare instance where the publication of research inadvertently led to the downfall of a malware tool.

3. AdLoad: Mac systems turned into proxy servers

AT&T Cybersecurity Alien Labs uncovered a devious malware campaign involving AdLoad. This malware ingeniously transformed users’ Mac systems into proxy servers, which were then sold to third parties, including some with illicit purposes. The threat actor behind AdLoad infected target systems and surreptitiously installed a proxy application in the background.

These infected systems were subsequently offered to proxy companies that portrayed themselves as legitimate entities. Buyers exploited the benefits of these residential proxy botnets, enjoying anonymity, wide geographical availability, and high IP rotation for conducting nefarious activities, including SPAM campaigns.

Following the publication of the research blog, a similar campaign targeting Windows systems emerged. The modus operandi mirrored that of the Mac version but was tailored for Windows OS, significantly expanding the potential target pool and the impact of the proxy network.

4. AsyncRAT: The persistent phishing threat

Throughout 2023, cybersecurity experts observed a continuous influx of phishing emails using advanced techniques. These emails enticed victims to download a malicious JavaScript file, heavily obfuscated and armed with anti-sandboxing measures to evade detection. These attacks aimed to execute an AsyncRAT client on the compromised systems, granting attackers full remote access.

About us

AT&T Alien Labs is the threat intelligence unit of AT&T Cybersecurity. We help fuel our cybersecurity consulting and managed security services with the most up-to-date threat intelligence information. We work with the Open Threat Exchange (OTX) to provide actionable and community-powered threat data. Watch the AT&T Cybersecurity blog for more observations and research from the Alien Labs team.


26 Billion Records Released in “The mother of all breaches”


Security researchers have discovered a massive data breach containing more than 26 billion records — a hacker’s trove of records compiled from LinkedIn, Twitter, Adobe, and thousands of other organizations. Likely the largest of its kind, researchers have dubbed it MOAB or the “Mother of All Breaches.”

With billions of pieces of personal info compromised, you can count on one thing here for sure. Bad actors out there will surely take advantage of this windfall. We’ll share the immediate steps you can take to stay safe.

How big is the MOAB breach?

To get a sense of the breach’s scope, the newly discovered database contains over 3,800 folders, each containing records from an individual data breach. It appears that these breached records were compiled over time to create this database.

That list of 3,800 folders includes major brands and entities such as Twitter/X (281 million records), LinkedIn (251 million records), Evite (179 million records), and Adobe (153 million records). Leading the way with breached records is Tencent, with 1.5 billion records exposed.

Researchers also discovered that the leak contains records from government organizations in the US, Brazil, Germany, Philippines, Turkey, and other countries.

To date, no group has stepped forward to claim responsibility for this massive compilation of breached info. Researchers speculate that it could be a “malicious actor, data broker, or some service that works with large amounts of data.”

What can I do to protect myself in the wake of the MOAB breach?

Given the scale of the breach, your best bet is to act like your data was caught up in it.

This breach truly is a treasure trove for hackers and scammers. With the info contained in it, they can launch follow-on attacks: identity theft, phishing attempts, and password-stuffing attacks often follow in the wake of breaches, and this is a massive breach.

We can’t stress enough that acting now is super important.


Immediate steps include:

Change your passwords and use a password manager.

Changing passwords now is a must. Strong and unique passwords are best, which means never reusing your passwords across different sites and platforms. Using a password manager will help you keep on top of it all, while also storing your passwords securely. Moreover, changing your passwords regularly might make a stolen password worthless because it’s out of date.

Enable two-factor authentication.

While a strong and unique password is a good first line of defense, enabling two-factor authentication across your accounts will help your cause by providing an added layer of security. It’s increasingly common to see nowadays, where banks and all manner of online services will only allow access to your accounts after you’ve provided a one-time passcode sent to your email or smartphone. If your accounts support two-factor authentication, enable it.

Consider using identity monitoring, particularly for the dark web.

An identity monitoring service can monitor everything from email addresses to IDs and phone numbers for signs of breaches so you can take action to secure your accounts before they’re used for identity theft. Personal info harvested from data breaches can end up on dark web marketplaces where other bad actors buy it for their own attacks. Ours monitors the dark web for your personal info and provides early notifications if your data is found on there, an average of 10 months ahead of similar services. We also provide guidance to help you act if your info is found.

Check your credit, consider a security freeze, and get ID theft protection.

When personal info gets released, there’s a chance that a hacker, scammer, or thief will put it to use. This might include committing fraud, where they draw funds from existing accounts, and theft, where they create new accounts in a victim’s name.

With that, strongly consider taking preventive measures now. Checking your credit, putting a security freeze in place, and getting theft protection can help keep you safe in the wake of a breach. You can get all three in place with our McAfee+ Advanced or Ultimate plans. Features include:

Credit monitoring keeps an eye on changes to your credit score, report, and accounts with timely notifications and guidance so you can take action to tackle identity theft.

Security freeze protects you proactively by stopping unauthorized access to existing credit card, bank, and utility accounts or from new ones being opened in your name. And it won’t affect your credit score.

ID Theft & Restoration Coverage gives you $2 million in identity theft coverage and identity restoration support if it is determined that you’re a victim of identity theft. This way, you can cover losses and repair your credit and identity with a licensed recovery expert.

Also consider using comprehensive online protection.

A complete suite of online protection software can offer layers of extra security. In addition to password management and identity theft protection, it includes AI-powered scam detection that can spot scam texts, emails, and links on social media that otherwise look legit. If you accidentally tap or click on a sketchy link, it can block that link from taking you to risky sites too. In all, online protection software offers you a broad range of defenses and preventative measures any time data breaches occur, even breaches the size of the MOAB breach.

The post 26 Billion Records Released in “The mother of all breaches” appeared first on McAfee Blog.


Smashing Security podcast #356: Big dumpers, AI defamation, and the slug that slurped


This week the podcast is more lavatorial than usual, as we explore how privacy may have gone to sh*t on Google Maps, our guest drives hands-free on Britain’s motorways (and is defamed by AI), and ransomware attacks an airplane-leasing firm.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by BBC Technology Editor Zoe Kleinman.
