Attackers abuse open redirects on Snapchat and Amex websites in phishing attacks

Attackers abused open redirects on the websites of Snapchat and American Express in a series of phishing attacks to steal Microsoft 365, FedEx and DocuSign credentials.

An open redirect occurs when a website accepts a URL parameter that sends the visitor on to another URL but fails to validate that parameter, allowing attackers to redirect victims to malicious sites. Victims trust the link because the first domain name in the manipulated link is a trusted domain, such as American Express or Snapchat. An example of such a URL is https://safe.com/redirect?url=https://malicious.com.

“The trusted domain (e.g., American Express, Snapchat) acts as a temporary landing page before the surfer is redirected to a malicious site,” says a post published in August 2022 by INKY.

During a two-and-a-half-month period, INKY engineers detected the snapchat[.]com open redirect vulnerability in 6,812 phishing emails originating from various hijacked accounts.

Open Bug Bounty reported the Snapchat vulnerability to the company on Aug. 4, 2021. However, it remains unpatched.

American Express quickly fixed the issue in late July 2022.

When examining links, surfers should keep an eye out for URLs that include, for example, “url=”, “redirect=”, “external-link”, or “proxy”. These strings might indicate that a trusted domain could redirect to another site.

Website owners should allow redirects to go only back to their own site.
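To make the two pieces of advice above concrete, here is an added example (not code from the original post or from either company): the open-redirect pattern next to a handler that allows redirects only back to the site itself, plus a link-inspection helper that flags the “url=” / “redirect=” style parameters the text says to watch for. The host safe.com is taken from the page's example URL; everything else is an assumption for illustration.

```python
from urllib.parse import parse_qsl, urljoin, urlsplit, urlunsplit

TRUSTED_HOST = "safe.com"  # the site's own host, taken from the page's example URL
REDIRECT_HINTS = ("url", "redirect", "external-link", "proxy")  # strings the text says to watch for


def redirect_target_open(url_param: str) -> str:
    """The open-redirect bug: the client-supplied target is used unvalidated."""
    return url_param


def redirect_target_safe(url_param: str, trusted_host: str = TRUSTED_HOST) -> str:
    """Allow a redirect only back to the site itself; anything else falls back to '/'."""
    fallback = "/"
    # Control characters, surrounding whitespace and backslashes are parsed differently by
    # browsers than by server-side libraries, so refuse them rather than try to normalise.
    if (not url_param or url_param != url_param.strip()
            or any(ord(c) < 0x20 or c == "\\" for c in url_param)):
        return fallback
    parts = urlsplit(url_param)
    if parts.scheme or parts.netloc:
        # Absolute (or scheme-relative "//host") URL: only https to exactly our own host.
        # The exact netloc match also rejects "safe.com@evil.com" and "safe.com.evil.com".
        if parts.scheme != "https" or parts.netloc.lower() != trusted_host:
            return fallback
        return urlunsplit(parts)
    # Relative URL: must be a single-slash path ("//..." is read as a host by browsers).
    if not url_param.startswith("/") or url_param.startswith("//"):
        return fallback
    resolved = urljoin(f"https://{trusted_host}/", url_param)
    return resolved if urlsplit(resolved).netloc == trusted_host else fallback


def flag_external_redirect(link: str) -> list:
    """Link-inspection side of the advice: list redirect-looking parameters whose value
    is an absolute URL to a host other than the link's own (e.g. url=https://malicious.com)."""
    parts = urlsplit(link)
    own_host = parts.netloc.lower()
    hint_in_path = any(h in parts.path.lower() for h in REDIRECT_HINTS)
    findings = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        looks_like_redirect = hint_in_path or any(h in key.lower() for h in REDIRECT_HINTS)
        target_host = urlsplit(value).netloc.lower()
        if looks_like_redirect and target_host and target_host != own_host:
            findings.append((key, target_host))
    return findings
```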

Read more about it here.

US FCC warns of the rise of robotext scams

The US Federal Communications Commission (FCC) warned Americans of the rising threat of robotext (smishing) attacks.

“Substantial increases in consumer complaints to the FCC, reports by non-government robocall and robotext blocking services, and anecdotal and news reporting make it clear that text messages are increasingly being used by scammers to target American consumers”, reads the alert.

Scam text message senders want you to engage with them. Like robocallers, a robotexter may use fear and anxiety to get you to interact. Texts may include false-but-believable claims about unpaid bills, package delivery snafus, bank account problems, or law enforcement actions against you.

Some scammers may be after your money, but others may simply be trying to collect personal information or confirm that a number is active for use in future scams. Do not respond or click on any links in the message.

Some independent reports estimate billions of robotexts each month.

What you should do to protect yourself:

  • Do not respond to suspicious texts, even if the message requests that you “text STOP” to end messages.
  • Do not click on any links.
  • Do not provide any information via text or website.
  • File a complaint.
  • Forward unwanted texts to SPAM (7726).
  • Delete all suspicious texts.
  • Update your smart device OS and security apps.
  • Consider installing anti-malware software.
  • Review companies’ policies regarding opting out of text alerts and selling/sharing your information.
  • Review text blocking tools in your mobile phone settings, available third-party apps, and your mobile phone carrier’s offerings.

Read more about it here.

5.4 million Twitter accounts available for sale online

Social media site Twitter has suffered a data breach of over 5.4 million accounts, whose data is now for sale on a hacking forum. The hacker, who goes by the alias ‘devil’, claimed in a post on Breach Forums that the stolen dataset includes email addresses and phone numbers from “Celebrities, to Companies, randoms, OGs, etc.” ‘OGs’ refers to desirable Twitter handles, either short ones or ones that are a desirable word.

On January 1, 2022, a report was filed on HackerOne for a vulnerability that allows an attacker to acquire the phone number and the email address associated with Twitter accounts, even if the user has hidden these fields in their privacy settings.

“The vulnerability allows any party without any authentication to obtain a twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account,” reads the description in the report submitted by zhirinovskiy.

“This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.”

Five days after the report was posted, Twitter acknowledged it as a “valid security issue”. After investigating further, Twitter fixed the vulnerability and awarded user zhirinovskiy a $5,040 bounty.

A threat actor is now selling the data acquired through this vulnerability for at least $30,000. It is being offered on Breach Forums, the same forum on which the 23 terabytes of data leaked from 1 billion Chinese citizens were posted.

Read more about it here.

Marriott has been hacked again

The Marriott International hotel chain has confirmed that it has been hit by yet another data breach.

The data breach took place at one location, the BWI Airport Marriott near Baltimore. Marriott said that it is directly contacting the 300 to 400 guests that had credit card information exposed. The threat actor used social engineering to trick one hotel employee at this single Marriott hotel into providing access to their computer. The threat actor claimed to have tried to extort the hotel chain but according to Marriott, no money was paid. In total 20GB of data were leaked.

In 2018, Marriott revealed that it had been hit by an enormous database breach that affected 500 million of its guests; that breach lasted 4 years. In another data breach in 2020, Marriott exposed the personal information of 5.2 million guests.

Read more about it here.

One billion records of Chinese citizens for sale online

Unknown threat actors claimed to have obtained the data of one billion Chinese residents after breaching a Shanghai police database. If true, this data breach is the largest in the country’s history.

The anonymous internet user, identified as “ChinaDan”, posted on hacker forum Breach Forums last week, offering to sell the more than 23 terabytes (TB) of data for 10 bitcoin, equivalent to about $200,000. The data includes names, addresses, birthplaces, national IDs, phone numbers and criminal case information.

Zhao Changpeng, founder and CEO of cryptocurrency exchange Binance, tweeted last Monday that the company had detected the breach of a billion resident records “from one Asian country,” without specifying which, and had since stepped up its verification process for potentially affected users.

Shanghai authorities have not publicly responded to the purported data breach.

Read more about it here.

Cybersecurity insurance market to grow to $29.2 billion by 2027

According to a recent research report by MarketsandMarkets, the global Cybersecurity insurance market size is projected to grow from $11.9 billion in 2022 to $29.2 billion by 2027.

Cybercrime insurance protects organizations from financial losses relating to damage to, or loss of, information from networks and IT systems. This includes reputation loss, the cost of business interruption, infringement of regulatory data standards (such as GDPR or CCPA), and attacks from bad actors (e.g., ransomware, data breaches, etc.), depending on the coverage taken.

By organization size, the small and medium enterprise segment is expected to have the highest growth rate during the forecast period.

Asia Pacific is expected to have the highest growth rate during the forecast period.

Read more about it here.

Experts find 3.6M MySQL Servers exposed online

Shadowserver Foundation analysts discovered over 3.6 million MySQL servers publicly exposed on the Internet and responding to queries, making them attractive targets. The report identifies accessible MySQL server instances on port TCP/3306. “This includes both TLS and non-TLS responses. We do not perform any intrusive checks to discover the level of access to any databases that is possible.” says the report. “Surprisingly to us, we found around 2.3M IPv4 addresses responding with such a greeting to our queries. Even more surprisingly, we found over 1.3M IPv6 devices responding as well.”

Most accessible IPv4 MySQL servers by country are as follows: United States (740.1K), China (296.3K), Poland (207.8K) and Germany (174.9K).

Most accessible IPv6 MySQL servers by country are as follows: United States (460.8K), Netherlands (296.3K), Singapore (218.2K) and Germany (173.7K).

The researchers pointed database administrators to the MySQL 5.7 Secure Deployment Guide and the MySQL 8.0 Secure Deployment Guide. They added: “It is unlikely that you need to have your MySQL server allowing for external connections from the Internet (and thus a possible external attack surface). If you do receive a report on your network/constituency take action to filter out traffic to your MySQL instance and make sure to implement authentication on the server.”
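As an added example (not from the Shadowserver report), the following Python parses the greeting a MySQL server sends before any authentication, which is what such a scan counts as a response; it reports the server version, whether the CLIENT_SSL capability bit is set (the TLS versus non-TLS split the report mentions) and the advertised auth plugin, and it recognises the ERR packet a reachable server returns when the client host is not allowed to connect. Both packets below are constructed; the field layout and flag values follow the MySQL client/server protocol (Handshake V10).

```python
CLIENT_SSL = 0x0800                 # capability bit: server accepts a TLS upgrade
CLIENT_SECURE_CONNECTION = 0x8000   # 4.1-style auth: second salt part is present
CLIENT_PLUGIN_AUTH = 0x00080000     # auth plugin name is appended to the greeting


def parse_mysql_greeting(raw: bytes) -> dict:
    """Parse the unauthenticated server greeting (Handshake V10) or an ERR packet."""
    if len(raw) < 5:
        raise ValueError("too short to be a MySQL packet")
    length = int.from_bytes(raw[0:3], "little")      # 3-byte length, 1-byte sequence id
    payload = raw[4:4 + length]
    if len(payload) < length:
        raise ValueError("truncated packet")
    if payload[0] == 0xFF:                            # ERR packet: server up, client host refused
        return {"kind": "error", "error_code": int.from_bytes(payload[1:3], "little"),
                "message": payload[3:].decode("utf-8", "replace")}
    if payload[0] != 10:
        return {"kind": "unknown", "first_byte": payload[0]}
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii", "replace")
    pos = end + 1
    conn_id = int.from_bytes(payload[pos:pos + 4], "little")
    pos += 4 + 8 + 1                                  # connection id, salt part 1, filler
    cap_low = int.from_bytes(payload[pos:pos + 2], "little")
    pos += 2 + 1 + 2                                  # caps (low), charset, status flags
    caps = cap_low | (int.from_bytes(payload[pos:pos + 2], "little") << 16)
    auth_len = payload[pos + 2]
    pos += 2 + 1 + 10                                 # caps (high), auth data length, reserved
    if caps & CLIENT_SECURE_CONNECTION:
        pos += max(13, auth_len - 8)                  # salt part 2
    plugin = ""
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = payload[pos:payload.index(b"\x00", pos)].decode("ascii", "replace")
    return {"kind": "greeting", "server_version": version, "connection_id": conn_id,
            "tls_offered": bool(caps & CLIENT_SSL), "auth_plugin": plugin}


# Constructed sample greeting (not a capture): MySQL 8.0.29 with the TLS bit set.
SAMPLE_PAYLOAD = (b"\x0a" + b"8.0.29\x00" + (42).to_bytes(4, "little") + b"abcdefgh"
                  + b"\x00" + b"\xff\xff" + b"\x21" + b"\x02\x00" + b"\xff\xc1" + b"\x15"
                  + b"\x00" * 10 + b"ijklmnopqrst\x00" + b"caching_sha2_password\x00")
SAMPLE_GREETING = len(SAMPLE_PAYLOAD).to_bytes(3, "little") + b"\x00" + SAMPLE_PAYLOAD

# Constructed ERR packet (code 1130): the server answered but refused this client host.
SAMPLE_ERR_PAYLOAD = (b"\xff" + (1130).to_bytes(2, "little")
                      + b"Host '192.0.2.9' is not allowed to connect to this MySQL server")
SAMPLE_ERR = len(SAMPLE_ERR_PAYLOAD).to_bytes(3, "little") + b"\x00" + SAMPLE_ERR_PAYLOAD
```

Either response means the port answers from the Internet; the fix the researchers recommend is to filter the traffic and require authentication rather than to rely on the greeting giving nothing away.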

Read more about it here.

This WhatsApp scam lets hackers take control of your account with a single phone call

Rahul Sasi, founder and CEO of CloudSEK, a contextual AI business that predicts cyber threats, recently described the scam in a LinkedIn post. According to him, it starts with the hacker calling the victim and convincing them to dial a specific number, which looks like either **67*<10 digit number> or *405*<10 digit number>. Both numbers trigger call forwarding, which redirects a phone call to another number. Call forwarding is available on most, if not all, phone carriers’ systems globally and is supported by most modern mobile phones.

**67*<10 digit number> will forward all your calls to the 10 digit number.

*405*<10 digit number> will forward calls, if your number is busy, to the 10 digit number.

The 10-digit number is always a phone number controlled by the hacker.

While the victim is calling one of the numbers, the hacker starts the WhatsApp registration process for the victim’s phone number, and chooses the option to deliver One Time Password (OTP) through phone call. Because of the activated call forwarding, the OTP will travel to the hacker’s phone.

How to mitigate:

  • Ignore calls from unknown numbers.
  • Don’t make calls to unknown numbers.
  • Secure your WhatsApp account with Two-step verification.

Read more about it here.

FBI says compromised US academic credentials are available on various cybercrime forums

The FBI warned on May 26, 2022 that thousands of compromised credentials harvested from US college and university networks are circulating on online crime forums in Russia and elsewhere, and could lead to subsequent cyber attacks against individual users or affiliated organizations. “Credential harvesting against an organization is often a byproduct of spear-phishing, ransomware, or other cyber intrusion tactics”, says the alert.

  • As of January 2022, Russian cyber criminal forums offered for sale or posted for public access the network credentials and virtual private network accesses to a multitude of identified US-based universities and colleges across the country, some of which included screenshots as proof of access.
  • In May 2021, over 36,000 email and password combinations (some of which may have been duplicates) for email accounts ending in .edu were identified on a publicly available instant messaging platform.
  • In late 2020, US territory-based university account usernames and passwords with the domain .edu were found for sale on the dark web. The seller listed approximately 2,000 unique usernames with accompanying passwords.

The FBI alert offered recommendations:

  • Keep all operating systems and software up to date.
  • Implement user training programs and phishing exercises for students and faculty to raise awareness.
  • Require strong, unique passwords for all accounts.
  • Require multi-factor authentication (MFA).
  • Restrict where accounts and credentials can be used.
  • Segment networks to help prevent unauthorized access.
  • Identify, detect, and investigate abnormal activity with network-monitoring tools.
  • Use anomaly detection tools.
  • Enforce principle of least privilege through authorization policies.
  • Secure and closely monitor remote desktop protocol (RDP) use.
  • Document external remote connections.

Read more about it here.

US Agricultural Equipment Giant AGCO hit by ransomware attack

Agricultural machinery manufacturing giant AGCO announced on May 5, 2022 that a ransomware attack had impacted some of its production facilities. “AGCO is still investigating the extent of the attack, but it is anticipated that its business operations will be adversely affected for several days and potentially longer to fully resume all services depending upon how quickly the Company is able to repair its systems,” reads the announcement.

In an update provided on May 16, 2022, AGCO said: “A majority of the affected production sites and parts operations resumed operational activities last week or today. The remainder of the sites are expected to begin operations during the balance of this week.” The company also reported that there had been data exfiltration as a result of the ransomware attack. While the company does not have retail operations, and therefore holds no privacy-protected consumer data, it is still evaluating the scope and consequences of the data loss.

AGCO is based out of Duluth, Georgia, US, and has about 20,000 employees.

Read more about it here.